mrok 0.6.0__py3-none-any.whl → 0.8.0__py3-none-any.whl

mrok/agent/devtools/inspector/utils.py

@@ -0,0 +1,149 @@
+from collections.abc import Generator
+from dataclasses import dataclass
+from io import BytesIO
+
+from multipart import MultipartParser
+
+TEXTUAL_CONTENT_TYPES = {
+    "application/json",
+    "application/xml",
+    "application/javascript",
+    "application/x-www-form-urlencoded",
+}
+
+TEXTUAL_PREFIXES = ("text/",)
+
+CONTENT_TYPE_TO_LANGUAGE = {
+    "application/json": "json",
+    "application/ld+json": "json",
+    "application/problem+json": "json",
+    "application/schema+json": "json",
+    "application/xml": "xml",
+    "text/xml": "xml",
+    "application/xhtml+xml": "html",
+    "text/html": "html",
+    "text/css": "css",
+    "application/javascript": "javascript",
+    "application/x-javascript": "javascript",
+    "text/javascript": "javascript",
+    "application/ecmascript": "javascript",
+    "text/markdown": "markdown",
+    "text/x-markdown": "markdown",
+    "application/yaml": "yaml",
+    "application/x-yaml": "yaml",
+    "text/yaml": "yaml",
+    "application/toml": "toml",
+    "application/x-toml": "toml",
+    "application/sql": "sql",
+    "text/x-sql": "sql",
+    "application/java": "java",
+    "text/x-java-source": "java",
+    "application/python": "python",
+    "text/x-python": "python",
+    "application/x-python-code": "python",
+    "application/rust": "rust",
+    "text/x-rust": "rust",
+    "application/go": "go",
+    "text/x-go": "go",
+    "application/bash": "bash",
+    "application/x-sh": "bash",
+    "text/x-shellscript": "bash",
+    "application/regex": "regex",
+    "text/x-regex": "regex",
+}
+
+
+@dataclass
+class ContentTypeInfo:
+    content_type: str
+    binary: bool
+    charset: str | None = None
+    boundary: str | None = None
+
+
+def parse_content_type(content_type_header: str) -> ContentTypeInfo:
+    parts = content_type_header.split(";")
+    content_type = parts[0].strip().lower()
+
+    charset = None
+    boundary = None
+
+    for part in parts[1:]:
+        part = part.strip()
+        if "=" in part:
+            key, value = part.split("=", 1)
+            key = key.strip().lower()
+            value = value.strip().strip('"')
+            if key == "charset":
+                charset = value
+            elif key == "boundary":
+                boundary = value
+
+    binary = not is_textual(content_type)
+
+    if charset is None and not binary:
+        charset = "utf-8"
+
+    return ContentTypeInfo(
+        content_type=content_type, binary=binary, charset=charset, boundary=boundary
+    )
+
+
+def parse_form_data(data: bytes, boundary: str) -> Generator[tuple[str, str]]:
+    parser = MultipartParser(BytesIO(data), boundary)
+    for part in parser:
+        if is_textual(part.content_type):
+            yield part.name, part.value
+            continue
+        yield part.name, "<binary>"
+
+
+def is_textual(content_type: str) -> bool:
+    ct = content_type.lower()
+    if ct in TEXTUAL_CONTENT_TYPES:
+        return True
+    if any(ct.startswith(p) for p in TEXTUAL_PREFIXES):
+        return True
+    return False
+
+
+def build_tree(node, data):
+    if isinstance(data, dict):
+        for key, value in data.items():
+            child = node.add(str(key))
+            build_tree(child, value)
+    elif isinstance(data, list):
+        for index, value in enumerate(data):
+            child = node.add(f"[{index}]")
+            build_tree(child, value)
+    else:
+        node.add(repr(data))
+
+
+def hexdump(data, width=16):
+    lines = []
+    for i in range(0, len(data), width):
+        chunk = data[i : i + width]
+        hex_part = " ".join(f"{b:02x}" for b in chunk)
+        ascii_part = "".join(chr(b) if 32 <= b <= 126 else "." for b in chunk)
+        lines.append(f"{hex_part:<{width * 3}} {ascii_part}")
+    return "\n".join(lines)
+
+
+def humanize_bytes(num_bytes: int) -> tuple[float, str]:  # type: ignore[return-value]
+    if num_bytes < 0:
+        raise ValueError("num_bytes must be non-negative")
+
+    units = ["B", "KiB", "MiB", "GiB", "TiB", "PiB"]
+    value = float(num_bytes)
+
+    for unit in units:
+        if value < 1024 or unit == units[-1]:
+            return round(value, 2), unit
+        value /= 1024
+
+
+def get_highlighter_language_by_content_type(content_type: str) -> str | None:
+    if content_type in CONTENT_TYPE_TO_LANGUAGE:
+        return CONTENT_TYPE_TO_LANGUAGE[content_type]
+    return None

