csaccess 0.0.1__py3-none-any.whl

csaccess/__init__.py

@@ -0,0 +1,396 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# Copyright 2025 CONTACT Software GmbH
+# https://www.contact-software.com/
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import functools
+import getpass
+import json
+import logging
+import os
+import sys
+import time
+import urllib.request
+import urllib.parse
+import webbrowser
+
+import boto3
+
+from typing import Callable, Dict, Optional, Any
+
+from csaccess.utils import mask_sensitive_data
+from csaccess.rp import RPServer
+from csaccess.constants import DEFAULT_CONFIG
+
+logger = logging.getLogger(__name__)
+
+# Type alias for action functions, for clarity.
+ActionFunction = Callable[[argparse.Namespace], Optional[str]]
+
+
+@functools.lru_cache(maxsize=1)
+def get_issuer_config(oidc_issuer: str) -> Dict[str, Any]:
+    """Retrieve and cache the OIDC issuer configuration."""
+    logger.debug("get_issuer_config: %s", oidc_issuer)
+
+    req = urllib.request.Request(
+        f"{oidc_issuer}/.well-known/openid-configuration", headers={"Accept": "application/json"}
+    )
+
+    with urllib.request.urlopen(req, timeout=15) as response:
+        data = response.read()
+        issuer_config: Dict[str, Any] = json.loads(data)
+
+        if not issuer_config:
+            raise ValueError("Response doesn't contain issuer config.")
+
+        return issuer_config
+
+
+def assume_aws_role_with_web_identity(
+    oidc_access_token: str,
+    role_arn: str,
+    role_session_name: str,
+    region: str,
+    key_duration_seconds: int,
+) -> Dict[str, Any]:
+    """Request AWS STS credentials using the OIDC access token as a web identity."""
+    logger.debug(
+        "assume_aws_role_with_web_identity: %s, %s, %s, %s, %s",
+        mask_sensitive_data(oidc_access_token),
+        role_arn,
+        role_session_name,
+        region,
+        key_duration_seconds,
+    )
+
+    sts_client = boto3.client("sts", region_name=region)
+    sts_response = sts_client.assume_role_with_web_identity(
+        RoleArn=role_arn,
+        RoleSessionName=role_session_name,
+        WebIdentityToken=oidc_access_token,
+        DurationSeconds=key_duration_seconds,
+    )
+    credentials: Dict[str, Any] = sts_response.get("Credentials", {})
+    if not all(k in credentials for k in ("AccessKeyId", "SecretAccessKey", "SessionToken")):
+        raise ValueError("Incomplete AWS credentials received.")
+    return credentials
+
+
+def get_aws_client(service_name: str, credentials: Dict[str, Any], region: str) -> boto3.client:
+    """Create a boto3 client with the given credentials."""
+    logger.debug("get_issuer_config: %s, %s, %s", service_name, mask_sensitive_data(credentials), region)
+
+    return boto3.client(
+        service_name,
+        region_name=region,
+        aws_access_key_id=credentials.get("AccessKeyId"),
+        aws_secret_access_key=credentials.get("SecretAccessKey"),
+        aws_session_token=credentials.get("SessionToken"),
+    )
+
+
+def get_ecr_auth_token(credentials: Dict[str, Any], registry_id: str, region: str) -> str:
+    """Retrieve the AWS ECR authentication token using temporary AWS credentials."""
+    logger.debug("get_ecr_auth_token: %s, %s, %s", mask_sensitive_data(credentials), registry_id, region)
+
+    ecr_client = get_aws_client("ecr", credentials, region)
+    response = ecr_client.get_authorization_token(registryIds=[registry_id])
+    auth_data = response.get("authorizationData", [])
+
+    if not auth_data:
+        raise ValueError("Failed to retrieve ECR authorization data.")
+
+    auth_token: str = auth_data[0].get("authorizationToken", "")
+    if not auth_token:
+        raise ValueError("Failed to retrieve ECR authentication token.")
+
+    return auth_token
+
+
+def get_ca_auth_token(credentials: Dict[str, Any], domain: str, region: str) -> str:
+    """Retrieve the AWS CodeArtifact authentication token using temporary AWS credentials."""
+    logger.debug("get_ca_auth_token: %s, %s, %s", mask_sensitive_data(credentials), domain, region)
+
+    ca_client = get_aws_client("codeartifact", credentials, region)
+    response = ca_client.get_authorization_token(domain=domain)
+
+    auth_token: str = response.get("authorizationToken", "")
+    if not auth_token:
+        raise ValueError("Failed to retrieve CodeArtifact authentication token.")
