tigrbl-auth 0.3.2.dev2__py3-none-any.whl → 0.4.0.dev2__py3-none-any.whl

tigrbl_auth/__init__.py

@@ -1,218 +1,109 @@
-"""tigrbl_auth – OAuth utilities and helpers.
+"""tigrbl_auth
 
-This package aggregates optional helpers for various OAuth 2.0 RFCs such as
-RFC 7636 (PKCE), RFC 8705 (mutual-TLS client authentication), and RFC 9396
-(Rich Authorization Requests).
+Tigrbl-native authentication and authorization package checkpoint.
+
+This package keeps top-level imports lightweight for governance and report
+workflows while still exposing the dependency-light RFC helper surface expected
+by the repository tests and previous checkpoints.
 """
 
-from .rfc.rfc7636_pkce import (
-    makeCodeChallenge,
-    makeCodeVerifier,
-    verify_code_challenge,
-    create_code_challenge,
-    create_code_verifier,
-)
-from .rfc.rfc8628 import (
-    generate_device_code,
-    generate_user_code,
-    validate_user_code,
-    RFC8628_SPEC_URL,
-)
-from .rfc.rfc9396 import (
-    AuthorizationDetail,
-    parse_authorization_details,
-    RFC9396_SPEC_URL,
-)
-
-from .rfc.rfc6750 import extract_bearer_token
-from .rfc import rfc7662, rfc7591, rfc7592, rfc9101
-from .rfc.rfc7662 import introspect_token, register_token, reset_tokens
-from .rfc.rfc9207 import RFC9207_SPEC_URL, extract_issuer
-from .rfc.rfc8932 import RFC8932_SPEC_URL, enforce_encrypted_dns
-from .orm.pushed_authorization_request import DEFAULT_PAR_EXPIRY
-from .rfc.rfc8707 import extract_resource, RFC8707_SPEC_URL
-from .rfc.rfc8705 import (
-    RFC8705_SPEC_URL,
-    thumbprint_from_cert_pem,
-    validate_certificate_binding,
-)
-from .rfc.rfc8252 import is_native_redirect_uri, validate_native_redirect_uri
-from .rfc.rfc7638 import jwk_thumbprint, verify_jwk_thumbprint
-from .rfc.rfc7800 import add_cnf_claim, verify_proof_of_possession
-from .rfc.rfc8291 import encrypt_push_message, decrypt_push_message, RFC8291_SPEC_URL
-from .rfc.rfc8812 import (
-    is_webauthn_algorithm,
-    WEBAUTHN_ALGORITHMS,
-    RFC8812_SPEC_URL,
-)
-from .rfc.rfc9068 import add_rfc9068_claims, validate_rfc9068_claims
-from .rfc.rfc8037 import sign_eddsa, verify_eddsa, RFC8037_SPEC_URL
-from .rfc.rfc8176 import (
-    validate_amr_claim,
-    AMR_VALUES,
-    RFC8176_SPEC_URL,
-)
-
-from .rfc.rfc7515 import sign_jws, verify_jws
-from .rfc.rfc7516 import encrypt_jwe, decrypt_jwe
-from .rfc.rfc7517 import load_signing_jwk, load_public_jwk
-from .rfc.rfc7518 import supported_algorithms
-from .rfc.rfc7519 import encode_jwt, decode_jwt
-
-from .rfc.rfc7520 import jws_then_jwe, jwe_then_jws, RFC7520_SPEC_URL
-from .rfc.rfc7591 import RFC7591_SPEC_URL
-from .rfc.rfc7592 import RFC7592_SPEC_URL
-
-from .rfc.rfc7521 import validate_jwt_assertion, RFC7521_SPEC_URL
-from .rfc.rfc7523 import validate_client_jwt_bearer, RFC7523_SPEC_URL
