digitalhub 0.14.0b7__py3-none-any.whl → 0.14.1b0__py3-none-any.whl

digitalhub/stores/client/{dhcore/client.py → client.py}

@@ -6,17 +6,16 @@ from __future__ import annotations
 
 from typing import Any
 
-from digitalhub.stores.client._base.client import Client
-from digitalhub.stores.client.dhcore.api_builder import ClientDHCoreApiBuilder
-from digitalhub.stores.client.dhcore.header_manager import HeaderManager
-from digitalhub.stores.client.dhcore.http_handler import HttpRequestHandler
-from digitalhub.stores.client.dhcore.key_builder import ClientDHCoreKeyBuilder
-from digitalhub.stores.client.dhcore.params_builder import ClientDHCoreParametersBuilder
+from digitalhub.stores.client.api_builder import ClientApiBuilder
+from digitalhub.stores.client.header_manager import HeaderManager
+from digitalhub.stores.client.http_handler import HttpRequestHandler
+from digitalhub.stores.client.key_builder import ClientKeyBuilder
+from digitalhub.stores.client.params_builder import ClientParametersBuilder
 from digitalhub.utils.exceptions import BackendError
 from digitalhub.utils.generic_utils import dump_json
 
 
-class ClientDHCore(Client):
+class Client:
     """
     DHCore client for remote DigitalHub Core backend communication.
 
@@ -27,13 +26,11 @@ class ClientDHCore(Client):
     JSON serialization.
     """
 
-    def __init__(self, config: dict | None = None) -> None:
-        super().__init__()
-
+    def __init__(self) -> None:
         # API, key and parameters builders
-        self._api_builder: ClientDHCoreApiBuilder = ClientDHCoreApiBuilder()
-        self._key_builder: ClientDHCoreKeyBuilder = ClientDHCoreKeyBuilder()
-        self._params_builder: ClientDHCoreParametersBuilder = ClientDHCoreParametersBuilder()
+        self._api_builder: ClientApiBuilder = ClientApiBuilder()
+        self._key_builder: ClientKeyBuilder = ClientKeyBuilder()
+        self._params_builder: ClientParametersBuilder = ClientParametersBuilder()
 
         # HTTP request handling
         self._http_handler = HttpRequestHandler()
@@ -239,23 +236,68 @@ class ClientDHCore(Client):
         return objects
 
     ##############################
-    # Interface methods
+    # Build methods
     ##############################
 
-    @staticmethod
-    def is_local() -> bool:
+    def build_api(self, category: str, operation: str, **kwargs) -> str:
         """
-        Check if this client operates locally.
+        Build the API for the client.
 
-        Used to distinguish between ClientDHCore (remote) and ClientLocal
-        implementations.
+        Parameters
+        ----------
+        category : str
+            API category.
+        operation : str
+            API operation.
+        **kwargs : dict
+            Additional parameters.
 
         Returns
         -------
-        bool
-            False, indicating this client communicates with remote DHCore backend.
+        str
+            API formatted.
+        """
+        return self._api_builder.build_api(category, operation, **kwargs)
+
+    def build_key(self, category: str, *args, **kwargs) -> str:
+        """
+        Build the key for the client.
+
+        Parameters
+        ----------
+        category : str
+            Key category.
+        *args : tuple
+            Additional arguments.
+        **kwargs : dict
+            Additional parameters.
+
+        Returns
+        -------
+        str
+            Key formatted.
+        """
+        return self._key_builder.build_key(category, *args, **kwargs)
+
+    def build_parameters(self, category: str, operation: str, **kwargs) -> dict:
+        """
+        Build the parameters for the client call.
+
+        Parameters
+        ----------
+        category : str
+            API category.
+        operation : str
+            API operation.
+        **kwargs : dict
+            Parameters to build.
+
+        Returns
+        -------
+        dict
+            Parameters formatted.
         """
-        return False
+        return self._params_builder.build_parameters(category, operation, **kwargs)
 
