doorin 0.1.0__tar.gz

doorin-0.1.0/.gitignore

@@ -0,0 +1,162 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+*.http
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+*.sqlite3
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+.venv-speech/
+.venv-cli/
+.venv-toolbox/
+.venv-rag/
+.venv-agents/
+.venv-sdk/
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+staticfiles/
+mediafiles/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# EDITOR
+.idea
+
+# NODEJS
+node_modules/
+
+# LOCAL ONLY
+localonly/
+
+# Whoosh index
+whoosh/
+whoosh_index/
+.whoosh/
+.whoosh_index/
+
+export/
+.export/
+
+*.identifier
+staticfiles/
+redis/
+minio/
+postgresql/
+notebooks/
+volumes/
+.artifacts/
+.env

doorin-0.1.0/PKG-INFO

@@ -0,0 +1,20 @@
+Metadata-Version: 2.4
+Name: doorin
+Version: 0.1.0
+Summary: Extensible API Gateway Core
+Requires-Python: >=3.12
+Requires-Dist: authlib>=1.3.0
+Requires-Dist: httpx[http2]>=0.27.0
+Requires-Dist: itsdangerous>=2.2.0
+Requires-Dist: pydantic-settings>=2.2.1
+Requires-Dist: pydantic>=2.7.0
+Requires-Dist: pyfiglet>=1.0.4
+Requires-Dist: python-dotenv>=1.0.1
+Requires-Dist: python-hookups>=0.1.0
+Requires-Dist: python-jose[cryptography]>=3.3.0
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: redis[hiredis]>=8.0.0
+Requires-Dist: rich>=15.0.0
+Requires-Dist: starlette>=1.3.1
+Requires-Dist: typer>=0.26.7
+Requires-Dist: uvicorn>=0.27.0

doorin-0.1.0/app/doorin.yaml

@@ -0,0 +1,32 @@
+components:
+  transformers:
+    - type: add_request_header
+      enabled: true
+    - type: add_query_param
+      enabled: true
+    - type: modify_response_status
+      enabled: false
+  auth_providers:
+    - name: api_key
+      enabled: true
+  rate_limiters:
+    - name: sliding_window
+      enabled: true
+
+services:
+  example:
+    base_url: "http://httpbin.org"
+    default_require_api_key: false
+    default_rate_limit: 30
+    routes:
+      - path: "/get"
+        methods: ["GET"]
+        transformers:
+          - type: add_request_header
+            order: 10
+            config:
+              name: "X-Gateway"
+              value: "Doorin"
+
+api_keys:
+  - "test-key-123"

doorin-0.1.0/app/services/placeholder.yaml

@@ -0,0 +1,55 @@
+# JSONPlaceholder Service Configuration
+# Documentation: https://jsonplaceholder.typicode.com/
+
+transformers:
+  # Adds a custom header to the request before forwarding to JSONPlaceholder
+  doorin_identity:
+    type: "add_request_header"
+    order: 1
+    config:
+      name: "X-Gateway"
+      value: "Doorin"
+
+  # Adds a custom query parameter to every request
+  # Example: GET /posts -> GET /posts?source=doorin_gateway
+  source_tag:
+    type: "add_query_param"
+    order: 2
+    config:
+      name: "source"
+      value: "doorin_gateway"
+
+services:
+  jsonplaceholder:
+    base_url: "https://jsonplaceholder.typicode.com"
+    default_require_api_key: false
+    default_rate_limit: 100
+    routes:
+      - path: "/posts"
+        strip_prefix: false
+        methods: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+        transformers: ["doorin_identity", "source_tag"]
+      
+      - path: "/comments"
+        strip_prefix: false
+        methods: ["GET"]
+        transformers: ["doorin_identity"]
+      
+      - path: "/albums"
+        strip_prefix: false
+        methods: ["GET"]
+      
+      - path: "/photos"
+        strip_prefix: false
+        methods: ["GET"]
+      
+      - path: "/todos"
+        strip_prefix: false
+        methods: ["GET", "PATCH"]
+      
+      - path: "/users"
+        strip_prefix: false
+        methods: ["GET"]
+
+api_keys:
+  - "sk-dev-placeholder-12345"

