miso-client 0.1.0__py3-none-any.whl

miso_client/services/redis.py

@@ -0,0 +1,179 @@
+"""
+Redis service for caching and log queuing.
+
+This module provides Redis connectivity with graceful degradation when Redis
+is unavailable. It handles caching of roles and permissions, and log queuing.
+"""
+
+import redis.asyncio as redis
+from typing import Optional
+from ..models.config import RedisConfig
+
+
+class RedisService:
+    """Redis service for caching and log queuing."""
+    
+    def __init__(self, config: Optional[RedisConfig] = None):
+        """
+        Initialize Redis service.
+        
+        Args:
+            config: Optional Redis configuration
+        """
+        self.config = config
+        self.redis: Optional[redis.Redis] = None
+        self.connected = False
+
+    async def connect(self) -> None:
+        """
+        Connect to Redis.
+        
+        Raises:
+            Exception: If connection fails and config is provided
+        """
+        if not self.config:
+            print("Redis not configured, using controller fallback")
+            return
+
+        try:
+            self.redis = redis.Redis(
+                host=self.config.host,
+                port=self.config.port,
+                password=self.config.password,
+                db=self.config.db,
+                decode_responses=True,
+                retry_on_timeout=True,
+                socket_connect_timeout=5,
+                socket_timeout=5,
+            )
+            
+            # Test connection
+            # Some redis stubs type ping as possibly non-awaitable; support both
+            resp = self.redis.ping()
+            if hasattr(resp, "__await__"):
+                await resp  # type: ignore[misc]
+            self.connected = True
+            print("Connected to Redis")
+            
+        except Exception as error:
+            print(f"Failed to connect to Redis: {error}")
+            self.connected = False
+            if self.config:  # Only raise if Redis was configured
+                raise error
+
+    async def disconnect(self) -> None:
+        """Disconnect from Redis."""
+        if self.redis:
+            await self.redis.aclose()
+            self.connected = False
+            print("Disconnected from Redis")
+
+    def is_connected(self) -> bool:
+        """
+        Check if Redis is connected.
+        
+        Returns:
+            True if connected, False otherwise
+        """
+        return self.connected and self.redis is not None
+
+    async def get(self, key: str) -> Optional[str]:
+        """
+        Get value from Redis.
+        
+        Args:
+            key: Redis key
+            
+        Returns:
+            Value if found, None otherwise
+        """
+        if not self.is_connected():
+            return None
+
+        try:
+            assert self.redis is not None
+            prefixed_key = f"{self.config.key_prefix}{key}" if self.config else key
+            resp = self.redis.get(prefixed_key)
+            if hasattr(resp, "__await__"):
+                result = await resp  # type: ignore[misc]
+            else:
+                result = resp
+            return None if result is None else str(result)
+        except Exception as error:
+            print(f"Redis get error: {error}")
+            return None
+
+    async def set(self, key: str, value: str, ttl: int) -> bool:
+        """
+        Set value in Redis with TTL.
+        
+        Args:
+            key: Redis key
+            value: Value to store
+            ttl: Time to live in seconds
+            
+        Returns:
+            True if successful, False otherwise
+        """
+        if not self.is_connected():
+            return False
+
+        try:
+            assert self.redis is not None
+            prefixed_key = f"{self.config.key_prefix}{key}" if self.config else key
+            resp = self.redis.setex(prefixed_key, ttl, value)
+            if hasattr(resp, "__await__"):
+                await resp  # type: ignore[misc]
+            return True
+        except Exception as error:
+            print(f"Redis set error: {error}")
+            return False
+
+    async def delete(self, key: str) -> bool:
+        """
+        Delete key from Redis.
+        
+        Args:
+            key: Redis key
+            
+        Returns:
+            True if successful, False otherwise
+        """
+        if not self.is_connected():
+            return False
+
+        try:
+            assert self.redis is not None
+            prefixed_key = f"{self.config.key_prefix}{key}" if self.config else key
+            resp = self.redis.delete(prefixed_key)
+            if hasattr(resp, "__await__"):
+                await resp  # type: ignore[misc]
+            return True
+        except Exception as error:
+            print(f"Redis delete error: {error}")
+            return False
+
+    async def rpush(self, queue: str, value: str) -> bool:
+        """
+        Push value to Redis list (for log queuing).
+        
+        Args:
+            queue: Queue name
+            value: Value to push
+            
+        Returns:
+            True if successful, False otherwise
+        """
+        if not self.is_connected():
+            return False
+
+        try:
+            assert self.redis is not None
+            prefixed_queue = f"{self.config.key_prefix}{queue}" if self.config else queue
+            resp = self.redis.rpush(prefixed_queue, value)
+            if hasattr(resp, "__await__"):
+                await resp  # type: ignore[misc]
+            return True
+        except Exception as error:
+            print(f"Redis rpush error: {error}")
+            return False

