PyPI - usso - Versions diffs - 0.28.17__tar.gz → 0.28.19__tar.gz - Mend

usso 0.28.17tar.gz → 0.28.19tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

{usso-0.28.17/src/usso.egg-info → usso-0.28.19}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: usso
-Version: 0.28.17
+Version: 0.28.19
 Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
 Author-email: Mahdi Kiani <mahdikiany@gmail.com>
 Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>

{usso-0.28.17 → usso-0.28.19}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "usso"
-version = "0.28.17"
+version = "0.28.19"
 description = "A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices."
 readme = "README.md"
 requires-python = ">=3.9"

{usso-0.28.17 → usso-0.28.19}/src/usso/auth/authorization.py RENAMED Viewed

@@ -1,4 +1,5 @@
 import fnmatch
+import logging
 from urllib.parse import parse_qs, urlparse
 PRIVILEGE_LEVELS = {
@@ -136,7 +137,7 @@ def is_authorized(
         return False
     if requested_action:
-        user_level = PRIVILEGE_LEVELS.get(user_action or "*", 999)
+        user_level = PRIVILEGE_LEVELS.get(user_action or "read", 10)
         req_level = PRIVILEGE_LEVELS.get(requested_action, 0)
         return user_level >= req_level
@@ -181,3 +182,41 @@ def check_access(
             print(f"auth failed {filter}, {scope}")
     return False
+def is_subset_scope(*, subset_scope: str, super_scope: str) -> bool:
+    child_action, child_path, child_filters = parse_scope(subset_scope)
+    parent_action, parent_path, parent_filters = parse_scope(super_scope)
+    # 1. Compare privilege levels
+    child_level = PRIVILEGE_LEVELS.get(child_action or "read", 10)
+    parent_level = PRIVILEGE_LEVELS.get(parent_action or "read", 10)
+    if parent_level < child_level:
+        return False
+    # 2. Compare path
+    child_path_str = "/".join(child_path)
+    parent_path_str = "/".join(parent_path)
+    if not is_path_match(parent_path_str, child_path_str):
+        return False
+    # 3. Compare filters: parent_filters ⊆ child_filters
+    for k, v in parent_filters.items():
+        if child_filters.get(k) != v:
+            return False
+    logging.error(f"{parent_level}, {child_level}")
+    return True
+def has_subset_scope(
+    *, subset_scope: str, user_scopes: list[str] | str | None
+) -> bool:
+    user_scopes = user_scopes or []
+    if isinstance(user_scopes, str):
+        user_scopes = [user_scopes]
+    for user_scope in user_scopes:
+        if is_subset_scope(subset_scope=subset_scope, super_scope=user_scope):
+            return True
+    return False

{usso-0.28.17 → usso-0.28.19}/src/usso/models/user.py RENAMED Viewed

@@ -46,7 +46,6 @@ class UserData(BaseModel):
         nbf: int | None = None,
         exp: int | None = None,
         jti: str | None = None,
         token_type: TokenType | None = None,
         session_id: str | None = None,
         tenant_id: str | None = None,

{usso-0.28.17 → usso-0.28.19/src/usso.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: usso
-Version: 0.28.17
+Version: 0.28.19
 Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
 Author-email: Mahdi Kiani <mahdikiany@gmail.com>
 Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>

{usso-0.28.17 → usso-0.28.19}/tests/test_authorization.py RENAMED Viewed

@@ -1,6 +1,11 @@
 import pytest
-from src.usso.auth.authorization import check_access, is_path_match
+from src.usso.auth.authorization import (
+    check_access,
+    has_subset_scope,
+    is_path_match,
+    is_subset_scope,
+)
 @pytest.mark.parametrize(
@@ -165,3 +170,43 @@ def test_minimal_params_success():
 def test_minimal_params_fail():
     scopes = ["read:file?*"]
     assert check_access(scopes, "file", "create") is False
+def test_minimal_params_read_create_fail():
+    scopes = ["file"]
+    assert check_access(scopes, "file", "create") is False
+def test_scope_subset():
+    assert is_subset_scope(
+        subset_scope="read:media/files?user_id=123",
+        super_scope="read:media/files",
+    )
+    assert is_subset_scope(
+        subset_scope="read:media/files?user_id=123", super_scope="read:media/*"
+    )
+    assert not is_subset_scope(
+        subset_scope="create:media/files", super_scope="read:media/files"
+    )
+    assert not is_subset_scope(
+        subset_scope="update:media/files", super_scope="read:media/files"
+    )
+    assert not is_subset_scope(
+        subset_scope="read:media/files?user_id=123",
+        super_scope="read:media/files?user_id=456",
+    )
+    assert not is_subset_scope(
+        subset_scope="read:media/files?user_id=123",
+        super_scope="read:media/files?workspace_id=123",
+    )
+    assert is_subset_scope(subset_scope="read:files", super_scope="read:*")
+    assert is_subset_scope(
+        subset_scope="read:files", super_scope="read://files"
+    )
+    assert has_subset_scope(
+        subset_scope="files", user_scopes=["read:files", "create:files"]
+    )
+    assert not is_subset_scope(
+        subset_scope="create:files", super_scope="files"
+    )