commonground-api-common 1.12.2__py3-none-any.whl → 2.4.1__py3-none-any.whl

vng_api_common/generators.py

@@ -1,16 +1,7 @@
-from collections import OrderedDict
-from typing import List
-
-from drf_yasg import openapi
-from drf_yasg.generators import (
+from drf_spectacular.generators import (
     EndpointEnumerator as _EndpointEnumerator,
-    OpenAPISchemaGenerator as _OpenAPISchemaGenerator,
+    SchemaGenerator as _OpenAPISchemaGenerator,
 )
-from drf_yasg.utils import get_consumes, get_produces
-from rest_framework.schemas.utils import is_list_view
-from rest_framework.settings import api_settings
-
-from vng_api_common.utils import get_view_summary
 
 
 class EndpointEnumerator(_EndpointEnumerator):
@@ -29,110 +20,18 @@ class EndpointEnumerator(_EndpointEnumerator):
 
 
 class OpenAPISchemaGenerator(_OpenAPISchemaGenerator):
-    endpoint_enumerator_class = EndpointEnumerator
-
-    def get_tags(self, request=None, public=False):
-        """Retrieve the tags for the root schema.
-
-        :param request: the request used for filtering accessible endpoints and finding the spec URI
-        :param bool public: if True, all endpoints are included regardless of access through `request`
-
-        :return: List of tags containing the tag name and a description.
-        """
-        tags = {}
+    endpoint_inspector_cls = EndpointEnumerator
 
-        endpoints = self.get_endpoints(request)
-        for path, (view_cls, methods) in sorted(endpoints.items()):
-            if "{" in path:
-                continue
-
-            tag = path.rsplit("/", 1)[-1]
-            if tag in tags:
-                continue
-
-            # exclude special non-rest actions
-            if tag.startswith("_"):
-                continue
-            tags[tag] = get_view_summary(view_cls)
-
-        return [
-            OrderedDict([("name", operation), ("description", desc)])
-            for operation, desc in sorted(tags.items())
-        ]
-
-    def get_schema(self, request=None, public=False):
-        """
-        Rewrite parent class to add 'responses' in components
+    def create_view(self, callback, method, request=None):
         """
-        endpoints = self.get_endpoints(request)
-        components = self.reference_resolver_class(
-            openapi.SCHEMA_DEFINITIONS, "responses", force_init=True
-        )
-        self.consumes = get_consumes(api_settings.DEFAULT_PARSER_CLASSES)
-        self.produces = get_produces(api_settings.DEFAULT_RENDERER_CLASSES)
-        paths, prefix = self.get_paths(endpoints, components, request, public)
-
-        security_definitions = self.get_security_definitions()
-        if security_definitions:
-            security_requirements = self.get_security_requirements(security_definitions)
-        else:
-            security_requirements = None
-
-        url = self.url
-        if url is None and request is not None:
-            url = request.build_absolute_uri()
-
-        return openapi.Swagger(
-            info=self.info,
-            paths=paths,
-            consumes=self.consumes or None,
-            produces=self.produces or None,
-            tags=self.get_tags(request, public),
-            security_definitions=security_definitions,
-            security=security_requirements,
-            _url=url,
-            _prefix=prefix,
-            _version=self.version,
-            **dict(components),
-        )
-
-    def get_path_parameters(self, path, view_cls):
-        """Return a list of Parameter instances corresponding to any templated path variables.
-
-        :param str path: templated request path
-        :param type view_cls: the view class associated with the path
-        :return: path parameters
-        :rtype: list[openapi.Parameter]
+        workaround for HEAD method which doesn't have action
         """
-        parameters = super().get_path_parameters(path, view_cls)
-
-        # see if we can specify UUID a bit more
-        for parameter in parameters:
-            # the most pragmatic of checks
-            if not parameter.name.endswith("_uuid"):
-                continue
-            parameter.format = openapi.FORMAT_UUID
-            parameter.description = "Unieke resource identifier (UUID4)"
-        return parameters
-
-    def get_operation_keys(self, subpath, method, view) -> List[str]:
-        if method != "HEAD":
-            return super().get_operation_keys(subpath, method, view)
-
-        assert not is_list_view(
-            subpath, method, view
-        ), "HEAD requests are only supported on detail endpoints"
-
-        # taken from DRF schema generation
-        named_path_components = [
-            component
-            for component in subpath.strip("/").split("/")
-            if "{" not in component
-        ]
+        if method == "HEAD":
+            view = super(_OpenAPISchemaGenerator, self).create_view(
+                callback, method, request=request
+            )
+            return view
 
