PyPI - pypomes-iam - Versions diffs - 0.2.9__py3-none-any.whl → 0.7.0__py3-none-any.whl - Mend

pypomes-iam 0.2.9py3-none-any.whl → 0.7.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of pypomes-iam might be problematic. Click here for more details.

Files changed (14) hide show

pypomes_iam/__init__.py +20 -8
pypomes_iam/iam_actions.py +878 -0
pypomes_iam/iam_common.py +295 -334
pypomes_iam/iam_pomes.py +135 -192
pypomes_iam/iam_services.py +394 -0
pypomes_iam/provider_pomes.py +175 -72
pypomes_iam/token_pomes.py +59 -7
{pypomes_iam-0.2.9.dist-info → pypomes_iam-0.7.0.dist-info}/METADATA +1 -2
pypomes_iam-0.7.0.dist-info/RECORD +11 -0
pypomes_iam/jusbr_pomes.py +0 -114
pypomes_iam/keycloak_pomes.py +0 -117
pypomes_iam-0.2.9.dist-info/RECORD +0 -11
{pypomes_iam-0.2.9.dist-info → pypomes_iam-0.7.0.dist-info}/WHEEL +0 -0
{pypomes_iam-0.2.9.dist-info → pypomes_iam-0.7.0.dist-info}/licenses/LICENSE +0 -0

pypomes_iam/iam_common.py CHANGED Viewed

@@ -1,427 +1,388 @@
-import json
 import requests
-import secrets
-import string
 import sys
-from cachetools import Cache
 from datetime import datetime
-from enum import StrEnum
-from flask import Request
+from enum import StrEnum, auto
 from logging import Logger
 from pypomes_core import TZ_LOCAL, exc_format
 from pypomes_crypto import crypto_jwk_convert
+from threading import RLock
 from typing import Any, Final
 class IamServer(StrEnum):
-    IAM_JUSRBR = "iam-jusbr",
-    IAM_KEYCLOAK = "iam-keycloak"
+    """
+    Supported IAM servers.
+    """
+    JUSBR = auto()
+    KEYCLOAK = auto()
+class IamParam(StrEnum):
+    """
+    Parameters for configuring *IAM* servers.
+    """
+    ADMIN_ID = "admin-id"
+    ADMIN_SECRET = "admin-secret"
+    CLIENT_ID = "client-id"
+    CLIENT_REALM = "client-realm"
+    CLIENT_SECRET = "client-secret"
+    ENDPOINT_CALLBACK = "endpoint-callback"
+    ENDPOINT_LOGIN = "endpoint-login"
+    ENDPOINT_LOGOUT = "endpoint_logout"
+    ENDPOINT_TOKEN = "endpoint-token"
+    ENDPOINT_EXCHANGE = "endpoint-exchange"
+    LOGIN_TIMEOUT = "login-timeout"
+    PK_EXPIRATION = "pk-expiration"
+    PK_LIFETIME = "pk-lifetime"
+    PUBLIC_KEY = "public-key"
+    RECIPIENT_ATTR = "recipient-attr"
+    URL_BASE = "url-base"
+    USERS = "users"
+class UserParam(StrEnum):
+    """
+    Parameters for handling *IAM* users.
