iaptoolkit 0.3.7a3__tar.gz → 0.3.8__tar.gz

{iaptoolkit-0.3.7a3 → iaptoolkit-0.3.8}/PKG-INFO

@@ -1,16 +1,16 @@
 Metadata-Version: 2.3
 Name: iaptoolkit
-Version: 0.3.7a3
+Version: 0.3.8
 Summary: Library of common utils for interacting with Identity-Aware Proxies
 Author: Rob Voigt
 Author-email: code@ravoigt.com
-Requires-Python: >=3.11
+Requires-Python: >=3.11,<4.0
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: google-auth (>=2.29.0,<3.0.0)
-Requires-Dist: kvcommon[k8s] (>=0.2.12,<0.3.0)
+Requires-Dist: kvcommon[k8s] (>=0.4.0,<0.5.0)
 Requires-Dist: requests (>=2.31.0,<3.0.0)
 Requires-Dist: toml (>=0.10.2,<0.11.0)
 Project-URL: Homepage, https://github.com/RAVoigt/iaptoolkit

{iaptoolkit-0.3.7a3 → iaptoolkit-0.3.8}/pyproject.toml

@@ -1,24 +1,16 @@
-[project]
+[tool.poetry]
 name = "iaptoolkit"
-version = "0.3.7-a3"
+version = "0.3.8"
 description = "Library of common utils for interacting with Identity-Aware Proxies"
-authors = [
-    {name = "Rob Voigt", email = "code@ravoigt.com"}
-]
+authors = ["Rob Voigt <code@ravoigt.com>"]
 readme = "README.md"
-requires-python = ">=3.11"
-
-# [tool.poetry]
-# packages = [{include = "iaptoolkit"}]
+homepage = "https://github.com/RAVoigt/iaptoolkit"
+repository = "https://github.com/RAVoigt/iaptoolkit"
 
 [build-system]
-requires = ["poetry-core>=2.0"]
+requires = ["poetry-core>=1.0.0"] # Poetry 1.x style; not PEP 621
 build-backend = "poetry.core.masonry.api"
 
-[project.urls]
-Homepage = "https://github.com/RAVoigt/iaptoolkit"
-Repository = "https://github.com/RAVoigt/iaptoolkit"
-
 # ================================
 # Tools etc.
 [tool.black]
@@ -33,11 +25,7 @@ python = "^3.11"
 google-auth = "^2.29.0"
 requests = "^2.31.0"
 toml = "^0.10.2"
-kvcommon = {extras = ["k8s"], version = "^0.2.12"}
-
-# flask = { version = "^0.20.0", optional = true }
-# quart = { version = "^0.20.0", optional = true }
-# prometheus-client = { version = "^0.20.0", optional = true }
+kvcommon = {extras = ["k8s"], version = "^0.4.0"}
 
 [tool.poetry.group.dev.dependencies]
 black = "*"
@@ -49,7 +37,3 @@ pytest = "*"
 pytest-cov = "*"
 pytest-socket = "*"
 pyfakefs = "^5.3.2"
-
-flask = "*"
-quart = "*"
-prometheus_client = "*"

{iaptoolkit-0.3.7a3 → iaptoolkit-0.3.8}/src/iaptoolkit/constants.py

@@ -10,5 +10,3 @@ GOOGLE_IAP_AUTH_HEADER = "Authorization"
 GOOGLE_IAP_AUTH_HEADER_PROXY = "Proxy-Authorization"
 
 GOOGLE_IAP_PUBLIC_KEY_URL = "https://www.gstatic.com/iap/verify/public_key-jwk"
-
-GOOGLE_IAP_JWT_HEADER_KEY = "x-goog-iap-jwt-assertion"

{iaptoolkit-0.3.7a3 → iaptoolkit-0.3.8}/src/iaptoolkit/exceptions.py

@@ -62,31 +62,4 @@ class PublicKeyException(IAPToolkitBaseException):
 