-        return named_path_components + ["headers"]
+        return super().create_view(callback, method, request=request)
 
-    def get_overrides(self, view, method) -> dict:
-        if method == "HEAD":
-            return {}
-        return super().get_overrides(view, method)
+    # todo support registering and reusing Response components

vng_api_common/middleware.py

@@ -1,242 +1,16 @@
 # https://pyjwt.readthedocs.io/en/latest/usage.html#reading-headers-without-validation
 # -> we can put the organization/service in the headers itself
 import logging
-from typing import Any, Dict, Iterable, List, Optional
 
 from django.conf import settings
-from django.db import models, transaction
-from django.db.models import QuerySet
-from django.utils.translation import gettext as _
 
-import jwt
-from djangorestframework_camel_case.util import underscoreize
-from rest_framework.exceptions import PermissionDenied
 from rest_framework.response import Response
-from zds_client.client import ClientError
 
-from .authorizations.models import Applicatie, AuthorizationsConfig, Autorisatie
-from .authorizations.serializers import ApplicatieUuidSerializer
-from .constants import VERSION_HEADER, VertrouwelijkheidsAanduiding
-from .models import JWTSecret
-from .utils import get_uuid_from_path
+from .constants import VERSION_HEADER
 
 logger = logging.getLogger(__name__)
 
