earthscope-sdk 1.0.0b1__tar.gz → 1.1.0__tar.gz

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: earthscope-sdk
-Version: 1.0.0b1
+Version: 1.1.0
 Summary: An SDK for EarthScope API
 Author-email: EarthScope <data-help@earthscope.org>
 License:                                  Apache License
@@ -222,6 +222,7 @@ Requires-Dist: build; extra == "dev"
 Requires-Dist: pytest; extra == "dev"
 Requires-Dist: twine; extra == "dev"
 Requires-Dist: pip-tools; extra == "dev"
+Requires-Dist: pre-commit; extra == "dev"
 Requires-Dist: pytest-httpx; extra == "dev"
 Requires-Dist: pytest-asyncio; extra == "dev"
 Requires-Dist: ruff; extra == "dev"
@@ -243,7 +244,7 @@ pip install earthscope-sdk
 
 ### Usage
 
-For detailed usage options and examples, visit [our usage docs](docs/usage.md).
+For detailed usage info and examples, visit [our SDK docs](https://docs.earthscope.org/projects/SDK).
 
 ```py
 # Import and create a client
@@ -300,7 +301,7 @@ Once refreshable credentials are available to the SDK, it will transparently han
 
 ### Same host
 
-If you have the [EarthScope CLI](TODO) installed on the same host that is running your application which uses `earthscope-sdk`, you can simply log in using the CLI. The CLI shares credentials and configuration with this SDK (when running on the same host).
+If you have the [EarthScope CLI](https://docs.earthscope.org/projects/CLI) installed on the same host that is running your application which uses `earthscope-sdk`, you can simply log in using the CLI. The CLI shares credentials and configuration with this SDK (when running on the same host).
 
 Running `es login` will open your browser and prompt you to log in to your EarthScope account.
 
@@ -320,7 +321,7 @@ Now when you run your application, `earthscope-sdk` will find your credentials.
 
 Sometimes your workload runs on different hosts than your main workstation and you cannot feasibly "log in" on all of them. For example, maybe you're running many containers in your workload.
 
-You can still use the [EarthScope CLI](TODO) to facilitate auth for applications on other machines.
+You can still use the [EarthScope CLI](https://docs.earthscope.org/projects/CLI) to facilitate auth for applications on other machines.
 
 1. Use the CLI on your primary workstation [as described above](#same-host) to log in.
 

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/README.md

@@ -14,7 +14,7 @@ pip install earthscope-sdk
 
 ### Usage
 
-For detailed usage options and examples, visit [our usage docs](docs/usage.md).
+For detailed usage info and examples, visit [our SDK docs](https://docs.earthscope.org/projects/SDK).
 
 ```py
 # Import and create a client
@@ -71,7 +71,7 @@ Once refreshable credentials are available to the SDK, it will transparently han
 
 ### Same host
 
-If you have the [EarthScope CLI](TODO) installed on the same host that is running your application which uses `earthscope-sdk`, you can simply log in using the CLI. The CLI shares credentials and configuration with this SDK (when running on the same host).
+If you have the [EarthScope CLI](https://docs.earthscope.org/projects/CLI) installed on the same host that is running your application which uses `earthscope-sdk`, you can simply log in using the CLI. The CLI shares credentials and configuration with this SDK (when running on the same host).
 
 Running `es login` will open your browser and prompt you to log in to your EarthScope account.
 
@@ -91,7 +91,7 @@ Now when you run your application, `earthscope-sdk` will find your credentials.
 
 Sometimes your workload runs on different hosts than your main workstation and you cannot feasibly "log in" on all of them. For example, maybe you're running many containers in your workload.
 
-You can still use the [EarthScope CLI](TODO) to facilitate auth for applications on other machines.
+You can still use the [EarthScope CLI](https://docs.earthscope.org/projects/CLI) to facilitate auth for applications on other machines.
 
 1. Use the CLI on your primary workstation [as described above](#same-host) to log in.
 

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "earthscope-sdk"
-version = "1.0.0b1"
+version = "1.1.0"
 description = "An SDK for EarthScope API"
 readme = "README.md"
 authors = [{ name = "EarthScope", email = "data-help@earthscope.org" }]
@@ -31,6 +31,7 @@ dev = [
     "pytest",
     "twine",
     "pip-tools",
+    "pre-commit",
     "pytest-httpx",
     "pytest-asyncio",
     "ruff",
@@ -40,7 +41,7 @@ dev = [
 Homepage = "https://gitlab.com/earthscope/public/earthscope-sdk"
 
 [tool.bumpver]
-current_version = "1.0.0b1"
+current_version = "1.1.0"
 version_pattern = "MAJOR.MINOR.PATCH[PYTAGNUM]"
 commit_message = "chore: bump version {old_version} -> {new_version}"
 commit = true

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/src/earthscope_sdk/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "1.0.0b1"
+__version__ = "1.1.0"
 
 from earthscope_sdk.client import AsyncEarthScopeClient, EarthScopeClient
 

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/src/earthscope_sdk/auth/auth_flow.py