-
-# New RFC implementations
-from .rfc.rfc8523 import (
-    validate_enhanced_jwt_bearer,
-    makeClientAssertionJwt,
-    is_jwt_replay,
-    RFC8523_SPEC_URL,
-    create_client_assertion_jwt,
-)
-from .rfc.rfc7952 import (
-    makeSecurityEventToken,
-    validate_security_event_token,
-    extract_event_data,
-    get_set_subject_identifiers,
-    makeAccountDisabledSet,
-    makeSessionRevokedSet,
-    SET_EVENT_TYPES,
-    RFC7952_SPEC_URL,
-    create_security_event_token,
-    create_account_disabled_set,
-    create_session_revoked_set,
-)
-from .rfc.rfc8693 import (
-    TokenExchangeRequest,
-    TokenExchangeResponse,
-    TokenType,
-    validate_token_exchange_request,
-    validate_subject_token,
-    exchange_token,
-    makeImpersonationToken,
-    makeDelegationToken,
-    TOKEN_EXCHANGE_GRANT_TYPE,
-    RFC8693_SPEC_URL,
-    include_rfc8693,
-    create_impersonation_token,
-    create_delegation_token,
-)
-from .rfc.rfc8932 import (
-    get_enhanced_authorization_server_metadata,
-    validate_metadata_consistency,
-    get_capability_matrix,
-)
-
-from .oidc_id_token import mint_id_token, verify_id_token
-
-__all__ = [
-    "makeCodeVerifier",
-    "makeCodeChallenge",
-    "verify_code_challenge",
-    "create_code_verifier",
-    "create_code_challenge",
-    "generate_user_code",
-    "validate_user_code",
-    "generate_device_code",
-    "RFC8628_SPEC_URL",
-    "parse_authorization_details",
-    "AuthorizationDetail",
-    "RFC9396_SPEC_URL",
-    "extract_bearer_token",
-    "extract_issuer",
-    "extract_resource",
-    "RFC8707_SPEC_URL",
-    "RFC8705_SPEC_URL",
-    "RFC9207_SPEC_URL",
-    "enforce_encrypted_dns",
-    "RFC8932_SPEC_URL",
-    "introspect_token",
-    "register_token",
-    "reset_tokens",
-    "DEFAULT_PAR_EXPIRY",
-    "thumbprint_from_cert_pem",
-    "validate_certificate_binding",
-    "add_rfc9068_claims",
-    "validate_rfc9068_claims",
-    "is_native_redirect_uri",
-    "validate_native_redirect_uri",
-    "sign_jws",
-    "verify_jws",
-    "encrypt_jwe",
-    "decrypt_jwe",
-    "load_signing_jwk",
-    "load_public_jwk",
-    "supported_algorithms",
-    "encode_jwt",
-    "decode_jwt",
-    "jws_then_jwe",
-    "jwe_then_jws",
-    "RFC7591_SPEC_URL",
-    "RFC7592_SPEC_URL",
-    "jwk_thumbprint",
-    "verify_jwk_thumbprint",
-    "add_cnf_claim",
-    "verify_proof_of_possession",
-    "encrypt_push_message",
-    "decrypt_push_message",
-    "RFC8291_SPEC_URL",
-    "is_webauthn_algorithm",
-    "WEBAUTHN_ALGORITHMS",
-    "RFC8812_SPEC_URL",
-    "validate_jwt_assertion",
-    "RFC7521_SPEC_URL",
-    "RFC7520_SPEC_URL",
-    "sign_eddsa",
-    "verify_eddsa",
-    "RFC8037_SPEC_URL",
-    "validate_amr_claim",
-    "AMR_VALUES",
-    "RFC8176_SPEC_URL",
