python3-commons 0.18.22__py3-none-any.whl → 0.19.0__py3-none-any.whl

python3_commons/auth.py

@@ -1,9 +1,8 @@
-from __future__ import annotations
-
 import logging
-from collections.abc import Sequence
+import threading
+from collections.abc import Mapping, Sequence
 from http import HTTPStatus
-from typing import Self, TypeVar
+from typing import Any, Self, TypeVar
 
 from pydantic import HttpUrl
 
@@ -20,6 +19,7 @@ import msgspec
 from python3_commons.conf import oidc_settings
 
 logger = logging.getLogger(__name__)
+_OIDC_LOCK = threading.Lock()
 
 
 class TokenData(msgspec.Struct):
@@ -62,49 +62,6 @@ class OIDCTokenResponse(msgspec.Struct):
     error_description: str | None = None
 
 
-async def fetch_openid_config() -> dict:
-    """
-    Fetch the OpenID configuration (including JWKS URI) from OIDC authority.
-    """
-    if (authority_url := oidc_settings.authority_url) is None:
-        msg = 'OIDC authority URL is required'
-        raise ValueError(msg)
-
-    if oidc_settings.authority_internal_host:
-        authority_url = replace_origin(authority_url, oidc_settings.authority_internal_host)
-
-    oidc_config_url = f'{authority_url}/.well-known/openid-configuration'
-
-    logger.debug('Fetching OpenID configuration from: %s', oidc_config_url)
-
-    async with aiohttp.ClientSession() as session, session.get(oidc_config_url) as response:
-        if response.status != HTTPStatus.OK:
-            _msg = 'Failed to fetch OpenID configuration'
-
-            raise RuntimeError(_msg)
-
-        return await response.json()
-
-
-async def fetch_jwks(jwks_uri: str) -> dict:
-    """
-    Fetch the JSON Web Key Set (JWKS) for validating the token's signature.
-    """
-    if authority_internal_host := oidc_settings.authority_internal_host:
-        logger.debug('Received jwks_uri: %s', jwks_uri)
-        logger.debug('Replacing OIDC authority host with: %s', authority_internal_host)
-        jwks_uri = str(replace_origin(HttpUrl(jwks_uri), authority_internal_host))
-        logger.debug('Modified jwks_uri: %s', jwks_uri)
-
-    async with aiohttp.ClientSession() as session, session.get(jwks_uri) as response:
-        if response.status != HTTPStatus.OK:
-            _msg = 'Failed to fetch JWKS'
-
-            raise RuntimeError(_msg)
-
-        return await response.json()
-
-
 class OIDCError(Exception):
     pass
 
@@ -117,29 +74,106 @@ class OIDCAuthError(OIDCError):
 class OIDCClient:
     def __init__(
         self,
-        authority_url: str,
+        authority_url: HttpUrl,
         client_id: str,
         client_secret: str | None = None,
         *,
         timeout: float = 10.0,
-        session: aiohttp.ClientSession | None = None,
+        verify_ssl: bool = True,
+        connection_limit: int = 100,
     ) -> None:
-        self._token_url = f'{authority_url}/protocol/openid-connect/token'  # TODO: get it from openid-configuration
+        if oidc_settings.authority_internal_host:
+            authority_url = replace_origin(authority_url, oidc_settings.authority_internal_host)
+
+        self._authority_url = authority_url
         self._client_id = client_id
         self._client_secret = client_secret
-        self._timeout = aiohttp.ClientTimeout(total=timeout)
-        self._session = session
-        self._owns_session = session is None
+        self._oidc_config: Mapping[str, Any] | None = None
+
+        self._connection_limit = connection_limit
+        self._session: aiohttp.ClientSession | None = None
+        self._timeout = timeout
+        self._verify_ssl = verify_ssl
+
+    def get_session(self) -> aiohttp.ClientSession:
+        if self._session:
+            return self._session
+
+        with _OIDC_LOCK:
+            if self._session:
+                return self._session
+
+            connector = aiohttp.TCPConnector(verify_ssl=self._verify_ssl, limit=self._connection_limit)
+            timeout = aiohttp.ClientTimeout(total=self._timeout)
+            session = aiohttp.ClientSession(connector=connector, timeout=timeout)
+            self._session = session
+
+            return session
 
     async def __aenter__(self) -> Self:
-        if self._session is None:
-            self._session = aiohttp.ClientSession(timeout=self._timeout)
+        self.get_session()
+
         return self
 
     async def __aexit__(self, *_: object) -> None:
-        if self._owns_session and self._session:
+        if self._session:
             await self._session.close()
 
