PyPI - pypomes-iam - Versions diffs - 0.5.6__py3-none-any.whl → 0.5.8__py3-none-any.whl - Mend

pypomes-iam 0.5.6py3-none-any.whl → 0.5.8py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

pypomes_iam/__init__.py +6 -16
pypomes_iam/iam_actions.py +357 -47
pypomes_iam/iam_common.py +213 -52
pypomes_iam/iam_pomes.py +111 -63
pypomes_iam/iam_services.py +90 -5
pypomes_iam/provider_pomes.py +46 -26
pypomes_iam/token_pomes.py +0 -2
{pypomes_iam-0.5.6.dist-info → pypomes_iam-0.5.8.dist-info}/METADATA +1 -1
pypomes_iam-0.5.8.dist-info/RECORD +11 -0
pypomes_iam/jusbr_pomes.py +0 -125
pypomes_iam/keycloak_pomes.py +0 -136
pypomes_iam-0.5.6.dist-info/RECORD +0 -13
{pypomes_iam-0.5.6.dist-info → pypomes_iam-0.5.8.dist-info}/WHEEL +0 -0
{pypomes_iam-0.5.6.dist-info → pypomes_iam-0.5.8.dist-info}/licenses/LICENSE +0 -0

pypomes_iam/iam_common.py CHANGED Viewed

@@ -1,9 +1,12 @@
 import requests
 import sys
 from datetime import datetime
-from enum import StrEnum
+from enum import StrEnum, auto
 from logging import Logger
-from pypomes_core import TZ_LOCAL, exc_format
+from pypomes_core import (
+    APP_PREFIX, TZ_LOCAL,
+    env_get_int, env_get_str, env_get_enum, env_get_enums, exc_format
+)
 from pypomes_crypto import crypto_jwk_convert
 from threading import RLock
 from typing import Any, Final
@@ -13,8 +16,120 @@ class IamServer(StrEnum):
     """
     Supported IAM servers.
     """
-    IAM_JUSRBR = "iam-jusbr",
-    IAM_KEYCLOAK = "iam-keycloak"
+    JUSRBR = auto()
+    KEYCLOAK = auto()
+class IamParam(StrEnum):
+    """
+    Parameters for configuring *IAM* servers.
+    """
+    ADMIN_ID = "admin-id"
+    ADMIN_SECRET = "admin-secret"
+    CLIENT_ID = "client-id"
+    CLIENT_REALM = "client-realm"
+    CLIENT_SECRET = "client-secret"
+    ENDPOINT_CALLBACK = "endpoint-callback"
+    ENDPOINT_LOGIN = "endpoint-login"
+    ENDPOINT_LOGOUT = "endpoint_logout"
+    ENDPOINT_TOKEN = "endpoint-token"
+    ENDPOINT_EXCHANGE = "endpoint-exchange"
+    LOGIN_TIMEOUT = "login-timeout"
+    PK_EXPIRATION = "pk-expiration"
+    PK_LIFETIME = "pk-lifetime"
+    PUBLIC_KEY = "public-key"
+    RECIPIENT_ATTR = "recipient-attr"
+    URL_BASE = "url-base"
+    USERS = "users"
+class UserParam(StrEnum):
+    """
+    Parameters for handling *IAM* users.
+    """
+    ACCESS_TOKEN = "access-token"
+    REFRESH_TOKEN = "refresh-token"
+    ACCESS_EXPIRATION = "access-expiration"
+    REFRESH_EXPIRATION = "refresh-expiration"
+    # transient attributes
+    LOGIN_EXPIRATION = "login-expiration"
+    LOGIN_ID = "login-id"
+    REDIRECT_URI = "redirect-uri"
+def __get_iam_data() -> dict[IamServer, dict[IamParam, Any]]:
+    """
+    Establish the configuration data for select *IAM* servers, from environment variables.
+    The preferred way to specify configuration parameters is dynamically with *iam_setup()*;.
