API reference
gafaelfawr Package
The Gafaelfawr service.
Variables
__version__ |
The application version string (PEP 440 / SemVer compatible). |
gafaelfawr.app Module
Application setup for Gafaelfawr.
Functions
create_app (settings_path, redis_pool, …) |
Create and configure the Gafaelfawr application. |
gafaelfawr.cli Module
Administrative command-line interface.
gafaelfawr.config Module
Configuration for Gafaelfawr.
Classes
Config (realm, session_secret, redis_url, …) |
Configuration for Gafaelfawr. |
GitHubConfig (client_id, client_secret, …) |
Metadata for GitHub authentication. |
IssuerConfig (iss, kid, aud, aud_internal, …) |
Configuration for how to issue tokens. |
OIDCConfig (client_id, client_secret, …) |
Configuration for OpenID Connect authentication. |
SafirConfig (log_level, name, profile, …) |
Safir configuration for Gafaelfawr. |
VerifierConfig (iss, aud, aud_internal, …) |
Configuration for how to verify tokens. |
gafaelfawr.constants Module
Constants for Gafaelfawr.
gafaelfawr.issuer Module
Token issuer.
Classes
InvalidTokenClaimsException |
A token cannot be issued with the provided claims. |
TokenIssuer (config) |
Issuing new JWTs. |
gafaelfawr.handlers Package
HTTP API route tables.
Functions
init_routes () |
Initialize the route table for the routes. |
gafaelfawr.handlers.analyze Module
Handler for token analysis (/auth/analyze).
Functions
get_analyze (request) |
Analyze a session handle from a web session. |
post_analyze (request) |
Analyze a token. |
gafaelfawr.handlers.auth Module
Handler for authentication and authorization checking (/auth).
gafaelfawr.handlers.index Module
Handlers for the app’s root, /.
gafaelfawr.handlers.login Module
Initial authentication handlers (/login).
gafaelfawr.handlers.logout Module
Log out handler (/logout).
Functions
get_logout (request) |
Log out and redirect the user. |
gafaelfawr.handlers.tokens Module
Handlers for user-created tokens (/auth/tokens).
Functions
get_token_by_handle (request, token) |
Displays information about a single token. |
get_tokens (request, token) |
Displays all tokens for the current user. |
get_tokens_new (request, token) |
Return a form for creating a new token. |
post_delete_token (request, token) |
Deletes a single token. |
post_tokens_new (request, token) |
Create a new token based on form parameters. |
gafaelfawr.handlers.util Module
Utility functions for external routes.
Functions
verify_token (context, encoded_token) |
Verify a token. |
Classes
AuthChallenge (auth_type, realm, error, …) |
Represents the components of a WWW-Authenticate header. |
AuthError |
Valid authentication errors for a WWW-Authenticate header. |
AuthType |
Authentication types for the WWW-Authenticate header. |
InvalidTokenException |
The provided token was invalid. |
RequestContext (request, config, logger, redis) |
Holds the incoming request and its surrounding context. |
gafaelfawr.handlers.well_known Module
Handler for /.well-known/jwks.json.
Functions
get_well_known_jwks (request) |
Handler for /.well-known/jwks.json. |
gafaelfawr.keypair Module
RSA key pair handling.
Classes
RSAKeyPair (private_key) |
An RSA key pair with some simple helper functions. |
gafaelfawr.providers.base Module
Base class for authentication providers.
Classes
Provider |
Abstract base class for authentication providers. |
ProviderException |
A provider returned an error from an API call. |
gafaelfawr.providers.github Module
GitHub authentication provider.
Classes
GitHubException |
GitHub returned an error from an API call. |
GitHubProvider (*, config, http_session, …) |
Authenticate a user with GitHub. |
gafaelfawr.providers.oidc Module
OpenID Connect authentication provider.
Classes
OIDCException |
The OpenID Connect provider returned an error from an API call. |
OIDCProvider (*, config, verifier, issuer, …) |
Authenticate a user with GitHub. |
gafaelfawr.session Module
Session storage for JWT Authorizer.
Classes
InvalidSessionHandleException |
Session handle is not in expected format. |
Session (handle, token, email, created_at, …) |
An authentication session. |
SessionHandle (key, secret) |
A handle for a session, usable instead of a JWT. |
SessionStore (key, verifier, redis, logger) |
Stores and retrieves sessions. |
gafaelfawr.token_store Module
Storage for user-issued tokens.
Classes
TokenEntry (key, scope, expires, encoded) |
An index entry for a user-issued token. |
TokenStore (redis, logger) |
Store, retrieve, revoke, and expire user-created tokens. |
gafaelfawr.tokens Module
Token data types.
Classes
Token (encoded) |
Holds an encoded JWT. |
VerifiedToken (encoded, claims, …) |
Holds a verified JWT. |
gafaelfawr.util Module
General utility functions.
Functions
add_padding (encoded) |
Add padding to base64 encoded bytes. |
base64_to_number (data) |
Convert base64-encoded bytes to an integer. |
number_to_base64 (data) |
Convert an integer to base64-encoded bytes in big endian order. |
gafaelfawr.verify Module
Verify a JWT.
Classes
FetchKeysException |
Cannot retrieve the keys from an issuer. |
MissingClaimsException |
The token is missing required claims. |
TokenVerifier (config, session, cache, logger) |
Verifies the validity of a JWT. |
UnknownAlgorithmException |
The issuer key was for an unsupported algorithm. |
UnknownKeyIdException |
The requested key ID was not found for an issuer. |
VerifyTokenException |
Base exception class for failure in verifying a token. |
gafaelfawr.x_forwarded Module
Update the request based on X-Forwarded-For headers.
Classes
XForwardedFiltered (trusted) |
Middleware to update the request based on X-Forwarded-For. |