odg-client 0.1.0__py3-none-any.whl

delivery/__init__.py

@@ -0,0 +1,62 @@
+import time
+
+import jwt as jwt_mod  # avoid overwriting delivery.jwt
+
+import delivery.client
+
+
+def _create_github_jwt(
+    github_app_id: int,
+    github_app_private_key: str | bytes,
+    ttl_seconds: int = 600,  # 10m
+    algorithm: str = 'RS256',
+) -> str:
+    if isinstance(github_app_private_key, str):
+        github_app_private_key = github_app_private_key.encode('utf-8')
+
+    github_app_id = int(github_app_id)  # validate input
+    now = int(time.time()) - 60  # set to 60s in the past to prevent clock skew failures
+
+    payload = {
+        'iat': now,
+        'exp': now + ttl_seconds,
+        'iss': str(github_app_id),
+    }
+
+    return jwt_mod.encode(
+        payload=payload,
+        key=github_app_private_key,
+        algorithm=algorithm,
+    )
+
+
+def client_from_github_app_secret(
+    github_app_id: int,
+    github_app_private_key: str | bytes,
+    github_api_url: str,
+    delivery_service_base_url: str,
+) -> delivery.client.DeliveryServiceClient:
+    """
+    an opinionated factory-function creating DeliveryService-Client-instances using a
+    GitHub-App for authentication. This is deemed especially useful for usage in GitHub-Actions
+    pipelines, where usage of Service-Accounts is not desirable.
+
+    github_api_url must match the GH(E)-Instance the used GitHub-App is installed on. The targettted
+    Delivery-Service must offer a configuration for this GH(E)-Instance.
+    """
+
+    def token_lookup(api_url: str, /):
+        if api_url != github_api_url:
+            return None
+
+        return _create_github_jwt(
+            github_app_id=github_app_id,
+            github_app_private_key=github_app_private_key,
+        )
+
+    return delivery.client.DeliveryServiceClient(
+        routes=delivery.client.DeliveryServiceRoutes(
+            base_url=delivery_service_base_url,
+        ),
+        auth_token_lookup=token_lookup,
+    )