+    """
+    ACCESS_TOKEN = "access-token"
+    REFRESH_TOKEN = "refresh-token"
+    ACCESS_EXPIRATION = "access-expiration"
+    REFRESH_EXPIRATION = "refresh-expiration"
+    # transient attributes
+    LOGIN_EXPIRATION = "login-expiration"
+    LOGIN_ID = "login-id"
+    REDIRECT_URI = "redirect-uri"
+# The configuration parameters for the IAM servers are specified dynamically dynamically with *iam_setup()*
+# Specifying configuration parameters with environment variables can be done in two ways:
+#
+# 1. for a single *IAM* server, specify the data set
+#       - *<APP_PREFIX>_IAM_ADMIN_ID*             (optional, needed if administrative duties are performed)
+#       - *<APP_PREFIX>_IAM_ADMIN_PWD*            (optional, needed if administrative duties are performed)
+#       - *<APP_PREFIX>_IAM_CLIENT_ID*            (required)
+#       - *<APP_PREFIX>_IAM_CLIENT_REALM*         (required)
+#       - *<APP_PREFIX>_IAM_CLIENT_SECRET*        (required)
+#       - *<APP_PREFIX>_IAM_ENDPOINT_CALLBACK*    (required)
+#       - *<APP_PREFIX>_IAM_ENDPOINT_EXCHANGE*    (required)
+#       - *<APP_PREFIX>_IAM_ENDPOINT_LOGIN*       (required)
+#       - *<APP_PREFIX>_IAM_ENDPOINT_LOGOUT*      (required)
+#       - *<APP_PREFIX>_IAM_ENDPOINT_PROVIDER*    (optional, needed if requesting tokens to providers)
+#       - *<APP_PREFIX>_IAM_ENDPOINT_TOKEN*       (required)
+#       - *<APP_PREFIX>_IAM_LOGIN_TIMEOUT*        (optional, defaults to no timeout)
+#       - *<APP_PREFIX>_IAM_PK_LIFETIME*          (optional, defaults to non-terminating lifetime)
+#       - *<APP_PREFIX>_IAM_RECIPIENT_ATTR*       (required)
+#       - *<APP_PREFIX>_IAM_URL_BASE*             (required)
+#
+# 2. for multiple *IAM* servers, specify the data set above for each server,
+#    respectively replacing *IAM* with a name in *IamServer* (currently, *JUSBR* and *KEYCLOAK* are supported).
+#
+# 3. the parameters *PUBLIC_KEY*, *PK_EXPIRATION*, and *USERS* cannot be assigned values,
+#    as they are reserved for internal use
 # registry structure:
 # { <IamServer>:
 #    {
+#       "base-url": <str>,
+#       "admin-id": <str>,
+#       "admin-secret": <str>,
 #       "client-id": <str>,
 #       "client-secret": <str>,
+#       "client-realm": <str,
 #       "client-timeout": <int>,
-#       "public_key": <str>,
+#       "recipient-attr": <str>,
+#       "public-key": <str>,
 #       "pk-lifetime": <int>,
 #       "pk-expiration": <int>,
-#       "base-url": <str>,
-#       "logger": <Logger>,
-#       "cache": <FIFOCache>,
-#       "redirect-uri": <str>  <-- transient
+#       "users": {}
 #    },
 #    ...
 # }
-# data in "cache":
+# data in "users":
 # {
-#    "users": {
-#       "<user-id>": {
-#          "access-token": <str>
-#          "refresh-token": <str>
-#          "access-expiration": <timestamp>,
-#          "refresh-expiration": <timestamp>,
-#          "login-expiration": <timestamp>,    <-- transient
-#          "login-id": <str>,                  <-- transient
-#       }
-#    },
+#   "<user-id>": {
+#      "access-token": <str>
+#      "refresh-token": <str>
+#      "access-expiration": <timestamp>,
+#      "refresh-expiration": <timestamp>,
+#      # transient attributes
+#      "login-expiration": <timestamp>,
+#      "login-id": <str>,
+#      "redirect-uri": <str>
+#   },
 #   ...
 # }
-IAM_SERVERS: Final[dict[IamServer, dict[str, Any]]] = {}
+_IAM_SERVERS: Final[dict[IamServer, dict[IamParam, Any]]] = {}
-def _service_login(registry: dict[str, Any],
-                   args: dict[str, Any],
-                   logger: Logger | None) -> dict[str, str]:
-    """
-    Build the callback URL for redirecting the request to the IAM's authentication page.
-    :param registry: the registry holding the authentication data
-    :param args: the arguments passed when requesting the service
-    :param logger: optional logger
-    :return: the callback URL, with the appropriate parameters
-    """
-    # retrieve user data
-    oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
-    # build the user data
-    #   ('oauth_state' is a randomly-generated string, thus 'user_data' is always a new entry)
-    user_data: dict[str, Any] = _get_user_data(registry=registry,
-                                               user_id=oauth_state,
-                                               logger=logger)
-    user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
-    user_data["login-id"] = user_id
-    timeout: int = _get_login_timeout(registry=registry)
-    user_data["login-expiration"] = int(datetime.now(tz=TZ_LOCAL).timestamp()) + timeout if timeout else None
-    redirect_uri: str = args.get("redirect-uri")
-    registry["redirect-uri"] = redirect_uri
-    # build the login url
-    return {
-        "login-url": (f"{registry["base-url"]}/protocol/openid-connect/auth"
-                      f"?response_type=code&scope=openid"
-                      f"&client_id={registry["client-id"]}"
-                      f"&redirect_uri={redirect_uri}"
-                      f"&state={oauth_state}")
-    }
-def _service_logout(registry: dict[str, Any],
-                    args: dict[str, Any],
-                    logger: Logger | None) -> None:
-    """
-    Remove all data associating *user_id* from *registry*.
