iaptoolkit 0.3.4__tar.gz → 0.3.5__tar.gz

{iaptoolkit-0.3.4 → iaptoolkit-0.3.5}/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2024 Robert A. Voigt
+Copyright (c) 2024-2025 Robert A. Voigt
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

{iaptoolkit-0.3.4 → iaptoolkit-0.3.5}/PKG-INFO

@@ -1,8 +1,7 @@
 Metadata-Version: 2.3
 Name: iaptoolkit
-Version: 0.3.4
+Version: 0.3.5
 Summary: Library of common utils for interacting with Identity-Aware Proxies
-Home-page: https://github.com/RAVoigt/iaptoolkit
 Author: Rob Voigt
 Author-email: code@ravoigt.com
 Requires-Python: >=3.11
@@ -11,9 +10,10 @@ Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: google-auth (>=2.29.0,<3.0.0)
-Requires-Dist: kvcommon[k8s] (>=0.2.4,<0.3.0)
+Requires-Dist: kvcommon[k8s] (>=0.2.8,<0.3.0)
 Requires-Dist: requests (>=2.31.0,<3.0.0)
 Requires-Dist: toml (>=0.10.2,<0.11.0)
+Project-URL: Homepage, https://github.com/RAVoigt/iaptoolkit
 Project-URL: Repository, https://github.com/RAVoigt/iaptoolkit
 Description-Content-Type: text/markdown
 

{iaptoolkit-0.3.4 → iaptoolkit-0.3.5}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "iaptoolkit"
-version = "0.3.4"
+version = "0.3.5"
 description = "Library of common utils for interacting with Identity-Aware Proxies"
 authors = [
     {name = "Rob Voigt", email = "code@ravoigt.com"}
@@ -22,8 +22,8 @@ Repository = "https://github.com/RAVoigt/iaptoolkit"
 # ================================
 # Tools etc.
 [tool.black]
-line-length = 120
-target-version = ['py311']
+line-length = 110
+# target-version = ['py311'] # Weirdly unsupported currently
 include = '\.pyi?$'
 
 # ================================
@@ -33,7 +33,7 @@ python = "^3.11"
 google-auth = "^2.29.0"
 requests = "^2.31.0"
 toml = "^0.10.2"
-kvcommon = {extras = ["k8s"], version = "^0.2.4"}
+kvcommon = {extras = ["k8s"], version = "^0.2.8"}
 
 [tool.poetry.group.dev.dependencies]
 black = "*"

{iaptoolkit-0.3.4 → iaptoolkit-0.3.5}/src/iaptoolkit/__init__.py

@@ -29,10 +29,7 @@ class IAPToolkit:
 
     _GOOGLE_IAP_CLIENT_ID: str
 
-    def __init__(
-        self,
-        google_iap_client_id: str,
-    ) -> None:
+    def __init__(self, google_iap_client_id: str) -> None:
         self._GOOGLE_IAP_CLIENT_ID = google_iap_client_id
 
     @staticmethod
@@ -41,7 +38,9 @@ class IAPToolkit:
 
     def get_token_oidc(self, bypass_cached: bool = False) -> TokenStruct:
         try:
-            return ServiceAccount.get_token(iap_client_id=self._GOOGLE_IAP_CLIENT_ID, bypass_cached=bypass_cached)
+            return ServiceAccount.get_token(
+                iap_client_id=self._GOOGLE_IAP_CLIENT_ID, bypass_cached=bypass_cached,
+            )
         except ServiceAccountTokenException as ex:
             LOG.debug(ex)
             raise
@@ -92,17 +91,14 @@ class IAPToolkit:
             from_cache = token_struct.from_cache
 
         headers.add_token_to_request_headers(
-            request_headers=request_headers,
-            id_token=id_token,
-            use_auth_header=use_auth_header,
+            request_headers=request_headers, id_token=id_token, use_auth_header=use_auth_header,
         )
 
         return from_cache
 
     @staticmethod
     def is_url_safe_for_token(
-        url: str | ParseResult,
-        valid_domains: t.Optional[t.List[str] | t.Set[str] | t.Tuple[str]] = None,
+        url: str | ParseResult, valid_domains: t.Optional[t.List[str] | t.Set[str] | t.Tuple[str]] = None,
     ):
         if not isinstance(url, ParseResult):
             url = urlparse(url)
@@ -199,12 +195,7 @@ class IAPToolkit_OAuth2(IAPToolkit):
     _GOOGLE_CLIENT_ID: str
     _GOOGLE_CLIENT_SECRET: str
 
