dnastack-client-library 3.1.144__py3-none-any.whl → 3.1.145__py3-none-any.whl

dnastack/__main__.py

@@ -71,12 +71,30 @@ def version():
             type=bool,
             required=False,
             hidden=True,
+        ),
+        ArgumentSpec(
+            name='platform_credentials',
+            arg_names=['--platform-credentials'],
+            help='Use platform-specific credentials (IMDS) for authentication',
+            type=bool,
+            required=False,
+            hidden=True,
+        ),
+        ArgumentSpec(
+            name='subject_token',
+            arg_names=['--subject-token'],
+            help='Subject token for token exchange authentication',
+            type=str,
+            required=False,
+            hidden=True,
         )
     ]
 )
 def use(registry_hostname_or_url: str,
         context_name: Optional[str] = None,
-        no_auth: bool = False):
+        no_auth: bool = False,
+        platform_credentials: bool = False,
+        subject_token: Optional[str] = None):
     """
     Import a configuration from host's service registry (if available) or the corresponding public configuration from
     cloud storage. If "--no-auth" is not defined, it will automatically initiate all authentication.
@@ -85,7 +103,7 @@ def use(registry_hostname_or_url: str,
 
     This is a shortcut to dnastack config contexts use".
     """
-    _context_command_handler.use(registry_hostname_or_url, context_name=context_name, no_auth=no_auth)
+    _context_command_handler.use(registry_hostname_or_url, context_name=context_name, no_auth=no_auth, platform_credentials=platform_credentials, subject_token=subject_token)
 
 
 # noinspection PyTypeChecker

dnastack/cli/commands/auth/commands.py

@@ -50,8 +50,7 @@ def init_auth_commands(group: Group):
         handler.initiate_authentications(endpoint_ids=[endpoint_id] if endpoint_id else [],
                                          force_refresh=force_refresh,
                                          revoke_existing=revoke_existing)
-    
-    
+
     @formatted_command(
         group=group,
         name='status',
@@ -94,6 +93,8 @@ def init_auth_commands(group: Group):
         handler.revoke([endpoint_id] if endpoint_id else [], force)
     
     
+
+    
 class AuthCommandHandler:
     def __init__(self, context_name: Optional[str] = None):
         self._logger = get_logger(type(self).__name__)
@@ -126,7 +127,7 @@ class AuthCommandHandler:
         echo_header('Summary')
 
         if affected_endpoint_ids:
-            echo_list('The client is no longer authenticated to the follow endpoints:',
+            echo_list('The client is no longer authenticated to the following endpoints:',
                       affected_endpoint_ids)
         else:
             click.echo('No changes')
@@ -158,3 +159,4 @@ class AuthCommandHandler:
         auth_manager.events.on('refresh-skipped', handle_refresh_skipped)
 
         auth_manager.initiate_authentications(endpoint_ids, force_refresh, revoke_existing)
+

dnastack/cli/commands/config/contexts.py

@@ -170,9 +170,9 @@ class ContextCommandHandler:
     def manager(self):
         return self._context_manager
 
-    def use(self, registry_hostname_or_url: str, context_name: Optional[str] = None, no_auth: bool = False):
+    def use(self, registry_hostname_or_url: str, context_name: Optional[str] = None, no_auth: bool = False, platform_credentials: bool = False, subject_token: Optional[str] = None):
         echo_result('Context', 'blue', 'syncing', registry_hostname_or_url)
-        self._context_manager.use(registry_hostname_or_url, context_name=context_name, no_auth=no_auth)
+        self._context_manager.use(registry_hostname_or_url, context_name=context_name, no_auth=no_auth, platform_credentials=platform_credentials, subject_token=subject_token)
         echo_result('Context', 'green', 'use', registry_hostname_or_url)
 
     def __handle_sync_event(self, event: Event):

dnastack/client/service_registry/helper.py

@@ -2,6 +2,7 @@ from typing import Any, Dict, Optional
 
 from dnastack.client.models import ServiceEndpoint
 from dnastack.client.service_registry.models import Service
+from dnastack.http.authenticators.oauth2_adapter.models import GRANT_TYPE_TOKEN_EXCHANGE
 
 
 def parse_ga4gh_service_info(service: Service, alternate_service_id: Optional[str] = None) -> ServiceEndpoint:
@@ -36,4 +37,5 @@ def _parse_authentication_info(auth_info: Dict[str, Any]) -> Dict[str, Any]:
         resource_url=auth_info.get('resource'),
         scope=auth_info.get('scope'),
         token_endpoint=auth_info.get('accessTokenUrl'),
+        platform_credentials=auth_info.get('grantType') == GRANT_TYPE_TOKEN_EXCHANGE,
     )

dnastack/constants.py

@@ -1,5 +1,5 @@
 import os
 
-__version__ = "v3.1.144"
+__version__ = "v3.1.145"
 
 LOCAL_STORAGE_DIRECTORY = os.path.join(os.path.expanduser("~"), '.dnastack')

dnastack/context/manager.py

@@ -17,6 +17,7 @@ from dnastack.common.events import EventSource, Event
 from dnastack.common.logger import get_logger
 from dnastack.configuration.manager import ConfigurationManager
 from dnastack.context.models import Context
+from dnastack.http.authenticators.oauth2_adapter.models import GRANT_TYPE_TOKEN_EXCHANGE
 from dnastack.http.client_factory import HttpClientFactory
 
 
@@ -252,7 +253,9 @@ class BaseContextManager:
     def use(self,
             registry_hostname_or_url: str,
             context_name: Optional[str] = None,
-            no_auth: Optional[bool] = False) -> EndpointRepository:
+            no_auth: Optional[bool] = False,
+            platform_credentials: Optional[bool] = False,
+            subject_token: Optional[str] = None) -> EndpointRepository:
         target_hostname = self._get_hostname(registry_hostname_or_url)
         context_name = context_name or target_hostname
 
