contentgrid-extension-helpers 0.0.1__py3-none-any.whl

contentgrid_extension_helpers/authentication/__init__.py

@@ -0,0 +1,2 @@
+from .oidc import create_current_user_dependency, decode_and_verify_token, create_oauth2_scheme, get_jwks_client
+from .user import ContentGridUser

contentgrid_extension_helpers/authentication/oidc.py

@@ -0,0 +1,238 @@
+import logging
+import os
+import hyperlink
+from typing import Annotated, Optional
+
+from contentgrid_extension_helpers.authentication.user import ContentGridUser
+import jwt
+import requests
+from dotenv import load_dotenv
+from fastapi import Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer
+from pydantic import BaseModel
+
+# Load environment variables
+load_dotenv()
+load_dotenv(".env.secret")
+
+# Default constants
+DEFAULT_ALGORITHM = "RS256"
+
+
+def _get_jwks_client_from_config_uri(config_uri: str) -> tuple[dict, jwt.PyJWKClient]:
+    """
+    Common helper function to retrieve JWKS client from a configuration URI.
+
+    Args:
+        config_uri: The URI to find the OAuth/OIDC configuration.
+
+    Returns:
+        Tuple of OAuth/OIDC configuration and JWKS client.
+    """
+    try:
+        config = requests.get(config_uri).json()
+        return config, jwt.PyJWKClient(config["jwks_uri"])
+    except (requests.RequestException, KeyError) as e:
+        logging.exception(f"Error retrieving configuration: {e}")
+        raise
+
+def get_oidc_jwks_client(
+    oidc_issuer: str,
+) -> tuple[dict, jwt.PyJWKClient]:
+    """
+    Retrieves the JWKS (JSON Web Key Set) client from the OIDC (OpenID Connect) issuer configuration URI.
+    
+    Args:
+        oidc_issuer (str): The OIDC issuer URL. The issuer URL is used to retrieve the JWKS URI.
+                            The url is adjusted to point to the .well-known/openid-configuration path, based on the OpenID Connect specification.
+                            If not on the default endpoint, use function _get_jwks_client_from_config_uri instead.
+    
+    Returns:
+        Tuple[dict, jwt.PyJWKClient]: A tuple containing the OIDC configuration and the JWKS client.
+    """
+    oidc_issuer_url: hyperlink.URL = hyperlink.parse(oidc_issuer)
+    assert oidc_issuer_url.absolute
+
+    oidc_config_uri = oidc_issuer_url.replace(
+        path=oidc_issuer_url.path + (".well-known", "openid-configuration") 
+    ).to_iri().to_text()
+
+    return _get_jwks_client_from_config_uri(oidc_config_uri)
+
+def get_oauth_jwks_client(
+    oauth_issuer: str,
+    oauth_config_uri: Optional[str] = None,
+) -> tuple[dict, jwt.PyJWKClient]:
+    """
+    Retrieve JWKS client from a generic OAuth 2.0 issuer.  Constructs the configuration URI if not provided.
+
+    Args:
+        oauth_issuer: OAuth issuer used to construct the configuration URI.
+        oauth_config_uri: Optional URI to find the OAuth config. If not provided, will be derived from oauth_issuer.
+
+    Returns:
+        Tuple of OAuth configuration and JWKS client.
+    """
+    if not oauth_issuer:
+        oauth_issuer = os.environ.get("OAUTH_ISSUER", None) 
+    assert oauth_issuer
+    oauth_issuer_url = hyperlink.parse(oauth_issuer)
+    assert oauth_issuer_url.absolute
+
+    if oauth_config_uri is None:
+        oauth_config_uri = oauth_issuer_url.replace(
+            path=(".well-known", "oauth-authorization-server") + oauth_issuer_url.path
+        ).to_iri().to_text()
+
+    return _get_jwks_client_from_config_uri(oauth_config_uri)
+
+def decode_and_verify_token(
+    access_token: str, 
+    jwks_client: jwt.PyJWKClient, 
+    issuer: str, 
+    algorithms: Optional[list[str]] = None,
+    audience: Optional[str] = None,
+    verify_exp: bool = True,
+    verify_aud: bool = True,
+    verify_iss: bool = True,
+    verify_nbf: bool = False,
+    verify_iat: bool = False,
+) -> dict:
+    """
+    Decode and verify the access token with flexible configuration.
+    """
+    if not issuer:
+        issuer = os.environ.get("OIDC_ISSUER", None)
+
+    if not audience:
+        audience = os.environ.get("AUDIENCE", None)
+
+    if verify_iss and issuer is None:
+        raise Exception("Issuer not provided while expecting to verify the issuer.")
+    
+    if verify_aud and audience is None:
+        raise Exception("Audience not provided while expecting to verify the audience.")
+    
+    if algorithms is None:
+        algorithms = [os.environ.get("ALGORITHM", DEFAULT_ALGORITHM)]
+    
+    try:
+        signing_key = jwks_client.get_signing_key_from_jwt(access_token)
+        data = jwt.decode(
+            access_token,
+            signing_key.key,
+            algorithms=algorithms,
+            issuer=issuer,
+            audience=audience,
+            options={
+                "verify_exp": verify_exp,
+                "verify_aud": verify_aud,
+                "verify_iss": verify_iss,
+                "verify_iat": verify_iat,
+                "verify_nbf": verify_nbf
+            },
+        )
+        data["access_token"] = access_token
+        return data
+    except jwt.PyJWTError as e:
+        logging.exception(f"Token verification failed: {e}")
+        raise
