mrok 0.7.0__py3-none-any.whl → 0.8.0__py3-none-any.whl

mrok/agent/devtools/inspector/__main__.py

@@ -1,3 +1,5 @@
+import sys
+
 from mrok.agent.devtools.inspector.app import module_main
 
-module_main()
+module_main(sys.argv[1:])

mrok/cli/commands/admin/bootstrap.py

@@ -22,8 +22,8 @@ async def bootstrap(
         return await bootstrap_identity(
             mgmt_api,
             client_api,
-            settings.proxy.identity,
-            settings.proxy.mode,
+            settings.frontend.identity,
+            settings.frontend.mode,
             forced,
             tags,
         )

mrok/cli/commands/admin/register/extensions.py

@@ -5,8 +5,8 @@ import typer
 from rich import print
 
 from mrok.cli.commands.admin.utils import parse_tags
-from mrok.conf import Settings
-from mrok.constants import RE_EXTENSION_ID
+from mrok.cli.utils import validate_extension_id
+from mrok.conf import Settings, get_settings
 from mrok.ziti.api import ZitiManagementAPI
 from mrok.ziti.services import register_service
 
@@ -16,18 +16,16 @@ async def do_register(settings: Settings, extension_id: str, tags: list[str] | N
         await register_service(settings, api, extension_id, tags=parse_tags(tags))
 
 
-def validate_extension_id(extension_id: str) -> str:
-    if not RE_EXTENSION_ID.fullmatch(extension_id):
-        raise typer.BadParameter("it must match EXT-xxxx-yyyy (case-insensitive)")
-    return extension_id
-
-
 def register(app: typer.Typer) -> None:
+    settings = get_settings()
+
     @app.command("extension")
     def register_extension(
         ctx: typer.Context,
         extension_id: str = typer.Argument(
-            ..., callback=validate_extension_id, help="Extension ID in format EXT-xxxx-yyyy"
+            ...,
+            callback=validate_extension_id,
+            help=f"Extension ID in the format {settings.identifiers.extension.format}",
         ),
         tags: Annotated[
             list[str] | None,

mrok/cli/commands/admin/register/instances.py

@@ -6,8 +6,11 @@ from typing import Annotated
 import typer
 
 from mrok.cli.commands.admin.utils import parse_tags
-from mrok.conf import Settings
-from mrok.constants import RE_EXTENSION_ID, RE_INSTANCE_ID
+from mrok.cli.utils import (
+    validate_extension_id,
+    validate_instance_id,
+)
+from mrok.conf import Settings, get_settings
 from mrok.ziti.api import ZitiClientAPI, ZitiManagementAPI
 from mrok.ziti.identities import register_identity
 
@@ -21,27 +24,21 @@ async def do_register(
         )
 
 
-def validate_extension_id(extension_id: str):
-    if not RE_EXTENSION_ID.fullmatch(extension_id):
-        raise typer.BadParameter("it must match EXT-xxxx-yyyy (case-insensitive)")
-    return extension_id
-
-
-def validate_instance_id(instance_id: str):
-    if not RE_INSTANCE_ID.fullmatch(instance_id):
-        raise typer.BadParameter("it must match INS-xxxx-yyyy-zzzz (case-insensitive)")
-    return instance_id
-
-
 def register(app: typer.Typer) -> None:
+    settings = get_settings()
+
     @app.command("instance")
     def register_instance(
         ctx: typer.Context,
         extension_id: str = typer.Argument(
-            ..., callback=validate_extension_id, help="Extension ID in format EXT-xxxx-yyyy"
+            ...,
+            callback=validate_extension_id,
+            help=f"Extension ID in the format {settings.identifiers.extension.format}",
         ),
         instance_id: str = typer.Argument(
-            ..., callback=validate_instance_id, help="Instance ID in format INS-xxxx-yyyy-zzzz"
+            ...,
+            callback=validate_instance_id,
+            help=f"Instance ID in the format {settings.identifiers.instance.format}",
         ),
         output: Path = typer.Argument(
             ...,

mrok/cli/commands/admin/unregister/extensions.py

@@ -1,32 +1,28 @@
 import asyncio
-import re
 
 import typer
 
-from mrok.conf import Settings
+from mrok.cli.utils import validate_extension_id
+from mrok.conf import Settings, get_settings
 from mrok.ziti.api import ZitiManagementAPI
 from mrok.ziti.services import unregister_service
 
-RE_EXTENSION_ID = re.compile(r"(?i)EXT-\d{4}-\d{4}")
-
 
 async def do_unregister(settings: Settings, extension_id: str):
     async with ZitiManagementAPI(settings) as api:
         await unregister_service(settings, api, extension_id)
 
 
-def validate_extension_id(extension_id: str):
-    if not RE_EXTENSION_ID.fullmatch(extension_id):
-        raise typer.BadParameter("ext_id must match EXT-xxxx-yyyy (case-insensitive)")
-    return extension_id
-
-
 def register(app: typer.Typer) -> None:
+    settings = get_settings()
+
     @app.command("extension")
     def unregister_extension(
         ctx: typer.Context,
         extension_id: str = typer.Argument(
-            ..., callback=validate_extension_id, help="Extension ID in format EXT-xxxx-yyyy"
+            ...,
+            callback=validate_extension_id,
+            help=f"Extension ID in the format {settings.identifiers.extension.format}",
         ),
     ):
         """Unregister a new Extension in OpenZiti (service)."""

mrok/cli/commands/admin/unregister/instances.py

@@ -1,34 +1,34 @@
 import asyncio
-import re
 
 import typer
 
-from mrok.conf import Settings
+from mrok.cli.utils import validate_extension_id, validate_instance_id
+from mrok.conf import Settings, get_settings
 from mrok.ziti.api import ZitiManagementAPI
 from mrok.ziti.identities import unregister_identity
 
-RE_EXTENSION_ID = re.compile(r"(?i)EXT-\d{4}-\d{4}")
-
 
 async def do_unregister(settings: Settings, extension_id: str, instance_id: str):
     async with ZitiManagementAPI(settings) as api:
         await unregister_identity(settings, api, extension_id, instance_id)
 
