add support for PKCE in HTTP access method

tomweber-sas · tomweber-sas · commit 9ebaeb405176 · 2024-04-18T14:49:20.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,31 @@
 
 
 
+## [5.12.0] - 2024-04-18
+
+### Added
+
+-   `None` Nothing added
+
+### Changed
+
+-   `Enhancement` A new requirement in Viya 4 called for a change in the SSO authentication mechanism, to support PKCE. So this
+release provides support for that. There's nothing you have to do, but you will see a different message about the URL you need
+to use to get an auth code to provide, when using that authentication mechanism. In short, every time you want to authenticate,
+you get a new URL (it has its own unique code in it). This is displayed in the log same as the previous URL was, but unlike
+previously, where the url was the same every time for the deployment, and you could already get a code and provide it to SASsession(),
+this is a unique URL every time. So you can't get an authcode ahead of time. Don't fuss at me, I don't like it either. If you need
+help, open an issue and I'll see what I can do.
+
+### Fixed
+
+-   `None` Nothing fixed
+
+### Removed
+
+-   `None` Nothing removed
+
+
 ## [5.11.0] - 2024-04-16
 
 ### Added
diff --git a/saspy/sasiohttp.py b/saspy/sasiohttp.py
@@ -25,6 +25,10 @@
 import ssl
 import atexit
 
+import secrets
+import hashlib
+import base64
+
 import tempfile as tf
 from time import sleep
 from threading import Thread
@@ -83,6 +87,7 @@ def __init__(self, session, **kwargs):
       puser          = cfg.get('proxy_user', '')
       ppw            = cfg.get('proxy_pw', '')
       pauthkey       = cfg.get('proxy_authkey', '')
+      self.pkce      = cfg.get('pkce', None)
 
       try:
          self.outopts = getattr(SAScfg, "SAS_output_options")
@@ -271,6 +276,15 @@ def __init__(self, session, **kwargs):
          else:
             self.verify = bool(inver)
 
+      inpkce = kwargs.get('pkce', None)
+      if inpkce is not None:
+         if lock and self.pkce:
+            logger.warning("Parameter 'pkce' passed to SAS_session was ignored due to configuration restriction.")
+         else:
+            self.pkce = inpkce
+      if self.pkce is None:
+         self.pkce = True
+
       if len(self.url) > 0:
          http = self.url.split('://')
          hp   = http[1].split(':')
@@ -297,6 +311,7 @@ def __init__(self, session, **kwargs):
          else:
             self.port = 80
 
+      cv = None
       if not self._token and not authcode and not jwt and not self.serverid:
          found = False
          if self.authkey:
@@ -352,12 +367,23 @@ def __init__(self, session, **kwargs):
                      raise RuntimeError("Neither authcode nor userid provided.")
 
          if code_pw.lower() == 'authcode':
-            purl = "/SASLogon/oauth/authorize?client_id={}&response_type=code".format(client_id)
+            if self.pkce:
+               cv    = secrets.token_urlsafe(32)
+               cvh   = hashlib.sha256(cv.encode('ascii')).digest()
+               cvhe  = base64.urlsafe_b64encode(cvh)
+               cc    = cvhe.decode('ascii')[:-1]
+               purl = "/SASLogon/oauth/authorize?client_id={}&response_type=code&code_challenge_method=S256&code_challenge={}".format(client_id, cc)
+            else:
+               purl = "/SASLogon/oauth/authorize?client_id={}&response_type=code".format(client_id)
+
             if len(self.url) > 0:
                purl = self.url+purl
             else:
                purl = "http{}://{}:{}{}".format('s' if self.ssl else '', self.ip, str(self.port), purl)
-            msg  = "The default url to authenticate with would be {}\n".format(purl)
+            if self.pkce:
+               msg  = "The PKCE required url to authenticate with is {}\n".format(purl)
+            else:
+               msg  = "The default url to authenticate with would be {}\n".format(purl)
             msg += "Please enter authcode: "
             authcode = self._prompt(msg)
             if authcode is None:
@@ -472,7 +498,7 @@ def __init__(self, session, **kwargs):
 
       # get AuthToken
       if not self._token:
-         js = self._authenticate(user, pw, authcode, client_id, client_secret, jwt)
+         js = self._authenticate(user, pw, authcode, client_id, client_secret, jwt, cv)
          self._token   = js.get('access_token',  None)
          self._refresh = js.get('refresh_token', None)
 
@@ -557,7 +583,7 @@ def __init__(self, session, **kwargs):
 
          return
 
-   def _authenticate(self, user, pw, authcode, client_id, client_secret, jwt):
+   def _authenticate(self, user, pw, authcode, client_id, client_secret, jwt, cv):
 
       if self.serverid:
          return {'access_token':'tom'}
@@ -566,9 +592,13 @@ def _authenticate(self, user, pw, authcode, client_id, client_secret, jwt):
          uauthcode      = urllib.parse.quote(authcode)
          uclient_id     = urllib.parse.quote(client_id)
          uclient_secret = urllib.parse.quote(client_secret)
-         d1             = ("grant_type=authorization_code&code="+uauthcode+
-                          "&client_id="+uclient_id+"&client_secret="+uclient_secret).encode(self.encoding)
          headers        = {"Accept":"application/vnd.sas.compute.session+json","Content-Type":"application/x-www-form-urlencoded"}
+         if self.pkce:
+            d1          = ("grant_type=authorization_code&code="+uauthcode+"&code_verifier="+cv+
+                          "&client_id="+uclient_id+"&client_secret="+uclient_secret).encode(self.encoding)
+         else:
+            d1          = ("grant_type=authorization_code&code="+uauthcode+
+                          "&client_id="+uclient_id+"&client_secret="+uclient_secret).encode(self.encoding)
       elif jwt:
          ujwt           = urllib.parse.quote(jwt)
          d1             = "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion="+ujwt
diff --git a/saspy/sasiostdio.py b/saspy/sasiostdio.py
@@ -557,11 +557,6 @@ def _endsas(self):
             self.stdin.flush()
          sleep(1)
 
-         try:
-            self._log += self.stderr.get_nowait().decode(self.sascfg.encoding, errors='replace').replace(chr(12), chr(10))
-         except Empty:
-            pass
-
          if self.pid:
             if os.name == 'nt':
                self.pid.stdin.close()
@@ -591,6 +586,11 @@ def _endsas(self):
                self.to.join(1)
                self.te.join(1)
 
+         try:
+            self._log += self.stderr.get_nowait().decode(self.sascfg.encoding, errors='replace').replace(chr(12), chr(10))
+         except Empty:
+            pass
+
          if self.sascfg.verbose:
             logger.info("SAS Connection terminated. Subprocess id was "+str(pid))
          self.pid        = None
diff --git a/saspy/version.py b/saspy/version.py
@@ -1 +1 @@
-__version__ = '5.11.0'
+__version__ = '5.12.0'

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-__version__ = '5.11.0'`
	`1`	`+__version__ = '5.12.0'`