-    :param registry: the registry holding the authentication data
-    :param args: the arguments passed when requesting the service
-    :param logger: optional logger
-    """
-    # remove the user data
-    user_id: str = args.get("user-id") or args.get("login")
-    if user_id:
-        cache: Cache = registry["cache"]
-        users: dict[str, dict[str, Any]] = cache.get("users")
-        if user_id in users:
-            users.pop(user_id)
-            if logger:
-                logger.debug(msg=f"User '{user_id}' removed from the registry")
+# the lock protecting the data in '_IAM_SERVERS'
+# (because it is 'Final' and set at declaration time, it can be accessed through simple imports)
+_iam_lock: Final[RLock] = RLock()
-def _service_callback(registry: dict[str, Any],
-                      args: dict[str, Any],
-                      errors: list[str],
-                      logger: Logger | None) -> tuple[str, str]:
+def _iam_server_from_endpoint(endpoint: str,
+                              errors: list[str] | None,
+                              logger: Logger | None) -> IamServer | None:
     """
-    Entry point for the callback from JusBR via the front-end application on authentication operation.
+    Retrieve the registered *IAM* server associated with the service's invocation *endpoint*.
-    :param registry: the registry holding the authentication data
-    :param args: the arguments passed when requesting the service
-    :param errors: incidental errors
+    :param endpoint: the service's invocation endpoint
+    :param errors: incidental error messages
     :param logger: optional logger
+    :return: the corresponding *IAM* server, or *None* if one could not be obtained
     """
-    from .token_pomes import token_validate
     # initialize the return variable
-    result: tuple[str, str] | None = None
-    # retrieve the users authentication data
-    cache: Cache = registry["cache"]
-    users: dict[str, dict[str, Any]] = cache.get("users")
-    # validate the OAuth2 state
-    oauth_state: str = args.get("state")
-    user_data: dict[str, Any] | None = None
-    if oauth_state:
-        for user, data in users.items():
-            if user == oauth_state:
-                user_data = data
-                break
-    # exchange 'code' for the token
-    if user_data:
-        expiration: int = user_data["login-expiration"] or sys.maxsize
-        if int(datetime.now(tz=TZ_LOCAL).timestamp()) > expiration:
-            errors.append("Operation timeout")
-        else:
-            users.pop(oauth_state)
-            code: str = args.get("code")
-            body_data: dict[str, Any] = {
-                "grant_type": "authorization_code",
-                "code": code,
-                "redirect_uri": registry.get("redirect-uri"),
-            }
-            token = _post_for_token(registry=registry,
-                                    user_data=user_data,
-                                    body_data=body_data,
-                                    errors=errors,
-                                    logger=logger)
-            # retrieve the token's claims
-            if not errors:
-                public_key: str = _get_public_key(registry=registry,
-                                                  logger=logger)
-                token_claims: dict[str, dict[str, Any]] = token_validate(token=token,
-                                                                         issuer=registry["base-url"],
-                                                                         public_key=public_key,
-                                                                         errors=errors,
-                                                                         logger=logger)
-                if not errors:
-                    token_user: str = token_claims["payload"].get("preferred_username")
-                    login_id = user_data.pop("login-id", None)
-                    if not login_id or (login_id == token_user):
-                        users[token_user] = user_data
-                        result = (token_user, token)
-                    else:
-                        errors.append(f"Token was issued to user '{token_user}'")
-    else:
-        errors.append("Unknown state received")
+    result: IamServer | None = None
-    if errors and logger:
-        logger.error(msg="; ".join(errors))
+    for iam_server in _IAM_SERVERS:
+        if endpoint.startswith(iam_server):
+            result = iam_server
+            break
+    if not result:
+        msg: str = f"Unable to find a IAM server to service endpoint '{endpoint}'"
+        if logger:
+            logger.error(msg=msg)
+        if isinstance(errors, list):
+            errors.append(msg)
     return result
-def _service_token(registry: dict[str, Any],
-                   args: dict[str, Any],
-                   errors: list[str] = None,
-                   logger: Logger = None) -> str:
+def _iam_server_from_issuer(issuer: str,
+                            errors: list[str] | None,
+                            logger: Logger | None) -> IamServer | None:
     """
-    Retrieve the authentication token for user *user_id*.
