kscale 0.3.16__py3-none-any.whl → 0.3.18__py3-none-any.whl

kscale/web/clients/base.py

@@ -1,33 +1,19 @@
 """Defines a base client for the K-Scale WWW API client."""
 
-import asyncio
-import json
 import logging
 import os
-import secrets
 import sys
-import time
-import webbrowser
 from types import TracebackType
 from typing import Any, Mapping, Self, Type
 from urllib.parse import urljoin
 
-import aiohttp
 import httpx
-from aiohttp import web
-from async_lru import alru_cache
-from jwt import ExpiredSignatureError, PyJWKClient, decode as jwt_decode
 from pydantic import BaseModel
-from yarl import URL
 
-from kscale.web.gen.api import OICDInfo
-from kscale.web.utils import DEFAULT_UPLOAD_TIMEOUT, get_api_root, get_auth_dir
+from kscale.web.utils import DEFAULT_UPLOAD_TIMEOUT, get_api_root
 
 logger = logging.getLogger(__name__)
 
-# This port matches the available port for the OAuth callback.
-OAUTH_PORT = 16821
-
 # This is the name of the API key header for the K-Scale WWW API.
 HEADER_NAME = "x-kscale-api-key"
 
@@ -36,126 +22,6 @@ def verbose_error() -> bool:
     return os.environ.get("KSCALE_VERBOSE_ERROR", "0") == "1"
 
 
-class OAuthCallback:
-    def __init__(self) -> None:
-        self.token_type: str | None = None
-        self.access_token: str | None = None
-        self.id_token: str | None = None
-        self.state: str | None = None
-        self.expires_in: str | None = None
-        self.app = web.Application()
-        self.app.router.add_get("/token", self.handle_token)
-        self.app.router.add_get("/callback", self.handle_callback)
-
-    async def handle_token(self, request: web.Request) -> web.Response:
-        """Handle the token extraction."""
-        self.token_type = request.query.get("token_type")
-        self.access_token = request.query.get("access_token")
-        self.id_token = request.query.get("id_token")
-        self.state = request.query.get("state")
-        self.expires_in = request.query.get("expires_in")
-        return web.Response(text="OK")
-
-    async def handle_callback(self, request: web.Request) -> web.Response:
-        """Handle the OAuth callback with token in URL fragment."""
-        return web.Response(
-            text="""
-                <!DOCTYPE html>
-                <html lang="en">
-                <head>
-                    <meta charset="UTF-8">
-                    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-                    <title>Authentication successful</title>
-                    <style>
-                        body {
-                            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-                            display: flex;
-                            justify-content: center;
-                            align-items: center;
-                            min-height: 100vh;
-                            margin: 0;
-                            background: #f5f5f5;
-                            color: #333;
-                        }
-                        .container {
-                            background: white;
-                            padding: 2rem;
-                            border-radius: 8px;
-                            box-shadow: 0 2px 4px rgba(0,0,0,0.1);
-                            max-width: 600px;
-                            width: 90%;
-                        }
-                        h1 {
-                            color: #2c3e50;
-                            margin-bottom: 1rem;
-                        }
-                        .token-info {
-                            background: #f8f9fa;
-                            border: 1px solid #dee2e6;
-                            border-radius: 4px;
-                            padding: 1rem;
-                            margin: 1rem 0;
-                            word-break: break-all;
-                        }
-                        .token-label {
-                            font-weight: bold;
-                            color: #6c757d;
-                            margin-bottom: 0.5rem;
-                        }
-                        .success-icon {
-                            color: #28a745;
-                            font-size: 48px;
-                            margin-bottom: 1rem;
-                        }
-                    </style>
-                </head>
-                <body>
-                    <div class="container">
-                        <div class="success-icon">✓</div>
-                        <h1>Authentication successful!</h1>
-                        <p>Your authentication tokens are shown below. You can now close this window.</p>
-
-                        <div class="token-info">
-                            <div class="token-label">Access Token:</div>
-                            <div id="accessTokenDisplay"></div>
-                        </div>
-
-                        <div class="token-info">
-                            <div class="token-label">ID Token:</div>
-                            <div id="idTokenDisplay"></div>
-                        </div>
-                    </div>
-
-                    <script>
-                        const params = new URLSearchParams(window.location.hash.substring(1));
-                        const tokenType = params.get('token_type');
-                        const accessToken = params.get('access_token');
-                        const idToken = params.get('id_token');
-                        const state = params.get('state');
-                        const expiresIn = params.get('expires_in');
-
-                        // Display tokens
-                        document.getElementById('accessTokenDisplay').textContent = accessToken || 'Not provided';
-                        document.getElementById('idTokenDisplay').textContent = idToken || 'Not provided';
-
-                        if (accessToken) {
-                            const tokenUrl = new URL(window.location.href);
-                            tokenUrl.pathname = '/token';
-                            tokenUrl.searchParams.set('access_token', accessToken);
-                            tokenUrl.searchParams.set('token_type', tokenType);
-                            tokenUrl.searchParams.set('id_token', idToken);
-                            tokenUrl.searchParams.set('state', state);
-                            tokenUrl.searchParams.set('expires_in', expiresIn);
-                            fetch(tokenUrl.toString());
-                        }
-                    </script>
-                </body>
-                </html>
-            """,
-            content_type="text/html",
-        )
-
-
 class BaseClient:
     def __init__(
         self,
@@ -169,179 +35,14 @@ class BaseClient:
         self._client: httpx.AsyncClient | None = None
         self._client_no_auth: httpx.AsyncClient | None = None
 
