pypomes-iam 0.1.8__py3-none-any.whl → 0.1.9__py3-none-any.whl

pypomes_iam/__init__.py

@@ -1,6 +1,9 @@
 from .jusbr_pomes import (
     jusbr_setup, jusbr_get_token, jusbr_set_scope
 )
+from .keycloak_pomes import (
+    keycloak_setup, keycloak_get_token, keycloak_set_scope
+)
 from .provider_pomes import (
     provider_register, provider_get_token
 )
@@ -11,6 +14,8 @@ from .token_pomes import (
 __all__ = [
     # jusbr_pomes
     "jusbr_setup", "jusbr_get_token", "jusbr_set_scope",
+    # keycloak_pomes
+    "keycloak_setup", "keycloak_get_token", "keycloak_set_scope",
     # provider_pomes
     "provider_register", "provider_get_token",
     # token_pomes

pypomes_iam/common_pomes.py

@@ -1,21 +1,233 @@
 import json
 import requests
+import secrets
+import string
+import sys
+from cachetools import Cache
 from datetime import datetime
 from flask import Request
 from logging import Logger
-from pypomes_core import TZ_LOCAL
+from pypomes_core import TZ_LOCAL, exc_format
 from typing import Any
 
+# registry structure:
+# {
+#    "client-id": <str>,
+#    "client-secret": <str>,
+#    "client-timeout": <int>,
+#    "public_key": <str>,
+#    "key-lifetime": <int>,
+#    "key-expiration": <int>,
+#    "base-url": <str>,
+#    "callback-url": <str>,
+#    "safe-cache": <FIFOCache>
+# }
+# data in "safe-cache":
+# {
+#    "users": {
+#       "<user-id>": {
+#         "access-token": <str>
+#         "refresh-token": <str>
+#         "access-expiration": <timestamp>,
+#         "login-expiration": <timestamp>,   <-- transient
+#         "login-id": <str>,                 <-- transient
+#         "oauth-scope": <str>               <-- optional
+#       }
+#    }
+# }
+
+
+def _service_callback(registry: dict[str, Any],
+                      args: dict[str, Any],
+                      errors: list[str],
+                      logger: Logger | None) -> tuple[str, str]:
+    """
+    Entry point for the callback from JusBR on authentication operation.
+
+    :param registry: the registry holding the authentication data
+    :param args: the arguments passed when requesting the service
+    :param errors: incidental errors
+    :param logger: optional logger
+    """
+    from .token_pomes import token_validate
+
+    # initialize the return variable
+    result: tuple[str, str] | None = None
+
+    # retrieve the users authentication data
+    cache: Cache = registry["safe-cache"]
+    users: dict[str, dict[str, Any]] = cache.get("users")
+
+    # validate the OAuth2 state
+    oauth_state: str = args.get("state")
+    user_data: dict[str, Any] | None = None
+    if oauth_state:
+        for user, data in users.items():
+            if user == oauth_state:
+                user_data = data
+                break
+
+    # exchange 'code' for the token
+    if user_data:
+        users.pop(oauth_state)
+        code: str = args.get("code")
+        body_data: dict[str, Any] = {
+            "grant_type": "authorization_code",
+            "code": code,
+            "redirect_uri": registry.get("callback-url"),
+        }
+        token = _post_for_token(registry=registry,
+                                user_data=user_data,
+                                body_data=body_data,
+                                errors=errors,
+                                logger=logger)
+        # retrieve the token's claims
+        if not errors:
+            public_key: bytes = _get_public_key(registry=registry,
+                                                logger=logger)
+            token_claims: dict[str, dict[str, Any]] = token_validate(token=token,
+                                                                     issuer=registry["base-url"],
+                                                                     public_key=public_key,
+                                                                     errors=errors,
+                                                                     logger=logger)
+            if not errors:
+                token_user: str = token_claims["payload"].get("preferred_username")
+                if token_user == oauth_state:
+                    users[token_user] = user_data
+                    result = (token_user, token)
+                else:
+                    errors.append(f"Token was issued to user '{token_user}'")
+    else:
+        msg: str = "Unknown OAuth2 code received"
+        if _get_login_timeout(registry=registry):
+            msg += " - possible operation timeout"
+        errors.append(msg)
+
+    return result
+
+
+def _service_login(registry: dict[str, Any],
+                   args: dict[str, Any],
+                   logger: Logger | None) -> str:
+    """
+    Build the callback URL for redirecting the request to the IAM's authentication page.
+
+    :param registry: the registry holding the authentication data
+    :param args: the arguments passed when requesting the service
+    :param logger: optional logger
+    :return: the callback URL, with the appropriate parameters
+    """
+
+    # retrieve user data
+    oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
+
+    # build the user data
+    #   ('oauth_state' is a randomly-generated string, thus 'user_data' is always a new entry)
+    user_data: dict[str, Any] = _get_user_data(registry=registry,
+                                               user_id=oauth_state,
+                                               logger=logger)
+    user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
+    user_data["login-id"] = user_id
+    timeout: int = _get_login_timeout(registry=registry)
+    user_data["login-expiration"] = int(datetime.now(tz=TZ_LOCAL).timestamp()) + timeout if timeout else None
+
+    # build the redirect url
+    result: str = (f"{registry["base-url"]}/protocol/openid-connect/auth?response_type=code"
+                   f"&client_id={registry["client-id"]}"
+                   f"&redirect_uri={registry["callback-url"]}"
+                   f"&state={oauth_state}")
+    scope: str = _get_user_scope(registry=registry,
+                                 user_id=user_id)
+    if scope:
+        user_data["oauth-scope"] = scope
+        result += f"&scope={scope}"
+
+    # logout the user
+    _service_logout(registry=registry,
+                    args=args,
+                    logger=logger)
+    return result
+
+
+def _service_logout(registry: dict[str, Any],
+                    args: dict[str, Any],
+                    logger: Logger | None) -> None:
+    """
+    Remove all data associating *user_id* from *registry*.
+
+    :param registry: the registry holding the authentication data
+    :param args: the arguments passed when requesting the service
+    :param logger: optional logger
+    """
+    # remove the user data
+    user_id: str = args.get("user-id") or args.get("login")
+    if user_id:
+        cache: Cache = registry["safe-cache"]
+        users: dict[str, dict[str, Any]] = cache.get("users")
+        if user_id in users:
+            users.pop(user_id)
+            if logger:
+                logger.debug(msg=f"User '{user_id}' removed from the registry")
+
+
+def _service_token(registry: dict[str, Any],
+                   args: dict[str, Any],
+                   errors: list[str] = None,
+                   logger: Logger = None) -> str:
+    """
+    Retrieve the authentication token for user *user_id*.
+
+    :param registry: the registry holding the authentication data
+    :param args: the arguments passed when requesting the service
+    :param errors: incidental error messages
+    :param logger: optional logger
+    :return: the token for *user_id*, or *None* if error
+    """
+    # initialize the return variable
+    result: str | None = None
+
+    user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
+    user_data: dict[str, Any] = _get_user_data(registry=registry,
+                                               user_id=user_id,
+                                               logger=logger)
+    token: str = user_data["access-token"]
+    if token:
+        access_expiration: int = user_data.get("access-expiration")
+        now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+        if now < access_expiration:
+            result = token
+        else:
+            # access token has expired
+            refresh_token: str = user_data["refresh-token"]
+            if refresh_token:
+                body_data: dict[str, str] = {
+                    "grant_type": "refresh_token",
+                    "refresh_token": refresh_token
+                }
+                result = _post_for_token(registry=registry,
+                                         user_data=user_data,
+                                         body_data=body_data,
+                                         errors=errors,
+                                         logger=logger)
+
+    elif logger or isinstance(errors, list):
+        err_msg: str = f"User '{user_id}' not authenticated"
+        if isinstance(errors, list):
+            errors.append(err_msg)
+        if logger:
+            logger.error(msg=err_msg)
+
+    return result
+
 
