PyPI - querysource - Versions diffs - 4.1.12__tar.gz → 4.2.0__tar.gz - Mend

querysource 4.1.12tar.gz → 4.2.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (437) hide show

{querysource-4.1.12/querysource.egg-info → querysource-4.2.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: querysource
-Version: 4.1.12
+Version: 4.2.0
 Summary: Aiohttp web service for querying several databases easily
 Author-email: Jesus Lara <jesuslarag@gmail.com>
 License: BSD-3-Clause

{querysource-4.1.12 → querysource-4.2.0}/app.py RENAMED Viewed

@@ -4,9 +4,11 @@ This file will be auto-generated by code
 """
 from navconfig.logging import logging
 from navigator.handlers.types import AppHandler
+from navigator_auth import AuthHandler
 from querysource.services import QuerySource
 logging.getLogger(name='traitlets').setLevel(logging.ERROR)
 class Main(AppHandler):
@@ -20,13 +22,14 @@ class Main(AppHandler):
     def configure(self):
         super(Main, self).configure()
-        # version
-        # Loading QUerySource
-        qry = QuerySource(
-            lazy=False,
-            loop=self.event_loop()
-        )
+        # Loading QuerySource — no need to pass the event loop; it is captured
+        # automatically from aiohttp's running loop on startup.
+        qry = QuerySource(lazy=False)
         qry.setup(self.app)
+        ### Auth System
+        # create a new instance of Auth System
+        auth = AuthHandler()
+        auth.setup(self.app)  # configure this Auth system into App.
     @classmethod
     def evt(cls):

querysource-4.2.0/policies/datasources.yaml ADDED Viewed

@@ -0,0 +1,24 @@
+version: "1.0"
+defaults:
+  effect: deny
+# Add allow policies for non-admin groups here.
+policies: []
+# ─── Example (uncomment and customise) ──────────────────────────────────────
+# policies:
+#   - name: analysts_use_postgres
+#     effect: allow
+#     description: "Analysts may use the read-only postgres datasource."
+#     resources:
+#       - "datasource:postgres"
+#     actions:
+#       - "datasource:use"
+#       - "datasource:list"
+#     subjects:
+#       groups:
+#         - analysts
+#     priority: 30
+#     enforcing: false
+# ────────────────────────────────────────────────────────────────────────────

querysource-4.2.0/policies/defaults.yaml ADDED Viewed

@@ -0,0 +1,31 @@
+version: "1.0"
+defaults:
+  effect: deny
+policies:
+  - name: admin_full_access
+    effect: allow
+    description: >
+      Superuser and admin groups have unrestricted access to all
+      QuerySource resources. Without this policy, no user can execute
+      any slug, raw query, datasource, or driver.
+    resources:
+      - "slug:*"
+      - "datasource:*"
+      - "driver:*"
+      - "raw_query"
+    actions:
+      - "slug:execute"
+      - "slug:list"
+      - "datasource:use"
+      - "datasource:list"
+      - "driver:use"
+      - "driver:list"
+      - "raw_query:execute"
+    subjects:
+      groups:
+        - superuser
+        - admin
+    priority: 100
+    enforcing: true

querysource-4.2.0/policies/drivers.yaml ADDED Viewed

@@ -0,0 +1,24 @@
+version: "1.0"
+defaults:
+  effect: deny
+# Add allow policies for non-admin groups here.
+policies: []
+# ─── Example (uncomment and customise) ──────────────────────────────────────
+# policies:
+#   - name: analysts_use_pg_driver
+#     effect: allow
+#     description: "Analysts may use the pg (asyncpg) driver."
+#     resources:
+#       - "driver:pg"
+#     actions:
+#       - "driver:use"
+#       - "driver:list"
+#     subjects:
+#       groups:
+#         - analysts
+#     priority: 30
+#     enforcing: false
+# ────────────────────────────────────────────────────────────────────────────

querysource-4.2.0/policies/raw_queries.yaml ADDED Viewed

@@ -0,0 +1,24 @@
+version: "1.0"
+defaults:
+  effect: deny
+# Add allow policies for non-admin groups here.
+# Raw queries grant inline SQL execution — grant sparingly.
+policies: []
+# ─── Example (uncomment and customise) ──────────────────────────────────────
+# policies:
+#   - name: data_engineers_raw_queries
+#     effect: allow
+#     description: "Data engineers can run inline raw queries."
+#     resources:
+#       - "raw_query"
+#     actions:
+#       - "raw_query:execute"
+#     subjects:
+#       groups:
+#         - data-engineers
+#     priority: 50
+#     enforcing: true
+# ────────────────────────────────────────────────────────────────────────────

