miso-client 0.1.0__py3-none-any.whl → 3.7.2__py3-none-any.whl

miso_client/utils/client_token_manager.py

@@ -0,0 +1,244 @@
+"""
+Client token manager for InternalHttpClient.
+
+This module provides client token management functionality including token fetching,
+caching, and correlation ID extraction.
+"""
+
+import asyncio
+from datetime import datetime, timedelta
+from typing import Optional
+
+import httpx
+
+from ..errors import AuthenticationError, ConnectionError
+from ..models.config import ClientTokenResponse, MisoClientConfig
+from .controller_url_resolver import resolve_controller_url
+from .jwt_tools import decode_token
+
+
+class ClientTokenManager:
+    """
+    Manages client token lifecycle including fetching, caching, and expiration.
+
+    This class handles all client token operations for InternalHttpClient.
+    """
+
+    def __init__(self, config: MisoClientConfig):
+        """
+        Initialize client token manager.
+
+        Args:
+            config: MisoClient configuration
+        """
+        self.config = config
+        self.client_token: Optional[str] = None
+        self.token_expires_at: Optional[datetime] = None
+        self.token_refresh_lock = asyncio.Lock()
+
+    def extract_correlation_id(self, response: Optional[httpx.Response] = None) -> Optional[str]:
+        """
+        Extract correlation ID from response headers.
+
+        Checks common correlation ID header names.
+
+        Args:
+            response: HTTP response object (optional)
+
+        Returns:
+            Correlation ID string if found, None otherwise
+        """
+        if not response:
+            return None
+
+        # Check common correlation ID header names (case-insensitive)
+        correlation_headers = [
+            "x-correlation-id",
+            "x-request-id",
+            "correlation-id",
+            "correlationId",
+            "x-correlationid",
+            "request-id",
+        ]
+
+        for header_name in correlation_headers:
+            correlation_id = response.headers.get(header_name) or response.headers.get(
+                header_name.lower()
+            )
+            if correlation_id:
+                return str(correlation_id)
+
+        return None
+
+    async def get_client_token(self) -> str:
+        """
+        Get client token, fetching if needed.
+
+        Proactively refreshes if token will expire within 60 seconds.
+
+        Returns:
+            Client token string
+
+        Raises:
+            AuthenticationError: If token fetch fails
+        """
+        now = datetime.now()
+
+        # If token exists and not expired (with 60s buffer for proactive refresh), return it
+        if (
+            self.client_token
+            and self.token_expires_at
+            and self.token_expires_at > now + timedelta(seconds=60)
+        ):
+            assert self.client_token is not None
+            return self.client_token
+
+        # Acquire lock to prevent concurrent token fetches
+        async with self.token_refresh_lock:
+            # Double-check after acquiring lock
+            if (
+                self.client_token
+                and self.token_expires_at
+                and self.token_expires_at > now + timedelta(seconds=60)
+            ):
+                assert self.client_token is not None
+                return self.client_token
+
+            # Fetch new token
+            await self.fetch_client_token()
+            assert self.client_token is not None
+            return self.client_token
+
+    async def fetch_client_token(self) -> None:
+        """
+        Fetch client token from controller.
+
+        Raises:
+            AuthenticationError: If token fetch fails
+        """
+        client_id = self.config.client_id
+        response: Optional[httpx.Response] = None
+        correlation_id: Optional[str] = None
+
+        try:
+            # Use resolved URL for temporary client
+            resolved_url = resolve_controller_url(self.config)
+            # Use a temporary client to avoid interceptor recursion
+            temp_client = httpx.AsyncClient(
+                base_url=resolved_url,
+                timeout=30.0,
+                headers={
+                    "Content-Type": "application/json",
+                    "x-client-id": client_id,
+                    "x-client-secret": self.config.client_secret,
+                },
+            )
+
+            # Use configurable client token URI or default
+            token_uri = self.config.clientTokenUri or "/api/v1/auth/token"
+            response = await temp_client.post(token_uri)
+            await temp_client.aclose()
+
+            # Extract correlation ID from response
+            correlation_id = self.extract_correlation_id(response)
+
+            # OpenAPI spec returns 201 (Created) on success, but accept both 200 and 201 for compatibility