@@ -312,6 +315,11 @@ class BaseContextManager:
             self._logger.debug(f'Syncing: {reg_endpoint.url}')
             reg_manager.synchronize_endpoints(reg_endpoint.id)
 
+        if platform_credentials:
+            self._filter_endpoints_for_token_exchange(context)
+            if subject_token:
+                context.platform_subject_token = subject_token
+
         # Set the current context.
         self._contexts.set_current_context_name(context_name)
         self._contexts.set(context_name, context)
@@ -404,6 +412,41 @@ class BaseContextManager:
                 return None
         # end: if
 
+    def _filter_endpoints_for_token_exchange(self, context: Context):
+        """Filter endpoint authentication methods to only include token-exchange grant types
+            Raises error if no endpoints support token exchange authentication"""
+        has_any_token_exchange = False
+        
+        for endpoint in context.endpoints:
+            if endpoint.type == STANDARD_SERVICE_REGISTRY_TYPE_V1_0:
+                continue
+            
+            all_auths = []
+            if endpoint.authentication:
+                all_auths.append(endpoint.authentication)
+            if endpoint.fallback_authentications:
+                all_auths.extend(endpoint.fallback_authentications)
+            
+            token_exchange_auths = [
+                auth for auth in all_auths
+                if auth.get('grant_type') == GRANT_TYPE_TOKEN_EXCHANGE
+            ]
+            
+            if token_exchange_auths:
+                endpoint.authentication = token_exchange_auths[0]
+                endpoint.fallback_authentications = token_exchange_auths[1:] or None
+                has_any_token_exchange = True
+            else:
+                endpoint.authentication = None
+                endpoint.fallback_authentications = None
+        
+        if not has_any_token_exchange:
+            raise InvalidServiceRegistryError(
+                "Platform credentials (--platform-credentials) requested, but no endpoints "
+                "support token exchange authentication. Either remove --platform-credentials "
+                "or ensure the service registry includes token exchange authentication methods."
+            )
+
 
 @service.registered()
 class InMemoryContextManager(BaseContextManager):

dnastack/context/models.py

@@ -1,4 +1,4 @@
-from typing import Dict, List
+from typing import Dict, List, Optional
 from uuid import uuid4
 
 from pydantic import BaseModel, Field
@@ -16,3 +16,6 @@ class Context(BaseModel):
     defaults: Dict[str, str] = Field(default_factory=lambda: dict())
 
     endpoints: List[Endpoint] = Field(default_factory=lambda: list())
+    
+    # Store subject token for token exchange authentication if provided
+    platform_subject_token: Optional[str] = Field(default=None)

dnastack/http/authenticators/abstract.py

@@ -147,7 +147,7 @@ class Authenticator(AuthBase, ABC):
             logger.debug('initialize: Restoring the session...')
             info = self.restore_session()
             if not info:
-                logger.debug('initialize: Session is UNAVALIABLE.')
+                logger.debug('initialize: Session is UNAVAILABLE.')
                 raise AuthenticationRequired('Session is not available')
             elif not info.is_valid():
                 logger.debug(f'initialize: Session is INVALID ({"expired" if info.access_token else "token revoked"}).')

dnastack/http/authenticators/oauth2.py

@@ -17,7 +17,8 @@ from dnastack.http.authenticators.abstract import Authenticator, AuthenticationR
     AuthStateStatus
 from dnastack.http.authenticators.constants import get_authenticator_log_level
 from dnastack.http.authenticators.oauth2_adapter.factory import OAuth2AdapterFactory
-from dnastack.http.authenticators.oauth2_adapter.models import OAuth2Authentication
+from dnastack.http.authenticators.oauth2_adapter.token_exchange import TokenExchangeAdapter
+from dnastack.http.authenticators.oauth2_adapter.models import OAuth2Authentication, GRANT_TYPE_TOKEN_EXCHANGE
 from dnastack.http.client_factory import HttpClientFactory
 from dnastack.http.session_info import SessionInfo, SessionManager, SessionInfoHandler
 
@@ -26,9 +27,18 @@ class OAuth2MisconfigurationError(RuntimeError):
     pass
 
 
+def _is_token_exchange_session(session_info: SessionInfo) -> bool:
+    """Check if this session was created via token exchange"""
+    if not session_info.handler or not session_info.handler.auth_info:
+        return False
+
+    grant_type = session_info.handler.auth_info.get('grant_type')
+    return grant_type == GRANT_TYPE_TOKEN_EXCHANGE
+
+
 class OAuth2Authenticator(Authenticator):
     def __init__(self,
-                 endpoint: ServiceEndpoint,
+                 endpoint: Optional[ServiceEndpoint],
                  auth_info: Dict[str, Any],
                  session_manager: Optional[SessionManager] = None,
                  adapter_factory: Optional[OAuth2AdapterFactory] = None,
@@ -105,6 +115,12 @@ class OAuth2Authenticator(Authenticator):
         self.events.dispatch('authentication-before', event_details)
 
         auth_info = OAuth2Authentication(**self._auth_info)
+
+        use_platform_credentials = self._auth_info.get('platform_credentials', False) is True
+
+        if auth_info.grant_type == GRANT_TYPE_TOKEN_EXCHANGE or use_platform_credentials:
+            return self._authenticate_token_exchange(auth_info, trace_context)
+
         adapter = self._adapter_factory.get_from(auth_info)
 
         if adapter:
@@ -131,7 +147,7 @@ class OAuth2Authenticator(Authenticator):
         return self._session_info
 
     def refresh(self, trace_context: Optional[Span] = None) -> SessionInfo:
-        """ Refresh the session using a refresh token. """
+        """ Refresh the session using a refresh token or re-authenticate for token exchange. """
         trace_context = trace_context or Span(origin='OAuth2Authenticator.refresh')
         logger = trace_context.create_span_logger(self._logger)
 