miso_client/services/role.py

@@ -0,0 +1,180 @@
+"""
+Role service for user authorization with caching.
+
+This module handles role-based access control with caching support.
+Roles are cached with Redis and in-memory fallback using CacheService.
+Optimized to extract userId from JWT token before API calls for cache optimization.
+"""
+
+import time
+from typing import List, cast
+from ..models.config import RoleResult
+from ..services.cache import CacheService
+from ..utils.http_client import HttpClient
+from ..utils.jwt_tools import extract_user_id
+
+
+class RoleService:
+    """Role service for user authorization with caching."""
+    
+    def __init__(self, http_client: HttpClient, cache: CacheService):
+        """
+        Initialize role service.
+        
+        Args:
+            http_client: HTTP client instance
+            cache: Cache service instance (handles Redis + in-memory fallback)
+        """
+        self.config = http_client.config
+        self.http_client = http_client
+        self.cache = cache
+        self.role_ttl = self.config.role_ttl
+
+    async def get_roles(self, token: str) -> List[str]:
+        """
+        Get user roles with Redis caching.
+        
+        Optimized to extract userId from token first to check cache before API call.
+        
+        Args:
+            token: JWT token
+            
+        Returns:
+            List of user roles
+        """
+        try:
+            # Extract userId from token to check cache first (avoids API call on cache hit)
+            user_id = extract_user_id(token)
+            cache_key = f"roles:{user_id}" if user_id else None
+
+            # Check cache first if we have userId
+            if cache_key:
+                cached_data = await self.cache.get(cache_key)
+                if cached_data and isinstance(cached_data, dict):
+                    return cast(List[str], cached_data.get("roles", []))
+
+            # Cache miss or no userId in token - fetch from controller
+            # If we don't have userId, get it from validate endpoint
+            if not user_id:
+                user_info = await self.http_client.authenticated_request(
+                    "POST",
+                    "/api/auth/validate",
+                    token
+                )
+                user_id = user_info.get("user", {}).get("id") if user_info else None
+                if not user_id:
+                    return []
+                cache_key = f"roles:{user_id}"
+
+            # Cache miss - fetch from controller
+            role_result = await self.http_client.authenticated_request(
+                "GET",
+                "/api/auth/roles",  # Backend knows app/env from client token
+                token
+            )
+            
+            role_data = RoleResult(**role_result)
+            roles = role_data.roles or []
+
+            # Cache the result (CacheService handles Redis + in-memory automatically)
+            assert cache_key is not None
+            await self.cache.set(
+                cache_key,
+                {"roles": roles, "timestamp": int(time.time() * 1000)},
+                self.role_ttl
+            )
+
+            return roles
+            
+        except Exception:
+            # Failed to get roles, return empty list
+            return []
+
+    async def has_role(self, token: str, role: str) -> bool:
+        """
+        Check if user has specific role.
+        
+        Args:
+            token: JWT token
+            role: Role to check
+            
+        Returns:
+            True if user has the role, False otherwise
+        """
+        roles = await self.get_roles(token)
+        return role in roles
+
+    async def has_any_role(self, token: str, roles: List[str]) -> bool:
+        """
+        Check if user has any of the specified roles.
+        
+        Args:
+            token: JWT token
+            roles: List of roles to check
+            
+        Returns:
+            True if user has any of the roles, False otherwise
+        """
+        user_roles = await self.get_roles(token)
+        return any(role in user_roles for role in roles)
+
+    async def has_all_roles(self, token: str, roles: List[str]) -> bool:
+        """
+        Check if user has all of the specified roles.
+        
+        Args:
+            token: JWT token
+            roles: List of roles to check
+            
+        Returns:
+            True if user has all roles, False otherwise
+        """
+        user_roles = await self.get_roles(token)
+        return all(role in user_roles for role in roles)
+
+    async def refresh_roles(self, token: str) -> List[str]:
+        """
+        Force refresh roles from controller (bypass cache).
+        
+        Args:
+            token: JWT token
+            
+        Returns:
+            Fresh list of user roles
+        """
+        try:
+            # Get user info to extract userId
+            user_info = await self.http_client.authenticated_request(
+                "POST",
+                "/api/auth/validate",
+                token
+            )
+            
+            user_id = user_info.get("user", {}).get("id") if user_info else None
+            if not user_id:
+                return []
+
+            cache_key = f"roles:{user_id}"
+
+            # Fetch fresh roles from controller using refresh endpoint
+            role_result = await self.http_client.authenticated_request(
+                "GET",
+                "/api/auth/roles/refresh",
+                token
+            )
+            
+            role_data = RoleResult(**role_result)
+            roles = role_data.roles or []
+
+            # Update cache with fresh data (CacheService handles Redis + in-memory automatically)
+            await self.cache.set(
+                cache_key,
+                {"roles": roles, "timestamp": int(time.time() * 1000)},
+                self.role_ttl
+            )
+
+            return roles
+            
+        except Exception:
+            # Failed to refresh roles, return empty list
+            return []

