PyPI - pypomes-iam - Versions diffs - 0.3.0__py3-none-any.whl → 0.3.2__py3-none-any.whl - Mend

pypomes-iam 0.3.0py3-none-any.whl → 0.3.2py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of pypomes-iam might be problematic. Click here for more details.

Files changed (12) hide show

pypomes_iam/__init__.py +5 -0
pypomes_iam/iam_common.py +241 -302
pypomes_iam/iam_pomes.py +279 -169
pypomes_iam/iam_services.py +243 -0
pypomes_iam/jusbr_pomes.py +20 -14
pypomes_iam/keycloak_pomes.py +38 -21
pypomes_iam/token_pomes.py +19 -4
{pypomes_iam-0.3.0.dist-info → pypomes_iam-0.3.2.dist-info}/METADATA +1 -1
pypomes_iam-0.3.2.dist-info/RECORD +12 -0
pypomes_iam-0.3.0.dist-info/RECORD +0 -11
{pypomes_iam-0.3.0.dist-info → pypomes_iam-0.3.2.dist-info}/WHEEL +0 -0
{pypomes_iam-0.3.0.dist-info → pypomes_iam-0.3.2.dist-info}/licenses/LICENSE +0 -0

pypomes_iam/iam_pomes.py CHANGED Viewed

@@ -1,216 +1,326 @@
-import json
-import requests
-from flask import Response, request, jsonify
+import secrets
+import string
+import sys
+from cachetools import Cache
+from datetime import datetime
 from logging import Logger
+from pypomes_core import TZ_LOCAL
 from typing import Any
 from .iam_common import (
-    IAM_SERVERS, IamServer,
-    _service_login, _service_logout,
-    _service_callback, _service_token, _log_init
+    IamServer,
+    _register_logger, _post_for_token,
+    _get_iam_cache, _get_iam_registry,
+    _get_login_timeout, _get_user_data, _get_public_key
 )
-# @flask_app.route(rule=<login_endpoint>,  # JUSBR_LOGIN_ENDPOINT: /iam/jusbr:login
-#                  methods=["GET"])
-# @flask_app.route(rule=<login_endpoint>,  # KEYCLOAK_LOGIN_ENDPOINT: /iam/keycloak:logout
-#                  methods=["GET"])
-def service_login() -> Response:
+def register_logger(logger: Logger) -> None:
     """
-    Entry point for the JusBR login service.
+    Register the logger for IAM operations.
-    Redirect the request to the JusBR authentication page, with the appropriate parameters.
-    :return: the response from the redirect operation
+    :param logger: the logger to be registered
     """
-    # retrieve logger and registry
-    registry: dict[str, Any] = __get_iam_registry(endpoint=request.endpoint)
-    logger: Logger = registry["logger"]
-    # log the request
-    if logger:
-        logger.debug(msg=_log_init(request=request))
+    _register_logger(logger=logger)
-    # obtain the login URL
-    login_data: dict[str,  str] = _service_login(registry=registry,
-                                                 args=request.args,
-                                                 logger=logger)
-    result = jsonify(login_data)
-    # log the response
-    if logger:
-        logger.debug(msg=f"Response {result}")
+def user_login(iam_server: IamServer,
+               args: dict[str, Any],
+               errors: list[str] = None,
+               logger: Logger = None) -> dict[str, str]:
+    """
+    Build the callback URL for redirecting the request to *iam_server*'s authentication page.