+    Specifying configuration parameters with environment variables can be done in two ways:
+    1. for a single *IAM* server, specify the data set
+          - *<APP_PREFIX>_IAM_SERVER*               (required, one of *jusbr*, *keycloak*)
+          - *<APP_PREFIX>_IAM_ADMIN_ID*             (optional, needed only if administrative duties are performed)
+          - *<APP_PREFIX>_IAM_ADMIN_PWD*            (optional, needed only if administrative duties are performed)
+          - *<APP_PREFIX>_IAM_CLIENT_ID*            (required)
+          - *<APP_PREFIX>_IAM_CLIENT_REALM*         (required)
+          - *<APP_PREFIX>_IAM_CLIENT_SECRET*        (required)
+          - *<APP_PREFIX>_IAM_ENDPOINT_CALLBACK*    (optional)
+          - *<APP_PREFIX>_IAM_ENDPOINT_LOGIN*       (optional)
+          - *<APP_PREFIX>_IAM_ENDPOINT_LOGOUT*      (optional)
+          - *<APP_PREFIX>_IAM_ENDPOINT_TOKEN*       (optional)
+          - *<APP_PREFIX>_IAM_ENDPOINT_EXCHANGE*    (optional)
+          - *<APP_PREFIX>_IAM_LOGIN_TIMEOUT*        (optional, defaults to no timeout)
+          - *<APP_PREFIX>_IAM_PK_LIFETIME*          (optional, defaults to non-terminating lifetime)
+          - *<APP_PREFIX>_IAM_RECIPIENT_ATTR*       (required)
+          - *<APP_PREFIX>_IAM_URL_BASE*             (required)
+    2. the parameters *PUBLIC_KEY*, *PK_EXPIRATION*, and *USERS* cannot be assigned values,
+       as they are reserved for internal use
+    3. for multiple *IAM* servers, specify a comma-separated list of servers in
+       *<APP_PREFIX>_IAM_SERVERS*, and for each server, specify the data set above,
+       respectively replacing *_IAM_* with *_JUSBR_* or *_KEYCLOAK_*, for the servers listed above
+    :return: the configuration data for the selected *IAM* servers
+    """
+    # initialize the return valiable
+    result: dict[IamServer, dict[IamParam, Any]] = {}
+    servers: list[IamServer] = []
+    single_server: IamServer = env_get_enum(key=f"{APP_PREFIX}_IAM_SERVER",
+                                            enum_class=IamServer)
+    if single_server:
+        default_setup: bool = True
+        servers.append(single_server)
+    else:
+        default_setup: bool = False
+        multi_servers: list[IamServer] = env_get_enums(key=f"{APP_PREFIX}_IAM_SERVERS",
+                                                       enum_class=IamServer)
+        if multi_servers:
+            servers.extend(multi_servers)
+    for server in servers:
+        if default_setup:
+            prefix: str = "IAM"
+            default_setup = False
+        else:
+            prefix: str = server
+        result[server] = {
+            IamParam.ADMIN_ID: env_get_str(key=f"{APP_PREFIX}_{prefix}_ADMIN_ID"),
+            IamParam.ADMIN_SECRET: env_get_str(key=f"{APP_PREFIX}_{prefix}_ADMIN_PWD"),
+            IamParam.CLIENT_ID: env_get_str(key=f"{APP_PREFIX}_{prefix}_CLIENT_ID"),
+            IamParam.CLIENT_REALM: env_get_str(key=f"{APP_PREFIX}_{prefix}_CLIENT_REALM"),
+            IamParam.CLIENT_SECRET: env_get_str(key=f"{APP_PREFIX}_{prefix}_CLIENT_SECRET"),
+            IamParam.LOGIN_TIMEOUT: env_get_int(key=f"{APP_PREFIX}_{prefix}_CLIENT_TIMEOUT"),
+            IamParam.ENDPOINT_CALLBACK: env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_CALLBACK"),
+            IamParam.ENDPOINT_LOGIN: env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_LOGIN"),
+            IamParam.ENDPOINT_LOGOUT: env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_LOGOUT"),
+            IamParam.ENDPOINT_TOKEN: env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_TOKEN"),
+            IamParam.ENDPOINT_EXCHANGE: env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_EXCHANGE"),
+            IamParam.PK_LIFETIME: env_get_str(key=f"{APP_PREFIX}_{prefix}_PK_LIFETIME"),
+            IamParam.RECIPIENT_ATTR: env_get_str(key=f"{APP_PREFIX}_{prefix}_RECIPIENT_ATTR"),
+            IamParam.URL_BASE: env_get_str(key=f"{APP_PREFIX}_{prefix}_URL_BASE")
+        }
+    return result
 # registry structure:
@@ -23,32 +138,32 @@ class IamServer(StrEnum):
