# orthauth
[![PyPI version](https://badge.fury.io/py/orthauth.svg)](https://pypi.org/project/orthauth/)
[![Build Status](https://travis-ci.org/tgbugs/orthauth.svg?branch=master)](https://travis-ci.org/tgbugs/orthauth)
[![Coverage Status](https://coveralls.io/repos/github/tgbugs/orthauth/badge.svg?branch=master)](https://coveralls.io/github/tgbugs/orthauth?branch=master)
A library to separate configuration and authentication from program logic
# THIS IS NOT ENCRYPTED
# THIS IS NOT A PASSWORD MANAGER
# THIS IS NOT A SECURE SECRET STORAGE SYSTEM
# YOU CAN SHOOT YOURSELF IN THE FOOT WITH THIS
There is **NO encryption** for secrets stored using orthauth.
Orthauth can source credentials from a variety of places,
but it is **INTENTIONALLY INSECURE**.
If you do not understand the [use case](#use-case) for this as well as the
risks if used outside a secure environment then DO NOT USE IT.
No one can help you if you get pwnd.
## Use case
The primary use case for `orthauth` is to keep API keys from leaking into
source code and winding up in public repositories. `orthauth` does not provide
operational security for any auth store that it uses. It is up to the user to
secure those stores and the systems they reside on as they see fit.
While `orthauth` attempts to prevent secrets from leaking via debug messages
or logging, it knows nothing about the secrecy of the values it
returns, and once it has returned a value, it is up to the consuming code
to prevent the contents of that value from leaking.
`orthauth` is intended to unify two common ways of managing configuration
variables and credentials: setting them as environment variables, and including
them in a plain text file with permissions set to `0600` (and preferably kept
in a folder set to `0700`).
For example, running a program in the following way:
`export API_KEY=lolplzdonotstealthis; ./my-script-that-needs-the-key`
or using a file like `~/.pgpass` or Emacs `.authinfo`. Note that
pgpass probably shouldn't be a source for most Python implementations,
because libraries like psycopg2 are able to read it directly. In
other languages that lack a library capable of reading pgpass
directly, however, pgpass would be a useful source.
By making it possible to provide credentials seamlessly in multiple ways,
the hope is to reduce the use of different solutions in different environments
without incurring the massive complexity of maintaining a managed authentication
infrastructure.
## Approach
1. Decorators
2. A layer of indirection between names in a code base and config/secrets structure.
3. Be clear about what should be considered public information. Thus prevent anything
stored as a secret from being used as a key to find another secret.
4. Bare minimum to store static configuration information, anything more should
be implemented in the language consuming the config, not in the config.
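The two sources described in the use case (an environment variable, then a `0600` plain-text file) and the name-to-location indirection from the approach, as an added illustration that is not orthauth's code: `resolve`, `Secret` and the `{"env": ..., "file": ...}` config layout are assumptions for this example, not orthauth's API or config schema.

```python
import os
import tempfile

class Secret:
    """Holds a value but never prints it via repr/str, so it stays out of logs."""
    def __init__(self, value):
        self._value = value
    def reveal(self):
        return self._value
    def __repr__(self):
        return "Secret(<redacted>)"
    __str__ = __repr__

def resolve(name, config, environ=None):
    """Map a code-facing name to a value: environment variable first, then a
    plain-text file that must have no group/other permission bits (0600).
    config is {name: {"env": VAR, "file": PATH}}, an assumed layout for this
    example rather than orthauth's own schema."""
    environ = os.environ if environ is None else environ
    spec = config[name]  # an unknown name fails loudly with KeyError
    value = environ.get(spec["env"])
    if value:
        return Secret(value)
    path = os.path.expanduser(spec["file"])
    if os.path.isfile(path):
        if os.stat(path).st_mode & 0o077:
            raise PermissionError(f"{path}: expected mode 0600, refusing to read")
        with open(path) as f:
            return Secret(f.read().strip())
    raise LookupError(f"no source provided a value for {name!r}")

def demo():
    """Constructed self-check: env var wins, 0600 file works, 0644 file is refused."""
    path = os.path.join(tempfile.mkdtemp(), "api-key")  # mkdtemp dirs are 0700
    with open(path, "w") as f:
        f.write("file-key\n")
    os.chmod(path, 0o600)
    cfg = {"some-service-api-key": {"env": "SOME_SERVICE_API_KEY", "file": path}}
    from_env = resolve("some-service-api-key", cfg, {"SOME_SERVICE_API_KEY": "env-key"})
    from_file = resolve("some-service-api-key", cfg, {})
    os.chmod(path, 0o644)
    try:
        resolve("some-service-api-key", cfg, {})
        refused = False
    except PermissionError:
        refused = True
    return from_env.reveal(), from_file.reveal(), refused, repr(from_file)
```

Calling code only ever sees the name `some-service-api-key`; where the value actually lives is decided by the config, and a world-readable file is rejected instead of silently used.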
## Currently supported config formats
| Format | Support | Install |
| -------------------------- | --------------- | ---------------------------- |
| json | builtin | `pip install orthauth` |
| python dictionary literals | builtin | `pip install orthauth` |
| yaml | requires pyyaml | `pip install orthauth[yaml]` |
## Usage
```python
import orthauth as oa

auth = oa.AuthConfig('path/to/config.yaml')


# At init time, look up the config variable 'some-service-api-key'
# and bind its value to the instance attribute 'api_key'.
@auth.tangential_init('api_key', 'some-service-api-key')
class ThatNeedsAuth:
    """ needs authenticated connection to some-service """


tna = ThatNeedsAuth()
print(tna.api_key)
```
Haven't been scared off yet?
See the [developer guide](./docs/guide.org) for more examples.