PyPI - pypomes-iam - Versions diffs - 0.1.6__tar.gz → 0.1.8__tar.gz - Mend

pypomes-iam 0.1.6tar.gz → 0.1.8tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of pypomes-iam might be problematic. Click here for more details.

Files changed (12) hide show

{pypomes_iam-0.1.6 → pypomes_iam-0.1.8}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_iam
-Version: 0.1.6
+Version: 0.1.8
 Summary: A collection of Python pomes, penyeach (IAM modules)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-IAM
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-IAM/issues

{pypomes_iam-0.1.6 → pypomes_iam-0.1.8}/pyproject.toml RENAMED Viewed

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 [project]
 name = "pypomes_iam"
-version = "0.1.6"
+version = "0.1.8"
 authors = [
   { name="GT Nunes", email="wisecoder01@gmail.com" }
 ]

pypomes_iam-0.1.8/src/pypomes_iam/common_pomes.py ADDED Viewed

@@ -0,0 +1,111 @@
+import json
+import requests
+from datetime import datetime
+from flask import Request
+from logging import Logger
+from pypomes_core import TZ_LOCAL
+from typing import Any
+def _get_public_key(registry: dict[str, Any],
+                    url: str,
+                    logger: Logger | None) -> bytes:
+    """
+    Obtain the public key used by the *IAM* to sign the authentication tokens.
+    The public key is saved in *registry*.
+    :param url: the base URL to request the public key
+    :return: the public key, in *DER* format
+    """
+    from pypomes_crypto import crypto_jwk_convert
+    # initialize the return variable
+    result: bytes | None = None
+    now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+    if now > registry.get("key-expiration"):
+        # obtain a new public key
+        url: str = f"{url}/protocol/openid-connect/certs"
+        if logger:
+            logger.debug(msg=f"GET '{url}'")
+        response: requests.Response = requests.get(url=url)
+        if response.status_code == 200:
+            # request succeeded
+            if logger:
+                logger.debug(msg=f"GET success, status {response.status_code}")
+            reply: dict[str, Any] = response.json()
+            result = crypto_jwk_convert(jwk=reply["keys"][0],
+                                        fmt="DER")
+            registry["public-key"] = result
+            duration: int = registry.get("key-lifetime") or 0
+            registry["key-expiration"] = now + duration
+        elif logger:
+            msg: str = f"GET failure, status {response.status_code}, reason '{response.reason}'"
+            if hasattr(response, "content") and response.content:
+                msg += f", content '{response.content}'"
+            logger.error(msg=msg)
+    else:
+        result = registry.get("public-key")
+    return result
+def _get_login_timeout(registry: dict[str, Any]) -> int | None:
+    """
+    Retrieve from *registry* the timeout currently applicable for the login operation.
+    :return: the current login timeout, or *None* if none has been set.
+    """
+    timeout: int = registry.get("client-timeout")
+    return timeout if isinstance(timeout, int) and timeout > 0 else None
+def _get_user_data(registry: dict[str, Any],
+                   user_id: str,
+                   logger: Logger | None) -> dict[str, Any]:
+    """
+    Retrieve the data for *user_id* from *registry*.
+    If an entry is not found for *user_id* in the registry, it is created.
+    It will remain there until the user is logged out.
+    :param user_id:
+    :return: the data for *user_id* in the registry
+    """
+    result: dict[str, Any] = registry["users"].get(user_id)
+    if not result:
+        result = {"access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp())}
+        registry["users"][user_id] = result
+        if logger:
+            logger.debug(msg=f"Entry for user '{user_id}' added to the registry")
+    elif logger:
+        logger.debug(msg=f"Entry for user '{user_id}' obtained from the registry")
+    return result
+def _user_logout(registry: dict[str, Any],
+                 user_id: str,
+                 logger: Logger | None) -> None:
+    """
+    Remove all data associating *user_id* from *registry*.
+    """
+    # remove the user data
+    if user_id and user_id in registry.get("users"):
+        registry["users"].pop(user_id)
+        if logger:
+            logger.debug(msg=f"User '{user_id}' removed from the registry")
+def _log_init(request: Request) -> str:
+    """
+    Build the messages for logging the request entry.
+    :param request: the Request object
+    :return: the log message
+    """
+    params: str = json.dumps(obj=request.args,
+                             ensure_ascii=False)
+    return f"Request {request.method}:{request.path}, params {params}"

{pypomes_iam-0.1.6 → pypomes_iam-0.1.8}/src/pypomes_iam/jusbr_pomes.py RENAMED Viewed