 
 class JWTVerificationFailure(IAPToolkitBaseException):
-    def __init__(self, message: str, google_exception: DefaultCredentialsError | None):
-        self.google_exception = google_exception
-        self.message = (f"{message}, google_exception='{str(google_exception)}'")
-        super().__init__(self.message)
-
-
-class JWTInvalidData(JWTVerificationFailure):
-    def __init__(self, message: str | None = None, google_exception: DefaultCredentialsError | None = None):
-        message = message or "Invalid JWT values"
-        super().__init__(message=message, google_exception=google_exception)
-
-
-class JWTMalformed(JWTVerificationFailure):
-    def __init__(self, message: str | None = None, google_exception: DefaultCredentialsError | None = None):
-        message = message or "Malformed JWT schema"
-        super().__init__(message=message, google_exception=google_exception)
-
-
-class JWTInvalidAudience(JWTVerificationFailure):
-    def __init__(self, message: str | None = None):
-        message = message or "JWT audience mismatch"
-        super().__init__(message=message, google_exception=None)
-
-
-class JWTDisallowedUser(JWTVerificationFailure):
-    def __init__(self, message: str | None = None):
-        message = message or "User from JWT not allowed"
-        super().__init__(message=message, google_exception=None)
+    pass

{iaptoolkit-0.3.7a3/src/iaptoolkit/jwt → iaptoolkit-0.3.8/src/iaptoolkit/utils}/verify.py

@@ -3,14 +3,10 @@ import json
 import requests
 
 from google.auth import jwt
-from google.auth.exceptions import InvalidValue
-from google.auth.exceptions import MalformedError
 
 from iaptoolkit.constants import GOOGLE_IAP_PUBLIC_KEY_URL
 from iaptoolkit.exceptions import PublicKeyException
-from iaptoolkit.exceptions import JWTInvalidData
-from iaptoolkit.exceptions import JWTInvalidAudience
-from iaptoolkit.exceptions import JWTMalformed
+from iaptoolkit.exceptions import JWTVerificationFailure
 
 
 class GooglePublicKeyException(PublicKeyException):
@@ -73,18 +69,13 @@ def verify_iap_jwt(iap_jwt: str, expected_audience: str|None) -> str:
     if not google_public_keys:
         google_public_keys = GoogleIAPKeys()
 
-    try:
-        decoded_jwt = jwt.decode(iap_jwt, certs=google_public_keys.certs, verify=True)
-    except InvalidValue as ex:
-        raise JWTInvalidData(google_exception=ex)
-    except MalformedError as ex:
-        raise JWTMalformed(google_exception=ex)
+    decoded_jwt = jwt.decode(iap_jwt, certs=google_public_keys.certs, verify=True)
 
     # Extract claims
     email = decoded_jwt.get("email")
     audience = decoded_jwt.get("aud")
 
     if expected_audience and audience != expected_audience:
-        raise JWTInvalidAudience()
+        raise JWTVerificationFailure("Audience mismatch when verifying IAP JWT")
 
     return email

iaptoolkit-0.3.7a3/src/iaptoolkit/jwt/constants.py

@@ -1,9 +0,0 @@
-from enum import StrEnum
-
-class JWT_Event(StrEnum):
-    SUCCESS = "success"
-    FAIL_NO_HEADER = "fail_no_header"
-    FAIL_INVALID_JWT = "fail_invalid"
-    FAIL_NO_EMAIL = "fail_no_email"
-    FAIL_WRONG_USER = "fail_wrong_user"
-    FAIL_WRONG_AUDIENCE = "fail_wrong_audience"