+
+    return auth_token
+
+
+def get_client_secret() -> str:
+    """Get the client secret from environment or prompt user."""
+    client_secret = os.environ.get("CS_AWS_OIDC_CLIENT_SECRET", "")
+    if not client_secret:
+        client_secret = getpass.getpass("Please enter your OIDC client secret: ")
+    if not client_secret:
+        raise ValueError("Client secret is required.")
+    return client_secret
+
+
+def get_client_access_token(oidc_issuer: str, client_id: str, client_secret: str) -> str:
+    """Get the OIDC access token using static client credentials."""
+    logger.debug(
+        "get_client_access_token: %s, %s, %s",
+        oidc_issuer,
+        mask_sensitive_data(client_id),
+        mask_sensitive_data(client_secret),
+    )
+
+    token_endpoint: str = get_issuer_config(oidc_issuer).get("token_endpoint", "")
+    if not token_endpoint:
+        raise ValueError("Token endpoint not found in issuer config.")
+
+    payload = {
+        "grant_type": "client_credentials",
+        "client_id": client_id,
+        "client_secret": client_secret,
+    }
+
+    data = urllib.parse.urlencode(payload).encode("ascii")
+
+    req = urllib.request.Request(
+        token_endpoint,
+        data=data,
+        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
+    )
+
+    with urllib.request.urlopen(req, timeout=15) as response:
+        response_data = response.read()
+        token_data = json.loads(response_data)
+
+        access_token: str = token_data.get("access_token", "")
+        if not access_token:
+            raise ValueError("Response doesn't contain access_token.")
+
+        return access_token
+
+
+def get_user_access_token(oidc_issuer: str, client_id: str, client_secret: str) -> str:
+    """Get the OIDC access token via user authentication flow."""
+    logger.debug(
+        "get_user_access_token: %s, %s, %s",
+        oidc_issuer,
+        mask_sensitive_data(client_id),
+        mask_sensitive_data(client_secret),
+    )
+
+    rp = RPServer(
+        oidc_issuer=oidc_issuer,
+        client_id=client_id,
+        client_secret=client_secret,
+    )
+    rp.start()
+
+    # Session info is mutable dict, modified in RPServer.
+    session_info: dict = {}
+    auth_url = rp.get_auth_url(session_info, use_pkce=True)
+
+    webbrowser.open(auth_url)
+    while not rp.srv.auth_code:  # type: ignore
+        time.sleep(0.1)
+
+    request_args = {"code": rp.srv.auth_code, "code_verifier": rp.pkce_verifier}  # type: ignore
+
+    resp = rp.client.do_access_token_request(
+        request_args=request_args,
+        state=session_info["state"],
+        authn_method="client_secret_basic",
+    )
+
+    access_token: str = resp["access_token"]
+
+    rp.shutdown()
+    return access_token
+
+
+def get_access_token(args: argparse.Namespace) -> str:
+    """Get the appropriate OIDC access token based on args."""
+    logger.debug("get_access_token: %s", mask_sensitive_data(args))
+
+    client_secret = get_client_secret()
+
+    if args.static_oidc:
+        return get_client_access_token(args.oidc_issuer, args.client_id, client_secret)
+    else:
+        return get_user_access_token(args.oidc_issuer, args.client_id, client_secret)
+
+
+def get_aws_credentials(args: argparse.Namespace, access_token: str) -> Dict[str, Any]:
+    """Get AWS credentials using the OIDC access token."""
+    logger.debug("get_aws_credentials: %s, %s", mask_sensitive_data(args), mask_sensitive_data(access_token))
+
+    return assume_aws_role_with_web_identity(
+        access_token,
+        args.aws_role_arn,
+        args.aws_role_session_name,
+        args.aws_region,
+        args.aws_key_duration,
+    )
+
+
+def action_ecr_auth_token(args: argparse.Namespace) -> str:
+    """Action to retrieve an ECR auth token."""
+    logger.debug("action_ecr_auth_token: %s", mask_sensitive_data(args))
+
+    access_token = get_access_token(args)
+    credentials = get_aws_credentials(args, access_token)
+    auth_token = get_ecr_auth_token(credentials, args.aws_tenant_id, args.aws_region)
+
+    if not args.quiet:
+        print("\033[1;32mAuthentication successful.\033[0m You can now proceed with docker commands:")
+        print()
+        print(
+            f"echo '{auth_token}' | base64 -d | cut -d: -f2 | docker login --username AWS --password-stdin "
