pypomes-iam 0.7.2__py3-none-any.whl → 0.8.0__py3-none-any.whl

pypomes_iam/provider_pomes.py

@@ -4,8 +4,13 @@ import sys
 from base64 import b64encode
 from datetime import datetime
 from enum import StrEnum
+from flask import Flask, Response, request, jsonify
 from logging import Logger
-from pypomes_core import TZ_LOCAL, exc_format
+from pypomes_core import (
+    APP_PREFIX, TZ_LOCAL,
+    env_get_str, env_get_strs, env_get_obj, exc_format,
+    func_capture_params, func_defaulted_params
+)
 from threading import Lock
 from typing import Any, Final
 
@@ -14,16 +19,67 @@ class ProviderParam(StrEnum):
     """
     Parameters for configuring a *JWT* token provider.
     """
-    URL = "url"
-    USER = "user"
-    PWD = "pwd"
+    BODY_DATA = "body-data"
     CUSTOM_AUTH = "custom-auth"
     HEADER_DATA = "headers-data"
-    BODY_DATA = "body-data"
+    USER_ID = "user-id"
+    USER_SECRET = "user-secret"
     ACCESS_TOKEN = "access-token"
     ACCESS_EXPIRATION = "access-expiration"
     REFRESH_TOKEN = "refresh-token"
     REFRESH_EXPIRATION = "refresh-expiration"
+    URL_AUTH = "url-auth"
+
+
+# the logger for IAM service operations
+# (used exclusively at the HTTP endpoints - all other functions receive the logger as parameter)
+__JWT_LOGGER: Logger | None = None
+
+
+def __get_provider_data() -> dict[str, dict[ProviderParam, Any]]:
+    """
+    Obtain the configuration data for select *JWT* providers.
+
+    The configuration parameters for the JWT providers are specified with environment variables,
+    or dynamically with *provider_setup_server()*. Specifying configuration parameters with
+    environment variables can be done by following these steps:
+
+    1. Specify *<APP_PREFIX>_IAM_PROVIDERS* with a list of names (typically, in lower-case), and the data set
+       below for each providers, where *<JWT>* stands for the provider's name in upper-case:
+          - *<APP_PREFIX>_<JWT>_BODY_DATA*            (optional)
+          - *<APP_PREFIX>_<JWT>_CUSTOM_AUTH*          (optional)
+          - *<APP_PREFIX>_<JWT>_HEADER_DATA*          (optional)
+          - *<APP_PREFIX>_<JWT>_USER_ID*              (required)
+          - *<APP_PREFIX>_<JWT>_USER_SECRET*          (required)
+          - *<APP_PREFIX>_<JWT>_URL_TOKEN*            (required)
+
+    2. The special environment variable *<APP_PREFIX>_IAM_PROVIDER_ENDPOINT* identifies the endpoint from which
+       to obtain JWT tokens. It is not part of the *JWT* providers' setup, but is meant to be used
+       by function *provider_setup_endpoint()*, wherein the value in that variable would represent the
+       default value for its parameter.
+
+    :return: the configuration data for the select *JWT* providers.
+    """
+    # initialize the return variable
+    result: dict[str, dict[ProviderParam, Any]] = {}
+
+    servers: list[str] = env_get_strs(key=f"{APP_PREFIX}_IAM_PROVIDERS") or []
+    for server in servers:
+        prefix = server.upper()
+        result[server] = {
+            ProviderParam.BODY_DATA: env_get_obj(key=f"{APP_PREFIX}_{prefix}_BODY_DATA"),
+            ProviderParam.CUSTOM_AUTH: env_get_strs(key=f"{APP_PREFIX}_{prefix}_CUSTOM_AUTH"),
+            ProviderParam.HEADER_DATA: env_get_obj(key=f"{APP_PREFIX}_{prefix}_HEADER_DATA"),
+            ProviderParam.USER_ID: env_get_str(key=f"{APP_PREFIX}_{prefix}_USER_ID"),
+            ProviderParam.USER_SECRET: env_get_str(key=f"{APP_PREFIX}_{prefix}_USER_SECRET"),
+            ProviderParam.URL_AUTH: env_get_str(key=f"{APP_PREFIX}_{prefix}_URL_AUTH"),
+            ProviderParam.ACCESS_TOKEN: None,
+            ProviderParam.ACCESS_EXPIRATION: 0,
+            ProviderParam.REFRESH_TOKEN: None,
+            ProviderParam.REFRESH_EXPIRATION: 0
+        }
+
+    return result
 
