Class swarmauri_tokens_sshsig.SshSigTokenService.SshSigTokenService

swarmauri_tokens_sshsig.SshSigTokenService.SshSigTokenService

SshSigTokenService(
    key_provider,
    *,
    default_issuer=None,
    default_namespace="token",
)

Bases: TokenServiceBase

Token service using SSH signatures in a compact three-part format.

Initialize the token service.

key_provider (IKeyProvider): Provider used to resolve signing keys. default_issuer (Optional[str]): Issuer claim applied when minting tokens. default_namespace (str): Namespace used when constructing signatures. RETURNS (None): The initialized service.

Source code in swarmauri_tokens_sshsig/SshSigTokenService.py

def __init__(
    self,
    key_provider: IKeyProvider,
    *,
    default_issuer: Optional[str] = None,
    default_namespace: str = "token",
) -> None:
    """Initialize the token service.

    key_provider (IKeyProvider): Provider used to resolve signing keys.
    default_issuer (Optional[str]): Issuer claim applied when minting tokens.
    default_namespace (str): Namespace used when constructing signatures.
    RETURNS (None): The initialized service.
    """
    super().__init__()
    self._kp = key_provider
    self._iss = default_issuer
    self._ns = default_namespace

type class-attribute instance-attribute

type = 'SshSigTokenService'

model_config class-attribute instance-attribute

model_config = ConfigDict(
    extra="allow", arbitrary_types_allowed=True
)

id class-attribute instance-attribute

id = Field(default_factory=generate_id)

members class-attribute instance-attribute

members = None

owners class-attribute instance-attribute

owners = None

host class-attribute instance-attribute

host = None

default_logger class-attribute

default_logger = None

logger class-attribute instance-attribute

logger = None

name class-attribute instance-attribute

name = None

resource class-attribute instance-attribute

resource = Field(default=CRYPTO.value, frozen=True)

version class-attribute instance-attribute

version = '0.1.0'

supports

supports()

Describe supported token formats and algorithms.

RETURNS (Mapping[str, Iterable[str]]): Mapping of supported formats and algorithm identifiers.

Source code in swarmauri_tokens_sshsig/SshSigTokenService.py

def supports(self) -> Mapping[str, Iterable[str]]:
    """Describe supported token formats and algorithms.

    RETURNS (Mapping[str, Iterable[str]]): Mapping of supported formats and
        algorithm identifiers.
    """
    return {"formats": ("SSHSIG",), "algs": _SUPPORTED}

mint async

mint(
    claims,
    *,
    alg,
    kid=None,
    key_version=None,
    headers=None,
    lifetime_s=3600,
    issuer=None,
    subject=None,
    audience=None,
    scope=None,
)

Mint a signed SSHSIG token.

claims (Dict[str, Any]): Claims to encode in the payload. alg (str): Identifier of the signing algorithm to use. kid (str | None): Key identifier for the signing key. key_version (int | None): Specific version of the key to use. headers (Optional[Dict[str, Any]]): Additional header values. lifetime_s (Optional[int]): Lifetime of the token in seconds. issuer (Optional[str]): Issuer claim to embed in the token. subject (Optional[str]): Subject claim value. audience (Optional[str | list[str]]): Intended audience claim. scope (Optional[str]): Scope claim for the token. RETURNS (str): Serialized token string.

Source code in swarmauri_tokens_sshsig/SshSigTokenService.py

async def mint(
    self,
    claims: Dict[str, Any],
    *,
    alg: str,
    kid: str | None = None,
    key_version: int | None = None,
    headers: Optional[Dict[str, Any]] = None,
    lifetime_s: Optional[int] = 3600,
    issuer: Optional[str] = None,
    subject: Optional[str] = None,
    audience: Optional[str | list[str]] = None,
    scope: Optional[str] = None,
) -> str:
    """Mint a signed SSHSIG token.

    claims (Dict[str, Any]): Claims to encode in the payload.
    alg (str): Identifier of the signing algorithm to use.
    kid (str | None): Key identifier for the signing key.
    key_version (int | None): Specific version of the key to use.
    headers (Optional[Dict[str, Any]]): Additional header values.
    lifetime_s (Optional[int]): Lifetime of the token in seconds.
    issuer (Optional[str]): Issuer claim to embed in the token.
    subject (Optional[str]): Subject claim value.
    audience (Optional[str | list[str]]): Intended audience claim.
    scope (Optional[str]): Scope claim for the token.
    RETURNS (str): Serialized token string.
    """
    if alg not in _SUPPORTED:
        raise ValueError(f"Unsupported SSH signature alg: {alg}")