 def _get_public_key(registry: dict[str, Any],
-                    url: str,
                     logger: Logger | None) -> bytes:
     """
     Obtain the public key used by the *IAM* to sign the authentication tokens.
 
     The public key is saved in *registry*.
 
-    :param url: the base URL to request the public key
+    :param registry: the registry holding the authentication data
     :return: the public key, in *DER* format
     """
     from pypomes_crypto import crypto_jwk_convert
@@ -24,9 +236,9 @@ def _get_public_key(registry: dict[str, Any],
     result: bytes | None = None
 
     now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-    if now > registry.get("key-expiration"):
+    if now > registry["key-expiration"]:
         # obtain a new public key
-        url: str = f"{url}/protocol/openid-connect/certs"
+        url: str = f"{registry["base-url"]}/protocol/openid-connect/certs"
         if logger:
             logger.debug(msg=f"GET '{url}'")
         response: requests.Response = requests.get(url=url)
@@ -38,7 +250,7 @@ def _get_public_key(registry: dict[str, Any],
             result = crypto_jwk_convert(jwk=reply["keys"][0],
                                         fmt="DER")
             registry["public-key"] = result
-            duration: int = registry.get("key-lifetime") or 0
+            duration: int = registry["key-lifetime"] or 0
             registry["key-expiration"] = now + duration
         elif logger:
             msg: str = f"GET failure, status {response.status_code}, reason '{response.reason}'"
@@ -46,7 +258,7 @@ def _get_public_key(registry: dict[str, Any],
                 msg += f", content '{response.content}'"
             logger.error(msg=msg)
     else:
-        result = registry.get("public-key")
+        result = registry["public-key"]
 
     return result
 
@@ -55,6 +267,7 @@ def _get_login_timeout(registry: dict[str, Any]) -> int | None:
     """
     Retrieve from *registry* the timeout currently applicable for the login operation.
 
+    :param registry: the registry holding the authentication data
     :return: the current login timeout, or *None* if none has been set.
     """
     timeout: int = registry.get("client-timeout")
@@ -70,13 +283,19 @@ def _get_user_data(registry: dict[str, Any],
     If an entry is not found for *user_id* in the registry, it is created.
     It will remain there until the user is logged out.
 
