eodag 2.12.0__py3-none-any.whl → 3.0.0__py3-none-any.whl

eodag/plugins/authentication/openid_connect.py

@@ -17,10 +17,12 @@
 # limitations under the License.
 from __future__ import annotations
 
+import logging
 import re
 import string
+from datetime import datetime
 from random import SystemRandom
-from typing import TYPE_CHECKING, Any, Dict, Optional
+from typing import TYPE_CHECKING, Any, Dict, Optional, TypedDict
 
 import requests
 from lxml import etree
@@ -36,7 +38,133 @@ if TYPE_CHECKING:
     from eodag.config import PluginConfig
 
 
-class OIDCAuthorizationCodeFlowAuth(Authentication):
+logger = logging.getLogger("eodag.auth.openid_connect")
+
+
+class OIDCRefreshTokenBase(Authentication):
+    """OIDC refresh token base class, to be used through specific OIDC flows plugins.
+
+    Common mechanism to handle refresh token from all OIDC auth plugins.
+    """
+
+    class TokenInfo(TypedDict, total=False):
+        """Token infos"""
+
+        refresh_token: str
+        refresh_time: datetime
+        token_time: datetime
+        access_token: str
+        access_token_expiration: float
+        refresh_token_expiration: float
+
+    def __init__(self, provider: str, config: PluginConfig) -> None:
+        super(OIDCRefreshTokenBase, self).__init__(provider, config)
+        self.session = requests.Session()
+        # already retrieved token info store
+        self.token_info: OIDCRefreshTokenBase.TokenInfo = {}
+
+    def _get_access_token(self) -> str:
+        current_time = datetime.now()
+        if (
+            # No info: first time
+            not self.token_info
+            # Refresh token available but expired
+            or (
+                "refresh_token" in self.token_info
+                and self.token_info["refresh_token_expiration"] > 0
+                and (current_time - self.token_info["token_time"]).seconds
+                >= self.token_info["refresh_token_expiration"]
+            )
+            # Refresh token *not* available and access token expired
+            or (
+                "refresh_token" not in self.token_info
+                and (current_time - self.token_info["token_time"]).seconds
+                >= self.token_info["access_token_expiration"]
+            )
+        ):
+            # Request *new* token on first attempt or if token expired
+            res = self._request_new_token()
+            self.token_info["token_time"] = current_time
+            self.token_info["access_token_expiration"] = float(res["expires_in"])
+            if "refresh_token" in res:
+                self.token_info["refresh_time"] = current_time
+                self.token_info["refresh_token_expiration"] = float(
+                    res["refresh_expires_in"]
+                )
+                self.token_info["refresh_token"] = str(res["refresh_token"])
+            return str(res["access_token"])
+
+        elif (
+            # Refresh token available and access token expired
+            "refresh_token" in self.token_info
+            and (current_time - self.token_info["refresh_time"]).seconds
+            >= self.token_info["access_token_expiration"]
+        ):
+            # Use refresh token
+            res = self._get_token_with_refresh_token()
+            self.token_info["refresh_token"] = res["refresh_token"]
+            self.token_info["refresh_time"] = current_time
+            return res["access_token"]
+
+        logger.debug("Using already retrieved access token")
+        return self.token_info["access_token"]
+
+    def _request_new_token(self) -> Dict[str, str]:
+        """Fetch the access token with a new authentcation"""
+        raise NotImplementedError(
+            "Incomplete OIDC refresh token retrieval mechanism implementation"
+        )
+
+    def _request_new_token_error(self, e: requests.RequestException) -> Dict[str, str]:
+        """Handle RequestException raised by `self._request_new_token()`"""
+        if self.token_info.get("access_token"):
+            # try using already retrieved token if authenticate() fails (OTP use-case)
+            if "access_token_expiration" in self.token_info:
+                return {
+                    "access_token": self.token_info["access_token"],
+                    "expires_in": str(self.token_info["access_token_expiration"]),
+                }
+            else:
+                return {
+                    "access_token": self.token_info["access_token"],
+                    "expires_in": "0",
+                }
+        response_text = getattr(e.response, "text", "").strip()
+        # check if error is identified as auth_error in provider conf
+        auth_errors = getattr(self.config, "auth_error_code", [None])
+        if not isinstance(auth_errors, list):
+            auth_errors = [auth_errors]
+        if (
+            e.response
+            and hasattr(e.response, "status_code")
+            and e.response.status_code in auth_errors
+        ):
+            raise AuthenticationError(
+                f"Please check your credentials for {self.provider}.",
+                f"HTTP Error {e.response.status_code} returned.",
+                response_text,
+            )
+        # other error
+        else:
+            import traceback as tb
+
+            logger.error(
+                f"Provider {self.provider} returned {getattr(e.response, 'status_code', '')}: {response_text}"
+            )
+            raise AuthenticationError(
+                "Something went wrong while trying to get access token:\n{}".format(
+                    tb.format_exc()
+                )
+            )
+
+    def _get_token_with_refresh_token(self) -> Dict[str, str]:
+        """Fetch the access token with the refresh token"""
+        raise NotImplementedError(
+            "Incomplete OIDC refresh token retrieval mechanism implementation"
+        )
+
+
+class OIDCAuthorizationCodeFlowAuth(OIDCRefreshTokenBase):
     """Implement the authorization code flow of the OpenIDConnect authorization specification.
 
