[Python] Support for HTTP signature

bin/openapi3/python-experimental-petstore.sh

@@ -27,6 +27,8 @@ fi
 
 # if you've executed sbt assembly previously it will use that instead.
 export JAVA_OPTS="${JAVA_OPTS} -Xmx1024M -DloggerPath=conf/log4j.properties"
-ags="generate -t modules/openapi-generator/src/main/resources/python -i modules/openapi-generator/src/test/resources/3_0/petstore-with-fake-endpoints-models-for-testing.yaml -g python-experimental -o samples/openapi3/client/petstore/python-experimental/ --additional-properties packageName=petstore_api $@"
+#yaml="modules/openapi-generator/src/test/resources/3_0/petstore-with-fake-endpoints-models-for-testing.yaml"
+yaml="modules/openapi-generator/src/test/resources/3_0/petstore-with-fake-endpoints-models-for-testing-with-http-signature.yaml"
+ags="generate -t modules/openapi-generator/src/main/resources/python -i $yaml -g python-experimental -o samples/openapi3/client/petstore/python-experimental/ --additional-properties packageName=petstore_api $@"
 
 java $JAVA_OPTS -jar $executable $ags

modules/openapi-generator/src/main/java/org/openapitools/codegen/languages/PythonClientExperimentalCodegen.java

@@ -25,12 +25,14 @@
 import io.swagger.v3.oas.models.parameters.Parameter;
 import io.swagger.v3.oas.models.parameters.RequestBody;
 import io.swagger.v3.oas.models.responses.ApiResponse;
+import io.swagger.v3.oas.models.security.SecurityScheme;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.openapitools.codegen.*;
 import org.openapitools.codegen.examples.ExampleGenerator;
 import org.openapitools.codegen.meta.features.*;
 import org.openapitools.codegen.utils.ModelUtils;
+import org.openapitools.codegen.utils.ProcessUtils;
 import org.openapitools.codegen.meta.GeneratorMetadata;
 import org.openapitools.codegen.meta.Stability;
 import org.slf4j.Logger;
@@ -116,6 +118,14 @@ public void processOpts() {
         supportingFiles.add(new SupportingFile("python-experimental/__init__package.mustache", packagePath(), "__init__.py"));
 
 
+        // Generate the 'signing.py' module, but only if the 'HTTP signature' security scheme is specified in the OAS.
+        Map<String, SecurityScheme> securitySchemeMap = openAPI != null ?
+           (openAPI.getComponents() != null ? openAPI.getComponents().getSecuritySchemes() : null) : null;
+        List<CodegenSecurity> authMethods = fromSecurity(securitySchemeMap);
+        if (ProcessUtils.hasHttpSignatureMethods(authMethods)) {
+            supportingFiles.add(new SupportingFile("python-experimental/signing.mustache", packagePath(), "signing.py"));
+        }
+
         Boolean generateSourceCodeOnly = false;
         if (additionalProperties.containsKey(CodegenConstants.SOURCECODEONLY_GENERATION)) {
             generateSourceCodeOnly = Boolean.valueOf(additionalProperties.get(CodegenConstants.SOURCECODEONLY_GENERATION).toString());

modules/openapi-generator/src/main/resources/python/configuration.mustache

@@ -31,6 +31,8 @@ class Configuration(object):
       The dict value is an API key prefix when generating the auth data.
     :param username: Username for HTTP basic authentication
     :param password: Password for HTTP basic authentication
+    :param signing_info: Configuration parameters for HTTP signature.
+        Must be an instance of {{{packageName}}}.signing.HttpSigningConfiguration
 
     :Example:
 
@@ -49,11 +51,50 @@ class Configuration(object):
       )
     The following cookie will be added to the HTTP request:
        Cookie: JSESSIONID abc123
+
+    Configure API client with HTTP basic authentication:
+      conf = {{{packageName}}}.Configuration(
+          username='the-user',
+          password='the-password',
+      )
+
+    Configure API client with HTTP signature authentication. Use the 'hs2019' signature scheme,
+    sign the HTTP requests with the RSA-SSA-PSS signature algorithm, and set the expiration time
+    of the signature to 5 minutes after the signature has been created.
+    Note you can use the constants defined in the {{{packageName}}}.signing module, and you can
+    also specify arbitrary HTTP headers to be included in the HTTP signature, except for the
+    'Authorization' header, which is used to carry the signature.
+
+    One may be tempted to sign all headers by default, but in practice it rarely works.
+    This is beccause explicit proxies, transparent proxies, TLS termination endpoints or
+    load balancers may add/modify/remove headers. Include the HTTP headers that you know
+    are not going to be modified in transit.
+
+      conf = {{{packageName}}}.Configuration(
+        signing_info = {{{packageName}}}.signing.HttpSigningConfiguration(
+            key_id =                 'my-key-id',
+            private_key_path =       'rsa.pem',
+            signing_scheme =         signing.SCHEME_HS2019,
+            signing_algorithm =      signing.ALGORITHM_RSASSA_PSS,
+            signed_headers =         [signing.HEADER_REQUEST_TARGET,
+                                      signing.HEADER_CREATED,
+                                      signing.HEADER_EXPIRES,
+                                      signing.HEADER_HOST,
+                                      signing.HEADER_DATE,
+                                      signing.HEADER_DIGEST,
+                                      'Content-Type',
+                                      'Content-Length',
+                                      'User-Agent'
+                                     ],
+            signature_max_validity = datetime.timedelta(minutes=5)
+        )
+      )
     """
 
