pypomes-iam 0.2.9__py3-none-any.whl → 0.7.0__py3-none-any.whl

pypomes_iam/token_pomes.py

@@ -7,8 +7,49 @@ from pypomes_core import exc_format
 from typing import Any
 
 
+def token_get_claims(token: str,
+                     errors: list[str] = None,
+                     logger: Logger = None) -> dict[str, dict[str, Any]] | None:
+    """
+    Retrieve the claims set of a JWT *token*.
+
+    Any well-constructed JWT token may be provided in *token*.
+    Note that neither the token's signature nor its expiration is verified.
+
+    :param token: the refrence token
+    :param errors: incidental error messages
+    :param logger: optional logger
+    :return: the token's claimset, or *None* if error
+    """
+    # initialize the return variable
+    result: dict[str, dict[str, Any]] | None = None
+
+    if logger:
+        logger.debug(msg="Retrieve claims for token")
+
+    try:
+        header: dict[str, Any] = jwt.get_unverified_header(jwt=token)
+        payload: dict[str, Any] = jwt.decode(jwt=token,
+                                             options={"verify_signature": False})
+        result = {
+            "header": header,
+            "payload": payload
+        }
+    except Exception as e:
+        exc_err: str = exc_format(exc=e,
+                                  exc_info=sys.exc_info())
+        if logger:
+            logger.error(msg=f"Error retrieving the token's claims: {exc_err}")
+        if isinstance(errors, list):
+            errors.append(exc_err)
+
+    return result
+
+
 def token_validate(token: str,
                    issuer: str = None,
+                   recipient_id: str = None,
+                   recipient_attr: str = None,
                    public_key: str | bytes | PyJWK | RSAPublicKey = None,
                    errors: list[str] = None,
                    logger: Logger = None) -> dict[str, dict[str, Any]] | None:
@@ -24,15 +65,21 @@ def token_validate(token: str,
     If an asymmetric algorithm was used to sign the token and *public_key* is provided, then
     the token is validated, by using the data in its *signature* section.
 
+    The parameters *recipient_id* and *recipient_attr* refer the token's expected subject, respectively,
+    the subject's identification and the attribute in the token's payload data identifying its subject.
+    If both are provided, *recipient_id* is validated.
+
     On failure, *errors* will contain the reason(s) for rejecting *token*.
     On success, return the token's claims (*header* and *payload*).
 
     :param token: the token to be validated
     :param public_key: optional public key used to sign the token, in *PEM* format
     :param issuer: optional value to compare with the token's *iss* (issuer) attribute in its *payload*
+    :param recipient_id: identification of the expected token subject
+    :param recipient_attr: attribute in the token's payload holding the expected subject's identification
     :param errors: incidental error messages
     :param logger: optional logger
-    :return: The token's claims (*header* and *payload*) if it is valid, *None* otherwise
+    :return: The token's claims (*header* and *payload*), or *None* if error
     """
     # initialize the return variable
     result: dict[str, dict[str, Any]] | None = None
@@ -70,8 +117,6 @@ def token_validate(token: str,
             "verify_nbf": False,
             "verify_signature": token_alg in ["RS256", "RS512"] and public_key is not None
         }
-        if issuer:
-            options["require"].append("iss")
         try:
             # raises:
             #   InvalidTokenError: token is invalid
@@ -87,10 +132,17 @@ def token_validate(token: str,
                                                  algorithms=[token_alg],
                                                  options=options,
                                                  issuer=issuer)
-            result = {
-                "header": token_header,
-                "payload": payload
-            }
+            if recipient_id and recipient_attr and \
+                    payload.get(recipient_attr) and recipient_id != payload.get(recipient_attr):
+                msg: str = f"Token was issued to '{payload.get(recipient_attr)}', not to '{recipient_id}'"
+                if logger:
+                    logger.error(msg=msg)
+                errors.append(msg)
+            else:
+                result = {
+                    "header": token_header,
+                    "payload": payload
+                }
         except Exception as e:
             exc_err: str = exc_format(exc=e,
                                       exc_info=sys.exc_info())

{pypomes_iam-0.2.9.dist-info → pypomes_iam-0.7.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_iam
-Version: 0.2.9
+Version: 0.7.0
 Summary: A collection of Python pomes, penyeach (IAM modules)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-IAM
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-IAM/issues
@@ -10,7 +10,6 @@ Classifier: License :: OSI Approved :: MIT License
 Classifier: Operating System :: OS Independent
 Classifier: Programming Language :: Python :: 3
 Requires-Python: >=3.12
-Requires-Dist: cachetools>=6.2.1
 Requires-Dist: flask>=3.1.2
 Requires-Dist: pyjwt>=2.10.1
 Requires-Dist: pypomes-core>=2.8.1