     The `OpenID Connect <http://openid.net/specs/openid-connect-core-1_0.html>`_ specification
@@ -109,6 +237,10 @@ class OIDCAuthorizationCodeFlowAuth(Authentication):
         # same rules as with user_consent_form_data
         additional_login_form_data:
 
+        # (optional) Key/value pairs of patterns/messages. If exchange_url contains the given pattern, the associated
+        message will be sent in an AuthenticationError
+        exchange_url_error_pattern:
+
         # (optional) The OIDC provider's client secret of the eodag provider
         client_secret:
 
@@ -123,6 +255,8 @@ class OIDCAuthorizationCodeFlowAuth(Authentication):
         # used in the query request
         token_qs_key:
 
+        # (optional) The key pointing to the refresh_token in the json response to the POST request to the token server
+        refresh_token_key:
     """
 
     SCOPE = "openid"
@@ -131,6 +265,10 @@ class OIDCAuthorizationCodeFlowAuth(Authentication):
 
     def __init__(self, provider: str, config: PluginConfig) -> None:
         super(OIDCAuthorizationCodeFlowAuth, self).__init__(provider, config)
+
+    def validate_config_credentials(self) -> None:
+        """Validate configured credentials"""
+        super(OIDCAuthorizationCodeFlowAuth, self).validate_config_credentials()
         if getattr(self.config, "token_provision", None) not in ("qs", "header"):
             raise MisconfiguredError(
                 'Provider config parameter "token_provision" must be one of "qs" or "header"'
@@ -142,33 +280,76 @@ class OIDCAuthorizationCodeFlowAuth(Authentication):
                 'Provider config parameter "token_provision" with value "qs" must have '
                 '"token_qs_key" config parameter as well'
             )
-        self.session = requests.Session()
 