    now = _now_s()
    payload = dict(claims)
    payload.setdefault("iat", now)
    payload.setdefault("nbf", now)
    if lifetime_s:
        payload.setdefault("exp", now + int(lifetime_s))
    if issuer or self._iss:
        payload.setdefault("iss", issuer or self._iss)
    if subject:
        payload.setdefault("sub", subject)
    if audience:
        payload.setdefault("aud", audience)
    if scope:
        payload.setdefault("scope", scope)

    if not kid:
        raise ValueError("mint() requires 'kid' of a signing key")
    ref = await self._kp.get_key(kid, key_version, include_secret=True)
    if ref.material is None:
        raise RuntimeError("Signing key is not exportable under current policy")

    kidver = f"{ref.kid}.{ref.version}"
    hdr = dict(headers or {})
    hdr.setdefault("typ", "SSHSIG")
    hdr["alg"] = alg
    hdr["kid"] = kidver
    hdr.setdefault("ns", self._ns)

    hdr_b64 = _b64u(_canonical_json(hdr))
    pl_b64 = _b64u(_canonical_json(payload))
    preimage = _sig_input(hdr["ns"], pl_b64)

    sk = load_pem_private_key(ref.material, password=None)
    if alg == "ssh-ed25519":
        if not isinstance(sk, Ed25519PrivateKey):
            raise ValueError("ssh-ed25519 requires an Ed25519 private key (PEM)")
        sig = sk.sign(preimage)
    elif alg == "ecdsa-sha2-nistp256":
        if not isinstance(sk, ec.EllipticCurvePrivateKey) or sk.curve.name not in (
            "secp256r1",
            "prime256v1",
        ):
            raise ValueError(
                "ecdsa-sha2-nistp256 requires an ECDSA P-256 private key"
            )
        sig = sk.sign(preimage, ec.ECDSA(hashes.SHA256()))
    else:
        raise ValueError(f"Unsupported alg: {alg}")

    return f"{hdr_b64}.{pl_b64}.{_b64u(sig)}"

verify async

verify(token, *, issuer=None, audience=None, leeway_s=60)

Verify a token and return its claims.

token (str): Token string to verify. issuer (Optional[str]): Expected issuer claim. audience (Optional[str | list[str]]): Expected audience claim. leeway_s (int): Allowed clock skew in seconds when validating times. RETURNS (Dict[str, Any]): Verified claims payload.

Source code in swarmauri_tokens_sshsig/SshSigTokenService.py

async def verify(
    self,
    token: str,
    *,
    issuer: Optional[str] = None,
    audience: Optional[str | list[str]] = None,
    leeway_s: int = 60,
) -> Dict[str, Any]:
    """Verify a token and return its claims.

    token (str): Token string to verify.
    issuer (Optional[str]): Expected issuer claim.
    audience (Optional[str | list[str]]): Expected audience claim.
    leeway_s (int): Allowed clock skew in seconds when validating times.
    RETURNS (Dict[str, Any]): Verified claims payload.
    """
    try:
        hdr_b64, pl_b64, sig_b64 = token.split(".", 2)
    except ValueError as exc:
        raise ValueError("Invalid token format") from exc

    hdr = json.loads(_b64u_d(hdr_b64).decode("utf-8"))
    payload = json.loads(_b64u_d(pl_b64).decode("utf-8"))
    sig = _b64u_d(sig_b64)

    if hdr.get("typ") != "SSHSIG":
        raise ValueError("Invalid typ (expected SSHSIG)")
    alg = hdr.get("alg")
    if alg not in _SUPPORTED:
        raise ValueError(f"Unsupported alg: {alg}")
    kidver = hdr.get("kid")
    if not kidver:
        raise ValueError("Missing 'kid' in header")
    ns = hdr.get("ns") or self._ns

    base_kid, _, v_str = kidver.partition(".")
    ver = int(v_str) if v_str else None
    ref = await self._kp.get_key(base_kid, ver, include_secret=False)
    if ref.public is None:
        await self._kp.get_public_jwk(base_kid, ver)
        raise RuntimeError(
            "Public key PEM not available from provider; ensure .public is populated"
        )

    pk = load_pem_public_key(ref.public)
    preimage = _sig_input(ns, pl_b64)
    try:
        if alg == "ssh-ed25519":
            if not isinstance(pk, Ed25519PublicKey):
                raise ValueError(
                    "Header alg is ssh-ed25519 but public key is not Ed25519"
                )
            pk.verify(sig, preimage)
        elif alg == "ecdsa-sha2-nistp256":
            if not isinstance(
                pk, ec.EllipticCurvePublicKey
            ) or pk.curve.name not in ("secp256r1", "prime256v1"):
                raise ValueError(
                    "Header alg is ecdsa-sha2-nistp256 but public key is not P-256"
                )
            pk.verify(sig, preimage, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature as exc:
        raise ValueError("Signature verification failed") from exc