-    "validate_client_jwt_bearer",
-    "RFC7523_SPEC_URL",
-    # New RFC implementations
-    "validate_enhanced_jwt_bearer",
-    "makeClientAssertionJwt",
-    "is_jwt_replay",
-    "RFC8523_SPEC_URL",
-    "makeSecurityEventToken",
-    "validate_security_event_token",
-    "extract_event_data",
-    "get_set_subject_identifiers",
-    "makeAccountDisabledSet",
-    "makeSessionRevokedSet",
-    "SET_EVENT_TYPES",
-    "RFC7952_SPEC_URL",
-    "TokenExchangeRequest",
-    "TokenExchangeResponse",
-    "TokenType",
-    "validate_token_exchange_request",
-    "validate_subject_token",
-    "exchange_token",
-    "makeImpersonationToken",
-    "makeDelegationToken",
-    "TOKEN_EXCHANGE_GRANT_TYPE",
-    "RFC8693_SPEC_URL",
-    "include_rfc8693",
-    "create_client_assertion_jwt",
-    "create_security_event_token",
-    "create_account_disabled_set",
-    "create_session_revoked_set",
-    "create_impersonation_token",
-    "create_delegation_token",
-    "get_enhanced_authorization_server_metadata",
-    "validate_metadata_consistency",
-    "get_capability_matrix",
-    "RFC8932_SPEC_URL",
-    "rfc7591",
-    "rfc7592",
-    "rfc7662",
-    "rfc9101",
-    "mint_id_token",
-    "verify_id_token",
-]
+from __future__ import annotations
+
+import sys
+from http import HTTPStatus as _HTTPStatus
+from importlib import import_module
+from typing import Any
+
+
+def _install_tomllib_alias() -> None:
+    """Backfill ``tomllib`` on Python 3.10 using ``tomli`` if available."""
+
+    if sys.version_info >= (3, 11):
+        return
+    try:  # pragma: no cover - exercised on Python 3.10 CI lanes
+        import tomllib as _tomllib  # noqa: F401
+    except ModuleNotFoundError:
+        try:
+            import tomli as _tomllib  # type: ignore[no-redef]
+        except ModuleNotFoundError:
+            return
+        sys.modules.setdefault("tomllib", _tomllib)
+
+
+def _install_http_status_aliases() -> None:
+    """Provide Starlette-style ``HTTP_<code>_<NAME>`` aliases on ``HTTPStatus``.
+
+    The repository tests and some release-path modules historically rely on the
+    constant-style names exported by Starlette/FastAPI. Tigrbl uses the stdlib
+    ``http.HTTPStatus`` enum, so install integer aliases once at package import
+    time to keep both surfaces compatible.
+    """
+
+    for item in _HTTPStatus:
+        alias = f"HTTP_{int(item)}_{item.name}"
+        if not hasattr(_HTTPStatus, alias):
+            setattr(_HTTPStatus, alias, int(item))
+
+_install_tomllib_alias()
+_install_http_status_aliases()
+
+_MODULE_EXPORTS = {
+    "framework": "tigrbl_auth.framework",
+    "runtime_cfg": "tigrbl_auth.runtime_cfg",
+    "rfc7591": "tigrbl_auth.rfc.rfc7591",
+    "rfc7592": "tigrbl_auth.rfc.rfc7592",
+    "rfc7662": "tigrbl_auth.rfc.rfc7662",