+            f"{args.aws_tenant_id}.dkr.ecr.{args.aws_region}.amazonaws.com"
+        )
+        print(
+            f"docker pull {args.aws_tenant_id}.dkr.ecr.{args.aws_region}.amazonaws.com/cs-central1-elements_platform:16.0.1"
+        )
+    else:
+        # In quiet mode, just print the auth token (for scripting)
+        print(auth_token)
+
+    return auth_token
+
+
+def action_ca_auth_token(args: argparse.Namespace) -> str:
+    """Action to retrieve a CodeArtifact auth token."""
+    logger.debug("action_ca_auth_token: %s", mask_sensitive_data(args))
+
+    access_token = get_access_token(args)
+    credentials = get_aws_credentials(args, access_token)
+    ca_auth_token = get_ca_auth_token(credentials, args.aws_domain, args.aws_region)
+
+    print(ca_auth_token)
+
+    return ca_auth_token
+
+
+def action_index_url(args: argparse.Namespace) -> str:
+    """Action to generate and display a PyPI index URL."""
+    logger.debug("action_index_url: %s", mask_sensitive_data(args))
+
+    ca_auth_token = action_ca_auth_token(args)
+    domain_owner = args.aws_role_arn.split(":")[4]
+    index_url = (
+        f"https://aws:{ca_auth_token}@"
+        f"{args.aws_domain}-{domain_owner}"
+        f".d.codeartifact.{args.aws_region}.amazonaws.com/pypi/elements/simple/"
+    )
+
+    if not args.quiet:
+        print("\033[1;32mAuthentication successful.\033[0m You can now use the following index URL:")
+        print(index_url)
+        print("For example, run:")
+        print(f"pip install -i {index_url} cs.spin")
+    else:
+        # In quiet mode, just print the URL (for scripting)
+        print(index_url)
+
+    return index_url
+
+
+def parse_arguments() -> argparse.Namespace:
+    """Parse command line arguments."""
+    parser = argparse.ArgumentParser(
+        prog="csaccess",
+        description="Provides access to CONTACT artifact storage.",
+    )
+    parser.add_argument(
+        "action",
+        choices=["index-url", "ca-auth-token", "ecr-auth-token"],
+        default="index-url",
+        nargs="?",
+        help="Action to perform.",
+    )
+    parser.add_argument(
+        "--static-oidc",
+        action="store_true",
+        default=False,
+        help="Use static OIDC credentials.",
+    )
+    parser.add_argument("--aws-domain", default=DEFAULT_CONFIG["AWS_DOMAIN"], help="AWS domain name.")
+    parser.add_argument(
+        "--aws-key-duration",
+        type=int,
+        default=DEFAULT_CONFIG["AWS_KEY_DURATION"],
+        help="AWS key duration in seconds.",
+    )
+    parser.add_argument(
+        "--aws-region",
+        default=DEFAULT_CONFIG["AWS_REGION"],
+        help="AWS region name.",
+    )
+    parser.add_argument(
+        "--aws-tenant-id",
+        default=DEFAULT_CONFIG["AWS_TENANT_ID"],
+        help="AWS tenant ID.",
+    )
+    parser.add_argument(
+        "--aws-role-arn",
+        default=DEFAULT_CONFIG["AWS_ROLE_ARN"],
+        help="AWS role ARN for CodeArtifact and ECR access.",
+    )
+    parser.add_argument(
+        "--aws-role-session-name",
+        default=DEFAULT_CONFIG["AWS_ROLE_SESSION_NAME"],
+        help="AWS STS role session name.",
+    )
+    parser.add_argument(
+        "--oidc-issuer",
+        default=DEFAULT_CONFIG["OIDC_ISSUER"],
+        help="OIDC issuer URL for authentication.",
+    )
+    parser.add_argument(
+        "--client-id",
+        default=DEFAULT_CONFIG["OIDC_CLIENT_ID"],
+        help="OIDC client ID for authentication.",
+    )
+    parser.add_argument("--quiet", "-q", action="store_true", help="Only output the result without additional text.")
+    parser.add_argument(
+        "--verbose",
+        "-v",
+        action="store_true",
+        help="Be verbose.",
+    )
+    args = parser.parse_args()
+    logging.basicConfig(
+        format="[%(levelname)-8s] [%(name)s] [%(module)s] %(message)s",
+        stream=sys.stderr,
+        level=(logging.DEBUG if args.verbose else logging.INFO),
+    )
+    return args
+
+
+def main() -> None:
+    """Main entry point."""
+    interface = {
+        "index-url": action_index_url,
+        "ca-auth-token": action_ca_auth_token,
+        "ecr-auth-token": action_ecr_auth_token,
+    }
+
+    args = parse_arguments()
+    interface[args.action](args)
+
+
+if __name__ == "__main__":
+    main()