    now = _now_s()
    leeway = int(leeway_s)
    if "exp" in payload and now > int(payload["exp"]) + leeway:
        raise ValueError("Token expired")
    if "nbf" in payload and now + leeway < int(payload["nbf"]):
        raise ValueError("Token not yet valid")
    if "iat" in payload and now + leeway < int(payload["iat"]):
        raise ValueError("Token 'iat' is in the future")

    expected_iss = issuer or self._iss
    if expected_iss is not None and payload.get("iss") != expected_iss:
        raise ValueError("Issuer (iss) mismatch")

    if audience is not None:
        aud_claim = payload.get("aud")
        if isinstance(audience, str):
            ok = (audience == aud_claim) or (
                isinstance(aud_claim, list) and audience in aud_claim
            )
        else:
            ok = any(
                a == aud_claim or (isinstance(aud_claim, list) and a in aud_claim)
                for a in audience
            )
        if not ok:
            raise ValueError("Audience (aud) mismatch")

    return payload

jwks async

jwks()

Retrieve the provider's JSON Web Key Set.

RETURNS (dict): JWKS dictionary supplied by the key provider.

Source code in swarmauri_tokens_sshsig/SshSigTokenService.py

async def jwks(self) -> dict:
    """Retrieve the provider's JSON Web Key Set.

    RETURNS (dict): JWKS dictionary supplied by the key provider.
    """
    return await self._kp.jwks()

register_model classmethod

register_model()

Decorator to register a base model in the unified registry.

RETURNS	DESCRIPTION
Callable	A decorator function that registers the model class. TYPE: Callable[[Type[BaseModel]], Type[BaseModel]]

Source code in swarmauri_base/DynamicBase.py

@classmethod
def register_model(cls) -> Callable[[Type[BaseModel]], Type[BaseModel]]:
    """
    Decorator to register a base model in the unified registry.

    Returns:
        Callable: A decorator function that registers the model class.
    """

    def decorator(model_cls: Type[BaseModel]):
        """Register ``model_cls`` as a base model."""
        model_name = model_cls.__name__
        if model_name in cls._registry:
            glogger.warning(
                "Model '%s' is already registered; skipping duplicate.", model_name
            )
            return model_cls

        cls._registry[model_name] = {"model_cls": model_cls, "subtypes": {}}
        glogger.debug("Registered base model '%s'.", model_name)
        DynamicBase._recreate_models()
        return model_cls

    return decorator

register_type classmethod

register_type(resource_type=None, type_name=None)

Decorator to register a subtype under one or more base models in the unified registry.

PARAMETER	DESCRIPTION
resource_type	The base model(s) under which to register the subtype. If None, all direct base classes (except DynamicBase) are used. TYPE: Optional[Union[Type[T], List[Type[T]]]] DEFAULT: None
type_name	An optional custom type name for the subtype. TYPE: Optional[str] DEFAULT: None

RETURNS	DESCRIPTION
Callable	A decorator function that registers the subtype. TYPE: Callable[[Type[DynamicBase]], Type[DynamicBase]]

Source code in swarmauri_base/DynamicBase.py

@classmethod
def register_type(
    cls,
    resource_type: Optional[Union[Type[T], List[Type[T]]]] = None,
    type_name: Optional[str] = None,
) -> Callable[[Type["DynamicBase"]], Type["DynamicBase"]]:
    """
    Decorator to register a subtype under one or more base models in the unified registry.

    Parameters:
        resource_type (Optional[Union[Type[T], List[Type[T]]]]):
            The base model(s) under which to register the subtype. If None, all direct base classes (except DynamicBase)
            are used.
        type_name (Optional[str]): An optional custom type name for the subtype.

    Returns:
        Callable: A decorator function that registers the subtype.
    """

    def decorator(subclass: Type["DynamicBase"]):
        """Register ``subclass`` as a subtype."""
        if resource_type is None:
            resource_types = [
                base for base in subclass.__bases__ if base is not cls
            ]
        elif not isinstance(resource_type, list):
            resource_types = [resource_type]
        else:
            resource_types = resource_type

        for rt in resource_types:
            if not issubclass(subclass, rt):
                raise TypeError(
                    f"'{subclass.__name__}' must be a subclass of '{rt.__name__}'."
                )
            final_type_name = type_name or getattr(
                subclass, "_type", subclass.__name__
            )
            base_model_name = rt.__name__

            if base_model_name not in cls._registry:
                cls._registry[base_model_name] = {"model_cls": rt, "subtypes": {}}
                glogger.debug(
                    "Created new registry entry for base model '%s'.",
                    base_model_name,
                )

            subtypes_dict = cls._registry[base_model_name]["subtypes"]
            if final_type_name in subtypes_dict:
                glogger.warning(
                    "Type '%s' already exists under '%s'; skipping duplicate.",
                    final_type_name,
                    base_model_name,
                )
                continue

            subtypes_dict[final_type_name] = subclass
            glogger.debug(
                "Registered '%s' as '%s' under '%s'.",
                subclass.__name__,
                final_type_name,
                base_model_name,
            )

        DynamicBase._recreate_models()
        return subclass

    return decorator

model_validate_toml classmethod

model_validate_toml(toml_data)

Validate a model from a TOML string.