@@ -158,6 +174,15 @@ class OAuth2Authenticator(Authenticator):
             raise ReauthenticationRequired(f'The stored session information does not provide enough information to '
                                            f'refresh token. (given: {session_info})')
 
+        if _is_token_exchange_session(session_info):
+            try:
+                return self._reauthenticate_token_exchange(session_info, trace_context)
+            except Exception as e:
+                logger.error(f'refresh: Token exchange re-authentication failed: {e}')
+                event_details['reason'] = f'Token exchange re-authentication failed: {e}'
+                self.events.dispatch('refresh-failure', event_details)
+                raise ReauthenticationRequired(f'Token exchange re-authentication failed: {e}')
+
         if not session_info.refresh_token:
             logger.debug('refresh: Cannot refresh the tokens as the refresh token is not provided.')
 
@@ -209,7 +234,7 @@ class OAuth2Authenticator(Authenticator):
 
                 if updated_session_info.scope:
                     session_info.scope = updated_session_info.scope
-                
+
                 if updated_session_info.refresh_token:
                     # NOTE: The refresh token may not be available in the response.
                     session_info.refresh_token = updated_session_info.refresh_token
@@ -276,9 +301,7 @@ class OAuth2Authenticator(Authenticator):
         # Clear the local cache
         self._session_info = None
         self._session_manager.delete(session_id)
-
         self._logger.debug(f'Revoked Session {session_id}')
-
         self.events.dispatch('session-revoked', dict(session_id=session_id))
 
     def clear_access_token(self):
@@ -296,13 +319,11 @@ class OAuth2Authenticator(Authenticator):
 
     def restore_session(self) -> Optional[SessionInfo]:
         logger = self._logger
-
         session_id = self.session_id
-        event_details = dict(cached=self._session_info is not None,
-                             cache_hash=session_id)
-
-        session: SessionInfo = self._session_info
+        event_details = dict(cached=self._session_info is not None, cache_hash=session_id)
 
+        # Try to get session (in-memory, then stored)
+        session = self._session_info
         if session:
             logger.debug(f'In-memory Session Info: {session}')
         else:
@@ -312,46 +333,37 @@ class OAuth2Authenticator(Authenticator):
         if not session:
             event_details['reason'] = 'No session available'
             self.events.dispatch('session-not-restored', event_details)
-
             logger.debug(f'Require RE-AUTH -- event details = {event_details}')
-
             raise AuthenticationRequired('No session available')
-        elif session.is_valid():
-            logger.debug('The session is valid.')
-
-            current_auth_info = OAuth2Authentication(**self._auth_info)
-            current_config_hash = current_auth_info.get_content_hash()
-            stored_config_hash = session.config_hash
 
-            if current_config_hash == stored_config_hash:
-                return session
-            else:
-                event_details['reason'] = 'Authentication information has changed and the session is invalidated.'
-                self.events.dispatch('session-not-restored', event_details)
-
-                logger.debug(f'Require RE-AUTH -- event details = {event_details}')
-
-                raise ReauthenticationRequiredDueToConfigChange(
-                    'The session is invalidated as the endpoint configuration has changed.'
-                )
-        else:
+        if not session.is_valid():
             logger.debug(f'The session is INVALID ({"expired" if session.access_token else "token revoked"}).')
 
             if session.refresh_token:
                 event_details['reason'] = 'The session is invalid but it can be refreshed.'
                 self.events.dispatch('session-not-restored', event_details)
-
                 logger.debug(f'Require REFRESH -- event details = {event_details}')
-
                 raise RefreshRequired(session)
             else:
                 event_details['reason'] = 'The session is invalid. Require re-authentication.'
                 self.events.dispatch('session-not-restored', event_details)
-
                 logger.debug(f'Require RE-AUTH -- event details = {event_details}')
-
                 raise ReauthenticationRequired('The session is invalid and refreshing tokens is not possible.')
 
+        current_auth_info = OAuth2Authentication(**self._auth_info)
+        current_config_hash = current_auth_info.get_content_hash()
+        stored_config_hash = session.config_hash
+
+        if current_config_hash == stored_config_hash:
+            return session
+        else:
+            event_details['reason'] = 'Authentication information has changed and the session is invalidated.'
+            self.events.dispatch('session-not-restored', event_details)
+            logger.debug(f'Require RE-AUTH -- event details = {event_details}')
+            raise ReauthenticationRequiredDueToConfigChange(
+                'The session is invalidated as the endpoint configuration has changed.'
+            )
+
     def _convert_token_response_to_session(self,
                                            authentication: Dict[str, Any],
                                            response: Dict[str, Any]):
@@ -359,8 +371,8 @@ class OAuth2Authenticator(Authenticator):
 
         created_time = time()
         expiry_time = created_time + response['expires_in']
-
         current_auth_info = OAuth2Authentication(**self._auth_info)
+        self._logger.debug(f'Creating session: created_time={created_time}, expires_in={response["expires_in"]}, expiry_time={expiry_time}')
 
         return SessionInfo(
             model_version=4,
@@ -369,8 +381,8 @@ class OAuth2Authenticator(Authenticator):
             refresh_token=response.get('refresh_token'),
             scope=response.get('scope'),
             token_type=response['token_type'],
-            issued_at=created_time,
-            valid_until=expiry_time,
+            issued_at=int(created_time),
+            valid_until=int(expiry_time),
             handler=SessionInfoHandler(auth_info=authentication)
         )
 