csaccess/__main__.py

@@ -0,0 +1,21 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# Copyright 2025 CONTACT Software GmbH
+# https://www.contact-software.com/
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+from csaccess import main
+
+main()

csaccess/constants.py

@@ -0,0 +1,35 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# Copyright (C) 2025 CONTACT Software GmbH
+# All rights reserved.
+# https://www.contact-software.com/
+
+"""
+Default constants for CS Access module.
+"""
+
+import os
+from typing import Dict, Any
+
+DEFAULT_CONFIG: Dict[str, Any] = {
+    # AWS Constants
+    "AWS_DOMAIN": "contact",
+    "AWS_KEY_DURATION": 3600,
+    "AWS_REGION": "eu-central-1",
+    "AWS_TENANT_ID": "373369985286",
+    "AWS_ROLE_ARN": "arn:aws:iam::373369985286:role/cs-central1-codeartifact-ecr-read-role",
+    "AWS_ROLE_SESSION_NAME": "CodeArtifactSession",
+    # OIDC Constants
+    "OIDC_ISSUER": "https://login.contact-cloud.com/realms/contact",
+    "OIDC_CLIENT_ID": "central1-auth-oidc-read",
+    # Environment Variable Names
+    "ENV_CLIENT_SECRET": "CS_AWS_OIDC_CLIENT_SECRET",
+}
+
+
+def get_client_secret() -> str:
+    """Get the client secret from environment variable."""
+    client_secret = os.environ.get(DEFAULT_CONFIG["ENV_CLIENT_SECRET"], "")
+    if not client_secret:
+        raise ValueError(f"Environment variable {DEFAULT_CONFIG['ENV_CLIENT_SECRET']} is required.")
+    return client_secret

csaccess/rp.py

@@ -0,0 +1,193 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# Copyright 2025 CONTACT Software GmbH
+# https://www.contact-software.com/
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from http import server
+import threading
+import logging
+
+from oic import rndstr
+from oic.oic import Client
+from oic.oic.message import AuthorizationResponse, RegistrationResponse
+from oic.utils.authn.client import CLIENT_AUTHN_METHOD
+
+logger = logging.getLogger(__name__)
+
+
+class RPRequestHandler(server.BaseHTTPRequestHandler):
+    def parse_auth_response(self) -> None:
+        response = self.path[len("/callback?") :]  # noqa: E203
+        logger.debug("Response: %s", response)
+
+        aresp = self.server.client.parse_response(  # type: ignore
+            AuthorizationResponse, info=response, sformat="urlencoded"
+        )
+        self.server.auth_code = aresp["code"]  # type: ignore
+        self.server.auth_event.set()  # type: ignore
+
+    def do_GET(self) -> None:
+        if self.path.startswith("/callback?"):
+            logger.debug("Got callback GET.")
+            self.parse_auth_response()
+
+        # The tab is not closed automatically, we rely on the text instructions.
+        content = b"""
+        <!DOCTYPE html>
+        <html>
+        <head>
+            <title>Authentication Complete</title>
+        </head>
+        <body>
+            <h3>Authentication Complete</h3>
+            <p>This window will close automatically. If it doesn't, you can close it manually.</p>
+            <script>
+                // Try multiple approaches to close the window.
+                window.addEventListener('load', function() {
+                    // First attempt
+                    window.close();
+
+                    // Second attempt - countdown and close.
+                    let counter = 3;
+                    const countdown = document.createElement('p');
+                    document.body.appendChild(countdown);
+
+                    const timer = setInterval(function() {
+                        countdown.textContent = 'Closing in ' + counter + ' seconds...';
+                        counter--;
+                        if (counter < 0) {
+                            clearInterval(timer);
+                            window.close();
+                        }
+                    }, 1000);
+                });
+            </script>
+        </body>
+        </html>
+        """
+
+        self.send_response(200, "Authentication Complete")
+        self.send_header("Content-type", "text/html")
+        self.send_header("Content-Length", str(len(content)))
+        self.end_headers()
+        self.wfile.write(content)
+
+    def do_POST(self) -> None:
+        if self.path.startswith("/callback"):
+            logger.debug("Got callback POST.")
+        self.send_response(200, "All good")
+        self.end_headers()
+
+
+class RPServer(threading.Thread):
+    """
+    Simple RP Service
+
+    Fires up an HTTP Server on 127.0.0.1 to receive the authorization code.
+    """
+
+    def __init__(self, *args, **kwargs) -> None:  # type: ignore
+        self.port = 29398
+
+        self.issuer = kwargs.pop("oidc_issuer")
+        self.client_id = kwargs.pop("client_id")
+        client_info = {
+            "client_id": self.client_id,
+            "client_secret": kwargs.pop("client_secret"),
+        }
+        self.client_registration = RegistrationResponse(**client_info)
+
+        super().__init__(name="RP HTTPD", daemon=True)
+
+        self.client = Client(client_id=self.client_id, client_authn_method=CLIENT_AUTHN_METHOD)
+        provider_info = self.client.provider_config(self.issuer)
+        self.client.handle_provider_config(provider_info, self.issuer)
+        self.client.store_registration_info(self.client_registration)
+
+        self.pkce_verifier = None
+        self.addr = ("", self.port)
+        self.hdlr = RPRequestHandler
+        self.auth_event = threading.Event()
+
+        self.srv = server.HTTPServer(self.addr, self.hdlr)
+        self.srv.client = self.client  # type: ignore
+        self.srv.timeout = 0.05  # Wakeup every 50ms
+        self.srv.auth_code = None  # type: ignore
+        self.srv.auth_event = self.auth_event  # type: ignore
+        self.srv.auth_event.clear()  # type: ignore
+
+        self._shutdown_requested = False
+
+    def run(self) -> None:
+        try:
+            while not self._shutdown_requested:
+                self.srv.handle_request()
+        finally:
+            # Proper cleanup
+            if self.srv:
+                self.srv.server_close()
+                logger.debug("HTTP server closed.")
+
+    def shutdown(self) -> None:
+        """Shut down the server and thread"""
+        logger.debug("Shutting down RPServer.")
+        self._shutdown_requested = True
+
+        # Wait for the thread to finish (with timeout).
+        if self.is_alive():
+            self.join(timeout=2.0)
+
+        # Force server shutdown if still alive.
+        if hasattr(self, "srv") and self.srv:
+            try:
+                self.srv.server_close()
+                logger.debug("Server resources released")
+            except Exception as e:  # pylint: disable=broad-exception-caught
+                logger.error("Error during server cleanup: %s", e)
+
+        logger.debug("RPServer shutdown complete.")
+
+    def get_auth_url(
+        self,
+        session: dict | None = None,
+        extra_scopes: list | None = None,
+        login_hint: str | None = None,
+        use_pkce: bool = False,
+    ) -> str:
+        if session is None:
+            session = {}
+
+        session["state"] = rndstr()
+        session["nonce"] = rndstr()
+        args = {
+            "client_id": self.client.client_id,
+            "response_type": "code",
+            "scope": ["openid"],
+            "nonce": session["nonce"],
+            "redirect_uri": [f"http://127.0.0.1:{self.port}/callback"],
+            "state": session["state"],
+        }
+        if use_pkce:
+            pkce_args, pkce_verifier = self.client.add_code_challenge()
+            args.update(pkce_args)
+            self.pkce_verifier = pkce_verifier
+
+        if extra_scopes:
+            args["scope"].extend(extra_scopes)
+        if login_hint:
+            args["login_hint"] = login_hint
+
+        auth_req = self.client.construct_AuthorizationRequest(request_args=args)
+        return str(auth_req.request(self.client.authorization_endpoint))