delivery/client.py

@@ -0,0 +1,807 @@
+import collections.abc
+import dataclasses
+import datetime
+import logging
+import time
+import typing
+
+import dacite
+import requests.exceptions
+import requests.sessions
+
+import ocm
+
+import delivery.jwt
+import delivery.model as dm
+import delivery.util
+
+
+logger = logging.getLogger(__name__)
+
+
+class DeliveryServiceRoutes:
+    def __init__(self, base_url: str):
+        self._base_url = base_url
+
+    def auth(self):
+        return delivery.util.urljoin(
+            self._base_url,
+            'auth',
+        )
+
+    def auth_configs(self):
+        return delivery.util.urljoin(
+            self._base_url,
+            'auth',
+            'configs',
+        )
+
+    def openid_configuration(self):
+        """
+        endpoint according to OpenID provider configuration request
+        https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
+        """
+        return delivery.util.urljoin(
+            self._base_url,
+            '.well-known',
+            'openid-configuration',
+        )
+
+    def component_descriptor(self):
+        return delivery.util.urljoin(
+            self._base_url,
+            'ocm',
+            'component',
+        )
+
+    def greatest_component_versions(self):
+        return delivery.util.urljoin(
+            self._base_url,
+            'ocm',
+            'component',
+            'versions',
+        )
+
+    def component_responsibles(self):
+        return delivery.util.urljoin(
+            self._base_url,
+            'ocm',
+            'component',
+            'responsibles',
+        )
+
+    def _delivery(self, *suffix: collections.abc.Iterable[str]):
+        return delivery.util.urljoin(
+            self._base_url,
+            'delivery',
+            *suffix,
+        )
+
+    def sprint_infos(self):
+        return self._delivery('sprint-infos')
+
+    def sprint_current(self):
+        return self._delivery('sprint-infos', 'current')
+
+    def artefact_metadata(self):
+        return delivery.util.urljoin(
+            self._base_url,
+            'artefacts',
+            'metadata',
+        )
+
+    def artefact_metadata_query(self):
+        return delivery.util.urljoin(
+            self._base_url,
+            'artefacts',
+            'metadata',
+            'query',
+        )
+
+    def cache(self):
+        return delivery.util.urljoin(
+            self._base_url,
+            'cache',
+        )
+
+    def backlog_items(self):
+        return delivery.util.urljoin(
+            self._base_url,
+            'service-extensions',
+            'backlog-items',
+        )
+
+    def blob(self):
+        return delivery.util.urljoin(
+            self._base_url,
+            'blob',
+        )
+
+
+Url: typing.TypeAlias = str
+AuthToken: typing.TypeAlias = str
+"""
+A lookup crafted slightly special-cased for auth-token-based authentication. Implementations *must*
+accept a single positional parameter, which is the URL for which the lookup should return a (valid)
+auth-token.
+If the lookup cannot offer an authtoken for a given URL, it *must* return None. Exceptions raised
+by lookups are not handled.
+"""
+AuthTokenLookup: typing.TypeAlias = typing.Callable[[Url], AuthToken]
+
+
+class DeliveryServiceClient:
+    def __init__(
+        self,
+        routes: DeliveryServiceRoutes,
+        auth_token_lookup: AuthTokenLookup | None = None,
+        auth_token: str | None = None,
+        api_url: str | None = None,
+    ):
+        """
+        Initialises a client which can be used to interact with the delivery-service.
+
+        :param DeliveryServiceRoutes routes
+            object which contains information of the base url of the desired instance of the
+            delivery-service as well as the available routes
+        :param AuthTokenLookup auth_token_lookup (optional)
+            the lookup to use for retrieving auth-tokens against oauth-endpoints
+        :param str auth_token (optional)
+            the auth-token to use for authentication
+        :param str api_url (optional)
+            the (GitHub) API URL to use for authentication. Only considered if `auth_token` is set
+        """
+
+        if auth_token_lookup and auth_token:
+            raise ValueError('at most one of `auth_token_lookup` or `auth_token` must be provided')
+
+        self._routes = routes
+        self.auth_token_lookup = auth_token_lookup
+        self.auth_token = auth_token
+        self.api_url = api_url
+        self.auth_credentials: dm.GitHubAuthCredentials = None  # filled lazily as needed
+
+        self._bearer_token = None
+        self._session = requests.sessions.Session()
+
+    def _openid_configuration(self):
+        """
+        response according to OpenID provider configuration response
+        https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
+        """
+        res = self._session.get(
+            url=self._routes.openid_configuration(),
+            timeout=(4, 31),
+        )
+
+        res.raise_for_status()
+
+        return res.json()
+
+    def _openid_jwks(self):
+        openid_configuration = self._openid_configuration()
+
+        res = self._session.get(
+            url=openid_configuration.get('jwks_uri'),
+            timeout=(4, 31),
+        )
+
+        res.raise_for_status()
+
+        return res.json()
+
+    def _authenticate(self):
+        if self._bearer_token and not delivery.jwt.is_jwt_token_expired(
+            token=self._bearer_token,
+            token_expiration_buffer_seconds=30,
+        ):
+            return
+
+        if not self.auth_token_lookup and not self.auth_token:
+            logger.info(
+                'Delivery-Service-Client has no auth-token-lookup or auth-token - '
+                'attempting anonymous auth',
+            )
+            return
+
+        if (
+            self.auth_credentials
+            and self.auth_credentials.auth_token.startswith('ey')
+            and delivery.jwt.is_jwt_token_expired(
+                token=self.auth_credentials.auth_token,
+                token_expiration_buffer_seconds=30,
+            )
+        ):
+            self.auth_credentials = None
+
