csspin-python 2.0.0__py3-none-any.whl → 2.1.0__py3-none-any.whl

csspin_python/python.py

@@ -15,7 +15,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-# pylint: disable=too-few-public-methods,missing-class-docstring
+# pylint: disable=too-few-public-methods,missing-class-docstring,too-many-lines
 
 """``python``
 ==========
@@ -148,6 +148,13 @@ defaults = config(
         install=True,
         extras=[],
     ),
+    aws_auth=config(
+        enabled=False,
+        memo="{spin.spin_dir}/aws_auth.memo",
+        key_duration=3600 * 10,  # 10 hours
+        static_oidc=False,
+        index="16.0/simple",
+    ),
     index_url="https://pypi.org/simple",
     requires=config(
         python=["build", "wheel"],
@@ -337,6 +344,9 @@ def configure(cfg):
     if exists(cfg.python.python):
         cfg.python.site_packages = get_site_packages(interpreter=cfg.python.python)
 
+    if cfg.python.aws_auth.enabled:
+        _check_aws_token_validity(cfg)
+
 
 def init(cfg):
     """Initialize the python plugin"""
@@ -888,13 +898,7 @@ def venv_provision(cfg):  # pylint: disable=too-many-branches,missing-function-d
     # This sets PATH to the venv
     init(cfg)
 
-    # Always create a pip conf with at least the packageserver index_url as content
-    if sys.platform == "win32":
-        pipconf = cfg.python.venv / "pip.ini"
-    else:
-        pipconf = cfg.python.venv / "pip.conf"
-
-    _create_pipconf(cfg, pipconf)
+    _configure_pipconf(cfg)
 
     # Establish the prerequisites
     if fresh_env:
@@ -945,7 +949,9 @@ def cleanup(cfg: ConfigTree) -> None:
                     f"'{provisioner.__class__.__name__}' failed: {err}"
                 )
         memo.clear()
+
     rmtree(cfg.python.provisioner_memo)
+    rmtree(cfg.python.aws_auth.memo)
     for path in cfg.python.build_wheels:
         current_path = Path(interpolate1(path))
         rmtree(current_path / "build")
@@ -955,16 +961,89 @@ def cleanup(cfg: ConfigTree) -> None:
                 rmtree(current_path / filename)
 
 
-def _create_pipconf(cfg, configfile):
-    # pip cannot handle a section being defined twice, so let's insert the
-    # index_url ourselves and create the configfile
+def _get_pipconf(cfg):
+    """Retrieve the pipconf configuration file path."""
+    if sys.platform == "win32":
+        pipconf = interpolate1(Path(cfg.python.venv)) / "pip.ini"
+    else:
+        pipconf = interpolate1(Path(cfg.python.venv)) / "pip.conf"
+
+    return pipconf
+
+
+def _configure_pipconf(cfg, update=False):
+    """Configure the pip configuration file"""
     config_parser = configparser.ConfigParser()
     config_parser.read_string(cfg.python.pipconf)
     if not config_parser.has_section("global"):
         config_parser.add_section("global")
-    if not (
+    if update or not (
         "index_url" in config_parser["global"] or "index-url" in config_parser["global"]
     ):
-        config_parser["global"]["index_url"] = cfg.python.index_url
-    with open(configfile, mode="w", encoding="utf-8") as fd:
+        config_parser["global"]["index_url"] = interpolate1(cfg.python.index_url)
+    with open(_get_pipconf(cfg), mode="w", encoding="utf-8") as fd:
         config_parser.write(fd)
+
+
+def _obfuscate_index_url(index_url):
+    """Add the CodeArtifact token to the secrets."""
+
+    from csspin import secrets
+
+    secrets.add(index_url.split(":")[2].split("@")[0])  # Codeartifact token
+
+
+def _check_aws_token_validity(cfg):
+    """
+    If csspin-python[aws_auth] is installed, we can use csaccess to get the
+    CodeArtifact authentication token.
+    """
+
+    try:
+        from csaccess import get_ca_pypi_url_programmatic
+    except ImportError:
+        die(
+            "The 'aws_auth' feature requires the 'aws_auth' extra being"
+            " installed (e.g. via csspin-python[aws_auth] in spinfile.yaml)."
+        )
+
+    import time
+
+    current_time = int(time.time())
+    timestamp_key = "aws_auth_timestamp"
+
+    with memoizer(cfg.python.aws_auth.memo) as memo:
+        for item in memo.items():
+            if isinstance(item, str) and item.startswith(f"{timestamp_key}:"):
+                last_time = int(item.split(":", 1)[1])
+                if current_time - last_time < cfg.python.aws_auth.key_duration:
+                    pipconf = _get_pipconf(cfg)
+                    config_parser = configparser.ConfigParser()
+                    config_parser.read(pipconf)
+                    info(f"Using existing index URL from {pipconf}.")
+
+                    if index_url := (
+                        config_parser["global"].get("index_url")
+                        or config_parser["global"].get("index-url")
+                    ):
+                        cfg.python.index_url = index_url
+                        _obfuscate_index_url(index_url)
+                    break
+                memo.items().remove(item)
+        else:
+            info("Updating Codeartifact token.")
+            from urllib.parse import urljoin
+
+            index_url = urljoin(
+                get_ca_pypi_url_programmatic(
+                    static_oidc=cfg.python.aws_auth.static_oidc
+                )
+                + "/",
+                cfg.python.aws_auth.index,
+            )
+            cfg.python.index_url = index_url
+            _obfuscate_index_url(index_url)
+
+            if exists(cfg.python.venv):
+                _configure_pipconf(cfg, update=True)
+            memo.add(f"{timestamp_key}:{current_time}")

