feldera 0.149.0__tar.gz → 0.151.0__tar.gz

{feldera-0.149.0 → feldera-0.151.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: feldera
-Version: 0.149.0
+Version: 0.151.0
 Summary: The feldera python client
 Author-email: Feldera Team <dev@feldera.com>
 License: MIT
@@ -20,6 +20,7 @@ Requires-Dist: typing-extensions
 Requires-Dist: numpy>=2.2.4
 Requires-Dist: pretty-errors
 Requires-Dist: ruff>=0.6.9
+Requires-Dist: PyJWT>=2.8.0
 
 # Feldera Python SDK
 

{feldera-0.149.0 → feldera-0.151.0}/feldera/testutils.py

@@ -15,6 +15,28 @@ from feldera.runtime_config import Resources, RuntimeConfig
 from feldera.rest import FelderaClient
 
 API_KEY = os.environ.get("FELDERA_API_KEY")
+
+
+# OIDC authentication support
+def _get_oidc_token():
+    """Get OIDC token if environment is configured, otherwise return None"""
+    try:
+        from feldera.testutils_oidc import get_oidc_test_helper
+
+        oidc_helper = get_oidc_test_helper()
+        if oidc_helper is not None:
+            return oidc_helper.obtain_access_token()
+    except ImportError:
+        pass
+    return None
+
+
+def _get_effective_api_key():
+    """Get effective API key - OIDC token takes precedence over static API key"""
+    oidc_token = _get_oidc_token()
+    return oidc_token if oidc_token else API_KEY
+
+
 BASE_URL = (
     os.environ.get("FELDERA_HOST")
     or os.environ.get("FELDERA_BASE_URL")
@@ -44,6 +66,7 @@ class _LazyClient:
         if self._client is None:
             self._client = FelderaClient(
                 connection_timeout=10,
+                api_key=_get_effective_api_key(),
             )
         return self._client
 