-    :param user_id:
+    :param registry: the registry holding the authentication data
     :return: the data for *user_id* in the registry
     """
-    result: dict[str, Any] = registry["users"].get(user_id)
+    cache: Cache = registry["safe-cache"]
+    users: dict[str, dict[str, Any]] = cache.get("users")
+    result: dict[str, Any] = users.get(user_id)
     if not result:
-        result = {"access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp())}
-        registry["users"][user_id] = result
+        result = {
+            "access-token": None,
+            "refresh-token": None,
+            "access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp())
+        }
+        users[user_id] = result
         if logger:
             logger.debug(msg=f"Entry for user '{user_id}' added to the registry")
     elif logger:
@@ -85,17 +304,110 @@ def _get_user_data(registry: dict[str, Any],
     return result
 
 
-def _user_logout(registry: dict[str, Any],
-                 user_id: str,
-                 logger: Logger | None) -> None:
+def _get_user_scope(registry: dict[str, Any],
+                    user_id: str) -> str | None:
     """
-    Remove all data associating *user_id* from *registry*.
+    Retrieve the OAuth2 scope associated with *user_id*.
+
+    :param registry: the registry holding the authentication data
+    :param user_id:
+    :return: the OAuth2 scope associated with *user_id*, or *None* if it does not exist
     """
-    # remove the user data
-    if user_id and user_id in registry.get("users"):
-        registry["users"].pop(user_id)
+    # initialize the return variable
+    result: str | None = None
+
+    if user_id:
+        cache: Cache = registry["safe-cache"]
+        users: dict[str, dict[str, Any]] = cache.get("users")
+        if user_id in users:
+            result = users[user_id].get("oauth2-scope")
+
+    return result
+
+
+def _post_for_token(registry: dict[str, Any],
+                    user_data: dict[str, Any],
+                    body_data: dict[str, Any],
+                    errors: list[str] | None,
+                    logger: Logger | None) -> str | None:
+    """
+    Send a POST request to obtain the authentication token data, and return the access token.
+
+    For token exchange, *body_data* will have the attributes
+        - "grant_type": "authorization_code"
+        - "code": <16-character-random-code>
+        - "redirect_uri": <callback-url>
+    For token refresh, *body_data* will have the attributes
+        - "grant_type": "refresh_token"
+        - "refresh_token": <current-refresh-token>
+
+    If the operation is successful, the token data is stored in the registry.
+    Otherwise, *errors* will contain the appropriate error message.
+
+    :param registry: the registry holding the authentication data
+    :param user_data: the user's data in the registry
+    :param body_data: the data to send in the body of the request
+    :param errors: incidental errors
+    :param logger: optional logger
+    :return: the access token obtained, or *None* if error
+    """
+    # initialize the return variable
+    result: str | None = None
+
+    # complete the data to send in body of request
+    body_data["client_id"] = registry["client-id"]
+    client_secret: str = registry["client-secret"]
+    if client_secret:
+        body_data["client_secret"] = client_secret
+
+    # obtain the token
+    err_msg: str | None = None
+    url: str = registry["base-url"] + "/protocol/openid-connect/token"
+    now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+    if logger:
+        logger.debug(msg=f"POST '{url}', data {json.dumps(obj=body_data,
+                                                          ensure_ascii=False)}")
+    try:
+        # typical return on a token request:
+        # {
+        #   "token_type": "Bearer",
+        #   "access_token": <str>,
+        #   "expires_in": <number-of-seconds>,
+        #   "refresh_token": <str>
+        # }
+        response: requests.Response = requests.post(url=url,
+                                                    data=body_data)
+        if response.status_code == 200:
+            # request succeeded
+            if logger:
+                logger.debug(msg=f"POST success, status {response.status_code}")
+            reply: dict[str, Any] = response.json()
+            result = reply.get("access_token")
+            user_data["access-token"] = result
+            # on token refresh, keep current refresh token if a new one is not provided
+            user_data["refresh-token"] = reply.get("refresh_token") or body_data.get("refresh_token")
+            user_data["access-expiration"] = now + reply.get("expires_in")
+        else:
+            # request resulted in error
+            err_msg = f"POST failure, status {response.status_code}, reason '{response.reason}'"
+            if hasattr(response, "content") and response.content:
+                err_msg += f", content '{response.content}'"
+            if response.status_code == 400 and body_data.get("grant_type") == "refresh_token":
+                # refresh token is no longer valid
+                user_data["refresh-token"] = None
+    except Exception as e:
+        # the operation raised an exception
+        err_msg = exc_format(exc=e,
+                             exc_info=sys.exc_info())
+        err_msg = f"POST '{url}': error '{err_msg}'"
+
+    if err_msg:
+        if isinstance(errors, list):
+            errors.append(err_msg)
         if logger:
-            logger.debug(msg=f"User '{user_id}' removed from the registry")
+            logger.error(msg=err_msg)
+
+    return result
 
 
 def _log_init(request: Request) -> str:

pypomes_iam/jusbr_pomes.py

@@ -1,19 +1,16 @@
-import json
-import requests
-import secrets
-import string
-import sys
-from cachetools import Cache, FIFOCache, TTLCache
+from cachetools import FIFOCache
 from datetime import datetime
 from flask import Flask, Response, redirect, request, jsonify
 from logging import Logger
 from pypomes_core import (
-    APP_PREFIX, TZ_LOCAL, env_get_int, env_get_str, exc_format
+    APP_PREFIX, TZ_LOCAL, env_get_int, env_get_str
 )
 from typing import Any, Final
 
 from .common_pomes import (
-    _get_login_timeout, _get_public_key, _get_user_data, _user_logout, _log_init
+    _service_login, _service_logout,
+    _service_callback, _service_token,
+    _get_user_data, _log_init
 )
 
