pypomes-iam 0.1.8__py3-none-any.whl → 0.2.0__py3-none-any.whl

pypomes_iam/__init__.py

@@ -1,6 +1,9 @@
 from .jusbr_pomes import (
     jusbr_setup, jusbr_get_token, jusbr_set_scope
 )
+from .keycloak_pomes import (
+    keycloak_setup, keycloak_get_token, keycloak_set_scope
+)
 from .provider_pomes import (
     provider_register, provider_get_token
 )
@@ -11,6 +14,8 @@ from .token_pomes import (
 __all__ = [
     # jusbr_pomes
     "jusbr_setup", "jusbr_get_token", "jusbr_set_scope",
+    # keycloak_pomes
+    "keycloak_setup", "keycloak_get_token", "keycloak_set_scope",
     # provider_pomes
     "provider_register", "provider_get_token",
     # token_pomes

pypomes_iam/common_pomes.py

@@ -1,21 +1,233 @@
 import json
 import requests
+import secrets
+import string
+import sys
+from cachetools import Cache
 from datetime import datetime
 from flask import Request
 from logging import Logger
-from pypomes_core import TZ_LOCAL
+from pypomes_core import TZ_LOCAL, exc_format
 from typing import Any
 
+# registry structure:
+# {
+#    "client-id": <str>,
+#    "client-secret": <str>,
+#    "client-timeout": <int>,
+#    "public_key": <str>,
+#    "key-lifetime": <int>,
+#    "key-expiration": <int>,
+#    "base-url": <str>,
+#    "callback-url": <str>,
+#    "safe-cache": <FIFOCache>
+# }
+# data in "safe-cache":
+# {
+#    "users": {
+#       "<user-id>": {
+#         "access-token": <str>
+#         "refresh-token": <str>
+#         "access-expiration": <timestamp>,
+#         "login-expiration": <timestamp>,   <-- transient
+#         "login-id": <str>,                 <-- transient
+#         "oauth-scope": <str>               <-- optional
+#       }
+#    }
+# }
+
+
+def _service_callback(registry: dict[str, Any],
+                      args: dict[str, Any],
+                      errors: list[str],
+                      logger: Logger | None) -> tuple[str, str]:
+    """
+    Entry point for the callback from JusBR on authentication operation.
+
+    :param registry: the registry holding the authentication data
+    :param args: the arguments passed when requesting the service
+    :param errors: incidental errors
+    :param logger: optional logger
+    """
+    from .token_pomes import token_validate
+
+    # initialize the return variable
+    result: tuple[str, str] | None = None
+
+    # retrieve the users authentication data
+    cache: Cache = registry["safe-cache"]
+    users: dict[str, dict[str, Any]] = cache.get("users")
+
+    # validate the OAuth2 state
+    oauth_state: str = args.get("state")
+    user_data: dict[str, Any] | None = None
+    if oauth_state:
+        for user, data in users.items():
+            if user == oauth_state:
+                user_data = data
+                break
+
+    # exchange 'code' for the token
+    if user_data:
+        users.pop(oauth_state)
+        code: str = args.get("code")
+        body_data: dict[str, Any] = {
+            "grant_type": "authorization_code",
+            "code": code,
+            "redirect_uri": registry.get("callback-url"),
+        }
+        token = _post_for_token(registry=registry,
+                                user_data=user_data,
+                                body_data=body_data,
+                                errors=errors,
+                                logger=logger)
+        # retrieve the token's claims
+        if not errors:
+            public_key: bytes = _get_public_key(registry=registry,
+                                                logger=logger)
+            token_claims: dict[str, dict[str, Any]] = token_validate(token=token,
+                                                                     issuer=registry["base-url"],
+                                                                     public_key=public_key,
+                                                                     errors=errors,
+                                                                     logger=logger)
+            if not errors:
+                token_user: str = token_claims["payload"].get("preferred_username")
+                if token_user == oauth_state:
+                    users[token_user] = user_data
+                    result = (token_user, token)
+                else:
+                    errors.append(f"Token was issued to user '{token_user}'")
+    else:
+        msg: str = "Unknown OAuth2 code received"
+        if _get_login_timeout(registry=registry):
+            msg += " - possible operation timeout"
+        errors.append(msg)
+
+    return result
+
+
+def _service_login(registry: dict[str, Any],
+                   args: dict[str, Any],
+                   logger: Logger | None) -> str:
+    """
