iaptoolkit 0.3.3__tar.gz → 0.3.5__tar.gz

{iaptoolkit-0.3.3 → iaptoolkit-0.3.5}/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2024 Robert A. Voigt
+Copyright (c) 2024-2025 Robert A. Voigt
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

{iaptoolkit-0.3.3 → iaptoolkit-0.3.5}/PKG-INFO

@@ -1,8 +1,7 @@
 Metadata-Version: 2.3
 Name: iaptoolkit
-Version: 0.3.3
+Version: 0.3.5
 Summary: Library of common utils for interacting with Identity-Aware Proxies
-Home-page: https://github.com/RAVoigt/iaptoolkit
 Author: Rob Voigt
 Author-email: code@ravoigt.com
 Requires-Python: >=3.11
@@ -11,9 +10,10 @@ Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: google-auth (>=2.29.0,<3.0.0)
-Requires-Dist: kvcommon[k8s] (>=0.2.4,<0.3.0)
+Requires-Dist: kvcommon[k8s] (>=0.2.8,<0.3.0)
 Requires-Dist: requests (>=2.31.0,<3.0.0)
 Requires-Dist: toml (>=0.10.2,<0.11.0)
+Project-URL: Homepage, https://github.com/RAVoigt/iaptoolkit
 Project-URL: Repository, https://github.com/RAVoigt/iaptoolkit
 Description-Content-Type: text/markdown
 

{iaptoolkit-0.3.3 → iaptoolkit-0.3.5}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "iaptoolkit"
-version = "0.3.3"
+version = "0.3.5"
 description = "Library of common utils for interacting with Identity-Aware Proxies"
 authors = [
     {name = "Rob Voigt", email = "code@ravoigt.com"}
@@ -22,8 +22,8 @@ Repository = "https://github.com/RAVoigt/iaptoolkit"
 # ================================
 # Tools etc.
 [tool.black]
-line-length = 120
-target-version = ['py311']
+line-length = 110
+# target-version = ['py311'] # Weirdly unsupported currently
 include = '\.pyi?$'
 
 # ================================
@@ -33,7 +33,7 @@ python = "^3.11"
 google-auth = "^2.29.0"
 requests = "^2.31.0"
 toml = "^0.10.2"
-kvcommon = {extras = ["k8s"], version = "^0.2.4"}
+kvcommon = {extras = ["k8s"], version = "^0.2.8"}
 
 [tool.poetry.group.dev.dependencies]
 black = "*"

{iaptoolkit-0.3.3 → iaptoolkit-0.3.5}/src/iaptoolkit/__init__.py

@@ -29,10 +29,7 @@ class IAPToolkit:
 
     _GOOGLE_IAP_CLIENT_ID: str
 
-    def __init__(
-        self,
-        google_iap_client_id: str,
-    ) -> None:
+    def __init__(self, google_iap_client_id: str) -> None:
         self._GOOGLE_IAP_CLIENT_ID = google_iap_client_id
 
     @staticmethod
@@ -41,7 +38,9 @@ class IAPToolkit:
 
     def get_token_oidc(self, bypass_cached: bool = False) -> TokenStruct:
         try:
-            return ServiceAccount.get_token(iap_client_id=self._GOOGLE_IAP_CLIENT_ID, bypass_cached=bypass_cached)
+            return ServiceAccount.get_token(
+                iap_client_id=self._GOOGLE_IAP_CLIENT_ID, bypass_cached=bypass_cached,
+            )
         except ServiceAccountTokenException as ex:
             LOG.debug(ex)
             raise
@@ -92,17 +91,14 @@ class IAPToolkit:
             from_cache = token_struct.from_cache
 
         headers.add_token_to_request_headers(
-            request_headers=request_headers,
-            id_token=id_token,
-            use_auth_header=use_auth_header,
+            request_headers=request_headers, id_token=id_token, use_auth_header=use_auth_header,
         )
 
         return from_cache
 
     @staticmethod
     def is_url_safe_for_token(
-        url: str | ParseResult,
-        valid_domains: t.Optional[t.List[str] | t.Set[str] | t.Tuple[str]] = None,
+        url: str | ParseResult, valid_domains: t.Optional[t.List[str] | t.Set[str] | t.Tuple[str]] = None,
     ):
         if not isinstance(url, ParseResult):
             url = urlparse(url)
@@ -199,12 +195,7 @@ class IAPToolkit_OAuth2(IAPToolkit):
     _GOOGLE_CLIENT_ID: str
     _GOOGLE_CLIENT_SECRET: str
 
