PyPI - pypomes-iam - Versions diffs - 0.2.3__py3-none-any.whl → 0.7.0__py3-none-any.whl - Mend

pypomes-iam 0.2.3py3-none-any.whl → 0.7.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of pypomes-iam might be problematic. Click here for more details.

Files changed (15) hide show

pypomes_iam/__init__.py +20 -8
pypomes_iam/iam_actions.py +878 -0
pypomes_iam/iam_common.py +388 -0
pypomes_iam/iam_pomes.py +137 -157
pypomes_iam/iam_services.py +394 -0
pypomes_iam/provider_pomes.py +175 -72
pypomes_iam/token_pomes.py +63 -8
{pypomes_iam-0.2.3.dist-info → pypomes_iam-0.7.0.dist-info}/METADATA +1 -2
pypomes_iam-0.7.0.dist-info/RECORD +11 -0
pypomes_iam/common_pomes.py +0 -397
pypomes_iam/jusbr_pomes.py +0 -167
pypomes_iam/keycloak_pomes.py +0 -170
pypomes_iam-0.2.3.dist-info/RECORD +0 -11
{pypomes_iam-0.2.3.dist-info → pypomes_iam-0.7.0.dist-info}/WHEEL +0 -0
{pypomes_iam-0.2.3.dist-info → pypomes_iam-0.7.0.dist-info}/licenses/LICENSE +0 -0

pypomes_iam/token_pomes.py CHANGED Viewed

@@ -7,8 +7,49 @@ from pypomes_core import exc_format
 from typing import Any
+def token_get_claims(token: str,
+                     errors: list[str] = None,
+                     logger: Logger = None) -> dict[str, dict[str, Any]] | None:
+    """
+    Retrieve the claims set of a JWT *token*.
+    Any well-constructed JWT token may be provided in *token*.
+    Note that neither the token's signature nor its expiration is verified.
+    :param token: the refrence token
+    :param errors: incidental error messages
+    :param logger: optional logger
+    :return: the token's claimset, or *None* if error
+    """
+    # initialize the return variable
+    result: dict[str, dict[str, Any]] | None = None
+    if logger:
+        logger.debug(msg="Retrieve claims for token")
+    try:
+        header: dict[str, Any] = jwt.get_unverified_header(jwt=token)
+        payload: dict[str, Any] = jwt.decode(jwt=token,
+                                             options={"verify_signature": False})
+        result = {
+            "header": header,
+            "payload": payload
+        }
+    except Exception as e:
+        exc_err: str = exc_format(exc=e,
+                                  exc_info=sys.exc_info())
+        if logger:
+            logger.error(msg=f"Error retrieving the token's claims: {exc_err}")
+        if isinstance(errors, list):
+            errors.append(exc_err)
+    return result
 def token_validate(token: str,
                    issuer: str = None,
+                   recipient_id: str = None,
+                   recipient_attr: str = None,
                    public_key: str | bytes | PyJWK | RSAPublicKey = None,
                    errors: list[str] = None,
                    logger: Logger = None) -> dict[str, dict[str, Any]] | None:
@@ -24,15 +65,21 @@ def token_validate(token: str,
     If an asymmetric algorithm was used to sign the token and *public_key* is provided, then
     the token is validated, by using the data in its *signature* section.
+    The parameters *recipient_id* and *recipient_attr* refer the token's expected subject, respectively,
+    the subject's identification and the attribute in the token's payload data identifying its subject.
+    If both are provided, *recipient_id* is validated.
     On failure, *errors* will contain the reason(s) for rejecting *token*.
     On success, return the token's claims (*header* and *payload*).
     :param token: the token to be validated
     :param public_key: optional public key used to sign the token, in *PEM* format
     :param issuer: optional value to compare with the token's *iss* (issuer) attribute in its *payload*
+    :param recipient_id: identification of the expected token subject
+    :param recipient_attr: attribute in the token's payload holding the expected subject's identification
     :param errors: incidental error messages
     :param logger: optional logger
-    :return: The token's claims (*header* and *payload*) if it is valid, *None* otherwise
+    :return: The token's claims (*header* and *payload*), or *None* if error
     """
     # initialize the return variable
     result: dict[str, dict[str, Any]] | None = None
@@ -58,8 +105,11 @@ def token_validate(token: str,
     # validate the token
     if not errors:
         token_alg: str = token_header.get("alg")
+        require: list[str] = ["exp", "iat"]
+        if issuer:
+            require.append("iss")
         options: dict[str, Any] = {
-            "require": ["exp", "iat"],
+            "require": require,
             "verify_aud": False,
             "verify_exp": True,
             "verify_iat": True,
@@ -67,8 +117,6 @@ def token_validate(token: str,
             "verify_nbf": False,
             "verify_signature": token_alg in ["RS256", "RS512"] and public_key is not None
         }
-        if issuer:
-            options["require"].append("iss")
         try:
             # raises:
             #   InvalidTokenError: token is invalid
@@ -84,10 +132,17 @@ def token_validate(token: str,
                                                  algorithms=[token_alg],
                                                  options=options,
                                                  issuer=issuer)
-            result = {
-                "header": token_header,
-                "payload": payload
-            }
+            if recipient_id and recipient_attr and \
+                    payload.get(recipient_attr) and recipient_id != payload.get(recipient_attr):
+                msg: str = f"Token was issued to '{payload.get(recipient_attr)}', not to '{recipient_id}'"
+                if logger:
+                    logger.error(msg=msg)
+                errors.append(msg)
+            else:
+                result = {
+                    "header": token_header,
+                    "payload": payload
+                }
         except Exception as e:
             exc_err: str = exc_format(exc=e,
                                       exc_info=sys.exc_info())