pypomes_iam-0.7.0.dist-info/RECORD

@@ -0,0 +1,11 @@
+pypomes_iam/__init__.py,sha256=_6tSFfjuU-5p6TAMqNLHSL6IQmaJMSYuEW-TG3ybhTI,1044
+pypomes_iam/iam_actions.py,sha256=5nomjeylTUSEtLCAvRnM1ayblsVx2hGDYzQn2twk8kk,42727
+pypomes_iam/iam_common.py,sha256=ki_-m6fqJqUbGjgTD41r9zaE-FOXgA_c_tLisIYYTfU,15457
+pypomes_iam/iam_pomes.py,sha256=_kLnrZG25XhJsIv3wqDl_2sIJ2ho_2TIMKrPCyPmA7Q,7362
+pypomes_iam/iam_services.py,sha256=uUD333SaTbo8MGRyIp5GGil7HAupK73ym4_bKtGkPFg,15878
+pypomes_iam/provider_pomes.py,sha256=3mMj5LQs53YEINUEOfFBAxOwOP3aOR_szlE4daEBLK0,10523
+pypomes_iam/token_pomes.py,sha256=K4nSAotKUoHIE2s3ltc_nVimlNeKS9tnD-IlslkAvkk,6626
+pypomes_iam-0.7.0.dist-info/METADATA,sha256=H2XjOEqG8t1umbwLIj8CM4AU0G9ufNN0mbEPIHfH4ko,661
+pypomes_iam-0.7.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+pypomes_iam-0.7.0.dist-info/licenses/LICENSE,sha256=YvUELgV8qvXlaYsy9hXG5EW3Bmsrkw-OJmmILZnonAc,1086
+pypomes_iam-0.7.0.dist-info/RECORD,,

pypomes_iam/jusbr_pomes.py

@@ -1,114 +0,0 @@
-from cachetools import Cache, FIFOCache
-from datetime import datetime
-from flask import Flask
-from logging import Logger
-from pypomes_core import (
-    APP_PREFIX, TZ_LOCAL, env_get_int, env_get_str
-)
-from typing import Any, Final
-
-from .iam_common import IAM_SERVERS, IamServer, _service_token
-
-JUSBR_CLIENT_ID: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_CLIENT_ID")
-JUSBR_CLIENT_SECRET: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_CLIENT_SECRET")
-JUSBR_CLIENT_TIMEOUT: Final[int] = env_get_int(key=f"{APP_PREFIX}_JUSBR_CLIENT_TIMEOUT")
-
-JUSBR_ENDPOINT_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_ENDPOINT_CALLBACK",
-                                                  def_value="/iam/jusbr:callback")
-JUSBR_ENDPOINT_LOGIN: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_ENDPOINT_LOGIN",
-                                               def_value="/iam/jusbr:login")
-JUSBR_ENDPOINT_LOGOUT: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_ENDPOINT_LOGOUT",
-                                                def_value="/iam/jusbr:logout")
-JUSBR_ENDPOINT_TOKEN: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_ENDPOINT_TOKEN",
-                                               def_value="/iam/jusbr:get-token")
-
-JUSBR_PUBLIC_KEY_LIFETIME: Final[int] = env_get_int(key=f"{APP_PREFIX}_JUSBR_PUBLIC_KEY_LIFETIME",
-                                                    def_value=86400)  # 24 hours
-JUSBR_URL_AUTH_BASE: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_URL_AUTH_BASE")
-
-
-def jusbr_setup(flask_app: Flask,
-                client_id: str = JUSBR_CLIENT_ID,
-                client_secret: str = JUSBR_CLIENT_SECRET,
-                client_timeout: int = JUSBR_CLIENT_TIMEOUT,
-                public_key_lifetime: int = JUSBR_PUBLIC_KEY_LIFETIME,
-                callback_endpoint: str = JUSBR_ENDPOINT_CALLBACK,
-                token_endpoint: str = JUSBR_ENDPOINT_TOKEN,
-                login_endpoint: str = JUSBR_ENDPOINT_LOGIN,
-                logout_endpoint: str = JUSBR_ENDPOINT_LOGOUT,
-                base_url: str = JUSBR_URL_AUTH_BASE,
-                logger: Logger = None) -> None:
-    """
-    Configure the JusBR IAM.
-
-    This should be invoked only once, before the first access to a JusBR service.
-
-    :param flask_app: the Flask application
-    :param client_id: the client's identification with JusBR
-    :param client_secret: the client's password with JusBR
-    :param client_timeout: timeout for login authentication (in seconds,defaults to no timeout)
-    :param public_key_lifetime: how long to use JusBR's public key, before refreshing it (in seconds)
-    :param callback_endpoint: endpoint for the callback from JusBR
-    :param token_endpoint: endpoint for retrieving the JusBR authentication token
-    :param login_endpoint: endpoint for redirecting user to JusBR login page
-    :param logout_endpoint: endpoint for terminating user access to JusBR
-    :param base_url: base URL to request the JusBR services
-    :param logger: optional logger
-    """
-    from .iam_pomes import service_login, service_logout, service_callback, service_token
-
-    # configure the JusBR registry
-    cache: Cache = FIFOCache(maxsize=1048576)
-    cache["users"] = {}
-    IAM_SERVERS[IamServer.IAM_JUSRBR] = {
-        "client-id": client_id,
-        "client-secret": client_secret,
-        "client-timeout": client_timeout,
-        "base-url": base_url,
-        "pk-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
-        "pk-lifetime": public_key_lifetime,
-        "cache": cache,
-        "logger": logger,
-        "redirect-uri": None
-    }
-
-    # establish the endpoints
-    if login_endpoint:
-        flask_app.add_url_rule(rule=login_endpoint,
-                               endpoint="jusbr-login",
-                               view_func=service_login,
-                               methods=["GET"])
-    if logout_endpoint:
-        flask_app.add_url_rule(rule=logout_endpoint,
-                               endpoint="jusbr-logout",
-                               view_func=service_logout,
-                               methods=["GET"])
-    if callback_endpoint:
-        flask_app.add_url_rule(rule=callback_endpoint,
-                               endpoint="jusbr-callback",
-                               view_func=service_callback,
-                               methods=["GET", "POST"])
-    if token_endpoint:
-        flask_app.add_url_rule(rule=token_endpoint,
-                               endpoint="jusbr-token",
-                               view_func=service_token,
-                               methods=["GET"])
-
-
-def jusbr_get_token(user_id: str,
-                    errors: list[str] = None,
-                    logger: Logger = None) -> str:
-    """
-    Retrieve a JusBR authentication token for *user_id*.
-
-    :param user_id: the user's identification
-    :param errors: incidental errors
-    :param logger: optional logger
-    :return: the uthentication tokem
-    """
-    # retrieve the token
-    args: dict[str, Any] = {"user-id": user_id}
-    return _service_token(registry=IAM_SERVERS[IamServer.IAM_JUSRBR],
-                          args=args,
-                          errors=errors,
-                          logger=logger)