-    def __init__(
-        self,
-        google_iap_client_id: str,
-        google_client_id: str,
-        google_client_secret: str,
-    ) -> None:
+    def __init__(self, google_iap_client_id: str, google_client_id: str, google_client_secret: str,) -> None:
         super().__init__(google_iap_client_id=google_iap_client_id)
         self._GOOGLE_CLIENT_ID = google_client_id
         self._GOOGLE_CLIENT_SECRET = google_client_secret

{iaptoolkit-0.3.4 → iaptoolkit-0.3.5}/src/iaptoolkit/constants.py

@@ -8,3 +8,5 @@ IAPTOOLKIT_CONFIG_VERSION = 1
 GOOGLE_IAP_AUTH_HEADER = "Authorization"
 # Alternative auth header used for IAP-aware requests when 'Authorization' clashes. Stripped by IAP if consumed.
 GOOGLE_IAP_AUTH_HEADER_PROXY = "Proxy-Authorization"
+
+GOOGLE_IAP_PUBLIC_KEY_URL = "https://www.gstatic.com/iap/verify/public_key-jwk"

{iaptoolkit-0.3.4 → iaptoolkit-0.3.5}/src/iaptoolkit/exceptions.py

@@ -55,3 +55,11 @@ class ServiceAccountTokenFailedRefresh(ServiceAccountTokenException):
 
 class InvalidDomain(IAPToolkitBaseException):
     pass
+
+
+class PublicKeyException(IAPToolkitBaseException):
+    pass
+
+
+class JWTVerificationFailure(IAPToolkitBaseException):
+    pass

{iaptoolkit-0.3.4 → iaptoolkit-0.3.5}/src/iaptoolkit/tokens/service_account.py

@@ -42,7 +42,11 @@ class ServiceAccount(object):
     def get_stored_token(iap_client_id: str) -> t.Optional[TokenStruct]:
         try:
             token_dict = datastore.get_stored_service_account_token(iap_client_id)
-            if not token_dict or not token_dict.get("id_token", None) or not token_dict.get("token_expiry", None):
+            if (
+                not token_dict
+                or not token_dict.get("id_token", None)
+                or not token_dict.get("token_expiry", None)
+            ):
                 LOG.debug("No stored service account token for current iap_client_id")
                 return
 
@@ -53,7 +57,9 @@ class ServiceAccount(object):
             try:
                 token_expiry = datetime.datetime.fromisoformat(token_expiry_from_dict)
             except (ValueError, TypeError) as ex:
-                LOG.debug("Invalid token expiry for stored token - Could not parse from ISO format to datetime.")
+                LOG.debug(
+                    "Invalid token expiry for stored token - Could not parse from ISO format to datetime."
+                )
                 return
 
             token_struct = TokenStruct(id_token=id_token_from_dict, expiry=token_expiry, from_cache=True)
@@ -90,8 +96,7 @@ class ServiceAccount(object):
             # Likely attempting to get a token for a service account in an environment that
             # doesn't have one attached.
             raise ServiceAccountTokenFailedRefresh(
-                message="Failed to get ServiceAccount token: Refreshing token failed.",
-                google_exception=ex,
+                message="Failed to get ServiceAccount token: Refreshing token failed.", google_exception=ex,
             )
         return credentials
 
@@ -166,7 +171,9 @@ class GoogleServiceAccount(ServiceAccount):
 
     def __init__(self, iap_client_id: str) -> None:
         if not iap_client_id or not isinstance(iap_client_id, str):
-            raise ServiceAccountTokenException("Invalid iap_client_id for GoogleServiceAccount", google_exception=None)
+            raise ServiceAccountTokenException(
+                "Invalid iap_client_id for GoogleServiceAccount", google_exception=None
+            )
         self._iap_client_id = iap_client_id
         super().__init__()
 

