pypomes-iam 0.1.6__py3-none-any.whl → 0.1.8__py3-none-any.whl

pypomes_iam/common_pomes.py

@@ -0,0 +1,111 @@
+import json
+import requests
+from datetime import datetime
+from flask import Request
+from logging import Logger
+from pypomes_core import TZ_LOCAL
+from typing import Any
+
+
+def _get_public_key(registry: dict[str, Any],
+                    url: str,
+                    logger: Logger | None) -> bytes:
+    """
+    Obtain the public key used by the *IAM* to sign the authentication tokens.
+
+    The public key is saved in *registry*.
+
+    :param url: the base URL to request the public key
+    :return: the public key, in *DER* format
+    """
+    from pypomes_crypto import crypto_jwk_convert
+
+    # initialize the return variable
+    result: bytes | None = None
+
+    now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+    if now > registry.get("key-expiration"):
+        # obtain a new public key
+        url: str = f"{url}/protocol/openid-connect/certs"
+        if logger:
+            logger.debug(msg=f"GET '{url}'")
+        response: requests.Response = requests.get(url=url)
+        if response.status_code == 200:
+            # request succeeded
+            if logger:
+                logger.debug(msg=f"GET success, status {response.status_code}")
+            reply: dict[str, Any] = response.json()
+            result = crypto_jwk_convert(jwk=reply["keys"][0],
+                                        fmt="DER")
+            registry["public-key"] = result
+            duration: int = registry.get("key-lifetime") or 0
+            registry["key-expiration"] = now + duration
+        elif logger:
+            msg: str = f"GET failure, status {response.status_code}, reason '{response.reason}'"
+            if hasattr(response, "content") and response.content:
+                msg += f", content '{response.content}'"
+            logger.error(msg=msg)
+    else:
+        result = registry.get("public-key")
+
+    return result
+
+
+def _get_login_timeout(registry: dict[str, Any]) -> int | None:
+    """
+    Retrieve from *registry* the timeout currently applicable for the login operation.
+
+    :return: the current login timeout, or *None* if none has been set.
+    """
+    timeout: int = registry.get("client-timeout")
+    return timeout if isinstance(timeout, int) and timeout > 0 else None
+
+
+def _get_user_data(registry: dict[str, Any],
+                   user_id: str,
+                   logger: Logger | None) -> dict[str, Any]:
+    """
+    Retrieve the data for *user_id* from *registry*.
+
+    If an entry is not found for *user_id* in the registry, it is created.
+    It will remain there until the user is logged out.
+
+    :param user_id:
+    :return: the data for *user_id* in the registry
+    """
+    result: dict[str, Any] = registry["users"].get(user_id)
+    if not result:
+        result = {"access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp())}
+        registry["users"][user_id] = result
+        if logger:
+            logger.debug(msg=f"Entry for user '{user_id}' added to the registry")
+    elif logger:
+        logger.debug(msg=f"Entry for user '{user_id}' obtained from the registry")
+
+    return result
+
+
+def _user_logout(registry: dict[str, Any],
+                 user_id: str,
+                 logger: Logger | None) -> None:
+    """
+    Remove all data associating *user_id* from *registry*.
+    """
+    # remove the user data
+    if user_id and user_id in registry.get("users"):
+        registry["users"].pop(user_id)
+        if logger:
+            logger.debug(msg=f"User '{user_id}' removed from the registry")
+
+
+def _log_init(request: Request) -> str:
+    """
+    Build the messages for logging the request entry.
+
+    :param request: the Request object
+    :return: the log message
+    """
+
+    params: str = json.dumps(obj=request.args,
+                             ensure_ascii=False)
+    return f"Request {request.method}:{request.path}, params {params}"

pypomes_iam/jusbr_pomes.py

@@ -1,3 +1,4 @@
+import json
 import requests
 import secrets
 import string
@@ -11,6 +12,10 @@ from pypomes_core import (
 )
 from typing import Any, Final
 