 
 # structure:
@@ -32,7 +88,7 @@ class ProviderParam(StrEnum):
 #      "url": <strl>,
 #      "user": <str>,
 #      "pwd": <str>,
-#      "custom-auth": <bool>,
+#      "custom-auth": <tuple[str, str]>,
 #      "headers-data": <dict[str, str]>,
 #      "body-data": <dict[str, str],
 #      "access-token": <str>,
@@ -41,22 +97,26 @@ class ProviderParam(StrEnum):
 #      "refresh-expiration": <timestamp>
 #    }
 # }
-_provider_registry: Final[dict[str, dict[str, Any]]] = {}
+_provider_registry: Final[dict[str, dict[str, Any]]] = __get_provider_data()
 
 # the lock protecting the data in '_provider_registry'
 # (because it is 'Final' and set at declaration time, it can be accessed through simple imports)
 _provider_lock: Final[Lock] = Lock()
 
 
-def provider_register(provider_id: str,
-                      auth_url: str,
-                      auth_user: str,
-                      auth_pwd: str,
-                      custom_auth: tuple[str, str] = None,
-                      headers_data: dict[str, str] = None,
-                      body_data: dict[str, str] = None) -> None:
+@func_capture_params
+def provider_setup_server(provider_id: str,
+                          user_id: str = None,
+                          user_secret: str = None,
+                          custom_auth: tuple[str, str] = None,
+                          header_data: dict[str, str] = None,
+                          body_data: dict[str, str] = None,
+                          url_auth: str = None) -> None:
     """
-    Register an external authentication token provider.
+    Setup the *JWT* provider *provider_id*.
+
+    For the parameters not effectively passed, an attempt is made to obtain a value from the corresponding
+    environment variable.
 
     If specified, *custom_auth* provides key names for sending credentials (username and password, in this order)
     as key-value pairs in the body of the request. Otherwise, the external provider *provider_id* uses the standard
@@ -67,23 +127,42 @@ def provider_register(provider_id: str,
     (such as ['grant_type', 'client_credentials']), to be added to the request body, may be specified in *body_data*.
 
     :param provider_id: the provider's identification
-    :param auth_url: the url to request authentication tokens with
-    :param auth_user: the basic authorization user
-    :param auth_pwd: the basic authorization password
+    :param user_id: the basic authorization user
+    :param user_secret: the basic authorization password
     :param custom_auth: optional key names for sending the credentials as key-value pairs in the body of the request
-    :param headers_data: optional key-value pairs to be added to the request headers
+    :param header_data: optional key-value pairs to be added to the request headers
     :param body_data: optional key-value pairs to be added to the request body
+    :param url_auth: the url to request *JWT* tokens with
     """
     global _provider_registry
 
