eodag 2.12.1__py3-none-any.whl → 3.0.0__py3-none-any.whl

eodag/plugins/authentication/token.py

@@ -46,6 +46,7 @@ class TokenAuth(Authentication):
     def __init__(self, provider: str, config: PluginConfig) -> None:
         super(TokenAuth, self).__init__(provider, config)
         self.token = ""
+        self.refresh_token = ""
 
     def validate_config_credentials(self) -> None:
         """Validate configured credentials"""
@@ -55,9 +56,9 @@ class TokenAuth(Authentication):
             self.config.auth_uri = self.config.auth_uri.format(
                 **self.config.credentials
             )
-            # format headers if needed
+            # format headers if needed (and accepts {token} to be formatted later)
             self.config.headers = {
-                header: value.format(**self.config.credentials)
+                header: value.format(**{"token": "{token}", **self.config.credentials})
                 for header, value in getattr(self.config, "headers", {}).items()
             }
         except KeyError as e:
@@ -69,65 +70,112 @@ class TokenAuth(Authentication):
         """Authenticate"""
         self.validate_config_credentials()
 
-        # append headers to req if some are specified in config
-        req_kwargs: Dict[str, Any] = (
-            {"headers": dict(self.config.headers, **USER_AGENT)}
-            if hasattr(self.config, "headers")
-            else {"headers": USER_AGENT}
-        )
         s = requests.Session()
-        retries = Retry(
-            total=3, backoff_factor=2, status_forcelist=[401, 429, 500, 502, 503, 504]
-        )
-        s.mount(self.config.auth_uri, HTTPAdapter(max_retries=retries))
         try:
             # First get the token
-            if getattr(self.config, "request_method", "POST") == "POST":
-                response = s.post(
-                    self.config.auth_uri,
-                    data=self.config.credentials,
-                    timeout=HTTP_REQ_TIMEOUT,
-                    **req_kwargs,
-                )
-            else:
-                cred = self.config.credentials
-                response = s.get(
-                    self.config.auth_uri,
-                    auth=(cred["username"], cred["password"]),
-                    timeout=HTTP_REQ_TIMEOUT,
-                    **req_kwargs,
-                )
+            response = self._token_request(session=s)
             response.raise_for_status()
         except requests.exceptions.Timeout as exc:
             raise TimeOutError(exc, timeout=HTTP_REQ_TIMEOUT) from exc
         except RequestException as e:
             response_text = getattr(e.response, "text", "").strip()
-            raise AuthenticationError(
-                f"Could no get authentication token: {str(e)}, {response_text}"
-            )
+            # check if error is identified as auth_error in provider conf
+            auth_errors = getattr(self.config, "auth_error_code", [None])
+            if not isinstance(auth_errors, list):
+                auth_errors = [auth_errors]
+            if (
+                e.response is not None
+                and getattr(e.response, "status_code", None)
+                and e.response.status_code in auth_errors
+            ):
+                raise AuthenticationError(
+                    f"Please check your credentials for {self.provider}.",
+                    f"HTTP Error {e.response.status_code} returned.",
+                    response_text,
+                ) from e
+            # other error
+            else:
+                raise AuthenticationError(
+                    "Could no get authentication token", str(e), response_text
+                ) from e
         else:
             if getattr(self.config, "token_type", "text") == "json":
                 token = response.json()[self.config.token_key]
             else:
                 token = response.text
-            headers = self._get_headers(token)
             self.token = token
+            if getattr(self.config, "refresh_token_key", None):
+                self.refresh_token = response.json()[self.config.refresh_token_key]
+            if not hasattr(self.config, "headers"):
+                raise MisconfiguredError(f"Missing headers configuration for {self}")
             # Return auth class set with obtained token
-            return RequestsTokenAuth(token, "header", headers=headers)
-
-    def _get_headers(self, token: str) -> Dict[str, str]:
-        headers = self.config.headers
-        if "Authorization" in headers and "$" in headers["Authorization"]:
-            headers["Authorization"] = headers["Authorization"].replace("$token", token)
-        if (
-            self.token
-            and token != self.token
-            and self.token in headers["Authorization"]
-        ):
-            headers["Authorization"] = headers["Authorization"].replace(
-                self.token, token
+            return RequestsTokenAuth(
+                token, "header", headers=getattr(self.config, "headers", {})
             )
-        return headers
+
+    def _token_request(
+        self,
+        session: requests.Session,
+    ) -> requests.Response:
+        retries = Retry(
+            total=3,
+            backoff_factor=2,
+            status_forcelist=[401, 429, 500, 502, 503, 504],
+        )
+
+        # append headers to req if some are specified in config
+        req_kwargs: Dict[str, Any] = {
+            "headers": dict(self.config.headers, **USER_AGENT)
+        }
+        ssl_verify = getattr(self.config, "ssl_verify", True)
+
+        if self.refresh_token:
+            logger.debug("fetching access token with refresh token")
+            session.mount(self.config.refresh_uri, HTTPAdapter(max_retries=retries))
+            try:
+                response = session.post(
+                    self.config.refresh_uri,
+                    data={"refresh_token": self.refresh_token},
+                    timeout=HTTP_REQ_TIMEOUT,
+                    verify=ssl_verify,
+                    **req_kwargs,
+                )
+                response.raise_for_status()
+                return response
+            except requests.exceptions.HTTPError as e:
+                logger.debug(getattr(e.response, "text", "").strip())
+
+        logger.debug("fetching access token from %s", self.config.auth_uri)
+        # append headers to req if some are specified in config
+        session.mount(self.config.auth_uri, HTTPAdapter(max_retries=retries))
+        method = getattr(self.config, "request_method", "POST")
+
+        # send credentials also as data in POST requests
+        if method == "POST":
+            # append req_data to credentials if specified in config
+            req_kwargs["data"] = dict(
+                getattr(self.config, "req_data", {}), **self.config.credentials
+            )
+
+        # credentials as auth tuple if possible
+        req_kwargs["auth"] = (
+            (
+                self.config.credentials["username"],
+                self.config.credentials["password"],
+            )
+            if all(
+                k in self.config.credentials.keys() for k in ["username", "password"]
+            )
+            else None
+        )
+
+        return session.request(
+            method=method,
+            url=self.config.auth_uri,
+            timeout=HTTP_REQ_TIMEOUT,
+            verify=ssl_verify,
+            **req_kwargs,
+        )
 