+from .common_pomes import (
+    _get_login_timeout, _get_public_key, _get_user_data, _user_logout, _log_init
+)
+
 JUSBR_CLIENT_ID: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_CLIENT_ID")
 JUSBR_CLIENT_SECRET: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_CLIENT_SECRET")
 JUSBR_CLIENT_TIMEOUT: Final[int] = env_get_int(key=f"{APP_PREFIX}_JUSBR_CLIENT_TIMEOUT")
@@ -34,17 +39,19 @@ JUSBR_URL_AUTH_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_URL_A
 #    "client-id": <str>,
 #    "client-secret": <str>,
 #    "client-timeout": <int>,
-#    "public_key": <str>,
+#    "public_key": <bytes>,
+#    "key-lifetime": <int>,
 #    "key-expiration": <int>,
-#    "auth-url": <str>,
+#    "base-url": <str>,
 #    "callback-url": <str>,
 #    "users": {
 #       "<user-id>": {
 #         "cache-obj": <Cache>,
 #         "oauth-scope": <str>,
 #         "access-expiration": <timestamp>,
+#         "login-expiration": <int>,  <-- transient
+#         "login-id": <str>,          <-- transient
 #         data in <Cache>:
-#           "oauth-state": <str>
 #           "access-token": <str>
 #           "refresh-token": <str>
 #       }
@@ -65,7 +72,7 @@ def jusbr_setup(flask_app: Flask,
                 token_endpoint: str = JUSBR_ENDPOINT_TOKEN,
                 login_endpoint: str = JUSBR_ENDPOINT_LOGIN,
                 logout_endpoint: str = JUSBR_ENDPOINT_LOGOUT,
-                auth_url: str = JUSBR_URL_AUTH_BASE,
+                base_url: str = JUSBR_URL_AUTH_BASE,
                 callback_url: str = JUSBR_URL_AUTH_CALLBACK,
                 logger: Logger = None) -> None:
     """
@@ -82,7 +89,7 @@ def jusbr_setup(flask_app: Flask,
     :param token_endpoint: endpoint for retrieving the JusBR authentication token
     :param login_endpoint: endpoint for redirecting user to JusBR login page
     :param logout_endpoint: endpoint for terminating user access to JusBR
-    :param auth_url: base URL to request the JusBR services
+    :param base_url: base URL to request the JusBR services
     :param callback_url: URL for JusBR to callback on login
     :param logger: optional logger
     """
@@ -96,7 +103,7 @@ def jusbr_setup(flask_app: Flask,
         "client-id": client_id,
         "client-secret": client_secret,
         "client-timeout": client_timeout,
-        "auth-url": auth_url,
+        "base-url": base_url,
         "callback-url": callback_url,
         "key-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
         "key-lifetime": public_key_lifetime,
@@ -138,32 +145,44 @@ def service_login() -> Response:
     """
     global _jusbr_registry
 
-    # retrieve user data (if not provided, 'user_id' is temporarily set to 'oauth_state'
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
+
+    # retrieve user data (if not provided, 'user_id' is temporarily set to 'oauth_state')
     input_params: dict[str, Any] = request.values
     oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
     user_id: str = input_params.get("user-id") or input_params.get("login") or oauth_state
-    # obtain user data
-    user_data: dict[str, Any] = __get_user_data(user_id=user_id,
-                                                logger=_logger)
-    # build redirect url
-    timeout: int = __get_login_timeout()
+    # obtain the user data
+    user_data: dict[str, Any] = _get_user_data(registry=_jusbr_registry,
+                                               user_id=user_id,
+                                               logger=_logger)
+    # build the redirect url
+    timeout: int = _get_login_timeout(registry=_jusbr_registry)
     safe_cache: Cache
     if timeout:
         safe_cache = TTLCache(maxsize=16,
-                              ttl=600)
+                              ttl=timeout)
     else:
         safe_cache = FIFOCache(maxsize=16)
     safe_cache["oauth-state"] = oauth_state
     user_data["cache-obj"] = safe_cache
-    auth_url: str = (f"{_jusbr_registry["auth-url"]}/protocol/openid-connect/auth?response_type=code"
+    auth_url: str = (f"{_jusbr_registry["base-url"]}/protocol/openid-connect/auth?response_type=code"
                      f"&client_id={_jusbr_registry["client-id"]}"
                      f"&redirect_uri={_jusbr_registry["callback-url"]}"
                      f"&state={oauth_state}")
     if user_data.get("oauth-scope"):
         auth_url += f"&scope={user_data.get("oauth-scope")}"
 
