h2o-secure-store 1.0.0__tar.gz

h2o_secure_store-1.0.0/.gitignore

@@ -0,0 +1,8 @@
+src/.openapi-generator
+.pytest_cache
+dist
+__pycache__
+
+# Ignore custom scripts for local development & testing (except example.py and ambassador_host.yaml that we want to track).
+local/*
+!local/example.py

h2o_secure_store-1.0.0/Makefile

@@ -0,0 +1,23 @@
+build:
+	hatch -v build
+
+clean-build:
+	rm -rf dist
+
+test-unit:
+	hatch run test:unit -v
+
+test-api:
+	hatch run test:api -v
+
+test-e2e:
+	hatch run test:e2e -v
+
+lint-check:
+	hatch run lint:check -v
+
+lint-fix:
+	hatch run lint:fix -v
+
+generate-docs:
+	hatch run docs:generate -v

h2o_secure_store-1.0.0/PKG-INFO

@@ -0,0 +1,34 @@
+Metadata-Version: 2.3
+Name: h2o-secure-store
+Version: 1.0.0
+Summary: Python client for H2O Secure Store
+Project-URL: Documentation, https://docs.h2o.ai/secure-store/py/initialization
+Author-email: "H2O.ai" <support@h2o.ai>
+Requires-Python: >=3.8
+Requires-Dist: certifi>=2022.12.7
+Requires-Dist: gcloud>=0.18.3
+Requires-Dist: google-api-python-client>=2.108.0
+Requires-Dist: grpcio>=1.60.0
+Requires-Dist: h2o-authn>=1.1.0
+Requires-Dist: h2o-cloud-discovery>=2.1.0
+Requires-Dist: protobuf>=4.25.1
+Requires-Dist: python-dateutil>=2.8.2
+Requires-Dist: requests>=2.26.0
+Requires-Dist: urllib3>=1.26.15
+Description-Content-Type: text/markdown
+
+# `h2o-secure-store`
+
+[![pypi](https://img.shields.io/pypi/v/h2o-secure-store?style=flat-square)](https://pypi.org/project/h2o-secure-store/)
+
+Python client for [H2O Secure Store](https://docs.h2o.ai/secure-store/).
+
+## Installation
+
+```sh
+pip install h2o-secure-store
+```
+
+## Usage
+
+Visit the [documentation](https://docs.h2o.ai/secure-store/py/initialization) for more information.

h2o_secure_store-1.0.0/PUBLIC_README.md

@@ -0,0 +1,15 @@
+# `h2o-secure-store`
+
+[![pypi](https://img.shields.io/pypi/v/h2o-secure-store?style=flat-square)](https://pypi.org/project/h2o-secure-store/)
+
+Python client for [H2O Secure Store](https://docs.h2o.ai/secure-store/).
+
+## Installation
+
+```sh
+pip install h2o-secure-store
+```
+
+## Usage
+
+Visit the [documentation](https://docs.h2o.ai/secure-store/py/initialization) for more information.

h2o_secure_store-1.0.0/README.md

@@ -0,0 +1,40 @@
+# H2O Secure Store
+
+H2O Secure Store Python client.
+This Python client implements interaction with the Secure Store REST API server.
+
+## Local development
+
+This python project is managed by [hatch](https://github.com/pypa/hatch) (environment management, version management,
+dependency management, building, publishing, etc.).
+
+You're free to use any tools for local development for managing python environments that you're comfortable with.
+
+## Usage
+
+### Run using hatch
+
+You can run H2O Secure Store Python client using Hatch.
+Hatch will automatically create an environment and install all required dependencies:
+
+```shell
+hatch run python local/example.py
+```
+
+You can also switch to hatch's environment and run commands in it:
+
+```shell
+hatch shell
+python local/example.py
+```
+
+### Run in custom env
+
+If you want to use your own environment for running the client (global, virtual env, etc.), you can do so.
+For example to build, install and run H2O Secure Store Python client in the current python env:
+
+```shell
+hatch build
+pip install dist/h2o_secure_store-*.whl
+python local/example.py
+```