@@ -1,3 +1,4 @@
+import json
 import requests
 import secrets
 import string
@@ -11,6 +12,10 @@ from pypomes_core import (
 )
 from typing import Any, Final
+from .common_pomes import (
+    _get_login_timeout, _get_public_key, _get_user_data, _user_logout, _log_init
+)
 JUSBR_CLIENT_ID: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_CLIENT_ID")
 JUSBR_CLIENT_SECRET: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_CLIENT_SECRET")
 JUSBR_CLIENT_TIMEOUT: Final[int] = env_get_int(key=f"{APP_PREFIX}_JUSBR_CLIENT_TIMEOUT")
@@ -34,17 +39,19 @@ JUSBR_URL_AUTH_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_URL_A
 #    "client-id": <str>,
 #    "client-secret": <str>,
 #    "client-timeout": <int>,
-#    "public_key": <str>,
+#    "public_key": <bytes>,
+#    "key-lifetime": <int>,
 #    "key-expiration": <int>,
-#    "auth-url": <str>,
+#    "base-url": <str>,
 #    "callback-url": <str>,
 #    "users": {
 #       "<user-id>": {
 #         "cache-obj": <Cache>,
 #         "oauth-scope": <str>,
 #         "access-expiration": <timestamp>,
+#         "login-expiration": <int>,  <-- transient
+#         "login-id": <str>,          <-- transient
 #         data in <Cache>:
-#           "oauth-state": <str>
 #           "access-token": <str>
 #           "refresh-token": <str>
 #       }
@@ -65,7 +72,7 @@ def jusbr_setup(flask_app: Flask,
                 token_endpoint: str = JUSBR_ENDPOINT_TOKEN,
                 login_endpoint: str = JUSBR_ENDPOINT_LOGIN,
                 logout_endpoint: str = JUSBR_ENDPOINT_LOGOUT,
-                auth_url: str = JUSBR_URL_AUTH_BASE,
+                base_url: str = JUSBR_URL_AUTH_BASE,
                 callback_url: str = JUSBR_URL_AUTH_CALLBACK,
                 logger: Logger = None) -> None:
     """
@@ -82,7 +89,7 @@ def jusbr_setup(flask_app: Flask,
     :param token_endpoint: endpoint for retrieving the JusBR authentication token
     :param login_endpoint: endpoint for redirecting user to JusBR login page
     :param logout_endpoint: endpoint for terminating user access to JusBR
-    :param auth_url: base URL to request the JusBR services
+    :param base_url: base URL to request the JusBR services
     :param callback_url: URL for JusBR to callback on login
     :param logger: optional logger
     """
@@ -96,7 +103,7 @@ def jusbr_setup(flask_app: Flask,
         "client-id": client_id,
         "client-secret": client_secret,
         "client-timeout": client_timeout,
-        "auth-url": auth_url,
+        "base-url": base_url,
         "callback-url": callback_url,
         "key-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
         "key-lifetime": public_key_lifetime,
@@ -138,32 +145,44 @@ def service_login() -> Response:
     """
     global _jusbr_registry
-    # retrieve user data (if not provided, 'user_id' is temporarily set to 'oauth_state'
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
+    # retrieve user data (if not provided, 'user_id' is temporarily set to 'oauth_state')
     input_params: dict[str, Any] = request.values
     oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
     user_id: str = input_params.get("user-id") or input_params.get("login") or oauth_state
-    # obtain user data
-    user_data: dict[str, Any] = __get_user_data(user_id=user_id,
-                                                logger=_logger)
-    # build redirect url
-    timeout: int = __get_login_timeout()
+    # obtain the user data
+    user_data: dict[str, Any] = _get_user_data(registry=_jusbr_registry,
+                                               user_id=user_id,
+                                               logger=_logger)
+    # build the redirect url
+    timeout: int = _get_login_timeout(registry=_jusbr_registry)
     safe_cache: Cache
     if timeout:
         safe_cache = TTLCache(maxsize=16,
-                              ttl=600)
+                              ttl=timeout)
     else:
         safe_cache = FIFOCache(maxsize=16)
     safe_cache["oauth-state"] = oauth_state
     user_data["cache-obj"] = safe_cache
-    auth_url: str = (f"{_jusbr_registry["auth-url"]}/protocol/openid-connect/auth?response_type=code"
+    auth_url: str = (f"{_jusbr_registry["base-url"]}/protocol/openid-connect/auth?response_type=code"
                      f"&client_id={_jusbr_registry["client-id"]}"
                      f"&redirect_uri={_jusbr_registry["callback-url"]}"
                      f"&state={oauth_state}")
     if user_data.get("oauth-scope"):
         auth_url += f"&scope={user_data.get("oauth-scope")}"
-    # redirect request
-    return redirect(location=auth_url)
+    # redirect the request
+    result: Response = redirect(location=auth_url)
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
+    return result
 # @flask_app.route(rule=<login_endpoint>,  # JUSBR_LOGIN_ENDPOINT: /iam/jusbr:logout
@@ -178,17 +197,27 @@ def service_logout() -> Response:
     """
     global _jusbr_registry
-    # retrieve user id
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
+    # retrieve the user id
