kailash 0.4.1__py3-none-any.whl → 0.5.0__py3-none-any.whl

kailash/__init__.py

@@ -3,9 +3,8 @@
 The Kailash SDK provides a comprehensive framework for creating nodes and workflows
 that align with container-node architecture while allowing rapid prototyping.
 
-New in v0.4.1: Production-ready Alert Nodes with Discord integration and
-AI Provider Vision Support. Rich Discord alerts with embeds, rate limiting,
-and universal vision capabilities across OpenAI, Anthropic, and Ollama providers.
+New in v0.4.2: Bug fixes including circular import resolution and JWT implementation
+consolidation. Improved changelog organization with individual release files.
 """
 
 from kailash.nodes.base import Node, NodeMetadata, NodeParameter
@@ -34,7 +33,7 @@ except ImportError:
 # For backward compatibility
 WorkflowGraph = Workflow
 
-__version__ = "0.4.1"
+__version__ = "0.4.2"
 
 __all__ = [
     # Core workflow components

kailash/middleware/__init__.py

@@ -36,7 +36,7 @@ The middleware consists of these interconnected layers:
 
 **API Gateway Layer**:
 - RESTful API endpoints with OpenAPI documentation
-- JWT-based authentication using JWTConfigNode
+- JWT-based authentication using JWTAuthManager
 - Request/response middleware with comprehensive logging
 - Dynamic schema generation for node discovery
 
@@ -181,9 +181,11 @@ Usage Examples
     >>> workflow_id = await agent_ui.create_dynamic_workflow(
     ...     session_id, workflow_config
     ... )
-    >>> execution_id = await agent_ui.execute_workflow(
+    >>> # Use execute() for consistency with runtime API (preferred)
+    >>> execution_id = await agent_ui.execute(
     ...     session_id, workflow_id, inputs={}
     ... )
+    >>> # Note: execute_workflow() is deprecated and will be removed in v1.0.0
 
 Production Deployment
 --------------------

kailash/middleware/auth/__init__.py

@@ -15,19 +15,62 @@ Features:
 - Audit logging
 """
 
-from .access_control import (
-    MiddlewareAccessControlManager,
-    MiddlewareAuthenticationMiddleware,
+from .exceptions import (
+    AuthenticationError,
+    InvalidTokenError,
+    PermissionDeniedError,
+    TokenBlacklistedError,
+    TokenExpiredError,
 )
-from .auth_manager import AuthLevel, MiddlewareAuthManager
-from .kailash_jwt_auth import KailashJWTAuthManager
+
+# Import without circular dependencies
+from .jwt_auth import JWTAuthManager
+from .models import AuthenticationResult, JWTConfig, TokenPair, TokenPayload, UserClaims
+from .utils import generate_key_pair, generate_secret_key, parse_bearer_token
+
+# Import other components (check for circular deps)
+try:
+    from .access_control import (
+        MiddlewareAccessControlManager,
+        MiddlewareAuthenticationMiddleware,
+    )
+    from .auth_manager import AuthLevel, MiddlewareAuthManager
+
+    _has_access_control = True
+except ImportError:
+    # These imports might fail due to circular dependencies with communication
+    _has_access_control = False
+
+# KailashJWTAuthManager has been consolidated into JWTAuthManager
+# For backward compatibility, use JWTAuthManager directly
 
 __all__ = [
-    # Core authentication
-    "KailashJWTAuthManager",
-    "MiddlewareAuthManager",  # Main auth manager using SDK nodes
-    "AuthLevel",
-    # Authorization & Access Control
-    "MiddlewareAccessControlManager",
-    "MiddlewareAuthenticationMiddleware",
+    # Core authentication (always available)
+    "JWTAuthManager",
+    "JWTConfig",
+    "TokenPayload",
+    "TokenPair",
+    "UserClaims",
+    "AuthenticationResult",
+    # Exceptions
+    "AuthenticationError",
+    "TokenExpiredError",
+    "InvalidTokenError",
+    "TokenBlacklistedError",
+    "PermissionDeniedError",
+    # Utilities
+    "generate_secret_key",
+    "generate_key_pair",
+    "parse_bearer_token",
 ]
+
+# Add access control components if available
+if _has_access_control:
+    __all__.extend(
+        [
+            "MiddlewareAuthManager",
+            "AuthLevel",
+            "MiddlewareAccessControlManager",
+            "MiddlewareAuthenticationMiddleware",
+        ]
+    )

