added standard token type enum; added aws_creds helper

Author: mconflitti-pbc

src/posit/connect/client.py

@@ -11,7 +11,7 @@
 from .context import Context, ContextManager, requires
 from .groups import Groups
 from .metrics.metrics import Metrics
-from .oauth.oauth import API_KEY_TOKEN_TYPE, OAuth
+from .oauth.oauth import OAuth, OAuthTokenType
 from .resources import _PaginatedResourceSequence, _ResourceSequence
 from .sessions import Session
 from .system import System
@@ -256,7 +256,7 @@ def user_profile():
             raise ValueError("token must be set to non-empty string.")
 
         visitor_credentials = self.oauth.get_credentials(
-            token, requested_token_type=API_KEY_TOKEN_TYPE
+            token, requested_token_type=OAuthTokenType.API_KEY
         )
 
         visitor_api_key = visitor_credentials.get("access_token", "")

src/posit/connect/external/aws.py

@@ -0,0 +1,49 @@
+from __future__ import annotations
+
+import base64
+import json
+
+from typing_extensions import TYPE_CHECKING, Dict
+
+from ..oauth.oauth import OAuthTokenType
+
+if TYPE_CHECKING:
+    from ..client import Client
+
+
+def get_aws_credentials(client: Client, user_session_token: str) -> Dict[str, str]:
+    """
+    Get AWS credentials using OAuth token exchange.
+
+    According to RFC 8693, the access token must be a base64 encoded JSON object
+    containing the AWS credentials. This function will decode and deserialize the
+    access token and return the AWS credentials.
+
+    Parameters
+    ----------
+    client : Client
+        The client to use for making requests
+    user_session_token : str
+        The user session token to exchange
+
+    Returns
+    -------
+    Dict[str, str]
+        Dictionary containing AWS credentials with keys:
+        access_key_id, secret_access_key, session_token, and expiration
+    """
+    # Get credentials using OAuth
+    credentials = client.oauth.get_credentials(
+        user_session_token=user_session_token,
+        requested_token_type=OAuthTokenType.AWS_CREDENTIALS,
+    )
+
+    # Decode base64 access token
+    access_token = credentials.get("access_token")
+    if not access_token:
+        raise ValueError("No access token found in credentials")
+    decoded_bytes = base64.b64decode(access_token)
+    decoded_str = decoded_bytes.decode("utf-8")
+    aws_credentials = json.loads(decoded_str)
+
+    return aws_credentials

src/posit/connect/oauth/oauth.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 import os
+from enum import Enum
 
 from typing_extensions import TYPE_CHECKING, Optional, TypedDict
 
@@ -12,9 +13,14 @@
     from ..context import Context
 
 GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
-USER_SESSION_TOKEN_TYPE = "urn:posit:connect:user-session-token"
-CONTENT_SESSION_TOKEN_TYPE = "urn:posit:connect:content-session-token"
-API_KEY_TOKEN_TYPE = "urn:posit:connect:api-key"
+
+
+class OAuthTokenType(str, Enum):
+    ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
+    AWS_CREDENTIALS = "urn:ietf:params:aws:token-type:credentials"
+    API_KEY = "urn:posit:connect:api-key"
+    CONTENT_SESSION_TOKEN = "urn:posit:connect:content-session-token"
+    USER_SESSION_TOKEN = "urn:posit:connect:user-session-token"
 
 
 def _get_content_session_token() -> str:
@@ -53,13 +59,15 @@ def sessions(self):
         return Sessions(self._ctx)
 
     def get_credentials(
-        self, user_session_token: Optional[str] = None, requested_token_type: Optional[str] = None
+        self,
+        user_session_token: Optional[str] = None,
+        requested_token_type: Optional[str | OAuthTokenType] = None,
     ) -> Credentials:
         """Perform an oauth credential exchange with a user-session-token."""
         # craft a credential exchange request
         data = {}
         data["grant_type"] = GRANT_TYPE
-        data["subject_token_type"] = USER_SESSION_TOKEN_TYPE
+        data["subject_token_type"] = OAuthTokenType.USER_SESSION_TOKEN
         if user_session_token:
             data["subject_token"] = user_session_token
         if requested_token_type:
@@ -73,7 +81,7 @@ def get_content_credentials(self, content_session_token: Optional[str] = None) -
         # craft a credential exchange request
         data = {}
         data["grant_type"] = GRANT_TYPE
-        data["subject_token_type"] = CONTENT_SESSION_TOKEN_TYPE
+        data["subject_token_type"] = OAuthTokenType.CONTENT_SESSION_TOKEN
         data["subject_token"] = content_session_token or _get_content_session_token()
 