+    "rfc9101": "tigrbl_auth.rfc.rfc9101",
+}
+
+_SYMBOL_EXPORTS = {
+    "encode_jwt": ("tigrbl_auth.standards.jose.rfc7519", "encode_jwt"),
+    "decode_jwt": ("tigrbl_auth.standards.jose.rfc7519", "decode_jwt"),
+    "encrypt_jwe": ("tigrbl_auth.standards.jose.rfc7516", "encrypt_jwe"),
+    "decrypt_jwe": ("tigrbl_auth.standards.jose.rfc7516", "decrypt_jwe"),
+    "sign_jws": ("tigrbl_auth.standards.jose.rfc7515", "sign_jws"),
+    "verify_jws": ("tigrbl_auth.standards.jose.rfc7515", "verify_jws"),
+    "load_signing_jwk": ("tigrbl_auth.standards.jose.rfc7517", "load_signing_jwk"),
+    "load_public_jwk": ("tigrbl_auth.standards.jose.rfc7517", "load_public_jwk"),
+    "supported_algorithms": ("tigrbl_auth.standards.jose.rfc7518", "supported_algorithms"),
+    "RFC7520_SPEC_URL": ("tigrbl_auth.rfc.rfc7520", "RFC7520_SPEC_URL"),
+    "jws_then_jwe": ("tigrbl_auth.rfc.rfc7520", "jws_then_jwe"),
+    "jwe_then_jws": ("tigrbl_auth.rfc.rfc7520", "jwe_then_jws"),
+    "makeCodeVerifier": ("tigrbl_auth.rfc.rfc7636_pkce", "makeCodeVerifier"),
+    "makeCodeChallenge": ("tigrbl_auth.rfc.rfc7636_pkce", "makeCodeChallenge"),
+    "verify_code_challenge": ("tigrbl_auth.rfc.rfc7636_pkce", "verify_code_challenge"),
+    "RFC8628_SPEC_URL": ("tigrbl_auth.rfc.rfc8628", "RFC8628_SPEC_URL"),
+    "generate_user_code": ("tigrbl_auth.rfc.rfc8628", "generate_user_code"),
+    "validate_user_code": ("tigrbl_auth.rfc.rfc8628", "validate_user_code"),
+    "generate_device_code": ("tigrbl_auth.rfc.rfc8628", "generate_device_code"),
+    "RFC9207_SPEC_URL": ("tigrbl_auth.rfc.rfc9207", "RFC9207_SPEC_URL"),
+    "extract_issuer": ("tigrbl_auth.rfc.rfc9207", "extract_issuer"),
+    "AuthorizationDetail": ("tigrbl_auth.rfc.rfc9396", "AuthorizationDetail"),
+    "RFC9396_SPEC_URL": ("tigrbl_auth.rfc.rfc9396", "RFC9396_SPEC_URL"),
+    "parse_authorization_details": ("tigrbl_auth.rfc.rfc9396", "parse_authorization_details"),
+    "RFC8932_SPEC_URL": ("tigrbl_auth.rfc.rfc8932", "RFC8932_SPEC_URL"),
+    "enforce_encrypted_dns": ("tigrbl_auth.rfc.rfc8932", "enforce_encrypted_dns"),
+}
+
+
+def __getattr__(name: str) -> Any:
+    module_name = _MODULE_EXPORTS.get(name)
+    if module_name is not None:
+        module = import_module(module_name)
+        globals()[name] = module
+        return module
+    symbol = _SYMBOL_EXPORTS.get(name)
+    if symbol is not None:
+        module_name, attr_name = symbol
+        module = import_module(module_name)
+        value = getattr(module, attr_name)
+        globals()[name] = value
+        return value
+    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")
+
+
+def __dir__() -> list[str]:
+    return sorted(set(globals()) | set(_MODULE_EXPORTS) | set(_SYMBOL_EXPORTS))
+
+
+__all__ = sorted(set(_MODULE_EXPORTS) | set(_SYMBOL_EXPORTS))