csaccess/utils.py

@@ -0,0 +1,70 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# Copyright 2025 CONTACT Software GmbH
+# https://www.contact-software.com/
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from typing import Any
+
+
+def mask_sensitive_data(data: Any, param_name: str = "", show_chars: int = 3) -> Any:
+    """
+    Create a copy of the data with sensitive information masked.
+
+    Args:
+        data: The data to be masked (dictionary, string, list, or None)
+        param_name: Optional name of the parameter (for context-aware masking)
+        show_chars: Number of characters to show before masking (0 for complete masking)
+
+    Returns:
+        Masked version of the input data
+    """
+    if data is None:
+        return None
+
+    # Handle dictionary case (recursively).
+    if isinstance(data, dict):
+        result = {}
+        for key, value in data.items():
+            # Recursively mask nested values, passing the key name as context.
+            result[key] = mask_sensitive_data(value, key)
+        return result
+
+    # Handle list case (recursively).
+    if isinstance(data, list):
+        return [mask_sensitive_data(item, param_name) for item in data]
+
+    # Handle string case.
+    if isinstance(data, str):
+        # Check if the parameter name or string content suggests sensitive data.
+        is_sensitive = param_name and any(
+            sensitive in param_name.lower() for sensitive in ["password", "token", "secret", "key", "auth"]
+        )
+
+        # If the string itself contains obvious patterns, consider it sensitive.
+        if not is_sensitive and len(data) > 20:
+            # Check for patterns that suggest tokens or keys.
+            token_patterns = ["ey", "sk_", "ak_", "pk_", "key-", "sess-"]
+            is_sensitive = any(data.startswith(pattern) for pattern in token_patterns)
+
+        if is_sensitive:
+            if len(data) <= show_chars or show_chars <= 0:
+                return "***MASKED***"
+            else:
+                return data[:show_chars] + "***MASKED***"
+
+        return data
+
+    # For other types (int, bool, etc.), just return as is.
+    return data

