sysnet-auth 0.2.3__tar.gz → 0.2.4__tar.gz

{sysnet_auth-0.2.3/sysnet_auth.egg-info → sysnet_auth-0.2.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sysnet-auth
-Version: 0.2.3
+Version: 0.2.4
 Summary: Sdilena autentizacni knihovna pro FastAPI mikrosluzby s Keycloack (OIDC/JWT).
 Author: SYSNET s.r.o.
 License: GNU Affero General Public License v3
@@ -21,19 +21,19 @@ Classifier: License :: OSI Approved :: GNU Affero General Public License v3
 Requires-Python: >=3.11
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: fastapi>=0.115
-Requires-Dist: pydantic>=2.9
-Requires-Dist: pydantic-settings>=2.3
-Requires-Dist: pyjwt[crypto]>=2.9
-Requires-Dist: httpx>=0.27
+Requires-Dist: fastapi<1,>=0.115
+Requires-Dist: pydantic<3,>=2.9
+Requires-Dist: pydantic-settings<3,>=2.3
+Requires-Dist: pyjwt[crypto]<3,>=2.9
+Requires-Dist: httpx<1,>=0.27
 Requires-Dist: sysnet-pyutils>=0.1
 Provides-Extra: dev
-Requires-Dist: pytest>=8.0; extra == "dev"
-Requires-Dist: pytest-asyncio>=0.23; extra == "dev"
-Requires-Dist: pytest-cov>=5.0; extra == "dev"
-Requires-Dist: cryptography>=42.0; extra == "dev"
-Requires-Dist: mypy>=1.11; extra == "dev"
-Requires-Dist: ruff>=0.6; extra == "dev"
+Requires-Dist: pytest<10,>=8.0; extra == "dev"
+Requires-Dist: pytest-asyncio<1,>=0.23; extra == "dev"
+Requires-Dist: pytest-cov<8,>=5.0; extra == "dev"
+Requires-Dist: cryptography<48,>=42.0; extra == "dev"
+Requires-Dist: mypy<2,>=1.11; extra == "dev"
+Requires-Dist: ruff<1,>=0.6; extra == "dev"
 Dynamic: license-file
 
 # sysnet-auth (import path: `auth_lib`)

{sysnet_auth-0.2.3 → sysnet_auth-0.2.4}/auth_lib/__init__.py

@@ -9,7 +9,8 @@ Verzovani:
     se cte pres ``importlib.metadata``, aby nedochazelo k drift mezi nimi.
 """
 
-from importlib.metadata import PackageNotFoundError, version as _pkg_version
+from importlib.metadata import PackageNotFoundError
+from importlib.metadata import version as _pkg_version
 
 from auth_lib.config import AuthSettings, get_settings
 from auth_lib.dependencies import (

{sysnet_auth-0.2.3 → sysnet_auth-0.2.4}/auth_lib/config.py

@@ -76,6 +76,15 @@ class AuthSettings(BaseSettings):
         ),
     )
 
+    verify_keycloak: bool = Field(
+        default=True,
+        description=(
+            "Pokud False, preskoci se overovani podpisu JWT vuci Keycloak JWKS. "
+            "Vhodne pro lokalni vyvoj a testovani bez beziciho Keycloaku. "
+            "NIKDY nepouzivat v produkci."
+        ),
+    )
+
     @field_validator("keycloak_url")
     @classmethod
     def _strip_trailing_slash(cls, v: str) -> str:
@@ -89,6 +98,7 @@ class AuthSettings(BaseSettings):
             s = v.strip()
             if s.startswith("["):
                 import json
+
                 try:
                     parsed = json.loads(s)
                     if isinstance(parsed, list):
@@ -111,4 +121,4 @@ class AuthSettings(BaseSettings):
 @lru_cache(maxsize=1)
 def get_settings() -> AuthSettings:
     """Vrati cachovanou instanci settings. Reset pres get_settings.cache_clear()."""
-    return AuthSettings()  # type: ignore[call-arg]
+    return AuthSettings()

{sysnet_auth-0.2.3 → sysnet_auth-0.2.4}/auth_lib/dependencies.py

@@ -61,33 +61,48 @@ async def _decode_token(
         raise InvalidTokenError(f"Malformed token header: {exc}") from exc
 
     kid = header.get("kid")
-    if not kid:
+    if settings.verify_keycloak and not kid:
         raise InvalidTokenError("Token header missing 'kid'")
 
