PyPI - pypomes-iam - Versions diffs - 0.3.5__tar.gz → 0.3.7__tar.gz - Mend

pypomes-iam 0.3.5tar.gz → 0.3.7tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of pypomes-iam might be problematic. Click here for more details.

Files changed (15) hide show

{pypomes_iam-0.3.5 → pypomes_iam-0.3.7}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_iam
-Version: 0.3.5
+Version: 0.3.7
 Summary: A collection of Python pomes, penyeach (IAM modules)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-IAM
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-IAM/issues

{pypomes_iam-0.3.5 → pypomes_iam-0.3.7}/pyproject.toml RENAMED Viewed

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 [project]
 name = "pypomes_iam"
-version = "0.3.5"
+version = "0.3.7"
 authors = [
   { name="GT Nunes", email="wisecoder01@gmail.com" }
 ]

{pypomes_iam-0.3.5 → pypomes_iam-0.3.7}/src/pypomes_iam/iam_common.py RENAMED Viewed

@@ -5,6 +5,7 @@ from enum import StrEnum
 from logging import Logger
 from pypomes_core import TZ_LOCAL, exc_format
 from pypomes_crypto import crypto_jwk_convert
+from threading import Lock
 from typing import Any, Final
@@ -16,7 +17,8 @@ class IamServer(StrEnum):
     IAM_KEYCLOAK = "iam-keycloak"
-# the logger for IAM operations
+# the logger for IAM service operations
+# (used exclusively at the HTTP endpoint - all other functions receive the lgger as parameter)
 __IAM_LOGGER: Logger | None = None
 # registry structure:
@@ -51,11 +53,18 @@ __IAM_LOGGER: Logger | None = None
 # }
 _IAM_SERVERS: Final[dict[IamServer, dict[str, Any]]] = {}
+# the lock protecting the data in '_IAM_SERVER'
+# (because it is 'Final' and set at declaration time, it can be accessed through simple imports)
+_iam_lock: Final[Lock] = Lock()
 def _get_logger() -> Logger | None:
     """
     Retrieve the registered logger for *IAM* operations.
+    This function is invoked exclusively from the HTTP endpoints.
+    All other functions receive the logger as parameter.
     :return: the registered logger for *IAM* operations.
     """
     return __IAM_LOGGER

{pypomes_iam-0.3.5 → pypomes_iam-0.3.7}/src/pypomes_iam/iam_pomes.py RENAMED Viewed