@@ -311,9 +311,10 @@ class AuthFlow(httpx.Auth):
         """
         super().async_auth_flow
         if request.headers.get("authorization") is None:
-            await self.async_refresh_if_necessary()
-            access_token = self.access_token
-            request.headers["authorization"] = f"Bearer {access_token}"
+            if self._settings.is_host_allowed(request.url.host):
+                await self.async_refresh_if_necessary()
+                access_token = self.access_token
+                request.headers["authorization"] = f"Bearer {access_token}"
 
         yield request
 
@@ -326,8 +327,9 @@ class AuthFlow(httpx.Auth):
         # NOTE: we explicitly redefine this sync method because ctx.syncify()
         # does not support generators
         if request.headers.get("authorization") is None:
-            self.refresh_if_necessary()
-            access_token = self.access_token
-            request.headers["authorization"] = f"Bearer {access_token}"
+            if self._settings.is_host_allowed(request.url.host):
+                self.refresh_if_necessary()
+                access_token = self.access_token
+                request.headers["authorization"] = f"Bearer {access_token}"
 
         yield request

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/src/earthscope_sdk/auth/client_credentials_flow.py

@@ -1,5 +1,4 @@
 import logging
-from dataclasses import dataclass
 from json import JSONDecodeError
 
 from earthscope_sdk.auth.auth_flow import AuthFlow
@@ -9,12 +8,6 @@ from earthscope_sdk.common.context import SdkContext
 logger = logging.getLogger(__name__)
 
 
-@dataclass
-class GetTokensErrorResponse:
-    error: str
-    error_description: str
-
-
 class ClientCredentialsFlow(AuthFlow):
     """
     Implements the oauth2 Client Credentials "machine-to-machine" (M2M) flow.
@@ -69,12 +62,9 @@ class ClientCredentialsFlow(AuthFlow):
 
         # Unauthorized
         if r.status_code == 401:
-            err = GetTokensErrorResponse(**resp)
-            if err.error == "access_denied":
-                if err.error_description == "Unauthorized":
-                    raise UnauthorizedError(
-                        f"m2m client '{self._settings.client_id}' is not authorized"
-                    )
+            raise UnauthorizedError(
+                f"m2m client '{self._settings.client_id}' is not authorized. IdP response: {resp}"
+            )
 
         # Unhandled
         raise ClientCredentialsFlowError("client credentials flow failed", r.content)

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/src/earthscope_sdk/auth/device_code_flow.py

@@ -1,11 +1,12 @@
 import logging
+from asyncio import sleep
 from contextlib import asynccontextmanager, contextmanager
-from dataclasses import dataclass
 from enum import Enum
 from json import JSONDecodeError
-from time import sleep
 from typing import Optional
 
+from pydantic import BaseModel, ValidationError
+
 from earthscope_sdk.auth.auth_flow import AuthFlow
 from earthscope_sdk.auth.error import (
     DeviceCodePollingError,
@@ -25,18 +26,16 @@ class PollingErrorType(str, Enum):
     ACCESS_DENIED = "access_denied"
 
 
-@dataclass
-class GetDeviceCodeResponse:
+class GetDeviceCodeResponse(BaseModel):
     device_code: str
     user_code: str
     verification_uri: str
     verification_uri_complete: str
     expires_in: int
-    interval: int
+    interval: float
 
 
-@dataclass
-class PollingErrorResponse:
+class PollingErrorResponse(BaseModel):
     error: PollingErrorType
     error_description: str
 
@@ -157,7 +156,7 @@ class DeviceCodeFlow(AuthFlow):
         try:
             while True:
                 # IdP-provided poll interval
-                sleep(codes.interval)
+                await sleep(codes.interval)
 
                 r = await self._ctx.httpx_client.post(
                     f"{self._settings.domain}oauth/token",
@@ -185,7 +184,12 @@ class DeviceCodeFlow(AuthFlow):
                     return self
 
                 # Keep polling
-                poll_err = PollingErrorResponse(**resp)
+                try:
+                    poll_err = PollingErrorResponse.model_validate(resp)
+                except ValidationError as e:
+                    raise DeviceCodePollingError(
+                        f"Failed to unpack polling response: {r.text}"
+                    ) from e
                 if poll_err.error in [
                     PollingErrorType.AUTHORIZATION_PENDING,
                     PollingErrorType.SLOW_DOWN,
@@ -235,7 +239,12 @@ class DeviceCodeFlow(AuthFlow):
                 f"Failed to get a device code: {r.content}"
             )
 
-        codes = GetDeviceCodeResponse(**r.json())
+        try:
+            codes = GetDeviceCodeResponse.model_validate_json(r.content)
+        except ValidationError as e:
+            raise DeviceCodeRequestDeviceCodeError(
+                f"Failed to unpack device code response: {r.text}"
+            ) from e
 
         logger.debug(f"Got device code response: {codes}")
         return codes

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/src/earthscope_sdk/common/context.py

