eodag 3.0.0b3__py3-none-any.whl → 3.0.1__py3-none-any.whl

eodag/plugins/authentication/openid_connect.py

@@ -20,22 +20,18 @@ from __future__ import annotations
 import logging
 import re
 import string
-from datetime import datetime
+from datetime import datetime, timedelta, timezone
 from random import SystemRandom
-from typing import TYPE_CHECKING, Any, Dict, Optional, TypedDict
+from typing import TYPE_CHECKING, Any, Dict, Optional
 
+import jwt
 import requests
 from lxml import etree
 from requests.auth import AuthBase
 
 from eodag.plugins.authentication import Authentication
 from eodag.utils import HTTP_REQ_TIMEOUT, USER_AGENT, parse_qs, repeatfunc, urlparse
-from eodag.utils.exceptions import (
-    AuthenticationError,
-    MisconfiguredError,
-    RequestError,
-    TimeOutError,
-)
+from eodag.utils.exceptions import AuthenticationError, MisconfiguredError, TimeOutError
 
 if TYPE_CHECKING:
     from requests import PreparedRequest, Response
@@ -47,93 +43,121 @@ logger = logging.getLogger("eodag.auth.openid_connect")
 
 
 class OIDCRefreshTokenBase(Authentication):
-    """OIDC refresh token base class, to be used through specific OIDC flows plugins.
+    """OIDC refresh token base class, to be used through specific OIDC flows plugins;
+    Common mechanism to handle refresh token from all OIDC auth plugins;
+
+    Plugins inheriting from this base class must implement the methods ``_request_new_token()`` and
+    ``_get_token_with_refresh_token()``. Depending on the implementation of these methods they can have
+    different configuration parameters.
 
-    Common mechanism to handle refresh token from all OIDC auth plugins.
     """
 
-    class TokenInfo(TypedDict, total=False):
-        """Token infos"""
+    jwks_client: jwt.PyJWKClient
+
+    access_token: str
+    access_token_expiration: datetime
 
-        refresh_token: str
-        refresh_time: datetime
-        token_time: datetime
-        access_token: str
-        access_token_expiration: float
-        refresh_token_expiration: float
+    refresh_token: str
+    refresh_token_expiration: datetime
+
+    token_endpoint: str
+    authorization_endpoint: str
 
     def __init__(self, provider: str, config: PluginConfig) -> None:
         super(OIDCRefreshTokenBase, self).__init__(provider, config)
         self.session = requests.Session()
-        # already retrieved token info store
-        self.token_info: OIDCRefreshTokenBase.TokenInfo = {}
+
+        self.access_token = ""
+        self.access_token_expiration = datetime.min
+
+        self.refresh_token = ""
+        self.refresh_token_expiration = datetime.min
+
+        try:
+            response = requests.get(self.config.oidc_config_url)
+            response.raise_for_status()
+            auth_config = response.json()
+        except requests.HTTPError as e:
+            raise MisconfiguredError(
+                f"Cannot obtain OIDC endpoints from {self.config.oidc_config_url}"
+                f"Request returned {e.response.text}."
+            )
+
+        self.jwks_client = jwt.PyJWKClient(auth_config["jwks_uri"])
+        self.token_endpoint = auth_config["token_endpoint"]
+        self.authorization_endpoint = auth_config["authorization_endpoint"]
+        self.algorithms = auth_config["id_token_signing_alg_values_supported"]
+
+    def decode_jwt_token(self, token: str) -> Dict[str, Any]:
+        """Decode JWT token."""
+        try:
+            key = self.jwks_client.get_signing_key_from_jwt(token).key
+            if getattr(self.config, "allowed_audiences", None):
+                return jwt.decode(
+                    token,
+                    key,
+                    algorithms=self.algorithms,
+                    # NOTE: Audience validation MUST match audience claim if set in token
+                    # (https://pyjwt.readthedocs.io/en/stable/changelog.html?highlight=audience#id40)
+                    audience=self.config.allowed_audiences,
+                )
+            else:
+                return jwt.decode(
+                    token,
+                    key,
+                    algorithms=self.algorithms,
+                )
+        except (jwt.exceptions.InvalidTokenError, jwt.exceptions.DecodeError) as e:
+            raise AuthenticationError(e)
 