+    Retrieve the registered *IAM* server associated with the token's *issuer*.
-    :param registry: the registry holding the authentication data
-    :param args: the arguments passed when requesting the service
+    :param issuer: the token's issuer
     :param errors: incidental error messages
     :param logger: optional logger
-    :return: the token for *user_id*, or *None* if error
+    :return: the corresponding *IAM* server, or *None* if one could not be obtained
     """
     # initialize the return variable
-    result: str | None = None
+    result: IamServer | None = None
-    user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
-    user_data: dict[str, Any] = _get_user_data(registry=registry,
-                                               user_id=user_id,
-                                               logger=logger)
-    err_msg: str | None = None
-    token: str = user_data["access-token"]
-    if token:
-        access_expiration: int = user_data.get("access-expiration")
-        now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-        if now < access_expiration:
-            result = token
-        else:
-            # access token has expired
-            refresh_token: str = user_data["refresh-token"]
-            if refresh_token:
-                refresh_expiration = user_data["refresh-expiration"]
-                if now < refresh_expiration:
-                    body_data: dict[str, str] = {
-                        "grant_type": "refresh_token",
-                        "refresh_token": refresh_token
-                    }
-                    result = _post_for_token(registry=registry,
-                                             user_data=user_data,
-                                             body_data=body_data,
-                                             errors=errors,
-                                             logger=logger)
-                else:
-                    # refresh token has expired
-                    err_msg = "Access and refresh tokens expired"
-            else:
-                err_msg = "Access token expired, no refresh token available"
-    else:
-        err_msg = f"User '{user_id}' not authenticated"
-    if err_msg and (logger or isinstance(errors, list)):
-        err_msg: str = f"User '{user_id}' not authenticated"
-        if isinstance(errors, list):
-            errors.append(err_msg)
+    for iam_server, registry in _IAM_SERVERS.items():
+        base_url: str = f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+        if base_url == issuer:
+            result = IamServer(iam_server)
+            break
+    if not result:
+        msg: str = f"Unable to find a IAM server associated with token issuer '{issuer}'"
         if logger:
-            logger.error(msg=err_msg)
-            logger.error(msg=err_msg)
+            logger.error(msg=msg)
+        if isinstance(errors, list):
+            errors.append(msg)
     return result
-def _get_public_key(registry: dict[str, Any],
+def _get_public_key(iam_server: IamServer,
+                    errors: list[str] | None,
                     logger: Logger | None) -> str:
     """
-    Obtain the public key used by the *IAM* to sign the authentication tokens.
+    Obtain the public key used by *iam_server* to sign the authentication tokens.
+    This is accomplished by requesting the token issuer for its *JWKS* (JSON Web Key Set),
+    containing the public keys used for various purposes, as indicated in the attribute *use*:
+        - *enc*: the key is intended for encryption
+        - *sig*: the key is intended for digital signature
+        - *wrap*: the key is intended for key wrapping
+    A typical JWKS set has the following format (for simplicity, 'n' and 'x5c' are truncated):
+        {
+            "keys": [
+                {
+                    "kid": "X2QEcSQ4Tg2M2EK6s2nhRHZH_GwD_zxZtiWVwP4S0tg",
+                    "kty": "RSA",
+                    "alg": "RSA256",
+                    "use": "sig",
+                    "n": "tQmDmyM3tMFt5FMVMbqbQYpaDPf6A5l4e_kTVDBiHrK_bRlGfkk8hYm5SNzNzCZ...",
+                    "e": "AQAB",
+                    "x5c": [
+                        "MIIClzCCAX8CBgGZY0bqrTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARpanVk..."