@@ -78,6 +78,8 @@ class SdkContext:
         self._httpx_client = httpx.AsyncClient(
             auth=self.auth_flow,
             headers={
+                **self.settings.http.extra_headers,
+                # override anything specified via extra_headers
                 "user-agent": self.settings.http.user_agent,
             },
             limits=self.settings.http.limits,

earthscope_sdk-1.1.0/src/earthscope_sdk/config/_bootstrap.py

@@ -0,0 +1,42 @@
+"""
+This module facilitates bootstrapping SDK settings from a JSON-encoded environment variable.
+"""
+
+import json
+import logging
+import os
+
+from pydantic_settings import PydanticBaseSettingsSource
+
+logger = logging.getLogger(__name__)
+
+
+class BootstrapEnvironmentSettingsSource(PydanticBaseSettingsSource):
+    """
+    This SettingsSource facilitates bootstrapping the SDK from a special environment variable.
+
+    The environment variable should be a JSON string of the expected SDK settings and structure.
+    """
+
+    def __init__(self, settings_cls, env_var: str):
+        super().__init__(settings_cls)
+        self._env_var = env_var
+
+    def __call__(self):
+        try:
+            bootstrap_settings = os.environ[self._env_var]
+        except KeyError:
+            return {}
+
+        try:
+            return json.loads(bootstrap_settings)
+        except json.JSONDecodeError:
+            logger.warning(
+                f"Found bootstrap environment variable '{self._env_var}', but unable to decode content as JSON"
+            )
+            return {}
+
+    def __repr__(self) -> str:
+        return f"{self.__class__.__name__}(env_var='{self._env_var}')"
+
+    def get_field_value(self, *args, **kwargs): ...  # unused abstract method

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/src/earthscope_sdk/config/models.py

@@ -1,6 +1,7 @@
 import base64
 import binascii
 import datetime as dt
+import fnmatch
 import functools
 from contextlib import suppress
 from enum import Enum
@@ -15,14 +16,12 @@ from pydantic import (
     ConfigDict,
     Field,
     HttpUrl,
-    SecretStr,
-    SerializationInfo,
     ValidationError,
-    field_serializer,
     model_validator,
 )
 
 from earthscope_sdk import __version__
+from earthscope_sdk.model.secret import SecretStr
 
 
 def _try_float(v: Any):
@@ -94,23 +93,6 @@ class Tokens(BaseModel):
 
         raise ValueError("Unable to decode access token body")
 
-    @field_serializer("access_token", "id_token", "refresh_token", when_used="json")
-    def dump_secret_json(self, secret: Optional[SecretStr], info: SerializationInfo):
-        """
-        A special field serializer to dump the actual secret value when writing to JSON.
-
-        Only writes secret in plaintext when `info.context == "plaintext".
-
-        See [Pydantic docs](https://docs.pydantic.dev/latest/concepts/serialization/#serialization-context)
-        """
-        if secret is None:
-            return None
-
-        if info.context == "plaintext":
-            return secret.get_secret_value()
-
-        return str(secret)
-
     @model_validator(mode="after")
     def ensure_one_of(self):
         # allow all fields to be optional in subclasses
@@ -207,6 +189,12 @@ class AuthFlowSettings(Tokens):
     scope: str = "offline_access"
     client_secret: Optional[SecretStr] = None
 
+    # Only inject bearer token for requests to these hosts
+    allowed_hosts: set[str] = {
+        "earthscope.org",
+        "*.earthscope.org",
+    }
+
     # Auth exchange retries
     retry: HttpRetrySettings = HttpRetrySettings(
         attempts=5,
@@ -222,6 +210,37 @@ class AuthFlowSettings(Tokens):
 
         return AuthFlowType.DeviceCode
 
+    @cached_property
+    def allowed_host_patterns(self) -> set[str]:
+        """
+        The subset of allowed hosts that are glob patterns.
+
+        Use `is_host_allowed` to check if a host is allowed by any of these patterns.
+        """
+        return {h for h in self.allowed_hosts if "*" in h or "?" in h}
+
+    def is_host_allowed(self, host: str) -> bool:
+        """
+        Check if a host matches any pattern in the allowed hosts set.
+
+        Supports glob patterns with '?' and '*' characters (e.g., *.earthscope.org).
+
+        Args:
+            host: The hostname to check
+
+        Returns:
+            True if the host matches any allowed pattern, False otherwise
+        """
+        if host in self.allowed_hosts:
+            return True
+
+        for allowed_pattern in self.allowed_host_patterns:
+            if fnmatch.fnmatch(host, allowed_pattern):
+                self.allowed_hosts.add(host)
+                return True
+
+        return False
+
 
 class HttpSettings(BaseModel):
     """
@@ -242,6 +261,7 @@ class HttpSettings(BaseModel):
 
     # Other
     user_agent: str = f"earthscope-sdk py/{__version__}"
+    extra_headers: dict[str, str] = {}
 
     @cached_property
     def limits(self):

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/src/earthscope_sdk/config/settings.py

@@ -11,11 +11,15 @@ from pydantic_settings import (
     TomlConfigSettingsSource,
 )
 