     def _get_access_token(self) -> str:
-        current_time = datetime.now()
-        if (
-            # No info: first time
-            not self.token_info
-            # Refresh token available but expired
-            or (
-                "refresh_token" in self.token_info
-                and self.token_info["refresh_token_expiration"] > 0
-                and (current_time - self.token_info["token_time"]).seconds
-                >= self.token_info["refresh_token_expiration"]
+        now = datetime.now(timezone.utc)
+        if self.access_token and now < self.access_token_expiration:
+            logger.debug(
+                f"Existing access_token is still valid until {self.access_token_expiration.isoformat()}."
             )
-            # Refresh token *not* available and access token expired
-            or (
-                "refresh_token" not in self.token_info
-                and (current_time - self.token_info["token_time"]).seconds
-                >= self.token_info["access_token_expiration"]
+            return self.access_token
+
+        elif self.refresh_token and now < self.refresh_token_expiration:
+            response = self._get_token_with_refresh_token()
+            logger.debug(
+                "access_token expired, fetching new access_token using refresh_token"
             )
-        ):
-            # Request *new* token on first attempt or if token expired
-            res = self._request_new_token()
-            self.token_info["token_time"] = current_time
-            self.token_info["access_token_expiration"] = float(res["expires_in"])
-            if "refresh_token" in res:
-                self.token_info["refresh_time"] = current_time
-                self.token_info["refresh_token_expiration"] = float(
-                    res["refresh_expires_in"]
-                )
-                self.token_info["refresh_token"] = str(res["refresh_token"])
-            return str(res["access_token"])
-
-        elif (
-            # Refresh token available and access token expired
-            "refresh_token" in self.token_info
-            and (current_time - self.token_info["refresh_time"]).seconds
-            >= self.token_info["access_token_expiration"]
-        ):
-            # Use refresh token
-            res = self._get_token_with_refresh_token()
-            self.token_info["refresh_token"] = res["refresh_token"]
-            self.token_info["refresh_time"] = current_time
-            return res["access_token"]
+        else:
+            logger.debug("access_token expired or not available yet, new token request")
+            response = self._request_new_token()
+
+        self.access_token = response[getattr(self.config, "token_key", "access_token")]
+        self.access_token_expiration = datetime.fromtimestamp(
+            self.decode_jwt_token(self.access_token)["exp"], timezone.utc
+        )
+        self.refresh_token = response.get(
+            getattr(self.config, "refresh_token_key", "refresh_token"), ""
+        )
+        if self.refresh_token and response.get("refresh_expires_in", "0"):
+            self.refresh_token_expiration = now + timedelta(
+                seconds=int(response["refresh_expires_in"])
+            )
+        else:
+            # refresh token does not expire but will be changed at each request
+            self.refresh_token_expiration = now + timedelta(days=1000)
 
-        logger.debug("Using already retrieved access token")
-        return self.token_info["access_token"]
+        return self.access_token
 
     def _request_new_token(self) -> Dict[str, str]:
-        """Fetch the access token with a new authentcation"""
+        """Fetch the access token with a new authentication"""
         raise NotImplementedError(
             "Incomplete OIDC refresh token retrieval mechanism implementation"
         )
 
     def _request_new_token_error(self, e: requests.RequestException) -> Dict[str, str]:
         """Handle RequestException raised by `self._request_new_token()`"""
-        if self.token_info.get("access_token"):
+        if self.access_token:
             # try using already retrieved token if authenticate() fails (OTP use-case)
-            if "access_token_expiration" in self.token_info:
-                return {
-                    "access_token": self.token_info["access_token"],
-                    "expires_in": str(self.token_info["access_token_expiration"]),
-                }
-            else:
-                return {
-                    "access_token": self.token_info["access_token"],
-                    "expires_in": "0",
-                }
+            return {
+                "access_token": self.access_token,
+                "expires_in": self.access_token_expiration.isoformat(),
+            }
         response_text = getattr(e.response, "text", "").strip()
         # check if error is identified as auth_error in provider conf
         auth_errors = getattr(self.config, "auth_error_code", [None])
@@ -145,8 +169,9 @@ class OIDCRefreshTokenBase(Authentication):
             and e.response.status_code in auth_errors
         ):
             raise AuthenticationError(
-                "HTTP Error %s returned, %s\nPlease check your credentials for %s"
-                % (e.response.status_code, response_text, self.provider)
+                f"Please check your credentials for {self.provider}.",
+                f"HTTP Error {e.response.status_code} returned.",
+                response_text,
             )
         # other error
         else:
@@ -175,6 +200,7 @@ class OIDCAuthorizationCodeFlowAuth(OIDCRefreshTokenBase):
     adds an authentication layer on top of oauth 2.0. This plugin implements the
     `authorization code flow <http://openid.net/specs/openid-connect-core-1_0.html#Authentication>`_
     option of this specification.
+
     The particularity of this plugin is that it proceeds to a headless (not involving the user)
     interaction with the OpenID provider (if necessary) to authenticate a
     registered user with its username and password on the server and then granting to eodag the
@@ -184,83 +210,60 @@ class OIDCAuthorizationCodeFlowAuth(OIDCRefreshTokenBase):
     The headless interaction is fully configurable, and rely on XPATH to retrieve all the necessary
     information.
 
