clear-skies 2.0.4__py3-none-any.whl → 2.0.5__py3-none-any.whl

clearskies/secrets/additional_configs/__init__.py

@@ -1,32 +0,0 @@
-from .mysql_connection_dynamic_producer import MySQLConnectionDynamicProducer
-from .mysql_connection_dynamic_producer_via_ssh_cert_bastion import MySQLConnectionDynamicProducerViaSSHCertBastion
-
-
-def mysql_connection_dynamic_producer(producer_name=None, database_host=None, database_name=None):
-    return MySQLConnectionDynamicProducer(
-        producer_name=producer_name,
-        database_host=database_host,
-        database_name=database_name,
-    )
-
-
-def mysql_connection_dynamic_producer_via_ssh_cert_bastion(
-    producer_name=None,
-    bastion_host=None,
-    bastion_username=None,
-    public_key_file_path=None,
-    cert_issuer_name=None,
-    database_host=None,
-    database_name=None,
-    local_proxy_port=None,
-):
-    return MySQLConnectionDynamicProducerViaSSHCertBastion(
-        producer_name=producer_name,
-        bastion_host=bastion_host,
-        bastion_username=bastion_username,
-        cert_issuer_name=cert_issuer_name,
-        public_key_file_path=public_key_file_path,
-        database_host=database_host,
-        database_name=database_name,
-        local_proxy_port=local_proxy_port,
-    )

clearskies/secrets/additional_configs/mysql_connection_dynamic_producer.py

@@ -1,61 +0,0 @@
-import clearskies.di
-
-
-class MySQLConnectionDynamicProducer(clearskies.di.additional_config.AdditionalConfig):
-    _producer_name = None
-    _database_host = None
-    _database_name = None
-
-    def __init__(self, producer_name=None, database_host=None, database_name=None):
-        self._producer_name = producer_name
-        self._database_host = database_host
-        self._database_name = database_name
-
-    def provide_connection_details(self, environment, secrets):
-        if not secrets:
-            raise ValueError(
-                "I was asked to connect to a database via an AKeyless dynamic producer, \
-                 but AKeyless itself wasn't configured. \
-                Try setting the AKeyless auth method via clearskies.secrets.akeyless_[jwt|saml|aws_iam]_auth()"
-            )
-
-        producer_name = (
-            self._producer_name
-            if self._producer_name is not None
-            else environment.get("akeyless_mysql_dynamic_producer", silent=True)
-        )
-        if not producer_name:
-            raise ValueError(
-                "I was asked to connect to a database via an AKeyless dynamic producer, \
-                but I wasn't told the path to the dynamic producer. \
-                This can be set in an environment variable named 'akeyless_mysql_dynamic_producer'\
-                or it can be set in the configuration via the producer_name kwarg."
-            )
-        database_name = (
-            self._database_name if self._database_name is not None else environment.get("db_database", silent=True)
-        )
-        if not database_name:
-            raise ValueError(
-                "I was asked to connect to a database via an AKeyless dynamic producer, \
-                but I wasn't told the name of the database. \
-                This can be set in an environment variable named 'db_database' \
-                or it can be set in the configuration via the database_name kwarg."
-            )
-        database_host = (
-            self._database_host if self._database_host is not None else environment.get("db_host", silent=True)
-        )
-        if not database_host:
-            raise ValueError(
-                "I was asked to connect to a database via an AKeyless dynamic producer, \
-                but I wasn't told the host name of the database. \
-                This can be set in an environment variable named 'db_host' \
-                or it can be set in the configuration via the database_host kwarg."
-            )
-        credentials = secrets.get_dynamic_secret(producer_name)
-
-        return {
-            "username": credentials["user"],
-            "password": credentials["password"],
-            "host": database_host,
-            "database": database_name,
-        }

clearskies/secrets/additional_configs/mysql_connection_dynamic_producer_via_ssh_cert_bastion.py