+    :param iam_server: the reference registered *IAM* server
+    :param args: the arguments passed when requesting the service
+    :param errors: incidental error messages
+    :param logger: optional logger
+    :return: the callback URL, with the appropriate parameters, of *None* if error
+    """
+    # initialize the return variable
+    result: dict[str, str] | None = None
+    # obtain the optional user's identification
+    user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
+    # build the user data
+    # ('oauth_state' is a randomly-generated string, thus 'user_data' is always a new entry)
+    oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
+    user_data: dict[str, Any] = _get_user_data(iam_server=iam_server,
+                                               user_id=oauth_state,
+                                               errors=errors,
+                                               logger=logger)
+    if user_data:
+        user_data["login-id"] = user_id
+        timeout: int = _get_login_timeout(iam_server=iam_server,
+                                          errors=errors,
+                                          logger=logger)
+        if not errors:
+            user_data["login-expiration"] = int(datetime.now(tz=TZ_LOCAL).timestamp()) + timeout if timeout else None
+            redirect_uri: str = args.get("redirect-uri")
+            # build the login url
+            registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
+                                                         errors=errors,
+                                                         logger=logger)
+            if registry:
+                registry["redirect-uri"] = redirect_uri
+                result = {"login-url": (f"{registry["base-url"]}/protocol/openid-connect/auth"
+                                        f"?response_type=code&scope=openid"
+                                        f"&client_id={registry["client-id"]}"
+                                        f"&redirect_uri={redirect_uri}"
+                                        f"&state={oauth_state}")}
     return result
-# @flask_app.route(rule=<logout_endpoint>,  # JUSBR_LOGOUT_ENDPOINT: /iam/jusbr:logout
-#                  methods=["GET"])
-# @flask_app.route(rule=<login_endpoint>,  # KEYCLOAK_LOGOUT_ENDPOINT: /iam/keycloak:logout
-#                  methods=["GET"])
-def service_logout() -> Response:
+def user_logout(iam_server: IamServer,
+                args: dict[str, Any],
+                errors: list[str] = None,
+                logger: Logger = None) -> None:
     """
-    Entry point for the JusBR logout service.
+    Logout the user, by removing all data associating it from *iam_server*'s registry.
-    Remove all data associating the user with JusBR from the registry.
+    The user is identified by the attribute *user-id*, *user_id*, or "login", provided in *args*.
+    If unsuccessful, this operation fails silently, unless an error has ocurred.
-    :return: response *OK*
+    :param iam_server: the reference registered *IAM* server
+    :param args: the arguments passed when requesting the service
+    :param errors: incidental error messages
+    :param logger: optional logger
     """
-    # retrieve logger and registry
-    registry: dict[str, Any] = __get_iam_registry(endpoint=request.endpoint)
-    logger: Logger = registry["logger"]
-    # log the request
-    if logger:
-        logger.debug(msg=_log_init(request=request))
-    # logout the user
-    _service_logout(registry=registry,
-                    args=request.args,
-                    logger=logger)
-    result: Response = Response(status=200)
-    # log the response
-    if logger:
-        logger.debug(msg=f"Response {result}")
-    return result
-# @flask_app.route(rule=<callback_endpoint>,  # JUSBR_CALLBACK_ENDPOINT: /iam/jusbr:callback
-#                  methods=["GET", "POST"])
-# @flask_app.route(rule=<callback_endpoint>,  # KEYCLOAK_CALLBACK_ENDPOINT: /iam/keycloak:callback
-#                  methods=["POST"])
-def service_callback() -> Response:
+    # obtain the user's identification
+    user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
+    if user_id:
+        # retrieve the IAM server's cache storage
+        cache: Cache = _get_iam_cache(iam_server=iam_server,
+                                      errors=errors,
+                                      logger=logger)
+        if cache:
+            users: dict[str, dict[str, Any]] = cache.get("users") or {}
+            if user_id in users:
+                users.pop(user_id)
+                if logger:
+                    logger.debug(msg=f"User '{user_id}' removed from {iam_server}'s registry")
+def user_token(iam_server: IamServer,
+               args: dict[str, Any],
+               errors: list[str] = None,
+               logger: Logger = None) -> str:
     """
-    Entry point for the callback from JusBR on authentication operation.
+    Retrieve the authentication token for the user, from *iam_server*.
-    This callback is typically invoked from a front-end application after a successful login at the
-    JusBR login page, forwarding the data received.