+from earthscope_sdk.config._bootstrap import BootstrapEnvironmentSettingsSource
 from earthscope_sdk.config._compat import LegacyEarthScopeCLISettingsSource
 from earthscope_sdk.config._util import deep_merge, get_config_dir, slugify
 from earthscope_sdk.config.error import ProfileDoesNotExistError
 from earthscope_sdk.config.models import SdkBaseSettings, Tokens
 
+_BOOTSTRAP_ENV_VAR = "ES_BOOTSTRAP_SETTINGS"
+"""Environment variable for bootstrapping the SDK"""
+
 _DEFAULT_PROFILE = "default"
 """Default profile name"""
 
@@ -269,6 +273,12 @@ class SdkSettings(SdkBaseSettings, BaseSettings):
         alias = SdkSettings.model_fields["profile_name"].validation_alias
         global_settings = _GlobalSettingsSource(settings_cls, "profile_name", alias)
 
+        # Check for bootstrapping configuration
+        bootstrap_settings = BootstrapEnvironmentSettingsSource(
+            settings_cls,
+            _BOOTSTRAP_ENV_VAR,
+        )
+
         # Compatibility with earthscope-cli v0.x.x state:
         # If we find this file, we only care about the access and refresh tokens
         keep_keys = {"access_token", "refresh_token"}
@@ -281,4 +291,5 @@ class SdkSettings(SdkBaseSettings, BaseSettings):
             dotenv_settings,
             global_settings,
             legacy_settings,
+            bootstrap_settings,
         )

earthscope_sdk-1.1.0/src/earthscope_sdk/model/secret.py

@@ -0,0 +1,29 @@
+from typing import Annotated
+
+from pydantic import PlainSerializer, SerializationInfo
+from pydantic import SecretStr as _SecretStr
+
+
+def _dump_secret_plaintext(secret: _SecretStr, info: SerializationInfo):
+    """
+    A special field serializer to dump the actual secret value.
+
+    Only writes secret in plaintext when `info.context == "plaintext".
+
+    See [Pydantic docs](https://docs.pydantic.dev/latest/concepts/serialization/#serialization-context)
+    """
+
+    if info.context == "plaintext":
+        return secret.get_secret_value()
+
+    return str(secret)
+
+
+SecretStr = Annotated[
+    _SecretStr,
+    PlainSerializer(
+        _dump_secret_plaintext,
+        return_type=str,
+        when_used="json-unless-none",
+    ),
+]

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/src/earthscope_sdk.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: earthscope-sdk
-Version: 1.0.0b1
+Version: 1.1.0
 Summary: An SDK for EarthScope API
 Author-email: EarthScope <data-help@earthscope.org>
 License:                                  Apache License
@@ -222,6 +222,7 @@ Requires-Dist: build; extra == "dev"
 Requires-Dist: pytest; extra == "dev"
 Requires-Dist: twine; extra == "dev"
 Requires-Dist: pip-tools; extra == "dev"
+Requires-Dist: pre-commit; extra == "dev"
 Requires-Dist: pytest-httpx; extra == "dev"
 Requires-Dist: pytest-asyncio; extra == "dev"
 Requires-Dist: ruff; extra == "dev"
@@ -243,7 +244,7 @@ pip install earthscope-sdk
 