-    @alru_cache
-    async def _get_oicd_info(self) -> OICDInfo:
-        cache_path = get_auth_dir() / "oicd_info.json"
-        if self.use_cache and cache_path.exists():
-            with open(cache_path, "r") as f:
-                return OICDInfo(**json.load(f))
-        data = await self._request("GET", "/auth/oicd", auth=False)
-        if self.use_cache:
-            cache_path.parent.mkdir(parents=True, exist_ok=True)
-            with open(cache_path, "w") as f:
-                json.dump(data, f)
-        return OICDInfo(**data)
-
-    @alru_cache
-    async def _get_oicd_metadata(self) -> dict:
-        """Returns the OpenID Connect server configuration.
-
-        Returns:
-            The OpenID Connect server configuration.
-        """
-        cache_path = get_auth_dir() / "oicd_metadata.json"
-        if self.use_cache and cache_path.exists():
-            with open(cache_path, "r") as f:
-                return json.load(f)
-        oicd_info = await self._get_oicd_info()
-        oicd_config_url = f"{oicd_info.authority}/.well-known/openid-configuration"
-        async with aiohttp.ClientSession() as session:
-            async with session.get(oicd_config_url) as response:
-                metadata = await response.json()
-        if self.use_cache:
-            cache_path.parent.mkdir(parents=True, exist_ok=True)
-            with open(cache_path, "w") as f:
-                json.dump(metadata, f, indent=2)
-            logger.info("Cached OpenID Connect metadata to %s", cache_path)
-        return metadata
-
-    async def _get_bearer_token(self) -> str:
-        """Get a bearer token using the OAuth2 implicit flow.
-
-        Returns:
-            A bearer token to use with the K-Scale WWW API.
-        """
-        # Check if we are in a headless environment.
-        error_message = (
-            "Cannot perform browser-based authentication in a headless environment. "
-            "Please use 'kscale user key' to generate an API key locally and set "
-            "the KSCALE_API_KEY environment variable instead."
-        )
-        try:
-            if not webbrowser.get().name != "null":
-                raise RuntimeError(error_message)
-        except webbrowser.Error:
-            raise RuntimeError(error_message)
-
-        oicd_info = await self._get_oicd_info()
-        metadata = await self._get_oicd_metadata()
-        auth_endpoint = metadata["authorization_endpoint"]
-
-        # Use the cached state and nonce if available, otherwise generate.
-        state_file = get_auth_dir() / "oauth_state.json"
-        state: str | None = None
-        nonce: str | None = None
-        if state_file.exists():
-            with open(state_file, "r") as f:
-                state_data = json.load(f)
-                state = state_data.get("state")
-                nonce = state_data.get("nonce")
-        if state is None:
-            state = secrets.token_urlsafe(32)
-        if nonce is None:
-            nonce = secrets.token_urlsafe(32)
-
-        # Change /oauth2/authorize to /login to use the login endpoint.
-        auth_endpoint = auth_endpoint.replace("/oauth2/authorize", "/login")
-
-        auth_url = str(
-            URL(auth_endpoint).with_query(
-                {
-                    "response_type": "token",
-                    "redirect_uri": f"http://localhost:{OAUTH_PORT}/callback",
-                    "state": state,
-                    "nonce": nonce,
-                    "scope": "openid profile email",
-                    "client_id": oicd_info.client_id,