 
-def validate_extension_id(extension_id: str):
-    if not RE_EXTENSION_ID.fullmatch(extension_id):
-        raise typer.BadParameter("ext_id must match EXT-xxxx-yyyy (case-insensitive)")
-    return extension_id
-
-
 def register(app: typer.Typer) -> None:
+    settings = get_settings()
+
     @app.command("instance")
     def unregister_instance(
         ctx: typer.Context,
         extension_id: str = typer.Argument(
-            ..., callback=validate_extension_id, help="Extension ID in format EXT-xxxx-yyyy"
+            ...,
+            callback=validate_extension_id,
+            help=f"Extension ID in the format {settings.identifiers.extension.format}",
+        ),
+        instance_id: str = typer.Argument(
+            ...,
+            callback=validate_instance_id,
+            help=f"Instance ID in the format {settings.identifiers.instance.format}",
         ),
-        instance_id: str = typer.Argument(..., help="Instance ID"),
     ):
         """Register a new Extension Instance in OpenZiti (identity)."""
         asyncio.run(do_unregister(ctx.obj, extension_id, instance_id))

mrok/cli/commands/agent/run/asgi.py

@@ -12,8 +12,8 @@ default_workers = number_of_workers()
 def register(app: typer.Typer) -> None:
     @app.command("asgi")
     def run_asgi(
-        app: Annotated[str, typer.Argument(..., help="ASGI application")],
         identity_file: Annotated[Path, typer.Argument(..., help="Identity json file")],
+        app: Annotated[str, typer.Argument(..., help="ASGI application")],
         workers: Annotated[
             int,
             typer.Option(

mrok/cli/commands/frontend/run.py

@@ -30,7 +30,7 @@ def register(app: typer.Typer) -> None:
             int,
             typer.Option(
                 "--port",
-                "-P",
+                "-p",
                 help="Port to bind to. Default: 8000",
                 show_default=True,
             ),

mrok/cli/utils.py

@@ -1,5 +1,31 @@
 import multiprocessing
+import re
+
+import typer
+
+from mrok.conf import get_settings
 
 
 def number_of_workers() -> int:
     return (multiprocessing.cpu_count() * 2) + 1
+
+
+def validate_identifier(regex_exp: str, format: str, identifier: str) -> str:
+    match = re.fullmatch(regex_exp, identifier)
+    if not match:
+        raise typer.BadParameter(f"it must match {format}")
+    return identifier
+
+
+def validate_extension_id(extension_id: str) -> str:
+    settings = get_settings()
+    return validate_identifier(
+        settings.identifiers.extension.regex, settings.identifiers.extension.format, extension_id
+    )
+
+
+def validate_instance_id(instance_id: str) -> str:
+    settings = get_settings()
+    return validate_identifier(
+        settings.identifiers.instance.regex, settings.identifiers.instance.format, instance_id
+    )

mrok/conf.py

@@ -7,19 +7,27 @@ DEFAULT_SETTINGS = {
         "debug": False,
         "rich": False,
     },
-    "PROXY": {
+    "FRONTEND": {
         "identity": "public",
         "mode": "zrok",
     },
     "ZITI": {
         "ssl_verify": False,
     },
-    "PAGINATION": {"limit": 50},
-    "SIDECAR": {
-        "textual_port": 4040,
-        "store_port": 5051,
-        "store_size": 1000,
-        "textual_command": "python mrok/agent/sidecar/inspector.py",
+    "CONTROLLER": {
+        "pagination": {"limit": 50},
+    },
+    "IDENTIFIERS": {
+        "extension": {
+            "regex": "(?i)EXT-\\d{4}-\\d{4}",
+            "format": "EXT-xxxx-yyyy",
+            "example": "EXT-2000-1000",
+        },
+        "instance": {
+            "regex": "(?i)INS-\\d{4}-\\d{4}-\\d{4}",
+            "format": "INS-xxxx-yyyy-zzzz",
+            "example": "INS-2004-2000-3000",
+        },
     },
 }
 

mrok/controller/app.py

@@ -5,8 +5,8 @@ import fastapi_pagination
 from fastapi import Depends, FastAPI
 from fastapi.routing import APIRoute, APIRouter
 
-from mrok.conf import get_settings
-from mrok.controller.auth import authenticate
+from mrok.conf import Settings, get_settings
+from mrok.controller.auth import HTTPAuthManager
 from mrok.controller.openapi import generate_openapi_spec
 from mrok.controller.routes.extensions import router as extensions_router
 from mrok.controller.routes.instances import router as instances_router
@@ -36,7 +36,8 @@ def setup_custom_serialization(router: APIRouter):
             api_route.response_model_exclude_none = True
 
 
-def setup_app():
+def setup_app(settings: Settings):
+    auth_manager = HTTPAuthManager(settings.controller.auth)
     app = FastAPI(
         title="mrok Controller API",
         description="API to orchestrate OpenZiti for Extensions.",
@@ -49,22 +50,23 @@ def setup_app():
 
     setup_custom_serialization(extensions_router)
 
-    # TODO: Add healthcheck
+    @app.get("/healthcheck")
+    async def healthcheck():
+        return {"status": "healthy"}
+
     app.include_router(
         extensions_router,
         prefix="/extensions",
-        dependencies=[Depends(authenticate)],
+        dependencies=[Depends(auth_manager)],
     )
     app.include_router(
         instances_router,
         prefix="/instances",
-        dependencies=[Depends(authenticate)],
+        dependencies=[Depends(auth_manager)],
     )
 
-    settings = get_settings()
-
-    app.openapi = partial(generate_openapi_spec, app, settings)
+    app.openapi = partial(generate_openapi_spec, app, settings)  # type: ignore[method-assign]
     return app
 
 
-app = setup_app()
+app = setup_app(get_settings())

mrok/controller/auth/__init__.py

@@ -0,0 +1,11 @@
+from mrok.controller.auth.backends import OIDCJWTAuthenticationBackend  # noqa: F401
+from mrok.controller.auth.base import AuthIdentity, BaseHTTPAuthBackend
+from mrok.controller.auth.manager import HTTPAuthManager
+from mrok.controller.auth.registry import register_authentication_backend
+
+__all__ = [
+    "AuthIdentity",
+    "BaseHTTPAuthBackend",
+    "HTTPAuthManager",
+    "register_authentication_backend",
+]

mrok/controller/auth/backends.py

@@ -0,0 +1,60 @@
+import logging
+
+import httpx
+import jwt
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+from fastapi.security.http import HTTPBase
+
+from mrok.controller.auth.base import UNAUTHORIZED_EXCEPTION, AuthIdentity, BaseHTTPAuthBackend
+from mrok.controller.auth.registry import register_authentication_backend
+
+logger = logging.getLogger("mrok.controller")
+
+
+@register_authentication_backend("oidc")
+class OIDCJWTAuthenticationBackend(BaseHTTPAuthBackend):
+    def init_scheme(self) -> HTTPBase:
+        return HTTPBearer(auto_error=False)
+
+    async def authenticate(self, credentials: HTTPAuthorizationCredentials) -> AuthIdentity | None:
+        async with httpx.AsyncClient() as client:
+            try:
+                config_resp = await client.get(self.config.config_url)
+                config_resp.raise_for_status()
+                config = config_resp.json()
+                issuer = config["issuer"]
+                jwks_uri = config["jwks_uri"]
+
+                jwks_resp = await client.get(jwks_uri)
+                jwks_resp.raise_for_status()
+                jwks = jwks_resp.json()
+
+                header = jwt.get_unverified_header(credentials.credentials)
+                kid = header["kid"]
+
+                key_data = next((k for k in jwks["keys"] if k["kid"] == kid), None)
+            except Exception:
+                logger.exception("Error fetching openid-config/jwks")
+                raise UNAUTHORIZED_EXCEPTION
+        if key_data is None:
+            logger.error("Key ID not found in JWKS")
+            raise UNAUTHORIZED_EXCEPTION
+
+        try:
+            payload = jwt.decode(
+                credentials.credentials,
+                jwt.PyJWK(key_data),
+                algorithms=[header["alg"]],
+                issuer=issuer,
+                audience=self.config.audience,
+            )
+            return AuthIdentity(
+                subject=payload["sub"],
+                metadata=payload,
+            )
+        except jwt.InvalidKeyError as e:
+            logger.error(f"Invalid jwt token: {e} ({credentials.credentials})")
+            raise UNAUTHORIZED_EXCEPTION
+        except jwt.InvalidTokenError as e:
+            logger.error(f"Invalid jwt token: {e} ({credentials.credentials})")
+            raise UNAUTHORIZED_EXCEPTION