-    def __init__(
-        self,
-        google_iap_client_id: str,
-        google_client_id: str,
-        google_client_secret: str,
-    ) -> None:
+    def __init__(self, google_iap_client_id: str, google_client_id: str, google_client_secret: str,) -> None:
         super().__init__(google_iap_client_id=google_iap_client_id)
         self._GOOGLE_CLIENT_ID = google_client_id
         self._GOOGLE_CLIENT_SECRET = google_client_secret

{iaptoolkit-0.3.3 → iaptoolkit-0.3.5}/src/iaptoolkit/constants.py

@@ -8,3 +8,5 @@ IAPTOOLKIT_CONFIG_VERSION = 1
 GOOGLE_IAP_AUTH_HEADER = "Authorization"
 # Alternative auth header used for IAP-aware requests when 'Authorization' clashes. Stripped by IAP if consumed.
 GOOGLE_IAP_AUTH_HEADER_PROXY = "Proxy-Authorization"
+
+GOOGLE_IAP_PUBLIC_KEY_URL = "https://www.gstatic.com/iap/verify/public_key-jwk"

{iaptoolkit-0.3.3 → iaptoolkit-0.3.5}/src/iaptoolkit/exceptions.py

@@ -22,6 +22,10 @@ class TokenStorageException(TokenException):
     pass
 
 
+class IAPClientIDException(IAPToolkitBaseException):
+    pass
+
+
 class ServiceAccountTokenException(TokenException):
     def __init__(self, message: str, google_exception: t.Union[DefaultCredentialsError, RefreshError] | None):
         self.google_exception = google_exception
@@ -51,3 +55,11 @@ class ServiceAccountTokenFailedRefresh(ServiceAccountTokenException):
 
 class InvalidDomain(IAPToolkitBaseException):
     pass
+
+
+class PublicKeyException(IAPToolkitBaseException):
+    pass
+
+
+class JWTVerificationFailure(IAPToolkitBaseException):
+    pass

{iaptoolkit-0.3.3 → iaptoolkit-0.3.5}/src/iaptoolkit/tokens/service_account.py

@@ -42,7 +42,11 @@ class ServiceAccount(object):
     def get_stored_token(iap_client_id: str) -> t.Optional[TokenStruct]:
         try:
             token_dict = datastore.get_stored_service_account_token(iap_client_id)
-            if not token_dict or not token_dict.get("id_token", None) or not token_dict.get("token_expiry", None):
+            if (
+                not token_dict
+                or not token_dict.get("id_token", None)
+                or not token_dict.get("token_expiry", None)
+            ):
                 LOG.debug("No stored service account token for current iap_client_id")
                 return
 
@@ -53,7 +57,9 @@ class ServiceAccount(object):
             try:
                 token_expiry = datetime.datetime.fromisoformat(token_expiry_from_dict)
             except (ValueError, TypeError) as ex:
-                LOG.debug("Invalid token expiry for stored token - Could not parse from ISO format to datetime.")
+                LOG.debug(
+                    "Invalid token expiry for stored token - Could not parse from ISO format to datetime."
+                )
                 return
 
             token_struct = TokenStruct(id_token=id_token_from_dict, expiry=token_expiry, from_cache=True)
@@ -90,8 +96,7 @@ class ServiceAccount(object):
             # Likely attempting to get a token for a service account in an environment that
             # doesn't have one attached.
             raise ServiceAccountTokenFailedRefresh(
-                message="Failed to get ServiceAccount token: Refreshing token failed.",
-                google_exception=ex,
+                message="Failed to get ServiceAccount token: Refreshing token failed.", google_exception=ex,
             )
         return credentials
 
@@ -166,7 +171,9 @@ class GoogleServiceAccount(ServiceAccount):
 
     def __init__(self, iap_client_id: str) -> None:
         if not iap_client_id or not isinstance(iap_client_id, str):
-            raise ServiceAccountTokenException("Invalid iap_client_id for GoogleServiceAccount", google_exception=None)
+            raise ServiceAccountTokenException(
+                "Invalid iap_client_id for GoogleServiceAccount", google_exception=None
+            )
         self._iap_client_id = iap_client_id
         super().__init__()
 