-    # redirect request
-    return redirect(location=auth_url)
+    # redirect the request
+    result: Response = redirect(location=auth_url)
+
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
+
+    return result
 
 
 # @flask_app.route(rule=<login_endpoint>,  # JUSBR_LOGIN_ENDPOINT: /iam/jusbr:logout
@@ -178,17 +197,27 @@ def service_logout() -> Response:
     """
     global _jusbr_registry
 
-    # retrieve user id
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
+
+    # retrieve the user id
     input_params: dict[str, Any] = request.args
     user_id: str = input_params.get("user-id") or input_params.get("login")
 
-    # remove user data
-    if user_id and user_id in _jusbr_registry.get("users"):
-        _jusbr_registry["users"].pop(user_id)
-        if _logger:
-            _logger.debug(f"User '{user_id}' removed from the registry")
+    # logout the user
+    _user_logout(registry=_jusbr_registry,
+                 user_id=user_id,
+                 logger=_logger)
 
-    return Response(status=200)
+    result: Response = Response(status=200)
+
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
+
+    return result
 
 
 # @flask_app.route(rule=<callback_endpoint>,  # JUSBR_CALLBACK_ENDPOINT: /iam/jusbr:callback
@@ -202,6 +231,11 @@ def service_callback() -> Response:
     global _jusbr_registry
     from .token_pomes import token_validate
 
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
+
     # validate the OAuth2 state
     oauth_state: str = request.args.get("state")
     user_id: str | None = None
@@ -225,7 +259,7 @@ def service_callback() -> Response:
         body_data: dict[str, Any] = {
             "grant_type": "authorization_code",
             "code": code,
-            "redirec_url": _jusbr_registry.get("callback-url"),
+            "redirect_uri": _jusbr_registry.get("callback-url"),
         }
         token = __post_jusbr(user_data=user_data,
                              body_data=body_data,
@@ -233,9 +267,12 @@ def service_callback() -> Response:
                              logger=_logger)
         # retrieve the token's claims
         if not errors:
+            public_key: bytes = _get_public_key(registry=_jusbr_registry,
+                                                url=_jusbr_registry["base-url"],
+                                                logger=_logger)
             token_claims: dict[str, dict[str, Any]] = token_validate(token=token,
-                                                                     issuer=_jusbr_registry.get("auth-url"),
-                                                                     public_key=_jusbr_registry.get("public_key"),
+                                                                     issuer=_jusbr_registry["base-url"],
+                                                                     public_key=public_key,
                                                                      errors=errors,
                                                                      logger=_logger)
             if not errors:
@@ -247,7 +284,7 @@ def service_callback() -> Response:
                     errors.append(f"Token was issued to user '{token_user}'")
     else:
         msg: str = "Unknown OAuth2 code received"
-        if __get_login_timeout():
+        if _get_login_timeout(registry=_jusbr_registry):
             msg += " - possible operation timeout"
         errors.append(msg)
 
@@ -260,6 +297,10 @@ def service_callback() -> Response:
             "user_id": user_id,
             "access_token": token})
 
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
+
     return result
 
 
@@ -271,11 +312,14 @@ def service_token() -> Response:
 
     :return: the response containing the token, or *UNAUTHORIZED*
     """
-    # retrieve user id
-    input_params: dict[str, Any] = request.args
-    user_id: str = input_params.get("user-id") or input_params.get("login")
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
 
     # retrieve the token
+    input_params: dict[str, Any] = request.args
+    user_id: str = input_params.get("user-id") or input_params.get("login")
     errors: list[str] = []
     token: str = jusbr_get_token(user_id=user_id,
                                  logger=_logger)
@@ -286,6 +330,10 @@ def service_token() -> Response:
         result = Response("; ".join(errors))
         result.status_code = 401
 
