object-storage-proxy 0.3.1__tar.gz → 0.3.3__tar.gz

{object_storage_proxy-0.3.1 → object_storage_proxy-0.3.3}/.gitignore

@@ -4,4 +4,5 @@
 .env
 .venv
 .DS_Store
-*.pem
+*.pem
+*/with_*.log

{object_storage_proxy-0.3.1 → object_storage_proxy-0.3.3}/Cargo.lock

@@ -1701,7 +1701,7 @@ dependencies = [
 
 [[package]]
 name = "object-storage-proxy"
-version = "0.3.1"
+version = "0.3.3"
 dependencies = [
  "async-trait",
  "chrono",

{object_storage_proxy-0.3.1 → object_storage_proxy-0.3.3}/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "object-storage-proxy"
-version = "0.3.1"
+version = "0.3.3"
 edition = "2024"
 
 [dependencies]

object_storage_proxy-0.3.3/LICENSE

@@ -0,0 +1,16 @@
+Personal Use License
+
+Copyright (c) 2025 [Flexworks].
+
+This software is free for private, personal, non-commercial use by individuals.
+
+Commercial use, including use by companies, organizations, governments, or educational institutions, requires a paid commercial license.
+
+You may not:
+- Use this software in any organization, business, or government setting without a commercial license.
+- Sell, sublicense, redistribute, or publicly host this software.
+- Modify and distribute modifications of this software.
+
+To obtain a commercial license, please contact: [jeroen@flexworks.eu].
+
+All rights not explicitly granted are reserved by the copyright holder.

{object_storage_proxy-0.3.1 → object_storage_proxy-0.3.3}/PKG-INFO

@@ -1,6 +1,7 @@
 Metadata-Version: 2.4
 Name: object-storage-proxy
-Version: 0.3.1
+Version: 0.3.3
+Classifier: License :: Other/Proprietary License
 Classifier: Programming Language :: Rust
 Classifier: Programming Language :: Python :: Implementation :: CPython
 Classifier: Programming Language :: Python :: Implementation :: PyPy
@@ -9,7 +10,7 @@ Requires-Dist: patchelf>=0.17.2.2 ; sys_platform == 'linux'
 License-File: LICENSE
 Summary: <object-storage-proxy ⚡> Yet Another Object Storage Proxy
 Author-email: Jeroen <jeroen@flexworks.eu>
-License: MIT
+License: Personal Use License
 Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 Project-URL: Homepage, https://github.com/opensourceworks-org/object-storage-proxy
@@ -30,16 +31,40 @@ Project-URL: BugTracker, https://github.com/opensourceworks-org/object-storage-p
 
 A fast and safe in-process reverse proxy server, based on Cloudflare's [pingora](https://github.com/cloudflare/pingora?tab=readme-ov-file), to reverse proxy AWS and IBM Cloud Object Storage buckets and integrate your Authentication and Authorization services.
 
-Decouples frontend from backend authentication and authorization. 
+- Compatible with AWS SDK -> aws cli/boto3, polars, spark, datafusion, ...
+- Decouples frontend from backend authentication and authorization. 
+- Python interface: pass in callables for credentials fetching, validation, lookup secret for access_key (with cache).
+- Compatibility Gateway between systems that support only 1 hmac credentials pair, and multi-credentials buckets backend.
 
 
-- [x] Takes a Python authorization callable (allows you to plug in your own authorization services) and api_key fetch callback function and cos bucket dictionary.
-- [x] The validation is cached with optional ttl (default 5min, keep it short). 
-- [x] The apikey is used to authenticate against IBM's IAM endpoint and is cached and renewed on expiration. (IBM only)
-- [x] If no apikey or hmac keypair is provided, a Python function can be passed in to fetch the apikey or hmac keys for any given bucket (run once).
-- [x] HMAC support: passing in access and secret id keys (or as json string from python credentials callable), will be used to sign the upstream request (AWS/IBM/..)
-- [x] frontend request is signed with your own custom keypair
-- [x] supports running in cloud environments / proxy headers for request signature validation
+## Implementation
+The Server Config accepts the following:
+
+    proxy_server_config = ProxyServerConfig(
+        cos_map=cos_map,
+        bucket_creds_fetcher=do_hmac_creds,
+        validator=do_validation,
+        http_port=6190,
+        https_port=8443,
+        threads=1,
+        verify=False,
+        hmac_keystore=hmac_keys,
+        skip_signature_validation=False,
+        hmac_fetcher=lookup_secret_key
+    )
+
+| argument | description | optional | default value |
+| -------- | ----------- | -------- | ------------- |
+| cos_map | bucket configuration, see below | | NA |
+| bucket_creds_fetcher | python callable to retrieve credentials for a given bucket, to return either api key or hmac key pair | ✅ | NA |
+| validator | python callable, validates access for a given token/bucket combination | ✅ | NA |
+| http_port | server listener port on http | ✅ at least http_port or https_port, or both | NA |
+| https_port | server listener port on https | ✅ at least http_port or https_port, or both | NA |
+| threads | number of service threads | ✅ | 1 |
+| verify | ignore ssl verification errors on backend storage (IBM/AWS) (for dev purposes) | ✅ | False |
+| hmac_keystore | | | |
+| skip_signature_validation | ignore ssl verification errors on frontend (for dev purposes) | ✅ | False |
+
 
