eodag 2.12.0__py3-none-any.whl → 3.0.0__py3-none-any.whl

eodag/plugins/authentication/aws_auth.py

@@ -22,7 +22,7 @@ from typing import TYPE_CHECKING, Dict
 from eodag.plugins.authentication.base import Authentication
 
 if TYPE_CHECKING:
-    from botocore.client import S3
+    from mypy_boto3_s3.client import S3Client
 
     from eodag.config import PluginConfig
 
@@ -35,23 +35,24 @@ class AwsAuth(Authentication):
     - auth anonymously using no-sign-request
     - auth using ``aws_profile``
     - auth using ``aws_access_key_id`` and ``aws_secret_access_key``
+      (optionally ``aws_session_token``)
     - auth using current environment (AWS environment variables and/or ``~/aws/*``),
       will be skipped if AWS credentials are filled in eodag conf
     """
 
-    s3_client: S3
+    s3_client: S3Client
 
     def __init__(self, provider: str, config: PluginConfig) -> None:
         super(AwsAuth, self).__init__(provider, config)
         self.aws_access_key_id = None
         self.aws_secret_access_key = None
+        self.aws_session_token = None
         self.profile_name = None
 
     def authenticate(self) -> Dict[str, str]:
         """Authenticate
 
         :returns: dict containing AWS/boto3 non-empty credentials
-        :rtype: dict
         """
         credentials = getattr(self.config, "credentials", {}) or {}
         self.aws_access_key_id = credentials.get(
@@ -60,7 +61,15 @@ class AwsAuth(Authentication):
         self.aws_secret_access_key = credentials.get(
             "aws_secret_access_key", self.aws_secret_access_key
         )
+        self.aws_session_token = credentials.get(
+            "aws_session_token", self.aws_session_token
+        )
         self.profile_name = credentials.get("aws_profile", self.profile_name)
 
-        auth_keys = ["aws_access_key_id", "aws_secret_access_key", "profile_name"]
+        auth_keys = [
+            "aws_access_key_id",
+            "aws_secret_access_key",
+            "aws_session_token",
+            "profile_name",
+        ]
         return {k: getattr(self, k) for k in auth_keys if getattr(self, k)}

eodag/plugins/authentication/base.py

@@ -27,7 +27,16 @@ if TYPE_CHECKING:
 
 
 class Authentication(PluginTopic):
-    """Plugins authentication Base plugin"""
+    """Plugins authentication Base plugin
+
+    :param provider: provider name
+    :param config: Authentication plugin configuration:
+
+        * :attr:`~eodag.config.PluginConfig.matching_url` (``str``): URL pattern to match with search plugin endpoint or
+          download link
+        * :attr:`~eodag.config.PluginConfig.matching_conf` (``Dict[str, Any]``): Part of the search or download plugin
+          configuration that needs authentication and helps identifying it
+    """
 
     def authenticate(self) -> Union[AuthBase, Dict[str, str]]:
         """Authenticate"""

eodag/plugins/authentication/generic.py

@@ -48,6 +48,6 @@ class GenericAuth(Authentication):
             )
         else:
             raise MisconfiguredError(
-                f"Cannot authenticate with {self.provider}:",
-                f"method {method} is not supported. Must be one of digest or basic",
+                f"Cannot authenticate with {self.provider}",
+                f"Method {method} is not supported; it must be one of 'digest' or 'basic'.",
             )

eodag/plugins/authentication/header.py

@@ -22,6 +22,7 @@ from typing import TYPE_CHECKING, Dict
 from requests.auth import AuthBase
 
 from eodag.plugins.authentication import Authentication
+from eodag.utils.exceptions import MisconfiguredError
 
 if TYPE_CHECKING:
     from requests import PreparedRequest
@@ -58,16 +59,40 @@ class HTTPHeaderAuth(Authentication):
                 oh-my-another-user-input: YYY
 
     Expect an undefined behaviour if you use empty braces in header value strings.
+
+    The plugin also accepts headers to be passed directly through credentials::
+
+        provider:
+            ...
+            auth:
+                plugin: HTTPHeaderAuth
+                credentials:
+                    Authorization: "Something XXX"
+                    X-Special-Header: "Fixed value"
+                    X-Another-Special-Header: "YYY"
+                ...
+            ...
     """
 