 #       "base-url": <str>,
 #       "client-id": <str>,
 #       "client-secret": <str>,
+#       "client-realm": <str,
 #       "client-timeout": <int>,
 #       "recipient-attr": <str>,
 #       "public-key": <str>,
 #       "pk-lifetime": <int>,
 #       "pk-expiration": <int>,
-#       "cache": <FIFOCache>
+#       "users": {}
 #    },
 #    ...
 # }
-# data in "cache":
+# data in "users":
 # {
-#    "users": {
-#       "<user-id>": {
-#          "access-token": <str>
-#          "refresh-token": <str>
-#          "access-expiration": <timestamp>,
-#          "refresh-expiration": <timestamp>,
-#          # transient attributes:
-#          "login-expiration": <timestamp>,
-#          "login-id": <str>,
-#          "redirect-uri": <str>
-#       }
-#    },
+#   "<user-id>": {
+#      "access-token": <str>
+#      "refresh-token": <str>
+#      "access-expiration": <timestamp>,
+#      "refresh-expiration": <timestamp>,
+#      # transient attributes
+#      "login-expiration": <timestamp>,
+#      "login-id": <str>,
+#      "redirect-uri": <str>
+#   },
 #   ...
 # }
-_IAM_SERVERS: Final[dict[IamServer, dict[str, Any]]] = {}
+_IAM_SERVERS: Final[dict[IamServer, dict[IamParam, Any]]] = __get_iam_data()
 # the lock protecting the data in '_IAM_SERVERS'
 # (because it is 'Final' and set at declaration time, it can be accessed through simple imports)
@@ -66,15 +181,15 @@ def _iam_server_from_endpoint(endpoint: str,
     :param logger: optional logger
     :return: the corresponding *IAM* server, or *None* if one could not be obtained
     """
-    # declare the return variable
-    result: IamServer | None
+    # initialize the return variable
+    result: IamServer | None = None
-    if endpoint.startswith("jusbr"):
-        result = IamServer.IAM_JUSRBR
-    elif endpoint.startswith("keycloak"):
-        result = IamServer.IAM_KEYCLOAK
-    else:
-        result = None
+    for iam_server in _IAM_SERVERS:
+        if endpoint.startswith(iam_server):
+            result = IamServer.JUSRBR
+            break
+    if not result:
         msg: str = f"Unable to find a IAM server to service endpoint '{endpoint}'"
         if logger:
             logger.error(msg=msg)
@@ -98,8 +213,9 @@ def _iam_server_from_issuer(issuer: str,
     # initialize the return variable
     result: IamServer | None = None
-    for iam_server, server_data in _IAM_SERVERS.items():
-        if server_data["base-url"] == issuer:
+    for iam_server, registry in _IAM_SERVERS.items():
+        base_url: str = f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+        if base_url == issuer:
             result = IamServer(iam_server)
             break
@@ -119,12 +235,39 @@ def _get_public_key(iam_server: IamServer,
     """
     Obtain the public key used by *iam_server* to sign the authentication tokens.
-    The public key is saved in *iam_server*'s registry.
+    This is accomplished by requesting the token issuer for its *JWKS* (JSON Web Key Set),
+    containing the public keys used for various purposes, as indicated in the attribute *use*:
+        - *enc*: the key is intended for encryption
+        - *sig*: the key is intended for digital signature
+        - *wrap*: the key is intended for key wrapping
+    A typical JWKS set has the following format (for simplicity, 'n' and 'x5c' are truncated):
+        {
+            "keys": [
+                {
+                    "kid": "X2QEcSQ4Tg2M2EK6s2nhRHZH_GwD_zxZtiWVwP4S0tg",
+                    "kty": "RSA",
+                    "alg": "RSA256",
+                    "use": "sig",
+                    "n": "tQmDmyM3tMFt5FMVMbqbQYpaDPf6A5l4e_kTVDBiHrK_bRlGfkk8hYm5SNzNzCZ...",
+                    "e": "AQAB",
+                    "x5c": [
+                        "MIIClzCCAX8CBgGZY0bqrTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARpanVk..."
+                    ],
+                    "x5t": "MHfVp4kBjEZuYOtiaaGsfLCL15Q",
+                    "x5t#S256": "QADezSLgD8emuonBz8hn8ghTnxo7AHX4NVNkr4luEhk"
+                },
+                ...