miso_client/utils/__init__.py

@@ -0,0 +1,15 @@
+"""Utility modules for MisoClient SDK."""
+
+from .http_client import HttpClient
+from .config_loader import load_config
+from .data_masker import DataMasker
+from .jwt_tools import decode_token, extract_user_id, extract_session_id
+
+__all__ = [
+    "HttpClient",
+    "load_config",
+    "DataMasker",
+    "decode_token",
+    "extract_user_id",
+    "extract_session_id",
+]

miso_client/utils/config_loader.py

@@ -0,0 +1,87 @@
+"""
+Configuration loader utility.
+
+Automatically loads environment variables with sensible defaults.
+"""
+
+import os
+from typing import Literal, cast
+from ..models.config import MisoClientConfig, RedisConfig
+from ..errors import ConfigurationError
+
+
+def load_config() -> MisoClientConfig:
+    """
+    Load configuration from environment variables with defaults.
+    
+    Required environment variables:
+    - MISO_CONTROLLER_URL (or default to https://controller.aifabrix.ai)
+    - MISO_CLIENTID or MISO_CLIENT_ID
+    - MISO_CLIENTSECRET or MISO_CLIENT_SECRET
+    
+    Optional environment variables:
+    - MISO_LOG_LEVEL (debug, info, warn, error)
+    - REDIS_HOST (if Redis is used)
+    - REDIS_PORT (default: 6379)
+    - REDIS_PASSWORD
+    - REDIS_DB (default: 0)
+    - REDIS_KEY_PREFIX (default: miso:)
+    
+    Returns:
+        MisoClientConfig instance
+        
+    Raises:
+        ConfigurationError: If required environment variables are missing
+    """
+    # Load dotenv if available (similar to TypeScript dotenv/config)
+    try:
+        from dotenv import load_dotenv
+        load_dotenv()
+    except ImportError:
+        pass  # dotenv not installed, continue without it
+    
+    controller_url = os.environ.get("MISO_CONTROLLER_URL") or "https://controller.aifabrix.ai"
+    
+    client_id = os.environ.get("MISO_CLIENTID") or os.environ.get("MISO_CLIENT_ID") or ""
+    if not client_id:
+        raise ConfigurationError("MISO_CLIENTID environment variable is required")
+    
+    client_secret = os.environ.get("MISO_CLIENTSECRET") or os.environ.get("MISO_CLIENT_SECRET") or ""
+    if not client_secret:
+        raise ConfigurationError("MISO_CLIENTSECRET environment variable is required")
+    
+    log_level_str = os.environ.get("MISO_LOG_LEVEL", "info")
+    if log_level_str not in ["debug", "info", "warn", "error"]:
+        log_level_str = "info"
+    # Constrain to Literal for type-checker
+    log_level: Literal["debug", "info", "warn", "error"] = cast(
+        Literal["debug", "info", "warn", "error"], log_level_str
+    )
+    
+    config: MisoClientConfig = MisoClientConfig(
+        controller_url=controller_url,
+        client_id=client_id,
+        client_secret=client_secret,
+        log_level=log_level,
+    )
+    
+    # Optional Redis configuration
+    redis_host = os.environ.get("REDIS_HOST")
+    if redis_host:
+        redis_port = int(os.environ.get("REDIS_PORT", "6379"))
+        redis_password = os.environ.get("REDIS_PASSWORD")
+        redis_db = int(os.environ.get("REDIS_DB", "0")) if os.environ.get("REDIS_DB") else 0
+        redis_key_prefix = os.environ.get("REDIS_KEY_PREFIX", "miso:")
+        
+        redis_config = RedisConfig(
+            host=redis_host,
+            port=redis_port,
+            password=redis_password,
+            db=redis_db,
+            key_prefix=redis_key_prefix,
+        )
+        
+        config.redis = redis_config
+    
+    return config
+