feldera-0.151.0/feldera/testutils_oidc.py

@@ -0,0 +1,368 @@
+"""
+OIDC Authentication Test Helper
+
+Utilities for testing OIDC authentication integration with remote providers.
+Provides token generation, validation helpers, and test configuration.
+"""
+
+import os
+import time
+import json
+import requests
+import jwt
+import logging
+from typing import Optional, Dict, Any
+from dataclasses import dataclass
+
+
+@dataclass
+class OidcTestConfig:
+    """Configuration for OIDC authentication tests using Resource Owner Password Flow"""
+
+    issuer: str
+    client_id: str
+    client_secret: str
+    username: str
+    password: str
+    scope: str = "openid profile email"
+
+    @classmethod
+    def from_environment(cls) -> Optional["OidcTestConfig"]:
+        """Load OIDC test configuration from environment variables"""
+        issuer = os.getenv("OIDC_TEST_ISSUER")
+        client_id = os.getenv("OIDC_TEST_CLIENT_ID")
+        client_secret = os.getenv("OIDC_TEST_CLIENT_SECRET")
+        username = os.getenv("OIDC_TEST_USERNAME")
+        password = os.getenv("OIDC_TEST_PASSWORD")
+
+        # All fields are required
+        if not all([issuer, client_id, client_secret, username, password]):
+            return None
+
+        return cls(
+            issuer=issuer,
+            client_id=client_id,
+            client_secret=client_secret,
+            username=username,
+            password=password,
+            scope=os.getenv("OIDC_TEST_SCOPE", "openid profile email"),
+        )
+
+
+class OidcTestHelper:
+    """Helper class for OIDC authentication testing"""
+
+    def __init__(self, config: OidcTestConfig):
+        self.config = config
+        self._discovery_doc = None
+        self._jwks = None
+        self._access_token = None
+        self._token_expires_at = 0
+
+    def get_discovery_document(self) -> Dict[str, Any]:
+        """Fetch and cache the OIDC discovery document"""
+        if self._discovery_doc is None:
+            discovery_url = (
+                f"{self.config.issuer.rstrip('/')}/.well-known/openid-configuration"
+            )
+            response = requests.get(discovery_url, timeout=30)
+            response.raise_for_status()
+            self._discovery_doc = response.json()
+        return self._discovery_doc
+
+    def get_jwks(self) -> Dict[str, Any]:
+        """Fetch and cache the JSON Web Key Set"""
+        if self._jwks is None:
+            discovery_doc = self.get_discovery_document()
+            jwks_uri = discovery_doc["jwks_uri"]
+            response = requests.get(jwks_uri, timeout=30)
+            response.raise_for_status()
+            self._jwks = response.json()
+        return self._jwks
+
+    def get_token_endpoint(self) -> str:
+        """Get the token endpoint URL from discovery document"""
+        discovery_doc = self.get_discovery_document()
+        token_endpoint = discovery_doc.get("token_endpoint")
+        if not token_endpoint:
+            raise ValueError("Token endpoint not found in OIDC discovery document")
+        return token_endpoint
+
+    def obtain_access_token(self, pytest_cache=None) -> str:
+        """
+        Obtain access token using environment variable set by pytest master node.
+
+        The actual token fetching is handled by pytest_configure hooks in conftest.py,
+        which guarantees only one auth request per test session across all workers.
+
+        If OIDC is configured but no token is available, this will fail fast.
+        """
+        logger = logging.getLogger(__name__)
+        current_time = time.time()
+
+        # Check environment variable for cross-process token sharing
+        token_data = get_cached_token_from_env()
+        if token_data:
+            logger.info("Using environment variable cached access token")
+            # Cache in instance for future calls to avoid repeated parsing
+            self._access_token = token_data["access_token"]
+            self._token_expires_at = token_data["expires_at"]
+            return token_data["access_token"]
+
+        # Fallback: Check instance cache
+        if self._access_token and current_time < self._token_expires_at - 30:
+            logger.info("Using instance cached access token")
+            return self._access_token
+
+        # If OIDC is configured but no token is available, this is a critical failure
+        raise RuntimeError(
+            "OIDC authentication is configured but no valid token is available. "
+            "This indicates the oidc_token_fixture failed to retrieve a token. "
+            "Check OIDC configuration and ensure pytest hooks ran properly."
+        )
+
+    def decode_token_claims(self, token: str) -> Dict[str, Any]:
+        """Decode JWT token claims without signature verification (for testing)"""
+        return jwt.decode(token, options={"verify_signature": False})
+
+    def is_token_expired(self, token: str) -> bool:
+        """Check if a JWT token is expired"""
+        try:
+            claims = self.decode_token_claims(token)
+            exp = claims.get("exp")
+            if exp is None:
+                return False  # No expiration claim
+            return time.time() > exp
+        except Exception:
+            return True  # Invalid token is considered expired
+
+    def validate_token_structure(self, token: str) -> bool:
+        """Validate that token has correct JWT structure"""
+        try:
+            # Just check if it can be decoded (ignoring signature)
+            self.decode_token_claims(token)
+            return True
+        except Exception:
+            return False
+
+    def create_authenticated_headers(self) -> Dict[str, str]:
+        """Create HTTP headers with valid authentication token"""
+        token = self.obtain_access_token()
+        return {"Accept": "application/json", "Authorization": f"Bearer {token}"}
+
+    def get_malformed_test_tokens(self) -> Dict[str, str]:
+        """Get various malformed tokens for negative testing"""
+        return {
+            "malformed_structure": "not.a.jwt",
+            "empty": "",
+            "malformed_header": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ0ZXN0In0.invalid",
+            "wrong_issuer": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3dyb25nLWlzc3Vlci5jb20iLCJhdWQiOiJ0ZXN0IiwiZXhwIjo5OTk5OTk5OTk5fQ.signature",
+        }
+
+
+def skip_if_oidc_not_configured():
+    """Decorator to skip tests if OIDC test environment is not configured"""