+            ]
+        }
+    Once the signature key is obtained, it is converted from its original *JWK* (JSON Web Key) format
+    to *PEM* (Privacy-Enhanced Mail) format. The public key is saved in *iam_server*'s registry.
     :param iam_server: the reference registered *IAM* server
     :param errors: incidental error messages
     :param logger: optional logger
-    :return: the public key in *PEM* format, or *None* if the server is unknown
+    :return: the public key in *PEM* format, or *None* if error
     """
     # initialize the return variable
     result: str | None = None
@@ -134,10 +277,12 @@ def _get_public_key(iam_server: IamServer,
                                                  logger=logger)
     if registry:
         now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-        if now > registry["pk-expiration"]:
-            # obtain a new public key
-            url: str = f"{registry["base-url"]}/protocol/openid-connect/certs"
+        if now > registry[IamParam.PK_EXPIRATION]:
+            # obtain the JWKS (JSON Web Key Set) from the token issuer
+            base_url: str = f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+            url: str = f"{base_url}/protocol/openid-connect/certs"
             if logger:
+                logger.debug(msg=f"Obtaining signature public key used by IAM server '{iam_server}'")
                 logger.debug(msg=f"GET {url}")
             try:
                 response: requests.Response = requests.get(url=url)
@@ -145,12 +290,28 @@ def _get_public_key(iam_server: IamServer,
                     # request succeeded
                     if logger:
                         logger.debug(msg=f"GET success, status {response.status_code}")
-                    reply: dict[str, Any] = response.json()
-                    result = crypto_jwk_convert(jwk=reply["keys"][0],
-                                                fmt="PEM")
-                    registry["public-key"] = result
-                    lifetime: int = registry["pk-lifetime"] or 0
-                    registry["pk-expiration"] = now + lifetime
+                    # select the appropriate JWK
+                    reply: dict[str, list[dict[str, str]]] = response.json()
+                    jwk: dict[str, str] | None = None
+                    for key in reply["keys"]:
+                        if key.get("use") == "sig":
+                            jwk = key
+                            break
+                    if jwk:
+                        # convert from 'JWK' to 'PEM' and save it for further use
+                        result = crypto_jwk_convert(jwk=jwk,
+                                                    fmt="PEM")
+                        registry[IamParam.PUBLIC_KEY] = result
+                        lifetime: int = registry[IamParam.PK_LIFETIME] or 0
+                        registry[IamParam.PK_EXPIRATION] = now + lifetime if lifetime else sys.maxsize
+                        if logger:
+                            logger.debug("Public key obtained and saved")
+                    else:
+                        msg = "Signature public key missing from the token issuer's JWKS"
+                        if logger:
+                            logger.error(msg=msg)
+                        if isinstance(errors, list):
+                            errors.append(msg)
                 elif logger:
                     msg: str = f"GET failure, status {response.status_code}, reason {response.reason}"
                     if hasattr(response, "content") and response.content:
@@ -167,7 +328,7 @@ def _get_public_key(iam_server: IamServer,
                 if isinstance(errors, list):
                     errors.append(msg)
         else:
-            result = registry["public-key"]
+            result = registry[IamParam.PUBLIC_KEY]
     return result
@@ -222,10 +383,10 @@ def _get_user_data(iam_server: IamServer,
         result = users.get(user_id)
         if not result:
             result = {
-                "access-token": None,
-                "refresh-token": None,
-                "access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
-                "refresh-expiration": sys.maxsize
+                UserParam.ACCESS_TOKEN: None,
+                UserParam.REFRESH_TOKEN: None,
+                UserParam.ACCESS_EXPIRATION: int(datetime.now(tz=TZ_LOCAL).timestamp()),
+                UserParam.REFRESH_EXPIRATION: sys.maxsize
             }
             users[user_id] = result
             if logger:
@@ -251,10 +412,10 @@ def _get_iam_registry(iam_server: IamServer,
     result: dict[str, Any] | None
     match iam_server:
-        case IamServer.IAM_JUSRBR:
-            result = _IAM_SERVERS[IamServer.IAM_JUSRBR]
-        case IamServer.IAM_KEYCLOAK:
-            result = _IAM_SERVERS[IamServer.IAM_KEYCLOAK]
+        case IamServer.JUSRBR:
+            result = _IAM_SERVERS[IamServer.JUSRBR]
+        case IamServer.KEYCLOAK:
+            result = _IAM_SERVERS[IamServer.KEYCLOAK]
         case _:
             result = None
             msg = f"Unknown IAM server '{iam_server}'"
@@ -270,14 +431,14 @@ def _get_iam_users(iam_server: IamServer,
                    errors: list[str] | None,
                    logger: Logger | None) -> dict[str, dict[str, Any]]:
     """
-    Retrieve the cache storage in *iam_server*'s registry.
