pydantic-rpc 0.9.0__py3-none-any.whl → 0.10.0__py3-none-any.whl

pydantic_rpc/__init__.py

@@ -14,6 +14,11 @@ from .decorators import (
     get_method_options,
     has_http_option,
 )
+from .tls import (
+    GrpcTLSConfig,
+    extract_peer_identity,
+    extract_peer_certificate_chain,
+)
 
 __all__ = [
     "Server",
@@ -26,6 +31,9 @@ __all__ = [
     "proto_option",
     "get_method_options",
     "has_http_option",
+    "GrpcTLSConfig",
+    "extract_peer_identity",
+    "extract_peer_certificate_chain",
 ]
 
 # Optional MCP support

pydantic_rpc/core.py

@@ -15,6 +15,7 @@ from pathlib import Path
 from posixpath import basename
 from typing import (
     Any,
+    Optional,
     TypeAlias,
     get_args,
     get_origin,
@@ -36,6 +37,7 @@ from grpc_reflection.v1alpha import reflection
 from grpc_tools import protoc
 from pydantic import BaseModel, ValidationError
 from .decorators import get_method_options, has_http_option
+from .tls import GrpcTLSConfig
 
 ###############################################################################
 # 1. Message definitions & converter extensions
@@ -2602,13 +2604,19 @@ def generate_combined_descriptor_set(
 class Server:
     """A simple gRPC server that uses ThreadPoolExecutor for concurrency."""
 
-    def __init__(self, max_workers: int = 8, *interceptors: Any) -> None:
+    def __init__(
+        self,
+        max_workers: int = 8,
+        *interceptors: Any,
+        tls: Optional["GrpcTLSConfig"] = None,
+    ) -> None:
         self._server: grpc.Server = grpc.server(
             futures.ThreadPoolExecutor(max_workers), interceptors=interceptors
         )
         self._service_names: list[str] = []
         self._package_name: str = ""
         self._port: int = 50051
+        self._tls_config = tls
 
     def set_package_name(self, package_name: str):
         """Set the package name for .proto generation."""
@@ -2658,7 +2666,16 @@ class Server:
         health_pb2_grpc.add_HealthServicer_to_server(health_servicer, self._server)
         reflection.enable_server_reflection(SERVICE_NAMES, self._server)
 
-        self._server.add_insecure_port(f"[::]:{self._port}")
+        if self._tls_config:
+            # Use secure port with TLS
+            credentials = self._tls_config.to_server_credentials()
+            self._server.add_secure_port(f"[::]:{self._port}", credentials)
+            print(f"gRPC server starting with TLS on port {self._port}...")
+        else:
+            # Use insecure port
+            self._server.add_insecure_port(f"[::]:{self._port}")
+            print(f"gRPC server starting on port {self._port}...")
+
         self._server.start()
 
         def handle_signal(signum: signal.Signals, frame: Any):
@@ -2680,11 +2697,16 @@ class Server:
 class AsyncIOServer:
     """An async gRPC server using asyncio."""
 
-    def __init__(self, *interceptors: grpc.ServerInterceptor) -> None:
+    def __init__(
+        self,
+        *interceptors: grpc.ServerInterceptor,
+        tls: Optional["GrpcTLSConfig"] = None,
+    ) -> None:
         self._server: grpc.aio.Server = grpc.aio.server(interceptors=interceptors)
         self._service_names: list[str] = []
         self._package_name: str = ""
         self._port: int = 50051
+        self._tls_config = tls
 
     def set_package_name(self, package_name: str):
         """Set the package name for .proto generation."""
@@ -2736,7 +2758,16 @@ class AsyncIOServer:
         health_pb2_grpc.add_HealthServicer_to_server(health_servicer, self._server)
         reflection.enable_server_reflection(SERVICE_NAMES, self._server)
 
-        _ = self._server.add_insecure_port(f"[::]:{self._port}")
+        if self._tls_config:
+            # Use secure port with TLS
+            credentials = self._tls_config.to_server_credentials()
+            _ = self._server.add_secure_port(f"[::]:{self._port}", credentials)
+            print(f"gRPC server starting with TLS on port {self._port}...")
+        else:
+            # Use insecure port
+            _ = self._server.add_insecure_port(f"[::]:{self._port}")
+            print(f"gRPC server starting on port {self._port}...")
+
         await self._server.start()
 
         shutdown_event = asyncio.Event()

