pypomes-iam 0.7.9__tar.gz → 0.8.5__tar.gz

{pypomes_iam-0.7.9 → pypomes_iam-0.8.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_iam
-Version: 0.7.9
+Version: 0.8.5
 Summary: A collection of Python pomes, penyeach (IAM modules)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-IAM
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-IAM/issues
@@ -12,6 +12,6 @@ Classifier: Programming Language :: Python :: 3
 Requires-Python: >=3.12
 Requires-Dist: flask>=3.1.2
 Requires-Dist: pyjwt>=2.10.1
-Requires-Dist: pypomes-core>=2.8.4
+Requires-Dist: pypomes-core>=2.8.6
 Requires-Dist: pypomes-crypto>=0.4.8
 Requires-Dist: requests>=2.32.5

{pypomes_iam-0.7.9 → pypomes_iam-0.8.5}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "pypomes_iam"
-version = "0.7.9"
+version = "0.8.5"
 authors = [
   { name="GT Nunes", email="wisecoder01@gmail.com" }
 ]
@@ -21,7 +21,7 @@ classifiers = [
 dependencies = [
     "Flask>=3.1.2",
     "PyJWT>=2.10.1",
-    "pypomes-core>=2.8.4",
+    "pypomes-core>=2.8.6",
     "pypomes-crypto>=0.4.8",
     "requests>=2.32.5"
 ]

{pypomes_iam-0.7.9 → pypomes_iam-0.8.5}/src/pypomes_iam/__init__.py

@@ -1,6 +1,6 @@
 from .iam_actions import (
     iam_callback, iam_exchange,
-    iam_login, iam_logout, iam_get_token
+    iam_login, iam_logout, iam_get_token, iam_userinfo
 )
 from .iam_common import (
     IamServer, IamParam
@@ -10,10 +10,9 @@ from .iam_pomes import (
 )
 from .iam_services import (
     jwt_required, iam_setup_logger,
-    service_setup_server, service_get_token,
-    service_login, service_logout,
-    service_callback, service_exchange,
-    service_callback_exchange
+    service_setup_server, service_login, service_logout,
+    service_get_token, service_userinfo, service_callback,
+    service_exchange, service_callback_exchange
 )
 from .provider_pomes import (
     service_get_token, provider_get_token,
@@ -26,17 +25,16 @@ from .token_pomes import (
 __all__ = [
     # iam_actions
     "iam_callback", "iam_exchange",
-    "iam_login", "iam_logout", "iam_get_token",
+    "iam_login", "iam_logout", "iam_get_token", "iam_userinfo",
     # iam_commons
     "IamServer", "IamParam",
     # iam_pomes
     "iam_setup_server", "iam_setup_endpoints",
     # iam_services
     "jwt_required", "iam_setup_logger",
-    "service_setup_server", "service_get_token",
-    "service_login", "service_logout",
-    "service_callback", "service_exchange",
-    "service_callback_exchange",
+    "service_setup_server", "service_login", "service_logout",
+    "service_get_token", "service_userinfo", "service_callback",
+    "service_exchange", "service_callback_exchange",
     # provider_pomes
     "provider_setup_server", "provider_get_token",
     "provider_setup_endpoint", "provider_setup_logger", "provider_setup_server",

{pypomes_iam-0.7.9 → pypomes_iam-0.8.5}/src/pypomes_iam/iam_actions.py

@@ -100,9 +100,9 @@ def iam_logout(iam_server: IamServer,
     """
     Logout the user, by removing all data associating it from *iam_server*'s registry.
 
-    The user is identified by the attribute *user-id* or "login", provided in *args*.
-    If successful, remove all data relating to the user from the *IAM* server's registry.
-    Otherwise, this operation fails silently, unless an error has ocurred.
+    The user is identified by the attribute *user-id* or *login*, provided in *args*.
+    A logout request is sent to *iam_server* and, if successful, remove all data relating to the user
+    from the *IAM* server's registry.
 
     :param iam_server: the reference registered *IAM* server
     :param args: the arguments passed when requesting the service
@@ -114,14 +114,65 @@ def iam_logout(iam_server: IamServer,
 