+
+def create_oauth2_scheme(token_url: str = "token") -> OAuth2PasswordBearer:
+    """
+    Create OAuth2 password bearer scheme with configurable token URL.
+    """
+    return OAuth2PasswordBearer(tokenUrl=token_url)
+
+def create_current_user_dependency(
+    jwks_client: jwt.PyJWKClient,
+    oidc_issuer: Optional[str] = None,
+    audience: Optional[str] = None,
+    user_model: type[BaseModel] = ContentGridUser,
+    token_url: str = "token",
+    algorithms: Optional[list[str]] = None,
+    verify_exp: bool = True,
+    verify_aud: bool = True,
+    verify_iss: bool = True,
+    verify_nbf: bool = False,
+    verify_iat: bool = False,
+):
+    """
+    Creates a FastAPI dependency for retrieving and verifying the current user from a JWT.
+
+    This function sets up an OAuth2PasswordBearer scheme and a dependency that can be used
+    in FastAPI endpoints to authenticate users based on JWTs (JSON Web Tokens). It handles
+    token decoding, verification, and user data extraction.
+
+    Args:
+        jwks_client: The PyJWKClient instance used to verify the JWT signature.  This client
+                     should be initialized with the correct JWKS (JSON Web Key Set) for your
+                     authentication provider.
+        oidc_issuer: The expected issuer of the JWT (e.g., "https://extensions.eu-west-1.contentgrid.cloud/authentication/external").  This value
+                     is used to verify the `iss` (issuer) claim in the JWT.  If provided, the
+                     `verify_iss` parameter must be True.
+        audience: The expected audience of the JWT (e.g., "contentgrid:extension:extract").  This value is used to
+                  verify the `aud` (audience) claim in the JWT. If provided, the `verify_aud`
+                  parameter must be True.  This is a crucial security setting.
+        user_model: The Pydantic model that represents the user data. Defaults to ContentGridUser.
+                     This model will be used to deserialize the JWT payload after successful
+                     verification.  It should match the structure of the claims in your JWT.
+        token_url: The URL of the token endpoint. This is used by the OAuth2PasswordBearer
+                   scheme for its OpenAPI documentation and is typically "/token".
+        algorithms: A list of allowed algorithms for JWT verification (e.g., ["RS256", "ES256"]).
+                    Defaults to None, which might use a default algorithm or an algorithm from the environment.
+                    It's highly recommended to explicitly specify the allowed algorithms for security reasons.
+        verify_exp: Whether to verify the 'exp' (expiration time) claim of the JWT. Defaults to True.
+        verify_aud: Whether to verify the 'aud' (audience) claim of the JWT. Defaults to True.
+        verify_iss: Whether to verify the 'iss' (issuer) claim of the JWT. Defaults to True.
+        verify_nbf: Whether to verify the 'nbf' (not before) claim of the JWT. Defaults to False.
+        verify_iat: Whether to verify the 'iat' (issued at) claim of the JWT. Defaults to False.
+
+    Returns:
+        A callable (dependency) that can be used with FastAPI's `Depends()` to inject
+        the authenticated user into an endpoint.  The dependency raises an HTTPException
+        with a 401 status code if authentication fails.
+
+    Raises:
+        HTTPException: If the token is invalid, expired, has an invalid signature, incorrect issuer or audience,
+                       or if the user data cannot be extracted.
+
+    Example:
+        # Assuming you have a jwks_client and oidc_issuer configured:
+        get_current_user = create_current_user_dependency(
+            jwks_client=my_jwks_client,
+            oidc_issuer="https://extensions.eu-west-1.contentgrid.cloud/authentication/external",
+            audience="contentgrid:extension:extract"  # Important: Set the audience!
+        )
+
+        @app.get("/items/")
+        async def read_items(current_user: ContentGridUser = Depends(get_current_user)):
+            # current_user is now an instance of ContentGridUser, populated from the JWT
+            return {"user": current_user}
+    """
+    oauth2_scheme = create_oauth2_scheme(token_url)
+
+    async def get_current_user(token: Annotated[str, Depends(oauth2_scheme)]) -> BaseModel:
+        try:
+            token_data = decode_and_verify_token(
+                access_token=token, 
+                jwks_client=jwks_client,
+                audience=audience,
+                issuer=oidc_issuer,
+                algorithms=algorithms,
+                verify_aud=verify_aud,
+                verify_exp=verify_exp,
+                verify_iss=verify_iss,
+                verify_nbf=verify_nbf,
+                verify_iat=verify_iat
+            )
+            return user_model(**token_data)
+        except Exception:
+            logging.exception("Exception thrown in user verification.")
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid authentication credentials",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+
+    return get_current_user

