pypomes-iam 0.5.6__tar.gz → 0.5.7__tar.gz

{pypomes_iam-0.5.6 → pypomes_iam-0.5.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_iam
-Version: 0.5.6
+Version: 0.5.7
 Summary: A collection of Python pomes, penyeach (IAM modules)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-IAM
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-IAM/issues

{pypomes_iam-0.5.6 → pypomes_iam-0.5.7}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "pypomes_iam"
-version = "0.5.6"
+version = "0.5.7"
 authors = [
   { name="GT Nunes", email="wisecoder01@gmail.com" }
 ]

{pypomes_iam-0.5.6 → pypomes_iam-0.5.7}/src/pypomes_iam/__init__.py

@@ -5,11 +5,8 @@ from .iam_actions import (
 from .iam_common import (
     IamServer
 )
-from .iam_pomes import (
-    jwt_required
-)
 from .iam_services import (
-     logger_register
+     jwt_required, logger_register
 )
 from .jusbr_pomes import (
     jusbr_setup, jusbr_get_token
@@ -30,10 +27,8 @@ __all__ = [
     "action_login", "action_logout", "action_token",
     # iam_commons
     "IamServer",
-    # iam_pomes
-    "jwt_required",
     # iam_services
-    "logger_register",
+    "jwt_required", "logger_register",
     # jusbr_pomes
     "jusbr_setup", "jusbr_get_token",
     # keycloak_pomes

{pypomes_iam-0.5.6 → pypomes_iam-0.5.7}/src/pypomes_iam/iam_common.py

@@ -119,12 +119,39 @@ def _get_public_key(iam_server: IamServer,
     """
     Obtain the public key used by *iam_server* to sign the authentication tokens.
 
-    The public key is saved in *iam_server*'s registry.
+    This is accomplished by requesting the token issuer for its *JWKS* (JSON Web Key Set),
+    containing the public keys used for various purposes, as indicated in the attribute *use*:
+        - *enc*: the key is intended for encryption
+        - *sig*: the key is intended for digital signature
+        - *wrap*: the key is intended for key wrapping
+
+    A typical JWKS set has the following format (for simplicity, 'n' and 'x5c' are truncated):
+        {
+            "keys": [
+                {
+                    "kid": "X2QEcSQ4Tg2M2EK6s2nhRHZH_GwD_zxZtiWVwP4S0tg",
+                    "kty": "RSA",
+                    "alg": "RSA256",
+                    "use": "sig",
+                    "n": "tQmDmyM3tMFt5FMVMbqbQYpaDPf6A5l4e_kTVDBiHrK_bRlGfkk8hYm5SNzNzCZ...",
+                    "e": "AQAB",
+                    "x5c": [
+                        "MIIClzCCAX8CBgGZY0bqrTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARpanVk..."
+                    ],
+                    "x5t": "MHfVp4kBjEZuYOtiaaGsfLCL15Q",
+                    "x5t#S256": "QADezSLgD8emuonBz8hn8ghTnxo7AHX4NVNkr4luEhk"
+                },
+                ...
+            ]
+        }
+
+    Once the signature key is obtained, it is converted from its original *JWK* (JSON Web Key) format
+    to *PEM* (Privacy-Enhanced Mail) format. The public key is saved in *iam_server*'s registry.
 