mrok/controller/auth/base.py

@@ -0,0 +1,38 @@
+from abc import ABC, abstractmethod
+from typing import Any
+
+from dynaconf.utils.boxing import DynaBox
+from fastapi import HTTPException, Request, status
+from fastapi.security import HTTPAuthorizationCredentials
+from fastapi.security.http import HTTPBase
+from pydantic import BaseModel
+
+UNAUTHORIZED_EXCEPTION = HTTPException(
+    status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized."
+)
+
+
+class AuthIdentity(BaseModel):
+    subject: str
+    scopes: list[str] = []
+    metadata: dict[str, Any] = {}
+
+
+class BaseHTTPAuthBackend(ABC):
+    def __init__(self, config: DynaBox):
+        self.config = config
+        self.scheme = self.init_scheme()
+
+    @abstractmethod
+    def init_scheme(self) -> HTTPBase:
+        raise NotImplementedError()
+
+    @abstractmethod
+    async def authenticate(self, credentials: HTTPAuthorizationCredentials) -> AuthIdentity | None:
+        raise NotImplementedError()
+
+    async def __call__(self, request: Request) -> AuthIdentity | None:
+        credentials = await self.scheme(request)
+        if not credentials:
+            return None
+        return await self.authenticate(credentials)

mrok/controller/auth/manager.py

@@ -0,0 +1,31 @@
+from dynaconf.utils.boxing import DynaBox
+from fastapi import Request
+
+from mrok.controller.auth.base import UNAUTHORIZED_EXCEPTION, AuthIdentity, BaseHTTPAuthBackend
+from mrok.controller.auth.registry import get_authentication_backend
+
+
+class HTTPAuthManager:
+    def __init__(self, auth_settings: DynaBox):
+        self.auth_settings = auth_settings
+        self.active_backends: list[BaseHTTPAuthBackend] = []
+        self._setup_backends()
+
+    def _setup_backends(self):
+        enabled_keys = self.auth_settings.get("backends", [])
+
+        for key in enabled_keys:
+            backend_cls = get_authentication_backend(key)
+            if not backend_cls:
+                raise ValueError(f"Backend '{key}' is not registered.")
+
+            specific_config = self.auth_settings.get(key, {})
+            self.active_backends.append(backend_cls(specific_config))
+
+    async def __call__(self, request: Request) -> AuthIdentity:
+        for backend in self.active_backends:
+            identity = await backend(request)
+            if identity:
+                return identity
+
+        raise UNAUTHORIZED_EXCEPTION

mrok/controller/auth/registry.py

@@ -0,0 +1,17 @@
+from mrok.controller.auth.base import BaseHTTPAuthBackend
+
+BACKEND_REGISTRY: dict[str, type[BaseHTTPAuthBackend]] = {}
+
+
+def register_authentication_backend(name: str):
+    """Decorator to register a backend class with a unique key."""
+
+    def decorator(cls: type[BaseHTTPAuthBackend]):
+        BACKEND_REGISTRY[name] = cls
+        return cls
+
+    return decorator
+
+
+def get_authentication_backend(name: str) -> type[BaseHTTPAuthBackend] | None:
+    return BACKEND_REGISTRY.get(name)

mrok/frontend/app.py

@@ -1,14 +1,21 @@
-import re
+from http import HTTPStatus
+from pathlib import Path
+from typing import Any
 
 from httpcore import AsyncConnectionPool
+from jinja2 import Environment, FileSystemLoader, select_autoescape
 
 from mrok.conf import get_settings
+from mrok.frontend.utils import get_target_name, parse_accept_header
 from mrok.proxy.app import ProxyAppBase
 from mrok.proxy.backend import AIOZitiNetworkBackend
 from mrok.proxy.exceptions import InvalidTargetError
-from mrok.types.proxy import Scope
+from mrok.types.proxy import ASGISend, Scope
 
-RE_SUBDOMAIN = re.compile(r"(?i)^(?:EXT-\d{4}-\d{4}|INS-\d{4}-\d{4}-\d{4})$")
+ERROR_TEMPLATE_FORMATS = {
+    "application/json": "json",
+    "text/html": "html",
+}
 
 
 class FrontendProxyApp(ProxyAppBase):
@@ -19,10 +26,11 @@ class FrontendProxyApp(ProxyAppBase):
         max_connections: int | None = 10,
         max_keepalive_connections: int | None = None,
         keepalive_expiry: float | None = None,
-        retries=0,
+        retries: int = 0,
     ):
         self._identity_file = identity_file
-        self._proxy_domain = self._get_proxy_domain()
+        self._jinja_env_cache: dict[Path, Environment] = {}
+        self._templates_by_error = get_settings().frontend.get("errors", {})
         super().__init__(
             max_connections=max_connections,
             max_keepalive_connections=max_keepalive_connections,
@@ -46,30 +54,90 @@ class FrontendProxyApp(ProxyAppBase):
         )
 
     def get_upstream_base_url(self, scope: Scope) -> str:
-        target = self._get_target_name(
+        target = get_target_name(
             {k.decode("latin1"): v.decode("latin1") for k, v in scope.get("headers", {})}
         )
+        if not target:
+            raise InvalidTargetError()
+
         return f"http://{target.lower()}"
 
-    def _get_proxy_domain(self):
-        settings = get_settings()
-        return (
-            settings.proxy.domain
-            if settings.proxy.domain[0] == "."
-            else f".{settings.proxy.domain}"
-        )
+    async def send_error_response(
+        self,
+        scope: Scope,
+        send: ASGISend,
+        http_status: int,
+        body: str,
+        headers: list[tuple[bytes, bytes]] | None = None,
+    ):
+        request_headers = {
+            k.decode("latin1"): v.decode("latin1") for k, v in scope.get("headers", {})
+        }
+        accept_header = request_headers.get("accept")
+        if not (accept_header and str(http_status) in self._templates_by_error):
+            return await super().send_error_response(scope, send, http_status, body)
 