@@ -3,14 +3,13 @@ import requests
 import secrets
 import string
 import sys
-from cachetools import Cache
 from datetime import datetime
 from logging import Logger
 from pypomes_core import TZ_LOCAL, exc_format
 from typing import Any
 from .iam_common import (
-    IamServer,
+    IamServer, _iam_lock,
     _register_logger, _get_iam_users, _get_iam_registry,
     _get_login_timeout, _get_user_data, _get_public_key
 )
@@ -48,30 +47,34 @@ def user_login(iam_server: IamServer,
     # build the user data
     # ('oauth_state' is a randomly-generated string, thus 'user_data' is always a new entry)
     oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
-    user_data: dict[str, Any] = _get_user_data(iam_server=iam_server,
-                                               user_id=oauth_state,
-                                               errors=errors,
-                                               logger=logger)
-    if user_data:
-        user_data["login-id"] = user_id
-        timeout: int = _get_login_timeout(iam_server=iam_server,
-                                          errors=errors,
-                                          logger=logger)
-        if not errors:
-            user_data["login-expiration"] = int(datetime.now(tz=TZ_LOCAL).timestamp()) + timeout if timeout else None
-            redirect_uri: str = args.get("redirect-uri")
-            # build the login url
-            registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
-                                                         errors=errors,
-                                                         logger=logger)
-            if registry:
-                registry["redirect-uri"] = redirect_uri
-                result = {"login-url": (f"{registry["base-url"]}/protocol/openid-connect/auth"
-                                        f"?response_type=code&scope=openid"
-                                        f"&client_id={registry["client-id"]}"
-                                        f"&redirect_uri={redirect_uri}"
-                                        f"&state={oauth_state}")}
+    with _iam_lock:
+        # retrieve the user data from the IAM server's registry
+        user_data: dict[str, Any] = _get_user_data(iam_server=iam_server,
+                                                   user_id=oauth_state,
+                                                   errors=errors,
+                                                   logger=logger)
+        if user_data:
+            user_data["login-id"] = user_id
+            timeout: int = _get_login_timeout(iam_server=iam_server,
+                                              errors=errors,
+                                              logger=logger)
+            if not errors:
+                user_data["login-expiration"] = int(datetime.now(tz=TZ_LOCAL).timestamp()) + timeout \
+                    if timeout else None
+                redirect_uri: str = args.get("redirect-uri")
+                # build the login url
+                registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
+                                                             errors=errors,
+                                                             logger=logger)
+                if registry:
+                    registry["redirect-uri"] = redirect_uri
+                    result = {"login-url": (f"{registry["base-url"]}/protocol/openid-connect/auth"
+                                            f"?response_type=code&scope=openid"
+                                            f"&client_id={registry["client-id"]}"
+                                            f"&redirect_uri={redirect_uri}"
+                                            f"&state={oauth_state}")}
     return result
@@ -94,14 +97,15 @@ def user_logout(iam_server: IamServer,
     user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
     if user_id:
-        # retrieve the IAM server's cache storage
-        users: dict[str, dict[str, Any]] = _get_iam_users(iam_server=iam_server,
-                                                          errors=errors,
-                                                          logger=logger) or {}
-        if user_id in users:
-            users.pop(user_id)
-            if logger:
-                logger.debug(msg=f"User '{user_id}' removed from {iam_server}'s registry")
+        with _iam_lock:
+            # retrieve the data for all users in the IAM server's registry
+            users: dict[str, dict[str, Any]] = _get_iam_users(iam_server=iam_server,
+                                                              errors=errors,
+                                                              logger=logger) or {}
+            if user_id in users:
+                users.pop(user_id)
+                if logger:
+                    logger.debug(msg=f"User '{user_id}' removed from {iam_server}'s registry")
 def user_token(iam_server: IamServer,
@@ -111,7 +115,7 @@ def user_token(iam_server: IamServer,
     """
     Retrieve the authentication token for the user, from *iam_server*.
-    The user is identified by the attribute *user-id*, *user_id*, or "login", provided in *args*.
+    The user is identified by the attribute *user-id*, *user_id*, or *login*, provided in *args*.
     :param iam_server: the reference registered *IAM* server
     :param args: the arguments passed when requesting the service
@@ -127,56 +131,58 @@ def user_token(iam_server: IamServer,
     err_msg: str | None = None
     if user_id:
-        user_data: dict[str, Any] = _get_user_data(iam_server=iam_server,
-                                                   user_id=user_id,
-                                                   errors=errors,
-                                                   logger=logger)
-        token: str = user_data["access-token"] if user_data else None
-        if token:
-            access_expiration: int = user_data.get("access-expiration")
-            now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-            if now < access_expiration:
-                result = token
-            else:
-                # access token has expired
-                refresh_token: str = user_data["refresh-token"]
-                if refresh_token:
-                    refresh_expiration = user_data["refresh-expiration"]
-                    if now < refresh_expiration:
-                        body_data: dict[str, str] = {
-                            "grant_type": "refresh_token",
-                            "refresh_token": refresh_token
-                        }
-                        now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-                        token_data: dict[str, Any] = __post_for_token(iam_server=iam_server,
-                                                                      body_data=body_data,
-                                                                      errors=errors,
-                                                                      logger=logger)
-                        # validate and store the token data
-                        if token_data:
-                            token_info: tuple[str, str] = __validate_and_store(iam_server=iam_server,
-                                                                               user_data=user_data,
-                                                                               token_data=token_data,
-                                                                               now=now,
-                                                                               errors=errors,
-                                                                               logger=logger)
-                            result = token_info[1]
+        with _iam_lock:
+            # retrieve the user data in the IAM server's registry
+            user_data: dict[str, Any] = _get_user_data(iam_server=iam_server,
+                                                       user_id=user_id,
+                                                       errors=errors,
+                                                       logger=logger)
+            token: str = user_data["access-token"] if user_data else None
+            if token:
+                access_expiration: int = user_data.get("access-expiration")
+                now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+                if now < access_expiration:
+                    result = token
+                else:
+                    # access token has expired
+                    refresh_token: str = user_data["refresh-token"]
+                    if refresh_token:
+                        refresh_expiration = user_data["refresh-expiration"]
+                        if now < refresh_expiration:
+                            body_data: dict[str, str] = {
+                                "grant_type": "refresh_token",
+                                "refresh_token": refresh_token
+                            }
+                            now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+                            token_data: dict[str, Any] = __post_for_token(iam_server=iam_server,
+                                                                          body_data=body_data,
+                                                                          errors=errors,
+                                                                          logger=logger)
+                            # validate and store the token data
+                            if token_data:
+                                token_info: tuple[str, str] = __validate_and_store(iam_server=iam_server,
+                                                                                   user_data=user_data,
+                                                                                   token_data=token_data,
+                                                                                   now=now,
+                                                                                   errors=errors,
+                                                                                   logger=logger)
+                                result = token_info[1]
+                            else:
+                                # refresh token is no longer valid
+                                user_data["refresh-token"] = None
                         else:
-                            # refresh token is no longer valid
-                            user_data["refresh-token"] = None
+                            # refresh token has expired
+                            err_msg = "Access and refresh tokens expired"
+                            if logger:
+                                logger.error(msg=err_msg)
                     else:
-                        # refresh token has expired
-                        err_msg = "Access and refresh tokens expired"
+                        err_msg = "Access token expired, no refresh token available"
                         if logger:
                             logger.error(msg=err_msg)
-                else:
-                    err_msg = "Access token expired, no refresh token available"
-                    if logger:
-                        logger.error(msg=err_msg)
-        else:
-            err_msg = f"User '{user_id}' not authenticated"
-            if logger:
-                logger.error(msg=err_msg)
+            else:
+                err_msg = f"User '{user_id}' not authenticated"
+                if logger:
+                    logger.error(msg=err_msg)
     else:
         err_msg = "User identification not provided"
         if logger:
@@ -193,7 +199,11 @@ def login_callback(iam_server: IamServer,
                    errors: list[str] = None,
                    logger: Logger = None) -> tuple[str, str] | None:
     """
-    Entry point for the callback from *iam_server* via the front-end application, on authentication operation.
+    Entry point for the callback from *iam_server* via the front-end application, on authentication operations.
+    The relevant arguments received are:
+        - *state*: used to enhance security during the authorization process, typically to provide *CSRF* protection
+        - *code*: the temporary authorization code, to be exchanged for the token
     :param iam_server: the reference registered *IAM* server
     :param args: the arguments passed when requesting the service
@@ -204,15 +214,13 @@ def login_callback(iam_server: IamServer,
     # initialize the return variable
     result: tuple[str, str] | None = None
-    # retrieve the users authentication data
-    registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
-                                                 errors=errors,
-                                                 logger=logger)
-    cache: Cache = registry["cache"] if registry else None
-    if cache:
-        users: dict[str, dict[str, Any]] = cache.get("users")
-        # validate the OAuth2 state
+    with _iam_lock:
+        # retrieve the IAM server's registry and the data for all users therein
+        registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
+                                                     errors=errors,
+                                                     logger=logger)
+        users: dict[str, dict[str, Any]] = (registry["cache"]["users"] or {}) if registry else {}
+        # retrieve the OAuth2 state
         oauth_state: str = args.get("state")
         user_data: dict[str, Any] | None = None
         if oauth_state:
@@ -221,7 +229,7 @@ def login_callback(iam_server: IamServer,
                     user_data = data
                     break
-        # exchange 'code' for the token
+        # exchange 'code' received for the token
         if user_data:
             expiration: int = user_data["login-expiration"] or sys.maxsize
             if int(datetime.now(tz=TZ_LOCAL).timestamp()) > expiration:
@@ -268,6 +276,15 @@ def token_exchange(iam_server: IamServer,
         - client-id: identification for the reference user (aliases: 'client_id', 'login')
         - token: the token to be exchanged