Source code in swarmauri_base/TomlMixin.py

@classmethod
def model_validate_toml(cls, toml_data: str):
    """Validate a model from a TOML string."""
    try:
        # Parse TOML into a Python dictionary
        toml_content = tomllib.loads(toml_data)

        # Convert the dictionary to JSON and validate using Pydantic
        return cls.model_validate_json(json.dumps(toml_content))
    except tomllib.TOMLDecodeError as e:
        raise ValueError(f"Invalid TOML data: {e}")
    except ValidationError as e:
        raise ValueError(f"Validation failed: {e}")

model_dump_toml

model_dump_toml(
    fields_to_exclude=None, api_key_placeholder=None
)

Return a TOML representation of the model.

Source code in swarmauri_base/TomlMixin.py

def model_dump_toml(self, fields_to_exclude=None, api_key_placeholder=None):
    """Return a TOML representation of the model."""
    if fields_to_exclude is None:
        fields_to_exclude = []

    # Load the JSON string into a Python dictionary
    json_data = json.loads(self.model_dump_json())

    # Function to recursively remove specific keys and handle api_key placeholders
    def process_fields(data, fields_to_exclude):
        """Recursively filter fields and apply placeholders."""
        if isinstance(data, dict):
            return {
                key: (
                    api_key_placeholder
                    if key == "api_key" and api_key_placeholder is not None
                    else process_fields(value, fields_to_exclude)
                )
                for key, value in data.items()
                if key not in fields_to_exclude
            }
        elif isinstance(data, list):
            return [process_fields(item, fields_to_exclude) for item in data]
        else:
            return data

    # Filter the JSON data
    filtered_data = process_fields(json_data, fields_to_exclude)

    # Convert the filtered data into TOML
    return toml.dumps(filtered_data)

model_validate_yaml classmethod

model_validate_yaml(yaml_data)

Validate a model from a YAML string.

Source code in swarmauri_base/YamlMixin.py

@classmethod
def model_validate_yaml(cls, yaml_data: str):
    """Validate a model from a YAML string."""
    try:
        # Parse YAML into a Python dictionary
        yaml_content = yaml.safe_load(yaml_data)

        # Convert the dictionary to JSON and validate using Pydantic
        return cls.model_validate_json(json.dumps(yaml_content))
    except yaml.YAMLError as e:
        raise ValueError(f"Invalid YAML data: {e}")
    except ValidationError as e:
        raise ValueError(f"Validation failed: {e}")

model_dump_yaml

model_dump_yaml(
    fields_to_exclude=None, api_key_placeholder=None
)

Return a YAML representation of the model.

Source code in swarmauri_base/YamlMixin.py

def model_dump_yaml(self, fields_to_exclude=None, api_key_placeholder=None):
    """Return a YAML representation of the model."""
    if fields_to_exclude is None:
        fields_to_exclude = []

    # Load the JSON string into a Python dictionary
    json_data = json.loads(self.model_dump_json())

    # Function to recursively remove specific keys and handle api_key placeholders
    def process_fields(data, fields_to_exclude):
        """Recursively filter fields and apply placeholders."""
        if isinstance(data, dict):
            return {
                key: (
                    api_key_placeholder
                    if key == "api_key" and api_key_placeholder is not None
                    else process_fields(value, fields_to_exclude)
                )
                for key, value in data.items()
                if key not in fields_to_exclude
            }
        elif isinstance(data, list):
            return [process_fields(item, fields_to_exclude) for item in data]
        else:
            return data

    # Filter the JSON data
    filtered_data = process_fields(json_data, fields_to_exclude)

    # Convert the filtered data into YAML using safe mode
    return yaml.safe_dump(filtered_data, default_flow_style=False)

model_post_init

model_post_init(logger=None)

Assign a logger instance after model initialization.

Source code in swarmauri_base/LoggerMixin.py

def model_post_init(self, logger: Optional[FullUnion[LoggerBase]] = None) -> None:
    """Assign a logger instance after model initialization."""

    # Directly assign the provided FullUnion[LoggerBase] or fallback to the
    # class-level default.
    self.logger = self.logger or logger or self.default_logger