csspin_python/python_schema.yaml

@@ -129,3 +129,31 @@ python:
             help: |
                 A list of packages that will be built along with the current
                 project when executing python:wheel.
+        aws_auth:
+            type: object
+            help: Configuration for the 'aws_auth' extra.
+            properties:
+                enabled:
+                    type: bool
+                    help: |
+                        Whether to enable AWS authentication for retrieving
+                        packages from CodeArtifact.
+                memo:
+                    type: path
+                    help: |
+                        Path to the memoized information regarding the aws_auth
+                        extra.
+                key_duration:
+                    type: int
+                    help: |
+                        Time in seconds defining how long the plugin should
+                        consider the authentication token as valid before
+                        issuing a new one.
+                static_oidc:
+                    type: bool
+                    help: |
+                        Whether to static OIDC when authenticating with AWS
+                        CodeArtifact.
+                index:
+                    type: str
+                    help: The Codeartifact repository index (e.g. "16.0/simple").

{csspin_python-2.0.0.dist-info → csspin_python-2.1.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
-Name: csspin_python
-Version: 2.0.0
+Name: csspin-python
+Version: 2.1.0
 Summary: Plugin-package for csspin providing Python related plugins
 Author-email: CONTACT Software GmbH <info@contact-software.com>
 Maintainer-email: Waleri Enns <waleri.enns@contact-software.com>, Benjamin Thomas Schwertfeger <benjaminthomas.schwertfeger@contact-software.com>, Fabian Hafer <fabian.hafer@contact-software.com>
@@ -22,19 +22,16 @@ Description-Content-Type: text/x-rst
 License-File: LICENSE
 Requires-Dist: virtualenv
 Provides-Extra: aws-auth
-Requires-Dist: boto3; extra == "aws-auth"
-Requires-Dist: requests; extra == "aws-auth"
+Requires-Dist: csaccess>=0.1.0; extra == "aws-auth"
 Dynamic: license-file
 
 |Latest Version| |Python| |License|
 
-`csspin_python` is maintained and published by `CONTACT Software GmbH`_ and
+`csspin-python` is maintained and published by `CONTACT Software GmbH`_ and
 serves Python-based plugins for the `csspin`_ task runner.
 
 The following plugins are available:
 
-- `csspin_python.aws_auth`: A plugin for authenticating to CONTACT Elements
-  instances hosted on AWS.
 - `csspin_python.behave`: A plugin for running tests using Behave.
 - `csspin_python.debugpy`: A plugin for debugging Python code using `debugpy`_.
 - `csspin_python.devpi`: A plugin for simplified usage of `devpi`_.
@@ -46,6 +43,9 @@ The following plugins are available:
   complexity.
 - `csspin_python.sphinx`: A plugin for building Sphinx documentation.
 
+The package provides an ``aws_auth`` extra, that, if enabled, can
+authenticate to `CONTACT Software GmbH`_'s AWS Codeartifact.
+
 Prerequisites
 -------------
 
@@ -56,10 +56,10 @@ Python package manager, e.g.:
 
    python -m pip install csspin
 
-Using csspin_python
+Using csspin-python
 -------------------
 
-The `csspin_python` package and its plugins can be installed by defining those
+The `csspin-python` package and its plugins can be installed by defining those
 within the `spinfile.yaml` configuration file of your project.
 
