looker-sdk 24.18.0__py3-none-any.whl → 24.20.0__py3-none-any.whl

looker_sdk/rtl/auth_session.py

@@ -0,0 +1,353 @@
+# The MIT License (MIT)
+#
+# Copyright (c) 2019 Looker Data Sciences, Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+"""AuthSession to provide automatic authentication
+"""
+import hashlib
+import secrets
+from typing import cast, Dict, Optional, Union
+import urllib.parse
+
+import attr
+
+from looker_sdk import error
+from looker_sdk.rtl import api_settings
+from looker_sdk.rtl import auth_token
+from looker_sdk.rtl import model
+from looker_sdk.rtl import serialize
+from looker_sdk.rtl import transport
+
+
+class AuthSession:
+    """AuthSession to provide automatic authentication"""
+
+    def __init__(
+        self,
+        settings: api_settings.PApiSettings,
+        transport: transport.Transport,
+        deserialize: serialize.TDeserialize,
+        api_version: str,
+    ):
+        settings.is_configured()
+        self.settings = settings
+        self.api_version = api_version
+        self.sudo_token: auth_token.AuthToken = auth_token.AuthToken()
+        self.token: auth_token.AuthToken = auth_token.AuthToken()
+        self._sudo_id: Optional[int] = None
+        self.transport = transport
+        self.deserialize = deserialize
+        self.token_model = auth_token.AccessToken
+
+    def _is_authenticated(self, token: auth_token.AuthToken) -> bool:
+        """Determines if current token is active."""
+        if not (token.access_token):
+            return False
+        return token.is_active
+
+    @property
+    def is_sudo_authenticated(self) -> bool:
+        return self._is_authenticated(self.sudo_token)
+
+    @property
+    def is_authenticated(self) -> bool:
+        return self._is_authenticated(self.token)
+
+    def _get_sudo_token(
+        self, transport_options: transport.TransportOptions
+    ) -> auth_token.AuthToken:
+        """Returns an active sudo token."""
+        if not self.is_sudo_authenticated:
+            self._login_sudo(transport_options)
+        return self.sudo_token
+
+    def _get_token(
+        self, transport_options: transport.TransportOptions
+    ) -> auth_token.AuthToken:
+        """Returns an active token."""
+        if not self.is_authenticated:
+            self._login(transport_options)
+        return self.token
+
+    def authenticate(
+        self, transport_options: transport.TransportOptions
+    ) -> Dict[str, str]:
+        """Return the Authorization header to authenticate each API call.
+
+        Expired token renewal happens automatically.
+        """
+        if self._sudo_id:
+            token = self._get_sudo_token(transport_options)
+        else:
+            token = self._get_token(transport_options)
+
+        return {"Authorization": f"Bearer {token.access_token}"}
+
+    def login_user(
+        self,
+        sudo_id: int,
+        transport_options: Optional[transport.TransportOptions] = None,
+    ) -> None:
+        """Authenticate using settings credentials and sudo as sudo_id.
+
+        Make API calls as if authenticated as sudo_id. The sudo_id
+        token is automatically renewed when it expires. In order to
+        subsequently login_user() as another user you must first logout()
+        """
+        if self._sudo_id is None:
+            self._sudo_id = sudo_id
+            try:
+                self._login_sudo(transport_options or {})
+            except error.SDKError:
+                self._sudo_id = None
+                raise
+
+        else:
+            if self._sudo_id != sudo_id:
+                raise error.SDKError(
+                    f"Another user ({self._sudo_id}) "
+                    "is already logged in. Log them out first."
+                )
+            elif not self.is_sudo_authenticated:
+                self._login_sudo(transport_options or {})
+
+    def _login(self, transport_options: transport.TransportOptions) -> None:
+        client_id = self.settings.read_config().get("client_id")
+        client_secret = self.settings.read_config().get("client_secret")
+        if not (client_id and client_secret):