+    The user is identified by the attribute *user-id*, *user_id*, or "login", provided in *args*.
-    :return: the response containing the token, or *BAD REQUEST*
+    :param iam_server: the reference registered *IAM* server
+    :param args: the arguments passed when requesting the service
+    :param errors: incidental error messages
+    :param logger: optional logger
+    :return: the token for *user_id*, or *None* if error
     """
-    # retrieve logger and registry
-    registry: dict[str, Any] = __get_iam_registry(endpoint=request.endpoint)
-    logger: Logger = registry["logger"]
-    # log the request
-    if logger:
-        logger.debug(msg=_log_init(request=request))
-    # process the callback operation
-    errors: list[str] = []
-    token_data: tuple[str, str] = _service_callback(registry=registry,
-                                                    args=request.args,
-                                                    errors=errors,
-                                                    logger=logger)
-    # exchange the token
-    if request.endpoint.startswith("jusbr-"):
-        keycloak_registry: dict[str, Any] = __get_iam_registry(endpoint="keycloak-token")
-        payload: dict[str, str] = {
-            "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
-            "subject_token": token_data[1],
-            "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
-            "client_id": keycloak_registry["client-id"],
-            "client_secret": keycloak_registry["client-secret"],
-            "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
-            "audience": token_data[0],
-            "subject_issuer": "oidc"
-        }
-        exchange_url = f"{keycloak_registry['base-url']}/protocol/openid-connect/token"
-        if logger:
-            logger.debug(msg=f"POST '{exchange_url}', data {json.dumps(obj=payload,
-                                                                       ensure_ascii=False)}")
-        headers: dict[str, str] = {
-            "Content-Type": "application/x-www-form-urlencoded"
-        }
-        response: requests.Response = requests.post(url=exchange_url,
-                                                    data=payload,
-                                                    headers=headers)
-        if response.status_code == 200:
-            # request succeeded
-            if logger:
-                logger.debug(msg=f"POST success, status {response.status_code}")
-            reply: dict[str, Any] = response.json()
-            token_data = (token_data[0], reply.get("access_token"))
+    # initialize the return variable
+    result: str | None = None
+    # obtain the user's identification
+    user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
+    err_msg: str | None = None
+    if user_id:
+        user_data: dict[str, Any] = _get_user_data(iam_server=iam_server,
+                                                   user_id=user_id,
+                                                   errors=errors,
+                                                   logger=logger)
+        token: str = user_data["access-token"] if user_data else None
+        if token:
+            access_expiration: int = user_data.get("access-expiration")
+            now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+            if now < access_expiration:
+                result = token
+            else:
+                # access token has expired
+                refresh_token: str = user_data["refresh-token"]
+                if refresh_token:
+                    refresh_expiration = user_data["refresh-expiration"]
+                    if now < refresh_expiration:
+                        body_data: dict[str, str] = {
+                            "grant_type": "refresh_token",
+                            "refresh_token": refresh_token
+                        }
+                        token_data: dict[str, Any] = _post_for_token(iam_server=iam_server,
+                                                                     body_data=body_data,
+                                                                     errors=errors,
+                                                                     logger=logger)
+                        if token_data:
+                            result = token_data.get("access_token")
+                            user_data["access-token"] = result
+                            # keep current refresh token if a new one is not provided
+                            user_data["refresh-token"] = (token_data.get("refresh_token") or
+                                                          body_data.get("refresh_token"))
+                            user_data["access-expiration"] = now + token_data.get("expires_in")
+                            refresh_expiration: int = user_data.get("refresh_expires_in")
+                            user_data["refresh-expiration"] = (now + refresh_expiration) \
+                                if refresh_expiration else sys.maxsize