+            if response.status_code not in [200, 201]:
+                error_msg = f"Failed to get client token: HTTP {response.status_code}"
+                if client_id:
+                    error_msg += f" (clientId: {client_id})"
+                if correlation_id:
+                    error_msg += f" (correlationId: {correlation_id})"
+                raise AuthenticationError(error_msg, status_code=response.status_code)
+
+            data = response.json()
+
+            # Handle nested response structure (data field)
+            # If response has {'success': True, 'data': {...}}, extract data and preserve success
+            if isinstance(data, dict) and "data" in data and isinstance(data["data"], dict):
+                nested_data = data["data"]
+                # Merge success from top level if present
+                if "success" in data:
+                    nested_data["success"] = data["success"]
+                data = nested_data
+
+            # Handle controller response format that may not include all fields
+            # Controller may return {'token': '...', 'expiresAt': '...'} without success/expiresIn
+            if "token" in data:
+                # Default success to True if token is present
+                if "success" not in data:
+                    data["success"] = True
+                # Calculate expiresIn from expiresAt if missing
+                if "expiresIn" not in data and "expiresAt" in data:
+                    try:
+                        expires_at = datetime.fromisoformat(
+                            data["expiresAt"].replace("Z", "+00:00")
+                        )
+                        now = (
+                            datetime.now(expires_at.tzinfo) if expires_at.tzinfo else datetime.now()
+                        )
+                        expires_in = max(0, int((expires_at - now).total_seconds()))
+                        data["expiresIn"] = expires_in
+                    except Exception:
+                        # If parsing fails, default to 1800 seconds (30 minutes)
+                        data["expiresIn"] = 1800
+
+            token_response = ClientTokenResponse(**data)
+
+            if not token_response.success or not token_response.token:
+                error_msg = "Failed to get client token: Invalid response"
+                if client_id:
+                    error_msg += f" (clientId: {client_id})"
+                if correlation_id:
+                    error_msg += f" (correlationId: {correlation_id})"
+                raise AuthenticationError(error_msg)
+
+            self.client_token = token_response.token
+
+            # Calculate expiration: use expiresIn if available, otherwise decode JWT to get exp claim
+            expires_in = token_response.expiresIn
+            if not expires_in or expires_in <= 0:
+                # Try to extract expiration from JWT token
+                try:
+                    decoded = decode_token(token_response.token)
+                    if decoded and "exp" in decoded and isinstance(decoded["exp"], (int, float)):
+                        # Calculate expires_in from JWT exp claim
+                        token_exp = datetime.fromtimestamp(decoded["exp"])
+                        now = datetime.now()
+                        expires_in = max(0, int((token_exp - now).total_seconds()))
+                    else:
+                        # No expiration found, use default (30 minutes)
+                        expires_in = 1800
+                except Exception:
+                    # JWT decode failed, use default (30 minutes)
+                    expires_in = 1800
+
+            # Set expiration with 30 second buffer before actual expiration
+            expires_in = max(0, expires_in - 30)
+            self.token_expires_at = datetime.now() + timedelta(seconds=expires_in)
+
+        except httpx.HTTPError as e:
+            error_msg = f"Failed to get client token: {str(e)}"
+            if client_id:
+                error_msg += f" (clientId: {client_id})"
+            if correlation_id:
+                error_msg += f" (correlationId: {correlation_id})"
+            raise ConnectionError(error_msg)
+        except Exception as e:
+            if isinstance(e, (AuthenticationError, ConnectionError)):
+                raise
+            error_msg = f"Failed to get client token: {str(e)}"
+            if client_id:
+                error_msg += f" (clientId: {client_id})"
+            if correlation_id:
+                error_msg += f" (correlationId: {correlation_id})"
+            raise AuthenticationError(error_msg)
+
+    def clear_token(self) -> None:
+        """
+        Clear cached client token.
+
+        Forces token refresh on next request.
+        """
+        self.client_token = None
+        self.token_expires_at = None