-    jwk = await jwks_client.get_key(kid)
-    public_key = _jwk_to_public_key(jwk)
+    public_key = None
+    if settings.verify_keycloak:
+        jwk = await jwks_client.get_key(kid)
+        public_key = _jwk_to_public_key(jwk)
 
     try:
+        # Robustní audience: PyJWT neumí nativně list v aud, pokud hledáme string.
+        # Vypneme nativní kontrolu a uděláme ji ručně níže.
+        decode_options = {
+            "require": ["exp", "iat", "iss", "aud", "sub"],
+            "verify_signature": settings.verify_keycloak,
+            "verify_exp": True,
+            "verify_iat": True,
+            "verify_iss": True,
+            "verify_aud": False,  # Manuálně
+        }
+
         claims = jwt.decode(
             token,
             key=public_key,
             algorithms=settings.algorithms,
-            audience=settings.audience,
             issuer=settings.issuer,
             leeway=settings.leeway_seconds,
-            options={
-                "require": ["exp", "iat", "iss", "aud", "sub"],
-                "verify_signature": True,
-                "verify_exp": True,
-                "verify_iat": True,
-                "verify_iss": True,
-                "verify_aud": True,
-            },
+            options=decode_options,
         )
+
+        # Manuální kontrola audience (podpora pro list i string)
+        token_aud = claims.get("aud")
+        target_aud = settings.audience
+        if isinstance(token_aud, list):
+            if target_aud not in token_aud:
+                raise jwt.InvalidAudienceError(f"Audience {target_aud!r} not in token {token_aud!r}")
+        elif token_aud != target_aud:
+            raise jwt.InvalidAudienceError(f"Audience mismatch: expected {target_aud!r}, got {token_aud!r}")
+
     except jwt.ExpiredSignatureError as exc:
         raise InvalidTokenError("Token has expired") from exc
     except jwt.InvalidAudienceError as exc:
-        raise InvalidTokenError("Invalid token audience") from exc
+        raise InvalidTokenError(str(exc)) from exc
     except jwt.InvalidIssuerError as exc:
         raise InvalidTokenError("Invalid token issuer") from exc
     except jwt.InvalidSignatureError as exc:
@@ -101,7 +116,6 @@ async def _decode_token(
 
 
 async def get_current_user(
-    request: Request,
     credentials: HTTPAuthorizationCredentials | None = Depends(_bearer_scheme),
     settings: AuthSettings = Depends(get_settings),
 ) -> AuthenticatedUser:
@@ -114,8 +128,6 @@ async def get_current_user(
     Pokud settings.resource_client je nastaveny, role se mergujou z:
         realm_access.roles + resource_access.<resource_client>.roles
     """
-    _ = request
-
     if credentials is None or not credentials.credentials:
         exc = InvalidTokenError("Missing Authorization bearer token")
         _emit_rejected(exc)

{sysnet_auth-0.2.3 → sysnet_auth-0.2.4}/auth_lib/observability.py

@@ -56,7 +56,7 @@ def remove_listener(fn: Callable[..., None]) -> None:
     """Odebere callback ze vsech registru."""
     for registry in (_on_validated, _on_rejected, _on_jwks_refresh):
         if fn in registry:
-            registry.remove(fn)  # type: ignore[arg-type]
+            registry.remove(fn)
 
 
 def clear_listeners() -> None:
@@ -82,7 +82,7 @@ def install_sysnet_logging() -> None:
 
     logger = Log().logger
 
-    def _on_ok(user: "AuthenticatedUser") -> None:
+    def _on_ok(user: AuthenticatedUser) -> None:
         logger.info("auth_lib: token validated (sub=%s, roles=%d)", user.sub, len(user.roles))
 
     def _on_err(exc: BaseException) -> None:
@@ -104,7 +104,7 @@ def install_sysnet_logging() -> None:
 # ----- interni emitery (vola knihovna) --------------------------------
 
 
-def _emit_validated(user: "AuthenticatedUser") -> None:
+def _emit_validated(user: AuthenticatedUser) -> None:
     for h in list(_on_validated):
         try:
             h(user)

{sysnet_auth-0.2.3 → sysnet_auth-0.2.4}/pyproject.toml

@@ -3,9 +3,9 @@ requires = ["setuptools>=68", "wheel"]
 build-backend = "setuptools.build_meta"
 