     if user_id:
         with _iam_lock:
-            # retrieve the data for all users in the IAM server's registry
-            users: dict[str, dict[str, Any]] = _get_iam_users(iam_server=iam_server,
-                                                              errors=errors,
-                                                              logger=logger) or {}
-            if user_id in users:
-                users.pop(user_id)
-                if logger:
-                    logger.debug(msg=f"User '{user_id}' removed from {iam_server}'s registry")
+            # retrieve the IAM server's registry and the data for all users therein
+            registry: dict[str, Any] = _get_iam_registry(iam_server,
+                                                         errors=errors,
+                                                         logger=logger)
+            users: dict[str, dict[str, Any]] = registry[IamParam.USERS] if registry else {}
+            user_data: dict[str, Any] = users.get(user_id)
+            if user_data:
+                # request the IAM server to logout 'client_id'
+                client_secret: str = __get_client_secret(iam_server=iam_server,
+                                                         errors=errors,
+                                                         logger=logger)
+                if client_secret:
+                    url: str = (f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+                                "/protocol/openid-connect/logout")
+                    header_data: dict[str, str] = {
+                        "Content-Type": "application/x-www-form-urlencoded"
+                    }
+                    body_data: dict[str, Any] = {
+                        "client_id": registry[IamParam.CLIENT_ID],
+                        "client_secret": client_secret,
+                        "refresh_token": user_data[UserParam.REFRESH_TOKEN]
+                    }
+                    #  log the POST
+                    if logger:
+                        logger.debug(msg=f"POST {url}")
+                    try:
+                        response: requests.Response = requests.post(url=url,
+                                                                    headers=header_data,
+                                                                    data=body_data)
+                        if response.status_code in [200, 204]:
+                            # request succeeded
+                            if logger:
+                                logger.debug(msg=f"POST success")
+                        else:
+                            # request failed, report the problem
+                            msg: str = f"POST failure, status {response.status_code}, reason {response.reason}"
+                            if logger:
+                                logger.error(msg=msg)
+                            if isinstance(errors, list):
+                                errors.append(msg)
+                    except Exception as e:
+                        # the operation raised an exception
+                        msg: str = exc_format(exc=e,
+                                              exc_info=sys.exc_info())
+                        if logger:
+                            logger.error(msg=msg)
+                        if isinstance(errors, list):
+                            errors.append(msg)
+
+                    if not errors and user_id in users:
+                        users.pop(user_id)
+                        if logger:
+                            logger.debug(msg=f"User '{user_id}' removed from {iam_server}'s registry")
+    else:
+        msg: str = "User identification not provided"
+        if logger:
+            logger.error(msg=msg)
+        if isinstance(errors, list):
+            errors.append(msg)
 
 
 def iam_get_token(iam_server: IamServer,
@@ -176,7 +227,7 @@ def iam_get_token(iam_server: IamServer,
                         refresh_expiration: int = user_data[UserParam.REFRESH_EXPIRATION]
                         if now < refresh_expiration:
                             header_data: dict[str, str] = {
-                                "Content-Type": "application/json"
+                                "Content-Type": "application/x-www-form-urlencoded"
                             }
                             body_data: dict[str, str] = {
                                 "grant_type": "refresh_token",
@@ -306,8 +357,8 @@ def iam_callback(iam_server: IamServer,
                         registry: dict[str, Any] = _get_iam_registry(iam_server,
                                                                      errors=errors,
                                                                      logger=logger)
-                        url: str = f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
-                        url += f"/broker/{target_idp}/token"
+                        url: str = (f"{registry[IamParam.URL_BASE]}/realms/"
+                                    f"{registry[IamParam.CLIENT_REALM]}/broker/{target_idp}/token")
                         header_data: dict[str, str] = {
                             "Authorization": f"Bearer {result[1]}",
                             "Content-Type": "application/json"
@@ -429,6 +480,60 @@ def iam_exchange(iam_server: IamServer,
     return result
 
 
+def iam_userinfo(iam_server: IamServer,
+                 args: dict[str, Any],
+                 errors: list[str] = None,
+                 logger: Logger = None) -> dict[str, Any] | None:
+    """
+    Obtain user data from *iam_server*.
+
+    The user is identified by the attribute *user-id* or *login*, provided in *args*.
+
+    :param iam_server: the reference registered *IAM* server
+    :param args: the arguments passed when requesting the service
+    :param errors: incidental error messages
+    :param logger: optional logger
+    :return: the user information requested, or *None* if error
+    """
+    # initialize the return variable
+    result: dict[str, Any] | None = None
+
+    # obtain the user's identification
+    user_id: str = args.get("user-id") or args.get("login")
+
+    err_msg: str | None = None
+    if user_id:
+        with _iam_lock:
+            # retrieve the IAM server's registry and the user data therein
+            registry: dict[str, Any] = _get_iam_registry(iam_server,
+                                                         errors=errors,
+                                                         logger=logger)
+            user_data: dict[str, Any] = registry[IamParam.USERS].get(user_id)
+            if user_data:
+                url: str = (f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+                            "/protocol/openid-connect/userinfo")
+                header_data: dict[str, str] = {
+                    "Authorization": f"Bearer {args.get('access-token')}"
+                }
+                result = __get_for_data(url=url,
+                                        header_data=header_data,
+                                        params=None,
+                                        errors=errors,
+                                        logger=logger)
+            else:
+                err_msg = f"Unknown user '{user_id}'"
+    else:
+        err_msg: str = "User identification not provided"
+
+    if err_msg:
+        if logger:
+            logger.error(msg=err_msg)
+        if isinstance(errors, list):
+            errors.append(err_msg)
+
+    return result
+
+
 def __assert_link(iam_server: IamServer,
                   user_id: str,
                   token: str,
@@ -814,8 +919,8 @@ def __post_for_token(iam_server: IamServer,
                 body_data["client_id"] = registry[IamParam.CLIENT_ID]
 
