pypomes-iam 0.8.5__py3-none-any.whl → 0.8.9__py3-none-any.whl

pypomes_iam/__init__.py

@@ -3,7 +3,7 @@ from .iam_actions import (
     iam_login, iam_logout, iam_get_token, iam_userinfo
 )
 from .iam_common import (
-    IamServer, IamParam
+    IamServer, ServerParam
 )
 from .iam_pomes import (
     iam_setup_server, iam_setup_endpoints
@@ -15,8 +15,9 @@ from .iam_services import (
     service_exchange, service_callback_exchange
 )
 from .provider_pomes import (
+    IamProvider, ProviderParam,
     service_get_token, provider_get_token,
-    provider_setup_endpoint, provider_setup_logger, provider_setup_server
+    iam_setup_provider, provider_setup_endpoint, provider_setup_logger
 )
 from .token_pomes import (
     token_get_claims, token_get_values, token_validate
@@ -27,7 +28,7 @@ __all__ = [
     "iam_callback", "iam_exchange",
     "iam_login", "iam_logout", "iam_get_token", "iam_userinfo",
     # iam_commons
-    "IamServer", "IamParam",
+    "IamServer", "ServerParam",
     # iam_pomes
     "iam_setup_server", "iam_setup_endpoints",
     # iam_services
@@ -36,8 +37,9 @@ __all__ = [
     "service_get_token", "service_userinfo", "service_callback",
     "service_exchange", "service_callback_exchange",
     # provider_pomes
-    "provider_setup_server", "provider_get_token",
-    "provider_setup_endpoint", "provider_setup_logger", "provider_setup_server",
+    "IamProvider", "ProviderParam",
+    "service_get_token", "provider_get_token",
+    "iam_setup_provider", "provider_setup_endpoint", "provider_setup_logger",
     # token_pomes
     "token_get_claims", "token_get_values", "token_validate"
 ]

pypomes_iam/iam_actions.py

@@ -9,7 +9,7 @@ from pypomes_core import TZ_LOCAL, exc_format
 from typing import Any
 
 from .iam_common import (
-    IamServer, IamParam, UserParam, _iam_lock,
+    IamServer, ServerParam, UserParam, _iam_lock,
     _get_iam_users, _get_iam_registry, _get_public_key,
     _get_login_timeout, _get_user_data, _iam_server_from_issuer
 )
@@ -56,7 +56,7 @@ def iam_login(iam_server: IamServer,
     # ('oauth_state' is a randomly-generated string, thus 'user_data' is always a new entry)
     oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
     if target_idp:
-        oauth_state += f"#idp={target_idp}"
+        oauth_state += f"_{target_idp}"
 