 
 class RequestsTokenAuth(AuthBase):
@@ -153,7 +201,8 @@ class RequestsTokenAuth(AuthBase):
         if self.where == "qs":
             parts = urlparse(str(request.url))
             qs = parse_qs(parts.query)
-            qs[self.qs_key] = self.token  # type: ignore
+            if self.qs_key is not None:
+                qs[self.qs_key] = [self.token]
             request.url = urlunparse(
                 (
                     parts.scheme,
@@ -165,5 +214,7 @@ class RequestsTokenAuth(AuthBase):
                 )
             )
         elif self.where == "header":
-            request.headers["Authorization"] = "Bearer {}".format(self.token)
+            request.headers["Authorization"] = request.headers.get(
+                "Authorization", "Bearer {token}"
+            ).format(token=self.token)
         return request

eodag/plugins/authentication/token_exchange.py

@@ -0,0 +1,122 @@
+# -*- coding: utf-8 -*-
+# Copyright 2024, CS GROUP - France, https://www.csgroup.eu/
+#
+# This file is part of EODAG project
+#     https://www.github.com/CS-SI/EODAG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from __future__ import annotations
+
+import logging
+
+import requests
+from requests import RequestException
+
+from eodag.config import PluginConfig
+from eodag.plugins.authentication import Authentication
+from eodag.plugins.authentication.openid_connect import (
+    CodeAuthorizedAuth,
+    OIDCAuthorizationCodeFlowAuth,
+)
+from eodag.utils import HTTP_REQ_TIMEOUT, USER_AGENT
+from eodag.utils.exceptions import AuthenticationError, MisconfiguredError, TimeOutError
+
+logger = logging.getLogger("eodag.auth.token_exchange")
+
+
+class OIDCTokenExchangeAuth(Authentication):
+    """Token exchange implementation using
+        :class:`~eodag.plugins.authentication.openid_connect.OIDCAuthorizationCodeFlowAuth` token as subject.
+
+    The configuration keys of this plugin are as follows (they have no defaults)::
+
+        # (mandatory) The full OIDCAuthorizationCodeFlowAuth plugin configuration used to retrieve subject token
+        subject:
+
+        # (mandatory) Identifies the issuer of the subject_token
+        subject_issuer:
+
+        # (mandatory) The url to query to get the authorized token
+        token_uri:
+
+        # (mandatory) The OIDC provider's client ID of the eodag provider
+        client_id:
+
+        # (mandatory) This parameter specifies the target client you want the new token minted for.
+        audience:
+
+        # (mandatory) The key pointing to the token in the json response to the POST request to the token server
+        token_key:
+    """
+
+    GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
+    SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
+    REQUIRED_KEYS = [
+        "subject",
+        "subject_issuer",
+        "token_uri",
+        "client_id",
+        "audience",
+        "token_key",
+    ]
+
+    def __init__(self, provider: str, config: PluginConfig) -> None:
+        super(OIDCTokenExchangeAuth, self).__init__(provider, config)
+        for required_key in self.REQUIRED_KEYS:
+            if getattr(self.config, required_key, None) is None:
+                raise MisconfiguredError(
+                    f"Missing required entry for OIDCTokenExchangeAuth configuration: {required_key}"
+                )
+        self.subject = OIDCAuthorizationCodeFlowAuth(
+            provider,
+            PluginConfig.from_mapping(
+                {
+                    "credentials": getattr(self.config, "credentials", {}),
+                    **self.config.subject,
+                }
+            ),
+        )
+
+    def authenticate(self) -> CodeAuthorizedAuth:
+        """Authenticate"""
+        logger.debug("Getting subject auth token")
+        subject_auth = self.subject.authenticate()
+        auth_data = {
+            "grant_type": self.GRANT_TYPE,
+            "subject_token": subject_auth.token,
+            "subject_issuer": self.config.subject_issuer,
+            "subject_token_type": self.SUBJECT_TOKEN_TYPE,
+            "client_id": self.config.client_id,
+            "audience": self.config.audience,
+        }
+        logger.debug("Getting target auth token")
+        ssl_verify = getattr(self.config, "ssl_verify", True)
+        try:
+            auth_response = self.subject.session.post(
+                self.config.token_uri,
+                data=auth_data,
+                headers=USER_AGENT,
+                timeout=HTTP_REQ_TIMEOUT,
+                verify=ssl_verify,
+            )
+            auth_response.raise_for_status()
+        except requests.exceptions.Timeout as exc:
+            raise TimeOutError(exc, timeout=HTTP_REQ_TIMEOUT) from exc
+        except RequestException as exc:
+            raise AuthenticationError("Could no get authentication token") from exc
+        finally:
+            self.subject.session.close()
+
+        token = auth_response.json()[self.config.token_key]
+
+        return CodeAuthorizedAuth(token, where="header")