             # build the URL
-            base_url: str = f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
-            url: str = f"{base_url}/protocol/openid-connect/token"
+            url: str = (f"{registry[IamParam.URL_BASE]}/realms/"
+                        f"{registry[IamParam.CLIENT_REALM]}/protocol/openid-connect/token")
             #  'client_secret' data must not be shown in log
             msg: str = f"POST {url}, {json.dumps(obj=body_data,
                                                  ensure_ascii=False)}"

{pypomes_iam-0.7.9 → pypomes_iam-0.8.5}/src/pypomes_iam/iam_common.py

@@ -68,7 +68,7 @@ def __get_iam_data() -> dict[IamServer, dict[IamParam, Any]]:
     or dynamically with calls to *iam_setup_server()*. Specifying configuration parameters with environment
     variables can be done by following these steps:
 
-    1. Specify *<APP_PREFIX>_IAM_SERVERS* with a list of names among the values found in *IamServer* class
+    1. Specify *<APP_PREFIX>_AUTH_SERVERS* with a list of names among the values found in *IamServer* class
        (currently, *jusbr* and *keycloak* are supported), and the data set below for each server, where
        *<IAM>* stands for the server's name as presented in *IamServer* class:
           - *<APP_PREFIX>_<IAM>_ADMIN_ID*           (optional, required if administrative duties are performed)
@@ -91,13 +91,14 @@ def __get_iam_data() -> dict[IamServer, dict[IamParam, Any]]:
           - *<APP_PREFIX>_<IAM>_ENDPOINT_LOGIN*
           - *<APP_PREFIX>_<IAM>_ENDPOINT_LOGOUT*
           - *<APP_PREFIX>_<IAM>_ENDPOINT_TOKEN*
+          - *<APP_PREFIX>_<IAM>_ENDPOINT_USERINFO*
 
     :return: the configuration data for the select *IAM* servers.
     """
     # initialize the return variable
     result: dict[IamServer, dict[IamParam, Any]] = {}
 
-    servers: list[IamServer] = env_get_enums(key=f"{APP_PREFIX}_IAM_SERVERS",
+    servers: list[IamServer] = env_get_enums(key=f"{APP_PREFIX}_AUTH_SERVERS",
                                              enum_class=IamServer) or []
     for server in servers:
         prefix = server.name
@@ -108,7 +109,7 @@ def __get_iam_data() -> dict[IamServer, dict[IamParam, Any]]:
             IamParam.CLIENT_REALM: env_get_str(key=f"{APP_PREFIX}_{prefix}_CLIENT_REALM"),
             IamParam.CLIENT_SECRET: env_get_str(key=f"{APP_PREFIX}_{prefix}_CLIENT_SECRET"),
             IamParam.LOGIN_TIMEOUT: env_get_str(key=f"{APP_PREFIX}_{prefix}_LOGIN_TIMEOUT"),
-            IamParam.PK_LIFETIME: env_get_int(key=f"{APP_PREFIX}_{prefix}_PUBLIC_KEY_LIFETIME"),
+            IamParam.PK_LIFETIME: env_get_int(key=f"{APP_PREFIX}_{prefix}_PK_LIFETIME"),
             IamParam.RECIPIENT_ATTR: env_get_str(key=f"{APP_PREFIX}_{prefix}_RECIPIENT_ATTR"),
             IamParam.URL_BASE: env_get_str(key=f"{APP_PREFIX}_{prefix}_URL_AUTH_BASE"),
             # dynamically set

{pypomes_iam-0.7.9 → pypomes_iam-0.8.5}/src/pypomes_iam/iam_pomes.py

@@ -1,7 +1,8 @@
 from flask import Flask
 from pypomes_core import (
     APP_PREFIX,
-    env_get_int, env_get_str, func_get_defaulted_params
+    env_get_int, env_get_str,
+    func_capture_params, func_defaulted_params
 )
 
 from .iam_common import (
@@ -9,10 +10,12 @@ from .iam_common import (
 )
 from .iam_services import (
     service_login, service_logout,
-    service_callback, service_callback_exchange, service_exchange, service_get_token
+    service_callback, service_callback_exchange,
+    service_exchange, service_get_token, service_userinfo
 )
 
 
+@func_capture_params
 def iam_setup_server(iam_server: IamServer,
                      admin_id: str = None,
                      admin_secret: str = None,
@@ -50,7 +53,7 @@ def iam_setup_server(iam_server: IamServer,
     :param url_base: base URL to request services
     """
     # obtain the defaulted parameters
-    defaulted_params: list[str] = func_get_defaulted_params()
+    defaulted_params: list[str] = func_defaulted_params.get()
 
     # read from the environment variables
     prefix: str = iam_server.name
@@ -92,6 +95,7 @@ def iam_setup_server(iam_server: IamServer,
         }
 
 
+@func_capture_params
 def iam_setup_endpoints(flask_app: Flask,
                         iam_server: IamServer,
                         callback_endpoint: str = None,
@@ -99,7 +103,8 @@ def iam_setup_endpoints(flask_app: Flask,
                         exchange_endpoint: str = None,
                         login_endpoint: str = None,
                         logout_endpoint: str = None,
-                        token_endpoint: str = None) -> None:
+                        token_endpoint: str = None,
+                        userinfo_endpoint: str = None) -> None:
     """
     Setup the endpoints for accessing the services provided by *iam_server*.
 
