jaaql-middleware-python 4.33.7__tar.gz → 4.33.9__tar.gz

{jaaql_middleware_python-4.33.7 → jaaql_middleware_python-4.33.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: jaaql-middleware-python
-Version: 4.33.7
+Version: 4.33.9
 Summary: The jaaql package, allowing for rapid development and deployment of RESTful HTTP applications
 Home-page: https://github.com/JAAQL/JAAQL-middleware-python
 Author: Software Quality Measurement and Improvement bv

{jaaql_middleware_python-4.33.7 → jaaql_middleware_python-4.33.9}/jaaql/constants.py

@@ -208,5 +208,5 @@ ROLE__postgres = "postgres"
 
 PROTOCOL__postgres = "postgresql://"
 
-VERSION = "4.33.7"
+VERSION = "4.33.9"
 

{jaaql_middleware_python-4.33.7 → jaaql_middleware_python-4.33.9}/jaaql/documentation/documentation_internal.py

@@ -478,4 +478,57 @@ DOCUMENTATION__procedures = SwaggerDocumentation(
             )
         ]
     )
+)
+
+ARG_RES__id_token_hint = SwaggerArgumentResponse(
+	name="id_token_hint",
+	description="Optional ID Token previously issued to the user; recommended for OIDC RP-initiated logout.",
+	arg_type=str,
+	required=False,
+    condition="Recommended",
+	example=["eyJ..."]
+)
+
+DOCUMENTATION__oidc_begin_logout = SwaggerDocumentation(
+	tags="oidc",
+	security=False,
+	methods=SwaggerMethod(
+		name="Begin OIDC logout",
+		description="Clears the app session, sets a logout state cookie, and redirects the browser to the OP end-session endpoint. After logout, the OP redirects to /api/oidc/post-logout.",
+		method=REST__GET,
+		arguments=[
+			ARG_RES__tenant,
+			ARG_RES__provider,
+			ARG_RES__application,
+			ARG_RES__schema,
+			ARG_RES__redirect_uri,
+			ARG_RES__id_token_hint
+		],
+		response=SwaggerFlatResponse(
+			description="Redirect",
+			code=HTTPStatus.FOUND,
+			body="You are being redirected to the identity server for logout..."
+		)
+	)
+)
+
+DOCUMENTATION__oidc_post_logout = SwaggerDocumentation(
+	tags="oidc",
+	security=False,
+	methods=SwaggerMethod(
+		name="OIDC post-logout redirect",
+		description="Receives the OP redirect after logout, validates state, clears the cookie, and redirects to the final app URL.",
+		method=REST__GET,
+		arguments=SwaggerArgumentResponse(
+			name="state",
+			description="Opaque state returned by the OP; must match the value set at logout start.",
+			arg_type=str,
+			example=["y3nvJ..."]
+		),
+		response=SwaggerFlatResponse(
+			description="Redirect",
+			code=HTTPStatus.FOUND,
+			body="You are being redirected back to your place in the app..."
+		)
+	)
 )

{jaaql_middleware_python-4.33.7 → jaaql_middleware_python-4.33.9}/jaaql/interpreter/interpret_jaaql.py

@@ -2,6 +2,7 @@ import string
 import traceback
 import random
 
+from decimal import Decimal
 from jaaql.exceptions.http_status_exception import *
 from datetime import datetime
 import re
@@ -28,7 +29,7 @@ ERR_missing_query = "Missing query key from input dictionary"
 ERR_unused_parameter = "Unused parameter! Supplied with '%s' but was never used"
 ERR_polluted_input = "Input polluted. If passing query, only pass parameters as well"
 ERR_malformed_query = "Value of 'query' key malformed. Please use a string if you are passing a value to 'query'"
-ERR_mistyped_parameter = "Type '%s', for parameter '%s' unexpected. Please provide either a date, string, float, list or integer"
+ERR_mistyped_parameter = "Type '%s', for parameter '%s' unexpected. Please provide either a date, string, float, list, Decimal or integer"
 ERR_malformed_operation_type = "Operation malformed. Expecting either a list, string or dictionary input"
 ERR_assert_expecting = "Assert expecting %s row(s) but received %d row(s)!"
 ERR_malformed_join = "Joins only allowed as list or string input at the moment!"
@@ -613,6 +614,8 @@ GROUP BY CH.column_name, CH.data_type, CH.udt_name, CH.domain_name;"""
             return PYFORMAT_str
         elif type(value).__name__ == "date":
             return PYFORMAT_str
+        elif isinstance(value, Decimal):
+            return PYFORMAT_str
         else:
             raise HttpStatusException(ERR_mistyped_parameter % (type(value).__name__, key), HTTPStatus.BAD_REQUEST)
 