+        if not self.auth_credentials:
+            res = self._session.get(
+                url=self._routes.auth_configs(),
+                timeout=(4, 31),
+            )
+
+            res.raise_for_status()
+
+            auth_configs = res.json()
+
+            for auth_config in auth_configs:
+                api_url = auth_config.get('api_url')
+
+                if (auth_token := self.auth_token) and (not self.api_url or api_url == self.api_url):
+                    break
+                elif self.auth_token_lookup and (auth_token := self.auth_token_lookup(api_url)):
+                    break
+            else:
+                logger.info('no valid credentials found - attempting anonymous-auth')
+                return
+
+            self.auth_credentials = dm.GitHubAuthCredentials(
+                api_url=api_url,
+                auth_token=auth_token,
+            )
+
+        params = {
+            'access_token': self.auth_credentials.auth_token,
+            'api_url': self.auth_credentials.api_url,
+        }
+
+        res = self._session.get(
+            url=self._routes.auth(),
+            params=params,
+            timeout=(4, 31),
+        )
+
+        if not res.ok:
+            logger.warning(
+                'authentication against delivery-service failed: '
+                f'{res.status_code=} {res.reason=} {res.content=}',
+            )
+
+        res.raise_for_status()
+
+        self._bearer_token = res.cookies.get(delivery.jwt.JWT_KEY)
+
+        if not self._bearer_token:
+            raise ValueError('delivery-service returned no bearer token upon authentication')
+
+    def request(
+        self,
+        url: str,
+        method: str = 'GET',
+        headers: dict = None,
+        **kwargs,
+    ):
+        try:
+            self._authenticate()
+        except requests.exceptions.HTTPError as e:
+            if e.response.status_code != 400:
+                raise
+            if e.response.json().get('error_id') != 'feature-inactive':
+                raise
+            logger.info('delivery-service authentication feature is inactive')
+
+        headers = headers or {}
+
+        if self._bearer_token:
+            headers = {
+                'Authorization': f'Bearer {self._bearer_token}',
+                **headers,
+            }
+
+        try:
+            timeout = kwargs.pop('timeout')
+        except KeyError:
+            timeout = (4, 31)
+
+        res = self._session.request(
+            method=method,
+            url=url,
+            headers=headers,
+            timeout=timeout,
+            **kwargs,
+        )
+
+        return res
+
+    def component_descriptor(
+        self,
+        name: str,
+        version: str,
+        ocm_repo_url: str = None,
+        version_filter: str | None = None,
+        validation_mode: ocm.ValidationMode | None = None,
+    ):
+        params = {
+            'component_name': name,
+            'version': version,
+        }
+        if ocm_repo_url:
+            params['ocm_repo_url'] = ocm_repo_url
+        if version_filter is not None:
+            params['version_filter'] = version_filter
+
+        res = self.request(
+            url=self._routes.component_descriptor(),
+            params=params,
+        )
+
+        res.raise_for_status()
+
+        return ocm.ComponentDescriptor.from_dict(
+            res.json(),
+            validation_mode=validation_mode,
+        )
+
+    def greatest_component_versions(
+        self,
+        component_name: str,
+        max_versions: int = 5,
+        greatest_version: str = None,
+        ocm_repo: ocm.OcmRepository = None,
+        version_filter: str | None = None,
+        start_date: datetime.date = None,
+        end_date: datetime.date = None,
+        timeout: tuple[float, float] = (4.0, 121.0),
+    ):
+        params = {
+            'component_name': component_name,
+            'max': max_versions,
+        }
+        if greatest_version:
+            params['version'] = greatest_version
+        if ocm_repo:
+            if not isinstance(ocm_repo, ocm.OciOcmRepository):
+                raise NotImplementedError(ocm_repo)
+            params['ocm_repo_url'] = ocm_repo.oci_ref
+        if version_filter is not None:
+            params['version_filter'] = version_filter
+
+        if start_date:
+            params['start_date'] = start_date.isoformat()
+
+        if end_date:
+            params['end_date'] = end_date.isoformat()
+
+        res = self.request(
+            url=self._routes.greatest_component_versions(),
+            params=params,
+            timeout=timeout,
+        )
+
+        res.raise_for_status()
+
+        return res.json()
+
+    def update_metadata(
+        self,
+        data: collections.abc.Iterable[typing.Union[dict, 'ArtefactMetadata']],
+    ):
+        headers = {
+            'Content-Type': 'application/json',
+        }
+
+        data, headers = delivery.util.encode_request(
+            json={
+                'entries': [
+                    dataclasses.asdict(
+                        artefact_metadata,
+                        dict_factory=delivery.util.dict_to_json_factory,
+                    )
+                    if dataclasses.is_dataclass(artefact_metadata)
+                    else artefact_metadata
+                    for artefact_metadata in data
+                ],
+            },
+            headers=headers,
+        )
+
+        res = self.request(
+            url=self._routes.artefact_metadata(),
+            method='PUT',
+            headers=headers,
+            data=data,
+            timeout=None,
+        )
+
+        res.raise_for_status()
+
+    def delete_metadata(
+        self,
+        data: collections.abc.Iterable[typing.Union[dict, 'ArtefactMetadata']],
+    ):
+        headers = {
+            'Content-Type': 'application/json',
+        }
+
+        data, headers = delivery.util.encode_request(
+            json={
+                'entries': [
+                    dataclasses.asdict(
+                        artefact_metadata,
+                        dict_factory=delivery.util.dict_to_json_factory,
+                    )
+                    if dataclasses.is_dataclass(artefact_metadata)
