planar 0.5.0__py3-none-any.whl → 0.8.0__py3-none-any.whl

planar/scaffold_templates/planar.dev.yaml.j2

@@ -11,12 +11,12 @@ storage:
   directory: .files
 
 sse_hub: true
-
-cors:
-  allow_origins: "^(?:https://(?:[a-zA-Z0-9-]+\\.)+coplane\\.(dev|com)|http://127.0.0.1:3000)$"
-  allow_credentials: true
-  allow_methods: ["*"]
-  allow_headers: ["*"]
+security:
+  cors:
+    allow_origins: ["https://app.coplane.com"]
+    allow_credentials: true
+    allow_methods: ["*"]
+    allow_headers: ["*"]
 
 ai_providers:
   openai:

planar/scaffold_templates/planar.prod.yaml.j2

@@ -17,11 +17,15 @@ storage:
 
 sse_hub: true
 
-cors:
-  allow_origins: "^(?:https://(?:[a-zA-Z0-9-]+\\.)+coplane\\.(dev|com)|http://127.0.0.1:3000)$"
-  allow_credentials: true
-  allow_methods: ["*"]
-  allow_headers: ["*"]
+security:
+  cors:
+    allow_origins: ["https://app.coplane.com"]
+    allow_credentials: true
+    allow_methods: ["*"]
+    allow_headers: ["*"]
+  jwt:
+    client_id: ${WORKOS_CLIENT_ID}
+    org_id: ${WORKOS_ORG_ID}
 
 ai_providers:
   openai:

planar/scaffold_templates/pyproject.toml.j2

@@ -3,7 +3,7 @@ name = "{{ name }}"
 version = "0.1.0"
 requires-python = ">=3.12"
 dependencies = [
-    "planar>=0.1.0",
+    "planar>=0.6.0",
 ]
 
 [[tool.uv.index]]

planar/security/auth_context.py

@@ -5,6 +5,7 @@ This module provides context variables and utilities for managing the current
 authenticated principal (user) throughout the request lifecycle.
 """
 
+import time
 from contextlib import contextmanager
 from contextvars import ContextVar
 from typing import Any, Iterator
@@ -71,6 +72,26 @@ class Principal(BaseModel):
 
         return cls(**principal_data)
 
+    @classmethod
+    def from_service_token(cls, token: str) -> "Principal":
+        """Create a Principal from a service token."""
+        # TO-DO Potentially lookup token in database to get org_id, org_name, user_first_name, user_last_name, user_email, role, permissions
+        return cls(
+            sub="service_token",
+            iss="service_token",
+            exp=int(time.time()) + 3600,
+            iat=int(time.time()),
+            sid="service_token",
+            jti="service_token",
+            org_id="service_token",
+            org_name="service_token",
+            user_first_name="service_token",
+            user_last_name="service_token",
+            user_email="service_token",
+            role="service_token",
+            permissions=["service_token"],
+        )
+
 
 # Context variable for the current principal
 principal_var: ContextVar[Principal | None] = ContextVar("principal", default=None)

planar/security/{jwt_middleware.py → auth_middleware.py}

@@ -4,34 +4,39 @@ from fastapi.responses import JSONResponse
 from starlette.middleware.base import BaseHTTPMiddleware
 
 from planar.logging import get_logger
-from planar.security.auth_context import Principal, clear_principal, set_principal
+from planar.security.auth_context import (
+    Principal,
+    clear_principal,
+    set_principal,
+)
 
 logger = get_logger(__name__)
 
 BASE_JWKS_URL = "https://auth-api.coplane.com/sso/jwks"
 EXPECTED_ISSUER = "https://auth-api.coplane.com"
+SERVICE_TOKEN_HEADER_PREFIX = "Bearer plt_"
 
 
-class JWTMiddleware(BaseHTTPMiddleware):
+class AuthMiddleware(BaseHTTPMiddleware):
     def __init__(
         self,
         app: FastAPI,
         client_id: str,
-        org_id: str | None = None,
+        org_id: str,
         additional_exclusion_paths: list[str] | None = None,
+        service_token: str | None = None,
     ):
         super().__init__(app)
-        self.client_id = client_id
         self.org_id = org_id
         self.additional_exclusion_paths = additional_exclusion_paths or []
+        self.client = jwt.PyJWKClient(f"{BASE_JWKS_URL}/{client_id}", cache_keys=True)
+        self.service_token = service_token
 