-                }
-            )
-        )
-
-        # Start local server to receive callback
-        callback_handler = OAuthCallback()
-        runner = web.AppRunner(callback_handler.app)
-        await runner.setup()
-        site = web.TCPSite(runner, "localhost", OAUTH_PORT)
-
-        try:
-            await site.start()
-        except OSError as e:
-            raise OSError(
-                f"The command line interface requires access to local port {OAUTH_PORT} in order to authenticate with "
-                "OpenID Connect. Please ensure that no other application is using this port."
-            ) from e
-
-        # Open browser for user authentication
-        webbrowser.open(auth_url)
-
-        # Wait for the callback with timeout
-        try:
-            start_time = time.time()
-            while callback_handler.access_token is None:
-                if time.time() - start_time > 30:
-                    raise TimeoutError("Authentication timed out after 30 seconds")
-                await asyncio.sleep(0.1)
-
-            # Save the state and nonce to the cache.
-            state = callback_handler.state
-            state_file.parent.mkdir(parents=True, exist_ok=True)
-            state_file.write_text(json.dumps({"state": state, "nonce": nonce}))
-
-            return callback_handler.access_token
-        finally:
-            await runner.cleanup()
-
-    @alru_cache
-    async def _get_jwk_client(self) -> PyJWKClient:
-        """Returns a JWK client for the OpenID Connect server."""
-        oicd_info = await self._get_oicd_info()
-        jwks_uri = f"{oicd_info.authority}/.well-known/jwks.json"
-        return PyJWKClient(uri=jwks_uri)
-
-    async def _is_token_expired(self, token: str) -> bool:
-        """Check if a token is expired."""
-        jwk_client = await self._get_jwk_client()
-        signing_key = jwk_client.get_signing_key_from_jwt(token)
-
-        try:
-            claims = jwt_decode(
-                token,
-                signing_key.key,
-                algorithms=["RS256"],
-                options={"verify_aud": False},
-            )
-        except ExpiredSignatureError:
-            return True
-
-        return claims["exp"] < time.time()
-
-    @alru_cache
-    async def get_bearer_token(self) -> str:
-        """Get a bearer token from OpenID Connect.
-
-        Returns:
-            A bearer token to use with the K-Scale WWW API.
-        """
-        cache_path = get_auth_dir() / "bearer_token.txt"
-        if self.use_cache and cache_path.exists():
-            token = cache_path.read_text()
-            if not await self._is_token_expired(token):
-                return token
-        token = await self._get_bearer_token()
-        if self.use_cache:
-            cache_path.write_text(token)
-            cache_path.chmod(0o600)
-        return token
-
     async def get_client(self, *, auth: bool = True) -> httpx.AsyncClient:
         client = self._client if auth else self._client_no_auth
         if client is None:
             headers: dict[str, str] = {}
             if auth:
-                if "KSCALE_API_KEY" in os.environ:
-                    headers[HEADER_NAME] = os.environ["KSCALE_API_KEY"]
-                else:
-                    headers["Authorization"] = f"Bearer {await self.get_bearer_token()}"
+                if "KSCALE_API_KEY" not in os.environ:
+                    raise ValueError("KSCALE_API_KEY is not set! Obtain one here: https://kscale.dev/dashboard/keys")
+                headers[HEADER_NAME] = os.environ["KSCALE_API_KEY"]
 