-    The configuration keys of this plugin are as follows (they have no defaults)::
-
-        # (mandatory) The authorization url of the server (where to query for grants)
-        authorization_uri:
-
-        # (mandatory) The callback url that will handle the code given by the OIDC provider
-        redirect_uri:
-
-        # (mandatory) The url to query to exchange the authorization code obtained from the OIDC provider
-        # for an authorized token
-        token_uri:
-
-        # (mandatory) The OIDC provider's client ID of the eodag provider
-        client_id:
-
-        # (mandatory) Wether a user consent is needed during the authentication
-        user_consent_needed:
-
-        # (mandatory) One of: json, data or params. This is the way to pass the data to the POST request
-        # that is made to the token server. They correspond to the recognised keywords arguments
-        # of the Python `requests <http://docs.python-requests.org/>`_ library
-        token_exchange_post_data_method:
-
-        # (mandatory) The key pointing to the token in the json response to the POST request to the token server
-        token_key:
-
-        # (mandatory) One of qs or header. This is how the token obtained will be used to authenticate the user
-        # on protected requests. If 'qs' is chosen, then 'token_qs_key' is mandatory
-        token_provision:
+    :param provider: provider name
+    :param config: Authentication plugin configuration:
+
+        * :attr:`~eodag.config.PluginConfig.type` (``str``) (**mandatory**): OIDCAuthorizationCodeFlowAuth
+        * :attr:`~eodag.config.PluginConfig.redirect_uri` (``str``) (**mandatory**):  The callback
+          url that will handle the code given by the OIDC provider
+        * :attr:`~eodag.config.PluginConfig.oidc_config_url` (``str``) (**mandatory**):
+          The url to get the OIDC Provider's endpoints
+        * :attr:`~eodag.config.PluginConfig.client_id` (``str``) (**mandatory**): The OIDC provider's
+          client ID of the eodag provider
+        * :attr:`~eodag.config.PluginConfig.user_consent_needed` (``bool``) (mandatory): Whether
+          a user consent is needed during the authentication
+        * :attr:`~eodag.config.PluginConfig.token_exchange_post_data_method` (``str``) (**mandatory**):
+          One of: ``json``, ``data`` or ``params``. This is the way to pass the data to the
+          POST request that is made to the token server. They correspond to the recognised keywords
+          arguments of the Python `requests <http://docs.python-requests.org/>`_ library
+        * :attr:`~eodag.config.PluginConfig.token_key` (``str``): The key pointing
+          to the token in the json response to the POST request to the token server
+        * :attr:`~eodag.config.PluginConfig.token_provision` (``str``) (**mandatory**): One of
+          ``qs`` or ``header``. This is how the token obtained will be used to authenticate the
+          user on protected requests. If ``qs`` is chosen, then ``token_qs_key`` is mandatory
+        * :attr:`~eodag.config.PluginConfig.login_form_xpath` (``str``) (**mandatory**): The
+          xpath to the HTML form element representing the user login form
+        * :attr:`~eodag.config.PluginConfig.authentication_uri_source` (``str``) (**mandatory**): Where
+          to look for the authentication_uri. One of ``config`` (in the configuration) or ``login-form``
+          (use the 'action' URL found in the login form retrieved with login_form_xpath). If the
+          value is ``config``, authentication_uri config param is mandatory
+        * :attr:`~eodag.config.PluginConfig.authentication_uri` (``str``): (**mandatory if
+          authentication_uri_source=config**) The URL of the authentication backend of the OIDC provider
+        * :attr:`~eodag.config.PluginConfig.user_consent_form_xpath` (``str``): The xpath to
+          the user consent form. The form is searched in the content of the response to the authorization request
+        * :attr:`~eodag.config.PluginConfig.user_consent_form_data` (``Dict[str, str]``): The data that
+          will be passed with the POST request on the form 'action' URL. The data are given as
+          key value pairs, the keys representing the data key and the value being either a 'constant'
+          string value, or a string of the form 'xpath(<path-to-a-value-to-be-retrieved>)' and representing a
+          value to be retrieved in the user consent form. The xpath must resolve directly to a
+          string value, not to an HTML element. Example: ``xpath(//input[@name="sessionDataKeyConsent"]/@value)``
+        * :attr:`~eodag.config.PluginConfig.additional_login_form_data` (``Dict[str, str]``): A mapping
+          giving additional data to be passed to the login POST request. The value follows
+          the same rules as with user_consent_form_data
+        * :attr:`~eodag.config.PluginConfig.exchange_url_error_pattern` (``Dict[str, str]``): Key/value
+          pairs of patterns/messages. If exchange_url contains the given pattern, the associated
+          message will be sent in an AuthenticationError
+        * :attr:`~eodag.config.PluginConfig.client_secret` (``str``): The OIDC provider's client
+          secret of the eodag provider
+        * :attr:`~eodag.config.PluginConfig.token_exchange_params` (``Dict[str, str]``): mandatory
+          keys for the dict: redirect_uri, client_id; A mapping between OIDC url query string
+          and token handler query string params (only necessary if they are not the same as for OIDC).
+          This is eodag provider dependant
+        * :attr:`~eodag.config.PluginConfig.token_qs_key` (``str``): (mandatory when token_provision=qs)
+          Refers to the name of the query param to be used in the query request
+        * :attr:`~eodag.config.PluginConfig.refresh_token_key` (``str``): The key pointing to
+          the refresh_token in the json response to the POST request to the token server
 