-    def get_signing_key_from_jwt(self, client_id: str, token: str):
-        jwks_url = f"{BASE_JWKS_URL}/{client_id}"
-        jwks_client = jwt.PyJWKClient(jwks_url, cache_keys=True)
-        return jwks_client.get_signing_key_from_jwt(token)
+    def get_signing_key_from_jwt(self, token: str):
+        return self.client.get_signing_key_from_jwt(token)
 
     def validate_jwt_token(self, token: str):
-        signing_key = self.get_signing_key_from_jwt(self.client_id, token)
+        signing_key = self.get_signing_key_from_jwt(token)
 
         payload = jwt.decode(
             token,
@@ -46,7 +51,12 @@ class JWTMiddleware(BaseHTTPMiddleware):
         )
 
         org_id_from_token = payload.get("org_id")
-        if self.org_id and org_id_from_token != self.org_id:
+
+        if (
+            org_id_from_token is None
+            or org_id_from_token == ""
+            or org_id_from_token != self.org_id
+        ):
             raise HTTPException(
                 status_code=401,
                 detail="Invalid organization",
@@ -56,18 +66,61 @@ class JWTMiddleware(BaseHTTPMiddleware):
         return payload
 
     async def dispatch(self, request: Request, call_next):
-        if (
-            request.url.path
-            in [
-                "/docs",
-                "/redoc",
-                "/openapi.json",
+        if request.url.path in (
+            [
                 "/planar/v1/health",
             ]
-            or request.url.path in self.additional_exclusion_paths
+            + self.additional_exclusion_paths
         ):
             return await call_next(request)
 
+        authorization = request.headers.get("Authorization")
+        if authorization and authorization.startswith(SERVICE_TOKEN_HEADER_PREFIX):
+            return await self.dispatch_service_token(request, call_next)
+        else:
+            return await self.dispatch_jwt(request, call_next)
+
+    async def dispatch_service_token(self, request: Request, call_next):
+        authorization = request.headers.get("Authorization")
+        if not authorization or not authorization.startswith(
+            SERVICE_TOKEN_HEADER_PREFIX
+        ):
+            return JSONResponse(
+                status_code=401,
+                content={"detail": "Invalid authentication scheme"},
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+
+        token_from_header = authorization.replace("Bearer ", "")
+        if token_from_header != self.service_token:
+            return JSONResponse(
+                status_code=401,
+                content={
+                    "detail": "Invalid authentication credentials for service token"
+                },
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+
+        principal_token = None
+        payload = {
+            "sub": "service_token",
+        }
+        # Store payload in request state for backward compatibility
+        request.state.user = payload
+        # Create and set the principal in context
+        principal = Principal.from_service_token(token_from_header)
+        principal_token = set_principal(principal)
+
+        try:
+            response = await call_next(request)
+        finally:
+            # Clean up the principal context
+            if principal_token is not None:
+                clear_principal(principal_token)
+
+        return response
+
+    async def dispatch_jwt(self, request: Request, call_next):
         principal_token = None
         try:
             authorization = request.headers.get("Authorization")

planar/security/authorization.py

@@ -357,22 +357,16 @@ def validate_authorization_for(
     entity: CedarEntity | None = None
 
     match action:
-        case WorkflowAction():
-            if isinstance(resource_descriptor, WorkflowResource):
-                entity = CedarEntity.from_workflow(resource_descriptor.function_name)
-        case AgentAction():
-            if isinstance(resource_descriptor, AgentResource):
-                entity = CedarEntity.from_agent(resource_descriptor.id)
-        case RuleAction():
-            if isinstance(resource_descriptor, RuleResource):
-                entity = CedarEntity.from_rule(resource_descriptor.rule_name)
+        case WorkflowAction() if isinstance(resource_descriptor, WorkflowResource):
+            entity = CedarEntity.from_workflow(resource_descriptor.function_name)
+        case AgentAction() if isinstance(resource_descriptor, AgentResource):
+            entity = CedarEntity.from_agent(resource_descriptor.id)
+        case RuleAction() if isinstance(resource_descriptor, RuleResource):
+            entity = CedarEntity.from_rule(resource_descriptor.rule_name)
         case _:
-            raise ValueError(f"Invalid action type: {action}")
-
-    if not entity:
-        raise ValueError(
-            f"Invalid resource descriptor {type(resource_descriptor).__name__} for action {action}"
-        )
+            raise ValueError(
+                f"Invalid resource descriptor {type(resource_descriptor).__name__} for action {action}"
+            )
 