kailash/middleware/auth/exceptions.py

@@ -0,0 +1,80 @@
+"""
+Authentication Exceptions for Kailash Middleware
+
+Provides exception classes for authentication errors without circular dependencies.
+"""
+
+
+class AuthenticationError(Exception):
+    """Base exception for authentication errors."""
+
+    def __init__(self, message: str, error_code: str = None):
+        super().__init__(message)
+        self.error_code = error_code
+
+
+class TokenExpiredError(AuthenticationError):
+    """Raised when a JWT token has expired."""
+
+    def __init__(self, message: str = "Token has expired"):
+        super().__init__(message, "TOKEN_EXPIRED")
+
+
+class InvalidTokenError(AuthenticationError):
+    """Raised when a JWT token is invalid."""
+
+    def __init__(self, message: str = "Invalid token"):
+        super().__init__(message, "INVALID_TOKEN")
+
+
+class TokenBlacklistedError(AuthenticationError):
+    """Raised when a JWT token has been blacklisted/revoked."""
+
+    def __init__(self, message: str = "Token has been revoked"):
+        super().__init__(message, "TOKEN_BLACKLISTED")
+
+
+class KeyRotationError(AuthenticationError):
+    """Raised when key rotation fails."""
+
+    def __init__(self, message: str = "Key rotation failed"):
+        super().__init__(message, "KEY_ROTATION_ERROR")
+
+
+class RefreshTokenError(AuthenticationError):
+    """Raised when refresh token operations fail."""
+
+    def __init__(self, message: str = "Refresh token error"):
+        super().__init__(message, "REFRESH_TOKEN_ERROR")
+
+
+class PermissionDeniedError(AuthenticationError):
+    """Raised when user lacks required permissions."""
+
+    def __init__(
+        self, message: str = "Permission denied", required_permission: str = None
+    ):
+        super().__init__(message, "PERMISSION_DENIED")
+        self.required_permission = required_permission
+
+
+class RateLimitError(AuthenticationError):
+    """Raised when authentication rate limit is exceeded."""
+
+    def __init__(self, message: str = "Rate limit exceeded", retry_after: int = None):
+        super().__init__(message, "RATE_LIMIT_EXCEEDED")
+        self.retry_after = retry_after
+
+
+class InvalidCredentialsError(AuthenticationError):
+    """Raised when login credentials are invalid."""
+
+    def __init__(self, message: str = "Invalid credentials"):
+        super().__init__(message, "INVALID_CREDENTIALS")
+
+
+class SessionExpiredError(AuthenticationError):
+    """Raised when a session has expired."""
+
+    def __init__(self, message: str = "Session has expired"):
+        super().__init__(message, "SESSION_EXPIRED")

kailash/middleware/auth/jwt_auth.py

@@ -1,16 +1,14 @@
 """
 JWT Authentication Manager for Kailash Middleware
 
-Provides enterprise-grade JWT authentication built entirely with Kailash SDK components.
-Uses Kailash nodes, workflows, and patterns for all authentication operations.
+Provides enterprise-grade JWT authentication with support for both HS256 and RSA algorithms.
+This consolidates the functionality of both JWTAuthManager and KailashJWTAuthManager.
 """
 
-import json
 import logging
 import secrets
 import time
 import uuid
-from dataclasses import dataclass
 from datetime import datetime, timedelta, timezone
 from typing import Any, Dict, List, Optional, Union
 
@@ -22,82 +20,18 @@ except ImportError:
     jwt = None
     rsa = None
 
-# Import Kailash SDK components
-from kailash.nodes.base import Node, NodeParameter
-from kailash.nodes.code import PythonCodeNode
-from kailash.nodes.data import JSONReaderNode
-from kailash.nodes.logic import SwitchNode
-from kailash.runtime.local import LocalRuntime
-from kailash.workflow.builder import WorkflowBuilder
+from .exceptions import (
+    InvalidTokenError,
+    RefreshTokenError,
+    TokenBlacklistedError,
+    TokenExpiredError,
+)
 
-logger = logging.getLogger(__name__)
-
-
-@dataclass
-class JWTConfig:
-    """Configuration for JWT authentication using only Python standard library."""
-
-    # Signing configuration
-    algorithm: str = (
-        "HS256"  # Use HMAC instead of RSA to avoid external crypto dependencies
-    )
-    access_token_expire_minutes: int = 15
-    refresh_token_expire_days: int = 7
-
-    # Security settings
-    issuer: str = "kailash-middleware"
-    audience: str = "kailash-api"
-
-    # Key management
-    auto_generate_keys: bool = True
-    key_rotation_days: int = 30
-
-    # Token settings
-    include_user_claims: bool = True
-    include_permissions: bool = True
-    max_refresh_count: int = 10
-
-
-@dataclass
-class TokenPayload:
-    """JWT token payload structure using standard Python."""
+# Import models and utilities (no circular dependencies)
+from .models import JWTConfig, RefreshTokenData, TokenPair, TokenPayload
+from .utils import generate_secret_key, is_token_expired
 