+            raise error.SDKError("Required auth credentials not found.")
+
+        login = {
+            "client_id": cast(str, client_id),
+            "client_secret": cast(str, client_secret),
+        }
+
+        serialized = urllib.parse.urlencode(login).encode("utf-8")
+
+        transport_options.setdefault("headers", {}).update(
+            {"Content-Type": "application/x-www-form-urlencoded"}
+        )
+        response = self._ok(
+            self.transport.request(
+                transport.HttpMethod.POST,
+                f"{self.settings.base_url}/api/{self.api_version}/login",
+                body=serialized,
+                transport_options=transport_options,
+            )
+        )
+
+        # ignore type: mypy bug doesn't recognized kwarg `structure` to partial func
+        access_token = self.deserialize(
+            data=response, structure=self.token_model
+        )  # type: ignore
+        assert isinstance(access_token, auth_token.AccessToken)
+        self.token = auth_token.AuthToken(access_token)
+
+    def _login_sudo(self, transport_options: transport.TransportOptions) -> None:
+        def authenticator(
+            transport_options: transport.TransportOptions,
+        ) -> Dict[str, str]:
+            return {
+                "Authorization": f"Bearer {self._get_token(transport_options).access_token}"
+            }
+
+        response = self._ok(
+            self.transport.request(
+                transport.HttpMethod.POST,
+                f"{self.settings.base_url}/api/{self.api_version}/login/{self._sudo_id}",
+                authenticator=authenticator,
+                transport_options=transport_options,
+            )
+        )
+        # ignore type: mypy bug doesn't recognized kwarg `structure` to partial func
+        access_token = self.deserialize(
+            data=response, structure=self.token_model
+        )  # type: ignore
+        assert isinstance(access_token, auth_token.AccessToken)
+        self.sudo_token = auth_token.AuthToken(access_token)
+
+    def logout(
+        self,
+        full: bool = False,
+        transport_options: Optional[transport.TransportOptions] = None,
+    ) -> None:
+        """Logout of API.
+
+        If the session is authenticated as sudo_id, logout() "undoes"
+        the sudo and deactivates that sudo_id's current token. By default
+        the current api3credential session is active at which point
+        you can continue to make API calls as the api3credential user
+        or logout(). If you want to logout completely in one step pass
+        full=True
+        """
+        if self._sudo_id:
+            self._sudo_id = None
+            if self.is_sudo_authenticated:
+                self._logout(sudo=True, transport_options=transport_options)
+                if full:
+                    self._logout(transport_options=transport_options)
+
+        elif self.is_authenticated:
+            self._logout(transport_options=transport_options)
+
+    def _logout(
+        self,
+        sudo: bool = False,
+        transport_options: Optional[transport.TransportOptions] = None,
+    ) -> None:
+
+        if sudo:
+            token = self.sudo_token.access_token
+            self.sudo_token = auth_token.AuthToken()
+        else:
+            token = self.token.access_token
+            self.token = auth_token.AuthToken()
+
+        def authenticator(
+            _transport_options: transport.TransportOptions,
+        ) -> Dict[str, str]:
+            return {"Authorization": f"Bearer {token}"}
+
+        self._ok(
+            self.transport.request(
+                transport.HttpMethod.DELETE,
+                f"{self.settings.base_url}/api/logout",
+                authenticator=authenticator,
+                transport_options=transport_options,
+            )
+        )
+
+    def _ok(self, response: transport.Response) -> str:
+        if not response.ok:
+            raise error.SDKError(response.value.decode(encoding="utf-8"))
+        return response.value.decode(encoding="utf-8")
+
+
+class CryptoHash:
+    def secure_random(self, byte_count: int) -> str:
+        return secrets.token_urlsafe(byte_count)