     ##############################
     # Utility methods
@@ -265,5 +307,4 @@ class ClientDHCore(Client):
         """
         Manually trigger OAuth2 token refresh.
         """
-        self._http_handler._configurator.check_config()
         self._http_handler._configurator.refresh_credentials()

digitalhub/stores/client/{dhcore/configurator.py → configurator.py}

@@ -8,10 +8,9 @@ import typing
 
 from requests import request
 
-from digitalhub.stores.client.dhcore.enums import AuthType
-from digitalhub.stores.credentials.configurator import Configurator
-from digitalhub.stores.credentials.enums import CredsEnvVar
-from digitalhub.stores.credentials.handler import creds_handler
+from digitalhub.stores.client.enums import AuthType
+from digitalhub.stores.configurator.configurator import configurator
+from digitalhub.stores.configurator.enums import ConfigurationVars, CredentialsVars
 from digitalhub.utils.exceptions import ClientError
 from digitalhub.utils.generic_utils import list_enum
 from digitalhub.utils.uri_utils import has_remote_scheme
@@ -20,7 +19,10 @@ if typing.TYPE_CHECKING:
     from requests import Response
 
 
-class ClientDHCoreConfigurator(Configurator):
+DEFAULT_TIMEOUT = 60
+
+
+class ClientConfigurator:
     """
     DHCore client configurator for credential management and authentication.
 
@@ -35,20 +37,13 @@ class ClientDHCoreConfigurator(Configurator):
     credential storage.
     """
 
-    keys = [*list_enum(CredsEnvVar)]
-    required_keys = [CredsEnvVar.DHCORE_ENDPOINT.value]
-    keys_to_prefix = [
-        CredsEnvVar.DHCORE_REFRESH_TOKEN.value,
-        CredsEnvVar.DHCORE_ACCESS_TOKEN.value,
-        CredsEnvVar.DHCORE_ISSUER.value,
-        CredsEnvVar.DHCORE_CLIENT_ID.value,
-    ]
+    keys = [*list_enum(ConfigurationVars), *list_enum(CredentialsVars)]
 
     def __init__(self) -> None:
         """
         Initialize DHCore configurator and evaluate authentication type.
         """
-        super().__init__()
+        self._validate()
         self._auth_type: str | None = None
         self.set_auth_type()
 
@@ -56,92 +51,6 @@ class ClientDHCoreConfigurator(Configurator):
     # Credentials methods
     ##############################
 
-    def load_env_vars(self) -> None:
-        """
-        Load and sanitize credentials from environment variables.
-
-        Sanitizes endpoint and issuer URLs to ensure proper HTTP/HTTPS schemes
-        and removes trailing slashes.
-        """
-        env_creds = self._creds_handler.load_from_env(self.keys)
-        env_creds = self._sanitize_env_vars(env_creds)
-        self._creds_handler.set_credentials(self._env, env_creds)
-
-    def _sanitize_env_vars(self, creds: dict) -> dict:
-        """
-        Sanitize environment variable credentials.
-
-        Validates and normalizes endpoint and issuer URLs. Environment variables
-        use full "DHCORE_" prefixes.
-
-        Parameters
-        ----------
-        creds : dict
-            Raw credentials from environment variables.
-
-        Returns
-        -------
-        dict
-            Sanitized credentials with normalized URLs.
-
-        Raises
-        ------
-        ClientError
-            If endpoint or issuer URLs have invalid schemes.
-        """
-        creds[CredsEnvVar.DHCORE_ENDPOINT.value] = self._sanitize_endpoint(creds[CredsEnvVar.DHCORE_ENDPOINT.value])
-        creds[CredsEnvVar.DHCORE_ISSUER.value] = self._sanitize_endpoint(creds[CredsEnvVar.DHCORE_ISSUER.value])
-        return creds
-
-    def load_file_vars(self) -> None:
-        """
-        Load credentials from configuration file with CLI compatibility.
-
-        Handles keys without "DHCORE_" prefix for CLI compatibility. Falls back
-        to environment variables for missing endpoint and personal access token values.
-        """
-        file_creds = self._creds_handler.load_from_file(self.keys)
-
-        # Because in the response there is no personal access token
-        pat = CredsEnvVar.DHCORE_PERSONAL_ACCESS_TOKEN.value
-        if file_creds[pat] is None:
-            file_creds[pat] = self._creds_handler.load_from_env([pat]).get(pat)
-
-        # Because in the response there is no endpoint
-        endpoint = CredsEnvVar.DHCORE_ENDPOINT.value
-        if file_creds[endpoint] is None:
-            file_creds[endpoint] = self._creds_handler.load_from_env([endpoint]).get(endpoint)
-
-        file_creds = self._sanitize_file_vars(file_creds)
-        self._creds_handler.set_credentials(self._file, file_creds)
-
-    def _sanitize_file_vars(self, creds: dict) -> dict:
-        """
-        Sanitize configuration file credentials.
-
-        Handles different key formats between file and environment variables.
-        File format omits "DHCORE_" prefix for: issuer, client_id, access_token,
-        refresh_token. Full names used for: endpoint, user, password, personal_access_token.
-
-        Parameters
-        ----------
-        creds : dict
-            Raw credentials from configuration file.
-
-        Returns
-        -------
-        dict
-            Sanitized credentials with standardized keys and normalized URLs.
-
-        Raises
-        ------
-        ClientError
-            If endpoint or issuer URLs have invalid schemes.
-        """
-        creds[CredsEnvVar.DHCORE_ENDPOINT.value] = self._sanitize_endpoint(creds[CredsEnvVar.DHCORE_ENDPOINT.value])
-        creds[CredsEnvVar.DHCORE_ISSUER.value] = self._sanitize_endpoint(creds[CredsEnvVar.DHCORE_ISSUER.value])
-        return {k: v for k, v in creds.items() if k in self.keys}
-
     @staticmethod
     def _sanitize_endpoint(endpoint: str | None = None) -> str | None:
         """
@@ -188,8 +97,9 @@ class ClientDHCoreConfigurator(Configurator):
         KeyError
             If endpoint not configured in current credential source.
         """
-        creds = self._creds_handler.get_credentials(self._origin)
-        return creds[CredsEnvVar.DHCORE_ENDPOINT.value]
+        config = configurator.get_configuration()
+        endpoint = config[ConfigurationVars.DHCORE_ENDPOINT.value]
+        return self._sanitize_endpoint(endpoint)
 