 
-class JWTAuth:
-    def __init__(self, encoded: str = None):
-        self.encoded = encoded
-
-    @property
-    def applicaties(self) -> Iterable[Applicatie]:
-        if self.client_id is None:
-            return []
-
-        applicaties = self._get_auth()
-
-        if not applicaties:
-            auth_data = self._request_auth()
-            applicaties = self._save_auth(auth_data)
-
-        return applicaties
-
-    @property
-    def autorisaties(self) -> models.QuerySet:
-        """
-        Retrieve all authorizations relevant to this component.
-        """
-        app_ids = [app.id for app in self.applicaties]
-        config = AuthorizationsConfig.get_solo()
-        return Autorisatie.objects.filter(
-            applicatie_id__in=app_ids, component=config.component
-        )
-
-    def _request_auth(self) -> list:
-        client = AuthorizationsConfig.get_client()
-        try:
-            response = client.list(
-                "applicatie", query_params={"clientIds": self.client_id}
-            )
-        except ClientError as exc:
-            response = exc.args[0]
-            # friendly debug - hint at where the problem is located
-            if response["status"] == 403 and response["code"] == "not_authenticated":
-                detail = _(
-                    "Component could not authenticate against the AC - "
-                    "authorizations could not be retrieved"
-                )
-                raise PermissionDenied(detail=detail, code="not_authenticated_for_ac")
-            logger.warn("Authorization component can't be accessed")
-            return []
-
-        return underscoreize(response["results"])
-
-    def _get_auth(self):
-        return Applicatie.objects.filter(client_ids__contains=[self.client_id])
-
-    @transaction.atomic
-    def _save_auth(self, auth_data):
-        applicaties = []
-
-        for applicatie_data in auth_data:
-            applicatie_serializer = ApplicatieUuidSerializer(data=applicatie_data)
-            uuid = get_uuid_from_path(applicatie_data["url"])
-            applicatie_data["uuid"] = uuid
-            applicatie_serializer.is_valid()
-            applicaties.append(applicatie_serializer.save())
-
-        return applicaties
-
-    @property
-    def payload(self) -> Optional[Dict[str, Any]]:
-        if self.encoded is None:
-            return None
-
-        if not hasattr(self, "_payload"):
-            # decode the JWT and validate it
-
-            # jwt check
-            try:
-                payload = jwt.decode(
-                    self.encoded,
-                    algorithms=["HS256"],
-                    options={"verify_signature": False},
-                    leeway=settings.JWT_LEEWAY,
-                )
-            except jwt.DecodeError:
-                logger.info("Invalid JWT encountered")
-                raise PermissionDenied(
-                    _(
-                        "JWT could not be decoded. Possibly you made a copy-paste mistake."
-                    ),
-                    code="jwt-decode-error",
-                )
-
-            # get client_id
-            try:
-                client_id = payload["client_id"]
-            except KeyError:
-                raise PermissionDenied(
-                    "Client identifier is niet aanwezig in JWT",
-                    code="missing-client-identifier",
-                )
-
-            # find client_id in DB and retrieve its secret
-            try:
-                jwt_secret = JWTSecret.objects.exclude(secret="").get(
-                    identifier=client_id
-                )
-            except JWTSecret.DoesNotExist:
-                raise PermissionDenied(
-                    "Client identifier bestaat niet", code="invalid-client-identifier"
-                )
-            else:
-                key = jwt_secret.secret
-
-            # check signature of the token
-            try:
-                payload = jwt.decode(
-                    self.encoded,
-                    key,
-                    algorithms=["HS256"],
-                    leeway=settings.JWT_LEEWAY,
-                )
-            except jwt.InvalidSignatureError:
-                logger.exception("Invalid signature - possible payload tampering?")
-                raise PermissionDenied(
-                    "Client credentials zijn niet geldig", code="invalid-jwt-signature"
-                )
-
-            self._payload = payload
-
-        return self._payload
-
-    @property
-    def client_id(self) -> str:
-        if not self.payload:
-            return None
-        return self.payload["client_id"]
-
-    def filter_vertrouwelijkheidaanduiding(self, base: QuerySet, value) -> QuerySet:
-        if value is None:
-            return base
-
-        order_provided = VertrouwelijkheidsAanduiding.get_choice_order(value)
-        order_case = VertrouwelijkheidsAanduiding.get_order_expression(
-            "max_vertrouwelijkheidaanduiding"
-        )
-
-        # In this case we are filtering Autorisatie model to look for auth which meets our needs.
-        # Therefore we're only considering authorizations here that have a max_vertrouwelijkheidaanduiding
-        # bigger or equal than what we're checking for the object.
-        # In cases when we are filtering data objects (Zaak, InformatieObject etc) it's the other way around
-
-        return base.annotate(max_vertr=order_case).filter(max_vertr__gte=order_provided)
-
-    def filter_default(self, base: QuerySet, name, value) -> QuerySet:
-        if value is None:
-            return base
-
-        return base.filter(**{name: value})
-
-    def has_auth(
-        self, scopes: List[str], component: Optional[str] = None, **fields
-    ) -> bool:
-        if scopes is None:
-            return False
-
-        scopes_provided = set()
-        config = AuthorizationsConfig.get_solo()
-        if component is None:
-            component = config.component
-
-        for applicatie in self.applicaties:
-            # allow everything
-            if applicatie.heeft_alle_autorisaties is True:
-                return True
-
-            autorisaties = applicatie.autorisaties.filter(component=component)
-
-            # filter on all additional components
-            for field_name, field_value in fields.items():
-                if hasattr(self, f"filter_{field_name}"):
-                    autorisaties = getattr(self, f"filter_{field_name}")(
-                        autorisaties, field_value
-                    )
-                else:
-                    autorisaties = self.filter_default(
-                        autorisaties, field_name, field_value
-                    )
-
-            for autorisatie in autorisaties:
-                scopes_provided.update(autorisatie.scopes)
-
-        return scopes.is_contained_in(list(scopes_provided))
-
-
-class AuthMiddleware:
-    header = "HTTP_AUTHORIZATION"
-    auth_type = "Bearer"
-
-    def __init__(self, get_response=None):
-        self.get_response = get_response
-
-    def __call__(self, request):
-        self.extract_jwt_payload(request)
-        return self.get_response(request) if self.get_response else None
-
-    def extract_jwt_payload(self, request):
-        authorization = request.META.get(self.header, "")
-        prefix = f"{self.auth_type} "
-        if authorization.startswith(prefix):
-            # grab the actual token
-            encoded = authorization[len(prefix) :]
-        else:
-            encoded = None
-
-        request.jwt_auth = JWTAuth(encoded)
-
-
 class APIVersionHeaderMiddleware:
     """
     Include a header specifying the API-version

