PyPI - navigator-auth - Versions diffs - 0.4.7__tar.gz → 0.16.0__tar.gz - Mend

navigator-auth 0.4.7tar.gz → 0.16.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (164) hide show

{navigator-auth-0.4.7 → navigator_auth-0.16.0}/MANIFEST.in RENAMED Viewed

@@ -3,7 +3,7 @@ include LICENSE
 include CHANGES.rst
 include README.md
 include Makefile
-graft navigator_session
+graft navigator_auth
 graft docs
 graft tests
 global-exclude *.pyc

navigator_auth-0.16.0/Makefile ADDED Viewed

@@ -0,0 +1,89 @@
+# Navigator-Auth Makefile
+.PHONY: venv install develop release format lint test clean distclean lock sync check-deps
+# Python version to use
+PYTHON_VERSION := 3.11
+# Auto-detect available tools
+HAS_UV := $(shell command -v uv 2> /dev/null)
+# Install uv if missing
+install-uv:
+	curl -LsSf https://astral.sh/uv/install.sh | sh
+	@echo "uv installed! You may need to restart your shell or run 'source ~/.bashrc'"
+# Create virtual environment
+venv:
+	uv venv --python $(PYTHON_VERSION) .venv
+	@echo 'run `source .venv/bin/activate` to start develop Navigator-Auth'
+# Install production dependencies using lock file
+install:
+	uv sync --frozen --no-dev
+	@echo "Production dependencies installed."
+# Generate lock files
+lock:
+ifdef HAS_UV
+	uv lock
+else
+	@echo "Lock files require uv. Install with: make install-uv"
+endif
+# Install all dependencies including dev dependencies
+develop:
+	uv sync --frozen --extra uvloop --dev
+# Alternative: install without lock file (faster for development)
+develop-fast:
+	uv pip install -e .[uvloop]
+	uv pip install -e .[dev]
+# Compile Cython extensions
+compile:
+	python setup.py build_ext --inplace
+# Build and publish release
+release: lint test clean
+	uv build
+	uv publish
+# Format code
+format:
+	uv run black navigator_auth
+# Lint code
+lint:
+	uv run pylint --rcfile .pylintrc navigator_auth/*.py
+	uv run black --check navigator_auth
+# Run tests
+test:
+	uv run coverage run -m pytest tests
+	uv run coverage report
+	uv run mypy navigator_auth/*.py
+# Performance tests
+perf:
+	uv run python -m unittest -v navigator_auth.tests.perf
+# Clean build artifacts
+clean:
+	rm -rf build/
+	rm -rf dist/
+	rm -rf *.egg-info/
+	find . -name "*.pyc" -delete
+	find . -name "*.pyo" -delete
+	find . -name "*.so" -delete
+	find . -type d -name __pycache__ -delete
+	@echo "Clean complete."
+# Remove virtual environment
+distclean:
+	rm -rf .venv
+	rm -rf uv.lock
+# Show project info
+info:
+	uv tree