h2o_secure_store-1.0.0/pyproject.toml

@@ -0,0 +1,91 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "h2o-secure-store"
+dynamic = ["version"]
+description = 'Python client for H2O Secure Store'
+readme = "PUBLIC_README.md"
+requires-python = ">=3.8"
+keywords = []
+authors = [
+    { name = "H2O.ai", email = "support@h2o.ai" },
+]
+dependencies = [
+    "urllib3>=1.26.15",
+    "python-dateutil>=2.8.2",
+    "h2o-authn>=1.1.0",
+    "h2o-cloud-discovery>=2.1.0",
+    "requests>=2.26.0",
+    "certifi>=2022.12.7",
+    # GRPC client dependencies
+    "grpcio>=1.60.0",
+    "protobuf>=4.25.1",
+    "gcloud>=0.18.3",
+    "google-api-python-client>=2.108.0",
+]
+
+[project.urls]
+Documentation = "https://docs.h2o.ai/secure-store/py/initialization"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/h2o_secure_store"]
+
+[tool.hatch.version]
+path = "../../VERSION"
+pattern = "(?P<version>.*)"
+
+[tool.hatch.envs.lint]
+detached = true
+dependencies = [
+    "black==23.1.0",
+    "isort==5.12.0",
+    "autoflake==2.3.0",
+]
+
+[tool.hatch.envs.lint.scripts]
+# TODO use flake8 and mypy
+check = [
+    "black --check --diff .",
+    "isort --check --diff .",
+    "autoflake --check-diff ."
+]
+fix = [
+    "black .",
+    "isort .",
+    "autoflake ."
+]
+
+[tool.black]
+exclude = [
+    "src/h2o_secure_store/gen",
+    "local",
+]
+skip-magic-trailing-comma = true
+
+[tool.isort]
+skip = [
+    "src/h2o_secure_store/gen",
+    "local"
+]
+force_single_line = true
+known_application = ["h2o_secure_store"]
+profile = "black"
+
+[tool.autoflake]
+exclude = [
+    "*/gen/*",
+    "local",
+]
+remove_all_unused_imports = true
+recursive = true
+
+[tool.hatch.envs.test]
+dependencies = [
+    "pytest==8.2.1",
+    "psycopg2-binary==2.9.9",
+]
+
+[tool.hatch.envs.test.scripts]
+e2e = "python -m pytest tests/integration/e2e"

h2o_secure_store-1.0.0/src/.openapi-generator-ignore

@@ -0,0 +1,4 @@
+h2o_secure_store/__init__.py
+h2o_secure_store/gen_README.md
+h2o_secure_store/gen/test/*
+h2o_secure_store/gen/docs/*

h2o_secure_store-1.0.0/src/h2o_secure_store/__init__.py

@@ -0,0 +1,3 @@
+from h2o_secure_store.clients.login import login  # noqa
+from h2o_secure_store.clients.login import login_custom  # noqa
+from h2o_secure_store.clients.login import login_custom_with_token_provider  # noqa

h2o_secure_store-1.0.0/src/h2o_secure_store/clients/auth/token_api_client.py

@@ -0,0 +1,25 @@
+from typing import Callable
+
+from h2o_secure_store.gen.api_client import ApiClient
+from h2o_secure_store.gen.api_client import Configuration
+
+
+class TokenApiClient(ApiClient):
+    """Overrides update_params_for_auth method of the generated ApiClient classes"""
+
+    def __init__(self, configuration: Configuration, token_provider: Callable[[], str]):
+        self._token_provider = token_provider
+        super().__init__(configuration=configuration)
+
+    def update_params_for_auth(
+        self,
+        headers,
+        queries,
+        auth_settings,
+        resource_path,
+        method,
+        body,
+        request_auths=None,
+    ):
+        token = self._token_provider()
+        headers["Authorization"] = f"Bearer {token}"