-    def _get_target_from_header(self, headers: dict[str, str], name: str) -> str | None:
-        header_value = headers.get(name, "")
-        if self._proxy_domain in header_value:
-            if ":" in header_value:
-                header_value, _ = header_value.split(":", 1)
-            return header_value[: -len(self._proxy_domain)]
+        available_templates = self._templates_by_error[str(http_status)]
 
-    def _get_target_name(self, headers: dict[str, str]) -> str:
-        target = self._get_target_from_header(headers, "x-forwarded-host")
-        if not target:
-            target = self._get_target_from_header(headers, "host")
-        if not target or not RE_SUBDOMAIN.fullmatch(target):
-            raise InvalidTargetError()
-        return target
+        media_types = parse_accept_header(accept_header)
+        for media_type in media_types:
+            template_format = ERROR_TEMPLATE_FORMATS.get(media_type)
+            if template_format and template_format in available_templates:
+                template_path = available_templates[template_format]
+                rendered = await self._render_error_template(
+                    Path(template_path), scope, http_status, body
+                )
+                return await super().send_error_response(
+                    scope,
+                    send,
+                    http_status,
+                    rendered,
+                    headers=[(b"content-type", media_type.encode("latin-1"))],
+                )
+
+        return await super().send_error_response(scope, send, http_status, body)
+
+    async def _render_error_template(
+        self, template_path: Path, scope: Scope, http_status: int, body: str
+    ) -> str:
+        env = self._get_jinja_env(template_path)
+        template = env.get_template(template_path.name)
+        status_title = HTTPStatus(http_status).name.replace("_", " ").title()
+        context = {
+            "status": http_status,
+            "status_title": status_title,
+            "body": body,
+            "request": self._extract_request_context(scope),
+        }
+
+        return await template.render_async(context)
+
+    def _extract_request_context(self, scope: Scope) -> dict[str, Any]:
+        headers = {k.decode("latin-1"): v.decode("latin-1") for k, v in scope.get("headers", [])}
+
+        return {
+            "method": scope.get("method"),
+            "path": scope.get("path"),
+            "raw_path": scope.get("raw_path", b"").decode("latin-1"),
+            "query_string": scope.get("query_string", b"").decode("latin-1"),
+            "scheme": scope.get("scheme"),
+            "headers": headers,
+            "client": scope.get("client"),
+            "server": scope.get("server"),
+            "http_version": scope.get("http_version"),
+        }
+
+    def _get_jinja_env(self, template_path: Path) -> Environment:
+        template_dir = template_path.parent
+
+        if template_dir not in self._jinja_env_cache:
+            self._jinja_env_cache[template_dir] = Environment(
+                loader=FileSystemLoader(str(template_dir)),
+                autoescape=select_autoescape(
+                    enabled_extensions=("html", "xml"),
+                    default_for_string=False,
+                ),
+                enable_async=True,
+            )
+
+        return self._jinja_env_cache[template_dir]

mrok/frontend/main.py

@@ -7,6 +7,7 @@ from uvicorn_worker import UvicornWorker
 
 from mrok.conf import get_settings
 from mrok.frontend.app import FrontendProxyApp
+from mrok.frontend.middleware import HealthCheckMiddleware
 from mrok.logging import get_logging_config
 
 
@@ -42,11 +43,13 @@ def run(
     max_keepalive_connections: int | None,
     keepalive_expiry: float | None,
 ):
-    app = FrontendProxyApp(
-        str(identity_file),
-        max_connections=max_connections,
-        max_keepalive_connections=max_keepalive_connections,
-        keepalive_expiry=keepalive_expiry,
+    app = HealthCheckMiddleware(
+        FrontendProxyApp(
+            str(identity_file),
+            max_connections=max_connections,
+            max_keepalive_connections=max_keepalive_connections,
+            keepalive_expiry=keepalive_expiry,
+        )
     )
 
     options = {

mrok/frontend/middleware.py

@@ -0,0 +1,35 @@
+import json
+
+from mrok.frontend.utils import get_target_name
+from mrok.types.proxy import ASGIApp, ASGIReceive, ASGISend, Scope
+
+
+class HealthCheckMiddleware:
+    def __init__(self, app: ASGIApp):
+        self.app = app
+
+    async def __call__(self, scope: Scope, receive: ASGIReceive, send: ASGISend):
+        if scope["type"] == "http" and scope["path"] == "/healthcheck":
+            target = get_target_name(
+                {k.decode("latin1"): v.decode("latin1") for k, v in scope.get("headers", {})}
+            )
+
+            if not target:
+                await send(
+                    {
+                        "type": "http.response.start",
+                        "status": 200,
+                        "headers": [
+                            [b"content-type", b"application/json"],
+                        ],
+                    }
+                )
+                await send(
+                    {
+                        "type": "http.response.body",
+                        "body": json.dumps({"status": "healthy"}).encode("utf-8"),
+                    }
+                )
+                return
+
+        await self.app(scope, receive, send)

mrok/frontend/utils.py

@@ -0,0 +1,83 @@
+import re
+
+from mrok.conf import get_settings
+
+
+def parse_accept_header(accept: str | None) -> list[str]:
+    if not accept:
+        return ["*/*"]
+
+    result: list[tuple[str, float, int]] = []
+
+    for index, item in enumerate(accept.split(",")):
+        item = item.strip()
+        if not item:
+            continue
+
+        parts = [p.strip() for p in item.split(";")]
+        media_type = parts[0].lower()
+
+        q = 1.0
+        for param in parts[1:]:
+            if param.startswith("q="):
+                try:
+                    q = float(param[2:])
+                except ValueError:
+                    q = 0.0
+
+        result.append((media_type, q, index))
+
+    # Sort by:
+    # 1) q value (desc)
+    # 2) specificity (more specific first)
+    # 3) original order (stable)
+    result.sort(
+        key=lambda x: (
+            -x[1],
+            -_media_type_specificity(x[0]),
+            x[2],
+        )
+    )
+
+    return [media_type for media_type, _, _ in result]
+
+
+def _media_type_specificity(media_type: str) -> int:
+    if media_type == "*/*":
+        return 0
+    if media_type.endswith("/*"):
+        return 1
+    return 2
+
+
+def get_frontend_domain():
+    settings = get_settings()
+    return (
+        settings.frontend.domain
+        if settings.frontend.domain[0] == "."
+        else f".{settings.frontend.domain}"
+    )
+
+
+def _get_target_from_header(headers: dict[str, str], name: str) -> str | None:
+    domain_name = get_frontend_domain()
+    header_value = headers.get(name, "")
+    if domain_name in header_value:
+        if ":" in header_value:
+            header_value, _ = header_value.split(":", 1)
+        return header_value[: -len(domain_name)]
+
+
+def get_target_name(headers: dict[str, str]) -> str | None:
+    settings = get_settings()
+
+    target = _get_target_from_header(headers, "x-forwarded-host")
+    if not target:
+        target = _get_target_from_header(headers, "host")
+
+    if target and (
+        re.fullmatch(settings.identifiers.extension.regex, target)
+        or re.fullmatch(settings.identifiers.instance.regex, target)
+    ):
+        return target
+    return None