+    # obtain the defaulted parameters
+    defaulted_params: list[str] = func_defaulted_params.get()
+
+    # read from the environment variables
+    prefix: str = provider_id.upper()
+    if "user_id" in defaulted_params:
+        user_id = env_get_str(key=f"{APP_PREFIX}_{prefix}_USER_ID")
+    if "user_secret" in defaulted_params:
+        user_secret = env_get_str(key=f"{APP_PREFIX}_{prefix}_USER_SECRET")
+    if "custom_auth" in defaulted_params:
+        custom_auth = env_get_strs(key=f"{APP_PREFIX}_{prefix}_CUSTOM_AUTH")
+    if "header_data" in defaulted_params:
+        header_data = env_get_obj(key=f"{APP_PREFIX}_{prefix}_HEADER_DATA")
+    if "body_data" in defaulted_params:
+        body_data = env_get_obj(key=f"{APP_PREFIX}_{prefix}_BODY_DATA")
+    if "url_auth" in defaulted_params:
+        url_auth = env_get_str(key=f"{APP_PREFIX}_{prefix}_URL_AUTH")
+
     with _provider_lock:
         _provider_registry[provider_id] = {
-            ProviderParam.URL: auth_url,
-            ProviderParam.USER: auth_user,
-            ProviderParam.PWD: auth_pwd,
+            ProviderParam.URL_AUTH: url_auth,
+            ProviderParam.USER_ID: user_id,
+            ProviderParam.USER_SECRET: user_secret,
             ProviderParam.CUSTOM_AUTH: custom_auth,
-            ProviderParam.HEADER_DATA: headers_data,
+            ProviderParam.HEADER_DATA: header_data,
             ProviderParam.BODY_DATA: body_data,
+            # dynamically set
             ProviderParam.ACCESS_TOKEN: None,
             ProviderParam.ACCESS_EXPIRATION: 0,
             ProviderParam.REFRESH_TOKEN: None,
@@ -91,17 +170,105 @@ def provider_register(provider_id: str,
         }
 
 
+@func_capture_params
+def provider_setup_endpoint(flask_app: Flask,
+                            provider_endpoint: str = None) -> None:
+    """
+    Setup the endpoint for requesting token from the registered *JWT* providers.
+
+    if *provider_endpoint* is not effectively passed, an attempt is made to obtain a value from the corresponding
+    environment variable.
+
+    :param flask_app: the Flask application
+    :param provider_endpoint: endpoint for requenting tokens to provider
+    """
+    # obtain the defaulted parameters
+    defaulted_params: list[str] = func_defaulted_params.get()
+
+    # read from the environment variable
+    if "provider_endpoint" in defaulted_params:
+        provider_endpoint = env_get_str(key=f"{APP_PREFIX}_IAM_PROVIDER_ENDPOINT")
+
+    # establish the endpoints
+    if provider_endpoint:
+        flask_app.add_url_rule(rule=provider_endpoint,
+                               endpoint=f"jwt-callback",
+                               view_func=service_get_token,
+                               methods=["GET"])
+
+
+def provider_setup_logger(logger: Logger) -> None:
+    """
+    Register the logger for HTTP services.
+
+    :param logger: the logger to be registered
+    """
+    global __JWT_LOGGER
+    __JWT_LOGGER = logger
+
+
+# @flask_app.route(rule=<token_endpoint>,  # IAM_PROVIDER_ENDPOINT_TOKEN
+#                  methods=["GET"])
+def service_get_token() -> Response:
+    """
+    Entry point for retrieving a token from the *JWT* provider.
+
+    The provider is identified by the request parameter *jwt-provider*.
+
+    On success, the returned *Response* will contain the following JSON:
+        {
+            "access-token": <token>
+        }
+
+    :return: *Response* containing the JWT token, or *BAD REQUEST*
+    """
+    # log the request
+    if __JWT_LOGGER:
+        params: str = json.dumps(obj=request.args,
+                                 ensure_ascii=False)
+        __JWT_LOGGER.debug(msg=f"Request {request.method}:{request.path}, params {params}")
+
+    # obtain the provider JWT
+    provider_id: str = request.args.get("jwt-provider")
+
+    # retrieve the token
+    token: str | None = None
+    errors: list[str] = []
+    if provider_id:
+        token: str = provider_get_token(provider_id=provider_id,
+                                        errors=errors,
+                                        logger=__JWT_LOGGER)
+    else:
+        msg: str = "JWT provider not informed"
+        errors.append(msg)
+        if __JWT_LOGGER:
+            __JWT_LOGGER.error(msg=msg)
+
+    result: Response
+    if errors:
+        result = Response(response="; ".join(errors),
+                          status=400)
+    else:
+        result = jsonify({"access-token": token})
+    if __JWT_LOGGER:
+        # log the response (the returned data is not logged, as it contains the token)
+        __JWT_LOGGER.debug(msg=f"Response {result}")
+
+    return result
+
+
 def provider_get_token(provider_id: str,
                        errors: list[str] = None,
                        logger: Logger = None) -> str | None:
     """
-    Obtain an authentication token from the external provider *provider_id*.
+    Obtain an JWT token from the external provider *provider_id*.
 