+    import pytest
+
+    config = OidcTestConfig.from_environment()
+    return pytest.mark.skipif(
+        config is None,
+        reason="OIDC test environment not configured. Set OIDC_TEST_ISSUER, OIDC_TEST_CLIENT_ID, OIDC_TEST_CLIENT_SECRET, OIDC_TEST_USERNAME, OIDC_TEST_PASSWORD",
+    )
+
+
+# Global test helper instance (lazy loaded)
+_test_helper = None
+
+
+def get_oidc_test_helper() -> Optional[OidcTestHelper]:
+    """Get global OIDC test helper instance"""
+    global _test_helper
+    if _test_helper is None:
+        config = OidcTestConfig.from_environment()
+        if config:
+            _test_helper = OidcTestHelper(config)
+    return _test_helper
+
+
+def parse_cached_token(env_token: str) -> Optional[Dict[str, Any]]:
+    """
+    Parse and validate a base64-encoded token from environment variable.
+
+    Args:
+        env_token: Base64-encoded JSON token data from environment variable
+
+    Returns:
+        Parsed token data dict if valid, None if invalid or expired
+    """
+    try:
+        import base64
+
+        token_json = base64.b64decode(env_token.encode()).decode()
+        token_data = json.loads(token_json)
+        return token_data
+    except Exception as e:
+        logging.getLogger(__name__).warning(f"Failed to parse cached token: {e}")
+        return None
+
+
+def is_token_valid(token_data: Dict[str, Any], buffer_seconds: int = 30) -> bool:
+    """
+    Check if token data is valid and not expired.
+
+    Args:
+        token_data: Dictionary containing token information
+        buffer_seconds: Safety buffer before expiration (default 30 seconds)
+
+    Returns:
+        True if token is valid and not expired, False otherwise
+    """
+    if not token_data:
+        return False
+
+    access_token = token_data.get("access_token")
+    expires_at = token_data.get("expires_at", 0)
+
+    if not access_token:
+        return False
+
+    current_time = time.time()
+    return current_time < expires_at - buffer_seconds
+
+
+def encode_token_for_env(token_data: Dict[str, Any]) -> str:
+    """
+    Encode token data as base64 for storage in environment variables.
+
+    Args:
+        token_data: Dictionary containing token information
+
+    Returns:
+        Base64-encoded JSON string suitable for environment variable storage
+    """
+    import base64
+
+    token_json = json.dumps(token_data)
+    return base64.b64encode(token_json.encode()).decode()
+
+
+def get_cached_token_from_env(
+    env_var_name: str = "FELDERA_PYTEST_OIDC_TOKEN",
+) -> Optional[Dict[str, Any]]:
+    """
+    Retrieve and validate cached token from environment variable.
+
+    Args:
+        env_var_name: Name of environment variable containing cached token
+
+    Returns:
+        Valid token data if available and not expired, None otherwise
+    """
+    import os
+
+    env_token = os.getenv(env_var_name)
+    if not env_token:
+        return None
+
+    token_data = parse_cached_token(env_token)
+    if token_data and is_token_valid(token_data):
+        return token_data
+
+    return None
+
+
+def setup_token_cache() -> Optional[Dict[str, Any]]:
+    """
+    Set up OIDC token cache in environment variable if not already present.
+
+    This function:
+    1. Checks if a valid token is already cached
+    2. If not, fetches a new token
+    3. Stores the token in environment variable for cross-process access
+
+    Used by both pytest hooks and demo runners to ensure consistent token caching.
+
+    Returns:
+        Token data if successfully cached, None if OIDC not configured
+    """
+    import os
+
+    # Check if token is already cached and still valid
+    cached_token = get_cached_token_from_env()
+    if cached_token:
+        print("🔐 AUTH: Using existing cached OIDC token")
+        return cached_token
+
+    # Fetch new token if needed
+    token_data = fetch_oidc_token()
+    if token_data:
+        # Store in environment variable for reuse by subsequent processes
+        token_b64 = encode_token_for_env(token_data)
+        os.environ["FELDERA_PYTEST_OIDC_TOKEN"] = token_b64
+        print("🔐 AUTH: Token cached in environment for cross-process access")
+        return token_data
+    else:
+        print("🔐 AUTH: No OIDC configuration found, using fallback authentication")
+        return None
+
+
+def fetch_oidc_token() -> Optional[Dict[str, Any]]:
+    """
+    Fetch OIDC token using Resource Owner Password Grant flow.
+
+    This function is used by both pytest hooks and demo runners to ensure
+    consistent token fetching behavior across the entire test infrastructure.
+
+    Returns:
+        Dict containing access_token, expires_at, and cached_at if successful,
+        None if OIDC is not configured.
+    """
+    oidc_helper = get_oidc_test_helper()
+    if oidc_helper is None:
+        return None
+
+    print("🔐 AUTH: Fetching OIDC token")
+
+    try:
+        token_endpoint = oidc_helper.get_token_endpoint()
+        data = {
+            "grant_type": "password",
+            "username": oidc_helper.config.username,
+            "password": oidc_helper.config.password,
+            "client_id": oidc_helper.config.client_id,
+            "client_secret": oidc_helper.config.client_secret,
+            "scope": oidc_helper.config.scope,
+            "audience": "feldera-api",
+        }
+
+        headers = {
+            "Content-Type": "application/x-www-form-urlencoded",
+            "Accept": "application/json",
+        }
+
+        response = requests.post(token_endpoint, data=data, headers=headers, timeout=30)
+
+        if not response.ok:
+            print(f"🔐 AUTH: ❌ Token request FAILED: {response.status_code}")
+            raise Exception(
+                f"Token request failed: {response.status_code} - {response.text}"
+            )
+
+        token_response = response.json()
+        print("🔐 AUTH: ✅ Token request SUCCESS!")
+
+        access_token = token_response["access_token"]
+        expires_in = token_response.get("expires_in", 3600)
+        expires_at = time.time() + expires_in
+
+        return {
+            "access_token": access_token,
+            "expires_at": expires_at,
+            "cached_at": time.time(),
+        }
+
+    except Exception as e:
+        print(f"🔐 AUTH: CRITICAL FAILURE - Failed to fetch OIDC token: {e}")
+        raise RuntimeError(
+            f"OIDC authentication is configured but token retrieval failed: {e}"
+        ) from e