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
+
     return result
 
 
@@ -305,8 +353,9 @@ def jusbr_get_token(user_id: str,
     # initialize the return variable
     result: str | None = None
 
-    user_data: dict[str, Any] = __get_user_data(user_id=user_id,
-                                                logger=logger)
+    user_data: dict[str, Any] = _get_user_data(registry=_jusbr_registry,
+                                               user_id=user_id,
+                                               logger=logger)
     safe_cache: Cache = user_data.get("cache-obj")
     if safe_cache:
         access_expiration: int = user_data.get("access-expiration")
@@ -350,83 +399,13 @@ def jusbr_set_scope(user_id: str,
     global _jusbr_registry
 
     # retrieve user data
-    user_data: dict[str, Any] = __get_user_data(user_id=user_id,
-                                                logger=logger)
+    user_data: dict[str, Any] = _get_user_data(registry=_jusbr_registry,
+                                               user_id=user_id,
+                                               logger=logger)
     # set the OAuth2 scope
     user_data["oauth-scope"] = scope
     if logger:
-        logger.debug(f"Scope for user '{user_id}' set to '{scope}'")
-
-
-def __get_public_key(url: str,
-                     logger: Logger | None) -> str:
-    """
-    Obtain the public key used by JusBR to sign the authentication tokens.
-
-    :param url: the base URL to request the public key
-    :return: the public key, in *PEM* format
-    """
-    from pypomes_crypto import crypto_jwk_convert
-    global _jusbr_registry
-
-    # initialize the return variable
-    result: str | None = None
-
-    now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-    if now > _jusbr_registry.get("key-expiration"):
-        # obtain a new public key
-        url: str = f"{url}/protocol/openid-connect/certs"
-        response: requests.Response = requests.get(url=url)
-        if response.status_code == 200:
-            # request succeeded
-            reply: dict[str, Any] = response.json()
-            result = crypto_jwk_convert(jwk=reply["keys"][0],
-                                        fmt="PEM")
-            _jusbr_registry["public-key"] = result
-            duration: int = _jusbr_registry.get("key-lifetime") or 0
-            _jusbr_registry["key-expiration"] = now + duration
-        elif logger:
-            logger.error(msg=f"GET '{url}': failed, "
-                             f"status {response.status_code}, reason '{response.reason}'")
-    else:
-        result = _jusbr_registry.get("public-key")
-
-    return result
-
-
-def __get_login_timeout() -> int | None:
-    """
-    Retrieve the timeout currently applicable for the login operation.
-
-    :return: the current login timeout, or *None* if none has been set.
-    """
-    global _jusbr_registry
-
-    timeout: int = _jusbr_registry.get("client-timeout")
-    return timeout if isinstance(timeout, int) and timeout > 0 else None
-
-
-def __get_user_data(user_id: str,
-                    logger: Logger | None) -> dict[str, Any]:
-    """
-    Retrieve the data for *user_id* from the registry.
-
-    If an entry is not found for *user_id* in the registry, it is created.
-    It will remain there until the user is logged out.
-
-    :param user_id:
-    :return: the data for *user_id* in the registry
-    """
-    global _jusbr_registry
-
-    result: dict[str, Any] = _jusbr_registry["users"].get(user_id)
-    if not result:
-        result = {"access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp())}
-        _jusbr_registry["users"][user_id] = result
-        if logger:
-            logger.debug(f"Entry for user '{user_id}' added to registry")
-
-    return result
+        logger.debug(msg=f"Scope for user '{user_id}' set to '{scope}'")
 
 
 def __post_jusbr(user_data: dict[str, Any],
@@ -436,7 +415,7 @@ def __post_jusbr(user_data: dict[str, Any],
     """
     Send a POST request to JusBR to obtain the authentication token data, and return the access token.
 
