Merge pull request #79 from Colin-b/develop

Release 0.20.0

Author: Colin-b

.github/workflows/release.yml

@@ -25,7 +25,7 @@ jobs:
         python -m pip install .[testing]
     - name: Test with pytest
       run: |
-        pytest --cov=httpx_auth --cov-fail-under=100 --cov-report=term-missing
+        pytest --doctest-modules --cov=httpx_auth --cov-fail-under=100 --cov-report=term-missing
     - name: Create packages
       run: |
         python -m pip install build

.github/workflows/test.yml

@@ -22,7 +22,7 @@ jobs:
         python -m pip install .[testing]
     - name: Test with pytest
       run: |
-        pytest --cov=httpx_auth --cov-fail-under=100 --cov-report=term-missing
+        pytest --doctest-modules --cov=httpx_auth --cov-fail-under=100 --cov-report=term-missing
     - name: Create packages
       run: |
         python -m pip install build

.pre-commit-config.yaml

@@ -1,5 +1,5 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: 23.12.1
+    rev: 24.1.1
     hooks:
       - id: black

CHANGELOG.md

@@ -6,6 +6,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.20.0] - 2024-02-12
+### Fixed
+- Remove deprecation warnings due to usage of `utcnow` and `utcfromtimestamp`. Thanks to [`Raphael Krupinski`](https://github.com/rafalkrupinski).
+- `httpx_auth.AWS4Auth.default_include_headers` value kept growing in size every time a new `httpx_auth.AWS4Auth` instance was created with `security_token` parameter provided. Thanks to [`Miikka Koskinen`](https://github.com/miikka).
+- `httpx_auth.AWS4Auth` is now based almost entirely on AWS documentation, diverging from the original implementation based on `requests-aws4auth` and solving implementation issues in the process.
+  - As the AWS documentation might be wrong or not exhaustive enough, feel free to open issues, should you encounter edge cases.
+
+### Changed
+- `httpx_auth.AWS4Auth.default_include_headers` is not available anymore, use `httpx_auth.AWS4Auth` `include_headers` parameter instead to include additional headers if the default does not fit your need (refer to documentation for an exhaustive list).
+- `httpx_auth.AWS4Auth` `include_headers` values will not be stripped anymore, meaning that you can now include headers prefixed and/or suffixed with blank spaces.
+- `httpx_auth.AWS4Auth` does not includes `date` header by default anymore. You will have to provide it via `include_headers` yourself if you need to.
+  - Note that it should not be required as `httpx_auth.AWS4Auth` is sending `x-amz-date` by default and AWS documentation states that the request date can be specified by using either the HTTP `Date` or the `x-amz-date` header. If both headers are present, `x-amz-date` takes precedence.
+- `httpx_auth.AWS4Auth` `include_headers` does not needs to include `host`, `content-type` or `x-amz-*` anymore as those headers will always be included. It is now expected to be provided as a list of additional headers.
+- `httpx_auth.AWS4Auth` will not modify the headers values spaces when computing the canonical headers, only trim leading and trailing whitespaces as per AWS documentation.
+
 ## [0.19.0] - 2024-01-09
 ### Added
 - Explicit support for Python 3.12
@@ -112,7 +127,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 - `get_token` cache method now requires `on_missing_token` function args to be provided as kwargs instead of args.
-- `get_token` cache method now requires `on_missing_token` parameter to be provided as a non positional argument.
+- `get_token` cache method now requires `on_missing_token` parameter to be provided as a non-positional argument.
 - `get_token` cache method now expose `early_expiry` parameter, defaulting to 30 seconds.
 
 ### Fixed
@@ -164,13 +179,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Still under development, subject to breaking changes without notice: `AWS4Auth` authentication class for AWS. Ported from [`requests-aws4auth`](https://github.com/sam-washington/requests-aws4auth) by [`Michael E. Martinka`](https://github.com/martinka).
 Note that a few changes were made:
-  - deprecated `amz_date` attribute has been removed.
-  - it is not possible to provide an `AWSSigningKey` instance, use explicit parameters instead.
-  - it is not possible to provide a `date`. It will default to now.
-  - it is not possible to provide `raise_invalid_date` parameter anymore as the date will always be valid.
+  - Deprecated `amz_date` attribute has been removed.
+  - It is not possible to provide an `AWSSigningKey` instance, use explicit parameters instead.
+  - It is not possible to provide a `date`. It will default to now.
+  - It is not possible to provide `raise_invalid_date` parameter anymore as the date will always be valid.
   - `include_hdrs` parameter was renamed into `include_headers`
   - `host` is not considered as a specific Amazon service anymore (no test specific code).
-  - Each request now has it's own signing key and x-amz-date. Meaning you can use the same auth instance for more than one request.
+  - Each request now has its own signing key and `x-amz-date`. Meaning you can use the same auth instance for more than one request.
   - `session_token` was renamed into `security_token` for consistency with the underlying name at Amazon.
 