 JUSBR_CLIENT_ID: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_CLIENT_ID")
@@ -39,21 +36,23 @@ JUSBR_URL_AUTH_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_URL_A
 #    "client-id": <str>,
 #    "client-secret": <str>,
 #    "client-timeout": <int>,
-#    "public_key": <bytes>,
+#    "public_key": <str>,
 #    "key-lifetime": <int>,
 #    "key-expiration": <int>,
 #    "base-url": <str>,
 #    "callback-url": <str>,
+#    "cache-obj": <FIFOCache>
+# }
+# data in "cache-obj":
+# {
 #    "users": {
 #       "<user-id>": {
-#         "cache-obj": <Cache>,
-#         "oauth-scope": <str>,
+#         "access-token": <str>
+#         "refresh-token": <str>
 #         "access-expiration": <timestamp>,
-#         "login-expiration": <int>,  <-- transient
-#         "login-id": <str>,          <-- transient
-#         data in <Cache>:
-#           "access-token": <str>
-#           "refresh-token": <str>
+#         "login-expiration": <timestamp>,   <-- transient
+#         "login-id": <str>,                 <-- transient
+#         "oauth-scope": <str>               <-- optional
 #       }
 #    }
 # }
@@ -107,7 +106,7 @@ def jusbr_setup(flask_app: Flask,
         "callback-url": callback_url,
         "key-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
         "key-lifetime": public_key_lifetime,
-        "users": {}
+        "cache-obj": FIFOCache(maxsize=1048576)
     }
 
     # establish the endpoints
@@ -147,34 +146,12 @@ def service_login() -> Response:
 
     # log the request
     if _logger:
-        msg: str = _log_init(request=request)
-        _logger.debug(msg=msg)
-
-    # retrieve user data (if not provided, 'user_id' is temporarily set to 'oauth_state')
-    input_params: dict[str, Any] = request.values
-    oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
-    user_id: str = input_params.get("user-id") or input_params.get("login") or oauth_state
-    # obtain the user data
-    user_data: dict[str, Any] = _get_user_data(registry=_jusbr_registry,
-                                               user_id=user_id,
-                                               logger=_logger)
-    # build the redirect url
-    timeout: int = _get_login_timeout(registry=_jusbr_registry)
-    safe_cache: Cache
-    if timeout:
-        safe_cache = TTLCache(maxsize=16,
-                              ttl=timeout)
-    else:
-        safe_cache = FIFOCache(maxsize=16)
-    safe_cache["oauth-state"] = oauth_state
-    user_data["cache-obj"] = safe_cache
-    auth_url: str = (f"{_jusbr_registry["base-url"]}/protocol/openid-connect/auth?response_type=code"
-                     f"&client_id={_jusbr_registry["client-id"]}"
-                     f"&redirect_uri={_jusbr_registry["callback-url"]}"
-                     f"&state={oauth_state}")
-    if user_data.get("oauth-scope"):
-        auth_url += f"&scope={user_data.get("oauth-scope")}"
+        _logger.debug(msg=_log_init(request=request))
 
+    # obtain the redirect URL
+    auth_url: str = _service_login(registry=_jusbr_registry,
+                                   args=request.args,
+                                   logger=_logger)
     # redirect the request
     result: Response = redirect(location=auth_url)
 
@@ -199,17 +176,12 @@ def service_logout() -> Response:
 
     # log the request
     if _logger:
-        msg: str = _log_init(request=request)
-        _logger.debug(msg=msg)
-
-    # retrieve the user id
-    input_params: dict[str, Any] = request.args
-    user_id: str = input_params.get("user-id") or input_params.get("login")
+        _logger.debug(msg=_log_init(request=request))
 
     # logout the user
-    _user_logout(registry=_jusbr_registry,
-                 user_id=user_id,
-                 logger=_logger)
+    _service_logout(registry=_jusbr_registry,
+                    args=request.args,
+                    logger=_logger)
 
     result: Response = Response(status=200)
 
@@ -226,76 +198,28 @@ def service_callback() -> Response:
     """
     Entry point for the callback from JusBR on authentication operation.
 
-    :return: the response containing the token, or *NOT AUTHORIZED*
+    :return: the response containing the token, or *BAD REQUEST*
     """
     global _jusbr_registry
-    from .token_pomes import token_validate
 
     # log the request
     if _logger:
-        msg: str = _log_init(request=request)
-        _logger.debug(msg=msg)
-
-    # validate the OAuth2 state
-    oauth_state: str = request.args.get("state")
-    user_id: str | None = None
-    user_data: dict[str, Any] | None = None
-    if oauth_state:
-        for user, data in _jusbr_registry.get("users").items():
-            safe_cache: Cache = data.get("cache-obj")
-            if user == oauth_state or \
-                    (safe_cache and oauth_state == safe_cache.get("oauth-state")):
-                user_id = user
-                user_data = data
-                # 'oauth-state' is to be used only once
-                safe_cache["oauth-state"] = None
-                break
-
-    # exchange 'code' for the token
-    token: str | None = None
-    errors: list[str] = []
-    if user_data:
-        code: str = request.args.get("code")
-        body_data: dict[str, Any] = {
-            "grant_type": "authorization_code",
-            "code": code,
-            "redirect_uri": _jusbr_registry.get("callback-url"),
-        }
-        token = __post_jusbr(user_data=user_data,
-                             body_data=body_data,
-                             errors=errors,
-                             logger=_logger)
-        # retrieve the token's claims
-        if not errors:
-            public_key: bytes = _get_public_key(registry=_jusbr_registry,
-                                                url=_jusbr_registry["base-url"],
-                                                logger=_logger)
-            token_claims: dict[str, dict[str, Any]] = token_validate(token=token,
-                                                                     issuer=_jusbr_registry["base-url"],
-                                                                     public_key=public_key,
-                                                                     errors=errors,
-                                                                     logger=_logger)
-            if not errors:
-                token_user: str = token_claims["payload"].get("preferred_username")
-                if user_id == oauth_state:
-                    user_id = token_user
-                    _jusbr_registry["users"][user_id] = _jusbr_registry["users"].pop(oauth_state)
-                elif token_user != user_id:
-                    errors.append(f"Token was issued to user '{token_user}'")
-    else:
-        msg: str = "Unknown OAuth2 code received"
-        if _get_login_timeout(registry=_jusbr_registry):
-            msg += " - possible operation timeout"
-        errors.append(msg)
+        _logger.debug(msg=_log_init(request=request))
 