-        # (mandatory) The xpath to the HTML form element representing the user login form
-        login_form_xpath:
-
-        # (mandatory) Where to look for the authentication_uri. One of 'config' (in the configuration) or 'login-form'
-        # (use the 'action' URL found in the login form retrieved with login_form_xpath). If the value is 'config',
-        # authentication_uri config param is mandatory
-        authentication_uri_source:
-
-        # (optional) The URL of the authentication backend of the OIDC provider
-        authentication_uri:
-
-        # (optional) The xpath to the user consent form. The form is searched in the content of the response
-        # to the authorization request
-        user_consent_form_xpath:
-
-        # (optional) The data that will be passed with the POST request on the form 'action' URL. The data are
-        # given as a key value pairs, the keys representing the data key and the value being either
-        # a 'constant' string value, or a string of the form 'xpath(<path-to-a-value-to-be-retrieved>)'
-        # and representing a value to be retrieved in the user consent form. The xpath must resolve
-        # directly to a string value, not to an HTML element. Example:
-        # `xpath(//input[@name="sessionDataKeyConsent"]/@value)`
-        user_consent_form_data:
-
-        # (optional) A mapping giving additional data to be passed to the login POST request. The value follows the
-        # same rules as with user_consent_form_data
-        additional_login_form_data:
-
-        # (optional) Key/value pairs of patterns/messages. If exchange_url contains the given pattern, the associated
-        message will be sent in an AuthenticationError
-        exchange_url_error_pattern:
-
-        # (optional) The OIDC provider's client secret of the eodag provider
-        client_secret:
-
-        # (optional) A mapping between OIDC url query string and token handler query string
-        # params (only necessary if they are not the same as for OIDC). This is eodag provider
-        # dependant
-        token_exchange_params:
-          redirect_uri:
-          client_id:
-
-        # (optional) Only necessary when 'token_provision' is 'qs'. Refers to the name of the query param to be
-        # used in the query request
-        token_qs_key:
-
-        # (optional) The key pointing to the refresh_token in the json response to the POST request to the token server
-        refresh_token_key:
     """
 
