feldera 0.148.0__tar.gz → 0.150.0__tar.gz

{feldera-0.148.0 → feldera-0.150.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: feldera
-Version: 0.148.0
+Version: 0.150.0
 Summary: The feldera python client
 Author-email: Feldera Team <dev@feldera.com>
 License: MIT
@@ -20,6 +20,7 @@ Requires-Dist: typing-extensions
 Requires-Dist: numpy>=2.2.4
 Requires-Dist: pretty-errors
 Requires-Dist: ruff>=0.6.9
+Requires-Dist: PyJWT>=2.8.0
 
 # Feldera Python SDK
 

{feldera-0.148.0 → feldera-0.150.0}/feldera/_callback_runner.py

@@ -6,6 +6,7 @@ from queue import Queue, Empty
 import pandas as pd
 from feldera import FelderaClient
 from feldera._helpers import dataframe_from_response
+from feldera.enums import PipelineFieldSelector
 
 
 class _CallbackRunnerInstruction(Enum):
@@ -38,7 +39,9 @@ class CallbackRunner(Thread):
         :meta private:
         """
 
-        pipeline = self.client.get_pipeline(self.pipeline_name)
+        pipeline = self.client.get_pipeline(
+            self.pipeline_name, PipelineFieldSelector.ALL
+        )
 
         schemas = pipeline.tables + pipeline.views
         for schema in schemas:

{feldera-0.148.0 → feldera-0.150.0}/feldera/enums.py

@@ -336,3 +336,11 @@ class FaultToleranceModel(Enum):
         raise ValueError(
             f"Unknown value '{value}' for enum {FaultToleranceModel.__name__}"
         )
+
+
+class PipelineFieldSelector(Enum):
+    ALL = "all"
+    """Select all fields of a pipeline."""
+
+    STATUS = "status"
+    """Select only the fields required to know the status of a pipeline."""

{feldera-0.148.0 → feldera-0.150.0}/feldera/pipeline.py

@@ -12,6 +12,7 @@ from queue import Queue
 
 from feldera.rest.errors import FelderaAPIError
 from feldera.enums import (
+    PipelineFieldSelector,
     PipelineStatus,
     ProgramStatus,
     CheckpointStatus,
@@ -60,14 +61,16 @@ class Pipeline:
                 # block until the callback runner is ready
                 queue.join()
 
-    def refresh(self):
+    def refresh(self, field_selector: PipelineFieldSelector):
         """
         Calls the backend to get the updated, latest version of the pipeline.
 
+        :param field_selector: Choose what pipeline information to refresh; see PipelineFieldSelector enum definition.
+
         :raises FelderaConnectionError: If there is an issue connecting to the backend.
         """
 
-        self._inner = self.client.get_pipeline(self.name)
+        self._inner = self.client.get_pipeline(self.name, field_selector)
 
     def status(self) -> PipelineStatus:
         """
@@ -75,7 +78,7 @@ class Pipeline:
         """
 
         try:
-            self.refresh()
+            self.refresh(PipelineFieldSelector.STATUS)
             return PipelineStatus.from_str(self._inner.deployment_status)
 
         except FelderaAPIError as err:
@@ -124,7 +127,7 @@ class Pipeline:
 
         ensure_dataframe_has_columns(df)
 
-        pipeline = self.client.get_pipeline(self.name)
+        pipeline = self.client.get_pipeline(self.name, PipelineFieldSelector.ALL)
         if table_name.lower() != "now" and table_name.lower() not in [
             tbl.name.lower() for tbl in pipeline.tables
         ]:
@@ -672,7 +675,7 @@ metrics"""
         """
 
         try:
-            inner = client.get_pipeline(name)
+            inner = client.get_pipeline(name, PipelineFieldSelector.ALL)
             return Pipeline._from_inner(inner, client)
         except FelderaAPIError as err:
             if err.status_code == 404:
@@ -948,7 +951,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the program SQL code of the pipeline.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.ALL)
         return self._inner.program_code
 
     def modify(
@@ -988,7 +991,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the storage status of the pipeline.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return StorageStatus.from_str(self._inner.storage_status)
 
