csspin-python 2.0.0__py3-none-any.whl

csspin_python/aws_auth.py

@@ -0,0 +1,195 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# Copyright (C) 2025 CONTACT Software GmbH
+# https://www.contact-software.com/
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+"""Module implementing the aws_auth plugin for spin"""
+
+import configparser
+import os
+
+from csspin import Path, config, debug, die, exists, info, interpolate1
+
+defaults = config(
+    aws_role_arn="arn:aws:iam::373369985286:role/cs-central1-codeartifact-ecr-read-role",
+    aws_region="eu-central-1",
+    aws_role_session_name="CodeArtifactSession",
+    aws_codeartifact_domain="contact",
+    aws_key_duration=3600,
+    keycloak_url="https://login.contact-cloud.com/realms/contact/protocol/openid-connect/token",
+    client_id="central1-auth-oidc-read",
+    requires=config(
+        spin=[
+            "csspin_python.python",
+        ],
+    ),
+)
+
+
+def configure(cfg):  # pylint: disable=too-many-statements
+    """Configure the plugin and apply changes to the configuration tree"""
+    # Could be useful in CI e.g. when you want to build docs
+    # and need to include this plugin in spinfile
+    # without using it's functionality
+    if os.environ.get("AWS_AUTH_DISABLE"):
+        info("AWS_AUTH_DISABLE is set, ignoring aws_auth plugin")
+        return
+
+    from sys import platform
+
+    try:
+        import boto3
+        import requests
+        from botocore.exceptions import ClientError
+    except ImportError:
+        die(
+            "Failed to import required modules. Please install them by setting:"
+            "\n\tplugin_packages:\n\t\t- csspin_python[aws_auth]\n"
+            "in your project's spinfile.yaml"
+        )
+
+    cfg.aws_auth.client_secret = os.environ.get("KEYCLOAK_CLIENT_SECRET")
+    if not cfg.aws_auth.client_secret:
+        die(
+            "Neither aws_auth.client_secret config"
+            "entry nor KEYCLOAK_CLIENT_SECRET environment variable was found."
+        )
+
+    def get_keycloak_access_token(keycloak_url, client_id, client_secret):
+        """
+        Obtain the Keycloak access token using client credentials.
+        """
+        debug("Requesting Keycloak access token...")
+        payload = {
+            "grant_type": "client_credentials",
+            "client_id": client_id,
+            "client_secret": client_secret,
+        }
+
+        try:
+            response = requests.post(keycloak_url, data=payload, timeout=15)
+            response.raise_for_status()
+            data = response.json()
+            access_token = data.get("access_token")
+            if not access_token:
+                raise ValueError("Response doesn't contain access_token")
+        except (ValueError, requests.exceptions.RequestException) as e:
+            die(f"Failed to fetch Keycloak access token: {e}")
+
+        return access_token
+
+    def assume_aws_role_with_web_identity(
+        keycloak_access_token,
+        role_arn,
+        role_session_name,
+        region,
+        key_duration_seconds,
+    ):
+        """
+        Request AWS STS credentials using the Keycloak token as a web identity.
+        """
+        debug("Requesting AWS STS credentials...")
+        sts_client = boto3.client("sts", region_name=region)
+        try:
+            sts_response = sts_client.assume_role_with_web_identity(
+                RoleArn=role_arn,
+                RoleSessionName=role_session_name,
+                WebIdentityToken=keycloak_access_token,
+                DurationSeconds=key_duration_seconds,
+            )
+            credentials = sts_response.get("Credentials", {})
+            if not (
+                credentials.get("AccessKeyId")
+                and credentials.get("SecretAccessKey")
+                and credentials.get("SessionToken")
+            ):
+                raise ValueError("Incomplete AWS credentials received")
+        except (ValueError, ClientError) as e:
+            die(f"Failed to assume AWS role with web identity: {e}")
+
+        return credentials
+
+    def get_codeartifact_auth_token(credentials, domain, region):
+        """
+        Retrieve the AWS CodeArtifact authentication token using temporary AWS credentials.
+        """
+        debug("Requesting CodeArtifact authentication token...")
+        codeartifact_client = boto3.client(
+            "codeartifact",
+            region_name=region,
+            aws_access_key_id=credentials.get("AccessKeyId"),
+            aws_secret_access_key=credentials.get("SecretAccessKey"),
+            aws_session_token=credentials.get("SessionToken"),
+        )
+
+        try:
+            response = codeartifact_client.get_authorization_token(domain=domain)
+            auth_token = response.get("authorizationToken")
+            if not auth_token:
+                raise ValueError("Failed to retrieve CodeArtifact authentication token")
+        except (ValueError, ClientError) as e:
+            die(f"Failed to retrieve CodeArtifact authentication token: {e}")
+
+        return auth_token
+
+    keycloak_access_token = get_keycloak_access_token(
+        cfg.aws_auth.keycloak_url, cfg.aws_auth.client_id, cfg.aws_auth.client_secret
+    )
+
+    credentials = assume_aws_role_with_web_identity(
+        keycloak_access_token,
+        cfg.aws_auth.aws_role_arn,
+        cfg.aws_auth.aws_role_session_name,
+        cfg.aws_auth.aws_region,
+        cfg.aws_auth.aws_key_duration,
+    )
+
+    codeartifact_auth_token = get_codeartifact_auth_token(
+        credentials, cfg.aws_auth.aws_codeartifact_domain, cfg.aws_auth.aws_region
+    )
+
+    domain_owner = cfg.aws_auth.aws_role_arn.split(":")[4]
+
+    cfg.aws_auth.codeartifact_auth_token = codeartifact_auth_token
+    cfg.python.index_url = (
+        f"https://aws:{codeartifact_auth_token}@"
+        f"{cfg.aws_auth.aws_codeartifact_domain}-{domain_owner}"
+        f".d.codeartifact.{cfg.aws_auth.aws_region}.amazonaws.com/pypi/elements/simple/"
+    )
+
+    pipconf = interpolate1(cfg.python.venv) / Path(
+        "pip.ini" if platform == "win32" else "pip.conf"
+    )
+    if exists(pipconf):
+        # Need to update pip.conf with the new index_url
+        # for "spin run pip ..." to use the right index and
+        # not the default one
+        _update_pipconf_url(pipconf, cfg.python.index_url)
+
+
+def _update_pipconf_url(filename, url):
+    """Upates the python.index_url in the pip.conf file with the new value"""
+    info(f"Updating python.index_url in {filename} with a fresh token...")
+    config_parser = configparser.ConfigParser()
+    config_parser.read(filename)
+    if not config_parser.has_section("global"):
+        config_parser.add_section("global")
+    option = (
+        "index-url" if config_parser.has_option("global", "index-url") else "index_url"
+    )
+    config_parser.set("global", option, url)
+    with open(filename, mode="w", encoding="utf-8") as f:
+        config_parser.write(f)