     # Get current principal and check authorization on current resource
     principal: Principal | None = get_current_principal()

planar/security/tests/test_auth_middleware.py

@@ -0,0 +1,162 @@
+from unittest.mock import Mock, patch
+
+import pytest
+from fastapi import FastAPI, HTTPException
+from fastapi.responses import JSONResponse
+
+from planar.security.auth_middleware import AuthMiddleware
+
+
+@pytest.fixture
+def app():
+    return FastAPI()
+
+
+@pytest.fixture
+def auth_middleware(app):
+    return AuthMiddleware(
+        app=app,
+        client_id="test-client-id",
+        org_id="test-org-id",
+        additional_exclusion_paths=["/test/exclude"],
+        service_token="plt_test-service-token",
+    )
+
+
+class TestAuthMiddleware:
+    def test_org_id_validation_none(self, auth_middleware):
+        """Test that org_id validation fails when token has None org_id"""
+        with (
+            patch.object(auth_middleware, "get_signing_key_from_jwt"),
+            patch("jwt.decode") as mock_decode,
+        ):
+            mock_decode.return_value = {"org_id": None}
+
+            with pytest.raises(HTTPException) as exc_info:
+                auth_middleware.validate_jwt_token("fake-token")
+
+            assert exc_info.value.status_code == 401
+            assert exc_info.value.detail == "Invalid organization"
+
+    def test_org_id_validation_empty_string(self, auth_middleware):
+        """Test that org_id validation fails when token has empty string org_id"""
+        with (
+            patch.object(auth_middleware, "get_signing_key_from_jwt"),
+            patch("jwt.decode") as mock_decode,
+        ):
+            mock_decode.return_value = {"org_id": ""}
+
+            with pytest.raises(HTTPException) as exc_info:
+                auth_middleware.validate_jwt_token("fake-token")
+
+            assert exc_info.value.status_code == 401
+            assert exc_info.value.detail == "Invalid organization"
+
+    def test_org_id_validation_mismatch(self, auth_middleware):
+        """Test that org_id validation fails when token org_id doesn't match"""
+        with (
+            patch.object(auth_middleware, "get_signing_key_from_jwt"),
+            patch("jwt.decode") as mock_decode,
+        ):
+            mock_decode.return_value = {"org_id": "different-org-id"}
+
+            with pytest.raises(HTTPException) as exc_info:
+                auth_middleware.validate_jwt_token("fake-token")
+
+            assert exc_info.value.status_code == 401
+            assert exc_info.value.detail == "Invalid organization"
+
+    def test_org_id_validation_success(self, auth_middleware):
+        """Test that org_id validation succeeds when token org_id matches"""
+        with (
+            patch.object(auth_middleware, "get_signing_key_from_jwt"),
+            patch("jwt.decode") as mock_decode,
+        ):
+            expected_payload = {"org_id": "test-org-id", "user_id": "test-user"}
+            mock_decode.return_value = expected_payload
+
+            result = auth_middleware.validate_jwt_token("fake-token")
+
+            assert result == expected_payload
+
+    @pytest.mark.asyncio
+    async def test_service_token_validation_success(self, auth_middleware):
+        """Test that service token validation succeeds when token matches"""
+        mock_request = Mock()
+        mock_request.url.path = "/planar/v1/something"
+        mock_request.headers = {"Authorization": "Bearer plt_test-service-token"}
+        mock_call_next = Mock()
+        mock_call_next.return_value = JSONResponse(
+            status_code=200, content={"message": "success"}
+        )
+
+        async def mock_call_next_func(request):
+            return mock_call_next(request)
+
+        result = await auth_middleware.dispatch(mock_request, mock_call_next_func)
+        mock_call_next.assert_called_once_with(mock_request)
+        assert result is not None
+        assert result.status_code == 200
+
+    @pytest.mark.asyncio
+    async def test_service_token_validation_failure(self, auth_middleware):
+        """Test that service token validation succeeds when token matches"""
+        mock_request = Mock()
+        mock_request.url.path = "/planar/v1/something"
+        mock_request.headers = {"Authorization": "Bearer plt_wrong-token"}
+        mock_call_next = Mock()
+        mock_call_next.return_value = JSONResponse(
+            status_code=200, content={"message": "success"}
+        )
+
+        async def mock_call_next_func(request):
+            return mock_call_next(request)
+
+        result = await auth_middleware.dispatch(mock_request, mock_call_next_func)
+        mock_call_next.assert_not_called()
+        assert result is not None
+        assert result.status_code == 401
+
+    @pytest.mark.asyncio
+    async def test_exclusion_paths_includes_health_and_additional(self, app):
+        """Test that exclusion paths include health endpoint and additional paths"""
+        middleware = AuthMiddleware(
+            app=app,
+            client_id="test-client-id",
+            org_id="test-org-id",
+            additional_exclusion_paths=["/custom/path", "/another/path"],
+        )
+
+        mock_request = Mock()
+        mock_call_next = Mock()
+
+        async def mock_call_next_func(request):
+            return mock_call_next(request)
+
+        expected_paths = ["/planar/v1/health", "/custom/path", "/another/path"]
+        for path in expected_paths:
+            mock_request.url.path = path
+            mock_call_next.reset_mock()
+
+            await middleware.dispatch(mock_request, mock_call_next_func)  # type: ignore
+
+            mock_call_next.assert_called_once_with(mock_request)
+
+        # Test that non-excluded paths are not excluded
+        mock_request.url.path = "/not-excluded"
+        mock_call_next.reset_mock()
+        result = await middleware.dispatch(mock_request, mock_call_next_func)
+        assert result is not None
+        assert result.status_code == 401
+        mock_call_next.assert_not_called()
+
+    def test_required_org_id_parameter(self, app):
+        """Test that org_id parameter is required (not optional)"""
+        # This test ensures org_id cannot be None based on type hints
+        # The actual enforcement is at the type level, so we just verify
+        # the constructor works with a valid org_id
+        middleware = AuthMiddleware(
+            app=app, client_id="test-client-id", org_id="required-org-id"
+        )
+
+        assert middleware.org_id == "required-org-id"