-    For code for token exchange, *body_data* will have the attributes
+    For token exchange, *body_data* will have the attributes
         - "grant_type": "authorization_code"
         - "code": <16-character-random-code>
         - "redirect_uri": <callback-url>
@@ -467,8 +446,11 @@ def __post_jusbr(user_data: dict[str, Any],
     # obtain the token
     err_msg: str | None = None
     safe_cache: Cache = user_data.get("cache-obj")
-    url: str = _jusbr_registry.get("auth-url") + "/protocol/openid-connect/token"
+    url: str = _jusbr_registry.get("base-url") + "/protocol/openid-connect/token"
     now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+    if logger:
+        logger.debug(msg=f"POST '{url}', data {json.dumps(obj=body_data,
+                                                          ensure_ascii=False)}")
     try:
         # JusBR return on a token request:
         # {
@@ -481,6 +463,8 @@ def __post_jusbr(user_data: dict[str, Any],
                                                     data=body_data)
         if response.status_code == 200:
             # request succeeded
+            if logger:
+                logger.debug(msg=f"POST success, status {response.status_code}")
             reply: dict[str, Any] = response.json()
             result = reply.get("access_token")
             safe_cache: Cache = FIFOCache(maxsize=1024)
@@ -489,12 +473,9 @@ def __post_jusbr(user_data: dict[str, Any],
             safe_cache["refresh-token"] = reply.get("refresh_token") or body_data.get("refresh_token")
             user_data["cache-obj"] = safe_cache
             user_data["access-expiration"] = now + reply.get("expires_in")
-            if logger:
-                logger.debug(msg=f"POST '{url}': status {response.status_code}")
         else:
             # request resulted in error
-            err_msg = (f"POST '{url}': failed, "
-                       f"status {response.status_code}, reason '{response.reason}'")
+            err_msg = f"POST failure, status {response.status_code}, reason '{response.reason}'"
             if hasattr(response, "content") and response.content:
                 err_msg += f", content '{response.content}'"
             if response.status_code == 401 and "refresh_token" in body_data:

pypomes_iam/keycloak_pomes.py

@@ -1,16 +1,19 @@
-# import requests
-# import secrets
-# import string
+import secrets
+import string
 # import sys
-# from cachetools import Cache, FIFOCache, TTLCache
-# from datetime import datetime
+from cachetools import FIFOCache
+from datetime import datetime
 from flask import Flask, Response, redirect, request, jsonify
 from logging import Logger
 from pypomes_core import (
-    APP_PREFIX, TZ_LOCAL, env_get_int, env_get_str, exc_format
+    APP_PREFIX, TZ_LOCAL, env_get_int, env_get_str
 )
 from typing import Any, Final
 
+from .common_pomes import (
+    _get_login_timeout, _get_public_key, _get_user_data, _user_logout, _log_init
+)
+
 KEYCLOAK_CLIENT_ID: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_ID")
 KEYCLOAK_CLIENT_SECRET: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_SECRET")
 KEYCLOAK_CLIENT_TIMEOUT: Final[int] = env_get_int(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_TIMEOUT")
@@ -24,6 +27,8 @@ KEYCLOAK_ENDPOINT_LOGOUT: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_E
 KEYCLOAK_ENDPOINT_TOKEN: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_ENDPOINT_TOKEN",
                                                   def_value="/iam/keycloak:get-token")
 
+KEYCLOAK_PUBLIC_KEY_LIFETIME: Final[int] = env_get_int(key=f"{APP_PREFIX}_KEYCLOAK_PUBLIC_KEY_LIFETIME",
+                                                       def_value=86400)  # 24 hours
 KEYCLOAK_REALM: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_REALM")
 KEYCLOAK_URL_AUTH_BASE: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_URL_AUTH_BASE")
 KEYCLOAK_URL_AUTH_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_URL_AUTH_CALLBACK")
@@ -33,30 +38,24 @@ KEYCLOAK_URL_AUTH_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK
 #    "client-id": <str>,
 #    "client-secret": <str>,
 #    "client-timeout": <int>,
-#    "realm": <str>,
-#    "auth-url": <str>,
+#    "public_key": <str>,
+#    "key-lifetime": <int>,
+#    "key-expiration": <int>,
+#    "base-url": <str>,
 #    "callback-url": <str>,
 #    "users": {
 #       "<user-id>": {
-#         "cache-obj": <Cache>,
-#         "oauth-scope": <str>,
+#         "cache-obj": <FIFOCache>,
 #         "access-expiration": <timestamp>,
-#         data in <Cache>:
-#           "oauth-state": <str>
+#         "login-expiration": <int>,  <-- transient
+#         "login-id": <str>,          <-- transient
+#         data in <FIFOCache>:
 #           "access-token": <str>
 #           "refresh-token": <str>
 #       }
 #    }
 # }
-_keycloak_registry: dict[str, Any] = {
-    "client-id": None,
-    "client-secret": None,
-    "client-timeout": None,
-    "realm": None,
-    "auth-url": None,
-    "callback-url": None,
-    "users": {}
-}
+_keycloak_registry: dict[str, Any] = {}
 