 .. code-block:: yaml
@@ -70,7 +70,7 @@ within the `spinfile.yaml` configuration file of your project.
     # To develop plugins comfortably, install the packages editable as
     # follows and add the relevant plugins to the list 'plugins' below
     plugin_packages:
-      - csspin_python
+      - csspin-python
 
     # The list of plugins to be used for this project.
     plugins:
@@ -93,13 +93,13 @@ environment and install the required dependencies. After that, you can run
 tests using ``spin pytest`` and do other great things.
 
 .. _`CONTACT Software GmbH`: https://contact-software.com
-.. |Python| image:: https://img.shields.io/pypi/pyversions/csspin_python.svg?style=flat
-    :target: https://pypi.python.org/pypi/csspin_python/
+.. |Python| image:: https://img.shields.io/pypi/pyversions/csspin-python.svg?style=flat
+    :target: https://pypi.python.org/pypi/csspin-python/
     :alt: Supported Python Versions
-.. |Latest Version| image:: http://img.shields.io/pypi/v/csspin_python.svg?style=flat
+.. |Latest Version| image:: http://img.shields.io/pypi/v/csspin-python.svg?style=flat
     :target: https://pypi.python.org/pypi/csspin/
     :alt: Latest Package Version
-.. |License| image:: http://img.shields.io/pypi/l/csspin_python.svg?style=flat
+.. |License| image:: http://img.shields.io/pypi/l/csspin-python.svg?style=flat
     :target: https://www.apache.org/licenses/LICENSE-2.0.txt
     :alt: License
 .. _`csspin`: https://pypi.org/project/csspin

{csspin_python-2.0.0.dist-info → csspin_python-2.1.0.dist-info}/RECORD

@@ -1,5 +1,3 @@
-csspin_python/aws_auth.py,sha256=cQXz2AWW-TM-KAv8ZpXOSntTRRzvRL21f2NwMpOf3PA,7232
-csspin_python/aws_auth_schema.yaml,sha256=GgLhnwn4savhmLUcfL2eVPyNhWkiKA5tKz6y1tU1C6w,1353
 csspin_python/behave.py,sha256=iA5t-vwMDhmWoo-FHaeZ6JyIzj6k4r2WLyYa2AjXyp4,4815
 csspin_python/behave_schema.yaml,sha256=8qoOCK-uTmwgRRW29urgK0X_kgn0zO0X34v89bvii2w,1241
 csspin_python/debugpy.py,sha256=v0ZZopv5TNoSaFf2kiePsw9OmhBpjfOBFh0u71jTcnQ,962
@@ -10,12 +8,12 @@ csspin_python/playwright.py,sha256=nYuPjuTfGx_6QPYsUpr-eAZARyXX_hZF8D4AxeI2u1s,4
 csspin_python/playwright_schema.yaml,sha256=WFMok7dB7G6L8f8y_2_RKHjGe4ww1iUUS4tqCoUI1FE,1054
 csspin_python/pytest.py,sha256=EwxPynyPWS72NTtIah1jUGVa7fJYY8I2_NQz0y0U7Os,2978
 csspin_python/pytest_schema.yaml,sha256=1bF8hNsJfV-LHUwGBBJ3GnQOZJiIQkG81DCBma2MalU,809
-csspin_python/python.py,sha256=lWFSBeeqq3wM_DkR_zv3v9QlagXSZ-UMALhzxoAVXlY,30553
-csspin_python/python_schema.yaml,sha256=lhqZmepoGdWlBd27Bu3ErUDNtMLPM9oQ_fh71cdc4a8,4823
+csspin_python/python.py,sha256=du1sFA6Uh8Wp5V6sN3_iSsQNEz-OZBAJG-FdgCyvsjM,33114
+csspin_python/python_schema.yaml,sha256=F_PMK8D3KBvXK945b6-oRDoaxuDgxkBGqVPAJ-eFmv0,5970
 csspin_python/radon.py,sha256=OSV0vTz7SMMHC82jUvWsBq6vtWolOjdiZ2bBdxplVJ4,1744
 csspin_python/radon_schema.yaml,sha256=rlRzXw5z4XbjOVznRiUxWGP4E9hx1Jm-gGw1iQiYzE0,548
-csspin_python-2.0.0.dist-info/licenses/LICENSE,sha256=4MAecetnRTQw5DlHtiikDSzKWO1xVLwzM5_DsPMYlnE,10172
-csspin_python-2.0.0.dist-info/METADATA,sha256=7I3BD1CdoU9z-1q4qvec-XFeB7UL_q1GLAe3-meg1so,4184
-csspin_python-2.0.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-csspin_python-2.0.0.dist-info/top_level.txt,sha256=QSeglMEGbFu1z4L6MCQYwo01NgL0KojWvC4rzgMQ8gU,14
-csspin_python-2.0.0.dist-info/RECORD,,
+csspin_python-2.1.0.dist-info/licenses/LICENSE,sha256=4MAecetnRTQw5DlHtiikDSzKWO1xVLwzM5_DsPMYlnE,10172
+csspin_python-2.1.0.dist-info/METADATA,sha256=-cWwMdEo8x0I1_vcEAjiCO5DC79Y-ymGXro6Qig7Q4s,4174
+csspin_python-2.1.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+csspin_python-2.1.0.dist-info/top_level.txt,sha256=QSeglMEGbFu1z4L6MCQYwo01NgL0KojWvC4rzgMQ8gU,14
+csspin_python-2.1.0.dist-info/RECORD,,