planar/sse/proxy.py

@@ -65,7 +65,6 @@ class SSEProxy:
         self.config = config
         self.enable_builtin_hub = False
         self.hub_url = ""
-        self.transport: httpx.AsyncHTTPTransport | None = None
         self.stream_tasks: WeakSet[Task] = WeakSet()
 
         if isinstance(sse_hub, str):
@@ -127,12 +126,11 @@ class SSEProxy:
         if self.enable_builtin_hub:
             self.start_builtin_hub()
 
-        self.transport, self.hub_url = parse_hub_url(self.hub_url)
-        forward_url = f"{self.hub_url}/push"
-
         async def forward():
+            transport, hub_url = parse_hub_url(self.hub_url)
+            forward_url = f"{hub_url}/push"
             logger.debug("sse event forwarding task started", url=forward_url)
-            async with httpx.AsyncClient(transport=self.transport) as client:
+            async with httpx.AsyncClient(transport=transport) as client:
                 while True:
                     event = await self.queue.get()
                     logger.debug(
@@ -206,11 +204,8 @@ class SSEProxy:
     @asynccontextmanager
     async def connect(self, query: str = "", headers: dict[str, str] = {}):
         logger.debug("sseproxy connect called", query=query, headers=headers)
-        if not self.hub_url or not self.transport:
-            raise ValueError("hub_url is not set")
 