-    def authenticate(self) -> AuthBase:
+    def authenticate(self) -> HeaderAuth:
         """Authenticate"""
         self.validate_config_credentials()
-        headers = {
-            header: value.format(**self.config.credentials)
-            for header, value in self.config.headers.items()
-        }
-        return HeaderAuth(headers)
+        try:
+            headers = (
+                {
+                    header: value.format(**self.config.credentials)
+                    for header, value in self.config.headers.items()
+                }
+                if getattr(self.config, "headers", None)
+                else self.config.credentials
+            )
+            return HeaderAuth(headers)
+        except KeyError as e:
+            raise MisconfiguredError(
+                "The following credentials are missing for provider {}: {}".format(
+                    self.provider, ", ".join(e.args)
+                )
+            )
 
 
 class HeaderAuth(AuthBase):

eodag/plugins/authentication/keycloak.py

@@ -18,15 +18,16 @@
 from __future__ import annotations
 
 import logging
-from datetime import datetime
-from typing import TYPE_CHECKING, Dict, Union
+from typing import TYPE_CHECKING, Any, Dict
 
 import requests
 
-from eodag.plugins.authentication import Authentication
-from eodag.plugins.authentication.openid_connect import CodeAuthorizedAuth
+from eodag.plugins.authentication.openid_connect import (
+    CodeAuthorizedAuth,
+    OIDCRefreshTokenBase,
+)
 from eodag.utils import HTTP_REQ_TIMEOUT, USER_AGENT
-from eodag.utils.exceptions import AuthenticationError, MisconfiguredError
+from eodag.utils.exceptions import MisconfiguredError, TimeOutError
 
 if TYPE_CHECKING:
     from requests.auth import AuthBase
@@ -37,7 +38,7 @@ if TYPE_CHECKING:
 logger = logging.getLogger("eodag.auth.keycloak")
 
 
-class KeycloakOIDCPasswordAuth(Authentication):
+class KeycloakOIDCPasswordAuth(OIDCRefreshTokenBase):
     """Authentication plugin using Keycloak and OpenId Connect.
 
     This plugin request a token and use it through a query-string or a header.
@@ -80,13 +81,9 @@ class KeycloakOIDCPasswordAuth(Authentication):
     GRANT_TYPE = "password"
     TOKEN_URL_TEMPLATE = "{auth_base_uri}/realms/{realm}/protocol/openid-connect/token"
     REQUIRED_PARAMS = ["auth_base_uri", "client_id", "client_secret", "token_provision"]
-    # already retrieved token store, to be used if authenticate() fails (OTP use-case)
-    retrieved_token: str = ""
-    token_info: Dict[str, Union[str, datetime]] = {}
 
     def __init__(self, provider: str, config: PluginConfig) -> None:
         super(KeycloakOIDCPasswordAuth, self).__init__(provider, config)
-        self.session = requests.Session()
 
     def validate_config_credentials(self) -> None:
         """Validate configured credentials"""
@@ -105,51 +102,14 @@ class KeycloakOIDCPasswordAuth(Authentication):
         """
         self.validate_config_credentials()
         access_token = self._get_access_token()
-        self.retrieved_token = access_token
+        self.token_info["access_token"] = access_token
         return CodeAuthorizedAuth(
-            self.retrieved_token,
+            self.token_info["access_token"],
             self.config.token_provision,
             key=getattr(self.config, "token_qs_key", None),
         )
 