miso_client/utils/config_loader.py

@@ -5,51 +5,68 @@ Automatically loads environment variables with sensible defaults.
 """
 
 import os
-from typing import Literal, cast
-from ..models.config import MisoClientConfig, RedisConfig
+from typing import List, Literal, cast
+
 from ..errors import ConfigurationError
+from ..models.config import AuthMethod, AuthStrategy, MisoClientConfig, RedisConfig
 
 
 def load_config() -> MisoClientConfig:
     """
     Load configuration from environment variables with defaults.
-    
+
     Required environment variables:
     - MISO_CONTROLLER_URL (or default to https://controller.aifabrix.ai)
     - MISO_CLIENTID or MISO_CLIENT_ID
     - MISO_CLIENTSECRET or MISO_CLIENT_SECRET
-    
+
     Optional environment variables:
     - MISO_LOG_LEVEL (debug, info, warn, error)
+    - API_KEY (for testing - bypasses OAuth2 authentication)
+    - MISO_API_KEY (alternative to API_KEY)
+    - MISO_AUTH_STRATEGY (comma-separated list: bearer,client-token,api-key)
+    - MISO_CLIENT_TOKEN_URI (custom client token endpoint URI)
+    - MISO_ALLOWED_ORIGINS (comma-separated list of allowed origins, supports wildcard ports)
+    - MISO_CONTROLLER_URL (maps to controllerPrivateUrl and controller_url for backward compatibility)
+    - MISO_WEB_SERVER_URL (maps to controllerPublicUrl for browser/public access)
     - REDIS_HOST (if Redis is used)
     - REDIS_PORT (default: 6379)
     - REDIS_PASSWORD
     - REDIS_DB (default: 0)
     - REDIS_KEY_PREFIX (default: miso:)
-    
+
     Returns:
         MisoClientConfig instance
-        
+
     Raises:
         ConfigurationError: If required environment variables are missing
     """
     # Load dotenv if available (similar to TypeScript dotenv/config)
     try:
         from dotenv import load_dotenv
+
         load_dotenv()
     except ImportError:
         pass  # dotenv not installed, continue without it
-    
+
+    # MISO_CONTROLLER_URL maps to controllerPrivateUrl (server/internal) and controller_url (backward compatibility)
     controller_url = os.environ.get("MISO_CONTROLLER_URL") or "https://controller.aifabrix.ai"
-    
+    controller_private_url = os.environ.get(
+        "MISO_CONTROLLER_URL"
+    )  # Same as controller_url for server
+    # MISO_WEB_SERVER_URL maps to controllerPublicUrl (browser/public)
+    controller_public_url = os.environ.get("MISO_WEB_SERVER_URL")
+
     client_id = os.environ.get("MISO_CLIENTID") or os.environ.get("MISO_CLIENT_ID") or ""
     if not client_id:
         raise ConfigurationError("MISO_CLIENTID environment variable is required")
-    
-    client_secret = os.environ.get("MISO_CLIENTSECRET") or os.environ.get("MISO_CLIENT_SECRET") or ""
+
+    client_secret = (
+        os.environ.get("MISO_CLIENTSECRET") or os.environ.get("MISO_CLIENT_SECRET") or ""
+    )
     if not client_secret:
         raise ConfigurationError("MISO_CLIENTSECRET environment variable is required")
-    
+
     log_level_str = os.environ.get("MISO_LOG_LEVEL", "info")
     if log_level_str not in ["debug", "info", "warn", "error"]:
         log_level_str = "info"
@@ -57,22 +74,77 @@ def load_config() -> MisoClientConfig:
     log_level: Literal["debug", "info", "warn", "error"] = cast(
         Literal["debug", "info", "warn", "error"], log_level_str
     )
-    
+
+    # Optional API_KEY for testing (support both API_KEY and MISO_API_KEY)
+    api_key = os.environ.get("API_KEY") or os.environ.get("MISO_API_KEY")
+
+    # Optional auth strategy
+    auth_strategy = None
+    auth_strategy_str = os.environ.get("MISO_AUTH_STRATEGY")
+    if auth_strategy_str:
+        try:
+            methods_str = [m.strip() for m in auth_strategy_str.split(",")]
+            # Validate methods
+            valid_methods: List[AuthMethod] = [
+                "bearer",
+                "client-token",
+                "client-credentials",
+                "api-key",
+            ]
+            methods: List[AuthMethod] = []
+            for method in methods_str:
+                if method in valid_methods:
+                    methods.append(method)  # type: ignore
+                else:
+                    raise ConfigurationError(
+                        f"Invalid auth method '{method}' in MISO_AUTH_STRATEGY. "
+                        f"Valid methods: {', '.join(valid_methods)}"
+                    )
+            if methods:
+                auth_strategy = AuthStrategy(methods=methods, apiKey=api_key)
+        except Exception as e:
+            if isinstance(e, ConfigurationError):
+                raise
+            raise ConfigurationError(f"Failed to parse MISO_AUTH_STRATEGY: {str(e)}")
+
+    # Optional client token URI
+    client_token_uri = os.environ.get("MISO_CLIENT_TOKEN_URI")
+
+    # Optional allowed origins
+    allowed_origins = None
+    allowed_origins_str = os.environ.get("MISO_ALLOWED_ORIGINS")
+    if allowed_origins_str:
+        # Split comma-separated list and trim whitespace
+        origins_list = [
+            origin.strip() for origin in allowed_origins_str.split(",") if origin.strip()
+        ]
+        if origins_list:
+            allowed_origins = origins_list
+
     config: MisoClientConfig = MisoClientConfig(
         controller_url=controller_url,
         client_id=client_id,
         client_secret=client_secret,
         log_level=log_level,
+        api_key=api_key,
+        authStrategy=auth_strategy,
+        clientTokenUri=client_token_uri,
+        allowedOrigins=allowed_origins,
+        controllerPrivateUrl=controller_private_url,
+        controllerPublicUrl=controller_public_url,
     )
-    
+
     # Optional Redis configuration
     redis_host = os.environ.get("REDIS_HOST")
     if redis_host:
         redis_port = int(os.environ.get("REDIS_PORT", "6379"))
         redis_password = os.environ.get("REDIS_PASSWORD")
+        # Convert empty string to None
+        if redis_password == "":
+            redis_password = None
         redis_db = int(os.environ.get("REDIS_DB", "0")) if os.environ.get("REDIS_DB") else 0
         redis_key_prefix = os.environ.get("REDIS_KEY_PREFIX", "miso:")
-        
+
         redis_config = RedisConfig(
             host=redis_host,
             port=redis_port,
@@ -80,8 +152,7 @@ def load_config() -> MisoClientConfig:
             db=redis_db,
             key_prefix=redis_key_prefix,
         )
-        
+
         config.redis = redis_config
-    
-    return config
 