     with _iam_lock:
         # retrieve the user data from the IAM server's registry
@@ -80,10 +80,10 @@ def iam_login(iam_server: IamServer,
                                                              errors=errors,
                                                              logger=logger)
                 if registry:
-                    base_url: str = f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+                    base_url: str = f"{registry[ServerParam.URL_BASE]}/realms/{registry[ServerParam.CLIENT_REALM]}"
                     result = (f"{base_url}/protocol/openid-connect/auth"
                               f"?response_type=code&scope=openid"
-                              f"&client_id={registry[IamParam.CLIENT_ID]}"
+                              f"&client_id={registry[ServerParam.CLIENT_ID]}"
                               f"&redirect_uri={redirect_uri}"
                               f"&state={oauth_state}")
                     if target_idp:
@@ -118,7 +118,7 @@ def iam_logout(iam_server: IamServer,
             registry: dict[str, Any] = _get_iam_registry(iam_server,
                                                          errors=errors,
                                                          logger=logger)
-            users: dict[str, dict[str, Any]] = registry[IamParam.USERS] if registry else {}
+            users: dict[str, dict[str, Any]] = registry[ServerParam.USERS] if registry else {}
             user_data: dict[str, Any] = users.get(user_id)
             if user_data:
                 # request the IAM server to logout 'client_id'
@@ -126,13 +126,13 @@ def iam_logout(iam_server: IamServer,
                                                          errors=errors,
                                                          logger=logger)
                 if client_secret:
-                    url: str = (f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+                    url: str = (f"{registry[ServerParam.URL_BASE]}/realms/{registry[ServerParam.CLIENT_REALM]}"
                                 "/protocol/openid-connect/logout")
                     header_data: dict[str, str] = {
                         "Content-Type": "application/x-www-form-urlencoded"
                     }
                     body_data: dict[str, Any] = {
-                        "client_id": registry[IamParam.CLIENT_ID],
+                        "client_id": registry[ServerParam.CLIENT_ID],
                         "client_secret": client_secret,
                         "refresh_token": user_data[UserParam.REFRESH_TOKEN]
                     }
@@ -322,9 +322,9 @@ def iam_callback(iam_server: IamServer,
             if int(datetime.now(tz=TZ_LOCAL).timestamp()) > expiration:
                 errors.append("Operation timeout")
             else:
-                pos: int = oauth_state.rfind("#idp=")
-                target_idp: str = oauth_state[pos+4:] if pos > 0 else None
-                target_iam = IamServer(target_idp) if target_idp in IamServer else None
+                pos: int = oauth_state.rfind("_")
+                target_idp: str = oauth_state[pos+1:] if pos > 0 else None
+                target_iam: IamServer = IamServer(target_idp) if target_idp in IamServer else None
                 target_data: dict[str, Any] = user_data.copy() if target_iam else None
                 users.pop(oauth_state)
                 code: str = args.get("code")
@@ -357,8 +357,8 @@ def iam_callback(iam_server: IamServer,
                         registry: dict[str, Any] = _get_iam_registry(iam_server,
                                                                      errors=errors,
                                                                      logger=logger)
-                        url: str = (f"{registry[IamParam.URL_BASE]}/realms/"
-                                    f"{registry[IamParam.CLIENT_REALM]}/broker/{target_idp}/token")
+                        url: str = (f"{registry[ServerParam.URL_BASE]}/realms/"
+                                    f"{registry[ServerParam.CLIENT_REALM]}/broker/{target_idp}/token")
                         header_data: dict[str, str] = {
                             "Authorization": f"Bearer {result[1]}",
                             "Content-Type": "application/json"
@@ -426,7 +426,6 @@ def iam_exchange(iam_server: IamServer,
                                                 errors=errors,
                                                 logger=logger)
     if not errors:
-        # HAZARD: only 'IAM_KEYCLOAK' is currently supported
         with _iam_lock:
             # retrieve the IAM server's registry
             registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
@@ -452,7 +451,7 @@ def iam_exchange(iam_server: IamServer,
                         "subject_token": token,
                         "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
                         "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
-                        "audience": registry[IamParam.CLIENT_ID],
+                        "audience": registry[ServerParam.CLIENT_ID],
                         "subject_issuer": token_issuer
                     }
                     now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
@@ -508,9 +507,9 @@ def iam_userinfo(iam_server: IamServer,
             registry: dict[str, Any] = _get_iam_registry(iam_server,
                                                          errors=errors,
                                                          logger=logger)
-            user_data: dict[str, Any] = registry[IamParam.USERS].get(user_id)
+            user_data: dict[str, Any] = registry[ServerParam.USERS].get(user_id)
             if user_data:
-                url: str = (f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+                url: str = (f"{registry[ServerParam.URL_BASE]}/realms/{registry[ServerParam.CLIENT_REALM]}"
                             "/protocol/openid-connect/userinfo")
                 header_data: dict[str, str] = {
                     "Authorization": f"Bearer {args.get('access-token')}"
@@ -566,7 +565,7 @@ def __assert_link(iam_server: IamServer,
         if logger:
             logger.debug(msg="Obtaining internal identification "
                              f"for user '{user_id}' in IAM server '{iam_server}'")
-        url: str = f"{registry[IamParam.URL_BASE]}/admin/realms/{registry[IamParam.CLIENT_REALM]}/users"
+        url: str = f"{registry[ServerParam.URL_BASE]}/admin/realms/{registry[ServerParam.CLIENT_REALM]}/users"
         header_data: dict[str, str] = {
             "Authorization": f"Bearer {admin_token}",
             "Content-Type": "application/json"
@@ -587,8 +586,8 @@ def __assert_link(iam_server: IamServer,
             if logger:
                 logger.debug(msg="Obtaining the providers federated in IAM server "
                                  f"'{iam_server}', for internal identification '{internal_id}'")
-            url = (f"{registry[IamParam.URL_BASE]}/admin/realms/"
-                   f"{registry[IamParam.CLIENT_REALM]}/users/{internal_id}/federated-identity")
+            url = (f"{registry[ServerParam.URL_BASE]}/admin/realms/"
+                   f"{registry[ServerParam.CLIENT_REALM]}/users/{internal_id}/federated-identity")
             providers: list[dict[str, Any]] = __get_for_data(url=url,
                                                              header_data=header_data,
                                                              params=None,
@@ -651,14 +650,14 @@ def __get_administrative_token(iam_server: IamServer,
                                                  errors=errors,
                                                  logger=logger)
     if registry:
-        if registry[IamParam.ADMIN_ID] and registry[IamParam.ADMIN_SECRET]:
+        if registry[ServerParam.ADMIN_ID] and registry[ServerParam.ADMIN_SECRET]:
             header_data: dict[str, str] = {
                 "Content-Type": "application/x-www-form-urlencoded"
             }
             body_data: dict[str, str] = {
                 "grant_type": "password",
-                "username": registry[IamParam.ADMIN_ID],
-                "password": registry[IamParam.ADMIN_SECRET],
+                "username": registry[ServerParam.ADMIN_ID],
+                "password": registry[ServerParam.ADMIN_SECRET],
                 "client_id": "admin-cli"
             }
             token_data: dict[str, Any] = __post_for_token(iam_server=iam_server,
@@ -674,7 +673,7 @@ def __get_administrative_token(iam_server: IamServer,
 
         elif logger or isinstance(errors, list):
             msg: str = ("Credentials for administrator of realm "
-                        f"'{registry[IamParam.CLIENT_REALM]}' "
+                        f"'{registry[ServerParam.CLIENT_REALM]}' "
                         f"at IAM server '{iam_server}' not provided")
             if logger:
                 logger.error(msg=msg)
@@ -710,7 +709,7 @@ def __get_client_secret(iam_server: IamServer,
     registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
                                                  errors=errors,
                                                  logger=logger)
-    result: str = registry[IamParam.CLIENT_SECRET] if registry else None
+    result: str = registry[ServerParam.CLIENT_SECRET] if registry else None
 