+    Build the callback URL for redirecting the request to the IAM's authentication page.
+
+    :param registry: the registry holding the authentication data
+    :param args: the arguments passed when requesting the service
+    :param logger: optional logger
+    :return: the callback URL, with the appropriate parameters
+    """
+
+    # retrieve user data
+    oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
+
+    # build the user data
+    #   ('oauth_state' is a randomly-generated string, thus 'user_data' is always a new entry)
+    user_data: dict[str, Any] = _get_user_data(registry=registry,
+                                               user_id=oauth_state,
+                                               logger=logger)
+    user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
+    user_data["login-id"] = user_id
+    timeout: int = _get_login_timeout(registry=registry)
+    user_data["login-expiration"] = int(datetime.now(tz=TZ_LOCAL).timestamp()) + timeout if timeout else None
+
+    # build the redirect url
+    result: str = (f"{registry["base-url"]}/protocol/openid-connect/auth?response_type=code"
+                   f"&client_id={registry["client-id"]}"
+                   f"&redirect_uri={registry["callback-url"]}"
+                   f"&state={oauth_state}")
+    scope: str = _get_user_scope(registry=registry,
+                                 user_id=user_id)
+    if scope:
+        user_data["oauth-scope"] = scope
+        result += f"&scope={scope}"
+
+    # logout the user
+    _service_logout(registry=registry,
+                    args=args,
+                    logger=logger)
+    return result
+
+
+def _service_logout(registry: dict[str, Any],
+                    args: dict[str, Any],
+                    logger: Logger | None) -> None:
+    """
+    Remove all data associating *user_id* from *registry*.
+
+    :param registry: the registry holding the authentication data
+    :param args: the arguments passed when requesting the service
+    :param logger: optional logger
+    """
+    # remove the user data
+    user_id: str = args.get("user-id") or args.get("login")
+    if user_id:
+        cache: Cache = registry["safe-cache"]
+        users: dict[str, dict[str, Any]] = cache.get("users")
+        if user_id in users:
+            users.pop(user_id)
+            if logger:
+                logger.debug(msg=f"User '{user_id}' removed from the registry")
+
+
+def _service_token(registry: dict[str, Any],
+                   args: dict[str, Any],
+                   errors: list[str] = None,
+                   logger: Logger = None) -> str:
+    """
+    Retrieve the authentication token for user *user_id*.
+
+    :param registry: the registry holding the authentication data
+    :param args: the arguments passed when requesting the service
+    :param errors: incidental error messages
+    :param logger: optional logger
+    :return: the token for *user_id*, or *None* if error
+    """
+    # initialize the return variable
+    result: str | None = None
+
+    user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
+    user_data: dict[str, Any] = _get_user_data(registry=registry,
+                                               user_id=user_id,
+                                               logger=logger)
+    token: str = user_data["access-token"]
+    if token:
+        access_expiration: int = user_data.get("access-expiration")
+        now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+        if now < access_expiration:
+            result = token
+        else:
+            # access token has expired
+            refresh_token: str = user_data["refresh-token"]
+            if refresh_token:
+                body_data: dict[str, str] = {
+                    "grant_type": "refresh_token",
+                    "refresh_token": refresh_token
+                }
+                result = _post_for_token(registry=registry,
+                                         user_data=user_data,
+                                         body_data=body_data,
+                                         errors=errors,
+                                         logger=logger)
+
+    elif logger or isinstance(errors, list):
+        err_msg: str = f"User '{user_id}' not authenticated"
+        if isinstance(errors, list):
+            errors.append(err_msg)
+        if logger:
+            logger.error(msg=err_msg)
+
+    return result
+
 
 def _get_public_key(registry: dict[str, Any],
-                    url: str,
                     logger: Logger | None) -> bytes:
     """
     Obtain the public key used by the *IAM* to sign the authentication tokens.
 
     The public key is saved in *registry*.
 
