PyPI - usso - Versions diffs - 0.28.24__tar.gz → 0.28.26__tar.gz - Mend

usso 0.28.24tar.gz → 0.28.26tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

{usso-0.28.24/src/usso.egg-info → usso-0.28.26}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: usso
-Version: 0.28.24
+Version: 0.28.26
 Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
 Author-email: Mahdi Kiani <mahdikiany@gmail.com>
 Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>

{usso-0.28.24 → usso-0.28.26}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "usso"
-version = "0.28.24"
+version = "0.28.26"
 description = "A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices."
 readme = "README.md"
 requires-python = ">=3.9"

{usso-0.28.24 → usso-0.28.26}/src/usso/authorization.py RENAMED Viewed

@@ -84,6 +84,7 @@ def is_path_match(
         ("files", "files/transactions", False),
         ("files", "media/files/transactions", False),
         ("media/files", "media/files/transactions", False),
+        ("finance/*/*", "wallet", False),
     ]
     """
     if isinstance(user_path, str):
@@ -100,10 +101,14 @@ def is_path_match(
     else:
         raise ValueError(f"Invalid path type: {type(requested_path)}")
+    wildcard_found = False
     # Match resource name (rightmost)
     if not fnmatch.fnmatch(req_parts[-1], user_parts[-1]):
         return False
+    if "*" in user_parts[-1]:
+        wildcard_found = True
     # Match rest of the path from right to left
     user_path_parts = user_parts[:-1]
     req_path_parts = req_parts[:-1]
@@ -115,6 +120,14 @@ def is_path_match(
     ):
         if r and u and r != "*" and not fnmatch.fnmatch(r, u):
             return False
+        if "*" in u:
+            wildcard_found = True
+    offset = len(user_path_parts) - len(req_path_parts)
+    if offset > 0 and wildcard_found:
+        for u in user_path_parts[-offset:]:
+            if u != "*":
+                return False
     return True
@@ -129,6 +142,73 @@ def is_filter_match(user_filters: dict, requested_filters: dict) -> bool:
     return True
+def get_scope_filters(
+    action: str,
+    resource: str,
+    user_scopes: list[str],
+) -> list[dict]:
+    """
+    Return filters extracted from user scopes that:
+    - Have equal or higher privilege level than the requested action.
+    - Match the requested resource path.
+    """
+    matched_filters: list[dict] = []
+    action_level = PRIVILEGE_LEVELS.get(action, 0)
+    requested_parts = resource.split("/")
+    for scope in user_scopes:
+        scope_action, scope_path, scope_filters = parse_scope(scope)
+        scope_level = PRIVILEGE_LEVELS.get(scope_action, 0)
+        if scope_level < action_level:
+            continue
+        if not is_path_match(scope_path, requested_parts):
+            continue
+        matched_filters.append(scope_filters)
+    return matched_filters
+def broadest_scope_filter(filters: list[dict]) -> dict:
+    """
+    Return the broadest scope filter. It is used to select the most
+    restrictive filter from the list of filters. by assigning a score
+    to each filter based on the restriction bits. the filter with the
+    lowest score is the most restrictive.
+    filters = [
+        {"tenant_id": "t1"},                           # score = 1
+        {"workspace_id": "w1"},                        # score = 2
+        {"user_id": "u1"},                             # score = 4
+        {"uid": "abc"},                                # score = 8
+        {"tenant_id": "t1", "user_id": "u1"},          # score = 1 + 4 = 5
+        {"workspace_id": "w1", "uid": "abc"},          # score = 2 + 8 = 10
+        {},                                            # score = 0
+    ]
+    """
+    RESTRICTION_BITS = {
+        "tenant_id": 1 << 0,  # 1
+        "workspace_id": 1 << 1,  # 2
+        "user_id": 1 << 2,  # 4
+        "uid": 1 << 3,  # 8
+    }
+    DEFAULT_BIT = 1 << 4
+    if not filters:
+        return {}
+    def restriction_score(f: dict) -> int:
+        if not f:
+            return 0
+        return sum(RESTRICTION_BITS.get(k, DEFAULT_BIT) for k in f)
+    return min(filters, key=restriction_score)
 def is_authorized(
     user_scope: str,
     requested_path: str,

{usso-0.28.24 → usso-0.28.26/src/usso.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: usso
-Version: 0.28.24
+Version: 0.28.26
 Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
 Author-email: Mahdi Kiani <mahdikiany@gmail.com>
 Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>

{usso-0.28.24 → usso-0.28.26}/tests/test_authorization.py RENAMED Viewed

@@ -34,6 +34,7 @@ from src.usso.authorization import (
         ("files", "files/transactions", False),
         ("files", "media/files/transactions", False),
         ("media/files", "media/files/transactions", False),
+        ("finance/*/*", "wallet", False),
     ],
 )
 def test_path_match(user_path, requested_path, expected):