{pypomes_iam-0.2.3.dist-info → pypomes_iam-0.7.0.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_iam
-Version: 0.2.3
+Version: 0.7.0
 Summary: A collection of Python pomes, penyeach (IAM modules)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-IAM
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-IAM/issues
@@ -10,7 +10,6 @@ Classifier: License :: OSI Approved :: MIT License
 Classifier: Operating System :: OS Independent
 Classifier: Programming Language :: Python :: 3
 Requires-Python: >=3.12
-Requires-Dist: cachetools>=6.2.1
 Requires-Dist: flask>=3.1.2
 Requires-Dist: pyjwt>=2.10.1
 Requires-Dist: pypomes-core>=2.8.1

pypomes_iam-0.7.0.dist-info/RECORD ADDED Viewed

@@ -0,0 +1,11 @@
+pypomes_iam/__init__.py,sha256=_6tSFfjuU-5p6TAMqNLHSL6IQmaJMSYuEW-TG3ybhTI,1044
+pypomes_iam/iam_actions.py,sha256=5nomjeylTUSEtLCAvRnM1ayblsVx2hGDYzQn2twk8kk,42727
+pypomes_iam/iam_common.py,sha256=ki_-m6fqJqUbGjgTD41r9zaE-FOXgA_c_tLisIYYTfU,15457
+pypomes_iam/iam_pomes.py,sha256=_kLnrZG25XhJsIv3wqDl_2sIJ2ho_2TIMKrPCyPmA7Q,7362
+pypomes_iam/iam_services.py,sha256=uUD333SaTbo8MGRyIp5GGil7HAupK73ym4_bKtGkPFg,15878
+pypomes_iam/provider_pomes.py,sha256=3mMj5LQs53YEINUEOfFBAxOwOP3aOR_szlE4daEBLK0,10523
+pypomes_iam/token_pomes.py,sha256=K4nSAotKUoHIE2s3ltc_nVimlNeKS9tnD-IlslkAvkk,6626
+pypomes_iam-0.7.0.dist-info/METADATA,sha256=H2XjOEqG8t1umbwLIj8CM4AU0G9ufNN0mbEPIHfH4ko,661
+pypomes_iam-0.7.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+pypomes_iam-0.7.0.dist-info/licenses/LICENSE,sha256=YvUELgV8qvXlaYsy9hXG5EW3Bmsrkw-OJmmILZnonAc,1086
+pypomes_iam-0.7.0.dist-info/RECORD,,

