rampart-python 0.1.0__tar.gz

rampart_python-0.1.0/.gitignore

@@ -0,0 +1,72 @@
+# Binaries
+bin/
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test
+*.test
+*.out
+coverage.out
+coverage.txt
+coverage.html
+
+# Go
+vendor/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Environment
+.env
+.env.local
+.env.*.local
+
+# Node (UI)
+node_modules/
+package-lock.json
+.next/
+dist/
+build/
+adapters/**/dist/
+samples/**/node_modules/
+samples/**/dist/
+
+# Signing keys
+*.pem
+
+# Vite cache
+.vite/
+*/.vite/
+
+# Playwright MCP
+.playwright-mcp/
+
+# Claude Code
+CLAUDE.md
+.claude/
+.mcp.json
+
+# Internal plans (local only)
+plans/
+
+# Screenshots and snapshots (dev testing artifacts)
+*.png
+!docs/screenshots/*.png
+repo-snapshot.md
+SECURITY_AUDIT.md
+
+# Docker
+docker-compose.override.yml
+firebase-debug.log
+/rampart

rampart_python-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Mani Movassagh
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

rampart_python-0.1.0/PKG-INFO

@@ -0,0 +1,153 @@
+Metadata-Version: 2.4
+Name: rampart-python
+Version: 0.1.0
+Summary: Python middleware adapter for Rampart IAM — JWT verification for FastAPI and Flask
+License-Expression: MIT
+License-File: LICENSE
+Requires-Python: >=3.9
+Requires-Dist: cryptography>=41.0.0
+Requires-Dist: pyjwt>=2.8.0
+Requires-Dist: requests>=2.31.0
+Provides-Extra: dev
+Requires-Dist: pytest-asyncio>=0.21.0; extra == 'dev'
+Requires-Dist: pytest>=7.0.0; extra == 'dev'
+Requires-Dist: responses>=0.23.0; extra == 'dev'
+Provides-Extra: fastapi
+Requires-Dist: fastapi>=0.100.0; extra == 'fastapi'
+Provides-Extra: flask
+Requires-Dist: flask>=2.3.0; extra == 'flask'
+Description-Content-Type: text/markdown
+
+# Rampart Python Middleware
+
+JWT verification middleware for [Rampart](https://github.com/manimovassagh/rampart) IAM server. Supports **FastAPI** and **Flask**.
+
+## Installation
+
+```bash
+# Core (PyJWT + cryptography)
+pip install rampart-python
+
+# With FastAPI support
+pip install rampart-python[fastapi]
+
+# With Flask support
+pip install rampart-python[flask]
+```
+
+## FastAPI
+
+### Basic Authentication
+
+```python
+from fastapi import Depends, FastAPI
+from rampart import RampartClaims
+from rampart.fastapi import rampart_auth
+
+app = FastAPI()
+auth = rampart_auth("https://auth.example.com")
+
+@app.get("/me")
+async def me(claims: RampartClaims = Depends(auth)):
+    return {
+        "user_id": claims.sub,
+        "email": claims.email,
+        "roles": claims.roles,
+    }
+```
+
+### Role-Based Access Control
+
+```python
+from rampart.fastapi import rampart_auth, require_roles_from_claims
+
+auth = rampart_auth("https://auth.example.com")
+check_admin = require_roles_from_claims("admin")
+
+@app.get("/admin/users")
+async def list_users(claims: RampartClaims = Depends(auth)):
+    check_admin(claims)  # Raises 403 if "admin" role is missing
+    return {"users": ["..."]}
+```
+
+## Flask
+
+### Basic Authentication
+
+```python
+from flask import Flask, g
+from rampart.flask import rampart_auth
+
+app = Flask(__name__)
+
+@app.route("/me")
+@rampart_auth("https://auth.example.com")
+def me():
+    return {
+        "user_id": g.auth.sub,
+        "email": g.auth.email,
+        "roles": g.auth.roles,
+    }
+```
+
+### Role-Based Access Control
+
+```python
+from rampart.flask import rampart_auth, require_roles
+
+@app.route("/admin/users")
+@rampart_auth("https://auth.example.com")
+@require_roles("admin")
+def list_users():
+    return {"users": ["..."]}
+```
+
+## Direct Usage (No Framework)
+
+```python
+from rampart import RampartAuth
+
+auth = RampartAuth(issuer="https://auth.example.com")
+claims = auth.verify_token(raw_jwt_string)
+
+print(claims.sub)       # "user-123"
+print(claims.email)     # "user@example.com"
+print(claims.roles)     # ["admin", "user"]
+print(claims.org_id)    # "org-456"
+```
+
+## Claims
+
+Verified tokens return a `RampartClaims` dataclass:
+
+| Field                | Type           | Description                    |
+|----------------------|----------------|--------------------------------|
+| `sub`                | `str`          | Subject (user ID)              |
+| `iss`                | `str`          | Issuer URL                     |
+| `iat`                | `int`          | Issued-at timestamp            |
+| `exp`                | `int`          | Expiration timestamp           |
+| `org_id`             | `str | None`   | Organization / tenant ID       |
+| `preferred_username` | `str | None`   | Username                       |
+| `email`              | `str | None`   | Email address                  |
+| `email_verified`     | `bool | None`  | Whether email is verified      |
+| `given_name`         | `str | None`   | First name                     |
+| `family_name`        | `str | None`   | Last name                      |
+| `roles`              | `list[str]`    | Assigned roles                 |
+
+## Configuration Options
+
+```python
+RampartAuth(
+    issuer="https://auth.example.com",  # Required: Rampart server URL
+    audience="my-api",                   # Optional: expected audience claim
+    jwks_cache_ttl=300,                  # JWKS cache lifetime in seconds (default: 300)
+    algorithms=["RS256"],                # Allowed JWT algorithms (default: ["RS256"])
+)
+```
+
+## Running Tests
+
+```bash
+pip install -e ".[dev]"
+pytest tests/
+```

