usso 0.28.15__tar.gz → 0.28.17__tar.gz

{usso-0.28.15/src/usso.egg-info → usso-0.28.17}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: usso
-Version: 0.28.15
+Version: 0.28.17
 Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
 Author-email: Mahdi Kiani <mahdikiany@gmail.com>
 Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>

{usso-0.28.15 → usso-0.28.17}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "usso"
-version = "0.28.15"
+version = "0.28.17"
 description = "A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices."
 readme = "README.md"
 requires-python = ">=3.9"

{usso-0.28.15 → usso-0.28.17}/src/usso/auth/api_key.py

@@ -1,5 +1,4 @@
 import logging
-from urllib.parse import urlparse
 
 import cachetools.func
 import httpx
@@ -19,12 +18,12 @@ def _handle_exception(error_type: str, **kwargs):
     logger.error(kwargs.get("message") or error_type)
 
 
-@cachetools.func.ttl_cache(maxsize=128, ttl=10 * 60)
-def fetch_api_key_data(jwks_url: str, api_key: str):
+@cachetools.func.ttl_cache(maxsize=128, ttl=60)
+def fetch_api_key_data(api_key_verify_url: str, api_key: str):
     """Fetch user data using an API key.
 
     Args:
-        jwks_url: The JWK URL to use for verification
+        api_key_verify_url: The API key verify URL to use for verification
         api_key: The API key to verify
 
     Returns:
@@ -34,9 +33,7 @@ def fetch_api_key_data(jwks_url: str, api_key: str):
         USSOException: If the API key is invalid or verification fails
     """
     try:
-        parsed = urlparse(jwks_url)
-        url = f"{parsed.scheme}://{parsed.netloc}/api_key/verify"
-        response = httpx.post(url, json={"api_key": api_key})
+        response = httpx.post(api_key_verify_url, json={"api_key": api_key})
         response.raise_for_status()
         return UserData(**response.json())
     except Exception as e:

usso-0.28.17/src/usso/auth/authorization.py

@@ -0,0 +1,183 @@
+import fnmatch
+from urllib.parse import parse_qs, urlparse
+
+PRIVILEGE_LEVELS = {
+    "read": 10,
+    "create": 20,
+    "update": 30,
+    "delete": 40,
+    "manage": 50,
+    "owner": 90,
+    "*": 90,
+}
+
+
+def parse_scope(scope: str) -> tuple[str, list[str], dict[str, str]]:
+    """
+    Parse a scope string into (action, path_parts, filters).
+
+    Examples:
+        "read:media/files/transaction?user_id=123" ->
+            ("read", ["media", "files", "transaction"], {"user_id": "123"})
+
+        "media/files/transaction?user_id=123" ->
+            ("", ["media", "files", "transaction"], {"user_id": "123"})
+
+        "*:*" ->
+            ("*", ["*"], {})
+
+    Returns:
+        - action: str (could be empty string if no scheme present)
+        - path_parts: list[str]
+        - filters: dict[str, str]
+    """
+
+    parsed = urlparse(scope)
+    path = parsed.path
+    query = parsed.query
+    filters = {k: v[0] for k, v in parse_qs(query).items()}
+    path_parts = path.split("/") if path else ["*"]
+    return parsed.scheme, path_parts, filters
+
+
+def is_path_match(
+    user_path: list[str] | str,
+    requested_path: list[str] | str,
+    strict: bool = False,
+) -> bool:
+    """
+    Match resource paths from right to left, supporting wildcards (*).
+
+    Rules:
+    - The final resource name must match exactly or via fnmatch.
+    - Upper-level path parts are matched from right to left.
+    - Wildcards are allowed in any part.
+
+    Examples = [
+        ("files", "files", True),
+        ("file-manager/files", "files", True),
+        ("media/file-manager/files", "files", True),
+        ("media//files", "files", True),
+        ("media//files", "file-manager/files", True),
+        ("files", "file-manager/files", True),
+        ("*/files", "file-manager/files", True),
+        ("*//files", "file-manager/files", True),
+        ("//files", "file-manager/files", True),
+        ("//files", "media/file-manager/files", True),
+        ("media//files", "media/file-manager/files", True),
+        ("media/files/*", "media/files/transactions", True),
+        ("*/*/transactions", "media/files/transactions", True),
+        ("media/*/transactions", "media/images/transactions", True),
+        ("media//files", "media/files", True), # attention
+
+        ("files", "file", False),
+        ("files", "files/transactions", False),
+        ("files", "media/files/transactions", False),
+        ("media/files", "media/files/transactions", False),
+    ]
+    """
+    if isinstance(user_path, str):
+        user_parts = user_path.split("/")
+    elif isinstance(user_path, list):
+        user_parts = user_path
+    else:
+        raise ValueError(f"Invalid path type: {type(user_path)}")
+
+    if isinstance(requested_path, str):
+        req_parts = requested_path.split("/")
+    elif isinstance(requested_path, list):
+        req_parts = requested_path
+    else:
+        raise ValueError(f"Invalid path type: {type(requested_path)}")
+
+    # Match resource name (rightmost)
+    if not fnmatch.fnmatch(req_parts[-1], user_parts[-1]):
+        return False
+
+    # Match rest of the path from right to left
+    user_path_parts = user_parts[:-1]
+    req_path_parts = req_parts[:-1]
+
+    for u, r in zip(
+        reversed(user_path_parts),
+        reversed(req_path_parts),
+        strict=strict,
+    ):
+        if r and u and r != "*" and not fnmatch.fnmatch(r, u):
+            return False
+
+    return True
+
+
+def is_filter_match(user_filters: dict, requested_filters: dict):
+    """All user filters must match requested filters."""
+    for k, v in user_filters.items():
+        if k not in requested_filters or not fnmatch.fnmatch(
+            str(requested_filters[k]), v
+        ):
+            return False
+    return True
+
+
+def is_authorized(
+    user_scope: str,
+    requested_path: str,
+    requested_action: str | None = None,
+    reuested_filter: dict[str, str] | None = None,
+    *,
+    strict: bool = False,
+):
+    user_action, user_path, user_filters = parse_scope(user_scope)
+
+    if not is_path_match(user_path, requested_path, strict=strict):
+        return False
+
+    if not is_filter_match(user_filters, reuested_filter):
+        return False
+
+    if requested_action:
+        user_level = PRIVILEGE_LEVELS.get(user_action or "*", 999)
+        req_level = PRIVILEGE_LEVELS.get(requested_action, 0)
+        return user_level >= req_level
+
+    return True
+
+
+def check_access(
+    user_scopes: list[str],
+    resource_path: str,
+    action: str | None = None,
+    *,
+    filters: list[dict[str, str]] | dict[str, str] | None = None,
+    strict: bool = False,
+):
+    """
+    Check if the user has the required access to a resource.
+
+    Args:
+        user_scopes: list of user scope strings
+        resource_path: resource path like "media/files/transactions"
+        action: requested action like "read", "update", etc.
+        filters: optional dict of filters like {"user_id": "abc"}
+
+    Returns:
+        True if access is granted, False otherwise
+    """
+    if isinstance(filters, dict):
+        filters = [{k: v} for k, v in filters.items()]
+    elif filters is None:
+        filters = ["*"]
+
+    for scope in user_scopes:
+        for filter in filters:
+            if is_authorized(
+                user_scope=scope,
+                requested_path=resource_path,
+                requested_action=action,
+                reuested_filter=filter,
+                strict=strict,
+            ):
+                return True
+            print(f"auth failed {filter}, {scope}")
+
+    return False

{usso-0.28.15 → usso-0.28.17}/src/usso/auth/client.py

@@ -87,4 +87,7 @@ class UssoAuth:
         Raises:
             USSOException: If the API key is invalid
         """
-        return fetch_api_key_data(self.jwt_configs[0].jwks_url, api_key)
+        return fetch_api_key_data(
+            self.jwt_configs[0].api_key_header.verify_endpoint,
+            api_key,
+        )

{usso-0.28.15 → usso-0.28.17}/src/usso/auth/config.py

@@ -42,7 +42,7 @@ class HeaderConfig(BaseModel):
 
 
 class APIHeaderConfig(HeaderConfig):
-    verify_endpoint: str = "https://sso.usso.io/api_key/verify"
+    verify_endpoint: str = "https://sso.usso.io/api/sso/v1/apikeys/verify"
 
 
 class AuthConfig(usso_jwt.config.JWTConfig):

{usso-0.28.15 → usso-0.28.17/src/usso.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: usso
-Version: 0.28.15
+Version: 0.28.17
 Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
 Author-email: Mahdi Kiani <mahdikiany@gmail.com>
 Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>