+                        else:
+                            # refresh token is no longer valid
+                            user_data["refresh-token"] = None
+                    else:
+                        # refresh token has expired
+                        err_msg = "Access and refresh tokens expired"
+                        if logger:
+                            logger.error(msg=err_msg)
+                else:
+                    err_msg = "Access token expired, no refresh token available"
+                    if logger:
+                        logger.error(msg=err_msg)
         else:
-            # request resulted in error
-            err_msg = f"POST failure, status {response.status_code}, reason '{response.reason}'"
-            if hasattr(response, "content") and response.content:
-                err_msg += f", content '{response.content}'"
-            errors.append(err_msg)
-    result: Response
-    if errors:
-        result = jsonify({"errors": "; ".join(errors)})
-        result.status_code = 400
-        if logger:
-            logger.error(msg=json.dumps(obj=result))
+            err_msg = f"User '{user_id}' not authenticated"
+            if logger:
+                logger.error(msg=err_msg)
     else:
-        result = jsonify({
-            "user-id": token_data[0],
-            "access-token": token_data[1]})
+        err_msg = "User identification not provided"
+        if logger:
+            logger.error(msg=err_msg)
-    # log the response
-    if logger:
-        logger.debug(msg=f"Response {result}")
+    if err_msg and isinstance(errors, list):
+        errors.append(err_msg)
     return result
-# @flask_app.route(rule=<token_endpoint>,  # JUSBR_TOKEN_ENDPOINT: /iam/jusbr:get-token
-#                  methods=["GET"])
-# @flask_app.route(rule=<token_endpoint>,  # JUSBR_TOKEN_ENDPOINT: /iam/jusbr:get-token
-#                  methods=["GET"])
-def service_token() -> Response:
+def login_callback(iam_server: IamServer,
+                   args: dict[str, Any],
+                   errors: list[str] = None,
+                   logger: Logger = None) -> tuple[str, str] | None:
     """
-    Entry point for retrieving the JusBR token.
+    Entry point for the callback from *iam_server* via the front-end application, on authentication operation.
-    :return: the response containing the token, or *UNAUTHORIZED*
+    :param iam_server: the reference registered *IAM* server
+    :param args: the arguments passed when requesting the service
+    :param errors: incidental errors
+    :param logger: optional logger
+    :return: a tuple cotaining the reference user identification and the token obtained, or *None* if error
     """
-    # retrieve logger and registry
-    registry: dict[str, Any] = __get_iam_registry(endpoint=request.endpoint)
-    logger: Logger = registry["logger"]
-    # log the request
-    if logger:
-        logger.debug(msg=_log_init(request=request))
-    # retrieve the token
-    errors: list[str] = []
-    token: str = _service_token(registry=registry,
-                                args=request.args,
-                                errors=errors,
-                                logger=logger)
-    result: Response
-    if token:
-        result = jsonify({"token": token})
-    else:
-        result = Response("; ".join(errors))
-        result.status_code = 401
+    from .token_pomes import token_validate
+    # initialize the return variable
+    result: tuple[str, str] | None = None
-    # log the response
-    if logger:
-        logger.debug(msg=f"Response {result}")
+    # retrieve the users authentication data
+    registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
+                                                 errors=errors,
+                                                 logger=logger)
+    cache: Cache = registry["cache"] if registry else None
+    if cache:
+        users: dict[str, dict[str, Any]] = cache.get("users")
+        # validate the OAuth2 state
+        oauth_state: str = args.get("state")
+        user_data: dict[str, Any] | None = None
+        if oauth_state:
+            for user, data in users.items():
+                if user == oauth_state:
+                    user_data = data
+                    break
+        # exchange 'code' for the token
+        if user_data:
+            expiration: int = user_data["login-expiration"] or sys.maxsize
+            if int(datetime.now(tz=TZ_LOCAL).timestamp()) > expiration:
+                errors.append("Operation timeout")
+            else:
+                users.pop(oauth_state)
+                code: str = args.get("code")
+                body_data: dict[str, Any] = {
+                    "grant_type": "authorization_code",
+                    "code": code,
+                    "redirect_uri": registry["redirect-uri"]
+                }
+                now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+                token_data: dict[str, Any] = _post_for_token(iam_server=iam_server,