+    # process the callback operation
+    errors: list[str] = []
+    token_data: tuple[str, str] = _service_callback(registry=_jusbr_registry,
+                                                    args=request.args,
+                                                    errors=errors,
+                                                    logger=_logger)
     result: Response
     if errors:
         result = jsonify({"errors": "; ".join(errors)})
         result.status_code = 400
     else:
         result = jsonify({
-            "user_id": user_id,
-            "access_token": token})
+            "user_id": token_data[0],
+            "access_token": token_data[1]})
 
     # log the response
     if _logger:
@@ -312,17 +236,18 @@ def service_token() -> Response:
 
     :return: the response containing the token, or *UNAUTHORIZED*
     """
+    global _jusbr_registry
+
     # log the request
     if _logger:
-        msg: str = _log_init(request=request)
-        _logger.debug(msg=msg)
+        _logger.debug(msg=_log_init(request=request))
 
     # retrieve the token
-    input_params: dict[str, Any] = request.args
-    user_id: str = input_params.get("user-id") or input_params.get("login")
     errors: list[str] = []
-    token: str = jusbr_get_token(user_id=user_id,
-                                 logger=_logger)
+    token: str = _service_token(registry=_jusbr_registry,
+                                args=request.args,
+                                errors=errors,
+                                logger=_logger)
     result: Response
     if token:
         result = jsonify({"token": token})
@@ -341,54 +266,26 @@ def jusbr_get_token(user_id: str,
                     errors: list[str] = None,
                     logger: Logger = None) -> str:
     """
-    Retrieve the authentication token for user *user_id*.
+    Retrieve a JusBR authentication token for *user_id*.
 
     :param user_id: the user's identification
-    :param errors: incidental error messages
+    :param errors: incidental errors
     :param logger: optional logger
-    :return: the token for *user_id*, or *None* if error
+    :return: the uthentication tokem
     """
     global _jusbr_registry
 
-    # initialize the return variable
-    result: str | None = None
-
-    user_data: dict[str, Any] = _get_user_data(registry=_jusbr_registry,
-                                               user_id=user_id,
-                                               logger=logger)
-    safe_cache: Cache = user_data.get("cache-obj")
-    if safe_cache:
-        access_expiration: int = user_data.get("access-expiration")
-        now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-        if now < access_expiration:
-            result = safe_cache.get("access-token")
-        else:
-            # access token has expired
-            safe_cache["access-token"] = None
-            refresh_token: str = safe_cache.get("refresh-token")
-            if refresh_token:
-                body_data: dict[str, str] = {
-                    "grant_type": "refresh_token",
-                    "refresh_token": refresh_token
-                }
-                result = __post_jusbr(user_data=user_data,
-                                      body_data=body_data,
-                                      errors=errors,
-                                      logger=logger)
-
-    elif logger or isinstance(errors, list):
-        err_msg: str = f"User '{user_id}' not authenticated with JusBR"
-        if isinstance(errors, list):
-            errors.append(err_msg)
-        if logger:
-            logger.error(msg=err_msg)
-
-    return result
+    # retrieve the token
+    args: dict[str, Any] = {"user-id": user_id}
+    return _service_token(registry=_jusbr_registry,
+                          args=args,
+                          errors=errors,
+                          logger=logger)
 
 
 def jusbr_set_scope(user_id: str,
                     scope: str,
-                    logger: Logger | None) -> None:
+                    logger: Logger = None) -> None:
     """
     Set the OAuth2 scope of *user_id* to *scope*.
 