mrok/logging.py

@@ -1,8 +1,14 @@
+import logging
 import logging.config
 
 from mrok.conf import Settings
 
 
+class HealthCheckFilter(logging.Filter):
+    def filter(self, record):
+        return "/healthcheck" not in record.getMessage()
+
+
 def get_logging_config(settings: Settings, cli_mode: bool = False) -> dict:
     log_level = "DEBUG" if settings.logging.debug else "INFO"
     handler = "rich" if settings.logging.rich else "console"
@@ -26,6 +32,11 @@ def get_logging_config(settings: Settings, cli_mode: bool = False) -> dict:
             },
             "plain": {"format": "%(message)s"},
         },
+        "filters": {
+            "healthcheck_filter": {
+                "()": HealthCheckFilter,
+            }
+        },
         "handlers": {
             "console": {
                 "class": "logging.StreamHandler",
@@ -54,17 +65,30 @@ def get_logging_config(settings: Settings, cli_mode: bool = False) -> dict:
                 "handlers": [handler],
                 "level": log_level,
                 "propagate": False,
+                "filters": ["healthcheck_filter"],
             },
             "gunicorn.error": {
                 "handlers": [handler],
                 "level": log_level,
                 "propagate": False,
             },
+            "uvicorn.access": {
+                "handlers": [handler],
+                "level": log_level,
+                "propagate": False,
+                "filters": ["healthcheck_filter"],
+            },
             "mrok": {
                 "handlers": [mrok_handler],
                 "level": log_level,
                 "propagate": False,
             },
+            "mrok.access": {
+                "handlers": [mrok_handler],
+                "level": log_level,
+                "propagate": False,
+                "filters": ["healthcheck_filter"],
+            },
         },
     }
 

mrok/proxy/app.py

@@ -57,7 +57,7 @@ class ProxyAppBase(abc.ABC):
             return
 
         if scope.get("type") != "http":
-            await self._send_error(send, 500, "Unsupported")
+            await self.send_error_response(scope, send, 500, "Unsupported")
             return
 
         try:
@@ -105,15 +105,23 @@ class ProxyAppBase(abc.ABC):
             await response.aclose()
 
         except ProxyError as pe:
-            await self._send_error(send, pe.http_status, pe.message)
+            await self.send_error_response(scope, send, pe.http_status, pe.message)
 
         except Exception:
             logger.exception("Unexpected error in forwarder")
-            await self._send_error(send, 502, "Bad Gateway")
+            await self.send_error_response(scope, send, 502, "Bad Gateway")
 
-    async def _send_error(self, send: ASGISend, http_status: int, body: str):
+    async def send_error_response(
+        self,
+        scope: Scope,
+        send: ASGISend,
+        http_status: int,
+        body: str,
+        headers: list[tuple[bytes, bytes]] | None = None,
+    ):
+        headers = headers or [(b"content-type", b"text/plain")]
         try:
-            await send({"type": "http.response.start", "status": http_status, "headers": []})
+            await send({"type": "http.response.start", "status": http_status, "headers": headers})
             await send({"type": "http.response.body", "body": body.encode()})
         except Exception as e:  # pragma: no cover
             logger.error(f"Cannot send error response: {e}")

mrok/ziti/api.py

@@ -38,7 +38,7 @@ class ZitiBadRequestError(ZitiAPIError):
 class BaseZitiAPI(ABC):
     def __init__(self, settings: Settings):
         self.settings = settings
-        self.limit = self.settings.pagination.limit
+        self.limit = self.settings.controller.pagination.limit
         self.token = None
 
     @property
@@ -263,7 +263,7 @@ class ZitiIdentityAuth(BaseZitiAuth):
 class ZitiManagementAPI(BaseZitiAPI):
     @property
     def base_url(self):
-        return f"{self.settings.ziti.api.management}/edge/management/v1"
+        return f"{self.settings.ziti.base_urls.management}/edge/management/v1"
 
     def services(
         self,
@@ -465,7 +465,7 @@ class ZitiManagementAPI(BaseZitiAPI):
 class ZitiClientAPI(BaseZitiAPI):
     @property
     def base_url(self):
-        return f"{self.settings.ziti.api.client}/edge/client/v1"
+        return f"{self.settings.ziti.base_urls.client}/edge/client/v1"
 
     async def enroll_identity(self, jti: str, csr_pem: str) -> dict[str, Any]:
         response = await self.httpx_client.post(

mrok/ziti/identities.py

@@ -69,7 +69,7 @@ async def register_identity(
         mrok={
             "extension": service_name,
             "instance": identity_name,
-            "domain": settings.proxy.domain,
+            "domain": settings.frontend.domain,
             "tags": identity_tags,
         },
     )

mrok/ziti/services.py

@@ -19,15 +19,15 @@ async def register_service(
 ) -> dict[str, Any]:
     service_name = external_id.lower()
     registered = False
-    proxy_identity = await mgmt_api.search_identity(settings.proxy.identity)
+    proxy_identity = await mgmt_api.search_identity(settings.frontend.identity)
     if not proxy_identity:
         raise ProxyIdentityNotFoundError(
-            f"Identity for proxy `{settings.proxy.identity}` not found.",
+            f"Identity for proxy `{settings.frontend.identity}` not found.",
         )
 
-    config_type = await mgmt_api.search_config_type(f"{settings.proxy.mode}.proxy.v1")
+    config_type = await mgmt_api.search_config_type(f"{settings.frontend.mode}.proxy.v1")
     if not config_type:
-        raise ConfigTypeNotFoundError(f"Config type `{settings.proxy.mode}.proxy.v1` not found.")
+        raise ConfigTypeNotFoundError(f"Config type `{settings.frontend.mode}.proxy.v1` not found.")
 
     config = await mgmt_api.search_config(service_name)
     if not config:
@@ -43,7 +43,7 @@ async def register_service(
     else:
         service_id = service["id"]
     proxy_identity_id = proxy_identity["id"]
-    service_policy_name = f"{service_name}:{settings.proxy.identity}:dial"
+    service_policy_name = f"{service_name}:{settings.frontend.identity}:dial"
     dial_service_policy = await mgmt_api.search_service_policy(service_policy_name)
     if not dial_service_policy:
         await mgmt_api.create_dial_service_policy(
@@ -75,7 +75,7 @@ async def unregister_service(
     if router_policy:
         await mgmt_api.delete_service_router_policy(router_policy["id"])
 
