Skip to main content

"devpi-tokens: add support for constrained access tokens to devpi-client and devpi-server"

Project description

devpi-tokens: authentication tokens plugin for devpi

This plugin adds a authentication tokens to devpi-server and supporting commands to devpi-client.

Installation

devpi-tokens needs to be installed alongside devpi-server to enable authentication tokens.

On client machines the usage of tokens works without the plugin. The creation of tokens requires the devpi-tokens plugin to be installed alongside devpi-client. The plugin also adds several commands to inspect and derive tokens with restricted permissions.

You can install it with:

pip install devpi-tokens

There is no configuration needed as devpi-server and devpi-client will automatically discover the plugin through calling hooks using the setuptools entry points mechanism.

Motivation

The default authentication mechanism of devpi requires a username and password. With that the authenticated user has a fixed set of permissions. Especially for CI systems this is too inflexible. There is also the risk of leaking the password in log output and other sources.

With devpi-tokens it is possible to create additional authentication tokens per user. These tokens can have a limited set of permissions. It is impossible to modify any user data with a token.

It is possible to derive tokens from existing ones and limit the permission set even further without requiring contact with the server.

The plugin builds on macaroons.

Usage

The devpi-tokens plugin adds new commands when installed alongside devpi-client.

token-create

Create a new token for a user. By default the token is created in the scope of the current user. Administration users like root can create tokens for other users with the -u/--user option. The token has a default expiration date of one year, but that can be changed with the -e/--expires option. With the -a/--allowed, -i/--indexes and -p/--projects options the scope of the token can be further limited.

token-delete

Delete an existing token. Any derived tokens will be invalidated as well.

token-derive

Takes an existing token and derives a new one from it. This allows to limit the scope of the token further than the original one.

token-inspect

Show information about the given token. This includes any expiration times and permission limitations etc.

token-list

Show a list of tokens for a user from the server. This only shows initial tokens created with token-create. Derived tokens by definition can not be listed, as they do not require contact to the server.

token-login

Use a token for login with devpi-client. This is also useful to login longer than the default 10 hours by creating a token with a longer expiration time and no further restrictions. It is impossible to modify any user data when logged in like this, as tokens never have user manipulation permissions.

Changelog

1.0.1 - 2023-03-27

  • fix leap year bug

1.0.0 - 2023-02-26

  • add Python 3.10 support

  • drop Python 3.6 support

  • add not_before restriction

  • support restrictions added by pypitoken in devpi-client 6.0.0

0.6.0 - Unreleased

  • hide user permissions from help output, as they are disabled on the server side anyway

  • allow token to be used with basic authentication as username and no password, or as password with no username

0.5.0 - Unreleased

  • ask for confirmation when using unknown permissions

  • add option to write generated token to a file

  • show list of known devpi-server permissions in help

  • show helpful error when delta dependency is missing

  • fix timezone issue in expiration calculation

  • show human readable expiration if possible

0.4.0 - Unreleased

  • unify command naming by using prefix

  • add token-delete command

  • add token-derive command

  • add token-list command

  • allow root or users from --restrict-modify to create tokens for other users, and with no expiration

  • add allowed restriction to tokens

  • add expiration to tokens

  • add indexes restriction to tokens

  • add projects restriction to tokens

0.3.0 - Unreleased

  • add inspect-token command

  • verify login status when using token-login

0.2.0 - Unreleased

  • use new hook and derived keys

0.1.0 - Unreleased

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

devpi-tokens-1.0.1.tar.gz (22.3 kB view details)

Uploaded Source

Built Distribution

devpi_tokens-1.0.1-py3-none-any.whl (22.5 kB view details)

Uploaded Python 3

File details

Details for the file devpi-tokens-1.0.1.tar.gz.

File metadata

  • Download URL: devpi-tokens-1.0.1.tar.gz
  • Upload date:
  • Size: 22.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: devpi-server/6.8.0.dev4 (py3.8.11; linux)

File hashes

Hashes for devpi-tokens-1.0.1.tar.gz
Algorithm Hash digest
SHA256 4d3bbad50a28a7543748e479cad0b30285fbf040609400a86dff90e2bd42c0d7
MD5 e703b51cd465b4458173aa51dcf9ceb4
BLAKE2b-256 2bb144947b90c0524205f58e2c456741ddf9cf45f394018ded61362b888acfa4

See more details on using hashes here.

File details

Details for the file devpi_tokens-1.0.1-py3-none-any.whl.

File metadata

  • Download URL: devpi_tokens-1.0.1-py3-none-any.whl
  • Upload date:
  • Size: 22.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: devpi-server/6.8.0.dev4 (py3.8.11; linux)

File hashes

Hashes for devpi_tokens-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 d306d4a267a222e2b0ca68739bcb29bde03c3dd57fc04b180b43fbf9835cdf23
MD5 5469415586e8a95c21b7fb7a0ed59c95
BLAKE2b-256 27d3ebb20a5976de16cf620112ea8b7f13e27ada2bf08cbb9e894277fc9ff42a

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page