@@ -114,9 +119,10 @@ def iam_setup_endpoints(flask_app: Flask,
     :param login_endpoint: endpoint for redirecting user to the *IAM* server's login page
     :param logout_endpoint: endpoint for terminating user access
     :param token_endpoint: endpoint for retrieving authentication token
+    :param userinfo_endpoint: endpoint for retrieving user data
     """
     # obtain the defaulted parameters
-    defaulted_params: list[str] = func_get_defaulted_params()
+    defaulted_params: list[str] = func_defaulted_params.get()
 
     # read from the environment variables
     prefix: str = iam_server.name
@@ -132,6 +138,8 @@ def iam_setup_endpoints(flask_app: Flask,
         logout_endpoint = env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_LOGOUT")
     if "token_endpoint" in defaulted_params:
         token_endpoint = env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_TOKEN")
+    if "userinfo_endpoint" in defaulted_params:
+        userinfo_endpoint = env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_USERINFO")
 
     # establish the endpoints
     if callback_endpoint:
@@ -158,9 +166,14 @@ def iam_setup_endpoints(flask_app: Flask,
         flask_app.add_url_rule(rule=logout_endpoint,
                                endpoint=f"{iam_server}-logout",
                                view_func=service_logout,
-                               methods=["GET"])
+                               methods=["POST"])
     if token_endpoint:
         flask_app.add_url_rule(rule=token_endpoint,
                                endpoint=f"{iam_server}-token",
                                view_func=service_get_token,
                                methods=["GET"])
+    if userinfo_endpoint:
+        flask_app.add_url_rule(rule=userinfo_endpoint,
+                               endpoint=f"{iam_server}-userinfo",
+                               view_func=service_userinfo,
+                               methods=["GET"])

{pypomes_iam-0.7.9 → pypomes_iam-0.8.5}/src/pypomes_iam/iam_services.py

@@ -9,10 +9,9 @@ from .iam_common import (
     _iam_server_from_endpoint, _iam_server_from_issuer
 )
 from .iam_actions import (
-    iam_login, iam_logout,
-    iam_get_token, iam_exchange, iam_callback
+    iam_login, iam_logout, iam_callback,
+    iam_exchange, iam_get_token, iam_userinfo
 )
-from .iam_pomes import iam_setup_server
 from .token_pomes import token_get_claims, token_validate
 
 # the logger for IAM service operations
@@ -24,7 +23,10 @@ def jwt_required(func: callable) -> callable:
     """
     Create a decorator to authenticate service endpoints with JWT tokens.
 
+    The decorated function must be a registered endpoint to a *Flask* application.
+
     :param func: the function being decorated
+    :return: the return from the call to *func*, or a *Response NOT AUTHORIZED* if the authentication failed
     """
     # ruff: noqa: ANN003 - Missing type annotation for *{name}
     def wrapper(*args, **kwargs) -> Response:
@@ -45,19 +47,16 @@ def __request_validate(request: Request) -> Response:
     Because this code has a high usage frequency, only authentication failures are logged.
 
     :param request: the *request* to be verified
-    :return: *None* if the *request* is valid, otherwise a *Response* reporting the error
+    :return: *None* if the *request* is valid, otherwise a *Response NOT AUTHORIZED*
     """
     # initialize the return variable
     result: Response | None = None
 
-    # retrieve the authorization from the request header
-    auth_header: str = request.headers.get("Authorization")
-
     # validate the authorization token
     bad_token: bool = True
-    if auth_header and auth_header.startswith("Bearer "):
-        # extract and validate the JWT access token
-        token: str = auth_header.split(" ")[1]
+    token: str = __get_bearer_token(request=request)
+    if token:
+        # extract token claims
         claims: dict[str, Any] = token_get_claims(token=token)
         if claims:
             issuer: str = claims["payload"].get("iss")
@@ -101,6 +100,26 @@ def __request_validate(request: Request) -> Response:
     return result
 
 
+def __get_bearer_token(request: Request) -> str:
+    """
+    Retrieve the bearer token sent in the header of *request*.
+
+    This implementation assumes that HTTP requests are handled with the *Flask* framework.
+
+    :param request: the *request* to retrieve the token from
+    :return: the bearer token, or *None* if not found
+    """
+    # initialize the return variable
+    result: str | None = None
+
+    # retrieve the authorization from the request header
+    auth_header: str = request.headers.get("Authorization")
+    if auth_header and auth_header.startswith("Bearer "):
+        result: str = auth_header.split(" ")[1]
+
+    return result
+
+
 def iam_setup_logger(logger: Logger) -> None:
     """
     Register the logger for HTTP services.
@@ -143,14 +162,15 @@ def service_setup_server() -> Response:
 
     :return: *Response OK*
     """
+    # retrieve the request arguments
+    args: dict[str, Any] = (dict(request.json) if request.is_json else dict(request.form)) or {}
+
     # log the request
     if __IAM_LOGGER:
-        __IAM_LOGGER.debug(msg=f"{_log_init(request=request)}; {json.dumps(obj=request.args,
-                                                                           ensure_ascii=False)}")
-    # retrieve the arguments
-    args: dict[str, Any] = request.json if request.is_json else request.form
-
+        __IAM_LOGGER.debug(msg=f"Request {request.method}:{request.path}; {json.dumps(obj=args,
+                                                                                      ensure_ascii=False)}")
     # setup the server
+    from .iam_pomes import iam_setup_server
     iam_setup_server(**args)
     result = Response(status=200)
 