-    # Standard claims
-    sub: str  # Subject (user ID)
-    iss: str  # Issuer
-    aud: str  # Audience
-    exp: int  # Expiration time
-    iat: int  # Issued at
-    jti: str  # JWT ID
-
-    # Custom claims
-    tenant_id: Optional[str] = None
-    session_id: Optional[str] = None
-    user_type: str = "user"
-    permissions: List[str] = None
-    roles: List[str] = None
-
-    # Token metadata
-    token_type: str = "access"  # access, refresh
-    refresh_count: int = 0
-
-    def __post_init__(self):
-        if self.permissions is None:
-            self.permissions = []
-        if self.roles is None:
-            self.roles = []
-
-
-@dataclass
-class TokenPair:
-    """Access and refresh token pair using standard Python."""
-
-    access_token: str
-    refresh_token: str
-    token_type: str = "Bearer"
-    expires_in: int = 0
-    expires_at: Optional[datetime] = None
-    scope: Optional[str] = None
+logger = logging.getLogger(__name__)
 
 
 class JWTAuthManager:
@@ -105,30 +39,111 @@ class JWTAuthManager:
     Enterprise JWT Authentication Manager.
 
     Provides comprehensive JWT token management with security best practices:
-    - RSA key pair generation and rotation
+    - Support for both HS256 (default) and RSA algorithms
+    - RSA key pair generation and rotation (when using RSA)
     - Refresh token management
     - Token blacklisting
     - Comprehensive audit logging
     - Rate limiting protection
+
+    This consolidates both JWTAuthManager and KailashJWTAuthManager functionality.
     """
 
-    def __init__(self, config: JWTConfig = None):
+    def __init__(
+        self,
+        config: JWTConfig = None,
+        secret_key: str = None,
+        algorithm: str = None,
+        use_rsa: bool = None,
+        **kwargs,
+    ):
+        """
+        Initialize JWT Auth Manager.
+
+        Args:
+            config: JWTConfig object with full configuration
+            secret_key: Secret key for HS256 (overrides config)
+            algorithm: Algorithm to use (overrides config)
+            use_rsa: Whether to use RSA (overrides config)
+            **kwargs: Additional config parameters
+        """
         self.config = config or JWTConfig()
 
+        # Override config with direct parameters for backward compatibility
+        if secret_key is not None:
+            self.config.secret_key = secret_key
+        if algorithm is not None:
+            self.config.algorithm = algorithm
+        if use_rsa is not None:
+            self.config.use_rsa = use_rsa
+            if use_rsa:
+                self.config.algorithm = "RS256"
+
+        # Apply any additional kwargs to config
+        for key, value in kwargs.items():
+            if hasattr(self.config, key):
+                setattr(self.config, key, value)
+
         # Key management
         self._private_key: Optional[rsa.RSAPrivateKey] = None
         self._public_key: Optional[rsa.RSAPublicKey] = None
+        self._secret_key: Optional[str] = self.config.secret_key
         self._key_id = str(uuid.uuid4())
         self._key_generated_at = datetime.now(timezone.utc)
 
         # Token tracking
-        self._blacklisted_tokens: set = set()
+        self._blacklisted_tokens: set = set() if self.config.enable_blacklist else None
         self._refresh_tokens: Dict[str, Dict[str, Any]] = {}
         self._failed_attempts: Dict[str, List[datetime]] = {}
 
