PyPI - pypomes-iam - Versions diffs - 0.2.9__py3-none-any.whl → 0.7.0__py3-none-any.whl - Mend

pypomes-iam 0.2.9py3-none-any.whl → 0.7.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of pypomes-iam might be problematic. Click here for more details.

Files changed (14) hide show

pypomes_iam/__init__.py +20 -8
pypomes_iam/iam_actions.py +878 -0
pypomes_iam/iam_common.py +295 -334
pypomes_iam/iam_pomes.py +135 -192
pypomes_iam/iam_services.py +394 -0
pypomes_iam/provider_pomes.py +175 -72
pypomes_iam/token_pomes.py +59 -7
{pypomes_iam-0.2.9.dist-info → pypomes_iam-0.7.0.dist-info}/METADATA +1 -2
pypomes_iam-0.7.0.dist-info/RECORD +11 -0
pypomes_iam/jusbr_pomes.py +0 -114
pypomes_iam/keycloak_pomes.py +0 -117
pypomes_iam-0.2.9.dist-info/RECORD +0 -11
{pypomes_iam-0.2.9.dist-info → pypomes_iam-0.7.0.dist-info}/WHEEL +0 -0
{pypomes_iam-0.2.9.dist-info → pypomes_iam-0.7.0.dist-info}/licenses/LICENSE +0 -0