     input_params: dict[str, Any] = request.args
     user_id: str = input_params.get("user-id") or input_params.get("login")
-    # remove user data
-    if user_id and user_id in _jusbr_registry.get("users"):
-        _jusbr_registry["users"].pop(user_id)
-        if _logger:
-            _logger.debug(f"User '{user_id}' removed from the registry")
+    # logout the user
+    _user_logout(registry=_jusbr_registry,
+                 user_id=user_id,
+                 logger=_logger)
-    return Response(status=200)
+    result: Response = Response(status=200)
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
+    return result
 # @flask_app.route(rule=<callback_endpoint>,  # JUSBR_CALLBACK_ENDPOINT: /iam/jusbr:callback
@@ -202,6 +231,11 @@ def service_callback() -> Response:
     global _jusbr_registry
     from .token_pomes import token_validate
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
     # validate the OAuth2 state
     oauth_state: str = request.args.get("state")
     user_id: str | None = None
@@ -225,7 +259,7 @@ def service_callback() -> Response:
         body_data: dict[str, Any] = {
             "grant_type": "authorization_code",
             "code": code,
-            "redirec_url": _jusbr_registry.get("callback-url"),
+            "redirect_uri": _jusbr_registry.get("callback-url"),
         }
         token = __post_jusbr(user_data=user_data,
                              body_data=body_data,
@@ -233,9 +267,12 @@ def service_callback() -> Response:
                              logger=_logger)
         # retrieve the token's claims
         if not errors:
+            public_key: bytes = _get_public_key(registry=_jusbr_registry,
+                                                url=_jusbr_registry["base-url"],
+                                                logger=_logger)
             token_claims: dict[str, dict[str, Any]] = token_validate(token=token,
-                                                                     issuer=_jusbr_registry.get("auth-url"),
-                                                                     public_key=_jusbr_registry.get("public_key"),
+                                                                     issuer=_jusbr_registry["base-url"],
+                                                                     public_key=public_key,
                                                                      errors=errors,
                                                                      logger=_logger)
             if not errors:
@@ -247,7 +284,7 @@ def service_callback() -> Response:
                     errors.append(f"Token was issued to user '{token_user}'")
     else:
         msg: str = "Unknown OAuth2 code received"
-        if __get_login_timeout():
+        if _get_login_timeout(registry=_jusbr_registry):
             msg += " - possible operation timeout"
         errors.append(msg)
@@ -260,6 +297,10 @@ def service_callback() -> Response:
             "user_id": user_id,
             "access_token": token})
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
     return result
@@ -271,11 +312,14 @@ def service_token() -> Response:
     :return: the response containing the token, or *UNAUTHORIZED*
     """
-    # retrieve user id
-    input_params: dict[str, Any] = request.args
-    user_id: str = input_params.get("user-id") or input_params.get("login")
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
     # retrieve the token
+    input_params: dict[str, Any] = request.args
+    user_id: str = input_params.get("user-id") or input_params.get("login")
     errors: list[str] = []
     token: str = jusbr_get_token(user_id=user_id,
                                  logger=_logger)
@@ -286,6 +330,10 @@ def service_token() -> Response:
         result = Response("; ".join(errors))
         result.status_code = 401
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
     return result
@@ -305,8 +353,9 @@ def jusbr_get_token(user_id: str,
     # initialize the return variable
     result: str | None = None
-    user_data: dict[str, Any] = __get_user_data(user_id=user_id,
-                                                logger=logger)
+    user_data: dict[str, Any] = _get_user_data(registry=_jusbr_registry,
+                                               user_id=user_id,
+                                               logger=logger)
     safe_cache: Cache = user_data.get("cache-obj")
     if safe_cache:
         access_expiration: int = user_data.get("access-expiration")
@@ -350,83 +399,13 @@ def jusbr_set_scope(user_id: str,
     global _jusbr_registry
     # retrieve user data
-    user_data: dict[str, Any] = __get_user_data(user_id=user_id,
-                                                logger=logger)
+    user_data: dict[str, Any] = _get_user_data(registry=_jusbr_registry,
+                                               user_id=user_id,
+                                               logger=logger)
     # set the OAuth2 scope
     user_data["oauth-scope"] = scope
     if logger:
-        logger.debug(f"Scope for user '{user_id}' set to '{scope}'")