tigrbl_auth/app.py

@@ -1,75 +1,5 @@
-"""
-tigrbl_auth.app
-===============
-
-FastAPI application factory for the **tigrbl-auth** service.
-
-Features
---------
-* Async SQLAlchemy engine (SQLite or Postgres driven by `DATABASE_URL`)
-* Auto-generated CRUD router for Tenant / Client / User / ApiKey
-* Public credential routes  (/register, /login, /logout, …)
-* OIDC discovery (`/.well-known/openid-configuration`) + `jwks.json`
-* System diagnostics endpoints (healthz, methodz, hookz, kernelz)
-"""
-
 from __future__ import annotations
 
-from tigrbl_auth.deps import TigrblApp
-import inspect
-
-from .routers.surface import surface_api
-from .db import dsn
-from .runtime_cfg import settings
-from .rfc.rfc8414 import include_rfc8414
-from .oidc_discovery import include_oidc_discovery
-from .rfc.rfc8693 import include_rfc8693
-from .oidc_userinfo import include_oidc_userinfo
-from .rfc.rfc7009 import include_rfc7009
-
-
-import logging
-
-logging.getLogger("uvicorn").setLevel(logging.DEBUG)
-# --------------------------------------------------------------------
-# TigrblApp application
-# --------------------------------------------------------------------
-app = TigrblApp(
-    title="Tigrbl-Auth",
-    version="0.1.0",
-    openapi_url="/openapi.json",
-    docs_url="/docs",
-    engine=dsn,
-)
-
-# Mount routers
-surface_api.mount_jsonrpc(prefix="/rpc")
-surface_api.attach_diagnostics(prefix="/system")
-app.include_router(surface_api)  # /authn/<model> resources & flows
-
-
-include_oidc_userinfo(app)
-
-if settings.enable_rfc8693:
-    include_rfc8693(app)
-
-if settings.enable_rfc7009:
-    include_rfc7009(app)
-
-if settings.enable_rfc8414:
-    include_rfc8414(app)
-    include_oidc_discovery(app)
-
-
-async def _startup() -> None:
-    # 1 – metadata validation / SQLite convenience mode
-    # When running on SQLite, attach the same file under the "authn" alias
-    # so schema-qualified tables like "authn.tenants" work.
-    # this should work without sqlite_attachments, if sqlite_attachments are required use:
-    # > await surface_api.initialize(sqlite_attachments={"authn": "./authn.db"})
-    init = surface_api.initialize()
-    if inspect.isawaitable(init):
-        await init
-
+from tigrbl_identity_server.app import app, build_app, build_application_runtime_plan
 
-app.add_event_handler("startup", _startup)
+__all__ = ["app", "build_app", "build_application_runtime_plan"]

tigrbl_auth/cli.py

@@ -0,0 +1,5 @@
+from __future__ import annotations
+
+from tigrbl_identity_operator.cli.main import main
+
+__all__ = ["main"]

tigrbl_auth/gateway.py

@@ -0,0 +1,17 @@
+from __future__ import annotations
+
+from tigrbl_identity_server.gateway import (
+    app,
+    build_app,
+    build_gateway,
+    build_gateway_runtime_plan,
+    resolve_gateway_deployment,
+)
+
+__all__ = [
+    "app",
+    "build_app",
+    "build_gateway",
+    "build_gateway_runtime_plan",
+    "resolve_gateway_deployment",
+]

tigrbl_auth/plugin.py

@@ -0,0 +1,5 @@
+from __future__ import annotations
+
+from tigrbl_identity_server.plugin import TigrblAuthPlugin, install
+
+__all__ = ["TigrblAuthPlugin", "install"]

tigrbl_auth-0.4.0.dev2.dist-info/METADATA

@@ -0,0 +1,20 @@
+Metadata-Version: 2.4
+Name: tigrbl-auth
+Version: 0.4.0.dev2
+Summary: Compatibility facade for the Tigrbl identity package suite.
+License-Expression: Apache-2.0
+Requires-Python: >=3.10,<3.15
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Description-Content-Type: text/markdown
+
+# tigrbl-auth
+
+Compatibility facade for the Tigrbl identity package suite.
+
+This package uses the independent import root `tigrbl_auth`.
+

tigrbl_auth-0.4.0.dev2.dist-info/RECORD

@@ -0,0 +1,8 @@
+tigrbl_auth/__init__.py,sha256=k1HF9z4ZOE76gs4FpjfEVFZogKysOdurthGRQ44gEcg,4589
+tigrbl_auth/app.py,sha256=Rnd2NgRZ-2MtmbP7fEmYg5duu4EryPrb34Ktj2mXIck,188
+tigrbl_auth/cli.py,sha256=4vT1N_fCWxbM8CPSbgL6GItoxqV043qJyBe1V8fwSpE,107
+tigrbl_auth/gateway.py,sha256=E5zqsuKzMN_mVWfL8W7-2XoDG_2qA8_8xkQ5T7aQ-UY,322
+tigrbl_auth/plugin.py,sha256=qY_XeIAC3qoWFeQwtUrA8AnyCrSuFGU4gfUtor-vepU,147
+tigrbl_auth-0.4.0.dev2.dist-info/METADATA,sha256=BIZRVp8GBAN-wiupFRryMdnrO_ESE15pKMy2yUesxgU,672
+tigrbl_auth-0.4.0.dev2.dist-info/WHEEL,sha256=EGEvSphFYqXKs23-kQBeyNoJP1nrT8ZJKQoi5p5DYL8,88
+tigrbl_auth-0.4.0.dev2.dist-info/RECORD,,