+    Retrieve the users data storage in *iam_server*'s registry.
     :param iam_server: the reference registered *IAM* server
     :param errors: incidental error messages
     :param logger: optional logger
-    :return: the cache storage in *iam_server*'s registry, or *None* if the server is unknown
+    :return: the users data storage in *iam_server*'s registry, or *None* if the server is unknown
     """
     registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
                                                  errors=errors,
                                                  logger=logger)
-    return registry["cache"]["users"] if registry else None
+    return registry[IamParam.USERS] if registry else None

pypomes_iam/iam_pomes.py CHANGED Viewed

@@ -1,82 +1,130 @@
-from flask import Request, Response, request
+from flask import Flask
+from logging import Logger
 from typing import Any
 from .iam_common import (
-    IamServer, _iam_lock, _get_iam_registry,
-    _iam_server_from_issuer  # _get_public_key
+    _IAM_SERVERS, IamServer, IamParam, _iam_lock
+)
+from .iam_actions import action_token
+from .iam_services import (
+    service_login, service_logout, service_callback, service_exchange, service_token
 )
-from .token_pomes import token_get_claims, token_validate
-def jwt_required(func: callable) -> callable:
-    """
-    Create a decorator to authenticate service endpoints with JWT tokens.
-    :param func: the function being decorated
+def iam_setup(flask_app: Flask,
+              iam_server: IamServer,
+              base_url: str,
+              client_id: str,
+              client_realm: str,
+              recipient_attribute: str,
+              client_secret: str = None,
+              login_timeout: int = None,
+              admin_id: str = None,
+              admin_secret: str = None,
+              public_key_lifetime: int = None,
+              callback_endpoint: str = None,
+              login_endpoint: str = None,
+              logout_endpoint: str = None,
+              token_endpoint: str = None,
+              exchange_endpoint: str = None) -> None:
     """
-    # ruff: noqa: ANN003 - Missing type annotation for *{name}
-    def wrapper(*args, **kwargs) -> Response:
-        response: Response = __request_validate(request=request)
-        return response if response else func(*args, **kwargs)
-    # prevent a rogue error ("View function mapping is overwriting an existing endpoint function")
-    wrapper.__name__ = func.__name__
+    Establish the provided parameters for configuring the *IAM* server *iam_server*.
-    return wrapper
+    The parameters *admin_id* and *admin_* are required only if administrative are task are planned.
+    The optional parameter *client_timeout* refers to the maximum time in seconds allowed for the
+    user to login at the *IAM* server's login page, and defaults to no time limit.
+    The parameter *client_secret* is required in most requests to the *IAM* server. In the case
+    it is not provided, but *admin_id* and *admin_secret* are, it is obtained from the *IAM* server itself
+    the first time it is needed.
-def __request_validate(request: Request) -> Response:
+    :param flask_app: the Flask application
+    :param iam_server: identifies the supported *IAM* server (*jusbr* or *keycloak*)
+    :param base_url: base URL to request services
+    :param client_id: the client's identification with the *IAM* server
+    :param client_realm: the client realm
+    :param recipient_attribute: attribute in the token's payload holding the token's subject
+    :param client_secret: the client's password with the *IAM* server
+    :param login_timeout: timeout for login authentication (in seconds,defaults to no timeout)
+    :param admin_id: identifies the realm administrator
+    :param admin_secret: password for the realm administrator
+    :param public_key_lifetime: how long to use *IAM* server's public key, before refreshing it (in seconds)
+    :param callback_endpoint: endpoint for the callback from the front end
+    :param login_endpoint: endpoint for redirecting user to the *IAM* server's login page
+    :param logout_endpoint: endpoint for terminating user access
+    :param token_endpoint: endpoint for retrieving authentication token
+    :param exchange_endpoint: endpoint for requesting token exchange
     """
-    Verify whether the HTTP *request* has the proper authorization, as per the JWT standard.
-    This implementation assumes that HTTP requests are handled with the *Flask* framework.