pypomes_iam/common_pomes.py DELETED Viewed

@@ -1,397 +0,0 @@
-import json
-import requests
-import secrets
-import string
-import sys
-from cachetools import Cache
-from datetime import datetime
-from flask import Request
-from logging import Logger
-from pypomes_core import TZ_LOCAL, exc_format
-from pypomes_crypto import crypto_jwk_convert
-from typing import Any
-# registry structure:
-# {
-#    "client-id": <str>,
-#    "client-secret": <str>,
-#    "client-timeout": <int>,
-#    "public_key": <str>,
-#    "key-lifetime": <int>,
-#    "key-expiration": <int>,
-#    "base-url": <str>,
-#    "callback-url": <str>,
-#    "safe-cache": <FIFOCache>
-# }
-# data in "safe-cache":
-# {
-#    "users": {
-#       "<user-id>": {
-#         "access-token": <str>
-#         "refresh-token": <str>
-#         "access-expiration": <timestamp>,
-#         "login-expiration": <timestamp>,   <-- transient
-#         "login-id": <str>,                 <-- transient
-#       }
-#    }
-# }
-def _service_login(registry: dict[str, Any],
-                   args: dict[str, Any],
-                   logger: Logger | None) -> str:
-    """
-    Build the callback URL for redirecting the request to the IAM's authentication page.
-    :param registry: the registry holding the authentication data
-    :param args: the arguments passed when requesting the service
-    :param logger: optional logger
-    :return: the callback URL, with the appropriate parameters
-    """
-    # retrieve user data
-    oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
-    # build the user data
-    #   ('oauth_state' is a randomly-generated string, thus 'user_data' is always a new entry)
-    user_data: dict[str, Any] = _get_user_data(registry=registry,
-                                               user_id=oauth_state,
-                                               logger=logger)
-    user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
-    user_data["login-id"] = user_id
-    timeout: int = _get_login_timeout(registry=registry)
-    user_data["login-expiration"] = int(datetime.now(tz=TZ_LOCAL).timestamp()) + timeout if timeout else None
-    # build the redirect url
-    result: str = (f"{registry["base-url"]}/protocol/openid-connect/auth"
-                   f"?response_type=code&scope=openid"
-                   f"&client_id={registry["client-id"]}"
-                   f"&redirect_uri={registry["callback-url"]}"
-                   f"&state={oauth_state}")
-    # logout the user
-    _service_logout(registry=registry,
-                    args=args,
-                    logger=logger)
-    return result
-def _service_logout(registry: dict[str, Any],
-                    args: dict[str, Any],
-                    logger: Logger | None) -> None:
-    """
-    Remove all data associating *user_id* from *registry*.
-    :param registry: the registry holding the authentication data
-    :param args: the arguments passed when requesting the service
-    :param logger: optional logger
-    """
-    # remove the user data
-    user_id: str = args.get("user-id") or args.get("login")
-    if user_id:
-        cache: Cache = registry["safe-cache"]
-        users: dict[str, dict[str, Any]] = cache.get("users")
-        if user_id in users:
-            users.pop(user_id)
-            if logger:
-                logger.debug(msg=f"User '{user_id}' removed from the registry")
-def _service_callback(registry: dict[str, Any],
-                      args: dict[str, Any],
-                      errors: list[str],
-                      logger: Logger | None) -> tuple[str, str]:
-    """
-    Entry point for the callback from JusBR on authentication operation.
-    :param registry: the registry holding the authentication data
-    :param args: the arguments passed when requesting the service
-    :param errors: incidental errors
-    :param logger: optional logger
-    """
-    from .token_pomes import token_validate
-    # initialize the return variable
-    result: tuple[str, str] | None = None
-    # retrieve the users authentication data
-    cache: Cache = registry["safe-cache"]
-    users: dict[str, dict[str, Any]] = cache.get("users")
-    # validate the OAuth2 state
-    oauth_state: str = args.get("state")
-    user_data: dict[str, Any] | None = None
-    if oauth_state:
-        for user, data in users.items():
-            if user == oauth_state:
-                user_data = data
-                break
-    # exchange 'code' for the token
-    if user_data:
-        expiration: int = user_data["login-expiration"] or sys.maxsize
-        if int(datetime.now(tz=TZ_LOCAL).timestamp()) > expiration:
-            errors.append("Operation timeout")
-        else:
-            users.pop(oauth_state)
-            code: str = args.get("code")
-            body_data: dict[str, Any] = {
-                "grant_type": "authorization_code",
-                "code": code,
-                "redirect_uri": registry.get("callback-url"),
-            }
-            token = _post_for_token(registry=registry,
-                                    user_data=user_data,
-                                    body_data=body_data,
-                                    errors=errors,
-                                    logger=logger)