+    The typical data set returned contains the following attributes:
+        {
+            "token_type": "Bearer",
+            "access_token": <str>,
+            "expires_in": <number-of-seconds>,
+            "refresh_token": <str>,
+            "refesh_expires_in": <number-of-seconds>
+        }
     :param iam_server: the reference registered *IAM* server
     :param args: the arguments passed when requesting the service
     :param errors: incidental errors
@@ -280,40 +297,41 @@ def token_exchange(iam_server: IamServer,
     # obtain the user's identification
     user_id: str = args.get("user-id") or args.get("user_id") or args.get("login")
-    # retrieve the token to be exchanges
+    # obtain the token to be exchanges
     token: str = args.get("token")
     if user_id and token:
         # HAZARD: only 'IAM_KEYCLOAK' is currently supported
-        registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
-                                                     errors=errors,
-                                                     logger=logger)
-        if registry:
-            body_data: dict[str, str] = {
-                "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
-                "subject_token": token,
-                "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
-                "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
-                "audience": registry["client-id"],
-                "subject_issuer": "oidc"
-            }
-            now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-            token_data: dict[str, Any] = __post_for_token(iam_server=IamServer.IAM_KEYCLOAK,
-                                                          body_data=body_data,
-                                                          errors=errors,
-                                                          logger=logger)
-            # validate and store the token data
-            if token_data:
-                user_data: dict[str, Any] = {}
-                result = __validate_and_store(iam_server=iam_server,
-                                              user_data=user_data,
-                                              token_data=token_data,
-                                              now=now,
-                                              errors=errors,
-                                              logger=logger)
+        with _iam_lock:
+            # retrieve the IAM server's registry
+            registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
+                                                         errors=errors,
+                                                         logger=logger)
+            if registry:
+                body_data: dict[str, str] = {
+                    "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
+                    "subject_token": token,
+                    "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
+                    "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
+                    "audience": registry["client-id"],
+                    "subject_issuer": "oidc"
+                }
+                now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
+                token_data: dict[str, Any] = __post_for_token(iam_server=IamServer.IAM_KEYCLOAK,
+                                                              body_data=body_data,
+                                                              errors=errors,
+                                                              logger=logger)
+                # validate and store the token data
+                if token_data:
+                    user_data: dict[str, Any] = {}
+                    result = __validate_and_store(iam_server=iam_server,
+                                                  user_data=user_data,
+                                                  token_data=token_data,
+                                                  now=now,
+                                                  errors=errors,
+                                                  logger=logger)
     else:
-        msg: str = "User identification and token must be provided"
+        msg: str = "User identification or token not provided"
         if logger:
             logger.error(msg=msg)
         if isinstance(errors, list):
@@ -353,7 +371,7 @@ def __post_for_token(iam_server: IamServer,
     If the operation is successful, the token data is stored in the *IAM* server's registry, and returned.
     Otherwise, *errors* will contain the appropriate error message.
-    The typical data returned contains the following attributes:
+    The typical data set returned contains the following attributes:
         {
             "token_type": "Bearer",
             "access_token": <str>,
@@ -371,52 +389,53 @@ def __post_for_token(iam_server: IamServer,
     # initialize the return variable
     result: dict[str, Any] | None = None
-    # PBTAIN THE iam SERVER'S REGISTRY
-    registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
-                                                 errors=errors,
-                                                 logger=logger)
     err_msg: str | None = None
-    if registry:
-        # complete the data to send in body of request
-        body_data["client_id"] = registry["client-id"]
-        client_secret: str = registry["client-secret"]
-        if client_secret:
-            body_data["client_secret"] = client_secret
-        # obtain the token
-        url: str = registry["base-url"] + "/protocol/openid-connect/token"
-        if logger:
-            logger.debug(msg=f"POST '{url}', data {json.dumps(obj=body_data,
-                                                              ensure_ascii=False)}")
-        try:
-            # typical return on a token request:
-            # {
-            #   "token_type": "Bearer",
-            #   "access_token": <str>,
-            #   "expires_in": <number-of-seconds>,
-            #   "refresh_token": <str>,
-            #   "refesh_expires_in": <number-of-seconds>
-            # }
-            response: requests.Response = requests.post(url=url,
-                                                        data=body_data)
-            if response.status_code == 200:
-                # request succeeded
-                if logger:
-                    logger.debug(msg=f"POST success, status {response.status_code}")
-                result = response.json()
-            else:
-                # request resulted in error
-                err_msg = f"POST failure, status {response.status_code}, reason '{response.reason}'"
-                if hasattr(response, "content") and response.content:
-                    err_msg += f", content '{response.content}'"
+    with _iam_lock:
+        # retrieve the IAM server's registry
+        registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
+                                                     errors=errors,
+                                                     logger=logger)
+        if registry:
+            # complete the data to send in body of request