-def __get_public_key(url: str,
-                     logger: Logger | None) -> str:
-    """
-    Obtain the public key used by JusBR to sign the authentication tokens.
-    :param url: the base URL to request the public key
-    :return: the public key, in *PEM* format
-    """
-    from pypomes_crypto import crypto_jwk_convert
-    global _jusbr_registry
-    # initialize the return variable
-    result: str | None = None
-    now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-    if now > _jusbr_registry.get("key-expiration"):
-        # obtain a new public key
-        url: str = f"{url}/protocol/openid-connect/certs"
-        response: requests.Response = requests.get(url=url)
-        if response.status_code == 200:
-            # request succeeded
-            reply: dict[str, Any] = response.json()
-            result = crypto_jwk_convert(jwk=reply["keys"][0],
-                                        fmt="PEM")
-            _jusbr_registry["public-key"] = result
-            duration: int = _jusbr_registry.get("key-lifetime") or 0
-            _jusbr_registry["key-expiration"] = now + duration
-        elif logger:
-            logger.error(msg=f"GET '{url}': failed, "
-                             f"status {response.status_code}, reason '{response.reason}'")
-    else:
-        result = _jusbr_registry.get("public-key")
-    return result
-def __get_login_timeout() -> int | None:
-    """
-    Retrieve the timeout currently applicable for the login operation.
-    :return: the current login timeout, or *None* if none has been set.
-    """
-    global _jusbr_registry
-    timeout: int = _jusbr_registry.get("client-timeout")
-    return timeout if isinstance(timeout, int) and timeout > 0 else None
-def __get_user_data(user_id: str,
-                    logger: Logger | None) -> dict[str, Any]:
-    """
-    Retrieve the data for *user_id* from the registry.
-    If an entry is not found for *user_id* in the registry, it is created.
-    It will remain there until the user is logged out.
-    :param user_id:
-    :return: the data for *user_id* in the registry
-    """
-    global _jusbr_registry
-    result: dict[str, Any] = _jusbr_registry["users"].get(user_id)
-    if not result:
-        result = {"access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp())}
-        _jusbr_registry["users"][user_id] = result
-        if logger:
-            logger.debug(f"Entry for user '{user_id}' added to registry")
-    return result
+        logger.debug(msg=f"Scope for user '{user_id}' set to '{scope}'")
 def __post_jusbr(user_data: dict[str, Any],
@@ -436,7 +415,7 @@ def __post_jusbr(user_data: dict[str, Any],
     """
     Send a POST request to JusBR to obtain the authentication token data, and return the access token.
-    For code for token exchange, *body_data* will have the attributes
+    For token exchange, *body_data* will have the attributes
         - "grant_type": "authorization_code"
         - "code": <16-character-random-code>
         - "redirect_uri": <callback-url>
@@ -467,8 +446,11 @@ def __post_jusbr(user_data: dict[str, Any],
     # obtain the token
     err_msg: str | None = None
     safe_cache: Cache = user_data.get("cache-obj")
-    url: str = _jusbr_registry.get("auth-url") + "/protocol/openid-connect/token"
+    url: str = _jusbr_registry.get("base-url") + "/protocol/openid-connect/token"
     now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+    if logger:
+        logger.debug(msg=f"POST '{url}', data {json.dumps(obj=body_data,
+                                                          ensure_ascii=False)}")
     try:
         # JusBR return on a token request:
         # {
@@ -481,6 +463,8 @@ def __post_jusbr(user_data: dict[str, Any],
                                                     data=body_data)
         if response.status_code == 200:
             # request succeeded
+            if logger:
+                logger.debug(msg=f"POST success, status {response.status_code}")
             reply: dict[str, Any] = response.json()
             result = reply.get("access_token")
             safe_cache: Cache = FIFOCache(maxsize=1024)
@@ -489,12 +473,9 @@ def __post_jusbr(user_data: dict[str, Any],
             safe_cache["refresh-token"] = reply.get("refresh_token") or body_data.get("refresh_token")
             user_data["cache-obj"] = safe_cache
             user_data["access-expiration"] = now + reply.get("expires_in")
-            if logger:
-                logger.debug(msg=f"POST '{url}': status {response.status_code}")
         else:
             # request resulted in error
-            err_msg = (f"POST '{url}': failed, "
-                       f"status {response.status_code}, reason '{response.reason}'")
+            err_msg = f"POST failure, status {response.status_code}, reason '{response.reason}'"
             if hasattr(response, "content") and response.content:
                 err_msg += f", content '{response.content}'"
             if response.status_code == 401 and "refresh_token" in body_data:

pypomes_iam-0.1.8/src/pypomes_iam/keycloak_pomes.py ADDED Viewed

@@ -0,0 +1,340 @@
+import secrets
+import string
+# import sys
+from cachetools import FIFOCache
+from datetime import datetime
+from flask import Flask, Response, redirect, request, jsonify
+from logging import Logger
+from pypomes_core import (
+    APP_PREFIX, TZ_LOCAL, env_get_int, env_get_str
+)
+from typing import Any, Final
+from .common_pomes import (
+    _get_login_timeout, _get_public_key, _get_user_data, _user_logout, _log_init
+)
+KEYCLOAK_CLIENT_ID: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_ID")
+KEYCLOAK_CLIENT_SECRET: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_SECRET")
+KEYCLOAK_CLIENT_TIMEOUT: Final[int] = env_get_int(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_TIMEOUT")
+KEYCLOAK_ENDPOINT_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_ENDPOINT_CALLBACK",
+                                                     def_value="/iam/keycloak:callback")
+KEYCLOAK_ENDPOINT_LOGIN: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_ENDPOINT_LOGIN",
+                                                  def_value="/iam/keycloak:login")
+KEYCLOAK_ENDPOINT_LOGOUT: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_ENDPOINT_LOGOUT",
+                                                   def_value="/iam/keycloak:logout")
+KEYCLOAK_ENDPOINT_TOKEN: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_ENDPOINT_TOKEN",
+                                                  def_value="/iam/keycloak:get-token")
+KEYCLOAK_PUBLIC_KEY_LIFETIME: Final[int] = env_get_int(key=f"{APP_PREFIX}_KEYCLOAK_PUBLIC_KEY_LIFETIME",
+                                                       def_value=86400)  # 24 hours
+KEYCLOAK_REALM: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_REALM")
+KEYCLOAK_URL_AUTH_BASE: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_URL_AUTH_BASE")
+KEYCLOAK_URL_AUTH_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_URL_AUTH_CALLBACK")
+# registry structure:
+# {
+#    "client-id": <str>,
+#    "client-secret": <str>,
+#    "client-timeout": <int>,
+#    "public_key": <str>,
+#    "key-lifetime": <int>,
+#    "key-expiration": <int>,
+#    "base-url": <str>,
+#    "callback-url": <str>,
+#    "users": {
+#       "<user-id>": {
+#         "cache-obj": <FIFOCache>,
+#         "access-expiration": <timestamp>,
+#         "login-expiration": <int>,  <-- transient
+#         "login-id": <str>,          <-- transient
+#         data in <FIFOCache>:
+#           "access-token": <str>
+#           "refresh-token": <str>
+#       }
+#    }
+# }
+_keycloak_registry: dict[str, Any] = {}
+# dafault logger
+_logger: Logger | None = None
+def keycloak_setup(flask_app: Flask,
+                   client_id: str = KEYCLOAK_CLIENT_ID,
+                   client_secret: str = KEYCLOAK_CLIENT_SECRET,
+                   client_timeout: int = KEYCLOAK_CLIENT_TIMEOUT,
+                   public_key_lifetime: int = KEYCLOAK_PUBLIC_KEY_LIFETIME,
+                   realm: str = KEYCLOAK_REALM,
+                   callback_endpoint: str = KEYCLOAK_ENDPOINT_CALLBACK,
+                   token_endpoint: str = KEYCLOAK_ENDPOINT_TOKEN,
+                   login_endpoint: str = KEYCLOAK_ENDPOINT_LOGIN,
+                   logout_endpoint: str = KEYCLOAK_ENDPOINT_LOGOUT,
+                   base_url: str = KEYCLOAK_URL_AUTH_BASE,
+                   callback_url: str = KEYCLOAK_URL_AUTH_CALLBACK,
+                   logger: Logger = None) -> None:
+    """
+    Configure the Keycloak IAM.
+    This should be invoked only once, before the first access to a Keycloak service.
+    :param flask_app: the Flask application
+    :param client_id: the client's identification with JusBR
+    :param client_secret: the client's password with JusBR
+    :param client_timeout: timeout for login authentication (in seconds,defaults to no timeout)
+    :param public_key_lifetime: how long to use Keycloak's public key, before refreshing it (in seconds)
+    :param realm: the Keycloak realm
+    :param callback_endpoint: endpoint for the callback from JusBR
+    :param token_endpoint: endpoint for retrieving the JusBR authentication token
+    :param login_endpoint: endpoint for redirecting user to JusBR login page
+    :param logout_endpoint: endpoint for terminating user access to JusBR
+    :param base_url: base URL to request the JusBR services
+    :param callback_url: URL for Keycloak to callback on login
+    :param logger: optional logger
+    """
+    global _keycloak_registry
+    # establish the logger
+    global _logger
+    _logger = logger
+    # configure the JusBR registry
+    _keycloak_registry = {
+        "client-id": client_id,
+        "client-secret": client_secret,
+        "client-timeout": client_timeout,
+        "base-url": f"{base_url}/realms/{realm}",
+        "callback-url": callback_url,
+        "key-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
+        "key-lifetime": public_key_lifetime,
+        "users": []
+    }
+    # establish the endpoints
+    if token_endpoint:
+        flask_app.add_url_rule(rule=token_endpoint,
+                               endpoint="keycloak-token",
+                               view_func=service_token,
+                               methods=["GET"])
+    if login_endpoint:
+        flask_app.add_url_rule(rule=login_endpoint,
+                               endpoint="keycloak-login",
+                               view_func=service_login,
+                               methods=["GET"])
+    if logout_endpoint:
+        flask_app.add_url_rule(rule=logout_endpoint,
+                               endpoint="keycloak-logout",
+                               view_func=service_logout,
+                               methods=["GET"])
+    if callback_endpoint:
+        flask_app.add_url_rule(rule=callback_endpoint,
+                               endpoint="keycloak-callback",
+                               view_func=service_callback,
+                               methods=["POST"])
+# @flask_app.route(rule=<login_endpoint>,  # KEYCLOAK_LOGIN_ENDPOINT: /iam/keycloak:login
+#                  methods=["GET"])
+def service_login() -> Response:
+    """
+    Entry point for the Keycloak login service.
+    Redirect the request to the Keycloak authentication page, with the appropriate parameters.
+    :return: the response from the redirect operation
+    """