h2o_secure_store-1.0.0/src/h2o_secure_store/clients/base/workspace.py

@@ -0,0 +1,5 @@
+# Reserved name of the global workspace.
+GLOBAL_WORKSPACE = "workspaces/global"
+
+# Reserved name of the default (personal) workspace.
+DEFAULT_WORKSPACE = "workspaces/default"

h2o_secure_store-1.0.0/src/h2o_secure_store/clients/connection_config.py

@@ -0,0 +1,110 @@
+import ssl
+from typing import Callable
+from typing import NamedTuple
+from typing import Optional
+from typing import Union
+
+import h2o_authn
+import h2o_discovery
+from h2o_authn import TokenProvider
+
+# Name of the platform client in the discovery response.
+PLATFORM_CLIENT_NAME = "platform"
+# Name of the Secure Store API service in the discovery response.
+SECURE_STORE_SERVICE_NAME = "secure-store"
+
+
+class ConnectionConfig(NamedTuple):
+    """Object holding connection configuration for the Secure Store API server."""
+
+    server_url: str
+    token_provider: Union[TokenProvider, Callable[[], str]]
+
+
+def get_connection(
+    server_url: str,
+    refresh_token: str,
+    issuer_url: str,
+    client_id: str,
+    client_secret: Optional[str] = None,
+) -> ConnectionConfig:
+    """Creates ConnectionConfig object. Initializes and tests token provider."""
+
+    # init token provider
+    tp = h2o_authn.TokenProvider(
+        issuer_url=issuer_url,
+        refresh_token=refresh_token,
+        client_id=client_id,
+        client_secret=client_secret,
+    )
+    # test token refresh
+    tp()
+
+    return ConnectionConfig(server_url=server_url, token_provider=tp)
+
+
+def discover_platform_connection(
+        environment_url: Optional[str] = None,
+        config_path: Optional[str] = None,
+        platform_token: Optional[str] = None,
+        token_provider: Optional[TokenProvider] = None,
+        ssl_context: Optional[ssl.SSLContext] = None,
+) -> ConnectionConfig:
+    """Creates ConnectionConfig object by discovering platform connection configuration using h2o_discovery.
+
+    :param environment_url: Override for the URL of the environment passed to the discovery service.
+    :param config_path: Override path to the h2o cli config file passed to the discovery service.
+    :param platform_token: Platform token. If not provided, the token will be discovered.
+    :param token_provider: Token provider. If not provided, the provider will be constructed from the discovered config.
+    :param ssl_context: SSL context to use for the discovery client.
+    """
+    # Discover the Secure Store server URL
+    d = h2o_discovery.discover(environment=environment_url, config_path=config_path, ssl_context=ssl_context)
+
+    secure_store_service = d.services.get(SECURE_STORE_SERVICE_NAME)
+    if secure_store_service is None:
+        raise Exception("Secure Store API service is not registered in discovery service")
+
+    secure_store_url = secure_store_service.uri
+    if not secure_store_url:
+        raise ConnectionError("Unable to discover Secure Store server URL connection value.")
+
+    # If the token provider is provided, use it to construct the connection config.
+    if token_provider is not None:
+        # Test token refresh
+        token_provider()
+        return ConnectionConfig(server_url=secure_store_url, token_provider=token_provider)
+
+    # If the token provider is not provided, construct it from the discovered config.
+    if not platform_token:
+        platform_client_credentials = d.credentials[PLATFORM_CLIENT_NAME]
+        if platform_client_credentials is None:
+            raise Exception("Platform client credentials are not available in discovery service")
+
+        platform_token = platform_client_credentials.refresh_token
+
+    if not platform_token:
+        raise ValueError(
+            "Please set the 'platform_token' argument or configure the H2O CLI."
+        )
+
+    # Discover client id
+    platform_client = d.clients.get(PLATFORM_CLIENT_NAME)
+    if platform_client is None:
+        raise Exception("platform client is not registered in discovery service")
+
+    client_id = platform_client.oauth2_client_id
+    if not client_id:
+        raise ConnectionError(
+            "Unable to discover platform oauth2_client_id connection value."
+        )
+
+    tp = h2o_authn.TokenProvider(
+        issuer_url=d.environment.issuer_url,
+        client_id=client_id,
+        refresh_token=platform_token,
+    )
+    # Test token refresh
+    tp()
+
+    return ConnectionConfig(server_url=secure_store_url, token_provider=tp)