     SCOPE = "openid"
@@ -287,17 +290,17 @@ class OIDCAuthorizationCodeFlowAuth(OIDCRefreshTokenBase):
 
     def authenticate(self) -> CodeAuthorizedAuth:
         """Authenticate"""
-        self.token_info["access_token"] = self._get_access_token()
+        self._get_access_token()
 
         return CodeAuthorizedAuth(
-            self.token_info["access_token"],
+            self.access_token,
             self.config.token_provision,
             key=getattr(self.config, "token_qs_key", None),
         )
 
     def _request_new_token(self) -> Dict[str, str]:
-        """Fetch the access token with a new authentcation"""
-        logger.debug("Fetching access token from %s", self.config.token_uri)
+        """Fetch the access token with a new authentication"""
+        logger.debug("Fetching access token from %s", self.token_endpoint)
         state = self.compute_state()
         authentication_response = self.authenticate_user(state)
         exchange_url = authentication_response.url
@@ -326,20 +329,22 @@ class OIDCAuthorizationCodeFlowAuth(OIDCRefreshTokenBase):
     def _get_token_with_refresh_token(self) -> Dict[str, str]:
         """Fetch the access token with the refresh token"""
         logger.debug(
-            "Fetching access token with refresh token from %s", self.config.token_uri
+            "Fetching access token with refresh token from %s.", self.token_endpoint
         )
         token_data: Dict[str, Any] = {
-            "refresh_token": self.token_info["refresh_token"],
+            "refresh_token": self.refresh_token,
             "grant_type": "refresh_token",
         }
         token_data = self._prepare_token_post_data(token_data)
         post_request_kwargs: Any = {
             self.config.token_exchange_post_data_method: token_data
         }
+        ssl_verify = getattr(self.config, "ssl_verify", True)
         try:
             token_response = self.session.post(
-                self.config.token_uri,
+                self.token_endpoint,
                 timeout=HTTP_REQ_TIMEOUT,
+                verify=ssl_verify,
                 **post_request_kwargs,
             )
             token_response.raise_for_status()
@@ -363,11 +368,13 @@ class OIDCAuthorizationCodeFlowAuth(OIDCRefreshTokenBase):
             "state": state,
             "redirect_uri": self.config.redirect_uri,
         }
+        ssl_verify = getattr(self.config, "ssl_verify", True)
         authorization_response = self.session.get(
-            self.config.authorization_uri,
+            self.authorization_endpoint,
             params=params,
             headers=USER_AGENT,
             timeout=HTTP_REQ_TIMEOUT,
+            verify=ssl_verify,
         )
 
         login_document = etree.HTML(authorization_response.text)
@@ -392,7 +399,7 @@ class OIDCAuthorizationCodeFlowAuth(OIDCRefreshTokenBase):
                 self.config.login_form_xpath.rstrip("/") + "/@action"
             )
             if not auth_uri or not auth_uri[0]:
-                raise RequestError(
+                raise MisconfiguredError(
                     f"Could not get auth_uri from {self.config.login_form_xpath}"
                 )
             auth_uri = auth_uri[0]
@@ -401,7 +408,11 @@ class OIDCAuthorizationCodeFlowAuth(OIDCRefreshTokenBase):
             if not auth_uri:
                 raise MisconfiguredError("authentication_uri is missing")
         return self.session.post(
-            auth_uri, data=login_data, headers=USER_AGENT, timeout=HTTP_REQ_TIMEOUT
+            auth_uri,
+            data=login_data,
+            headers=USER_AGENT,
+            timeout=HTTP_REQ_TIMEOUT,
+            verify=ssl_verify,
         )
 
     def grant_user_consent(self, authentication_response: Response) -> Response:
@@ -415,11 +426,13 @@ class OIDCAuthorizationCodeFlowAuth(OIDCRefreshTokenBase):
             key: self._constant_or_xpath_extracted(value, user_consent_form)
             for key, value in self.config.user_consent_form_data.items()
         }
+        ssl_verify = getattr(self.config, "ssl_verify", True)
         return self.session.post(
-            self.config.authorization_uri,
+            self.authorization_endpoint,
             data=user_consent_data,
             headers=USER_AGENT,
             timeout=HTTP_REQ_TIMEOUT,
+            verify=ssl_verify,
         )
 