vng_api_common/migrations/0006_delete_apicredential.py

@@ -0,0 +1,120 @@
+# Generated by Django 5.1.2 on 2024-10-24 13:51
+
+import logging
+from typing import Set
+
+from django.db import migrations, models
+from django.utils.text import slugify
+
+from zgw_consumers.constants import APITypes, AuthTypes
+
+logger = logging.getLogger(__name__)
+
+
+def _get_api_type(api_root: str) -> APITypes:
+    mapping = {
+        "/autorisaties/api/": APITypes.ac,
+        "/zaken/api/": APITypes.zrc,
+        "/catalogi/api/": APITypes.ztc,
+        "/documenten/api/": APITypes.drc,
+        "/besluiten/api/": APITypes.drc,
+    }
+
+    for path, _type in mapping.items():
+        if path in api_root.lower():
+            return _type
+
+    return APITypes.orc
+
+
+def _get_service_slug(credential: models.Model, existing_slugs: Set[str]) -> str:
+    default_slug: str = slugify(credential.label)
+
+    if default_slug not in existing_slugs or not existing_slugs:
+        return default_slug
+
+    count = 2
+    slug = f"{default_slug}-{count}"
+
+    while slug in existing_slugs:
+        count += 1
+        slug = f"{default_slug}-{count}"
+
+    return slug
+
+
+def migrate_credentials_to_service(apps, _) -> None:
+    APICredential = apps.get_model("vng_api_common", "APICredential")
+    Service = apps.get_model("zgw_consumers", "Service")
+
+    credentials = APICredential.objects.all()
+
+    existings_service_slugs = set(Service.objects.values_list("slug", flat=True))
+
+    for credential in credentials:
+        logger.info(f"Creating Service for {credential.client_id}")
+
+        service_slug = _get_service_slug(credential, existings_service_slugs)
+
+        _, created = Service.objects.get_or_create(
+            api_root=credential.api_root,
+            defaults=dict(
+                label=credential.label,
+                slug=service_slug,
+                api_type=_get_api_type(credential.api_root),
+                auth_type=AuthTypes.zgw,
+                client_id=credential.client_id,
+                secret=credential.secret,
+                user_id=credential.user_id,
+                user_representation=credential.user_representation,
+            ),
+        )
+
+        existings_service_slugs.add(service_slug)
+
+        if created:
+            logger.info(f"Created new Service for {credential.api_root}")
+        else:
+            logger.info(f"Existing service found for {credential.api_root}")
+
+
+def migrate_service_to_credentials(apps, _) -> None:
+    APICredential = apps.get_model("vng_api_common", "APICredential")
+    Service = apps.get_model("zgw_consumers", "Service")
+
+    services = Service.objects.filter(auth_type=AuthTypes.zgw)
+
+    for service in services:
+        logger.info(f"Creating APICredentials for {service.client_id}")
+
+        _, created = APICredential.objects.get_or_create(
+            api_root=service.api_root,
+            defaults=dict(
+                label=f"Migrated credentials for {service.client_id}",
+                client_id=service.client_id,
+                secret=service.secret,
+                user_id=service.user_id,
+                user_representation=service.user_representation,
+            ),
+        )
+        if created:
+            logger.info(f"Created new APICredentials for {service.api_root}")
+        else:
+            logger.info(f"Existing APICredentials found for {service.api_root}")
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vng_api_common", "0005_auto_20190614_1346"),
+        ("zgw_consumers", "0022_set_default_service_slug"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            migrate_credentials_to_service, reverse_code=migrate_service_to_credentials
+        ),
+        migrations.DeleteModel(
+            name="APICredential",
+        ),
+    ]

vng_api_common/mocks.py

@@ -1,7 +1,10 @@
 import re
 from urllib.parse import urlparse
 
-from zds_client.client import UUID_PATTERN
+UUID_PATTERN = re.compile(
+    r"[0-9a-f]{8}\-[0-9a-f]{4}\-4[0-9a-f]{3}\-[89ab][0-9a-f]{3}\-[0-9a-f]{12}",
+    flags=re.I,
+)
 