rampart_python-0.1.0/README.md

@@ -0,0 +1,133 @@
+# Rampart Python Middleware
+
+JWT verification middleware for [Rampart](https://github.com/manimovassagh/rampart) IAM server. Supports **FastAPI** and **Flask**.
+
+## Installation
+
+```bash
+# Core (PyJWT + cryptography)
+pip install rampart-python
+
+# With FastAPI support
+pip install rampart-python[fastapi]
+
+# With Flask support
+pip install rampart-python[flask]
+```
+
+## FastAPI
+
+### Basic Authentication
+
+```python
+from fastapi import Depends, FastAPI
+from rampart import RampartClaims
+from rampart.fastapi import rampart_auth
+
+app = FastAPI()
+auth = rampart_auth("https://auth.example.com")
+
+@app.get("/me")
+async def me(claims: RampartClaims = Depends(auth)):
+    return {
+        "user_id": claims.sub,
+        "email": claims.email,
+        "roles": claims.roles,
+    }
+```
+
+### Role-Based Access Control
+
+```python
+from rampart.fastapi import rampart_auth, require_roles_from_claims
+
+auth = rampart_auth("https://auth.example.com")
+check_admin = require_roles_from_claims("admin")
+
+@app.get("/admin/users")
+async def list_users(claims: RampartClaims = Depends(auth)):
+    check_admin(claims)  # Raises 403 if "admin" role is missing
+    return {"users": ["..."]}
+```
+
+## Flask
+
+### Basic Authentication
+
+```python
+from flask import Flask, g
+from rampart.flask import rampart_auth
+
+app = Flask(__name__)
+
+@app.route("/me")
+@rampart_auth("https://auth.example.com")
+def me():
+    return {
+        "user_id": g.auth.sub,
+        "email": g.auth.email,
+        "roles": g.auth.roles,
+    }
+```
+
+### Role-Based Access Control
+
+```python
+from rampart.flask import rampart_auth, require_roles
+
+@app.route("/admin/users")
+@rampart_auth("https://auth.example.com")
+@require_roles("admin")
+def list_users():
+    return {"users": ["..."]}
+```
+
+## Direct Usage (No Framework)
+
+```python
+from rampart import RampartAuth
+
+auth = RampartAuth(issuer="https://auth.example.com")
+claims = auth.verify_token(raw_jwt_string)
+
+print(claims.sub)       # "user-123"
+print(claims.email)     # "user@example.com"
+print(claims.roles)     # ["admin", "user"]
+print(claims.org_id)    # "org-456"
+```
+
+## Claims
+
+Verified tokens return a `RampartClaims` dataclass:
+
+| Field                | Type           | Description                    |
+|----------------------|----------------|--------------------------------|
+| `sub`                | `str`          | Subject (user ID)              |
+| `iss`                | `str`          | Issuer URL                     |
+| `iat`                | `int`          | Issued-at timestamp            |
+| `exp`                | `int`          | Expiration timestamp           |
+| `org_id`             | `str | None`   | Organization / tenant ID       |
+| `preferred_username` | `str | None`   | Username                       |
+| `email`              | `str | None`   | Email address                  |
+| `email_verified`     | `bool | None`  | Whether email is verified      |
+| `given_name`         | `str | None`   | First name                     |
+| `family_name`        | `str | None`   | Last name                      |
+| `roles`              | `list[str]`    | Assigned roles                 |
+
+## Configuration Options
+
+```python
+RampartAuth(
+    issuer="https://auth.example.com",  # Required: Rampart server URL
+    audience="my-api",                   # Optional: expected audience claim
+    jwks_cache_ttl=300,                  # JWKS cache lifetime in seconds (default: 300)
+    algorithms=["RS256"],                # Allowed JWT algorithms (default: ["RS256"])
+)
+```
+
+## Running Tests
+
+```bash
+pip install -e ".[dev]"
+pytest tests/
+```

