commonground-api-common 1.13.0__py3-none-any.whl → 2.4.1__py3-none-any.whl

vng_api_common/middleware.py

@@ -1,242 +1,16 @@
 # https://pyjwt.readthedocs.io/en/latest/usage.html#reading-headers-without-validation
 # -> we can put the organization/service in the headers itself
 import logging
-from typing import Any, Dict, Iterable, List, Optional
 
 from django.conf import settings
-from django.db import models, transaction
-from django.db.models import QuerySet
-from django.utils.translation import gettext as _
 
-import jwt
-from djangorestframework_camel_case.util import underscoreize
-from rest_framework.exceptions import PermissionDenied
 from rest_framework.response import Response
-from zds_client.client import ClientError
 
-from .authorizations.models import Applicatie, AuthorizationsConfig, Autorisatie
-from .authorizations.serializers import ApplicatieUuidSerializer
-from .constants import VERSION_HEADER, VertrouwelijkheidsAanduiding
-from .models import JWTSecret
-from .utils import get_uuid_from_path
+from .constants import VERSION_HEADER
 
 logger = logging.getLogger(__name__)
 
 
-class JWTAuth:
-    def __init__(self, encoded: str = None):
-        self.encoded = encoded
-
-    @property
-    def applicaties(self) -> Iterable[Applicatie]:
-        if self.client_id is None:
-            return []
-
-        applicaties = self._get_auth()
-
-        if not applicaties:
-            auth_data = self._request_auth()
-            applicaties = self._save_auth(auth_data)
-
-        return applicaties
-
-    @property
-    def autorisaties(self) -> models.QuerySet:
-        """
-        Retrieve all authorizations relevant to this component.
-        """
-        app_ids = [app.id for app in self.applicaties]
-        config = AuthorizationsConfig.get_solo()
-        return Autorisatie.objects.filter(
-            applicatie_id__in=app_ids, component=config.component
-        )
-
-    def _request_auth(self) -> list:
-        client = AuthorizationsConfig.get_client()
-        try:
-            response = client.list(
-                "applicatie", query_params={"clientIds": self.client_id}
-            )
-        except ClientError as exc:
-            response = exc.args[0]
-            # friendly debug - hint at where the problem is located
-            if response["status"] == 403 and response["code"] == "not_authenticated":
-                detail = _(
-                    "Component could not authenticate against the AC - "
-                    "authorizations could not be retrieved"
-                )
-                raise PermissionDenied(detail=detail, code="not_authenticated_for_ac")
-            logger.warn("Authorization component can't be accessed")
-            return []
-
-        return underscoreize(response["results"])
-
-    def _get_auth(self):
-        return Applicatie.objects.filter(client_ids__contains=[self.client_id])
-
-    @transaction.atomic
-    def _save_auth(self, auth_data):
-        applicaties = []
-
-        for applicatie_data in auth_data:
-            applicatie_serializer = ApplicatieUuidSerializer(data=applicatie_data)
-            uuid = get_uuid_from_path(applicatie_data["url"])
-            applicatie_data["uuid"] = uuid
-            applicatie_serializer.is_valid()
-            applicaties.append(applicatie_serializer.save())
-
-        return applicaties
-
-    @property
-    def payload(self) -> Optional[Dict[str, Any]]:
-        if self.encoded is None:
-            return None
-
-        if not hasattr(self, "_payload"):
-            # decode the JWT and validate it
-
-            # jwt check
-            try:
-                payload = jwt.decode(
-                    self.encoded,
-                    algorithms=["HS256"],
-                    options={"verify_signature": False},
-                    leeway=settings.JWT_LEEWAY,
-                )
-            except jwt.DecodeError:
-                logger.info("Invalid JWT encountered")
-                raise PermissionDenied(
-                    _(
-                        "JWT could not be decoded. Possibly you made a copy-paste mistake."
-                    ),
-                    code="jwt-decode-error",
-                )
-
-            # get client_id
-            try:
-                client_id = payload["client_id"]
-            except KeyError:
-                raise PermissionDenied(