+    global _keycloak_registry
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
+    # build the OAuth2 state, and temporarily use it as 'user_id'
+    oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
+    # obtain the user data
+    user_data: dict[str, Any] = _get_user_data(registry=_keycloak_registry,
+                                               user_id=oauth_state,
+                                               logger=_logger)
+    # build the redirect url
+    timeout: int = _get_login_timeout(registry=_keycloak_registry)
+    safe_cache: FIFOCache
+    if timeout:
+        safe_cache = FIFOCache(maxsize=16)
+    else:
+        safe_cache = FIFOCache(maxsize=16)
+    safe_cache["valid"] = True
+    user_data["cache-obj"] = safe_cache
+    auth_url: str = (
+        f"{_keycloak_registry["base-url"]}/protocol/openid-connect/auth"
+        f"?client_id={_keycloak_registry["client-id"]}"
+        f"&response_type=code"
+        f"&scope=openid"
+        f"&redirect_uri={_keycloak_registry["callback-url"]}"
+    )
+    # redirect the request
+    result: Response = redirect(location=auth_url)
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
+    return result
+# @flask_app.route(rule=<login_endpoint>,  # KEYCLOAK_LOGIN_ENDPOINT: /iam/keycloak:logout
+#                  methods=["GET"])
+def service_logout() -> Response:
+    """
+    Entry point for the Keycloak logout service.
+    Remove all data associating the user with Keycloak from the registry.
+    :return: response *OK*
+    """
+    global _keycloak_registry
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
+    # retrieve the user id
+    input_params: dict[str, Any] = request.args
+    user_id: str = input_params.get("user-id") or input_params.get("login")
+    # logout the user
+    _user_logout(registry=_keycloak_registry,
+                 user_id=user_id,
+                 logger=_logger)
+    result: Response = Response(status=200)
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
+    return result
+# @flask_app.route(rule=<callback_endpoint>,  # KEYCLOAK_CALLBACK_ENDPOINT: /iam/keycloak:callback
+#                  methods=["POST"])
+def service_callback() -> Response:
+    """
+    Entry point for the callback from Keycloak on authentication operation.
+    :return: the response containing the token, or *NOT AUTHORIZED*
+    """
+    global _keycloak_registry
+    from .token_pomes import token_validate
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
+    # validate the OAuth2 state
+    oauth_state: str = request.args.get("state")
+    user_id: str | None = None
+    user_data: dict[str, Any] | None = None
+    if oauth_state:
+        for user, data in _keycloak_registry.get("users").items():
+            safe_cache: FIFOCache = data.get("cache-obj")
+            if user == oauth_state:
+                if data.get("valid"):
+                    user_id = user
+                    user_data = data
+                else:
+                    msg = "Operation timeout"
+                break
+    # exchange 'code' for the token
+    token: str | None = None
+    errors: list[str] = []
+    if user_data:
+        code: str = request.args.get("code")
+        body_data: dict[str, Any] = {
+            "grant_type": "authorization_code",
+            "code": code,
+            "redirec_url": _keycloak_registry.get("callback-url"),
+        }
+        # token = __post_jusbr(user_data=user_data,
+        #                      body_data=body_data,
+        #                      errors=errors,
+        #                      logger=_logger)
+        # retrieve the token's claims
+        if not errors:
+            public_key: bytes = _get_public_key(registry=_keycloak_registry,
+                                                url=_keycloak_registry["base-url"],
+                                                logger=_logger)
+            token_claims: dict[str, dict[str, Any]] = token_validate(token=token,
+                                                                     issuer=_keycloak_registry["base-url"],
+                                                                     public_key=public_key,
+                                                                     errors=errors,
+                                                                     logger=_logger)
+            if not errors:
+                token_user: str = token_claims["payload"].get("preferred_username")
+                if user_id == oauth_state:
+                    user_id = token_user
+                    _keycloak_registry["users"][user_id] = _keycloak_registry["users"].pop(oauth_state)
+                elif token_user != user_id:
+                    errors.append(f"Token was issued to user '{token_user}'")
+    else:
+        msg: str = "Unknown OAuth2 code received"
+        if _get_login_timeout(registry=_keycloak_registry):
+            msg += " - possible operation timeout"
+        errors.append(msg)
+    result: Response
+    if errors:
+        result = jsonify({"errors": "; ".join(errors)})
+        result.status_code = 400
+    else:
+        result = jsonify({
+            "user_id": user_id,
+            "access_token": token})
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
+    return result
+# @flask_app.route(rule=<token_endpoint>,  # JUSBR_TOKEN_ENDPOINT: /iam/jusbr:get-token
+#                  methods=["GET"])
+def service_token() -> Response:
+    """
+    Entry point for retrieving the Keycloak token.
+    :return: the response containing the token, or *UNAUTHORIZED*
+    """
+    # log the request
+    if _logger:
+        msg: str = _log_init(request=request)
+        _logger.debug(msg=msg)
+    # retrieve the user id
+    input_params: dict[str, Any] = request.args
+    _user_id: str = input_params.get("user-id") or input_params.get("login")
+    return Response()
+def keycloak_get_token(user_id: str,
+                       errors: list[str] = None,
+                       logger: Logger = None) -> str:
+    """
+    Retrieve the authentication token for user *user_id*.
+    :param user_id: the user's identification
+    :param errors: incidental error messages
+    :param logger: optional logger
+    :return: the token for *user_id*, or *None* if error
+    """
+    global _keycloak_registry
+    # initialize the return variable
+    result: str | None = None
+    return result