+                    else artefact_metadata
+                    for artefact_metadata in data
+                ],
+            },
+            headers=headers,
+        )
+
+        res = self.request(
+            url=self._routes.artefact_metadata(),
+            method='DELETE',
+            headers=headers,
+            data=data,
+            timeout=None,
+        )
+
+        res.raise_for_status()
+
+    def component_responsibles(
+        self,
+        name: str = None,
+        version: str = None,
+        ocm_repo_url: str = None,
+        version_filter: str | None = None,
+        component: ocm.Component | ocm.ComponentDescriptor = None,
+        artifact: ocm.Artifact | str = None,
+        absent_ok: bool = False,
+    ) -> tuple[list[dict] | None, list[dm.Status] | None]:
+        """
+        retrieves component-responsibles and optional status info.
+        Status info can be used to communicate additional information, e.g. that responsible-label
+        was malformed.
+        Responsibles are returned as a list of typed user identities. Optionally, an artifact
+        (or artifact name) may be passed. In this case, responsibles are filtered for the given
+        resource definition. Note that an error will be raised if the given artifact does not declare
+        a artifact of the given name.
+
+        known types: githubUser, emailAddress, personalName
+        example (single user entry): [
+            {type: githubUser, username: <username>, source: <url>, github_hostname: <hostname>},
+            {type: emailAddress, email: <email-addr>, source: <url>},
+            {type: peronalName, firstName, lastName, source: <url>},
+        ]
+        """
+
+        if any((name, version, ocm_repo_url)):
+            if component:
+                raise ValueError('must pass either name (and version and ocm_repo_url) OR component')
+        elif component and (component := component.component):
+            name = component.name
+            version = component.version
+        else:
+            raise ValueError('must either pass component or name, version (and ocm_repo_url)')
+
+        url = self._routes.component_responsibles()
+
+        params = {
+            'component_name': name,
+        }
+        if version:
+            params['version'] = version
+        if ocm_repo_url:
+            params['ocm_repo_url'] = ocm_repo_url
+        if version_filter is not None:
+            params['version_filter'] = version_filter
+
+        if artifact:
+            if isinstance(artifact, ocm.Artifact):
+                artifact_name = artifact.name
+            else:
+                artifact_name = artifact
+
+            params['artifact_name'] = artifact_name
+
+        if component:
+            logger.info(f'{component.identity()=} {params=}')
+        else:
+            logger.info(f'{params=}')
+
+        # wait for responsibles result
+        # -> delivery service is waiting up to ~2 min for contributor statistics
+        for _ in range(24):
+            resp = self.request(
+                url=url,
+                params=params,
+                timeout=(4, 121),
+            )
+            if resp.status_code != 202:
+                break
+            time.sleep(5)
+        else:
+            raise TimeoutError(f'timed out waiting for responsibles with {params=}')
+
+        try:
+            resp.raise_for_status()
+        except requests.exceptions.HTTPError as e:
+            if e.response.status_code == 404 and absent_ok:
+                logger.warning(f'delivery service returned 404 for responsibles with {params=}')
+                return None, None
+            raise
+
+        resp_json: dict = resp.json()
+
+        responsibles = resp_json['responsibles']
+        statuses_raw = resp_json.get('statuses', [])
+        statuses = [
+            dacite.from_dict(
+                data_class=dm.Status,
+                data=status_raw,
+                config=dacite.Config(
+                    cast=[
+                        dm.StatusType,
+                    ],
+                ),
+            )
+            for status_raw in statuses_raw
+        ]
+
+        return responsibles, statuses
+
+    def sprints(self) -> list[dm.Sprint]:
+        resp = self.request(
+            url=self._routes.sprint_infos(),
+        )
+
+        resp.raise_for_status()
+
+        sprints_raw = resp.json()['sprints']
+
+        return [dm.Sprint.from_dict(sprint_info) for sprint_info in sprints_raw]
+
+    def sprint_current(self, offset: int = 0, before: datetime.date = None) -> dm.Sprint:
+        extra_args = {}
+        if before:
+            if isinstance(before, datetime.date) or isinstance(before, datetime.date):
+                extra_args['before'] = before.isoformat()
+            else:
+                extra_args['before'] = before
+
+        resp = self.request(
+            url=self._routes.sprint_current(),
+            params={'offset': offset, **extra_args},
+        )
+
+        resp.raise_for_status()
+
+        return dm.Sprint.from_dict(resp.json())
+
+    def query_metadata(
+        self,
+        components: collections.abc.Iterable[ocm.Component] = (),
+        artefacts: collections.abc.Iterable[typing.Union[dict, 'ComponentArtefactId']] = (),
+        type: str | collections.abc.Sequence[str] = None,
+        referenced_type: str | collections.abc.Sequence[str] = None,
+    ) -> tuple[dict]:
+        """
+        Query artefact metadata from the delivery-db.
+
+        @param components:      component identities used for filtering; if no identities are
+                                specified, no component filtering is done
+        @param type:            datatype(s) used for filtering; if no datatype(s) is (are)
+                                specified, no datatype filtering is done
+        @param referenced_type: referenced datatype(s) used for filtering (only applies to artefact
+                                metadata of type `rescorings`); if no datatype(s) is (are)
+                                specified, no referenced datatype filtering is done
+        """
+        if components and artefacts:
+            raise ValueError('at most one of `artefacts` or `components` must be specified')
+
+        params = dict()
+
+        if type:
+            params['type'] = type
+
+        if referenced_type:
+            params['referenced_type'] = referenced_type
+
+        headers = {
+            'Content-Type': 'application/json',
+        }
+
+        if components:
+            entries = [
+                {
+                    'component_name': c.name,
+                    'component_version': c.version,
+                }
+                for c in components
+            ]
+        else:
+            entries = [
+                dataclasses.asdict(artefact) if dataclasses.is_dataclass(artefact) else artefact
+                for artefact in artefacts
+            ]
+
+        data, headers = delivery.util.encode_request(
+            json={'entries': entries},
+            headers=headers,
+        )
+
+        res = self.request(
+            url=self._routes.artefact_metadata_query(),
+            method='POST',
+            headers=headers,
+            data=data,
+            params=params,
+            timeout=None,
+        )
+
+        res.raise_for_status()
+
+        artefact_metadata_raw = res.json()
+
+        return tuple(artefact_metadata_raw)
+
+    def mark_cache_for_deletion(
+        self,
+        id: str | None = None,
+        descriptor: dict | None = None,
+        delete_after: datetime.datetime | None = None,
+    ):
+        if not id and not descriptor:
+            raise ValueError('either `id` or `descriptor` must be specified')
+
+        params = dict()
+
+        if id:
+            params['id'] = id
+
+        if delete_after:
+            params['deleteAfter'] = delete_after.isoformat()
+
+        res = self.request(
+            url=self._routes.cache(),
+            method='DELETE',
+            params=params,
+            json=descriptor,
+        )
+
+        res.raise_for_status()
+
+    def create_backlog_item(
+        self,
+        service: str,
+        artefacts: collections.abc.Iterable[typing.Union[dict, 'ComponentArtefactId']] = (),
+        priority: str | None = None,  # see delivery-service k8s/backlog for allowed priorities
+    ):
+        headers = {
+            'Content-Type': 'application/json',
+        }
+
+        params = {
+            'service': service,
+        }
+
+        if priority:
+            params['priority'] = priority
+
+        data, headers = delivery.util.encode_request(
+            json={
+                'artefacts': [
+                    dataclasses.asdict(artefact) if dataclasses.is_dataclass(artefact) else artefact
+                    for artefact in artefacts
+                ],
+            },
+            headers=headers,
+        )
+
+        res = self.request(
+            url=self._routes.backlog_items(),
+            method='POST',
+            headers=headers,
+            data=data,
+            params=params,
+        )
+        res.raise_for_status()
+
+    def upload_blob(
+        self,
+        data: bytes | collections.abc.Iterable[bytes],
+        digest: str,
+        size: int,
+        mime_type: str,
+    ) -> requests.Response:
+        headers = {
+            'Digest': digest,
+            'Content-Length': str(size),
+            'Content-Type': mime_type,
+        }
+
+        res = self.request(
+            url=self._routes.blob(),
+            method='POST',
+            headers=headers,
+            data=data,
+        )
+
+        res.raise_for_status()
+        return res
+
+    def blob_metadata(
+        self,
+        digest: str,
+    ) -> requests.Response:
+        res = self.request(
+            url=self._routes.blob(),
+            method='HEAD',
+            params={
+                'digest': digest,
+            },
+        )
+
+        res.raise_for_status()
+        return res
+
+    def get_blob(
+        self,
+        digest: str,
+        chunk_size: int = 8192,
+    ) -> collections.abc.Generator[bytes, None, None]:
+        res = self.request(
+            url=self._routes.blob(),
+            params={
+                'digest': digest,
+            },
+            stream=True,
+        )
+
+        res.raise_for_status()
+        return res.iter_content(chunk_size=chunk_size)
+
+    def delete_blob(
+        self,
+        digest: str,
+    ):
+        res = self.request(
+            url=self._routes.blob(),
+            method='DELETE',
+            params={
+                'digest': digest,
+            },
+        )
+
+        res.raise_for_status()
+
+
+def _normalise_github_hostname(github_url: str):
+    # hack: for github.com, we might get a different subdomain (api.github.com)
+    github_hostname = delivery.util.urlparse(github_url).hostname
+    parts = github_hostname.strip('.').split('.')
+    if parts[0] == 'api':
+        parts = parts[1:]
+    github_hostname = '.'.join(parts)
+
+    return github_hostname.lower()
+
+
+def github_usernames_from_responsibles(
+    responsibles: collections.abc.Iterable[dict],
+    github_url: str = None,
+) -> collections.abc.Generator[str, None, None]:
+    """
+    returns a generator yielding all github-users from the given `responsibles`.
+    use `DeliveryServiceClient.component_responsibles` to retrieve responsibles
+    if github_url is given, only github-users on a matching github-host are returned.
+    This is useful if the returned users should exist on a certain target github-instance.
+    github_url is gracefully parsed down to relevant hostname. It is okay to pass-in, e.g.
+    a repository- or github-user-URL for convenience.
+    """
+    if github_url:
+        target_github_hostname = _normalise_github_hostname(github_url)
+    else:
+        target_github_hostname = None
+
+    for responsible in responsibles:
+        for responsible_info in responsible:
+            if not responsible_info['type'] == 'githubUser':
+                continue
+            username = responsible_info['username']
+            github_hostname = _normalise_github_hostname(responsible_info['github_hostname'])
+
+            if target_github_hostname and target_github_hostname != github_hostname:
+                continue
+
+            yield username