{tigrbl_auth-0.3.2.dev2.dist-info → tigrbl_auth-0.4.0.dev2.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: poetry-core 2.3.1
+Generator: poetry-core 2.4.0
 Root-Is-Purelib: true
 Tag: py3-none-any

tigrbl_auth/adapters/__init__.py

@@ -1,14 +0,0 @@
-# tigrbl_auth/v2/adapters/__init__.py
-def __getattr__(name):
-    if name == "RemoteAuthNAdapter":
-        from .remote_adapter import RemoteAuthNAdapter
-
-        return RemoteAuthNAdapter
-    if name == "LocalAuthNAdapter":
-        from .local_adapter import LocalAuthNAdapter
-
-        return LocalAuthNAdapter
-    raise AttributeError(name)
-
-
-__all__ = ["LocalAuthNAdapter", "RemoteAuthNAdapter"]

tigrbl_auth/adapters/auth_context.py

@@ -1,28 +0,0 @@
-from __future__ import annotations
-
-from tigrbl_auth.deps import Request, TIGRBL_AUTH_CONTEXT_ATTR
-
-
-def set_auth_context(request: Request, principal: dict | None) -> None:
-    """Populate request.state with the auth context expected by Tigrbl.
-
-    Parameters
-    ----------
-    request:
-        Incoming FastAPI request whose state should be populated.
-    principal:
-        Principal dictionary containing ``tenant_id`` (``tid``) and ``user_id``
-        (``sub``). May be ``None`` when no authenticated principal is present.
-    """
-    ctx: dict[str, str] = {}
-    if principal:
-        tid = principal.get("tid") or principal.get("tenant_id")
-        uid = principal.get("sub") or principal.get("user_id")
-        if tid is not None:
-            ctx["tenant_id"] = tid
-        if uid is not None:
-            ctx["user_id"] = uid
-    setattr(request.state, TIGRBL_AUTH_CONTEXT_ATTR, ctx)
-
-
-__all__ = ["set_auth_context"]

tigrbl_auth/adapters/local_adapter.py

@@ -1,47 +0,0 @@
-"""
-tigrbl_auth.adapters.local_adapter
-──────────────────
-Concrete implementation of the ``AuthNProvider`` ABC declared by
-``tigrbl.authn_abc``.  It merely **adapts** the public helpers that already
-exist in *tigrbl_auth* so that Tigrbl can consume them automatically.
-
-Usage
------
->>> from tigrbl import TigrblApi
->>> from tigrbl_auth.adapters import LocalAuthNAdapter
->>> api = TigrblApi(engine=ENGINE, authn=LocalAuthNAdapter())
-"""
-
-from __future__ import annotations
-
-from tigrbl_auth.deps import AuthNProvider, Request
-from ..fastapi_deps import get_principal
-from ..principal_ctx import principal_var  # noqa: F401  # ensure ContextVar is initialised
-from .auth_context import set_auth_context
-
-
-class LocalAuthNAdapter(AuthNProvider):
-    """
-    Thin wrapper that plugs existing *tigrbl_auth* functions into
-    the abstract interface expected by Tigrbl.
-    """
-
-    # ------------------------------------------------------------------ #
-    # FastAPI dependency (mandatory)                                     #
-    # ------------------------------------------------------------------ #
-    async def get_principal(self, request: Request) -> dict:  # noqa: D401
-        """
-        Delegate to ``tigrbl_auth.fastapi_deps.get_principal`` and forward
-        whatever dict it returns.
-
-        Raises
-        ------
-        fastapi.HTTPException(401)
-            If the API‑key / bearer token is invalid or expired.
-        """
-        principal = await get_principal(request)  # type: ignore[arg-type]
-        set_auth_context(request, principal)
-        return principal
-
-
-__all__ = ["LocalAuthNAdapter"]