pydantic_rpc/tls.py

@@ -0,0 +1,96 @@
+"""TLS configuration for gRPC servers."""
+
+from dataclasses import dataclass
+from typing import Optional, Any
+import grpc
+
+
+@dataclass
+class GrpcTLSConfig:
+    """Configuration for gRPC server TLS.
+
+    Args:
+        cert_chain: The PEM-encoded server certificate chain.
+        private_key: The PEM-encoded private key for the server certificate.
+        root_certs: Optional PEM-encoded root certificates for verifying client certificates.
+                   If provided with require_client_cert=True, enables mTLS.
+        require_client_cert: If True, requires and verifies client certificates (mTLS).
+    """
+
+    cert_chain: bytes
+    private_key: bytes
+    root_certs: Optional[bytes] = None
+    require_client_cert: bool = False
+
+    def to_server_credentials(self) -> grpc.ServerCredentials:
+        """Convert to gRPC ServerCredentials."""
+        private_key_certificate_chain_pairs = [(self.private_key, self.cert_chain)]
+
+        if self.require_client_cert and self.root_certs:
+            # mTLS: require and verify client certificates
+            return grpc.ssl_server_credentials(
+                private_key_certificate_chain_pairs,
+                root_certificates=self.root_certs,
+                require_client_auth=True,
+            )
+        elif self.root_certs:
+            # Optional client certificates
+            return grpc.ssl_server_credentials(
+                private_key_certificate_chain_pairs,
+                root_certificates=self.root_certs,
+                require_client_auth=False,
+            )
+        else:
+            # Server TLS only, no client certificate validation
+            return grpc.ssl_server_credentials(private_key_certificate_chain_pairs)
+
+
+def extract_peer_identity(context: grpc.ServicerContext) -> Optional[str]:
+    """Extract the peer identity from the ServicerContext.
+
+    For mTLS connections, this returns the client's certificate subject.
+
+    Args:
+        context: The gRPC ServicerContext from a request handler.
+
+    Returns:
+        The peer identity string if available, None otherwise.
+    """
+    auth_context: Any = context.auth_context()
+    if auth_context:
+        # The peer identity is typically stored under the 'x509_common_name' key
+        # or 'x509_subject_alternative_name' for SANs
+        identities = auth_context.get("x509_common_name")
+        if identities and len(identities) > 0:
+            # Return the first identity (there's usually only one CN)
+            # gRPC returns bytes, so we decode to string
+            identity_bytes: bytes = identities[0]
+            return identity_bytes.decode("utf-8")
+
+        # Fallback to SAN if CN is not available
+        san_identities = auth_context.get("x509_subject_alternative_name")
+        if san_identities and len(san_identities) > 0:
+            # gRPC returns bytes, so we decode to string
+            san_bytes: bytes = san_identities[0]
+            return san_bytes.decode("utf-8")
+
+    return None
+
+
+def extract_peer_certificate_chain(context: grpc.ServicerContext) -> Optional[bytes]:
+    """Extract the peer's certificate chain from the ServicerContext.
+
+    Args:
+        context: The gRPC ServicerContext from a request handler.
+
+    Returns:
+        The peer's certificate chain in PEM format if available, None otherwise.
+    """
+    auth_context: Any = context.auth_context()
+    if auth_context:
+        cert_chain = auth_context.get("x509_peer_certificate")
+        if cert_chain and len(cert_chain) > 0:
+            cert_bytes: bytes = cert_chain[0]
+            return cert_bytes
+
+    return None

{pydantic_rpc-0.9.0.dist-info → pydantic_rpc-0.10.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: pydantic-rpc
-Version: 0.9.0
+Version: 0.10.0
 Summary: A Python library for building gRPC/ConnectRPC services with Pydantic models.
 Author: Yasushi Itoh
 Requires-Dist: annotated-types==0.7.0
@@ -901,8 +901,43 @@ class GoodMessage(Message):
 - Test error cases thoroughly
 - Be aware that errors fail silently
 
+### 🔒 TLS/mTLS Support
+
+PydanticRPC provides built-in support for TLS (Transport Layer Security) and mTLS (mutual TLS) for secure gRPC communication.
+
+```python
+from pydantic_rpc import AsyncIOServer, GrpcTLSConfig, extract_peer_identity
+import grpc
+
+# Basic TLS (server authentication only)
+tls_config = GrpcTLSConfig(
+    cert_chain=server_cert_bytes,
+    private_key=server_key_bytes,
+    require_client_cert=False
+)
+
+# mTLS (mutual authentication)
+tls_config = GrpcTLSConfig(
+    cert_chain=server_cert_bytes,
+    private_key=server_key_bytes,
+    root_certs=ca_cert_bytes,  # CA to verify client certificates
+    require_client_cert=True
+)
+
+# Create server with TLS
+server = AsyncIOServer(tls=tls_config)
+
+# Extract client identity in service methods
+class SecureService:
+    async def secure_method(self, request, context: grpc.ServicerContext):
+        client_identity = extract_peer_identity(context)
+        if client_identity:
+            print(f"Authenticated client: {client_identity}")
+```
+
+For a complete example, see [examples/tls_server.py](examples/tls_server.py) and [examples/tls_client.py](examples/tls_client.py).
+
 ### 🔗 Multiple Services with Custom Interceptors
->>>>>>> origin/main
 