{navigator-auth-0.4.7 → navigator_auth-0.16.0}/PKG-INFO RENAMED Viewed

@@ -1,33 +1,52 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: navigator-auth
-Version: 0.4.7
+Version: 0.16.0
 Summary: Navigator Auth is an Authentication/Authorization Toolkit for aiohttp.
-Home-page: https://github.com/phenobarbital/navigator-auth
-Author: Jesus Lara
-Author-email: jesuslarag@gmail.com
-License: Apache 2.0 license
+Author-email: Jesus Lara Gimenez <jesuslarag@gmail.com>
+License: Apache 2.0 License
+Project-URL: Homepage, https://github.com/phenobarbital/navigator-auth
 Project-URL: Source, https://github.com/phenobarbital/navigator-auth
 Project-URL: Funding, https://paypal.me/phenobarbital
-Project-URL: Say Thanks!, https://saythanks.io/to/phenobarbital
-Keywords: asyncio,auth,aioredis,aiohttp,authz,authentication,authorization
-Platform: POSIX
-Classifier: Development Status :: 3 - Alpha
+Project-URL: Tracker, https://github.com/phenobarbital/navigator-auth/issues
+Project-URL: Documentation, https://github.com/phenobarbital/navigator-auth
+Classifier: Development Status :: 4 - Beta
 Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: System Administrators
 Classifier: Operating System :: POSIX :: Linux
-Classifier: License :: OSI Approved :: Apache Software License
 Classifier: Environment :: Web Environment
 Classifier: Topic :: Software Development :: Build Tools
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
 Classifier: Topic :: System :: Systems Administration
 Classifier: Topic :: System :: Networking
-Classifier: Programming Language :: Python :: 3.8
 Classifier: Programming Language :: Python :: 3.9
-Classifier: Programming Language :: Python :: Implementation :: PyPy
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Classifier: Framework :: AsyncIO
 Classifier: Framework :: aiohttp
-Requires-Python: >=3.8.0
+Classifier: License :: OSI Approved :: Apache Software License
+Requires-Python: >=3.9.16
 Description-Content-Type: text/markdown
 License-File: LICENSE
+Requires-Dist: Cython>=3.0.11
+Requires-Dist: PyNaCl>=1.5.0
+Requires-Dist: aiohttp>=3.9.5
+Requires-Dist: aiohttp-cors==0.8.1
+Requires-Dist: PyJWT>=2.10.1
+Requires-Dist: pycryptodome>=3.21.0
+Requires-Dist: rncryptor>=3.3.0
+Requires-Dist: msal<=1.32.0,>=1.28.0
+Requires-Dist: aiogoogle>=5.17.0
+Requires-Dist: okta-jwt-verifier>=0.2.5
+Requires-Dist: python-slugify>=8.0.1
+Requires-Dist: asyncdb>=2.8.0
+Requires-Dist: navconfig>=1.7.0
+Requires-Dist: navigator-session>=0.6.5
+Requires-Dist: navigator-api>=0.5.0
+Provides-Extra: uvloop
+Requires-Dist: uvloop>=0.20.0; extra == "uvloop"
+Dynamic: license-file
 # Navigator Auth #
@@ -65,5 +84,3 @@ Navigator Auth is an Authentication/Authorization toolkit for aiohttp or Navigat
 ### License ###
 Navigator_Auth is copyright of Jesus Lara (https://phenobarbital.info) and is under Apache 2 license. I am providing code in this repository under an open source license, remember, this is my personal repository; the license that you receive is from me and not from my employeer.

navigator_auth-0.16.0/docs/requirements-dev.txt ADDED Viewed

@@ -0,0 +1,21 @@
+aiounittest==1.4.2
+black==24.3.0
+build==1.0.3
+coverage[toml]==7.2.7
+flit==3.9.0
+hypothesis==6.111.0
+ipython==8.22.1
+lint==1.2.1
+mypy==1.7.1
+pylint==3.2.6
+pyperf==2.6.2
+pytest>=6.0.0
+pytest-asyncio==0.23.8
+pytest-cov==4.0.0
+pytest-cython==0.3.1
+pytest-xdist==3.5.0
+pytest-assume==2.4.3
+sdist==0.0.0
+sphinx==6.1.3
+tox==4.18.0
+twine==5.1.1

navigator_auth-0.16.0/navigator_auth/__init__.py ADDED Viewed

@@ -0,0 +1,14 @@
+"""
+  Navigator Auth.
+  Basic Toolkit for authentication/Authorization for aiohttp,
+  using AsyncDB for Storage access.
+"""
+from .version import __author__, __description__, __title__, __version__, get_version
+from .auth import AuthHandler
+from .uv import install_uvloop
+install_uvloop()
+__all__ = ("AuthHandler", )

navigator_auth-0.16.0/navigator_auth/abac/__init__.py ADDED Viewed

@@ -0,0 +1,7 @@
+"""ABAC Proof of Concept.
+"""
+from .policies import Policy, PolicyEffect
+__all__ = ['Policy', 'PolicyEffect']