{iaptoolkit-0.3.4 → iaptoolkit-0.3.5}/src/iaptoolkit/utils/urls.py

@@ -15,7 +15,7 @@ LOG = logger.get_logger("iaptk")
 
 
 def is_url_safe_for_token(
-    url_parts: ParseResult, allowed_domains: t.Optional[t.List[str] | t.Set[str] | t.Tuple[str]] = None
+    url_parts: ParseResult, allowed_domains: t.Optional[t.List[str] | t.Set[str] | t.Tuple[str]] = None,
 ) -> bool:
     """Determines if the given url is considered a safe to receive a token in request headers.
 
@@ -40,7 +40,8 @@ def is_url_safe_for_token(
     for domain in allowed_domains:
         if domain == "" or not isinstance(domain, str):
             raise InvalidDomain(
-                f"Empty or non-string domain in allowed_domains: " f"'{str(domain)}' (type#: {type(domain).__name__})"
+                f"Empty or non-string domain in allowed_domains: "
+                f"'{str(domain)}' (type#: {type(domain).__name__})"
             )
 
         if netloc.endswith(domain):

iaptoolkit-0.3.5/src/iaptoolkit/utils/verify.py

@@ -0,0 +1,82 @@
+import datetime
+import json
+import requests
+
+from google.auth import jwt
+
+from iaptoolkit.constants import GOOGLE_IAP_PUBLIC_KEY_URL
+from iaptoolkit.exceptions import PublicKeyException
+from iaptoolkit.exceptions import JWTVerificationFailure
+
+
+class GooglePublicKeyException(PublicKeyException):
+    pass
+
+
+class GoogleIAPKeys:
+    """
+    Retrieve Google's public keys for JWT verification and record the timestamp at retrieval.
+    If the retrieval was >5m ago (default),  refresh the keys in case of rotation or expiry
+    """
+
+    _retrieved_timestamp: datetime.datetime
+    _key_ttl_seconds: int = 300  # 5 mins
+    _certs: dict
+
+    def __init__(self, key_ttl_seconds: int = 300) -> None:
+        self._key_ttl_seconds = key_ttl_seconds
+        self.refresh()
+
+    def refresh(self):
+
+        response = requests.get(GOOGLE_IAP_PUBLIC_KEY_URL)
+        response.raise_for_status()
+
+        try:
+            certs = json.loads(response.text)["keys"]
+        except json.JSONDecodeError as ex:
+            raise GooglePublicKeyException(f"Decode error in JSON retrieved for Google Public Keys: {ex}")
+        except KeyError as ex:
+            raise GooglePublicKeyException(f"KeyError with JSON retrieved for Google Public Keys: {ex}")
+        if not certs:
+            raise GooglePublicKeyException(
+                f"Failed to retrieve JSON public keys from Google at: '{GOOGLE_IAP_PUBLIC_KEY_URL}'"
+            )
+
+        self._retrieved_timestamp = datetime.datetime.now(tz=datetime.UTC)
+        self._certs = certs
+
+    @property
+    def should_refresh(self) -> bool:
+        if self._retrieved_timestamp > datetime.datetime.now() - datetime.timedelta(
+            seconds=self._key_ttl_seconds
+        ):
+            return False
+        return True
+
+    @property
+    def certs(self) -> dict:
+        if self.should_refresh:
+            self.refresh()
+        return self._certs.copy()
+
+
+google_public_keys: GoogleIAPKeys | None = None
+
+
+def verify_iap_jwt(iap_jwt: str, expected_audience: str) -> str:
+    global google_public_keys  # Use as singleton
+    if not google_public_keys:
+        google_public_keys = GoogleIAPKeys()
+
+    decoded_jwt = jwt.decode(iap_jwt, certs=google_public_keys.certs, verify=True)
+
+    # Extract claims
+    email = decoded_jwt.get("email")
+    audience = decoded_jwt.get("aud")
+
+    if audience != expected_audience:
+        print("Invalid audience:", audience)
+        raise JWTVerificationFailure("Audience mismatch when verifying IAP JWT")
+
+    return email