contentgrid_extension_helpers/authentication/user.py

@@ -0,0 +1,9 @@
+from pydantic import BaseModel
+
+class ContentGridUser(BaseModel):
+    sub: str
+    iss: str
+    exp: float
+    name: str | None = None
+    email: str | None = None
+    access_token: str

contentgrid_extension_helpers/logging/__init__.py

@@ -0,0 +1 @@
+from .json_logging import setup_json_logging, XenitJsonFormatter

contentgrid_extension_helpers/logging/json_logging.py

@@ -0,0 +1,93 @@
+import datetime
+import json
+import logging
+import time
+from typing import List, Optional, Any, Dict
+
+class XenitJsonFormatter(logging.Formatter):
+    def __init__(
+        self, 
+        component: str, 
+        additional_keys: dict[str,str] = {}, 
+        fmt: Optional[str] = None, 
+        datefmt: Optional[str] = None, 
+        style: str = "%", 
+        validate: bool = True, 
+        defaults: Optional[Dict[str, Any]] = None
+    ):
+        super().__init__(fmt, datefmt, style, validate, defaults=defaults)
+        self.component = component
+        self.additional_keys = additional_keys
+
+    def format(self, record: logging.LogRecord) -> str:
+        log_entry = {
+            "timestamp": time.time(),
+            "type": "application",
+            "component": self.component,
+            "time": datetime.datetime.now(datetime.UTC).isoformat(
+                sep=" ", timespec="milliseconds"
+            ),
+            "shortMessage": record.getMessage() if record.getMessage() else "",
+            "loggerName": record.name,
+            "severity": record.levelname,
+            "thread": record.threadName,
+            "fullMessage": self._get_full_message(record),
+            "level": record.levelno,
+            "sourceClassName": record.pathname,
+            "sourceLineNumber": record.lineno,
+            "sourceMethodName": record.funcName,
+        }
+        
+        # Add additional keys dynamically
+        for additional_key, additional_value in self.additional_keys.items():
+            log_entry[additional_key] = getattr(record, additional_value, None)
+        
+        return json.dumps(log_entry, ensure_ascii=False)
+    
+    def _get_full_message(self, record: logging.LogRecord) -> str:
+        """
+        Safely extract full error message
+        """
+        if record.exc_info:
+            return self.formatException(record.exc_info)
+        return record.exc_text or ""
+
+def setup_json_logging(
+    component: str = "cg-extension", 
+    additional_keys: dict[str, str] = [], 
+    log_level: int = logging.DEBUG
+) -> logging.Logger:
+    """
+    Setup JSON logging with a single logger
+    
+    Args:
+        component (str): Name of the component for logging
+        additional_keys (dict[str, str]): Additional keys to include in log. The key is the key in the json logline, the value is the value of in the extra field for the logging lib.
+        log_level (int): Logging level (default: DEBUG)
+    
+    Returns:
+        logging.Logger: Configured logger
+    """
+    # Get the root logger
+    root_logger = logging.getLogger()
+    root_logger.setLevel(log_level)
+
+    # Remove existing handlers to prevent duplicate logs
+    for handler in root_logger.handlers[:]:
+        root_logger.removeHandler(handler)
+    
+    # Create console handler
+    ch = logging.StreamHandler()
+    ch.setLevel(log_level)
+    
+    # Create JSON formatter
+    formatter = XenitJsonFormatter(
+        component=component, 
+        additional_keys=additional_keys
+    )
+    
+    # Add formatter to handler
+    ch.setFormatter(formatter)
+    
+    # Add handler to logger
+    root_logger.addHandler(ch)