navigator_auth-0.16.0/navigator_auth/abac/audit.py ADDED Viewed

@@ -0,0 +1,64 @@
+import asyncio
+from datetime import datetime
+import socket
+from navconfig.logging import logger
+from asyncdb import AsyncDB
+from asyncdb.exceptions import DriverError
+from navigator_auth.exceptions import ConfigError
+from navigator_auth.conf import (
+    ENVIRONMENT,
+    DOMAIN,
+    AUDIT_BACKEND,
+    AUDIT_CREDENTIALS,
+    ENABLE_AUDIT_LOG
+)
+class AuditLog:
+    def __init__(self):
+        self.loop = asyncio.get_event_loop()
+        if ENABLE_AUDIT_LOG is True:
+            try:
+                self.logger = AsyncDB(
+                    AUDIT_BACKEND,
+                    params=AUDIT_CREDENTIALS,
+                    loop=self.loop
+                )
+                self.host = socket.gethostbyname(socket.gethostname())
+            except DriverError as ex:
+                raise ConfigError(
+                    f"Unable to start Audit Backend: {ex}"
+                ) from ex
+        else:
+            self.logger = logger
+    async def log(self, answer, status, user):
+        start_time = datetime.utcnow()
+        if ENABLE_AUDIT_LOG is True:
+            async with await self.logger.connection() as conn:
+                try:
+                    data = {
+                        "measurement": 'audit',
+                        "location": ENVIRONMENT,
+                        "domain": DOMAIN,
+                        "timestamp": start_time,
+                        "fields": {
+                            "status": status
+                        },
+                        "tags": {
+                            "host": self.host,
+                            "region": ENVIRONMENT,
+                            "message": answer.response,
+                            "answer": answer,
+                            "username": user.username,
+                            "user": user.id
+                        }
+                    }
+                    await conn.write(data, bucket=AUDIT_CREDENTIALS['bucket'])
+                except (TypeError, AttributeError, ValueError, DriverError) as ex:
+                    logger.error(
+                        f'Error saving Audit Log: {ex}'
+                    )
+        else:
+            message = f'Access {status} by: {answer.response} to user {user.username}'
+            self.logger.info(message)

navigator_auth-0.16.0/navigator_auth/abac/context.py ADDED Viewed

@@ -0,0 +1,111 @@
+from typing import Any
+from collections.abc import MutableMapping, Iterator
+from aiohttp import web
+from datamodel import BaseModel
+class EvalContext(dict, MutableMapping):
+    """EvalContext.
+    Build The Evaluation Context from Request and User Data.
+    """
+    def __init__(
+        self,
+        request: web.Request,
+        user: Any,
+        userinfo: Any,
+        session: Any,
+        *args,
+        **kwargs
+    ):
+        ## initialize the mutable mapping:
+        self.store = dict()
+        self.store['request'] = request
+        self.store['ip_addr'] = request.remote
+        self.store['method'] = request.method
+        self.store['referer'] = request.headers.get('referer', None)
+        self.store['path_qs'] = request.path_qs
+        self.store['path'] = request.path
+        self.store['headers'] = request.headers
+        self.store['url'] = request.rel_url
+        try:
+            self.store['is_authenticated'] = request.is_authenticated
+        except AttributeError:
+            if user is not None:
+                self.store['is_authenticated'] = True
+            else:
+                self.store['is_authenticated'] = False
+        self.store['user'] = user
+        if isinstance(user, BaseModel):
+            self.store['user_keys'] = user.get_fields()
+        else:
+            self.store['user_keys'] = user.__dict__.keys()
+        self.store['userinfo'] = userinfo
+        if isinstance(userinfo, dict):
+            self.store['userinfo_keys'] = list(userinfo.keys())
+        else:
+            try:
+                self.store['userinfo_keys'] = userinfo.__dict__.keys()
+            except AttributeError:
+                self.store['userinfo_keys'] = []
+        self.store['session'] = session
+        self.update(*args, **kwargs)
+        self._columns = list(self.store.keys())
+    def __missing__(self, key):
+        return False
+    def items(self) -> zip:  # type: ignore
+        return zip(self._columns, self.store)
+    def keys(self) -> list:
+        return self._columns
+    def set(self, key, value) -> None:
+        self.store[key] = value
+        if key not in self._columns:
+            self._columns.append(key)
+    ### Section: Simple magic methods
+    def __len__(self) -> int:
+        return len(self.store)
+    def __str__(self) -> str:
+        return f"<{type(self).__name__}({self.store})>"
+    def __repr__(self) -> str:
+        return f"<{type(self).__name__}({self.store})>"
+    def __contains__(self, key: str) -> bool:
+        return key in self._columns
+    def __iter__(self) -> Iterator:
+        for value in self.store:
+            yield value
+    def __delitem__(self, key) -> None:
+        value = self.store[key]
+        del self.store[key]
+        self._columns.pop(value, None)
+    def __setitem__(self, key, value):
+        self.store[key] = value
+        if key not in self._columns:
+            self._columns.append(key)
+    def __getattr__(self, key):
+        try:
+            return super().__getattribute__('store')[key]
+        except KeyError as ex:
+            raise AttributeError(key) from ex
+    def __setattr__(self, key, value):
+        if key == 'store':
+            super().__setattr__(key, value)
+        else:
+            self.store[key] = value
+    def __delattr__(self, key):
+        try:
+            del self.store[key]
+        except KeyError as ex:
+            raise AttributeError(key) from ex