-                    "Client identifier is niet aanwezig in JWT",
-                    code="missing-client-identifier",
-                )
-
-            # find client_id in DB and retrieve its secret
-            try:
-                jwt_secret = JWTSecret.objects.exclude(secret="").get(
-                    identifier=client_id
-                )
-            except JWTSecret.DoesNotExist:
-                raise PermissionDenied(
-                    "Client identifier bestaat niet", code="invalid-client-identifier"
-                )
-            else:
-                key = jwt_secret.secret
-
-            # check signature of the token
-            try:
-                payload = jwt.decode(
-                    self.encoded,
-                    key,
-                    algorithms=["HS256"],
-                    leeway=settings.JWT_LEEWAY,
-                )
-            except jwt.InvalidSignatureError:
-                logger.exception("Invalid signature - possible payload tampering?")
-                raise PermissionDenied(
-                    "Client credentials zijn niet geldig", code="invalid-jwt-signature"
-                )
-
-            self._payload = payload
-
-        return self._payload
-
-    @property
-    def client_id(self) -> str:
-        if not self.payload:
-            return None
-        return self.payload["client_id"]
-
-    def filter_vertrouwelijkheidaanduiding(self, base: QuerySet, value) -> QuerySet:
-        if value is None:
-            return base
-
-        order_provided = VertrouwelijkheidsAanduiding.get_choice_order(value)
-        order_case = VertrouwelijkheidsAanduiding.get_order_expression(
-            "max_vertrouwelijkheidaanduiding"
-        )
-
-        # In this case we are filtering Autorisatie model to look for auth which meets our needs.
-        # Therefore we're only considering authorizations here that have a max_vertrouwelijkheidaanduiding
-        # bigger or equal than what we're checking for the object.
-        # In cases when we are filtering data objects (Zaak, InformatieObject etc) it's the other way around
-
-        return base.annotate(max_vertr=order_case).filter(max_vertr__gte=order_provided)
-
-    def filter_default(self, base: QuerySet, name, value) -> QuerySet:
-        if value is None:
-            return base
-
-        return base.filter(**{name: value})
-
-    def has_auth(
-        self, scopes: List[str], component: Optional[str] = None, **fields
-    ) -> bool:
-        if scopes is None:
-            return False
-
-        scopes_provided = set()
-        config = AuthorizationsConfig.get_solo()
-        if component is None:
-            component = config.component
-
-        for applicatie in self.applicaties:
-            # allow everything
-            if applicatie.heeft_alle_autorisaties is True:
-                return True
-
-            autorisaties = applicatie.autorisaties.filter(component=component)
-
-            # filter on all additional components
-            for field_name, field_value in fields.items():
-                if hasattr(self, f"filter_{field_name}"):
-                    autorisaties = getattr(self, f"filter_{field_name}")(
-                        autorisaties, field_value
-                    )
-                else:
-                    autorisaties = self.filter_default(
-                        autorisaties, field_name, field_value
-                    )
-
-            for autorisatie in autorisaties:
-                scopes_provided.update(autorisatie.scopes)
-
-        return scopes.is_contained_in(list(scopes_provided))
-
-
-class AuthMiddleware:
-    header = "HTTP_AUTHORIZATION"
-    auth_type = "Bearer"
-
-    def __init__(self, get_response=None):
-        self.get_response = get_response
-
-    def __call__(self, request):
-        self.extract_jwt_payload(request)
-        return self.get_response(request) if self.get_response else None
-
-    def extract_jwt_payload(self, request):
-        authorization = request.META.get(self.header, "")
-        prefix = f"{self.auth_type} "
-        if authorization.startswith(prefix):
-            # grab the actual token
-            encoded = authorization[len(prefix) :]
-        else:
-            encoded = None
-
-        request.jwt_auth = JWTAuth(encoded)
-
-
 class APIVersionHeaderMiddleware:
     """
     Include a header specifying the API-version