     if not result and not errors:
         # obtain a token with administrative rights
@@ -718,13 +717,13 @@ def __get_client_secret(iam_server: IamServer,
                                                 errors=errors,
                                                 logger=logger)
         if token:
-            realm: str = registry[IamParam.CLIENT_REALM]
-            client_id: str = registry[IamParam.CLIENT_ID]
+            realm: str = registry[ServerParam.CLIENT_REALM]
+            client_id: str = registry[ServerParam.CLIENT_ID]
             if logger:
                 logger.debug(msg=f"Obtaining the UUID for client '{client_id}', "
                                  f"in realm '{realm}' at IAM server '{iam_server}'")
             # obtain the client UUID
-            url: str = f"{registry[IamParam.URL_BASE]}/realms/{realm}/clients"
+            url: str = f"{registry[ServerParam.URL_BASE]}/realms/{realm}/clients"
             header_data: dict[str, str] = {
                 "Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"
@@ -752,7 +751,7 @@ def __get_client_secret(iam_server: IamServer,
                 if reply:
                     # store the client's secret password and return it
                     result = reply["value"]
-                    registry[IamParam.CLIENT_ID] = result
+                    registry[ServerParam.CLIENT_ID] = result
     return result
 
 
@@ -916,11 +915,11 @@ def __post_for_token(iam_server: IamServer,
         if registry:
             # complete the data to send in body of request
             if body_data["grant_type"] != "password":
-                body_data["client_id"] = registry[IamParam.CLIENT_ID]
+                body_data["client_id"] = registry[ServerParam.CLIENT_ID]
 
             # build the URL
-            url: str = (f"{registry[IamParam.URL_BASE]}/realms/"
-                        f"{registry[IamParam.CLIENT_REALM]}/protocol/openid-connect/token")
+            url: str = (f"{registry[ServerParam.URL_BASE]}/realms/"
+                        f"{registry[ServerParam.CLIENT_REALM]}/protocol/openid-connect/token")
             #  'client_secret' data must not be shown in log
             msg: str = f"POST {url}, {json.dumps(obj=body_data,
                                                  ensure_ascii=False)}"
@@ -1021,9 +1020,9 @@ def __validate_and_store(iam_server: IamServer,
             public_key: str = _get_public_key(iam_server=iam_server,
                                               errors=errors,
                                               logger=logger)
-            recipient_attr = registry[IamParam.RECIPIENT_ATTR]
+            recipient_attr = registry[ServerParam.RECIPIENT_ATTR]
             login_id = user_data.pop("login-id", None)
-            base_url: str = f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+            base_url: str = f"{registry[ServerParam.URL_BASE]}/realms/{registry[ServerParam.CLIENT_REALM]}"
             claims: dict[str, dict[str, Any]] = token_validate(token=token,
                                                                issuer=base_url,
                                                                recipient_id=login_id,

pypomes_iam/iam_common.py

@@ -1,26 +1,23 @@
 import requests
 import sys
 from datetime import datetime
-from enum import StrEnum, auto
+from enum import StrEnum
 from logging import Logger
 from pypomes_core import (
     APP_PREFIX, TZ_LOCAL, exc_format,
-    env_get_str,  env_get_int, env_get_enums
+    env_get_int, env_get_str, env_get_strs
 )
 from pypomes_crypto import crypto_jwk_convert
 from threading import RLock
 from typing import Any, Final
 
-
-class IamServer(StrEnum):
-    """
-    Supported IAM servers.
-    """
-    JUSBR = auto()
-    KEYCLOAK = auto()
+_members: dict[str, str] = {key.upper(): key.lower() for key in
+                            env_get_strs(key=f"{APP_PREFIX}_AUTH_SERVERS")}
+IamServer: type[StrEnum] = StrEnum("IamServer", _members)
+del _members
 
 
-class IamParam(StrEnum):
+class ServerParam(StrEnum):
     """
     Parameters for configuring *IAM* servers.
     """
@@ -60,7 +57,7 @@ class UserParam(StrEnum):
     REDIRECT_URI = "redirect-uri"
 
 
-def __get_iam_data() -> dict[IamServer, dict[IamParam, Any]]:
+def __get_iam_data() -> dict[IamServer, dict[ServerParam, Any]]:
     """
     Obtain the configuration data for select *IAM* servers.
 
@@ -69,8 +66,8 @@ def __get_iam_data() -> dict[IamServer, dict[IamParam, Any]]:
     variables can be done by following these steps:
 
     1. Specify *<APP_PREFIX>_AUTH_SERVERS* with a list of names among the values found in *IamServer* class
-       (currently, *jusbr* and *keycloak* are supported), and the data set below for each server, where
-       *<IAM>* stands for the server's name as presented in *IamServer* class:
+       and the data set below for each server, where *<IAM>* stands for the server's name as presented in
+       *IamServer* class:
           - *<APP_PREFIX>_<IAM>_ADMIN_ID*           (optional, required if administrative duties are performed)
           - *<APP_PREFIX>_<IAM>_ADMIN_PWD*          (optional, required if administrative duties are performed)
           - *<APP_PREFIX>_<IAM>_CLIENT_ID*          (required)
@@ -96,26 +93,24 @@ def __get_iam_data() -> dict[IamServer, dict[IamParam, Any]]:
     :return: the configuration data for the select *IAM* servers.
     """
     # initialize the return variable
-    result: dict[IamServer, dict[IamParam, Any]] = {}
+    result: dict[IamServer, dict[ServerParam, Any]] = {}
 