     def program_status(self) -> ProgramStatus:
@@ -1000,7 +1003,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Rust code to a binary.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return ProgramStatus.from_value(self._inner.program_status)
 
     def program_status_since(self) -> datetime:
@@ -1008,7 +1011,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the timestamp when the current program status was set.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return datetime.fromisoformat(self._inner.program_status_since)
 
     def udf_rust(self) -> str:
@@ -1016,7 +1019,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the Rust code for UDFs.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.ALL)
         return self._inner.udf_rust
 
     def udf_toml(self) -> str:
@@ -1024,7 +1027,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the Rust dependencies required by UDFs (in the TOML format).
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.ALL)
         return self._inner.udf_toml
 
     def program_config(self) -> Mapping[str, Any]:
@@ -1032,7 +1035,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the program config of the pipeline.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.ALL)
         return self._inner.program_config
 
     def runtime_config(self) -> RuntimeConfig:
@@ -1040,7 +1043,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the runtime config of the pipeline.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.ALL)
         return RuntimeConfig.from_dict(self._inner.runtime_config)
 
     def set_runtime_config(self, runtime_config: RuntimeConfig):
@@ -1065,7 +1068,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the ID of the pipeline.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return self._inner.id
 
     def description(self) -> str:
@@ -1073,7 +1076,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the description of the pipeline.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return self._inner.description
 
     def tables(self) -> List[SQLTable]:
@@ -1081,7 +1084,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the tables of the pipeline.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.ALL)
         return self._inner.tables
 
     def views(self) -> List[SQLView]:
@@ -1089,7 +1092,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the views of the pipeline.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.ALL)
         return self._inner.views
 
     def created_at(self) -> datetime:
@@ -1097,7 +1100,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the creation time of the pipeline.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return datetime.fromisoformat(self._inner.created_at)
 
     def version(self) -> int:
@@ -1105,7 +1108,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the version of the pipeline.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return self._inner.version
 
     def program_version(self) -> int:
@@ -1113,7 +1116,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the program version of the pipeline.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return self._inner.program_version
 
     def deployment_status_since(self) -> datetime:
@@ -1122,7 +1125,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         was set.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return datetime.fromisoformat(self._inner.deployment_status_since)
 
     def deployment_config(self) -> Mapping[str, Any]:
@@ -1130,7 +1133,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the deployment config of the pipeline.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.ALL)
         return self._inner.deployment_config
 
     def deployment_desired_status(self) -> DeploymentDesiredStatus:
@@ -1139,7 +1142,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         This is the next state that the pipeline should transition to.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return DeploymentDesiredStatus.from_str(self._inner.deployment_desired_status)
 
     def deployment_resources_desired_status(self) -> DeploymentResourcesDesiredStatus:
@@ -1147,7 +1150,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the desired status of the the deployment resources.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return DeploymentResourcesDesiredStatus.from_str(
             self._inner.deployment_resources_desired_status
         )
@@ -1157,7 +1160,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the status of the deployment resources.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return DeploymentResourcesStatus.from_str(
             self._inner.deployment_resources_status
         )
@@ -1167,7 +1170,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the deployment runtime desired status.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return DeploymentRuntimeDesiredStatus.from_str(
             self._inner.deployment_runtime_desired_status
         )
@@ -1177,7 +1180,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Return the deployment runtime status.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return DeploymentRuntimeStatus.from_str(self._inner.deployment_runtime_status)
 
     def deployment_error(self) -> Mapping[str, Any]:
@@ -1186,7 +1189,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         Returns an empty string if there is no error.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return self._inner.deployment_error
 
     def deployment_location(self) -> str:
@@ -1196,7 +1199,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         at runtime (a TCP port number or a URI).
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.STATUS)
         return self._inner.deployment_location
 
     def program_info(self) -> Mapping[str, Any]:
@@ -1207,7 +1210,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         and the SQL program schema.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.ALL)
         return self._inner.program_info
 
     def program_error(self) -> Mapping[str, Any]:
@@ -1217,7 +1220,7 @@ pipeline '{self.name}' to sync checkpoint '{uuid}'"""
         `sql_compilation` and `rust_compilation` will be 0.
         """
 