csaccess-0.0.1.dist-info/METADATA

@@ -0,0 +1,333 @@
+Metadata-Version: 2.4
+Name: csaccess
+Version: 0.0.1
+Summary: A Python library for authenticating and accessing CONTACT resources in AWS.
+Author-email: Alexander Vetski <alexander.vetski@contact-software.com>, Elias Haag <elias.haag@contact-software.com>
+License:                                 Apache License
+                                   Version 2.0, January 2004
+                                http://www.apache.org/licenses/
+        
+           TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+        
+           1. Definitions.
+        
+              "License" shall mean the terms and conditions for use, reproduction,
+              and distribution as defined by Sections 1 through 9 of this document.
+        
+              "Licensor" shall mean the copyright owner or entity authorized by
+              the copyright owner that is granting the License.
+        
+              "Legal Entity" shall mean the union of the acting entity and all
+              other entities that control, are controlled by, or are under common
+              control with that entity. For the purposes of this definition,
+              "control" means (i) the power, direct or indirect, to cause the
+              direction or management of such entity, whether by contract or
+              otherwise, or (ii) ownership of fifty percent (50%) or more of the
+              outstanding shares, or (iii) beneficial ownership of such entity.
+        
+              "You" (or "Your") shall mean an individual or Legal Entity
+              exercising permissions granted by this License.
+        
+              "Source" form shall mean the preferred form for making modifications,
+              including but not limited to software source code, documentation
+              source, and configuration files.
+        
+              "Object" form shall mean any form resulting from mechanical
+              transformation or translation of a Source form, including but
+              not limited to compiled object code, generated documentation,
+              and conversions to other media types.
+        
+              "Work" shall mean the work of authorship, whether in Source or
+              Object form, made available under the License, as indicated by a
+              copyright notice that is included in or attached to the work
+              (an example is provided in the Appendix below).
+        
+              "Derivative Works" shall mean any work, whether in Source or Object
+              form, that is based on (or derived from) the Work and for which the
+              editorial revisions, annotations, elaborations, or other modifications
+              represent, as a whole, an original work of authorship. For the purposes
+              of this License, Derivative Works shall not include works that remain
+              separable from, or merely link (or bind by name) to the interfaces of,
+              the Work and Derivative Works thereof.
+        
+              "Contribution" shall mean any work of authorship, including
+              the original version of the Work and any modifications or additions
+              to that Work or Derivative Works thereof, that is intentionally
+              submitted to Licensor for inclusion in the Work by the copyright owner
+              or by an individual or Legal Entity authorized to submit on behalf of
+              the copyright owner. For the purposes of this definition, "submitted"
+              means any form of electronic, verbal, or written communication sent
+              to the Licensor or its representatives, including but not limited to
+              communication on electronic mailing lists, source code control systems,
+              and issue tracking systems that are managed by, or on behalf of, the
+              Licensor for the purpose of discussing and improving the Work, but
+              excluding communication that is conspicuously marked or otherwise
+              designated in writing by the copyright owner as "Not a Contribution."
+        
+              "Contributor" shall mean Licensor and any individual or Legal Entity
+              on behalf of whom a Contribution has been received by Licensor and
+              subsequently incorporated within the Work.
+        
+           2. Grant of Copyright License. Subject to the terms and conditions of
+              this License, each Contributor hereby grants to You a perpetual,
+              worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+              copyright license to reproduce, prepare Derivative Works of,
+              publicly display, publicly perform, sublicense, and distribute the
+              Work and such Derivative Works in Source or Object form.
+        
+           3. Grant of Patent License. Subject to the terms and conditions of
+              this License, each Contributor hereby grants to You a perpetual,
+              worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+              (except as stated in this section) patent license to make, have made,
+              use, offer to sell, sell, import, and otherwise transfer the Work,
+              where such license applies only to those patent claims licensable
+              by such Contributor that are necessarily infringed by their
+              Contribution(s) alone or by combination of their Contribution(s)
+              with the Work to which such Contribution(s) was submitted. If You
+              institute patent litigation against any entity (including a
+              cross-claim or counterclaim in a lawsuit) alleging that the Work
+              or a Contribution incorporated within the Work constitutes direct
+              or contributory patent infringement, then any patent licenses
+              granted to You under this License for that Work shall terminate
+              as of the date such litigation is filed.
+        
+           4. Redistribution. You may reproduce and distribute copies of the
+              Work or Derivative Works thereof in any medium, with or without
+              modifications, and in Source or Object form, provided that You
+              meet the following conditions:
+        
+              (a) You must give any other recipients of the Work or
+                  Derivative Works a copy of this License; and
+        
+              (b) You must cause any modified files to carry prominent notices
+                  stating that You changed the files; and
+        
+              (c) You must retain, in the Source form of any Derivative Works
+                  that You distribute, all copyright, patent, trademark, and
+                  attribution notices from the Source form of the Work,
+                  excluding those notices that do not pertain to any part of
+                  the Derivative Works; and
+        
+              (d) If the Work includes a "NOTICE" text file as part of its
+                  distribution, then any Derivative Works that You distribute must
+                  include a readable copy of the attribution notices contained
+                  within such NOTICE file, excluding those notices that do not
+                  pertain to any part of the Derivative Works, in at least one
+                  of the following places: within a NOTICE text file distributed
+                  as part of the Derivative Works; within the Source form or
+                  documentation, if provided along with the Derivative Works; or,
+                  within a display generated by the Derivative Works, if and
+                  wherever such third-party notices normally appear. The contents
+                  of the NOTICE file are for informational purposes only and
+                  do not modify the License. You may add Your own attribution
+                  notices within Derivative Works that You distribute, alongside
+                  or as an addendum to the NOTICE text from the Work, provided
+                  that such additional attribution notices cannot be construed
+                  as modifying the License.
+        
+              You may add Your own copyright statement to Your modifications and
+              may provide additional or different license terms and conditions
+              for use, reproduction, or distribution of Your modifications, or
+              for any such Derivative Works as a whole, provided Your use,