querysource-4.2.0/policies/slugs.yaml ADDED Viewed

@@ -0,0 +1,24 @@
+version: "1.0"
+defaults:
+  effect: deny
+# Add allow policies for non-admin groups here.
+policies: []
+# ─── Example (uncomment and customise) ──────────────────────────────────────
+# policies:
+#   - name: analysts_run_finance_slugs
+#     effect: allow
+#     description: "Analysts can execute all finance-prefixed slugs."
+#     resources:
+#       - "slug:finance_*"
+#     actions:
+#       - "slug:execute"
+#       - "slug:list"
+#     subjects:
+#       groups:
+#         - analysts
+#     priority: 30
+#     enforcing: false
+# ────────────────────────────────────────────────────────────────────────────

querysource-4.2.0/policies/superusers.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+version: "1.0"
+defaults:
+  effect: deny
+# Per-user exemptions for codebase owners and service accounts.
+# Use this file for user-level (not group-level) allow rules.
+policies: []
+# ─── Example (uncomment and customise) ──────────────────────────────────────
+# policies:
+#   - name: service_account_full_access
+#     effect: allow
+#     description: "Service account used by CI/CD has unrestricted access."
+#     resources:
+#       - "slug:*"
+#       - "datasource:*"
+#       - "driver:*"
+#       - "raw_query"
+#     actions:
+#       - "slug:execute"
+#       - "slug:list"
+#       - "datasource:use"
+#       - "datasource:list"
+#       - "driver:use"
+#       - "driver:list"
+#       - "raw_query:execute"
+#     subjects:
+#       users:
+#         - ci-service@example.com
+#     priority: 90
+#     enforcing: true
+# ────────────────────────────────────────────────────────────────────────────

{querysource-4.1.12 → querysource-4.2.0}/pyproject.toml RENAMED Viewed

@@ -171,6 +171,9 @@ addopts = [
     "--strict-config",
     "--strict-markers",
 ]
+markers = [
+    "perf: performance regression tests (opt-in via -m perf)",
+]
 filterwarnings = [
     "error",
     'ignore:The loop argument is deprecated since Python 3\.8, and scheduled for removal in Python 3\.10:DeprecationWarning:asyncio',
@@ -193,3 +196,6 @@ features = ["pyo3/extension-module"]
 # producing ModuleNotFoundError: No module named '<pkg>.<native>' at import.
 [tool.uv]
 link-mode = "copy"
+[tool.uv.sources]
+navigator-auth = { path = "../../navigator/navigator-auth", editable = true }

{querysource-4.1.12 → querysource-4.2.0}/pytest.ini RENAMED Viewed

@@ -3,3 +3,5 @@
 asyncio_mode = auto
 filterwarnings =
     ignore::DeprecationWarning
+markers =
+    perf: performance regression tests (opt-in via -m perf)

{querysource-4.1.12 → querysource-4.2.0}/querysource/_version.py RENAMED Viewed

@@ -18,7 +18,7 @@ version_tuple: tuple[int | str, ...]
 commit_id: str | None
 __commit_id__: str | None
-__version__ = version = '4.1.13.dev0+gd6d474e05.d20260424'
-__version_tuple__ = version_tuple = (4, 1, 13, 'dev0', 'gd6d474e05.d20260424')
+__version__ = version = '4.2.1.dev0+g47a6b9db9.d20260430'
+__version_tuple__ = version_tuple = (4, 2, 1, 'dev0', 'g47a6b9db9.d20260430')
-__commit_id__ = commit_id = 'gd6d474e05'
+__commit_id__ = commit_id = 'g47a6b9db9'

querysource-4.2.0/querysource/auth/__init__.py ADDED Viewed

@@ -0,0 +1,21 @@
+"""
+querysource.auth — Policy-based access control (PBAC) for QuerySource.
+This package wires navigator-auth's PBAC engine into QuerySource handlers
+and provides a per-user credential resolver for the driver layer.
+Public surface:
+- ``CredentialResolver``  — per-user credential resolver (TASK-628)
+- ``ResolvedCredentials`` — credential dataclass (TASK-628)
+- ``setup_pbac()``        — PBAC bootstrap (TASK-629)
+- ``ResourceType``        — resource-type enum/shim (TASK-631)
+"""
+import logging
+logger = logging.getLogger(__name__)
+from querysource.auth.credentials import CredentialResolver, ResolvedCredentials  # noqa: E402
+from querysource.auth.pbac import setup_pbac  # noqa: E402
+from querysource.auth._resource_types import ResourceType  # noqa: E402
+__all__ = ("CredentialResolver", "ResolvedCredentials", "setup_pbac", "ResourceType", "logger")

