iaptoolkit 0.0.2__tar.gz → 0.0.4__tar.gz

{iaptoolkit-0.0.2 → iaptoolkit-0.0.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: iaptoolkit
-Version: 0.0.2
+Version: 0.0.4
 Summary: Library of common utils for interacting with Identity-Aware Proxies
 Author: Rob Voigt
 Author-email: code@ravoigt.com
@@ -9,7 +9,7 @@ Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Requires-Dist: google-auth (>=2.26.2,<3.0.0)
-Requires-Dist: kvcommon (>=0.0.6,<0.0.7)
+Requires-Dist: kvcommon (>=0.0.7.1,<0.0.8.0)
 Requires-Dist: pytest (>=7.4.4,<8.0.0)
 Requires-Dist: requests (>=2.31.0,<3.0.0)
 Requires-Dist: toml (>=0.10.2,<0.11.0)

{iaptoolkit-0.0.2 → iaptoolkit-0.0.4}/pyproject.toml

@@ -1,18 +1,34 @@
 [tool.poetry]
 name = "iaptoolkit"
-version = "0.0.2"
+version = "0.0.4"
 description = "Library of common utils for interacting with Identity-Aware Proxies"
 authors = ["Rob Voigt <code@ravoigt.com>"]
 readme = "README.md"
 
+[build-system]
+requires = ["poetry-core>=1.0.0"]
+build-backend = "poetry.core.masonry.api"
+
+[project.urls]
+Homepage = "https://github.com/RAVoigt/iaptoolkit"
+Repository = "https://github.com/RAVoigt/iaptoolkit"
+
+# ================================
+# Tools etc.
+[tool.black]
+line-length = 100
+target-version = ['py311']
+include = '\.pyi?$'
+
+# ================================
+# Dependencies
 [tool.poetry.dependencies]
 python = "^3.11"
 google-auth = "^2.26.2"
 requests = "^2.31.0"
 pytest = "^7.4.4"
 toml = "^0.10.2"
-kvcommon = "^0.0.6"
-
+kvcommon = "^0.0.7.1"
 
 [tool.poetry.dev-dependencies]
 black = "*"
@@ -25,12 +41,6 @@ pytest-cov = "*"
 pytest-socket = "*"
 pyfakefs = "^5.3.2"
 
-
-[tool.black]
-line-length = 100
-target-version = ['py311']
-include = '\.pyi?$'
-
-[build-system]
-requires = ["poetry-core>=1.0.0"]
-build-backend = "poetry.core.masonry.api"
+# [tool.poetry.extras]
+# flask = ["flask"]
+# k8s = ["kubernetes"]

{iaptoolkit-0.0.2 → iaptoolkit-0.0.4}/src/iaptoolkit/exceptions.py

@@ -24,7 +24,7 @@ class TokenStorageException(TokenException):
 
 class ServiceAccountTokenException(TokenException):
     def __init__(
-        self, message: str, google_exception: t.Union[DefaultCredentialsError, RefreshError]
+        self, message: str, google_exception: t.Union[DefaultCredentialsError, RefreshError] | None
     ):
         self.google_exception = google_exception
         credentials_env_var_value = os.environ.get(GOOGLE_CREDENTIALS_FILE_PATH)
@@ -40,7 +40,7 @@ class ServiceAccountTokenException(TokenException):
 
     @property
     def retryable(self):
-        return self.google_exception._retryable
+        return self.google_exception and self.google_exception._retryable
 
 
 class ServiceAccountNoDefaultCredentials(ServiceAccountTokenException):
@@ -49,3 +49,7 @@ class ServiceAccountNoDefaultCredentials(ServiceAccountTokenException):
 
 class ServiceAccountTokenFailedRefresh(ServiceAccountTokenException):
     pass
+
+
+class InvalidDomain(IAPToolkitBaseException):
+    pass