@@ -385,3 +397,33 @@ class OAuth2Authenticator(Authenticator):
     @classmethod
     def make(cls, endpoint: ServiceEndpoint, auth_info: Dict[str, Any]):
         return cls(endpoint, auth_info)
+
+    def _reauthenticate_token_exchange(self, session_info: SessionInfo, trace_context: Span) -> SessionInfo:
+        """
+        Re-authenticate a token exchange session by performing the exchange again.
+        Assumes we're in a cloud environment and attempts to fetch new identity token.
+        """
+        if not session_info.handler or not session_info.handler.auth_info:
+            raise ReauthenticationRequired('Cannot re-authenticate: missing authentication configuration')
+        auth_info_dict = session_info.handler.auth_info.copy()
+        auth_info_dict['subject_token'] = None  # Force cloud metadata fetch
+
+        auth_info = OAuth2Authentication(**auth_info_dict)
+        return self._authenticate_token_exchange(auth_info, trace_context)
+
+    def _authenticate_token_exchange(self, auth_info: OAuth2Authentication, trace_context: Span) -> SessionInfo:
+        """Handle token exchange authentication flow"""
+        session_id = self.session_id
+        event_details = dict(session_id=session_id, auth_info=self._auth_info)
+        adapter = TokenExchangeAdapter(auth_info)
+        for auth_event_type in ['blocking-response-required', 'blocking-response-ok', 'blocking-response-failed']:
+            self.events.relay_from(adapter.events, auth_event_type)
+
+        token_response = adapter.exchange_tokens(trace_context)
+        self._session_info = self._convert_token_response_to_session(auth_info.dict(), token_response)
+        self._session_manager.save(session_id, self._session_info)
+
+        event_details['session_info'] = self._session_info
+        self.events.dispatch('authentication-ok', event_details)
+
+        return self._session_info

dnastack/http/authenticators/oauth2_adapter/client_credential.py

@@ -2,12 +2,19 @@ from typing import Dict, Any, List
 
 from dnastack.common.tracing import Span
 from dnastack.http.authenticators.oauth2_adapter.abstract import OAuth2Adapter, AuthException
+from dnastack.http.authenticators.oauth2_adapter.models import OAuth2Authentication
 from dnastack.http.client_factory import HttpClientFactory
 
 
 class ClientCredentialAdapter(OAuth2Adapter):
     __grant_type = 'client_credentials'
 
+    @classmethod
+    def is_compatible_with(cls, auth_info: OAuth2Authentication) -> bool:
+        if auth_info.grant_type != cls.__grant_type:
+            return False
+        return super().is_compatible_with(auth_info)
+
     @staticmethod
     def get_expected_auth_info_fields() -> List[str]:
         return [

dnastack/http/authenticators/oauth2_adapter/cloud_providers.py

@@ -0,0 +1,122 @@
+from abc import ABC, abstractmethod
+from typing import Optional
+from enum import Enum
+from pydantic import BaseModel, Field
+import logging
+
+from dnastack.common.tracing import Span
+from dnastack.http.client_factory import HttpClientFactory
+
+
+class CloudProvider(str, Enum):
+    GCP = "gcp"
+
+
+class CloudMetadataProvider(ABC):
+    """Abstract base class for cloud metadata providers."""
+
+    timeout: int
+    _logger: logging.Logger
+
+    def __init__(self, timeout: int = 5):
+        self.timeout = timeout
+        self._logger = logging.getLogger(type(self).__name__)
+
+    @abstractmethod
+    def is_available(self) -> bool:
+        """Check if this cloud provider's metadata service is available."""
+        pass
+
+    @abstractmethod
+    def get_identity_token(self, audience: str, trace_context: Span) -> Optional[str]:
+        """Fetch an identity token from the cloud metadata service."""
+        pass
+
+    @property
+    @abstractmethod
+    def name(self) -> str:
+        """Return the name of this cloud provider."""
+        pass
+
+
+class GCPMetadataProvider(CloudMetadataProvider):
+    """Google Cloud Platform metadata provider."""
+
+    _METADATA_BASE_URL = 'http://metadata.google.internal/computeMetadata/v1'
+    _IDENTITY_ENDPOINT = '/instance/service-accounts/default/identity'
+    _METADATA_FLAVOR = 'Google'
+
+    @property
+    def name(self) -> str:
+        return CloudProvider.GCP.value
+
+    def is_available(self) -> bool:
+        """Check if GCP metadata service is available."""
+        try:
+            with HttpClientFactory.make() as http_session:
+                response = http_session.get(
+                    f'{self._METADATA_BASE_URL}/project/project-id',
+                    headers={'Metadata-Flavor': self._METADATA_FLAVOR},
+                    timeout=1
+                )
+                return response.ok
+        except Exception:
+            return False
+
+    def get_identity_token(self, audience: str, trace_context: Span) -> Optional[str]:
+        """Fetch GCP identity token from metadata service.
+           '&format=full' ensures we get email in response"""
+        url = f'{self._METADATA_BASE_URL}{self._IDENTITY_ENDPOINT}?audience={audience}&format=full'
+
+        try:
+            with HttpClientFactory.make() as http_session:
+                response = http_session.get(
+                    url,
+                    headers={'Metadata-Flavor': self._METADATA_FLAVOR},
+                    timeout=self.timeout
+                )
+
+                if response.ok:
+                    token = response.text.strip()
+                    self._logger.debug(f'Successfully fetched GCP identity token for audience: {audience}')
+                    return token
+                else:
+                    self._logger.warning(f'GCP metadata service returned {response.status_code}: {response.text}')
+                    return None
+
+        except Exception as e:
+            self._logger.warning(f'Failed to fetch GCP identity token: {e}')
+            return None
+
+
+class CloudMetadataConfig(BaseModel):
+    """Configuration model for cloud metadata provider."""
+    timeout: int = Field(5, ge=1, le=30, description="Timeout for metadata service request (1-30 seconds).")
+
+
+class CloudProviderFactory:
+    """Factory for creating cloud metadata providers."""
+    _providers = {
+        CloudProvider.GCP: GCPMetadataProvider,
+    }
+
+    @classmethod
+    def create(cls, provider: CloudProvider, config: CloudMetadataConfig) -> CloudMetadataProvider:
+        """Create a cloud metadata provider instance."""
+        provider_class = cls._providers.get(provider)
+        if not provider_class:
+            raise ValueError(f'Unsupported cloud provider: {provider}')
+        return provider_class(timeout=config.timeout)
+
+    @classmethod
+    def detect_provider(cls, config: CloudMetadataConfig) -> Optional[CloudMetadataProvider]:
+        """Auto-detect the current cloud provider by checking all available providers."""
+        for provider_type in cls._providers.keys():
+            try:
+                provider = cls.create(provider_type, config)
+                if provider.is_available():
+                    return provider
+            except Exception:
+                # Skip providers that fail to initialize or check availability
+                continue
+        return None