-            # retrieve the token's claims
-            if not errors:
-                public_key: bytes = _get_public_key(registry=registry,
-                                                    logger=logger)
-                token_claims: dict[str, dict[str, Any]] = token_validate(token=token,
-                                                                         issuer=registry["base-url"],
-                                                                         public_key=public_key,
-                                                                         errors=errors,
-                                                                         logger=logger)
-                if not errors:
-                    token_user: str = token_claims["payload"].get("preferred_username")
-                    if token_user == oauth_state:
-                        users[token_user] = user_data
-                        result = (token_user, token)
-                    else:
-                        errors.append(f"Token was issued to user '{token_user}'")
-    else:
-        errors.append("Unknown state received")
-    return result
-def _service_token(registry: dict[str, Any],
-                   args: dict[str, Any],
-                   errors: list[str] = None,
-                   logger: Logger = None) -> str:
-    """
-    Retrieve the authentication token for user *user_id*.
-    :param registry: the registry holding the authentication data
-    :param args: the arguments passed when requesting the service
-    :param errors: incidental error messages
-    :param logger: optional logger
-    :return: the token for *user_id*, or *None* if error
-    """
-    # initialize the return variable
-    result: str | None = None
-    user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
-    user_data: dict[str, Any] = _get_user_data(registry=registry,
-                                               user_id=user_id,
-                                               logger=logger)
-    token: str = user_data["access-token"]
-    if token:
-        access_expiration: int = user_data.get("access-expiration")
-        now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-        if now < access_expiration:
-            result = token
-        else:
-            # access token has expired
-            refresh_token: str = user_data["refresh-token"]
-            if refresh_token:
-                body_data: dict[str, str] = {
-                    "grant_type": "refresh_token",
-                    "refresh_token": refresh_token
-                }
-                result = _post_for_token(registry=registry,
-                                         user_data=user_data,
-                                         body_data=body_data,
-                                         errors=errors,
-                                         logger=logger)
-    elif logger or isinstance(errors, list):
-        err_msg: str = f"User '{user_id}' not authenticated"
-        if isinstance(errors, list):
-            errors.append(err_msg)
-        if logger:
-            logger.error(msg=err_msg)
-    return result
-def _get_public_key(registry: dict[str, Any],
-                    logger: Logger | None) -> bytes:
-    """
-    Obtain the public key used by the *IAM* to sign the authentication tokens.
-    The public key is saved in *registry*.
-    :param registry: the registry holding the authentication data
-    :return: the public key, in *DER* format
-    """
-    # initialize the return variable
-    result: bytes | None = None
-    now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-    if now > registry["key-expiration"]:
-        # obtain a new public key
-        url: str = f"{registry["base-url"]}/protocol/openid-connect/certs"
-        if logger:
-            logger.debug(msg=f"GET '{url}'")
-        response: requests.Response = requests.get(url=url)
-        if response.status_code == 200:
-            # request succeeded
-            if logger:
-                logger.debug(msg=f"GET success, status {response.status_code}")
-            reply: dict[str, Any] = response.json()
-            result = crypto_jwk_convert(jwk=reply["keys"][0],
-                                        fmt="DER")
-            registry["public-key"] = result
-            duration: int = registry["key-lifetime"] or 0
-            registry["key-expiration"] = now + duration
-        elif logger:
-            msg: str = f"GET failure, status {response.status_code}, reason '{response.reason}'"
-            if hasattr(response, "content") and response.content:
-                msg += f", content '{response.content}'"
-            logger.error(msg=msg)
-    else:
-        result = registry["public-key"]
-    return result
-def _get_login_timeout(registry: dict[str, Any]) -> int | None:
-    """
-    Retrieve from *registry* the timeout currently applicable for the login operation.
-    :param registry: the registry holding the authentication data
-    :return: the current login timeout, or *None* if none has been set.
-    """
-    timeout: int = registry.get("client-timeout")
-    return timeout if isinstance(timeout, int) and timeout > 0 else None