     :param iam_server: the reference registered *IAM* server
     :param errors: incidental error messages
     :param logger: optional logger
-    :return: the public key in *PEM* format, or *None* if the server is unknown
+    :return: the public key in *PEM* format, or *None* if error
     """
     # initialize the return variable
     result: str | None = None
@@ -135,9 +162,10 @@ def _get_public_key(iam_server: IamServer,
     if registry:
         now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
         if now > registry["pk-expiration"]:
-            # obtain a new public key
+            # obtain the JWKS (JSON Web Key Set) from the token issuer
             url: str = f"{registry["base-url"]}/protocol/openid-connect/certs"
             if logger:
+                logger.debug(msg=f"Obtaining signature public key used by IAM server '{iam_server}'")
                 logger.debug(msg=f"GET {url}")
             try:
                 response: requests.Response = requests.get(url=url)
@@ -145,12 +173,29 @@ def _get_public_key(iam_server: IamServer,
                     # request succeeded
                     if logger:
                         logger.debug(msg=f"GET success, status {response.status_code}")
+                    # select the appropriate JWK
                     reply: dict[str, Any] = response.json()
-                    result = crypto_jwk_convert(jwk=reply["keys"][0],
-                                                fmt="PEM")
-                    registry["public-key"] = result
-                    lifetime: int = registry["pk-lifetime"] or 0
-                    registry["pk-expiration"] = now + lifetime
+                    jwk: dict[str, str] | None = None
+                    # replay["keys"]: list[dict[str, str]]
+                    for key in reply["keys"]:
+                        if key.get("use") == "sig":
+                            jwk = key
+                            break
+                    if jwk:
+                        # convert from 'JWK' to 'PEM' and save it for further use
+                        result = crypto_jwk_convert(jwk=jwk,
+                                                    fmt="PEM")
+                        registry["public-key"] = result
+                        lifetime: int = registry["pk-lifetime"] or 0
+                        registry["pk-expiration"] = now + lifetime if lifetime else sys.maxsize
+                        if logger:
+                            logger.debug(f"Public key obtained and saved")
+                    else:
+                        msg = "Signature public key missing from the token issuer's JWKS"
+                        if logger:
+                            logger.error(msg=msg)
+                        if isinstance(errors, list):
+                            errors.append(msg)
                 elif logger:
                     msg: str = f"GET failure, status {response.status_code}, reason {response.reason}"
                     if hasattr(response, "content") and response.content:

{pypomes_iam-0.5.6 → pypomes_iam-0.5.7}/src/pypomes_iam/iam_services.py

@@ -3,17 +3,102 @@ from flask import Request, Response, request, jsonify
 from logging import Logger
 from typing import Any
 
-from .iam_common import IamServer, _iam_lock, _iam_server_from_endpoint
+from .iam_common import (
+    IamServer, _iam_lock,
+    _get_iam_registry, _get_public_key,
+    _iam_server_from_endpoint, _iam_server_from_issuer
+)
 from .iam_actions import (
     action_login, action_logout,
     action_token, action_exchange, action_callback
 )
+from .token_pomes import token_get_claims, token_validate
 
 # the logger for IAM service operations
 # (used exclusively at the HTTP endpoints - all other functions receive the logger as parameter)
 __IAM_LOGGER: Logger | None = None
 
 
+def jwt_required(func: callable) -> callable:
+    """
+    Create a decorator to authenticate service endpoints with JWT tokens.
+
+    :param func: the function being decorated
+    """
+    # ruff: noqa: ANN003 - Missing type annotation for *{name}
+    def wrapper(*args, **kwargs) -> Response:
+        response: Response = __request_validate(request=request)
+        return response if response else func(*args, **kwargs)
+
+    # prevent a rogue error ("View function mapping is overwriting an existing endpoint function")
+    wrapper.__name__ = func.__name__
+
+    return wrapper
+
+
+def __request_validate(request: Request) -> Response:
+    """
+    Verify whether the HTTP *request* has the proper authorization, as per the JWT standard.
+
+    This implementation assumes that HTTP requests are handled with the *Flask* framework.
+    Because this code has a high usage frequency, only authentication failures are logged.
+
+    :param request: the *request* to be verified
+    :return: *None* if the *request* is valid, otherwise a *Response* reporting the error
+    """
+    # initialize the return variable
+    result: Response | None = None
+
+    # retrieve the authorization from the request header
+    auth_header: str = request.headers.get("Authorization")
+
+    # validate the authorization token
+    bad_token: bool = True
+    if auth_header and auth_header.startswith("Bearer "):
+        # extract and validate the JWT access token
+        token: str = auth_header.split(" ")[1]
+        claims: dict[str, Any] = token_get_claims(token=token)
+        if claims:
+            issuer: str = claims["payload"].get("iss")
+            recipient_attr: str | None = None
+            recipient_id: str = request.values.get("user-id") or request.values.get("login")
+            with _iam_lock:
+                iam_server: IamServer = _iam_server_from_issuer(issuer=issuer,
+                                                                errors=None,
+                                                                logger=__IAM_LOGGER)
+                if iam_server:
+                    # validate the token's recipient only if a user identification is provided
+                    if recipient_id:
+                        registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
+                                                                     errors=None,
+                                                                     logger=__IAM_LOGGER)
+                        if registry:
+                            recipient_attr = registry["recipient-attr"]
+                    public_key: str = _get_public_key(iam_server=iam_server,
+                                                      errors=None,
+                                                      logger=__IAM_LOGGER)
+            # validate the token (log errors, only)
+            errors: list[str] = []
+            if public_key and token_validate(token=token,
+                                             issuer=issuer,
+                                             recipient_id=recipient_id,
+                                             recipient_attr=recipient_attr,
+                                             public_key=public_key,
+                                             errors=errors):
+                # token is valid
+                bad_token = False
+            elif __IAM_LOGGER:
+                __IAM_LOGGER.error("; ".join(errors))
+        if bad_token and __IAM_LOGGER:
+            __IAM_LOGGER.error(f"authorization refused for token {token}")
+
+    # deny the authorization
+    if bad_token:
+        result = Response(response="Authorization failed",
+                          status=401)
+    return result
+
+
 def logger_register(logger: Logger) -> None:
     """
     Register the logger for HTTP services.