eodag/plugins/crunch/base.py

@@ -19,6 +19,7 @@ from __future__ import annotations
 
 from typing import TYPE_CHECKING, Any, Dict, List, Optional
 
+from eodag.config import PluginConfig
 from eodag.plugins.base import PluginTopic
 
 if TYPE_CHECKING:
@@ -29,7 +30,8 @@ class Crunch(PluginTopic):
     """Base cruncher"""
 
     def __init__(self, config: Optional[Dict[str, Any]]) -> None:
-        self.config = config if config is not None else {}
+        self.config = PluginConfig()
+        self.config.__dict__ = config if config is not None else {}
 
     def proceed(
         self, products: List[EOProduct], **search_params: Any

eodag/plugins/crunch/filter_date.py

@@ -21,7 +21,7 @@ import datetime
 import logging
 import time
 from datetime import datetime as dt
-from typing import TYPE_CHECKING, Any, Dict, List
+from typing import TYPE_CHECKING, Any, List
 
 import dateutil.parser
 from dateutil import tz
@@ -41,12 +41,8 @@ class FilterDate(Crunch):
 
                    - `start`: (optional) start sensing time in iso format
                    - `end`: (optional) end sensing time in iso format
-
-    :type config: dict
     """
 
-    config: Dict[str, str]
-
     @staticmethod
     def sort_product_by_start_date(product: EOProduct) -> dt:
         """Get product start date"""
@@ -63,16 +59,14 @@ class FilterDate(Crunch):
         """Execute crunch: Filter products between start and end dates.
 
         :param products: A list of products resulting from a search
-        :type products: list(:class:`~eodag.api.product._product.EOProduct`)
         :returns: The filtered products
-        :rtype: list(:class:`~eodag.api.product._product.EOProduct`)
         """
         logger.debug("Start filtering by date")
         if not products:
             return []
 
         # filter start date
-        filter_start_str = self.config.get("start", None)
+        filter_start_str = self.config.__dict__.get("start", None)
         if filter_start_str:
             filter_start = dateutil.parser.parse(filter_start_str)
             if not filter_start.tzinfo:
@@ -81,7 +75,7 @@ class FilterDate(Crunch):
             filter_start = None
 
         # filter end date
-        filter_end_str = self.config.get("end", None)
+        filter_end_str = self.config.__dict__.get("end", None)
         if filter_end_str:
             filter_end = dateutil.parser.parse(filter_end_str)
             if not filter_end.tzinfo:

eodag/plugins/crunch/filter_latest_intersect.py

@@ -59,12 +59,9 @@ class FilterLatestIntersect(Crunch):
         Filter latest products (the ones with a the highest start date) that intersect search extent.
 