-    def _get_access_token(self) -> str:
-        current_time = datetime.now()
-        if (
-            not self.token_info
-            or (
-                "refresh_token" in self.token_info
-                and (current_time - self.token_info["token_time"]).seconds
-                >= self.token_info["refresh_token_expiration"]
-            )
-            or (
-                "refresh_token" not in self.token_info
-                and (current_time - self.token_info["token_time"]).seconds
-                >= self.token_info["access_token_expiration"]
-            )
-        ):
-            # Request new TOKEN on first attempt or if token expired
-            res = self._request_new_token()
-            self.token_info["token_time"] = current_time
-            self.token_info["access_token_expiration"] = res["expires_in"]
-            if "refresh_token" in res:
-                self.token_info["refresh_time"] = current_time
-                self.token_info["refresh_token_expiration"] = res["refresh_expires_in"]
-                self.token_info["refresh_token"] = res["refresh_token"]
-            return res["access_token"]
-        elif (
-            "refresh_token" in self.token_info
-            and (current_time - self.token_info["refresh_time"]).seconds
-            >= self.token_info["access_token_expiration"]
-        ):
-            # Use refresh token
-            res = self._get_token_with_refresh_token()
-            self.token_info["refresh_token"] = res["refresh_token"]
-            self.token_info["refresh_time"] = current_time
-            return res["access_token"]
-        logger.debug("using already retrieved access token")
-        return self.retrieved_token
-
-    def _request_new_token(self) -> Dict[str, str]:
+    def _request_new_token(self) -> Dict[str, Any]:
         logger.debug("fetching new access token")
         req_data = {
             "client_id": self.config.client_id,
@@ -157,6 +117,7 @@ class KeycloakOIDCPasswordAuth(Authentication):
             "grant_type": self.GRANT_TYPE,
         }
         credentials = {k: v for k, v in self.config.credentials.items()}
+        ssl_verify = getattr(self.config, "ssl_verify", True)
         try:
             response = self.session.post(
                 self.TOKEN_URL_TEMPLATE.format(
@@ -166,43 +127,13 @@ class KeycloakOIDCPasswordAuth(Authentication):
                 data=dict(req_data, **credentials),
                 headers=USER_AGENT,
                 timeout=HTTP_REQ_TIMEOUT,
+                verify=ssl_verify,
             )
             response.raise_for_status()
+        except requests.exceptions.Timeout as exc:
+            raise TimeOutError(exc, timeout=HTTP_REQ_TIMEOUT) from exc
         except requests.RequestException as e:
-            if self.retrieved_token:
-                # try using already retrieved token if authenticate() fails (OTP use-case)
-                if "access_token_expiration" in self.token_info:
-                    return {
-                        "access_token": self.retrieved_token,
-                        "expires_in": self.token_info["access_token_expiration"],
-                    }
-                else:
-                    return {"access_token": self.retrieved_token, "expires_in": 0}
-            response_text = getattr(e.response, "text", "").strip()
-            # check if error is identified as auth_error in provider conf
-            auth_errors = getattr(self.config, "auth_error_code", [None])
-            if not isinstance(auth_errors, list):
-                auth_errors = [auth_errors]
-            if (
-                hasattr(e.response, "status_code")
-                and e.response.status_code in auth_errors
-            ):
-                raise AuthenticationError(
-                    "HTTP Error %s returned, %s\nPlease check your credentials for %s"
-                    % (e.response.status_code, response_text, self.provider)
-                )
-            # other error
-            else:
-                import traceback as tb
-
-                logger.error(
-                    f"Provider {self.provider} returned {e.response.status_code}: {response_text}"
-                )
-                raise AuthenticationError(
-                    "Something went wrong while trying to get access token:\n{}".format(
-                        tb.format_exc()
-                    )
-                )
+            return self._request_new_token_error(e)
         return response.json()
 
     def _get_token_with_refresh_token(self) -> Dict[str, str]:
@@ -213,6 +144,7 @@ class KeycloakOIDCPasswordAuth(Authentication):
             "grant_type": "refresh_token",
             "refresh_token": self.token_info["refresh_token"],
         }
+        ssl_verify = getattr(self.config, "ssl_verify", True)
         try:
             response = self.session.post(
                 self.TOKEN_URL_TEMPLATE.format(
@@ -222,6 +154,7 @@ class KeycloakOIDCPasswordAuth(Authentication):
                 data=req_data,
                 headers=USER_AGENT,
                 timeout=HTTP_REQ_TIMEOUT,
+                verify=ssl_verify,
             )
             response.raise_for_status()
         except requests.RequestException as e:

eodag/plugins/authentication/oauth.py

@@ -17,7 +17,7 @@
 # limitations under the License.
 from __future__ import annotations
 
-from typing import TYPE_CHECKING, Dict
+from typing import TYPE_CHECKING, Dict, Optional
 
 from eodag.plugins.authentication.base import Authentication
 
@@ -30,8 +30,8 @@ class OAuth(Authentication):
 
     def __init__(self, provider: str, config: PluginConfig) -> None:
         super(OAuth, self).__init__(provider, config)
-        self.access_key = None
-        self.secret_key = None
+        self.access_key: Optional[str] = None
+        self.secret_key: Optional[str] = None
 
     def authenticate(self) -> Dict[str, str]:
         """Authenticate"""