mrok/cli/commands/admin/bootstrap.py

@@ -22,8 +22,8 @@ async def bootstrap(
         return await bootstrap_identity(
             mgmt_api,
             client_api,
-            settings.proxy.identity,
-            settings.proxy.mode,
+            settings.frontend.identity,
+            settings.frontend.mode,
             forced,
             tags,
         )

mrok/cli/commands/admin/register/extensions.py

@@ -5,8 +5,8 @@ import typer
 from rich import print
 
 from mrok.cli.commands.admin.utils import parse_tags
-from mrok.conf import Settings
-from mrok.constants import RE_EXTENSION_ID
+from mrok.cli.utils import validate_extension_id
+from mrok.conf import Settings, get_settings
 from mrok.ziti.api import ZitiManagementAPI
 from mrok.ziti.services import register_service
 
@@ -16,18 +16,16 @@ async def do_register(settings: Settings, extension_id: str, tags: list[str] | N
         await register_service(settings, api, extension_id, tags=parse_tags(tags))
 
 
-def validate_extension_id(extension_id: str) -> str:
-    if not RE_EXTENSION_ID.fullmatch(extension_id):
-        raise typer.BadParameter("it must match EXT-xxxx-yyyy (case-insensitive)")
-    return extension_id
-
-
 def register(app: typer.Typer) -> None:
+    settings = get_settings()
+
     @app.command("extension")
     def register_extension(
         ctx: typer.Context,
         extension_id: str = typer.Argument(
-            ..., callback=validate_extension_id, help="Extension ID in format EXT-xxxx-yyyy"
+            ...,
+            callback=validate_extension_id,
+            help=f"Extension ID in the format {settings.identifiers.extension.format}",
         ),
         tags: Annotated[
             list[str] | None,

mrok/cli/commands/admin/register/instances.py

@@ -6,8 +6,11 @@ from typing import Annotated
 import typer
 
 from mrok.cli.commands.admin.utils import parse_tags
-from mrok.conf import Settings
-from mrok.constants import RE_EXTENSION_ID, RE_INSTANCE_ID
+from mrok.cli.utils import (
+    validate_extension_id,
+    validate_instance_id,
+)
+from mrok.conf import Settings, get_settings
 from mrok.ziti.api import ZitiClientAPI, ZitiManagementAPI
 from mrok.ziti.identities import register_identity
 
@@ -21,27 +24,21 @@ async def do_register(
         )
 
 
-def validate_extension_id(extension_id: str):
-    if not RE_EXTENSION_ID.fullmatch(extension_id):
-        raise typer.BadParameter("it must match EXT-xxxx-yyyy (case-insensitive)")
-    return extension_id
-
-
-def validate_instance_id(instance_id: str):
-    if not RE_INSTANCE_ID.fullmatch(instance_id):
-        raise typer.BadParameter("it must match INS-xxxx-yyyy-zzzz (case-insensitive)")
-    return instance_id
-
-
 def register(app: typer.Typer) -> None:
+    settings = get_settings()
+
     @app.command("instance")
     def register_instance(
         ctx: typer.Context,
         extension_id: str = typer.Argument(
-            ..., callback=validate_extension_id, help="Extension ID in format EXT-xxxx-yyyy"
+            ...,
+            callback=validate_extension_id,
+            help=f"Extension ID in the format {settings.identifiers.extension.format}",
         ),
         instance_id: str = typer.Argument(
-            ..., callback=validate_instance_id, help="Instance ID in format INS-xxxx-yyyy-zzzz"
+            ...,
+            callback=validate_instance_id,
+            help=f"Instance ID in the format {settings.identifiers.instance.format}",
         ),
         output: Path = typer.Argument(
             ...,

mrok/cli/commands/admin/unregister/extensions.py

@@ -1,32 +1,28 @@
 import asyncio
-import re
 
 import typer
 
-from mrok.conf import Settings
+from mrok.cli.utils import validate_extension_id
+from mrok.conf import Settings, get_settings
 from mrok.ziti.api import ZitiManagementAPI
 from mrok.ziti.services import unregister_service
 