+                    ],
+                    "x5t": "MHfVp4kBjEZuYOtiaaGsfLCL15Q",
+                    "x5t#S256": "QADezSLgD8emuonBz8hn8ghTnxo7AHX4NVNkr4luEhk"
+                },
+                ...
+            ]
+        }
-    The public key is saved in *registry*.
+    Once the signature key is obtained, it is converted from its original *JWK* (JSON Web Key) format
+    to *PEM* (Privacy-Enhanced Mail) format. The public key is saved in *iam_server*'s registry.
-    :param registry: the registry holding the authentication data
-    :return: the public key, in *PEM* format
+    :param iam_server: the reference registered *IAM* server
+    :param errors: incidental error messages
+    :param logger: optional logger
+    :return: the public key in *PEM* format, or *None* if error
     """
     # initialize the return variable
     result: str | None = None
-    now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-    if now > registry["pk-expiration"]:
-        # obtain a new public key
-        url: str = f"{registry["base-url"]}/protocol/openid-connect/certs"
-        if logger:
-            logger.debug(msg=f"GET '{url}'")
-        response: requests.Response = requests.get(url=url)
-        if response.status_code == 200:
-            # request succeeded
+    registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
+                                                 errors=errors,
+                                                 logger=logger)
+    if registry:
+        now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+        if now > registry[IamParam.PK_EXPIRATION]:
+            # obtain the JWKS (JSON Web Key Set) from the token issuer
+            base_url: str = f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+            url: str = f"{base_url}/protocol/openid-connect/certs"
             if logger:
-                logger.debug(msg=f"GET success, status {response.status_code}")
-            reply: dict[str, Any] = response.json()
-            result = crypto_jwk_convert(jwk=reply["keys"][0],
-                                        fmt="PEM")
-            registry["public-key"] = result
-            lifetime: int = registry["pk-lifetime"] or 0
-            registry["pk-expiration"] = now + lifetime
-        elif logger:
-            msg: str = f"GET failure, status {response.status_code}, reason '{response.reason}'"
-            if hasattr(response, "content") and response.content:
-                msg += f", content '{response.content}'"
-            logger.error(msg=msg)
-    else:
-        result = registry["public-key"]
+                logger.debug(msg=f"Obtaining signature public key used by IAM server '{iam_server}'")
+                logger.debug(msg=f"GET {url}")
+            try:
+                response: requests.Response = requests.get(url=url)
+                if response.status_code == 200:
+                    # request succeeded
+                    if logger:
+                        logger.debug(msg=f"GET success, status {response.status_code}")
+                    # select the appropriate JWK
+                    reply: dict[str, list[dict[str, str]]] = response.json()
+                    jwk: dict[str, str] | None = None
+                    for key in reply["keys"]:
+                        if key.get("use") == "sig":
+                            jwk = key
+                            break
+                    if jwk:
+                        # convert from 'JWK' to 'PEM' and save it for further use
+                        result = crypto_jwk_convert(jwk=jwk,
+                                                    fmt="PEM")
+                        registry[IamParam.PUBLIC_KEY] = result
+                        lifetime: int = registry[IamParam.PK_LIFETIME] or 0
+                        registry[IamParam.PK_EXPIRATION] = now + lifetime if lifetime else sys.maxsize
+                        if logger:
+                            logger.debug("Public key obtained and saved")
+                    else:
+                        msg = "Signature public key missing from the token issuer's JWKS"
+                        if logger:
+                            logger.error(msg=msg)
+                        if isinstance(errors, list):
+                            errors.append(msg)
+                elif logger:
+                    msg: str = f"GET failure, status {response.status_code}, reason {response.reason}"
+                    if hasattr(response, "content") and response.content:
+                        msg += f", content {response.content}"
+                    logger.error(msg=msg)
+                    if isinstance(errors, list):
+                        errors.append(msg)
+            except Exception as e:
+                # the operation raised an exception
+                msg = exc_format(exc=e,
+                                 exc_info=sys.exc_info())
+                if logger:
+                    logger.error(msg=msg)
+                if isinstance(errors, list):
+                    errors.append(msg)
+        else:
+            result = registry[IamParam.PUBLIC_KEY]
     return result
-def _get_login_timeout(registry: dict[str, Any]) -> int | None:
+def _get_login_timeout(iam_server: IamServer,
+                       errors: list[str] | None,
+                       logger: Logger) -> int | None:
     """
-    Retrieve from *registry* the timeout currently applicable for the login operation.