-def _get_user_data(registry: dict[str, Any],
-                   user_id: str,
-                   logger: Logger | None) -> dict[str, Any]:
-    """
-    Retrieve the data for *user_id* from *registry*.
-    If an entry is not found for *user_id* in the registry, it is created.
-    It will remain there until the user is logged out.
-    :param registry: the registry holding the authentication data
-    :return: the data for *user_id* in the registry
-    """
-    cache: Cache = registry["safe-cache"]
-    users: dict[str, dict[str, Any]] = cache.get("users")
-    result: dict[str, Any] = users.get(user_id)
-    if not result:
-        result = {
-            "access-token": None,
-            "refresh-token": None,
-            "access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp())
-        }
-        users[user_id] = result
-        if logger:
-            logger.debug(msg=f"Entry for user '{user_id}' added to the registry")
-    elif logger:
-        logger.debug(msg=f"Entry for user '{user_id}' obtained from the registry")
-    return result
-def _post_for_token(registry: dict[str, Any],
-                    user_data: dict[str, Any],
-                    body_data: dict[str, Any],
-                    errors: list[str] | None,
-                    logger: Logger | None) -> str | None:
-    """
-    Send a POST request to obtain the authentication token data, and return the access token.
-    For token exchange, *body_data* will have the attributes
-        - "grant_type": "authorization_code"
-        - "code": <16-character-random-code>
-        - "redirect_uri": <callback-url>
-    For token refresh, *body_data* will have the attributes
-        - "grant_type": "refresh_token"
-        - "refresh_token": <current-refresh-token>
-    If the operation is successful, the token data is stored in the registry.
-    Otherwise, *errors* will contain the appropriate error message.
-    :param registry: the registry holding the authentication data
-    :param user_data: the user's data in the registry
-    :param body_data: the data to send in the body of the request
-    :param errors: incidental errors
-    :param logger: optional logger
-    :return: the access token obtained, or *None* if error
-    """
-    # initialize the return variable
-    result: str | None = None
-    # complete the data to send in body of request
-    body_data["client_id"] = registry["client-id"]
-    client_secret: str = registry["client-secret"]
-    if client_secret:
-        body_data["client_secret"] = client_secret
-    # obtain the token
-    err_msg: str | None = None
-    url: str = registry["base-url"] + "/protocol/openid-connect/token"
-    now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-    if logger:
-        logger.debug(msg=f"POST '{url}', data {json.dumps(obj=body_data,
-                                                          ensure_ascii=False)}")
-    try:
-        # typical return on a token request:
-        # {
-        #   "token_type": "Bearer",
-        #   "access_token": <str>,
-        #   "expires_in": <number-of-seconds>,
-        #   "refresh_token": <str>
-        # }
-        response: requests.Response = requests.post(url=url,
-                                                    data=body_data)
-        if response.status_code == 200:
-            # request succeeded
-            if logger:
-                logger.debug(msg=f"POST success, status {response.status_code}")
-            reply: dict[str, Any] = response.json()
-            result = reply.get("access_token")
-            user_data["access-token"] = result
-            # on token refresh, keep current refresh token if a new one is not provided
-            user_data["refresh-token"] = reply.get("refresh_token") or body_data.get("refresh_token")
-            user_data["access-expiration"] = now + reply.get("expires_in")
-        else:
-            # request resulted in error
-            err_msg = f"POST failure, status {response.status_code}, reason '{response.reason}'"
-            if hasattr(response, "content") and response.content:
-                err_msg += f", content '{response.content}'"
-            if response.status_code == 400 and body_data.get("grant_type") == "refresh_token":
-                # refresh token is no longer valid
-                user_data["refresh-token"] = None
-    except Exception as e:
-        # the operation raised an exception
-        err_msg = exc_format(exc=e,
-                             exc_info=sys.exc_info())
-        err_msg = f"POST '{url}': error '{err_msg}'"
-    if err_msg:
-        if isinstance(errors, list):
-            errors.append(err_msg)
-        if logger:
-            logger.error(msg=err_msg)
-    return result
-def _log_init(request: Request) -> str:
-    """
-    Build the messages for logging the request entry.
-    :param request: the Request object
-    :return: the log message
-    """
-    params: str = json.dumps(obj=request.args,
-                             ensure_ascii=False)
-    return f"Request {request.method}:{request.path}, params {params}"

pypomes-iam 0.2.3__py3-none-any.whl → 0.7.0__py3-none-any.whl

Potentially problematic release.

pypomes-iam 0.2.3py3-none-any.whl → 0.7.0py3-none-any.whl