pycsamt.iot.security#
Security configuration for IoT telemetry transports.
Field IoT reviewers expect a credible security story: TLS for transport encryption and a defined credential scheme (bearer token, basic auth, or API key). This module provides small, serialisable configuration objects that:
carry TLS material and credentials,
redact secrets from
repr/as_dictso they never leak into logs, manifests, or notebooks, andproject into the
**optionsaccepted bybuild_telemetry_client().
The objects hold configuration only; they do not implement cryptography themselves — encryption is delegated to the underlying transport (TLS via the OS/OpenSSL, tokens via HTTP headers).
Functions
|
Return a redaction placeholder when value is a non-empty secret. |
Classes
|
Supported authentication schemes. |
|
Authentication credential with secret redaction. |
|
Combined TLS + credential policy for telemetry transports. |
|
Transport-layer security material for a telemetry client. |
- class pycsamt.iot.security.AuthScheme(*values)[source]#
-
Supported authentication schemes.
- NONE = 'none'#
- BEARER = 'bearer'#
- BASIC = 'basic'#
- API_KEY = 'api_key'#
- class pycsamt.iot.security.TLSConfig(enabled=False, ca_cert=None, certfile=None, keyfile=None, verify=True, min_version=None)[source]#
Bases:
PyCSAMTObjectTransport-layer security material for a telemetry client.
- Parameters:
- class pycsamt.iot.security.Credential(scheme=AuthScheme.NONE, token=None, username=None, password=None, api_key=None, api_key_header='X-API-Key')[source]#
Bases:
PyCSAMTObjectAuthentication credential with secret redaction.
Secrets (
token,password,api_key) are never shown byreproras_dict(); usereveal()explicitly when a real transport needs the raw values.- Parameters:
- scheme: AuthScheme | str = 'none'#
- validate()[source]#
Validate object state.
Subclasses can override this hook. The base implementation intentionally accepts all states.
- Return type:
None
- class pycsamt.iot.security.SecurityConfig(tls=<factory>, credential=<factory>, require_tls=False, allowed_protocols=None)[source]#
Bases:
PyCSAMTObjectCombined TLS + credential policy for telemetry transports.
- Parameters:
tls (TLSConfig)
credential (Credential)
require_tls (bool)
- credential: Credential#
- validate()[source]#
Validate object state.
Subclasses can override this hook. The base implementation intentionally accepts all states.
- Return type:
None
- client_options()[source]#
Return options for
build_telemetry_client().Includes TLS flags, credential headers, and (for MQTT) username / password so a transport can authenticate. Raw secrets are included because this feeds the live client, not a log.