 # dafault logger
 _logger: Logger | None = None
@@ -66,12 +65,13 @@ def keycloak_setup(flask_app: Flask,
                    client_id: str = KEYCLOAK_CLIENT_ID,
                    client_secret: str = KEYCLOAK_CLIENT_SECRET,
                    client_timeout: int = KEYCLOAK_CLIENT_TIMEOUT,
+                   public_key_lifetime: int = KEYCLOAK_PUBLIC_KEY_LIFETIME,
                    realm: str = KEYCLOAK_REALM,
                    callback_endpoint: str = KEYCLOAK_ENDPOINT_CALLBACK,
                    token_endpoint: str = KEYCLOAK_ENDPOINT_TOKEN,
                    login_endpoint: str = KEYCLOAK_ENDPOINT_LOGIN,
                    logout_endpoint: str = KEYCLOAK_ENDPOINT_LOGOUT,
-                   auth_url: str = KEYCLOAK_URL_AUTH_BASE,
+                   base_url: str = KEYCLOAK_URL_AUTH_BASE,
                    callback_url: str = KEYCLOAK_URL_AUTH_CALLBACK,
                    logger: Logger = None) -> None:
     """
@@ -83,12 +83,13 @@ def keycloak_setup(flask_app: Flask,
     :param client_id: the client's identification with JusBR
     :param client_secret: the client's password with JusBR
     :param client_timeout: timeout for login authentication (in seconds,defaults to no timeout)
-    :param realm: the Keycloak reals
+    :param public_key_lifetime: how long to use Keycloak's public key, before refreshing it (in seconds)
+    :param realm: the Keycloak realm
     :param callback_endpoint: endpoint for the callback from JusBR
     :param token_endpoint: endpoint for retrieving the JusBR authentication token
     :param login_endpoint: endpoint for redirecting user to JusBR login page
     :param logout_endpoint: endpoint for terminating user access to JusBR
-    :param auth_url: base URL to request the JusBR services
+    :param base_url: base URL to request the JusBR services
     :param callback_url: URL for Keycloak to callback on login
     :param logger: optional logger
     """
@@ -99,15 +100,16 @@ def keycloak_setup(flask_app: Flask,
     _logger = logger
 
     # configure the JusBR registry
-    _keycloak_registry.update({
+    _keycloak_registry = {
         "client-id": client_id,
         "client-secret": client_secret,
         "client-timeout": client_timeout,
-        "realm": realm,
-        "auth-url": auth_url,
+        "base-url": f"{base_url}/realms/{realm}",
         "callback-url": callback_url,
+        "key-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
+        "key-lifetime": public_key_lifetime,
         "users": []
-    })
+    }
 
     # establish the endpoints
     if token_endpoint:
@@ -144,28 +146,77 @@ def service_login() -> Response:
     """
     global _keycloak_registry
 