 
 class Response:

vng_api_common/models.py

@@ -1,15 +1,7 @@
-from typing import Optional, Union
-from urllib.parse import urlsplit, urlunsplit
-
 from django.db import models
-from django.db.models.functions import Length
 from django.utils.translation import gettext_lazy as _
 
 from rest_framework.reverse import reverse
-from solo.models import SingletonModel
-from zds_client import Client, ClientAuth
-
-from .client import get_client as _get_client
 
 
 class APIMixin:
@@ -34,6 +26,11 @@ class APIMixin:
         return url
 
 
+class JWTSecretManager(models.Manager):
+    def get_by_natural_key(self, identifier):
+        return self.get(identifier=identifier)
+
+
 class JWTSecret(models.Model):
     """
     Store credentials of clients that want to access our API.
@@ -53,112 +50,14 @@ class JWTSecret(models.Model):
         _("secret"), max_length=255, help_text=_("Secret belonging to the client ID.")
     )
 
+    objects = JWTSecretManager()
+
+    def natural_key(self):
+        return (self.identifier,)
+
     class Meta:
         verbose_name = _("client credential")
         verbose_name_plural = _("client credentials")
 
     def __str__(self):
         return self.identifier
-
-
-class APICredential(models.Model):
-    """
-    Store credentials for external APIs.
-
-    When we need to authenticate against a remote API, we need to know which
-    client ID and secret to use to sign the JWT.
-    """
-
-    api_root = models.URLField(
-        _("API-root"),
-        unique=True,
-        help_text=_(
-            "URL of the external API, ending in a trailing slash. Example: https://example.com/api/v1/"
-        ),
-    )
-    label = models.CharField(
-        _("label"),
-        max_length=100,
-        default="",
-        help_text=_("Human readable label of the external API."),
-    )
-    client_id = models.CharField(
-        _("client ID"),
-        max_length=255,
-        help_text=_("Client ID to identify this API at the external API."),
-    )
-    secret = models.CharField(
-        _("secret"), max_length=255, help_text=_("Secret belonging to the client ID.")
-    )
-    user_id = models.CharField(
-        _("user ID"),
-        max_length=255,
-        help_text=_(
-            "User ID to use for the audit trail. Although these external API credentials are typically used by"
-            "this API itself instead of a user, the user ID is required."
-        ),
-    )
-    user_representation = models.CharField(
-        _("user representation"),
-        max_length=255,
-        default="",
-        help_text=_("Human readable representation of the user."),
-    )
-
-    class Meta:
-        verbose_name = _("external API credential")
-        verbose_name_plural = _("external API credentials")
-
-    def __str__(self):
-        return self.api_root
-
-    @classmethod
-    def get_auth(cls, url: str, **kwargs) -> Union[ClientAuth, None]:
-        split_url = urlsplit(url)
-        scheme_and_domain = urlunsplit(split_url[:2] + ("", "", ""))
-
-        candidates = (
-            cls.objects.filter(api_root__startswith=scheme_and_domain)
-            .annotate(api_root_length=Length("api_root"))
-            .order_by("-api_root_length")
-        )
-
-        # select the one matching
-        for candidate in candidates.iterator():
-            if url.startswith(candidate.api_root):
-                credentials = candidate
-                break
-        else:
-            return None
-
-        auth = ClientAuth(
-            client_id=credentials.client_id,
-            secret=credentials.secret,
-            user_id=credentials.user_id,
-            user_representation=credentials.user_representation,
-            **kwargs,
-        )
-        return auth
-
-
-class ClientConfig(SingletonModel):
-    api_root = models.URLField(_("api root"), unique=True)
-
-    class Meta:
-        abstract = True
-
-    def __str__(self):
-        return self.api_root
-
-    def save(self, *args, **kwargs):
-        if not self.api_root.endswith("/"):
-            self.api_root = f"{self.api_root}/"
-        super().save(*args, **kwargs)
-
-    @classmethod
-    def get_client(cls) -> Optional[Client]:
-        """
-        Construct a client, prepared with the required auth.
-        """
-        config = cls.get_solo()
-        return _get_client(config.api_root, url_is_api_root=True)