-    def authenticate(self) -> AuthBase:
+    def authenticate(self) -> CodeAuthorizedAuth:
         """Authenticate"""
+        self.token_info["access_token"] = self._get_access_token()
+
+        return CodeAuthorizedAuth(
+            self.token_info["access_token"],
+            self.config.token_provision,
+            key=getattr(self.config, "token_qs_key", None),
+        )
+
+    def _request_new_token(self) -> Dict[str, str]:
+        """Fetch the access token with a new authentcation"""
+        logger.debug("Fetching access token from %s", self.config.token_uri)
         state = self.compute_state()
         authentication_response = self.authenticate_user(state)
         exchange_url = authentication_response.url
+        for err_pattern, err_message in getattr(
+            self.config, "exchange_url_error_pattern", {}
+        ).items():
+            if err_pattern in exchange_url:
+                raise AuthenticationError(err_message)
+        if not exchange_url.startswith(self.config.redirect_uri):
+            raise AuthenticationError(
+                f"Could not authenticate user with provider {self.provider}.",
+                "Please verify your credentials",
+            )
         if self.config.user_consent_needed:
             user_consent_response = self.grant_user_consent(authentication_response)
             exchange_url = user_consent_response.url
         try:
-            token = self.exchange_code_for_token(exchange_url, state)
+            token_response = self.exchange_code_for_token(exchange_url, state)
+            token_response.raise_for_status()
         except requests.exceptions.Timeout as exc:
             raise TimeOutError(exc, timeout=HTTP_REQ_TIMEOUT) from exc
-        except Exception:
-            import traceback as tb
-
-            raise AuthenticationError(
-                "Something went wrong while trying to get authorization token:\n{}".format(
-                    tb.format_exc()
-                )
-            )
-        return CodeAuthorizedAuth(
-            token,
-            self.config.token_provision,
-            key=getattr(self.config, "token_qs_key", None),
+        except requests.RequestException as e:
+            return self._request_new_token_error(e)
+        return token_response.json()
+
+    def _get_token_with_refresh_token(self) -> Dict[str, str]:
+        """Fetch the access token with the refresh token"""
+        logger.debug(
+            "Fetching access token with refresh token from %s", self.config.token_uri
         )
+        token_data: Dict[str, Any] = {
+            "refresh_token": self.token_info["refresh_token"],
+            "grant_type": "refresh_token",
+        }
+        token_data = self._prepare_token_post_data(token_data)
+        post_request_kwargs: Any = {
+            self.config.token_exchange_post_data_method: token_data
+        }
+        ssl_verify = getattr(self.config, "ssl_verify", True)
+        try:
+            token_response = self.session.post(
+                self.config.token_uri,
+                timeout=HTTP_REQ_TIMEOUT,
+                verify=ssl_verify,
+                **post_request_kwargs,
+            )
+            token_response.raise_for_status()
+        except requests.exceptions.Timeout as exc:
+            raise TimeOutError(exc, timeout=HTTP_REQ_TIMEOUT) from exc
+        except requests.RequestException as exc:
+            logger.error(
+                "Could not fetch access token with refresh token, executing new token request, error: %s",
+                getattr(exc.response, "text", ""),
+            )
+            return self._request_new_token()
+        return token_response.json()
 
     def authenticate_user(self, state: str) -> Response:
         """Authenticate user"""
@@ -180,15 +361,19 @@ class OIDCAuthorizationCodeFlowAuth(Authentication):
             "state": state,
             "redirect_uri": self.config.redirect_uri,
         }
+        ssl_verify = getattr(self.config, "ssl_verify", True)
         authorization_response = self.session.get(
             self.config.authorization_uri,
             params=params,
             headers=USER_AGENT,
             timeout=HTTP_REQ_TIMEOUT,
+            verify=ssl_verify,
         )
 
         login_document = etree.HTML(authorization_response.text)
-        login_form = login_document.xpath(self.config.login_form_xpath)[0]
+        login_forms = login_document.xpath(self.config.login_form_xpath)
+        login_form = login_forms[0]
+
         # Get the form data to pass to the login form from config or from the login form
         login_data = {
             key: self._constant_or_xpath_extracted(value, login_form)
@@ -198,16 +383,29 @@ class OIDCAuthorizationCodeFlowAuth(Authentication):
         }
         # Add the credentials
         login_data.update(self.config.credentials)
-        auth_uri = getattr(self.config, "authentication_uri", None)
+
         # Retrieve the authentication_uri from the login form if so configured
         if self.config.authentication_uri_source == "login-form":
             # Given that the login_form_xpath resolves to an HTML element, if suffices to add '/@action' to get
             # the value of its action attribute to this xpath
             auth_uri = login_form.xpath(
                 self.config.login_form_xpath.rstrip("/") + "/@action"
-            )[0]
+            )
+            if not auth_uri or not auth_uri[0]:
+                raise MisconfiguredError(
+                    f"Could not get auth_uri from {self.config.login_form_xpath}"
+                )
+            auth_uri = auth_uri[0]
+        else:
+            auth_uri = getattr(self.config, "authentication_uri", None)
+            if not auth_uri:
+                raise MisconfiguredError("authentication_uri is missing")
         return self.session.post(
-            auth_uri, data=login_data, headers=USER_AGENT, timeout=HTTP_REQ_TIMEOUT
+            auth_uri,
+            data=login_data,
+            headers=USER_AGENT,
+            timeout=HTTP_REQ_TIMEOUT,
+            verify=ssl_verify,
         )
 