-RE_EXTENSION_ID = re.compile(r"(?i)EXT-\d{4}-\d{4}")
-
 
 async def do_unregister(settings: Settings, extension_id: str):
     async with ZitiManagementAPI(settings) as api:
         await unregister_service(settings, api, extension_id)
 
 
-def validate_extension_id(extension_id: str):
-    if not RE_EXTENSION_ID.fullmatch(extension_id):
-        raise typer.BadParameter("ext_id must match EXT-xxxx-yyyy (case-insensitive)")
-    return extension_id
-
-
 def register(app: typer.Typer) -> None:
+    settings = get_settings()
+
     @app.command("extension")
     def unregister_extension(
         ctx: typer.Context,
         extension_id: str = typer.Argument(
-            ..., callback=validate_extension_id, help="Extension ID in format EXT-xxxx-yyyy"
+            ...,
+            callback=validate_extension_id,
+            help=f"Extension ID in the format {settings.identifiers.extension.format}",
         ),
     ):
         """Unregister a new Extension in OpenZiti (service)."""

mrok/cli/commands/admin/unregister/instances.py

@@ -1,34 +1,34 @@
 import asyncio
-import re
 
 import typer
 
-from mrok.conf import Settings
+from mrok.cli.utils import validate_extension_id, validate_instance_id
+from mrok.conf import Settings, get_settings
 from mrok.ziti.api import ZitiManagementAPI
 from mrok.ziti.identities import unregister_identity
 
-RE_EXTENSION_ID = re.compile(r"(?i)EXT-\d{4}-\d{4}")
-
 
 async def do_unregister(settings: Settings, extension_id: str, instance_id: str):
     async with ZitiManagementAPI(settings) as api:
         await unregister_identity(settings, api, extension_id, instance_id)
 
 
-def validate_extension_id(extension_id: str):
-    if not RE_EXTENSION_ID.fullmatch(extension_id):
-        raise typer.BadParameter("ext_id must match EXT-xxxx-yyyy (case-insensitive)")
-    return extension_id
-
-
 def register(app: typer.Typer) -> None:
+    settings = get_settings()
+
     @app.command("instance")
     def unregister_instance(
         ctx: typer.Context,
         extension_id: str = typer.Argument(
-            ..., callback=validate_extension_id, help="Extension ID in format EXT-xxxx-yyyy"
+            ...,
+            callback=validate_extension_id,
+            help=f"Extension ID in the format {settings.identifiers.extension.format}",
+        ),
+        instance_id: str = typer.Argument(
+            ...,
+            callback=validate_instance_id,
+            help=f"Instance ID in the format {settings.identifiers.instance.format}",
         ),
-        instance_id: str = typer.Argument(..., help="Instance ID"),
     ):
         """Register a new Extension Instance in OpenZiti (identity)."""
         asyncio.run(do_unregister(ctx.obj, extension_id, instance_id))

mrok/cli/commands/agent/run/asgi.py

@@ -12,8 +12,8 @@ default_workers = number_of_workers()
 def register(app: typer.Typer) -> None:
     @app.command("asgi")
     def run_asgi(
-        app: Annotated[str, typer.Argument(..., help="ASGI application")],
         identity_file: Annotated[Path, typer.Argument(..., help="Identity json file")],
+        app: Annotated[str, typer.Argument(..., help="ASGI application")],
         workers: Annotated[
             int,
             typer.Option(

mrok/cli/commands/frontend/run.py

@@ -30,7 +30,7 @@ def register(app: typer.Typer) -> None:
             int,
             typer.Option(
                 "--port",
-                "-P",
+                "-p",
                 help="Port to bind to. Default: 8000",
                 show_default=True,
             ),

mrok/cli/main.py

@@ -1,5 +1,6 @@
 import inspect
 import sys
+from typing import Annotated
 
 import typer
 from pyfiglet import Figlet
@@ -79,11 +80,23 @@ for name, module in inspect.getmembers(commands):
     elif hasattr(module, "app"):  # pragma: no branch
         app.add_typer(module.app, name=name.replace("_", "-"))
 