doorin-0.1.0/doorin/__init__.py

@@ -0,0 +1,17 @@
+"""Doorin – Extensible API Gateway"""
+
+from doorin.core.models import Addon
+from doorin.core.registry import register_manifest
+from doorin.core.storage import storage, init_redis, close_redis
+
+def register_addon(config: dict = None, **kwargs):
+    """
+    Registers an addon manifest. Can be called with a dict or keyword arguments.
+    """
+    if config:
+        # If a dict is passed, merge with kwargs
+        kwargs.update(config)
+    
+    addon = Addon(**kwargs)
+    register_manifest(addon)
+    return addon

doorin-0.1.0/doorin/addons/base/__init__.py

@@ -0,0 +1,7 @@
+__manifest__ = {
+    "name": "base",
+    "version": "1.0.0",
+    "description": "Base addon with standard transformers, auth providers, and gateway middleware",
+    "libraries": [],
+    "dependencies": []
+}

doorin-0.1.0/doorin/addons/base/auth/api_key.py

@@ -0,0 +1,19 @@
+from doorin.core.responses import JSONResponse
+from doorin.core.types import AuthProvider
+from doorin.core.storage import storage
+from doorin.core.registry import register_auth_provider
+
+class ApiKeyAuthProvider(AuthProvider):
+    async def authenticate(self, request, config):
+        api_key = request.headers.get("X-API-Key")
+        if not api_key:
+            return JSONResponse({"error": "Missing API key"}, status_code=401)
+        
+        valid = await storage.is_api_key_valid(api_key)
+        if not valid:
+            return JSONResponse({"error": "Invalid API key"}, status_code=401)
+        return None
+
+# The AddonManager handles registration based on class inheritance,
+# but we keep this for manual imports if needed.
+register_auth_provider("api_key", ApiKeyAuthProvider)

doorin-0.1.0/doorin/addons/base/middlewares/gateway.py

@@ -0,0 +1,66 @@
+from doorin.core.requests import Request
+from doorin.core.responses import JSONResponse
+from doorin.core.registry import (
+    get_auth_provider, get_rate_limiter, is_component_enabled, register_middleware
+)
+from doorin.core.types import GatewayMiddleware
+from doorin.core.storage import storage
+from doorin.core.models import RouteConfig, ServiceConfig
+from doorin.core.proxy import load_route, forward_request
+
+class MainGatewayMiddleware(GatewayMiddleware):
+    async def dispatch(self, request: Request, call_next):
+        path = request.url.path
+        route_info = await load_route(path)
+        if not route_info:
+            return await call_next(request)
+
+        route: RouteConfig = route_info["route"]
+        service: ServiceConfig = route_info["service"]
+        req_trans = route_info["request_transformers"]
+        resp_trans = route_info["response_transformers"]
+        route_id = route_info["route_id"]
+
+        if request.method not in route.methods:
+            return JSONResponse({"error": "Method not allowed"}, status_code=405)
+
+        # Authentication
+        auth_name = route.auth_provider or service.default_auth_provider
+        if is_component_enabled("auth_providers", auth_name):
+            auth_func = get_auth_provider(auth_name)
+            if auth_func:
+                auth_resp = await auth_func(request, route.auth_config)
+                if auth_resp:
+                    return auth_resp
+        elif route.require_api_key if route.require_api_key is not None else service.default_require_api_key:
+            key = request.headers.get("X-API-Key")
+            if not await storage.is_api_key_valid(key):
+                return JSONResponse({"error": "Invalid API key"}, 401)
+
+        # Rate limiting
+        limit = route.rate_limit or service.default_rate_limit
+        if limit and limit > 0:
+            limiter_name = route.rate_limiter or service.default_rate_limiter
+            if is_component_enabled("rate_limiters", limiter_name):
+                LimiterClass = get_rate_limiter(limiter_name)
+                if LimiterClass:
+                    limiter = LimiterClass()
+                    client_ip = request.client.host
+                    key = storage.rate_limit_key(route_id, client_ip)
+                    if await limiter.is_limited(key, limit):
+                        return JSONResponse({"error": "Rate limit exceeded"}, 429)
+
+        # Forward
+        if route.strip_prefix:
+            remaining = path[len(route_info["path_prefix"]):]
+        else:
+            remaining = path
+            
+        if not remaining.startswith("/"):
+            remaining = "/" + remaining
+
+        response = await forward_request(request, service.base_url, remaining, req_trans, resp_trans)
+        return response
+
+
+register_middleware(MainGatewayMiddleware)