@@ -188,10 +208,13 @@ def service_login() -> Response:
     # declare the return variable
     result: Response | None = None
 
+    # retrieve the request arguments
+    args: dict[str, Any] = dict(request.args) or {}
+
     # log the request
     if __IAM_LOGGER:
-        __IAM_LOGGER.debug(msg=_log_init(request=request))
-
+        __IAM_LOGGER.debug(msg=f"Request {request.method}:{request.path}; {json.dumps(obj=args,
+                                                                                      ensure_ascii=False)}")
     errors: list[str] = []
     with _iam_lock:
         # retrieve the IAM server
@@ -201,7 +224,7 @@ def service_login() -> Response:
         if iam_server:
             # obtain the login URL
             login_url: str = iam_login(iam_server=iam_server,
-                                       args=request.args,
+                                       args=args,
                                        errors=errors,
                                        logger=__IAM_LOGGER)
             if login_url:
@@ -218,7 +241,8 @@ def service_login() -> Response:
 
 
 # @flask_app.route(rule=<logout_endpoint>,  # IAM_ENDPOINT_LOGOUT
-#                  methods=["GET"])
+#                  methods=["POST"])
+@jwt_required
 def service_logout() -> Response:
     """
     Entry point for the *IAM* server's logout service.
@@ -236,10 +260,13 @@ def service_logout() -> Response:
     # declare the return variable
     result: Response | None
 
+    # retrieve the request arguments
+    args: dict[str, Any] = dict(request.args) or {}
+
     # log the request
     if __IAM_LOGGER:
-        __IAM_LOGGER.debug(msg=_log_init(request=request))
-
+        __IAM_LOGGER.debug(msg=f"Request {request.method}:{request.path}; {json.dumps(obj=args,
+                                                                                      ensure_ascii=False)}")
     errors: list[str] = []
     with _iam_lock:
         # retrieve the IAM server
@@ -249,7 +276,7 @@ def service_logout() -> Response:
         if iam_server:
             # logout the user
             iam_logout(iam_server=iam_server,
-                       args=request.args,
+                       args=args,
                        errors=errors,
                        logger=__IAM_LOGGER)
     if errors:
@@ -291,10 +318,13 @@ def service_callback() -> Response:
 
     :return: *Response* containing the reference user identification and the token, or *BAD REQUEST*
     """
+    # retrieve the request arguments
+    args: dict[str, Any] = dict(request.args) or {}
+
     # log the request
     if __IAM_LOGGER:
-        __IAM_LOGGER.debug(msg=_log_init(request=request))
-
+        __IAM_LOGGER.debug(msg=f"Request {request.method}:{request.path}; {json.dumps(obj=args,
+                                                                                      ensure_ascii=False)}")
     errors: list[str] = []
     token_data: tuple[str, str] | None = None
     with _iam_lock:
@@ -305,7 +335,7 @@ def service_callback() -> Response:
         if iam_server:
             # process the callback operation
             token_data = iam_callback(iam_server=iam_server,
-                                      args=request.args,
+                                      args=args,
                                       errors=errors,
                                       logger=__IAM_LOGGER)
     result: Response
@@ -347,10 +377,13 @@ def service_exchange() -> Response:
 
     :return: *Response* containing the reference user identification and the token, or *BAD REQUEST*
     """
+    # retrieve the request arguments
+    args: dict[str, Any] = dict(request.args) or {}
+
     # log the request
     if __IAM_LOGGER:
-        __IAM_LOGGER.debug(msg=_log_init(request=request))
-
+        __IAM_LOGGER.debug(msg=f"Request {request.method}:{request.path}; {json.dumps(obj=args,
+                                                                                      ensure_ascii=False)}")
     errors: list[str] = []
     with _iam_lock:
         # retrieve the IAM server
@@ -362,7 +395,7 @@ def service_exchange() -> Response:
         if iam_server:
             errors: list[str] = []
             token_info = iam_exchange(iam_server=iam_server,
-                                      args=request.args,
+                                      args=args,
                                       errors=errors,
                                       logger=__IAM_LOGGER)
     result: Response
@@ -412,10 +445,13 @@ def service_callback_exchange() -> Response:
     # declare the return variable
     result: Response | None = None
 
+    # retrieve the request arguments
+    args: dict[str, Any] = dict(request.args) or {}
+
     # log the request
     if __IAM_LOGGER:
-        __IAM_LOGGER.debug(msg=_log_init(request=request))
-
+        __IAM_LOGGER.debug(msg=f"Request {request.method}:{request.path}; {json.dumps(obj=args,
+                                                                                      ensure_ascii=False)}")
     errors: list[str] = []
     with _iam_lock:
         # retrieve the IAM server
@@ -424,7 +460,7 @@ def service_callback_exchange() -> Response:
                                                           logger=__IAM_LOGGER)
         # obtain the login URL
         token_info: tuple[str,  str] = iam_callback(iam_server=iam_server,
-                                                    args=request.args,
+                                                    args=args,
                                                     errors=errors,
                                                     logger=__IAM_LOGGER)
         if token_info:
@@ -474,13 +510,13 @@ def service_get_token() -> Response:
 