pypomes_iam-0.1.6/src/pypomes_iam/keycloak_pomes.py DELETED Viewed

@@ -1,213 +0,0 @@
-# import requests
-# import secrets
-# import string
-# import sys
-# from cachetools import Cache, FIFOCache, TTLCache
-# from datetime import datetime
-from flask import Flask, Response, redirect, request, jsonify
-from logging import Logger
-from pypomes_core import (
-    APP_PREFIX, TZ_LOCAL, env_get_int, env_get_str, exc_format
-)
-from typing import Any, Final
-KEYCLOAK_CLIENT_ID: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_ID")
-KEYCLOAK_CLIENT_SECRET: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_SECRET")
-KEYCLOAK_CLIENT_TIMEOUT: Final[int] = env_get_int(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_TIMEOUT")
-KEYCLOAK_ENDPOINT_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_ENDPOINT_CALLBACK",
-                                                     def_value="/iam/keycloak:callback")
-KEYCLOAK_ENDPOINT_LOGIN: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_ENDPOINT_LOGIN",
-                                                  def_value="/iam/keycloak:login")
-KEYCLOAK_ENDPOINT_LOGOUT: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_ENDPOINT_LOGOUT",
-                                                   def_value="/iam/keycloak:logout")
-KEYCLOAK_ENDPOINT_TOKEN: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_ENDPOINT_TOKEN",
-                                                  def_value="/iam/keycloak:get-token")
-KEYCLOAK_REALM: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_REALM")
-KEYCLOAK_URL_AUTH_BASE: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_URL_AUTH_BASE")
-KEYCLOAK_URL_AUTH_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_URL_AUTH_CALLBACK")
-# registry structure:
-# {
-#    "client-id": <str>,
-#    "client-secret": <str>,
-#    "client-timeout": <int>,
-#    "realm": <str>,
-#    "auth-url": <str>,
-#    "callback-url": <str>,
-#    "users": {
-#       "<user-id>": {
-#         "cache-obj": <Cache>,
-#         "oauth-scope": <str>,
-#         "access-expiration": <timestamp>,
-#         data in <Cache>:
-#           "oauth-state": <str>
-#           "access-token": <str>
-#           "refresh-token": <str>
-#       }
-#    }
-# }
-_keycloak_registry: dict[str, Any] = {
-    "client-id": None,
-    "client-secret": None,
-    "client-timeout": None,
-    "realm": None,
-    "auth-url": None,
-    "callback-url": None,
-    "users": {}
-}
-# dafault logger
-_logger: Logger | None = None
-def keycloak_setup(flask_app: Flask,
-                   client_id: str = KEYCLOAK_CLIENT_ID,
-                   client_secret: str = KEYCLOAK_CLIENT_SECRET,
-                   client_timeout: int = KEYCLOAK_CLIENT_TIMEOUT,
-                   realm: str = KEYCLOAK_REALM,
-                   callback_endpoint: str = KEYCLOAK_ENDPOINT_CALLBACK,
-                   token_endpoint: str = KEYCLOAK_ENDPOINT_TOKEN,
-                   login_endpoint: str = KEYCLOAK_ENDPOINT_LOGIN,
-                   logout_endpoint: str = KEYCLOAK_ENDPOINT_LOGOUT,
-                   auth_url: str = KEYCLOAK_URL_AUTH_BASE,
-                   callback_url: str = KEYCLOAK_URL_AUTH_CALLBACK,
-                   logger: Logger = None) -> None:
-    """
-    Configure the Keycloak IAM.
-    This should be invoked only once, before the first access to a Keycloak service.
-    :param flask_app: the Flask application
-    :param client_id: the client's identification with JusBR
-    :param client_secret: the client's password with JusBR
-    :param client_timeout: timeout for login authentication (in seconds,defaults to no timeout)
-    :param realm: the Keycloak reals
-    :param callback_endpoint: endpoint for the callback from JusBR
-    :param token_endpoint: endpoint for retrieving the JusBR authentication token
-    :param login_endpoint: endpoint for redirecting user to JusBR login page
-    :param logout_endpoint: endpoint for terminating user access to JusBR
-    :param auth_url: base URL to request the JusBR services
-    :param callback_url: URL for Keycloak to callback on login
-    :param logger: optional logger
-    """
-    global _keycloak_registry
-    # establish the logger
-    global _logger
-    _logger = logger
-    # configure the JusBR registry
-    _keycloak_registry.update({
-        "client-id": client_id,
-        "client-secret": client_secret,