navigator_auth-0.16.0/navigator_auth/abac/decorators.py ADDED Viewed

@@ -0,0 +1,203 @@
+from functools import wraps
+from typing import Any, TypeVar
+from collections.abc import Callable
+from aiohttp import web, hdrs
+from aiohttp.abc import AbstractView
+import inspect
+from navigator_session import get_session
+from navigator_auth.conf import AUTH_SESSION_OBJECT
+from navigator_auth.decorators import _apply_decorator
+from navigator_auth.abac.context import EvalContext
+from navigator_auth.abac.policies.resources import ResourceType
+F = TypeVar("F", bound=Callable[..., Any])
+def groups_protected(groups: list, content_type: str = "application/json") -> Callable:
+    """Restrict the Handler only to certain Groups in User information."""
+    def _wrapper(handler: F):
+        @wraps(handler)
+        async def _wrap(*args, **kwargs) -> web.StreamResponse:
+            # Supports class based views see web.View
+            if isinstance(args[0], AbstractView):
+                request = args[0].request
+            else:
+                request = args[-1]
+            if request is None:
+                raise ValueError(
+                    f"web.Request was not found in arguments. {handler!s}"
+                )
+            if request.get("authenticated", False) is False:
+                # check credentials:
+                raise web.HTTPUnauthorized(
+                    reason="Access Denied",
+                    headers={
+                        hdrs.CONTENT_TYPE: content_type,
+                        hdrs.CONNECTION: "keep-alive",
+                    },
+                )
+            else:
+                session = await get_session(request)
+                member = False
+                try:
+                    userinfo = session[AUTH_SESSION_OBJECT]
+                except KeyError:
+                    member = False
+                if "groups" in userinfo:
+                    member = bool(not set(userinfo["groups"]).isdisjoint(groups))
+                else:
+                    user = session.decode("user")
+                    for group in user.groups:
+                        if group.group in groups:
+                            member = True
+                if member is True:
+                    ## Check Groups belong to User
+                    return await handler(*args, **kwargs)
+                else:
+                    raise web.HTTPUnauthorized(
+                        reason="Access Denied",
+                        headers={
+                            hdrs.CONTENT_TYPE: content_type,
+                            hdrs.CONNECTION: "keep-alive",
+                        },
+                    )
+        return _wrap
+    return _wrapper
+def requires_permission(
+    resource_type: ResourceType,
+    action: str,
+    resource_name_param: str = None
+):
+    """
+    Decorator for methods that require permission checks.
+    Example:
+        @requires_permission(ResourceType.KB, "kb:query", "kb_name")
+        async def query_knowledge_base(self, kb_name: str, question: str, ctx: EvalContext):
+            ...
+    """
+    def _func_wrapper(handler):
+        @wraps(handler)
+        async def _wrap(*args, **kwargs) -> web.StreamResponse:
+            # Safe way: inspect args for EvalContext
+            ctx = kwargs.get('ctx')
+            if ctx is None:
+                for arg in args:
+                    if isinstance(arg, EvalContext):
+                        ctx = arg
+                        break
+            # If not found, we cannot proceed as per spec
+            if ctx is None:
+                 raise ValueError("EvalContext required for permission check")
+            # Resource Name logic
+            resource_name = "*"
+            if resource_name_param:
+                resource_name = kwargs.get(resource_name_param)
+                if resource_name is None and args:
+                    try:
+                        # Inspect the handler to find parameter index
+                        sig = inspect.signature(handler)
+                        params = list(sig.parameters.keys())
