PyPI - python3-commons - Versions diffs - 0.18.21__tar.gz → 0.19.0__tar.gz - Mend

python3-commons 0.18.21tar.gz → 0.19.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

{python3_commons-0.18.21 → python3_commons-0.19.0}/.env_template RENAMED Viewed

@@ -17,3 +17,9 @@ DB_DSN=postgresql+asyncpg://dev:dev@localhost:5432/fastapi-project-template
 API_AUTH_ENABLED=false
 OIDC_AUTHORITY_URL=https://oidc.provider.com/auth
 OIDC_CLIENT_ID=12345-54321
+TEST_OIDC_AUTHORITY_URL=https://oidc.provider.com/auth
+TEST_OIDC_CLIENT_ID=12345-54321
+TEST_OIDC_CLIENT_SECRET=
+TEST_OIDC_USERNAME=testuser
+TEST_OIDC_PASSWORD=

{python3_commons-0.18.21/src/python3_commons.egg-info → python3_commons-0.19.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python3-commons
-Version: 0.18.21
+Version: 0.19.0
 Summary: Re-usable Python3 code
 Author-email: Oleg Korsak <kamikaze.is.waiting.you@gmail.com>
 License-Expression: GPL-3.0

python3_commons-0.19.0/src/python3_commons/auth.py ADDED Viewed

@@ -0,0 +1,241 @@
+import logging
+import threading
+from collections.abc import Mapping, Sequence
+from http import HTTPStatus
+from typing import Any, Self, TypeVar
+from pydantic import HttpUrl
+from python3_commons.helpers import replace_origin
+try:
+    import aiohttp
+except ImportError as e:
+    msg = 'Install python3-commons[authn] to use this feature'
+    raise RuntimeError(msg) from e
+import msgspec
+from python3_commons.conf import oidc_settings
+logger = logging.getLogger(__name__)
+_OIDC_LOCK = threading.Lock()
+class TokenData(msgspec.Struct):
+    exp: int
+    iat: int
+    iss: str
+    sub: str
+    aud: str | Sequence[str] | None = None
+    email: str | None = None
+    name: str | None = None
+    preferred_username: str | None = None
+    realm_access: dict[str, Sequence[str]] | None = None
+    resource_access: dict[str, dict[str, Sequence[str]]] | None = None
+    @property
+    def roles(self) -> list[str]:
+        roles_list = []
+        if self.realm_access:
+            roles_list.extend(self.realm_access.get('roles', []))
+        if self.resource_access:
+            for client in self.resource_access.values():
+                roles_list.extend(client.get('roles', []))
+        return list(set(roles_list))
+T = TypeVar('T', bound=TokenData)
+class OIDCTokenResponse(msgspec.Struct):
+    access_token: str
+    token_type: str
+    expires_in: int
+    refresh_token: str
+    scope: str
+    id_token: str
+    error: str | None = None
+    error_description: str | None = None
+class OIDCError(Exception):
+    pass
+class OIDCAuthError(OIDCError):
+    pass
+# TODO: use api_client
+class OIDCClient:
+    def __init__(
+        self,
+        authority_url: HttpUrl,
+        client_id: str,
+        client_secret: str | None = None,
+        *,
+        timeout: float = 10.0,
+        verify_ssl: bool = True,
+        connection_limit: int = 100,
+    ) -> None:
+        if oidc_settings.authority_internal_host:
+            authority_url = replace_origin(authority_url, oidc_settings.authority_internal_host)
+        self._authority_url = authority_url
+        self._client_id = client_id
+        self._client_secret = client_secret
+        self._oidc_config: Mapping[str, Any] | None = None
+        self._connection_limit = connection_limit
+        self._session: aiohttp.ClientSession | None = None
+        self._timeout = timeout
+        self._verify_ssl = verify_ssl
+    def get_session(self) -> aiohttp.ClientSession:
+        if self._session:
+            return self._session
+        with _OIDC_LOCK:
+            if self._session:
+                return self._session
+            connector = aiohttp.TCPConnector(verify_ssl=self._verify_ssl, limit=self._connection_limit)
+            timeout = aiohttp.ClientTimeout(total=self._timeout)
+            session = aiohttp.ClientSession(connector=connector, timeout=timeout)
+            self._session = session
+            return session
+    async def __aenter__(self) -> Self:
+        self.get_session()
+        return self
+    async def __aexit__(self, *_: object) -> None:
+        if self._session:
+            await self._session.close()
+    async def _fetch_openid_config(self) -> dict:
+        """