{iaptoolkit-0.3.3 → iaptoolkit-0.3.5}/src/iaptoolkit/tokens/structs.py

@@ -52,6 +52,7 @@ class TokenRefreshStruct:
     def valid(self):
         return validate_token(self.id_token)
 
+
 @dataclass(kw_only=True)
 class TokenStructOAuth2(TokenStruct):
     refresh_token: str

iaptoolkit-0.3.5/src/iaptoolkit/utils/urls.py

@@ -0,0 +1,92 @@
+from dataclasses import dataclass
+import requests
+import typing as t
+from urllib.parse import parse_qs
+from urllib.parse import ParseResult
+from urllib.parse import urlparse
+
+from kvcommon import logger
+from kvcommon.urls import get_netloc_without_port_from_url_parts
+
+from iaptoolkit.exceptions import IAPClientIDException
+from iaptoolkit.exceptions import InvalidDomain
+
+LOG = logger.get_logger("iaptk")
+
+
+def is_url_safe_for_token(
+    url_parts: ParseResult, allowed_domains: t.Optional[t.List[str] | t.Set[str] | t.Tuple[str]] = None,
+) -> bool:
+    """Determines if the given url is considered a safe to receive a token in request headers.
+
+    If URL validation is enabled, check that the URL's netloc is in the list of valid domains.
+    """
+    if not isinstance(url_parts, ParseResult):
+        raise TypeError(
+            f"Invalid url_parts - Expected a ParseResult - Got: "
+            f"'{str(url_parts)}' (type#: {type(url_parts).__name__})"
+        )
+
+    if allowed_domains is not None and not isinstance(allowed_domains, (list, set, tuple)):
+        raise TypeError("allowed_domains must be a list, set or tuple if not None")
+
+    netloc = get_netloc_without_port_from_url_parts(url_parts)
+    if not netloc:
+        return False
+
+    if not allowed_domains:
+        return True
+
+    for domain in allowed_domains:
+        if domain == "" or not isinstance(domain, str):
+            raise InvalidDomain(
+                f"Empty or non-string domain in allowed_domains: "
+                f"'{str(domain)}' (type#: {type(domain).__name__})"
+            )
+
+        if netloc.endswith(domain):
+            return True
+
+    return False
+
+
+@dataclass(kw_only=True)
+class IAPURLState:
+    protected: bool = False
+    iap_client_id: str | None = None
+
+
+def get_url_iap_state(url: str) -> IAPURLState:
+    # This approach may not be reliable - Undocumented?
+
+    iap_client_id = None
+    requires_iap = False
+
+    response = requests.get(url, allow_redirects=False)
+    if response.status_code == 302:
+        location = response.headers.get("location")
+        qs = str(urlparse(location).query)
+        query = parse_qs(qs) or {}
+        if "client_id" in query:
+            iap_client_id = str(query["client_id"][0])
+            requires_iap = True
+
+    return IAPURLState(protected=requires_iap, iap_client_id=iap_client_id)
+
+
+def is_url_iap_protected(url: str) -> bool:
+    url_state: IAPURLState = get_url_iap_state(url)
+    return url_state.protected
+
+
+def get_iap_client_id_for_url(url: str) -> str | None:
+    url_state: IAPURLState = get_url_iap_state(url)
+    if not url_state.protected:
+        raise IAPClientIDException(f"URL does not appear to be IAP-protected: '{url}'")
+
+    iap_client_id = url_state.iap_client_id
+    if not iap_client_id:
+        raise IAPClientIDException(
+            f"No client_id returned in redirect for query when trying to retrieve IAP Client ID for url: '{url}'"
+        )
+    return iap_client_id