{feldera-0.149.0 → feldera-0.151.0}/feldera.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: feldera
-Version: 0.149.0
+Version: 0.151.0
 Summary: The feldera python client
 Author-email: Feldera Team <dev@feldera.com>
 License: MIT
@@ -20,6 +20,7 @@ Requires-Dist: typing-extensions
 Requires-Dist: numpy>=2.2.4
 Requires-Dist: pretty-errors
 Requires-Dist: ruff>=0.6.9
+Requires-Dist: PyJWT>=2.8.0
 
 # Feldera Python SDK
 

{feldera-0.149.0 → feldera-0.151.0}/feldera.egg-info/SOURCES.txt

@@ -10,6 +10,7 @@ feldera/pipeline_builder.py
 feldera/runtime_config.py
 feldera/stats.py
 feldera/testutils.py
+feldera/testutils_oidc.py
 feldera.egg-info/PKG-INFO
 feldera.egg-info/SOURCES.txt
 feldera.egg-info/dependency_links.txt

{feldera-0.149.0 → feldera-0.151.0}/feldera.egg-info/requires.txt

@@ -4,3 +4,4 @@ typing-extensions
 numpy>=2.2.4
 pretty-errors
 ruff>=0.6.9
+PyJWT>=2.8.0

{feldera-0.149.0 → feldera-0.151.0}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "setuptools.build_meta"
 name = "feldera"
 readme = "README.md"
 description = "The feldera python client"
-version = "0.149.0"
+version = "0.151.0"
 license = { text = "MIT" }
 requires-python = ">=3.10"
 authors = [
@@ -28,6 +28,7 @@ dependencies = [
     "numpy>=2.2.4",
     "pretty-errors",
     "ruff>=0.6.9",
+    "PyJWT>=2.8.0",
 ]
 [project.urls]
 Homepage = "https://www.feldera.com"
@@ -43,7 +44,7 @@ dev-dependencies = [
     "pytest>=8.3.5",
     "sphinx-rtd-theme==2.0.0",
     "sphinx==7.3.7",
-    "simplejson==3.20.1"
+    "simplejson==3.20.1",
 ]
 
 [tool.pytest.ini_options]