usso 0.28.14__py3-none-any.whl → 0.28.16__py3-none-any.whl

usso/auth/api_key.py

@@ -20,11 +20,11 @@ def _handle_exception(error_type: str, **kwargs):
 
 
 @cachetools.func.ttl_cache(maxsize=128, ttl=10 * 60)
-def fetch_api_key_data(jwk_url: str, api_key: str):
+def fetch_api_key_data(jwks_url: str, api_key: str):
     """Fetch user data using an API key.
 
     Args:
-        jwk_url: The JWK URL to use for verification
+        jwks_url: The JWK URL to use for verification
         api_key: The API key to verify
 
     Returns:
@@ -34,7 +34,7 @@ def fetch_api_key_data(jwk_url: str, api_key: str):
         USSOException: If the API key is invalid or verification fails
     """
     try:
-        parsed = urlparse(jwk_url)
+        parsed = urlparse(jwks_url)
         url = f"{parsed.scheme}://{parsed.netloc}/api_key/verify"
         response = httpx.post(url, json={"api_key": api_key})
         response.raise_for_status()

usso/auth/authorization.py

@@ -0,0 +1,183 @@
+import fnmatch
+from urllib.parse import parse_qs, urlparse
+
+PRIVILEGE_LEVELS = {
+    "read": 10,
+    "create": 20,
+    "update": 30,
+    "delete": 40,
+    "manage": 50,
+    "owner": 90,
+    "*": 90,
+}
+
+
+def parse_scope(scope: str) -> tuple[str, list[str], dict[str, str]]:
+    """
+    Parse a scope string into (action, path_parts, filters).
+
+    Examples:
+        "read:media/files/transaction?user_id=123" ->
+            ("read", ["media", "files", "transaction"], {"user_id": "123"})
+
+        "media/files/transaction?user_id=123" ->
+            ("", ["media", "files", "transaction"], {"user_id": "123"})
+
+        "*:*" ->
+            ("*", ["*"], {})
+
+    Returns:
+        - action: str (could be empty string if no scheme present)
+        - path_parts: list[str]
+        - filters: dict[str, str]
+    """
+
+    parsed = urlparse(scope)
+    path = parsed.path
+    query = parsed.query
+    filters = {k: v[0] for k, v in parse_qs(query).items()}
+    path_parts = path.split("/") if path else ["*"]
+    return parsed.scheme, path_parts, filters
+
+
+def is_path_match(
+    user_path: list[str] | str,
+    requested_path: list[str] | str,
+    strict: bool = False,
+) -> bool:
+    """
+    Match resource paths from right to left, supporting wildcards (*).
+
+    Rules:
+    - The final resource name must match exactly or via fnmatch.
+    - Upper-level path parts are matched from right to left.
+    - Wildcards are allowed in any part.
+
+    Examples = [
+        ("files", "files", True),
+        ("file-manager/files", "files", True),
+        ("media/file-manager/files", "files", True),
+        ("media//files", "files", True),
+        ("media//files", "file-manager/files", True),
+        ("files", "file-manager/files", True),
+        ("*/files", "file-manager/files", True),
+        ("*//files", "file-manager/files", True),
+        ("//files", "file-manager/files", True),
+        ("//files", "media/file-manager/files", True),
+        ("media//files", "media/file-manager/files", True),
+        ("media/files/*", "media/files/transactions", True),
+        ("*/*/transactions", "media/files/transactions", True),
+        ("media/*/transactions", "media/images/transactions", True),
+        ("media//files", "media/files", True), # attention
+
+        ("files", "file", False),
+        ("files", "files/transactions", False),
+        ("files", "media/files/transactions", False),
+        ("media/files", "media/files/transactions", False),
+    ]
+    """
+    if isinstance(user_path, str):
+        user_parts = user_path.split("/")
+    elif isinstance(user_path, list):
+        user_parts = user_path
+    else:
+        raise ValueError(f"Invalid path type: {type(user_path)}")
+
+    if isinstance(requested_path, str):
+        req_parts = requested_path.split("/")
+    elif isinstance(requested_path, list):
+        req_parts = requested_path
+    else:
+        raise ValueError(f"Invalid path type: {type(requested_path)}")
+
+    # Match resource name (rightmost)
+    if not fnmatch.fnmatch(req_parts[-1], user_parts[-1]):
+        return False
+
+    # Match rest of the path from right to left
+    user_path_parts = user_parts[:-1]
+    req_path_parts = req_parts[:-1]
+
+    for u, r in zip(
+        reversed(user_path_parts),
+        reversed(req_path_parts),
+        strict=strict,
+    ):
+        if r and u and r != "*" and not fnmatch.fnmatch(r, u):
+            return False
+
+    return True
+
+
+def is_filter_match(user_filters: dict, requested_filters: dict):
+    """All user filters must match requested filters."""
+    for k, v in user_filters.items():
+        if k not in requested_filters or not fnmatch.fnmatch(
+            str(requested_filters[k]), v
+        ):
+            return False
+    return True
+
+
+def is_authorized(
+    user_scope: str,
+    requested_path: str,
+    requested_action: str | None = None,
+    reuested_filter: dict[str, str] | None = None,
+    *,
+    strict: bool = False,
+):
+    user_action, user_path, user_filters = parse_scope(user_scope)
+
+    if not is_path_match(user_path, requested_path, strict=strict):
+        return False
+
+    if not is_filter_match(user_filters, reuested_filter):
+        return False
+
+    if requested_action:
+        user_level = PRIVILEGE_LEVELS.get(user_action or "*", 999)
+        req_level = PRIVILEGE_LEVELS.get(requested_action, 0)
+        return user_level >= req_level
+
+    return True
+
+
+def check_access(
+    user_scopes: list[str],
+    resource_path: str,
+    action: str | None = None,
+    *,
+    filters: list[dict[str, str]] | dict[str, str] | None = None,
+    strict: bool = False,
+):
+    """
+    Check if the user has the required access to a resource.
+
+    Args:
+        user_scopes: list of user scope strings
+        resource_path: resource path like "media/files/transactions"
+        action: requested action like "read", "update", etc.
+        filters: optional dict of filters like {"user_id": "abc"}
+
+    Returns:
+        True if access is granted, False otherwise
+    """
+    if isinstance(filters, dict):
+        filters = [{k: v} for k, v in filters.items()]
+    elif filters is None:
+        filters = ["*"]
+
+    for scope in user_scopes:
+        for filter in filters:
+            if is_authorized(
+                user_scope=scope,
+                requested_path=resource_path,
+                requested_action=action,
+                reuested_filter=filter,
+                strict=strict,
+            ):
+                return True
+            print(f"auth failed {filter}, {scope}")
+
+    return False