-        hub_url = self.hub_url
-        transport = self.transport
+        transport, hub_url = parse_hub_url(self.hub_url)
 
         client = httpx.AsyncClient(
             transport=transport, base_url=hub_url, timeout=httpx.Timeout(None)

planar/test_app.py

@@ -1,11 +1,16 @@
+from unittest.mock import Mock, patch
+
+import pytest
 from dotenv import load_dotenv
 from fastapi import APIRouter
-from pydantic import BaseModel
+from pydantic import BaseModel, ValidationError
 
 from examples.simple_service.models import (
     Invoice,
 )
 from planar import PlanarApp, sqlite_config
+from planar.app import setup_auth_middleware
+from planar.config import Environment, JWTConfig, SecurityConfig
 
 load_dotenv()
 
@@ -49,3 +54,89 @@ def test_register_model_deduplication():
     # Verify that the model in the registry is the Invoice model
     registered_models = app._object_registry.get_entities()
     assert any(model.__name__ == "Invoice" for model in registered_models)
+
+
+class TestJWTSetup:
+    def test_setup_jwt_middleware_production_requires_config(self):
+        """Test that JWT setup throws ValueError in production without proper config"""
+        mock_app = Mock()
+        mock_app.config.environment = Environment.PROD
+        mock_app.config.security = SecurityConfig()
+
+        with pytest.raises(
+            ValueError,
+            match="Auth middleware is required in production. Please set the JWT config and optionally service token config.",
+        ):
+            setup_auth_middleware(mock_app)
+
+    def test_setup_jwt_middleware_production_requires_client_id(self):
+        """Test that JWT setup throws ValueError in production without client_id"""
+        with pytest.raises(
+            ValidationError,
+            match="Both client_id and org_id required to enable JWT",
+        ):
+            JWTConfig(client_id=None, org_id="test-org")
+
+    def test_setup_jwt_middleware_production_requires_org_id(self):
+        """Test that JWT setup throws ValueError in production without org_id"""
+        with pytest.raises(
+            ValidationError,
+            match="Both client_id and org_id required to enable JWT",
+        ):
+            JWTConfig(client_id="test-client-id", org_id=None)
+
+    @patch("planar.app.logger")
+    def test_setup_jwt_middleware_success_with_all_fields(self, mock_logger):
+        """Test that JWT setup succeeds with all required fields"""
+        mock_app = Mock()
+        mock_app.config.environment = Environment.PROD
+        mock_app.config.security = SecurityConfig(
+            jwt=JWTConfig(
+                client_id="test-client-id",
+                org_id="test-org-id",
+                additional_exclusion_paths=["/test/path"],
+            )
+        )
+
+        setup_auth_middleware(mock_app)
+
+        # Verify middleware was added to app.fastapi
+        mock_app.fastapi.add_middleware.assert_called_once()
+
+        # Check that info log was called
+        mock_logger.info.assert_called_once_with(
+            "Auth middleware enabled",
+            client_id="test-client-id",
+            org_id="test-org-id",
+            additional_exclusion_paths=["/test/path"],
+        )
+
+    @patch("planar.app.logger")
+    def test_setup_jwt_middleware_dev_environment_allows_missing_config(
+        self, mock_logger
+    ):
+        """Test that JWT setup is skipped in dev environment without config"""
+        mock_app = Mock()
+        mock_app.config.environment = Environment.DEV
+        mock_app.config.security = SecurityConfig()
+
+        setup_auth_middleware(mock_app)
+
+        # Verify warning was logged and no middleware added
+        mock_logger.warning.assert_called_once_with("Auth middleware disabled")
+        mock_app.fastapi.add_middleware.assert_not_called()
+
+    @patch("planar.app.logger")
+    def test_setup_jwt_middleware_dev_environment_allows_disabled_jwt(
+        self, mock_logger
+    ):
+        """Test that JWT setup is skipped in dev environment with disabled JWT"""
+        mock_app = Mock()
+        mock_app.config.environment = Environment.DEV
+        mock_app.config.security = SecurityConfig()
+
+        setup_auth_middleware(mock_app)
+
+        # Verify warning was logged and no middleware added
+        mock_logger.warning.assert_called_once_with("Auth middleware disabled")
+        mock_app.fastapi.add_middleware.assert_not_called()