doorin-0.1.0/doorin/addons/base/transformers/request_transformers.py

@@ -0,0 +1,40 @@
+from doorin.core.requests import Request
+from doorin.core.types import RequestTransformer, ResponseTransformer
+from doorin.core.registry import register_transformer, register_response_transformer
+
+class AddHeaderTransformer(RequestTransformer):
+    async def transform(self, request: Request, config: dict) -> Request:
+        if not hasattr(request.state, "headers_to_add"):
+            request.state.headers_to_add = []
+        request.state.headers_to_add.append((config["name"], config["value"]))
+        return request
+
+class RemoveHeaderTransformer(RequestTransformer):
+    async def transform(self, request: Request, config: dict) -> Request:
+        if not hasattr(request.state, "headers_to_remove"):
+            request.state.headers_to_remove = []
+        request.state.headers_to_remove.append(config["name"])
+        return request
+
+class AddQueryParamTransformer(RequestTransformer):
+    async def transform(self, request: Request, config: dict) -> Request:
+        if not hasattr(request.state, "query_params_to_add"):
+            request.state.query_params_to_add = []
+        request.state.query_params_to_add.append((config["name"], config["value"]))
+        return request
+
+class ModifyResponseStatusTransformer(ResponseTransformer):
+    async def transform(self, response, config):
+        response.status_code = config["status"]
+        return response
+
+class AddResponseHeaderTransformer(ResponseTransformer):
+    async def transform(self, response, config):
+        response.headers[config["name"]] = config["value"]
+        return response
+
+register_transformer("add_request_header", AddHeaderTransformer)
+register_transformer("remove_request_header", RemoveHeaderTransformer)
+register_transformer("add_query_param", AddQueryParamTransformer)
+register_response_transformer("modify_response_status", ModifyResponseStatusTransformer)
+register_response_transformer("add_response_header", AddResponseHeaderTransformer)

doorin-0.1.0/doorin/addons/oidc/__init__.py

@@ -0,0 +1,12 @@
+__manifest__ = {
+    "name": "oidc",
+    "version": "1.0.0",
+    "description": "OpenID Connect addon for Doorin",
+    "libraries": [
+        "authlib>=1.3.0",
+        "itsdangerous",
+        "httpx>=0.27.0",
+        "python-jose[cryptography]>=3.3.0"
+    ],
+    "dependencies": ["base"]
+}