@@ -1,160 +0,0 @@
-import os
-import socket
-import subprocess
-import time
-from pathlib import Path
-
-import clearskies.di
-
-
-class MySQLConnectionDynamicProducerViaSSHCertBastion(clearskies.di.additional_config.AdditionalConfig):
-    _config = None
-
-    def __init__(
-        self,
-        producer_name=None,
-        bastion_host=None,
-        bastion_username=None,
-        public_key_file_path=None,
-        local_proxy_port=None,
-        cert_issuer_name=None,
-        database_host=None,
-        database_name=None,
-    ):
-        # not using kwargs because I want the argument list to be explicit
-        self.config = {
-            "producer_name": producer_name,
-            "bastion_host": bastion_host,
-            "bastion_username": bastion_username,
-            "public_key_file_path": public_key_file_path,
-            "local_proxy_port": local_proxy_port,
-            "cert_issuer_name": cert_issuer_name,
-            "database_host": database_host,
-            "database_name": database_name,
-        }
-
-    def provide_connection_details(self, environment, secrets):
-        if not secrets:
-            raise ValueError(
-                "I was asked to connect to a database via an AKeyless dynamic producer but AKeyless itself wasn't configured.  Try setting the AKeyless auth method via clearskies.secrets.akeyless_[jwt|saml|aws_iam]_auth()"
-            )
-
-        home = str(Path.home())
-        default_public_key_file_path = f"{home}/.ssh/id_rsa.pub"
-
-        producer_name = self._fetch_config(environment, "producer_name", "akeyless_mysql_dynamic_producer")
-        bastion_host = self._get_bastion_host(environment)
-        bastion_username = self._fetch_config(environment, "bastion_username", "akeyless_mysql_bastion_username")
-        public_key_file_path = self._fetch_config(
-            environment,
-            "public_key_file_path",
-            "akeyless_mysql_bastion_public_key_file_path",
-            default=default_public_key_file_path,
-        )
-        cert_issuer_name = self._fetch_config(
-            environment, "cert_issuer_name", "akeyless_mysql_bastion_cert_issuer_name"
-        )
-        local_proxy_port = self._fetch_config(
-            environment, "local_proxy_port", "akeyless_mysql_bastion_local_proxy_port", default=8888
-        )
-        database_host = self._fetch_config(environment, "database_host", "db_host")
-        database_name = self._fetch_config(environment, "database_name", "db_database")
-
-        # Create the SSH tunnel (yeah, it's obnoxious)
-        self._create_tunnel(
-            secrets,
-            bastion_host,
-            bastion_username,
-            local_proxy_port,
-            cert_issuer_name,
-            public_key_file_path,
-            database_host,
-        )
-
-        # and now we can fetch credentials
-        credentials = secrets.get_dynamic_secret(producer_name)
-
-        return {
-            "username": credentials["user"],
-            "password": credentials["password"],
-            "host": "127.0.0.1",
-            "database": database_name,
-            "port": local_proxy_port,
-        }
-
-    def _get_bastion_host(self, environment):
-        return self._fetch_config(environment, "bastion_host", "akeyless_mysql_bastion_host")
-
-    def _fetch_config(self, environment, config_key_name, environment_key_name, default=None):
-        if self.config[config_key_name]:
-            return self.config[config_key_name]
-        from_environment = environment.get(environment_key_name, silent=True)
-        if from_environment:
-            return from_environment
-        if default is not None:
-            return default
-        raise ValueError(
-            f"I was asked to connect to a database via an AKeyless dynamic producer through an SSH bastion"
-            "with certificate auth, but I wasn't given a required configuration value: '{config_key_name}'."
-            "This can be set in the call to "
-            "`clearskies.backends.akeyless.mysql_connection_dynamic_producer_via_ssh_cert_bastion()` by providing the "
-            "'{config_key_name}' argument, or by setting an environment variable named '{environment_key_name}'."
-        )
-
-    def _create_tunnel(
-        self,
-        secrets,
-        bastion_host,
-        bastion_username,
-        local_proxy_port,
-        cert_issuer_name,
-        public_key_file_path,
-        database_host,
-    ):
-        # first see if the socket is already open, since we don't close it.
-        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-        result = sock.connect_ex(("127.0.0.1", local_proxy_port))
-        if result == 0:
-            sock.close()
-            return
-
-        if not os.path.isfile(public_key_file_path):
-            raise ValueError(
-                f"I was asked to connect to AKeyless SSH with the public key file in '{public_key_file_path}',"
-                "but this file does not exist"
-            )
-
-        ssh_certificate = secrets.get_ssh_certificate(cert_issuer_name, bastion_username, public_key_file_path)
-
-        # We need to write the certificate out to the standard location that SSH expects it so that SSH can find it.
-        # I haven't found a good library for doing this in Python, so I'm relying on the ssh command
-        home = str(Path.home())
-        with open(f"{home}/.ssh/id_rsa-cert.pub", "w") as fp:
-            fp.write(ssh_certificate)
-
-        # and now we can do this thing.
-        tunnel_command = [
-            "ssh",
-            "-o",
-            "ConnectTimeout=2",
-            "-N",
-            "-L",
-            f"{local_proxy_port}:{database_host}:3306",
-            "-p",
-            "22",
-            f"{bastion_username}@{bastion_host}",
-        ]
-        subprocess.Popen(tunnel_command)
-        connected = False
-        attempts = 0
-        while not connected and attempts < 6:
-            attempts += 1
-            time.sleep(0.5)
-            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-            result = sock.connect_ex(("127.0.0.1", local_proxy_port))
-            if result == 0:
-                connected = True
-        if not connected:
-            raise ValueError(
-                "Failed to open SSH tunnel.  The following command was used: \n" + " ".join(tunnel_command)
-            )