rampart_python-0.1.0/pyproject.toml

@@ -0,0 +1,28 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.backends"
+
+[project]
+name = "rampart-python"
+version = "0.1.0"
+description = "Python middleware adapter for Rampart IAM — JWT verification for FastAPI and Flask"
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.9"
+dependencies = [
+    "PyJWT>=2.8.0",
+    "cryptography>=41.0.0",
+    "requests>=2.31.0",
+]
+
+[project.optional-dependencies]
+fastapi = ["fastapi>=0.100.0"]
+flask = ["flask>=2.3.0"]
+dev = [
+    "pytest>=7.0.0",
+    "pytest-asyncio>=0.21.0",
+    "responses>=0.23.0",
+]
+
+[tool.hatch.build.targets.wheel]
+packages = ["rampart"]

rampart_python-0.1.0/tests/test_middleware.py

@@ -0,0 +1,203 @@
+"""Tests for Rampart Python middleware."""
+
+from __future__ import annotations
+
+import json
+import time
+from dataclasses import asdict
+from typing import Any, Dict
+
+import jwt as pyjwt
+import pytest
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+
+from rampart.middleware import RampartAuth, RampartClaims
+
+# ---------------------------------------------------------------------------
+# Helpers: generate RSA keys and JWKS for testing
+# ---------------------------------------------------------------------------
+
+ISSUER = "https://auth.example.com"
+
+
+def _generate_rsa_keypair():
+    """Generate an RSA private key and its public key."""
+    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    return private_key
+
+
+def _private_key_pem(private_key) -> bytes:
+    return private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.PKCS8,
+        encryption_algorithm=serialization.NoEncryption(),
+    )
+
+
+def _build_jwks_response(private_key) -> Dict[str, Any]:
+    """Build a JWKS JSON response from an RSA private key."""
+    from jwt.algorithms import RSAAlgorithm
+
+    public_key = private_key.public_key()
+    jwk_dict = json.loads(RSAAlgorithm.to_jwk(public_key))
+    jwk_dict["kid"] = "test-key-1"
+    jwk_dict["use"] = "sig"
+    jwk_dict["alg"] = "RS256"
+    return {"keys": [jwk_dict]}
+
+
+def _sign_token(private_key, claims: Dict[str, Any]) -> str:
+    """Sign a JWT with the given private key."""
+    return pyjwt.encode(
+        claims,
+        _private_key_pem(private_key),
+        algorithm="RS256",
+        headers={"kid": "test-key-1"},
+    )
+
+
+# ---------------------------------------------------------------------------
+# Fixtures
+# ---------------------------------------------------------------------------
+
+@pytest.fixture()
+def rsa_key():
+    return _generate_rsa_keypair()
+
+
+@pytest.fixture()
+def jwks_json(rsa_key):
+    return _build_jwks_response(rsa_key)
+
+
+@pytest.fixture()
+def valid_claims() -> Dict[str, Any]:
+    now = int(time.time())
+    return {
+        "sub": "user-123",
+        "iss": ISSUER,
+        "iat": now,
+        "exp": now + 3600,
+        "org_id": "org-456",
+        "preferred_username": "jdoe",
+        "email": "jdoe@example.com",
+        "email_verified": True,
+        "given_name": "Jane",
+        "family_name": "Doe",
+        "roles": ["admin", "user"],
+    }
+
+
+# ---------------------------------------------------------------------------
+# Unit tests for RampartClaims
+# ---------------------------------------------------------------------------
+
+
+class TestRampartClaims:
+    def test_defaults(self):
+        claims = RampartClaims(sub="u1", iss=ISSUER, iat=0, exp=0)
+        assert claims.roles == []
+        assert claims.org_id is None
+        assert claims.email is None
+
+    def test_full_claims(self, valid_claims):
+        claims = RampartClaims(**valid_claims)
+        assert claims.sub == "user-123"