-    servers: list[IamServer] = env_get_enums(key=f"{APP_PREFIX}_AUTH_SERVERS",
-                                             enum_class=IamServer) or []
-    for server in servers:
+    for server in IamServer:
         prefix = server.name
         result[server] = {
-            IamParam.ADMIN_ID: env_get_str(key=f"{APP_PREFIX}_{prefix}_ADMIN_ID"),
-            IamParam.ADMIN_SECRET: env_get_str(key=f"{APP_PREFIX}_{prefix}_ADMIN_SECRET"),
-            IamParam.CLIENT_ID: env_get_str(key=f"{APP_PREFIX}_{prefix}_CLIENT_ID"),
-            IamParam.CLIENT_REALM: env_get_str(key=f"{APP_PREFIX}_{prefix}_CLIENT_REALM"),
-            IamParam.CLIENT_SECRET: env_get_str(key=f"{APP_PREFIX}_{prefix}_CLIENT_SECRET"),
-            IamParam.LOGIN_TIMEOUT: env_get_str(key=f"{APP_PREFIX}_{prefix}_LOGIN_TIMEOUT"),
-            IamParam.PK_LIFETIME: env_get_int(key=f"{APP_PREFIX}_{prefix}_PK_LIFETIME"),
-            IamParam.RECIPIENT_ATTR: env_get_str(key=f"{APP_PREFIX}_{prefix}_RECIPIENT_ATTR"),
-            IamParam.URL_BASE: env_get_str(key=f"{APP_PREFIX}_{prefix}_URL_AUTH_BASE"),
+            ServerParam.ADMIN_ID: env_get_str(key=f"{APP_PREFIX}_{prefix}_ADMIN_ID"),
+            ServerParam.ADMIN_SECRET: env_get_str(key=f"{APP_PREFIX}_{prefix}_ADMIN_SECRET"),
+            ServerParam.CLIENT_ID: env_get_str(key=f"{APP_PREFIX}_{prefix}_CLIENT_ID"),
+            ServerParam.CLIENT_REALM: env_get_str(key=f"{APP_PREFIX}_{prefix}_CLIENT_REALM"),
+            ServerParam.CLIENT_SECRET: env_get_str(key=f"{APP_PREFIX}_{prefix}_CLIENT_SECRET"),
+            ServerParam.LOGIN_TIMEOUT: env_get_str(key=f"{APP_PREFIX}_{prefix}_LOGIN_TIMEOUT"),
+            ServerParam.PK_LIFETIME: env_get_int(key=f"{APP_PREFIX}_{prefix}_PK_LIFETIME"),
+            ServerParam.RECIPIENT_ATTR: env_get_str(key=f"{APP_PREFIX}_{prefix}_RECIPIENT_ATTR"),
+            ServerParam.URL_BASE: env_get_str(key=f"{APP_PREFIX}_{prefix}_URL_BASE"),
             # dynamically set
-            IamParam.PK_EXPIRATION: 0,
-            IamParam.PUBLIC_KEY: None,
-            IamParam.USERS: {}
+            ServerParam.PK_EXPIRATION: 0,
+            ServerParam.PUBLIC_KEY: None,
+            ServerParam.USERS: {}
         }
 
     return result
@@ -154,7 +149,7 @@ def __get_iam_data() -> dict[IamServer, dict[IamParam, Any]]:
 #   },
 #   ...
 # }
-_IAM_SERVERS: Final[dict[IamServer, dict[IamParam, Any]]] = __get_iam_data()
+_IAM_SERVERS: Final[dict[IamServer, dict[ServerParam, Any]]] = __get_iam_data()
 
 
 # the lock protecting the data in '_<IAM>_SERVERS'
@@ -174,7 +169,7 @@ def _iam_server_from_endpoint(endpoint: str,
     :return: the corresponding *IAM* server, or *None* if one could not be obtained
     """
     # initialize the return variable
-    result: IamServer | None = None
+    result: type(IamServer) | None = None
 
     for iam_server in _IAM_SERVERS:
         if endpoint.startswith(iam_server):
@@ -203,12 +198,12 @@ def _iam_server_from_issuer(issuer: str,
     :return: the corresponding *IAM* server, or *None* if one could not be obtained
     """
     # initialize the return variable
-    result: IamServer | None = None
+    result: type(IamServer) | None = None
 
     for iam_server, registry in _IAM_SERVERS.items():
-        base_url: str = f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+        base_url: str = f"{registry[ServerParam.URL_BASE]}/realms/{registry[ServerParam.CLIENT_REALM]}"
         if base_url == issuer:
-            result = IamServer(iam_server)
+            result = type(IamServer)(iam_server)
             break
 
     if not result:
@@ -269,9 +264,9 @@ def _get_public_key(iam_server: IamServer,
                                                  logger=logger)
     if registry:
         now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-        if now > registry[IamParam.PK_EXPIRATION]:
+        if now > registry[ServerParam.PK_EXPIRATION]:
             # obtain the JWKS (JSON Web Key Set) from the token issuer
-            base_url: str = f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+            base_url: str = f"{registry[ServerParam.URL_BASE]}/realms/{registry[ServerParam.CLIENT_REALM]}"
             url: str = f"{base_url}/protocol/openid-connect/certs"
             if logger:
                 logger.debug(msg=f"Obtaining signature public key used by IAM server '{iam_server}'")
@@ -293,9 +288,9 @@ def _get_public_key(iam_server: IamServer,
                         # convert from 'JWK' to 'PEM' and save it for further use
                         result = crypto_jwk_convert(jwk=jwk,
                                                     fmt="PEM")
-                        registry[IamParam.PUBLIC_KEY] = result
-                        lifetime: int = registry[IamParam.PK_LIFETIME] or 0
-                        registry[IamParam.PK_EXPIRATION] = now + lifetime if lifetime else sys.maxsize
+                        registry[ServerParam.PUBLIC_KEY] = result
+                        lifetime: int = registry[ServerParam.PK_LIFETIME] or 0
+                        registry[ServerParam.PK_EXPIRATION] = now + lifetime if lifetime else sys.maxsize
                         if logger:
                             logger.debug("Public key obtained and saved")
                     else:
@@ -320,7 +315,7 @@ def _get_public_key(iam_server: IamServer,
                 if isinstance(errors, list):
                     errors.append(msg)
         else:
-            result = registry[IamParam.PUBLIC_KEY]
+            result = registry[ServerParam.PUBLIC_KEY]
 