pypomes_iam/keycloak_pomes.py

@@ -1,117 +0,0 @@
-from cachetools import Cache, FIFOCache
-from datetime import datetime
-from flask import Flask
-from logging import Logger
-from pypomes_core import (
-    APP_PREFIX, TZ_LOCAL, env_get_int, env_get_str
-)
-from typing import Any, Final
-
-from .iam_common import IAM_SERVERS, IamServer, _service_token
-
-KEYCLOAK_CLIENT_ID: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_ID")
-KEYCLOAK_CLIENT_SECRET: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_SECRET")
-KEYCLOAK_CLIENT_TIMEOUT: Final[int] = env_get_int(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_TIMEOUT")
-
-KEYCLOAK_ENDPOINT_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_ENDPOINT_CALLBACK",
-                                                     def_value="/iam/keycloak:callback")
-KEYCLOAK_ENDPOINT_LOGIN: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_ENDPOINT_LOGIN",
-                                                  def_value="/iam/keycloak:login")
-KEYCLOAK_ENDPOINT_LOGOUT: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_ENDPOINT_LOGOUT",
-                                                   def_value="/iam/keycloak:logout")
-KEYCLOAK_ENDPOINT_TOKEN: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_ENDPOINT_TOKEN",
-                                                  def_value="/iam/keycloak:get-token")
-
-KEYCLOAK_PUBLIC_KEY_LIFETIME: Final[int] = env_get_int(key=f"{APP_PREFIX}_KEYCLOAK_PUBLIC_KEY_LIFETIME",
-                                                       def_value=86400)  # 24 hours
-KEYCLOAK_REALM: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_REALM")
-KEYCLOAK_URL_AUTH_BASE: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_URL_AUTH_BASE")
-
-
-def keycloak_setup(flask_app: Flask,
-                   client_id: str = KEYCLOAK_CLIENT_ID,
-                   client_secret: str = KEYCLOAK_CLIENT_SECRET,
-                   client_timeout: int = KEYCLOAK_CLIENT_TIMEOUT,
-                   public_key_lifetime: int = KEYCLOAK_PUBLIC_KEY_LIFETIME,
-                   realm: str = KEYCLOAK_REALM,
-                   callback_endpoint: str = KEYCLOAK_ENDPOINT_CALLBACK,
-                   token_endpoint: str = KEYCLOAK_ENDPOINT_TOKEN,
-                   login_endpoint: str = KEYCLOAK_ENDPOINT_LOGIN,
-                   logout_endpoint: str = KEYCLOAK_ENDPOINT_LOGOUT,
-                   base_url: str = KEYCLOAK_URL_AUTH_BASE,
-                   logger: Logger = None) -> None:
-    """
-    Configure the Keycloak IAM.
-
-    This should be invoked only once, before the first access to a Keycloak service.
-
-    :param flask_app: the Flask application
-    :param client_id: the client's identification with JusBR
-    :param client_secret: the client's password with JusBR
-    :param client_timeout: timeout for login authentication (in seconds,defaults to no timeout)
-    :param public_key_lifetime: how long to use Keycloak's public key, before refreshing it (in seconds)
-    :param realm: the Keycloak realm
-    :param callback_endpoint: endpoint for the callback from JusBR
-    :param token_endpoint: endpoint for retrieving the JusBR authentication token
-    :param login_endpoint: endpoint for redirecting user to JusBR login page
-    :param logout_endpoint: endpoint for terminating user access to JusBR