-    service_policy_name = f"{service_name}:{settings.proxy.identity}:dial"
+    service_policy_name = f"{service_name}:{settings.frontend.identity}:dial"
 
     dial_service_policy = await mgmt_api.search_service_policy(service_policy_name)
     if dial_service_policy:

{mrok-0.7.0.dist-info → mrok-0.8.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mrok
-Version: 0.7.0
+Version: 0.8.0
 Summary: MPT Extensions OpenZiti Orchestrator
 Author: SoftwareOne AG
 License:                                  Apache License
@@ -225,7 +225,7 @@ Requires-Dist: pyzmq<28.0.0,>=27.1.0
 Requires-Dist: rich<15.0.0,>=14.1.0
 Requires-Dist: textual-serve<2.0.0,>=1.1.3
 Requires-Dist: textual[syntax]<8.0.0,>=7.2.0
-Requires-Dist: typer<0.20.0,>=0.19.2
+Requires-Dist: typer<1.0.0,>=0.21.1
 Requires-Dist: uvicorn-worker<0.5.0,>=0.4.0
 Description-Content-Type: text/markdown
 

{mrok-0.7.0.dist-info → mrok-0.8.0.dist-info}/RECORD

@@ -1,13 +1,13 @@
 mrok/__init__.py,sha256=D1PUs3KtMCqG4bFLceVNG62L3RN53NS95uSCNXpgvzs,181
-mrok/conf.py,sha256=_5Z-A5LyojQeY8J7W8C0QidsmrPl99r9qKYEoMf4kcI,840
+mrok/conf.py,sha256=5AgRgwE_Yq0Dv7xDv0SWakhPSr3nnUNjIIgnn0Zgf9c,1057
 mrok/constants.py,sha256=QXaMw4LuHijj_TUTCsM5uUjpgT04HBvd0wRbjvn1z9A,449
 mrok/errors.py,sha256=ruNMDFr2_0ezCGXuCG1OswCEv-bHOIzMMd02J_0ABcs,37
-mrok/logging.py,sha256=4F5rviPK1-MWWMZuHfzNNQmGxg-emAPRdKz0PsWDSww,2261
+mrok/logging.py,sha256=PS_x0uAQDsIPF_tbF11fIyijwLS03DQwJzzUHMdVdnE,3000
 mrok/agent/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 mrok/agent/ziticorn.py,sha256=eHUYs9QaSp35rBzYHRV-SrYxF5ySyECaQg7U-XbdINE,1025
 mrok/agent/devtools/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 mrok/agent/devtools/inspector/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-mrok/agent/devtools/inspector/__main__.py,sha256=MyaIi81D-ubdxuvLV1mCpA8cSVwtq07zc5xuArPU2Dw,73
+mrok/agent/devtools/inspector/__main__.py,sha256=vof04S9fwiU8lGjt7YiM6O9YOXEW_lT1AxGoXyF4bg8,97
 mrok/agent/devtools/inspector/app.py,sha256=TxBBIy8lXHj6h8KmQHCeLiIM2QqMzMsCpSWFjH8cGu4,25636
 mrok/agent/devtools/inspector/server.py,sha256=C4uD6_1psSHMjJLUDCMPGvKdQYKaEwYTw27NAbwuuA0,636
 mrok/agent/devtools/inspector/utils.py,sha256=K-_4rTyB54Y0faEIGgutMEHGyP1W7eOhbcuUKxNnsYA,4261
@@ -17,37 +17,41 @@ mrok/agent/sidecar/main.py,sha256=jeJzrCbltfXOYsKSCjcw8h5lxh4_bGT87kCC5dV4kYU,21
 mrok/cli/__init__.py,sha256=mtFEa8IeS1x6Gm4dUYoSnAxyEzNqbUVSmWxtuZUMR84,61
 mrok/cli/main.py,sha256=T029FYxK_jDrwiA14oX-Onoqp_X14XHRAA_4bbaOgV8,3123
 mrok/cli/rich.py,sha256=P3Dyu8EArUR9_0j7DPK7LRx85TWdYdZ1SaJzD_S1ZCE,511
-mrok/cli/utils.py,sha256=m_olScdIUGks5IoC6p2F9D6CQIucWZ7LHyrvwm2bkJw,106
+mrok/cli/utils.py,sha256=FXqyNef0cRFy_d-63ZY-kT3uqmDOK3USSNgBSZyKXIE,831
 mrok/cli/commands/__init__.py,sha256=-UOGzh38oWX7fPeI2nc5I9z8LylRdQAt868q4G6rNGk,140
 mrok/cli/commands/admin/__init__.py,sha256=WU49jpMF9p18UONjYywWEFzjF57zLpLKJ0qAZvrzcR4,414
-mrok/cli/commands/admin/bootstrap.py,sha256=9ADSeiVbFAZXh6GxHEf9h2g_XHGOIlMmg1rgsxMfdow,1699
+mrok/cli/commands/admin/bootstrap.py,sha256=McIGngjpRQSsI2CqW_LBTF1lBeGXvTbbt31jYS35xIY,1705
 mrok/cli/commands/admin/utils.py,sha256=Z7YTAFZKOi6nkw2oX4rJoGoUD41RYL3AOqEDhlV3jR0,1357
 mrok/cli/commands/admin/list/__init__.py,sha256=kjCMcpn1gopcrQaaHxfFh8Kyngldepnle8R2br5dJ_0,195
 mrok/cli/commands/admin/list/extensions.py,sha256=16fhDB5ucL8su2WQnSaQ1E6MhgC4vkP9-nuHAcPpzyE,4405
 mrok/cli/commands/admin/list/instances.py,sha256=kaqeyidwUxgYqfaHXqp2m76rm5h2ErBsYyZcNeaBRwY,5912
 mrok/cli/commands/admin/register/__init__.py,sha256=5Jb_bc2L47MEpQIrOcquzduTFWQ01Jd1U1MpqaR-Ekw,209
-mrok/cli/commands/admin/register/extensions.py,sha256=dxciVA_S31rZSm0A7lkecn2mI9TMlWDhcJTgwgNXbM4,1460
-mrok/cli/commands/admin/register/instances.py,sha256=raF57jPUTryWdvNqGCosth1C-8jjv9IbA0UuNbDel3A,2220
+mrok/cli/commands/admin/register/extensions.py,sha256=3ooHR-zfFImtqAZ-06kS0555v9gQLQ1G5-ARe_mJ9e4,1353
+mrok/cli/commands/admin/register/instances.py,sha256=KjyLJX1mSXK-6ZmkW9I4PJFYNfgsOyAmJWh92XxSkYg,1982
 mrok/cli/commands/admin/unregister/__init__.py,sha256=-GjjCPX1pISbWmJK6GpKO3ijGsDQb21URjU1hNu99O4,215
-mrok/cli/commands/admin/unregister/extensions.py,sha256=GR3Iwzeksk_R0GkgmCSG7iHRcUrI7ABqDi25Gbes64Y,1016
-mrok/cli/commands/admin/unregister/instances.py,sha256=-28wL8pTXTWHVHtw93y8-dqi-Dlf0OZOnlBCKOyGo80,1138
+mrok/cli/commands/admin/unregister/extensions.py,sha256=xL2yX0kn8dhitQL7NcLTn83bbPZfgPJNzHjZAdiP8yM,891
+mrok/cli/commands/admin/unregister/instances.py,sha256=sLBfBhHDgR7Qw5Zc-EVOSuQUgfLMgh7cFnOP-73iM70,1167
 mrok/cli/commands/agent/__init__.py,sha256=ZAi7eTkKQtfwwV1c1mv3uvEEsyMMrhCQ_-id_0wksAQ,218
 mrok/cli/commands/agent/dev/__init__.py,sha256=ZfreyRuaLqO0AwPS8Ll1DIpsKacsu7_dTmbxV5QecOM,172
 mrok/cli/commands/agent/dev/console.py,sha256=rrKAGoKXVQQBOC75H0JSuX1sYyvc2QSrV-dfMPK49p4,673
 mrok/cli/commands/agent/dev/web.py,sha256=O9dYk-o1FV2E_sKLOezdEmLsnexwbJNDdsYL5pATZRQ,1028
 mrok/cli/commands/agent/run/__init__.py,sha256=E_IJCl3BfMffqFASe8gzJwhhQgt5bQfjhuyekVwdEBA,164
-mrok/cli/commands/agent/run/asgi.py,sha256=dCgzwJtTLv2eyEIP7v1tDfe_PrFBS02SfN5dSDw1Jzg,2054