+              reproduction, and distribution of the Work otherwise complies with
+              the conditions stated in this License.
+        
+           5. Submission of Contributions. Unless You explicitly state otherwise,
+              any Contribution intentionally submitted for inclusion in the Work
+              by You to the Licensor shall be under the terms and conditions of
+              this License, without any additional terms or conditions.
+              Notwithstanding the above, nothing herein shall supersede or modify
+              the terms of any separate license agreement you may have executed
+              with Licensor regarding such Contributions.
+        
+           6. Trademarks. This License does not grant permission to use the trade
+              names, trademarks, service marks, or product names of the Licensor,
+              except as required for reasonable and customary use in describing the
+              origin of the Work and reproducing the content of the NOTICE file.
+        
+           7. Disclaimer of Warranty. Unless required by applicable law or
+              agreed to in writing, Licensor provides the Work (and each
+              Contributor provides its Contributions) on an "AS IS" BASIS,
+              WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+              implied, including, without limitation, any warranties or conditions
+              of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+              PARTICULAR PURPOSE. You are solely responsible for determining the
+              appropriateness of using or redistributing the Work and assume any
+              risks associated with Your exercise of permissions under this License.
+        
+           8. Limitation of Liability. In no event and under no legal theory,
+              whether in tort (including negligence), contract, or otherwise,
+              unless required by applicable law (such as deliberate and grossly
+              negligent acts) or agreed to in writing, shall any Contributor be
+              liable to You for damages, including any direct, indirect, special,
+              incidental, or consequential damages of any character arising as a
+              result of this License or out of the use or inability to use the
+              Work (including but not limited to damages for loss of goodwill,
+              work stoppage, computer failure or malfunction, or any and all
+              other commercial damages or losses), even if such Contributor
+              has been advised of the possibility of such damages.
+        
+           9. Accepting Warranty or Additional Liability. While redistributing
+              the Work or Derivative Works thereof, You may choose to offer,
+              and charge a fee for, acceptance of support, warranty, indemnity,
+              or other liability obligations and/or rights consistent with this
+              License. However, in accepting such obligations, You may act only
+              on Your own behalf and on Your sole responsibility, not on behalf
+              of any other Contributor, and only if You agree to indemnify,
+              defend, and hold each Contributor harmless for any liability
+              incurred by, or claims asserted against, such Contributor by reason
+              of your accepting any such warranty or additional liability.
+        
+           END OF TERMS AND CONDITIONS
+        
+Project-URL: Homepage, https://contact-software.com
+Classifier: Environment :: Console
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Intended Audience :: Developers
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Software Development
+Classifier: License :: OSI Approved :: Apache Software License
+Requires-Python: >=3.11
+Description-Content-Type: text/x-rst
+License-File: LICENSE
+Requires-Dist: boto3~=1.38
+Requires-Dist: oic~=1.7
+Dynamic: license-file
+
+=========
+csaccess
+=========
+
+A Python library for authenticating and accessing CONTACT resources in AWS CodeArtifact and Elastic Container Registry (ECR) using OIDC.
+
+Overview
+--------
+
+``csaccess`` simplifies access to CONTACT cloud resources by providing a streamlined authentication flow with support for both interactive user-based and automated service-based authentication methods.
+
+Authentication Methods
+~~~~~~~~~~~~~~~~~~~~~~
+
++------------------------+-----------------------------------------------+---------------------------------------------------+
+| Feature                | User OIDC                                     | Static OIDC (Client Credentials)                  |
++========================+===============================================+===================================================+
+| **Authentication**     | Interactive user login via web browser        | Application authenticates itself using its secret |
++------------------------+-----------------------------------------------+---------------------------------------------------+
+| **Grant Type**         | Authorization Code with PKCE                  | Client Credentials                                |
++------------------------+-----------------------------------------------+---------------------------------------------------+
+| **User Context**       | Represents a specific user                    | Represents the application/service itself         |
++------------------------+-----------------------------------------------+---------------------------------------------------+
+| **Security**           | Relies on user credentials and browser        | Relies on the client secret's security            |
++------------------------+-----------------------------------------------+---------------------------------------------------+
+| **Use Cases**          | Applications acting on behalf of a user       | Service accounts, background processes            |
++------------------------+-----------------------------------------------+---------------------------------------------------+
+| **Token Audience**     | Targeted to specific user and application     | Targeted to the application                       |
++------------------------+-----------------------------------------------+---------------------------------------------------+
+
+**Security Warning:** Be extremely careful when handling access tokens. Treat them like passwords:
+
+- Avoid logging them or storing them insecurely
+- Never paste sensitive tokens into untrusted online services
+- Use environment variables where possible to avoid exposing secrets
+
+Installation
+------------
+
+.. code-block:: bash
+
+    pip install csaccess
+
+Setup and Configuration
+-----------------------
+
+Configuration
+~~~~~~~~~~~~~
+
+- The "relying party" local server requires port **29398** to be free and available
+- Set environment variables to avoid interactive prompts:
+
+On Linux / macOS:
+
+.. code-block:: bash
+
+    export CS_AWS_OIDC_CLIENT_SECRET="<OIDC-client-secret>"
+
+Windows CMD:
+
+.. code-block:: bash
+
+    set CS_AWS_OIDC_CLIENT_SECRET="<OIDC-client-secret>"
+
+Windows PowerShell:
+
+.. code-block:: bash
+
+    $env:CS_AWS_OIDC_CLIENT_SECRET = "<OIDC-client-secret>"
+
+Usage Examples
+--------------
+
+**Important:**: unset AWS specific vars existing in local env as they will interfere with AWS STS functionality.
+
+.. code-block:: bash
+
+    unset AWS_PROFILE
+    unset AWS_DEFAULT_PROFILE
+    unset AWSUME_PROFILE
+    unset AWSUME_COMMAND
+
+Basic Usage
+~~~~~~~~~~~
+
+Get PyPI index URL with embedded auth token (default action):
+
+.. code-block:: python
+
+    import csaccess
+    index_url = csaccess.get_index_url()
+
+Command-Line Interface
+~~~~~~~~~~~~~~~~~~~~~~
+
+Returns the CodeArtifact URL with an injected token (default):
+
+.. code-block:: bash
+
+    python -m csaccess
+
+Get the CodeArtifact token:
+
+.. code-block:: bash
+
+    python -m csaccess ca-auth-token
+
+Get the ECR token:
+
+.. code-block:: bash
+
+    python -m csaccess ecr-auth-token
+
+Integration Examples
+--------------------
+
+Following are examples for Linux / macOS:
+
+Using with pip
+~~~~~~~~~~~~~~
+
+.. code-block:: bash
+
+    INDEX_URL=$(python -m csaccess --quiet)
+    pip install -i $INDEX_URL your-private-package
+
+Using with Docker
+~~~~~~~~~~~~~~~~~
+
+.. code-block:: bash
+
+    ECR_TOKEN=$(python -m csaccess ecr-auth-token --quiet)
+    echo $ECR_TOKEN | docker login -u AWS --password-stdin <ECR-registry-url>