     ##############################
     # Origin methods
@@ -220,15 +130,13 @@ class ClientDHCoreConfigurator(Configurator):
         (username + password). For EXCHANGE type, automatically exchanges the
         personal access token and switches to file-based credentials storage.
         """
-        creds = creds_handler.get_credentials(self._origin)
+        creds = configurator.get_credentials()
         self._auth_type = self._eval_auth_type(creds)
         # If we have an exchange token, we need to get a new access token.
         # Therefore, we change the origin to file, where the refresh token is written.
         # We also try to fetch the PAT from both env and file
         if self._auth_type == AuthType.EXCHANGE.value:
-            self.refresh_credentials(change_origin=True)
-            # Just to ensure we get the right source from file
-            self.change_to_file()
+            self.refresh_credentials(retry=True)
 
     def refreshable_auth_types(self) -> bool:
         """
@@ -261,83 +169,97 @@ class ClientDHCoreConfigurator(Configurator):
         dict
             Modified kwargs with authentication parameters.
         """
-        creds = creds_handler.get_credentials(self._origin)
+        creds = configurator.get_credentials()
         if self._auth_type in (
             AuthType.EXCHANGE.value,
             AuthType.OAUTH2.value,
             AuthType.ACCESS_TOKEN.value,
         ):
-            access_token = creds[CredsEnvVar.DHCORE_ACCESS_TOKEN.value]
+            access_token = creds[CredentialsVars.DHCORE_ACCESS_TOKEN.value]
             if "headers" not in kwargs:
                 kwargs["headers"] = {}
             kwargs["headers"]["Authorization"] = f"Bearer {access_token}"
         elif self._auth_type == AuthType.BASIC.value:
-            user = creds[CredsEnvVar.DHCORE_USER.value]
-            password = creds[CredsEnvVar.DHCORE_PASSWORD.value]
+            user = creds[CredentialsVars.DHCORE_USER.value]
+            password = creds[CredentialsVars.DHCORE_PASSWORD.value]
             kwargs["auth"] = (user, password)
         return kwargs
 
-    def refresh_credentials(self, change_origin: bool = False) -> None:
+    def refresh_credentials(self) -> None:
         """
         Refresh authentication tokens using OAuth2 flows.
+        """
+        # Get credentials and configuration
+        creds = configurator.get_config_creds()
+
+        # Get token refresh from creds
+        if (url := creds.get(ConfigurationVars.OAUTH2_TOKEN_ENDPOINT.value)) is None:
+            url = self._get_refresh_endpoint()
+        url = self._sanitize_endpoint(url)
+
+        # Execute the appropriate auth flow
+        response = self._evaluate_auth_flow(url, creds)
 