     def __init__(self, host="{{{basePath}}}",
                  api_key=None, api_key_prefix=None,
-                 username=None, password=None):
+                 username=None, password=None,
+                 signing_info=None):
         """Constructor
         """
         self.host = host
@@ -82,6 +123,11 @@ class Configuration(object):
         self.password = password
         """Password for HTTP basic authentication
         """
+        if signing_info is not None:
+            signing_info.host = host
+        self.signing_info = signing_info
+        """The HTTP signing configuration
+        """
 {{#hasOAuthMethods}}
         self.access_token = ""
         """access token for OAuth/Bearer
@@ -318,6 +364,15 @@ class Configuration(object):
                 'value': 'Bearer ' + self.access_token
             }
   {{/isBasicBearer}}
+  {{#isHttpSignature}}
+        if self.signing_info is not None:
+            auth['{{name}}'] = {
+                'type': 'http-signature',
+                'in': 'header',
+                'key': 'Authorization',
+                'value': None  # Signature headers are calculated for every HTTP request
+            }
+  {{/isHttpSignature}}
 {{/isBasic}}
 {{#isOAuth}}
         if self.access_token is not None:

modules/openapi-generator/src/main/resources/python/python-experimental/README_common.mustache

@@ -56,6 +56,9 @@ Class | Method | HTTP request | Description
 {{#isBasicBearer}}
 - **Type**: Bearer authentication{{#bearerFormat}} ({{{.}}}){{/bearerFormat}}
 {{/isBasicBearer}}
+{{#isHttpSignature}}
+- **Type**: HTTP signature authentication
+{{/isHttpSignature}}
 {{/isBasic}}
 {{#isOAuth}}
 - **Type**: OAuth

modules/openapi-generator/src/main/resources/python/python-experimental/api.mustache

@@ -120,7 +120,7 @@ class {{classname}}(object):
 {{#-first}}
                 'auth': [
 {{/-first}}
-                    '{{name}}'{{#hasMore}}, {{/hasMore}}
+                    '{{name}}'{{#hasMore}},{{/hasMore}}
 {{#-last}}
                 ],
 {{/-last}}

modules/openapi-generator/src/main/resources/python/python-experimental/api_client.mustache

@@ -150,13 +150,14 @@ class ApiClient(object):
                                                     collection_formats)
             post_params.extend(self.files_parameters(files))
 
-        # auth setting
-        self.update_params_for_auth(header_params, query_params, auth_settings)
-
         # body
         if body:
             body = self.sanitize_for_serialization(body)
 
+        # auth setting
+        self.update_params_for_auth(header_params, query_params,
+                                    auth_settings, resource_path, method, body)
+
         # request url
         if _host is None:
             url = self.configuration.host + resource_path
@@ -517,12 +518,17 @@ class ApiClient(object):
         else:
             return content_types[0]
 
-    def update_params_for_auth(self, headers, querys, auth_settings):
+    def update_params_for_auth(self, headers, querys, auth_settings,
+                               resource_path, method, body):
         """Updates header and query params based on authentication setting.
 
         :param headers: Header parameters dict to be updated.
         :param querys: Query parameters tuple list to be updated.
         :param auth_settings: Authentication setting identifiers list.
+        :resource_path: A string representation of the HTTP request resource path.
+        :method: A string representation of the HTTP request method.
+        :body: A object representing the body of the HTTP request.
+            The object type is the return value of sanitize_for_serialization().
         """
         if not auth_settings:
             return
@@ -533,7 +539,17 @@ class ApiClient(object):
                 if auth_setting['in'] == 'cookie':
                     headers['Cookie'] = auth_setting['value']
                 elif auth_setting['in'] == 'header':
-                    headers[auth_setting['key']] = auth_setting['value']
+                    if auth_setting['type'] != 'http-signature':
+                        headers[auth_setting['key']] = auth_setting['value']
+{{#hasHttpSignatureMethods}}
+                    else:
+                        # The HTTP signature scheme requires multiple HTTP headers
+                        # that are calculated dynamically.
+                        signing_info = self.configuration.signing_info
+                        auth_headers = signing_info.get_http_signature_headers(
+                                            resource_path, method, headers, body, querys)
+                        headers.update(auth_headers)
+{{/hasHttpSignatureMethods}}
                 elif auth_setting['in'] == 'query':
                     querys.append((auth_setting['key'], auth_setting['value']))
                 else:

modules/openapi-generator/src/main/resources/python/python-experimental/setup.mustache

@@ -16,13 +16,22 @@ VERSION = "{{packageVersion}}"
 # prerequisite: setuptools
 # http://pypi.python.org/pypi/setuptools
 
-REQUIRES = ["urllib3 >= 1.15", "six >= 1.10", "certifi", "python-dateutil"]
+REQUIRES = [
+  "urllib3 >= 1.15",
+  "six >= 1.10",
+  "certifi",
+  "python-dateutil",
 {{#asyncio}}
-REQUIRES.append("aiohttp >= 3.0.0")
+  "aiohttp >= 3.0.0",
 {{/asyncio}}
 {{#tornado}}
-REQUIRES.append("tornado>=4.2,<5")
+  "tornado>=4.2,<5",
 {{/tornado}}
+{{#hasHttpSignatureMethods}}
+  "pem>=19.3.0",
+  "pycryptodome>=3.9.0",
+{{/hasHttpSignatureMethods}}
+]
 EXTRAS = {':python_version <= "2.7"': ['future']}
 
 setup(