Merge pull request #8 from NYPL/noref-add-platform-api-client

aaronfriedman6 · web-flow · commit 411721e45fca · 2023-03-01T15:12:22.000-05:00
Add Oauth2ApiClient (for Platform API and Sierra API)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
 
+## v0.0.7 - 2/28/23
+- Added Oauth2ApiClient for oauth2 authenticated calls to our Platform API and Sierra
+
 ## v0.0.5 - 2/22/23
 - Support write queries to PostgreSQL and MySQL databases
 - Support different return formats when querying PostgreSQL, MySQL, and Redshift databases
@@ -22,4 +25,4 @@
 
 ## v0.0.1 - 1/26/23
 
-Initial version. Includes the `avro_encoder`, `kinesis_client`, `mysql_client`, `postgresql_client`, `redshift_client`, and `s3_client` classes as well as the `config_helper`, `kms_helper`, `log_helper`, and `obfuscation_helper` functions.
+Initial version. Includes the `avro_encoder`, `kinesis_client`, `mysql_client`, `postgresql_client`, `redshift_client`, and `s3_client` classes as well as the `config_helper`, `kms_helper`, `log_helper`, and `obfuscation_helper` functions.
diff --git a/README.md b/README.md
@@ -10,6 +10,7 @@ This package contains common Python utility classes and functions.
 * Connecting to and querying a MySQL database
 * Connecting to and querying a PostgreSQL database using a connection pool
 * Connecting to and querying Redshift
+* Making requests to the Oauth2 authenticated APIS such as NYPL Platform API and Sierra
 
 ## Functions
 * Reading a YAML config file and putting the contents in os.environ
@@ -63,4 +64,4 @@ This repo uses the [Main-QA-Production](https://github.com/NYPL/engineering-gene
 - Deploy app to production on GitHub and confirm it works
 
 ## Deployment
-The utils repo is deployed as a PyPI package [here](https://pypi.org/project/nypl-py-utils/) and as a Test PyPI package for QA purposes [here](https://test.pypi.org/project/nypl-py-utils/). In order to be deployed, the version listed in `pyproject.toml` **must be updated**. To deploy to Test PyPI, create a new release in GitHub and tag it `qa-vX.X.X`. The GitHub Actions deploy-qa workflow will then build and publish the package. To deploy to production PyPI, create a release and tag it `production-vX.X.X`.
+The utils repo is deployed as a PyPI package [here](https://pypi.org/project/nypl-py-utils/) and as a Test PyPI package for QA purposes [here](https://test.pypi.org/project/nypl-py-utils/). In order to be deployed, the version listed in `pyproject.toml` **must be updated**. To deploy to Test PyPI, create a new release in GitHub and tag it `qa-vX.X.X`. The GitHub Actions deploy-qa workflow will then build and publish the package. To deploy to production PyPI, create a release and tag it `production-vX.X.X`.
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "nypl_py_utils"
-version = "0.0.6"
+version = "0.0.7"
 authors = [
   { name="Aaron Friedman", email="aaronfriedman@nypl.org" },
 ]
@@ -22,10 +22,12 @@ dependencies = [
     "boto3>=1.26.5",
     "botocore>=1.29.5",
     "mysql-connector-python>=8.0.32",
+    "oauthlib>=3.2.2",
     "psycopg[binary,pool]>=3.1.6",
     "PyYAML>=6.0",
     "redshift-connector>=2.0.909",
-    "requests>=2.28.1"
+    "requests>=2.28.1",
+    "requests_oauthlib>=1.3.1"
 ]
 