             client = httpx.AsyncClient(
                 base_url=self.base_url,
@@ -389,7 +90,7 @@ class BaseClient:
                 logger.info("Use KSCALE_VERBOSE_ERROR=1 to see the full error message")
                 logger.info("If this persists, please create an issue here: https://github.com/kscalelabs/kscale")
 
-            logger.error("Got error %d from the K-Scale API", error_code)
+            logger.error("Got error %d from the K-Scale API %s endpoint %s", error_code, method, url)
             if isinstance(error_json, Mapping):
                 for key, value in error_json.items():
                     logger.error("  [%s] %s", key, value)

kscale/web/clients/client.py

@@ -1,6 +1,9 @@
 """Defines a unified client for the K-Scale WWW API."""
 
 from kscale.web.clients.base import BaseClient
+from kscale.web.clients.clip import ClipClient
+from kscale.web.clients.group import GroupClient
+from kscale.web.clients.permission import PermissionClient
 from kscale.web.clients.robot import RobotClient
 from kscale.web.clients.robot_class import RobotClassClient
 from kscale.web.clients.user import UserClient
@@ -10,6 +13,9 @@ class WWWClient(
     RobotClient,
     RobotClassClient,
     UserClient,
+    ClipClient,
+    GroupClient,
+    PermissionClient,
     BaseClient,
 ):
     pass

kscale/web/clients/clip.py

@@ -0,0 +1,118 @@
+"""Defines the client for interacting with the K-Scale clip endpoints."""
+
+import hashlib
+import logging
+from pathlib import Path
+
+import httpx
+
+from kscale.web.clients.base import BaseClient
+from kscale.web.gen.api import (
+    Clip,
+    ClipDownloadResponse,
+    ClipUploadResponse,
+)
+
+logger = logging.getLogger(__name__)
+
+UPLOAD_TIMEOUT = 300.0
+DOWNLOAD_TIMEOUT = 60.0
+
+
+class ClipClient(BaseClient):
+    async def get_clips(self) -> list[Clip]:
+        """Get all clips for the authenticated user."""
+        data = await self._request("GET", "/clips/", auth=True)
+        return [Clip.model_validate(item) for item in data]
+
+    async def get_clip(self, clip_id: str) -> Clip:
+        """Get a specific clip by ID."""
+        data = await self._request("GET", f"/clips/{clip_id}", auth=True)
+        return Clip.model_validate(data)
+
+    async def create_clip(self, description: str | None = None) -> Clip:
+        """Create a new clip."""
+        data = {}
+        if description is not None:
+            data["description"] = description
+        response_data = await self._request("POST", "/clips/", data=data, auth=True)
+        return Clip.model_validate(response_data)
+
+    async def update_clip(self, clip_id: str, new_description: str | None = None) -> Clip:
+        """Update a clip's metadata."""
+        data = {}
+        if new_description is not None:
+            data["new_description"] = new_description
+        response_data = await self._request("POST", f"/clips/{clip_id}", data=data, auth=True)
+        return Clip.model_validate(response_data)
+
+    async def delete_clip(self, clip_id: str) -> None:
+        """Delete a clip."""
+        await self._request("DELETE", f"/clips/{clip_id}", auth=True)
+
+    async def upload_clip(self, clip_id: str, file_path: str | Path) -> ClipUploadResponse:
+        """Upload a file for a clip."""
+        if not (file_path := Path(file_path)).exists():
+            raise FileNotFoundError(f"File not found: {file_path}")
+
+        # Determine content type based on file extension
+        ext = file_path.suffix.lower()
+        content_type_map = {
+            ".mp4": "video/mp4",
+            ".avi": "video/x-msvideo",
+            ".mov": "video/quicktime",
+            ".mkv": "video/x-matroska",
+            ".webm": "video/webm",
+            ".json": "application/json",
+            ".txt": "text/plain",
+        }
+        content_type = content_type_map.get(ext, "application/octet-stream")
+
+        # Get upload URL
+        data = await self._request(
+            "PUT",
+            f"/clips/{clip_id}/upload",
+            data={"filename": file_path.name, "content_type": content_type},
+            auth=True,
+        )
+        response = ClipUploadResponse.model_validate(data)
+
+        # Upload the file
+        async with httpx.AsyncClient(timeout=httpx.Timeout(UPLOAD_TIMEOUT)) as client:
+            async with client.stream(
+                "PUT",
+                response.url,
+                content=file_path.read_bytes(),
+                headers={"Content-Type": response.content_type},
+            ) as r:
+                r.raise_for_status()
+
+        return response
+
+    async def download_clip(self, clip_id: str) -> ClipDownloadResponse:
+        """Get download URL and metadata for a clip."""
+        data = await self._request("GET", f"/clips/{clip_id}/download", auth=True)
+        return ClipDownloadResponse.model_validate(data)
+
+    async def download_clip_to_file(self, clip_id: str, output_path: str | Path) -> Path:
+        """Download a clip to a local file."""
+        download_response = await self.download_clip(clip_id)
+        output_path = Path(output_path)
+
+        async with httpx.AsyncClient(timeout=httpx.Timeout(DOWNLOAD_TIMEOUT)) as client:
+            async with client.stream("GET", download_response.url) as response:
+                response.raise_for_status()
+                with output_path.open("wb") as f:
+                    async for chunk in response.aiter_bytes():
+                        f.write(chunk)
+
+        # Verify download integrity if hash is provided
+        if download_response.md5_hash:
+            with output_path.open("rb") as f:
+                file_hash = hashlib.md5(f.read()).hexdigest()
+                if file_hash != download_response.md5_hash:
+                    raise ValueError(
+                        f"Downloaded file hash mismatch: expected {download_response.md5_hash}, got {file_hash}"
+                    )
+
+        return output_path