delivery/jwt.py

@@ -0,0 +1,162 @@
+"""
+This module comprises model classes to define JSON Web Keys according
+to https://datatracker.ietf.org/doc/html/rfc7518 as well as convenience
+functions to it.
+"""
+
+import base64
+import dataclasses
+import datetime
+import enum
+import functools
+import logging
+import typing
+
+import Crypto.PublicKey.RSA
+import Crypto.Util.number
+import dacite
+import jwt
+
+
+logger = logging.getLogger(__name__)
+JWT_KEY = 'bearer_token'
+REFRESH_TOKEN_KEY = 'refresh_token'
+
+
+class KeyType(enum.StrEnum):
+    RSA = 'RSA'
+    OCTET_SEQUENCE = 'oct'  # used to represent symmetric keys
+
+
+class Use(enum.StrEnum):
+    SIGNATURE = 'sig'
+    ENCRYPTION = 'enc'
+
+
+class Algorithm(enum.StrEnum):
+    RS256 = 'RS256'
+    HS256 = 'HS256'
+
+
+@dataclasses.dataclass(frozen=True)
+class JSONWebKey:
+    kty: KeyType
+    use: Use
+    alg: Algorithm
+    kid: str
+
+    @property
+    def key(self) -> bytes:
+        # has to be defined by derived classes
+        raise NotImplementedError
+
+    @staticmethod
+    def from_dict(data: dict) -> typing.Self:
+        algorithm = Algorithm(data.get('alg'))
+
+        class_by_algorithm = {
+            Algorithm.RS256: RSAPublicKey,
+            Algorithm.HS256: SymmetricKey,
+        }
+
+        return dacite.from_dict(
+            data_class=class_by_algorithm.get(algorithm),
+            data=data,
+            config=dacite.Config(
+                cast=[enum.Enum],
+            ),
+        )
+
+
+@dataclasses.dataclass(frozen=True, kw_only=True)
+class RSAPublicKey(JSONWebKey):
+    n: str  # modulus (Base64urlUInt encoded)
+    e: str  # exponent (Base64urlUInt encoded)
+    kty: KeyType = KeyType.RSA
+    alg: Algorithm = Algorithm.RS256
+
+    @property
+    def key(self) -> bytes:
+        return Crypto.PublicKey.RSA.construct(
+            rsa_components=(
+                decodeBase64urlUInt(self.n),
+                decodeBase64urlUInt(self.e),
+            ),
+        ).export_key(format='PEM')
+
+
+@dataclasses.dataclass(frozen=True, kw_only=True)
+class SymmetricKey(JSONWebKey):
+    k: str  # key value (base64url encoded)
+    kty: KeyType = KeyType.OCTET_SEQUENCE
+    alg: Algorithm = Algorithm.HS256
+
+    @property
+    def key(self) -> bytes:
+        return decodeBase64url(self.k)
+
+
+def encodeBase64url(b: bytes) -> str:
+    url_encoding = base64.urlsafe_b64encode(b)
+
+    return url_encoding.rstrip(b'=').decode('utf-8')
+
+
+def decodeBase64url(s: str) -> bytes:
+    return base64.urlsafe_b64decode(s + '==')
+
+
+def encodeBase64urlUInt(number: int) -> str:
+    b = Crypto.Util.number.long_to_bytes(number)
+
+    return encodeBase64url(b)
+
+
+def decodeBase64urlUInt(s: str) -> int:
+    b = decodeBase64url(s)
+
+    return Crypto.Util.number.bytes_to_long(b)
+
+
+@functools.cache
+def decode_jwt(
+    token: str,
+    verify_signature: bool = True,
+    json_web_key: JSONWebKey | None = None,
+    **kwargs,
+) -> dict:
+    """
+    This is just a convenience wrapper for `jwt.decode` which eases
+    signature validation of a given `token` using a `JSONWebKey`.
+    """
+    if verify_signature and not json_web_key:
+        raise ValueError('`json_web_key` must be specified if `verify_signature` is `True`')
+
+    return jwt.decode(
+        jwt=token,
+        key=json_web_key.key if json_web_key else None,
+        algorithms=[json_web_key.alg if json_web_key else None],
+        options={
+            'verify_signature': verify_signature,
+        },
+        **kwargs,
+    )
+
+
+def is_jwt_token_expired(
+    token: str,
+    token_expiration_buffer_seconds: int = 0,
+) -> bool:
+    decoded_jwt = decode_jwt(
+        token=token,
+        verify_signature=False,
+    )
+
+    expiration_date = datetime.datetime.fromtimestamp(
+        timestamp=decoded_jwt.get('exp'),
+        tz=datetime.timezone.utc,
+    )
+
+    now = datetime.datetime.now(tz=datetime.timezone.utc)
+
+    return now + datetime.timedelta(seconds=token_expiration_buffer_seconds) > expiration_date

