diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ab5a35d..f9c533b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -57,26 +57,11 @@ jobs: with: version: 1.2.1 - - name: Lint & test aserto package + - name: Run lint run: | - cd packages/aserto - poetry install - poetry run pyright . - poetry run pytest -vv - cd ../.. - - - name: Lint & test aserto-idp package - run : | - cd packages/aserto-idp - poetry install - poetry run pyright . - poetry run pytest -vv - cd ../.. - - - name: Lint & test flask-aserto package - run : | - cd packages/flask-aserto poetry install poetry run pyright . + + - name: Run tests + run: | poetry run pytest -vv - cd ../.. \ No newline at end of file diff --git a/.github/workflows/gitleaks-check.yml b/.github/workflows/gitleaks-check.yml new file mode 100644 index 0000000..f0443b2 --- /dev/null +++ b/.github/workflows/gitleaks-check.yml @@ -0,0 +1,13 @@ +name: gitleaks-check + +on: [pull_request] + +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: gitleaks-check + uses: aserto-dev/gitleaks-action@master \ No newline at end of file diff --git a/DEVELOPER.md b/DEVELOPER.md deleted file mode 100644 index 43b645d..0000000 --- a/DEVELOPER.md +++ /dev/null 
@@ -1,55 +0,0 @@ -# Aserto Python package development - -## First time setup instructions - -### pyenv -Follow the pyenv [installation instructions](https://github.com/pyenv/pyenv#installation). This tool will allow us to easily switch between different Python versions as needed. - -*For all following steps make sure your shell is located in your local checkout of this repository.* - -Then run: -```sh -pyenv install -``` -This will install the version of Python specified by `.python-version`. This is the minimum supported version of Python for the SDK package. - -### Poetry -Install [Poetry](https://python-poetry.org/docs/#installation). This must be [installed after pyenv](https://github.com/python-poetry/poetry/issues/651#issuecomment-864533910) has been installed. Poetry is used for managing package dependencies and publishing packages to [PyPI](https://pypi.org/). - -Each package has its own `pyproject.toml` file. For every package you're developing on navigate to its directory and run: -```sh -poetry install -``` - -You can verify that your environment is correctly setup by running: -```sh -poetry run python -V -``` -and verifying that the version number matches the one in `.python_version`. - -## Commands - -### Run tests -```sh -poetry run pytest -``` - -### Run the typechecker -```sh -poetry run mypy src -``` - -## Directory layout -TODO - -## Running PeopleFinder example services -1. Navigate to the `peoplefinder_example` directory. -2. Follow the steps in `.env.example` to create a `.env` file. -3. Run: -```sh -poetry run flask run -``` -4. Start only the front-end of the PeopleFinder service in your local checkout of https://github.com/aserto-demo/peoplefinder. -``` -yarn spa -``` \ No newline at end of file diff --git a/README.md b/README.md index 80942dd..9196582 100644 --- a/README.md +++ b/README.md 
@@ -1,12 +1,342 @@ -# Aserto - Welcome to modern authorization -This is the home of all the packages that will allow you to use [Aserto](https://www.aserto.com/)'s services from your Python code. -## Packages -[`aserto`](https://github.com/aserto-dev/aserto-python/tree/main/packages/aserto) - Provides a high level interface to Aserto's services. It's the recommended package to fall back to when the web framework integrations don't fit your needs. +# Aserto API client -[`aserto-authorizer-grpc`](https://github.com/aserto-dev/aserto-python/tree/main/packages/aserto-authorizer-grpc) - Lower-level interface specifically to Aserto's Authorizer service. This is for advanced users that need more fine-grained control than the `aserto` package provides. +High-level client interface to Aserto's APIs. -[`aserto-idp`](https://github.com/aserto-dev/aserto-python/tree/main/packages/aserto-idp) - Used to more easily create identity providers for Aserto's other packages. -### Web framework integration -[`flask-aserto`](https://github.com/aserto-dev/aserto-python/tree/main/packages/flask-aserto) - For easier integration into [Flask](https://github.com/pallets/flask) apps. +## Authorizer +The client can be used for interacting with Aserto's [Authorizer service](https://docs.aserto.com/docs/authorizer-guide/overview). -...more on the way! 
\ No newline at end of file +## Installation + +### Using Pip + +```sh +pip install aserto +``` + +### Using Poetry + +```sh +poetry add aserto +``` + +## Usage + +```py +from aserto.client import AuthorizerOptions, Identity +from aserto.client.authorizer import AuthorizerClient + + +client = AuthorizerClient( + identity=Identity(type="NONE"), + options=AuthorizerOptions( + api_key=ASERTO_API_KEY, + tenant_id=ASERTO_TENANT_ID, + ), +) + +result = await client.decision_tree( + decisions=["visible", "enabled", "allowed"], + policy_instance_name=ASERTO_POLICY_INSTANCE_NAME, + policy_instance_label=ASERTO_POLICY_INSTANCE_LABEL, + policy_path_root=ASERTO_POLICY_PATH_ROOT, + policy_path_separator="DOT", +) + +assert result == { + "GET.your.policy.path": { + "visible": True, + "enabled": True, + "allowed": False, + }, +} +``` + +## Directory + +The Directory APIs can be used to interact with the aserto directory services. +It provides CRUD operations on objects and relations, including bulk import and export. +The client can also be used to check whether a user has a permission or relation on an object instance. + +### Directory Client + +You can initialize a directory client as follows: + +```py +from aserto.client.directory.v3 import Directory + +ds = Directory(api_key="my_api_key", tenant_id="1234", address="localhost:9292") +``` + +- `address`: hostname:port of directory service (_required_) +- `api_key`: API key for directory service (_required_ if using hosted directory) +- `tenant_id`: Aserto tenant ID (_required_ if using hosted directory) +- `cert`: Path to the grpc service certificate when connecting to local topaz instance. + +#### `get_object` + +Get a directory object instance with the type and the id, optionally with the object's relations. 
+ +```py +# without relations: +user = ds.get_object(object_type="user", object_id="euang@acmecorp.com") + +# with relations: +page = PaginationRequest(size=10) +while True: + resp = ds.get_object(object_type="user", object_id="euang@acmecorp.com", with_relations=True, page=page) + user = resp.result # The returned object. + relations_page = resp.relations # A page of relations. + + if not resp.page.next_token: + # we've reached the last page. + break + + # request the next page. + page.token = resp.page.next_token + +``` + +#### `get_objects_many` + +Similar to `get_object` but can retrieve multiple object instances in a single request. +```py +objects = ds.get_object_many( + [ + ObjectIdentifier(type="user", id="euan@acmecorp.com"), + ObjectIdentifier(type="group", id="marketing"), + ] +) +``` + +#### `get_objects` + +Get object instances with an object type type pagination info (page size and pagination token). + +```py +from aserto.client.directory.v3 import PaginationRequest + +users = ds.get_objects(object_type="user", page=PaginationRequest(size=10)) +``` + + +#### `set_object` + +Create an object instance with the specified properties. If an `etag` is specified and is different from the current +object's etag, the call raises an `ETagMismatchError`. 
+ +```py +# pass object fields as arguments: +user = ds.set_object( + object_type="user", + object_id="new-user@acmecorp.com", + display_name="John Doe", + "properties": {"active": True, "department": "Engineering"}, +} + +# set_object can also take an Object parameter: +user.display_name = "Jane Doe" +user.properties["title"] = "Senior Engineer" +updated_user = ds.set_object(object=user) +``` + +#### `delete_object` + +Delete an object instance and optionally its relations, using its type and id: + +```py +# delete an object +ds.delete_object(object_type="user", object_id="test-object") + +# delete an object and all its relations +ds.delete_object(object_type="user", object_id="test-object", with_relations=True) +``` + +#### `get_relation` + +Retrieve a single relation from the directory or raise a `NotFoundError` if no matching relation exists. + +```py +# get the manager of euang@acmecorp.com: +relation = ds.get_relation( + object_type="user", + relation="manager", + subject_type="user", + subject_id="euang@acmecorp.com", +) + +assert relation.object_id + +# include the relation's object and subject in the response: +response = ds.get_relation( + object_type="user", + relation="manager", + subject_type="user", + subject_id="euang@acmecorp.com", + with_relations=True, +) + +assert response.relation.object_id +assert response.subject.display_name == "Euan Garden" +assert response.object.properties["department"] == "Sales" +# +``` + +#### `get_relations` + +Searches the directory for relations matching the specified criteria, optionally including the object and subject +of each returned relation. 
+ +```py +# find all groups a user is a member of: +page = PaginationRequest(size=10) + +while True: + response = ds.get_relations( + object_type="group", + "relation"="member", + "subject_type": "user", + "subject_id": "euang@acmecorp.com", + with_objects=True, + page=page, + ) + + if not response.page.next_token: + break + + page.token = response.page.next_token +``` + +#### `set_relation` + +Create a new relation. + +```py +ds.set_relation( + object_type="group", + object_id="admin", + relation="member", + subject_type="user", + subject_id="euang@acmecorp.com", +) +``` + +#### `delete_relation` + +Delete a relation. + +```py +ds.delete_relation( + object_type="group", + object_id="admin", + relation="member", + subject_type="user", + subject_id="euang@acmecorp.com", +) +``` + +#### `check` + +Check if a subject has a given relation or permission on an object. + +```py +allowed = ds.check( + object_type="folder", + object_id="/path/to/folder", + relation="can_delete", + subject_type="user", + subject_id="euang@acmecorp.com", +) +``` + +#### `get_manifest ` + +Download the directory manifest. + +```py +manifest = ds.get_manifest() + +print(manifest.body) # yaml manifest + +# conditionally get the manifest if its etag has changed +new_manifest = ds.get_manifest(etag=manifest.etag) + +assert new_manifest is None # the manifest hasn't changed +``` + +#### `set_manifest` + +Upload a new directory manifest. + +```py +with open("manifest.yaml", "rb") as f: + manifest = f.read() + +ds.set_manifest(manifest) +``` + +#### `import_data` + +Bulk-insert objects and/or relations to the directory. Returns a summary of the number of objects/relations affected. + +```py +# import an object and a relation. 
+data = [ + Object(type="user", id="test@acmecorp.com"), + Relation( + object_type="user", + object_id="euang@acmecorp.com", + relation="manager", + subject_type="user", + subject_id="test@acmecorp.com", + ), +] + +response = ds.import_data(data) + +assert response.objects.set == 1 +assert response.object.error == 0 +assert response.relations.set == 1 +assert response.relations.error == 0 +``` + +#### `export_data` + +Bulk-retrieve objects and/or relations from the directory. + + +```py +from aserto.client.directory.v3 import ExportOption, Object, Relation + +# export all objects and relations +for item in ds.export(ExportOption.OPTION_DATA): + if isinstance(item, Object): + print("object:", item) + elif isinstance(item, Relation): + print("relation:", item) +``` + +### Async Directory Client + +You can initialize an asynchronous directory client as follows: + +```py +from aserto.client.directory.v3.aio import Directory + +ds = Directory(api_key="my_api_key", tenant_id="1234", address="localhost:9292") +``` + +The methods on the async directory have the same signatures as their synchronous counterparts. + +### Directory v2 client + +To interact with older instances of the directory service, a v2 client is available with limited functionality. +The v2 client doesn't support `get_manifest`/`set_manifest`, and `import_data`/`export_data`. + +```py +from aserto.client.directory.v2 import Directory +ds = Directory(api_key="my_api_key", tenant_id="1234", address="localhost:9292") +``` + +## License + +This project is licensed under the MIT license. See the [LICENSE](https://github.com/aserto-dev/aserto-python/blob/main/LICENSE) file for more info. diff --git a/packages/aserto-idp/README.md b/packages/aserto-idp/README.md deleted file mode 100644 index 2277a5e..0000000 --- a/packages/aserto-idp/README.md +++ /dev/null 
@@ -1,50 +0,0 @@ -# Aserto Identity Providers -Common identity providers for use with Aserto client libraries - -## Installation -### Using Pip -```sh -pip install aserto-idp -``` -### Using Poetry -```sh -poetry add aserto-idp -``` -## Current Identity Providers -### OpenID Connect -```py -from aserto_idp.oidc import identity_provider -``` -## Usage -### With [`aserto-authorizer-grpc`](https://github.com/aserto-dev/aserto-python/tree/HEAD/packages/aserto-authorizer-grpc) -```py -from aserto.client import IdentityContext, IdentityType -from aserto_idp.oidc import AccessTokenError, identity_provider - -oidc_provider = identity_provider(issuer=OIDC_ISSUER, client_id=OIDC_CLIENT_ID) - -try: - subject = await oidc_provider.subject_from_jwt_auth_header(request.headers["Authorization"]) - - identity_context = IdentityContext( - type=IdentityType.IDENTITY_TYPE_SUB, - identity=subject, - ) -except AccessTokenError: - identity_context = IdentityContext(type=IdentityType.IDENTITY_TYPE_NONE) - -``` -### With [`aserto`](https://github.com/aserto-dev/aserto-python/tree/HEAD/packages/aserto) -```py -from aserto import Identity -from aserto_idp.oidc import AccessTokenError, IdentityProvider - -oidc_provider = identity_provider(issuer=OIDC_ISSUER, client_id=OIDC_CLIENT_ID) - -try: - subject = await oidc_provider.subject_from_jwt_auth_header(request.headers["Authorization"]) - - identity = Identity(type="SUBJECT", subject=subject) -except AccessTokenError: - identity = Identity(type="NONE") -``` diff --git a/packages/aserto-idp/poetry.lock b/packages/aserto-idp/poetry.lock deleted file mode 100644 index efebd86..0000000 --- a/packages/aserto-idp/poetry.lock +++ /dev/null 
@@ -1,455 +0,0 @@ -[[package]] -name = "aiohttp" -version = "3.9.1" -description = "Async http client/server framework (asyncio)" -category = "main" -optional = false -python-versions = ">=3.8" - -[package.dependencies] -aiosignal = ">=1.1.2" -async-timeout = {version = ">=4.0,<5.0", markers = "python_version < \"3.11\""} -attrs = ">=17.3.0" -frozenlist = ">=1.1.1" -multidict = ">=4.5,<7.0" -yarl = ">=1.0,<2.0" - -[package.extras] -speedups = ["brotlicffi", "brotli", "aiodns"] - -[[package]] -name = "aiosignal" -version = "1.3.1" -description = "aiosignal: a list of registered asynchronous callbacks" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -frozenlist = ">=1.1.0" - -[[package]] -name = "async-timeout" -version = "4.0.3" -description = "Timeout context manager for asyncio programs" -category = "main" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "attrs" -version = "23.1.0" -description = "Classes Without Boilerplate" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.extras] -cov = ["attrs", "coverage[toml] (>=5.3)"] -dev = ["attrs", "pre-commit"] -docs = ["furo", "myst-parser", "sphinx", "sphinx-notfound-page", "sphinxcontrib-towncrier", "towncrier", "zope-interface"] -tests = ["attrs", "zope-interface"] -tests-no-zope = ["cloudpickle", "hypothesis", "mypy (>=1.1.1)", "pympler", "pytest-mypy-plugins", "pytest-xdist", "pytest (>=4.3.0)"] - -[[package]] -name = "black" -version = "23.11.0" -description = "The uncompromising code formatter." 
-category = "dev" -optional = false -python-versions = ">=3.8" - -[package.dependencies] -click = ">=8.0.0" -mypy-extensions = ">=0.4.3" -packaging = ">=22.0" -pathspec = ">=0.9.0" -platformdirs = ">=2" -tomli = {version = ">=1.1.0", markers = "python_version < \"3.11\""} -typing-extensions = {version = ">=4.0.1", markers = "python_version < \"3.11\""} - -[package.extras] -colorama = ["colorama (>=0.4.3)"] -d = ["aiohttp (>=3.7.4)"] -jupyter = ["ipython (>=7.8.0)", "tokenize-rt (>=3.2.0)"] -uvloop = ["uvloop (>=0.15.2)"] - -[[package]] -name = "cffi" -version = "1.16.0" -description = "Foreign Function Interface for Python calling C code." -category = "main" -optional = false -python-versions = ">=3.8" - -[package.dependencies] -pycparser = "*" - -[[package]] -name = "click" -version = "8.1.7" -description = "Composable command line interface toolkit" -category = "dev" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -colorama = {version = "*", markers = "platform_system == \"Windows\""} - -[[package]] -name = "colorama" -version = "0.4.6" -description = "Cross-platform colored terminal text." -category = "dev" -optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" - -[[package]] -name = "coverage" -version = "7.3.2" -description = "Code coverage measurement for Python" -category = "dev" -optional = false -python-versions = ">=3.8" - -[package.dependencies] -tomli = {version = "*", optional = true, markers = "python_full_version <= \"3.11.0a6\" and extra == \"toml\""} - -[package.extras] -toml = ["tomli"] - -[[package]] -name = "cryptography" -version = "41.0.7" -description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." 
-category = "main" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -cffi = ">=1.12" - -[package.extras] -docs = ["sphinx (>=5.3.0)", "sphinx-rtd-theme (>=1.1.1)"] -docstest = ["pyenchant (>=1.6.11)", "twine (>=1.12.0)", "sphinxcontrib-spelling (>=4.0.1)"] -nox = ["nox"] -pep8test = ["black", "ruff", "mypy", "check-sdist"] -sdist = ["build"] -ssh = ["bcrypt (>=3.1.5)"] -test = ["pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist", "pretend"] -test-randomorder = ["pytest-randomly"] - -[[package]] -name = "ecdsa" -version = "0.18.0" -description = "ECDSA cryptographic signature library (pure python)" -category = "main" -optional = false -python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*" - -[package.dependencies] -six = ">=1.9.0" - -[package.extras] -gmpy = ["gmpy"] -gmpy2 = ["gmpy2"] - -[[package]] -name = "exceptiongroup" -version = "1.2.0" -description = "Backport of PEP 654 (exception groups)" -category = "dev" -optional = false -python-versions = ">=3.7" - -[package.extras] -test = ["pytest (>=6)"] - -[[package]] -name = "frozenlist" -version = "1.4.0" -description = "A list-like structure which implements collections.abc.MutableSequence" -category = "main" -optional = false -python-versions = ">=3.8" - -[[package]] -name = "idna" -version = "3.6" -description = "Internationalized Domain Names in Applications (IDNA)" -category = "main" -optional = false -python-versions = ">=3.5" - -[[package]] -name = "iniconfig" -version = "2.0.0" -description = "brain-dead simple config-ini parsing" -category = "dev" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "isort" -version = "5.12.0" -description = "A Python utility / library to sort Python imports." 
-category = "dev" -optional = false -python-versions = ">=3.8.0" - -[package.extras] -colors = ["colorama (>=0.4.3)"] -requirements-deprecated-finder = ["pip-api", "pipreqs"] -pipfile-deprecated-finder = ["pip-shims (>=0.5.2)", "pipreqs", "requirementslib"] -plugins = ["setuptools"] - -[[package]] -name = "multidict" -version = "6.0.4" -description = "multidict implementation" -category = "main" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "mypy-extensions" -version = "1.0.0" -description = "Type system extensions for programs checked with the mypy type checker." -category = "dev" -optional = false -python-versions = ">=3.5" - -[[package]] -name = "nodeenv" -version = "1.8.0" -description = "Node.js virtual environment builder" -category = "dev" -optional = false -python-versions = ">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*" - -[[package]] -name = "packaging" -version = "23.2" -description = "Core utilities for Python packages" -category = "dev" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "pathspec" -version = "0.11.2" -description = "Utility library for gitignore style pattern matching of file paths." -category = "dev" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "platformdirs" -version = "4.0.0" -description = "A small Python package for determining appropriate platform-specific dirs, e.g. a \"user data dir\"." 
-category = "dev" -optional = false -python-versions = ">=3.7" - -[package.extras] -docs = ["furo (>=2023.7.26)", "proselint (>=0.13)", "sphinx-autodoc-typehints (>=1.24)", "sphinx (>=7.1.1)"] -test = ["appdirs (==1.4.4)", "covdefaults (>=2.3)", "pytest-cov (>=4.1)", "pytest-mock (>=3.11.1)", "pytest (>=7.4)"] - -[[package]] -name = "pluggy" -version = "1.3.0" -description = "plugin and hook calling mechanisms for python" -category = "dev" -optional = false -python-versions = ">=3.8" - -[package.extras] -dev = ["pre-commit", "tox"] -testing = ["pytest", "pytest-benchmark"] - -[[package]] -name = "pyasn1" -version = "0.5.1" -description = "Pure-Python implementation of ASN.1 types and DER/BER/CER codecs (X.208)" -category = "main" -optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,>=2.7" - -[[package]] -name = "pycparser" -version = "2.21" -description = "C parser in Python" -category = "main" -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" - -[[package]] -name = "pyright" -version = "1.1.337" -description = "Command line wrapper for pyright" -category = "dev" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -nodeenv = ">=1.6.0" - -[package.extras] -all = ["twine (>=3.4.1)"] -dev = ["twine (>=3.4.1)"] - -[[package]] -name = "pytest" -version = "7.4.3" -description = "pytest: simple powerful testing with Python" -category = "dev" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -colorama = {version = "*", markers = "sys_platform == \"win32\""} -exceptiongroup = {version = ">=1.0.0rc8", markers = "python_version < \"3.11\""} -iniconfig = "*" -packaging = "*" -pluggy = ">=0.12,<2.0" -tomli = {version = ">=1.0.0", markers = "python_version < \"3.11\""} - -[package.extras] -testing = ["argcomplete", "attrs (>=19.2.0)", "hypothesis (>=3.56)", "mock", "nose", "pygments (>=2.7.2)", "requests", "setuptools", "xmlschema"] - -[[package]] -name = "pytest-asyncio" 
-version = "0.15.1" -description = "Pytest support for asyncio." -category = "dev" -optional = false -python-versions = ">= 3.6" - -[package.dependencies] -pytest = ">=5.4.0" - -[package.extras] -testing = ["coverage", "hypothesis (>=5.7.1)"] - -[[package]] -name = "pytest-cov" -version = "3.0.0" -description = "Pytest plugin for measuring coverage." -category = "dev" -optional = false -python-versions = ">=3.6" - -[package.dependencies] -coverage = {version = ">=5.2.1", extras = ["toml"]} -pytest = ">=4.6" - -[package.extras] -testing = ["fields", "hunter", "process-tests", "six", "pytest-xdist", "virtualenv"] - -[[package]] -name = "python-jose" -version = "3.3.0" -description = "JOSE implementation in Python" -category = "main" -optional = false -python-versions = "*" - -[package.dependencies] -cryptography = {version = ">=3.4.0", optional = true, markers = "extra == \"cryptography\""} -ecdsa = "!=0.15" -pyasn1 = "*" -rsa = "*" - -[package.extras] -cryptography = ["cryptography (>=3.4.0)"] -pycrypto = ["pycrypto (>=2.6.0,<2.7.0)", "pyasn1"] -pycryptodome = ["pycryptodome (>=3.3.1,<4.0.0)", "pyasn1"] - -[[package]] -name = "rsa" -version = "4.9" -description = "Pure-Python RSA implementation" -category = "main" -optional = false -python-versions = ">=3.6,<4" - -[package.dependencies] -pyasn1 = ">=0.1.3" - -[[package]] -name = "six" -version = "1.16.0" -description = "Python 2 and 3 compatibility utilities" -category = "main" -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*" - -[[package]] -name = "tomli" -version = "2.0.1" -description = "A lil' TOML parser" -category = "dev" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "typing-extensions" -version = "4.8.0" -description = "Backported and Experimental Type Hints for Python 3.8+" -category = "dev" -optional = false -python-versions = ">=3.8" - -[[package]] -name = "yarl" -version = "1.9.3" -description = "Yet another URL library" -category = "main" -optional = false 
-python-versions = ">=3.7" - -[package.dependencies] -idna = ">=2.0" -multidict = ">=4.0" - -[metadata] -lock-version = "1.1" -python-versions = "^3.8" -content-hash = "8847f0250fd18d125e5026cdd1d33d334acf7cb858fa216f3a22cba7eabff6de" - -[metadata.files] -aiohttp = [] -aiosignal = [] -async-timeout = [] -attrs = [] -black = [] -cffi = [] -click = [] -colorama = [] -coverage = [] -cryptography = [] -ecdsa = [] -exceptiongroup = [] -frozenlist = [] -idna = [] -iniconfig = [] -isort = [] -multidict = [] -mypy-extensions = [] -nodeenv = [] -packaging = [] -pathspec = [] -platformdirs = [] -pluggy = [] -pyasn1 = [] -pycparser = [] -pyright = [] -pytest = [] -pytest-asyncio = [] -pytest-cov = [] -python-jose = [] -rsa = [] -six = [] -tomli = [] -typing-extensions = [] -yarl = [] diff --git a/packages/aserto-idp/pyproject.toml b/packages/aserto-idp/pyproject.toml deleted file mode 100644 index 02a7c33..0000000 --- a/packages/aserto-idp/pyproject.toml +++ /dev/null 
@@ -1,53 +0,0 @@ -[tool.poetry] -name = "aserto-idp" -version = "0.3.1" -description = "Common identity providers for use with Aserto client libraries" -readme = "README.md" -authors = ["Aserto, Inc. "] -maintainers = ["authereal "] -homepage = "https://github.com/aserto-dev/aserto-python/tree/HEAD/packages/aserto-idp" -repository = "https://github.com/aserto-dev/aserto-python/tree/HEAD/packages/aserto-idp" -documentation = "https://github.com/aserto-dev/aserto-python/tree/HEAD/packages/aserto-idp" -license = "Apache-2.0" -classifiers = [ - "Intended Audience :: Developers", - "License :: OSI Approved :: Apache Software License", - "Operating System :: OS Independent", - "Programming Language :: Python", - "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3 :: Only", - "Programming Language :: Python :: 3.8", - "Programming Language :: Python :: 3.9", - "Programming Language :: Python :: 3.10", - "Programming Language :: Python :: 3.11", - "Programming Language :: Python :: 3.12", - "Topic :: Software Development :: Libraries", - "Typing :: Typed", -] -packages = [ - {include = "aserto_idp", from = "src"} -] - -[tool.poetry.dependencies] -python = "^3.8" -aiohttp = "^3.8.0" -python-jose = {version = "^3.3.0", extras = ["cryptography"]} - -[tool.poetry.dev-dependencies] -black = "^23.0" -isort= "^5.9.0" -pytest-asyncio = "^0.15.0" -pyright = "^1.1.0" -pytest-cov = "^3.0.0" - -[tool.black] -line-length = 100 -target-version = ["py38"] - -[tool.isort] -profile = "black" - -[build-system] -requires = ["poetry-core>=1.0.0"] -build-backend = "poetry.core.masonry.api" - diff --git a/packages/aserto-idp/src/aserto_idp/auth0.py b/packages/aserto-idp/src/aserto_idp/auth0.py deleted file mode 100644 index 06c4a19..0000000 --- a/packages/aserto-idp/src/aserto_idp/auth0.py +++ /dev/null 
@@ -1,62 +0,0 @@ -import warnings - -from aiohttp import ClientSession -from jose import jwk, jwt - -__all__ = ["generate_oauth_subject_from_auth_header", "AccessTokenError"] - - -warnings.warn( - "aserto_idp.auth0 is deprecated and will be removed in future versions. Use aserto_idp.oidc instead." -) - - -class AccessTokenError(Exception): - pass - - -async def generate_oauth_subject_from_auth_header( - *, - authorization_header: str, - domain: str, - client_id: str, - audience: str, -) -> str: - parts = authorization_header.split() - if not parts: - raise AccessTokenError("Authorization header missing") - elif parts[0].lower() != "bearer": - raise AccessTokenError("Authorization header must start with 'Bearer'") - elif len(parts) == 1: - raise AccessTokenError("Bearer token not found") - elif len(parts) > 2: - raise AccessTokenError("Authorization header must be a valid Bearer token") - - _, token = parts - - header = jwt.get_unverified_header(token) - if "kid" not in header: - raise AccessTokenError("Bearer token does not have 'kid' claim") - - kid = header["kid"] - - async with ClientSession() as session: - jwks_url = f"https://{domain}/.well-known/jwks.json" - async with session.get(jwks_url) as response: - jwks = await response.json() - - for key in jwks["keys"]: - if key["kid"] == kid: - rsa_key = jwk.construct(key).to_pem() - break - else: - raise AccessTokenError(f"RSA public key with ID '{kid}' was not found.") - - payload = jwt.decode(token, rsa_key, algorithms=["RS256"], audience=audience) - if payload["azp"] != client_id: - raise AccessTokenError(f"'azp' claim '{payload['azp']}' does not match Auth0 client ID") - - if not isinstance(payload["sub"], str): - raise AccessTokenError(f"'sub' claim '{payload['sub']}'is not a valid identity") - - return payload["sub"] diff --git a/packages/aserto-idp/src/aserto_idp/oidc/__init__.py b/packages/aserto-idp/src/aserto_idp/oidc/__init__.py deleted file mode 100644 index d9115a4..0000000 
--- a/packages/aserto-idp/src/aserto_idp/oidc/__init__.py +++ /dev/null @@ -1,31 +0,0 @@ -"""OpenID Connect Identity Provider - -This module implements an OpenID Connect provider that can be used with Aserto client libraries. -""" -from typing import Optional - -from .discovery import DiscoveryClient -from .errors import AccessTokenError, DiscoveryError -from .provider import IdentityProvider - -__all__ = ["AccessTokenError", "DiscoveryError", "identity_provider", "IdentityProvider"] - - -def identity_provider( - issuer: str, client_id: str, audience: Optional[str] = None -) -> IdentityProvider: - """Creates a new OpenID Connect identity provider. - - Args: - issuer: The OpenID Connect Issuer Identifier of the identity provider as defined in - https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier. - client_id: The OAuth 2.0 Client Identifier issued by the authorization server. - See https://datatracker.ietf.org/doc/html/rfc6749#section-2.2. - audience: An optional identifier of the audience(s) for which tokens are intended. If omitted, ``client_id`` - is used. - - Returns: - An ``IdentityProvider`` that can validate JWT tokens created by ``issuer`` and extract subject names. - """ - discovery = DiscoveryClient(issuer) - return IdentityProvider(discovery, client_id, audience) diff --git a/packages/aserto-idp/src/aserto_idp/oidc/discovery.py b/packages/aserto-idp/src/aserto_idp/oidc/discovery.py deleted file mode 100644 index f7f479c..0000000 --- a/packages/aserto-idp/src/aserto_idp/oidc/discovery.py +++ /dev/null 
@@ -1,99 +0,0 @@ -"""OpenID Connect Discovery - -This module implments a subset of the OpenID Connect Discovery 1.0 specification -(https://openid.net/specs/openid-connect-discovery-1_0.html). - -It provides the means to discover and retrieve an OpenID Connect issuer's keyset and find the signing key for -a specified JWT. -""" -import os.path -from typing import Dict, List, Optional, Union -from urllib.parse import urlparse - -from aiohttp import ClientSession - -from aserto_idp.oidc.errors import DiscoveryError - -OidcConfig = Dict[str, Union[str, List[str]]] -Key = Dict[str, str] -KeySet = Dict[str, List[Key]] - - -class DiscoveryClient: - """Client implementation of the OpenID Connect Discovery 1.0 specification. - - Args: - issuer: The OpenID Connect Issuer Identifier of the server issuing tokens. - """ - - def __init__(self, issuer: str): - self.issuer = issuer_url(issuer) - self.discovery_url = os.path.join(self.issuer, ".well-known/openid-configuration") - self._keyset: Optional[KeySet] = None - - async def find_signing_key(self, key_id: str) -> Key: - """Find and return the signing key for the specified key ID. - - Args: - key_id: The ID of the key used by the OIDC issuer to sign a JWT being verified. Key IDs are extracted from - the "kid" JOSE header of a JWT - (https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-signature#section-4.1.4). - - Returns: - A ``dict`` - """ - for _ in range(2): - # If we can't find the key ID in the issuer's keyset, clear the cache and try again. - keyset = await self.keyset() - keys = keyset.get("keys") - if not keys: - raise DiscoveryError("Keyset missing required field 'keys': {keys}") - - for key in keys: - if key["kid"] == key_id: - return key - - self.clear_keyset_cache() - - raise DiscoveryError(f"RSA public key with ID '{key_id}' was not found.") - - async def keyset(self) -> KeySet: - """Downloads the OIDC issuer's signing key-set. 
- - The key-set URL is retrieved from the "jwks_uri" field in the issuer's OIDC configuration - (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). - - Returns: - A ``dict`` containing the downloaded JOSE key-set. - """ - if not self._keyset: - config = await self.config() - keyset_url = config.get("jwks_uri") - if not keyset_url: - raise DiscoveryError("Issuer openid-configuration missing 'jwks_uri'") - - self._keyset = await get_json(keyset_url) # type: ignore - - return self._keyset - - async def config(self) -> OidcConfig: - return await get_json(self.discovery_url) - - def clear_keyset_cache(self) -> None: - self._keyset = None - - -def issuer_url(issuer: str) -> str: - url = urlparse(issuer) - if not url.scheme: - # issuer is not a full URL - return f"https://{issuer}" - elif url.scheme != "https": - raise ValueError("OIDC issuer MUST use the 'https' scheme.") - return issuer - - -async def get_json(url: str) -> dict: # type: ignore - async with ClientSession() as session: - async with session.get(url) as response: - return await response.json() diff --git a/packages/aserto-idp/src/aserto_idp/oidc/errors.py b/packages/aserto-idp/src/aserto_idp/oidc/errors.py deleted file mode 100644 index 2da6637..0000000 --- a/packages/aserto-idp/src/aserto_idp/oidc/errors.py +++ /dev/null @@ -1,6 +0,0 @@ -class AccessTokenError(Exception): - """An error that occurs while processing an access token.""" - - -class DiscoveryError(AccessTokenError): - """An error that occurs during the OIDC discovery process.""" diff --git a/packages/aserto-idp/src/aserto_idp/oidc/provider.py b/packages/aserto-idp/src/aserto_idp/oidc/provider.py deleted file mode 100644 index 12c1fa8..0000000 --- a/packages/aserto-idp/src/aserto_idp/oidc/provider.py +++ /dev/null 
@@ -1,60 +0,0 @@ -from typing import Optional - -from jose import jwt - -from aserto_idp.oidc.discovery import DiscoveryClient -from aserto_idp.oidc.errors import AccessTokenError - - -class IdentityProvider: - def __init__( - self, - discovery_client: DiscoveryClient, - client_id: str, - audience: Optional[str] = None, - ): - self.discovery_client: DiscoveryClient = discovery_client - self.client_id: str = client_id - self.audience: str = audience or client_id - - async def subject_from_jwt_auth_header( - self, - authorization_header: str, - access_token: Optional[str] = None, - ) -> str: - token = self._parse_authorization_header(authorization_header) - key_id = get_key_id(token) - key = await self.discovery_client.find_signing_key(key_id) - - options = {"verify_at_hash": access_token is not None} - claims = jwt.decode(token, key, options=options, audience=self.audience) - if "azp" in claims and claims["azp"] != self.client_id: - raise AccessTokenError(f"'azp' claim '{claims['azp']}' does not match client ID") - - if not isinstance(claims["sub"], str): - raise AccessTokenError(f"'sub' claim '{claims['sub']}'is not a valid identity") - - return claims["sub"] - - @staticmethod - def _parse_authorization_header(header: str) -> str: - parts = header.split() - if not parts: - raise AccessTokenError("Authorization header missing") - elif parts[0].lower() != "bearer": - raise AccessTokenError("Authorization header must start with 'Bearer'") - elif len(parts) == 1: - raise AccessTokenError("Bearer token not found") - elif len(parts) > 2: - raise AccessTokenError("Authorization header must be a valid Bearer token") - - _, token = parts - return token - - -def get_key_id(token: str) -> str: - kid = jwt.get_unverified_header(token).get("kid") - if not kid: - raise AccessTokenError("Bearer token does not have 'kid' claim") - - return kid # type: ignore 
diff --git a/packages/aserto-idp/test/test_oidc.py b/packages/aserto-idp/test/test_oidc.py deleted file mode 100644 index 02c6d40..0000000 --- a/packages/aserto-idp/test/test_oidc.py +++ /dev/null @@ -1,38 +0,0 @@ -import pytest - -from aserto_idp.oidc import AccessTokenError, identity_provider - -ISSUER = "issuer" -CLIENT_ID = "client_id" - - -@pytest.fixture -def idp(): - return identity_provider(issuer=ISSUER, client_id=CLIENT_ID) - - -def test_create(idp): - assert idp.discovery_client.issuer == f"https://{ISSUER}" - assert idp.client_id == idp.audience == CLIENT_ID - - -def test_parse_empty_header(idp): - for token in ("", " ", "\t", " "): - with pytest.raises(AccessTokenError, match="Authorization header missing"): - idp._parse_authorization_header(token) - - -def test_not_bearer_token(idp): - for token in ("basic xyz", "xyz"): - with pytest.raises(AccessTokenError, match="Authorization header must start with 'Bearer'"): - idp._parse_authorization_header(token) - - -def test_empty_bearer(idp): - with pytest.raises(AccessTokenError, match="Bearer token not found"): - idp._parse_authorization_header("bearer ") - - -def test_too_many_header_parts(idp): - with pytest.raises(AccessTokenError, match="Authorization header must be a valid Bearer token"): - idp._parse_authorization_header("bearer xyz 123") diff --git a/packages/aserto-idp/tox.ini b/packages/aserto-idp/tox.ini deleted file mode 100644 index a5ee60a..0000000 --- a/packages/aserto-idp/tox.ini +++ /dev/null @@ -1,12 +0,0 @@ -[tox] -skipsdist = true -envlist = py37, py38, py39, py310 - -[testenv] -whitelist_externals = poetry -commands = - poetry install -v - poetry run black . - poetry run isort . - poetry run pytest --cov src/ - poetry run mypy src diff --git a/packages/aserto/README.md b/packages/aserto/README.md deleted file mode 100644 index a30571c..0000000 --- a/packages/aserto/README.md +++ /dev/null 
@@ -1,342 +0,0 @@ -# Aserto API client - -High-level client interface to Aserto's APIs. - -At the moment this only supports interacting with Aserto's [Authorizer service](https://docs.aserto.com/docs/authorizer-guide/overview). - -## Installation - -### Using Pip - -```sh -pip install aserto -``` - -### Using Poetry - -```sh -poetry add aserto -``` - -## Usage - -```py -from aserto.client import AuthorizerOptions, Identity -from aserto.client.api.authorizer import AuthorizerClient - - -client = AuthorizerClient( - identity=Identity(type="NONE"), - options=AuthorizerOptions( - api_key=ASERTO_API_KEY, - tenant_id=ASERTO_TENANT_ID, - service_type="gRPC", - ), -) - -result = await client.decision_tree( - decisions=["visible", "enabled", "allowed"], - policy_instance_name=ASERTO_POLICY_INSTANCE_NAME, - policy_instance_label=ASERTO_POLICY_INSTANCE_LABEL, - policy_path_root=ASERTO_POLICY_PATH_ROOT, - policy_path_separator="DOT", -) - -assert result == { - "GET.your.policy.path": { - "visible": True, - "enabled": True, - "allowed": False, - }, -} -``` - -## Directory - -The Directory APIs can be used to interact with the aserto directory services. -It provides CRUD operations on objects and relations, including bulk import and export. -The client can also be used to check whether a user has a permission or relation on an object instance. - -### Directory Client - -You can initialize a directory client as follows: - -```py -from aserto.client.directory.v3 import Directory - -ds = Directory(api_key="my_api_key", tenant_id="1234", address="localhost:9292") -``` - -- `address`: hostname:port of directory service (_required_) -- `api_key`: API key for directory service (_required_ if using hosted directory) -- `tenant_id`: Aserto tenant ID (_required_ if using hosted directory) -- `cert`: Path to the grpc service certificate when connecting to local topaz instance. 
- -#### `get_object` - -Get a directory object instance with the type and the id, optionally with the object's relations. - -```py -# without relations: -user = ds.get_object(object_type="user", object_id="euang@acmecorp.com") - -# with relations: -page = PaginationRequest(size=10) -while True: - resp = ds.get_object(object_type="user", object_id="euang@acmecorp.com", with_relations=True, page=page) - user = resp.result # The returned object. - relations_page = resp.relations # A page of relations. - - if not resp.page.next_token: - # we've reached the last page. - break - - # request the next page. - page.token = resp.page.next_token - -``` - -#### `get_objects_many` - -Similar to `get_object` but can retrieve multiple object instances in a single request. -```py -objects = ds.get_object_many( - [ - ObjectIdentifier(type="user", id="euan@acmecorp.com"), - ObjectIdentifier(type="group", id="marketing"), - ] -) -``` - -#### `get_objects` - -Get object instances with an object type type pagination info (page size and pagination token). - -```py -from aserto.client.directory.v3 import PaginationRequest - -users = ds.get_objects(object_type="user", page=PaginationRequest(size=10)) -``` - - -#### `set_object` - -Create an object instance with the specified properties. If an `etag` is specified and is different from the current -object's etag, the call raises an `ETagMismatchError`. 
- -```py -# pass object fields as arguments: -user = ds.set_object( - object_type="user", - object_id="new-user@acmecorp.com", - display_name="John Doe", - "properties": {"active": True, "department": "Engineering"}, -} - -# set_object can also take an Object parameter: -user.display_name = "Jane Doe" -user.properties["title"] = "Senior Engineer" -updated_user = ds.set_object(object=user) -``` - -#### `delete_object` - -Delete an object instance and optionally its relations, using its type and id: - -```py -# delete an object -ds.delete_object(object_type="user", object_id="test-object") - -# delete an object and all its relations -ds.delete_object(object_type="user", object_id="test-object", with_relations=True) -``` - -#### `get_relation` - -Retrieve a single relation from the directory or raise a `NotFoundError` if no matching relation exists. - -```py -# get the manager of euang@acmecorp.com: -relation = ds.get_relation( - object_type="user", - relation="manager", - subject_type="user", - subject_id="euang@acmecorp.com", -) - -assert relation.object_id - -# include the relation's object and subject in the response: -response = ds.get_relation( - object_type="user", - relation="manager", - subject_type="user", - subject_id="euang@acmecorp.com", - with_relations=True, -) - -assert response.relation.object_id -assert response.subject.display_name == "Euan Garden" -assert response.object.properties["department"] == "Sales" -# -``` - -#### `get_relations` - -Searches the directory for relations matching the specified criteria, optionally including the object and subject -of each returned relation. 
- -```py -# find all groups a user is a member of: -page = PaginationRequest(size=10) - -while True: - response = ds.get_relations( - object_type="group", - "relation"="member", - "subject_type": "user", - "subject_id": "euang@acmecorp.com", - with_objects=True, - page=page, - ) - - if not response.page.next_token: - break - - page.token = response.page.next_token -``` - -#### `set_relation` - -Create a new relation. - -```py -ds.set_relation( - object_type="group", - object_id="admin", - relation="member", - subject_type="user", - subject_id="euang@acmecorp.com", -) -``` - -#### `delete_relation` - -Delete a relation. - -```py -ds.delete_relation( - object_type="group", - object_id="admin", - relation="member", - subject_type="user", - subject_id="euang@acmecorp.com", -) -``` - -#### `check` - -Check if a subject has a given relation or permission on an object. - -```py -allowed = ds.check( - object_type="folder", - object_id="/path/to/folder", - relation="can_delete", - subject_type="user", - subject_id="euang@acmecorp.com", -) -``` - -#### `get_manifest ` - -Download the directory manifest. - -```py -manifest = ds.get_manifest() - -print(manifest.body) # yaml manifest - -# conditionally get the manifest if its etag has changed -new_manifest = ds.get_manifest(etag=manifest.etag) - -assert new_manifest is None # the manifest hasn't changed -``` - -#### `set_manifest` - -Upload a new directory manifest. - -```py -with open("manifest.yaml", "rb") as f: - manifest = f.read() - -ds.set_manifest(manifest) -``` - -#### `import_data` - -Bulk-insert objects and/or relations to the directory. Returns a summary of the number of objects/relations affected. - -```py -# import an object and a relation. 
-data = [ - Object(type="user", id="test@acmecorp.com"), - Relation( - object_type="user", - object_id="euang@acmecorp.com", - relation="manager", - subject_type="user", - subject_id="test@acmecorp.com", - ), -] - -response = ds.import_data(data) - -assert response.objects.set == 1 -assert response.object.error == 0 -assert response.relations.set == 1 -assert response.relations.error == 0 -``` - -#### `export_data` - -Bulk-retrieve objects and/or relations from the directory. - - -```py -from aserto.client.directory.v3 import ExportOption, Object, Relation - -# export all objects and relations -for item in ds.export(ExportOption.OPTION_DATA): - if isinstance(item, Object): - print("object:", item) - elif isinstance(item, Relation): - print("relation:", item) -``` - -### Async Directory Client - -You can initialize an asynchronous directory client as follows: - -```py -from aserto.client.directory.v3.aio import Directory - -ds = Directory(api_key="my_api_key", tenant_id="1234", address="localhost:9292") -``` - -The methods on the async directory have the same signatures as their synchronous counterparts. - -### Directory v2 client - -To interact with older instances of the directory service, a v2 client is available with limited functionality. -The v2 client doesn't support `get_manifest`/`set_manifest`, and `import_data`/`export_data`. - -```py -from aserto.client.directory.v2 import Directory -ds = Directory(api_key="my_api_key", tenant_id="1234", address="localhost:9292") -``` - -## License - -This project is licensed under the MIT license. See the [LICENSE](https://github.com/aserto-dev/aserto-python/blob/main/LICENSE) file for more info. diff --git a/packages/aserto/src/aserto/client/py.typed b/packages/aserto/src/aserto/client/py.typed deleted file mode 100644 index e69de29..0000000 diff --git a/packages/aserto/test/__init__.py b/packages/aserto/test/__init__.py deleted file mode 100644 index e69de29..0000000 
diff --git a/packages/flask-aserto/README.md b/packages/flask-aserto/README.md deleted file mode 100644 index 162e312..0000000 --- a/packages/flask-aserto/README.md +++ /dev/null @@ -1,37 +0,0 @@ -# Aserto Flask middleware -This is the official library for integrating [Aserto](https://www.aserto.com/) authorization into your [Flask](https://github.com/pallets/flask) applications. - -For a example of what this looks like in a running Flask app and guidance on connecting an identity provider, see the [PeopleFinder app example](https://github.com/aserto-dev/aserto-python/tree/main/packages/flask-aserto/peoplefinder_example). - -## Features -### Add authorization checks to your routes -```py -from flask_aserto import AsertoMiddleware, AuthorizationError - - -app = Flask(__name__) -aserto = AsertoMiddleware(**aserto_options) - - -@app.route("/api/users/", methods=["GET"]) -@aserto.authorize -def api_user(id: str) -> Response: - # Raises an AuthorizationError if the `GET.api.users.__id` - # policy returns a decision of "allowed = false" - ... -``` -### Automatically create a route to serve a [Display State Map](https://docs.aserto.com/docs/authorizer-guide/display-state-map) -```py -# Defaults to creating a route at the path "/__displaystatemap" -aserto.register_display_state_map(app) -``` -### Perform more finely controlled authorization checks -```py -@app.route("/api/users/", methods=["GET"]) -async def api_user(id: str) -> Response: - # This also automatically knows to check the `GET.api.users.__id` policy - if not await aserto.check("allowed"): - raise AuthorizationError() - - ... -``` diff --git a/packages/flask-aserto/poetry.lock b/packages/flask-aserto/poetry.lock deleted file mode 100644 index 293cae6..0000000 --- a/packages/flask-aserto/poetry.lock +++ /dev/null 
@@ -1,647 +0,0 @@ -[[package]] -name = "aiohttp" -version = "3.9.1" -description = "Async http client/server framework (asyncio)" -category = "main" -optional = false -python-versions = ">=3.8" - -[package.dependencies] -aiosignal = ">=1.1.2" -async-timeout = {version = ">=4.0,<5.0", markers = "python_version < \"3.11\""} -attrs = ">=17.3.0" -frozenlist = ">=1.1.1" -multidict = ">=4.5,<7.0" -yarl = ">=1.0,<2.0" - -[package.extras] -speedups = ["brotlicffi", "brotli", "aiodns"] - -[[package]] -name = "aiosignal" -version = "1.3.1" -description = "aiosignal: a list of registered asynchronous callbacks" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -frozenlist = ">=1.1.0" - -[[package]] -name = "aserto" -version = "0.30.1" -description = "Aserto API client" -category = "main" -optional = false -python-versions = ">=3.8,<4.0" - -[package.dependencies] -aiohttp = ">=3.8.0,<4.0.0" -aserto-authorizer = ">=0.20.2,<0.21.0" -aserto-directory = ">=0.30.0,<0.31.0" -grpcio = ">=1.49.0,<2.0.0" -protobuf = ">=4.21.0,<5.0.0" - -[[package]] -name = "aserto-authorizer" -version = "0.20.2" -description = "gRPC client for Aserto Authorizer service instances" -category = "main" -optional = false -python-versions = ">=3.8,<4.0" - -[package.dependencies] -grpcio = ">=1.49,<2.0" -protobuf = ">=4.21.0,<5.0.0" - -[[package]] -name = "aserto-directory" -version = "0.30.0" -description = "gRPC client for Aserto Directory service instances" -category = "main" -optional = false -python-versions = ">=3.8,<4" - -[package.dependencies] -grpcio = ">=1.49,<2.0" -protobuf = ">=4.21.0,<5.0.0" -protovalidate = {version = ">=0.3.0,<0.4.0", markers = "python_version >= \"3.11\""} - -[[package]] -name = "asgiref" -version = "3.7.2" -description = "ASGI specs, helper code, and adapters" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -typing-extensions = {version = ">=4", markers = "python_version < \"3.11\""} - 
-[package.extras] -tests = ["pytest", "pytest-asyncio", "mypy (>=0.800)"] - -[[package]] -name = "async-timeout" -version = "4.0.3" -description = "Timeout context manager for asyncio programs" -category = "main" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "attrs" -version = "23.1.0" -description = "Classes Without Boilerplate" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.extras] -cov = ["attrs", "coverage[toml] (>=5.3)"] -dev = ["attrs", "pre-commit"] -docs = ["furo", "myst-parser", "sphinx", "sphinx-notfound-page", "sphinxcontrib-towncrier", "towncrier", "zope-interface"] -tests = ["attrs", "zope-interface"] -tests-no-zope = ["cloudpickle", "hypothesis", "mypy (>=1.1.1)", "pympler", "pytest-mypy-plugins", "pytest-xdist", "pytest (>=4.3.0)"] - -[[package]] -name = "babel" -version = "2.13.1" -description = "Internationalization utilities" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.extras] -dev = ["pytest (>=6.0)", "pytest-cov", "freezegun (>=1.0,<2.0)"] - -[[package]] -name = "black" -version = "23.11.0" -description = "The uncompromising code formatter." 
-category = "dev" -optional = false -python-versions = ">=3.8" - -[package.dependencies] -click = ">=8.0.0" -mypy-extensions = ">=0.4.3" -packaging = ">=22.0" -pathspec = ">=0.9.0" -platformdirs = ">=2" -tomli = {version = ">=1.1.0", markers = "python_version < \"3.11\""} -typing-extensions = {version = ">=4.0.1", markers = "python_version < \"3.11\""} - -[package.extras] -colorama = ["colorama (>=0.4.3)"] -d = ["aiohttp (>=3.7.4)"] -jupyter = ["ipython (>=7.8.0)", "tokenize-rt (>=3.2.0)"] -uvloop = ["uvloop (>=0.15.2)"] - -[[package]] -name = "blinker" -version = "1.7.0" -description = "Fast, simple object-to-object and broadcast signaling" -category = "main" -optional = false -python-versions = ">=3.8" - -[[package]] -name = "cel-python" -version = "0.1.5" -description = "Pure Python CEL Implementation" -category = "main" -optional = false -python-versions = ">=3.7, <4" - -[package.dependencies] -babel = ">=2.9.0" -jmespath = ">=0.10.0" -lark-parser = ">=0.10.1" -python-dateutil = ">=2.8.1" -pyyaml = ">=5.4.1" -requests = ">=2.25.1" -urllib3 = ">=1.26.4" - -[[package]] -name = "certifi" -version = "2023.11.17" -description = "Python package for providing Mozilla's CA Bundle." -category = "main" -optional = false -python-versions = ">=3.6" - -[[package]] -name = "charset-normalizer" -version = "3.3.2" -description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." -category = "main" -optional = false -python-versions = ">=3.7.0" - -[[package]] -name = "click" -version = "8.1.7" -description = "Composable command line interface toolkit" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -colorama = {version = "*", markers = "platform_system == \"Windows\""} - -[[package]] -name = "colorama" -version = "0.4.6" -description = "Cross-platform colored terminal text." 
-category = "main" -optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" - -[[package]] -name = "exceptiongroup" -version = "1.2.0" -description = "Backport of PEP 654 (exception groups)" -category = "dev" -optional = false -python-versions = ">=3.7" - -[package.extras] -test = ["pytest (>=6)"] - -[[package]] -name = "flask" -version = "3.0.0" -description = "A simple framework for building complex web applications." -category = "main" -optional = false -python-versions = ">=3.8" - -[package.dependencies] -asgiref = {version = ">=3.2", optional = true, markers = "extra == \"async\""} -blinker = ">=1.6.2" -click = ">=8.1.3" -importlib-metadata = {version = ">=3.6.0", markers = "python_version < \"3.10\""} -itsdangerous = ">=2.1.2" -Jinja2 = ">=3.1.2" -Werkzeug = ">=3.0.0" - -[package.extras] -async = ["asgiref (>=3.2)"] -dotenv = ["python-dotenv"] - -[[package]] -name = "flask-cors" -version = "4.0.0" -description = "A Flask extension adding a decorator for CORS support" -category = "main" -optional = false -python-versions = "*" - -[package.dependencies] -Flask = ">=0.9" - -[[package]] -name = "frozenlist" -version = "1.4.0" -description = "A list-like structure which implements collections.abc.MutableSequence" -category = "main" -optional = false -python-versions = ">=3.8" - -[[package]] -name = "grpcio" -version = "1.59.3" -description = "HTTP/2-based RPC framework" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.extras] -protobuf = ["grpcio-tools (>=1.59.3)"] - -[[package]] -name = "idna" -version = "3.6" -description = "Internationalized Domain Names in Applications (IDNA)" -category = "main" -optional = false -python-versions = ">=3.5" - -[[package]] -name = "importlib-metadata" -version = "6.8.0" -description = "Read metadata from Python packages" -category = "main" -optional = false -python-versions = ">=3.8" - -[package.dependencies] -zipp = ">=0.5" - -[package.extras] -docs = 
["sphinx (>=3.5)", "jaraco.packaging (>=9)", "rst.linker (>=1.9)", "furo", "sphinx-lint", "jaraco.tidelift (>=1.4)"] -perf = ["ipython"] -testing = ["pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-ruff", "packaging", "pyfakefs", "flufl.flake8", "pytest-perf (>=0.9.2)", "pytest-black (>=0.3.7)", "pytest-mypy (>=0.9.1)", "importlib-resources (>=1.3)"] - -[[package]] -name = "iniconfig" -version = "2.0.0" -description = "brain-dead simple config-ini parsing" -category = "dev" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "isort" -version = "5.12.0" -description = "A Python utility / library to sort Python imports." -category = "dev" -optional = false -python-versions = ">=3.8.0" - -[package.extras] -colors = ["colorama (>=0.4.3)"] -requirements-deprecated-finder = ["pip-api", "pipreqs"] -pipfile-deprecated-finder = ["pip-shims (>=0.5.2)", "pipreqs", "requirementslib"] -plugins = ["setuptools"] - -[[package]] -name = "itsdangerous" -version = "2.1.2" -description = "Safely pass data to untrusted environments and back." -category = "main" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "jinja2" -version = "3.1.2" -description = "A very fast and expressive template engine." -category = "main" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -MarkupSafe = ">=2.0" - -[package.extras] -i18n = ["Babel (>=2.7)"] - -[[package]] -name = "jmespath" -version = "1.0.1" -description = "JSON Matching Expressions" -category = "main" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "lark-parser" -version = "0.12.0" -description = "a modern parsing library" -category = "main" -optional = false -python-versions = "*" - -[package.extras] -atomic_cache = ["atomicwrites"] -nearley = ["js2py"] -regex = ["regex"] - -[[package]] -name = "markupsafe" -version = "2.1.3" -description = "Safely add untrusted strings to HTML/XML markup." 
-category = "main" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "multidict" -version = "6.0.4" -description = "multidict implementation" -category = "main" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "mypy-extensions" -version = "1.0.0" -description = "Type system extensions for programs checked with the mypy type checker." -category = "dev" -optional = false -python-versions = ">=3.5" - -[[package]] -name = "nodeenv" -version = "1.8.0" -description = "Node.js virtual environment builder" -category = "dev" -optional = false -python-versions = ">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*" - -[[package]] -name = "packaging" -version = "23.2" -description = "Core utilities for Python packages" -category = "dev" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "pathspec" -version = "0.11.2" -description = "Utility library for gitignore style pattern matching of file paths." -category = "dev" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "platformdirs" -version = "4.0.0" -description = "A small Python package for determining appropriate platform-specific dirs, e.g. a \"user data dir\"." 
-category = "dev" -optional = false -python-versions = ">=3.7" - -[package.extras] -docs = ["furo (>=2023.7.26)", "proselint (>=0.13)", "sphinx-autodoc-typehints (>=1.24)", "sphinx (>=7.1.1)"] -test = ["appdirs (==1.4.4)", "covdefaults (>=2.3)", "pytest-cov (>=4.1)", "pytest-mock (>=3.11.1)", "pytest (>=7.4)"] - -[[package]] -name = "pluggy" -version = "1.3.0" -description = "plugin and hook calling mechanisms for python" -category = "dev" -optional = false -python-versions = ">=3.8" - -[package.extras] -dev = ["pre-commit", "tox"] -testing = ["pytest", "pytest-benchmark"] - -[[package]] -name = "protobuf" -version = "4.25.1" -description = "" -category = "main" -optional = false -python-versions = ">=3.8" - -[[package]] -name = "protovalidate" -version = "0.3.0" -description = "Protocol Buffer Validation for Python" -category = "main" -optional = false -python-versions = ">=3.11" - -[package.dependencies] -cel-python = "*" -protobuf = "*" - -[[package]] -name = "pyright" -version = "1.1.337" -description = "Command line wrapper for pyright" -category = "dev" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -nodeenv = ">=1.6.0" - -[package.extras] -all = ["twine (>=3.4.1)"] -dev = ["twine (>=3.4.1)"] - -[[package]] -name = "pytest" -version = "7.4.3" -description = "pytest: simple powerful testing with Python" -category = "dev" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -colorama = {version = "*", markers = "sys_platform == \"win32\""} -exceptiongroup = {version = ">=1.0.0rc8", markers = "python_version < \"3.11\""} -iniconfig = "*" -packaging = "*" -pluggy = ">=0.12,<2.0" -tomli = {version = ">=1.0.0", markers = "python_version < \"3.11\""} - -[package.extras] -testing = ["argcomplete", "attrs (>=19.2.0)", "hypothesis (>=3.56)", "mock", "nose", "pygments (>=2.7.2)", "requests", "setuptools", "xmlschema"] - -[[package]] -name = "python-dateutil" -version = "2.8.2" -description = "Extensions to the standard Python 
datetime module" -category = "main" -optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7" - -[package.dependencies] -six = ">=1.5" - -[[package]] -name = "pyyaml" -version = "6.0.1" -description = "YAML parser and emitter for Python" -category = "main" -optional = false -python-versions = ">=3.6" - -[[package]] -name = "requests" -version = "2.31.0" -description = "Python HTTP for Humans." -category = "main" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -certifi = ">=2017.4.17" -charset-normalizer = ">=2,<4" -idna = ">=2.5,<4" -urllib3 = ">=1.21.1,<3" - -[package.extras] -socks = ["PySocks (>=1.5.6,!=1.5.7)"] -use_chardet_on_py3 = ["chardet (>=3.0.2,<6)"] - -[[package]] -name = "six" -version = "1.16.0" -description = "Python 2 and 3 compatibility utilities" -category = "main" -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*" - -[[package]] -name = "tomli" -version = "2.0.1" -description = "A lil' TOML parser" -category = "dev" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "typing-extensions" -version = "4.8.0" -description = "Backported and Experimental Type Hints for Python 3.8+" -category = "main" -optional = false -python-versions = ">=3.8" - -[[package]] -name = "urllib3" -version = "2.1.0" -description = "HTTP library with thread-safe connection pooling, file post, and more." -category = "main" -optional = false -python-versions = ">=3.8" - -[package.extras] -brotli = ["brotli (>=1.0.9)", "brotlicffi (>=0.8.0)"] -socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"] -zstd = ["zstandard (>=0.18.0)"] - -[[package]] -name = "werkzeug" -version = "3.0.1" -description = "The comprehensive WSGI web application library." 
-category = "main" -optional = false -python-versions = ">=3.8" - -[package.dependencies] -MarkupSafe = ">=2.1.1" - -[package.extras] -watchdog = ["watchdog (>=2.3)"] - -[[package]] -name = "yarl" -version = "1.9.3" -description = "Yet another URL library" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -idna = ">=2.0" -multidict = ">=4.0" - -[[package]] -name = "zipp" -version = "3.17.0" -description = "Backport of pathlib-compatible object wrapper for zip files" -category = "main" -optional = false -python-versions = ">=3.8" - -[package.extras] -docs = ["sphinx (>=3.5)", "sphinx (<7.2.5)", "jaraco.packaging (>=9.3)", "rst.linker (>=1.9)", "furo", "sphinx-lint", "jaraco.tidelift (>=1.4)"] -testing = ["pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-ruff", "jaraco.itertools", "jaraco.functools", "more-itertools", "big-o", "pytest-ignore-flaky", "pytest-black (>=0.3.7)", "pytest-mypy (>=0.9.1)"] - -[metadata] -lock-version = "1.1" -python-versions = "^3.8" -content-hash = "c14d278390ba11bb3cfba8cb91919fe82465ad9ab0f7d8440978c2d845b6f491" - -[metadata.files] -aiohttp = [] -aiosignal = [] -aserto = [] -aserto-authorizer = [] -aserto-directory = [] -asgiref = [] -async-timeout = [] -attrs = [] -babel = [] -black = [] -blinker = [] -cel-python = [] -certifi = [] -charset-normalizer = [] -click = [] -colorama = [] -exceptiongroup = [] -flask = [] -flask-cors = [] -frozenlist = [] -grpcio = [] -idna = [] -importlib-metadata = [] -iniconfig = [] -isort = [] -itsdangerous = [] -jinja2 = [] -jmespath = [] -lark-parser = [] -markupsafe = [] -multidict = [] -mypy-extensions = [] -nodeenv = [] -packaging = [] -pathspec = [] -platformdirs = [] -pluggy = [] -protobuf = [] -protovalidate = [] -pyright = [] -pytest = [] -python-dateutil = [] -pyyaml = [] -requests = [] -six = [] -tomli = [] -typing-extensions = [] -urllib3 = [] -werkzeug = [] -yarl = [] -zipp = [] 
diff --git a/packages/flask-aserto/pyproject.toml b/packages/flask-aserto/pyproject.toml deleted file mode 100644 index c229585..0000000 --- a/packages/flask-aserto/pyproject.toml +++ /dev/null @@ -1,54 +0,0 @@ -[tool.poetry] -name = "flask-aserto" -version = "0.30.3" -description = "Aserto integration for Flask" -readme = "README.md" -authors = ["Aserto, Inc. "] -maintainers = ["authereal "] -homepage = "https://github.com/aserto-dev/aserto-python/tree/HEAD/packages/flask-aserto" -repository = "https://github.com/aserto-dev/aserto-python/tree/HEAD/packages/flask-aserto" -documentation = "https://github.com/aserto-dev/aserto-python/tree/HEAD/packages/flask-aserto" -license = "Apache-2.0" -classifiers = [ - "Intended Audience :: Developers", - "License :: OSI Approved :: Apache Software License", - "Operating System :: OS Independent", - "Programming Language :: Python", - "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3 :: Only", - "Programming Language :: Python :: 3.8", - "Programming Language :: Python :: 3.9", - "Programming Language :: Python :: 3.10", - "Programming Language :: Python :: 3.11", - "Topic :: Software Development :: Libraries", - "Typing :: Typed", -] -packages = [ - {include = "flask_aserto", from = "src"} -] - -[tool.poetry.dependencies] -python = "^3.8" -Flask = {version = ">=2.0.0,<4.0.0", extras = ["async"]} -Flask-Cors = ">=3.0.0,<5.0.0" -grpcio = "^1.49.0" -protobuf = "^4.21.0" -aserto = "^0.30.1" - -[tool.poetry.dev-dependencies] -black = "^23.0" -isort= "^5.9.0" -pyright = "^1.1.0" -pytest = "^7.4.0" - -[tool.black] -line-length = 100 -target-version = ["py38"] - -[tool.isort] -profile = "black" - -[build-system] -requires = ["poetry-core>=1.0.0"] -build-backend = "poetry.core.masonry.api" - diff --git a/packages/flask-aserto/src/flask_aserto/__init__.py b/packages/flask-aserto/src/flask_aserto/__init__.py deleted file mode 100644 index 5f21f36..0000000 
--- a/packages/flask-aserto/src/flask_aserto/__init__.py +++ /dev/null @@ -1,5 +0,0 @@ -from .middleware import AsertoMiddleware -from .check import CheckMiddleware, CheckOptions -from ._defaults import AuthorizationError - -__all__ = ["AsertoMiddleware", "AuthorizationError", "CheckMiddleware", "CheckOptions"] diff --git a/packages/flask-aserto/src/flask_aserto/_defaults.py b/packages/flask-aserto/src/flask_aserto/_defaults.py deleted file mode 100644 index 0f2a18e..0000000 --- a/packages/flask-aserto/src/flask_aserto/_defaults.py +++ /dev/null 
@@ -1,57 +0,0 @@ -import re -from dataclasses import dataclass -from typing import Callable, TypeVar, Any - -from aserto.client import Identity, ResourceContext -from flask import request - -__all__ = [ - "create_default_policy_path_resolver", - "DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_ENDPOINT", - "DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_DISPLAY_STATE_MAP", -] - -@dataclass -class Obj: - id: str - objType: str - - -IdentityMapper = Callable[[], Identity] -StringMapper = Callable[[], str] -ObjectMapper = Callable[[], Obj] -ResourceMapper = Callable[[], ResourceContext] -DEFAULT_DISPLAY_STATE_MAP_ENDPOINT = "/__displaystatemap" - -@dataclass(frozen=True) -class AuthorizationError(Exception): - policy_instance_name: str - policy_path: str - - -Handler = TypeVar("Handler", bound=Callable[..., Any]) - - -def DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_ENDPOINT() -> ResourceContext: - return request.view_args or {} - - -def DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_DISPLAY_STATE_MAP() -> ResourceContext: - return request.get_json(silent=True) or {} - - -def create_default_policy_path_resolver(policy_root: str) -> StringMapper: - def default_policy_path_resolver() -> str: - rule_string = str(request.url_rule) - policy_sub_path = policy_path_heuristic(rule_string) - return f"{policy_root}.{request.method.upper()}{policy_sub_path}" - - return default_policy_path_resolver - - -def policy_path_heuristic(path: str) -> str: - # Replace route arguments surrounded in angle brackets to being - # prefixed with two underscores, e.g. -> __id - path = re.sub("<([^:]*)(:[^>]*)?>", r"__\1", path) - path = path.replace("/", ".") - return path diff --git a/packages/flask-aserto/src/flask_aserto/aio/__init__.py b/packages/flask-aserto/src/flask_aserto/aio/__init__.py deleted file mode 100644 index 974bdba..0000000 --- a/packages/flask-aserto/src/flask_aserto/aio/__init__.py +++ /dev/null 
@@ -1,6 +0,0 @@ -from .middleware import AsertoMiddleware -from .check import CheckMiddleware, CheckOptions -from ._defaults import AuthorizationError - - -__all__ = ["AsertoMiddleware", "AuthorizationError", "CheckMiddleware", "CheckOptions"] diff --git a/packages/flask-aserto/src/flask_aserto/aio/_defaults.py b/packages/flask-aserto/src/flask_aserto/aio/_defaults.py deleted file mode 100644 index 8c6b24d..0000000 --- a/packages/flask-aserto/src/flask_aserto/aio/_defaults.py +++ /dev/null 
@@ -1,66 +0,0 @@ -import re -from dataclasses import dataclass -from typing import Awaitable, Callable, Any, TypeVar - -from aserto.client import Identity, ResourceContext -from flask import request - -__all__ = [ - "create_default_policy_path_resolver", - "DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_ENDPOINT", - "DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_DISPLAY_STATE_MAP", - "policy_path_heuristic", -] - - -@dataclass -class Obj: - id: str - objType: str - -@dataclass(frozen=True) -class AuthorizationError(Exception): - policy_instance_name: str - policy_path: str - - -Handler = TypeVar("Handler", bound=Callable[..., Awaitable[Any]]) - - -DEFAULT_DISPLAY_STATE_MAP_ENDPOINT = "/__displaystatemap" - -IdentityMapper = Callable[[], Awaitable[Identity]] -StringMapper = Callable[[], Awaitable[str]] -ObjectMapper = Callable[[], Awaitable[Obj]] -ResourceMapper = Callable[[], Awaitable[ResourceContext]] - - -def DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_ENDPOINT() -> ResourceMapper: - async def view_args() -> ResourceContext: - return request.view_args or {} - - return view_args - - -def DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_DISPLAY_STATE_MAP() -> ResourceMapper: - async def get_json_from_request() -> ResourceContext: - return request.get_json(silent=True) or {} - - return get_json_from_request - - -def create_default_policy_path_resolver(policy_root: str) -> StringMapper: - async def default_policy_path_resolver() -> str: - rule_string = str(request.url_rule) - policy_sub_path = policy_path_heuristic(rule_string) - return f"{policy_root}.{request.method.upper()}{policy_sub_path}" - - return default_policy_path_resolver - - -def policy_path_heuristic(path: str) -> str: - # Replace route arguments surrounded in angle brackets to being - # prefixed with two underscores, e.g. -> __id - path = re.sub("<([^:]*)(:[^>]*)?>", r"__\1", path) - path = path.replace("/", ".") - return path 
diff --git a/packages/flask-aserto/src/flask_aserto/aio/check.py b/packages/flask-aserto/src/flask_aserto/aio/check.py deleted file mode 100644 index cb9fd76..0000000 --- a/packages/flask-aserto/src/flask_aserto/aio/check.py +++ /dev/null 
@@ -1,195 +0,0 @@ -from dataclasses import dataclass -from functools import wraps -from typing import Any, Callable, Optional, Union, cast, TYPE_CHECKING -if TYPE_CHECKING: - from .middleware import AsertoMiddleware - -from aserto.client import ResourceContext -from flask.wrappers import Response - -from ._defaults import ( - IdentityMapper, - StringMapper, - ResourceMapper, - ObjectMapper, - Obj, - AuthorizationError, - Handler -) - -@dataclass(frozen=True) -class CheckOptions: - """ - Check options class used to create a new instance of Check Middleware - """ - objId: Optional[str] = "" - objType: Optional[str] = "" - objIdMapper: Optional[StringMapper] = None - objMapper: Optional[ObjectMapper] = None - relationName: Optional[str] = "" - relationMapper: Optional[StringMapper] = None - subjType: Optional[str] = "" - subjMapper: Optional[IdentityMapper] = None - policyPath: Optional[str] = "" - policyRoot: Optional[str] = "" - policyPathMapper: Optional[StringMapper] = None - - - -def build_resource_context_mapper( - opts: CheckOptions -) -> ResourceMapper: - - async def resource() -> ResourceContext: - objid = ( - opts.objId - if opts.objId is not None - else "" - ) - objtype = ( - opts.objType - if opts.objType is not None - else "" - ) - - obj = ( - await opts.objMapper() - if opts.objMapper is not None - else Obj(id=objid, objType=objtype) - ) - - obj.id = ( - await opts.objIdMapper() - if opts.objIdMapper is not None - else obj.id - ) - - relation = ( - await opts.relationMapper() - if opts.relationMapper is not None - else opts.relationName - ) - - subjType = ( - opts.subjType - if opts.subjType != "" - else "user" - ) - - return {"relation": relation, - "object_type": obj.objType, - "object_id": obj.id, - "subject_type": subjType} - - return resource - -class CheckMiddleware: - def __init__( - self, - *, - options: CheckOptions, - aserto_middleware: "AsertoMiddleware", - ): - self._aserto_middleware = aserto_middleware - - self._identity_provider = ( - 
options.subjMapper - if options.subjMapper is not None - else aserto_middleware._identity_provider - ) - - self._resource_context_provider = build_resource_context_mapper(options) - self._options = options - - def _with_overrides(self, **kwargs: Any) -> "CheckMiddleware": - return ( - self - if not kwargs - else CheckMiddleware( - aserto_middleware=self._aserto_middleware, - options = CheckOptions( - relationName=kwargs.get("relation_name", self._options.relationName), - relationMapper=kwargs.get("relation_mapper", self._options.relationMapper), - policyPath=kwargs.get("policy_path", self._options.policyPath), - policyRoot=kwargs.get("policy_root", self._options.policyRoot), - subjMapper=kwargs.get("identity_provider", self._identity_provider), - objId=kwargs.get("object_id", self._options.objId), - objType=kwargs.get("object_type", self._options.objType), - objIdMapper=kwargs.get("object_id_mapper", self._options.objIdMapper), - objMapper=kwargs.get("object_mapper", self._options.objMapper), - subjType=self._options.subjType, - policyPathMapper=self._options.policyPathMapper, - ), - ) - ) - - def _build_policy_path_mapper(self) -> StringMapper: - async def mapper() -> str: - policy_path = "" - if self._options.policyPathMapper is not None: - policy_path = await self._options.policyPathMapper() - if policy_path == "": - policy_path = "check" - policy_root = self._options.policyRoot or self._aserto_middleware._policy_path_root - if policy_root: - policy_path = f"{policy_root}.{policy_path}" - return policy_path - - return mapper - - async def authorize( - self, - *args: Any, - **kwargs: Any, - ) -> Union[Handler, Callable[[Handler], Handler]]: - arguments_error = TypeError( - f"{self.authorize.__name__}() expects either exactly 1 callable" - " 'handler' argument or at least 1 'options' argument" - ) - - handler: Optional[Handler] = None - - if not args and kwargs.keys() == {"handler"}: - handler = kwargs["handler"] - elif not kwargs and len(args) == 1: - (handler,) 
= args - - if handler is not None: - if not callable(handler): - raise arguments_error - return self._authorize(handler) - - if args: - raise arguments_error - - return self._with_overrides(**kwargs)._authorize - - def _authorize(self, handler: Handler) -> Handler: - if self._aserto_middleware._policy_instance_name == None: - raise TypeError(f"{self._aserto_middleware._policy_instance_name}() should not be None") - - if self._aserto_middleware._policy_instance_label == None: - self._aserto_middleware._policy_instance_label = self._aserto_middleware._policy_instance_name - - @wraps(handler) - async def decorated(*args: Any, **kwargs: Any) -> Response: - - policy_mapper = self._build_policy_path_mapper() - resource_context = await self._resource_context_provider() - decision = await self._aserto_middleware.is_allowed( - decision="allowed", - authorizer_options=self._aserto_middleware._authorizer_options, - identity_provider=self._identity_provider, - policy_instance_name=self._aserto_middleware._policy_instance_name or "", - policy_instance_label=self._aserto_middleware._policy_instance_label or "", - policy_path_root=self._options.policyRoot or self._aserto_middleware._policy_path_root, - policy_path_resolver=policy_mapper, - resource_context_provider=resource_context, - ) - - if not decision: - raise AuthorizationError(policy_instance_name=self._aserto_middleware._policy_instance_name, policy_path=policy_mapper()) # type: ignore[arg-type] - - return await handler(*args, **kwargs) - - return cast(Handler, decorated) \ No newline at end of file diff --git a/packages/flask-aserto/src/flask_aserto/aio/middleware.py b/packages/flask-aserto/src/flask_aserto/aio/middleware.py deleted file mode 100644 index b32a3aa..0000000 --- a/packages/flask-aserto/src/flask_aserto/aio/middleware.py +++ /dev/null 
@@ -1,247 +0,0 @@ -from asyncio import gather -from functools import wraps -from typing import Any, Callable, Optional, Union, cast, overload - -from aserto.client import AuthorizerOptions, ResourceContext -from aserto.client.authorizer.aio import AuthorizerClient -from flask import Flask, jsonify -from flask.wrappers import Response - -from .check import CheckMiddleware, CheckOptions - -from ._defaults import ( - DEFAULT_DISPLAY_STATE_MAP_ENDPOINT, - DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_DISPLAY_STATE_MAP, - DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_ENDPOINT, - IdentityMapper, - ResourceMapper, - StringMapper, - create_default_policy_path_resolver, - Handler, - ObjectMapper, - AuthorizationError -) - - -class AsertoMiddleware: - def __init__( - self, - *, - authorizer_options: AuthorizerOptions, - policy_path_root: str, - identity_provider: IdentityMapper, - policy_instance_name: Optional[str] = None, - policy_instance_label: Optional[str] = None, - policy_path_resolver: Optional[StringMapper] = None, - resource_context_provider: Optional[ResourceMapper] = None, - ) -> None: - self._authorizer_options = authorizer_options - self._identity_provider = identity_provider - self._policy_instance_name = policy_instance_name - self._policy_instance_label = policy_instance_label - self._policy_path_root = policy_path_root - - self._policy_path_resolver = ( - policy_path_resolver - if policy_path_resolver is not None - else create_default_policy_path_resolver(policy_path_root) - ) - - self._resource_context_provider = ( - resource_context_provider - if resource_context_provider is not None - else DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_ENDPOINT() - ) - - async def _generate_client(self) -> AuthorizerClient: - identity = await self._identity_provider() - - return AuthorizerClient( - identity=identity, - options=self._authorizer_options, - ) - - def _with_overrides(self, **kwargs: Any) -> "AsertoMiddleware": - return ( - self - if not kwargs - else AsertoMiddleware( - 
authorizer_options=kwargs.get("authorizer", self._authorizer_options), - policy_path_root=kwargs.get("policy_path_root", self._policy_path_root), - identity_provider=kwargs.get("identity_provider", self._identity_provider), - policy_instance_name=kwargs.get("policy_instance_name", self._policy_instance_name), - policy_instance_label=kwargs.get( - "policy_instance_label", self._policy_instance_label - ), - policy_path_resolver=kwargs.get("policy_path_resolver", self._policy_path_resolver), - resource_context_provider=kwargs.get( - "resource_context_provider", self._resource_context_provider - ), - ) - ) - - @overload - async def is_allowed(self, decision: str) -> bool: - ... - - @overload - async def is_allowed( - self, - decision: str, - *, - authorizer_options: AuthorizerOptions = ..., - identity_provider: IdentityMapper = ..., - policy_instance_name: str = ..., - policy_instance_label: str = ..., - policy_path_root: str = ..., - policy_path_resolver: StringMapper = ..., - resource_context_provider: ResourceContext = ..., - ) -> bool: - ... - - async def is_allowed(self, decision: str, **kwargs: Any) -> bool: - return await self._with_overrides(**kwargs)._is_allowed(decision) - - async def _is_allowed(self, decision: str) -> bool: - client = await self._generate_client() - resource_context = await self._resource_context_provider() - policy_path = await self._policy_path_resolver() - - decisions = await client.decisions( - policy_path=policy_path, - decisions=(decision,), - policy_instance_name=self._policy_instance_name, - policy_instance_label=self._policy_instance_label, - resource_context=resource_context, - ) - return decisions[decision] - - @overload - async def authorize(self, handler: Handler) -> Handler: - ... 
- - @overload - async def authorize( - self, - *, - authorizer_options: AuthorizerOptions = ..., - identity_provider: IdentityMapper = ..., - policy_instance_name: str = ..., - policy_instance_label: str = ..., - policy_path_root: str = ..., - policy_path_resolver: StringMapper = ..., - ) -> Callable[[Handler], Handler]: - ... - - async def authorize( - self, - *args: Any, - **kwargs: Any, - ) -> Union[Handler, Callable[[Handler], Handler]]: - arguments_error = TypeError( - f"{self.authorize.__name__}() expects either exactly 1 callable" - " 'handler' argument or at least 1 'options' argument" - ) - - handler: Optional[Handler] = None - - if not args and kwargs.keys() == {"handler"}: - handler = kwargs["handler"] - elif not kwargs and len(args) == 1: - (handler,) = args - - if handler is not None: - if not callable(handler): - raise arguments_error - return self._authorize(handler) - - if args: - raise arguments_error - - return self._with_overrides(**kwargs)._authorize - - def _authorize(self, handler: Handler) -> Handler: - if self._policy_instance_name == None: - raise TypeError(f"{self._policy_instance_name}() should not be None") - - if self._policy_instance_label == None: - self._policy_instance_label = self._policy_instance_name - - @wraps(handler) - async def decorated(*args: Any, **kwargs: Any) -> Response: - client, policy_path, resource_context = await gather( - self._generate_client(), - self._policy_path_resolver(), - self._resource_context_provider(), - ) - - decisions = await client.decisions( - policy_path=policy_path, - decisions=("allowed",), - policy_instance_name=self._policy_instance_name, - policy_instance_label=self._policy_instance_label, - resource_context=resource_context, - ) - - if not decisions["allowed"]: - raise AuthorizationError( - policy_instance_name=self._policy_instance_name or "", policy_path=policy_path - ) - - return await handler(*args, **kwargs) - - return cast(Handler, decorated) - - def check( - self, - objId: 
Optional[str] = "", - objType: Optional[str] = "", - objIdMapper: Optional[StringMapper] = None, - objMapper: Optional[ObjectMapper] = None, - relationName: Optional[str] = "", - relationMapper: Optional[StringMapper] = None, - subjType: Optional[str] = "", - subjMapper: Optional[IdentityMapper] = None, - policyPath: Optional[str] = "", - policyRoot: Optional[str] = "", - policyPathMapper: Optional[StringMapper] = None, - ) -> CheckMiddleware: - opts = CheckOptions( - objId=objId, objType=objType,objIdMapper=objIdMapper, - objMapper=objMapper, relationName=relationName, relationMapper=relationMapper, - subjType=subjType, subjMapper=subjMapper, policyRoot=policyRoot, - policyPath=policyPath, policyPathMapper=policyPathMapper) - return CheckMiddleware(options=opts, aserto_middleware=self) - - def register_display_state_map( - self, - app: Flask, - *, - endpoint: str = DEFAULT_DISPLAY_STATE_MAP_ENDPOINT, - resource_context_provider: Optional[ResourceMapper] = None, - ) -> Flask: - @app.route(endpoint, methods=["GET", "POST"]) - async def __displaystatemap() -> Response: - nonlocal resource_context_provider - if resource_context_provider is None: - - resource_context_provider = ( - DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_DISPLAY_STATE_MAP() - ) - - client, resource_context = await gather( - self._generate_client(), - resource_context_provider(), - ) - - display_state_map = await client.decision_tree( - policy_path_root=self._policy_path_root, - decisions=["visible", "enabled"], - policy_instance_name=self._policy_instance_name, - policy_instance_label=self._policy_instance_label, - resource_context=resource_context, - policy_path_separator="SLASH", - ) - return jsonify(display_state_map) - - return app diff --git a/packages/flask-aserto/src/flask_aserto/check.py b/packages/flask-aserto/src/flask_aserto/check.py deleted file mode 100644 index 45a70cb..0000000 --- a/packages/flask-aserto/src/flask_aserto/check.py +++ /dev/null 
@@ -1,194 +0,0 @@ -from dataclasses import dataclass -from functools import wraps -from typing import Any, Callable, Optional, Union, cast, TYPE_CHECKING -if TYPE_CHECKING: - from .middleware import AsertoMiddleware - -from aserto.client import ResourceContext -from flask.wrappers import Response - -from ._defaults import ( - IdentityMapper, - StringMapper, - ResourceMapper, - ObjectMapper, - Obj, - AuthorizationError, - Handler -) - -@dataclass(frozen=True) -class CheckOptions: - """ - Check options class used to create a new instance of Check Middleware - """ - objId: Optional[str] = "" - objType: Optional[str] = "" - objIdMapper: Optional[StringMapper] = None - objMapper: Optional[ObjectMapper] = None - relationName: Optional[str] = "" - relationMapper: Optional[StringMapper] = None - subjType: Optional[str] = "" - subjMapper: Optional[IdentityMapper] = None - policyPath: Optional[str] = "" - policyRoot: Optional[str] = "" - policyPathMapper: Optional[StringMapper] = None - - - -def build_resource_context_mapper( - opts: CheckOptions -) -> ResourceMapper: - - def resource() -> ResourceContext: - objid = ( - opts.objId - if opts.objId is not None - else "" - ) - objtype = ( - opts.objType - if opts.objType is not None - else "" - ) - - obj = ( - opts.objMapper() - if opts.objMapper is not None - else Obj(id=objid, objType=objtype) - ) - - obj.id = ( - opts.objIdMapper() - if opts.objIdMapper is not None - else obj.id - ) - - relation = ( - opts.relationMapper() - if opts.relationMapper is not None - else opts.relationName - ) - - subjType = ( - opts.subjType - if opts.subjType != "" - else "user" - ) - - return {"relation": relation, - "object_type": obj.objType, - "object_id": obj.id, - "subject_type": subjType} - - return resource - -class CheckMiddleware: - def __init__( - self, - *, - options: CheckOptions, - aserto_middleware: "AsertoMiddleware", - ): - self._aserto_middleware = aserto_middleware - - self._identity_provider = ( - options.subjMapper - if 
options.subjMapper is not None - else aserto_middleware._identity_provider - ) - - self._resource_context_provider = build_resource_context_mapper(options) - self._options = options - - def _with_overrides(self, **kwargs: Any) -> "CheckMiddleware": - return ( - self - if not kwargs - else CheckMiddleware( - aserto_middleware=self._aserto_middleware, - options = CheckOptions( - relationName=kwargs.get("relation_name", self._options.relationName), - relationMapper=kwargs.get("relation_mapper", self._options.relationMapper), - policyPath=kwargs.get("policy_path", self._options.policyPath), - policyRoot=kwargs.get("policy_root", self._options.policyRoot), - subjMapper=kwargs.get("identity_provider", self._identity_provider), - objId=kwargs.get("object_id", self._options.objId), - objType=kwargs.get("object_type", self._options.objType), - objIdMapper=kwargs.get("object_id_mapper", self._options.objIdMapper), - objMapper=kwargs.get("object_mapper", self._options.objMapper), - subjType=self._options.subjType, - policyPathMapper=self._options.policyPathMapper, - ), - ) - ) - - def _build_policy_path_mapper(self) -> StringMapper: - def mapper() -> str: - policy_path = "" - if self._options.policyPathMapper is not None: - policy_path = self._options.policyPathMapper() - if policy_path == "": - policy_path = "check" - policy_root = self._options.policyRoot or self._aserto_middleware._policy_path_root - if policy_root: - policy_path = f"{policy_root}.{policy_path}" - return policy_path - - return mapper - - def authorize( - self, - *args: Any, - **kwargs: Any, - ) -> Union[Handler, Callable[[Handler], Handler]]: - arguments_error = TypeError( - f"{self.authorize.__name__}() expects either exactly 1 callable" - " 'handler' argument or at least 1 'options' argument" - ) - - handler: Optional[Handler] = None - - if not args and kwargs.keys() == {"handler"}: - handler = kwargs["handler"] - elif not kwargs and len(args) == 1: - (handler,) = args - - if handler is not None: - if 
not callable(handler): - raise arguments_error - return self._authorize(handler) - - if args: - raise arguments_error - - return self._with_overrides(**kwargs)._authorize - - def _authorize(self, handler: Handler) -> Handler: - if self._aserto_middleware._policy_instance_name == None: - raise TypeError(f"{self._aserto_middleware._policy_instance_name}() should not be None") - - if self._aserto_middleware._policy_instance_label == None: - self._aserto_middleware._policy_instance_label = self._aserto_middleware._policy_instance_name - - @wraps(handler) - def decorated(*args: Any, **kwargs: Any) -> Response: - - policy_mapper = self._build_policy_path_mapper() - decision = self._aserto_middleware.is_allowed( - decision="allowed", - authorizer_options=self._aserto_middleware._authorizer_options, - identity_provider=self._identity_provider, - policy_instance_name=self._aserto_middleware._policy_instance_name or "", - policy_instance_label=self._aserto_middleware._policy_instance_label or "", - policy_path_root=self._options.policyRoot or self._aserto_middleware._policy_path_root, - policy_path_resolver=policy_mapper, - resource_context_provider=self._resource_context_provider, - ) - - if not decision: - raise AuthorizationError(policy_instance_name=self._aserto_middleware._policy_instance_name, policy_path=policy_mapper()) # type: ignore[arg-type] - - return handler(*args, **kwargs) - - return cast(Handler, decorated) \ No newline at end of file diff --git a/packages/flask-aserto/src/flask_aserto/middleware.py b/packages/flask-aserto/src/flask_aserto/middleware.py deleted file mode 100644 index ad7197b..0000000 --- a/packages/flask-aserto/src/flask_aserto/middleware.py +++ /dev/null 
@@ -1,234 +0,0 @@ -from functools import wraps -from typing import Any, Callable, Optional, Union, cast, overload - -from aserto.client import AuthorizerOptions -from aserto.client.authorizer import AuthorizerClient -from flask import Flask, jsonify -from flask.wrappers import Response - -from ._defaults import ( - DEFAULT_DISPLAY_STATE_MAP_ENDPOINT, - DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_DISPLAY_STATE_MAP, - DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_ENDPOINT, - create_default_policy_path_resolver, - IdentityMapper, - StringMapper, - ResourceMapper, - ObjectMapper, - AuthorizationError, - Handler -) - -from .check import CheckMiddleware, CheckOptions - -class AsertoMiddleware: - def __init__( - self, - *, - authorizer_options: AuthorizerOptions, - policy_path_root: str, - identity_provider: IdentityMapper, - policy_instance_name: Optional[str]= None, - policy_instance_label: Optional[str]= None, - policy_path_resolver: Optional[StringMapper] = None, - resource_context_provider: Optional[ResourceMapper] = None, - ): - self._authorizer_options = authorizer_options - self._identity_provider = identity_provider - self._policy_instance_name = policy_instance_name - self._policy_instance_label = policy_instance_label - self._policy_path_root = policy_path_root - - self._policy_path_resolver = ( - policy_path_resolver - if policy_path_resolver is not None - else create_default_policy_path_resolver(policy_path_root) - ) - - self._resource_context_provider = ( - resource_context_provider - if resource_context_provider is not None - else DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_ENDPOINT - ) - - def _generate_client(self) -> AuthorizerClient: - identity = self._identity_provider() - - return AuthorizerClient( - identity=identity, - options=self._authorizer_options, - ) - - def _with_overrides(self, **kwargs: Any) -> "AsertoMiddleware": - return ( - self - if not kwargs - else AsertoMiddleware( - authorizer_options=kwargs.get("authorizer", self._authorizer_options), - 
policy_path_root=kwargs.get("policy_path_root", self._policy_path_root), - identity_provider=kwargs.get("identity_provider", self._identity_provider), - policy_instance_name=kwargs.get("policy_instance_name", self._policy_instance_name), - policy_instance_label=kwargs.get("policy_instance_label", self._policy_instance_label), - policy_path_resolver=kwargs.get("policy_path_resolver", self._policy_path_resolver), - resource_context_provider=kwargs.get( - "resource_context_provider", self._resource_context_provider - ), - ) - ) - - @overload - def is_allowed(self, decision: str) -> bool: - ... - - @overload - def is_allowed( - self, - decision: str, - *, - authorizer_options: AuthorizerOptions = ..., - identity_provider: IdentityMapper = ..., - policy_instance_name: str = ..., - policy_instance_label: str = ..., - policy_path_root: str = ..., - policy_path_resolver: StringMapper = ..., - resource_context_provider: ResourceMapper = ..., - ) -> bool: - ... - - def is_allowed(self, decision: str, **kwargs: Any) -> bool: - return self._with_overrides(**kwargs)._is_allowed(decision) - - def _is_allowed(self, decision: str) -> bool: - client = self._generate_client() - resource_context = self._resource_context_provider() - policy_path = self._policy_path_resolver() - - decisions = client.decisions( - policy_path=policy_path, - decisions=(decision,), - policy_instance_name=self._policy_instance_name, - policy_instance_label=self._policy_instance_label, - resource_context=resource_context, - ) - return decisions[decision] - - @overload - def authorize(self, handler: Handler) -> Handler: - ... - - @overload - def authorize( - self, - *, - authorizer_options: AuthorizerOptions = ..., - identity_provider: IdentityMapper = ..., - policy_instance_name: str = ..., - policy_instance_label: str = ..., - policy_path_root: str = ..., - policy_path_resolver: StringMapper = ..., - ) -> Callable[[Handler], Handler]: - ... 
- - def authorize( - self, - *args: Any, - **kwargs: Any, - ) -> Union[Handler, Callable[[Handler], Handler]]: - arguments_error = TypeError( - f"{self.authorize.__name__}() expects either exactly 1 callable" - " 'handler' argument or at least 1 'options' argument" - ) - - handler: Optional[Handler] = None - - if not args and kwargs.keys() == {"handler"}: - handler = kwargs["handler"] - elif not kwargs and len(args) == 1: - (handler,) = args - - if handler is not None: - if not callable(handler): - raise arguments_error - return self._authorize(handler) - - if args: - raise arguments_error - - return self._with_overrides(**kwargs)._authorize - - def _authorize(self, handler: Handler) -> Handler: - if self._policy_instance_name == None: - raise TypeError(f"{self._policy_instance_name}() should not be None") - - if self._policy_instance_label == None: - self._policy_instance_label = self._policy_instance_name - - @wraps(handler) - def decorated(*args: Any, **kwargs: Any) -> Response: - client = self._generate_client() - resource_context = self._resource_context_provider() - policy_path = self._policy_path_resolver() - - decisions = client.decisions( - policy_path=policy_path, - decisions=("allowed",), - policy_instance_name=self._policy_instance_name, - policy_instance_label=self._policy_instance_label, - resource_context=resource_context, - ) - - if not decisions["allowed"]: - raise AuthorizationError(policy_instance_name=self._policy_instance_name, policy_path=policy_path) # type: ignore[arg-type] - - return handler(*args, **kwargs) - - return cast(Handler, decorated) - - def check( - self, - objId: Optional[str] = "", - objType: Optional[str] = "", - objIdMapper: Optional[StringMapper] = None, - objMapper: Optional[ObjectMapper] = None, - relationName: Optional[str] = "", - relationMapper: Optional[StringMapper] = None, - subjType: Optional[str] = "", - subjMapper: Optional[IdentityMapper] = None, - policyPath: Optional[str] = "", - policyRoot: Optional[str] = "", 
- policyPathMapper: Optional[StringMapper] = None, - ) -> CheckMiddleware: - opts = CheckOptions( - objId=objId, objType=objType,objIdMapper=objIdMapper, - objMapper=objMapper, relationName=relationName, relationMapper=relationMapper, - subjType=subjType, subjMapper=subjMapper, policyRoot=policyRoot, - policyPath=policyPath, policyPathMapper=policyPathMapper) - return CheckMiddleware(options=opts, aserto_middleware=self) - - def register_display_state_map( - self, - app: Flask, - *, - endpoint: str = DEFAULT_DISPLAY_STATE_MAP_ENDPOINT, - resource_context_provider: Optional[ResourceMapper] = None, - ) -> Flask: - @app.route(endpoint, methods=["GET", "POST"]) - def __displaystatemap() -> Response: - nonlocal resource_context_provider - if resource_context_provider is None: - resource_context_provider = DEFAULT_RESOURCE_CONTEXT_PROVIDER_FOR_DISPLAY_STATE_MAP - - client = self._generate_client() - resource_context = resource_context_provider() - - display_state_map = client.decision_tree( - policy_path_root=self._policy_path_root, - decisions=["visible", "enabled"], - policy_instance_name=self._policy_instance_name, - policy_instance_label=self._policy_instance_label, - resource_context=resource_context, - policy_path_separator="SLASH", - ) - return jsonify(display_state_map) - - return app diff --git a/packages/flask-aserto/src/flask_aserto/py.typed b/packages/flask-aserto/src/flask_aserto/py.typed deleted file mode 100644 index e69de29..0000000 diff --git a/packages/flask-aserto/test/__init__.py b/packages/flask-aserto/test/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/packages/flask-aserto/test/test_default_policy_path_resolver.py b/packages/flask-aserto/test/test_default_policy_path_resolver.py deleted file mode 100644 index 13b7558..0000000 --- a/packages/flask-aserto/test/test_default_policy_path_resolver.py +++ /dev/null 
@@ -1,36 +0,0 @@ -from flask import Flask - -from flask_aserto._defaults import ( - create_default_policy_path_resolver, - policy_path_heuristic, -) - - -def test_heuristic() -> None: - assert policy_path_heuristic("/api/users") == ".api.users", "Slashes become dots" - assert policy_path_heuristic("/Upercase") == ".Upercase", "Uppercased stays uppercased" - assert policy_path_heuristic("/dotted.route") == ".dotted.route", "Dots stay dots" - assert ( - policy_path_heuristic("/api/users/") == ".api.users.__id" - ), "Parameters prefixed with double underscores" - assert ( - policy_path_heuristic("/api/users/") == ".api.users.__userID" - ), "Uppercased parameters stay uppercased" - - -def test_policy_route_concatenation() -> None: - resolver = create_default_policy_path_resolver("peoplefinder") - - app = Flask(__name__) - - @app.route("/api/users", methods=["GET", "POST"]) - def api_users() -> str: - return "" - - with app.test_client() as client: - client.get("/api/users") - assert resolver() == "peoplefinder.GET.api.users" - - with app.test_client() as client: - client.post("/api/users") - assert resolver() == "peoplefinder.POST.api.users" diff --git a/packages/flask-aserto/tox.ini b/packages/flask-aserto/tox.ini deleted file mode 100644 index f08f301..0000000 --- a/packages/flask-aserto/tox.ini +++ /dev/null @@ -1,10 +0,0 @@ -[tox] -skipsdist = true -envlist = py37, py38, py39, py310 - -[testenv] -whitelist_externals = poetry -commands = - poetry install -v - poetry run pytest - poetry run mypy src diff --git a/packages/aserto/poetry.lock b/poetry.lock similarity index 100% rename from packages/aserto/poetry.lock rename to poetry.lock diff --git a/packages/aserto/pyproject.toml b/pyproject.toml similarity index 100% rename from packages/aserto/pyproject.toml rename to pyproject.toml 
diff --git a/packages/aserto/src/aserto/client/__init__.py b/src/aserto/client/__init__.py similarity index 100% rename from packages/aserto/src/aserto/client/__init__.py rename to src/aserto/client/__init__.py diff --git a/packages/aserto/src/aserto/client/_deadline.py b/src/aserto/client/_deadline.py similarity index 100% rename from packages/aserto/src/aserto/client/_deadline.py rename to src/aserto/client/_deadline.py diff --git a/packages/aserto/src/aserto/client/_typing.py b/src/aserto/client/_typing.py similarity index 100% rename from packages/aserto/src/aserto/client/_typing.py rename to src/aserto/client/_typing.py diff --git a/packages/aserto/src/aserto/client/authorizer/__init__.py b/src/aserto/client/authorizer/__init__.py similarity index 100% rename from packages/aserto/src/aserto/client/authorizer/__init__.py rename to src/aserto/client/authorizer/__init__.py diff --git a/packages/aserto/src/aserto/client/authorizer/aio/__init__.py b/src/aserto/client/authorizer/aio/__init__.py similarity index 100% rename from packages/aserto/src/aserto/client/authorizer/aio/__init__.py rename to src/aserto/client/authorizer/aio/__init__.py diff --git a/packages/aserto/src/aserto/client/authorizer/helpers.py b/src/aserto/client/authorizer/helpers.py similarity index 100% rename from packages/aserto/src/aserto/client/authorizer/helpers.py rename to src/aserto/client/authorizer/helpers.py diff --git a/packages/aserto/src/aserto/client/directory/__init__.py b/src/aserto/client/directory/__init__.py similarity index 100% rename from packages/aserto/src/aserto/client/directory/__init__.py rename to src/aserto/client/directory/__init__.py diff --git a/packages/aserto/src/aserto/client/directory/aio/__init__.py b/src/aserto/client/directory/aio/__init__.py similarity index 100% rename from packages/aserto/src/aserto/client/directory/aio/__init__.py rename to src/aserto/client/directory/aio/__init__.py 
diff --git a/packages/aserto/src/aserto/client/directory/channels.py b/src/aserto/client/directory/channels.py similarity index 100% rename from packages/aserto/src/aserto/client/directory/channels.py rename to src/aserto/client/directory/channels.py diff --git a/packages/aserto/src/aserto/client/directory/v2/__init__.py b/src/aserto/client/directory/v2/__init__.py similarity index 100% rename from packages/aserto/src/aserto/client/directory/v2/__init__.py rename to src/aserto/client/directory/v2/__init__.py diff --git a/packages/aserto/src/aserto/client/directory/v2/aio/__init__.py b/src/aserto/client/directory/v2/aio/__init__.py similarity index 100% rename from packages/aserto/src/aserto/client/directory/v2/aio/__init__.py rename to src/aserto/client/directory/v2/aio/__init__.py diff --git a/packages/aserto/src/aserto/client/directory/v2/helpers.py b/src/aserto/client/directory/v2/helpers.py similarity index 100% rename from packages/aserto/src/aserto/client/directory/v2/helpers.py rename to src/aserto/client/directory/v2/helpers.py diff --git a/packages/aserto/src/aserto/client/directory/v3/__init__.py b/src/aserto/client/directory/v3/__init__.py similarity index 100% rename from packages/aserto/src/aserto/client/directory/v3/__init__.py rename to src/aserto/client/directory/v3/__init__.py diff --git a/packages/aserto/src/aserto/client/directory/v3/aio/__init__.py b/src/aserto/client/directory/v3/aio/__init__.py similarity index 100% rename from packages/aserto/src/aserto/client/directory/v3/aio/__init__.py rename to src/aserto/client/directory/v3/aio/__init__.py diff --git a/packages/aserto/src/aserto/client/directory/v3/helpers.py b/src/aserto/client/directory/v3/helpers.py similarity index 100% rename from packages/aserto/src/aserto/client/directory/v3/helpers.py rename to src/aserto/client/directory/v3/helpers.py 
diff --git a/packages/aserto/src/aserto/client/identity.py b/src/aserto/client/identity.py similarity index 100% rename from packages/aserto/src/aserto/client/identity.py rename to src/aserto/client/identity.py diff --git a/packages/aserto/src/aserto/client/options.py b/src/aserto/client/options.py similarity index 100% rename from packages/aserto/src/aserto/client/options.py rename to src/aserto/client/options.py diff --git a/packages/aserto-idp/src/aserto_idp/py.typed b/src/aserto/client/py.typed similarity index 100% rename from packages/aserto-idp/src/aserto_idp/py.typed rename to src/aserto/client/py.typed diff --git a/packages/aserto/src/aserto/client/resource_context.py b/src/aserto/client/resource_context.py similarity index 100% rename from packages/aserto/src/aserto/client/resource_context.py rename to src/aserto/client/resource_context.py diff --git a/packages/aserto-idp/src/aserto_idp/__init__.py b/test/__init__.py similarity index 100% rename from packages/aserto-idp/src/aserto_idp/__init__.py rename to test/__init__.py diff --git a/packages/aserto/test/assets/manifest.yaml b/test/assets/manifest.yaml similarity index 100% rename from packages/aserto/test/assets/manifest.yaml rename to test/assets/manifest.yaml diff --git a/packages/aserto/test/assets/objects.json b/test/assets/objects.json similarity index 100% rename from packages/aserto/test/assets/objects.json rename to test/assets/objects.json diff --git a/packages/aserto/test/assets/relations.json b/test/assets/relations.json similarity index 100% rename from packages/aserto/test/assets/relations.json rename to test/assets/relations.json diff --git a/packages/aserto/test/conftest.py b/test/conftest.py similarity index 100% rename from packages/aserto/test/conftest.py rename to test/conftest.py diff --git a/packages/aserto/test/test_authorizer.py b/test/test_authorizer.py similarity index 100% rename from packages/aserto/test/test_authorizer.py rename to test/test_authorizer.py 
diff --git a/packages/aserto/test/test_authorizer_async.py b/test/test_authorizer_async.py similarity index 100% rename from packages/aserto/test/test_authorizer_async.py rename to test/test_authorizer_async.py diff --git a/packages/aserto/test/test_directory_v2.py b/test/test_directory_v2.py similarity index 100% rename from packages/aserto/test/test_directory_v2.py rename to test/test_directory_v2.py diff --git a/packages/aserto/test/test_directory_v2_async.py b/test/test_directory_v2_async.py similarity index 100% rename from packages/aserto/test/test_directory_v2_async.py rename to test/test_directory_v2_async.py diff --git a/packages/aserto/test/test_directory_v3.py b/test/test_directory_v3.py similarity index 100% rename from packages/aserto/test/test_directory_v3.py rename to test/test_directory_v3.py diff --git a/packages/aserto/test/test_directory_v3_async.py b/test/test_directory_v3_async.py similarity index 100% rename from packages/aserto/test/test_directory_v3_async.py rename to test/test_directory_v3_async.py
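Review bot: Deleting `packages/flask-aserto/src/flask_aserto/middleware.py` (the hunk removing `authorize`, `_authorize`, `check` and `register_display_state_map`) is a breaking change for anyone importing `flask_aserto`, and nothing in the visible diff records where the Flask middleware moves or that it is being dropped; please add a note to the PR description or README stating whether `flask-aserto` now lives in its own repository. If the code is being relocated rather than retired, two things in the removed `_authorize` are worth fixing on the way: the guard `if self._policy_instance_name == None` should be `is None`, and the error text `f"{self._policy_instance_name}() should not be None"` interpolates the value (which is `None` at that point) instead of the attribute name, so the exception reads `None() should not be None`. The fail-closed shape of the check itself (`if not decisions["allowed"]: raise AuthorizationError(...)` before calling the handler) is correct and should be preserved wherever the decorator ends up.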
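Review bot: Removing `packages/flask-aserto/test/test_default_policy_path_resolver.py` deletes the only tests for `policy_path_heuristic` and `create_default_policy_path_resolver` (slash-to-dot mapping, `__`-prefixed route parameters, and the `<policy-root>.<METHOD>.<path>` concatenation checked by `test_policy_route_concatenation`); if the resolver code is moved elsewhere, these tests should travel with it so that the policy-path mapping, which decides which policy rule gates a route, stays covered.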
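Review bot: Deleting `packages/flask-aserto/tox.ini` drops the `envlist = py37, py38, py39, py310` matrix and the `poetry run mypy src` step, and the renames that move `packages/aserto/pyproject.toml` and `poetry.lock` to the repository root do not add a replacement; please confirm the root configuration still exercises every supported interpreter (or state the new minimum), and that one type checker is run consistently, since the deleted tox config used mypy while the rest of the tree relies on pyright.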
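Review bot: The renames `packages/aserto-idp/src/aserto_idp/py.typed -> src/aserto/client/py.typed` and `packages/aserto-idp/src/aserto_idp/__init__.py -> test/__init__.py` (both at 100% similarity) are git pairing unrelated empty files, which hides that the `aserto-idp` package is actually being deleted rather than moved; state that in the PR description. Also double-check the marker location: PEP 561 expects `py.typed` in the top-level directory of the distributed package, so it only takes effect at `src/aserto/client/py.typed` if `aserto` itself is a namespace package with no `__init__.py`; otherwise it belongs at `src/aserto/py.typed`.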