clearskies/secrets/akeyless.py

@@ -1,182 +0,0 @@
-import datetime
-from typing import Any
-
-import clearskies.configs
-from clearskies.di import InjectableProperties, inject
-
-
-class Akeyless(clearskies.Configurable, clearskies.di.InjectableProperties):
-    requests = clearskies.di.inject.Requests()
-    environment = clearskies.di.inject.Environment()
-    akeyless = clearskies.di.inject.ByName("akeyless")
-
-    access_id = clearskies.configs.String(required=True, regexp=r"^p-[\d\w]+$")
-    access_type = clearskies.configs.Select(["aws_iam", "saml", "jwt"], required=True)
-    api_host = clearskies.configs.String(default="https://api.akeyless.io")
-    profile = clearskies.configs.String(regexp=r"^[\d\w\-]+$")
-
-    _token_refresh: datetime.datetime = None  # type: ignore
-    _token: str = ""
-    _api: Any = None
-
-    def __init__(self, access_id: str, access_type: str, jwt_env_key: str = "", api_host: str = "", profile: str = ""):
-        self.access_id = access_id
-        self.access_type = access_type
-        self.jwt_env_key = jwt_env_key
-        self.api_host = api_host
-        self.profile = profile
-        if self.access_type == "jwt" and not self.jwt_env_key:
-            raise ValueError("When using the JWT access type for Akeyless you must provide jwt_env_key")
-
-        self.finalize_and_validate_configuration()
-
-    @property
-    def api(self) -> Any:
-        if self._api is None:
-            configuration = self.akeyless.Configuration(host=self.api_host)
-            self._api = self.akeyless.V2Api(self.akeyless.ApiClient(configuration))
-        return self._api
-
-    def create(self, path: str, value: Any) -> bool:
-        res = self.api.create_secret(self.akeyless.CreateSecret(name=path, value=str(value), token=self._get_token()))
-        return True
-
-    def get(self, path: str, silent_if_not_found: bool = False) -> str:
-        try:
-            res = self._api.get_secret_value(self.akeyless.GetSecretValue(names=[path], token=self._get_token()))
-        except Exception as e:
-            if e.status == 404:  # type: ignore
-                if silent_if_not_found:
-                    return ""
-                raise KeyError(f"Secret '{path}' not found")
-            raise e
-        return res[path]
-
-    def get_dynamic_secret(self, path: str, args: dict[str, Any] | None = None) -> Any:
-        kwargs = {
-            "name": path,
-            "token": self._get_token(),
-        }
-        if args:
-            kwargs["args"] = args  # type: ignore
-
-        return self._api.get_dynamic_secret_value(self.akeyless.GetDynamicSecretValue(**kwargs))
-
-    def get_rotated_secret(self, path: str, args: dict[str, Any] | None = None) -> Any:
-        kwargs = {
-            "names": path,
-            "token": self._get_token(),
-        }
-        if args:
-            kwargs["args"] = args  # type: ignore
-
-        res = self._api.get_rotated_secret_value(self.akeyless.GetRotatedSecretValue(**kwargs))
-        return res
-
-    def list_secrets(self, path: str) -> list[Any]:
-        res = self._api.list_items(self.akeyless.ListItems(path=path, token=self._get_token()))
-        if not res.items:
-            return []
-
-        return [item.item_name for item in res.items]
-
-    def update(self, path: str, value: Any) -> None:
-        res = self._api.update_secret_val(
-            self.akeyless.UpdateSecretVal(name=path, value=str(value), token=self._get_token())
-        )
-
-    def upsert(self, path: str, value: Any) -> None:
-        try:
-            self.update(path, value)
-        except Exception as e:
-            self.create(path, value)
-