-        Uses refresh_token grant for OAUTH2 or token exchange for EXCHANGE authentication.
-        On 400/401/403 errors with change_origin=True, attempts to switch credential
-        sources and retry. Saves new credentials to configuration file.
+        # Evaluate a retry
+        self._evaluate_retry(response)
+
+        # Raise an error if the response indicates failure
+        response.raise_for_status()
+
+        # Export new credentials to file
+        self._export_new_creds(response.json())
+
+    def _evaluate_auth_flow(self, url: str, creds: dict) -> Response:
+        """
+        Evaluate the auth flow to execute.
 
         Parameters
         ----------
-        change_origin : bool, default False
-            Whether to switch credential sources on auth failure.
-
-        Raises
-        ------
-        ClientError
-            If auth type doesn't support refresh or credentials missing.
+        url : str
+            Token endpoint URL.
+        creds : dict
+            Available credential values.
         """
         if not self.refreshable_auth_types():
             raise ClientError(f"Auth type {self._auth_type} does not support refresh.")
 
-        # Get refresh endpoint
-        url = self._get_refresh_endpoint()
-
-        # Get credentials
-        creds = self._creds_handler.get_credentials(self._origin)
-
-        # Get client id
-        if (client_id := creds.get(CredsEnvVar.DHCORE_CLIENT_ID.value)) is None:
+        if (client_id := creds.get(ConfigurationVars.DHCORE_CLIENT_ID.value)) is None:
             raise ClientError("Client id not set.")
 
-        # Handling of token exchange or refresh
+        # Handling of token refresh
         if self._auth_type == AuthType.OAUTH2.value:
-            response = self._call_refresh_endpoint(
+            return self._call_refresh_endpoint(
                 url,
                 client_id=client_id,
-                refresh_token=creds.get(CredsEnvVar.DHCORE_REFRESH_TOKEN.value),
+                refresh_token=creds.get(CredentialsVars.DHCORE_REFRESH_TOKEN.value),
                 grant_type="refresh_token",
                 scope="credentials",
             )
-        elif self._auth_type == AuthType.EXCHANGE.value:
-            response = self._call_refresh_endpoint(
-                url,
-                client_id=client_id,
-                subject_token=creds.get(CredsEnvVar.DHCORE_PERSONAL_ACCESS_TOKEN.value),
-                subject_token_type="urn:ietf:params:oauth:token-type:pat",
-                grant_type="urn:ietf:params:oauth:grant-type:token-exchange",
-                scope="credentials",
-            )
-
-        # Change origin of creds if needed
-        if response.status_code in (400, 401, 403):
-            if not change_origin:
-                raise ClientError("Unable to refresh credentials. Please check your credentials.")
-            self.eval_change_origin()
-            self.refresh_credentials(change_origin=False)
 
-        response.raise_for_status()
+        ## Handling of token exchange
+        return self._call_refresh_endpoint(
+            url,
+            client_id=client_id,
+            subject_token=creds.get(CredentialsVars.DHCORE_PERSONAL_ACCESS_TOKEN.value),
+            subject_token_type="urn:ietf:params:oauth:token-type:pat",
+            grant_type="urn:ietf:params:oauth:grant-type:token-exchange",
+            scope="credentials",
+        )
 
-        # Read new credentials and propagate to config file
-        self._export_new_creds(response.json())
+    def _evaluate_retry(self, response: Response) -> None:
+        """
+        Evaluate the status of retry lifecycle.
+        """
+        if response.status_code not in (400, 401, 403):
+            return
+        if configurator.eval_retry():
+            self.refresh_credentials()
+        raise ClientError(
+            "Failed to refresh credentials after retry"
+            " (checked credentials from file and env)."
+            " Please check your credentials"
+            " (refresh tokens, password, etc.)."
+        )
 
     def _get_refresh_endpoint(self) -> str:
         """
@@ -346,28 +268,25 @@ class ClientDHCoreConfigurator(Configurator):
         Queries /.well-known/openid-configuration to extract token_endpoint for
         credential refresh operations.
 