-    :param base_url: base URL to request the JusBR services
-    :param logger: optional logger
-    """
-    from .iam_pomes import service_login, service_logout, service_callback, service_token
-
-    # configure the Keycloak registry
-    cache: Cache = FIFOCache(maxsize=1048576)
-    cache["users"] = {}
-    IAM_SERVERS[IamServer.IAM_KEYCLOAK] = {
-        "client-id": client_id,
-        "client-secret": client_secret,
-        "client-timeout": client_timeout,
-        "base-url": f"{base_url}/realms/{realm}",
-        "pk-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
-        "pk-lifetime": public_key_lifetime,
-        "cache": cache,
-        "logger": logger,
-        "redirect-uri": None
-    }
-
-    # establish the endpoints
-    if login_endpoint:
-        flask_app.add_url_rule(rule=login_endpoint,
-                               endpoint="keycloak-login",
-                               view_func=service_login,
-                               methods=["GET"])
-    if logout_endpoint:
-        flask_app.add_url_rule(rule=logout_endpoint,
-                               endpoint="keycloak-logout",
-                               view_func=service_logout,
-                               methods=["GET"])
-    if callback_endpoint:
-        flask_app.add_url_rule(rule=callback_endpoint,
-                               endpoint="keycloak-callback",
-                               view_func=service_callback,
-                               methods=["POST"])
-    if token_endpoint:
-        flask_app.add_url_rule(rule=token_endpoint,
-                               endpoint="keycloak-token",
-                               view_func=service_token,
-                               methods=["GET"])
-
-
-def keycloak_get_token(user_id: str,
-                       errors: list[str] = None,
-                       logger: Logger = None) -> str:
-    """
-    Retrieve a Keycloak authentication token for *user_id*.
-
-    :param user_id: the user's identification
-    :param errors: incidental errors
-    :param logger: optional logger
-    :return: the uthentication tokem
-    """
-    # retrieve the token
-    args: dict[str, Any] = {"user-id": user_id}
-    return _service_token(registry=IAM_SERVERS[IamServer.IAM_KEYCLOAK],
-                          args=args,
-                          errors=errors,
-                          logger=logger)

pypomes_iam-0.2.9.dist-info/RECORD

@@ -1,11 +0,0 @@
-pypomes_iam/__init__.py,sha256=u-gNGbsayMf-2SWTB8VcoTCADoczZuwNEH50BPxTZZ8,682
-pypomes_iam/iam_common.py,sha256=_3Fx8kAJCthRTvQtlZg1gx0hWlUn4ko_ASROwsU9dJM,17017
-pypomes_iam/iam_pomes.py,sha256=iiJrqS_np2aUyY4JS0Vi1QEcGHBQfnPkdMpTyctceUk,7722
-pypomes_iam/jusbr_pomes.py,sha256=Zh4nbKiBD2c4slYxgXoricCSScI8SROQproFfZ_55BI,5322
-pypomes_iam/keycloak_pomes.py,sha256=zVoLG0yNKGW1CP1bCf3yQiFw-8ZtOG7YG3VGZDq9_3c,5681
-pypomes_iam/provider_pomes.py,sha256=eP8XzjTUEpwejTkO0wmDiqKjqbIEOzRNCR2ju5E15og,5856
-pypomes_iam/token_pomes.py,sha256=OSllw00XnU-sE9EKXo8jZAto0zfFLBi83dvllLs-Sc0,4402
-pypomes_iam-0.2.9.dist-info/METADATA,sha256=fBxgk8sTkXy8Sky-zZMj6V0ZKE2Af3ksVZt94WtDFhk,694
-pypomes_iam-0.2.9.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-pypomes_iam-0.2.9.dist-info/licenses/LICENSE,sha256=YvUELgV8qvXlaYsy9hXG5EW3Bmsrkw-OJmmILZnonAc,1086
-pypomes_iam-0.2.9.dist-info/RECORD,,