iaptoolkit-0.3.7a3/src/iaptoolkit/jwt/flask.py

@@ -1,142 +0,0 @@
-import typing as t
-from functools import wraps
-
-from flask import request
-from flask.wrappers import Request
-from flask.wrappers import Response
-
-from iaptoolkit.constants import GOOGLE_IAP_JWT_HEADER_KEY
-from iaptoolkit.exceptions import JWTDisallowedUser
-from iaptoolkit.exceptions import JWTInvalidAudience
-from iaptoolkit.exceptions import JWTInvalidData
-from iaptoolkit.exceptions import JWTMalformed
-
-from .constants import JWT_Event
-from .metrics import Counter
-from .metrics import default_metric
-from .metrics import inc_metric
-from .verify import verify_iap_jwt
-
-
-def _verify_jwt(
-        request: Request,
-        jwt_header_key: str,
-        jwt_audience: str,
-        allowed_users: set[str] | None = None,
-        response_cls: t.Type[Response] = Response,
-        metric: Counter | None = default_metric
-    ) -> Response | None:
-    jwt_header: str = request.headers.get(jwt_header_key.lower(), "")
-    if not jwt_header:
-        inc_metric(metric, event=JWT_Event.FAIL_NO_HEADER)
-        return response_cls(f"No Google IAP JWT header in request at key: '{jwt_header_key}'", status=401)
-
-    try:
-        user_email = verify_iap_jwt(iap_jwt=jwt_header, expected_audience=jwt_audience)
-        if not user_email:
-            raise JWTInvalidData("No user_email in decoded JWT")
-
-        if allowed_users and user_email not in allowed_users:
-            raise JWTDisallowedUser(message=f"User '{user_email}' from JWT not allowed for route")
-
-    except (JWTInvalidData, JWTMalformed) as ex:
-        inc_metric(metric, event=JWT_Event.FAIL_INVALID_JWT)
-        return response_cls(f"Forbidden: '{ex.message}'", status=401)
-
-    except JWTInvalidAudience as ex:
-        inc_metric(metric, event=JWT_Event.FAIL_WRONG_AUDIENCE)
-        return response_cls(f"Forbidden: '{ex.message}'", status=403)
-
-    except JWTDisallowedUser as ex:
-        inc_metric(metric, event=JWT_Event.FAIL_WRONG_USER)
-        return response_cls(f"Forbidden: '{ex.message}'", status=403)
-
-    return None
-
-
-def requires_iap_jwt(
-        jwt_audience: str,
-        response_cls: t.Type[Response] = Response,
-        jwt_header_key: str = GOOGLE_IAP_JWT_HEADER_KEY,
-        metric: Counter | None = default_metric
-    ):
-    """
-    A decorator that ensures the incoming request has a valid IAP JWT for a Flask route,
-    and that the user in the JWT has permission for the route.
-
-    Params:
-        jwt_audience: JWT Audience string (or IAP Client ID) to verify JWT against
-        response_cls: Flask response class or subclass thereof to return from decorator
-        jwt_header_key: request header key from which to retrieve the JWT (Default: 'x-goog-iap-jwt-assertion')
-        metric:
-            prometheus_client.Counter object (or None) to inc() for different outcomes.
-            Must have a single label: 'event'.
-            Set metric param to 'None' to disable metrics.
-
-    Returns:
-        Flask response of type determined by response_cls param on JWT Failure, else result of decorated view function
-    """
-    def decorator(f: t.Callable) -> t.Callable:
-
-        @wraps(f)
-        def decorated_function(*args, **kwargs) -> Response:
-            resp: Response | None = _verify_jwt(
-                request,
-                jwt_header_key=jwt_header_key,
-                jwt_audience=jwt_audience,
-                allowed_users=None,
-                response_cls=response_cls,
-                metric=metric
-            )
-            if resp is not None:
-                return resp
-            return f(*args, **kwargs)
-
-        return decorated_function
-
-    return decorator
-
-
-def requires_iap_jwt_valid_user(
-        jwt_audience: str,
-        allowed_users: set[str],
-        response_cls: t.Type[Response] = Response,
-        jwt_header_key: str = GOOGLE_IAP_JWT_HEADER_KEY,
-        metric: Counter | None = default_metric
-    ):
-    """
-    A decorator that ensures the incoming request has a valid IAP JWT for a Flask route,
-    and that the user in the JWT has permission for the route
-
-    Params:
-        jwt_audience: JWT Audience string (or IAP Client ID) to verify JWT against
-        allowed_users: set of email strings to check against user_email in JWT for permission to access decorated view func
-        response_cls: Flask response class or subclass thereof to return from decorator
-        jwt_header_key: request header key from which to retrieve the JWT (Default: 'x-goog-iap-jwt-assertion')
-        metric:
-            prometheus_client.Counter object (or None) to inc() for different outcomes.
-            Must have a single label: 'event'.
-            Set metric param to 'None' to disable metrics.
-
-    Returns:
-        Flask response of type determined by response_cls param on JWT Failure, else result of decorated view function
-    """
-    def decorator(f: t.Callable) -> t.Callable:
-
-        @wraps(f)
-        def decorated_function(*args, **kwargs) -> Response:
-            resp: Response | None = _verify_jwt(
-                request,
-                jwt_header_key=jwt_header_key,
-                jwt_audience=jwt_audience,
-                allowed_users=allowed_users,
-                response_cls=response_cls,
-                metric=metric
-            )
-            if resp is not None:
-                return resp
-            return f(*args, **kwargs)
-
-        return decorated_function
-
-    return decorator

