API Reference¶
Token¶
- class pypitoken.Token(prefix, macaroon)¶
Create a
Token
(as PyPI itself would do), load an existingToken
, create additional restrictions on aToken
and dump aToken
string from aToken
.This class is an higher level abstraction over the Macaroons from pymacaroons, with specific knowledge of their implementation within PyPI.
- prefix¶
PyPI tokens are usually prefixed with
pypi
, but this is arbitrary- Type:
str
- domain¶
PyPI tokens are attached to a specific domain, usually
pypi.org
ortest.pypi.org
- Type:
str
- identifier¶
This part is how PyPI will find a token in its database and associate it to a specific user. Even when additional restrictions are added to a token, the identifier will still be readable in the token. While this is not exactly a secret part of the token, it’s best to keep it reasonably private.
- Type:
str
- _macaroon¶
This is part of the private API and may be subject to change at any time. This gives you access to the underlying Macaroon, if you need to do low-level operations, or just want to poke around.
- Type:
pymacarrons.Macaroon
- classmethod load(raw)¶
Deserialize a
Token
from a raw string. Warning: does NOT check for the Token validity, you need to callcheck
for that.- Parameters:
raw (
str
) – The token string (including the prefix)- Returns:
Loaded token
- Return type:
- Raises:
pypitoken.LoaderError – Any error in loading the token will be raised as a LoaderError. The original exception (if any) will be attached as the exception cause (
raise from
).
- classmethod create(domain, identifier, key, prefix='pypi', version=2)¶
Create a token. Initially, it has no restruction, but they can be added with restrict. In order to create the token, you will need to provide a key. This key is the secret part of the token. When checking a macaroon validity, you will need to provide the same key.
- Parameters:
domain (
str
) – PyPI tokens are attached to a specific domain, usuallypypi.org
ortest.pypi.org
.identifier (
str
) – Identifies the Token (and its associated user) in the PyPI database.key (
str
|bytes
) – Secret key used to validate the token. Having the key of a token would allow removing existing restrictions.prefix (
str
) – PyPI tokens are usually prefixed withpypi
which is the default value for this parameter.version (
int
) – Version of the pymacaroons specification to use. There’s probably no reason we would want to change this.
- Returns:
The newly minted token
- Return type:
- restrict(not_before=None, not_after=None, project_names=None, project_ids=None, user_id=None, legacy_project_names=None, legacy_not_before=None, legacy_not_after=None, legacy_noop=None)¶
Modifies the token in-place to add restrictions to it. This can be called by PyPI as well as by anyone, adding restrictions to new or existing tokens.
Multiple restrictions of different types can be added in one call to
restrict()
. Alternatively, multiple restrictions of the same type can be added via multiple calls torestrict()
.Note: a token allows the owner to delegate their rights to the bearer. Consequently, a token adding restrictions linked to a project that the owner cannot use will not make its bearer able to upload releases to the project. As stated in the name, restrictions can reduce the scope of a token, and cannot broaden it. It’s possible to create a token that can do nothing, for example by adding two incompatible restrictions.
- Parameters:
not_before (
Union
[int
,datetime
,None
]) – Restrict the token to uploading releases only after the given timestamp or tz-aware datetime. Must be used withnot_after
. By default, None (no restriction)not_after (
Union
[int
,datetime
,None
]) – Restrict the token to uploading releases only before the given timestamp or tz-aware datetime. Must be used withnot_before
. By default, None (no restriction)project_names (
Optional
[Iterable
[str
]]) – Restrict the token to uploading releases only for projects with these names, by default None (no restriction)project_ids (
Optional
[Iterable
[str
]]) – Restrict the token to uploading releases only for projects with these ids, by default None (no restriction)user_ids – Restrict the token to uploading user attempting to upload Restrict the token to being used only by user with this id, by default None (no restriction)
legacy_not_before (
Union
[int
,datetime
,None
]) – Uses the legacy restriction format (results in longer token size). Restrict the token to uploading releases only after the given timestamp or tz-aware datetime. Must be used withnot_after
. By default, None (no restriction)legacy_not_after (
Union
[int
,datetime
,None
]) – Uses the legacy restriction format (results in longer token size). Restrict the token to uploading releases only before the given timestamp or tz-aware datetime. Must be used withnot_before
. By default, None (no restriction)legacy_project_names (
Optional
[Iterable
[str
]]) – Uses the legacy restriction format (results in longer token size). Restrict the token to uploading releases only for projects with these ed name of the project the bearer is attempting to upload toed names, by default None (no restriction)legacy_noop (
Optional
[bool
]) – Uses the legacy restriction format (results in longer token size). user attempting to upload This restriction being there or not doesn’t change the validity of the token.
- Raises:
exceptions.Invalidrestrictions.Restriction – If the provided parameters cannot describe a valid description
- Returns:
The modified Token, to ease chaining calls.
- Return type:
- dump()¶
Generates a string representing the token. This could be used for API authentication against PyPI.
