iaptoolkit 0.1.0__tar.gz → 0.2.0__tar.gz

iaptoolkit-0.2.0/PKG-INFO

@@ -0,0 +1,69 @@
+Metadata-Version: 2.1
+Name: iaptoolkit
+Version: 0.2.0
+Summary: Library of common utils for interacting with Identity-Aware Proxies
+Author: Rob Voigt
+Author-email: code@ravoigt.com
+Requires-Python: >=3.11,<4.0
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Dist: google-auth (>=2.29.0,<3.0.0)
+Requires-Dist: kvcommon (>=0.1.1,<0.2.0)
+Requires-Dist: pytest (>=7.4.4,<8.0.0)
+Requires-Dist: requests (>=2.31.0,<3.0.0)
+Requires-Dist: toml (>=0.10.2,<0.11.0)
+Description-Content-Type: text/markdown
+
+# IAP Toolkit
+
+A library of utils to ease programmatic authentication with Google IAP (and ideally other IAPs in future).
+
+
+## Quick Start / Example Usage
+
+```python
+import requests
+
+from iaptoolkit import IAPToolkit
+
+iaptk = IAPToolkit(google_iap_client_id="EXAMPLE_ID_123456789ABCDEF")
+allowed_domains = ["example.com", ]
+
+
+# Example #1 - Combined Calls
+def example1(url: str):
+    headers = dict()
+    result = iaptk.check_url_and_add_token_header(
+        url=url,
+        request_headers=headers,
+        valid_domains=allowed_domains
+    )
+    # result.token_added (bool) indicates if the token was added, depending on whether or not URL was valid
+    # headers dict now contains the appropriate Bearer Token header for Google IAP
+
+    # Make HTTP GET request with requests lib, with our headers containing bearer token to auth with IAP
+    response = requests.request("GET", url, headers=headers)
+
+
+# Example #2 - Separate Calls - Functionally the same as Example 1 but more flexibility in URL validation
+def example1(url: str):
+    is_url_safe: bool = iaptk.is_url_safe_for_token(url=url, valid_domains=valid_domains)
+
+    if not is_url_safe:
+        raise ExampleBadURLException("This URL isn't safe to send token headers to!")
+
+    headers = dict()
+    token_is_fresh: bool = iaptk.get_token_and_add_to_headers(request_headers=headers)
+    # token_is_fresh indicates if token was newly retrieved (True), or if a cached token was reused (False)
+    # headers dict now contains the appropriate Bearer Token header for Google IAP
+
+    # Make HTTP GET request with requests lib, with our headers containing bearer token to auth with IAP
+    response = requests.request("GET", url, headers=headers)
+
+```
+
+## Disclaimer
+
+This project is not affiliated with Google. No trademark infringement intended.
+

iaptoolkit-0.2.0/README.md

@@ -0,0 +1,51 @@
+# IAP Toolkit
+
+A library of utils to ease programmatic authentication with Google IAP (and ideally other IAPs in future).
+
+
+## Quick Start / Example Usage
+
+```python
+import requests
+
+from iaptoolkit import IAPToolkit
+
+iaptk = IAPToolkit(google_iap_client_id="EXAMPLE_ID_123456789ABCDEF")
+allowed_domains = ["example.com", ]
+
+
+# Example #1 - Combined Calls
+def example1(url: str):
+    headers = dict()
+    result = iaptk.check_url_and_add_token_header(
+        url=url,
+        request_headers=headers,
+        valid_domains=allowed_domains
+    )
+    # result.token_added (bool) indicates if the token was added, depending on whether or not URL was valid
+    # headers dict now contains the appropriate Bearer Token header for Google IAP
+
+    # Make HTTP GET request with requests lib, with our headers containing bearer token to auth with IAP
+    response = requests.request("GET", url, headers=headers)
+
+
+# Example #2 - Separate Calls - Functionally the same as Example 1 but more flexibility in URL validation
+def example1(url: str):
+    is_url_safe: bool = iaptk.is_url_safe_for_token(url=url, valid_domains=valid_domains)
+
+    if not is_url_safe:
+        raise ExampleBadURLException("This URL isn't safe to send token headers to!")
+
+    headers = dict()
+    token_is_fresh: bool = iaptk.get_token_and_add_to_headers(request_headers=headers)
+    # token_is_fresh indicates if token was newly retrieved (True), or if a cached token was reused (False)
+    # headers dict now contains the appropriate Bearer Token header for Google IAP
+
+    # Make HTTP GET request with requests lib, with our headers containing bearer token to auth with IAP
+    response = requests.request("GET", url, headers=headers)
+
+```
+
+## Disclaimer
+
+This project is not affiliated with Google. No trademark infringement intended.