     :return: *Response* containing the user reference identification and the token, or *BAD REQUEST*
     """
+    # retrieve the request arguments
+    args: dict[str, Any] = dict(request.args) or {}
+
     # log the request
     if __IAM_LOGGER:
-        __IAM_LOGGER.debug(msg=_log_init(request=request))
-
-    # obtain the request arguments
-    args: dict[str, Any] = request.args
-
+        __IAM_LOGGER.debug(msg=f"Request {request.method}:{request.path}; {json.dumps(obj=args,
+                                                                                      ensure_ascii=False)}")
     errors: list[str] = []
     token_info: dict[str, str] | None = None
     with _iam_lock:
@@ -508,14 +544,55 @@ def service_get_token() -> Response:
     return result
 
 
-def _log_init(request: Request) -> str:
+# @flask_app.route(rule=<token_endpoint>,  # IAM_ENDPOINT_USERINFO
+#                  methods=["GET"])
+@jwt_required
+def service_userinfo() -> Response:
     """
-    Build the messages for logging the request entry.
+    Entry point for retrieving user data from the *IAM* server.
 
-    :param request: the Request object
-    :return: the log message
+    When registering this endpoint, the name used in *Flask*'s *endpoint* parameter must be prefixed with
+    the name of the *IAM* server in charge of handling this service. This prefixing is done automatically
+    if the endpoint is established with a call to *iam_setup_endpoints()*.
+
+    The user is identified by the attribute *user-id* or "login", provided as a request parameter.
+
+    On success, the returned *Response* will contain a JSON with information kept by *iam_server* about *user_id*.
+
+    :return: *Response* containing user data, or *BAD REQUEST*
     """
+    # retrieve the request arguments
+    args: dict[str, Any] = dict(request.args) or {}
 
-    params: str = json.dumps(obj=request.args,
-                             ensure_ascii=False)
-    return f"Request {request.method}:{request.path}, params {params}"
+    # log the request
+    if __IAM_LOGGER:
+        __IAM_LOGGER.debug(msg=f"Request {request.method}:{request.path}; {json.dumps(obj=args,
+                                                                                      ensure_ascii=False)}")
+    # retrieve the bearer token
+    args["access-token"] = __get_bearer_token(request=request)
+
+    errors: list[str] = []
+    user_info: dict[str, str] | None = None
+    with _iam_lock:
+        # retrieve the IAM server
+        iam_server: IamServer = _iam_server_from_endpoint(endpoint=request.endpoint,
+                                                          errors=errors,
+                                                          logger=__IAM_LOGGER)
+        if iam_server:
+            # retrieve the token
+            errors: list[str] = []
+            user_info = iam_userinfo(iam_server=iam_server,
+                                     args=args,
+                                     errors=errors,
+                                     logger=__IAM_LOGGER)
+    result: Response
+    if errors:
+        result = Response(response="; ".join(errors),
+                          status=400)
+    else:
+        result = jsonify(user_info)
+    if __IAM_LOGGER:
+        # log the response
+        __IAM_LOGGER.debug(msg=f"Response {result}; {json.dumps(obj=user_info,
+                                                                ensure_ascii=False)}")
+    return result

{pypomes_iam-0.7.9 → pypomes_iam-0.8.5}/src/pypomes_iam/provider_pomes.py

@@ -8,8 +8,8 @@ from flask import Flask, Response, request, jsonify
 from logging import Logger
 from pypomes_core import (
     APP_PREFIX, TZ_LOCAL,
-    env_get_str, env_get_strs, env_get_obj,
-    exc_format, func_get_defaulted_params
+    env_get_str, env_get_strs, env_get_obj, exc_format,
+    func_capture_params, func_defaulted_params
 )
 from threading import Lock
 from typing import Any, Final
@@ -28,7 +28,7 @@ class ProviderParam(StrEnum):
     ACCESS_EXPIRATION = "access-expiration"
     REFRESH_TOKEN = "refresh-token"
     REFRESH_EXPIRATION = "refresh-expiration"
-    URL_AUTH = "url-auth"
+    URL_TOKEN = "url-token"
 
 
 # the logger for IAM service operations
@@ -44,7 +44,7 @@ def __get_provider_data() -> dict[str, dict[ProviderParam, Any]]:
     or dynamically with *provider_setup_server()*. Specifying configuration parameters with
     environment variables can be done by following these steps:
 