csspin_python/aws_auth_schema.yaml

@@ -0,0 +1,38 @@
+# -*- mode: yaml; coding: utf-8 -*-
+#
+# Schema of the aws_auth plugin for spin
+
+aws_auth:
+    type: object
+    help: |
+        Configuration for the aws_auth plugin in spin.
+        This plugin handles authentication with AWS and retrieves
+        secret keys from AWS CodeArtifact.
+    properties:
+        aws_role_arn:
+            type: str
+            help: The ARN of the AWS IAM role to assume for authentication.
+        aws_region:
+            type: str
+            help: The AWS region where the CodeArtifact repository is located.
+        role_session_name:
+            type: str
+            help: The name for the AWS STS session when assuming a role.
+        aws_codeartifact_domain:
+            type: str
+            help: The domain name of the AWS CodeArtifact repository.
+        aws_key_duration:
+            type: int
+            help: The duration in seconds for which the temporary key will be valid.
+        keycloak_url:
+            type: str
+            help: The URL of the Keycloak authentication server.
+        client_id:
+            type: str
+            help: The client ID for authentication with Keycloak.
+        client_secret:
+            type: str
+            help: The client secret for authentication with Keycloak.
+        codeartifact_auth_token:
+            type: str
+            help: The CodeArtifact auth token.