@@ -406,91 +303,3 @@ def jusbr_set_scope(user_id: str,
     user_data["oauth-scope"] = scope
     if logger:
         logger.debug(msg=f"Scope for user '{user_id}' set to '{scope}'")
-
-
-def __post_jusbr(user_data: dict[str, Any],
-                 body_data: dict[str, Any],
-                 errors: list[str] | None,
-                 logger: Logger | None) -> str | None:
-    """
-    Send a POST request to JusBR to obtain the authentication token data, and return the access token.
-
-    For token exchange, *body_data* will have the attributes
-        - "grant_type": "authorization_code"
-        - "code": <16-character-random-code>
-        - "redirect_uri": <callback-url>
-    For token refresh, *body_data* will have the attributes
-        - "grant_type": "refresh_token"
-        - "refresh_token": <current-refresh-token>
-
-    If the operation is successful, the token data is stored in the registry.
-    Otherwise, *errors* will contain the appropriate error message.
-
-    :param user_data: the user's data in the registry
-    :param body_data: the data to send in the body of the request
-    :param errors: incidental errors
-    :param logger: optional logger
-    :return: the access token obtained, or *None* if error
-    """
-    global _jusbr_registry
-
-    # initialize the return variable
-    result: str | None = None
-
-    # complete the data to send in body of request
-    body_data["client_id"] = _jusbr_registry.get("client-id")
-    client_secret: str = _jusbr_registry.get("client-secret")
-    if client_secret:
-        body_data["client_secret"] = client_secret
-
-    # obtain the token
-    err_msg: str | None = None
-    safe_cache: Cache = user_data.get("cache-obj")
-    url: str = _jusbr_registry.get("base-url") + "/protocol/openid-connect/token"
-    now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-    if logger:
-        logger.debug(msg=f"POST '{url}', data {json.dumps(obj=body_data,
-                                                          ensure_ascii=False)}")
-    try:
-        # JusBR return on a token request:
-        # {
-        #   "token_type": "Bearer",
-        #   "access_token": <str>,
-        #   "expires_in": <number-of-seconds>,
-        #   "refresh_token": <str>,
-        # }
-        response: requests.Response = requests.post(url=url,
-                                                    data=body_data)
-        if response.status_code == 200:
-            # request succeeded
-            if logger:
-                logger.debug(msg=f"POST success, status {response.status_code}")
-            reply: dict[str, Any] = response.json()
-            result = reply.get("access_token")
-            safe_cache: Cache = FIFOCache(maxsize=1024)
-            safe_cache["access-token"] = result
-            # on token refresh, keep current refresh token if a new one is not provided
-            safe_cache["refresh-token"] = reply.get("refresh_token") or body_data.get("refresh_token")
-            user_data["cache-obj"] = safe_cache
-            user_data["access-expiration"] = now + reply.get("expires_in")
-        else:
-            # request resulted in error
-            err_msg = f"POST failure, status {response.status_code}, reason '{response.reason}'"
-            if hasattr(response, "content") and response.content:
-                err_msg += f", content '{response.content}'"
-            if response.status_code == 401 and "refresh_token" in body_data:
-                # refresh token is no longer valid
-                safe_cache["refresh-token"] = None
-    except Exception as e:
-        # the operation raised an exception
-        err_msg = exc_format(exc=e,
-                             exc_info=sys.exc_info())
-        err_msg = f"POST '{url}': error '{err_msg}'"
-
-    if err_msg:
-        if isinstance(errors, list):
-            errors.append(err_msg)
-        if logger:
-            logger.error(msg=err_msg)
-
-    return result

pypomes_iam/keycloak_pomes.py

@@ -1,6 +1,3 @@
-import secrets
-import string
-# import sys
 from cachetools import FIFOCache
 from datetime import datetime
 from flask import Flask, Response, redirect, request, jsonify
@@ -11,7 +8,9 @@ from pypomes_core import (
 from typing import Any, Final
 
 from .common_pomes import (
-    _get_login_timeout, _get_public_key, _get_user_data, _user_logout, _log_init
+    _service_login, _service_logout,
+    _service_callback, _service_token,
+    _get_user_data, _log_init
 )
 
 KEYCLOAK_CLIENT_ID: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_ID")
@@ -43,15 +42,18 @@ KEYCLOAK_URL_AUTH_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK
 #    "key-expiration": <int>,
 #    "base-url": <str>,
 #    "callback-url": <str>,
+#    "safe-cache": <FIFOCache>
+# }
+# data in "safe-cache":
+# {
 #    "users": {
 #       "<user-id>": {
-#         "cache-obj": <FIFOCache>,
+#         "access-token": <str>
+#         "refresh-token": <str>
 #         "access-expiration": <timestamp>,
-#         "login-expiration": <int>,  <-- transient
-#         "login-id": <str>,          <-- transient
-#         data in <FIFOCache>:
-#           "access-token": <str>
-#           "refresh-token": <str>
+#         "login-expiration": <timestamp>,   <-- transient
+#         "login-id": <str>,                 <-- transient
+#         "oauth-scope": <str>               <-- optional
 #       }
 #    }
 # }
@@ -108,7 +110,7 @@ def keycloak_setup(flask_app: Flask,
         "callback-url": callback_url,
         "key-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
         "key-lifetime": public_key_lifetime,
-        "users": []
+        "safe-cache": FIFOCache(maxsize=1048576)
     }
 
     # establish the endpoints
@@ -148,32 +150,12 @@ def service_login() -> Response:
 
     # log the request
     if _logger:
-        msg: str = _log_init(request=request)
-        _logger.debug(msg=msg)
-
-    # build the OAuth2 state, and temporarily use it as 'user_id'
-    oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
-    # obtain the user data
-    user_data: dict[str, Any] = _get_user_data(registry=_keycloak_registry,
-                                               user_id=oauth_state,
-                                               logger=_logger)
-    # build the redirect url
-    timeout: int = _get_login_timeout(registry=_keycloak_registry)
-    safe_cache: FIFOCache
-    if timeout:
-        safe_cache = FIFOCache(maxsize=16)
-    else:
-        safe_cache = FIFOCache(maxsize=16)
-    safe_cache["valid"] = True
-    user_data["cache-obj"] = safe_cache
-    auth_url: str = (
-        f"{_keycloak_registry["base-url"]}/protocol/openid-connect/auth"
-        f"?client_id={_keycloak_registry["client-id"]}"
-        f"&response_type=code"
-        f"&scope=openid"
-        f"&redirect_uri={_keycloak_registry["callback-url"]}"
-    )
+        _logger.debug(msg=_log_init(request=request))
 