csspin_python/aws_auth.py

@@ -1,195 +0,0 @@
-# -*- mode: python; coding: utf-8 -*-
-#
-# Copyright (C) 2025 CONTACT Software GmbH
-# https://www.contact-software.com/
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-"""Module implementing the aws_auth plugin for spin"""
-
-import configparser
-import os
-
-from csspin import Path, config, debug, die, exists, info, interpolate1
-
-defaults = config(
-    aws_role_arn="arn:aws:iam::373369985286:role/cs-central1-codeartifact-ecr-read-role",
-    aws_region="eu-central-1",
-    aws_role_session_name="CodeArtifactSession",
-    aws_codeartifact_domain="contact",
-    aws_key_duration=3600,
-    keycloak_url="https://login.contact-cloud.com/realms/contact/protocol/openid-connect/token",
-    client_id="central1-auth-oidc-read",
-    requires=config(
-        spin=[
-            "csspin_python.python",
-        ],
-    ),
-)
-
-
-def configure(cfg):  # pylint: disable=too-many-statements
-    """Configure the plugin and apply changes to the configuration tree"""
-    # Could be useful in CI e.g. when you want to build docs
-    # and need to include this plugin in spinfile
-    # without using it's functionality
-    if os.environ.get("AWS_AUTH_DISABLE"):
-        info("AWS_AUTH_DISABLE is set, ignoring aws_auth plugin")
-        return
-
-    from sys import platform
-
-    try:
-        import boto3
-        import requests
-        from botocore.exceptions import ClientError
-    except ImportError:
-        die(
-            "Failed to import required modules. Please install them by setting:"
-            "\n\tplugin_packages:\n\t\t- csspin_python[aws_auth]\n"
-            "in your project's spinfile.yaml"
-        )
-
-    cfg.aws_auth.client_secret = os.environ.get("KEYCLOAK_CLIENT_SECRET")
-    if not cfg.aws_auth.client_secret:
-        die(
-            "Neither aws_auth.client_secret config"
-            "entry nor KEYCLOAK_CLIENT_SECRET environment variable was found."
-        )
-
-    def get_keycloak_access_token(keycloak_url, client_id, client_secret):
-        """
-        Obtain the Keycloak access token using client credentials.
-        """
-        debug("Requesting Keycloak access token...")
-        payload = {
-            "grant_type": "client_credentials",
-            "client_id": client_id,
-            "client_secret": client_secret,
-        }
-
-        try:
-            response = requests.post(keycloak_url, data=payload, timeout=15)
-            response.raise_for_status()
-            data = response.json()
-            access_token = data.get("access_token")
-            if not access_token:
-                raise ValueError("Response doesn't contain access_token")
-        except (ValueError, requests.exceptions.RequestException) as e:
-            die(f"Failed to fetch Keycloak access token: {e}")
-
-        return access_token
-
-    def assume_aws_role_with_web_identity(
-        keycloak_access_token,
-        role_arn,
-        role_session_name,
-        region,
-        key_duration_seconds,
-    ):
-        """
-        Request AWS STS credentials using the Keycloak token as a web identity.
-        """
-        debug("Requesting AWS STS credentials...")
-        sts_client = boto3.client("sts", region_name=region)
-        try:
-            sts_response = sts_client.assume_role_with_web_identity(
-                RoleArn=role_arn,
-                RoleSessionName=role_session_name,
-                WebIdentityToken=keycloak_access_token,
-                DurationSeconds=key_duration_seconds,
-            )
-            credentials = sts_response.get("Credentials", {})
-            if not (
-                credentials.get("AccessKeyId")
-                and credentials.get("SecretAccessKey")
-                and credentials.get("SessionToken")
-            ):
-                raise ValueError("Incomplete AWS credentials received")
-        except (ValueError, ClientError) as e:
-            die(f"Failed to assume AWS role with web identity: {e}")
-
-        return credentials
-
-    def get_codeartifact_auth_token(credentials, domain, region):
-        """
-        Retrieve the AWS CodeArtifact authentication token using temporary AWS credentials.
-        """
-        debug("Requesting CodeArtifact authentication token...")
-        codeartifact_client = boto3.client(
-            "codeartifact",
-            region_name=region,
-            aws_access_key_id=credentials.get("AccessKeyId"),
-            aws_secret_access_key=credentials.get("SecretAccessKey"),
-            aws_session_token=credentials.get("SessionToken"),
-        )
-
-        try:
-            response = codeartifact_client.get_authorization_token(domain=domain)
-            auth_token = response.get("authorizationToken")
-            if not auth_token:
-                raise ValueError("Failed to retrieve CodeArtifact authentication token")
-        except (ValueError, ClientError) as e:
-            die(f"Failed to retrieve CodeArtifact authentication token: {e}")
-
-        return auth_token
-
-    keycloak_access_token = get_keycloak_access_token(
-        cfg.aws_auth.keycloak_url, cfg.aws_auth.client_id, cfg.aws_auth.client_secret
-    )
-
-    credentials = assume_aws_role_with_web_identity(
-        keycloak_access_token,
-        cfg.aws_auth.aws_role_arn,
-        cfg.aws_auth.aws_role_session_name,
-        cfg.aws_auth.aws_region,
-        cfg.aws_auth.aws_key_duration,
-    )
-
-    codeartifact_auth_token = get_codeartifact_auth_token(
-        credentials, cfg.aws_auth.aws_codeartifact_domain, cfg.aws_auth.aws_region
-    )
-
-    domain_owner = cfg.aws_auth.aws_role_arn.split(":")[4]
-
-    cfg.aws_auth.codeartifact_auth_token = codeartifact_auth_token
-    cfg.python.index_url = (
-        f"https://aws:{codeartifact_auth_token}@"
-        f"{cfg.aws_auth.aws_codeartifact_domain}-{domain_owner}"
-        f".d.codeartifact.{cfg.aws_auth.aws_region}.amazonaws.com/pypi/elements/simple/"
-    )
-
-    pipconf = interpolate1(cfg.python.venv) / Path(
-        "pip.ini" if platform == "win32" else "pip.conf"
-    )
-    if exists(pipconf):
-        # Need to update pip.conf with the new index_url
-        # for "spin run pip ..." to use the right index and
-        # not the default one
-        _update_pipconf_url(pipconf, cfg.python.index_url)
-
-
-def _update_pipconf_url(filename, url):
-    """Upates the python.index_url in the pip.conf file with the new value"""
-    info(f"Updating python.index_url in {filename} with a fresh token...")
-    config_parser = configparser.ConfigParser()
-    config_parser.read(filename)
-    if not config_parser.has_section("global"):
-        config_parser.add_section("global")
-    option = (
-        "index-url" if config_parser.has_option("global", "index-url") else "index_url"
-    )
-    config_parser.set("global", option, url)
-    with open(filename, mode="w", encoding="utf-8") as f:
-        config_parser.write(f)