+                        if resource_name_param in params:
+                            idx = params.index(resource_name_param)
+                            if idx < len(args):
+                                resource_name = args[idx]
+                    except ValueError:
+                        pass
+            # Policy Evaluator retrieval
+            # For function handlers, we check if the first arg has an evaluator (e.g. self-like object)
+            # or if the handler itself has one attached?
+            # In aiohttp cbv, the view instance is args[0] for method calls, but here we are in _func_wrapper.
+            # However, _apply_decorator might pass the view instance if logic allows?
+            # Actually, _apply_decorator uses _method_wrapper for methods.
+            # So _func_wrapper handles pure functions. Pure functions likely rely on context or global evaluators?
+            # Or maybe args[0] is 'self' if it's a bound method passed as function?
+            evaluator = None
+            if args and hasattr(args[0], '_policy_evaluator'):
+                evaluator = getattr(args[0], '_policy_evaluator')
+            elif args and hasattr(args[0], 'policy_evaluator'):
+                 evaluator = getattr(args[0], 'policy_evaluator')
+            if evaluator is None:
+                 # fallback/warning
+                 return await handler(*args, **kwargs)
+            result = evaluator.check_access(
+                ctx=ctx,
+                resource_type=resource_type,
+                resource_name=resource_name,
+                action=action
+            )
+            if not result.allowed:
+                raise web.HTTPForbidden(
+                    reason=f"Access denied: {resource_type.value}:{resource_name} - {result.reason}"
+                )
+            return await handler(*args, **kwargs)
+        return _wrap
+    def _method_wrapper(method):
+        @wraps(method)
+        async def _wrap(self, *args, **kwargs):
+            # Find context
+            ctx = kwargs.get('ctx')
+            if ctx is None:
+                for arg in args:
+                    if isinstance(arg, EvalContext):
+                        ctx = arg
+                        break
+            if ctx is None:
+                raise ValueError("EvalContext required for permission check")
+            # Resource name
+            resource_name = "*"
+            if resource_name_param:
+                resource_name = kwargs.get(resource_name_param)
+                if resource_name is None and args:
+                    try:
+                        sig = inspect.signature(method)
+                        params = list(sig.parameters.keys())
+                        if resource_name_param in params:
+                            idx = params.index(resource_name_param)
+                            # method signature usually has self as first param?
+                            # If bound method is inspected, self is matching params[0]?
+                            if params and params[0] == 'self':
+                                idx = idx - 1
+                            if idx >= 0 and idx < len(args):
+                                resource_name = args[idx]
+                    except ValueError:
+                        pass
+            # Evaluator from self
+            evaluator = getattr(self, '_policy_evaluator', getattr(self, 'policy_evaluator', None))
+            if evaluator is None:
+                return await method(self, *args, **kwargs)
+            result = evaluator.check_access(
+                ctx=ctx,
+                resource_type=resource_type,
+                resource_name=resource_name,
+                action=action
+            )
+            if not result.allowed:
+                 raise web.HTTPForbidden(
+                    reason=f"Access denied: {resource_type.value}:{resource_name} - {result.reason}"
+                )
+            return await method(self, *args, **kwargs)
+        return _wrap
+    return lambda handler: _apply_decorator(handler, _func_wrapper, _method_wrapper)