+    return config

miso_client/utils/controller_url_resolver.py

@@ -0,0 +1,80 @@
+"""
+Controller URL resolver with environment detection.
+
+Automatically selects appropriate controller URL based on environment
+(public for browser, private for server) with fallback support.
+"""
+
+from typing import Optional
+
+from ..errors import ConfigurationError
+from ..models.config import MisoClientConfig
+from .url_validator import validate_url
+
+
+def is_browser() -> bool:
+    """
+    Check if running in browser environment.
+
+    For Python SDK (server-side only), always returns False.
+
+    Returns:
+        False (Python SDK is server-side only)
+    """
+    return False
+
+
+def resolve_controller_url(config: MisoClientConfig) -> str:
+    """
+    Resolve controller URL based on environment and configuration.
+
+    For server environment:
+    - Uses controllerPrivateUrl if set
+    - Falls back to controller_url if controllerPrivateUrl not set
+    - Validates resolved URL
+    - Raises ConfigurationError if no valid URL found
+
+    Args:
+        config: MisoClient configuration
+
+    Returns:
+        Resolved controller URL string
+
+    Raises:
+        ConfigurationError: If no valid URL is configured
+
+    Example:
+        >>> config = MisoClientConfig(
+        ...     controller_url="https://controller.example.com",
+        ...     controllerPrivateUrl="https://controller-private.example.com",
+        ...     client_id="test",
+        ...     client_secret="secret"
+        ... )
+        >>> url = resolve_controller_url(config)
+        >>> url
+        'https://controller-private.example.com'
+    """
+    # Server environment: prefer controllerPrivateUrl, fallback to controller_url
+    resolved_url: Optional[str] = None
+
+    if is_browser():
+        # Browser environment (not applicable for Python SDK, but included for completeness)
+        resolved_url = config.controllerPublicUrl or config.controller_url
+    else:
+        # Server environment
+        resolved_url = config.controllerPrivateUrl or config.controller_url
+
+    if not resolved_url:
+        raise ConfigurationError(
+            "No controller URL configured. Set controller_url, controllerPrivateUrl, "
+            "or controllerPublicUrl in MisoClientConfig."
+        )
+
+    # Validate URL
+    if not validate_url(resolved_url):
+        raise ConfigurationError(
+            f"Invalid controller URL format: {resolved_url}. "
+            "URL must start with http:// or https:// and have a valid hostname."
+        )
+
+    return resolved_url