-        # Initialize keys
-        if self.config.auto_generate_keys:
-            self._generate_key_pair()
+        # Initialize keys based on algorithm
+        self._initialize_keys()
+
+    def _initialize_keys(self):
+        """Initialize keys based on configured algorithm."""
+        if self.config.use_rsa or self.config.algorithm.startswith("RS"):
+            # RSA mode
+            if self.config.private_key and self.config.public_key:
+                # Load provided keys
+                self._load_rsa_keys()
+            elif self.config.auto_generate_keys:
+                # Generate new RSA keys
+                self._generate_key_pair()
+            else:
+                raise ValueError(
+                    "RSA mode requires either provided keys or auto_generate_keys=True"
+                )
+        else:
+            # HS256 mode
+            if not self._secret_key:
+                if self.config.auto_generate_keys:
+                    # Generate random secret
+                    self._secret_key = secrets.token_urlsafe(32)
+                    self.config.secret_key = self._secret_key
+                    logger.info("Generated new HS256 secret key")
+                else:
+                    raise ValueError(
+                        "HS256 mode requires secret_key or auto_generate_keys=True"
+                    )
+
+    def _load_rsa_keys(self):
+        """Load RSA keys from PEM strings."""
+        try:
+            from cryptography.hazmat.backends import default_backend
+            from cryptography.hazmat.primitives import serialization
+
+            self._private_key = serialization.load_pem_private_key(
+                self.config.private_key.encode(),
+                password=None,
+                backend=default_backend(),
+            )
+            self._public_key = serialization.load_pem_public_key(
+                self.config.public_key.encode(), backend=default_backend()
+            )
+            logger.info("Loaded RSA keys from configuration")
+        except Exception as e:
+            logger.error(f"Failed to load RSA keys: {e}")
+            raise
 
     def _generate_key_pair(self):
         """Generate new RSA key pair for token signing."""
@@ -193,7 +208,8 @@ class JWTAuthManager:
         **kwargs,
     ) -> str:
         """Create JWT access token."""
-        if self._should_rotate_keys():
+        # Only rotate keys in RSA mode
+        if self.config.use_rsa and self._should_rotate_keys():
             self._generate_key_pair()
 
         payload = self._create_token_payload(
@@ -206,16 +222,39 @@ class JWTAuthManager:
             **kwargs,
         )
 
-        # Add key ID to header
-        headers = {"kid": self._key_id}
-
-        # Sign token
-        token = jwt.encode(
-            payload.dict(),
-            self._private_key,
-            algorithm=self.config.algorithm,
-            headers=headers,
-        )
+        # Convert payload to dict for encoding
+        payload_dict = {
+            "sub": payload.sub,
+            "iss": payload.iss,
+            "aud": payload.aud,
+            "exp": payload.exp,
+            "iat": payload.iat,
+            "jti": payload.jti,
+            "tenant_id": payload.tenant_id,
+            "session_id": payload.session_id,
+            "token_type": payload.token_type,
+            "permissions": payload.permissions,
+            "roles": payload.roles,
+        }
+        payload_dict.update(kwargs)
+
+        # Sign token based on algorithm
+        if self.config.use_rsa or self.config.algorithm.startswith("RS"):
+            # RSA signing
+            headers = {"kid": self._key_id}
+            token = jwt.encode(
+                payload_dict,
+                self._private_key,
+                algorithm=self.config.algorithm,
+                headers=headers,
+            )
+        else:
+            # HS256 signing
+            token = jwt.encode(
+                payload_dict,
+                self._secret_key,
+                algorithm=self.config.algorithm,
+            )
 
         logger.debug(f"Created access token for user {user_id}")
         return token
@@ -232,14 +271,36 @@ class JWTAuthManager:
             **kwargs,
         )
 
-        headers = {"kid": self._key_id}
-
-        token = jwt.encode(
-            payload.dict(),
-            self._private_key,
-            algorithm=self.config.algorithm,
-            headers=headers,
-        )
+        # Convert payload to dict
+        payload_dict = {
+            "sub": payload.sub,
+            "iss": payload.iss,
+            "aud": payload.aud,
+            "exp": payload.exp,
+            "iat": payload.iat,
+            "jti": payload.jti,
+            "tenant_id": payload.tenant_id,
+            "session_id": payload.session_id,
+            "token_type": payload.token_type,
+            "refresh_count": payload.refresh_count,
+        }
+        payload_dict.update(kwargs)
+
+        # Sign token based on algorithm
+        if self.config.use_rsa or self.config.algorithm.startswith("RS"):
+            headers = {"kid": self._key_id}
+            token = jwt.encode(
+                payload_dict,
+                self._private_key,
+                algorithm=self.config.algorithm,
+                headers=headers,
+            )
+        else:
+            token = jwt.encode(
+                payload_dict,
+                self._secret_key,
+                algorithm=self.config.algorithm,
+            )
 
         # Store refresh token metadata
         self._refresh_tokens[payload.jti] = {
@@ -291,27 +352,39 @@ class JWTAuthManager:
         """
         try:
             # Check if token is blacklisted
-            if token in self._blacklisted_tokens:
+            if self._blacklisted_tokens and token in self._blacklisted_tokens:
                 raise jwt.InvalidTokenError("Token has been revoked")
 