 ### Usage
 
-For detailed usage options and examples, visit [our usage docs](docs/usage.md).
+For detailed usage info and examples, visit [our SDK docs](https://docs.earthscope.org/projects/SDK).
 
 ```py
 # Import and create a client
@@ -300,7 +301,7 @@ Once refreshable credentials are available to the SDK, it will transparently han
 
 ### Same host
 
-If you have the [EarthScope CLI](TODO) installed on the same host that is running your application which uses `earthscope-sdk`, you can simply log in using the CLI. The CLI shares credentials and configuration with this SDK (when running on the same host).
+If you have the [EarthScope CLI](https://docs.earthscope.org/projects/CLI) installed on the same host that is running your application which uses `earthscope-sdk`, you can simply log in using the CLI. The CLI shares credentials and configuration with this SDK (when running on the same host).
 
 Running `es login` will open your browser and prompt you to log in to your EarthScope account.
 
@@ -320,7 +321,7 @@ Now when you run your application, `earthscope-sdk` will find your credentials.
 
 Sometimes your workload runs on different hosts than your main workstation and you cannot feasibly "log in" on all of them. For example, maybe you're running many containers in your workload.
 
-You can still use the [EarthScope CLI](TODO) to facilitate auth for applications on other machines.
+You can still use the [EarthScope CLI](https://docs.earthscope.org/projects/CLI) to facilitate auth for applications on other machines.
 
 1. Use the CLI on your primary workstation [as described above](#same-host) to log in.
 

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/src/earthscope_sdk.egg-info/SOURCES.txt

@@ -25,11 +25,13 @@ src/earthscope_sdk/common/client.py
 src/earthscope_sdk/common/context.py
 src/earthscope_sdk/common/service.py
 src/earthscope_sdk/config/__init__.py
+src/earthscope_sdk/config/_bootstrap.py
 src/earthscope_sdk/config/_compat.py
 src/earthscope_sdk/config/_util.py
 src/earthscope_sdk/config/error.py
 src/earthscope_sdk/config/models.py
 src/earthscope_sdk/config/settings.py
+src/earthscope_sdk/model/secret.py
 tests/test_auth.py
 tests/test_client.py
 tests/test_context.py

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/src/earthscope_sdk.egg-info/requires.txt

@@ -8,6 +8,7 @@ build
 pytest
 twine
 pip-tools
+pre-commit
 pytest-httpx
 pytest-asyncio
 ruff

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/tests/test_auth.py

@@ -1,12 +1,20 @@
 import time
 import webbrowser
+from typing import Type
 
 import pytest
 from pytest_httpx import HTTPXMock
 
 from earthscope_sdk.auth.client_credentials_flow import ClientCredentialsFlow
-from earthscope_sdk.auth.device_code_flow import DeviceCodeFlow
-from earthscope_sdk.auth.error import NoRefreshTokenError, NoTokensError
+from earthscope_sdk.auth.device_code_flow import DeviceCodeFlow, PollingErrorType
+from earthscope_sdk.auth.error import (
+    DeviceCodePollingExpiredError,
+    DeviceCodeRequestDeviceCodeError,
+    NoRefreshTokenError,
+    NoTokensError,
+    UnauthorizedError,
+)
+from earthscope_sdk.client import AsyncEarthScopeClient
 from earthscope_sdk.common.context import SdkContext
 from earthscope_sdk.config.models import AuthFlowSettings, Tokens
 from earthscope_sdk.config.settings import SdkSettings
@@ -76,6 +84,60 @@ class TestAuthDeviceCodeFlow:
         with pytest.raises(NoTokensError):
             flow.scope
 
+    @pytest.mark.asyncio
+    async def test_device_code_request_error(self, httpx_mock: HTTPXMock):
+        """Test handling of device code request errors."""
+        httpx_mock.add_response(
+            status_code=400,
+            json={"error": "invalid_request", "error_description": "Invalid client"},
+        )
+
+        async with AsyncEarthScopeClient() as client:
+            with pytest.raises(DeviceCodeRequestDeviceCodeError):
+                await client.ctx.device_code_flow._async_request_device_code()
+
+    @pytest.mark.parametrize(
+        "err_code, ErrType",
+        [
+            (PollingErrorType.ACCESS_DENIED, UnauthorizedError),
+            (PollingErrorType.EXPIRED_TOKEN, DeviceCodePollingExpiredError),
+        ],
+    )
+    @pytest.mark.asyncio
+    async def test_device_code_polling_error(
+        self,
+        httpx_mock: HTTPXMock,
+        err_code: str,
+        ErrType: Type[Exception],
+    ):
+        """Test handling of device code polling errors."""
+        # First response for device code request
+        httpx_mock.add_response(
+            status_code=200,
+            json={
+                "device_code": "test_code",
+                "user_code": "ABCD-EFGH",
+                "verification_uri": "activate",
+                "verification_uri_complete": "https://test.com/activate",
+                "expires_in": 900,
+                "interval": 0.001,
+            },
+        )
+        # Second response for polling with error
+        httpx_mock.add_response(
+            status_code=400,
+            json={
+                "error": err_code,