+
+    def sha256_hash(self, message: str) -> str:
+        value = hashlib.sha256()
+        value.update(bytes(message, "utf8"))
+        return value.hexdigest()
+
+
+class OAuthSession(AuthSession):
+    def __init__(
+        self,
+        *,
+        settings: api_settings.PApiSettings,
+        transport: transport.Transport,
+        deserialize: serialize.TDeserialize,
+        serialize: serialize.TSerialize,
+        crypto: CryptoHash,
+        version: str,
+    ):
+        super().__init__(settings, transport, deserialize, version)
+        self.crypto = crypto
+        self.serialize = serialize
+        config_data = self.settings.read_config()
+        for required in ["client_id", "redirect_uri", "looker_url"]:
+            if required not in config_data:
+                raise error.SDKError(f"Missing required configuration value {required}")
+
+        # would have prefered using setattr(self, required, ...) in loop above
+        # but mypy can't follow it
+        self.client_id = config_data["client_id"]
+        self.redirect_uri = config_data.get("redirect_uri", "")
+        self.looker_url = config_data.get("looker_url", "")
+        self.code_verifier = ""
+
+    def create_auth_code_request_url(self, scope: str, state: str) -> str:
+        self.code_verifier = self.crypto.secure_random(32)
+        code_challenge = self.crypto.sha256_hash(self.code_verifier)
+        params: Dict[str, str] = {
+            "response_type": "code",
+            "client_id": self.client_id,
+            "redirect_uri": self.redirect_uri,
+            "scope": scope,
+            "state": state,
+            "code_challenge_method": "S256",
+            "code_challenge": code_challenge,
+        }
+        path = urllib.parse.urljoin(self.looker_url, "auth")
+        query = urllib.parse.urlencode(params)
+        return f"{path}?{query}"
+
+    @attr.s(auto_attribs=True, kw_only=True)
+    class GrantTypeParams(model.Model):
+        client_id: str
+        redirect_uri: str
+
+    @attr.s(auto_attribs=True, kw_only=True)
+    class AuthCodeGrantTypeParams(GrantTypeParams):
+        code: str
+        code_verifier: str
+        grant_type: str = "authorization_code"
+
+    @attr.s(auto_attribs=True, kw_only=True)
+    class RefreshTokenGrantTypeParams(GrantTypeParams):
+        refresh_token: str
+        grant_type: str = "refresh_token"
+
+    def _request_token(
+        self,
+        grant_type: Union[AuthCodeGrantTypeParams, RefreshTokenGrantTypeParams],
+        transport_options: transport.TransportOptions,
+    ) -> auth_token.AccessToken:
+        response = self.transport.request(
+            transport.HttpMethod.POST,
+            urllib.parse.urljoin(self.settings.base_url, "/api/token"),
+            body=self.serialize(api_model=grant_type),  # type: ignore
+        )
+        if not response.ok:
+            raise error.SDKError(response.value.decode(encoding=response.encoding))
+
+        # ignore type: mypy bug doesn't recognized kwarg `structure` to partial func
+        return self.deserialize(
+            data=response.value, structure=self.token_model
+        )  # type: ignore
+
+    def redeem_auth_code(
+        self,
+        auth_code: str,
+        code_verifier: Optional[str] = None,
+        transport_options: Optional[transport.TransportOptions] = None,
+    ) -> None:
+        params = self.AuthCodeGrantTypeParams(
+            client_id=self.client_id,
+            redirect_uri=self.redirect_uri,
+            code=auth_code,
+            code_verifier=code_verifier or self.code_verifier,
+        )
+
+        access_token = self._request_token(params, transport_options or {})
+        self.token = auth_token.AuthToken(access_token)
+
+    def _login(self, transport_options: transport.TransportOptions) -> None:
+        params = self.RefreshTokenGrantTypeParams(
+            client_id=self.client_id,
+            redirect_uri=self.redirect_uri,
+            refresh_token=self.token.refresh_token,
+        )
+        access_token = self._request_token(params, transport_options)
+        self.token = auth_token.AuthToken(access_token)