doorin-0.1.0/doorin/addons/oidc/auth/__init__.py

@@ -0,0 +1 @@
+# OIDC Auth Providers

doorin-0.1.0/doorin/addons/oidc/auth/bearer.py

@@ -0,0 +1,176 @@
+"""
+OIDC Bearer token validation using JWKS and optional introspection.
+"""
+
+import json
+import time
+import httpx
+from urllib.request import urlopen
+from jose import jwt
+from jose.exceptions import JWTError, ExpiredSignatureError
+
+from doorin.core.responses import JSONResponse
+from doorin.core.logger import get_logger
+from doorin.core.types import AuthProvider
+from doorin.core.storage import storage
+from doorin.core.registry import register_auth_provider
+
+logger = get_logger("oidc.bearer")
+
+# Cache for JWKS (shared across instances)
+_jwks_cache = {}
+_jwks_cache_time = {}
+
+def get_jwks_client(issuer_url: str, cache_ttl: int = 3600):
+    now = time.time()
+    if issuer_url in _jwks_cache and now - _jwks_cache_time.get(issuer_url, 0) < cache_ttl:
+        return _jwks_cache[issuer_url]
+    jwks_url = f"{issuer_url.rstrip('/')}/protocol/openid-connect/certs"
+    try:
+        with urlopen(jwks_url) as resp:
+            jwks = json.loads(resp.read())
+        _jwks_cache[issuer_url] = jwks
+        _jwks_cache_time[issuer_url] = now
+        return jwks
+    except Exception as e:
+        logger.error(f"Failed to fetch JWKS from {jwks_url}: {e}")
+        return None
+
+
+class OIDCBearerAuthProvider(AuthProvider):
+    async def authenticate(self, request, config: dict):
+        auth_header = request.headers.get("Authorization")
+        if not auth_header or not auth_header.startswith("Bearer "):
+            if config.get("optional", False):
+                return None
+            return JSONResponse({"error": "Missing or invalid Authorization header"}, status_code=401)
+
+        token = auth_header.split(" ")[1]
+        issuer = config.get("issuer_url")
+        audience = config.get("audience")
+
+        if not issuer or not audience:
+            logger.error("OIDC config missing issuer_url or audience")
+            return JSONResponse({"error": "Provider misconfigured"}, status_code=500)
+
+        # Choose validation method
+        if config.get("use_introspection", False):
+            claims = await self._introspect_token(token, config)
+        else:
+            claims = await self._validate_jwt(token, issuer, audience, config)
+
+        if claims is None:
+            return JSONResponse({"error": "Invalid token"}, status_code=401)
+
+        # Store user info in request state
+        request.state.user = claims.get("sub")
+        request.state.email = claims.get("email")
+        request.state.claims = claims
+
+        # Role extraction
+        role_claim_path = config.get("role_claim", "realm_access.roles")
+        roles = claims
+        for part in role_claim_path.split("."):
+            if isinstance(roles, dict):
+                roles = roles.get(part, {})
+            else:
+                roles = {}
+                break
+        request.state.roles = roles if isinstance(roles, list) else [roles] if roles else []
+
+        # Required roles
+        required_roles = config.get("required_roles", [])
+        if required_roles:
+            missing = [r for r in required_roles if r not in request.state.roles]
+            if missing:
+                return JSONResponse({"error": f"Missing roles: {', '.join(missing)}"}, status_code=403)
+
+        # Required scopes
+        required_scopes = config.get("required_scopes", [])
+        if required_scopes:
+            token_scopes = claims.get("scope", "").split()
+            missing = [s for s in required_scopes if s not in token_scopes]
+            if missing:
+                return JSONResponse({"error": f"Missing scopes: {', '.join(missing)}"}, status_code=403)
+
+        return None
+
+    async def _validate_jwt(self, token, issuer, audience, config):
+        jwks = get_jwks_client(issuer, config.get("cache_ttl", 3600))
+        if not jwks:
+            return None
+        try:
+            unverified_header = jwt.get_unverified_header(token)
+            kid = unverified_header.get("kid")
+            if not kid:
+                raise JWTError("No kid in token header")
+            key = None
+            for k in jwks.get("keys", []):
+                if k.get("kid") == kid:
+                    key = k
+                    break
+            if not key:
+                raise JWTError("No matching key found")
+            payload = jwt.decode(
+                token,
+                key,
+                algorithms=["RS256", "RS384", "RS512"],
+                audience=audience,
+                issuer=issuer,
+                options={"verify_aud": True, "verify_iss": True}
+            )
+            return payload
+        except ExpiredSignatureError:
+            logger.debug("Token expired")
+            return None
+        except JWTError as e:
+            logger.debug(f"JWT validation failed: {e}")
+            return None
+
+    async def _introspect_token(self, token, config):
+        discovery = await self._get_discovery(config["issuer_url"])
+        if not discovery:
+            return None
+        introspect_url = discovery.get("introspection_endpoint")
+        if not introspect_url:
+            logger.error("No introspection endpoint in discovery document")
+            return None
+        client_id = config.get("client_id")
+        client_secret = config.get("client_secret")
+        if not client_id or not client_secret:
+            logger.error("Introspection requires client_id and client_secret")
+            return None
+        async with httpx.AsyncClient(timeout=10.0) as http_client:
+            resp = await http_client.post(
+                introspect_url,
+                data={"token": token},
+                auth=(client_id, client_secret),
+            )
+            if resp.status_code != 200:
+                return None
+            data = resp.json()
+            if not data.get("active"):
+                return None
+            return data
+
+    async def _get_discovery(self, issuer_url):
+        cache_key = f"oidc_discovery:{issuer_url}"
+        if storage.client:
+            cached = await storage.client.get(cache_key)
+            if cached:
+                return json.loads(cached)
+        discovery_url = f"{issuer_url.rstrip('/')}/.well-known/openid-configuration"
+        async with httpx.AsyncClient(timeout=10.0) as http_client:
+            try:
+                resp = await http_client.get(discovery_url)
+                resp.raise_for_status()
+                data = resp.json()
+                if storage.client:
+                    await storage.client.setex(cache_key, 3600, json.dumps(data))
+                return data
+            except Exception as e:
+                logger.error(f"Discovery failed: {e}")
+                return None
+
+# Register the auth provider
+register_auth_provider("oidc_bearer", OIDCBearerAuthProvider)