 The bucket dict contains for each bucket:
 
@@ -81,6 +106,7 @@ cos_map = {
 ```
 
 The Python callables take two arguments: 
+    TODO: add prefix for fine-grained validation
 
     - token: parsed from the original aws request's authorization header
     - bucket: parsed from the uri path
@@ -90,11 +116,8 @@ The Python callables take two arguments:
     def your_request_authorizer(token: str, bucket: str) -> bool
 ```
 
-Proxy Configuration
-
-
-
 
+## The Problem
 
 ### secrets
 IBM COS Storage is built in a way where buckets are grouped by a cos (Cloud Object Storage) instance.  Access to a bucket is managed by either an api key or hmac secrets, configured on the cos instance.  
@@ -153,8 +176,8 @@ s3 =
 ~/.aws/credentials
 ```ini
 [osp]
-aws_access_key_id = MYLOCAL123  # <-- this could be an openid connect/oauth2 token or anything that makes sense for your business, encode it if required
-aws_secret_access_key = nothingmeaningful # <-- used for compatibility with aws sdk, to sign original request, but is ignored later
+aws_access_key_id = MYLOCAL123  # <-- this could be an internal client identifier, to fetch openid connect/oauth2 token or anything that makes sense for your business
+aws_secret_access_key = nothingmeaningful # <-- private key to sign original request
 ```
 
 Set up a minimal server implementation:
@@ -224,7 +247,7 @@ def lookup_secret_key(access_key: str) -> str | None:
 def do_validation(token: str, bucket: str) -> bool:
     """ Authorize the request based on token for the given bucket. 
         You can plug in your own authorization service here.
-        The token is the authorization token passed in the request.
+        The token is a client identifier used to fetch an authorization token and further authenticate/authorize.
         The bucket is the bucket name.
         The function should return True if the request is authorized, False otherwise.
     """

{object_storage_proxy-0.3.1 → object_storage_proxy-0.3.3}/README.md

@@ -11,16 +11,40 @@
 
 A fast and safe in-process reverse proxy server, based on Cloudflare's [pingora](https://github.com/cloudflare/pingora?tab=readme-ov-file), to reverse proxy AWS and IBM Cloud Object Storage buckets and integrate your Authentication and Authorization services.
 
-Decouples frontend from backend authentication and authorization. 
+- Compatible with AWS SDK -> aws cli/boto3, polars, spark, datafusion, ...
+- Decouples frontend from backend authentication and authorization. 
+- Python interface: pass in callables for credentials fetching, validation, lookup secret for access_key (with cache).
+- Compatibility Gateway between systems that support only 1 hmac credentials pair, and multi-credentials buckets backend.
 
 
-- [x] Takes a Python authorization callable (allows you to plug in your own authorization services) and api_key fetch callback function and cos bucket dictionary.
-- [x] The validation is cached with optional ttl (default 5min, keep it short). 
-- [x] The apikey is used to authenticate against IBM's IAM endpoint and is cached and renewed on expiration. (IBM only)
-- [x] If no apikey or hmac keypair is provided, a Python function can be passed in to fetch the apikey or hmac keys for any given bucket (run once).
-- [x] HMAC support: passing in access and secret id keys (or as json string from python credentials callable), will be used to sign the upstream request (AWS/IBM/..)
-- [x] frontend request is signed with your own custom keypair
-- [x] supports running in cloud environments / proxy headers for request signature validation
+## Implementation
+The Server Config accepts the following:
+
+    proxy_server_config = ProxyServerConfig(
+        cos_map=cos_map,
+        bucket_creds_fetcher=do_hmac_creds,
+        validator=do_validation,
+        http_port=6190,
+        https_port=8443,
+        threads=1,
+        verify=False,
+        hmac_keystore=hmac_keys,
+        skip_signature_validation=False,
+        hmac_fetcher=lookup_secret_key
+    )
+
+| argument | description | optional | default value |
+| -------- | ----------- | -------- | ------------- |
+| cos_map | bucket configuration, see below | | NA |
+| bucket_creds_fetcher | python callable to retrieve credentials for a given bucket, to return either api key or hmac key pair | ✅ | NA |
+| validator | python callable, validates access for a given token/bucket combination | ✅ | NA |
+| http_port | server listener port on http | ✅ at least http_port or https_port, or both | NA |
+| https_port | server listener port on https | ✅ at least http_port or https_port, or both | NA |
+| threads | number of service threads | ✅ | 1 |
+| verify | ignore ssl verification errors on backend storage (IBM/AWS) (for dev purposes) | ✅ | False |
+| hmac_keystore | | | |
+| skip_signature_validation | ignore ssl verification errors on frontend (for dev purposes) | ✅ | False |
+
 