pypomes_iam-0.5.6/src/pypomes_iam/iam_pomes.py

@@ -1,82 +0,0 @@
-from flask import Request, Response, request
-from typing import Any
-
-from .iam_common import (
-    IamServer, _iam_lock, _get_iam_registry,
-    _iam_server_from_issuer  # _get_public_key
-)
-from .token_pomes import token_get_claims, token_validate
-
-
-def jwt_required(func: callable) -> callable:
-    """
-    Create a decorator to authenticate service endpoints with JWT tokens.
-
-    :param func: the function being decorated
-    """
-    # ruff: noqa: ANN003 - Missing type annotation for *{name}
-    def wrapper(*args, **kwargs) -> Response:
-        response: Response = __request_validate(request=request)
-        return response if response else func(*args, **kwargs)
-
-    # prevent a rogue error ("View function mapping is overwriting an existing endpoint function")
-    wrapper.__name__ = func.__name__
-
-    return wrapper
-
-
-def __request_validate(request: Request) -> Response:
-    """
-    Verify whether the HTTP *request* has the proper authorization, as per the JWT standard.
-
-    This implementation assumes that HTTP requests are handled with the *Flask* framework.
-
-    :param request: the *request* to be verified
-    :return: *None* if the *request* is valid, otherwise a *Response* reporting the error
-    """
-    # initialize the return variable
-    result: Response | None = None
-
-    # retrieve the authorization from the request header
-    auth_header: str = request.headers.get("Authorization")
-
-    # validate the authorization token
-    bad_token: bool = True
-    if auth_header and auth_header.startswith("Bearer "):
-        # extract and validate the JWT access token
-        token: str = auth_header.split(" ")[1]
-        claims: dict[str, Any] = token_get_claims(token=token)
-        if claims:
-            issuer: str = claims["payload"].get("iss")
-            recipient_attr: str | None = None
-            recipient_id: str = request.values.get("user-id") or request.values.get("login")
-            with _iam_lock:
-                iam_server: IamServer = _iam_server_from_issuer(issuer=issuer,
-                                                                errors=None,
-                                                                logger=None)
-                # public_key: str = _get_public_key(iam_server=iam_server,
-                #                                   errors=errors,
-                #                                   logger=logger)
-                public_key = None
-
-                # validate the token's recipient only if a user identification is provided
-                if recipient_id:
-                    registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
-                                                                 errors=None,
-                                                                 logger=None)
-                    recipient_attr = registry["recipient-attr"]
-
-            # validate the token
-            if token_validate(token=token,
-                              issuer=issuer,
-                              recipient_id=recipient_id,
-                              recipient_attr=recipient_attr,
-                              public_key=public_key):
-                # token is valid
-                bad_token = False
-
-    # deny the authorization
-    if bad_token:
-        result = Response(response="Authorization failed",
-                          status=401)
-    return result