-    :param url: the base URL to request the public key
+    :param registry: the registry holding the authentication data
     :return: the public key, in *DER* format
     """
     from pypomes_crypto import crypto_jwk_convert
@@ -24,9 +236,9 @@ def _get_public_key(registry: dict[str, Any],
     result: bytes | None = None
 
     now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-    if now > registry.get("key-expiration"):
+    if now > registry["key-expiration"]:
         # obtain a new public key
-        url: str = f"{url}/protocol/openid-connect/certs"
+        url: str = f"{registry["base-url"]}/protocol/openid-connect/certs"
         if logger:
             logger.debug(msg=f"GET '{url}'")
         response: requests.Response = requests.get(url=url)
@@ -38,7 +250,7 @@ def _get_public_key(registry: dict[str, Any],
             result = crypto_jwk_convert(jwk=reply["keys"][0],
                                         fmt="DER")
             registry["public-key"] = result
-            duration: int = registry.get("key-lifetime") or 0
+            duration: int = registry["key-lifetime"] or 0
             registry["key-expiration"] = now + duration
         elif logger:
             msg: str = f"GET failure, status {response.status_code}, reason '{response.reason}'"
@@ -46,7 +258,7 @@ def _get_public_key(registry: dict[str, Any],
                 msg += f", content '{response.content}'"
             logger.error(msg=msg)
     else:
-        result = registry.get("public-key")
+        result = registry["public-key"]
 
     return result
 
@@ -55,6 +267,7 @@ def _get_login_timeout(registry: dict[str, Any]) -> int | None:
     """
     Retrieve from *registry* the timeout currently applicable for the login operation.
 
+    :param registry: the registry holding the authentication data
     :return: the current login timeout, or *None* if none has been set.
     """
     timeout: int = registry.get("client-timeout")
@@ -70,13 +283,19 @@ def _get_user_data(registry: dict[str, Any],
     If an entry is not found for *user_id* in the registry, it is created.
     It will remain there until the user is logged out.
 
-    :param user_id:
+    :param registry: the registry holding the authentication data
     :return: the data for *user_id* in the registry
     """
-    result: dict[str, Any] = registry["users"].get(user_id)
+    cache: Cache = registry["safe-cache"]
+    users: dict[str, dict[str, Any]] = cache.get("users")
+    result: dict[str, Any] = users.get(user_id)
     if not result:
-        result = {"access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp())}
-        registry["users"][user_id] = result
+        result = {
+            "access-token": None,
+            "refresh-token": None,
+            "access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp())
+        }
+        users[user_id] = result
         if logger:
             logger.debug(msg=f"Entry for user '{user_id}' added to the registry")
     elif logger:
@@ -85,17 +304,110 @@ def _get_user_data(registry: dict[str, Any],
     return result
 