querysource-4.2.0/querysource/auth/_resource_types.py ADDED Viewed

@@ -0,0 +1,48 @@
+"""
+querysource.auth._resource_types — ResourceType shim for PBAC enforcement.
+Tries to import ResourceType from navigator-auth (available once TASK-640
+upstream PR is merged and navigator-auth >= 0.20.0 is pinned). Falls back to
+a plain-string stand-in that preserves the same attribute interface.
+Usage::
+    from querysource.auth._resource_types import ResourceType
+    await self._enforce_pbac(request, ResourceType.SLUG, slug, "slug:execute")
+Once TASK-640 lands, the try-branch is taken automatically and this shim
+becomes a transparent pass-through — no handler changes required.
+"""
+from __future__ import annotations
+try:
+    from navigator_auth.abac.policies.resources import ResourceType
+    # Validate that the expected QS-specific attrs are present.
+    # Raises AttributeError if the upstream PR hasn't landed yet.
+    _check = (
+        ResourceType.SLUG,       # noqa: WPS226
+        ResourceType.DATASOURCE,
+        ResourceType.DRIVER,
+        ResourceType.RAW_QUERY,
+    )
+    del _check
+except (ImportError, AttributeError):
+    # navigator-auth not installed, or SLUG/DATASOURCE/DRIVER/RAW_QUERY not
+    # yet added upstream. Use a lightweight string-based stand-in.
+    class _StringResourceType(str):  # type: ignore[misc]
+        """String subclass so isinstance checks still pass for str."""
+        __slots__ = ()
+    class ResourceType:  # type: ignore[no-redef]
+        """String-shim ResourceType for QuerySource PBAC enforcement.
+        Attributes mirror the planned navigator-auth ResourceType enum values
+        (FEAT-091 TASK-640 upstream PR). Switch to the real enum once merged.
+        """
+        SLUG = _StringResourceType("slug")
+        DATASOURCE = _StringResourceType("datasource")
+        DRIVER = _StringResourceType("driver")
+        RAW_QUERY = _StringResourceType("raw_query")
+__all__ = ("ResourceType",)