usso/auth/client.py

@@ -87,4 +87,4 @@ class UssoAuth:
         Raises:
             USSOException: If the API key is invalid
         """
-        return fetch_api_key_data(self.jwt_configs[0].jwk_url, api_key)
+        return fetch_api_key_data(self.jwt_configs[0].jwks_url, api_key)

usso/integrations/django/middleware.py

@@ -70,8 +70,8 @@ class USSOAuthenticationMiddleware(MiddlewareMixin):
         Check if a user exists by phone. If not, create a new user
         and return it.
         """
-        if self.jwt_config.jwk_url:
-            domain = urlparse(self.jwt_config.jwk_url).netloc
+        if self.jwt_config.jwks_url:
+            domain = urlparse(self.jwt_config.jwks_url).netloc
         else:
             domain = "example.com"
         phone = user_data.phone

usso/session/async_session.py

@@ -52,11 +52,11 @@ class AsyncUssoSession(httpx.AsyncClient, BaseUssoSession):
         data: dict[str, str | dict[str, str]] = response.json()
         self.access_token = JWT(
             token=data.get("access_token"),
-            config=JWTConfig(jwk_url=f"{self.usso_url}/website/jwks.json"),
+            config=JWTConfig(jwks_url=f"{self.usso_url}/website/jwks.json"),
         )
         self._refresh_token = JWT(
             token=data.get("token", {}).get("refresh_token"),
-            config=JWTConfig(jwk_url=f"{self.usso_url}/website/jwks.json"),
+            config=JWTConfig(jwks_url=f"{self.usso_url}/website/jwks.json"),
         )
         if self.access_token:
             self.headers.update({