-    def list_sub_folders(self, main_folder: str) -> list[str]:
-        """Return the list of secrets/sub folders in the given folder."""
-        items = self._api.list_items(self.akeyless.ListItems(path=main_folder, token=self._get_token()))
-
-        # akeyless will return the absolute path and end in a slash but we only want the folder name
-        main_folder_string_len = len(main_folder)
-        return [sub_folder[main_folder_string_len:-1] for sub_folder in items.folders]
-
-    def get_ssh_certificate(self, cert_issuer: str, cert_username: str, path_to_public_file: str) -> Any:
-        with open(path_to_public_file, "r") as fp:
-            public_key = fp.read()
-
-        res = self._api.get_ssh_certificate(
-            self.akeyless.GetSSHCertificate(
-                cert_username=cert_username,
-                cert_issuer_name=cert_issuer,
-                public_key_data=public_key,
-                token=self._get_token(),
-            )
-        )
-
-        return res.data
-
-    def _get_token(self) -> str:
-        # AKeyless tokens live for an hour
-        if self._token is not None and (self._token_refresh - datetime.datetime.now()).total_seconds() > 10:
-            return self._token
-
-        auth_method_name = f"auth_{self.access_type}"
-        if not hasattr(self, auth_method_name):
-            raise ValueError(f"Requested Akeyless authentication with unsupported auth method: '{self.access_type}'")
-
-        self._token_refresh = datetime.datetime.now() + datetime.timedelta(hours=0.5)
-        self._token = getattr(self, auth_method_name)()
-        return self._token
-
-    def auth_aws_iam(self):
-        from akeyless_cloud_id import CloudId  # type: ignore
-
-        res = self._api.auth(
-            self.akeyless.Auth(access_id=self.access_id, access_type="aws_iam", cloud_id=CloudId().generate())
-        )
-        return res.token
-
-    def auth_saml(self):
-        import os
-        from pathlib import Path
-
-        os.system(f"akeyless list-items --profile {self.profile} --path /not/a/real/path > /dev/null 2>&1")
-        home = str(Path.home())
-        with open(f"{home}/.akeyless/.tmp_creds/{self.profile}-{self.access_id}", "r") as creds_file:
-            credentials = creds_file.read()
-
-        # and now we can turn that into a token
-        response = self.requests.post(
-            "https://rest.akeyless.io/",
-            data={
-                "cmd": "static-creds-auth",
-                "access-id": self.access_id,
-                "creds": credentials.strip(),
-            },
-        )
-        return response.json()["token"]
-
-    def auth_jwt(self):
-        if not self.jwt_env_key:
-            raise ValueError(
-                "To use AKeyless JWT Auth, "
-                "you must specify the name of the ENV key to load the JWT from when configuring AKeyless"
-            )
-        res = self._api.auth(
-            self.akeyless.Auth(access_id=self.access_id, access_type="jwt", jwt=self.environment.get(self.jwt_env_key))
-        )
-        return res.token
-
-
-class AkeylessSaml(Akeyless):
-    def __init__(self, access_id: str, api_host: str = "", profile: str = ""):
-        return super().__init__(access_id, "saml", api_host=api_host, profile=profile)
-
-
-class AkeylessJwt(Akeyless):
-    def __init__(self, access_id: str, jwt_env_key: str = "", api_host: str = "", profile: str = ""):
-        return super().__init__(access_id, "jwt", jwt_env_key=jwt_env_key, api_host=api_host, profile=profile)
-
-
-class AkeylessAwsIam(Akeyless):
-    def __init__(self, access_id: str, api_host: str = ""):
-        return super().__init__(access_id, "aws_iam", api_host=api_host)