 ## [0.3.0] - 2020-05-26
@@ -193,7 +208,8 @@ Note that a few changes were made:
 ### Added
 - Placeholder for port of requests_auth to httpx
 
-[Unreleased]: https://github.com/Colin-b/httpx_auth/compare/v0.19.0...HEAD
+[Unreleased]: https://github.com/Colin-b/httpx_auth/compare/v0.20.0...HEAD
+[0.20.0]: https://github.com/Colin-b/httpx_auth/compare/v0.19.0...v0.20.0
 [0.19.0]: https://github.com/Colin-b/httpx_auth/compare/v0.18.0...v0.19.0
 [0.18.0]: https://github.com/Colin-b/httpx_auth/compare/v0.17.0...v0.18.0
 [0.17.0]: https://github.com/Colin-b/httpx_auth/compare/v0.16.0...v0.17.0

CONTRIBUTING.md

@@ -21,7 +21,7 @@ Before creating an issue please make sure that it was not already reported.
 
 1) Go to the *Issues* tab and click on the *New issue* button.
 2) Title should be a small sentence describing the request.
-3) The comment should contains as much information as possible
+3) The comment should contain as much information as possible
     * Actual behavior (including the version you used)
     * Expected behavior
     * Steps to reproduce
@@ -56,7 +56,7 @@ Before creating an issue please make sure that it was not already reported.
 1) Go to the *Pull requests* tab and click on the *New pull request* button.
 2) *base* should always be set to `develop` and it should be compared to your branch.
 3) Title should be a small sentence describing the request.
-3) The comment should contains as much information as possible
+4) The comment should contain as much information as possible
     * Actual behavior (before the new code)
     * Expected behavior (with the new code)
     * Steps to reproduce (with and without the new code to see the difference)

README.md

@@ -5,7 +5,7 @@
 <a href="https://github.com/Colin-b/httpx_auth/actions"><img alt="Build status" src="https://github.com/Colin-b/httpx_auth/workflows/Release/badge.svg"></a>
 <a href="https://github.com/Colin-b/httpx_auth/actions"><img alt="Coverage" src="https://img.shields.io/badge/coverage-100%25-brightgreen"></a>
 <a href="https://github.com/psf/black"><img alt="Code style: black" src="https://img.shields.io/badge/code%20style-black-000000.svg"></a>
-<a href="https://github.com/Colin-b/httpx_auth/actions"><img alt="Number of tests" src="https://img.shields.io/badge/tests-335 passed-blue"></a>
+<a href="https://github.com/Colin-b/httpx_auth/actions"><img alt="Number of tests" src="https://img.shields.io/badge/tests-681 passed-blue"></a>
 <a href="https://pypi.org/project/httpx-auth/"><img alt="Number of downloads" src="https://img.shields.io/pypi/dm/httpx_auth"></a>
 </p>
 
@@ -18,7 +18,8 @@ Provides authentication classes to be used with [`httpx`][1] [authentication par
 <p align="center">
     <a href="https://oauth.net/2/"><img alt="OAuth2" src="https://oauth.net/images/oauth-2-sm.png"></a>
     <a href="https://www.okta.com"><img alt="Okta" src="https://www.okta.com/sites/all/themes/Okta/images/logos/developer/Dev_Logo-03_Large.png" height="120"></a>
-    <a href="https://azure.microsoft.com/en-us/services/active-directory/"><img alt="Azure Active Directory (AD)" src="https://azurecomcdn.azureedge.net/cvt-cda59ccd0aa5ced6ff5a2052417cf596b92980921e88e667127eaca2232a31ab/images/shared/services/pricing-glyph-lock.svg" height="120"></a>
+    <a href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id"><img alt="Microsoft Entra ID, formerly Azure Active Directory (AD)" src="https://svgshare.com/i/12u_.svg" height="120"></a>
+    <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html"><img alt="AWS Signature Version 4" src="https://upload.wikimedia.org/wikipedia/commons/9/93/Amazon_Web_Services_Logo.svg" height="120"></a>
 </p>
 <p align="center">Some of the supported authentication</p>
 
@@ -34,8 +35,8 @@ Provides authentication classes to be used with [`httpx`][1] [authentication par
   - [Client Credentials Flow](#client-credentials-flow)
     - [Okta](#okta-oauth2-client-credentials)
   - [Implicit Flow](#implicit-flow)
-    - [Azure AD (Access Token)](#microsoft---azure-active-directory-oauth2-access-token)
-    - [Azure AD (ID token)](#microsoft---azure-active-directory-openid-connect-id-token)
+    - [Microsoft Entra (Access Token)](#microsoft---azure-active-directory-oauth2-access-token)
+    - [Microsoft Entra (ID token)](#microsoft---azure-active-directory-openid-connect-id-token)
     - [Okta (Access Token)](#okta-oauth2-implicit-access-token)
     - [Okta (ID token)](#okta-openid-connect-implicit-id-token)
   - [Managing token cache](#managing-token-cache)
@@ -667,7 +668,7 @@ OAuth2.token_cache = JsonTokenFileCache('path/to/my_token_cache.json')
 