contentgrid_extension_helpers-0.0.1.dist-info/LICENSE

@@ -0,0 +1,13 @@
+Copyright 2024 Xenit Solutions
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

contentgrid_extension_helpers-0.0.1.dist-info/METADATA

@@ -0,0 +1,32 @@
+Metadata-Version: 2.2
+Name: contentgrid-extension-helpers
+Version: 0.0.1
+Summary: Helper functions for contentgrid extensions.
+Author-email: Ranec Belpaire <ranec.belpaire@xenit.eu>
+License: Copyright 2024 Xenit Solutions
+        
+        Licensed under the Apache License, Version 2.0 (the "License");
+        you may not use this file except in compliance with the License.
+        You may obtain a copy of the License at
+        
+            http://www.apache.org/licenses/LICENSE-2.0
+        
+        Unless required by applicable law or agreed to in writing, software
+        distributed under the License is distributed on an "AS IS" BASIS,
+        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+        See the License for the specific language governing permissions and
+        limitations under the License.
+Classifier: Development Status :: 3 - Alpha
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Requires-Python: >=3.5
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: requests<3,>=2.20.0
+Requires-Dist: uri-template<2
+Requires-Dist: fastapi>=0.111
+Requires-Dist: PyJWT>2
+
+### ContentGrid-Extension-Helpers
+
+ContentGrid extensions helpers is a python library that is used for defining reusable helper functions for python extensions.

contentgrid_extension_helpers-0.0.1.dist-info/RECORD

@@ -0,0 +1,11 @@
+contentgrid_extension_helpers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+contentgrid_extension_helpers/authentication/__init__.py,sha256=b6Bp8jCg2-T7bcTGid7pCk5PfNYwH-52UFUX2Op8ArQ,146
+contentgrid_extension_helpers/authentication/oidc.py,sha256=14XEmp_WWDVygb3oBKB9S29UlgJV8wnm_1lw36U4xxc,9820
+contentgrid_extension_helpers/authentication/user.py,sha256=pr3DVZKchLxpJXU6k2uUNLquwr9LjWfr_sArdAjUjZU,185
+contentgrid_extension_helpers/logging/__init__.py,sha256=u6edUMrsULUinBNN94yJywZyINz4azhIAXO2LMbmtaY,64
+contentgrid_extension_helpers/logging/json_logging.py,sha256=QRoDHZjtMXM-JGPR6JWqJnCljwSQ912wjsZ38XMA7Tw,3119
+contentgrid_extension_helpers-0.0.1.dist-info/LICENSE,sha256=tk6n-p8lEmzLJg-O4052CkMgfUtt1q2Zoh1QLAyL7S8,555
+contentgrid_extension_helpers-0.0.1.dist-info/METADATA,sha256=eP5YG_IsyyRtfonDnTiwnLlKPuQHZ7JWkB2s4aFaO2k,1347
+contentgrid_extension_helpers-0.0.1.dist-info/WHEEL,sha256=jB7zZ3N9hIM9adW7qlTAyycLYW9npaWKLRzaoVcLKcM,91
+contentgrid_extension_helpers-0.0.1.dist-info/top_level.txt,sha256=yJGGofrNVsl5psVGO0vLFHO1610ob88GtB9zpvS8iIk,30
+contentgrid_extension_helpers-0.0.1.dist-info/RECORD,,

contentgrid_extension_helpers-0.0.1.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (75.8.2)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

contentgrid_extension_helpers-0.0.1.dist-info/top_level.txt

@@ -0,0 +1 @@
+contentgrid_extension_helpers