delivery/model.py

@@ -0,0 +1,67 @@
+import dataclasses
+import datetime
+import enum
+
+import dacite
+import dateutil.parser
+
+
+def _parse_datetime_if_present(date: str):
+    if not date:
+        return None
+    return dateutil.parser.isoparse(date).replace(tzinfo=datetime.UTC)
+
+
+@dataclasses.dataclass(frozen=True)
+class SprintDate:
+    name: str
+    display_name: str
+    value: datetime.datetime
+
+
+@dataclasses.dataclass(frozen=True)  # TODO: deduplicate w/ modelclass in delivery-service/yp.py
+class Sprint:
+    name: str
+    dates: frozenset[SprintDate]
+
+    def find_sprint_date(
+        self,
+        name: str,
+        absent_ok: bool = False,
+    ) -> SprintDate | None:
+        for sprint_date in self.dates:
+            if sprint_date.name == name:
+                return sprint_date
+
+        if absent_ok:
+            return None
+
+        raise RuntimeError(f'did not find {name=} in {self=}')
+
+    @staticmethod
+    def from_dict(raw: dict):
+        return dacite.from_dict(
+            data_class=Sprint,
+            data=raw,
+            config=dacite.Config(
+                type_hooks={datetime.datetime: _parse_datetime_if_present},
+                cast=[frozenset],
+            ),
+        )
+
+
+class StatusType(enum.StrEnum):
+    ERROR = enum.auto()
+    INFO = enum.auto()
+
+
+@dataclasses.dataclass(frozen=True)  # TODO: deduplicate with model-class delivery-service
+class Status:
+    type: StatusType
+    msg: str
+
+
+@dataclasses.dataclass(frozen=True)
+class GitHubAuthCredentials:
+    api_url: str
+    auth_token: str