vng_api_common/migrations/0006_delete_apicredential.py

@@ -0,0 +1,120 @@
+# Generated by Django 5.1.2 on 2024-10-24 13:51
+
+import logging
+from typing import Set
+
+from django.db import migrations, models
+from django.utils.text import slugify
+
+from zgw_consumers.constants import APITypes, AuthTypes
+
+logger = logging.getLogger(__name__)
+
+
+def _get_api_type(api_root: str) -> APITypes:
+    mapping = {
+        "/autorisaties/api/": APITypes.ac,
+        "/zaken/api/": APITypes.zrc,
+        "/catalogi/api/": APITypes.ztc,
+        "/documenten/api/": APITypes.drc,
+        "/besluiten/api/": APITypes.drc,
+    }
+
+    for path, _type in mapping.items():
+        if path in api_root.lower():
+            return _type
+
+    return APITypes.orc
+
+
+def _get_service_slug(credential: models.Model, existing_slugs: Set[str]) -> str:
+    default_slug: str = slugify(credential.label)
+
+    if default_slug not in existing_slugs or not existing_slugs:
+        return default_slug
+
+    count = 2
+    slug = f"{default_slug}-{count}"
+
+    while slug in existing_slugs:
+        count += 1
+        slug = f"{default_slug}-{count}"
+
+    return slug
+
+
+def migrate_credentials_to_service(apps, _) -> None:
+    APICredential = apps.get_model("vng_api_common", "APICredential")
+    Service = apps.get_model("zgw_consumers", "Service")
+
+    credentials = APICredential.objects.all()
+
+    existings_service_slugs = set(Service.objects.values_list("slug", flat=True))
+
+    for credential in credentials:
+        logger.info(f"Creating Service for {credential.client_id}")
+
+        service_slug = _get_service_slug(credential, existings_service_slugs)
+
+        _, created = Service.objects.get_or_create(
+            api_root=credential.api_root,
+            defaults=dict(
+                label=credential.label,
+                slug=service_slug,
+                api_type=_get_api_type(credential.api_root),
+                auth_type=AuthTypes.zgw,
+                client_id=credential.client_id,
+                secret=credential.secret,
+                user_id=credential.user_id,
+                user_representation=credential.user_representation,
+            ),
+        )
+
+        existings_service_slugs.add(service_slug)
+
+        if created:
+            logger.info(f"Created new Service for {credential.api_root}")
+        else:
+            logger.info(f"Existing service found for {credential.api_root}")
+
+
+def migrate_service_to_credentials(apps, _) -> None:
+    APICredential = apps.get_model("vng_api_common", "APICredential")
+    Service = apps.get_model("zgw_consumers", "Service")
+
+    services = Service.objects.filter(auth_type=AuthTypes.zgw)
+
+    for service in services:
+        logger.info(f"Creating APICredentials for {service.client_id}")
+
+        _, created = APICredential.objects.get_or_create(
+            api_root=service.api_root,
+            defaults=dict(
+                label=f"Migrated credentials for {service.client_id}",
+                client_id=service.client_id,
+                secret=service.secret,
+                user_id=service.user_id,
+                user_representation=service.user_representation,
+            ),
+        )
+        if created:
+            logger.info(f"Created new APICredentials for {service.api_root}")
+        else:
+            logger.info(f"Existing APICredentials found for {service.api_root}")
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vng_api_common", "0005_auto_20190614_1346"),
+        ("zgw_consumers", "0022_set_default_service_slug"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            migrate_credentials_to_service, reverse_code=migrate_service_to_credentials
+        ),
+        migrations.DeleteModel(
+            name="APICredential",
+        ),
+    ]

vng_api_common/mocks.py

@@ -1,7 +1,10 @@
 import re
 from urllib.parse import urlparse
 
-from zds_client.client import UUID_PATTERN
+UUID_PATTERN = re.compile(
+    r"[0-9a-f]{8}\-[0-9a-f]{4}\-4[0-9a-f]{3}\-[89ab][0-9a-f]{3}\-[0-9a-f]{12}",
+    flags=re.I,
+)
 
 
 class Response:

vng_api_common/models.py

@@ -1,15 +1,7 @@
-from typing import Optional, Union
-from urllib.parse import urlsplit, urlunsplit
-
 from django.db import models
-from django.db.models.functions import Length
 from django.utils.translation import gettext_lazy as _
 
 from rest_framework.reverse import reverse
-from solo.models import SingletonModel
-from zds_client import Client, ClientAuth
-
-from .client import get_client as _get_client
 
 
 class APIMixin:
@@ -34,6 +26,11 @@ class APIMixin:
         return url
 
 
+class JWTSecretManager(models.Manager):
+    def get_by_natural_key(self, identifier):
+        return self.get(identifier=identifier)
+
+
 class JWTSecret(models.Model):
     """
     Store credentials of clients that want to access our API.
@@ -53,112 +50,14 @@ class JWTSecret(models.Model):
         _("secret"), max_length=255, help_text=_("Secret belonging to the client ID.")
     )
 