+    Retrieve the timeout currently applicable for the login operation.
-    :param registry: the registry holding the authentication data
-    :return: the current login timeout, or *None* if none has been set.
+    :param iam_server: the reference registered *IAM* server
+    :param errors: incidental error messages
+    :param logger: optional logger
+    :return: the current login timeout, or *None* if the server is unknown or none has been set.
     """
-    timeout: int = registry.get("client-timeout")
-    return timeout if isinstance(timeout, int) and timeout > 0 else None
+    # initialize the return variable
+    result: int | None = None
+    registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
+                                                 errors=errors,
+                                                 logger=logger)
+    if registry:
+        timeout: int = registry.get("client-timeout")
+        if isinstance(timeout, int) and timeout > 0:
+            result = timeout
+    return result
-def _get_user_data(registry: dict[str, Any],
+def _get_user_data(iam_server: IamServer,
                    user_id: str,
-                   logger: Logger | None) -> dict[str, Any]:
+                   errors: list[str] | None,
+                   logger: Logger | None) -> dict[str, Any] | None:
     """
-    Retrieve the data for *user_id* from *registry*.
+    Retrieve the data for *user_id* from *iam_server*'s registry.
     If an entry is not found for *user_id* in the registry, it is created.
     It will remain there until the user is logged out.
-    :param registry: the registry holding the authentication data
-    :return: the data for *user_id* in the registry
+    :param iam_server: the reference registered *IAM* server
+    :param errors: incidental error messages
+    :param logger: optional logger
+    :return: the data for *user_id* in *iam_server*'s registry, or *None* if the server is unknown
     """
-    cache: Cache = registry["cache"]
-    users: dict[str, dict[str, Any]] = cache.get("users")
-    result: dict[str, Any] = users.get(user_id)
-    if not result:
-        result = {
-            "access-token": None,
-            "refresh-token": None,
-            "access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
-            "refresh-expiration": sys.maxsize
-        }
-        users[user_id] = result
-        if logger:
-            logger.debug(msg=f"Entry for '{user_id}' added to the registry")
-    elif logger:
-        logger.debug(msg=f"Entry for '{user_id}' obtained from the registry")
+    # initialize the return variable
+    result: dict[str, Any] | None = None
+    users: dict[str, dict[str, Any]] = _get_iam_users(iam_server=iam_server,
+                                                      errors=errors,
+                                                      logger=logger)
+    if isinstance(users, dict):
+        result = users.get(user_id)
+        if not result:
+            result = {
+                UserParam.ACCESS_TOKEN: None,
+                UserParam.REFRESH_TOKEN: None,
+                UserParam.ACCESS_EXPIRATION: int(datetime.now(tz=TZ_LOCAL).timestamp()),
+                UserParam.REFRESH_EXPIRATION: sys.maxsize
+            }
+            users[user_id] = result
+            if logger:
+                logger.debug(msg=f"Entry for '{user_id}' added to {iam_server}'s registry")
+        elif logger:
+            logger.debug(msg=f"Entry for '{user_id}' obtained from {iam_server}'s registry")
     return result
-def _post_for_token(registry: dict[str, Any],
-                    user_data: dict[str, Any],
-                    body_data: dict[str, Any],
-                    errors: list[str] | None,
-                    logger: Logger | None) -> str | None:
+def _get_iam_registry(iam_server: IamServer,
+                      errors: list[str] | None,
+                      logger: Logger | None) -> dict[str, Any]:
     """
-    Send a POST request to obtain the authentication token data, and return the access token.
-    For token exchange, *body_data* will have the attributes
-        - "grant_type": "authorization_code"
-        - "code": <16-character-random-code>
-        - "redirect_uri": <redirect-uri>
-    For token refresh, *body_data* will have the attributes
-        - "grant_type": "refresh_token"
-        - "refresh_token": <current-refresh-token>
-    If the operation is successful, the token data is stored in the registry.
-    Otherwise, *errors* will contain the appropriate error message.
