feat: initial gnap and http signatures implementation

[elijah0kello]

Changes in this PR

• added classes for key management
• added http signature header support for requests to auth server and resource server
• added unit tests
• added github actions file to run tests

Things to note

• integration tests are still failing since when I was making requests to https://auth.interledger-test.dev, I didn't have any public keys registered.
• I therefore need some help understanding how to upload public keys to the AS.

@Tymmmy @johngian please review

Authors

• @elijah0kello
• @Kasweka1

Run unit tests

poetry run pytest -s test/unit

[elijah0kello]

@Tymmmy I have added some usage documentation in the README.md. Still adding more docs though.

The current docs should give an idea of how I envisioned the client to be used.

[elijah0kello]

The integration test for requesting a grant is now passing.

to run integration tests.

poetry run pytest -s tests/integration/test_grants.py

I registered a wallet , created keys and loaded it in privkey.pem.example for testing

[sidvishnoi]

Looking good!
Did a quick first pass, will try setting up locally for next round of review.

[sidvishnoi]

Can we aim from Python 3.9 as it's still a supported version?
One old version, one "most used supported" version, and one latest (even beta)?

[sidvishnoi]

Suggested change

	name: Test Python open payments sdk f
	name: Test Python Open Payments SDK

[sidvishnoi]

Can we test on Windows as well?

[sidvishnoi]

Can we merge these two into "Set up Poetry"?

[sidvishnoi]

So the code becomes part of Step 2:

Suggested change

	```
	> poetry install
	```
	```
	> poetry install
	```

[sidvishnoi]

Skipping model_validate? for this response?

[sidvishnoi]

Should these methods be made @staticmethod or move moved out of the class? They're essentially constants.

[sidvishnoi]

Nit: given we'll be using encoded bytes, better to name this variable pem_bytes:

Suggested change

	def load_ed25519_private_key_from_pem(self,pem_str: Union[str, bytes]) -> Ed25519PrivateKey:
	"""
	Read private key from str or bytes string
	"""
	if isinstance(pem_str,str):
	pem_str = pem_str.encode("utf-8")
	def load_ed25519_private_key_from_pem(self,pem_bytes: Union[str, bytes]) -> Ed25519PrivateKey:
	"""
	Read private key from str or bytes string
	"""
	if isinstance(pem_bytes,str):
	pem_bytes = pem_bytes.encode("utf-8")

[sidvishnoi]

Should this be typed as dict as well?

[sidvishnoi]

Should we expose this httpx dependency like this to other modules? Seems fine from perspective of better control at call-site, but makes dependency harder to switch when/if needed.

[elijah0kello]

thanks @sidvishnoi for these comments. I will address them ASAP.

[johngian]

Some overall comments about this PR:

• I think 33 commits are not very manageable/readable to review. I suggest the commits to be more atomic.
• I am not sure what's the policy for 3rd party libraries but I would advise against building on top of non established authentication related libraries

[elijah0kello]

thanks @johngian for these comments.

• I am happy to take you through the codebase if it is overwhelming. Also it is just a lot of commits but the actual code changes are not so many.
• In regard to the third party lib, I read through the code base for the http signatures lib and also made a PR to fix something that was wrong. That being said if there is a policy, let's hear it and I'll address that specific issue with a custom implementation of http signatures.

[johngian]

@elijah0kello its not about having an overwhelming codebase. There is a purpose and value on having atomic commits. The PR at its current state (from a quick look) has 4+ commits that are about running unit tests and 3-4 commits only about updating docs, on top of that there is a bunch of merge commits from other repositories which don't bring much value in the context of the commit history. Also there is a commit that fixes a typo of a change introduced in this changeset.

Regarding the http signatures lib i would defer to the folks from the organization to decide but if it was my decision i would rather have an implementation that is audited/vetted by the org or built internally just for the purpose of ILF projects.

[johngian]

We do have a poetry based setup, there is no need to point to a pinned version of the wheel file.

[johngian]

If you are running poetry install why do you need to explicitly install the module?

[koekiebox]

@elijah0kello its not about having an overwhelming codebase. There is a purpose and value on having atomic commits. The PR at its current state (from a quick look) has 4+ commits that are about running unit tests and 3-4 commits only about updating docs, on top of that there is a bunch of merge commits from other repositories which don't bring much value in the context of the commit history. Also there is a commit that fixes a typo of a change introduced in this changeset.

Regarding the http signatures lib i would defer to the folks from the organization to decide but if it was my decision i would rather have an implementation that is audited/vetted by the org or built internally just for the purpose of ILF projects.

I am happy, as long as we introduce CVE scanning to ensure the libraries are safe to use. I have left other comments on the PR. 🙇

[koekiebox]

Left a couple of comments, mostly regarding pip-audit.

[koekiebox]

add new line.

[koekiebox]

There doesn't seem to be any vulnerabilities with these dependencies, but could we also run the pip-audit as part of the workflow?

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install dependencies
        run: |
          python3 -m pip install .  # assumes dependencies declared in pyproject.toml
          python3 -m pip install pip-audit
      - name: Run pip-audit
        run: pip-audit .

[koekiebox]

Could you also run an audit as part of the flow?

[elijah0kello]

thanks @koekiebox for comments.

I will address as advised. Especially the dependency auditing.