-    # retrieve user id
-    input_params: dict[str, Any] = request.args
-    _user_id: str = input_params.get("user-id") or input_params.get("login")
-    return Response()
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
+
+    # build the OAuth2 state, and temporarily use it as 'user_id'
+    oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
+    # obtain the user data
+    user_data: dict[str, Any] = _get_user_data(registry=_keycloak_registry,
+                                               user_id=oauth_state,
+                                               logger=_logger)
+    # build the redirect url
+    timeout: int = _get_login_timeout(registry=_keycloak_registry)
+    safe_cache: FIFOCache
+    if timeout:
+        safe_cache = FIFOCache(maxsize=16)
+    else:
+        safe_cache = FIFOCache(maxsize=16)
+    safe_cache["valid"] = True
+    user_data["cache-obj"] = safe_cache
+    auth_url: str = (
+        f"{_keycloak_registry["base-url"]}/protocol/openid-connect/auth"
+        f"?client_id={_keycloak_registry["client-id"]}"
+        f"&response_type=code"
+        f"&scope=openid"
+        f"&redirect_uri={_keycloak_registry["callback-url"]}"
+    )
+
+    # redirect the request
+    result: Response = redirect(location=auth_url)
+
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
+
+    return result
 
 
 # @flask_app.route(rule=<login_endpoint>,  # KEYCLOAK_LOGIN_ENDPOINT: /iam/keycloak:logout
 #                  methods=["GET"])
 def service_logout() -> Response:
     """
-    Entry point for the JusBR logout service.
+    Entry point for the Keycloak logout service.
 
-    Remove all data associating the user with JusBR from the registry.
+    Remove all data associating the user with Keycloak from the registry.
 
     :return: response *OK*
     """
     global _keycloak_registry
 
-    # retrieve user id
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
+
+    # retrieve the user id
     input_params: dict[str, Any] = request.args
-    _user_id: str = input_params.get("user-id") or input_params.get("login")
-    return Response()
+    user_id: str = input_params.get("user-id") or input_params.get("login")
+
+    # logout the user
+    _user_logout(registry=_keycloak_registry,
+                 user_id=user_id,
+                 logger=_logger)
+
+    result: Response = Response(status=200)
+
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
+
+    return result
 
 
 # @flask_app.route(rule=<callback_endpoint>,  # KEYCLOAK_CALLBACK_ENDPOINT: /iam/keycloak:callback
@@ -177,7 +228,79 @@ def service_callback() -> Response:
     :return: the response containing the token, or *NOT AUTHORIZED*
     """
     global _keycloak_registry
-    return Response()
+    from .token_pomes import token_validate
+
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
+
+    # validate the OAuth2 state
+    oauth_state: str = request.args.get("state")
+    user_id: str | None = None
+    user_data: dict[str, Any] | None = None
+    if oauth_state:
+        for user, data in _keycloak_registry.get("users").items():
+            safe_cache: FIFOCache = data.get("cache-obj")
+            if user == oauth_state:
+                if data.get("valid"):
+                    user_id = user
+                    user_data = data
+                else:
+                    msg = "Operation timeout"
+                break
+
+    # exchange 'code' for the token
+    token: str | None = None
+    errors: list[str] = []
+    if user_data:
+        code: str = request.args.get("code")
+        body_data: dict[str, Any] = {
+            "grant_type": "authorization_code",
+            "code": code,
+            "redirec_url": _keycloak_registry.get("callback-url"),
+        }
+        # token = __post_jusbr(user_data=user_data,
+        #                      body_data=body_data,
+        #                      errors=errors,
+        #                      logger=_logger)
+        # retrieve the token's claims
+        if not errors:
+            public_key: bytes = _get_public_key(registry=_keycloak_registry,
+                                                url=_keycloak_registry["base-url"],
+                                                logger=_logger)
+            token_claims: dict[str, dict[str, Any]] = token_validate(token=token,
+                                                                     issuer=_keycloak_registry["base-url"],
+                                                                     public_key=public_key,
+                                                                     errors=errors,
+                                                                     logger=_logger)
+            if not errors:
+                token_user: str = token_claims["payload"].get("preferred_username")
+                if user_id == oauth_state:
+                    user_id = token_user
+                    _keycloak_registry["users"][user_id] = _keycloak_registry["users"].pop(oauth_state)
+                elif token_user != user_id:
+                    errors.append(f"Token was issued to user '{token_user}'")
+    else:
+        msg: str = "Unknown OAuth2 code received"
+        if _get_login_timeout(registry=_keycloak_registry):
+            msg += " - possible operation timeout"
+        errors.append(msg)
+
+    result: Response
+    if errors:
+        result = jsonify({"errors": "; ".join(errors)})
+        result.status_code = 400
+    else:
+        result = jsonify({
+            "user_id": user_id,
+            "access_token": token})
+
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
+
+    return result
 