{iaptoolkit-0.1.0 → iaptoolkit-0.2.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "iaptoolkit"
-version = "0.1.0"
+version = "0.2.0"
 description = "Library of common utils for interacting with Identity-Aware Proxies"
 authors = ["Rob Voigt <code@ravoigt.com>"]
 readme = "README.md"
@@ -28,7 +28,7 @@ google-auth = "^2.29.0"
 requests = "^2.31.0"
 pytest = "^7.4.4"
 toml = "^0.10.2"
-kvcommon = "^0.1.0"
+kvcommon = "^0.1.1"
 
 [tool.poetry.dev-dependencies]
 black = "*"

iaptoolkit-0.2.0/src/iaptoolkit/__init__.py

@@ -0,0 +1,215 @@
+from __future__ import annotations
+
+import logging
+
+logging.getLogger(__name__).addHandler(logging.NullHandler())
+
+import typing as t
+from urllib.parse import ParseResult
+from urllib.parse import urlparse
+
+from kvcommon import logger
+
+from iaptoolkit import headers
+from iaptoolkit.exceptions import ServiceAccountTokenException
+from iaptoolkit.tokens.service_account import ServiceAccount
+from iaptoolkit.tokens.structs import ResultAddTokenHeader
+
+from iaptoolkit.tokens.structs import TokenRefreshStruct
+from iaptoolkit.utils.urls import is_url_safe_for_token
+
+LOG = logger.get_logger("iaptk")
+
+
+class IAPToolkit:
+    """
+    Class to encapsulate client-specific vars and forward them to static functions
+    """
+
+    _GOOGLE_IAP_CLIENT_ID: str
+
+    def __init__(
+        self,
+        google_iap_client_id: str,
+    ) -> None:
+        self._GOOGLE_IAP_CLIENT_ID = google_iap_client_id
+
+    @staticmethod
+    def sanitize_request_headers(request_headers: dict) -> dict:
+        return headers.sanitize_request_headers(request_headers)
+
+    def get_token_oidc(self, bypass_cached: bool = False) -> TokenRefreshStruct:
+        try:
+            return ServiceAccount.get_token(
+                iap_client_id=self._GOOGLE_IAP_CLIENT_ID, bypass_cached=bypass_cached
+            )
+        except ServiceAccountTokenException as ex:
+            LOG.debug(ex)
+            raise
+
+    def get_token_oidc_str(self, bypass_cached: bool = False) -> str:
+        struct = self.get_token_oidc(bypass_cached=bypass_cached)
+        return struct.id_token
+
+    def get_token_oauth2(self, bypass_cached: bool = False) -> TokenRefreshStruct:
+        # TODO
+        raise NotImplementedError()
+
+    def get_token_oauth2_str(self, bypass_cached: bool = False) -> str:
+        struct = self.get_token_oauth2(bypass_cached=bypass_cached)
+        return struct.id_token
+
+    def get_token_and_add_to_headers(
+        self, request_headers: dict, use_oauth2: bool = False, use_auth_header: bool = False
+    ) -> bool:
+        """
+        Retrieves an auth token and inserts it into the supplied request_headers dict.
+        request_headers is modified in-place
+
+        Params:
+            request_headers: dict of headers to insert into
+            use_oauth2: Use OAuth2.0 credentials and respective token, else use OIDC (default)
+                As a general guideline, OIDC is the assumed default approach for ServiceAccounts.
+            use_auth_header: If true, use the 'Authorization' header instead of 'Proxy-Authorization'
+
+
+        """
+        if not use_oauth2:
+            token_refresh_struct: TokenRefreshStruct = self.get_token_oidc()
+        else:
+            token_refresh_struct: TokenRefreshStruct = self.get_token_oauth2()
+
+        headers.add_token_to_request_headers(
+            request_headers=request_headers,
+            id_token=token_refresh_struct.id_token,
+            use_auth_header=use_auth_header,
+        )
+
+        return token_refresh_struct.token_is_new
+
+    @staticmethod
+    def is_url_safe_for_token(
+        url: str | ParseResult,
+        valid_domains: t.Optional[t.List[str] | t.Set[str] | t.Tuple[str]] = None,
+    ):
+        if not isinstance(url, ParseResult):
+            url = urlparse(url)
+
+        return is_url_safe_for_token(url_parts=url, allowed_domains=valid_domains)
+
+    def check_url_and_add_token_header(
+        self,
+        url: str | ParseResult,
+        request_headers: dict,
+        valid_domains: t.List[str] | None = None,
+        use_oauth2: bool = False,
+        use_auth_header: bool = False,
+    ) -> ResultAddTokenHeader:
+        """
+        Checks that the supplied URL is valid (i.e.; in valid_domains) and if so, retrieves a
+        token and adds it to request_headers.
+
+        i.e.; A convenience wrapper with logging for is_url_safe_for_token() and get_token_and_add_to_headers()
+
+        Params:
+            url: URL string or urllib.ParseResult to check for validity
+            request_headers: Dict of headers to insert into
+            valid_domains: List of domains to validate URL against
+            use_oauth2: Passed to get_token_and_add_to_headers() to determine if OAuth2.0 is used or OIDC (default)
+        """
+
+        if self.is_url_safe_for_token(url=url, valid_domains=valid_domains):
+            token_is_fresh = self.get_token_and_add_to_headers(
+                request_headers=request_headers,
+                use_oauth2=use_oauth2,
+                use_auth_header=use_auth_header,
+            )
+            return ResultAddTokenHeader(token_added=True, token_is_fresh=token_is_fresh)
+        else:
+            LOG.warn(
+                "URL is not approved: %s - Token will not be added to headers. Valid domains are: %s",
+                url,
+                valid_domains,
+            )
+            return ResultAddTokenHeader(token_added=False, token_is_fresh=False)
+
+
+class IAPToolkit_OIDC(IAPToolkit):
+    """
+    Convenience subclass of IAPToolkit for scenarios where OIDC will always be used, never OAuth2
+    """
+
+    def get_token_oauth2(self, *args, **kwargs):
+        raise NotImplementedError("Cannot call OAuth2 methods on OIDC-only instance of IAPToolkit.")
+
+    def get_token_oauth2_str(self, *args, **kwargs):
+        raise NotImplementedError("Cannot call OAuth2 methods on OIDC-only instance of IAPToolkit.")
+
+    def get_token_and_add_to_headers(
+        self, request_headers: dict, use_auth_header: bool = False
+    ) -> bool:
+        return super().get_token_and_add_to_headers(
+            request_headers=request_headers, use_oauth2=False, use_auth_header=use_auth_header
+        )
+
+    def check_url_and_add_token_header(
+        self,
+        url: str | ParseResult,
+        request_headers: dict,
+        valid_domains: t.List[str] | None = None,
+        use_auth_header: bool = False,
+    ) -> ResultAddTokenHeader:
+        return super().check_url_and_add_token_header(
+            url,
+            request_headers=request_headers,
+            valid_domains=valid_domains,
+            use_oauth2=False,
+            use_auth_header=use_auth_header,
+        )
+
+
+class IAPToolkit_OAuth2(IAPToolkit):
+    """
+    Convenience subclass of IAPToolkit for scenarios where OAuth2 will always be used, never OIDC
+    """
+
+    _GOOGLE_CLIENT_ID: str
+    _GOOGLE_CLIENT_SECRET: str
+
+    def __init__(
+        self,
+        google_iap_client_id: str,
+        google_client_id: str,
+        google_client_secret: str,
+    ) -> None:
+        super().__init__(google_iap_client_id=google_iap_client_id)
+        self._GOOGLE_CLIENT_ID = google_client_id
+        self._GOOGLE_CLIENT_SECRET = google_client_secret
+
+    def get_token_oidc(self, *args, **kwargs):
+        raise NotImplementedError("Cannot call OIDC methods on OAuth2-only instance of IAPToolkit.")
+
+    def get_token_oidc_str(self, *args, **kwargs):
+        raise NotImplementedError("Cannot call OIDC methods on OAuth2-only instance of IAPToolkit.")
+
+    def get_token_and_add_to_headers(
+        self, request_headers: dict, use_auth_header: bool = False
+    ) -> bool:
+        return super().get_token_and_add_to_headers(
+            request_headers=request_headers, use_oauth2=True, use_auth_header=use_auth_header
+        )
+
+    def check_url_and_add_token_header(
+        self,
+        url: str | ParseResult,
+        request_headers: dict,
+        valid_domains: t.List[str] | None = None,
+        use_auth_header: bool = False,
+    ) -> ResultAddTokenHeader:
+        return super().check_url_and_add_token_header(
+            url=url,
+            request_headers=request_headers,
+            valid_domains=valid_domains,
+            use_oauth2=True,
+            use_auth_header=use_auth_header,
+        )