+_debug_mode = False
+
 
 @app.callback()
 def main(
     ctx: typer.Context,
+    debug: Annotated[
+        bool,
+        typer.Option(
+            "--debug",
+            help="Run the CLI in debug mode",
+            show_default=True,
+        ),
+    ] = False,
 ):
+    global _debug_mode
+    _debug_mode = debug
     settings = get_settings()
     setup_logging(settings, cli_mode=True)
     ctx.obj = settings
@@ -93,5 +106,8 @@ def run():
     try:
         app()
     except Exception as e:
-        err_console.print(f"[bold red]Error:[/bold red] {e}")
+        if _debug_mode:
+            raise
+        message = str(e) or "Unexpected error. Debug it with --debug"
+        err_console.print(f"[bold red]Error:[/bold red] {message}")
         sys.exit(-1)

mrok/cli/utils.py

@@ -1,5 +1,31 @@
 import multiprocessing
+import re
+
+import typer
+
+from mrok.conf import get_settings
 
 
 def number_of_workers() -> int:
     return (multiprocessing.cpu_count() * 2) + 1
+
+
+def validate_identifier(regex_exp: str, format: str, identifier: str) -> str:
+    match = re.fullmatch(regex_exp, identifier)
+    if not match:
+        raise typer.BadParameter(f"it must match {format}")
+    return identifier
+
+
+def validate_extension_id(extension_id: str) -> str:
+    settings = get_settings()
+    return validate_identifier(
+        settings.identifiers.extension.regex, settings.identifiers.extension.format, extension_id
+    )
+
+
+def validate_instance_id(instance_id: str) -> str:
+    settings = get_settings()
+    return validate_identifier(
+        settings.identifiers.instance.regex, settings.identifiers.instance.format, instance_id
+    )

mrok/conf.py

@@ -7,19 +7,27 @@ DEFAULT_SETTINGS = {
         "debug": False,
         "rich": False,
     },
-    "PROXY": {
+    "FRONTEND": {
         "identity": "public",
         "mode": "zrok",
     },
     "ZITI": {
         "ssl_verify": False,
     },
-    "PAGINATION": {"limit": 50},
-    "SIDECAR": {
-        "textual_port": 4040,
-        "store_port": 5051,
-        "store_size": 1000,
-        "textual_command": "python mrok/agent/sidecar/inspector.py",
+    "CONTROLLER": {
+        "pagination": {"limit": 50},
+    },
+    "IDENTIFIERS": {
+        "extension": {
+            "regex": "(?i)EXT-\\d{4}-\\d{4}",
+            "format": "EXT-xxxx-yyyy",
+            "example": "EXT-2000-1000",
+        },
+        "instance": {
+            "regex": "(?i)INS-\\d{4}-\\d{4}-\\d{4}",
+            "format": "INS-xxxx-yyyy-zzzz",
+            "example": "INS-2004-2000-3000",
+        },
     },
 }
 

mrok/constants.py

@@ -2,3 +2,24 @@ import re
 
 RE_EXTENSION_ID = re.compile(r"(?i)EXT-\d{4}-\d{4}")
 RE_INSTANCE_ID = re.compile(r"(?i)INS-\d{4}-\d{4}-\d{4}")
+
+
+BINARY_CONTENT_TYPES = {
+    "application/octet-stream",
+    "application/pdf",
+}
+
+BINARY_PREFIXES = (
+    "image/",
+    "video/",
+    "audio/",
+)
+
+TEXTUAL_CONTENT_TYPES = {
+    "application/json",
+    "application/xml",
+    "application/javascript",
+    "application/x-www-form-urlencoded",
+}
+
+TEXTUAL_PREFIXES = ("text/",)

mrok/controller/app.py

@@ -5,8 +5,8 @@ import fastapi_pagination
 from fastapi import Depends, FastAPI
 from fastapi.routing import APIRoute, APIRouter
 
-from mrok.conf import get_settings
-from mrok.controller.auth import authenticate
+from mrok.conf import Settings, get_settings
+from mrok.controller.auth import HTTPAuthManager
 from mrok.controller.openapi import generate_openapi_spec
 from mrok.controller.routes.extensions import router as extensions_router
 from mrok.controller.routes.instances import router as instances_router
@@ -36,7 +36,8 @@ def setup_custom_serialization(router: APIRouter):
             api_route.response_model_exclude_none = True
 
 
-def setup_app():
+def setup_app(settings: Settings):
+    auth_manager = HTTPAuthManager(settings.controller.auth)
     app = FastAPI(
         title="mrok Controller API",
         description="API to orchestrate OpenZiti for Extensions.",
@@ -49,22 +50,23 @@ def setup_app():
 
     setup_custom_serialization(extensions_router)
 
-    # TODO: Add healthcheck
+    @app.get("/healthcheck")
+    async def healthcheck():
+        return {"status": "healthy"}
+
     app.include_router(
         extensions_router,
         prefix="/extensions",
-        dependencies=[Depends(authenticate)],
+        dependencies=[Depends(auth_manager)],
     )
     app.include_router(
         instances_router,
         prefix="/instances",
-        dependencies=[Depends(authenticate)],
+        dependencies=[Depends(auth_manager)],
     )
 