{jaaql_middleware_python-4.33.7 → jaaql_middleware_python-4.33.9}/jaaql/mvc/controller.py

@@ -201,3 +201,16 @@ class JAAQLController(BaseJAAQLController):
         @self.publish_route('/rendered_documents', DOCUMENTATION__rendered_document)
         def documents(http_inputs: dict):
             return self.model.fetch_document_stream(http_inputs)
+
+        @self.publish_route('/oidc/logout', DOCUMENTATION__oidc_begin_logout)
+        def begin_oidc_logout(http_inputs: dict, response: JAAQLResponse):
+            # inputs: application, tenant, provider, optional schema, redirect_uri, optional id_token_hint
+            self.model.begin_oidc_logout(http_inputs, response)
+
+        @self.publish_route('/oidc/post-logout', DOCUMENTATION__oidc_post_logout)
+        def finish_oidc_logout(http_inputs: dict, response: JAAQLResponse):
+            # KC returns ?state=... here; validate against cookie and bounce to final app URL
+            self.model.finish_oidc_logout(
+                {"state": http_inputs["state"], "oidc_cookie": request.cookies.get(COOKIE_OIDC)},
+                response
+            )

{jaaql_middleware_python-4.33.7 → jaaql_middleware_python-4.33.9}/jaaql/mvc/model.py