     return result
 
@@ -427,4 +422,4 @@ def _get_iam_users(iam_server: IamServer,
     registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
                                                  errors=errors,
                                                  logger=logger)
-    return registry[IamParam.USERS] if registry else None
+    return registry[ServerParam.USERS] if registry else None

pypomes_iam/iam_pomes.py

@@ -6,7 +6,7 @@ from pypomes_core import (
 )
 
 from .iam_common import (
-    _IAM_SERVERS, IamServer, IamParam, _iam_lock
+    _IAM_SERVERS, IamServer, ServerParam, _iam_lock
 )
 from .iam_services import (
     service_login, service_logout,
@@ -41,7 +41,7 @@ def iam_setup_server(iam_server: IamServer,
     it is not provided, but *admin_id* and *admin_secret* are, it is obtained from the *IAM* server itself
     the first time it is needed.
 
-    :param iam_server: identifies the supported *IAM* server (currently, *jusbr* or *keycloak*)
+    :param iam_server: identifies the supported *IAM* server
     :param admin_id: identifies the realm administrator
     :param admin_secret: password for the realm administrator
     :param client_id: the client's identification with the *IAM* server
@@ -70,28 +70,28 @@ def iam_setup_server(iam_server: IamServer,
     if "login_timeout" in defaulted_params:
         login_timeout = env_get_str(key=f"{APP_PREFIX}_{prefix}_LOGIN_TIMEOUT")
     if "pk_lifetime" in defaulted_params:
-        pk_lifetime = env_get_int(key=f"{APP_PREFIX}_{prefix}_PUBLIC_KEY_LIFETIME")
+        pk_lifetime = env_get_int(key=f"{APP_PREFIX}_{prefix}_PK_LIFETIME")
     if "recipient_attr" in defaulted_params:
         recipient_attr = env_get_str(key=f"{APP_PREFIX}_{prefix}_RECIPIENT_ATTR")
     if "url_base" in defaulted_params:
-        url_base = env_get_str(key=f"{APP_PREFIX}_{prefix}_URL_AUTH_BASE")
+        url_base = env_get_str(key=f"{APP_PREFIX}_{prefix}_URL_BASE")
 
-    # configure the Keycloak registry
+    # configure the IAM server's registry
     with _iam_lock:
         _IAM_SERVERS[iam_server] = {
-            IamParam.CLIENT_ID: client_id,
-            IamParam.CLIENT_REALM: client_realm,
-            IamParam.CLIENT_SECRET: client_secret,
-            IamParam.RECIPIENT_ATTR: recipient_attr,
-            IamParam.ADMIN_ID: admin_id,
-            IamParam.ADMIN_SECRET: admin_secret,
-            IamParam.LOGIN_TIMEOUT: login_timeout,
-            IamParam.PK_LIFETIME: pk_lifetime,
-            IamParam.URL_BASE: url_base,
+            ServerParam.CLIENT_ID: client_id,
+            ServerParam.CLIENT_REALM: client_realm,
+            ServerParam.CLIENT_SECRET: client_secret,
+            ServerParam.RECIPIENT_ATTR: recipient_attr,
+            ServerParam.ADMIN_ID: admin_id,
+            ServerParam.ADMIN_SECRET: admin_secret,
+            ServerParam.LOGIN_TIMEOUT: login_timeout,
+            ServerParam.PK_LIFETIME: pk_lifetime,
+            ServerParam.URL_BASE: url_base,
             # dynamic attributes
-            IamParam.PK_EXPIRATION: 0,
-            IamParam.PUBLIC_KEY: None,
-            IamParam.USERS: {}
+            ServerParam.PK_EXPIRATION: 0,
+            ServerParam.PUBLIC_KEY: None,
+            ServerParam.USERS: {}
         }
 
 
@@ -112,7 +112,7 @@ def iam_setup_endpoints(flask_app: Flask,
     environment variables.
 
     :param flask_app: the Flask application
-    :param iam_server: identifies the supported *IAM* server (currently, *jusbr* or *keycloak*)
+    :param iam_server: identifies the supported *IAM* server
     :param callback_endpoint: endpoint for the callback from the front end
     :param callback_exchange_endpoint: endpoint for the combination callback and exchange
     :param exchange_endpoint: endpoint for requesting token exchange
@@ -131,7 +131,7 @@ def iam_setup_endpoints(flask_app: Flask,
     if "callback_exchange_endpoint" in defaulted_params:
         callback_exchange_endpoint = env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_CALLBACK_EXCHANGE")
     if "exchange_endpoint" in defaulted_params:
-        callback_endpoint = env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_EXCHANGE")
+        exchange_endpoint = env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_EXCHANGE")
     if "login_endpoint" in defaulted_params:
         login_endpoint = env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_LOGIN")
     if "logout_endpoint" in defaulted_params:
@@ -146,7 +146,7 @@ def iam_setup_endpoints(flask_app: Flask,
         flask_app.add_url_rule(rule=callback_endpoint,
                                endpoint=f"{iam_server}-callback",
                                view_func=service_callback,
-                               methods=["GET"])
+                               methods=["GET", "POST"])
     if callback_exchange_endpoint:
         flask_app.add_url_rule(rule=callback_exchange_endpoint,
                                endpoint=f"{iam_server}-callback-exchange",