 [project]
-# Distribucni nazev na internim PyPi. Import path zustava ``auth_lib``.
+# Distribucni nazev na internim PyPi. Import path zustava \`\`auth_lib\`\`.
 name = "sysnet-auth"
-version = "0.2.3"
+version = "0.2.4"
 description = "Sdilena autentizacni knihovna pro FastAPI mikrosluzby s Keycloack (OIDC/JWT)."
 readme = "README.md"
 requires-python = ">=3.11"
@@ -27,22 +27,22 @@ classifiers = [
 ]
 
 dependencies = [
-    "fastapi>=0.115",
-    "pydantic>=2.9",
-    "pydantic-settings>=2.3",
-    "pyjwt[crypto]>=2.9",
-    "httpx>=0.27",
+    "fastapi>=0.115,<1",
+    "pydantic>=2.9,<3",
+    "pydantic-settings>=2.3,<3",
+    "pyjwt[crypto]>=2.9,<3",
+    "httpx>=0.27,<1",
     "sysnet-pyutils>=0.1",
 ]
 
 [project.optional-dependencies]
 dev = [
-    "pytest>=8.0",
-    "pytest-asyncio>=0.23",
-    "pytest-cov>=5.0",
-    "cryptography>=42.0",
-    "mypy>=1.11",
-    "ruff>=0.6",
+    "pytest>=8.0,<10",
+    "pytest-asyncio>=0.23,<1",
+    "pytest-cov>=5.0,<8",
+    "cryptography>=42.0,<48",
+    "mypy>=1.11,<2",
+    "ruff>=0.6,<1",
 ]
 
 [project.urls]
@@ -60,7 +60,9 @@ exclude = ["tests*"]
 "auth_lib" = ["py.typed"]
 
 [tool.pytest.ini_options]
+# Explicitne vyzadujeme asyncio pro testy
 asyncio_mode = "auto"
+asyncio_default_fixture_loop_scope = "function"
 testpaths = ["tests"]
 addopts = "-ra --strict-markers"
 
@@ -70,7 +72,7 @@ target-version = "py311"
 
 [tool.ruff.lint]
 select = ["E", "F", "W", "I", "B", "UP", "ASYNC", "S", "SIM"]
-ignore = ["S101"]  # asserts v testech jsou ok
+ignore = ["S101", "B008"]
 
 [tool.ruff.lint.per-file-ignores]
 "tests/*" = ["S", "B"]
@@ -84,6 +86,10 @@ show_error_codes = true
 disallow_any_generics = true
 plugins = ["pydantic.mypy"]
 
+[[tool.mypy.overrides]]
+module = ["tests.*", "scripts.*"]
+ignore_errors = true
+
 [[tool.mypy.overrides]]
 module = "jwt.*"
 ignore_missing_imports = true
@@ -91,3 +97,7 @@ ignore_missing_imports = true
 [[tool.mypy.overrides]]
 module = "sysnet_pyutils.*"
 ignore_missing_imports = true
+
+[[tool.mypy.overrides]]
+module = "tomli.*"
+ignore_missing_imports = true

{sysnet_auth-0.2.3 → sysnet_auth-0.2.4/sysnet_auth.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sysnet-auth
-Version: 0.2.3
+Version: 0.2.4
 Summary: Sdilena autentizacni knihovna pro FastAPI mikrosluzby s Keycloack (OIDC/JWT).
 Author: SYSNET s.r.o.
 License: GNU Affero General Public License v3
@@ -21,19 +21,19 @@ Classifier: License :: OSI Approved :: GNU Affero General Public License v3
 Requires-Python: >=3.11
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: fastapi>=0.115
-Requires-Dist: pydantic>=2.9
-Requires-Dist: pydantic-settings>=2.3
-Requires-Dist: pyjwt[crypto]>=2.9
-Requires-Dist: httpx>=0.27
+Requires-Dist: fastapi<1,>=0.115
+Requires-Dist: pydantic<3,>=2.9
+Requires-Dist: pydantic-settings<3,>=2.3
+Requires-Dist: pyjwt[crypto]<3,>=2.9
+Requires-Dist: httpx<1,>=0.27
 Requires-Dist: sysnet-pyutils>=0.1
 Provides-Extra: dev
-Requires-Dist: pytest>=8.0; extra == "dev"
-Requires-Dist: pytest-asyncio>=0.23; extra == "dev"
-Requires-Dist: pytest-cov>=5.0; extra == "dev"
-Requires-Dist: cryptography>=42.0; extra == "dev"
-Requires-Dist: mypy>=1.11; extra == "dev"
-Requires-Dist: ruff>=0.6; extra == "dev"
+Requires-Dist: pytest<10,>=8.0; extra == "dev"
+Requires-Dist: pytest-asyncio<1,>=0.23; extra == "dev"
+Requires-Dist: pytest-cov<8,>=5.0; extra == "dev"
+Requires-Dist: cryptography<48,>=42.0; extra == "dev"
+Requires-Dist: mypy<2,>=1.11; extra == "dev"
+Requires-Dist: ruff<1,>=0.6; extra == "dev"
 Dynamic: license-file
 