+                "error_description": "Pending",
+            },
+        )
+
+        async with AsyncEarthScopeClient() as client:
+            codes = await client.ctx.device_code_flow._async_request_device_code()
+
+            with pytest.raises(ErrType):
+                await client.ctx.device_code_flow._async_poll(codes=codes)
+
     @pytest.mark.skipif(
         is_pipeline(),
         reason="No user input in pipeline",
@@ -195,6 +257,18 @@ class TestAuthClientCredentialsFlow:
         with pytest.raises(NoTokensError):
             flow.scope
 
+    @pytest.mark.asyncio
+    async def test_client_credentials_unauthorized(self, httpx_mock: HTTPXMock):
+        settings = SdkSettings(
+            oauth2=AuthFlowSettings(client_id="foo", client_secret="bar")
+        )
+        flow = ClientCredentialsFlow(SdkContext(settings))
+
+        httpx_mock.add_response(status_code=401, json={})
+
+        with pytest.raises(UnauthorizedError):
+            await flow.async_request_tokens()
+
     @pytest.mark.skipif(
         missing_m2m_creds(),
         reason="Missing M2M credentials",

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/tests/test_context.py

@@ -6,15 +6,25 @@ from pytest_httpx import HTTPXMock
 
 from earthscope_sdk.auth.error import NoAccessTokenError
 from earthscope_sdk.common.context import SdkContext
+from earthscope_sdk.config.models import HttpSettings
 from earthscope_sdk.config.settings import SdkSettings
 
 
 class TestContext:
+    @pytest.mark.parametrize(
+        "host",
+        [
+            "earthscope.org",
+            "api.earthscope.org",
+            "data.earthscope.org",
+        ],
+    )
     @pytest.mark.asyncio
-    async def test_context_async_refreshes_and_injects_auth_header(
+    async def test_context_async_refreshes_and_injects_auth_header_for_allowed_hosts(
         self,
         mock_settings: SdkSettings,
         httpx_mock: HTTPXMock,
+        host: str,
     ):
         httpx_mock.add_response()
 
@@ -22,15 +32,48 @@ class TestContext:
         with pytest.raises(NoAccessTokenError):
             ctx.auth_flow.access_token
 
-        await ctx.httpx_client.get(f"{mock_settings.resources.api_url}foo")
+        await ctx.httpx_client.get(f"https://{host}/foo")
 
         at = ctx.auth_flow.access_token
         req = httpx_mock.get_requests()
 
-        assert str(req[1].url).startswith(f"{mock_settings.resources.api_url}")
+        assert req[1].url.host == host
         assert req[1].headers["authorization"] == f"Bearer {at}"
         assert req[1].headers["user-agent"] == mock_settings.http.user_agent
 
+    @pytest.mark.parametrize(
+        "host",
+        [
+            "foo.org",
+            "earthscope.foo.org",
+        ],
+    )
+    @pytest.mark.httpx_mock(assert_all_responses_were_requested=False)
+    @pytest.mark.asyncio
+    async def test_context_allowed_hosts_doesnt_inject_auth_header(
+        self,
+        mock_settings: SdkSettings,
+        httpx_mock: HTTPXMock,
+        host: str,
+    ):
+        httpx_mock.add_response()
+
+        ctx = SdkContext(mock_settings)
+        with pytest.raises(NoAccessTokenError):
+            ctx.auth_flow.access_token
+
+        await ctx.httpx_client.get(f"https://{host}/bar")
+
+        with pytest.raises(NoAccessTokenError):
+            ctx.auth_flow.access_token
+
+        req = httpx_mock.get_requests()
+
+        assert req[0].url.host == host
+        assert req[0].headers["user-agent"] == mock_settings.http.user_agent
+        with pytest.raises(KeyError):
+            req[0].headers["authorization"]
+
     @pytest.mark.asyncio
     async def test_context_async_close(
         self,
@@ -114,3 +157,20 @@ class TestContext:
 
         # note: in custom client, we don't expect our custom user-agent
         assert req[1].headers["user-agent"] != mock_settings.http.user_agent
+
+    def test_extra_headers_injected_into_requests(self):
+        settings = SdkSettings(
+            http=HttpSettings(
+                user_agent="aaa-user-agent",
+                extra_headers={
+                    "x-test-header": "test",
+                    "user-agent": "bbb-user-agent",
+                },
+            ),
+        )
+
+        ctx = SdkContext(settings)
+        req = ctx.httpx_client.build_request("GET", "https://www.foo.com")
+
+        assert req.headers["x-test-header"] == "test", "extra header injected"
+        assert req.headers["user-agent"] == "aaa-user-agent", "user-agent override"

{earthscope_sdk-1.0.0b1 → earthscope_sdk-1.1.0}/tests/test_settings.py

@@ -1,3 +1,4 @@
+import json
 from pathlib import Path
 from textwrap import dedent
 
@@ -14,7 +15,25 @@ from earthscope_sdk.config.models import (
     HttpSettings,
     Tokens,
 )
-from earthscope_sdk.config.settings import SdkSettings, _get_config_toml_path
+from earthscope_sdk.config.settings import (
+    _BOOTSTRAP_ENV_VAR,
+    SdkSettings,
+    _get_config_toml_path,
+)
+
+_bootstrap_state_json = json.dumps(
+    {
+        "oauth2": {
+            "audience": "https://bootstrap-audience.earthscope.org",
+            "client_id": "bootstrap-client-id",