looker_sdk/rtl/auth_token.py

@@ -0,0 +1,101 @@
+# The MIT License (MIT)
+#
+# Copyright (c) 2019 Looker Data Sciences, Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+"""AuthToken
+"""
+from typing import Optional, Type, Union
+import datetime
+
+import attr
+
+from looker_sdk.rtl import auth_session
+from looker_sdk.rtl import model
+
+
+#  Same as the Looker API access token object
+#  Re-declared here to be independent of model generation
+@attr.s(auto_attribs=True, init=False)
+class AccessToken(model.Model):
+    """
+    Attributes:
+        access_token: Access Token used for API calls
+        token_type: Type of Token
+        expires_in: Number of seconds before the token expires
+        refresh_token: Refresh token which can be used to obtain a new access token
+    """
+
+    access_token: Optional[str] = None
+    token_type: Optional[str] = None
+    expires_in: Optional[int] = None
+    refresh_token: Optional[str] = None
+
+    def __init__(
+        self,
+        *,
+        access_token: Optional[str] = None,
+        token_type: Optional[str] = None,
+        expires_in: Optional[int] = None,
+        refresh_token: Optional[str] = None,
+    ):
+        self.access_token = access_token
+        self.token_type = token_type
+        self.expires_in = expires_in
+        self.refresh_token = refresh_token
+
+
+class AuthToken:
+    """Used to instantiate or check expiry of an AccessToken object"""
+
+    def __init__(
+        self, token: Optional[AccessToken] = None,
+    ):
+        self.lag_time = 10
+        self.access_token: str = ""
+        self.refresh_token: str = ""
+        self.token_type: str = ""
+        self.expires_in: int = 0
+        self.expires_at = datetime.datetime.now() + datetime.timedelta(
+            seconds=-self.lag_time
+        )
+        if token is None:
+            token = AccessToken()
+        self.set_token(token)
+
+    def set_token(self, token: AccessToken):
+        """Assign the token and set its expiration."""
+        self.access_token = token.access_token or ""
+        if isinstance(token, AccessToken):
+            self.refresh_token = token.refresh_token or ""
+        self.token_type = token.token_type or ""
+        self.expires_in = token.expires_in or 0
+
+        lag = datetime.timedelta(seconds=-self.lag_time)
+        if token.access_token and token.expires_in:
+            lag = datetime.timedelta(seconds=token.expires_in - self.lag_time)
+        self.expires_at = datetime.datetime.now() + lag
+
+    @property
+    def is_active(self) -> bool:
+        """True if authentication token has not timed out"""
+        if not self.expires_at:
+            return False
+        return self.expires_at > datetime.datetime.now()

looker_sdk/rtl/constants.py

@@ -0,0 +1,31 @@
+# The MIT License (MIT)
+#
+# Copyright (c) 2019 Looker Data Sciences, Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+
+RESPONSE_STRING_MODE = (
+    r"(^application/.*"
+    r"(\bjson\b|\bxml\b|\bsql\b|\bgraphql\b|\bjavascript\b|\bx-www-form-urlencoded\b)"
+    r"|^text/|.*\+xml\b|;.*charset=)"
+)
+
+# note: string mode must be checked first
+RESPONSE_BINARY_MODE = r"^image/|^audio/|^video/|^font/|^application/|^multipart/"

looker_sdk/rtl/hooks.py

@@ -0,0 +1,86 @@
+# The MIT License (MIT)
+#
+# Copyright (c) 2022 Looker Data Sciences, Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+import datetime
+import enum
+import keyword
+import sys
+from typing import Type
+
+
+def unstructure_hook(converter, api_model):
+    """cattr unstructure hook
+
+    Map reserved_ words in models to correct json field names.
+    Also handle stripping None fields from dict while setting
+    EXPLICIT_NULL fields to None so that we only send null
+    in the json for fields the caller set EXPLICIT_NULL on.
+    """
+    data = converter.unstructure_attrs_asdict(api_model)
+    for key, value in data.copy().items():
+        if value is None:
+            del data[key]
+        elif value == "EXPLICIT_NULL":
+            data[key] = None
+        # bug here: in the unittests cattrs unstructures this correctly
+        # as an enum calling .value but in the integration tests we see
+        # it doesn't for WriteCreateQueryTask.result_format for some reason
+        # Haven't been able to debug it fully, so catching and processing
+        # it here.
+        elif isinstance(value, enum.Enum):
+            data[key] = value.value
+    for reserved in keyword.kwlist:
+        if f"{reserved}_" in data:
+            data[reserved] = data.pop(f"{reserved}_")
+    return data
+
+
+DATETIME_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"
+if sys.version_info < (3, 7):
+    from dateutil import parser
+
+    def datetime_structure_hook(
+        d: str, t: Type[datetime.datetime]
+    ) -> datetime.datetime:
+        return parser.isoparse(d)
+
+else:
+
+    def datetime_structure_hook(
+        d: str, t: Type[datetime.datetime]
+    ) -> datetime.datetime:
+        return datetime.datetime.strptime(d, DATETIME_FMT)
+
+
+def datetime_unstructure_hook(dt):
+    return dt.strftime(DATETIME_FMT)
+
+
+def tr_data_keys(data):
+    """Map top level json keys to model property names.
+
+    Currently this translates reserved python keywords like "from" => "from_"
+    """
+    for reserved in keyword.kwlist:
+        if reserved in data and isinstance(data, dict):
+            data[f"{reserved}_"] = data.pop(reserved)
+    return data