pypomes_iam/iam_services.py

@@ -4,7 +4,7 @@ from logging import Logger
 from typing import Any
 
 from .iam_common import (
-    IamServer, IamParam, _iam_lock,
+    IamServer, ServerParam, _iam_lock,
     _get_iam_registry, _get_public_key,
     _iam_server_from_endpoint, _iam_server_from_issuer
 )
@@ -74,7 +74,7 @@ def __request_validate(request: Request) -> Response:
                                                                      errors=None,
                                                                      logger=__IAM_LOGGER)
                         if registry:
-                            recipient_attr = registry[IamParam.RECIPIENT_ATTR]
+                            recipient_attr = registry[ServerParam.RECIPIENT_ATTR]
                     public_key = _get_public_key(iam_server=iam_server,
                                                  errors=None,
                                                  logger=__IAM_LOGGER)
@@ -137,7 +137,7 @@ def service_setup_server() -> Response:
     Entry point to setup a *IAM* server.
 
     These are the expected parameters in the request's body, in a JSON or as form data:
-        - *iam_server*: identifies the supported *IAM* server (currently, *jusbr* or *keycloak*)
+        - *iam_server*: identifies the supported *IAM* server
         - *admin_id*: identifies the realm administrator
         - *admin_secret*: password for the realm administrator
         - *client_id*: the client's identification with the *IAM* server
@@ -181,7 +181,7 @@ def service_setup_server() -> Response:
     return result
 
 
-# @flask_app.route(rule=<login_endpoint>,  # IAM_ENDPOINT_LOGIN
+# @flask_app.route(rule=<login_endpoint>,
 #                  methods=["GET"])
 def service_login() -> Response:
     """
@@ -240,7 +240,7 @@ def service_login() -> Response:
     return result
 
 
-# @flask_app.route(rule=<logout_endpoint>,  # IAM_ENDPOINT_LOGOUT
+# @flask_app.route(rule=<logout_endpoint>,
 #                  methods=["POST"])
 @jwt_required
 def service_logout() -> Response:
@@ -292,7 +292,7 @@ def service_logout() -> Response:
     return result
 
 
-# @flask_app.route(rule=<callback_endpoint>,  # IAM_ENDPOINT_CALLBACK
+# @flask_app.route(rule=<callback_endpoint>,
 #                  methods=["GET", "POST"])
 def service_callback() -> Response:
     """
@@ -352,7 +352,7 @@ def service_callback() -> Response:
     return result
 
 
-# @flask_app.route(rule=<callback_endpoint>,  # KEYCLOAK_ENDPOINT_EXCHANGE
+# @flask_app.route(rule=<callback_endpoint>,
 #                  methods=["POST"])
 def service_exchange() -> Response:
     """
@@ -490,7 +490,7 @@ def service_callback_exchange() -> Response:
     return result
 
 
-# @flask_app.route(rule=<token_endpoint>,  # IAM_ENDPOINT_TOKEN
+# @flask_app.route(rule=<token_endpoint>,
 #                  methods=["GET"])
 def service_get_token() -> Response:
     """
@@ -544,7 +544,7 @@ def service_get_token() -> Response:
     return result
 
 
-# @flask_app.route(rule=<token_endpoint>,  # IAM_ENDPOINT_USERINFO
+# @flask_app.route(rule=<token_endpoint>,
 #                  methods=["GET"])
 @jwt_required
 def service_userinfo() -> Response:

pypomes_iam/provider_pomes.py

@@ -14,6 +14,11 @@ from pypomes_core import (
 from threading import Lock
 from typing import Any, Final
 
+_members: dict[str, str] = {key.upper(): key.lower() for key in
+                            env_get_strs(key=f"{APP_PREFIX}_AUTH_PROVIDERS")}
+IamProvider: type[StrEnum] = StrEnum("IamProvider", _members)
+del _members
+
 
 class ProviderParam(StrEnum):
     """
@@ -36,37 +41,36 @@ class ProviderParam(StrEnum):
 __JWT_LOGGER: Logger | None = None
 
 
-def __get_provider_data() -> dict[str, dict[ProviderParam, Any]]:
+def __get_provider_data() -> dict[IamProvider, dict[ProviderParam, Any]]:
     """
-    Obtain the configuration data for select *JWT* providers.
+    Obtain the configuration data for select *IAM* providers.
 
-    The configuration parameters for the JWT providers are specified with environment variables,
+    The configuration parameters for the *IAM* providers are specified with environment variables,
     or dynamically with *provider_setup_server()*. Specifying configuration parameters with
     environment variables can be done by following these steps:
 