dnastack/http/authenticators/oauth2_adapter/device_code_flow.py

@@ -18,6 +18,12 @@ class DeviceCodeFlowAdapter(OAuth2Adapter):
         super(DeviceCodeFlowAdapter, self).__init__(auth_info)
         self.__console: Console = container.get(Console)
 
+    @classmethod
+    def is_compatible_with(cls, auth_info: OAuth2Authentication) -> bool:
+        if auth_info.grant_type != cls.__grant_type:
+            return False
+        return super().is_compatible_with(auth_info)
+
     @staticmethod
     def get_expected_auth_info_fields() -> List[str]:
         return [

dnastack/http/authenticators/oauth2_adapter/factory.py

@@ -5,6 +5,7 @@ from imagination.decorator import service
 from dnastack.http.authenticators.oauth2_adapter.abstract import OAuth2Adapter
 from dnastack.http.authenticators.oauth2_adapter.client_credential import ClientCredentialAdapter
 from dnastack.http.authenticators.oauth2_adapter.device_code_flow import DeviceCodeFlowAdapter
+from dnastack.http.authenticators.oauth2_adapter.token_exchange import TokenExchangeAdapter
 from dnastack.http.authenticators.oauth2_adapter.models import OAuth2Authentication
 
 
@@ -14,6 +15,7 @@ class OAuth2AdapterFactory:
     __supported_auth_adapter_classes = [
         DeviceCodeFlowAdapter,
         ClientCredentialAdapter,
+        TokenExchangeAdapter,
     ]
 
     def get_from(self, auth_info: OAuth2Authentication) -> Optional[OAuth2Adapter]:

dnastack/http/authenticators/oauth2_adapter/models.py

@@ -5,6 +5,9 @@ from pydantic import BaseModel
 from dnastack.common.model_mixin import JsonModelMixin as HashableModel
 
 
+GRANT_TYPE_TOKEN_EXCHANGE = 'urn:ietf:params:oauth:grant-type:token-exchange'
+
+
 class OAuth2Authentication(BaseModel, HashableModel):
     """OAuth2 Authentication Information"""
     authorization_endpoint: Optional[str]
@@ -19,4 +22,9 @@ class OAuth2Authentication(BaseModel, HashableModel):
     resource_url: str
     scope: Optional[str]
     token_endpoint: Optional[str]
-    type: str = 'oauth2'
+    type: str = 'oauth2'
+    subject_token: Optional[str]
+    subject_token_type: Optional[str]
+    requested_token_type: Optional[str]
+    audience: Optional[str]
+    cloud_provider: Optional[str]  # Currently supported: 'gcp'