delivery/util.py

@@ -0,0 +1,115 @@
+import collections.abc
+import datetime
+import enum
+import io
+import json as js
+import typing
+import urllib.parse
+import zlib
+
+
+class EncodingMethod(enum.StrEnum):
+    GZIP = 'gzip'
+
+
+def encode_request(
+    data: str | bytes | dict | typing.IO = None,
+    json: dict = None,
+    headers: dict[str, str] = None,
+    encoding_method: EncodingMethod = EncodingMethod.GZIP,
+) -> tuple[bytes, dict[str, str]] | bytes:
+    """
+    Encodes the given `data` or `json` property based on the selected `encoding_method`. Only one of
+    `data` or `json` must be set, otherwise a `ValueError` is raised.
+
+    The corresponding `Content-Encoding` header is patched-in to the provided headers dictionary.
+
+    If `headers` is provided and not `None`, the response is a tuple of the compression result and
+    the patched headers, otherwise only the compression result is returned.
+    """
+    if not (data is not None ^ json is not None):
+        raise ValueError('Exactly one of `data` or `json` must be set')
+
+    if isinstance(data, dict) and encoding_method == EncodingMethod.GZIP:
+        raise ValueError('`data` of type `dict` is not supported for gzip encoding')
+
+    if json is not None:
+        data = js.dumps(json)
+
+    def _encode(obj, encoding: str = 'utf-8') -> bytes:
+        if isinstance(obj, bytes):
+            return obj
+        elif isinstance(obj, str):
+            return obj.encode(encoding=encoding)
+        elif isinstance(obj, dict):
+            return js.dumps(obj).encode(encoding=encoding)
+        else:
+            raise ValueError(f'Encoding of type {type(obj)} is not (yet) supported')
+
+    def _compress(data, encoding_method) -> collections.abc.Generator[bytes, None, None]:
+        if isinstance(data, io.BufferedIOBase):
+            if encoding_method == EncodingMethod.GZIP:
+                compressor = zlib.compressobj(wbits=31)
+                data.seek(0)
+
+                while chunk := data.read(4096):
+                    yield compressor.compress(chunk)
+                yield compressor.flush()
+
+            else:
+                raise ValueError(encoding_method)
+
+        elif hasattr(data, '__iter__') and not isinstance(data, (str, bytes, dict)):
+            raise ValueError(f'Encoding of iterable {type(data)} is not (yet) supported')
+
+        else:
+            data = _encode(data)
+
+            if encoding_method == EncodingMethod.GZIP:
+                compressor = zlib.compressobj(wbits=31)
+                yield compressor.compress(data) + compressor.flush()
+
+            else:
+                raise ValueError(encoding_method)
+
+    compressed_data = b''.join(_compress(data, encoding_method))
+    content_length = len(compressed_data)
+
+    if headers is not None:
+        headers['Content-Encoding'] = encoding_method
+        headers['Content-Length'] = str(content_length)
+        return compressed_data, headers
+
+    return compressed_data
+
+
+def urljoin(*parts):
+    if len(parts) == 1:
+        return parts[0]
+    first = parts[0]
+    last = parts[-1]
+    middle = parts[1:-1]
+
+    first = first.rstrip('/')
+    middle = list(map(lambda s: s.strip('/'), middle))
+    last = last.lstrip('/')
+
+    return '/'.join([first] + middle + [last])
+
+
+def urlparse(url: str) -> urllib.parse.ParseResult:
+    if '://' not in url:
+        url = f'x://{url}'
+
+    return urllib.parse.urlparse(url)
+
+
+def dict_to_json_factory(data):
+    def convert_value(obj):
+        if isinstance(obj, (datetime.date, datetime.datetime)):
+            return obj.isoformat()
+        elif isinstance(obj, enum.Enum):
+            return obj.value
+        return obj
+
+    return dict((k, convert_value(v)) for k, v in data)

odg_client-0.1.0.dist-info/LICENSE

@@ -0,0 +1,73 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.
+
+"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
+
+     (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
+
+     (b) You must cause any modified files to carry prominent notices stating that You changed the files; and
+
+     (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
+
+     (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
+
+     You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!)  The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

odg_client-0.1.0.dist-info/METADATA

@@ -0,0 +1,15 @@
+Metadata-Version: 2.1
+Name: odg-client
+Version: 0.1.0
+Summary: Client library for the Open Delivery Gear
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: dacite
+Requires-Dist: gardener-ocm
+Requires-Dist: pycryptodome
+Requires-Dist: pyjwt
+Requires-Dist: python-dateutil
+Requires-Dist: requests
+
+Client library for the Delivery Service (part of the Open Delivery Gear)

odg_client-0.1.0.dist-info/RECORD

@@ -0,0 +1,10 @@
+delivery/__init__.py,sha256=1o3aMK95dBf_Y__WkG-yjkhE3ooSk6QW-897Nu7o244,1865
+delivery/client.py,sha256=6t1iPiXOF8B6KDu5xjRmHFIyEwgeEW6yWuvt44aoCv4,24147
+delivery/jwt.py,sha256=HXBQgmG-_8ZwpuiGIV-ubsYw7AWgJ3GzyO4gGXnwIsw,3858
+delivery/model.py,sha256=YEdkY2jb01QzDP7SkGm0sfrHs1l0W5CJrZTg6SAErSg,1496
+delivery/util.py,sha256=CdF1R8w9OCZxsQGUDWk_1aarMdoI2iUYljkhqSnz_1Q,3638
+odg_client-0.1.0.dist-info/LICENSE,sha256=B05uMshqTA74s-0ltyHKI6yoPfJ3zYgQbvcXfDVGFf8,10280
+odg_client-0.1.0.dist-info/METADATA,sha256=fsjn_xXRGqMI2YRIuxpN7fn_SGz5zo4eWvkzsgXoaQ8,419
+odg_client-0.1.0.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+odg_client-0.1.0.dist-info/top_level.txt,sha256=tRd7Uz_gfvbKgZoDaVY8pKvaxBce9g_Jt4e26NvQ1FM,9
+odg_client-0.1.0.dist-info/RECORD,,

odg_client-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: bdist_wheel (0.42.0)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

odg_client-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+delivery