 PydanticRPC supports defining and running multiple gRPC services in a single server:
 

pydantic_rpc-0.10.0.dist-info/RECORD

@@ -0,0 +1,13 @@
+pydantic_rpc/__init__.py,sha256=a8c4ed1a731b7f601006cbbd4aff16d43bbca0b7ffb02c698f1c79dccefe2f8e,781
+pydantic_rpc/core.py,sha256=b2867838460a23b1ce302c9d7e6ef2a2e711c6c84887a50e3ad40b94ff5dc53c,112505
+pydantic_rpc/decorators.py,sha256=2f2dc3f642a6e40d05187901e75269415a70b8f18d555e6c7ac923dee149d34c,3852
+pydantic_rpc/mcp/__init__.py,sha256=f05ad62cc38db5c5972e16870c484523c58c5ac650d8454706f1ce4539cc7a52,123
+pydantic_rpc/mcp/converter.py,sha256=b60dcaf82e6bff6be4b2ab8b1e9f2d16e09cb98d8f00182a4f6f73d1a78848a4,4158
+pydantic_rpc/mcp/exporter.py,sha256=20833662f9a973ed9e1a705b9b59aaa2533de6c514ebd87ef66664a430a0d04f,10239
+pydantic_rpc/options.py,sha256=6094036184a500b92715fd91d31ecc501460a56de47dcf6024c6335ae8e5d6e3,4561
+pydantic_rpc/py.typed,sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,0
+pydantic_rpc/tls.py,sha256=0eb290cc09c8ebedc71e7a97c01736d9675a314f70ebd80a2ce73e3f1689d359,3567
+pydantic_rpc-0.10.0.dist-info/WHEEL,sha256=ab6157bc637547491fb4567cd7ddf26b04d63382916ca16c29a5c8e94c9c9ef7,79
+pydantic_rpc-0.10.0.dist-info/entry_points.txt,sha256=72a47b1d2cae3abc045710fe0c2c2e6dfbb051fbf6960c22b62488004e9188ba,57
+pydantic_rpc-0.10.0.dist-info/METADATA,sha256=8819d19940dcb5a2718e9455725e976babebeeee32ba2b016135f29ba3dda67c,32096
+pydantic_rpc-0.10.0.dist-info/RECORD,,

pydantic_rpc-0.9.0.dist-info/RECORD

@@ -1,12 +0,0 @@
-pydantic_rpc/__init__.py,sha256=cd21549eab234e0bc3b3744713c65486b00a63e9ca8d4696506b819099fc1f79,590
-pydantic_rpc/core.py,sha256=ccc7a5f91dc471a0ecc253a5fd766a24878308be7905532ee7c6b9b51b9a1b8e,111436
-pydantic_rpc/decorators.py,sha256=2f2dc3f642a6e40d05187901e75269415a70b8f18d555e6c7ac923dee149d34c,3852
-pydantic_rpc/mcp/__init__.py,sha256=f05ad62cc38db5c5972e16870c484523c58c5ac650d8454706f1ce4539cc7a52,123
-pydantic_rpc/mcp/converter.py,sha256=b60dcaf82e6bff6be4b2ab8b1e9f2d16e09cb98d8f00182a4f6f73d1a78848a4,4158
-pydantic_rpc/mcp/exporter.py,sha256=20833662f9a973ed9e1a705b9b59aaa2533de6c514ebd87ef66664a430a0d04f,10239
-pydantic_rpc/options.py,sha256=6094036184a500b92715fd91d31ecc501460a56de47dcf6024c6335ae8e5d6e3,4561
-pydantic_rpc/py.typed,sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,0
-pydantic_rpc-0.9.0.dist-info/WHEEL,sha256=ab6157bc637547491fb4567cd7ddf26b04d63382916ca16c29a5c8e94c9c9ef7,79
-pydantic_rpc-0.9.0.dist-info/entry_points.txt,sha256=72a47b1d2cae3abc045710fe0c2c2e6dfbb051fbf6960c22b62488004e9188ba,57
-pydantic_rpc-0.9.0.dist-info/METADATA,sha256=7a022eb4a99c02b665ceb0dca3d48ad587ade87f9be0f08f7b6c378738bd043e,30976
-pydantic_rpc-0.9.0.dist-info/RECORD,,