iaptoolkit-0.3.7a3/src/iaptoolkit/jwt/metrics.py

@@ -1,34 +0,0 @@
-import asyncio
-import typing as t
-
-try:
-    from prometheus_client import Counter
-    # TODO move to constants
-    default_metric = Counter(
-        "iaptoolkit_jwt_event_total",
-        "Count of JWT verification events",
-        labelnames=["event"]
-    )
-except ImportError:
-    Counter = t.TypeVar("Counter")
-    default_metric = None
-
-
-def inc_metric(metric: Counter | None, event: str):
-    if not metric:
-        return
-    metric.labels(event=event).inc()
-
-
-async def inc_metric_async(metric: Counter | None, event: str):
-    if not metric:
-        return
-    # TODO: Does prometheus_client have built-in async support?
-    await asyncio.to_thread(metric.labels(event=event).inc)
-
-__all__ = [
-    "default_metric",
-    "Counter",
-    "inc_metric",
-    "inc_metric_async"
-]

iaptoolkit-0.3.7a3/src/iaptoolkit/jwt/quart.py

@@ -1,143 +0,0 @@
-import typing as t
-from functools import wraps
-
-from quart import request
-from quart.wrappers import Request
-from quart.wrappers import Response
-
-from iaptoolkit.constants import GOOGLE_IAP_JWT_HEADER_KEY
-from iaptoolkit.exceptions import JWTDisallowedUser
-from iaptoolkit.exceptions import JWTInvalidAudience
-from iaptoolkit.exceptions import JWTInvalidData
-from iaptoolkit.exceptions import JWTMalformed
-from iaptoolkit.jwt.constants import JWT_Event
-from .constants import JWT_Event
-from .metrics import Counter
-from .metrics import default_metric
-from .metrics import inc_metric_async
-from .verify_async import verify_iap_jwt_async
-
-
-async def _verify_jwt_async(
-        request: Request,
-        jwt_header_key: str,
-        jwt_audience: str,
-        allowed_users: set[str] | None = None,
-        response_cls: t.Type[Response] = Response,
-        metric: Counter | None = default_metric
-    ) -> Response | None:
-
-    jwt_header: str = request.headers.get(jwt_header_key.lower(), "")
-    if not jwt_header:
-        await inc_metric_async(metric, event=JWT_Event.FAIL_NO_HEADER)
-        return response_cls(f"No Google IAP JWT header in request at key: '{jwt_header_key}'", status=401)
-
-    try:
-        user_email = await verify_iap_jwt_async(iap_jwt=jwt_header, expected_audience=jwt_audience)
-        if not user_email:
-            raise JWTInvalidData("No user_email in decoded JWT")
-
-        if allowed_users and user_email not in allowed_users:
-            raise JWTDisallowedUser(message=f"User '{user_email}' from JWT not allowed for route")
-
-    except (JWTInvalidData, JWTMalformed) as ex:
-        await inc_metric_async(metric, event=JWT_Event.FAIL_INVALID_JWT)
-        return response_cls(f"Forbidden: '{ex.message}'", status=401)
-
-    except JWTInvalidAudience as ex:
-        await inc_metric_async(metric, event=JWT_Event.FAIL_WRONG_AUDIENCE)
-        return response_cls(f"Forbidden: '{ex.message}'", status=403)
-
-    except JWTDisallowedUser as ex:
-        await inc_metric_async(metric, event=JWT_Event.FAIL_WRONG_USER)
-        return response_cls(f"Forbidden: '{ex.message}'", status=403)
-
-    return None
-
-
-def requires_iap_jwt(
-        jwt_audience: str,
-        response_cls: t.Type[Response] = Response,
-        jwt_header_key: str = GOOGLE_IAP_JWT_HEADER_KEY,
-        metric: Counter | None = default_metric
-    ):
-    """
-    A decorator that ensures the incoming request has a valid IAP JWT for a Quart route,
-    and that the user in the JWT has permission for the route.
-
-    Params:
-        jwt_audience: JWT Audience string (or IAP Client ID) to verify JWT against
-        response_cls: Quart response class or subclass thereof to return from decorator
-        jwt_header_key: request header key from which to retrieve the JWT (Default: 'x-goog-iap-jwt-assertion')
-        metric:
-            prometheus_client.Counter object (or None) to inc() for different outcomes.
-            Must have a single label: 'event'.
-            Set metric param to 'None' to disable metrics.
-
-    Returns:
-        Quart response of type determined by response_cls param on JWT Failure, else result of decorated view function
-    """
-    def decorator(f: t.Callable) -> t.Callable:
-
-        @wraps(f)
-        async def decorated_function(*args, **kwargs) -> Response:
-            resp: Response | None = await _verify_jwt_async(
-                request,
-                jwt_header_key=jwt_header_key,
-                jwt_audience=jwt_audience,
-                allowed_users=None,
-                response_cls=response_cls,
-                metric=metric
-            )
-            if resp is not None:
-                return resp
-            return await f(*args, **kwargs)
-
-        return decorated_function
-
-    return decorator
-
-
-def requires_iap_jwt_valid_user_async(
-        jwt_audience: str,
-        allowed_users: set[str],
-        response_cls: t.Type[Response] = Response,
-        jwt_header_key: str = GOOGLE_IAP_JWT_HEADER_KEY,
-        metric: Counter | None = default_metric
-    ):
-    """
-    A decorator that ensures the incoming request has a valid IAP JWT for a Quart route,
-    and that the user in the JWT has permission for the route.
-
-    Params:
-        jwt_audience: JWT Audience string (or IAP Client ID) to verify JWT against
-        allowed_users: set of email strings to check against user_email in JWT for permission to access decorated view func
-        response_cls: Quart response class or subclass thereof to return from decorator
-        jwt_header_key: request header key from which to retrieve the JWT (Default: 'x-goog-iap-jwt-assertion')
-        metric:
-            prometheus_client.Counter object (or None) to inc() for different outcomes.
-            Must have a single label: 'event'.
-            Set metric param to 'None' to disable metrics.
-
-    Returns:
-        Quart response of type determined by response_cls param on JWT Failure, else result of decorated view function
-    """
-    def decorator(f: t.Callable) -> t.Callable:
-
-        @wraps(f)
-        async def decorated_function(*args, **kwargs) -> Response:
-            resp: Response | None = await _verify_jwt_async(
-                request,
-                jwt_header_key=jwt_header_key,
-                jwt_audience=jwt_audience,
-                allowed_users=allowed_users,
-                response_cls=response_cls,
-                metric=metric
-            )
-            if resp is not None:
-                return resp
-            return await f(*args, **kwargs)
-
-        return decorated_function
-
-    return decorator