+        Parameters
+        ----------
+        creds : dict
+            Available credential values.
+
         Returns
         -------
         str
             Token endpoint URL for credential refresh.
-
-        Raises
-        ------
-        ClientError
-            If issuer endpoint not configured.
-        HTTPError
-            If well-known configuration endpoint inaccessible.
-        KeyError
-            If token_endpoint not found in issuer configuration.
         """
+        config = configurator.get_configuration()
+
         # Get issuer endpoint
-        creds = self._creds_handler.get_credentials(self._origin)
-        endpoint_issuer = creds.get(CredsEnvVar.DHCORE_ISSUER.value)
-        if endpoint_issuer is None:
+        if (endpoint_issuer := config.get(ConfigurationVars.DHCORE_ISSUER.value)) is None:
             raise ClientError("Issuer endpoint not set.")
 
         # Standard issuer endpoint path
         url = endpoint_issuer + "/.well-known/openid-configuration"
+        url = self._sanitize_endpoint(url)
 
         # Call issuer to get refresh endpoint
         r = request("GET", url, timeout=60)
@@ -400,7 +319,13 @@ class ClientDHCoreConfigurator(Configurator):
         # Send request to get new access token
         payload = {**kwargs}
         headers = {"Content-Type": "application/x-www-form-urlencoded"}
-        return request("POST", url, data=payload, headers=headers, timeout=60)
+        return request(
+            "POST",
+            url,
+            data=payload,
+            headers=headers,
+            timeout=DEFAULT_TIMEOUT,
+        )
 
     def _eval_auth_type(self, creds: dict) -> str | None:
         """
@@ -419,16 +344,19 @@ class ClientDHCoreConfigurator(Configurator):
         str or None
             Authentication type from AuthType enum, or None if no valid credentials.
         """
-        if creds[CredsEnvVar.DHCORE_PERSONAL_ACCESS_TOKEN.value] is not None:
+        if creds[CredentialsVars.DHCORE_PERSONAL_ACCESS_TOKEN.value] is not None:
             return AuthType.EXCHANGE.value
         if (
-            creds[CredsEnvVar.DHCORE_ACCESS_TOKEN.value] is not None
-            and creds[CredsEnvVar.DHCORE_REFRESH_TOKEN.value] is not None
+            creds[CredentialsVars.DHCORE_ACCESS_TOKEN.value] is not None
+            and creds[CredentialsVars.DHCORE_REFRESH_TOKEN.value] is not None
         ):
             return AuthType.OAUTH2.value
-        if creds[CredsEnvVar.DHCORE_ACCESS_TOKEN.value] is not None:
+        if creds[CredentialsVars.DHCORE_ACCESS_TOKEN.value] is not None:
             return AuthType.ACCESS_TOKEN.value
-        if creds[CredsEnvVar.DHCORE_USER.value] is not None and creds[CredsEnvVar.DHCORE_PASSWORD.value] is not None:
+        if (
+            creds[CredentialsVars.DHCORE_USER.value] is not None
+            and creds[CredentialsVars.DHCORE_PASSWORD.value] is not None
+        ):
             return AuthType.BASIC.value
         return None
 
@@ -444,12 +372,30 @@ class ClientDHCoreConfigurator(Configurator):
         response : dict
             OAuth2 token response with new credentials.
         """
-        for key in self.keys_to_prefix:
+        keys_to_prefix = [
+            CredentialsVars.DHCORE_REFRESH_TOKEN.value,
+            CredentialsVars.DHCORE_ACCESS_TOKEN.value,
+            ConfigurationVars.DHCORE_CLIENT_ID.value,
+            ConfigurationVars.DHCORE_ISSUER.value,
+            ConfigurationVars.OAUTH2_TOKEN_ENDPOINT.value,
+        ]
+        for key in keys_to_prefix:
+            if key == ConfigurationVars.OAUTH2_TOKEN_ENDPOINT.value:
+                prefix = "oauth2_"
+            else:
+                prefix = "dhcore_"
             key = key.lower()
-            if key.removeprefix("dhcore_") in response:
-                response[key] = response.pop(key.removeprefix("dhcore_"))
-        creds_handler.write_env(response)
-        self.load_file_vars()
+            if key.removeprefix(prefix) in response:
+                response[key] = response.pop(key.removeprefix(prefix))
+        configurator.write_file(response)
+        configurator.reload_credentials()
 