+    # obtain the redirect URL
+    auth_url: str = _service_login(registry=_keycloak_registry,
+                                   args=request.args,
+                                   logger=_logger)
     # redirect the request
     result: Response = redirect(location=auth_url)
 
@@ -198,17 +180,12 @@ def service_logout() -> Response:
 
     # log the request
     if _logger:
-        msg: str = _log_init(request=request)
-        _logger.debug(msg=msg)
-
-    # retrieve the user id
-    input_params: dict[str, Any] = request.args
-    user_id: str = input_params.get("user-id") or input_params.get("login")
+        _logger.debug(msg=_log_init(request=request))
 
     # logout the user
-    _user_logout(registry=_keycloak_registry,
-                 user_id=user_id,
-                 logger=_logger)
+    _service_logout(registry=_keycloak_registry,
+                    args=request.args,
+                    logger=_logger)
 
     result: Response = Response(status=200)
 
@@ -228,73 +205,25 @@ def service_callback() -> Response:
     :return: the response containing the token, or *NOT AUTHORIZED*
     """
     global _keycloak_registry
-    from .token_pomes import token_validate
 
     # log the request
     if _logger:
-        msg: str = _log_init(request=request)
-        _logger.debug(msg=msg)
-
-    # validate the OAuth2 state
-    oauth_state: str = request.args.get("state")
-    user_id: str | None = None
-    user_data: dict[str, Any] | None = None
-    if oauth_state:
-        for user, data in _keycloak_registry.get("users").items():
-            safe_cache: FIFOCache = data.get("cache-obj")
-            if user == oauth_state:
-                if data.get("valid"):
-                    user_id = user
-                    user_data = data
-                else:
-                    msg = "Operation timeout"
-                break
-
-    # exchange 'code' for the token
-    token: str | None = None
-    errors: list[str] = []
-    if user_data:
-        code: str = request.args.get("code")
-        body_data: dict[str, Any] = {
-            "grant_type": "authorization_code",
-            "code": code,
-            "redirec_url": _keycloak_registry.get("callback-url"),
-        }
-        # token = __post_jusbr(user_data=user_data,
-        #                      body_data=body_data,
-        #                      errors=errors,
-        #                      logger=_logger)
-        # retrieve the token's claims
-        if not errors:
-            public_key: bytes = _get_public_key(registry=_keycloak_registry,
-                                                url=_keycloak_registry["base-url"],
-                                                logger=_logger)
-            token_claims: dict[str, dict[str, Any]] = token_validate(token=token,
-                                                                     issuer=_keycloak_registry["base-url"],
-                                                                     public_key=public_key,
-                                                                     errors=errors,
-                                                                     logger=_logger)
-            if not errors:
-                token_user: str = token_claims["payload"].get("preferred_username")
-                if user_id == oauth_state:
-                    user_id = token_user
-                    _keycloak_registry["users"][user_id] = _keycloak_registry["users"].pop(oauth_state)
-                elif token_user != user_id:
-                    errors.append(f"Token was issued to user '{token_user}'")
-    else:
-        msg: str = "Unknown OAuth2 code received"
-        if _get_login_timeout(registry=_keycloak_registry):
-            msg += " - possible operation timeout"
-        errors.append(msg)
+        _logger.debug(msg=_log_init(request=request))
 
+    # process the callback operation
+    errors: list[str] = []
+    token_data: tuple[str, str] = _service_callback(registry=_keycloak_registry,
+                                                    args=request.args,
+                                                    errors=errors,
+                                                    logger=_logger)
     result: Response
     if errors:
         result = jsonify({"errors": "; ".join(errors)})
         result.status_code = 400
     else:
         result = jsonify({
-            "user_id": user_id,
-            "access_token": token})
+            "user_id": token_data[0],
+            "access_token": token_data[1]})
 
     # log the response
     if _logger:
@@ -311,30 +240,70 @@ def service_token() -> Response:
 
     :return: the response containing the token, or *UNAUTHORIZED*
     """
+    global _keycloak_registry
+
     # log the request
     if _logger:
-        msg: str = _log_init(request=request)
-        _logger.debug(msg=msg)
+        _logger.debug(msg=_log_init(request=request))
 
-    # retrieve the user id
-    input_params: dict[str, Any] = request.args
-    _user_id: str = input_params.get("user-id") or input_params.get("login")
-    return Response()
+    # retrieve the token
+    errors: list[str] = []
+    token: str = _service_token(registry=_keycloak_registry,
+                                args=request.args,
+                                errors=errors,
+                                logger=_logger)
+    result: Response
+    if token:
+        result = jsonify({"token": token})
+    else:
+        result = Response("; ".join(errors))
+        result.status_code = 401
+
+    # log the response
+    if _logger:
+        _logger.debug(msg=f"Response {result}")
+
+    return result
 
 
 def keycloak_get_token(user_id: str,
                        errors: list[str] = None,
                        logger: Logger = None) -> str:
     """
-    Retrieve the authentication token for user *user_id*.
+    Retrieve a Keycloak authentication token for *user_id*.
 