csspin_python/behave.py

@@ -0,0 +1,150 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# Copyright (C) 2022 CONTACT Software GmbH
+# https://www.contact-software.com
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+"""Module implementing the behave plugin for spin"""
+
+import contextlib
+import sys
+from typing import Generator
+
+from csspin import config, die, info, option, rmtree, setenv, sh, task, writetext
+from csspin.tree import ConfigTree
+from path import Path
+
+defaults = config(
+    # Exclude the flaky tests in the defaults for now.
+    # Will switch the default back to True as soon as
+    # we have an easy way to set this in the CI.
+    flaky=False,
+    coverage=False,
+    cov_report="python-at-coverage.xml",
+    cov_config="setup.cfg",
+    # Default to concise and readable output
+    opts=[
+        "--no-source",
+        "--tags=~skip",
+        "--format=pretty",
+        "--no-skipped",
+    ],
+    report=config(
+        name="cept_test_results.json",
+        format="json.pretty",
+    ),
+    # This is the default location of behave tests
+    tests=["tests/accepttests"],
+    requires=config(
+        spin=[
+            "csspin_python.python",
+        ],
+        python=[
+            "behave",
+            "coverage",
+        ],
+    ),
+)
+
+
+def configure(cfg: ConfigTree) -> None:
+    """Add some runtime-dependent options"""
+    if sys.platform == "win32":
+        cfg.behave.opts.append("--tags=~linux")
+    else:
+        cfg.behave.opts.append("--tags=~windows")
+
+
+def create_coverage_pth(cfg: ConfigTree) -> str:  # pylint: disable=unused-argument
+    """Creating the coverage path file and returning its path"""
+    coverage_pth_path = cfg.python.site_packages / "coverage.pth"
+    info(f"Create {coverage_pth_path}")
+    writetext(coverage_pth_path, "import coverage; coverage.process_startup()")
+    return coverage_pth_path
+
+
+@contextlib.contextmanager
+def with_coverage(cfg: ConfigTree) -> Generator:
+    """Context-manager enabling to run coverage"""
+    coverage_pth = ""
+    try:
+
+        sh("coverage", "erase", check=False)
+        setenv(COVERAGE_PROCESS_START=cfg.behave.cov_config)
+        coverage_pth = create_coverage_pth(cfg)
+        yield
+    finally:
+        setenv(COVERAGE_PROCESS_START=None)
+        rmtree(coverage_pth)
+        sh("coverage", "combine", check=False)
+        sh("coverage", "report", check=False)
+        sh("coverage", "xml", "-o", cfg.behave.cov_report, check=False)
+
+
+@task(when="cept")
+def behave(  # pylint: disable=too-many-arguments,too-many-positional-arguments
+    cfg,
+    instance: option(
+        "-i",  # noqa: F821
+        "--instance",  # noqa: F821
+        help="Directory of the CONTACT Elements instance.",  # noqa: F722
+    ),
+    coverage: option(
+        "-c",  # noqa: F821
+        "--coverage",  # noqa: F821
+        is_flag=True,
+        help="Run the tests while collecting coverage.",  # noqa: F722
+    ),
+    debug: option(
+        "--debug", is_flag=True, help="Start debug server."  # noqa: F722,F821
+    ),
+    with_test_report: option(
+        "--with-test-report",  # noqa: F722
+        is_flag=True,
+        help="Create a test execution report.",  # noqa: F722
+    ),
+    args,
+):
+    """Run Gherkin tests using behave."""
+    # pylint: disable=missing-function-docstring
+    coverage_enabled = coverage or cfg.behave.coverage
+    coverage_context = with_coverage if coverage_enabled else contextlib.nullcontext
+    opts = cfg.behave.opts
+    if not cfg.behave.flaky:
+        opts.append("--tags=~flaky")
+    if with_test_report and cfg.behave.report.name and cfg.behave.report.format:
+        opts = [
+            f"--format={cfg.behave.report.format}",
+            f"-o={cfg.behave.report.name}",
+        ] + opts
+    if cfg.loaded.get("csspin_ce.mkinstance"):
+        inst = Path(instance or cfg.mkinstance.base.instance_location).absolute()
+        if not (inst).is_dir():
+            die(f"Cannot find the CE instance '{inst}'.")
+        setenv(CADDOK_BASE=inst)
+
+        cmd = ["powerscript"]
+        if debug:
+            cmd.append("--debugpy")
+
+        with coverage_context(cfg):
+            sh(*cmd, "-m", "behave", *opts, *args, *cfg.behave.tests)
+    else:
+        cmd = ["python"]
+        if debug:
+            cmd = ["debugpy"] + cfg.debugpy.opts
+
+        with coverage_context(cfg):
+            sh(*cmd, "-m", "behave", *opts, *args, *cfg.behave.tests)