     :param provider_id: the provider's identification
     :param errors: incidental error messages
     :param logger: optional logger
+    :return: the JWT token, or *None* if error
     """
-    global _provider_registry  # noqa: PLW0602
+    global _provider_registry
 
     # initialize the return variable
     result: str | None = None
@@ -117,7 +284,7 @@ def provider_get_token(provider_id: str,
                 # access token has expired
                 header_data: dict[str, str] | None = None
                 body_data: dict[str, str] | None = None
-                url: str = provider.get(ProviderParam.URL)
+                url: str = provider.get(ProviderParam.URL_AUTH)
                 refresh_token: str = provider.get(ProviderParam.REFRESH_TOKEN)
                 if refresh_token:
                     # refresh token exists
@@ -133,9 +300,9 @@ def provider_get_token(provider_id: str,
                         }
                 if not body_data:
                     # refresh token does not exist or has expired
-                    user: str = provider.get(ProviderParam.USER)
-                    pwd: str = provider.get(ProviderParam.PWD)
-                    headers_data: dict[str, str] = provider.get(ProviderParam.HEADER_DATA) or {}
+                    user: str = provider.get(ProviderParam.USER_ID)
+                    pwd: str = provider.get(ProviderParam.USER_SECRET)
+                    header_data: dict[str, str] = provider.get(ProviderParam.HEADER_DATA) or {}
                     body_data: dict[str, str] = provider.get(ProviderParam.BODY_DATA) or {}
                     custom_auth: tuple[str, str] = provider.get(ProviderParam.CUSTOM_AUTH)
                     if custom_auth:
@@ -143,7 +310,7 @@ def provider_get_token(provider_id: str,
                         body_data[custom_auth[1]] = pwd
                     else:
                         enc_bytes: bytes = b64encode(f"{user}:{pwd}".encode())
-                        headers_data["Authorization"] = f"Basic {enc_bytes.decode()}"
+                        header_data["Authorization"] = f"Basic {enc_bytes.decode()}"
 
                 # obtain the token
                 token_data: dict[str, Any] = __post_for_token(url=url,

pypomes_iam/token_pomes.py

@@ -46,6 +46,33 @@ def token_get_claims(token: str,
     return result
 
 
+def token_get_values(token: str,
+                     keys: tuple[str, ...],
+                     errors: list[str] = None,
+                     logger: Logger = None) -> tuple:
+    """
+    Retrieve the values of *keys* in the token's payload.
+
+    Ther values are returned in the same order as requested in *keys*.
+    For a claim not found, *None* is returned in its position.
+
+    :param token: the reference token
+    :param keys: the names of the claims whose values are to be returned
+    :param errors: incidental errors
+    :param logger: optiona logger
+    :return: a tuple containing the respective values of *claims* in *token*.
+    """
+    token_claims: dict[str, dict[str, Any]] = token_get_claims(token=token,
+                                                               errors=errors,
+                                                               logger=logger)
+    payload: dict[str, Any] = token_claims["payload"]
+    values: list[Any] = []
+    for key in keys:
+        values.append(payload.get(key))
+
+    return tuple(values)
+
+
 def token_validate(token: str,
                    issuer: str = None,
                    recipient_id: str = None,