-    :param registry: the registry holding the authentication data
-    :param user_data: the user's data in the registry
-    :param body_data: the data to send in the body of the request
-    :param errors: incidental errors
+    Retrieve the registry associated with *iam_server*.
+    :param iam_server: the reference registered *IAM* server
+    :param errors: incidental error messages
     :param logger: optional logger
-    :return: the access token obtained, or *None* if error
+    :return: the registry associated with *iam_server*, or *None* if the server is unknown
     """
-    # initialize the return variable
-    result: str | None = None
+    # assign the return variable
+    result: dict[str, Any] = _IAM_SERVERS.get(iam_server)
-    # complete the data to send in body of request
-    body_data["client_id"] = registry["client-id"]
-    client_secret: str = registry["client-secret"]
-    if client_secret:
-        body_data["client_secret"] = client_secret
-    # obtain the token
-    err_msg: str | None = None
-    url: str = registry["base-url"] + "/protocol/openid-connect/token"
-    now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-    if logger:
-        logger.debug(msg=f"POST '{url}', data {json.dumps(obj=body_data,
-                                                          ensure_ascii=False)}")
-    try:
-        # typical return on a token request:
-        # {
-        #   "token_type": "Bearer",
-        #   "access_token": <str>,
-        #   "expires_in": <number-of-seconds>,
-        #   "refresh_token": <str>,
-        #   "refesh_expires_in": <number-of-seconds>
-        # }
-        response: requests.Response = requests.post(url=url,
-                                                    data=body_data)
-        if response.status_code == 200:
-            # request succeeded
-            if logger:
-                logger.debug(msg=f"POST success, status {response.status_code}")
-            reply: dict[str, Any] = response.json()
-            result = reply.get("access_token")
-            user_data["access-token"] = result
-            # on token refresh, keep current refresh token if a new one is not provided
-            user_data["refresh-token"] = reply.get("refresh_token") or body_data.get("refresh_token")
-            user_data["access-expiration"] = now + reply.get("expires_in")
-            refresh_expiration: int = user_data.get("refresh_expires_in")
-            user_data["refresh-expiration"] = (now + refresh_expiration) if refresh_expiration else sys.maxsize
-        else:
-            # request resulted in error
-            err_msg = f"POST failure, status {response.status_code}, reason '{response.reason}'"
-            if hasattr(response, "content") and response.content:
-                err_msg += f", content '{response.content}'"
-            if response.status_code == 400 and body_data.get("grant_type") == "refresh_token":
-                # refresh token is no longer valid
-                user_data["refresh-token"] = None
-    except Exception as e:
-        # the operation raised an exception
-        err_msg = exc_format(exc=e,
-                             exc_info=sys.exc_info())
-        err_msg = f"POST '{url}': error '{err_msg}'"
-    if err_msg:
-        if isinstance(errors, list):
-            errors.append(err_msg)
+    if not result:
+        msg = f"Unknown IAM server '{iam_server}'"
         if logger:
-            logger.error(msg=err_msg)
+            logger.error(msg=msg)
+        if isinstance(errors, list):
+            errors.append(msg)
     return result
-def _log_init(request: Request) -> str:
+def _get_iam_users(iam_server: IamServer,
+                   errors: list[str] | None,
+                   logger: Logger | None) -> dict[str, dict[str, Any]]:
     """
-    Build the messages for logging the request entry.
+    Retrieve the users data storage in *iam_server*'s registry.
-    :param request: the Request object
-    :return: the log message
+    :param iam_server: the reference registered *IAM* server
+    :param errors: incidental error messages
+    :param logger: optional logger
+    :return: the users data storage in *iam_server*'s registry, or *None* if the server is unknown
     """
-    params: str = json.dumps(obj=request.args,
-                             ensure_ascii=False)
-    return f"Request {request.method}:{request.path}, params {params}"
+    registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
+                                                 errors=errors,
+                                                 logger=logger)
+    return registry[IamParam.USERS] if registry else None

pypomes-iam 0.2.9__py3-none-any.whl → 0.7.0__py3-none-any.whl

Potentially problematic release.

pypomes-iam 0.2.9py3-none-any.whl → 0.7.0py3-none-any.whl