-        self.refresh()
+        self.refresh(PipelineFieldSelector.ALL)
         return self._inner.program_error
 
     def errors(self) -> List[Mapping[str, Any]]:

{feldera-0.148.0 → feldera-0.150.0}/feldera/pipeline_builder.py

@@ -4,7 +4,7 @@ from typing import Optional
 from feldera.rest.feldera_client import FelderaClient
 from feldera.rest.pipeline import Pipeline as InnerPipeline
 from feldera.pipeline import Pipeline
-from feldera.enums import CompilationProfile
+from feldera.enums import CompilationProfile, PipelineFieldSelector
 from feldera.runtime_config import RuntimeConfig
 from feldera.rest.errors import FelderaAPIError
 
@@ -60,7 +60,10 @@ class PipelineBuilder:
             raise ValueError("Name and SQL are required to create a pipeline")
 
         try:
-            if self.client.get_pipeline(self.name) is not None:
+            if (
+                self.client.get_pipeline(self.name, PipelineFieldSelector.STATUS)
+                is not None
+            ):
                 raise RuntimeError(f"Pipeline with name {self.name} already exists")
         except FelderaAPIError as err:
             if err.error_code != "UnknownPipelineName":

{feldera-0.148.0 → feldera-0.150.0}/feldera/rest/feldera_client.py

@@ -7,6 +7,7 @@ from decimal import Decimal
 from typing import Generator, Mapping
 from urllib.parse import quote
 
+from feldera.enums import PipelineFieldSelector
 from feldera.rest.config import Config
 from feldera.rest.feldera_config import FelderaConfig
 from feldera.rest.errors import FelderaTimeoutError, FelderaAPIError
@@ -93,14 +94,19 @@ class FelderaClient:
 
         return FelderaClient(f"http://127.0.0.1:{port}")
 
-    def get_pipeline(self, pipeline_name) -> Pipeline:
+    def get_pipeline(
+        self, pipeline_name: str, field_selector: PipelineFieldSelector
+    ) -> Pipeline:
         """
         Get a pipeline by name
 
         :param pipeline_name: The name of the pipeline
+        :param field_selector: Choose what pipeline information to refresh; see PipelineFieldSelector enum definition.
         """
 
-        resp = self.http.get(f"/pipelines/{pipeline_name}")
+        resp = self.http.get(
+            f"/pipelines/{pipeline_name}?selector={field_selector.value}"
+        )
 
         return Pipeline.from_dict(resp)
 
@@ -130,12 +136,14 @@ class FelderaClient:
         wait = ["Pending", "CompilingSql", "SqlCompiled", "CompilingRust"]
 
         while True:
-            p = self.get_pipeline(name)
+            p = self.get_pipeline(name, PipelineFieldSelector.STATUS)
             status = p.program_status
 
             if status == "Success":
-                return p
+                return self.get_pipeline(name, PipelineFieldSelector.ALL)
             elif status not in wait:
+                p = self.get_pipeline(name, PipelineFieldSelector.ALL)
+
                 # error handling for SQL compilation errors
                 if status == "SqlError":
                     sql_errors = p.program_error["sql_compilation"]["messages"]
@@ -181,7 +189,7 @@ class FelderaClient:
                         f"transition to '{state}' state"
                     )
 
-            resp = self.get_pipeline(pipeline_name)
+            resp = self.get_pipeline(pipeline_name, PipelineFieldSelector.STATUS)
             status = resp.deployment_status
 
             if status.lower() == state.lower():
@@ -502,7 +510,9 @@ Reason: The pipeline is in a STOPPED state due to the following error:
         start = time.monotonic()
 
         while time.monotonic() - start < timeout_s:
-            status = self.get_pipeline(pipeline_name).deployment_status
+            status = self.get_pipeline(
+                pipeline_name, PipelineFieldSelector.STATUS
+            ).deployment_status
 