+    async def _fetch_openid_config(self) -> dict:
+        """
+        Fetch the OpenID configuration (including JWKS URI) from OIDC authority.
+        """
+        if self._session is None:
+            msg = 'ClientSession not initialized'
+            raise RuntimeError(msg)
+
+        oidc_config_url = f'{self._authority_url}/.well-known/openid-configuration'
+
+        logger.debug('Fetching OpenID configuration from: %s', oidc_config_url)
+
+        async with self._session.get(oidc_config_url) as response:
+            if response.status != HTTPStatus.OK:
+                _msg = 'Failed to fetch OpenID configuration'
+
+                raise RuntimeError(_msg)
+
+            return await response.json()
+
+    async def fetch_jwks(self, jwks_uri: str) -> dict:
+        """
+        Fetch the JSON Web Key Set (JWKS) for validating the token's signature.
+        """
+        if self._session is None:
+            msg = 'ClientSession not initialized'
+            raise RuntimeError(msg)
+
+        if authority_internal_host := oidc_settings.authority_internal_host:
+            logger.debug('Received jwks_uri: %s', jwks_uri)
+            logger.debug('Replacing OIDC authority host with: %s', authority_internal_host)
+            jwks_uri = str(replace_origin(HttpUrl(jwks_uri), authority_internal_host))
+            logger.debug('Modified jwks_uri: %s', jwks_uri)
+
+        async with self._session.get(jwks_uri) as response:
+            if response.status != HTTPStatus.OK:
+                _msg = 'Failed to fetch JWKS'
+
+                raise RuntimeError(_msg)
+
+            return await response.json()
+
+    async def get_openid_config(self) -> Mapping[str, Any]:
+        if self._oidc_config:
+            return self._oidc_config
+
+        with _OIDC_LOCK:
+            if self._oidc_config:
+                return self._oidc_config
+
+            oidc_config = await self._fetch_openid_config()
+            self._oidc_config = oidc_config
+
+            return oidc_config
+
     async def fetch_token(
         self,
         *,
@@ -149,7 +183,6 @@ class OIDCClient:
     ) -> OIDCTokenResponse:
         if self._session is None:
             msg = 'ClientSession not initialized'
-
             raise RuntimeError(msg)
 
         data = {
@@ -163,36 +196,46 @@ class OIDCClient:
         if self._client_secret:
             data['client_secret'] = self._client_secret
 
+        openid_config = await self.get_openid_config()
+
         try:
             async with self._session.post(
-                self._token_url,
+                openid_config['token_endpoint'],
                 data=data,
                 headers={'Content-Type': 'application/x-www-form-urlencoded'},
-            ) as resp:
-                payload = await resp.read()
-                decoder = msgspec.json.Decoder(type=OIDCTokenResponse)
-                token = decoder.decode(payload)
+            ) as response:
+                payload = await response.read()
 
-        except TimeoutError as e:
-            msg = 'OIDC request timed out'
+                try:
+                    body = msgspec.json.decode(payload)
+                except Exception as e:
+                    msg = f'Non-JSON response from OIDC provider: {payload[:300]!r}'
+                    raise OIDCError(msg) from e
 
-            raise OIDCError(msg) from e
-        except aiohttp.ClientError as e:
-            msg = 'OIDC transport error'
+                if response.status >= 400:
+                    error = None
+                    description = None
 
-            raise OIDCError(msg) from e
+                    if isinstance(body, dict):
+                        error = body.get('error') or body.get('code')
+                        description = body.get('error_description') or body.get('message') or ''
 
-        if not resp.ok:
-            error = token.error
-            description = token.error_description
+                    error = error or f'http_{response.status}'
 
-            if error in {'invalid_grant', 'invalid_client'}:
-                msg = f'{error}: {description}'
+                    if error in {'invalid_grant', 'invalid_client'}:
+                        msg = f'{error}: {description}'
+                        raise OIDCAuthError(msg)
 
-                raise OIDCAuthError(msg)
+                    msg = f'{error}: {description}'
+                    raise OIDCError(msg)
 
-            msg = f'{error}: {description}'
+                decoder = msgspec.json.Decoder(OIDCTokenResponse)
 
-            raise OIDCError(msg)
+                return decoder.decode(payload)
 