csspin_python/behave_schema.yaml

@@ -0,0 +1,39 @@
+# -*- mode: yaml; coding: utf-8 -*-
+#
+# Schema for the behave plugin for spin
+
+behave:
+    type: object
+    help: |
+        The behave plugin for spin enables running behave tests in the
+        context of spin.
+    properties:
+        flaky:
+            type: bool
+            help: Enable or disable flaky tests
+        coverage:
+            type: bool
+            help: Collect coverage while running behave.
+        cov_report:
+            type: path
+            help: Filepath to store the coverage report.
+        cov_config:
+            type: path
+            help: Filepath to the configuration that behave should respect.
+        opts:
+            type: list
+            help: Additional options for the behave command.
+        tests:
+            type: list
+            help: List of test files or directories to include.
+        report:
+            type: object
+            help: Configuration regarding the test report generation.
+            properties:
+                name:
+                    type: path
+                    help: Path to write the test report to.
+                format:
+                    type: str
+                    help: |
+                        A valid formatter of behave to use for the test report.

csspin_python/debugpy.py

@@ -0,0 +1,32 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# Copyright (C) 2022 CONTACT Software GmbH
+# https://www.contact-software.com
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+"""Module providing configurations for the debugpy plugin for spin"""
+
+from csspin import config
+
+defaults = config(
+    opts=[
+        "--listen localhost:5678",
+        "--wait-for-client",
+    ],
+    requires=config(
+        spin=["csspin_python.python"],
+        python=["debugpy"],
+    ),
+)

csspin_python/debugpy_schema.yaml

@@ -0,0 +1,14 @@
+# -*- mode: yaml; coding: utf-8 -*-
+#
+# Schema for the debugpy plugin for spin
+
+debugpy:
+    type: object
+    help: Configuration of the debugpy plugin for spin
+    properties:
+        enabled:
+            type: bool
+            help: Enable debugpy for usage.
+        opts:
+            type: list
+            help: Additional options used when executing debugpy.

csspin_python/devpi.py

@@ -0,0 +1,82 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# Copyright (C) 2020 CONTACT Software GmbH
+# https://www.contact-software.com/
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Module implementing the devpi plugin for spin"""
+
+
+from csspin import Command, config, die, exists, readyaml, setenv, sh, task
+
+defaults = config(
+    formats=["bdist_wheel"],
+    url=None,
+    user=None,
+    requires=config(
+        spin=["csspin_python.python"],
+        python=[
+            "devpi-client",
+            "keyring",
+        ],
+    ),
+)
+
+
+def init(cfg):  # pylint: disable=unused-argument
+    """Sets some environment variables"""
+    setenv(DEVPI_VENV="{python.venv}", DEVPI_CLIENTDIR="{spin.spin_dir}/devpi")
+
+
+@task("devpi:upload")
+def upload(cfg):
+    """Upload project wheel to a package server."""
+    if not cfg.devpi.user:
+        die("devpi.user is required!")
+
+    if exists(current_json := f"{cfg.spin.spin_dir}/devpi/current.json"):
+        data = readyaml(current_json)
+    else:
+        data = {}
+
+    devpi_ = Command("devpi")
+
+    if data.get("index") != (url := cfg.devpi.url):
+        if url == "None":
+            die("devpi.url not provided!")
+        devpi_("use", "-t", "yes", url)
+
+    devpi_("login", cfg.devpi.user)
+    devpi_(
+        "upload",
+        "-p",
+        cfg.python.python,
+        "--no-vcs",
+        f"--wheel={','.join(cfg.devpi.formats)}",
+    )
+
+
+@task()
+def devpi(cfg, args):
+    """Run the 'devpi' command inside the project's virtual environment.
+
+    All command line arguments are simply passed through to 'devpi'.
+
+    """
+    if cfg.devpi.url:
+        sh("devpi", "use", cfg.devpi.url)
+    if cfg.devpi.user:
+        sh("devpi", "login", cfg.devpi.user)
+
+    sh("devpi", *args)

csspin_python/devpi_schema.yaml

@@ -0,0 +1,17 @@
+# -*- mode: yaml; coding: utf-8 -*-
+#
+# Schema for the devpi plugin for spin
+
+devpi:
+    type: object
+    help: Configuration of the devpi plugin for spin
+    properties:
+        formats:
+            type: list
+            help: A list of formats to pass to devpi's --wheel option
+        url:
+            type: str
+            help: The URL of the package server to communicate with
+        user:
+            type: str
+            help: The user to authenticate with the package server