PyPI - usso - Versions diffs - 0.28.30.dev1__tar.gz → 0.28.32__tar.gz - Mend

usso 0.28.30.dev1tar.gz → 0.28.32tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

{usso-0.28.30.dev1/src/usso.egg-info → usso-0.28.32}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: usso
-Version: 0.28.30.dev1
+Version: 0.28.32
 Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
 Author-email: Mahdi Kiani <mahdikiany@gmail.com>
 Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>

{usso-0.28.30.dev1 → usso-0.28.32}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "usso"
-version = "0.28.30dev1"
+version = "0.28.32"
 description = "A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices."
 readme = "README.md"
 requires-python = ">=3.9"

{usso-0.28.30.dev1 → usso-0.28.32}/src/usso/__init__.py RENAMED Viewed

@@ -5,8 +5,8 @@ with Python frameworks, enabling secure and seamless authentication
 across microservices.
 """
-from .client import AuthConfig, UssoAuth
-from .config import APIHeaderConfig, HeaderConfig
+from .client import UssoAuth
+from .config import APIHeaderConfig, AuthConfig, HeaderConfig
 from .exceptions import USSOException
 from .user import UserData

{usso-0.28.30.dev1 → usso-0.28.32}/src/usso/authorization.py RENAMED Viewed

@@ -7,8 +7,10 @@ PRIVILEGE_LEVELS = {
     "update": 30,
     "delete": 40,
     "manage": 50,
+    "admin": 60,
     "owner": 90,
     "*": 90,
+    "superadmin": 100,
 }
@@ -179,11 +181,25 @@ def broadest_scope_filter(filters: list[dict]) -> dict:
     return min(filters, key=restriction_score)
+def owner_authorization(
+    requested_filter: dict[str, str] | None = None,
+    user_id: str | None = None,
+    self_action: str = "owner",
+    action: str = "read",
+) -> bool:
+    user_level = PRIVILEGE_LEVELS.get(self_action or "read", 10)
+    req_level = PRIVILEGE_LEVELS.get(action or "read", 10)
+    if user_id and requested_filter.get("user_id") == user_id:
+        return user_level >= req_level
+    return False
 def is_authorized(
     user_scope: str,
     requested_path: str,
-    requested_action: str | None = None,
-    reuested_filter: dict[str, str] | None = None,
+    requested_action: str = "read",
+    requested_filter: dict[str, str] | None = None,
     *,
     strict: bool = False,
 ) -> bool:
@@ -192,12 +208,12 @@ def is_authorized(
     if not is_path_match(user_path, requested_path, strict=strict):
         return False
-    if not is_filter_match(user_filters, reuested_filter or {}):
+    if not is_filter_match(user_filters, requested_filter or {}):
         return False
     if requested_action:
         user_level = PRIVILEGE_LEVELS.get(user_action or "read", 10)
-        req_level = PRIVILEGE_LEVELS.get(requested_action, 0)
+        req_level = PRIVILEGE_LEVELS.get(requested_action, 10)
         return user_level >= req_level
     return True
@@ -234,7 +250,7 @@ def check_access(
                 user_scope=scope,
                 requested_path=resource_path,
                 requested_action=action,
-                reuested_filter=filt,
+                requested_filter=filt,
                 strict=strict,
             ):
                 return True

{usso-0.28.30.dev1 → usso-0.28.32}/src/usso/client.py RENAMED Viewed

@@ -1,4 +1,6 @@
+import json
 import logging
+import os
 from urllib.parse import urlparse
 import usso_jwt.exceptions
@@ -32,7 +34,10 @@ class UssoAuth:
             jwt_config: JWT configuration(s) to use for token validation
         """
         if jwt_config is None:
-            jwt_config = AuthConfig()
+            if os.getenv("JWT_CONFIGS"):
+                jwt_config = json.loads(os.getenv("JWT_CONFIGS"))
+            else:
+                jwt_config = AuthConfig()
         self.jwt_configs = AuthConfig.validate_jwt_configs(jwt_config)
         self.from_base_usso_url = from_base_usso_url
@@ -73,7 +78,6 @@ class UssoAuth:
                     f"{self.from_base_usso_url}/.well-known/jwks.json?"
                     f"domain={iss_domain}"
                 )
-                logging.error(f"{iss_domain=} {jwks_url=}")
                 jwt_obj.config.jwks_url = jwks_url
                 if jwt_obj.verify(
                     expected_token_type=expected_token_type,
@@ -82,8 +86,6 @@ class UssoAuth:
                     return jwt_obj.payload
             except usso_jwt.exceptions.JWTError as e:
                 exp = e
-        else:
-            logging.error("No from_base_usso_url")
         for jwk_config in self.jwt_configs:
             try:

{usso-0.28.30.dev1 → usso-0.28.32}/src/usso/exceptions.py RENAMED Viewed

@@ -47,7 +47,7 @@ class PermissionDenied(USSOException):
         **kwargs: dict,
     ) -> None:
         super().__init__(
-            403, error=error, message=message, detail=detail, **kwargs
+            403, error=error, detail=detail, message=message, **kwargs
         )

{usso-0.28.30.dev1 → usso-0.28.32}/src/usso/integrations/fastapi/dependency.py RENAMED Viewed

@@ -1,10 +1,11 @@
 import logging
+from collections.abc import Callable
 from fastapi import Request, WebSocket
 from ...client import UssoAuth
 from ...config import AuthConfig, AvailableJwtConfigs
-from ...exceptions import _handle_exception
+from ...exceptions import PermissionDenied, _handle_exception
 from ...user import UserData
 logger = logging.getLogger("usso")
@@ -84,3 +85,32 @@ class USSOAuthentication(UssoAuth):
             message="No token provided",
             raise_exception=self.raise_exception,
         )
+    def authorize(
+        self,
+        *,
+        action: str = "read",
+        resource_path: str,
+        filter_data: dict | None = None,
+    ) -> Callable[[Request], UserData]:
+        def _authorize(request: Request) -> UserData:
+            from ... import authorization
+            user = self.usso_access_security(request)
+            user_scopes = user.scopes or []
+            if not authorization.check_access(
+                user_scopes=user_scopes,
+                resource_path=resource_path,
+                action=action,
+                filters=filter_data,
+            ):
+                raise PermissionDenied(
+                    detail=(
+                        f"User {user.uid} is not authorized "
+                        f"to {action} {resource_path}"
+                    )
+                )
+            return user
+        return _authorize

{usso-0.28.30.dev1 → usso-0.28.32/src/usso.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: usso
-Version: 0.28.30.dev1
+Version: 0.28.32
 Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
 Author-email: Mahdi Kiani <mahdikiany@gmail.com>
 Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>

{usso-0.28.30.dev1 → usso-0.28.32}/tests/test_authorization.py RENAMED Viewed

@@ -3,11 +3,72 @@ import pytest
 from src.usso.authorization import (
     check_access,
     has_subset_scope,
+    is_authorized,
     is_path_match,
     is_subset_scope,
+    owner_authorization,
 )
+@pytest.mark.parametrize(
+    "requested_filter, user_id, self_action, action, expected",
+    [
+        ({"user_id": "123"}, "123", "owner", "read", True),
+        ({}, "123", "owner", "create", False),
+        ({"user_id": "123"}, "123", "read", "create", False),
+    ],
+)
+def test_owner_authorization(
+    requested_filter: dict[str, str],
+    user_id: str,
+    self_action: str,
+    action: str,
+    expected: bool,
+) -> None:
+    assert (
+        owner_authorization(requested_filter, user_id, self_action, action)
+        == expected
+    )
+@pytest.mark.parametrize(
+    "user_scope,requested_path,requested_action,requested_filter,strict,expected",
+    [
+        (
+            "read:media/files",
+            "media/files",
+            "read",
+            {"user_id": "123"},
+            False,
+            True,
+        ),
+        ("read:media/files", "media/files", "read", None, False, True),
+        ("media/files", "media/files", "read", None, False, True),
+        ("media/files", "files", "create", None, False, False),
+        ("media/*", "files", "read", None, False, False),
+        ("read:media/files", "media/files", "create", None, False, False),
+    ],
+)
+def test_is_authorized(
+    user_scope: str,
+    requested_path: str,
+    requested_action: str,
+    requested_filter: dict[str, str] | None,
+    strict: bool,
+    expected: bool,
+) -> None:
+    assert (
+        is_authorized(
+            user_scope,
+            requested_path,
+            requested_action,
+            requested_filter,
+            strict=strict,
+        )
+        == expected
+    )
 @pytest.mark.parametrize(
     "user_path, requested_path, expected",
     [