-        return token
+        except TimeoutError as e:
+            msg = 'OIDC request timed out'
+            raise OIDCError(msg) from e
+        except aiohttp.ClientError as e:
+            msg = 'OIDC transport error'
+            raise OIDCError(msg) from e

{python3_commons-0.18.22.dist-info → python3_commons-0.19.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python3-commons
-Version: 0.18.22
+Version: 0.19.0
 Summary: Re-usable Python3 code
 Author-email: Oleg Korsak <kamikaze.is.waiting.you@gmail.com>
 License-Expression: GPL-3.0

{python3_commons-0.18.22.dist-info → python3_commons-0.19.0.dist-info}/RECORD

@@ -2,7 +2,7 @@ python3_commons/__init__.py,sha256=0KgaYU46H_IMKn-BuasoRN3C4Hi45KlkHHoPbU9cwiA,1
 python3_commons/api_client.py,sha256=yerFJNY_SHhYo9FGLv29oHVIGgeXDNzTzMNfFYZpZ0w,5501
 python3_commons/async_functools.py,sha256=A2HvwFzZHxOWTp4IQM5UiBY2yg1S_0U1CWra5BWK0gk,9101
 python3_commons/audit.py,sha256=uGoCwenDJ0Gdwbr_VNOZm5scT8luxW1weprJbbMoHo0,2608
-python3_commons/auth.py,sha256=1dSD5GhcI9hPcomIEkf6fRM8c4LrXqwkqpJI-pDzfFE,5625
+python3_commons/auth.py,sha256=rrjkUAvOb7C6h38lJoD7DDlrX6QaSluN9qM9rox6Wh4,7274
 python3_commons/cache.py,sha256=lowiXJqFgFy1Yg86wi9IhuoNqIUGP6nc5eNibmf0dfY,8018
 python3_commons/conf.py,sha256=5WzGLwCixc5SMdWvq3j4YBcytqYwcTcCJkFzSPp8fK4,2984
 python3_commons/exceptions.py,sha256=EGjHZVBnsM6CeBfPMqhL0IPMKjDJ_2-Z-aSPXwq91LE,36
@@ -27,9 +27,9 @@ python3_commons/serializers/common.py,sha256=VkA7C6wODvHk0QBXVX_x2JieDstihx3U__U
 python3_commons/serializers/json.py,sha256=UPkC3ps13x2C_NxwVV-K7Ewp4VjkVHSSUkJVw5k7Wiw,712
 python3_commons/serializers/msgpack.py,sha256=zESFBX34GsZ8rDu6Zk5V6CLT6P0mPilU0r04Ka6TblI,1474
 python3_commons/serializers/msgspec.py,sha256=upy5CBmK66-8hYnK5bAM_sZvZY5CAqZmzCw9GIF346I,2988
-python3_commons-0.18.22.dist-info/licenses/AUTHORS.rst,sha256=3R9JnfjfjH5RoPWOeqKFJgxVShSSfzQPIrEr1nxIo9Q,90
-python3_commons-0.18.22.dist-info/licenses/LICENSE,sha256=xxILuojHm4fKQOrMHPSslbyy6WuKAN2RiG74HbrYfzM,34575
-python3_commons-0.18.22.dist-info/METADATA,sha256=2FabtGqH5D6_GjdPMpT6E98vi0XAQqvdh4gMRKyteI0,2334
-python3_commons-0.18.22.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
-python3_commons-0.18.22.dist-info/top_level.txt,sha256=lJI6sCBf68eUHzupCnn2dzG10lH3jJKTWM_hrN1cQ7M,16
-python3_commons-0.18.22.dist-info/RECORD,,
+python3_commons-0.19.0.dist-info/licenses/AUTHORS.rst,sha256=3R9JnfjfjH5RoPWOeqKFJgxVShSSfzQPIrEr1nxIo9Q,90
+python3_commons-0.19.0.dist-info/licenses/LICENSE,sha256=xxILuojHm4fKQOrMHPSslbyy6WuKAN2RiG74HbrYfzM,34575
+python3_commons-0.19.0.dist-info/METADATA,sha256=UXJKgK1zXPhoqS4SBGnZJoxgvPO0Z1_aXCKL5Rp04kQ,2333
+python3_commons-0.19.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+python3_commons-0.19.0.dist-info/top_level.txt,sha256=lJI6sCBf68eUHzupCnn2dzG10lH3jJKTWM_hrN1cQ7M,16
+python3_commons-0.19.0.dist-info/RECORD,,