usso/session/base_session.py

@@ -48,7 +48,7 @@ class BaseUssoSession:
         self.usso_refresh_url = f"{usso_url}/auth/refresh"
         self._refresh_token = JWT(
             token=refresh_token,
-            config=JWTConfig(jwk_url=f"{self.usso_url}/website/jwks.json"),
+            config=JWTConfig(jwks_url=f"{self.usso_url}/website/jwks.json"),
         )
 
         self.access_token = None
@@ -67,10 +67,10 @@ class BaseUssoSession:
     def refresh_token(self):
         if (
             self._refresh_token
-            and self._refresh_token.verify(
+            and self._refresh_token.verify(  # noqa: W503
                 expected_token_type="refresh",
             )
-            and self._refresh_token.is_temporally_valid()
+            and self._refresh_token.is_temporally_valid()  # noqa: W503
         ):
             self._refresh_token = None
 

usso/session/session.py

@@ -38,7 +38,7 @@ class UssoSession(httpx.Client, BaseUssoSession):
         response.raise_for_status()
         self.access_token = JWT(
             token=response.json().get("access_token"),
-            config=JWTConfig(jwk_url=f"{self.usso_url}/website/jwks.json"),
+            config=JWTConfig(jwks_url=f"{self.usso_url}/website/jwks.json"),
         )
         self.headers.update({"Authorization": f"Bearer {self.access_token}"})
         return response.json()

{usso-0.28.14.dist-info → usso-0.28.16.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: usso
-Version: 0.28.14
+Version: 0.28.16
 Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
 Author-email: Mahdi Kiani <mahdikiany@gmail.com>
 Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>
@@ -28,7 +28,7 @@ Requires-Dist: cachetools
 Requires-Dist: singleton_package
 Requires-Dist: json-advanced
 Requires-Dist: httpx
-Requires-Dist: usso-jwt>=0.1.16
+Requires-Dist: usso-jwt>=0.2.0
 Provides-Extra: fastapi
 Requires-Dist: fastapi>=0.65.0; extra == "fastapi"
 Requires-Dist: uvicorn[standard]>=0.13.0; extra == "fastapi"
@@ -148,7 +148,7 @@ Then configure your app to verify tokens issued by this service, using its publi
 
 ```python
 JWTConfig(
-    jwk_url="http://localhost:8000/.well-known/jwks.json",
+    jwks_url="http://localhost:8000/.well-known/jwks.json",
     ...
 )
 ```