+mrok/cli/commands/agent/run/asgi.py,sha256=FzM3suWJPRqQ08SoDrF9mLfjiBJ6huSbfP3wkTbh3Uo,2054
 mrok/cli/commands/agent/run/sidecar.py,sha256=UOewegTLFwAZ70VFJb6_9kV0LmsvnXuq-yqgrMlTeZo,4182
 mrok/cli/commands/controller/__init__.py,sha256=2xw-YVN0akiLiuGUU3XbYyZZ0ugOjQ6XhtTkzEKSmMA,161
 mrok/cli/commands/controller/openapi.py,sha256=QLjVao9UkB2vBaGkFi_q_jrlg4Np4ldMRwDIJsrJ7A8,1175
 mrok/cli/commands/controller/run.py,sha256=yl1p7oRHhQINWWjUKlRHtMIWUCV0KsxYdyVyazhX834,2406
 mrok/cli/commands/frontend/__init__.py,sha256=0kK37yG6qs7yAa8TYlKZUA-nHrWsO4y5CjbVkXafnuk,123
-mrok/cli/commands/frontend/run.py,sha256=_X1ylMe4-YCTghsu0XY-PB4nk3PL-PQq9YIgbkgJok8,2796
+mrok/cli/commands/frontend/run.py,sha256=E6vJC9LprGyPetGLfyfJm8GDemEIRVnqetao4V3W9Kk,2796
 mrok/controller/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-mrok/controller/app.py,sha256=XxCIB7N1YE52vSYfvGW2UPgEEOZ9jxDMe2l9D2SfXi8,1866
-mrok/controller/auth.py,sha256=hYa0OPJ5X0beGxRP6qbxwJOVXj5TmzHjmam2OjTBKn4,2704
+mrok/controller/app.py,sha256=JgyfEFbQeGLpHCrjFKQjdP8TRfV4YVec7Re8i0P4FE8,2040
 mrok/controller/pagination.py,sha256=raYpYa34q8Ckl4BXBOEdpWlKkFj6z7e6QLWr2HT7dzI,2187
 mrok/controller/schemas.py,sha256=PZPEsSJNrGSuplfjCPF_E-VJ721AzgR1Jj8P-Shw1cg,1699
+mrok/controller/auth/__init__.py,sha256=st0q-NHQEQwYlvLEnQdonMVsDmczeL5cS4hkVK7NT6s,412
+mrok/controller/auth/backends.py,sha256=xwiF7qFHh5okhqbTld4P2jSnFkSPZlGR4gfQu598Xrg,2288
+mrok/controller/auth/base.py,sha256=NWEVtc9Y8I56NnyYrBiNzxHZxFSzVEbmkMY2u6RCANs,1131
+mrok/controller/auth/manager.py,sha256=VQwov4UiAOXHBl_a9oPG90_QKRMNz2tWONF3JFR5RmM,1118
+mrok/controller/auth/registry.py,sha256=VmwPPI6E2-oyB2MZDkK_G39EaAeU3Uq-b14GGKz1E-A,485
 mrok/controller/dependencies/__init__.py,sha256=voewk6gjkA0OarL6HFmfT_RLqBns0Fpl-VIqK5xVAEI,202
 mrok/controller/dependencies/conf.py,sha256=2Pa8fxJHkZ29q6UL-w6hUP_wr7WnNELfw5LlzWg1Tec,162
 mrok/controller/dependencies/ziti.py,sha256=fYoxeJb4s6p2_3gxbExbFSRabjpvp_gZMBb3ocXZV3Y,702
@@ -58,10 +62,12 @@ mrok/controller/routes/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3
 mrok/controller/routes/extensions.py,sha256=zoY4sNz_BIZcbly6WXM7Rbpn2jmB89njS_0xdJkoKfs,9192
 mrok/controller/routes/instances.py,sha256=v-fn_F6JHbDZ4YUNCIZzClgHp6aC1Eu5HB7k7qBG5pk,2202
 mrok/frontend/__init__.py,sha256=SN3LoFwAye18lfJ8OKNNS-7kLc2A9OxPGIEIEYYtAOA,54
-mrok/frontend/app.py,sha256=I2cvEI2ZGhbeazFhF6LavxBYywsv-4QkuNxCDo6-dkA,2627
-mrok/frontend/main.py,sha256=0KtchIGLn70A_Oxekmhr_qSYUg5QqIMfrdYcyFdpj9s,1717
+mrok/frontend/app.py,sha256=_FLz5fqZdlFc1tdBBMwhmvjGa0UnNeaNj6EnYEnuPAQ,5280
+mrok/frontend/main.py,sha256=zvfCh7NDx-mkpN-ppM2AqWmgKn1cBrNOCky8UgjLou4,1833
+mrok/frontend/middleware.py,sha256=xTXt5gYikr9RCXaI4uVKgxFhlH49RNY3MD3eZPcX9cc,1161
+mrok/frontend/utils.py,sha256=Oh987pCpg7ZIIIpRWcpX7Nrh8FGbJ4cH4ciiG1xRoQI,2120
 mrok/proxy/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-mrok/proxy/app.py,sha256=flnVPoUO3pSF3b0nYFBhKjZ9jp5ljijo2a-5e37gACs,6016
+mrok/proxy/app.py,sha256=HU-YRKA3ijY2AW9v-NwfUnbSgdI-XqsnkQ90TocZ1Ts,6257
 mrok/proxy/asgi.py,sha256=2uw5bLquyUsiYlNwq8RhJd8OqVvSJDvYjzOVGLLB3Cs,3528
 mrok/proxy/backend.py,sha256=dRmIUJin2DM3PUxrVX0j4t1oB6DOX7N9JV2lIcopE38,1649
 mrok/proxy/event_publisher.py,sha256=TAuwEqIhRYxgazJFgC3DekwUAXlJ2UFjbdx_A9vwA1g,2511
@@ -77,15 +83,15 @@ mrok/types/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 mrok/types/proxy.py,sha256=40Yds4tUykMpzsoQbMtHG85r8xtm5Q3fQZ17bp7cDiM,818
 mrok/types/ziti.py,sha256=EeQnTbDEJ-Y-KMS6zu1Xjxb58Up2VxUwqzUwy3H28JY,36
 mrok/ziti/__init__.py,sha256=20OWMiexRhOovZOX19zlX87-V78QyWnEnSZfyAftUdE,263
-mrok/ziti/api.py,sha256=CRblQUyfX_421cppA9D-LRnjh4N9P7aYVK4fG7UzQE4,16102
+mrok/ziti/api.py,sha256=Z6Hs17-UaKtcRc6uMowhvQW5fbyW6wFr-7lAvI3aZm0,16125
 mrok/ziti/bootstrap.py,sha256=RSL8nZfI-MZ_z6h0F-rNevQoE6g9oGKLr6HlZF696_c,2499
 mrok/ziti/constants.py,sha256=Urq1X3bCBQZfw8NbnEa1pqmY4oq1wmzkwPfzam3kbTw,339
 mrok/ziti/errors.py,sha256=yYCbVDwktnR0AYduqtynIjo73K3HOhIrwA_vQimvEd4,368
-mrok/ziti/identities.py,sha256=5-7Iof5a8SfkAYsy-SPirDEJKE68ZSn1Kw1wXYQbK9Q,6880
+mrok/ziti/identities.py,sha256=cOMv-Jv8MEjtzyjRcWOF8Ziz4HJY2Z-uHXWpZRqgPxs,6883
 mrok/ziti/pki.py,sha256=o2tySqHC8-7bvFuI2Tqxg9vX6H6ZSxWxfP_9x29e19M,1954
-mrok/ziti/services.py,sha256=TukG0vAZxgjbS8OLiyg7u1GwuVeGTco-rb9ne6a4PUA,3213
-mrok-0.7.0.dist-info/METADATA,sha256=bswj6K1HG4vnUbkCpqQfuH6BoAgcyrMKY3U6XIotlnI,15979
-mrok-0.7.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-mrok-0.7.0.dist-info/entry_points.txt,sha256=tloXwvU1uJicBJR2h-8HoVclPgwJWDwuREMHN8Zq-nU,38
-mrok-0.7.0.dist-info/licenses/LICENSE.txt,sha256=6PaICaoA3yNsZKLv5G6OKqSfLSoX7MakYqTDgJoTCBs,11346
-mrok-0.7.0.dist-info/RECORD,,
+mrok/ziti/services.py,sha256=P2c9qRUyUFu1pSKPdT8L6s3yTKYVpTabRiHPWqbBIiU,3231
+mrok-0.8.0.dist-info/METADATA,sha256=SmmFB0ZpkWORFIvUKENkpOszVnFjgqVZS6p7rbPyIwc,15978
+mrok-0.8.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+mrok-0.8.0.dist-info/entry_points.txt,sha256=tloXwvU1uJicBJR2h-8HoVclPgwJWDwuREMHN8Zq-nU,38
+mrok-0.8.0.dist-info/licenses/LICENSE.txt,sha256=6PaICaoA3yNsZKLv5G6OKqSfLSoX7MakYqTDgJoTCBs,11346
+mrok-0.8.0.dist-info/RECORD,,