-            # Decode without verification first to get header
-            unverified_header = jwt.get_unverified_header(token)
-            key_id = unverified_header.get("kid")
-
-            # Verify key ID matches current key
-            if key_id != self._key_id:
-                logger.warning(f"Token signed with unknown key ID: {key_id}")
-                # In production, you might want to support multiple keys
-                # for graceful key rotation
-
-            # Verify and decode token
-            payload = jwt.decode(
-                token,
-                self._public_key,
-                algorithms=[self.config.algorithm],
-                issuer=self.config.issuer,
-                audience=self.config.audience,
-            )
+            # Get verification key based on algorithm
+            if self.config.use_rsa or self.config.algorithm.startswith("RS"):
+                # RSA verification
+                # Decode without verification first to get header
+                unverified_header = jwt.get_unverified_header(token)
+                key_id = unverified_header.get("kid")
+
+                # Verify key ID matches current key (optional check)
+                if key_id and key_id != self._key_id:
+                    logger.warning(f"Token signed with unknown key ID: {key_id}")
+                    # In production, you might want to support multiple keys
+                    # for graceful key rotation
+
+                # Verify and decode token
+                payload = jwt.decode(
+                    token,
+                    self._public_key,
+                    algorithms=[self.config.algorithm],
+                    issuer=self.config.issuer,
+                    audience=self.config.audience,
+                )
+            else:
+                # HS256 verification
+                payload = jwt.decode(
+                    token,
+                    self._secret_key,
+                    algorithms=[self.config.algorithm],
+                    issuer=self.config.issuer,
+                    audience=self.config.audience,
+                )
 
             return payload
 
@@ -461,7 +534,9 @@ class JWTAuthManager:
         """Get authentication manager statistics."""
         return {
             "active_refresh_tokens": len(self._refresh_tokens),
-            "blacklisted_tokens": len(self._blacklisted_tokens),
+            "blacklisted_tokens": (
+                len(self._blacklisted_tokens) if self._blacklisted_tokens else 0
+            ),
             "key_id": self._key_id,
             "key_age_days": (
                 (datetime.now(timezone.utc) - self._key_generated_at).days
@@ -475,3 +550,70 @@ class JWTAuthManager:
                 "refresh_token_expire_days": self.config.refresh_token_expire_days,
             },
         }
+
+    # Backward compatibility methods for KailashJWTAuthManager
+    def generate_token(self, user_id: str, **claims) -> str:
+        """
+        Generate access token (backward compatibility).
+
+        .. deprecated:: 0.5.0
+            Use :meth:`create_access_token` instead. This method will be removed in version 1.0.0.
+
+        This method exists for compatibility with KailashJWTAuthManager.
+        """
+        import warnings
+
+        warnings.warn(
+            "generate_token() is deprecated and will be removed in version 1.0.0. "
+            "Use create_access_token() instead.",
+            DeprecationWarning,
+            stacklevel=2,
+        )
+        return self.create_access_token(user_id, **claims)
+
+    def verify_and_decode_token(self, token: str) -> Dict[str, Any]:
+        """
+        Verify and decode token (backward compatibility).
+
+        .. deprecated:: 0.5.0
+            Use :meth:`verify_token` instead. This method will be removed in version 1.0.0.
+
+        This method exists for compatibility with KailashJWTAuthManager.
+        """
+        import warnings
+
+        warnings.warn(
+            "verify_and_decode_token() is deprecated and will be removed in version 1.0.0. "
+            "Use verify_token() instead.",
+            DeprecationWarning,
+            stacklevel=2,
+        )
+        return self.verify_token(token)
+
+    def blacklist_token(self, token: str):
+        """
+        Blacklist token (backward compatibility).
+
+        This method exists for compatibility with KailashJWTAuthManager.
+        """
+        # Just call the main revoke_token method
+        self.revoke_token(token)
+
+    def generate_refresh_token(self, user_id: str, **claims) -> str:
+        """
+        Generate refresh token (backward compatibility).
+
+        .. deprecated:: 0.5.0
+            Use :meth:`create_refresh_token` instead. This method will be removed in version 1.0.0.
+
+        This method exists for compatibility with KailashJWTAuthManager.
+        """
+        import warnings
+
+        warnings.warn(
+            "generate_refresh_token() is deprecated and will be removed in version 1.0.0. "
+            "Use create_refresh_token() instead.",
+            DeprecationWarning,
+            stacklevel=2,
+        )
+        return self.create_refresh_token(user_id, **claims)