{usso-0.28.15 → usso-0.28.17}/src/usso.egg-info/SOURCES.txt

@@ -13,6 +13,7 @@ src/usso.egg-info/requires.txt
 src/usso.egg-info/top_level.txt
 src/usso/auth/__init__.py
 src/usso/auth/api_key.py
+src/usso/auth/authorization.py
 src/usso/auth/client.py
 src/usso/auth/config.py
 src/usso/integrations/django/__init__.py
@@ -28,4 +29,5 @@ src/usso/session/session.py
 src/usso/utils/__init__.py
 src/usso/utils/method_utils.py
 src/usso/utils/string_utils.py
+tests/test_authorization.py
 tests/test_fastapi.py

usso-0.28.17/tests/test_authorization.py

@@ -0,0 +1,167 @@
+import pytest
+
+from src.usso.auth.authorization import check_access, is_path_match
+
+
+@pytest.mark.parametrize(
+    "user_path, requested_path, expected",
+    [
+        ("files", "files", True),
+        ("file-manager/files", "files", True),
+        ("media/file-manager/files", "files", True),
+        ("media//files", "files", True),
+        ("media//files", "file-manager/files", True),
+        ("files", "file-manager/files", True),
+        ("*/files", "file-manager/files", True),
+        ("*//files", "file-manager/files", True),
+        ("//files", "file-manager/files", True),
+        ("//files", "media/file-manager/files", True),
+        ("media//files", "media/file-manager/files", True),
+        (
+            "media//files",
+            "media/files",
+            True,
+        ),  # !! atention it matches because the middle part is empty
+        ("media/files/*", "media/files/transactions", True),
+        ("*/*/transactions", "media/files/transactions", True),
+        ("media/*/transactions", "media/images/transactions", True),
+        ("files", "file", False),
+        ("files", "files/transactions", False),
+        ("files", "media/files/transactions", False),
+        ("media/files", "media/files/transactions", False),
+    ],
+)
+def test_path_match(user_path, requested_path, expected):
+    assert is_path_match(user_path, requested_path, strict=False) == expected
+
+
+# Define pytest tests
+def test_exact_match_id():
+    scopes = ["read:media/file-manager/files?uid=file123"]
+    assert (
+        check_access(
+            scopes,
+            "files",
+            action="read",
+            filters=[
+                dict(namespace="media"),
+                dict(service="file-manager"),
+                dict(uid="file123"),
+            ],
+        )
+        is True
+    )
+
+
+# Define pytest tests
+def test_wildcard():
+    scopes = [
+        "update:media/files/transactions?user_id=abc",
+        "read:media/files/*",
+    ]
+
+    assert check_access(
+        scopes,
+        "media/files/transactions",
+        action="read",
+        filters={"user_id": "abc"},
+    )
+    assert check_access(
+        scopes, "transactions", action="update", filters={"user_id": "abc"}
+    )
+    assert not check_access(
+        scopes, "transactions", action="update", filters={"uid": "def"}
+    )
+    assert not check_access(
+        scopes,
+        "media/files/transactions",
+        action="delete",
+        filters={"user_id": "abc"},
+    )
+
+
+def test_insufficient_privilege():
+    scopes = ["read:media/files/file:uid:file123"]
+    assert (
+        check_access(
+            scopes,
+            "file",
+            "update",
+            filters=[
+                dict(namespace="finance"),
+                dict(service="wallet"),
+                dict(workspace_id="ws_7"),
+            ],
+        )
+        is False
+    )
+
+
+def test_wildcard_match():
+    scopes = ["manage:media/files/file?*"]
+    assert (
+        check_access(
+            scopes,
+            "file",
+            "update",
+            filters=dict(
+                namespace="finance",
+                service="wallet",
+                workspace_id="ws_7",
+            ),
+        )
+        is True
+    )
+
+
+def test_match_by_user_id():
+    scopes = ["manage:finance/wallet/transaction?user=user_1"]
+    assert (
+        check_access(
+            scopes,
+            "transaction",
+            "update",
+            filters=[
+                dict(namespace="finance"),
+                dict(service="wallet"),
+                dict(workspace_id="ws_7"),
+            ],
+        )
+        is False
+    )
+    assert (
+        check_access(
+            scopes,
+            "transaction",
+            "update",
+            filters=dict(namespace="finance", user="user_1"),
+        )
+        is True
+    )
+
+
+def test_match_by_workspace_id():
+    scopes = ["delete:finance/wallet/transaction?workspace_id=ws_7"]
+    assert (
+        check_access(
+            scopes,
+            "transaction",
+            "delete",
+            filters=[
+                dict(namespace="finance"),
+                dict(service="wallet"),
+                dict(workspace_id="ws_7"),
+            ],
+        )
+        is True
+    )
+
+
+def test_minimal_params_success():
+    scopes = ["create:file?*"]
+    assert check_access(scopes, "file", "create") is True
+
+
+def test_minimal_params_fail():
+    scopes = ["read:file?*"]
+    assert check_access(scopes, "file", "create") is False