     def grant_user_consent(self, authentication_response: Response) -> Response:
@@ -221,56 +419,69 @@ class OIDCAuthorizationCodeFlowAuth(Authentication):
             key: self._constant_or_xpath_extracted(value, user_consent_form)
             for key, value in self.config.user_consent_form_data.items()
         }
+        ssl_verify = getattr(self.config, "ssl_verify", True)
         return self.session.post(
             self.config.authorization_uri,
             data=user_consent_data,
             headers=USER_AGENT,
             timeout=HTTP_REQ_TIMEOUT,
+            verify=ssl_verify,
         )
 
-    def exchange_code_for_token(self, authorized_url: str, state: str) -> str:
-        """Get exchange code for token"""
-        qs = parse_qs(urlparse(authorized_url).query)
-        if qs["state"][0] != state:
-            raise AuthenticationError(
-                "The state received in the authorized url does not match initially computed state"
-            )
-        code = qs["code"][0]
-        token_exchange_data: Dict[str, Any] = {
-            "redirect_uri": self.config.redirect_uri,
-            "client_id": self.config.client_id,
-            "code": code,
-            "state": state,
-        }
+    def _prepare_token_post_data(self, token_data: Dict[str, Any]) -> Dict[str, Any]:
+        """Prepare the common data to post to the token URI"""
+        token_data.update(
+            {
+                "redirect_uri": self.config.redirect_uri,
+                "client_id": self.config.client_id,
+            }
+        )
         # If necessary, change the keys of the form data that will be passed to the token exchange POST request
         custom_token_exchange_params = getattr(self.config, "token_exchange_params", {})
         if custom_token_exchange_params:
-            token_exchange_data[
-                custom_token_exchange_params["redirect_uri"]
-            ] = token_exchange_data.pop("redirect_uri")
-            token_exchange_data[
-                custom_token_exchange_params["client_id"]
-            ] = token_exchange_data.pop("client_id")
+            token_data[custom_token_exchange_params["redirect_uri"]] = token_data.pop(
+                "redirect_uri"
+            )
+            token_data[custom_token_exchange_params["client_id"]] = token_data.pop(
+                "client_id"
+            )
         # If the client_secret is known, the token exchange request must be authenticated with a BASIC Auth, using the
         # client_id and client_secret as username and password respectively
         if getattr(self.config, "client_secret", None):
-            token_exchange_data.update(
+            token_data.update(
                 {
                     "auth": (self.config.client_id, self.config.client_secret),
-                    "grant_type": "authorization_code",
                     "client_secret": self.config.client_secret,
                 }
             )
-        post_request_kwargs = {
+        return token_data
+
+    def exchange_code_for_token(self, authorized_url: str, state: str) -> Response:
+        """Get exchange code for token"""
+        qs = parse_qs(urlparse(authorized_url).query)
+        if qs["state"][0] != state:
+            raise AuthenticationError(
+                "The state received in the authorized url does not match initially computed state"
+            )
+        code = qs["code"][0]
+        token_exchange_data: Dict[str, Any] = {
+            "code": code,
+            "state": state,
+            "grant_type": "authorization_code",
+        }
+        token_exchange_data = self._prepare_token_post_data(token_exchange_data)
+        post_request_kwargs: Any = {
             self.config.token_exchange_post_data_method: token_exchange_data
         }
+        ssl_verify = getattr(self.config, "ssl_verify", True)
         r = self.session.post(
             self.config.token_uri,
             headers=USER_AGENT,
             timeout=HTTP_REQ_TIMEOUT,
+            verify=ssl_verify,
             **post_request_kwargs,
         )
-        return r.json()[self.config.token_key]
+        return r
 