{iaptoolkit-0.0.2 → iaptoolkit-0.0.4}/src/iaptoolkit/headers.py

@@ -4,13 +4,13 @@ from kvcommon import logger
 
 from iaptoolkit.constants import GOOGLE_IAP_AUTH_HEADER
 from iaptoolkit.constants import GOOGLE_IAP_AUTH_HEADER_PROXY
-from iaptoolkit.tokens import get_token_for_google_service_account as get_token
+from iaptoolkit.tokens import get_token_for_google_service_account
 from iaptoolkit.tokens.structs import ResultAddTokenHeader
 from iaptoolkit.utils.urls import is_url_safe_for_token
 from iaptoolkit.vars import IAPTOOLKIT_USE_AUTH_HEADER
+from iaptoolkit.vars import GOOGLE_IAP_CLIENT_ID
 
-
-LOG = logger.get_logger("iaptoolkit")
+LOG = logger.get_logger("iaptk")
 
 
 def _sanitize_request_header(headers_dict: dict, header_key: str):
@@ -39,7 +39,7 @@ def sanitize_request_headers(headers: dict) -> dict:
     return log_safe_headers
 
 
-def add_token_to_request_headers(request_headers: dict, use_oauth2: bool) -> bool:
+def add_token_to_request_headers(request_headers: dict, use_oauth2: bool, iap_client_id: str) -> bool:
     """
     Adds Bearer token to headers dict. Modifies dict in-place.
     Returns True if added token is a fresh one, or False if token is from cache
@@ -47,7 +47,7 @@ def add_token_to_request_headers(request_headers: dict, use_oauth2: bool) -> boo
     # TODO: Make this less google-specific, or move it to a google-specific implementation
     # TODO: oauth2
 
-    token_refresh_struct = get_token()
+    token_refresh_struct = get_token_for_google_service_account(iap_client_id=iap_client_id)
     id_token: str = token_refresh_struct.id_token
     auth_header_str = "Bearer {}".format(id_token)
 
@@ -73,7 +73,8 @@ def check_url_and_add_token_header(
     url: str,
     request_headers: dict,
     use_oauth2: bool = False,
-    valid_domains: t.Optional[t.List[str]] = None,
+    valid_domains: t.List[str] | None = None,
+    iap_client_id: str = GOOGLE_IAP_CLIENT_ID
 ) -> ResultAddTokenHeader:
     """Prevent inadvertently sending private tokens to arbitrary locations.
     Returns:
@@ -85,7 +86,7 @@ def check_url_and_add_token_header(
 
     # Verify that the url's domain is one we allow before adding a token
     if is_url_safe_for_token(url_parts, valid_domains):
-        token_is_fresh = add_token_to_request_headers(request_headers, use_oauth2)
+        token_is_fresh = add_token_to_request_headers(request_headers, use_oauth2, iap_client_id=iap_client_id)
         return ResultAddTokenHeader(token_added=True, token_is_fresh=token_is_fresh)
     else:
         LOG.warn(

{iaptoolkit-0.0.2 → iaptoolkit-0.0.4}/src/iaptoolkit/tokens/__init__.py

@@ -3,7 +3,6 @@ from kvcommon import logger
 from iaptoolkit.exceptions import ServiceAccountTokenException
 from iaptoolkit.exceptions import TokenStorageException
 from iaptoolkit.exceptions import TokenException
-from iaptoolkit.vars import GOOGLE_IAP_CLIENT_ID
 
 from .structs import TokenStruct
 from .structs import TokenRefreshStruct
@@ -13,14 +12,12 @@ from .structs import TokenRefreshStruct
 # from .service_account import ServiceAccount
 from .service_account import GoogleServiceAccount
 
-LOG = logger.get_logger("iaptoolkit")
+LOG = logger.get_logger("iaptk")
 
-google_sa_token_client = GoogleServiceAccount(GOOGLE_IAP_CLIENT_ID)
 