 # sysnet-auth (import path: `auth_lib`)

sysnet_auth-0.2.4/sysnet_auth.egg-info/requires.txt

@@ -0,0 +1,14 @@
+fastapi<1,>=0.115
+pydantic<3,>=2.9
+pydantic-settings<3,>=2.3
+pyjwt[crypto]<3,>=2.9
+httpx<1,>=0.27
+sysnet-pyutils>=0.1
+
+[dev]
+pytest<10,>=8.0
+pytest-asyncio<1,>=0.23
+pytest-cov<8,>=5.0
+cryptography<48,>=42.0
+mypy<2,>=1.11
+ruff<1,>=0.6

{sysnet_auth-0.2.3 → sysnet_auth-0.2.4}/tests/test_edges.py

@@ -13,8 +13,6 @@ Pokryva:
 from __future__ import annotations
 
 import json
-import types
-from typing import Any
 
 import httpx
 import pytest
@@ -26,7 +24,6 @@ from auth_lib.config import AuthSettings
 from auth_lib.dependencies import _jwk_to_public_key, install_exception_handlers
 from auth_lib.jwks import JWKSClient, reset_jwks_client
 
-
 # ----- _fetch happy path + malformed --------------------------------
 
 

{sysnet_auth-0.2.3 → sysnet_auth-0.2.4}/tests/test_features.py

@@ -13,7 +13,6 @@ from __future__ import annotations
 
 import time
 import types
-from typing import Any
 
 import httpx
 import pytest
@@ -35,7 +34,6 @@ from auth_lib import (
 )
 from auth_lib import observability as obs
 
-
 # ---------- Observability hooks ----------
 
 
@@ -115,6 +113,7 @@ def test_install_sysnet_logging_is_idempotent():
 def test_jwks_refresh_hook_fires(test_settings, public_jwk):
     """Fire kdyz _fetch uspesne dobehne."""
     import json
+
     clear_listeners()
     captured: list[int] = []
 
@@ -132,6 +131,7 @@ def test_jwks_refresh_hook_fires(test_settings, public_jwk):
     http = httpx.AsyncClient(transport=_T())
 
     import asyncio
+
     async def run():
         c = JWKSClient(test_settings, http_client=http)
         await c.refresh()
@@ -194,9 +194,10 @@ def test_install_exception_handlers_returns_error_model_shape():
 def test_resource_client_merges_client_roles(public_jwk, private_pem):
     """get_current_user pri AUTH_RESOURCE_CLIENT=my-api mergne client role."""
     import jwt as pyjwt
+
+    from auth_lib import jwks as jwks_mod
     from auth_lib.config import AuthSettings
     from auth_lib.dependencies import get_current_user
-    from auth_lib import jwks as jwks_mod
     from auth_lib.jwks import JWKSClient
 
     settings = AuthSettings(
@@ -238,6 +239,7 @@ def test_resource_client_merges_client_roles(public_jwk, private_pem):
     # novy prepsal po ni. Obnovim do puvodniho pri exitu.
     try:
         from auth_lib.config import get_settings
+
         app.dependency_overrides[get_settings] = lambda: settings
         c = TestClient(app)
         r = c.get("/who", headers={"Authorization": f"Bearer {token}"})
@@ -265,7 +267,7 @@ async def test_kid_miss_cooldown_refreshes_when_enabled(public_jwk):
     # Fresh cache ale bez hledaneho kidu
     c._keys_by_kid = {"old-kid": {"kid": "old-kid"}}
     c._expires_at = time.monotonic() + 3600
-    c._last_refresh_at = 0.0  # cooldown uplynul
+    c._last_refresh_at = -9999.0  # cooldown uplynul (zarucene na jakemkoliv systemu)
 
     fetch_calls: list[int] = [0]
     new_kid = public_jwk["kid"]
@@ -343,6 +345,7 @@ def test_emit_rejected_hook_error_is_swallowed(client, token_factory):
 def test_emit_jwks_refresh_hook_error_is_swallowed(test_settings, public_jwk):
     import asyncio
     import json
+
     clear_listeners()
 