 
 # @flask_app.route(rule=<token_endpoint>,  # JUSBR_TOKEN_ENDPOINT: /iam/jusbr:get-token
@@ -188,7 +311,12 @@ def service_token() -> Response:
 
     :return: the response containing the token, or *UNAUTHORIZED*
     """
-    # retrieve user id
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
+
+    # retrieve the user id
     input_params: dict[str, Any] = request.args
     _user_id: str = input_params.get("user-id") or input_params.get("login")
     return Response()
@@ -210,4 +338,3 @@ def keycloak_get_token(user_id: str,
     # initialize the return variable
     result: str | None = None
     return result
-

{pypomes_iam-0.1.6.dist-info → pypomes_iam-0.1.8.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_iam
-Version: 0.1.6
+Version: 0.1.8
 Summary: A collection of Python pomes, penyeach (IAM modules)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-IAM
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-IAM/issues

pypomes_iam-0.1.8.dist-info/RECORD

@@ -0,0 +1,10 @@
+pypomes_iam/__init__.py,sha256=lHnqNqW1stQjcM6cr9wf3GGnw5_zGf1HN3zyHGb8PCA,577
+pypomes_iam/common_pomes.py,sha256=kdzyEJX275SmMa_zi6AJaC9gVxlXcOailyantPvNOyQ,3908
+pypomes_iam/jusbr_pomes.py,sha256=kNgAgQAMDdODoNO4XKrSggFwQ7R2ID-LLz7tmT3PXH4,19510
+pypomes_iam/keycloak_pomes.py,sha256=m4jM_4c_McVg74T7JG7j3tbMo9Yxp6IKgt8TuauIp7o,13204
+pypomes_iam/provider_pomes.py,sha256=eP8XzjTUEpwejTkO0wmDiqKjqbIEOzRNCR2ju5E15og,5856
+pypomes_iam/token_pomes.py,sha256=McjKB8omCjuicenwvDVPiWYu3-7gQeLg1AzgAVKK32M,4309
+pypomes_iam-0.1.8.dist-info/METADATA,sha256=fjisTEC7XbvWn37I-2Jez6vtk7Uo83Q1WCjq172hOok,694
+pypomes_iam-0.1.8.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+pypomes_iam-0.1.8.dist-info/licenses/LICENSE,sha256=YvUELgV8qvXlaYsy9hXG5EW3Bmsrkw-OJmmILZnonAc,1086
+pypomes_iam-0.1.8.dist-info/RECORD,,

pypomes_iam-0.1.6.dist-info/RECORD

@@ -1,9 +0,0 @@
-pypomes_iam/__init__.py,sha256=lHnqNqW1stQjcM6cr9wf3GGnw5_zGf1HN3zyHGb8PCA,577
-pypomes_iam/jusbr_pomes.py,sha256=152ugJ0OygQLMsfr35-KiKkSv2mBdP0IGsV5SxRIU0M,20385
-pypomes_iam/keycloak_pomes.py,sha256=4vLaYQNY9S9xHmyiv9Ii8jgL5jA1-MgAgWduicCyofw,8059
-pypomes_iam/provider_pomes.py,sha256=eP8XzjTUEpwejTkO0wmDiqKjqbIEOzRNCR2ju5E15og,5856
-pypomes_iam/token_pomes.py,sha256=McjKB8omCjuicenwvDVPiWYu3-7gQeLg1AzgAVKK32M,4309
-pypomes_iam-0.1.6.dist-info/METADATA,sha256=vc4SRenbHL2SJ6IM9LKgWKq4roIyW963ie3EwxqZIlI,694
-pypomes_iam-0.1.6.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-pypomes_iam-0.1.6.dist-info/licenses/LICENSE,sha256=YvUELgV8qvXlaYsy9hXG5EW3Bmsrkw-OJmmILZnonAc,1086
-pypomes_iam-0.1.6.dist-info/RECORD,,