clearskies/secrets/exceptions/__init__.py

@@ -1 +0,0 @@
-from .not_found import NotFound

clearskies/secrets/exceptions/not_found.py

@@ -1,2 +0,0 @@
-class NotFound(Exception):
-    pass

clearskies/secrets/secrets.py

@@ -1,38 +0,0 @@
-from typing import Any
-
-
-class Secrets:
-    def create(self, path: str, value: str) -> None:
-        raise NotImplementedError(
-            "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
-        )
-
-    def get(self, path: str, silent_if_not_found: bool = False) -> str:
-        raise NotImplementedError(
-            "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
-        )
-
-    def get_dynamic_secret(self, path: str, args: dict[str, Any] | None = None) -> Any:
-        raise NotImplementedError(
-            "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
-        )
-
-    def list_secrets(self, path: str) -> list[Any]:
-        raise NotImplementedError(
-            "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
-        )
-
-    def update(self, path: str, value: Any) -> None:
-        raise NotImplementedError(
-            "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
-        )
-
-    def upsert(self, path: str, value: Any) -> None:
-        raise NotImplementedError(
-            "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
-        )
-
-    def list_sub_folders(self, path: str) -> list[Any]:
-        raise NotImplementedError(
-            "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
-        )

clearskies/security_header.py

@@ -1,15 +0,0 @@
-from clearskies.configurable import Configurable
-
-
-class SecurityHeader(Configurable):
-    """
-    Attach all the various security headers to endpoints.
-
-    The security header classes can be attached directly to both endpoints and endpoint groups and
-    are used to set all the various security headers.
-    """
-
-    is_cors = False
-
-    def set_headers_for_input_output(self, input_output):
-        raise NotImplementedError()

clearskies/security_headers/__init__.py

@@ -1,11 +0,0 @@
-from clearskies.security_headers.cache_control import CacheControl
-from clearskies.security_headers.cors import Cors
-from clearskies.security_headers.csp import Csp
-from clearskies.security_headers.hsts import Hsts
-
-__all__ = [
-    "CacheControl",
-    "Cors",
-    "Csp",
-    "Hsts",
-]

