Skip to main content

Python wrapper for consuming Passbolt credentials in KNIME Python Script nodes via the knime-passbolt extension's Credential-to-Python bridge node.

Project description

knime-passbolt-py

PyPI version Python versions License: Apache-2.0 CI

Python wrapper for consuming Passbolt credentials in KNIME Python Script nodes, via the Credential to Python bridge node shipped in the knime-passbolt extension.

Install

The package is distributed via PyPI. A conda-forge feedstock is planned but not yet available — mamba install knime-passbolt-py / conda install knime-passbolt-py will fail until then.

pip install knime-passbolt-py

Inside a conda or mamba environment, install with pip after ensuring pip itself is present:

mamba install python=3.10 pip
pip install knime-passbolt-py

The package is pure-Python with no compiled dependencies, so a pip install inside a conda env is safe.

Usage

In a KNIME workflow, wire:

Passbolt Connector → Get Secret → Credential to Python → Python Script

In the Python Script node:

import knime.scripting.io as knio
import requests

cred = knio.input_objects[0]            # PassboltSecret instance

with cred as c:                          # bytearray zeroed on __exit__
    h = c.basic_auth_header()
    resp = requests.get(url, headers={"Authorization": h.decode()})

Security model

The credential lives in the KNIME JVM, in the existing in-memory CredentialCache owned by the upstream Get Secret node. This wrapper carries only a loopback broker URL (http://127.0.0.1:<port>/v1/auth-header) and a short-lived bearer token. The Authorization header is fetched on demand, held in a bytearray, and zeroed (ctypes.memset) when the with block exits.

  • __slots__ prevents __dict__ introspection.
  • __repr__ shows the (non-secret) broker URL and a truncated session UUID; the token and credential bytes are never included.
  • __reduce__ re-pickles to the broker handshake — credential bytes are never serialized, even by accident.
  • Broker URL is validated to be loopback at every fetch; tampering with a saved pickle to redirect to an external host is rejected client-side.

Limits. In-process Python code can read the bytearray while the with block is open. CPython does not provide hardware-enforced isolation. The posture is on par with KNIME's own Credentials Configuration flow variable combined with a disciplined helper class — better is not achievable in CPython without sandboxing.

Supply-chain provenance

Releases are published to PyPI from GitHub Actions using OIDC Trusted Publishing — no long-lived API token is stored anywhere. Each release also ships PEP 740 attestations linking the artifacts to the exact workflow run that built them. To report a vulnerability, see SECURITY.md.

Compatibility

This package version (0.1.2) is compatible with the knime-passbolt KNIME extension version 0.1.1.20260520 and later. The full extension-↔-package compatibility matrix lives in CONTRACT.md.

Changelog

See CHANGELOG.md for per-release notes, including the security hardening recorded for each version.

License

Apache 2.0. See the LICENSE file shipped with this package, or https://www.apache.org/licenses/LICENSE-2.0.

About

knime-passbolt-py is published by Datanautics GmbH as the companion Python package for the knime-passbolt KNIME extension.

Source: https://github.com/DataNautics-GmbH/knime-passbolt-py Issues: https://github.com/DataNautics-GmbH/knime-passbolt-py/issues

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

knime_passbolt_py-0.1.2.tar.gz (19.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

knime_passbolt_py-0.1.2-py3-none-any.whl (15.5 kB view details)

Uploaded Python 3

File details

Details for the file knime_passbolt_py-0.1.2.tar.gz.

File metadata

  • Download URL: knime_passbolt_py-0.1.2.tar.gz
  • Upload date:
  • Size: 19.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for knime_passbolt_py-0.1.2.tar.gz
Algorithm Hash digest
SHA256 bb31a386f9357472196d66289dafb498335ced6fb15277ad7a7e37e426c08e90
MD5 26ed890b797394a19511061c8025f1c9
BLAKE2b-256 ffac37938f8349a01316599dc1d0382752322f988ec6720b8b24b43816427cec

See more details on using hashes here.

Provenance

The following attestation bundles were made for knime_passbolt_py-0.1.2.tar.gz:

Publisher: release.yml on DataNautics-GmbH/knime-passbolt-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file knime_passbolt_py-0.1.2-py3-none-any.whl.

File metadata

File hashes

Hashes for knime_passbolt_py-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 4a10d63ce2c38bdd95cd9113e689c4f725dc3d7e41eb749b323f26dd34ee5d8c
MD5 24daa07939ebd5723387ba4c914a75c7
BLAKE2b-256 17349fadc90f19921dcabf0953ef967cbe6fb407fe7204817b19ef75b1d6d958

See more details on using hashes here.

Provenance

The following attestation bundles were made for knime_passbolt_py-0.1.2-py3-none-any.whl:

Publisher: release.yml on DataNautics-GmbH/knime-passbolt-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page