-
-def get_token_for_google_service_account(iap_client_id: str = GOOGLE_IAP_CLIENT_ID):
+def get_token_for_google_service_account(iap_client_id):
     try:
-        return GoogleServiceAccount(GOOGLE_IAP_CLIENT_ID).get_token()
+        return GoogleServiceAccount(iap_client_id).get_token()
     except ServiceAccountTokenException as ex:
         LOG.debug(ex)
         raise

{iaptoolkit-0.0.2 → iaptoolkit-0.0.4}/src/iaptoolkit/tokens/service_account.py

@@ -16,7 +16,6 @@ from iaptoolkit.exceptions import ServiceAccountTokenFailedRefresh
 from iaptoolkit.exceptions import ServiceAccountNoDefaultCredentials
 from iaptoolkit.exceptions import TokenStorageException
 
-from iaptoolkit.vars import GOOGLE_IAP_CLIENT_ID
 # from iaptoolkit.vars import GOOGLE_CLIENT_ID
 # from iaptoolkit.vars import GOOGLE_CLIENT_SECRET
 
@@ -24,13 +23,13 @@ from .structs import TokenStruct
 from .structs import TokenRefreshStruct
 
 
-LOG = logger.get_logger("iaptoolkit")
+LOG = logger.get_logger("iaptk")
 MAX_RECURSE = 3
 
 
 class ServiceAccount(object):
-    """Base class for interacting with service accounts and OIDC tokens for IAP
-    """
+    """Base class for interacting with service accounts and OIDC tokens for IAP"""
+
     # TODO: This is a static namespace for SA functions. Turn it into a per-iap-client-id client
     # TODO: Move Google-specific logic to GoogleServiceAccount
 
@@ -166,9 +165,13 @@ class ServiceAccount(object):
 
 
 class GoogleServiceAccount(ServiceAccount):
-    """For interacting with Google service accounts and OIDC tokens for Google IAP
-    """
-    def __init__(self, iap_client_id: str = GOOGLE_IAP_CLIENT_ID) -> None:
+    """For interacting with Google service accounts and OIDC tokens for Google IAP"""
+
+    def __init__(self, iap_client_id: str) -> None:
+        if not iap_client_id or not isinstance(iap_client_id, str):
+            raise ServiceAccountTokenException(
+                "Invalid iap_client_id for GoogleServiceAccount", google_exception=None
+            )
         self._iap_client_id = iap_client_id
         super().__init__()
 

{iaptoolkit-0.0.2 → iaptoolkit-0.0.4}/src/iaptoolkit/tokens/structs.py

@@ -5,7 +5,7 @@ import typing as t
 from kvcommon import logger
 
 
-LOG = logger.get_logger("iaptoolkit")
+LOG = logger.get_logger("iaptk")
 
 
 @dataclass(kw_only=True)

{iaptoolkit-0.0.2 → iaptoolkit-0.0.4}/src/iaptoolkit/tokens/token_datastore.py

@@ -13,7 +13,7 @@ from iaptoolkit.vars import PERSISTENT_DATASTORE_PATH
 from iaptoolkit.vars import PERSISTENT_DATASTORE_USERNAME
 
 
-LOG = logger.get_logger("iaptoolkit-datastore")
+LOG = logger.get_logger("iaptk-ds")
 
 
 class TokenDatastore(VersionedDatastore):

{iaptoolkit-0.0.2 → iaptoolkit-0.0.4}/src/iaptoolkit/utils/urls.py

@@ -4,13 +4,9 @@ from urllib.parse import ParseResult
 from kvcommon import logger
 from kvcommon.urls import get_netloc_without_port_from_url_parts
 
-from iaptoolkit.exceptions import IAPToolkitBaseException
+from iaptoolkit.exceptions import InvalidDomain
 
-LOG = logger.get_logger("iaptoolkit")
-
-
-class InvalidDomain(IAPToolkitBaseException):
-    pass
+LOG = logger.get_logger("iaptk")
 
 
 def is_url_safe_for_token(