iaptoolkit-0.3.5/src/iaptoolkit/utils/verify.py

@@ -0,0 +1,82 @@
+import datetime
+import json
+import requests
+
+from google.auth import jwt
+
+from iaptoolkit.constants import GOOGLE_IAP_PUBLIC_KEY_URL
+from iaptoolkit.exceptions import PublicKeyException
+from iaptoolkit.exceptions import JWTVerificationFailure
+
+
+class GooglePublicKeyException(PublicKeyException):
+    pass
+
+
+class GoogleIAPKeys:
+    """
+    Retrieve Google's public keys for JWT verification and record the timestamp at retrieval.
+    If the retrieval was >5m ago (default),  refresh the keys in case of rotation or expiry
+    """
+
+    _retrieved_timestamp: datetime.datetime
+    _key_ttl_seconds: int = 300  # 5 mins
+    _certs: dict
+
+    def __init__(self, key_ttl_seconds: int = 300) -> None:
+        self._key_ttl_seconds = key_ttl_seconds
+        self.refresh()
+
+    def refresh(self):
+
+        response = requests.get(GOOGLE_IAP_PUBLIC_KEY_URL)
+        response.raise_for_status()
+
+        try:
+            certs = json.loads(response.text)["keys"]
+        except json.JSONDecodeError as ex:
+            raise GooglePublicKeyException(f"Decode error in JSON retrieved for Google Public Keys: {ex}")
+        except KeyError as ex:
+            raise GooglePublicKeyException(f"KeyError with JSON retrieved for Google Public Keys: {ex}")
+        if not certs:
+            raise GooglePublicKeyException(
+                f"Failed to retrieve JSON public keys from Google at: '{GOOGLE_IAP_PUBLIC_KEY_URL}'"
+            )
+
+        self._retrieved_timestamp = datetime.datetime.now(tz=datetime.UTC)
+        self._certs = certs
+
+    @property
+    def should_refresh(self) -> bool:
+        if self._retrieved_timestamp > datetime.datetime.now() - datetime.timedelta(
+            seconds=self._key_ttl_seconds
+        ):
+            return False
+        return True
+
+    @property
+    def certs(self) -> dict:
+        if self.should_refresh:
+            self.refresh()
+        return self._certs.copy()
+
+
+google_public_keys: GoogleIAPKeys | None = None
+
+
+def verify_iap_jwt(iap_jwt: str, expected_audience: str) -> str:
+    global google_public_keys  # Use as singleton
+    if not google_public_keys:
+        google_public_keys = GoogleIAPKeys()
+
+    decoded_jwt = jwt.decode(iap_jwt, certs=google_public_keys.certs, verify=True)
+
+    # Extract claims
+    email = decoded_jwt.get("email")
+    audience = decoded_jwt.get("aud")
+
+    if audience != expected_audience:
+        print("Invalid audience:", audience)
+        raise JWTVerificationFailure("Audience mismatch when verifying IAP JWT")
+
+    return email

iaptoolkit-0.3.3/src/iaptoolkit/utils/urls.py

@@ -1,44 +0,0 @@
-import typing as t
-from urllib.parse import ParseResult
-
-from kvcommon import logger
-from kvcommon.urls import get_netloc_without_port_from_url_parts
-
-from iaptoolkit.exceptions import InvalidDomain
-
-LOG = logger.get_logger("iaptk")
-
-
-def is_url_safe_for_token(
-    url_parts: ParseResult, allowed_domains: t.Optional[t.List[str] | t.Set[str] | t.Tuple[str]] = None
-) -> bool:
-    """Determines if the given url is considered a safe to receive a token in request headers.
-
-    If URL validation is enabled, check that the URL's netloc is in the list of valid domains.
-    """
-    if not isinstance(url_parts, ParseResult):
-        raise TypeError(
-            f"Invalid url_parts - Expected a ParseResult - Got: "
-            f"'{str(url_parts)}' (type#: {type(url_parts).__name__})"
-        )
-
-    if allowed_domains is not None and not isinstance(allowed_domains, (list, set, tuple)):
-        raise TypeError("allowed_domains must be a list, set or tuple if not None")
-
-    netloc = get_netloc_without_port_from_url_parts(url_parts)
-    if not netloc:
-        return False
-
-    if not allowed_domains:
-        return True
-
-    for domain in allowed_domains:
-        if domain == "" or not isinstance(domain, str):
-            raise InvalidDomain(
-                f"Empty or non-string domain in allowed_domains: " f"'{str(domain)}' (type#: {type(domain).__name__})"
-            )
-
-        if netloc.endswith(domain):
-            return True
-
-    return False