     1. Specify *<APP_PREFIX>_AUTH_PROVIDERS* with a list of names (typically, in lower-case), and the data set
-       below for each providers, where *<JWT>* stands for the provider's name in upper-case:
-          - *<APP_PREFIX>_<JWT>_BODY_DATA*            (optional)
-          - *<APP_PREFIX>_<JWT>_CUSTOM_AUTH*          (optional)
-          - *<APP_PREFIX>_<JWT>_HEADER_DATA*          (optional)
-          - *<APP_PREFIX>_<JWT>_USER_ID*              (required)
-          - *<APP_PREFIX>_<JWT>_USER_SECRET*          (required)
-          - *<APP_PREFIX>_<JWT>_URL_TOKEN*            (required)
+       below for each providers, where *<IAM>* stands for the provider's name in upper-case:
+          - *<APP_PREFIX>_<IAM>_BODY_DATA*            (optional)
+          - *<APP_PREFIX>_<IAM>_CUSTOM_AUTH*          (optional)
+          - *<APP_PREFIX>_<IAM>_HEADER_DATA*          (optional)
+          - *<APP_PREFIX>_<IAM>_USER_ID*              (required)
+          - *<APP_PREFIX>_<IAM>_USER_SECRET*          (required)
+          - *<APP_PREFIX>_<IAM>_URL_TOKEN*            (required)
 
     2. The special environment variable *<APP_PREFIX>_PROVIDER_ENDPOINT_TOKEN* identifies the endpoint
        from which to obtain JWT tokens. It is not part of the *JWT* providers' setup, but is meant to be
        used by function *provider_setup_endpoint()*, wherein the value in that variable would represent
        the default value for its parameter.
 
-    :return: the configuration data for the select *JWT* providers.
+    :return: the configuration data for the select *IAM* providers.
     """
     # initialize the return variable
     result: dict[str, dict[ProviderParam, Any]] = {}
 
-    servers: list[str] = env_get_strs(key=f"{APP_PREFIX}_AUTH_PROVIDERS") or []
-    for server in servers:
-        prefix = server.upper()
-        result[server] = {
+    for provider in IamProvider:
+        prefix = provider.name
+        result[provider] = {
             ProviderParam.USER_ID: env_get_str(key=f"{APP_PREFIX}_{prefix}_USER_ID"),
             ProviderParam.USER_SECRET: env_get_str(key=f"{APP_PREFIX}_{prefix}_USER_SECRET"),
             ProviderParam.BODY_DATA: env_get_obj(key=f"{APP_PREFIX}_{prefix}_BODY_DATA"),
@@ -98,7 +102,7 @@ def __get_provider_data() -> dict[str, dict[ProviderParam, Any]]:
 #      "refresh-expiration": <timestamp>
 #    }
 # }
-_provider_registry: Final[dict[str, dict[str, Any]]] = __get_provider_data()
+_provider_registry: Final[dict[IamProvider, dict[str, Any]]] = __get_provider_data()
 
 # the lock protecting the data in '_provider_registry'
 # (because it is 'Final' and set at declaration time, it can be accessed through simple imports)
@@ -106,15 +110,15 @@ _provider_lock: Final[Lock] = Lock()
 
 
 @func_capture_params
-def provider_setup_server(provider_id: str,
-                          user_id: str = None,
-                          user_secret: str = None,
-                          custom_auth: tuple[str, str] = None,
-                          header_data: dict[str, str] = None,
-                          body_data: dict[str, str] = None,
-                          url_token: str = None) -> None:
+def iam_setup_provider(iam_provider: IamProvider,
+                       user_id: str = None,
+                       user_secret: str = None,
+                       custom_auth: tuple[str, str] = None,
+                       header_data: dict[str, str] = None,
+                       body_data: dict[str, str] = None,
+                       url_token: str = None) -> None:
     """
-    Setup the *JWT* provider *provider_id*.
+    Setup the *IAM* provider *iam_provider*.
 
     For the parameters not effectively passed, an attempt is made to obtain a value from the corresponding
     environment variable.
@@ -128,7 +132,7 @@ def provider_setup_server(provider_id: str,
     key-value pairs (such as *['grant_type', 'client_credentials']*), to be added to the request body,
     may be specified in *body_data*.
 
-    :param provider_id: the provider's identification
+    :param iam_provider: the provider's identification
     :param user_id: the basic authorization user
     :param user_secret: the basic authorization password
     :param custom_auth: optional key names for sending the credentials as key-value pairs in the body of the request
@@ -142,7 +146,7 @@ def provider_setup_server(provider_id: str,
     defaulted_params: list[str] = func_defaulted_params.get()
 
     # read from the environment variables
-    prefix: str = provider_id.upper()
+    prefix: str = iam_provider.name
     if "user_id" in defaulted_params:
         user_id = env_get_str(key=f"{APP_PREFIX}_{prefix}_USER_ID")
     if "user_secret" in defaulted_params:
@@ -157,7 +161,7 @@ def provider_setup_server(provider_id: str,
         url_token = env_get_str(key=f"{APP_PREFIX}_{prefix}_URL_TOKEN")
 
     with _provider_lock:
-        _provider_registry[provider_id] = {
+        _provider_registry[iam_provider] = {
             ProviderParam.BODY_DATA: body_data,
             ProviderParam.CUSTOM_AUTH: custom_auth,
             ProviderParam.HEADER_DATA: header_data,
@@ -209,7 +213,7 @@ def provider_setup_logger(logger: Logger) -> None:
     __JWT_LOGGER = logger
 
 
-# @flask_app.route(rule=<token_endpoint>,  # IAM_PROVIDER_ENDPOINT_TOKEN
+# @flask_app.route(rule=<token_endpoint>,
 #                  methods=["GET"])
 def service_get_token() -> Response:
     """
@@ -233,17 +237,18 @@ def service_get_token() -> Response:
                                                                                       ensure_ascii=False)}")
 
     # obtain the provider JWT
-    provider_id: str = args.get("jwt-provider")
+    provider_id: str = args.get("iam-provider")
+    iam_provider: IamProvider = IamProvider(provider_id) if provider_id in IamProvider else None
 