+        assert claims.roles == ["admin", "user"]
+        assert claims.email_verified is True
+
+    def test_asdict(self, valid_claims):
+        claims = RampartClaims(**valid_claims)
+        d = asdict(claims)
+        assert d["sub"] == "user-123"
+        assert isinstance(d["roles"], list)
+
+
+# ---------------------------------------------------------------------------
+# Unit tests for RampartAuth.verify_token
+# ---------------------------------------------------------------------------
+
+
+class TestRampartAuthVerifyToken:
+    def test_verify_valid_token(self, rsa_key, jwks_json, valid_claims, responses_mock):
+        """A correctly signed token with valid claims should verify successfully."""
+        responses_mock.get(
+            f"{ISSUER}/.well-known/jwks.json",
+            json=jwks_json,
+        )
+        auth = RampartAuth(issuer=ISSUER)
+        token = _sign_token(rsa_key, valid_claims)
+        result = auth.verify_token(token)
+
+        assert result.sub == "user-123"
+        assert result.iss == ISSUER
+        assert result.roles == ["admin", "user"]
+        assert result.email == "jdoe@example.com"
+
+    def test_expired_token_raises(self, rsa_key, jwks_json, valid_claims, responses_mock):
+        """An expired token should raise ExpiredSignatureError."""
+        responses_mock.get(f"{ISSUER}/.well-known/jwks.json", json=jwks_json)
+        auth = RampartAuth(issuer=ISSUER)
+
+        valid_claims["exp"] = int(time.time()) - 3600
+        token = _sign_token(rsa_key, valid_claims)
+
+        with pytest.raises(pyjwt.ExpiredSignatureError):
+            auth.verify_token(token)
+
+    def test_wrong_issuer_raises(self, rsa_key, jwks_json, valid_claims, responses_mock):
+        """A token with a different issuer should be rejected."""
+        responses_mock.get(f"{ISSUER}/.well-known/jwks.json", json=jwks_json)
+        auth = RampartAuth(issuer=ISSUER)
+
+        valid_claims["iss"] = "https://evil.example.com"
+        token = _sign_token(rsa_key, valid_claims)
+
+        with pytest.raises(pyjwt.InvalidIssuerError):
+            auth.verify_token(token)
+
+    def test_roles_as_string_normalized(self, rsa_key, jwks_json, valid_claims, responses_mock):
+        """If roles is a single string, it should be wrapped in a list."""
+        responses_mock.get(f"{ISSUER}/.well-known/jwks.json", json=jwks_json)
+        auth = RampartAuth(issuer=ISSUER)
+
+        valid_claims["roles"] = "admin"
+        token = _sign_token(rsa_key, valid_claims)
+        result = auth.verify_token(token)
+
+        assert result.roles == ["admin"]
+
+    def test_missing_optional_claims(self, rsa_key, jwks_json, responses_mock):
+        """Tokens without optional claims should still verify."""
+        responses_mock.get(f"{ISSUER}/.well-known/jwks.json", json=jwks_json)
+        auth = RampartAuth(issuer=ISSUER)
+
+        now = int(time.time())
+        minimal_claims = {
+            "sub": "user-minimal",
+            "iss": ISSUER,
+            "iat": now,
+            "exp": now + 3600,
+        }
+        token = _sign_token(rsa_key, minimal_claims)
+        result = auth.verify_token(token)
+
+        assert result.sub == "user-minimal"
+        assert result.roles == []
+        assert result.email is None
+        assert result.org_id is None
+
+
+# ---------------------------------------------------------------------------
+# Pytest fixture for `responses` library
+# ---------------------------------------------------------------------------
+
+
+@pytest.fixture()
+def responses_mock():
+    """Activate the responses library to mock HTTP requests."""
+    import responses
+
+    with responses.RequestsMock() as rsps:
+        yield rsps