     def _prepare_token_post_data(self, token_data: Dict[str, Any]) -> Dict[str, Any]:
@@ -467,10 +480,12 @@ class OIDCAuthorizationCodeFlowAuth(OIDCRefreshTokenBase):
         post_request_kwargs: Any = {
             self.config.token_exchange_post_data_method: token_exchange_data
         }
+        ssl_verify = getattr(self.config, "ssl_verify", True)
         r = self.session.post(
-            self.config.token_uri,
+            self.token_endpoint,
             headers=USER_AGENT,
             timeout=HTTP_REQ_TIMEOUT,
+            verify=ssl_verify,
             **post_request_kwargs,
         )
         return r

eodag/plugins/authentication/qsauth.py

@@ -36,9 +36,17 @@ class HttpQueryStringAuth(Authentication):
     """An Authentication plugin using HTTP query string parameters.
 
     This plugin sends credentials as query-string parameters.
+
+    :param provider: provider name
+    :param config: Authentication plugin configuration:
+
+        * :attr:`~eodag.config.PluginConfig.type` (``str``) (**mandatory**): HttpQueryStringAuth
+        * :attr:`~eodag.config.PluginConfig.auth_uri` (``str``): used to check the credentials
+          given in the configuration
+
     Using :class:`~eodag.plugins.download.http.HTTPDownload` a download link
-    `http://example.com?foo=bar` will become
-    `http://example.com?foo=bar&apikey=XXX&otherkey=YYY` if associated to the following
+    ``http://example.com?foo=bar`` will become
+    ``http://example.com?foo=bar&apikey=XXX&otherkey=YYY`` if associated to the following
     configuration::
 
         provider:
@@ -56,7 +64,7 @@ class HttpQueryStringAuth(Authentication):
                 ...
             ...
 
-    If `auth_uri` is specified (optional), it will be used to check credentials through
+    If ``auth_uri`` is specified (optional), it will be used to check credentials through
     :meth:`~eodag.plugins.authentication.query_string.HttpQueryStringAuth.authenticate`
     """
 
@@ -82,7 +90,7 @@ class HttpQueryStringAuth(Authentication):
             except requests.exceptions.Timeout as exc:
                 raise TimeOutError(exc, timeout=HTTP_REQ_TIMEOUT) from exc
             except RequestException as e:
-                raise AuthenticationError(f"Could no authenticate: {str(e)}")
+                raise AuthenticationError("Could no authenticate", str(e)) from e
 
         return auth
 

eodag/plugins/authentication/sas_auth.py

@@ -75,7 +75,7 @@ class RequestsSASAuth(AuthBase):
             except requests.exceptions.Timeout as exc:
                 raise TimeOutError(exc, timeout=HTTP_REQ_TIMEOUT) from exc
             except (requests.RequestException, JSONDecodeError, KeyError) as e:
-                raise AuthenticationError(f"Could no get signed url: {str(e)}")
+                raise AuthenticationError("Could no get signed url", str(e)) from e
             else:
                 self.signed_urls[req_signed_url] = signed_url
 
@@ -85,7 +85,24 @@ class RequestsSASAuth(AuthBase):
 
 
 class SASAuth(Authentication):
-    """SASAuth authentication plugin"""
+    """SASAuth authentication plugin
+
+    An apiKey that is added in the headers can be given in the credentials in the config file.
+
+    :param provider: provider name
+    :param config: Authentication plugin configuration:
+
+        * :attr:`~eodag.config.PluginConfig.type` (``str``) (**mandatory**): SASAuth
+        * :attr:`~eodag.config.PluginConfig.auth_uri` (``str``) (**mandatory**): url used to
+          get the signed url
+        * :attr:`~eodag.config.PluginConfig.signed_url_key` (``str``) (**mandatory**): key to
+          get the signed url
+        * :attr:`~eodag.config.PluginConfig.headers` (``Dict[str, str]``) (**mandatory if
+          apiKey is used**): headers to be added to the requests
+        * :attr:`~eodag.config.PluginConfig.ssl_verify` (``bool``): if the ssl certificates should be
+          verified in the requests; default: ``True``
+
+    """
 
     def validate_config_credentials(self) -> None:
         """Validate configured credentials"""