{iaptoolkit-0.1.0 → iaptoolkit-0.2.0}/src/iaptoolkit/tokens/token_datastore.py

@@ -4,13 +4,10 @@ import typing as t
 from kvcommon import logger
 from kvcommon.datastore.backend import DatastoreBackend
 from kvcommon.datastore.backend import DictBackend
-from kvcommon.datastore.backend import TOMLBackend
+# from kvcommon.datastore.backend import TOMLBackend
 from kvcommon.datastore import VersionedDatastore
 
 from iaptoolkit.constants import IAPTOOLKIT_CONFIG_VERSION
-# from iaptoolkit.vars import PERSISTENT_DATASTORE_ENABLED
-# from iaptoolkit.vars import PERSISTENT_DATASTORE_PATH
-# from iaptoolkit.vars import PERSISTENT_DATASTORE_USERNAME
 
 
 LOG = logger.get_logger("iaptk-ds")
@@ -30,7 +27,7 @@ class TokenDatastore(VersionedDatastore):
         self.set_value("tokens", tokens_dict)
 
     def discard_existing_tokens(self):
-        LOG.info("Discarding existing tokens.")
+        LOG.debug("Discarding existing tokens.")
         self.update_data(tokens={})
 
     def get_stored_service_account_token(self, iap_client_id: str) -> t.Optional[dict]:

iaptoolkit-0.1.0/PKG-INFO

@@ -1,40 +0,0 @@
-Metadata-Version: 2.1
-Name: iaptoolkit
-Version: 0.1.0
-Summary: Library of common utils for interacting with Identity-Aware Proxies
-Author: Rob Voigt
-Author-email: code@ravoigt.com
-Requires-Python: >=3.11,<4.0
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Requires-Dist: google-auth (>=2.29.0,<3.0.0)
-Requires-Dist: kvcommon (>=0.1.0,<0.2.0)
-Requires-Dist: pytest (>=7.4.4,<8.0.0)
-Requires-Dist: requests (>=2.31.0,<3.0.0)
-Requires-Dist: toml (>=0.10.2,<0.11.0)
-Description-Content-Type: text/markdown
-
-# IAP Toolkit
-
-A library of utils to ease programmatic authentication with Google IAP (and ideally other IAPs in future).
-
-## Configuration & Env Vars
-
-| Env Var | Default | Type | Description|
-|---|---|---|---|
-|`KVC_LOG_FORMAT`|`"%(asctime)s - [%(levelname)s] - %(name)s - %(message)s"`|String|Sets log format for internal logger|
-|`KVC_LOG_DATEFMT`|`"%Y-%m-%d %H:%M:%S"`|String|Sets log datetime format for internal logger|
-|`IAPTOOLKIT_USE_AUTH_HEADER`|`False`|Boolean|If False, only adds Google IAP auth tokens to the `Proxy-Authorization` header. If True, adds tokens in the `Authorization` header if available/unused, falling back to the `Proxy-Authorization` header if needed. |
-|`IAPTOOLKIT_PERSISTENT_DATASTORE_ENABLED`|`False`|Boolean|If true, the TOML-backed datastore for tokens is enabled.|
-|`IAPTOOLKIT_PERSISTENT_DATASTORE_PATH`|`"~/.iaptoolkit"`|String|Path to dir where TOML-backed datastore|
-|`IAPTOOLKIT_PERSISTENT_DATASTORE_USERNAME`|`"user.toml"`|String|Filename for TOML-backed datastore|
-|`IAPTOOLKIT_CONFIG_VERSION`|`False`|Boolean|(Unused) Schema version for token storage|
-|`GOOGLE_IAP_CLIENT_ID`|None|String|#TODO|
-|`GOOGLE_CLIENT_ID`|None|String|#TODO|
-|`GOOGLE_CLIENT_SECRET`|None|String|#TODO|
-
-## Disclaimer
-
-This project is not affiliated with Google. No trademark infringement intended.
-

