foundry_dev_tools.clients.multipass module#
Implementation of the multipass API.
- foundry_dev_tools.clients.multipass.DEFAULT_TOKEN_LIFETIME_IN_SECONDS = 604800#
The default token lifetime in seconds which is equivalent to seven days (7*24*60*60).
- foundry_dev_tools.clients.multipass.MINIMUM_MAX_DURATION_IN_SECONDS = 0#
The minimum max duration for expiration settings which is equivalent to zero seconds.
- foundry_dev_tools.clients.multipass.DEFAULT_MAX_DURATION_IN_SECONDS = 604800#
The default max duration for expiration settings which is equivalent to seven days (7*24*60*60).
- class foundry_dev_tools.clients.multipass.MultipassClient[source]#
Bases:
APIClient
To be implemented/transferred.
- get_user_info()[source]#
Returns the json dict from the
foundry_dev_tools.clients.multipass.MultipassClient.api_me()
API.
- Return type:
{
  "id": "<multipass-id>",
  "username": "<username>",
  "attributes": {
    "multipass:email:primary": ["<email>"],
    "multipass:given-name": ["<given-name>"],
    "multipass:organization": ["<your-org>"],
    "multipass:organization-rid": ["ri.multipass..organization. ..."],
    "multipass:family-name": ["<family-name>"],
    "multipass:upn": ["<upn>"],
    "multipass:realm": ["<your-company>"],
    "multipass:realm-name": ["<your-org>"]
  }
}
- api_me(**kwargs)[source]#
Gets the user’s info.
- Parameters:
**kwargs – gets passed to
APIClient.api_request()
- Return type:
- api_get_groups_of_user(**kwargs)[source]#
Returns all groups of which the user is an immediate or indirect member.
- Parameters:
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which includes a list of all groups of which the user is an immediate or indirect member
- Return type:
See below for the structure
[
  {
    "id": "<group-id>",
    "name": "<group-name>",
    "attributes": {
      "multipass:realm": ["palantir-internal-realm"],
      "multipass:organization": ["<your-org>"],
      "multipass:organization-rid": ["ri.multipass..organization. ..."],
      "multipass:realm-name": ["Palantir Internal"]
    }
  },
  ...
]
- is_member_of_group(group_id)[source]#
Returns whether the user is an immediate or indirect member of the specified group.
- api_get_principals(principal_ids, **kwargs)[source]#
Returns principal information for the provided principal identifiers.
- Parameters:
principal_ids (set[api_types.PrincipalId]) – A set of principal identifiers for which to gather information
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which is a list of principals along with some principal-related information
- Return type:
See below for the structure
[
  {
    "id": "<principal-id>",
    <"name", "username">: "...",
    "attributes": { ... }
  },
  ...
]
- api_create_group(name, organization_rids, description=None, **kwargs)[source]#
Create a new multipass group.
- Parameters:
- Returns:
the response contains a json which is the newly created multipass group
- Return type:
See below for the structure
{
  'id': '<...>',
  'name': '<name>',
  'attributes': {
    'multipass:realm': ['palantir-internal-realm'],
    'multipass:organization': ['<your-org>'],
    'multipass:organization-rid': <organization_rids>,
    'multipass:realm-name': ['Palantir Internal'],
    ...
  }
}
- api_get_group(group_id, **kwargs)[source]#
Returns the multipass group information.
- Parameters:
group_id (api_types.GroupId) – The identifier of the group which to retrieve
**kwargs – gets passed to
APIClient.api_request()
- Return type:
See below for the structure
{
  'id': '<id>',
  'name': '<groupname>',
  'attributes': {
    'multipass:realm': ['palantir-internal-realm'],
    'multipass:organization': ['<your-org>'],
    'multipass:organization-rid': ['ri.multipass..organization.<...>'],
    'multipass:realm-name': ['Palantir Internal']
  }
}
- api_update_group(group_id, group_description, **kwargs)[source]#
Update the specified multipass group.
- Parameters:
group_id (api_types.GroupId) – The identifier of the group which to update
group_description (str) – The updated description to apply to the group
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which is the updated multipass group
- Return type:
See below for the structure
{
  'id': '<id>',
  'name': '<groupname>',
  'attributes': {
    'multipass:realm': ['palantir-internal-realm'],
    'multipass:organization': ['<your-org>'],
    'multipass:organization-rid': ['ri.multipass..organization.<...>'],
    'multipass:realm-name': ['Palantir Internal']
  }
}
- api_rename_group(group_id, new_group_name, **kwargs)[source]#
Rename a multipass group.
- Parameters:
group_id (api_types.GroupId) – identifier of the group for which to update its name
new_group_name (str) – the name the group will be renamed to
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json with two entries: the renamed group, and an alias group that keeps the old name and points to the renamed group
- Return type:
See below for the structure
{
  "renamedGroup": {
    "id": "<group_id>",
    "name": "<new_group_name>",
    "attributes": { ... }
  },
  "aliasGroup": {
    "id": "...",
    "name": "<old-group-name>",
    "attributes": { ... }
  }
}
- api_delete_group(group_id, **kwargs)[source]#
Deletes the specified multipass group.
- Parameters:
group_id (api_types.GroupId) – the identifier of the group which to delete
**kwargs – gets passed to
APIClient.api_request()
- Return type:
- api_get_group_manager_managers(group_id, **kwargs)[source]#
Returns the manager managers of a group who can add and remove members and who can grant the right to manage group permissions to others.
- Parameters:
group_id (api_types.GroupId) – The identifier of the group for which to retrieve the manager managers
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which is a list of principals being manager managers
- Return type:
See below for the structure
[
  {
    "id": "<principal-id>",
    <"name", "username">: "...",
    "attributes": { ... }
  },
  ...
]
- api_get_group_member_managers(group_id, **kwargs)[source]#
Returns the member managers of a group who can add and remove members.
- Parameters:
group_id (api_types.GroupId) – The identifier of the group for which to retrieve the member managers
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which is a list of principals being member managers
- Return type:
See below for the structure
[
  {
    "id": "<principal-id>",
    <"name", "username">: "...",
    "attributes": { ... }
  },
  ...
]
- api_update_group_managers(group_id, deleted_manager_managers=None, deleted_member_managers=None, new_manager_managers=None, new_member_managers=None, **kwargs)[source]#
Update group managers by adding new member managers or manager managers or removing member managers or manager managers.
- Parameters:
group_id (api_types.GroupId) – The identifier of the group for which to update the group managers
deleted_manager_managers (set[api_types.PrincipalId] | None) – A set of principal identifiers for which to withdraw the role as manager manager
deleted_member_managers (set[api_types.PrincipalId] | None) – A set of principal identifiers for which to withdraw the role as member manager
new_manager_managers (set[api_types.PrincipalId] | None) – A set of principal identifiers that should be assigned the role as manager manager
new_member_managers (set[api_types.PrincipalId] | None) – A set of principal identifiers that should be assigned the role as member manager
**kwargs – gets passed to
APIClient.api_request()
- Return type:
- add_group_manager_managers(group_id, manager_managers)[source]#
Assign principals as manager managers for the specified group.
- Parameters:
group_id (api_types.GroupId) – The identifier of the group for which to add the manager managers
manager_managers (set[api_types.PrincipalId]) – A set of principal identifiers that should be assigned the role as manager manager
- Return type:
- add_group_member_managers(group_id, member_managers)[source]#
Assign principals as member managers for the specified group.
- Parameters:
group_id (api_types.GroupId) – The identifier of the group for which to add the member managers
member_managers (set[api_types.PrincipalId]) – A set of principal identifiers that should be assigned the role as member manager
- Return type:
- remove_group_manager_managers(group_id, manager_managers)[source]#
Withdraw the provided principals from the manager managers for the specified group.
- Parameters:
group_id (api_types.GroupId) – The identifier of the group for which to remove manager managers
manager_managers (set[api_types.PrincipalId]) – A set of principal identifiers that should be withdrawn from the manager managers.
- Return type:
- remove_group_member_managers(group_id, member_managers)[source]#
Withdraw the provided principals from the member managers for the specified group.
- Parameters:
group_id (api_types.GroupId) – The identifier of the group for which to remove member managers
member_managers (set[api_types.PrincipalId]) – A set of principal identifiers that should be withdrawn from the member managers.
- Return type:
- api_add_group_members(group_ids, principal_ids, expirations=None, **kwargs)[source]#
Add principals to the specified groups.
- Parameters:
group_ids (set[api_types.GroupId]) – A set of group identifiers the principals should be added to
principal_ids (set[api_types.PrincipalId]) – The identifiers of the principals to be added to the groups
expirations (dict[api_types.GroupId, dict[api_types.PrincipalId, datetime]] | None) – Optional expiration settings that can be passed if principals should only have temporary access to groups
**kwargs – gets passed to
APIClient.api_request()
- Return type:
- api_get_principals_groups_all(principal_ids, **kwargs)[source]#
Returns the groups that a principal (user or group) is a member of.
- Parameters:
principal_ids (set[api_types.PrincipalId]) – The identifiers of the principals for which to return the groups
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which is a dict in the following shape:
{
  "containingGroupIdsByPrincipalId": {
    "<requestedPrincipalId>": ["<group1>", ...]
  },
  "groups": [
    {
      "id": "<group1>",
      "name": "<group1Name>"
    }
  ]
}
- Return type:
- api_get_immediate_group_members(group_id, **kwargs)[source]#
Returns all immediate group members for a specific group.
- Parameters:
group_id (api_types.GroupId) – The identifier of the group for which to retrieve all immediate members
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which is a list of principals who are immediate members of the specified group
- Return type:
See below for the structure
[
  {
    "id": "<principal-id>",
    <"name", "username">: "...",
    "attributes": { ... }
  },
  ...
]
- api_get_all_group_members(group_ids, **kwargs)[source]#
Returns the members of the specified groups, both immediate and indirect. Only groups on which the user has view-membership permission are traversed.
Request no more than 100 group identifiers per call!
- Parameters:
group_ids (set[api_types.GroupId]) – A set of group identifiers for which to retrieve all members
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which is a mapping between the group id and the associated principal ids who are members of the given group
- Return type:
See below for the structure
{
  "membersByGroupId": {
    "<group-id>": [
      {
        "principalId": "<principal-id>",
        "principalType": <"USER", "GROUP">
      },
      ...
    ],
    ...
  }
}
- api_get_all_group_users(group_id, **kwargs)[source]#
Get all user members of a group, immediate and indirect, also traversing groups on which the user has no view-membership permission.
Similar to
api_get_all_group_members()
but broader: it captures all user members, including those the user does not have permission to view.
- Parameters:
group_id (api_types.GroupId) – The group identifier for which to retrieve all users
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which is a list of user principals
- Return type:
See below for the structure
[
  {
    "id": "<multipass-id>",
    "username": "<username>",
    "attributes": {
      "<attribute-name>": [...]
    }
  }
]
- api_remove_group_members(group_id, principal_ids, **kwargs)[source]#
Remove members from the specified group.
- Parameters:
group_id (api_types.GroupId) – The identifier of the group from whose member list the principals should be removed
principal_ids (set[api_types.PrincipalId]) – A set of principal identifiers which should be removed from the member list of the group
**kwargs – gets passed to
APIClient.api_request()
- Return type:
- api_get_group_member_expirations(group_ids, **kwargs)[source]#
Get the expiration for members of the specified group identifiers.
Request no more than 100 group identifiers!
- Parameters:
group_ids (set[api_types.GroupId]) – The identifiers of the groups for which to retrieve the expiration of members
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which is a mapping between the group id and the associated principals along their expiration datetime
- Return type:
See below for the structure
{
  "expirationsByGroupId": {
    "<group-id>": {
      "<principal-id>": { "expiration": "..." },
      ...
    },
    ...
  }
}
- api_get_group_member_expiration_settings(group_ids, **kwargs)[source]#
Returns group member expiration settings for the specified groups that the user has view permission on.
- Parameters:
group_ids (set[api_types.GroupId]) – A set of group identifiers for which to gather the expiration settings information
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which is a mapping between the group identifiers and their respective expiration settings
- Return type:
See below for the structure
{
  "maxExpiration": "...",
  "maxDurationInSeconds": "..."
}
- api_update_group_member_expiration_settings(group_id, max_expiration=None, max_duration_in_seconds=None, **kwargs)[source]#
Update group member expiration settings for the specified group.
- Parameters:
group_id (api_types.GroupId) – The identifier of the group whose expiration settings will be updated
max_expiration (datetime | None) – The point in time at which all memberships of the group expire automatically; no new memberships can be requested after it. If not specified or set to None, memberships no longer expire at a fixed date and the group returns to its initial state of having no expiration date
max_duration_in_seconds (int | None) – A new membership can last no longer than this duration; the expiration of existing memberships is adjusted accordingly. The value must be greater than or equal to
MINIMUM_MAX_DURATION_IN_SECONDS
and falls back to
DEFAULT_MAX_DURATION_IN_SECONDS
if it does not meet that condition. If not specified or set to None, new memberships are no longer constrained by a maximum duration and the group returns to its initial state of having no maximum duration
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which holds the updated expiration settings
- Return type:
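The `expirations` argument of api_add_group_members() and the settings managed by api_update_group_member_expiration_settings() interact: a requested membership expiration must not exceed the group's maximum duration or its maximum expiration date. The block below is an added example, not code from foundry-dev-tools. It restates the two constants with the values listed at the top of this page so that it runs without the package, mirrors the fallback rule for max_duration_in_seconds from the docstring above, and clamps a requested expiration to a group's settings. The per-group settings shape {"maxExpiration": ISO-8601 string or None, "maxDurationInSeconds": int or None} is an assumption based on the response structure above, and the sample groups are constructed.

```python
"""Build the `expirations` argument for api_add_group_members() so that each
new membership respects the group's expiration settings. Added example; the
settings shape and the sample groups are constructed."""
from datetime import datetime, timedelta, timezone

MINIMUM_MAX_DURATION_IN_SECONDS = 0          # values listed at the top of this page
DEFAULT_MAX_DURATION_IN_SECONDS = 7 * 24 * 60 * 60


def normalize_max_duration(value):
    """Rule from api_update_group_member_expiration_settings(): None means no
    maximum; a value below the minimum falls back to the default."""
    if value is None:
        return None
    if value < MINIMUM_MAX_DURATION_IN_SECONDS:
        return DEFAULT_MAX_DURATION_IN_SECONDS
    return value


def effective_expiration(now, requested, settings):
    """Clamp `requested` to the group's maxDurationInSeconds and maxExpiration;
    refuse a membership that would already be expired (e.g. maxExpiration passed)."""
    bounds = [requested]
    max_duration = normalize_max_duration(settings.get("maxDurationInSeconds"))
    if max_duration is not None:
        bounds.append(now + timedelta(seconds=max_duration))
    if settings.get("maxExpiration"):
        bounds.append(datetime.fromisoformat(settings["maxExpiration"]))
    expiration = min(bounds)
    if expiration <= now:
        raise ValueError(f"membership would expire at {expiration.isoformat()}, which is not after now")
    return expiration


def build_expirations(group_ids, principal_ids, settings_by_group, now, requested):
    """Return {group_id: {principal_id: datetime}}, the shape api_add_group_members() expects."""
    return {
        gid: {pid: effective_expiration(now, requested, settings_by_group.get(gid, {}))
              for pid in principal_ids}
        for gid in sorted(group_ids)
    }


# Constructed sample: one group per rule, all relative to a fixed "now".
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SETTINGS = {
    "grp-duration": {"maxExpiration": None, "maxDurationInSeconds": DEFAULT_MAX_DURATION_IN_SECONDS},
    "grp-deadline": {"maxExpiration": "2024-01-05T00:00:00+00:00", "maxDurationInSeconds": None},
    "grp-open": {"maxExpiration": None, "maxDurationInSeconds": None},
    "grp-invalid": {"maxExpiration": None, "maxDurationInSeconds": -1},  # below minimum: default applies
    "grp-closed": {"maxExpiration": "2023-12-01T00:00:00+00:00", "maxDurationInSeconds": None},
}


def demo():
    """Expirations (as ISO strings) for a 30-day request, plus the group that was refused."""
    requested = NOW + timedelta(days=30)
    open_groups = {g: s for g, s in SETTINGS.items() if g != "grp-closed"}
    result = build_expirations(open_groups, {"user-a"}, open_groups, NOW, requested)
    try:
        build_expirations(["grp-closed"], {"user-a"}, SETTINGS, NOW, requested)
        refused = None
    except ValueError:
        refused = "grp-closed"
    return {g: p["user-a"].isoformat() for g, p in result.items()}, refused
```

Clamping client-side is a convenience, not the control: the server enforces the settings, so the point of computing the bound up front is to notice a request that would be cut short or refused before it is sent, and to keep memberships short-lived by default instead of open-ended.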
- reset_group_member_expiration_settings(group_id)[source]#
Reset the group member expiration settings for the specified group.
- Parameters:
group_id (str) – The identifier of the group for which to restore the initial state of the expiration settings
- Returns:
the updated group member expiration settings
- Return type:
- api_get_all_organizations(**kwargs)[source]#
Returns a list of all organizations the user can view.
- Parameters:
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which is a list of organizations and their associated properties
- Return type:
See below for the structure
[
  {
    "rid": "ri.multipass..organization. ...",
    "displayName": "<org-name>",
    "description": "<org-description>",
    "crossOrganizationPermissions": {
      "<cross-organization-rid>": {
        "allowDiscoverUsers": "...",
        "allowDiscoverGroups": "...",
        "allowAccessCategories": "..."
      },
      ...
    },
    "administrators": {
      "<principal-id>": [<"METADATA", "USER", "GROUP", "VIEW_GROUP_MEMBERSHIP", "UNMARK", "ADMIN", "USER", "MARKING_CATEGORY">]
    },
    "markingId": "<marking-id>",
    "host": "<host-id>"
  },
  ...
]
- api_create_third_party_application(client_type, display_name, description, grant_types, redirect_uris, logo_uri, organization_rid, allowed_organization_rids=None, resources=None, operations=None, marking_ids=None, role_set_id=None, role_grants=None, **kwargs)[source]#
Creates Foundry Third Party application (TPA).
https://www.palantir.com/docs/foundry/platform-security-third-party/third-party-apps-overview/
User must have ‘Manage OAuth 2.0 clients’ workflow permissions.
- Parameters:
client_type (api_types.MultipassClientType) – Server Application (CONFIDENTIAL) or Native or single-page application (PUBLIC)
display_name (str) – Display name of the TPA
description (str | None) – Long description of the TPA
grant_types (list[api_types.MultipassGrantType]) – Usually, [“AUTHORIZATION_CODE”, “REFRESH_TOKEN”] (authorization code grant) or [“REFRESH_TOKEN”, “CLIENT_CREDENTIALS”] (client credentials grant)
redirect_uris (list | None) – Redirect URLs of TPA, used in combination with AUTHORIZATION_CODE grant
logo_uri (str | None) – URI or embedded image ‘data:image/png;base64,<…>’
organization_rid (str) – Parent Organization of this TPA
allowed_organization_rids (list | None) – Passing None or empty list means TPA is activated for all Foundry organizations
resources (list[api_types.Rid] | None) – Resources allowed to access by the client, otherwise no resource restrictions
operations (list[str] | None) – Operations the client can be granted, otherwise no operation restrictions
marking_ids (list[str] | None) – Markings allowed to access by the client, otherwise no marking restrictions
role_set_id (str | None) – roles allowed for this client, defaults to oauth2-client
role_grants (dict[str, list[str]] | None) – mapping between roles and principal ids dict[role id,list[principal id]]
**kwargs – gets passed to
APIClient.api_request()
- Return type:
See below for the structure
{
  "clientId": "<...>",
  "clientSecret": "<...>",
  "clientType": "<CONFIDENTIAL/PUBLIC>",
  "organizationRid": "<...>",
  "displayName": "<...>",
  "description": null,
  "logoUri": null,
  "grantTypes": [<"AUTHORIZATION_CODE", "REFRESH_TOKEN", "CLIENT_CREDENTIALS">],
  "redirectUris": [],
  "allowedOrganizationRids": []
}
- api_delete_third_party_application(client_id, **kwargs)[source]#
Deletes a Third Party Application.
- Parameters:
client_id (str) – The unique identifier of the TPA.
**kwargs – gets passed to
APIClient.api_request()
- Return type:
- api_update_third_party_application(client_id, client_type, display_name, description, grant_types, redirect_uris, logo_uri, organization_rid, allowed_organization_rids=None, resources=None, operations=None, marking_ids=None, role_set_id=None, **kwargs)[source]#
Updates Foundry Third Party application (TPA).
https://www.palantir.com/docs/foundry/platform-security-third-party/third-party-apps-overview/
User must have ‘Manage OAuth 2.0 clients’ workflow permissions.
- Parameters:
client_id (str) – The unique identifier of the TPA.
client_type (api_types.MultipassClientType) – Server Application (CONFIDENTIAL) or Native or single-page application (PUBLIC)
display_name (str) – Display name of the TPA
description (str | None) – Long description of the TPA
grant_types (list[api_types.MultipassGrantType]) – Usually, [“AUTHORIZATION_CODE”, “REFRESH_TOKEN”] (authorization code grant) or [“REFRESH_TOKEN”, “CLIENT_CREDENTIALS”] (client credentials grant)
redirect_uris (list | None) – Redirect URLs of TPA, used in combination with AUTHORIZATION_CODE grant
logo_uri (str | None) – URI or embedded image ‘data:image/png;base64,<…>’
organization_rid (str) – Parent Organization of this TPA
allowed_organization_rids (list | None) – Passing None or empty list means TPA is activated for all Foundry organizations
resources (list[api_types.Rid] | None) – Resources allowed to access by the client, otherwise no resource restrictions
operations (list[str] | None) – Operations the client can be granted, otherwise no operation restrictions
marking_ids (list[str] | None) – Markings allowed to access by the client, otherwise no marking restrictions
role_set_id (str | None) – roles allowed for this client, defaults to oauth2-client
**kwargs – gets passed to
APIClient.api_request()
- Return type:
Response in the following structure:
{
  "clientId": "<...>",
  "clientType": "<CONFIDENTIAL/PUBLIC>",
  "organizationRid": "<...>",
  "displayName": "<...>",
  "description": null,
  "logoUri": null,
  "grantTypes": [<"AUTHORIZATION_CODE", "REFRESH_TOKEN", "CLIENT_CREDENTIALS">],
  "redirectUris": [],
  "allowedOrganizationRids": []
}
- api_rotate_third_party_application_secret(client_id, **kwargs)[source]#
Rotates Foundry Third Party application (TPA) secret.
- Parameters:
client_id (str) – The unique identifier of the TPA.
**kwargs – gets passed to
APIClient.api_request()
- Return type:
See below for the structure:
{
  "clientId": "<...>",
  "clientSecret": "<...>",
  "clientType": "<CONFIDENTIAL/PUBLIC>",
  "organizationRid": "<...>",
  "displayName": "<...>",
  "description": null,
  "logoUri": null,
  "grantTypes": [<"AUTHORIZATION_CODE", "REFRESH_TOKEN", "CLIENT_CREDENTIALS">],
  "redirectUris": [],
  "allowedOrganizationRids": []
}
- api_enable_third_party_application(client_id, operations=None, resources=None, marking_ids=None, grant_types=None, require_consent=True, **kwargs)[source]#
Enables Foundry Third Party application (TPA).
- Parameters:
client_id (str) – The unique identifier of the TPA.
operations (list | None) – Scopes that this TPA is allowed to use (To be confirmed) if None or empty list is passed, all scopes will be activated.
resources (list | None) – Compass Project RID’s that this TPA is allowed to access, if None or empty list is passed, unrestricted access will be given.
marking_ids (list[str] | None) – Marking Ids that this TPA is allowed to access, if None or empty list is passed, unrestricted access will be given.
grant_types (list[api_types.MultipassGrantType] | None) – Grant types that this TPA is allowed to use to access resources. If None is passed there are no grant type restrictions; if an empty list is passed, no grant types are allowed for this TPA
require_consent (bool) – Whether users need to provide consent for this application to act on their behalf, defaults to true
**kwargs – gets passed to
APIClient.api_request()
- Return type:
Response with the following structure:
{
  "client": {
    "clientId": "<...>",
    "organizationRid": "ri.multipass..organization.<...>",
    "displayName": "<...>",
    "description": None,
    "logoUri": None
  },
  "installation": {
    "resources": [],
    "operations": [],
    "markingIds": None
  }
}
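The create, update and enable calls above each have arguments whose empty value means "no restriction": an empty allowed_organization_rids activates the TPA for all organizations, and empty operations, resources or marking_ids on enable grant unrestricted access. The create and rotate responses also carry the clientSecret. The block below is an added example, not code from foundry-dev-tools: a review function over a TPA record in the documented response shape (plus the installation block of the enable response) that reports those open settings together with two general OAuth 2.0 configuration problems, and a helper that strips the secret before a record is logged. The finding codes, the sample records and the placeholder operation and resource identifiers are constructed for this example.

```python
"""Review a Third Party Application record for least-privilege problems before
creating, updating or enabling it. Added example; finding codes and sample
records are constructed."""
from urllib.parse import urlparse

PUBLIC, CONFIDENTIAL = "PUBLIC", "CONFIDENTIAL"
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def _redirect_uri_ok(uri, client_type):
    """Exact https URIs only; a PUBLIC (native) client may additionally use a
    loopback http URI for the authorization-code flow, as RFC 8252 allows."""
    parsed = urlparse(uri)
    if "*" in uri or parsed.fragment:
        return False
    if parsed.scheme == "https":
        return True
    return client_type == PUBLIC and parsed.scheme == "http" and parsed.hostname in LOOPBACK_HOSTS


def lint_tpa(client, installation=None):
    """Return a sorted list of finding codes for one TPA record (empty list = clean)."""
    findings = set()
    grants = set(client.get("grantTypes") or [])
    client_type = client.get("clientType")

    if client_type == PUBLIC and "CLIENT_CREDENTIALS" in grants:
        # a public client cannot keep a secret, so a secret-based grant makes no sense for it
        findings.add("public-client-with-client-credentials")
    if "AUTHORIZATION_CODE" in grants:
        uris = client.get("redirectUris") or []
        if not uris:
            findings.add("authorization-code-without-redirect-uri")
        if any(not _redirect_uri_ok(u, client_type) for u in uris):
            findings.add("insecure-redirect-uri")
    if not client.get("allowedOrganizationRids"):
        # docstrings above: None or an empty list activates the TPA for all organizations
        findings.add("enabled-for-all-organizations")
    if installation is not None:
        # enable docstring above: None or an empty list means unrestricted access
        for key in ("operations", "resources", "markingIds"):
            if not installation.get(key):
                findings.add(f"unrestricted-{key}")
    return sorted(findings)


def redact_secret(record):
    """Create and rotate responses carry clientSecret; drop it before logging the record."""
    return {k: ("<redacted>" if k == "clientSecret" else v) for k, v in record.items()}


# Constructed sample records in the documented response shape; ids are placeholders.
SERVICE_TPA = {
    "clientId": "svc-client", "clientSecret": "s3cr3t", "clientType": CONFIDENTIAL,
    "organizationRid": "ri.multipass..organization.example", "displayName": "nightly-export",
    "description": None, "logoUri": None,
    "grantTypes": ["REFRESH_TOKEN", "CLIENT_CREDENTIALS"], "redirectUris": [],
    "allowedOrganizationRids": ["ri.multipass..organization.example"],
}
SERVICE_INSTALL = {"resources": ["<project-rid>"], "operations": ["<operation>"], "markingIds": ["<marking-id>"]}

SPA_TPA = {
    "clientId": "spa-client", "clientType": PUBLIC,
    "organizationRid": "ri.multipass..organization.example", "displayName": "dashboard",
    "description": None, "logoUri": None,
    "grantTypes": ["AUTHORIZATION_CODE", "REFRESH_TOKEN", "CLIENT_CREDENTIALS"],
    "redirectUris": ["http://dashboard.example.com/callback"],
    "allowedOrganizationRids": [],
}
SPA_INSTALL = {"resources": [], "operations": [], "markingIds": None}
```

Run `lint_tpa()` on the argument set you are about to send and on the record the server returns; the second check catches a server-side default you did not expect. Keep `redact_secret()` between the create or rotate response and any logging, and store the clientSecret only in whatever secret store the consuming service already uses.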
- api_create_token(name, description='', seconds_to_live=604800, **kwargs)[source]#
Issue a new token generated by the user.
- Parameters:
- Returns:
the response contains a json including the actual jwt bearer token along with some token information
- Return type:
Response with the following structure:
{
  'access_token': 'ey<...>',
  'tokenInfo': {
    'clientId': '<...>',
    'description': '<description>',
    'expires_in': <seconds-to-live>,
    'grantType': '<...>',
    'name': '<name>',
    'scope': { 'type': '<...>' },
    'state': 'ENABLED',
    'tokenId': '<...>',
    'userId': '<...>'
  }
}
- api_revoke_token(token_id, **kwargs)[source]#
Revoke the user-generated token for the specified token identifier.
- Parameters:
token_id (api_types.TokenId) – The identifier of the token that should be revoked
**kwargs – gets passed to
APIClient.api_request()
- Returns:
the response contains a json which holds a boolean value indicating whether the revocation was successful
- Return type:
- api_get_tokens(token_type=None, limit=100, page_token=None, **kwargs)[source]#
Returns a list of all tokens generated by the user.
- Parameters:
- Returns:
the response contains a json which holds a list of tokens providing information about the token and a nextPageToken used for pagination
- Return type:
Response with the following structure:
{
  'values': [
    {
      'tokenId': '<...>',
      'clientId': '<...>',
      'grantType': '<...>',
      'userId': '<...>',
      'expires_in': <seconds-to-live>,
      'scope': { 'type': '<...>' },
      'name': '<name>',
      'description': '<description>',
      'state': 'ENABLED'
    },
    ...
  ],
  'nextPageToken': <...>
}
- get_tokens(token_type=None, limit=100)[source]#
Returns a list of all tokens generated by the user (automatic pagination).
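api_get_tokens() pages through the user's tokens with nextPageToken, and api_revoke_token() removes one of them; together they are what a periodic clean-up of user-generated tokens is built from. The block below is an added example, not code from foundry-dev-tools: get_tokens() above already paginates for you, but the loop is spelled out here and combined with a revocation policy (tokens with a given name prefix whose expires_in exceeds DEFAULT_TOKEN_LIFETIME_IN_SECONDS). FakeMultipass is a constructed stand-in for MultipassClient; that its methods return objects with a .json() method, and the numeric page tokens it hands out, are assumptions made for this example.

```python
"""Walk the paginated api_get_tokens() response and revoke user-generated tokens
that violate a lifetime policy. Added example; FakeMultipass is constructed."""
DEFAULT_TOKEN_LIFETIME_IN_SECONDS = 604800  # value listed at the top of this page


class _Resp:
    """Minimal stand-in for an HTTP response object (constructed)."""
    def __init__(self, payload):
        self._payload = payload

    def json(self):
        return self._payload


class FakeMultipass:
    """Constructed: seven tokens in the documented shape, two of them long-lived."""
    def __init__(self):
        self.tokens = [
            {"tokenId": f"tok-{i}", "clientId": "<...>", "grantType": "<...>", "userId": "u1",
             "expires_in": 30 * 86400 if i in (1, 5) else 3600,
             "scope": {"type": "<...>"}, "name": "ci-runner" if i % 2 else "laptop",
             "description": "", "state": "ENABLED"}
            for i in range(7)
        ]
        self.page_requests = 0
        self.revoked = []

    def api_get_tokens(self, token_type=None, limit=100, page_token=None):
        self.page_requests += 1
        start = int(page_token or 0)  # numeric offsets as page tokens: an assumption of this fake
        nxt = start + limit
        return _Resp({"values": self.tokens[start:nxt],
                      "nextPageToken": str(nxt) if nxt < len(self.tokens) else None})

    def api_revoke_token(self, token_id):
        self.revoked.append(token_id)
        return _Resp(True)  # docstring above: a boolean revocation result


def iter_tokens(client, limit=100):
    """Yield every token, following nextPageToken until it is absent."""
    page_token = None
    while True:
        body = client.api_get_tokens(limit=limit, page_token=page_token).json()
        yield from body["values"]
        page_token = body.get("nextPageToken")
        if not page_token:
            return


def revoke_long_lived(client, name_prefix, max_lifetime=DEFAULT_TOKEN_LIFETIME_IN_SECONDS, limit=100):
    """Revoke tokens whose name starts with `name_prefix` and whose expires_in
    exceeds `max_lifetime`; returns the ids that were actually revoked."""
    # materialize the listing first so revocation does not shift pages under the iterator
    matches = [t for t in list(iter_tokens(client, limit))
               if t["name"].startswith(name_prefix) and t["expires_in"] > max_lifetime]
    return [t["tokenId"] for t in matches if client.api_revoke_token(t["tokenId"]).json()]
```

Against a real client, pass the MultipassClient instance in place of FakeMultipass; the policy filter is the part to adapt, for example to the token names your automation uses when it calls api_create_token().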