             if status == "Stopped":
                 return
@@ -536,7 +546,9 @@ Reason: The pipeline is in a STOPPED state due to the following error:
         start = time.monotonic()
 
         while time.monotonic() - start < timeout_s:
-            status = self.get_pipeline(pipeline_name).storage_status
+            status = self.get_pipeline(
+                pipeline_name, PipelineFieldSelector.STATUS
+            ).storage_status
 
             if status == "Cleared":
                 return

{feldera-0.148.0 → feldera-0.150.0}/feldera/testutils.py

@@ -15,6 +15,28 @@ from feldera.runtime_config import Resources, RuntimeConfig
 from feldera.rest import FelderaClient
 
 API_KEY = os.environ.get("FELDERA_API_KEY")
+
+
+# OIDC authentication support
+def _get_oidc_token():
+    """Get OIDC token if environment is configured, otherwise return None"""
+    try:
+        from feldera.testutils_oidc import get_oidc_test_helper
+
+        oidc_helper = get_oidc_test_helper()
+        if oidc_helper is not None:
+            return oidc_helper.obtain_access_token()
+    except ImportError:
+        pass
+    return None
+
+
+def _get_effective_api_key():
+    """Get effective API key - OIDC token takes precedence over static API key"""
+    oidc_token = _get_oidc_token()
+    return oidc_token if oidc_token else API_KEY
+
+
 BASE_URL = (
     os.environ.get("FELDERA_HOST")
     or os.environ.get("FELDERA_BASE_URL")
@@ -44,6 +66,7 @@ class _LazyClient:
         if self._client is None:
             self._client = FelderaClient(
                 connection_timeout=10,
+                api_key=_get_effective_api_key(),
             )
         return self._client
 