 [project.optional-dependencies]
@@ -40,4 +42,4 @@ tests = [
 
 [project.urls]
 "Homepage" = "https://github.com/NYPL/python-utils"
-"Bug Tracker" = "https://github.com/NYPL/python-utils/issues"
+"Bug Tracker" = "https://github.com/NYPL/python-utils/issues"
diff --git a/src/nypl_py_utils/__init__.py b/src/nypl_py_utils/__init__.py
@@ -2,6 +2,7 @@
 from .classes.kinesis_client import KinesisClient, KinesisClientError  # noqa
 from .classes.kms_client import KmsClient, KmsClientError # noqa
 from .classes.mysql_client import MySQLClient, MySQLClientError  # noqa
+from .classes.oauth2_api_client import Oauth2ApiClient  # noqa
 from .classes.postgresql_client import PostgreSQLClient, PostgreSQLClientError  # noqa
 from .classes.redshift_client import RedshiftClient, RedshiftClientError  # noqa
-from .classes.s3_client import S3Client, S3ClientError  # noqa
+from .classes.s3_client import S3Client, S3ClientError  # noqa
diff --git a/src/nypl_py_utils/classes/oauth2_api_client.py b/src/nypl_py_utils/classes/oauth2_api_client.py
@@ -0,0 +1,94 @@
+import os
+from oauthlib.oauth2 import BackendApplicationClient, TokenExpiredError
+from requests_oauthlib import OAuth2Session
+from nypl_py_utils.functions.log_helper import create_log
+
+
+class Oauth2ApiClient:
+    """
+    Client for interacting with an Oauth2 authenticated API such as NYPL's
+    Platform API endpoints
+    """
+
+    def __init__(self, client_id=None, client_secret=None, base_url=None,
+                 token_url=None):
+        self.client_id = client_id \
+            or os.environ.get('NYPL_API_CLIENT_ID', None)
+        self.client_secret = client_secret \
+            or os.environ.get('NYPL_API_CLIENT_SECRET', None)
+        self.token_url = token_url \
+            or os.environ.get('NYPL_API_TOKEN_URL', None)
+        self.base_url = base_url \
+            or os.environ.get('NYPL_API_BASE_URL', None)
+
+        self.client = None
+        self.token = None
+
+        self.logger = create_log('oauth2_api_client')
+
+    def get(self, request_path, **kwargs):
+        """
+        Issue an HTTP GET on the given request_path
+        """
+        return self._do_http_method('GET', request_path, **kwargs)
+
+    def post(self, request_path, json, **kwargs):
+        """
+        Issue an HTTP POST on the given request_path with given JSON body
+        """
+        kwargs['json'] = json
+        return self._do_http_method('POST', request_path, **kwargs)
+
+    def patch(self, request_path, json, **kwargs):
+        """
+        Issue an HTTP PATCH on the given request_path with given JSON body
+        """
+        kwargs['json'] = json
+        return self._do_http_method('PATCH', request_path, **kwargs)
+
+    def delete(self, request_path, **kwargs):
+        """
+        Issue an HTTP DELETE on the given request_path
+        """
+        return self._do_http_method('DELETE', request_path, **kwargs)
+
+    def _do_http_method(self, method, request_path, **kwargs):
+        """
+        Issue an HTTP method call on on the given request_path
+        """
+        if not self.client:
+            self._create_oauth_client()
+
+        url = f'{self.base_url}/{request_path}'
+        self.logger.debug(f'{method} {url}')
+
+        try:
+            return self.oauth_client.request(method, url, **kwargs).json()
+        except TokenExpiredError as e:
+            self.logger.debug(f'TokenExpiredError encountered: {e}')
+            self._generate_access_token()
+
+            return self._do_http_method(method, request_path, **kwargs)
+        except TimeoutError as e:
+            self.logger.error(f'TimeoutError encountered: {e}')
+            return {}
+
+    def _create_oauth_client(self):
+        """
+        Creates an authenticated a OAuth2Session instance for later requests
+        """
+        self._generate_access_token()
+        self.oauth_client = OAuth2Session(self.client_id, token=self.token)
+
+    def _generate_access_token(self):
+        """
+        Fetch and store a fresh token
+        """
+        client = BackendApplicationClient(client_id=self.client_id)
+        oauth = OAuth2Session(client=client)
+        self.logger.debug(f'Refreshing token via @{self.token_url}')
+        self.token = oauth.fetch_token(
+            token_url=self.token_url,
+            client_id=self.client_id,
+            client_secret=self.client_secret
+        )
diff --git a/tests/test_oauth2_api_client.py b/tests/test_oauth2_api_client.py
@@ -0,0 +1,91 @@
+import os
+import json
+import pytest
+from requests_oauthlib import OAuth2Session
+
+from nypl_py_utils import Oauth2ApiClient
+# from requests.exceptions import ConnectTimeout
+
+_TOKEN_RESPONSE = {
+    'access_token': 'super-secret-token',
+    'expires_in': 3600,
+    'token_type': 'Bearer',
+    'scope': ['offline_access', 'openid', 'login:staff', 'admin'],
+    'id_token': 'super-secret-token',
+    'expires_at': 1677599823.3180869
+}
+
+BASE_URL = 'https://example.com/api/v0.1'
+
+
+class TestOauth2ApiClient:
+
+    @pytest.fixture
+    def test_instance(self, requests_mock):
+        token_url = 'https://oauth.example.com/oauth/token'
+        requests_mock.post(token_url, text=json.dumps(_TOKEN_RESPONSE))
+
+        return Oauth2ApiClient(base_url=BASE_URL,
+                               token_url=token_url,
+                               client_id='clientid',
+                               client_secret='clientsecret'
+                               )
+
+    def test_uses_env_vars(self):
+        env = {
+            'NYPL_API_CLIENT_ID': 'env client id',
+            'NYPL_API_CLIENT_SECRET': 'env client secret',
+            'NYPL_API_TOKEN_URL': 'env token url',
+            'NYPL_API_BASE_URL': 'env base url'
+        }
+        for key, value in env.items():
+            os.environ[key] = value
+
+        client = Oauth2ApiClient()
+        assert client.client_id == 'env client id'
+        assert client.client_secret == 'env client secret'
+        assert client.token_url == 'env token url'
+        assert client.base_url == 'env base url'
+
+        for key, value in env.items():
+            os.environ[key] = ''
+
+    def test_generate_access_token(self, test_instance):
+        test_instance._generate_access_token()
+        assert test_instance.token['access_token']\
+            == _TOKEN_RESPONSE['access_token']
+
+    def test_create_oauth_client(self, test_instance):
+        test_instance._create_oauth_client()
+        assert type(test_instance.oauth_client) is OAuth2Session
+
+    def test_do_http_method(self, requests_mock, test_instance):
+        requests_mock.get(f'{BASE_URL}/foo', json={'foo': 'bar'})
+        resp = test_instance._do_http_method('GET', 'foo')
+        assert resp == {'foo': 'bar'}
+
+    def test_token_expiration(self, requests_mock, test_instance):
+        api_get_mock = requests_mock.get(f'{BASE_URL}/foo',
+                                         json={'foo': 'bar'})
+
+        # Perform first request to auto-authenticate:
+        resp = test_instance._do_http_method('GET', 'foo')
+        assert api_get_mock.request_history[0]._request\
+            .headers['Authorization'] == 'Bearer super-secret-token'
+
+        # Emulate token expiration:
+        test_instance.token['expires_at'] = 0
+
+        token_post_mock = requests_mock.post(
+            test_instance.token_url,
+            text=json.dumps(_TOKEN_RESPONSE)
+        )
+
+        # Perform second request, which should detect token expiration and
+        # re-authenticate:
+        resp = test_instance._do_http_method('GET', 'foo')
+
+        assert token_post_mock.called is True
+        assert api_get_mock.request_history[1]._request\
+            .headers['Authorization'] == 'Bearer super-secret-token'
+        assert resp == {'foo': 'bar'}