- Returns:
The token
- Return type:
str
- check(key, project_name=None, project_id=None, user_id=None, now=None)¶
Raises pypitoken.ValidationError if the token is invalid.
Parameters besides
key
are all optional and will be used to provide the current context this token is used for, allowing to accept or reject the caveat restrictions. If a parameter is not passed, but a caveat using it is encountered, the caveat will not be met, the token will be found invalid, and this method will raise with an appropriate exception. There is an exception fornow
: if not passed, it defaults to the current timestamp.- Parameters:
key (str) – Key of the macaroon, stored in PyPI database
project_name (
Optional
[str
]) – Normalized name of the project the bearer is attempting to upload toproject_id (
Optional
[str
]) – ID of the project the bearer is attempting to upload touser_id (
Optional
[str
]) – ID of the user attempting to uploadnow (
Union
[int
,datetime
,None
]) – Timestamp of the moment the upload takes place, or tz-aware datetime. Defaults to the current timestamp.
- Raises:
pypitoken.ValidationError – Any error in validating the token will be raised as a ValidationError. The original exception (if any) will be attached as the exception cause (
raise from
).- Return type:
None
- property restrictions: list[pypitoken.restrictions.Restriction]¶
Return a list of restrictions associated to this
Token
. This can be used to get a better insight on what thisToken
contains.- Return type:
List[
restrictions.Restriction
]- Raises:
pypitoken.LoaderError – When the existing restrictions cannot be parsed
Restriction classes¶
You may come accross those classes, but while introspection is ok, you
should not have to call the methods directly. Use Token.restrict
and
Token.restrictions
instead.
- class pypitoken.restrictions.Restriction¶
Base Restriction class.
Expose lower-level methods for restriction/caveat introspection.
- check(context)¶
Receive the context of a check
- Parameters:
context (
Context
) – Describes how the bearer is attempting to use the token.- Raises:
ValidationError – Restriction was checked and appeared unmet.
MissingContextError – (a subclass of ValidationError): Restriction is unmet because the context is lacking required values. This is more probably a code issue from the
Token.check
call than an issue with the token itself, though it also means that the token should be rejected.
- Return type:
None
- dump()¶
Transform a restriction into a JSON-compatible dict object
- Return type:
dict
|list
- dump_json()¶
Transform a restriction into a JSON-encoded string
- Return type:
str
- classmethod load(caveat)¶
Create a Restriction from a raw caveat restriction JSON object.
- Raises:
pypitokens.LoaderError – If the format cannot be understood
- Return type:
- classmethod load_json(caveat)¶
Create a Restriction from a raw caveat restriction JSON string.
- Raises:
pypitokens.LoaderError – If the format cannot be understood
- Return type:
- class pypitoken.DateRestriction(not_before, not_after)¶
Bases:
Restriction
Restrict a
Token
to a single time interval.- not_before¶
Token is not to be used before this Unix timestamp.
- not_after¶
Token is not to be used after this Unix timestamp.
- class pypitoken.ProjectNamesRestriction(project_names)¶
Bases:
Restriction
Restrict a
Token
to uploading releases for project with specific names.- project_names¶
Normalized project names this token may upload to.
- class pypitoken.ProjectIDsRestriction(project_ids)¶
Bases:
Restriction
Restrict a
Token
to uploading releases for project with specific IDs.- project_ids¶
Project IDs this token may upload to.
- class pypitoken.UserIDRestriction(user_id)¶
Bases:
Restriction
Restrict a
Token
to being used by the user with the corresponding ID.- user_id¶
ID of the user that may use this token.
- class pypitoken.LegacyNoopRestriction¶
Bases:
Restriction
Says it restricts the
Token
, but doesn’t actually restrict it.
- class pypitoken.LegacyProjectNamesRestriction(project_names)¶
Bases:
Restriction
Restrict a
Token
to uploading releases for a specific set of packages.- projects¶
Normalized project names this token may upload to.
- class pypitoken.LegacyDateRestriction(not_before, not_after)¶
Bases:
Restriction
Restrict a
Token
to a single time interval.- not_before¶
Token is not to be used before this Unix timestamp.
- not_after¶
Token is not to be used after this Unix timestamp.
Exceptions¶
- class pypitoken.PyPITokenException¶
Bases:
Exception
The base exception for all exceptions raised from this library. Any code raising a different exception would be considered a bug.
- class pypitoken.LoaderError¶
Bases:
PyPITokenException
Exception encountered while calling
Token.load
, due to unexpected format.Exception should be associated with a message in English that can be shown to the bearer to explain the error.
- class pypitoken.ValidationError¶
Bases:
PyPITokenException
Exception encountered while calling
Token.check
, the token should be considered invalid.Exception should be associated with a message in English that can be shown to the bearer to explain the error.
- class pypitoken.MissingContextError¶
Bases:
ValidationError
Exception encountered while calling
Token.check
, the token should be considered invalid.The restriction couldn’t be checked because the context is missing required values
- class pypitoken.InvalidRestriction¶
Bases:
PyPITokenException
,ValueError
Exception encountered while calling
Token.restrict
, due to unexpected parameters.