     @on_jwks_refresh
@@ -354,6 +357,7 @@ def test_emit_jwks_refresh_hook_error_is_swallowed(test_settings, public_jwk):
             return httpx.Response(200, content=json.dumps({"keys": [public_jwk]}).encode())
 
     from auth_lib.jwks import JWKSClient
+
     http = httpx.AsyncClient(transport=_T())
 
     async def run():
@@ -371,9 +375,9 @@ async def test_get_jwks_client_singleton_single_flight():
     """Overime, ze paralelni volani vrati tentyz singleton."""
     import asyncio
 
-    from auth_lib.jwks import get_jwks_client, reset_jwks_client
     from auth_lib import jwks as jwks_mod
-    from auth_lib.config import get_settings, AuthSettings
+    from auth_lib.config import AuthSettings, get_settings
+    from auth_lib.jwks import get_jwks_client, reset_jwks_client
 
     # Nastavime settings pro proces
     get_settings.cache_clear()
@@ -382,15 +386,12 @@ async def test_get_jwks_client_singleton_single_flight():
 
     # Potrebujeme env pro AuthSettings() - prepiseme cache direct
     settings = AuthSettings(keycloak_url="https://kc", realm="r", audience="a")
-    from functools import lru_cache
     original = get_settings
     try:
         # Prepiseme lru_cache - vratime stejny settings
         jwks_mod.get_settings = lambda: settings
 
-        results = await asyncio.gather(
-            get_jwks_client(), get_jwks_client(), get_jwks_client()
-        )
+        results = await asyncio.gather(get_jwks_client(), get_jwks_client(), get_jwks_client())
         assert all(r is results[0] for r in results)
     finally:
         jwks_mod.get_settings = original

{sysnet_auth-0.2.3 → sysnet_auth-0.2.4}/tests/test_jwt.py

@@ -86,7 +86,10 @@ def test_malformed_token_returns_401(client: TestClient) -> None:
 
 
 @pytest.mark.asyncio
-async def test_jwks_cache_fetches_once_under_concurrency(mocked_jwks_client, public_jwk: dict) -> None:
+async def test_jwks_cache_fetches_once_under_concurrency(
+    mocked_jwks_client,
+    public_jwk: dict,
+) -> None:
     """Single-flight chovani JWKS cache - 50 soubeznych volani = 1 fetch."""
     import asyncio
     import time as _time
@@ -114,10 +117,11 @@ async def test_jwks_cache_fetches_once_under_concurrency(mocked_jwks_client, pub
 @pytest.mark.asyncio
 async def test_jwks_kid_missing_after_refresh_is_invalid_token(test_settings, public_jwk) -> None:
     """Stale cache, refresh doplni cache, ale bez hledaneho kidu -> InvalidTokenError."""
-    import types
     import time as _time
-    from auth_lib.jwks import JWKSClient
+    import types
+
     from auth_lib.exceptions import InvalidTokenError
+    from auth_lib.jwks import JWKSClient
 
     client = JWKSClient(test_settings)
 
@@ -136,11 +140,11 @@ async def test_jwks_kid_missing_after_refresh_is_invalid_token(test_settings, pu
 @pytest.mark.asyncio
 async def test_jwks_refresh_network_error_maps_to_config_error(test_settings) -> None:
     """Fetch selhe -> AuthConfigurationError (500)."""
-    import types
-    from auth_lib.jwks import JWKSClient
-    from auth_lib.exceptions import AuthConfigurationError
     import httpx
 
+    from auth_lib.exceptions import AuthConfigurationError
+    from auth_lib.jwks import JWKSClient
+
     client = JWKSClient(test_settings)
 
     async def broken_get(url):
@@ -157,8 +161,9 @@ async def test_jwks_refresh_network_error_maps_to_config_error(test_settings) ->
 @pytest.mark.asyncio
 async def test_jwks_refresh_invalidates_and_reloads(mocked_jwks_client, public_jwk: dict) -> None:
     """invalidate() + refresh() -> nova data v cache."""
-    import types
     import time as _time
+    import types
+
     from tests.conftest import TEST_KID
 
     async def fake_fetch(self) -> None:

sysnet_auth-0.2.3/sysnet_auth.egg-info/requires.txt

@@ -1,14 +0,0 @@
-fastapi>=0.115
-pydantic>=2.9
-pydantic-settings>=2.3
-pyjwt[crypto]>=2.9
-httpx>=0.27
-sysnet-pyutils>=0.1
-
-[dev]
-pytest>=8.0
-pytest-asyncio>=0.23
-pytest-cov>=5.0
-cryptography>=42.0
-mypy>=1.11
-ruff>=0.6