kscale/web/clients/group.py

@@ -0,0 +1,85 @@
+"""Defines the client for interacting with the K-Scale group endpoints."""
+
+from kscale.web.clients.base import BaseClient
+from kscale.web.gen.api import (
+    GroupMembershipResponse,
+    GroupResponse,
+    GroupShareResponse,
+)
+
+
+class GroupClient(BaseClient):
+    async def get_groups(self) -> list[GroupResponse]:
+        """Get all groups for the authenticated user."""
+        data = await self._request("GET", "/groups/", auth=True)
+        return [GroupResponse.model_validate(item) for item in data]
+
+    async def get_group(self, group_id: str) -> GroupResponse:
+        """Get a specific group by ID."""
+        data = await self._request("GET", f"/groups/{group_id}", auth=True)
+        return GroupResponse.model_validate(data)
+
+    async def create_group(self, name: str, description: str | None = None) -> GroupResponse:
+        """Create a new group."""
+        data = {"name": name}
+        if description is not None:
+            data["description"] = description
+        response_data = await self._request("POST", "/groups/", data=data, auth=True)
+        return GroupResponse.model_validate(response_data)
+
+    async def update_group(
+        self,
+        group_id: str,
+        name: str | None = None,
+        description: str | None = None,
+    ) -> GroupResponse:
+        """Update a group's metadata."""
+        data = {}
+        if name is not None:
+            data["name"] = name
+        if description is not None:
+            data["description"] = description
+        response_data = await self._request("POST", f"/groups/{group_id}", data=data, auth=True)
+        return GroupResponse.model_validate(response_data)
+
+    async def delete_group(self, group_id: str) -> None:
+        """Delete a group."""
+        await self._request("DELETE", f"/groups/{group_id}", auth=True)
+
+    # Group membership management
+    async def get_group_memberships(self, group_id: str) -> list[GroupMembershipResponse]:
+        """Get all memberships for a group."""
+        data = await self._request("GET", f"/groups/{group_id}/memberships", auth=True)
+        return [GroupMembershipResponse.model_validate(item) for item in data]
+
+    async def request_group_membership(self, group_id: str) -> GroupMembershipResponse:
+        """Request to join a group."""
+        data = await self._request("POST", f"/groups/{group_id}/memberships", auth=True)
+        return GroupMembershipResponse.model_validate(data)
+
+    async def approve_group_membership(self, group_id: str, user_id: str) -> GroupMembershipResponse:
+        """Approve a membership request."""
+        data = await self._request("POST", f"/groups/{group_id}/memberships/{user_id}/approve", auth=True)
+        return GroupMembershipResponse.model_validate(data)
+
+    async def reject_group_membership(self, group_id: str, user_id: str) -> None:
+        """Reject a membership request."""
+        await self._request("DELETE", f"/groups/{group_id}/memberships/{user_id}", auth=True)
+
+    # Group sharing management
+    async def get_group_shares(self, group_id: str) -> list[GroupShareResponse]:
+        """Get all resources shared with a group."""
+        data = await self._request("GET", f"/groups/{group_id}/shares", auth=True)
+        return [GroupShareResponse.model_validate(item) for item in data]
+
+    async def share_resource_with_group(
+        self, group_id: str, resource_type: str, resource_id: str
+    ) -> GroupShareResponse:
+        """Share a resource with a group."""
+        data = {"resource_type": resource_type, "resource_id": resource_id}
+        response_data = await self._request("POST", f"/groups/{group_id}/shares", data=data, auth=True)
+        return GroupShareResponse.model_validate(response_data)
+
+    async def unshare_resource_from_group(self, group_id: str, share_id: str) -> None:
+        """Remove a resource share from a group."""
+        await self._request("DELETE", f"/groups/{group_id}/shares/{share_id}", auth=True)