 
-def _user_logout(registry: dict[str, Any],
-                 user_id: str,
-                 logger: Logger | None) -> None:
+def _get_user_scope(registry: dict[str, Any],
+                    user_id: str) -> str | None:
     """
-    Remove all data associating *user_id* from *registry*.
+    Retrieve the OAuth2 scope associated with *user_id*.
+
+    :param registry: the registry holding the authentication data
+    :param user_id:
+    :return: the OAuth2 scope associated with *user_id*, or *None* if it does not exist
     """
-    # remove the user data
-    if user_id and user_id in registry.get("users"):
-        registry["users"].pop(user_id)
+    # initialize the return variable
+    result: str | None = None
+
+    if user_id:
+        cache: Cache = registry["safe-cache"]
+        users: dict[str, dict[str, Any]] = cache.get("users")
+        if user_id in users:
+            result = users[user_id].get("oauth2-scope")
+
+    return result
+
+
+def _post_for_token(registry: dict[str, Any],
+                    user_data: dict[str, Any],
+                    body_data: dict[str, Any],
+                    errors: list[str] | None,
+                    logger: Logger | None) -> str | None:
+    """
+    Send a POST request to obtain the authentication token data, and return the access token.
+
+    For token exchange, *body_data* will have the attributes
+        - "grant_type": "authorization_code"
+        - "code": <16-character-random-code>
+        - "redirect_uri": <callback-url>
+    For token refresh, *body_data* will have the attributes
+        - "grant_type": "refresh_token"
+        - "refresh_token": <current-refresh-token>
+
+    If the operation is successful, the token data is stored in the registry.
+    Otherwise, *errors* will contain the appropriate error message.
+
+    :param registry: the registry holding the authentication data
+    :param user_data: the user's data in the registry
+    :param body_data: the data to send in the body of the request
+    :param errors: incidental errors
+    :param logger: optional logger
+    :return: the access token obtained, or *None* if error
+    """
+    # initialize the return variable
+    result: str | None = None
+
+    # complete the data to send in body of request
+    body_data["client_id"] = registry["client-id"]
+    client_secret: str = registry["client-secret"]
+    if client_secret:
+        body_data["client_secret"] = client_secret
+
+    # obtain the token
+    err_msg: str | None = None
+    url: str = registry["base-url"] + "/protocol/openid-connect/token"
+    now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+    if logger:
+        logger.debug(msg=f"POST '{url}', data {json.dumps(obj=body_data,
+                                                          ensure_ascii=False)}")
+    try:
+        # typical return on a token request:
+        # {
+        #   "token_type": "Bearer",
+        #   "access_token": <str>,
+        #   "expires_in": <number-of-seconds>,
+        #   "refresh_token": <str>
+        # }
+        response: requests.Response = requests.post(url=url,
+                                                    data=body_data)
+        if response.status_code == 200:
+            # request succeeded
+            if logger:
+                logger.debug(msg=f"POST success, status {response.status_code}")
+            reply: dict[str, Any] = response.json()
+            result = reply.get("access_token")
+            user_data["access-token"] = result
+            # on token refresh, keep current refresh token if a new one is not provided
+            user_data["refresh-token"] = reply.get("refresh_token") or body_data.get("refresh_token")
+            user_data["access-expiration"] = now + reply.get("expires_in")
+        else:
+            # request resulted in error
+            err_msg = f"POST failure, status {response.status_code}, reason '{response.reason}'"
+            if hasattr(response, "content") and response.content:
+                err_msg += f", content '{response.content}'"
+            if response.status_code == 400 and body_data.get("grant_type") == "refresh_token":
+                # refresh token is no longer valid
+                user_data["refresh-token"] = None
+    except Exception as e:
+        # the operation raised an exception
+        err_msg = exc_format(exc=e,
+                             exc_info=sys.exc_info())
+        err_msg = f"POST '{url}': error '{err_msg}'"
+
+    if err_msg:
+        if isinstance(errors, list):
+            errors.append(err_msg)
         if logger:
-            logger.debug(msg=f"User '{user_id}' removed from the registry")
+            logger.error(msg=err_msg)
+
+    return result
 
 
 def _log_init(request: Request) -> str:

pypomes_iam/iam_pomes.py

@@ -0,0 +1,176 @@
+from flask import Response, redirect, request, jsonify
+from logging import Logger
+from typing import Any
+
+from .common_pomes import (
+    _service_login, _service_logout,
+    _service_callback, _service_token, _log_init
+)
+from .jusbr_pomes import _jusbr_logger, _jusbr_registry
+from .keycloak_pomes import _keycloak_logger, _keycloak_registry
+
+
+# @flask_app.route(rule=<login_endpoint>,  # JUSBR_LOGIN_ENDPOINT: /iam/jusbr:login
+#                  methods=["GET"])
+# @flask_app.route(rule=<login_endpoint>,  # KEYCLOAK_LOGIN_ENDPOINT: /iam/keycloak:logout
+#                  methods=["GET"])
+def service_login() -> Response:
+    """
+    Entry point for the JusBR login service.
+
+    Redirect the request to the JusBR authentication page, with the appropriate parameters.
+
+    :return: the response from the redirect operation
+    """
+    logger: Logger
+    registry: dict[str, Any]
+    if request.endpoint == "jusbr-login":
+        logger = _jusbr_logger
+        registry = _jusbr_registry
+    else:
+        logger = _keycloak_logger
+        registry = _keycloak_registry
+
+    # log the request
+    if logger:
+        logger.debug(msg=_log_init(request=request))
+
+    # obtain the redirect URL
+    auth_url: str = _service_login(registry=registry,
+                                   args=request.args,
+                                   logger=logger)
+    # redirect the request
+    result: Response = redirect(location=auth_url)
+
+    # log the response
+    if logger:
+        logger.debug(msg=f"Response {result}")
+
+    return result
+
+
+# @flask_app.route(rule=<logout_endpoint>,  # JUSBR_LOGOUT_ENDPOINT: /iam/jusbr:logout
+#                  methods=["GET"])
+# @flask_app.route(rule=<login_endpoint>,  # KEYCLOAK_LOGOUT_ENDPOINT: /iam/keycloak:logout
+#                  methods=["GET"])
+def service_logout() -> Response:
+    """
+    Entry point for the JusBR logout service.
+
+    Remove all data associating the user with JusBR from the registry.
+
+    :return: response *OK*
+    """
+    logger: Logger
+    registry: dict[str, Any]
+    if request.endpoint == "jusbr-logout":
+        logger = _jusbr_logger
+        registry = _jusbr_registry
+    else:
+        logger = _keycloak_logger
+        registry = _keycloak_registry
+
+    # log the request
+    if logger:
+        logger.debug(msg=_log_init(request=request))
+
+    # logout the user
+    _service_logout(registry=registry,
+                    args=request.args,
+                    logger=logger)
+
+    result: Response = Response(status=200)
+
+    # log the response
+    if logger:
+        logger.debug(msg=f"Response {result}")
+
+    return result
+
+
+# @flask_app.route(rule=<callback_endpoint>,  # JUSBR_CALLBACK_ENDPOINT: /iam/jusbr:callback
+#                  methods=["GET", "POST"])
+# @flask_app.route(rule=<callback_endpoint>,  # KEYCLOAK_CALLBACK_ENDPOINT: /iam/keycloak:callback
+#                  methods=["POST"])
+def service_callback() -> Response:
+    """
+    Entry point for the callback from JusBR on authentication operation.
+
+    :return: the response containing the token, or *BAD REQUEST*
+    """
+    logger: Logger
+    registry: dict[str, Any]
+    if request.endpoint == "jusbr-callback":
+        logger = _jusbr_logger
+        registry = _jusbr_registry
+    else:
+        logger = _keycloak_logger
+        registry = _keycloak_registry
+
+    # log the request
+    if logger:
+        logger.debug(msg=_log_init(request=request))
+
+    # process the callback operation
+    errors: list[str] = []
+    token_data: tuple[str, str] = _service_callback(registry=registry,
+                                                    args=request.args,
+                                                    errors=errors,
+                                                    logger=logger)
+    result: Response
+    if errors:
+        result = jsonify({"errors": "; ".join(errors)})
+        result.status_code = 400
+    else:
+        result = jsonify({
+            "user_id": token_data[0],
+            "access_token": token_data[1]})
+
+    # log the response
+    if logger:
+        logger.debug(msg=f"Response {result}")
+
+    return result
+
+
+# @flask_app.route(rule=<token_endpoint>,  # JUSBR_TOKEN_ENDPOINT: /iam/jusbr:get-token
+#                  methods=["GET"])
+# @flask_app.route(rule=<token_endpoint>,  # JUSBR_TOKEN_ENDPOINT: /iam/jusbr:get-token
+#                  methods=["GET"])
+def service_token() -> Response:
+    """
+    Entry point for retrieving the JusBR token.
+
+    :return: the response containing the token, or *UNAUTHORIZED*
+    """
+    logger: Logger
+    registry: dict[str, Any]
+    if request.endpoint == "jusbr-token":
+        logger = _jusbr_logger
+        registry = _jusbr_registry
+    else:
+        logger = _keycloak_logger
+        registry = _keycloak_registry
+
+    # log the request
+    if logger:
+        logger.debug(msg=_log_init(request=request))
+
+    # retrieve the token
+    errors: list[str] = []
+    token: str = _service_token(registry=registry,
+                                args=request.args,
+                                errors=errors,
+                                logger=logger)
+    result: Response
+    if token:
+        result = jsonify({"token": token})
+    else:
+        result = Response("; ".join(errors))
+        result.status_code = 401
+
+    # log the response
+    if logger:
+        logger.debug(msg=f"Response {result}")
+
+    return result