     def _constant_or_xpath_extracted(
         self, value: str, form_element: Any
@@ -279,7 +490,7 @@ class OIDCAuthorizationCodeFlowAuth(Authentication):
         if not match:
             return value
         value_from_xpath = form_element.xpath(
-            self.CONFIG_XPATH_REGEX.match(value).groupdict("xpath_value")
+            match.groupdict("xpath_value")["xpath_value"]
         )
         if len(value_from_xpath) == 1:
             return value_from_xpath[0]
@@ -309,13 +520,21 @@ class CodeAuthorizedAuth(AuthBase):
     def __call__(self, request: PreparedRequest) -> PreparedRequest:
         """Perform the actual authentication"""
         if self.where == "qs":
-            parts = urlparse(request.url)
+            parts = urlparse(str(request.url))
             query_dict = parse_qs(parts.query)
-            query_dict.update({self.key: self.token})
-            url_without_args = parts._replace(query=None).geturl()
+            if self.key is not None:
+                query_dict.update({self.key: [self.token]})
+            url_without_args = parts._replace(query="").geturl()
 
             request.prepare_url(url_without_args, query_dict)
 
         elif self.where == "header":
             request.headers["Authorization"] = "Bearer {}".format(self.token)
+        logger.debug(
+            re.sub(
+                r"'Bearer [^']+'",
+                r"'Bearer ***'",
+                f"PreparedRequest: {request.__dict__}",
+            )
+        )
         return request

eodag/plugins/authentication/qsauth.py

@@ -67,6 +67,8 @@ class HttpQueryStringAuth(Authentication):
         auth = QueryStringAuth(**self.config.credentials)
 
         auth_uri = getattr(self.config, "auth_uri", None)
+        ssl_verify = getattr(self.config, "ssl_verify", True)
+
         if auth_uri:
             try:
                 response = requests.get(
@@ -74,12 +76,13 @@ class HttpQueryStringAuth(Authentication):
                     timeout=HTTP_REQ_TIMEOUT,
                     headers=USER_AGENT,
                     auth=auth,
+                    verify=ssl_verify,
                 )
                 response.raise_for_status()
             except requests.exceptions.Timeout as exc:
                 raise TimeOutError(exc, timeout=HTTP_REQ_TIMEOUT) from exc
             except RequestException as e:
-                raise AuthenticationError(f"Could no authenticate: {str(e)}")
+                raise AuthenticationError("Could no authenticate", str(e)) from e
 
         return auth
 

eodag/plugins/authentication/sas_auth.py

@@ -43,11 +43,13 @@ class RequestsSASAuth(AuthBase):
         auth_uri: str,
         signed_url_key: str,
         headers: Optional[Dict[str, str]] = None,
+        ssl_verify: bool = True,
     ) -> None:
         self.auth_uri = auth_uri
         self.signed_url_key = signed_url_key
         self.headers = headers
         self.signed_urls: Dict[str, str] = {}
+        self.ssl_verify = ssl_verify
 
     def __call__(self, request: PreparedRequest) -> PreparedRequest:
         """Perform the actual authentication"""
@@ -63,14 +65,17 @@ class RequestsSASAuth(AuthBase):
             logger.debug(f"Signed URL request: {req_signed_url}")
             try:
                 response = requests.get(
-                    req_signed_url, headers=self.headers, timeout=HTTP_REQ_TIMEOUT
+                    req_signed_url,
+                    headers=self.headers,
+                    timeout=HTTP_REQ_TIMEOUT,
+                    verify=self.ssl_verify,
                 )
                 response.raise_for_status()
                 signed_url = response.json().get(self.signed_url_key)
             except requests.exceptions.Timeout as exc:
                 raise TimeOutError(exc, timeout=HTTP_REQ_TIMEOUT) from exc
             except (requests.RequestException, JSONDecodeError, KeyError) as e:
-                raise AuthenticationError(f"Could no get signed url: {str(e)}")
+                raise AuthenticationError("Could no get signed url", str(e)) from e
             else:
                 self.signed_urls[req_signed_url] = signed_url
 
@@ -95,6 +100,7 @@ class SASAuth(Authentication):
 
         # update headers with subscription key if exists
         apikey = getattr(self.config, "credentials", {}).get("apikey", None)
+        ssl_verify = getattr(self.config, "ssl_verify", True)
         if apikey:
             headers_update = format_dict_items(self.config.headers, apikey=apikey)
             headers.update(headers_update)
@@ -103,4 +109,5 @@ class SASAuth(Authentication):
             auth_uri=self.config.auth_uri,
             signed_url_key=self.config.signed_url_key,
             headers=headers,
+            ssl_verify=ssl_verify,
         )