navigator_auth-0.16.0/navigator_auth/abac/errors.py ADDED Viewed

@@ -0,0 +1,94 @@
+from typing import Union, Optional, Any
+from aiohttp import web, hdrs
+from navconfig.logging import logger
+from navigator_auth.libs.json import json_encoder
+def default_headers(message: str, exception: BaseException = None) -> dict:
+    headers = {
+        "X-ABAC-RESPONSE": message,
+        hdrs.CONNECTION: "keep-alive",
+    }
+    if exception:
+        headers['X-ERROR'] = str(exception)
+    return headers
+def auth_error(
+    reason: Optional[Union[str, dict]] = None,
+    exception: Exception = None,
+    status: int = 400,
+    headers: dict = None,
+    content_type: str = 'application/json',
+    **kwargs,
+) -> web.HTTPError:
+    """auth_error.
+    Basic Function to build an HTTP Error object.
+    Args:
+        reason (dict, optional): message passed as error.
+        exception (Exception, optional): exception raised. Defaults to None.
+        status (int, optional): current HTTP Status. Defaults to 400.
+        headers (dict, optional): dictionary of headers. Defaults to None.
+        content_type (str, optional): default mime type. Defaults to 'application/json'.
+        kwargs: (dict, optional): any other argument passed to HTTPError.
+    Returns:
+        web.HTTPError: _description_
+    """
+    if headers:
+        headers = {**default_headers(message=str(reason), exception=exception), **headers}
+    else:
+        headers = default_headers(message=str(reason), exception=exception)
+    # TODO: process the exception object
+    response_obj = {
+        "status": status
+    }
+    if exception:
+        response_obj["error"] = str(exception)
+    args = {
+        "content_type": content_type,
+        "headers": headers,
+        **kwargs
+    }
+    if isinstance(reason, dict):
+        response_obj = {**response_obj, **reason}
+        # args["content_type"] = "application/json"
+        args["body"] = json_encoder(response_obj)
+    else:
+        response_obj['reason'] = reason
+        args["body"] = json_encoder(response_obj)
+    # defining the error
+    if status == 400:  # bad request
+        obj = web.HTTPBadRequest(**args)
+    elif status == 401:  # unauthorized
+        obj = web.HTTPUnauthorized(**args)
+    elif status == 403:  # forbidden
+        obj = web.HTTPForbidden(**args)
+    elif status == 404:  # not found
+        obj = web.HTTPNotFound(**args)
+    elif status == 406: # Not acceptable
+        obj = web.HTTPNotAcceptable(**args)
+    elif status == 412:
+        obj = web.HTTPPreconditionFailed(**args)
+    elif status == 428:
+        obj = web.HTTPPreconditionRequired(**args)
+    else:
+        obj = web.HTTPBadRequest(**args)
+    return obj
+def PreconditionFailed(reason: Union[str, dict], **kwargs) -> web.HTTPError:
+    msg = f"Error: Some preconditions failed: {reason}"
+    return auth_error(
+        reason=msg, **kwargs, status=428
+    )
+def AccessDenied(reason: Union[str, dict], **kwargs) -> web.HTTPError:
+    return auth_error(
+        reason=reason, **kwargs, status=403
+    )
+def Unauthorized(reason: Union[str, dict], **kwargs) -> web.HTTPError:
+    logger.error(
+        reason
+    )
+    return auth_error(
+        reason=reason, **kwargs, status=401
+    )

navigator-auth 0.4.7__tar.gz → 0.16.0__tar.gz

navigator-auth 0.4.7tar.gz → 0.16.0tar.gz