Merge pull request #132 from deathiop/allowed-ips

feat: handle allowedIPs parameters in CK building

Author: deathiop

CHANGELOG.md

@@ -1,6 +1,10 @@
 Changelog
 =========
 
+## 1.1.1 (2024-06-07)
+
+- [feature]: handle allowedIPs parameters in CK building
+
 ## 1.1.0 (2023-04-07)
 
 - [feature]: add support for v2 routes (#115)

debian/changelog

@@ -1,3 +1,9 @@
+python-ovh (1.1.1) trusty; urgency=medium
+
+  * feat: handle allowedIPs parameters in CK building
+
+ -- Adrien Barreau <[email protected]>  Fri, 07 Jun 2024 15:11:19 +0000
+
 python-ovh (1.1.0) trusty; urgency=medium
 
   * feat: add support for v2 routes (#115)

ovh/client.py

@@ -228,14 +228,15 @@ def new_consumer_key_request(self):
         """  # noqa:E501
         return ConsumerKeyRequest(self)
 
-    def request_consumerkey(self, access_rules, redirect_url=None):
+    def request_consumerkey(self, access_rules, redirect_url=None, allowedIPs=None):
         """
         Create a new "consumer key" identifying this application's end user. API
         will return a ``consumerKey`` and a ``validationUrl``. The end user must
         visit the ``validationUrl``, authenticate and validate the requested
         ``access_rules`` to link his account to the ``consumerKey``. Once this
         is done, he may optionally be redirected to ``redirect_url`` and the
-        application can start using the ``consumerKey``.
+        application can start using the ``consumerKey``. If adding an ``allowedIPs``
+        parameter, the generated credentials will only be usable from these IPs.
 
         The new ``consumerKey`` is automatically loaded into
         ``self._consumer_key`` and is ready to used as soon as validated.
@@ -270,7 +271,7 @@ def request_consumerkey(self, access_rules, redirect_url=None):
             ]
 
             # Request token
-            validation = client.request_consumerkey(access_rules)
+            validation = client.request_consumerkey(access_rules, redirect_url="https://optional-redirect-url.example.org", allowedIPs=["127.0.0.1/32"])
 
             print("Please visit", validation['validationUrl'], "to authenticate")
             input("and press Enter to continue...")
@@ -280,12 +281,19 @@ def request_consumerkey(self, access_rules, redirect_url=None):
 
 
         :param list access_rules: Mapping specifying requested privileges.
-        :param str redirect_url: Where to redirect end user upon validation.
+        :param str redirect_url: Where to redirect end user upon validation (optional).
+        :param list allowedIPs: CIDRs that will be allowed to use these credentials (optional).
         :raises APIError: When ``self.call`` fails.
         :returns: dict with ``consumerKey`` and ``validationUrl`` keys
         :rtype: dict
-        """
-        res = self.post("/auth/credential", _need_auth=False, accessRules=access_rules, redirection=redirect_url)
+        """  # noqa:E501
+        res = self.post(
+            "/auth/credential",
+            _need_auth=False,
+            accessRules=access_rules,
+            redirection=redirect_url,
+            allowedIPs=allowedIPs,
+        )
         self._consumer_key = res["consumerKey"]
         return res
 

ovh/consumer_key.py

@@ -61,7 +61,7 @@ def __init__(self, client):
         self._client = client
         self._access_rules = []
 
-    def request(self, redirect_url=None):
+    def request(self, redirect_url=None, allowedIPs=None):
         """
         Create the consumer key with the configures autorizations. The user will
         need to validate it before it can be used with the API
@@ -73,7 +73,7 @@ def request(self, redirect_url=None):
             'validationUrl': 'https://eu.api.ovh.com/auth/?credentialToken=now2OOAVO4Wp6t7bemyN9DMWIobhGjFNZSHmixtVJM4S7mzjkN2L5VBfG96Iy1i0'
         }
         """  # noqa: E501
-        return self._client.request_consumerkey(self._access_rules, redirect_url)
+        return self._client.request_consumerkey(self._access_rules, redirect_url, allowedIPs)
 
     def add_rule(self, method, path):
         """

setup.cfg

@@ -2,7 +2,7 @@
 name = ovh
 description = "Official module to perform HTTP requests to the OVHcloud APIs"
 long_description = file: README.rst
-version = 1.1.0
+version = 1.1.1
 author = OVHcloud team - Romain Beuque
 author_email = [email protected]
 url = https://api.ovh.com

tests/test_client.py

@@ -77,14 +77,15 @@ def test_time_delta(self, m_call, m_time):
     @mock.patch.object(Client, "call", return_value={"consumerKey": "CK"})
     def test_request_consumerkey(self, m_call):
         api = Client("ovh-eu")
-        ret = api.request_consumerkey([{"method": "GET", "path": "/"}], "https://example.com")
+        ret = api.request_consumerkey([{"method": "GET", "path": "/"}], "https://example.com", ["127.0.0.1/32"])
 
         m_call.assert_called_once_with(
             "POST",
             "/auth/credential",
             {
                 "redirection": "https://example.com",
                 "accessRules": [{"method": "GET", "path": "/"}],
+                "allowedIPs": ["127.0.0.1/32"],
             },
             False,
         )

tests/test_consumer_key.py

@@ -86,4 +86,4 @@ def test_add_rules(self):
         ck._access_rules = []
         ck.add_recursive_rules(ovh.API_READ_WRITE, "/")
         assert ck.request() is m_client.request_consumerkey.return_value
-        m_client.request_consumerkey.assert_called_once_with(ck._access_rules, None)
+        m_client.request_consumerkey.assert_called_once_with(ck._access_rules, None, None)