{usso-0.28.14.dist-info → usso-0.28.16.dist-info}/RECORD

@@ -1,25 +1,26 @@
 usso/__init__.py,sha256=t3tYcw4qtGFpk7iakXTqEj5RlzIc8D2fs0I3FZcOmGs,571
 usso/exceptions.py,sha256=cBzmMCwpNQKMjCUXO3bCcFwZJQQvbvJ5RxTH987ZlCI,1012
 usso/auth/__init__.py,sha256=Dthv-iZTgsHTGcJrkJsnAtDCbRR5dNCx0Ut7MufoAXY,270
-usso/auth/api_key.py,sha256=ec3q_mJtPiNb-eZt5MA4bantX1zRo3WwU2JfYBcGCGk,1254
-usso/auth/client.py,sha256=TgqFGb83HnuYGretCWEUGrkNLXg0KvPtCs46_g2f-ik,2587
+usso/auth/api_key.py,sha256=cT0ZCMhr8mX3-tByocvhOmK0kkeFCMMGtd6cZdzIspA,1257
+usso/auth/authorization.py,sha256=HuNBgz0RSPMevPAhZdqsCpp-Uz1MrDM37KvC5utVwqU,5489
+usso/auth/client.py,sha256=BD4auDPCLoIPHIg8_JXjqFkc2a_6QrAxDkYjoB4416Q,2588
 usso/auth/config.py,sha256=wRMsR89tw_PbUY83ObuEMCWuj3_Y8gcuYj8yZ-PiDFs,3739
 usso/integrations/django/__init__.py,sha256=dKpbffHS5ouGtW6ooI2ivzjPmH_1rOBny85htR-KqrY,97
-usso/integrations/django/middleware.py,sha256=8b-VYQ3FRhLnXSl4ZfHBpiA6VLY4b7b0-YoE_X41SFM,3443
+usso/integrations/django/middleware.py,sha256=AZKYZ4UPNmyxcD3ANgp0y_fdrFvVQdHBqyYxo5XhQUs,3445
 usso/integrations/fastapi/__init__.py,sha256=ohToiqutHu3Okr8naunssDkamj1OdiG4OpPdBW0rt7U,204
 usso/integrations/fastapi/dependency.py,sha256=Cq-rkCrmNIC8OT1OkdMxfIEkmQkl_pwqV7N7CiNnDSA,2801
 usso/integrations/fastapi/handler.py,sha256=MNDoBYdySumFsBgVw-xir3jXXH63KehFXKCh-pNnNZQ,386
 usso/models/user.py,sha256=eVZD1roaXkHiyO_fmMVoIAoE8AVvot4RTySJcYMe2uw,3760
 usso/session/__init__.py,sha256=tE4qWUdSI7iN_pywm47Mg8NKOTBa2nCNwCy3wCZWRmU,124
-usso/session/async_session.py,sha256=QQamIOZZD0eXXkIt8LZVUgjKFTFYnsxWI_HGj2VOMM8,3969
-usso/session/base_session.py,sha256=Z-Uwcwb0xX6Uo7OVd6ejYz7aMiDWrj5KGein7WWJCo0,2530
-usso/session/session.py,sha256=a8iy7lI3cvi7NKi6V1PKfCZ2nLrGTS5sM6Kbu30tN7k,1636
+usso/session/async_session.py,sha256=eQQh2DXiaHdballRjePa8GSI9GmGsxNDU7vTfwh8mRQ,3971
+usso/session/base_session.py,sha256=O3tEltMhlwkEz1GGbjE4iXPwSlLaUW2juUt9RDSLrHI,2559
+usso/session/session.py,sha256=briCgDMoF-b59H6Aie_Lmjy4qnPBBSmKnVhAwef34F0,1637
 usso/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 usso/utils/method_utils.py,sha256=1NMN4le04PWXDSJZK-nf7q2IFqOMkwYcCnslFXAzlH8,355
 usso/utils/string_utils.py,sha256=7tziAa2Cwa7xhwM_NF4DSY3BHoqVaWgJ21VuV8LvhrY,253
-usso-0.28.14.dist-info/licenses/LICENSE.txt,sha256=ceC9ZJOV9H6CtQDcYmHOS46NA3dHJ_WD4J9blH513pc,1081
-usso-0.28.14.dist-info/METADATA,sha256=Tcgog9XyW4vJbH7TnWHrmv8Ztd_WKez5nCktU7pBkOI,5061
-usso-0.28.14.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-usso-0.28.14.dist-info/entry_points.txt,sha256=4Zgpm5ELaAWPf0jPGJFz1_X69H7un8ycT3WdGoJ0Vvk,35
-usso-0.28.14.dist-info/top_level.txt,sha256=g9Jf6h1Oyidh0vPiFni7UHInTJjSvu6cUalpLTIvthg,5
-usso-0.28.14.dist-info/RECORD,,
+usso-0.28.16.dist-info/licenses/LICENSE.txt,sha256=ceC9ZJOV9H6CtQDcYmHOS46NA3dHJ_WD4J9blH513pc,1081
+usso-0.28.16.dist-info/METADATA,sha256=CwuJO02M13iJKbJc28gQ69WoJOFoz7MJS3aW8rTd0nQ,5061
+usso-0.28.16.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+usso-0.28.16.dist-info/entry_points.txt,sha256=4Zgpm5ELaAWPf0jPGJFz1_X69H7un8ycT3WdGoJ0Vvk,35
+usso-0.28.16.dist-info/top_level.txt,sha256=g9Jf6h1Oyidh0vPiFni7UHInTJjSvu6cUalpLTIvthg,5
+usso-0.28.16.dist-info/RECORD,,