feldera-0.150.0/feldera/testutils_oidc.py

@@ -0,0 +1,368 @@
+"""
+OIDC Authentication Test Helper
+
+Utilities for testing OIDC authentication integration with remote providers.
+Provides token generation, validation helpers, and test configuration.
+"""
+
+import os
+import time
+import json
+import requests
+import jwt
+import logging
+from typing import Optional, Dict, Any
+from dataclasses import dataclass
+
+
+@dataclass
+class OidcTestConfig:
+    """Configuration for OIDC authentication tests using Resource Owner Password Flow"""
+
+    issuer: str
+    client_id: str
+    client_secret: str
+    username: str
+    password: str
+    scope: str = "openid profile email"
+
+    @classmethod
+    def from_environment(cls) -> Optional["OidcTestConfig"]:
+        """Load OIDC test configuration from environment variables"""
+        issuer = os.getenv("OIDC_TEST_ISSUER")
+        client_id = os.getenv("OIDC_TEST_CLIENT_ID")
+        client_secret = os.getenv("OIDC_TEST_CLIENT_SECRET")
+        username = os.getenv("OIDC_TEST_USERNAME")
+        password = os.getenv("OIDC_TEST_PASSWORD")
+
+        # All fields are required
+        if not all([issuer, client_id, client_secret, username, password]):
+            return None
+
+        return cls(
+            issuer=issuer,
+            client_id=client_id,
+            client_secret=client_secret,
+            username=username,
+            password=password,
+            scope=os.getenv("OIDC_TEST_SCOPE", "openid profile email"),
+        )
+
+
+class OidcTestHelper:
+    """Helper class for OIDC authentication testing"""
+
+    def __init__(self, config: OidcTestConfig):
+        self.config = config
+        self._discovery_doc = None
+        self._jwks = None
+        self._access_token = None
+        self._token_expires_at = 0
+
+    def get_discovery_document(self) -> Dict[str, Any]:
+        """Fetch and cache the OIDC discovery document"""
+        if self._discovery_doc is None:
+            discovery_url = (
+                f"{self.config.issuer.rstrip('/')}/.well-known/openid-configuration"
+            )
+            response = requests.get(discovery_url, timeout=30)
+            response.raise_for_status()
+            self._discovery_doc = response.json()
+        return self._discovery_doc
+
+    def get_jwks(self) -> Dict[str, Any]:
+        """Fetch and cache the JSON Web Key Set"""
+        if self._jwks is None:
+            discovery_doc = self.get_discovery_document()
+            jwks_uri = discovery_doc["jwks_uri"]
+            response = requests.get(jwks_uri, timeout=30)
+            response.raise_for_status()
+            self._jwks = response.json()
+        return self._jwks
+
+    def get_token_endpoint(self) -> str:
+        """Get the token endpoint URL from discovery document"""
+        discovery_doc = self.get_discovery_document()
+        token_endpoint = discovery_doc.get("token_endpoint")
+        if not token_endpoint:
+            raise ValueError("Token endpoint not found in OIDC discovery document")
+        return token_endpoint
+
+    def obtain_access_token(self, pytest_cache=None) -> str:
+        """
+        Obtain access token using environment variable set by pytest master node.
+
+        The actual token fetching is handled by pytest_configure hooks in conftest.py,
+        which guarantees only one auth request per test session across all workers.
+
+        If OIDC is configured but no token is available, this will fail fast.
+        """
+        logger = logging.getLogger(__name__)
+        current_time = time.time()
+
+        # Check environment variable for cross-process token sharing
+        token_data = get_cached_token_from_env()
+        if token_data:
+            logger.info("Using environment variable cached access token")
+            # Cache in instance for future calls to avoid repeated parsing
+            self._access_token = token_data["access_token"]
+            self._token_expires_at = token_data["expires_at"]
+            return token_data["access_token"]
+
+        # Fallback: Check instance cache
+        if self._access_token and current_time < self._token_expires_at - 30:
+            logger.info("Using instance cached access token")
+            return self._access_token
+
+        # If OIDC is configured but no token is available, this is a critical failure
+        raise RuntimeError(
+            "OIDC authentication is configured but no valid token is available. "
+            "This indicates the oidc_token_fixture failed to retrieve a token. "
+            "Check OIDC configuration and ensure pytest hooks ran properly."
+        )
+
+    def decode_token_claims(self, token: str) -> Dict[str, Any]:
+        """Decode JWT token claims without signature verification (for testing)"""
+        return jwt.decode(token, options={"verify_signature": False})
+
+    def is_token_expired(self, token: str) -> bool:
+        """Check if a JWT token is expired"""
+        try:
+            claims = self.decode_token_claims(token)
+            exp = claims.get("exp")
+            if exp is None:
+                return False  # No expiration claim
+            return time.time() > exp
+        except Exception:
+            return True  # Invalid token is considered expired
+
+    def validate_token_structure(self, token: str) -> bool:
+        """Validate that token has correct JWT structure"""
+        try:
+            # Just check if it can be decoded (ignoring signature)
+            self.decode_token_claims(token)
+            return True
+        except Exception:
+            return False
+
+    def create_authenticated_headers(self) -> Dict[str, str]:
+        """Create HTTP headers with valid authentication token"""
+        token = self.obtain_access_token()
+        return {"Accept": "application/json", "Authorization": f"Bearer {token}"}
+
+    def get_malformed_test_tokens(self) -> Dict[str, str]:
+        """Get various malformed tokens for negative testing"""
+        return {
+            "malformed_structure": "not.a.jwt",
+            "empty": "",
+            "malformed_header": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ0ZXN0In0.invalid",
+            "wrong_issuer": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3dyb25nLWlzc3Vlci5jb20iLCJhdWQiOiJ0ZXN0IiwiZXhwIjo5OTk5OTk5OTk5fQ.signature",
+        }
+
+
+def skip_if_oidc_not_configured():
+    """Decorator to skip tests if OIDC test environment is not configured"""