dnastack/http/authenticators/oauth2_adapter/token_exchange.py

@@ -0,0 +1,142 @@
+from typing import Dict, Any, List, Optional
+
+from imagination import container
+
+from dnastack.common.tracing import Span
+from dnastack.http.authenticators.oauth2_adapter.abstract import OAuth2Adapter, AuthException
+from dnastack.http.authenticators.oauth2_adapter.models import OAuth2Authentication, GRANT_TYPE_TOKEN_EXCHANGE
+from dnastack.http.authenticators.oauth2_adapter.cloud_providers import (
+    CloudProviderFactory, CloudMetadataProvider, CloudMetadataConfig
+)
+from dnastack.http.client_factory import HttpClientFactory
+
+
+class TokenExchangeAdapter(OAuth2Adapter):
+    __grant_type = GRANT_TYPE_TOKEN_EXCHANGE
+    __subject_token_type = 'urn:ietf:params:oauth:token-type:jwt'
+    __METADATA_TIMEOUT = 10
+    
+    def __init__(self, auth_info: OAuth2Authentication):
+        super().__init__(auth_info)
+        self._cloud_provider: Optional[CloudMetadataProvider] = None
+
+    @classmethod
+    def is_compatible_with(cls, auth_info: OAuth2Authentication) -> bool:
+        if auth_info.grant_type != cls.__grant_type:
+            return False
+        required_fields = ['token_endpoint', 'resource_url']
+        return all(getattr(auth_info, field, None) for field in required_fields)
+
+    @staticmethod
+    def get_expected_auth_info_fields() -> List[str]:
+        return [
+            'grant_type',
+            'resource_url',
+            'token_endpoint',
+        ]
+
+    def _get_subject_token(self, trace_context: Span) -> str:
+        """
+        Get ID token from cloud metadata service or use provided token.
+        For re-authentication, always tries cloud metadata fetch.
+        """
+        if self._auth_info.subject_token:
+            return self._auth_info.subject_token
+        
+        context_subject_token = self._get_and_clear_context_subject_token()
+        if context_subject_token:
+            return context_subject_token
+
+        audience = self._auth_info.audience or self._auth_info.resource_url
+        token = self._fetch_cloud_identity_token(audience, trace_context)
+        if token:
+            return token
+        
+        raise AuthException(
+            'No subject token provided and unable to fetch from cloud. '
+            'Please provide a subject token or run from a supported cloud environment.'
+        )
+    
+    def _fetch_cloud_identity_token(self, audience: str, trace_context: Span) -> Optional[str]:
+        """Fetch identity token from cloud metadata service."""
+        logger = trace_context.create_span_logger(self._logger)
+        
+        if self._cloud_provider:
+            logger.debug(f'Attempting to fetch identity token from {self._cloud_provider.name}')
+            token = self._cloud_provider.get_identity_token(audience, trace_context)
+            if token:
+                return token
+            logger.error(f'Failed to fetch token from configured provider: {self._cloud_provider.name}')
+        
+        logger.info('Auto-detecting cloud provider...')
+        config = CloudMetadataConfig(timeout=self.__METADATA_TIMEOUT)
+        detected_provider = CloudProviderFactory.detect_provider(config)
+        if detected_provider:
+            logger.info(f'Detected cloud provider: {detected_provider.name}')
+            self._cloud_provider = detected_provider
+            token = detected_provider.get_identity_token(audience, trace_context)
+            if token:
+                return token
+            logger.error(f'Failed to fetch token from detected provider: {detected_provider.name}')
+        else:
+            logger.error('No cloud provider detected')
+        
+        return None
+
+    def _get_and_clear_context_subject_token(self) -> Optional[str]:
+        """Get subject token from current context if available and clear it after use"""
+        from dnastack.context.manager import ContextManager
+        context_manager = container.get(ContextManager)
+        current_context = context_manager.contexts.current_context
+        if current_context and current_context.platform_subject_token:
+            token = current_context.platform_subject_token
+            current_context.platform_subject_token = None
+            context_manager.contexts.set(context_manager.contexts.current_context_name, current_context)
+            return token
+        return None
+
+    def exchange_tokens(self, trace_context: Span) -> Dict[str, Any]:
+        logger = trace_context.create_span_logger(self._logger)
+        auth_info = self._auth_info
+        resource_urls = self._prepare_resource_urls_for_request(auth_info.resource_url)
+        subject_token = self._get_subject_token(trace_context)
+        client_id = auth_info.client_id
+        client_secret = auth_info.client_secret
+
+        trace_info = dict(
+            oauth='token-exchange',
+            token_url=auth_info.token_endpoint,
+            client_id=client_id,
+            grant_type=self.__grant_type,
+            resource_urls=resource_urls,
+            subject_token_type=self.__subject_token_type,
+            cloud_provider=self._cloud_provider.name if self._cloud_provider else 'none',
+        )
+        logger.debug(f'exchange_token: Authenticating with {trace_info}')
+        auth_params = {
+            'grant_type': self.__grant_type,
+            'subject_token_type': self.__subject_token_type,
+            'subject_token': subject_token,
+            'resource': resource_urls,
+            **({'requested_token_type': self._auth_info.requested_token_type} if self._auth_info.requested_token_type else {}),
+            **({'scope': auth_info.scope} if auth_info.scope else {})
+        }
+
+        with trace_context.new_span(metadata=trace_info) as sub_span:
+            with HttpClientFactory.make() as http_session:
+                span_headers = sub_span.create_http_headers()
+                response = http_session.post(
+                    auth_info.token_endpoint,
+                    data=auth_params,
+                    headers=span_headers,
+                    auth=(client_id, client_secret)
+                )
+
+            if not response.ok:
+                raise AuthException(
+                    f'Failed to perform token exchange for {client_id} as the server responds with HTTP {response.status_code}:'
+                    f'\n\n{response.text}\n',
+                    resource_urls
+                )
+
+            return response.json()

dnastack/http/session_info.py

@@ -97,6 +97,7 @@ class BaseSessionStorage(ABC):
     def __delitem__(self, id: str):
         raise NotImplementedError()
 
+
     def __str__(self):
         return f'{type(self).__module__}.{type(self).__name__}'
 
@@ -125,6 +126,7 @@ class InMemorySessionStorage(BaseSessionStorage):
         del self.__cache_map[id]
 
 
+
 @service.registered(
     params=[
         EnvironmentVariable('DNASTACK_SESSION_DIR',
@@ -174,6 +176,7 @@ class FileSessionStorage(BaseSessionStorage):
         final_file_path = self.__get_file_path(id)
         os.unlink(final_file_path)
 
+
     def __get_file_path(self, id: str) -> str:
         path_blocks = []
 
@@ -262,6 +265,7 @@ class SessionManager:
             finally:
                 del self.__change_locks[id]
 
+
     def __lock(self, id) -> Lock:
         if id not in self.__change_locks:
             self.__change_locks[id] = Lock()

{dnastack_client_library-3.1.144.dist-info → dnastack_client_library-3.1.145.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dnastack-client-library
-Version: 3.1.144
+Version: 3.1.145
 Summary: DNAstack's GA4GH library and CLI
 Author-email: DNAstack <devs@dnastack.com>
 License: Apache License, Version 2.0

{dnastack_client_library-3.1.144.dist-info → dnastack_client_library-3.1.145.dist-info}/RECORD