+    # configure the Keycloak registry
+    with _iam_lock:
+        _IAM_SERVERS[iam_server] = {
+            IamParam.URL_BASE: base_url,
+            IamParam.CLIENT_ID: client_id,
+            IamParam.CLIENT_REALM: client_realm,
+            IamParam.CLIENT_SECRET: client_secret,
+            IamParam.LOGIN_TIMEOUT: login_timeout,
+            IamParam.RECIPIENT_ATTR: recipient_attribute,
+            IamParam.PK_EXPIRATION: 0,
+            IamParam.PUBLIC_KEY: None,
+            IamParam.USERS: {}
+        }
+        if admin_id and admin_secret:
+            IamParam.ADMIN_ID = admin_id
+            IamParam.ADMIN_SECRET = admin_secret
-    :param request: the *request* to be verified
-    :return: *None* if the *request* is valid, otherwise a *Response* reporting the error
-    """
-    # initialize the return variable
-    result: Response | None = None
+        if public_key_lifetime:
+            IamParam.PK_LIFETIME = public_key_lifetime
-    # retrieve the authorization from the request header
-    auth_header: str = request.headers.get("Authorization")
+    # establish the endpoints
+    if callback_endpoint:
+        flask_app.add_url_rule(rule=callback_endpoint,
+                               endpoint=f"{iam_server}-callback",
+                               view_func=service_callback,
+                               methods=["GET"])
+    if login_endpoint:
+        flask_app.add_url_rule(rule=login_endpoint,
+                               endpoint=f"{iam_server}-login",
+                               view_func=service_login,
+                               methods=["GET"])
+    if logout_endpoint:
+        flask_app.add_url_rule(rule=logout_endpoint,
+                               endpoint=f"{iam_server}-logout",
+                               view_func=service_logout,
+                               methods=["GET"])
+    if token_endpoint:
+        flask_app.add_url_rule(rule=token_endpoint,
+                               endpoint=f"{iam_server}-token",
+                               view_func=service_token,
+                               methods=["GET"])
+    if exchange_endpoint:
+        flask_app.add_url_rule(rule=exchange_endpoint,
+                               endpoint=f"{iam_server}-exchange",
+                               view_func=service_exchange,
+                               methods=["POST"])
-    # validate the authorization token
-    bad_token: bool = True
-    if auth_header and auth_header.startswith("Bearer "):
-        # extract and validate the JWT access token
-        token: str = auth_header.split(" ")[1]
-        claims: dict[str, Any] = token_get_claims(token=token)
-        if claims:
-            issuer: str = claims["payload"].get("iss")
-            recipient_attr: str | None = None
-            recipient_id: str = request.values.get("user-id") or request.values.get("login")
-            with _iam_lock:
-                iam_server: IamServer = _iam_server_from_issuer(issuer=issuer,
-                                                                errors=None,
-                                                                logger=None)
-                # public_key: str = _get_public_key(iam_server=iam_server,
-                #                                   errors=errors,
-                #                                   logger=logger)
-                public_key = None
-                # validate the token's recipient only if a user identification is provided
-                if recipient_id:
-                    registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
-                                                                 errors=None,
-                                                                 logger=None)
-                    recipient_attr = registry["recipient-attr"]
+def iam_get_token(iam_server: IamServer,
+                  user_id: str,
+                  errors: list[str] = None,
+                  logger: Logger = None) -> str:
+    """
+    Retrieve an authentication token for *user_id*.
-            # validate the token
-            if token_validate(token=token,
-                              issuer=issuer,
-                              recipient_id=recipient_id,
-                              recipient_attr=recipient_attr,
-                              public_key=public_key):
-                # token is valid
-                bad_token = False
+    :param iam_server: identifies the *IAM* server
+    :param user_id: identifies the user
+    :param errors: incidental errors
+    :param logger: optional logger
+    :return: the uthentication tokem
+    """
+    # declare the return variable
+    result: str
-    # deny the authorization
-    if bad_token:
-        result = Response(response="Authorization failed",
-                          status=401)
+    # retrieve the token
+    args: dict[str, Any] = {"user-id": user_id}
+    with _iam_lock:
+        result = action_token(iam_server=iam_server,
+                              args=args,
+                              errors=errors,
+                              logger=logger)
     return result

pypomes-iam 0.5.6__py3-none-any.whl → 0.5.8__py3-none-any.whl

pypomes-iam 0.5.6py3-none-any.whl → 0.5.8py3-none-any.whl