+    objects = JWTSecretManager()
+
+    def natural_key(self):
+        return (self.identifier,)
+
     class Meta:
         verbose_name = _("client credential")
         verbose_name_plural = _("client credentials")
 
     def __str__(self):
         return self.identifier
-
-
-class APICredential(models.Model):
-    """
-    Store credentials for external APIs.
-
-    When we need to authenticate against a remote API, we need to know which
-    client ID and secret to use to sign the JWT.
-    """
-
-    api_root = models.URLField(
-        _("API-root"),
-        unique=True,
-        help_text=_(
-            "URL of the external API, ending in a trailing slash. Example: https://example.com/api/v1/"
-        ),
-    )
-    label = models.CharField(
-        _("label"),
-        max_length=100,
-        default="",
-        help_text=_("Human readable label of the external API."),
-    )
-    client_id = models.CharField(
-        _("client ID"),
-        max_length=255,
-        help_text=_("Client ID to identify this API at the external API."),
-    )
-    secret = models.CharField(
-        _("secret"), max_length=255, help_text=_("Secret belonging to the client ID.")
-    )
-    user_id = models.CharField(
-        _("user ID"),
-        max_length=255,
-        help_text=_(
-            "User ID to use for the audit trail. Although these external API credentials are typically used by"
-            "this API itself instead of a user, the user ID is required."
-        ),
-    )
-    user_representation = models.CharField(
-        _("user representation"),
-        max_length=255,
-        default="",
-        help_text=_("Human readable representation of the user."),
-    )
-
-    class Meta:
-        verbose_name = _("external API credential")
-        verbose_name_plural = _("external API credentials")
-
-    def __str__(self):
-        return self.api_root
-
-    @classmethod
-    def get_auth(cls, url: str, **kwargs) -> Union[ClientAuth, None]:
-        split_url = urlsplit(url)
-        scheme_and_domain = urlunsplit(split_url[:2] + ("", "", ""))
-
-        candidates = (
-            cls.objects.filter(api_root__startswith=scheme_and_domain)
-            .annotate(api_root_length=Length("api_root"))
-            .order_by("-api_root_length")
-        )
-
-        # select the one matching
-        for candidate in candidates.iterator():
-            if url.startswith(candidate.api_root):
-                credentials = candidate
-                break
-        else:
-            return None
-
-        auth = ClientAuth(
-            client_id=credentials.client_id,
-            secret=credentials.secret,
-            user_id=credentials.user_id,
-            user_representation=credentials.user_representation,
-            **kwargs,
-        )
-        return auth
-
-
-class ClientConfig(SingletonModel):
-    api_root = models.URLField(_("api root"), unique=True)
-
-    class Meta:
-        abstract = True
-
-    def __str__(self):
-        return self.api_root
-
-    def save(self, *args, **kwargs):
-        if not self.api_root.endswith("/"):
-            self.api_root = f"{self.api_root}/"
-        super().save(*args, **kwargs)
-
-    @classmethod
-    def get_client(cls) -> Optional[Client]:
-        """
-        Construct a client, prepared with the required auth.
-        """
-        config = cls.get_solo()
-        return _get_client(config.api_root, url_is_api_root=True)

vng_api_common/notifications/api/views.py

@@ -1,8 +1,9 @@
 from django.conf import settings
 from django.utils.module_loading import import_string
 
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from notifications_api_common.api.serializers import NotificatieSerializer
+from notifications_api_common.constants import SCOPE_NOTIFICATIES_PUBLICEREN_LABEL
 from rest_framework import status
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -10,7 +11,6 @@ from rest_framework.views import APIView
 from ...permissions import AuthScopesRequired
 from ...scopes import Scope
 from ...serializers import FoutSerializer, ValidatieFoutSerializer
-from ..constants import SCOPE_NOTIFICATIES_PUBLICEREN_LABEL
 
 
 class NotificationBaseView(APIView):
@@ -18,17 +18,15 @@ class NotificationBaseView(APIView):
     Abstract view to receive webhooks
     """
 
-    swagger_schema = None
+    schema = None
 
     permission_classes = (AuthScopesRequired,)
-    required_scopes = Scope(
-        SCOPE_NOTIFICATIES_PUBLICEREN_LABEL
-    )  # FIXME: this should be standalone!
+    required_scopes = Scope(SCOPE_NOTIFICATIES_PUBLICEREN_LABEL, private=True)
 
     def get_serializer(self, *args, **kwargs):
         return NotificatieSerializer(*args, **kwargs)
 