-    1. Specify *<APP_PREFIX>_IAM_PROVIDERS* with a list of names (typically, in lower-case), and the data set
+    1. Specify *<APP_PREFIX>_AUTH_PROVIDERS* with a list of names (typically, in lower-case), and the data set
        below for each providers, where *<JWT>* stands for the provider's name in upper-case:
           - *<APP_PREFIX>_<JWT>_BODY_DATA*            (optional)
           - *<APP_PREFIX>_<JWT>_CUSTOM_AUTH*          (optional)
@@ -53,26 +53,26 @@ def __get_provider_data() -> dict[str, dict[ProviderParam, Any]]:
           - *<APP_PREFIX>_<JWT>_USER_SECRET*          (required)
           - *<APP_PREFIX>_<JWT>_URL_TOKEN*            (required)
 
-    2. The special environment variable *<APP_PREFIX>_IAM_PROVIDER_ENDPOINT* identifies the endpoint from which
-       to obtain JWT tokens. It is not part of the *JWT* providers' setup, but is meant to be used
-       by function *provider_setup_endpoint()*, wherein the value in that variable would represent the
-       default value for its parameter.
+    2. The special environment variable *<APP_PREFIX>_PROVIDER_ENDPOINT_TOKEN* identifies the endpoint
+       from which to obtain JWT tokens. It is not part of the *JWT* providers' setup, but is meant to be
+       used by function *provider_setup_endpoint()*, wherein the value in that variable would represent
+       the default value for its parameter.
 
     :return: the configuration data for the select *JWT* providers.
     """
     # initialize the return variable
     result: dict[str, dict[ProviderParam, Any]] = {}
 
-    servers: list[str] = env_get_strs(key=f"{APP_PREFIX}_IAM_PROVIDERS") or []
+    servers: list[str] = env_get_strs(key=f"{APP_PREFIX}_AUTH_PROVIDERS") or []
     for server in servers:
         prefix = server.upper()
         result[server] = {
+            ProviderParam.USER_ID: env_get_str(key=f"{APP_PREFIX}_{prefix}_USER_ID"),
+            ProviderParam.USER_SECRET: env_get_str(key=f"{APP_PREFIX}_{prefix}_USER_SECRET"),
             ProviderParam.BODY_DATA: env_get_obj(key=f"{APP_PREFIX}_{prefix}_BODY_DATA"),
             ProviderParam.CUSTOM_AUTH: env_get_strs(key=f"{APP_PREFIX}_{prefix}_CUSTOM_AUTH"),
             ProviderParam.HEADER_DATA: env_get_obj(key=f"{APP_PREFIX}_{prefix}_HEADER_DATA"),
-            ProviderParam.USER_ID: env_get_str(key=f"{APP_PREFIX}_{prefix}_USER_ID"),
-            ProviderParam.USER_SECRET: env_get_str(key=f"{APP_PREFIX}_{prefix}_USER_SECRET"),
-            ProviderParam.URL_AUTH: env_get_str(key=f"{APP_PREFIX}_{prefix}_URL_AUTH"),
+            ProviderParam.URL_TOKEN: env_get_str(key=f"{APP_PREFIX}_{prefix}_URL_TOKEN"),
             ProviderParam.ACCESS_TOKEN: None,
             ProviderParam.ACCESS_EXPIRATION: 0,
             ProviderParam.REFRESH_TOKEN: None,
@@ -85,12 +85,13 @@ def __get_provider_data() -> dict[str, dict[ProviderParam, Any]]:
 # structure:
 # {
 #    <provider-id>: {
-#      "url": <strl>,
-#      "user": <str>,
-#      "pwd": <str>,
+#      "body-data": <dict[str, str],
 #      "custom-auth": <tuple[str, str]>,
 #      "headers-data": <dict[str, str]>,
-#      "body-data": <dict[str, str],
+#      "user-id": <str>,
+#      "user-secret": <str>,
+#      "url-token": <strl>,
+#      # dinamically set
 #      "access-token": <str>,
 #      "access-expiration": <timestamp>,
 #      "refresh-token": <str>,
@@ -104,13 +105,14 @@ _provider_registry: Final[dict[str, dict[str, Any]]] = __get_provider_data()
 _provider_lock: Final[Lock] = Lock()
 
 
+@func_capture_params
 def provider_setup_server(provider_id: str,
                           user_id: str = None,
                           user_secret: str = None,
                           custom_auth: tuple[str, str] = None,
                           header_data: dict[str, str] = None,
                           body_data: dict[str, str] = None,
-                          url_auth: str = None) -> None:
+                          url_token: str = None) -> None:
     """
     Setup the *JWT* provider *provider_id*.
 
@@ -121,9 +123,10 @@ def provider_setup_server(provider_id: str,
     as key-value pairs in the body of the request. Otherwise, the external provider *provider_id* uses the standard
     HTTP Basic Authorization scheme, wherein the credentials are B64-encoded and sent in the request headers.
 
-    Optional constant key-value pairs (such as ['Content-Type', 'application/x-www-form-urlencoded']), to be
-    added to the request headers, may be specified in *headers_data*. Likewise, optional constant key-value pairs
-    (such as ['grant_type', 'client_credentials']), to be added to the request body, may be specified in *body_data*.
+    Optional constant key-value pairs (such as *['Content-Type', 'application/x-www-form-urlencoded']*),
+    to be added to the request headers, may be specified in *headers_data*. Likewise, optional constant
+    key-value pairs (such as *['grant_type', 'client_credentials']*), to be added to the request body,
+    may be specified in *body_data*.
 