h2o_secure_store-1.0.0/src/h2o_secure_store/clients/login.py

@@ -0,0 +1,175 @@
+import ssl
+from typing import Callable
+from typing import Optional
+from urllib.parse import urljoin
+
+import requests
+from h2o_authn import TokenProvider
+
+from h2o_secure_store.clients.connection_config import ConnectionConfig
+from h2o_secure_store.clients.connection_config import discover_platform_connection
+from h2o_secure_store.clients.connection_config import get_connection
+from h2o_secure_store.clients.oauth_client.client import OAuthClientClient
+from h2o_secure_store.clients.secret.client import SecretClient
+from h2o_secure_store.clients.secret_version.client import SecretVersionClient
+from h2o_secure_store.clients.token_source.client import TokenSourceClient
+
+
+class Clients:
+    def __init__(
+        self,
+        oauth_client_client: OAuthClientClient,
+        token_source_client: TokenSourceClient,
+        secret_client: SecretClient,
+        secret_version_client: SecretVersionClient,
+    ) -> None:
+        self.oauth_client_client = oauth_client_client
+        self.token_source_client = token_source_client
+        self.secret_client = secret_client
+        self.secret_version_client = secret_version_client
+
+
+def login(
+    environment: Optional[str] = None,
+    token_provider: Optional[TokenProvider] = None,
+    platform_token: Optional[str] = None,
+    config_path: Optional[str] = None,
+    verify_ssl: bool = True,
+    ssl_ca_cert: Optional[str] = None,
+) -> Clients:
+    """Initializes Secure Store clients for H2O AI Cloud.
+
+    All arguments are optional. Configuration-less login is dependent on having the H2O CLI configured.
+    See: https://docs.h2o.ai/h2o-ai-cloud/developerguide/cli#platform-token
+    The Discovery Service is used to discover the Secure Store server endpoint.
+    See: https://pypi.org/project/h2o-cloud-discovery/
+
+    Args:
+        environment (str, optional): The H2O Cloud environment URL to use (e.g. https://cloud.h2o.ai).
+            If left empty, the environment will be read from the H2O CLI configuration or environmental variables.
+            Then, h2o-cloud-discovery will be used to discover the Secure Store API server endpoint.
+        token_provider (TokenProvider, optional) = Token provider. Takes priority over platform_token argument.
+        platform_token (str, optional): H2O Platform Token.
+            If neither 'token_provider' nor 'platform_token' is provided the platform token will be read
+            from the H2O CLI configuration.
+        config_path: (str, optional): Path to the H2O AI Cloud configuration file.
+            Defaults to '~/.h2oai/h2o-cli-config.toml'.
+        verify_ssl: Set to False to disable SSL certificate verification.
+        ssl_ca_cert: Path to a CA cert bundle with certificates of trusted CAs.
+
+    Raises:
+        FileNotFoundError: When the H2O CLI configuration file is needed but cannot be found.
+        TomlDecodeError: When the H2O CLI configuration file is needed but cannot be processed.
+        LookupError: When the service endpoint cannot be discovered.
+        ConnectionError: When a communication with server failed.
+    """
+    ssl_context = ssl.create_default_context(cafile=ssl_ca_cert)  # Will use system store if None
+    if not verify_ssl:
+        ssl_context.check_hostname = False
+        ssl_context.verify_mode = ssl.CERT_NONE
+
+    cfg = discover_platform_connection(
+        environment_url=environment,
+        platform_token=platform_token,
+        token_provider=token_provider,
+        config_path=config_path,
+        ssl_context=ssl_context,
+    )
+
+    return __init_clients(