clearskies/security_headers/cache_control.py

@@ -1,67 +0,0 @@
-import clearskies.configs
-import clearskies.decorators
-from clearskies.security_header import SecurityHeader
-
-
-class CacheControl(SecurityHeader):
-    max_age = clearskies.configs.Integer()
-    s_maxage = clearskies.configs.Integer()
-    stale_while_revalidate = clearskies.configs.Integer()
-    stale_if_error = clearskies.configs.Integer()
-    immutable = clearskies.configs.Boolean(default=False)
-    must_understand = clearskies.configs.Boolean(default=False)
-    no_cache = clearskies.configs.Boolean(default=False)
-    no_store = clearskies.configs.Boolean(default=False)
-    no_transform = clearskies.configs.Boolean(default=False)
-    private = clearskies.configs.Boolean(default=False)
-    public = clearskies.configs.Boolean(default=False)
-
-    numbers: list[str] = [
-        "max_age",
-        "stale_if_error",
-        "stale_while_revalidate",
-        "s_maxage",
-    ]
-    bools: list[str] = [
-        "immutable",
-        "must_understand",
-        "no_cache",
-        "no_store",
-        "no_transform",
-        "private",
-        "public",
-    ]
-
-    @clearskies.decorators.parameters_to_properties
-    def __init__(
-        self,
-        max_age: int | None = None,
-        s_maxage: int | None = None,
-        stale_while_revalidate: int | None = None,
-        stale_if_error: int | None = None,
-        immutable: bool = False,
-        must_understand: bool = False,
-        no_cache: bool = False,
-        no_store: bool = False,
-        no_transform: bool = False,
-        private: bool = False,
-        public: bool = False,
-    ):
-        self.finalize_and_validate_configuration()
-
-    def set_headers_for_input_output(self, input_output):
-        parts = []
-        for variable_name in self.bools:
-            value = getattr(self, variable_name)
-            if not value:
-                continue
-            parts.append(variable_name.replace("_", "-"))
-        for variable_name in self.numbers:
-            value = getattr(self, variable_name)
-            if value is None:
-                continue
-            key_name = variable_name.replace("_", "-")
-            parts.append(f"{key_name}={value}")
-        if not parts:
-            return
-        input_output.response_headers.add("cache-control", ", ".join(parts))

clearskies/security_headers/cors.py

@@ -1,50 +0,0 @@
-import clearskies.configs
-import clearskies.decorators
-from clearskies.security_header import SecurityHeader
-
-
-class Cors(SecurityHeader):
-    origin = clearskies.configs.String()
-    methods = clearskies.configs.StringList(default=[])
-    headers = clearskies.configs.StringList(default=[])
-    max_age = clearskies.configs.Integer(default=5)
-    credentials = clearskies.configs.Boolean(default=False)
-    expose_headers = clearskies.configs.StringList(default=[])
-    is_cors = True
-
-    @clearskies.decorators.parameters_to_properties
-    def __init__(
-        self,
-        credentials: bool = False,
-        expose_headers: list[str] = [],
-        headers: list[str] = [],
-        max_age: int = 5,
-        methods: list[str] = [],
-        origin: str = "",
-    ):
-        self.finalize_and_validate_configuration()
-
-    def set_headers(self, headers: list[str]):
-        self.headers = headers
-
-    def add_header(self, header: str):
-        self.headers = [*self.headers, header]
-
-    def set_methods(self, methods: list[str]):
-        self.methods = methods
-
-    def add_method(self, method: str):
-        self.methods = [*self.methods, method]
-
-    def set_headers_for_input_output(self, input_output):
-        for key in ["expose_headers", "methods", "headers"]:
-            value = getattr(self, key)
-            if not value:
-                continue
-            input_output.response_headers.add(f"access-control-allow-{key}".replace("_", "-"), ", ".join(value))
-        if self.credentials:
-            input_output.response_headers.add("access-control-allow-credentials", "true")
-        if self.max_age:
-            input_output.response_headers.add("access-control-max-age", str(self.max_age))
-        if self.origin:
-            input_output.response_headers.add("access-control-allow-origin", str(self.origin))