+        Fetch the OpenID configuration (including JWKS URI) from OIDC authority.
+        """
+        if self._session is None:
+            msg = 'ClientSession not initialized'
+            raise RuntimeError(msg)
+        oidc_config_url = f'{self._authority_url}/.well-known/openid-configuration'
+        logger.debug('Fetching OpenID configuration from: %s', oidc_config_url)
+        async with self._session.get(oidc_config_url) as response:
+            if response.status != HTTPStatus.OK:
+                _msg = 'Failed to fetch OpenID configuration'
+                raise RuntimeError(_msg)
+            return await response.json()
+    async def fetch_jwks(self, jwks_uri: str) -> dict:
+        """
+        Fetch the JSON Web Key Set (JWKS) for validating the token's signature.
+        """
+        if self._session is None:
+            msg = 'ClientSession not initialized'
+            raise RuntimeError(msg)
+        if authority_internal_host := oidc_settings.authority_internal_host:
+            logger.debug('Received jwks_uri: %s', jwks_uri)
+            logger.debug('Replacing OIDC authority host with: %s', authority_internal_host)
+            jwks_uri = str(replace_origin(HttpUrl(jwks_uri), authority_internal_host))
+            logger.debug('Modified jwks_uri: %s', jwks_uri)
+        async with self._session.get(jwks_uri) as response:
+            if response.status != HTTPStatus.OK:
+                _msg = 'Failed to fetch JWKS'
+                raise RuntimeError(_msg)
+            return await response.json()
+    async def get_openid_config(self) -> Mapping[str, Any]:
+        if self._oidc_config:
+            return self._oidc_config
+        with _OIDC_LOCK:
+            if self._oidc_config:
+                return self._oidc_config
+            oidc_config = await self._fetch_openid_config()
+            self._oidc_config = oidc_config
+            return oidc_config
+    async def fetch_token(
+        self,
+        *,
+        username: str,
+        password: str,
+        scope: str = 'openid profile email',
+    ) -> OIDCTokenResponse:
+        if self._session is None:
+            msg = 'ClientSession not initialized'
+            raise RuntimeError(msg)
+        data = {
+            'grant_type': 'password',
+            'username': username,
+            'password': password,
+            'client_id': self._client_id,
+            'scope': scope,
+        }
+        if self._client_secret:
+            data['client_secret'] = self._client_secret
+        openid_config = await self.get_openid_config()
+        try:
+            async with self._session.post(
+                openid_config['token_endpoint'],
+                data=data,
+                headers={'Content-Type': 'application/x-www-form-urlencoded'},
+            ) as response:
+                payload = await response.read()
+                try:
+                    body = msgspec.json.decode(payload)
+                except Exception as e:
+                    msg = f'Non-JSON response from OIDC provider: {payload[:300]!r}'
+                    raise OIDCError(msg) from e
+                if response.status >= 400:
+                    error = None
+                    description = None
+                    if isinstance(body, dict):
+                        error = body.get('error') or body.get('code')
+                        description = body.get('error_description') or body.get('message') or ''
+                    error = error or f'http_{response.status}'
+                    if error in {'invalid_grant', 'invalid_client'}:
+                        msg = f'{error}: {description}'
+                        raise OIDCAuthError(msg)
+                    msg = f'{error}: {description}'
+                    raise OIDCError(msg)
+                decoder = msgspec.json.Decoder(OIDCTokenResponse)
+                return decoder.decode(payload)
+        except TimeoutError as e:
+            msg = 'OIDC request timed out'
+            raise OIDCError(msg) from e
+        except aiohttp.ClientError as e:
+            msg = 'OIDC transport error'
+            raise OIDCError(msg) from e

{python3_commons-0.18.21 → python3_commons-0.19.0}/src/python3_commons/helpers.py RENAMED Viewed