 ## AWS Signature v4
 
-Amazon Web Service Signature version 4 is implemented following [Amazon S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html) and [request-aws4auth](https://github.com/sam-washington/requests-aws4auth).
+Amazon Web Service Signature version 4 is implemented following [Amazon S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html) and [request-aws4auth 1.2.3](https://github.com/sam-washington/requests-aws4auth) (with some changes, see below).
 
 Use `httpx_auth.AWS4Auth` to configure this kind of authentication.
 
@@ -680,15 +681,31 @@ with httpx.Client() as client:
     client.get('http://s3-eu-west-1.amazonaws.com', auth=aws)
 ```
 
+Note that the following changes were made compared to `requests-aws4auth`:
+  - Each request now has its own signing key and `x-amz-date`. Meaning **you can use the same auth instance for more than one request**.
+  - `session_token` was renamed into `security_token` for consistency with the underlying name at Amazon.
+  - `include_hdrs` parameter was renamed into `include_headers`. When using this parameter:
+    - Provided values will not be stripped, [WYSIWYG](https://en.wikipedia.org/wiki/WYSIWYG).
+    - If multiple values are provided for a same header, the computation will be based on the value order you provided and value separated by `, `. Instead of ordered values separated by comma for `requests-aws4auth`.
+  - `amz_date` attribute has been removed.
+  - It is not possible to provide a `date`. It will default to now.
+  - It is not possible to provide an `AWSSigningKey` instance, use explicit parameters instead.
+  - It is not possible to provide `raise_invalid_date` parameter anymore as the date will always be valid.
+  - `host` is not considered as a specific Amazon service anymore (no test specific code).
+  - Canonical query string computation is entirely based on AWS documentation (and consider undocumented fragment (`#` and following characters) as part of the query string).
+  - Canonical uri computation is entirely based on AWS documentation.
+  - Canonical headers computation is entirely based on AWS documentation.
+
 ### Parameters
 
-| Name             | Description                | Mandatory | Default value |
-|:-----------------|:---------------------------|:----------|:--------------|
-| `access_id`      | AWS access ID. | Mandatory | |
-| `secret_key`     | AWS secret access key. | Mandatory | |
-| `region`         | The region you are connecting to, as per [this list](http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region). For services which do not require a region (e.g. IAM), use us-east-1. | Mandatory | |
-| `service`        | The name of the service you are connecting to, as per [this list](http://docs.aws.amazon.com/general/latest/gr/rande.html). e.g. elasticbeanstalk. | Mandatory | |
-| `security_token` | Used for the `x-amz-security-token` header, for use with STS temporary credentials. | Optional | |
+| Name               | Description                                                                                                                                                                                    | Mandatory  | Default value                                                                                                            |
+|:-------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:-------------------------------------------------------------------------------------------------------------------------|
+| `access_id`        | AWS access ID.                                                                                                                                                                                 | Mandatory  |                                                                                                                          |
+| `secret_key`       | AWS secret access key.                                                                                                                                                                         | Mandatory  |                                                                                                                          |
+| `region`           | The region you are connecting to, as per [this list](http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region). For services which do not require a region (e.g. IAM), use us-east-1. | Mandatory  |                                                                                                                          |
+| `service`          | The name of the service you are connecting to, as per [this list](http://docs.aws.amazon.com/general/latest/gr/rande.html). e.g. elasticbeanstalk.                                             | Mandatory  |                                                                                                                          |
+| `security_token`   | Used for the `x-amz-security-token` header, for use with STS temporary credentials.                                                                                                            | Optional   |                                                                                                                          |
+| `include_headers`  | Set of headers to include in the canonical and signed headers (in addition to the default). Note that `x-amz-client-context` is not included by default and `*` will include all headers.      | Optional   | {"host", "content-type", "x-amz-*"} and if `security_token` is provided, `x-amz-security-token`. |
 
 ## API key in header
 
@@ -859,7 +876,7 @@ import datetime
 from httpx_auth.testing import browser_mock, BrowserMock, create_token
 
 def test_something(browser_mock: BrowserMock):
-    token_expiry = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
+    token_expiry = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(hours=1)
     token = create_token(token_expiry)
     tab = browser_mock.add_response(
         opened_url="http://url_opened_by_browser?state=1234",