     :param provider_id: the provider's identification
     :param user_id: the basic authorization user
@@ -131,12 +134,12 @@ def provider_setup_server(provider_id: str,
     :param custom_auth: optional key names for sending the credentials as key-value pairs in the body of the request
     :param header_data: optional key-value pairs to be added to the request headers
     :param body_data: optional key-value pairs to be added to the request body
-    :param url_auth: the url to request *JWT* tokens with
+    :param url_token: the url to request *JWT* tokens with
     """
     global _provider_registry
 
     # obtain the defaulted parameters
-    defaulted_params: list[str] = func_get_defaulted_params()
+    defaulted_params: list[str] = func_defaulted_params.get()
 
     # read from the environment variables
     prefix: str = provider_id.upper()
@@ -150,17 +153,17 @@ def provider_setup_server(provider_id: str,
         header_data = env_get_obj(key=f"{APP_PREFIX}_{prefix}_HEADER_DATA")
     if "body_data" in defaulted_params:
         body_data = env_get_obj(key=f"{APP_PREFIX}_{prefix}_BODY_DATA")
-    if "url_auth" in defaulted_params:
-        url_auth = env_get_str(key=f"{APP_PREFIX}_{prefix}_URL_AUTH")
+    if "url_token" in defaulted_params:
+        url_token = env_get_str(key=f"{APP_PREFIX}_{prefix}_URL_TOKEN")
 
     with _provider_lock:
         _provider_registry[provider_id] = {
-            ProviderParam.URL_AUTH: url_auth,
-            ProviderParam.USER_ID: user_id,
-            ProviderParam.USER_SECRET: user_secret,
+            ProviderParam.BODY_DATA: body_data,
             ProviderParam.CUSTOM_AUTH: custom_auth,
             ProviderParam.HEADER_DATA: header_data,
-            ProviderParam.BODY_DATA: body_data,
+            ProviderParam.USER_ID: user_id,
+            ProviderParam.USER_SECRET: user_secret,
+            ProviderParam.URL_TOKEN: url_token,
             # dynamically set
             ProviderParam.ACCESS_TOKEN: None,
             ProviderParam.ACCESS_EXPIRATION: 0,
@@ -169,6 +172,7 @@ def provider_setup_server(provider_id: str,
         }
 
 
+@func_capture_params
 def provider_setup_endpoint(flask_app: Flask,
                             provider_endpoint: str = None) -> None:
     """
@@ -181,16 +185,16 @@ def provider_setup_endpoint(flask_app: Flask,
     :param provider_endpoint: endpoint for requenting tokens to provider
     """
     # obtain the defaulted parameters
-    defaulted_params: list[str] = func_get_defaulted_params()
+    defaulted_params: list[str] = func_defaulted_params.get()
 
     # read from the environment variable
     if "provider_endpoint" in defaulted_params:
-        provider_endpoint = env_get_str(key=f"{APP_PREFIX}_IAM_PROVIDER_ENDPOINT")
+        provider_endpoint = env_get_str(key=f"{APP_PREFIX}_PROVIDER_ENDPOINT_TOKEN")
 
     # establish the endpoints
     if provider_endpoint:
         flask_app.add_url_rule(rule=provider_endpoint,
-                               endpoint=f"jwt-callback",
+                               endpoint=f"provider-get-token",
                                view_func=service_get_token,
                                methods=["GET"])
 
@@ -220,14 +224,16 @@ def service_get_token() -> Response:
 
     :return: *Response* containing the JWT token, or *BAD REQUEST*
     """
+    # retrieve the request arguments
+    args: dict[str, Any] = dict(request.args) or {}
+
     # log the request
     if __JWT_LOGGER:
-        params: str = json.dumps(obj=request.args,
-                                 ensure_ascii=False)
-        __JWT_LOGGER.debug(msg=f"Request {request.method}:{request.path}, params {params}")
+        __JWT_LOGGER.debug(msg=f"Request {request.method}:{request.path}; {json.dumps(obj=args,
+                                                                                      ensure_ascii=False)}")
 
     # obtain the provider JWT
-    provider_id: str = request.args.get("jwt-provider")
+    provider_id: str = args.get("jwt-provider")
 
     # retrieve the token
     token: str | None = None
@@ -282,7 +288,7 @@ def provider_get_token(provider_id: str,
                 # access token has expired
                 header_data: dict[str, str] | None = None
                 body_data: dict[str, str] | None = None
-                url: str = provider.get(ProviderParam.URL_AUTH)
+                url: str = provider.get(ProviderParam.URL_TOKEN)
                 refresh_token: str = provider.get(ProviderParam.REFRESH_TOKEN)
                 if refresh_token:
                     # refresh token exists
@@ -296,7 +302,7 @@ def provider_get_token(provider_id: str,
                             "grant_type": "refresh_token",
                             "refresh_token": refresh_token
                         }
-                if not body_data:
+                if not header_data:
                     # refresh token does not exist or has expired
                     user: str = provider.get(ProviderParam.USER_ID)
                     pwd: str = provider.get(ProviderParam.USER_SECRET)