+            body_data["client_id"] = registry["client-id"]
+            client_secret: str = registry["client-secret"]
+            if client_secret:
+                body_data["client_secret"] = client_secret
+            # obtain the token
+            url: str = registry["base-url"] + "/protocol/openid-connect/token"
+            if logger:
+                logger.debug(msg=f"POST '{url}', data {json.dumps(obj=body_data,
+                                                                  ensure_ascii=False)}")
+            try:
+                # typical return on a token request:
+                # {
+                #   "token_type": "Bearer",
+                #   "access_token": <str>,
+                #   "expires_in": <number-of-seconds>,
+                #   "refresh_token": <str>,
+                #   "refesh_expires_in": <number-of-seconds>
+                # }
+                response: requests.Response = requests.post(url=url,
+                                                            data=body_data)
+                if response.status_code == 200:
+                    # request succeeded
+                    if logger:
+                        logger.debug(msg=f"POST success, status {response.status_code}")
+                    result = response.json()
+                else:
+                    # request resulted in error
+                    err_msg = f"POST failure, status {response.status_code}, reason '{response.reason}'"
+                    if hasattr(response, "content") and response.content:
+                        err_msg += f", content '{response.content}'"
+                    if logger:
+                        logger.error(msg=err_msg)
+            except Exception as e:
+                # the operation raised an exception
+                err_msg = exc_format(exc=e,
+                                     exc_info=sys.exc_info())
                 if logger:
                     logger.error(msg=err_msg)
-        except Exception as e:
-            # the operation raised an exception
-            err_msg = exc_format(exc=e,
-                                 exc_info=sys.exc_info())
-            if logger:
-                logger.error(msg=err_msg)
     if err_msg and isinstance(errors, list):
         errors.append(err_msg)
@@ -452,38 +471,39 @@ def __validate_and_store(iam_server: IamServer,
     # initialize the return variable
     result: tuple[str, str] | None = None
-    # retrieve the IAM server's registry
-    registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
-                                                 errors=errors,
-                                                 logger=logger)
-    if registry:
-        token: str = token_data.get("access_token")
-        user_data["access-token"] = token
-        # keep current refresh token if a new one is not provided
-        if token_data.get("refresh_token"):
-            user_data["refresh-token"] = token_data.get("refresh_token")
-        user_data["access-expiration"] = now + token_data.get("expires_in")
-        refresh_exp: int = user_data.get("refresh_expires_in")
-        user_data["refresh-expiration"] = (now + refresh_exp) if refresh_exp else sys.maxsize
-        public_key: str = _get_public_key(iam_server=iam_server,
-                                          errors=errors,
-                                          logger=logger)
-        if public_key:
-            recipient_attr = registry["recipient_attr"]
-            login_id = user_data.pop("login-id", None)
-            claims: dict[str, dict[str, Any]] = token_validate(token=token,
-                                                               issuer=registry["base-url"],
-                                                               recipient_id=login_id,
-                                                               recipient_attr=recipient_attr,
-                                                               public_key=public_key,
-                                                               errors=errors,
-                                                               logger=logger)
-            if claims:
-                users: dict[str, dict[str, Any]] = _get_iam_users(iam_server=iam_server,
-                                                                  errors=errors,
-                                                                  logger=logger)
-                if users:
-                    user_id: str = login_id if login_id else claims["payload"][recipient_attr]
-                    users[user_id] = user_data
-                    result = (user_id, token)
+    with _iam_lock:
+        # retrieve the IAM server's registry
+        registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
+                                                     errors=errors,
+                                                     logger=logger)
+        if registry:
+            token: str = token_data.get("access_token")
+            user_data["access-token"] = token
+            # keep current refresh token if a new one is not provided
+            if token_data.get("refresh_token"):
+                user_data["refresh-token"] = token_data.get("refresh_token")
+            user_data["access-expiration"] = now + token_data.get("expires_in")
+            refresh_exp: int = user_data.get("refresh_expires_in")
+            user_data["refresh-expiration"] = (now + refresh_exp) if refresh_exp else sys.maxsize
+            public_key: str = _get_public_key(iam_server=iam_server,
+                                              errors=errors,
+                                              logger=logger)
+            if public_key:
+                recipient_attr = registry["recipient_attr"]
+                login_id = user_data.pop("login-id", None)
+                claims: dict[str, dict[str, Any]] = token_validate(token=token,
+                                                                   issuer=registry["base-url"],
+                                                                   recipient_id=login_id,
+                                                                   recipient_attr=recipient_attr,
+                                                                   public_key=public_key,
+                                                                   errors=errors,
+                                                                   logger=logger)
+                if claims:
+                    users: dict[str, dict[str, Any]] = _get_iam_users(iam_server=iam_server,
+                                                                      errors=errors,
+                                                                      logger=logger)
+                    if users:
+                        user_id: str = login_id if login_id else claims["payload"][recipient_attr]
+                        users[user_id] = user_data
+                        result = (user_id, token)
     return result

pypomes-iam 0.3.5__tar.gz → 0.3.7__tar.gz

Potentially problematic release.

pypomes-iam 0.3.5tar.gz → 0.3.7tar.gz