pangea-sdk

Pangea Python SDK

A Python SDK for integrating with Pangea services. Supports Python v3.9.2 and above.

Installation

GA releases

Via pip:

$ pip3 install pangea-sdk

Via poetry:

$ poetry add pangea-sdk

Beta releases

Pre-release versions may be available with the b (beta) denotation in the version number. These releases serve to preview Beta and Early Access services and APIs. Per Semantic Versioning, they are considered unstable and do not carry the same compatibility guarantees as stable releases. Beta changelog.

Via pip:

$ pip3 install pangea-sdk==6.2.0b2

Via poetry:

$ poetry add pangea-sdk==6.2.0b2

Usage

• Documentation
• GA Examples
• Beta Examples

General usage would be to create a token for a service through the Pangea Console and then construct an API client for that respective service. The below example shows how this can be done for Secure Audit Log to log a simple event:

import os

from pangea.config import PangeaConfig
from pangea.services import Audit

# Load client configuration from environment variables `PANGEA_AUDIT_TOKEN` and
# `PANGEA_DOMAIN`.
token = os.getenv("PANGEA_AUDIT_TOKEN")
domain = os.getenv("PANGEA_DOMAIN")
config = PangeaConfig(domain=domain)

# Create a Secure Audit Log client.
audit = Audit(token, config)

# Log a basic event.
response = audit.log(message="Hello, World!")

Configuration

The SDK supports the following configuration options via PangeaConfig:

• base_url_template — Template for constructing the base URL for API requests. The placeholder {SERVICE_NAME} will be replaced with the service name slug. This is a more powerful version of domain that allows for setting more than just the host of the API server. Defaults to https://{SERVICE_NAME}.aws.us.pangea.cloud.
• domain — Base domain for API requests. This is a weaker version of base_url_template that only allows for setting the host of the API server. Use base_url_template for more control over the URL, such as setting service-specific paths. Defaults to aws.us.pangea.cloud.
• request_retries — Number of retries on the initial request.
• request_backoff — Backoff strategy passed to 'requests'.
• request_timeout — Timeout used on initial request attempts.
• poll_result_timeout — Timeout used to poll results after 202 (in secs).
• queued_retry_enabled — Enable queued request retry support.
• custom_user_agent — Custom user agent to be used in the request headers.

asyncio support

asyncio support is available through the pangea.asyncio.services module. The previous example may be rewritten to utilize async/await syntax like so:

import asyncio
import os

from pangea.asyncio.services import AuditAsync
from pangea.config import PangeaConfig

# Load client configuration from environment variables `PANGEA_AUDIT_TOKEN` and
# `PANGEA_DOMAIN`.
token = os.getenv("PANGEA_AUDIT_TOKEN")
domain = os.getenv("PANGEA_DOMAIN")
config = PangeaConfig(domain=domain)

# Create a Secure Audit Log client.
audit = AuditAsync(token, config=config)


async def main():
    # Log a basic event.
    response = await audit.log(message="Hello, World!")

    await audit.close()


if __name__ == "__main__":
    asyncio.run(main())

Secure Audit Log - Integrity Tools

The Python Pangea SDK also includes some extra features to validate Audit Service log's integrity. Here we explain how to run them.

Verify audit data

Verify that an event or a list of events has not been tampered with. Usage:

usage: python -m pangea.verify_audit [-h] [--file PATH]
or
usage: poetry run python -m pangea.verify_audit [-h] [--file PATH]

Pangea Audit Verifier

options:
  -h, --help            show this help message and exit
  --file PATH, -f PATH  Input file (default: standard input).

It accepts multiple file formats:

• a Verification Artifact from the Pangea User Console
• a search response from the REST API:

$ curl -H "Authorization: Bearer ${PANGEA_TOKEN}" -X POST -H 'Content-Type: application/json'  --data '{"verbose": true}' https://audit.aws.us.pangea.cloud/v1/search

Bulk Download Audit Data

Download all audit logs for a given time range. Start and end date should be provided, a variety of formats is supported, including ISO-8601. The result is stored in a json file (one json per line).

usage: python -m pangea.dump_audit [-h] [--token TOKEN] [--domain DOMAIN] [--output OUTPUT] start end
or
usage: poetry run python -m pangea.dump_audit [-h] [--token TOKEN] [--domain DOMAIN] [--output OUTPUT] start end

Pangea Audit Dump Tool

positional arguments:
  start                 Start timestamp. Supports a variety of formats, including ISO-8601. e.g.: 2023-06-05T18:05:15.030667Z
  end                   End timestamp. Supports a variety of formats, including ISO-8601. e.g.: 2023-06-05T18:05:15.030667Z

options:
  -h, --help            show this help message and exit
  --token TOKEN, -t TOKEN
                        Pangea token (default: env PANGEA_TOKEN)
  --domain DOMAIN, -d DOMAIN
                        Pangea base domain (default: env PANGEA_DOMAIN)
  --output OUTPUT, -o OUTPUT
                        Output file name. Default: dump-<timestamp>

Perform Exhaustive Verification of Audit Data

This script performs extensive verification on a range of events of the log stream. Apart from verifying the hash and the membership proof, it checks that there are no omissions in the stream, i.e. all the events are present and properly located.

usage: python -m pangea.deep_verify [-h] [--token TOKEN] [--domain DOMAIN] --file FILE
or
usage: poetry run python -m pangea.deep_verify [-h] [--token TOKEN] [--domain DOMAIN] --file FILE

Pangea Audit Event Deep Verifier

options:
  -h, --help            show this help message and exit
  --token TOKEN, -t TOKEN
                        Pangea token (default: env PANGEA_TOKEN)
  --domain DOMAIN, -d DOMAIN
                        Pangea base domain (default: env PANGEA_DOMAIN)
  --file FILE, -f FILE  Event input file. Must be a collection of JSON Objects separated by newlines

It accepts multiple file formats:

• a Verification Artifact from the Pangea User Console

• a file generated by the dump_audit command

• a search response from the REST API (see verify_audit)