+    import pytest
+
+    config = OidcTestConfig.from_environment()
+    return pytest.mark.skipif(
+        config is None,
+        reason="OIDC test environment not configured. Set OIDC_TEST_ISSUER, OIDC_TEST_CLIENT_ID, OIDC_TEST_CLIENT_SECRET, OIDC_TEST_USERNAME, OIDC_TEST_PASSWORD",
+    )
+
+
+# Global test helper instance (lazy loaded)
+_test_helper = None
+
+
+def get_oidc_test_helper() -> Optional[OidcTestHelper]:
+    """Get global OIDC test helper instance"""
+    global _test_helper
+    if _test_helper is None:
+        config = OidcTestConfig.from_environment()
+        if config:
+            _test_helper = OidcTestHelper(config)
+    return _test_helper
+
+
+def parse_cached_token(env_token: str) -> Optional[Dict[str, Any]]:
+    """
+    Parse and validate a base64-encoded token from environment variable.
+
+    Args:
+        env_token: Base64-encoded JSON token data from environment variable
+
+    Returns:
+        Parsed token data dict if valid, None if invalid or expired
+    """
+    try:
+        import base64
+
+        token_json = base64.b64decode(env_token.encode()).decode()
+        token_data = json.loads(token_json)
+        return token_data
+    except Exception as e:
+        logging.getLogger(__name__).warning(f"Failed to parse cached token: {e}")
+        return None
+
+
+def is_token_valid(token_data: Dict[str, Any], buffer_seconds: int = 30) -> bool:
+    """
+    Check if token data is valid and not expired.
+
+    Args:
+        token_data: Dictionary containing token information
+        buffer_seconds: Safety buffer before expiration (default 30 seconds)
+
+    Returns:
+        True if token is valid and not expired, False otherwise
+    """
+    if not token_data:
+        return False
+
+    access_token = token_data.get("access_token")
+    expires_at = token_data.get("expires_at", 0)
+
+    if not access_token:
+        return False
+
+    current_time = time.time()
+    return current_time < expires_at - buffer_seconds
+
+
+def encode_token_for_env(token_data: Dict[str, Any]) -> str:
+    """
+    Encode token data as base64 for storage in environment variables.
+
+    Args:
+        token_data: Dictionary containing token information
+
+    Returns:
+        Base64-encoded JSON string suitable for environment variable storage
+    """
+    import base64
+
+    token_json = json.dumps(token_data)
+    return base64.b64encode(token_json.encode()).decode()
+
+
+def get_cached_token_from_env(
+    env_var_name: str = "FELDERA_PYTEST_OIDC_TOKEN",
+) -> Optional[Dict[str, Any]]:
+    """
+    Retrieve and validate cached token from environment variable.
+
+    Args:
+        env_var_name: Name of environment variable containing cached token
+
+    Returns:
+        Valid token data if available and not expired, None otherwise
+    """
+    import os
+
+    env_token = os.getenv(env_var_name)
+    if not env_token:
+        return None
+
+    token_data = parse_cached_token(env_token)
+    if token_data and is_token_valid(token_data):
+        return token_data
+
+    return None
+
+
+def setup_token_cache() -> Optional[Dict[str, Any]]:
+    """
+    Set up OIDC token cache in environment variable if not already present.
+
+    This function:
+    1. Checks if a valid token is already cached
+    2. If not, fetches a new token
+    3. Stores the token in environment variable for cross-process access
+
+    Used by both pytest hooks and demo runners to ensure consistent token caching.
+
+    Returns:
+        Token data if successfully cached, None if OIDC not configured
+    """
+    import os
+
+    # Check if token is already cached and still valid
+    cached_token = get_cached_token_from_env()
+    if cached_token:
+        print("🔐 AUTH: Using existing cached OIDC token")
+        return cached_token
+
+    # Fetch new token if needed
+    token_data = fetch_oidc_token()
+    if token_data:
+        # Store in environment variable for reuse by subsequent processes
+        token_b64 = encode_token_for_env(token_data)
+        os.environ["FELDERA_PYTEST_OIDC_TOKEN"] = token_b64
+        print("🔐 AUTH: Token cached in environment for cross-process access")
+        return token_data
+    else:
+        print("🔐 AUTH: No OIDC configuration found, using fallback authentication")
+        return None
+
+
+def fetch_oidc_token() -> Optional[Dict[str, Any]]:
+    """
+    Fetch OIDC token using Resource Owner Password Grant flow.
+
+    This function is used by both pytest hooks and demo runners to ensure
+    consistent token fetching behavior across the entire test infrastructure.
+
+    Returns:
+        Dict containing access_token, expires_at, and cached_at if successful,
+        None if OIDC is not configured.
+    """
+    oidc_helper = get_oidc_test_helper()
+    if oidc_helper is None:
+        return None
+
+    print("🔐 AUTH: Fetching OIDC token")
+
+    try:
+        token_endpoint = oidc_helper.get_token_endpoint()
+        data = {
+            "grant_type": "password",
+            "username": oidc_helper.config.username,
+            "password": oidc_helper.config.password,
+            "client_id": oidc_helper.config.client_id,
+            "client_secret": oidc_helper.config.client_secret,
+            "scope": oidc_helper.config.scope,
+            "audience": "feldera-api",
+        }
+
+        headers = {
+            "Content-Type": "application/x-www-form-urlencoded",
+            "Accept": "application/json",
+        }
+
+        response = requests.post(token_endpoint, data=data, headers=headers, timeout=30)
+
+        if not response.ok:
+            print(f"🔐 AUTH: ❌ Token request FAILED: {response.status_code}")
+            raise Exception(
+                f"Token request failed: {response.status_code} - {response.text}"
+            )
+
+        token_response = response.json()
+        print("🔐 AUTH: ✅ Token request SUCCESS!")
+
+        access_token = token_response["access_token"]
+        expires_in = token_response.get("expires_in", 3600)
+        expires_at = time.time() + expires_in
+
+        return {
+            "access_token": access_token,
+            "expires_at": expires_at,
+            "cached_at": time.time(),
+        }
+
+    except Exception as e:
+        print(f"🔐 AUTH: CRITICAL FAILURE - Failed to fetch OIDC token: {e}")
+        raise RuntimeError(
+            f"OIDC authentication is configured but token retrieval failed: {e}"
+        ) from e