iaptoolkit-0.3.7a3/src/iaptoolkit/jwt/verify_async.py

@@ -1,75 +0,0 @@
-import asyncio
-import datetime
-
-from google.auth import jwt
-from google.auth.exceptions import InvalidValue
-from google.auth.exceptions import MalformedError
-
-from iaptoolkit.exceptions import JWTInvalidData
-from iaptoolkit.exceptions import JWTInvalidAudience
-from iaptoolkit.exceptions import JWTMalformed
-
-from .verify import GoogleIAPKeys
-
-
-class GoogleIAPKeys_Async(GoogleIAPKeys):
-    """
-    Rudimentary async wrapper class for GoogleIAPKeys using asyncio threads
-
-    Retrieve Google's public keys for JWT verification and record the timestamp at retrieval.
-    If the retrieval was >5m ago (default),  refresh the keys in case of rotation or expiry
-    """
-
-    _retrieved_timestamp: datetime.datetime
-    _key_ttl_seconds: int = 300  # 5 mins
-    _certs: dict
-
-    def __init__(self, key_ttl_seconds: int = 300) -> None:
-        self._key_ttl_seconds = key_ttl_seconds
-
-    async def refresh_async(self):
-        await asyncio.to_thread(self.refresh)
-
-    @property
-    async def certs(self) -> dict:
-        if self.should_refresh:
-            await self.refresh_async()
-        return self._certs.copy()
-
-
-google_public_keys_async: GoogleIAPKeys_Async | None = None
-
-async def get_google_public_keys() -> GoogleIAPKeys_Async:
-    global google_public_keys_async  # Use as singleton
-    if not google_public_keys_async:
-        google_public_keys_async = GoogleIAPKeys_Async()
-        await google_public_keys_async.refresh_async()
-    return google_public_keys_async
-
-
-
-async def verify_iap_jwt_async(iap_jwt: str, expected_audience: str|None) -> str:
-    # Rudimentary async wrapper func for verify_iap_jwt using asyncio threads until google.auth.jwt_async is public
-
-    google_public_keys_async = await get_google_public_keys()
-
-    try:
-        decoded_jwt = await asyncio.to_thread(
-            jwt.decode,
-            iap_jwt,
-            certs=await google_public_keys_async.certs,
-            verify=True
-        )
-    except InvalidValue as ex:
-        raise JWTInvalidData(google_exception=ex)
-    except MalformedError as ex:
-        raise JWTMalformed(google_exception=ex)
-
-    # Extract claims
-    email = decoded_jwt.get("email")
-    audience = decoded_jwt.get("aud")
-
-    if expected_audience and audience != expected_audience:
-        raise JWTInvalidAudience()
-
-    return email