-    settings = get_settings()
-
-    app.openapi = partial(generate_openapi_spec, app, settings)
+    app.openapi = partial(generate_openapi_spec, app, settings)  # type: ignore[method-assign]
     return app
 
 
-app = setup_app()
+app = setup_app(get_settings())

mrok/controller/auth/__init__.py

@@ -0,0 +1,11 @@
+from mrok.controller.auth.backends import OIDCJWTAuthenticationBackend  # noqa: F401
+from mrok.controller.auth.base import AuthIdentity, BaseHTTPAuthBackend
+from mrok.controller.auth.manager import HTTPAuthManager
+from mrok.controller.auth.registry import register_authentication_backend
+
+__all__ = [
+    "AuthIdentity",
+    "BaseHTTPAuthBackend",
+    "HTTPAuthManager",
+    "register_authentication_backend",
+]

mrok/controller/auth/backends.py

@@ -0,0 +1,60 @@
+import logging
+
+import httpx
+import jwt
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+from fastapi.security.http import HTTPBase
+
+from mrok.controller.auth.base import UNAUTHORIZED_EXCEPTION, AuthIdentity, BaseHTTPAuthBackend
+from mrok.controller.auth.registry import register_authentication_backend
+
+logger = logging.getLogger("mrok.controller")
+
+
+@register_authentication_backend("oidc")
+class OIDCJWTAuthenticationBackend(BaseHTTPAuthBackend):
+    def init_scheme(self) -> HTTPBase:
+        return HTTPBearer(auto_error=False)
+
+    async def authenticate(self, credentials: HTTPAuthorizationCredentials) -> AuthIdentity | None:
+        async with httpx.AsyncClient() as client:
+            try:
+                config_resp = await client.get(self.config.config_url)
+                config_resp.raise_for_status()
+                config = config_resp.json()
+                issuer = config["issuer"]
+                jwks_uri = config["jwks_uri"]
+
+                jwks_resp = await client.get(jwks_uri)
+                jwks_resp.raise_for_status()
+                jwks = jwks_resp.json()
+
+                header = jwt.get_unverified_header(credentials.credentials)
+                kid = header["kid"]
+
+                key_data = next((k for k in jwks["keys"] if k["kid"] == kid), None)
+            except Exception:
+                logger.exception("Error fetching openid-config/jwks")
+                raise UNAUTHORIZED_EXCEPTION
+        if key_data is None:
+            logger.error("Key ID not found in JWKS")
+            raise UNAUTHORIZED_EXCEPTION
+
+        try:
+            payload = jwt.decode(
+                credentials.credentials,
+                jwt.PyJWK(key_data),
+                algorithms=[header["alg"]],
+                issuer=issuer,
+                audience=self.config.audience,
+            )
+            return AuthIdentity(
+                subject=payload["sub"],
+                metadata=payload,
+            )
+        except jwt.InvalidKeyError as e:
+            logger.error(f"Invalid jwt token: {e} ({credentials.credentials})")
+            raise UNAUTHORIZED_EXCEPTION
+        except jwt.InvalidTokenError as e:
+            logger.error(f"Invalid jwt token: {e} ({credentials.credentials})")
+            raise UNAUTHORIZED_EXCEPTION

mrok/controller/auth/base.py

@@ -0,0 +1,38 @@
+from abc import ABC, abstractmethod
+from typing import Any
+
+from dynaconf.utils.boxing import DynaBox
+from fastapi import HTTPException, Request, status
+from fastapi.security import HTTPAuthorizationCredentials
+from fastapi.security.http import HTTPBase
+from pydantic import BaseModel
+
+UNAUTHORIZED_EXCEPTION = HTTPException(
+    status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized."
+)
+
+
+class AuthIdentity(BaseModel):
+    subject: str
+    scopes: list[str] = []
+    metadata: dict[str, Any] = {}
+
+
+class BaseHTTPAuthBackend(ABC):
+    def __init__(self, config: DynaBox):
+        self.config = config
+        self.scheme = self.init_scheme()
+
+    @abstractmethod
+    def init_scheme(self) -> HTTPBase:
+        raise NotImplementedError()
+
+    @abstractmethod
+    async def authenticate(self, credentials: HTTPAuthorizationCredentials) -> AuthIdentity | None:
+        raise NotImplementedError()
+
+    async def __call__(self, request: Request) -> AuthIdentity | None:
+        credentials = await self.scheme(request)
+        if not credentials:
+            return None
+        return await self.authenticate(credentials)