@@ -1987,3 +1987,121 @@ WHERE
 
         return submit(self.vault, self.config, self.get_db_crypt_key(), self.jaaql_lookup_connection, inputs, account_id, verification_hook,
                       self.cached_canned_query_service, as_objects=as_objects, singleton=singleton)
+
+
+    def begin_oidc_logout(self, inputs: dict, response: JAAQLResponse):
+        """
+		Start RP-initiated logout: clear app cookies, set logout state cookie, and 302 to OP end-session.
+		inputs requires:
+			- KEY__application
+			- KG__user_registry__provider
+			- KG__user_registry__tenant
+			- KEY__redirect_uri (final place in your app after logout, e.g. "logged-out" or "")
+			- optional: "id_token_hint" (if you persisted the ID token)
+		"""
+        # Resolve schema & app
+        schema = inputs.get(KEY__schema)
+        application = application__select(self.jaaql_lookup_connection, inputs[KEY__application])
+        if not schema:
+            schema = application[KG__application__default_schema]
+
+        # Resolve registry and discovery
+        database = application_schema__select(self.jaaql_lookup_connection, inputs[KEY__application], schema)
+        user_registry = user_registry__select(self.jaaql_lookup_connection, inputs[KG__user_registry__provider], inputs[KG__user_registry__tenant])
+        db_user_registry = database_user_registry__select(
+        	self.jaaql_lookup_connection, self.get_db_crypt_key(),
+        	inputs[KG__user_registry__provider], inputs[KG__user_registry__tenant],
+        	database[KG__application_schema__database]
+        )
+
+        discovery = self.fetch_discovery_content(
+        	database[KG__application_schema__database],
+        	inputs[KG__user_registry__provider],
+        	inputs[KG__user_registry__tenant],
+        	user_registry[KG__user_registry__discovery_url]
+        )
+
+        end_session = discovery.get("end_session_endpoint")
+        if not end_session:
+            # Fallback for older KC if discovery is missing the field
+            issuer = discovery.get("issuer", "").rstrip("/")
+            end_session = issuer + "/protocol/openid-connect/logout"
+
+        # Final hop inside YOUR app after KC returns
+        final_app_redirect = application[KG__application__base_url] + "/" + (inputs.get(KEY__redirect_uri) or "")
+        # The URL that KC will call after it logs the user out (your handler)
+        post_logout = application[KG__application__base_url] + "/api/oidc/post-logout"
+
+        # Store the logout round-trip state (re-using your OIDC cookie machinery)
+        state = secrets.token_urlsafe(32)
+        logout_session = crypt_utils.jwt_encode(
+        	self.vault.get_obj(VAULT_KEY__jwt_crypt_key),
+        	{
+        		"redirect_uri": final_app_redirect,
+        		"state": state,
+        		"tenant": inputs[KG__user_registry__tenant],
+        		"provider": inputs[KG__user_registry__provider],
+        		"application": inputs[KEY__application],
+        		"schema": schema
+        	},
+        	JWT_PURPOSE__oidc,
+        	expiry_ms=self.oidc_login_expiry_ms
+        )
+
+        response.set_cookie(
+        	COOKIE_OIDC,
+        	value=logout_session,
+        	attributes=get_cookie_attrs(True, False, self.is_container),
+        	is_https=self.is_https
+        )
+
+        # Kill your own app session immediately
+        response.delete_cookie(COOKIE_JAAQL_AUTH, self.is_https)
+        # Optional: clear the UI helper marker
+        response.set_cookie(COOKIE_LOGIN_MARKER, value="", is_https=True, attributes=get_sloppy_cookie_attrs())
+
+        # Build front-channel logout URL (Keycloak requires either id_token_hint OR client_id with post_logout_redirect_uri)
+        url = urllib.parse.urlsplit(end_session)
+        q = dict(urllib.parse.parse_qsl(url.query, keep_blank_values=True))
+
+        q["post_logout_redirect_uri"] = post_logout
+        q["state"] = state
+
+        id_token_hint = inputs.get("id_token_hint")
+        if id_token_hint:
+            q["id_token_hint"] = id_token_hint
+        else:
+            q["client_id"] = db_user_registry[KG__database_user_registry__client_id]  # KC >= 18 accepts this fallback
+
+        logout_url = urllib.parse.urlunsplit((
+            url.scheme, url.netloc, url.path,
+            urllib.parse.urlencode(q, doseq=False, safe="/:"), url.fragment
+        ))
+
+        response.response_code = HTTPStatus.FOUND
+        response.raw_headers["Location"] = logout_url
+
+    def finish_oidc_logout(self, inputs: dict, response: JAAQLResponse):
+        """
+        Handle the OP redirect after logout. Validates state, clears OIDC cookie, and 302 to your final URL.
+        Expect 'state' in inputs (query param).
+        """
+        # Read & clear the stored logout session
+        oidc_cookie = inputs.get("oidc_cookie")  # if your routing passes cookies in inputs; otherwise fetch from request in your framework
+        if not oidc_cookie:
+            # fall back to reading directly if your framework wires cookies differently
+            raise HttpStatusException("Missing logout state", HTTPStatus.BAD_REQUEST)
+
+        logout_state = crypt_utils.jwt_decode(self.vault.get_obj(VAULT_KEY__jwt_crypt_key), oidc_cookie, JWT_PURPOSE__oidc)
+        if not logout_state:
+            raise HttpStatusException("Invalid logout state", HTTPStatus.BAD_REQUEST)
+
+        if inputs.get("state") != logout_state.get("state"):
+            raise HttpStatusException("Logout state mismatch", HTTPStatus.BAD_REQUEST)
+
+        # Remove the OIDC cookie now that we're done
+        response.delete_cookie(COOKIE_OIDC, self.is_https)
+
+        # Redirect to the place the app wanted to land after logout
+        response.response_code = HTTPStatus.FOUND
+        response.raw_headers["Location"] = logout_state["redirect_uri"]

{jaaql_middleware_python-4.33.7 → jaaql_middleware_python-4.33.9}/jaaql_middleware_python.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: jaaql-middleware-python
-Version: 4.33.7
+Version: 4.33.9
 Summary: The jaaql package, allowing for rapid development and deployment of RESTful HTTP applications
 Home-page: https://github.com/JAAQL/JAAQL-middleware-python
 Author: Software Quality Measurement and Improvement bv