     :param user_id: the user's identification
-    :param errors: incidental error messages
+    :param errors: incidental errors
     :param logger: optional logger
-    :return: the token for *user_id*, or *None* if error
+    :return: the uthentication tokem
     """
     global _keycloak_registry
 
-    # initialize the return variable
-    result: str | None = None
-    return result
+    # retrieve the token
+    args: dict[str, Any] = {"user-id": user_id}
+    return _service_token(registry=_keycloak_registry,
+                          args=args,
+                          errors=errors,
+                          logger=logger)
+
+
+def keycloak_set_scope(user_id: str,
+                       scope: str,
+                       logger: Logger | None) -> None:
+    """
+    Set the OAuth2 scope of *user_id* to *scope*.
+
+    :param user_id: the user's identification
+    :param scope: the OAuth2 scope to set to the user
+    :param logger: optional logger
+    """
+    global _keycloak_registry
+
+    # retrieve user data
+    user_data: dict[str, Any] = _get_user_data(registry=_keycloak_registry,
+                                               user_id=user_id,
+                                               logger=logger)
+    # set the OAuth2 scope
+    user_data["oauth-scope"] = scope
+    if logger:
+        logger.debug(msg=f"Scope for user '{user_id}' set to '{scope}'")

{pypomes_iam-0.1.8.dist-info → pypomes_iam-0.1.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_iam
-Version: 0.1.8
+Version: 0.1.9
 Summary: A collection of Python pomes, penyeach (IAM modules)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-IAM
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-IAM/issues
@@ -13,6 +13,6 @@ Requires-Python: >=3.12
 Requires-Dist: cachetools>=6.2.1
 Requires-Dist: flask>=3.1.2
 Requires-Dist: pyjwt>=2.10.1
-Requires-Dist: pypomes-core>=2.8.0
+Requires-Dist: pypomes-core>=2.8.1
 Requires-Dist: pypomes-crypto>=0.4.8
 Requires-Dist: requests>=2.32.5

pypomes_iam-0.1.9.dist-info/RECORD

@@ -0,0 +1,10 @@
+pypomes_iam/__init__.py,sha256=ieysDaKOQc3B50PvChh8DLDG5R3XgbTzX3bU0ekGoUk,760
+pypomes_iam/common_pomes.py,sha256=bLDaoWM5KLccxsNSyiK5UbXRNBgqsQ7TB0Q4Nc72QoI,16415
+pypomes_iam/jusbr_pomes.py,sha256=zpvSfQwteY7aL5noG7ARlLT9yNadfuCMdCZB89yvgI4,10932
+pypomes_iam/keycloak_pomes.py,sha256=2KfAQb_-p8C7cXeKSqjHwMIh1ThncinM8VOLEB_JEng,11381
+pypomes_iam/provider_pomes.py,sha256=eP8XzjTUEpwejTkO0wmDiqKjqbIEOzRNCR2ju5E15og,5856
+pypomes_iam/token_pomes.py,sha256=McjKB8omCjuicenwvDVPiWYu3-7gQeLg1AzgAVKK32M,4309
+pypomes_iam-0.1.9.dist-info/METADATA,sha256=i0F_RcCVWNIfAjKhOlPl2t8-oGk-6bDfPPqURYPvJJo,694
+pypomes_iam-0.1.9.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+pypomes_iam-0.1.9.dist-info/licenses/LICENSE,sha256=YvUELgV8qvXlaYsy9hXG5EW3Bmsrkw-OJmmILZnonAc,1086
+pypomes_iam-0.1.9.dist-info/RECORD,,

pypomes_iam-0.1.8.dist-info/RECORD

@@ -1,10 +0,0 @@
-pypomes_iam/__init__.py,sha256=lHnqNqW1stQjcM6cr9wf3GGnw5_zGf1HN3zyHGb8PCA,577
-pypomes_iam/common_pomes.py,sha256=kdzyEJX275SmMa_zi6AJaC9gVxlXcOailyantPvNOyQ,3908
-pypomes_iam/jusbr_pomes.py,sha256=kNgAgQAMDdODoNO4XKrSggFwQ7R2ID-LLz7tmT3PXH4,19510
-pypomes_iam/keycloak_pomes.py,sha256=m4jM_4c_McVg74T7JG7j3tbMo9Yxp6IKgt8TuauIp7o,13204
-pypomes_iam/provider_pomes.py,sha256=eP8XzjTUEpwejTkO0wmDiqKjqbIEOzRNCR2ju5E15og,5856
-pypomes_iam/token_pomes.py,sha256=McjKB8omCjuicenwvDVPiWYu3-7gQeLg1AzgAVKK32M,4309
-pypomes_iam-0.1.8.dist-info/METADATA,sha256=fjisTEC7XbvWn37I-2Jez6vtk7Uo83Q1WCjq172hOok,694
-pypomes_iam-0.1.8.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-pypomes_iam-0.1.8.dist-info/licenses/LICENSE,sha256=YvUELgV8qvXlaYsy9hXG5EW3Bmsrkw-OJmmILZnonAc,1086
-pypomes_iam-0.1.8.dist-info/RECORD,,