+                                                             body_data=body_data,
+                                                             errors=errors,
+                                                             logger=logger)
+                # process the token data
+                if token_data:
+                    token: str = token_data.get("access_token")
+                    user_data["access-token"] = token
+                    # keep current refresh token if a new one is not provided
+                    user_data["refresh-token"] = token_data.get("refresh_token") or body_data.get("refresh_token")
+                    user_data["access-expiration"] = now + token_data.get("expires_in")
+                    refresh_exp: int = user_data.get("refresh_expires_in")
+                    user_data["refresh-expiration"] = (now + refresh_exp) if refresh_exp else sys.maxsize
+                    public_key: str = _get_public_key(iam_server=iam_server,
+                                                      errors=errors,
+                                                      logger=logger)
+                    if public_key:
+                        recipient_attr = registry["recipient_attr"]
+                        login_id = user_data.pop("login-id", None)
+                        token_claims: dict[str, dict[str, Any]] = token_validate(token=token,
+                                                                                 issuer=registry["base-url"],
+                                                                                 recipient_id=login_id,
+                                                                                 recipient_attr=recipient_attr,
+                                                                                 public_key=public_key,
+                                                                                 errors=errors,
+                                                                                 logger=logger)
+                        if token_claims:
+                            token_user: str = token_claims["payload"].get(recipient_attr)
+                            result = (token_user, token)
+        else:
+            msg: str = "Unknown state received"
+            if logger:
+                logger.error(msg=msg)
+            if isinstance(errors, list):
+                errors.append(msg)
     return result
-def __get_iam_registry(endpoint: str) -> dict[str, Any]:
+def token_exchange(iam_server: IamServer,
+                   args: dict[str, Any],
+                   errors: list[str] = None,
+                   logger: Logger = None) -> dict[str, Any]:
     """
-    Retrieve the registry associated the the IAM identifies by *endpoint*.
+    Requst *iam_server* to issue a token in exchange for the token obtained from another *IAM* server.
-    :param endpoint: the service enpoint identifying the IAM.
-    :return: the tuple (*logger*, *registry*) associated with *endpoint*
+    :param iam_server: the reference registered *IAM* server
+    :param args: the arguments passed when requesting the service
+    :param errors: incidental errors
+    :param logger: optional logger
+    :return: the data for the new token, or *None* if error
     """
     # initialize the return variable
     result: dict[str, Any] | None = None
-    if endpoint.startswith("jusbr-"):
-        result = IAM_SERVERS[IamServer.IAM_JUSRBR]
-    elif endpoint.startswith("keycloak-"):
-        result = IAM_SERVERS[IamServer.IAM_KEYCLOAK]
+    # obtain the user's identification
+    user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
+    # retrieve the token to be exchanges
+    token: str = args.get("token")
+    if user_id and token:
+        # HAZARD: only 'IAM_KEYCLOAK' supported
+        registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
+                                                     errors=errors,
+                                                     logger=logger)
+        if registry:
+            body_data: dict[str, str] = {
+                "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
+                "subject_token": token,
+                "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
+                "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
+                "audience": registry["client-id"],
+                "subject_issuer": "oidc"
+            }
+            result = _post_for_token(iam_server=IamServer.IAM_KEYCLOAK,
+                                     body_data=body_data,
+                                     errors=errors,
+                                     logger=logger)
+    else:
+        msg: str = "User identification and token must be provided"
+        if logger:
+            logger.error(msg=msg)
+        if isinstance(errors, list):
+            errors.append(msg)
     return result

pypomes-iam 0.3.0__py3-none-any.whl → 0.3.2__py3-none-any.whl

Potentially problematic release.

pypomes-iam 0.3.0py3-none-any.whl → 0.3.2py3-none-any.whl