kscale/web/clients/permission.py

@@ -0,0 +1,35 @@
+"""Defines the client for interacting with the K-Scale permission endpoints."""
+
+from kscale.web.clients.base import BaseClient
+from kscale.web.gen.api import PermissionResponse, UserPermissionsResponse
+
+
+class PermissionClient(BaseClient):
+    async def get_all_permissions(self) -> list[PermissionResponse]:
+        """Get all available permissions."""
+        data = await self._request("GET", "/permissions/list")
+        return [PermissionResponse.model_validate(item) for item in data]
+
+    async def get_user_permissions(self, user_id: str = "me") -> UserPermissionsResponse:
+        """Get permissions for a specific user."""
+        data = {"user_id": user_id}
+        data = await self._request("GET", "/permissions/user", data=data, auth=True)
+        return UserPermissionsResponse.model_validate(data)
+
+    async def update_user_permissions(self, user_id: str, permissions: list[str]) -> UserPermissionsResponse:
+        """Update permissions for a user."""
+        data = {"user_id": user_id, "permissions": permissions}
+        response_data = await self._request("PUT", "/permissions/user", data=data, auth=True)
+        return UserPermissionsResponse.model_validate(response_data)
+
+    async def add_user_permission(self, user_id: str, permission: str) -> UserPermissionsResponse:
+        """Add a single permission to a user."""
+        data = {"user_id": user_id, "permission": permission}
+        response_data = await self._request("POST", "/permissions/user", data=data, auth=True)
+        return UserPermissionsResponse.model_validate(response_data)
+
+    async def remove_user_permission(self, user_id: str, permission: str) -> UserPermissionsResponse:
+        """Remove a single permission from a user."""
+        params = {"user_id": user_id, "permission": permission}
+        response_data = await self._request("DELETE", "/permissions/user", params=params, auth=True)
+        return UserPermissionsResponse.model_validate(response_data)

kscale/web/clients/user.py

@@ -8,7 +8,3 @@ class UserClient(BaseClient):
     async def get_profile_info(self) -> ProfileResponse:
         data = await self._request("GET", "/auth/profile", auth=True)
         return ProfileResponse(**data)
-
-    async def get_api_key(self, num_hours: int = 24) -> str:
-        data = await self._request("POST", "/auth/key", auth=True, data={"num_hours": num_hours})
-        return data["api_key"]