+        cfg=cfg, verify_ssl=verify_ssl, ssl_ca_cert=ssl_ca_cert,
+    )
+
+
+def login_custom(
+    endpoint: str,
+    refresh_token: str,
+    issuer_url: str,
+    client_id: str,
+    client_secret: Optional[str] = None,
+    verify_ssl: bool = True,
+    ssl_ca_cert: Optional[str] = None,
+) -> Clients:
+    """Initializes Secure store clients using h2o_authn to construct a token provider.
+
+    Args:
+        endpoint (str): The Secure Store API server endpoint URL (e.g. https://secure-store.cloud.h2o.ai).
+        refresh_token (str): The OIDC refresh token.
+        issuer_url (str): The OIDC issuer URL.
+        client_id (str): The OIDC Client ID that issued the 'refresh_token'.
+        client_secret (str, optional): Optional OIDC Client Secret that issued the 'refresh_token'. Defaults to None.
+        verify_ssl: Set to False to disable SSL certificate verification.
+        ssl_ca_cert: Path to a CA cert bundle with certificates of trusted CAs.
+    """
+    # Remove trailing slash from the URL for the generated clients
+    endpoint = endpoint.rstrip("/")
+    cfg = get_connection(
+        server_url=endpoint,
+        refresh_token=refresh_token,
+        issuer_url=issuer_url,
+        client_id=client_id,
+        client_secret=client_secret,
+    )
+
+    return __init_clients(
+        cfg=cfg, verify_ssl=verify_ssl, ssl_ca_cert=ssl_ca_cert,
+    )
+
+
+def login_custom_with_token_provider(
+    endpoint: str,
+    token_provider: Callable[[], str],
+    verify_ssl: bool = True,
+    ssl_ca_cert: Optional[str] = None,
+) -> Clients:
+    """Initializes Secure store clients using a custom token provider.
+
+    A token provider can be constructed using h2o_authn:
+    token_provider = h2o_authn.TokenProvider(
+        issuer_url=issuer_url,
+        refresh_token=refresh_token,
+        client_id=client_id,
+        client_secret=client_secret,
+    )
+
+    Args:
+        endpoint (str): The Secure Store API server endpoint URL (e.g. https://secure-store.cloud.h2o.ai).
+        token_provider (Callable[[], str]): A callable that returns an OIDC access token.
+        verify_ssl: Set to False to disable SSL certificate verification.
+        ssl_ca_cert: Path to a CA cert bundle with certificates of trusted CAs.
+    """
+    # Remove trailing slash from the URL for the generated clients
+    endpoint = endpoint.rstrip("/")
+    # Test token refresh
+    token_provider()
+    cfg = ConnectionConfig(server_url=endpoint, token_provider=token_provider)
+
+    return __init_clients(
+        cfg=cfg, verify_ssl=verify_ssl, ssl_ca_cert=ssl_ca_cert,
+    )
+
+
+def __init_clients(
+    cfg: ConnectionConfig,
+    verify_ssl: bool,
+    ssl_ca_cert: Optional[str],
+):
+    # Verify that the server is reachable
+    version_url = urljoin(cfg.server_url, "version")
+    resp = requests.get(version_url)
+    if not (200 <= resp.status_code <= 299):
+        raise ConnectionError(
+            f"Server is not reachable. Status code: {resp.status_code}, Response body: {resp.text}"
+        )
+
+    oauth_client_client = OAuthClientClient(connection_config=cfg, verify_ssl=verify_ssl, ssl_ca_cert=ssl_ca_cert)
+    token_source_client = TokenSourceClient(connection_config=cfg, verify_ssl=verify_ssl, ssl_ca_cert=ssl_ca_cert)
+    secret_client = SecretClient(connection_config=cfg, verify_ssl=verify_ssl, ssl_ca_cert=ssl_ca_cert)
+    secret_version_client = SecretVersionClient(connection_config=cfg, verify_ssl=verify_ssl, ssl_ca_cert=ssl_ca_cert)
+
+    return Clients(
+        oauth_client_client=oauth_client_client,
+        token_source_client=token_source_client,
+        secret_client=secret_client,
+        secret_version_client=secret_version_client,
+    )