csspin_python/aws_auth_schema.yaml

@@ -1,38 +0,0 @@
-# -*- mode: yaml; coding: utf-8 -*-
-#
-# Schema of the aws_auth plugin for spin
-
-aws_auth:
-    type: object
-    help: |
-        Configuration for the aws_auth plugin in spin.
-        This plugin handles authentication with AWS and retrieves
-        secret keys from AWS CodeArtifact.
-    properties:
-        aws_role_arn:
-            type: str
-            help: The ARN of the AWS IAM role to assume for authentication.
-        aws_region:
-            type: str
-            help: The AWS region where the CodeArtifact repository is located.
-        role_session_name:
-            type: str
-            help: The name for the AWS STS session when assuming a role.
-        aws_codeartifact_domain:
-            type: str
-            help: The domain name of the AWS CodeArtifact repository.
-        aws_key_duration:
-            type: int
-            help: The duration in seconds for which the temporary key will be valid.
-        keycloak_url:
-            type: str
-            help: The URL of the Keycloak authentication server.
-        client_id:
-            type: str
-            help: The client ID for authentication with Keycloak.
-        client_secret:
-            type: str
-            help: The client secret for authentication with Keycloak.
-        codeartifact_auth_token:
-            type: str
-            help: The CodeArtifact auth token.