miso_client/utils/data_masker.py

@@ -0,0 +1,156 @@
+"""
+Data masker utility for client-side sensitive data protection.
+
+Implements ISO 27001 data protection controls by masking sensitive fields
+in log entries and context data.
+"""
+
+from typing import Any, Set
+
+
+class DataMasker:
+    """Static class for masking sensitive data."""
+    
+    MASKED_VALUE = "***MASKED***"
+    
+    # Set of sensitive field names (normalized)
+    _sensitive_fields: Set[str] = {
+        "password",
+        "passwd",
+        "pwd",
+        "secret",
+        "token",
+        "key",
+        "auth",
+        "authorization",
+        "cookie",
+        "session",
+        "ssn",
+        "creditcard",
+        "cc",
+        "cvv",
+        "pin",
+        "otp",
+        "apikey",
+        "accesstoken",
+        "refreshtoken",
+        "privatekey",
+        "secretkey",
+    }
+    
+    @classmethod
+    def is_sensitive_field(cls, key: str) -> bool:
+        """
+        Check if a field name indicates sensitive data.
+        
+        Args:
+            key: Field name to check
+            
+        Returns:
+            True if field is sensitive, False otherwise
+        """
+        # Normalize key: lowercase and remove underscores/hyphens
+        normalized_key = key.lower().replace("_", "").replace("-", "")
+        
+        # Check exact match
+        if normalized_key in cls._sensitive_fields:
+            return True
+        
+        # Check if field contains sensitive keywords
+        for sensitive_field in cls._sensitive_fields:
+            if sensitive_field in normalized_key:
+                return True
+        
+        return False
+    
+    @classmethod
+    def mask_sensitive_data(cls, data: Any) -> Any:
+        """
+        Mask sensitive data in objects, arrays, or primitives.
+        
+        Returns a masked copy without modifying the original.
+        Recursively processes nested objects and arrays.
+        
+        Args:
+            data: Data to mask (dict, list, or primitive)
+            
+        Returns:
+            Masked copy of the data
+        """
+        # Handle null and undefined
+        if data is None:
+            return data
+        
+        # Handle primitives (string, number, boolean)
+        if not isinstance(data, (dict, list)):
+            return data
+        
+        # Handle arrays
+        if isinstance(data, list):
+            return [cls.mask_sensitive_data(item) for item in data]
+        
+        # Handle objects/dicts
+        masked: dict[str, Any] = {}
+        for key, value in data.items():
+            if cls.is_sensitive_field(key):
+                # Mask sensitive field
+                masked[key] = cls.MASKED_VALUE
+            elif isinstance(value, (dict, list)):
+                # Recursively mask nested objects
+                masked[key] = cls.mask_sensitive_data(value)
+            else:
+                # Keep non-sensitive value as-is
+                masked[key] = value
+        
+        return masked
+    
+    @classmethod
+    def mask_value(cls, value: str, show_first: int = 0, show_last: int = 0) -> str:
+        """
+        Mask specific value (useful for masking individual strings).
+        
+        Args:
+            value: String value to mask
+            show_first: Number of characters to show at the start
+            show_last: Number of characters to show at the end
+            
+        Returns:
+            Masked string value
+        """
+        if not value or len(value) <= show_first + show_last:
+            return cls.MASKED_VALUE
+        
+        first = value[:show_first] if show_first > 0 else ""
+        last = value[-show_last:] if show_last > 0 else ""
+        masked_length = max(8, len(value) - show_first - show_last)
+        masked = "*" * masked_length
+        
+        return f"{first}{masked}{last}"
+    
+    @classmethod
+    def contains_sensitive_data(cls, data: Any) -> bool:
+        """
+        Check if data contains sensitive information.
+        
+        Args:
+            data: Data to check
+            
+        Returns:
+            True if data contains sensitive fields, False otherwise
+        """
+        if data is None or not isinstance(data, (dict, list)):
+            return False
+        
+        if isinstance(data, list):
+            return any(cls.contains_sensitive_data(item) for item in data)
+        
+        # Check object keys
+        for key, value in data.items():
+            if cls.is_sensitive_field(key):
+                return True
+            if isinstance(value, (dict, list)):
+                if cls.contains_sensitive_data(value):
+                    return True
+        
+        return False
+