pypomes_iam/iam_pomes.py CHANGED Viewed

@@ -1,213 +1,156 @@
-import json
-import requests
-from flask import Response, request, jsonify
+from flask import Flask
 from logging import Logger
+from pypomes_core import APP_PREFIX, env_get_int, env_get_str
 from typing import Any
 from .iam_common import (
-    IAM_SERVERS, IamServer,
-    _service_login, _service_logout,
-    _service_callback, _service_token, _log_init
+    _IAM_SERVERS, IamServer, IamParam, _iam_lock
+)
+from .iam_actions import action_token
+from .iam_services import (
+    service_login, service_logout, service_callback, service_exchange, service_token
 )
-# @flask_app.route(rule=<login_endpoint>,  # JUSBR_LOGIN_ENDPOINT: /iam/jusbr:login
-#                  methods=["GET"])
-# @flask_app.route(rule=<login_endpoint>,  # KEYCLOAK_LOGIN_ENDPOINT: /iam/keycloak:logout
-#                  methods=["GET"])
-def service_login() -> Response:
-    """
-    Entry point for the JusBR login service.
-    Redirect the request to the JusBR authentication page, with the appropriate parameters.
-    :return: the response from the redirect operation
-    """
-    # retrieve logger and registry
-    registry: dict[str, Any] = __get_iam_registry(endpoint=request.endpoint)
-    logger: Logger = registry["logger"]
-    # log the request
-    if logger:
-        logger.debug(msg=_log_init(request=request))
-    # obtain the login URL
-    login_data: dict[str,  str] = _service_login(registry=registry,
-                                                 args=request.args,
-                                                 logger=logger)
-    result = jsonify(login_data)
-    # log the response
-    if logger:
-        logger.debug(msg=f"Response {result}")
-    return result
-# @flask_app.route(rule=<logout_endpoint>,  # JUSBR_LOGOUT_ENDPOINT: /iam/jusbr:logout
-#                  methods=["GET"])
-# @flask_app.route(rule=<login_endpoint>,  # KEYCLOAK_LOGOUT_ENDPOINT: /iam/keycloak:logout
-#                  methods=["GET"])
-def service_logout() -> Response:
+def iam_setup(flask_app: Flask,
+              iam_server: IamServer,
+              base_url: str,
+              client_id: str,
+              client_realm: str,
+              client_secret: str | None,
+              recipient_attribute: str,
+              admin_id: str = None,
+              admin_secret: str = None,
+              login_timeout: int = None,
+              public_key_lifetime: int = None,
+              callback_endpoint: str = None,
+              exchange_endpoint: str = None,
+              login_endpoint: str = None,
+              logout_endpoint: str = None,
+              token_endpoint: str = None) -> None:
     """
-    Entry point for the JusBR logout service.
-    Remove all data associating the user with JusBR from the registry.
-    :return: response *OK*
+    Establish the provided parameters for configuring the *IAM* server *iam_server*.
+    The parameters *admin_id* and *admin_* are required only if administrative are task are planned.
+    The optional parameter *client_timeout* refers to the maximum time in seconds allowed for the
+    user to login at the *IAM* server's login page, and defaults to no time limit.
+    The parameter *client_secret* is required in most requests to the *IAM* server. In the case
+    it is not provided, but *admin_id* and *admin_secret* are, it is obtained from the *IAM* server itself
+    the first time it is needed.
+    :param flask_app: the Flask application
+    :param iam_server: identifies the supported *IAM* server (currently, *jusbr* or *keycloak*)
+    :param base_url: base URL to request services
+    :param client_id: the client's identification with the *IAM* server
+    :param client_realm: the client realm
+    :param client_secret: the client's password with the *IAM* server
+    :param recipient_attribute: attribute in the token's payload holding the token's subject
+    :param admin_id: identifies the realm administrator
+    :param admin_secret: password for the realm administrator
+    :param login_timeout: timeout for login authentication (in seconds,defaults to no timeout)
+    :param public_key_lifetime: how long to use *IAM* server's public key, before refreshing it (in seconds)
+    :param callback_endpoint: endpoint for the callback from the front end
+    :param exchange_endpoint: endpoint for requesting token exchange
+    :param login_endpoint: endpoint for redirecting user to the *IAM* server's login page
+    :param logout_endpoint: endpoint for terminating user access
+    :param token_endpoint: endpoint for retrieving authentication token
     """
-    # retrieve logger and registry
-    registry: dict[str, Any] = __get_iam_registry(endpoint=request.endpoint)
-    logger: Logger = registry["logger"]
-    # log the request
-    if logger:
-        logger.debug(msg=_log_init(request=request))
-    # logout the user
-    _service_logout(registry=registry,
-                    args=request.args,
-                    logger=logger)
-    result: Response = Response(status=200)
-    # log the response
-    if logger:
-        logger.debug(msg=f"Response {result}")
-    return result
+    # configure the Keycloak registry
+    with _iam_lock:
+        _IAM_SERVERS[iam_server] = {
+            IamParam.URL_BASE: base_url,
+            IamParam.CLIENT_ID: client_id,
+            IamParam.CLIENT_REALM: client_realm,
+            IamParam.CLIENT_SECRET: client_secret,
+            IamParam.RECIPIENT_ATTR: recipient_attribute,
+            IamParam.ADMIN_ID: admin_id,
+            IamParam.ADMIN_SECRET: admin_secret,
+            IamParam.LOGIN_TIMEOUT: login_timeout,
+            IamParam.PK_LIFETIME: public_key_lifetime,
+            IamParam.PK_EXPIRATION: 0,
+            IamParam.PUBLIC_KEY: None,
+            IamParam.USERS: {}
+        }
-# @flask_app.route(rule=<callback_endpoint>,  # JUSBR_CALLBACK_ENDPOINT: /iam/jusbr:callback
-#                  methods=["GET", "POST"])
-# @flask_app.route(rule=<callback_endpoint>,  # KEYCLOAK_CALLBACK_ENDPOINT: /iam/keycloak:callback
-#                  methods=["POST"])
-def service_callback() -> Response:
+    # establish the endpoints
+    if callback_endpoint:
+        flask_app.add_url_rule(rule=callback_endpoint,
+                               endpoint=f"{iam_server}-callback",
+                               view_func=service_callback,
+                               methods=["GET"])
+    if login_endpoint:
+        flask_app.add_url_rule(rule=login_endpoint,
+                               endpoint=f"{iam_server}-login",
+                               view_func=service_login,
+                               methods=["GET"])
+    if logout_endpoint:
+        flask_app.add_url_rule(rule=logout_endpoint,
+                               endpoint=f"{iam_server}-logout",
+                               view_func=service_logout,
+                               methods=["GET"])
+    if token_endpoint:
+        flask_app.add_url_rule(rule=token_endpoint,
+                               endpoint=f"{iam_server}-token",
+                               view_func=service_token,
+                               methods=["GET"])
+    if exchange_endpoint:
+        flask_app.add_url_rule(rule=exchange_endpoint,
+                               endpoint=f"{iam_server}-exchange",
+                               view_func=service_exchange,
+                               methods=["POST"])
+def iam_get_env_parameters(iam_prefix: str = None) -> dict[str, Any]:
     """