@@ -1,6 +1,6 @@
 dnastack/__init__.py,sha256=mslf7se8vBSK_HkqWTGPdibeVhT4xyKXgzQBV7dEK1M,333
-dnastack/__main__.py,sha256=0R4pq-kVx2TjcGT_bUXiqKj91ba3Op8I6w1pqiaxR10,3682
-dnastack/constants.py,sha256=jaK6QFWKaJVTqeMQ6KIkcEk6jNZF9eYkteiTPeHFOXA,114
+dnastack/__main__.py,sha256=EKmtIs4TBseQJi-OT_U6LqRyKLiyrGTBuTQg9zE-G2I,4376
+dnastack/constants.py,sha256=9HWP6mq4zFzR5KcChCWx0_tG3OvN3GT_mjqi3CwAck4,114
 dnastack/feature_flags.py,sha256=RK_V_Ovncoe6NeTheAA_frP-kYkZC1fDlTbbup2KYG4,1419
 dnastack/json_path.py,sha256=TyghhDf7nGQmnsUWBhenU_fKsE_Ez-HLVER6HgH5-hU,2700
 dnastack/omics_cli.py,sha256=ZppKZTHv_XjUUZyRIzSkx0Ug5ODAYrCOTsU0ezCOVrA,3694
@@ -31,7 +31,7 @@ dnastack/cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dnastack/cli/commands/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dnastack/cli/commands/utils.py,sha256=ZwKTyyvqBTrt27cF9wF6SglE01t7NkHWLMjXegi_6iA,574
 dnastack/cli/commands/auth/__init__.py,sha256=SGnt7w8ccS1ED6EQzBq4PaH3kqoLuXC4wrFMa7P_Vg4,313
-dnastack/cli/commands/auth/commands.py,sha256=ds-Rj8KtmS567DbJLdZSXTiPbycc1rjzq6b8BT1-z8c,6469
+dnastack/cli/commands/auth/commands.py,sha256=RhLvCIwjg3fRbRKSVqYqEFlSaGwp2hJqYByZlMMBkJM,6470
 dnastack/cli/commands/auth/event_handlers.py,sha256=g6FPChlBZZr7M6hejGWT6Z3THNZr7AtbV0S5PJEtU_o,3627
 dnastack/cli/commands/collections/__init__.py,sha256=hrsjIkOvqOnYUN4xwoSB3iTCLrbX6qG-XeafVzoGleI,535
 dnastack/cli/commands/collections/commands.py,sha256=yawGsTZfgkTYvyCIyRaup9mEQOrr_nfE7Cj6lPcEaIk,8978
@@ -39,7 +39,7 @@ dnastack/cli/commands/collections/tables.py,sha256=31D3QuI7VQp9V7M4EeoiTzwf3lg1d
 dnastack/cli/commands/collections/utils.py,sha256=o59nT42PACZiGo-dgo5Qjg8UDWgvcjmgb4fDGWpjm7w,6225
 dnastack/cli/commands/config/__init__.py,sha256=xBBLgV5tvRr45gWgZhGHLxB12fNMF8LDqeBvMXCt_sk,706
 dnastack/cli/commands/config/commands.py,sha256=ANyepqMCCwL2qtbrlS4OxYyGzbMQLF_P7iiKnACIsj8,813
-dnastack/cli/commands/config/contexts.py,sha256=OcTd_XhTyDf0-CyLnmdYbD7dlO8r1peprTtQV-A-JEc,6095
+dnastack/cli/commands/config/contexts.py,sha256=Dhl3C90D1cuO_LgO0zZIwZtfX3yB3WqhIX3Nu2Bsr78,6240
 dnastack/cli/commands/config/endpoints.py,sha256=2R6bw7cx32iJ_zzu4C7nUsQiDFsu0tvj_PplmpgsA0E,23906
 dnastack/cli/commands/config/registries.py,sha256=PCSA05mLuG8_4XR6Gl6yjZy6wPXT4BLhTRMIjO6Zq0I,6422
 dnastack/cli/commands/dataconnect/__init__.py,sha256=pmSnzfQQkhupJ-ORfTNVo3ev9ASpOGk5Cv4kMZA7zQ8,521
@@ -130,7 +130,7 @@ dnastack/client/explorer/models.py,sha256=vrltbcb4qAx6z1oGXG8ufw2kZ36dDiwU5QGqOo
 dnastack/client/service_registry/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dnastack/client/service_registry/client.py,sha256=r7D8CnPJLbNkc03g2PYHt880Ba1oPW2d8B0ShP0p4Eo,1131
 dnastack/client/service_registry/factory.py,sha256=MKidmvDuIdnz9jsqm6yDjImldcNajKxopwmKFFCTN4U,10751
-dnastack/client/service_registry/helper.py,sha256=CxWsov0WCk5weYj-dYP4gE136nILQTyshYrJl2hpQRw,1326
+dnastack/client/service_registry/helper.py,sha256=9zJLsgEN1kwEZJs9MdXQbcqRikXHf-uXHHyKcYUxBwo,1501
 dnastack/client/service_registry/manager.py,sha256=o_Eqg1GRj8x2q-duWozVge8JRFXUEGhV5-jbkcATFw8,9311
 dnastack/client/service_registry/models.py,sha256=X0vf1sv1f5sZ_7wZMmynjPF57ZrKHZ8FDXV5iHxv7b4,1513
 dnastack/client/workbench/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -175,26 +175,28 @@ dnastack/configuration/wrapper.py,sha256=qLmI8bgwTTflym_e0HC85IwdoCuLfazJt_O8mJJ
 dnastack/context/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dnastack/context/context_wraper.py,sha256=G88LciVBW5HJkvhi3oYS6RlrH_-l0H2CSYSU8nS33_0,315
 dnastack/context/helper.py,sha256=GOlmi2ddkstSRBo3sG6yB8_2oMFqN1o6yI8Ny-gpkbQ,1475
-dnastack/context/manager.py,sha256=5rwQGmV4Em3RyJZNvVIgi8xc2ANfTIGP7v7a6gqowZU,15340
-dnastack/context/models.py,sha256=1tVkBiQQf252VS5YmLqSNTt0McbitC3Oe2_C7dH-OQg,520