@@ -172,7 +172,7 @@ def replace_origin(url: HttpUrl, host_url: HttpUrl) -> HttpUrl:
         scheme=host_url.scheme,
         host=host_url.host,
         port=host_url.port,
-        path=url.path,
+        path=url_path.lstrip('/') if (url_path := url.path) else url_path,
         query=url.query,
         fragment=url.fragment,
     )

{python3_commons-0.18.21 → python3_commons-0.19.0/src/python3_commons.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python3-commons
-Version: 0.18.21
+Version: 0.19.0
 Summary: Re-usable Python3 code
 Author-email: Oleg Korsak <kamikaze.is.waiting.you@gmail.com>
 License-Expression: GPL-3.0

{python3_commons-0.18.21 → python3_commons-0.19.0}/src/python3_commons.egg-info/SOURCES.txt RENAMED Viewed

@@ -59,6 +59,8 @@ src/python3_commons/serializers/msgpack.py
 src/python3_commons/serializers/msgspec.py
 tests/__init__.py
 tests/integration/__init__.py
+tests/integration/conftest.py
+tests/integration/test_auth.py
 tests/integration/test_cache.py
 tests/integration/test_osc.py
 tests/unit/__init__.py

python3_commons-0.19.0/tests/integration/conftest.py ADDED Viewed

@@ -0,0 +1,29 @@
+from os import getenv
+import pytest
+from pydantic import HttpUrl
+@pytest.fixture(scope='session')
+def authority_url() -> HttpUrl:
+    return HttpUrl(getenv('TEST_OIDC_AUTHORITY_URL', ''))
+@pytest.fixture(scope='session')
+def client_id() -> str:
+    return getenv('TEST_OIDC_CLIENT_ID', '')
+@pytest.fixture(scope='session')
+def client_secret() -> str:
+    return getenv('TEST_OIDC_CLIENT_SECRET', '')
+@pytest.fixture(scope='session')
+def oidc_username() -> str:
+    return getenv('TEST_OIDC_USERNAME', '')
+@pytest.fixture(scope='session')
+def oidc_password() -> str:
+    return getenv('TEST_OIDC_PASSWORD', '')

python3_commons-0.19.0/tests/integration/test_auth.py ADDED Viewed

@@ -0,0 +1,29 @@
+from typing import TYPE_CHECKING
+import pytest
+if TYPE_CHECKING:
+    from pydantic import HttpUrl
+from python3_commons.auth import OIDCClient
+@pytest.mark.asyncio
+async def test_get_token_cognito(
+    authority_url: HttpUrl, client_id: str, client_secret: str, oidc_username: str, oidc_password: str
+) -> None:
+    async with (
+        OIDCClient(
+            authority_url=authority_url,
+            client_id=client_id,
+            client_secret=client_secret,
+            verify_ssl=False,
+            timeout=10,
+        ) as client,
+    ):
+        token = await client.fetch_token(
+            username=oidc_username,
+            password=oidc_password,
+        )
+        assert token.access_token