csaccess-0.0.1.dist-info/RECORD

@@ -0,0 +1,11 @@
+csaccess/__init__.py,sha256=68NDBFf_dQ0IjteAy7ABA-eMD3zjD05VI3eViUzF1c8,13138
+csaccess/__main__.py,sha256=hR3GY7dhLmSHoe1hR_UVuBT3OYGnHaIenDqNALjrzEw,697
+csaccess/constants.py,sha256=jrTLD9-ozidhTuTC8KItvOZVEHpOBJx0GdFlY9iXHlE,1111
+csaccess/rp.py,sha256=wWkCkU1yXEJk-dymc3RCSQuPs63jCg9QZPCGFJpKLb0,6805
+csaccess/utils.py,sha256=1UvDuFQRrMEN1cXHxhD2L8BfHVPn9vILYDCp_P4UkO0,2587
+csaccess-0.0.1.dist-info/licenses/LICENSE,sha256=4MAecetnRTQw5DlHtiikDSzKWO1xVLwzM5_DsPMYlnE,10172
+csaccess-0.0.1.dist-info/METADATA,sha256=5-mCswvigW1W9biP_aGBPi-0CzjLHF8SSsv-orRTTwA,16962
+csaccess-0.0.1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+csaccess-0.0.1.dist-info/entry_points.txt,sha256=3zj3FW5LuPZrMpNmx_qFFI-5Jvg4iBk2fCes_3Cr5Cs,43
+csaccess-0.0.1.dist-info/top_level.txt,sha256=VOPNz0PQhPfzdEc-oJc5CcCTrO0XZ5wOynYKTkl4z8I,9
+csaccess-0.0.1.dist-info/RECORD,,

csaccess-0.0.1.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.9.0)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

csaccess-0.0.1.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+csaccess = csaccess:main

csaccess-0.0.1.dist-info/licenses/LICENSE

@@ -0,0 +1,176 @@
+                                Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS

csaccess-0.0.1.dist-info/top_level.txt

@@ -0,0 +1 @@
+csaccess