+dnastack/context/manager.py,sha256=PMIGG34alXjFN6WJTqDpSEAO8jdRagzLs6iamcDlz7g,17354
+dnastack/context/models.py,sha256=BXSJZSwiopNZ_l2nY8uzofoYebLYwu0BLbirSBIY110,671
 dnastack/http/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dnastack/http/client_factory.py,sha256=HdRZpTEnFQcHEdVbdYl7AbCcRUv3K3kVyznIxEWIqvA,650
 dnastack/http/session.py,sha256=R-rsE_TTswlTTlqJW7a6_O-sVMmbrnEMnKBf7m_5I8U,15058
-dnastack/http/session_info.py,sha256=ae9MnzMxOoPanGrxec5oIlnv2cizx5bT_h0wclHkAJg,9362
+dnastack/http/session_info.py,sha256=I0m8Z17MCtsWgMCmlzhtOzsXZfUddBAXp0XSOLWfgrM,9366
 dnastack/http/authenticators/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dnastack/http/authenticators/abstract.py,sha256=xaTA_3Wmc24x7tCvUcb5daUcC8sALMQoOx6iyTECZts,9241
+dnastack/http/authenticators/abstract.py,sha256=b5zXqSdCasiy6Bz5LYTr7e_p7l4__Mq5shgTV6bBGnk,9241
 dnastack/http/authenticators/constants.py,sha256=mSpBnm5lMMmMJwr13KIfCoOXXJLP4qGDkFprYXALu8o,1278
 dnastack/http/authenticators/factory.py,sha256=PZhE7c59rDtmtUx3PcX_NzarSeRpoPCD6oexDE6Z05I,2062
-dnastack/http/authenticators/oauth2.py,sha256=GxS7ynHHH-76RUbxZqdqb9qagJavvLWPwfOEiQf51Nk,17030
+dnastack/http/authenticators/oauth2.py,sha256=wPTrDzR8Jzk6ugn9yLt9HBcFae9bH6tgSRhScVQcglU,20043
 dnastack/http/authenticators/oauth2_adapter/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dnastack/http/authenticators/oauth2_adapter/abstract.py,sha256=Tm4Nnroo5_vp0UgZHhcEDVRRbhIrvVdfPr8nTyihoH4,2832
-dnastack/http/authenticators/oauth2_adapter/client_credential.py,sha256=Lu22mTT1kjnfLbRPjNVoJ95vySK9G9FItlrnn1g4xgE,2516
-dnastack/http/authenticators/oauth2_adapter/device_code_flow.py,sha256=j0EODp-O8DCCqh9kOGi5MDOdVXkQO14Q7ZJe4ZrzPCY,6527
-dnastack/http/authenticators/oauth2_adapter/factory.py,sha256=r8K6swt5zhraP74KhTL2K4sQ71HWAMLM0oHg8qQT4BA,965
-dnastack/http/authenticators/oauth2_adapter/models.py,sha256=U11r8DZsWvjIRNCJE1mmQMuprZw3fpFwFBg7vmI5w48,660
-dnastack_client_library-3.1.144.dist-info/licenses/LICENSE,sha256=uwybO-wUbQhxkosgjhJlxmYATMy-AzoULFO9FUedE34,11580
-dnastack_client_library-3.1.144.dist-info/METADATA,sha256=VGEBV4ScOMv2xQbFzn8Pp0Ejo2d3DeOGJuf6W26Mu90,1490
-dnastack_client_library-3.1.144.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-dnastack_client_library-3.1.144.dist-info/entry_points.txt,sha256=Y6OeicsiyGn3-8D-SiV4NiKlJgXfkSqK88kFBR6R1rY,89
-dnastack_client_library-3.1.144.dist-info/top_level.txt,sha256=P2RgRyqJ7hfNy1wLVRoVLJYEppUVkCX3syGK9zBqkt8,9
-dnastack_client_library-3.1.144.dist-info/RECORD,,
+dnastack/http/authenticators/oauth2_adapter/client_credential.py,sha256=wWHk6-l-GIxG5_MtcjLvu6sU6wugAFudaBUH33BkXPQ,2823
+dnastack/http/authenticators/oauth2_adapter/cloud_providers.py,sha256=UHQ-YHHr5ipqSQVzCfr95Uv3zkFcop_RCpK4q6a2yJg,4317
+dnastack/http/authenticators/oauth2_adapter/device_code_flow.py,sha256=dXI5CyUcsqYg6gf5vDC_3eY6Cc-H1C8W7FeD_24j92A,6750
+dnastack/http/authenticators/oauth2_adapter/factory.py,sha256=ZtNXOklWEim-26ooNoPp3ji_hRg1vf4fHHnY94F0wLI,1087
+dnastack/http/authenticators/oauth2_adapter/models.py,sha256=iY7asrSElyjubInrGV5rJKKZAxJWeq7csnaj-EqMq00,943
+dnastack/http/authenticators/oauth2_adapter/token_exchange.py,sha256=aLSs0P5lj5LgpqUTzAn0hdbZxseVhqX2qV8KdcjmY6k,6303
+dnastack_client_library-3.1.145.dist-info/licenses/LICENSE,sha256=uwybO-wUbQhxkosgjhJlxmYATMy-AzoULFO9FUedE34,11580
+dnastack_client_library-3.1.145.dist-info/METADATA,sha256=10kJ53EGKrSgDaOEIBGHvQARcwfp488x6WmLMQ_ur6c,1490
+dnastack_client_library-3.1.145.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+dnastack_client_library-3.1.145.dist-info/entry_points.txt,sha256=Y6OeicsiyGn3-8D-SiV4NiKlJgXfkSqK88kFBR6R1rY,89
+dnastack_client_library-3.1.145.dist-info/top_level.txt,sha256=P2RgRyqJ7hfNy1wLVRoVLJYEppUVkCX3syGK9zBqkt8,9
+dnastack_client_library-3.1.145.dist-info/RECORD,,