mrok/controller/auth.py

@@ -1,87 +0,0 @@
-import logging
-from typing import Annotated
-
-import httpx
-import jwt
-from fastapi import Depends, HTTPException, Request, status
-from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
-
-from mrok.controller.dependencies.conf import AppSettings
-
-logger = logging.getLogger("mrok.controller")
-
-UNAUTHORIZED_EXCEPTION = HTTPException(
-    status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized."
-)
-
-
-class JWTCredentials(HTTPAuthorizationCredentials):
-    pass
-
-
-class JWTBearer(HTTPBearer):
-    def __init__(self):
-        super().__init__(auto_error=False)
-
-    async def __call__(self, request: Request) -> JWTCredentials:
-        credentials = await super().__call__(request)
-        if not credentials:
-            raise UNAUTHORIZED_EXCEPTION
-        try:
-            return JWTCredentials(
-                scheme=credentials.scheme,
-                credentials=credentials.credentials,
-            )
-        except jwt.InvalidTokenError:
-            raise UNAUTHORIZED_EXCEPTION
-
-
-async def authenticate(
-    settings: AppSettings,
-    credentials: Annotated[JWTCredentials, Depends(JWTBearer())],
-):
-    async with httpx.AsyncClient(
-        timeout=httpx.Timeout(
-            connect=0.25,
-            read=settings.auth.read_timeout,
-            write=2.0,
-            pool=5.0,
-        ),
-    ) as client:
-        try:
-            config_resp = await client.get(settings.auth.openid_config_url)
-            config_resp.raise_for_status()
-            config = config_resp.json()
-            issuer = config["issuer"]
-            jwks_uri = config["jwks_uri"]
-
-            jwks_resp = await client.get(jwks_uri)
-            jwks_resp.raise_for_status()
-            jwks = jwks_resp.json()
-
-            header = jwt.get_unverified_header(credentials.credentials)
-            kid = header["kid"]
-
-            key_data = next((k for k in jwks["keys"] if k["kid"] == kid), None)
-        except Exception:
-            logger.exception("Error fetching openid-config/jwks")
-            raise UNAUTHORIZED_EXCEPTION
-    if key_data is None:
-        logger.error("Key ID not found in JWKS")
-        raise UNAUTHORIZED_EXCEPTION
-
-    try:
-        payload = jwt.decode(
-            credentials.credentials,
-            jwt.PyJWK(key_data),
-            algorithms=[header["alg"]],
-            issuer=issuer,
-            audience=settings.auth.audience,
-        )
-        return payload
-    except jwt.InvalidKeyError as e:
-        logger.error(f"Invalid jwt token: {e} ({credentials.credentials})")
-        raise UNAUTHORIZED_EXCEPTION
-    except jwt.InvalidTokenError as e:
-        logger.error(f"Invalid jwt token: {e} ({credentials.credentials})")
-        raise UNAUTHORIZED_EXCEPTION