+            "domain": "https://bootstrap-domain.earthscope.org",
+            "scope": "bootstrap-scope",
+            "access_token": "bootstrap-at",
+            "refresh_token": "bootstrap-rt",
+            "id_token": "bootstrap-it",
+        }
+    }
+)
 
 
 @pytest.fixture
@@ -75,9 +94,32 @@ class TestSdkSettings:
         s = SdkSettings(oauth2={"scope": "dict-scope"})
         assert s.oauth2.scope == "dict-scope"
 
+    def test_secret_serialization(self):
+        s = SdkSettings(
+            oauth2={
+                "access_token": "foo-at",
+                "id_token": "foo-it",
+                "refresh_token": "foo-rt",
+                "client_secret": "foo-secret",
+            }
+        )
+
+        dumped = s.model_dump(mode="json")
+        assert dumped["oauth2"]["access_token"] == "**********"
+        assert dumped["oauth2"]["id_token"] == "**********"
+        assert dumped["oauth2"]["refresh_token"] == "**********"
+        assert dumped["oauth2"]["client_secret"] == "**********"
+
+        dumped_plaintext = s.model_dump(mode="json", context="plaintext")
+        assert dumped_plaintext["oauth2"]["access_token"] == "foo-at"
+        assert dumped_plaintext["oauth2"]["id_token"] == "foo-it"
+        assert dumped_plaintext["oauth2"]["refresh_token"] == "foo-rt"
+        assert dumped_plaintext["oauth2"]["client_secret"] == "foo-secret"
+
 
 class TestSdkSettingsPrecedence:
     def test_precedence_all(self, config_toml: Path, monkeypatch: MonkeyPatch):
+        monkeypatch.setenv(_BOOTSTRAP_ENV_VAR, _bootstrap_state_json)
         config_toml.write_text(
             dedent("""
                 [default]
@@ -93,6 +135,7 @@ class TestSdkSettingsPrecedence:
         assert s.oauth2.scope == "init-scope"
 
     def test_precedence_env(self, config_toml: Path, monkeypatch: MonkeyPatch):
+        monkeypatch.setenv(_BOOTSTRAP_ENV_VAR, _bootstrap_state_json)
         config_toml.write_text(
             dedent("""
                 [default]
@@ -107,7 +150,8 @@ class TestSdkSettingsPrecedence:
 
         assert s.oauth2.scope == "env-scope"
 
-    def test_precedence_profile(self, config_toml: Path):
+    def test_precedence_profile(self, config_toml: Path, monkeypatch: MonkeyPatch):
+        monkeypatch.setenv(_BOOTSTRAP_ENV_VAR, _bootstrap_state_json)
         config_toml.write_text(
             dedent("""
                 [default]
@@ -121,7 +165,8 @@ class TestSdkSettingsPrecedence:
 
         assert s.oauth2.scope == "profile-scope"
 
-    def test_precedence_defaults(self, config_toml: Path):
+    def test_precedence_defaults(self, config_toml: Path, monkeypatch: MonkeyPatch):
+        monkeypatch.setenv(_BOOTSTRAP_ENV_VAR, _bootstrap_state_json)
         config_toml.write_text(
             dedent("""
                 [default]
@@ -132,6 +177,18 @@ class TestSdkSettingsPrecedence:
 
         assert s.oauth2.scope == "default-scope"
 
+    def test_precedence_bootstrap_state(self, monkeypatch: MonkeyPatch):
+        monkeypatch.setenv(_BOOTSTRAP_ENV_VAR, _bootstrap_state_json)
+
+        s = SdkSettings()
+        assert s.oauth2.audience == "https://bootstrap-audience.earthscope.org"
+        assert s.oauth2.client_id == "bootstrap-client-id"
+        assert str(s.oauth2.domain) == "https://bootstrap-domain.earthscope.org/"
+        assert s.oauth2.scope == "bootstrap-scope"
+        assert s.oauth2.access_token.get_secret_value() == "bootstrap-at"
+        assert s.oauth2.refresh_token.get_secret_value() == "bootstrap-rt"
+        assert s.oauth2.id_token.get_secret_value() == "bootstrap-it"
+
 
 class TestSdkSettingsProfiles:
     def test_profile_settings(self, config_toml: Path):
@@ -343,6 +400,7 @@ class TestTokensPrecedence:
         default_settings: SdkSettings,
         monkeypatch: MonkeyPatch,
     ):
+        monkeypatch.setenv(_BOOTSTRAP_ENV_VAR, _bootstrap_state_json)
         default_settings.write_tokens(Tokens(access_token="state-at"))
         config_toml.write_text(
             dedent("""
@@ -364,6 +422,7 @@ class TestTokensPrecedence:
         default_settings: SdkSettings,
         monkeypatch: MonkeyPatch,
     ):
+        monkeypatch.setenv(_BOOTSTRAP_ENV_VAR, _bootstrap_state_json)
         default_settings.write_tokens(Tokens(access_token="state-at"))
         config_toml.write_text(
             dedent("""
@@ -383,7 +442,9 @@ class TestTokensPrecedence:
         self,
         config_toml: Path,
         default_settings: SdkSettings,
+        monkeypatch: MonkeyPatch,
     ):
+        monkeypatch.setenv(_BOOTSTRAP_ENV_VAR, _bootstrap_state_json)
         default_settings.write_tokens(Tokens(access_token="state-at"))
         config_toml.write_text(
             dedent("""
@@ -402,7 +463,9 @@ class TestTokensPrecedence:
         self,
         config_toml: Path,
         default_settings: SdkSettings,
+        monkeypatch: MonkeyPatch,
     ):
+        monkeypatch.setenv(_BOOTSTRAP_ENV_VAR, _bootstrap_state_json)
         default_settings.write_tokens(Tokens(access_token="state-at"))
         config_toml.write_text(
             dedent("""