         response = self._ctx.client.post(self._path, data=data)

tests/posit/connect/external/test_aws.py

@@ -0,0 +1,68 @@
+import pytest
+import responses
+
+from posit.connect import Client
+from posit.connect.external.aws import get_aws_credentials
+
+aws_creds = {
+    "accessKeyId": "abc123",
+    "secretAccessKey": "def456",
+    "sessionToken": "ghi789",
+    "expiration": "2025-01-01T00:00:00Z",
+}
+
+encoded_aws_creds = "eyJhY2Nlc3NLZXlJZCI6ICJhYmMxMjMiLCAic2VjcmV0QWNjZXNzS2V5IjogImRlZjQ1NiIsICJzZXNzaW9uVG9rZW4iOiAiZ2hpNzg5IiwgImV4cGlyYXRpb24iOiAiMjAyNS0wMS0wMVQwMDowMDowMFoifQ=="
+
+
+class TestAWS:
+    @responses.activate
+    def test_get_aws_credentials(self):
+        responses.post(
+            "https://connect.example/__api__/v1/oauth/integrations/credentials",
+            match=[
+                responses.matchers.urlencoded_params_matcher(
+                    {
+                        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
+                        "subject_token_type": "urn:posit:connect:user-session-token",
+                        "subject_token": "cit",
+                        "requested_token_type": "urn:ietf:params:aws:token-type:credentials",
+                    }
+                )
+            ],
+            json={
+                "access_token": encoded_aws_creds,
+                "issued_token_type": "urn:ietf:params:aws:token-type:credentials",
+                "token_type": "aws_credentials",
+            },
+        )
+
+        c = Client(api_key="12345", url="https://connect.example/")
+        c._ctx.version = None
+        response = get_aws_credentials(c, "cit")
+
+        assert response == aws_creds
+
+    @responses.activate
+    def test_get_aws_credentials_no_token(self):
+        responses.post(
+            "https://connect.example/__api__/v1/oauth/integrations/credentials",
+            match=[
+                responses.matchers.urlencoded_params_matcher(
+                    {
+                        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
+                        "subject_token_type": "urn:posit:connect:user-session-token",
+                        "subject_token": "cit",
+                        "requested_token_type": "urn:ietf:params:aws:token-type:credentials",
+                    }
+                )
+            ],
+            json={},
+        )
+
+        c = Client(api_key="12345", url="https://connect.example/")
+        c._ctx.version = None
+
+        with pytest.raises(ValueError) as e:
+            get_aws_credentials(c, "cit")
+
+        assert e.match("No access token found in credentials")

tests/posit/connect/oauth/test_oauth.py

@@ -4,7 +4,7 @@
 import responses
 
 from posit.connect import Client
-from posit.connect.oauth.oauth import API_KEY_TOKEN_TYPE, _get_content_session_token
+from posit.connect.oauth.oauth import OAuthTokenType, _get_content_session_token
 
 
 class TestOAuthIntegrations:
@@ -62,11 +62,38 @@ def test_get_credentials_api_key(self):
         )
         c = Client(api_key="12345", url="https://connect.example/")
         c._ctx.version = None
-        creds = c.oauth.get_credentials("cit", API_KEY_TOKEN_TYPE)
+        creds = c.oauth.get_credentials("cit", OAuthTokenType.API_KEY)
         assert creds.get("access_token") == "viewer-api-key"
         assert creds.get("issued_token_type") == "urn:posit:connect:api-key"
         assert creds.get("token_type") == "Key"
 
+    @responses.activate
+    def test_get_credentials_aws(self):
+        responses.post(
+            "https://connect.example/__api__/v1/oauth/integrations/credentials",
+            match=[
+                responses.matchers.urlencoded_params_matcher(
+                    {
+                        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
+                        "subject_token_type": "urn:posit:connect:user-session-token",
+                        "subject_token": "cit",
+                        "requested_token_type": "urn:ietf:params:aws:token-type:credentials",
+                    },
+                ),
+            ],
+            json={
+                "access_token": "encoded-aws-creds",
+                "issued_token_type": "urn:ietf:params:aws:token-type:credentials",
+                "token_type": "aws_credentials",
+            },
+        )
+        c = Client(api_key="12345", url="https://connect.example/")
+        c._ctx.version = None
+        creds = c.oauth.get_credentials("cit", OAuthTokenType.AWS_CREDENTIALS)
+        assert creds.get("access_token") == "encoded-aws-creds"
+        assert creds.get("issued_token_type") == "urn:ietf:params:aws:token-type:credentials"
+        assert creds.get("token_type") == "aws_credentials"
+
     @responses.activate
     def test_get_content_credentials(self):
         responses.post(