{feldera-0.148.0 → feldera-0.150.0}/feldera.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: feldera
-Version: 0.148.0
+Version: 0.150.0
 Summary: The feldera python client
 Author-email: Feldera Team <dev@feldera.com>
 License: MIT
@@ -20,6 +20,7 @@ Requires-Dist: typing-extensions
 Requires-Dist: numpy>=2.2.4
 Requires-Dist: pretty-errors
 Requires-Dist: ruff>=0.6.9
+Requires-Dist: PyJWT>=2.8.0
 
 # Feldera Python SDK
 

{feldera-0.148.0 → feldera-0.150.0}/feldera.egg-info/SOURCES.txt

@@ -10,6 +10,7 @@ feldera/pipeline_builder.py
 feldera/runtime_config.py
 feldera/stats.py
 feldera/testutils.py
+feldera/testutils_oidc.py
 feldera.egg-info/PKG-INFO
 feldera.egg-info/SOURCES.txt
 feldera.egg-info/dependency_links.txt

{feldera-0.148.0 → feldera-0.150.0}/feldera.egg-info/requires.txt

@@ -4,3 +4,4 @@ typing-extensions
 numpy>=2.2.4
 pretty-errors
 ruff>=0.6.9
+PyJWT>=2.8.0

{feldera-0.148.0 → feldera-0.150.0}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "setuptools.build_meta"
 name = "feldera"
 readme = "README.md"
 description = "The feldera python client"
-version = "0.148.0"
+version = "0.150.0"
 license = { text = "MIT" }
 requires-python = ">=3.10"
 authors = [
@@ -28,6 +28,7 @@ dependencies = [
     "numpy>=2.2.4",
     "pretty-errors",
     "ruff>=0.6.9",
+    "PyJWT>=2.8.0",
 ]
 [project.urls]
 Homepage = "https://www.feldera.com"
@@ -43,7 +44,7 @@ dev-dependencies = [
     "pytest>=8.3.5",
     "sphinx-rtd-theme==2.0.0",
     "sphinx==7.3.7",
-    "simplejson==3.20.1"
+    "simplejson==3.20.1",
 ]
 
 [tool.pytest.ini_options]