iaptoolkit-0.1.0/README.md

@@ -1,22 +0,0 @@
-# IAP Toolkit
-
-A library of utils to ease programmatic authentication with Google IAP (and ideally other IAPs in future).
-
-## Configuration & Env Vars
-
-| Env Var | Default | Type | Description|
-|---|---|---|---|
-|`KVC_LOG_FORMAT`|`"%(asctime)s - [%(levelname)s] - %(name)s - %(message)s"`|String|Sets log format for internal logger|
-|`KVC_LOG_DATEFMT`|`"%Y-%m-%d %H:%M:%S"`|String|Sets log datetime format for internal logger|
-|`IAPTOOLKIT_USE_AUTH_HEADER`|`False`|Boolean|If False, only adds Google IAP auth tokens to the `Proxy-Authorization` header. If True, adds tokens in the `Authorization` header if available/unused, falling back to the `Proxy-Authorization` header if needed. |
-|`IAPTOOLKIT_PERSISTENT_DATASTORE_ENABLED`|`False`|Boolean|If true, the TOML-backed datastore for tokens is enabled.|
-|`IAPTOOLKIT_PERSISTENT_DATASTORE_PATH`|`"~/.iaptoolkit"`|String|Path to dir where TOML-backed datastore|
-|`IAPTOOLKIT_PERSISTENT_DATASTORE_USERNAME`|`"user.toml"`|String|Filename for TOML-backed datastore|
-|`IAPTOOLKIT_CONFIG_VERSION`|`False`|Boolean|(Unused) Schema version for token storage|
-|`GOOGLE_IAP_CLIENT_ID`|None|String|#TODO|
-|`GOOGLE_CLIENT_ID`|None|String|#TODO|
-|`GOOGLE_CLIENT_SECRET`|None|String|#TODO|
-
-## Disclaimer
-
-This project is not affiliated with Google. No trademark infringement intended.