querysource-4.2.0/querysource/auth/credentials.py ADDED Viewed

@@ -0,0 +1,224 @@
+"""
+querysource.auth.credentials — Per-user credential resolver for driver layer.
+Implements a three-tier env-var lookup:
+  1. Per-user:  ``<PREFIX>_<SANITIZED_USERNAME>_HOST/PORT/USER/PASSWORD/DATABASE``
+  2. Profile:   ``<PREFIX>_<SANITIZED_PROFILE>_HOST/PORT/USER/PASSWORD/DATABASE``
+  3. Default:   ``<PREFIX>_HOST/PORT/USER/PASSWORD/DATABASE``
+Group-tier lookup is explicitly out of scope (FEAT-091 v1).
+"""
+import os
+import logging
+from dataclasses import dataclass
+from typing import Optional
+@dataclass(slots=True)
+class ResolvedCredentials:
+    """Connection parameters resolved by CredentialResolver.
+    Args:
+        host: Database hostname.
+        port: Database port.
+        user: Database user.
+        password: Database password.
+        database: Database name.
+        source: Resolution tier used — one of:
+            ``"user-override"``, ``"profile:<name>"``,
+            or ``"default:<prefix>"``.
+    """
+    host: str
+    port: int
+    user: str
+    password: str
+    database: str
+    source: str
+class CredentialResolver:
+    """Resolves driver connection params from session + env using a 3-tier lookup.
+    Resolution order:
+      1. Per-user env vars: ``<PREFIX>_<USERNAME>_HOST`` etc.
+      2. Profile-from-policy env vars: ``<PREFIX>_<PROFILE>_HOST`` etc.
+      3. Datasource default: ``<PREFIX>_HOST`` etc.
+    Partial sets (only some of the 5 required vars set) fall through to the
+    next tier. A warning is logged once per (tier, missing-key-set) pair.
+    """
+    _REQUIRED_FIELDS = ("HOST", "PORT", "USER", "PASSWORD", "DATABASE")
+    def __init__(self, logger: Optional[logging.Logger] = None) -> None:
+        """Initialise the resolver.
+        Args:
+            logger: Optional logger; defaults to ``logging.getLogger(__name__)``.
+        """
+        self._logger = logger or logging.getLogger(__name__)
+        # Dedup set: frozenset of (tier_label, missing_key) tuples already warned.
+        self._warned: set = set()
+    @staticmethod
+    def sanitize(value: str) -> str:
+        """Canonicalize a username or profile name for env-var key construction.
+        Rules: uppercase; ``.``, ``-``, ``@`` → ``_``.
+        Args:
+            value: Raw username or profile string.
+        Returns:
+            Sanitized uppercase string safe for env-var lookup.
+        """
+        return value.upper().replace(".", "_").replace("-", "_").replace("@", "_")
+    def _extract_username(self, session) -> Optional[str]:
+        """Extract the username (or user_id) from a session dict.
+        Args:
+            session: Session object (dict-like).
+        Returns:
+            Username string, or None if not found.
+        """
+        if session is None:
+            return None
+        if hasattr(session, "get"):
+            username = session.get("username") or session.get("user_id")
+            if username:
+                return str(username)
+        return None
+    def _lookup(self, prefix: str, segment: Optional[str]) -> Optional[dict]:
+        """Look up the five required credential env vars for a given prefix+segment.
+        Constructs keys like ``<PREFIX>_<SEGMENT>_HOST`` (with segment) or
+        ``<PREFIX>_HOST`` (without segment). Returns ``None`` if any key is
+        missing or if the PORT cannot be coerced to int.
+        Args:
+            prefix: E.g. ``"PG"`` or ``"DB"``.
+            segment: Sanitized username/profile, or ``None`` for the default tier.
+        Returns:
+            Dict with keys ``host``, ``port``, ``user``, ``password``,
+            ``database`` on full success; ``None`` on partial or missing set.
+        """
+        base = f"{prefix}_{segment}_" if segment else f"{prefix}_"
+        values = {}
+        missing = []
+        for field in self._REQUIRED_FIELDS:
+            key = f"{base}{field}"
+            val = os.environ.get(key)
+            if val is None:
+                missing.append(key)
+            else:
+                values[field] = val
+        if missing:
+            if values:
+                # Partial set — warn once per (segment, missing keys) combo.
+                dedup_key = frozenset(missing)
+                tier_label = f"{prefix}_{segment}" if segment else prefix
+                warn_key = (tier_label, dedup_key)
+                if warn_key not in self._warned:
+                    self._warned.add(warn_key)
+                    self._logger.warning(
+                        "CredentialResolver: partial credential set for %s — "
+                        "missing env vars %s; falling through to next tier.",
+                        tier_label,
+                        sorted(missing),
+                    )
+            return None
+        try:
+            port = int(values["PORT"])
+        except (ValueError, TypeError):
+            tier_label = f"{prefix}_{segment}" if segment else prefix
+            dedup_key = frozenset([f"{base}PORT_invalid"])
+            warn_key = (tier_label, dedup_key)
+            if warn_key not in self._warned:
+                self._warned.add(warn_key)
+                self._logger.warning(
+                    "CredentialResolver: invalid PORT value for %s; "
+                    "falling through to next tier.",
+                    tier_label,
+                )
+            return None
+        return {
+            "host": values["HOST"],
+            "port": port,
+            "user": values["USER"],
+            "password": values["PASSWORD"],
+            "database": values["DATABASE"],
+        }
+    def _build(self, source: str, creds: dict) -> ResolvedCredentials:
+        """Construct a ResolvedCredentials from a raw dict + source label.
+        Args:
+            source: One of ``"user-override"``, ``"profile:<name>"``, or
+                ``"default:<prefix>"``.
+            creds: Dict with keys ``host``, ``port``, ``user``, ``password``,
+                ``database``.
+        Returns:
+            ResolvedCredentials instance.
+        """
+        return ResolvedCredentials(
+            host=creds["host"],
+            port=creds["port"],
+            user=creds["user"],
+            password=creds["password"],
+            database=creds["database"],
+            source=source,
+        )
+    def resolve(
+        self,
+        prefix: str,
+        session,
+        credential_profile: Optional[str] = None,
+    ) -> Optional[ResolvedCredentials]:
+        """Resolve connection credentials using 3-tier env-var lookup.
+        Resolution order:
+          1. Per-user: ``<PREFIX>_<USERNAME>_*`` (if session has a username).
+          2. Profile:  ``<PREFIX>_<PROFILE>_*`` (if credential_profile provided).
+          3. Default:  ``<PREFIX>_*``.
+        Partial sets fall through silently (with one warning per unique gap).
+        If no tier resolves, returns ``None``.
+        Args:
+            prefix: Env-var prefix, e.g. ``"PG"`` or ``"DB"``.
+            session: Dict-like session object; may be ``None``.
+            credential_profile: Optional profile name from policy attributes.
+        Returns:
+            ResolvedCredentials or None.
+        """
+        # Tier 1: per-user
+        if session is not None:
+            username = self._extract_username(session)
+            if username:
+                creds = self._lookup(prefix, self.sanitize(username))
+                if creds is not None:
+                    return self._build("user-override", creds)
+        # Tier 2: profile from policy
+        if credential_profile:
+            creds = self._lookup(prefix, self.sanitize(credential_profile))
+            if creds is not None:
+                return self._build(f"profile:{credential_profile}", creds)
+        # Tier 3: datasource default
+        creds = self._lookup(prefix, None)
+        if creds is not None:
+            return self._build(f"default:{prefix}", creds)
+        return None

querysource 4.1.12__tar.gz → 4.2.0__tar.gz

querysource 4.1.12tar.gz → 4.2.0tar.gz