python3_commons-0.18.21/src/python3_commons/auth.py DELETED Viewed

@@ -1,198 +0,0 @@
-from __future__ import annotations
-import logging
-from collections.abc import Sequence
-from http import HTTPStatus
-from typing import Self, TypeVar
-from pydantic import HttpUrl
-from python3_commons.helpers import replace_origin
-try:
-    import aiohttp
-except ImportError as e:
-    msg = 'Install python3-commons[authn] to use this feature'
-    raise RuntimeError(msg) from e
-import msgspec
-from python3_commons.conf import oidc_settings
-logger = logging.getLogger(__name__)
-class TokenData(msgspec.Struct):
-    exp: int
-    iat: int
-    iss: str
-    sub: str
-    aud: str | Sequence[str] | None = None
-    email: str | None = None
-    name: str | None = None
-    preferred_username: str | None = None
-    realm_access: dict[str, Sequence[str]] | None = None
-    resource_access: dict[str, dict[str, Sequence[str]]] | None = None
-    @property
-    def roles(self) -> list[str]:
-        roles_list = []
-        if self.realm_access:
-            roles_list.extend(self.realm_access.get('roles', []))
-        if self.resource_access:
-            for client in self.resource_access.values():
-                roles_list.extend(client.get('roles', []))
-        return list(set(roles_list))
-T = TypeVar('T', bound=TokenData)
-class OIDCTokenResponse(msgspec.Struct):
-    access_token: str
-    token_type: str
-    expires_in: int
-    refresh_token: str
-    scope: str
-    id_token: str
-    error: str | None = None
-    error_description: str | None = None
-async def fetch_openid_config() -> dict:
-    """
-    Fetch the OpenID configuration (including JWKS URI) from OIDC authority.
-    """
-    if (authority_url := oidc_settings.authority_url) is None:
-        msg = 'OIDC authority URL is required'
-        raise ValueError(msg)
-    if oidc_settings.authority_internal_host:
-        authority_url = replace_origin(authority_url, oidc_settings.authority_internal_host)
-    oidc_config_url = f'{authority_url}.well-known/openid-configuration'
-    logger.debug('Fetching OpenID configuration from: %s', oidc_config_url)
-    async with aiohttp.ClientSession() as session, session.get(oidc_config_url) as response:
-        if response.status != HTTPStatus.OK:
-            _msg = 'Failed to fetch OpenID configuration'
-            raise RuntimeError(_msg)
-        return await response.json()
-async def fetch_jwks(jwks_uri: str) -> dict:
-    """
-    Fetch the JSON Web Key Set (JWKS) for validating the token's signature.
-    """
-    if authority_internal_host := oidc_settings.authority_internal_host:
-        logger.debug('Received jwks_uri: %s', jwks_uri)
-        logger.debug('Replacing OIDC authority host with: %s', authority_internal_host)
-        jwks_uri = str(replace_origin(HttpUrl(jwks_uri), authority_internal_host))
-        logger.debug('Modified jwks_uri: %s', jwks_uri)
-    async with aiohttp.ClientSession() as session, session.get(jwks_uri) as response:
-        if response.status != HTTPStatus.OK:
-            _msg = 'Failed to fetch JWKS'
-            raise RuntimeError(_msg)
-        return await response.json()
-class OIDCError(Exception):
-    pass
-class OIDCAuthError(OIDCError):
-    pass
-# TODO: use api_client
-class OIDCClient:
-    def __init__(
-        self,
-        authority_url: str,
-        client_id: str,
-        client_secret: str | None = None,
-        *,
-        timeout: float = 10.0,
-        session: aiohttp.ClientSession | None = None,
-    ) -> None:
-        self._token_url = f'{authority_url}/protocol/openid-connect/token'  # TODO: get it from openid-configuration
-        self._client_id = client_id
-        self._client_secret = client_secret
-        self._timeout = aiohttp.ClientTimeout(total=timeout)
-        self._session = session
-        self._owns_session = session is None
-    async def __aenter__(self) -> Self:
-        if self._session is None:
-            self._session = aiohttp.ClientSession(timeout=self._timeout)
-        return self
-    async def __aexit__(self, *_: object) -> None:
-        if self._owns_session and self._session:
-            await self._session.close()
-    async def fetch_token(
-        self,
-        *,
-        username: str,
-        password: str,
-        scope: str = 'openid profile email',
-    ) -> OIDCTokenResponse:
-        if self._session is None:
-            msg = 'ClientSession not initialized'
-            raise RuntimeError(msg)
-        data = {
-            'grant_type': 'password',
-            'username': username,
-            'password': password,
-            'client_id': self._client_id,
-            'scope': scope,
-        }
-        if self._client_secret:
-            data['client_secret'] = self._client_secret
-        try:
-            async with self._session.post(
-                self._token_url,
-                data=data,
-                headers={'Content-Type': 'application/x-www-form-urlencoded'},
-            ) as resp:
-                payload = await resp.read()
-                decoder = msgspec.json.Decoder(type=OIDCTokenResponse)
-                token = decoder.decode(payload)
-        except TimeoutError as e:
-            msg = 'OIDC request timed out'
-            raise OIDCError(msg) from e
-        except aiohttp.ClientError as e:
-            msg = 'OIDC transport error'
-            raise OIDCError(msg) from e
-        if not resp.ok:
-            error = token.error
-            description = token.error_description
-            if error in {'invalid_grant', 'invalid_client'}:
-                msg = f'{error}: {description}'
-                raise OIDCAuthError(msg)
-            msg = f'{error}: {description}'
-            raise OIDCError(msg)
-        return token