@@ -414,7 +477,12 @@ class TestTokensPrecedence:
         t = SdkSettings()
         assert t.oauth2.access_token.get_secret_value() == "default-at"
 
-    def test_tokens_precedence_state(self, default_settings: SdkSettings):
+    def test_tokens_precedence_state(
+        self,
+        default_settings: SdkSettings,
+        monkeypatch: MonkeyPatch,
+    ):
+        monkeypatch.setenv(_BOOTSTRAP_ENV_VAR, _bootstrap_state_json)
         default_settings.write_tokens(Tokens(access_token="state-at"))
 
         t = SdkSettings()
@@ -463,3 +531,109 @@ class TestTokensPrecedence:
         s = SdkSettings()
         assert s.oauth2.refresh_token.get_secret_value() == "default-rt"
         assert s.oauth2.access_token.get_secret_value() == "profile-at"
+        config_toml.unlink()
+
+        # legacy > bootstrap
+        with monkeypatch.context() as m:
+            m.setenv(_BOOTSTRAP_ENV_VAR, _bootstrap_state_json)
+
+            s = SdkSettings()
+            assert s.oauth2.refresh_token.get_secret_value() == "legacy-rt"
+            assert s.oauth2.access_token.get_secret_value() == "legacy-at"
+            assert s.oauth2.scope == "bootstrap-scope"
+
+
+class TestBootstrapSettings:
+    def test_bootstrap_settings(self, monkeypatch: MonkeyPatch):
+        monkeypatch.setenv(_BOOTSTRAP_ENV_VAR, _bootstrap_state_json)
+
+        s = SdkSettings()
+        assert s.oauth2.audience == "https://bootstrap-audience.earthscope.org"
+        assert s.oauth2.client_id == "bootstrap-client-id"
+        assert str(s.oauth2.domain) == "https://bootstrap-domain.earthscope.org/"
+        assert s.oauth2.scope == "bootstrap-scope"
+        assert s.oauth2.access_token.get_secret_value() == "bootstrap-at"
+        assert s.oauth2.refresh_token.get_secret_value() == "bootstrap-rt"
+        assert s.oauth2.id_token.get_secret_value() == "bootstrap-it"
+
+    def test_bootstrap_settings_invalid_json(self, monkeypatch: MonkeyPatch):
+        monkeypatch.setenv(_BOOTSTRAP_ENV_VAR, "invalid-json")
+
+        s = SdkSettings()
+        assert s.oauth2.audience == "https://api.earthscope.org"
+        assert s.oauth2.client_id == "b9DtAFBd6QvMg761vI3YhYquNZbJX5G0"
+        assert str(s.oauth2.domain) == "https://login.earthscope.org/"
+        assert s.oauth2.scope == "offline_access"
+        assert s.oauth2.access_token is None
+        assert s.oauth2.refresh_token is None
+        assert s.oauth2.id_token is None
+
+    def test_bootstrap_settings_empty_json(self, monkeypatch: MonkeyPatch):
+        monkeypatch.setenv(_BOOTSTRAP_ENV_VAR, "{}")
+
+        s = SdkSettings()
+        assert s.oauth2.audience == "https://api.earthscope.org"
+        assert s.oauth2.client_id == "b9DtAFBd6QvMg761vI3YhYquNZbJX5G0"
+        assert str(s.oauth2.domain) == "https://login.earthscope.org/"
+        assert s.oauth2.scope == "offline_access"
+        assert s.oauth2.access_token is None
+        assert s.oauth2.refresh_token is None
+        assert s.oauth2.id_token is None
+
+    def test_bootstrap_settings_other_keys(self, monkeypatch: MonkeyPatch):
+        monkeypatch.setenv(
+            _BOOTSTRAP_ENV_VAR,
+            json.dumps(
+                {
+                    "http": {
+                        "timeout_read": 10.0,
+                        "user_agent": "bootstrap-ua",
+                    },
+                    "oauth2": {
+                        "scope": "bootstrap-scope",
+                    },
+                }
+            ),
+        )
+
+        s = SdkSettings()
+        # bootstrap settings
+        assert s.http.timeout_read.total_seconds() == 10.0
+        assert s.http.user_agent == "bootstrap-ua"
+        assert s.oauth2.scope == "bootstrap-scope"
+
+        # defaults
+        assert s.http.timeout_connect.total_seconds() == 5.0
+        assert s.oauth2.audience == "https://api.earthscope.org"
+        assert s.oauth2.client_id == "b9DtAFBd6QvMg761vI3YhYquNZbJX5G0"
+        assert str(s.oauth2.domain) == "https://login.earthscope.org/"
+        assert s.oauth2.access_token is None
+        assert s.oauth2.refresh_token is None
+        assert s.oauth2.id_token is None
+
+
+class TestAuthFlowSettings:
+    @pytest.mark.parametrize(
+        "host,allowed",
+        [
+            ("earthscope.org", True),
+            ("api.earthscope.org", True),
+            ("data.earthscope.org", True),
+            ("foo.earthscope.org", True),
+            ("foo.subdomain.earthscope.org", True),
+            ("earthscope.foo.org", False),
+            ("example.com", False),
+            ("foo.example.com", False),
+            ("earthscope.example.com", False),
+            ("foo.earthscope.example.com", False),
+        ],
+    )
+    def test_allowed_hosts_defaults(self, host: str, allowed: bool):
+        s = AuthFlowSettings()
+        assert s.is_host_allowed(host) == allowed
+
+    def test_allowed_hosts_cache(self):
+        s = AuthFlowSettings()
+        assert "foo.earthscope.org" not in s.allowed_hosts
+        assert s.is_host_allowed("foo.earthscope.org")
+        assert "foo.earthscope.org" in s.allowed_hosts