iaptoolkit-0.1.0/src/iaptoolkit/__init__.py

@@ -1,130 +0,0 @@
-from __future__ import annotations
-
-import logging
-logging.getLogger(__name__).addHandler(logging.NullHandler())
-
-import typing as t
-from urllib.parse import ParseResult
-from urllib.parse import urlparse
-
-from kvcommon import logger
-
-from iaptoolkit import headers
-from iaptoolkit.exceptions import ServiceAccountTokenException
-from iaptoolkit.tokens.service_account import ServiceAccount
-from iaptoolkit.tokens.structs import ResultAddTokenHeader
-
-from iaptoolkit.tokens.structs import TokenRefreshStruct
-from iaptoolkit.utils.urls import is_url_safe_for_token
-
-LOG = logger.get_logger("iaptk")
-
-
-class IAPToolkit:
-    """
-    Class to encapsulate client-specific vars and forward them to static functions
-    """
-
-    _GOOGLE_IAP_CLIENT_ID: str
-    _USE_AUTH_HEADER: bool
-    # _GOOGLE_CLIENT_ID: str   # TODO: OAuth2
-    # _GOOGLE_CLIENT_SECRET: str  # TODO: OAuth2
-
-    def __init__(
-        self,
-        google_iap_client_id: str,
-        use_auth_header: bool,
-        # google_client_id: str,
-        # google_client_secret: str,
-    ) -> None:
-        self._GOOGLE_IAP_CLIENT_ID = google_iap_client_id
-        self._USE_AUTH_HEADER = use_auth_header
-        # self._GOOGLE_CLIENT_ID = google_client_id
-        # self._GOOGLE_CLIENT_SECRET = google_client_secret
-
-        # self.ServiceAccount = GoogleServiceAccount(iap_client_id=google_iap_client_id)
-
-    @staticmethod
-    def sanitize_request_headers(request_headers: dict) -> dict:
-        return headers.sanitize_request_headers(request_headers)
-
-    def get_token_oidc(self, bypass_cached: bool = False) -> TokenRefreshStruct:
-        try:
-            return ServiceAccount.get_token(
-                iap_client_id=self._GOOGLE_IAP_CLIENT_ID, bypass_cached=bypass_cached
-            )
-        except ServiceAccountTokenException as ex:
-            LOG.debug(ex)
-            raise
-
-    def get_token_oauth2(self) -> TokenRefreshStruct:
-        # TODO
-        raise NotImplementedError()
-
-    def get_token_and_add_to_headers(self, request_headers: dict, use_oauth2: bool = False) -> bool:
-        """
-        Retrieves an auth token and inserts it into the supplied request_headers dict.
-        request_headers is modified in-place
-
-        Params:
-            request_headers: dict of headers to insert into
-            use_oauth2: Use OAuth2.0 credentials and respective token, else use OIDC (default)
-                As a general guideline, OIDC is the assumed default approach for ServiceAccounts.
-
-
-        """
-        if not use_oauth2:
-            token_refresh_struct: TokenRefreshStruct = self.get_token_oidc()
-        else:
-            token_refresh_struct: TokenRefreshStruct = self.get_token_oauth2()
-
-        headers.add_token_to_request_headers(
-            request_headers=request_headers,
-            id_token=token_refresh_struct.id_token,
-            use_auth_header=self._USE_AUTH_HEADER,
-        )
-
-        return token_refresh_struct.token_is_new
-
-    @staticmethod
-    def is_url_safe_for_token(
-        url: str | ParseResult,
-        valid_domains: t.Optional[t.List[str] | t.Set[str] | t.Tuple[str]] = None,
-    ):
-        if not isinstance(url, ParseResult):
-            url = urlparse(url)
-
-        return is_url_safe_for_token(url_parts=url, allowed_domains=valid_domains)
-
-    def check_url_and_add_token_header(
-        self,
-        url: str | ParseResult,
-        request_headers: dict,
-        valid_domains: t.List[str] | None = None,
-        use_oauth2: bool = False,
-    ) -> ResultAddTokenHeader:
-        """
-            Checks that the supplied URL is valid (i.e.; in valid_domains) and if so, retrieves a
-            token and adds it to request_headers.
-
-            i.e.; A convenience wrapper with logging for is_url_safe_for_token() and get_token_and_add_to_headers()
-
-            Params:
-                url: URL string or urllib.ParseResult to check for validity
-                request_headers: Dict of headers to insert into
-                valid_domains: List of domains to validate URL against
-                use_oauth2: Passed to get_token_and_add_to_headers() to determine if OAuth2.0 is used or OIDC (default)
-        """
-
-        if self.is_url_safe_for_token(url=url, valid_domains=valid_domains):
-            token_is_fresh = self.get_token_and_add_to_headers(
-                request_headers=request_headers, use_oauth2=use_oauth2
-            )
-            return ResultAddTokenHeader(token_added=True, token_is_fresh=token_is_fresh)
-        else:
-            LOG.warn(
-                "URL is not approved: %s - Token will not be added to headers. Valid domains are: %s",
-                url,
-                valid_domains,
-            )
-            return ResultAddTokenHeader(token_added=False, token_is_fresh=False)