-    Entry point for the callback from JusBR on authentication operation.
+    Retrieve the set parameters for a *IAM* server from the environment.
-    This callback is typically invoked from a front-end application after a successful login at the
-    JusBR login page, forwarding the data received.
+    the parameters are returned ready to be used as a '**kwargs' parameter set in a call to *iam_setup()*,
+    and sorted in the order appropriate to use them instead with a '*args' parameter set.
-    :return: the response containing the token, or *BAD REQUEST*
+    :param iam_prefix: the prefix classifying the parameters
+    :return: the sorted parameters classified by *prefix*
     """
-    # retrieve logger and registry
-    registry: dict[str, Any] = __get_iam_registry(endpoint=request.endpoint)
-    logger: Logger = registry["logger"]
-    # log the request
-    if logger:
-        logger.debug(msg=_log_init(request=request))
-    # process the callback operation
-    errors: list[str] = []
-    token_data: tuple[str, str] = _service_callback(registry=registry,
-                                                    args=request.args,
-                                                    errors=errors,
-                                                    logger=logger)
-    # exchange the token
-    if request.endpoint.startswith("jusbr-"):
-        keycloak_registry: dict[str, Any] = __get_iam_registry(endpoint="keycloak-token")
-        payload: dict[str, str] = {
-            "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
-            "subject_token": token_data[1],
-            "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
-            "client_id": keycloak_registry["client-id"],
-            "client_secret": keycloak_registry["client-secret"],
-            "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
-            "audience": token_data[0]
-        }
-        exchange_url = f"{keycloak_registry['base-url']}/protocol/openid-connect/token"
-        if logger:
-            logger.debug(msg=f"POST '{exchange_url}', data {json.dumps(obj=payload,
-                                                                       ensure_ascii=False)}")
-        headers: dict[str, str] = {
-            "Content-Type": "application/x-www-form-urlencoded"
-        }
-        response: requests.Response = requests.post(url=exchange_url,
-                                                    data=payload,
-                                                    headers=headers)
-        if response.status_code == 200:
-            # request succeeded
-            if logger:
-                logger.debug(msg=f"POST success, status {response.status_code}")
-            reply: dict[str, Any] = response.json()
-            token_data = (token_data[0], reply.get("access_token"))
-        else:
-            # request resulted in error
-            err_msg = f"POST failure, status {response.status_code}, reason '{response.reason}'"
-            if hasattr(response, "content") and response.content:
-                err_msg += f", content '{response.content}'"
-            errors.append(err_msg)
-    result: Response
-    if errors:
-        result = jsonify({"errors": "; ".join(errors)})
-        result.status_code = 400
-    else:
-        result = jsonify({
-            "user-id": token_data[0],
-            "access-token": token_data[1]})
-    # log the response
-    if logger:
-        logger.debug(msg=f"Response {result}")
-    return result
-# @flask_app.route(rule=<token_endpoint>,  # JUSBR_TOKEN_ENDPOINT: /iam/jusbr:get-token
-#                  methods=["GET"])
-# @flask_app.route(rule=<token_endpoint>,  # JUSBR_TOKEN_ENDPOINT: /iam/jusbr:get-token
-#                  methods=["GET"])
-def service_token() -> Response:
+    return {
+        "base_url": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_URL_AUTH_BASE"),
+        "client_id": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_CLIENT_ID"),
+        "client_realm": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_CLIENT_REALM"),
+        "client_secret": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_CLIENT_SECRET"),
+        "recipient_attribute": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_RECIPIENT_ATTR"),
+        "admin_id": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_ADMIN_ID"),
+        "admin_secret": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_ADMIN_SECRET"),
+        "login_timeout": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_LOGIN_TIMEOUT"),
+        "public_key_lifetime": env_get_int(key=f"{APP_PREFIX}_{iam_prefix}_PUBLIC_KEY_LIFETIME"),
+        "callback_endpoint": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_ENDPOINT_CALLBACK"),
+        "exchange_endpoint": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_ENDPOINT_EXCHANGE"),
+        "login_endpoint": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_ENDPOINT_LOGIN"),
+        "logout_endpoint": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_ENDPOINT_LOGOUT"),
+        "token_endpoint": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_ENDPOINT_TOKEN")
+    }
+def iam_get_token(iam_server: IamServer,
+                  user_id: str,
+                  errors: list[str] = None,
+                  logger: Logger = None) -> str:
     """
-    Entry point for retrieving the JusBR token.
+    Retrieve an authentication token for *user_id*.
-    :return: the response containing the token, or *UNAUTHORIZED*
+    :param iam_server: identifies the *IAM* server
+    :param user_id: identifies the user
+    :param errors: incidental errors
+    :param logger: optional logger
+    :return: the uthentication tokem
     """
-    # retrieve logger and registry
-    registry: dict[str, Any] = __get_iam_registry(endpoint=request.endpoint)
-    logger: Logger = registry["logger"]
-    # log the request
-    if logger:
-        logger.debug(msg=_log_init(request=request))
+    # declare the return variable
+    result: str
     # retrieve the token
-    errors: list[str] = []
-    token: str = _service_token(registry=registry,
-                                args=request.args,
-                                errors=errors,
-                                logger=logger)
-    result: Response
-    if token:
-        result = jsonify({"token": token})
-    else:
-        result = Response("; ".join(errors))
-        result.status_code = 401
-    # log the response
-    if logger:
-        logger.debug(msg=f"Response {result}")
+    args: dict[str, Any] = {"user-id": user_id}
+    with _iam_lock:
+        result = action_token(iam_server=iam_server,
+                              args=args,
+                              errors=errors,
+                              logger=logger)
     return result
-def __get_iam_registry(endpoint: str) -> dict[str, Any]:
-    """
-    Retrieve the registry associated the the IAM identifies by *endpoint*.
-    :param endpoint: the service enpoint identifying the IAM.
-    :return: the tuple (*logger*, *registry*) associated with *endpoint*
-    """
-    # initialize the return variable
-    result: dict[str, Any] | None = None
-    if endpoint.startswith("jusbr-"):
-        result = IAM_SERVERS[IamServer.IAM_JUSRBR]
-    elif endpoint.startswith("keycloak-"):
-        result = IAM_SERVERS[IamServer.IAM_KEYCLOAK]
-    return result

pypomes-iam 0.2.9__py3-none-any.whl → 0.7.0__py3-none-any.whl

Potentially problematic release.

pypomes-iam 0.2.9py3-none-any.whl → 0.7.0py3-none-any.whl