-        "client-timeout": client_timeout,
-        "realm": realm,
-        "auth-url": auth_url,
-        "callback-url": callback_url,
-        "users": []
-    })
-    # establish the endpoints
-    if token_endpoint:
-        flask_app.add_url_rule(rule=token_endpoint,
-                               endpoint="keycloak-token",
-                               view_func=service_token,
-                               methods=["GET"])
-    if login_endpoint:
-        flask_app.add_url_rule(rule=login_endpoint,
-                               endpoint="keycloak-login",
-                               view_func=service_login,
-                               methods=["GET"])
-    if logout_endpoint:
-        flask_app.add_url_rule(rule=logout_endpoint,
-                               endpoint="keycloak-logout",
-                               view_func=service_logout,
-                               methods=["GET"])
-    if callback_endpoint:
-        flask_app.add_url_rule(rule=callback_endpoint,
-                               endpoint="keycloak-callback",
-                               view_func=service_callback,
-                               methods=["POST"])
-# @flask_app.route(rule=<login_endpoint>,  # KEYCLOAK_LOGIN_ENDPOINT: /iam/keycloak:login
-#                  methods=["GET"])
-def service_login() -> Response:
-    """
-    Entry point for the Keycloak login service.
-    Redirect the request to the Keycloak authentication page, with the appropriate parameters.
-    :return: the response from the redirect operation
-    """
-    global _keycloak_registry
-    # retrieve user id
-    input_params: dict[str, Any] = request.args
-    _user_id: str = input_params.get("user-id") or input_params.get("login")
-    return Response()
-# @flask_app.route(rule=<login_endpoint>,  # KEYCLOAK_LOGIN_ENDPOINT: /iam/keycloak:logout
-#                  methods=["GET"])
-def service_logout() -> Response:
-    """
-    Entry point for the JusBR logout service.
-    Remove all data associating the user with JusBR from the registry.
-    :return: response *OK*
-    """
-    global _keycloak_registry
-    # retrieve user id
-    input_params: dict[str, Any] = request.args
-    _user_id: str = input_params.get("user-id") or input_params.get("login")
-    return Response()
-# @flask_app.route(rule=<callback_endpoint>,  # KEYCLOAK_CALLBACK_ENDPOINT: /iam/keycloak:callback
-#                  methods=["POST"])
-def service_callback() -> Response:
-    """
-    Entry point for the callback from Keycloak on authentication operation.
-    :return: the response containing the token, or *NOT AUTHORIZED*
-    """
-    global _keycloak_registry
-    return Response()
-# @flask_app.route(rule=<token_endpoint>,  # JUSBR_TOKEN_ENDPOINT: /iam/jusbr:get-token
-#                  methods=["GET"])
-def service_token() -> Response:
-    """
-    Entry point for retrieving the Keycloak token.
-    :return: the response containing the token, or *UNAUTHORIZED*
-    """
-    # retrieve user id
-    input_params: dict[str, Any] = request.args
-    _user_id: str = input_params.get("user-id") or input_params.get("login")
-    return Response()
-def keycloak_get_token(user_id: str,
-                       errors: list[str] = None,
-                       logger: Logger = None) -> str:
-    """
-    Retrieve the authentication token for user *user_id*.
-    :param user_id: the user's identification
-    :param errors: incidental error messages
-    :param logger: optional logger
-    :return: the token for *user_id*, or *None* if error
-    """
-    global _keycloak_registry
-    # initialize the return variable
-    result: str | None = None
-    return result

{pypomes_iam-0.1.6 → pypomes_iam-0.1.8}/.gitignore RENAMED Viewed

File without changes

{pypomes_iam-0.1.6 → pypomes_iam-0.1.8}/LICENSE RENAMED Viewed

File without changes

{pypomes_iam-0.1.6 → pypomes_iam-0.1.8}/README.md RENAMED Viewed

File without changes

{pypomes_iam-0.1.6 → pypomes_iam-0.1.8}/src/pypomes_iam/__init__.py RENAMED Viewed

File without changes

{pypomes_iam-0.1.6 → pypomes_iam-0.1.8}/src/pypomes_iam/provider_pomes.py RENAMED Viewed

File without changes

{pypomes_iam-0.1.6 → pypomes_iam-0.1.8}/src/pypomes_iam/token_pomes.py RENAMED Viewed

File without changes

pypomes-iam 0.1.6__tar.gz → 0.1.8__tar.gz

Potentially problematic release.

pypomes-iam 0.1.6tar.gz → 0.1.8tar.gz