-    @swagger_auto_schema(
+    @extend_schema(
         responses={
             204: "",
             400: ValidatieFoutSerializer,
@@ -55,7 +53,9 @@ class NotificationBaseView(APIView):
 class NotificationView(NotificationBaseView):
     action = "create"
     permission_classes = (AuthScopesRequired,)
-    required_scopes = {"create": Scope(SCOPE_NOTIFICATIES_PUBLICEREN_LABEL)}
+    required_scopes = {
+        "create": Scope(SCOPE_NOTIFICATIES_PUBLICEREN_LABEL, private=True)
+    }
 
     def create(self, request, *args, **kwargs):
         return self.post(request, *args, **kwargs)

vng_api_common/notifications/handlers.py

@@ -4,7 +4,7 @@ from djangorestframework_camel_case.util import underscoreize
 
 from ..authorizations.models import Applicatie
 from ..authorizations.serializers import ApplicatieUuidSerializer
-from ..client import get_client
+from ..client import get_client, to_internal_data
 from ..constants import CommonResourceAction
 from ..utils import get_uuid_from_path
 
@@ -20,8 +20,13 @@ class LoggingHandler:
 class AuthHandler:
     def _request_auth(self, url: str) -> dict:
         client = get_client(url)
-        response = client.retrieve("applicatie", url)
-        return underscoreize(response)
+
+        if not client:
+            return {}
+
+        response = client.get(url)
+        data = to_internal_data(response)
+        return underscoreize(data)
 
     def handle(self, message: dict) -> None:
         uuid = get_uuid_from_path(message["resource_url"])

vng_api_common/notifications/migrations/0011_remove_subscription_config_and_more.py

@@ -0,0 +1,23 @@
+# Generated by Django 5.1.2 on 2024-10-25 14:07
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("notifications", "0010_auto_20220704_1419"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="subscription",
+            name="config",
+        ),
+        migrations.DeleteModel(
+            name="NotificationsConfig",
+        ),
+        migrations.DeleteModel(
+            name="Subscription",
+        ),
+    ]

vng_api_common/oas.py

@@ -1,23 +1,19 @@
 """
 Utility module for Open API Specification 3.0.x.
-
-This should get merged into gemma-zds-client, but some heavy refactoring is
-needed for that.
 """
 
 from typing import Union
 
 import requests
 import yaml
-from drf_yasg import openapi
 
 TYPE_MAP = {
-    openapi.TYPE_OBJECT: dict,
-    openapi.TYPE_STRING: str,
-    openapi.TYPE_NUMBER: (float, int),
-    openapi.TYPE_INTEGER: int,
-    openapi.TYPE_BOOLEAN: bool,
-    openapi.TYPE_ARRAY: list,
+    "object": dict,
+    "string": str,
+    "number": (float, int),
+    "integer": int,
+    "boolean": bool,
+    "array": list,
 }
 
 

vng_api_common/pagination.py

@@ -0,0 +1,10 @@
+from rest_framework.pagination import PageNumberPagination
+
+
+class DynamicPageSizeMixin:
+    page_size = 100
+    page_size_query_param = "pageSize"
+    max_page_size = 500
+
+
+class DynamicPageSizePagination(DynamicPageSizeMixin, PageNumberPagination): ...

vng_api_common/routers.py

@@ -8,7 +8,7 @@ class APIRootView(_APIRootView):
     permission_classes = ()
 
 
-class ZDSNestedRegisteringMixin:
+class NestedRegisteringMixin:
     _nested_router = None
 
     def __init__(self, *args, **kwargs):
@@ -47,11 +47,11 @@ class ZDSNestedRegisteringMixin:
             )
 
 
-class NestedSimpleRouter(ZDSNestedRegisteringMixin, routers.NestedSimpleRouter):
+class NestedSimpleRouter(NestedRegisteringMixin, routers.NestedSimpleRouter):
     pass
 
 
-class DefaultRouter(ZDSNestedRegisteringMixin, routers.DefaultRouter):
+class DefaultRouter(NestedRegisteringMixin, routers.DefaultRouter):
     APIRootView = APIRootView