         :param products: A list of products resulting from a search
-        :type products: list(:class:`~eodag.api.product._product.EOProduct`)
         :param search_params: Search criteria that must contain `geometry` (dict)
                               or search `geom` (:class:`shapely.geometry.base.BaseGeometry`) argument will be used
-        :type search_params: dict
         :returns: The filtered products
-        :rtype: list(:class:`~eodag.api.product._product.EOProduct`)
         """
         logger.debug("Start filtering for latest products")
         if not products:

eodag/plugins/crunch/filter_latest_tpl_name.py

@@ -26,6 +26,7 @@ from eodag.utils.exceptions import ValidationError
 
 if TYPE_CHECKING:
     from eodag.api.product import EOProduct
+
 logger = logging.getLogger("eodag.crunch.latest_tpl_name")
 
 
@@ -37,8 +38,6 @@ class FilterLatestByName(Crunch):
     :param config: Crunch configuration, must contain :
 
                    - `name_pattern` : product name pattern
-
-    :type config: dict
     """
 
     NAME_PATTERN_CONSTRAINT = re.compile(r"\(\?P<tileid>\\d\{6\}\)")
@@ -60,9 +59,7 @@ class FilterLatestByName(Crunch):
         """Execute crunch: Filter Search results to get only the latest product, based on the name of the product
 
         :param products: A list of products resulting from a search
-        :type products: list(:class:`~eodag.api.product._product.EOProduct`)
         :returns: The filtered products
-        :rtype: list(:class:`~eodag.api.product._product.EOProduct`)
         """
         logger.debug("Starting products filtering")
         processed: List[str] = []

eodag/plugins/crunch/filter_overlap.py

@@ -48,7 +48,6 @@ class FilterOverlap(Crunch):
                    - `within` : True if product geometry is within the search area
 
                    These configuration parameters are mutually exclusive.
-    :type config: dict
     """
 
     def proceed(
@@ -57,11 +56,8 @@ class FilterOverlap(Crunch):
         """Execute crunch: Filter products, retaining only those that are overlapping with the search_extent
 
         :param products: A list of products resulting from a search
-        :type products: list(:class:`~eodag.api.product._product.EOProduct`)
         :param search_params: Search criteria that must contain `geometry`
-        :type search_params: dict
         :returns: The filtered products
-        :rtype: list(:class:`~eodag.api.product._product.EOProduct`)
         """
         logger.debug("Start filtering for overlapping products")
         filtered: List[EOProduct] = []
@@ -73,10 +69,10 @@ class FilterOverlap(Crunch):
                 "geometry not found in cruncher arguments, filtering disabled."
             )
             return products
-        minimum_overlap = float(self.config.get("minimum_overlap", "0"))
-        contains = self.config.get("contains", False)
-        intersects = self.config.get("intersects", False)
-        within = self.config.get("within", False)
+        minimum_overlap = float(self.config.__dict__.get("minimum_overlap", "0"))
+        contains = self.config.__dict__.get("contains", False)
+        intersects = self.config.__dict__.get("intersects", False)
+        within = self.config.__dict__.get("within", False)
 
         if contains and (within or intersects) or (within and intersects):
             logger.warning(

eodag/plugins/crunch/filter_property.py

@@ -19,7 +19,7 @@ from __future__ import annotations
 
 import logging
 import operator
-from typing import TYPE_CHECKING, Any, Dict, List, Optional, Union
+from typing import TYPE_CHECKING, Any, List
 
 from eodag.plugins.crunch.base import Crunch
 
@@ -38,23 +38,17 @@ class FilterProperty(Crunch):
 
                    - `property=value` : property key from product.properties, associated to its filter value
                    - `operator` : (optional) Operator used for filtering (one of `lt,le,eq,ne,ge,gt`). Default is `eq`
-
-    :type config: dict
     """
 
-    config: Dict[str, Union[str, Optional[str]]]
-
     def proceed(
         self, products: List[EOProduct], **search_params: Any
     ) -> List[EOProduct]:
         """Execute crunch: Filter products, retaining only those that match property filtering
 
         :param products: A list of products resulting from a search
-        :type products: list(:class:`~eodag.api.product._product.EOProduct`)
         :returns: The filtered products
-        :rtype: list(:class:`~eodag.api.product._product.EOProduct`)
         """
-        operator_name = self.config.pop("operator", "eq") or "eq"
+        operator_name = self.config.__dict__.pop("operator", "eq") or "eq"
         try:
             operator_method = getattr(operator, operator_name)
         except AttributeError:
@@ -64,12 +58,12 @@ class FilterProperty(Crunch):
             )
             return products
 
-        if len(self.config.keys()) != 1:
+        if len(self.config.__dict__.keys()) != 1:
             logger.warning("One property is needed for filtering, filtering disabled.")
             return products
 
-        property_key = next(iter(self.config))
-        property_value = self.config.get(property_key, None)
+        property_key = next(iter(self.config.__dict__))
+        property_value = self.config.__dict__.get(property_key, None)
 
         logger.debug(
             "Start filtering for products matching operator.%s(product.properties['%s'], %s)",