-        # Change current origin to file because of refresh
-        self.change_to_file()
+    def _validate(self) -> None:
+        """
+        Validate if all required keys are present in the configuration.
+        """
+        required_keys = [ConfigurationVars.DHCORE_ENDPOINT.value]
+        current_keys = configurator.get_config_creds()
+        for key in required_keys:
+            if current_keys.get(key) is None:
+                raise ClientError(f"Required configuration key '{key}' is missing.")

digitalhub/stores/client/{_base/enums.py → enums.py}

@@ -7,6 +7,17 @@ from __future__ import annotations
 from enum import Enum
 
 
+class AuthType(Enum):
+    """
+    Authentication types.
+    """
+
+    BASIC = "basic"
+    OAUTH2 = "oauth2"
+    EXCHANGE = "exchange"
+    ACCESS_TOKEN = "access_token_only"
+
+
 class ApiCategories(Enum):
     """
     API categories.

digitalhub/stores/client/{dhcore/http_handler.py → http_handler.py}

@@ -6,8 +6,8 @@ from __future__ import annotations
 
 from requests import request
 
-from digitalhub.stores.client.dhcore.configurator import ClientDHCoreConfigurator
-from digitalhub.stores.client.dhcore.response_processor import ResponseProcessor
+from digitalhub.stores.client.configurator import ClientConfigurator
+from digitalhub.stores.client.response_processor import ResponseProcessor
 from digitalhub.utils.exceptions import BackendError
 
 # Default timeout for requests (in seconds)
@@ -25,7 +25,7 @@ class HttpRequestHandler:
     """
 
     def __init__(self) -> None:
-        self._configurator = ClientDHCoreConfigurator()
+        self._configurator = ClientConfigurator()
         self._response_processor = ResponseProcessor()
 
     def prepare_request(self, method: str, api: str, **kwargs) -> dict:
@@ -90,7 +90,7 @@ class HttpRequestHandler:
         except BackendError as e:
             # Handle authentication errors with token refresh
             if response.status_code == 401 and refresh and self._configurator.refreshable_auth_types():
-                self._configurator.refresh_credentials(change_origin=True)
+                self._configurator.refresh_credentials(retry=True)
                 kwargs = self._configurator.get_auth_parameters(kwargs)
                 return self._execute_request(method, url, refresh=False, **kwargs)
             raise e
@@ -109,7 +109,6 @@ class HttpRequestHandler:
         dict
             kwargs enhanced with authentication parameters.
         """
-        self._configurator.check_config()
         return self._configurator.get_auth_parameters(kwargs)
 
     def _build_url(self, api: str) -> str:

digitalhub/stores/client/{_base/key_builder.py → key_builder.py}

@@ -4,9 +4,7 @@
 
 from __future__ import annotations
 
-from abc import abstractmethod
-
-from digitalhub.stores.client._base.enums import ApiCategories
+from digitalhub.stores.client.enums import ApiCategories
 
 
 class ClientKeyBuilder:
@@ -36,7 +34,6 @@ class ClientKeyBuilder:
             return self.base_entity_key(*args, **kwargs)
         return self.context_entity_key(*args, **kwargs)
 
-    @abstractmethod
     def base_entity_key(self, entity_id: str) -> str:
         """
         Build for base entity key.
@@ -44,15 +41,15 @@ class ClientKeyBuilder:
         Parameters
         ----------
         entity_id : str
-            The entity identifier.
+            Entity id.
 
         Returns
         -------
         str
-            The formatted base entity key.
+            Key.
         """
+        return f"store://{entity_id}"
 
-    @abstractmethod
     def context_entity_key(
         self,
         project: str,
@@ -67,18 +64,21 @@ class ClientKeyBuilder:
         Parameters
         ----------
         project : str
-            The project name.
+            Project name.
         entity_type : str
-            The entity type.
+            Entity type.
         entity_kind : str
-            The entity kind.
+            Entity kind.
         entity_name : str
-            The entity name.
+            Entity name.
         entity_id : str
-            The entity identifier. If None, key will not include version.
+            Entity ID.
 
         Returns
         -------
         str
-            The formatted context entity key.
+            Key.
         """
+        if entity_id is None:
+            return f"store://{project}/{entity_type}/{entity_kind}/{entity_name}"
+        return f"store://{project}/{entity_type}/{entity_kind}/{entity_name}:{entity_id}"