{pypomes_iam-0.7.2.dist-info → pypomes_iam-0.8.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_iam
-Version: 0.7.2
+Version: 0.8.0
 Summary: A collection of Python pomes, penyeach (IAM modules)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-IAM
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-IAM/issues
@@ -12,6 +12,6 @@ Classifier: Programming Language :: Python :: 3
 Requires-Python: >=3.12
 Requires-Dist: flask>=3.1.2
 Requires-Dist: pyjwt>=2.10.1
-Requires-Dist: pypomes-core>=2.8.1
+Requires-Dist: pypomes-core>=2.8.6
 Requires-Dist: pypomes-crypto>=0.4.8
 Requires-Dist: requests>=2.32.5

pypomes_iam-0.8.0.dist-info/RECORD

@@ -0,0 +1,11 @@
+pypomes_iam/__init__.py,sha256=CbAH4lmonMxJTa3mWsWqA-pztmMb5-4Vsb4yA7HJ-hw,1561
+pypomes_iam/iam_actions.py,sha256=Le0uzKU9OfI9a5U0q2FvGDGrVwskMuV_e_kb5ZOveFQ,46227
+pypomes_iam/iam_common.py,sha256=xT1OFxX8wdRUN7GURL2kr6yBsh5j_Zb3iyqKykWEMYA,17523
+pypomes_iam/iam_pomes.py,sha256=IUwxMevYvDsH-PVNkbOF-b0U_W_5ACi-REBjm1ZT2PE,8421
+pypomes_iam/iam_services.py,sha256=bWPxzIsZFD9fP7bkLKqgi7Z23h107Qd_GKgL2KjQzuE,22995
+pypomes_iam/provider_pomes.py,sha256=gkE0LvOzfPASDCilPRhqSql4LhU6sCilucE5zbM3lF8,17534
+pypomes_iam/token_pomes.py,sha256=KiTlBNj3HURbZS_Rmti2RC6hny8VFPpbXeIO--HZ-fI,7703
+pypomes_iam-0.8.0.dist-info/METADATA,sha256=olIXbMd6htlsfw0TuEd4aSYEFwNuL_dne4tphUxwILM,661
+pypomes_iam-0.8.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+pypomes_iam-0.8.0.dist-info/licenses/LICENSE,sha256=YvUELgV8qvXlaYsy9hXG5EW3Bmsrkw-OJmmILZnonAc,1086
+pypomes_iam-0.8.0.dist-info/RECORD,,

pypomes_iam-0.7.2.dist-info/RECORD

@@ -1,11 +0,0 @@
-pypomes_iam/__init__.py,sha256=_6tSFfjuU-5p6TAMqNLHSL6IQmaJMSYuEW-TG3ybhTI,1044
-pypomes_iam/iam_actions.py,sha256=qUX8DdTBOUVfJpWtE7qg4rSBh6ZQNG_4VnMA7uebnV4,42781
-pypomes_iam/iam_common.py,sha256=ki_-m6fqJqUbGjgTD41r9zaE-FOXgA_c_tLisIYYTfU,15457
-pypomes_iam/iam_pomes.py,sha256=_kLnrZG25XhJsIv3wqDl_2sIJ2ho_2TIMKrPCyPmA7Q,7362
-pypomes_iam/iam_services.py,sha256=AzrZux2Pt_FoCNcTcXfWphHb587vB3WIbKYG7RFf5zE,15821
-pypomes_iam/provider_pomes.py,sha256=3mMj5LQs53YEINUEOfFBAxOwOP3aOR_szlE4daEBLK0,10523
-pypomes_iam/token_pomes.py,sha256=K4nSAotKUoHIE2s3ltc_nVimlNeKS9tnD-IlslkAvkk,6626
-pypomes_iam-0.7.2.dist-info/METADATA,sha256=7amJ095DkifMRQeC7uX5C6rsU7jzgCA7Bnn3uu6N6q4,661
-pypomes_iam-0.7.2.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-pypomes_iam-0.7.2.dist-info/licenses/LICENSE,sha256=YvUELgV8qvXlaYsy9hXG5EW3Bmsrkw-OJmmILZnonAc,1086
-pypomes_iam-0.7.2.dist-info/RECORD,,