     # retrieve the token
     token: str | None = None
     errors: list[str] = []
-    if provider_id:
-        token: str = provider_get_token(provider_id=provider_id,
+    if iam_provider:
+        token: str = provider_get_token(iam_provider=iam_provider,
                                         errors=errors,
                                         logger=__JWT_LOGGER)
     else:
-        msg: str = "JWT provider not informed"
+        msg: str = "IAM provider unknown or not informed"
         errors.append(msg)
         if __JWT_LOGGER:
             __JWT_LOGGER.error(msg=msg)
@@ -261,13 +266,13 @@ def service_get_token() -> Response:
     return result
 
 
-def provider_get_token(provider_id: str,
+def provider_get_token(iam_provider: IamProvider,
                        errors: list[str] = None,
                        logger: Logger = None) -> str | None:
     """
     Obtain an JWT token from the external provider *provider_id*.
 
-    :param provider_id: the provider's identification
+    :param iam_provider: the provider's identification
     :param errors: incidental error messages
     :param logger: optional logger
     :return: the JWT token, or *None* if error
@@ -278,7 +283,7 @@ def provider_get_token(provider_id: str,
     result: str | None = None
 
     with _provider_lock:
-        provider: dict[str, Any] = _provider_registry.get(provider_id)
+        provider: dict[str, Any] = _provider_registry.get(iam_provider)
         if provider:
             now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
             if now < provider.get(ProviderParam.ACCESS_EXPIRATION):
@@ -334,7 +339,7 @@ def provider_get_token(provider_id: str,
                             if refresh_exp else sys.maxsize
 
         elif logger or isinstance(errors, list):
-            msg: str = f"Unknown provider '{provider_id}'"
+            msg: str = f"Unknown provider '{iam_provider}'"
             if logger:
                 logger.error(msg=msg)
             if isinstance(errors, list):

{pypomes_iam-0.8.5.dist-info → pypomes_iam-0.8.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_iam
-Version: 0.8.5
+Version: 0.8.9
 Summary: A collection of Python pomes, penyeach (IAM modules)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-IAM
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-IAM/issues

pypomes_iam-0.8.9.dist-info/RECORD

@@ -0,0 +1,11 @@
+pypomes_iam/__init__.py,sha256=TU9WVKe9CdfEH2bFnLv249Hzo9xIq6NT8SgIUzWYlZE,1685
+pypomes_iam/iam_actions.py,sha256=NY3gsZK72JQAUAwt8LsaSYhrbXdxyIcbzaG1U-VNF70,51234
+pypomes_iam/iam_common.py,sha256=P2IzDQhfrf40VZBkC4p4pOUbR0IW7kq5_xmcAzPvW5s,17546
+pypomes_iam/iam_pomes.py,sha256=2yLTOY_A8bkM7QsOynJOdmVoMu8ZSwFaO7RmxHVDDsU,8931
+pypomes_iam/iam_services.py,sha256=4k2MEKQG5xwHuZylVLFGyohXRlraB4BXBOVPWxig2tg,26689
+pypomes_iam/provider_pomes.py,sha256=uhH8tqdA6AVC8TiPfFdH5gkrrEw_cpkLerRFICdks58,17954
+pypomes_iam/token_pomes.py,sha256=KiTlBNj3HURbZS_Rmti2RC6hny8VFPpbXeIO--HZ-fI,7703
+pypomes_iam-0.8.9.dist-info/METADATA,sha256=y586FcTfUOqMNv9YRjmm_ssEbPVmNxxuQMrTrdDA5Kk,661
+pypomes_iam-0.8.9.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+pypomes_iam-0.8.9.dist-info/licenses/LICENSE,sha256=YvUELgV8qvXlaYsy9hXG5EW3Bmsrkw-OJmmILZnonAc,1086
+pypomes_iam-0.8.9.dist-info/RECORD,,

pypomes_iam-0.8.5.dist-info/RECORD

@@ -1,11 +0,0 @@
-pypomes_iam/__init__.py,sha256=kkHvF3P79h21dNBmJ566Mp-L27oejhBcJa2VquyVsdg,1619
-pypomes_iam/iam_actions.py,sha256=ORuHoiuMPnrMabvnCUcMeqHI4xfqbTErED1LydOPBCg,51191
-pypomes_iam/iam_common.py,sha256=lJAx0J7xjAyzaMI9WXUXRq2qO7bUGIUP85h1hNE2-RE,17569
-pypomes_iam/iam_pomes.py,sha256=VwqK3FoGj76SHKLARuBmIhziYnd_hoMWoUteMGRjuSc,8963
-pypomes_iam/iam_services.py,sha256=_oAAk3y6iw_2gxDkbcNJDmj6Mk8HByhqX8fUT6Qg9kU,26865
-pypomes_iam/provider_pomes.py,sha256=e2AFGQgEajDOvr47LJYAqJ9Eaf0G0MrBAKKC4JK2Jp0,17705
-pypomes_iam/token_pomes.py,sha256=KiTlBNj3HURbZS_Rmti2RC6hny8VFPpbXeIO--HZ-fI,7703
-pypomes_iam-0.8.5.dist-info/METADATA,sha256=z0_4gG_jLZVliMWrQzcRw9AJD58V703MZjT4ZIfKXEo,661
-pypomes_iam-0.8.5.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-pypomes_iam-0.8.5.dist-info/licenses/LICENSE,sha256=YvUELgV8qvXlaYsy9hXG5EW3Bmsrkw-OJmmILZnonAc,1086
-pypomes_iam-0.8.5.dist-info/RECORD,,