 The bucket dict contains for each bucket:
 
@@ -62,6 +86,7 @@ cos_map = {
 ```
 
 The Python callables take two arguments: 
+    TODO: add prefix for fine-grained validation
 
     - token: parsed from the original aws request's authorization header
     - bucket: parsed from the uri path
@@ -71,11 +96,8 @@ The Python callables take two arguments:
     def your_request_authorizer(token: str, bucket: str) -> bool
 ```
 
-Proxy Configuration
-
-
-
 
+## The Problem
 
 ### secrets
 IBM COS Storage is built in a way where buckets are grouped by a cos (Cloud Object Storage) instance.  Access to a bucket is managed by either an api key or hmac secrets, configured on the cos instance.  
@@ -134,8 +156,8 @@ s3 =
 ~/.aws/credentials
 ```ini
 [osp]
-aws_access_key_id = MYLOCAL123  # <-- this could be an openid connect/oauth2 token or anything that makes sense for your business, encode it if required
-aws_secret_access_key = nothingmeaningful # <-- used for compatibility with aws sdk, to sign original request, but is ignored later
+aws_access_key_id = MYLOCAL123  # <-- this could be an internal client identifier, to fetch openid connect/oauth2 token or anything that makes sense for your business
+aws_secret_access_key = nothingmeaningful # <-- private key to sign original request
 ```
 
 Set up a minimal server implementation:
@@ -205,7 +227,7 @@ def lookup_secret_key(access_key: str) -> str | None:
 def do_validation(token: str, bucket: str) -> bool:
     """ Authorize the request based on token for the given bucket. 
         You can plug in your own authorization service here.
-        The token is the authorization token passed in the request.
+        The token is a client identifier used to fetch an authorization token and further authenticate/authorize.
         The bucket is the bucket name.
         The function should return True if the request is authorized, False otherwise.
     """

{object_storage_proxy-0.3.1 → object_storage_proxy-0.3.3}/pyproject.toml

@@ -7,11 +7,12 @@ name = "object-storage-proxy"
 description = "<object-storage-proxy ⚡> Yet Another Object Storage Proxy"
 readme = { file = "README.md", content-type = "text/markdown" }
 authors = [{ name = "Jeroen", email = "jeroen@flexworks.eu" }]
-license = "MIT"
+license = "Personal Use License"
 
 
 requires-python = ">=3.10"
 classifiers = [
+  "License :: Other/Proprietary License",
   "Programming Language :: Rust",
   "Programming Language :: Python :: Implementation :: CPython",
   "Programming Language :: Python :: Implementation :: PyPy",

{object_storage_proxy-0.3.1 → object_storage_proxy-0.3.3}/src/lib.rs

@@ -7,6 +7,7 @@ use http::uri::Authority;
 use parsers::cos_map::{CosMapItem, parse_cos_map};
 use parsers::keystore::parse_hmac_list;
 use pingora::http::ResponseHeader;
+use pingora::protocols::ALPN;
 use pingora::Result;
 use pingora::proxy::{ProxyHttp, Session};
 use pingora::server::Server;
@@ -268,6 +269,17 @@ impl ProxyHttp for MyProxy {
         let addr = (endpoint.clone(), port);
 
         let mut peer = Box::new(HttpPeer::new(addr, true, endpoint.clone()));
+        peer.options.alpn = ALPN::H2;
+
+        peer.options.max_h2_streams = 32;
+        peer.options.h2_ping_interval = Some(Duration::from_secs(30));
+
+        // todo: make ths configurable
+
+        // peer.options.idle_timeout          = Some(Duration::from_secs(300));
+        // peer.options.connection_timeout    = Some(Duration::from_secs(30));
+        // peer.options.read_timeout          = Some(Duration::from_secs(300));
+        // peer.options.write_timeout         = Some(Duration::from_secs(300));
 
         debug!("peer: {:#?}", &peer);
 

object_storage_proxy-0.3.1/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2025 Jeroen Van Renterghem
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.