586 lines
23 KiB
Python
586 lines
23 KiB
Python
"""
|
|
Interface to the Gateway system.
|
|
Manages users and mandates for authentication.
|
|
"""
|
|
|
|
from datetime import datetime, timedelta
|
|
import os
|
|
import logging
|
|
from typing import Dict, Any, List, Optional, Union
|
|
import importlib
|
|
import json
|
|
from passlib.context import CryptContext
|
|
|
|
from modules.connectors.connectorDbJson import DatabaseConnector
|
|
from modules.shared.configuration import APP_CONFIG
|
|
from modules.interfaces.serviceAppAccess import AppAccess
|
|
from modules.interfaces.serviceAppModel import (
|
|
User, Mandate, UserInDB, UserConnection,
|
|
Session, AuthEvent, AuthAuthority, UserPrivilege,
|
|
ConnectionStatus
|
|
)
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
# Singleton factory for GatewayInterface instances per context
|
|
_gatewayInterfaces = {}
|
|
|
|
# Root interface instance
|
|
_rootGatewayInterface = None
|
|
|
|
# Password-Hashing
|
|
pwdContext = CryptContext(schemes=["argon2"], deprecated="auto")
|
|
|
|
class GatewayInterface:
|
|
"""
|
|
Interface to the Gateway system.
|
|
Manages users and mandates.
|
|
"""
|
|
|
|
def __init__(self, currentUser: Dict[str, Any] = None):
|
|
"""Initializes the Gateway Interface."""
|
|
# Initialize variables
|
|
self.currentUser = currentUser
|
|
self.userId = currentUser.get("id") if currentUser else None
|
|
self.mandateId = currentUser.get("mandateId") if currentUser else None
|
|
self.access = None # Will be set when user context is provided
|
|
|
|
# Initialize database
|
|
self._initializeDatabase()
|
|
|
|
# Initialize standard records if needed
|
|
self._initRecords()
|
|
|
|
# Set user context if provided
|
|
if currentUser:
|
|
self.setUserContext(currentUser)
|
|
|
|
def setUserContext(self, currentUser: Dict[str, Any]):
|
|
"""Sets the user context for the interface."""
|
|
if not currentUser:
|
|
logger.info("Initializing interface without user context")
|
|
return
|
|
|
|
self.currentUser = currentUser
|
|
self.userId = currentUser.get("id")
|
|
self.mandateId = currentUser.get("mandateId")
|
|
|
|
if not self.userId or not self.mandateId:
|
|
raise ValueError("Invalid user context: id and mandateId are required")
|
|
|
|
# Add language settings
|
|
self.userLanguage = currentUser.get("language", "en") # Default user language
|
|
|
|
# Initialize access control with user context
|
|
self.access = AppAccess(self.currentUser, self.db)
|
|
|
|
logger.debug(f"User context set: userId={self.userId}, mandateId={self.mandateId}")
|
|
|
|
def _initializeDatabase(self):
|
|
"""Initializes the database connection."""
|
|
try:
|
|
# Get configuration values with defaults
|
|
dbHost = APP_CONFIG.get("DB_APP_HOST", "_no_config_default_data")
|
|
dbDatabase = APP_CONFIG.get("DB_APP_DATABASE", "app")
|
|
dbUser = APP_CONFIG.get("DB_APP_USER")
|
|
dbPassword = APP_CONFIG.get("DB_APP_PASSWORD_SECRET")
|
|
|
|
# Ensure the database directory exists
|
|
os.makedirs(dbHost, exist_ok=True)
|
|
|
|
self.db = DatabaseConnector(
|
|
dbHost=dbHost,
|
|
dbDatabase=dbDatabase,
|
|
dbUser=dbUser,
|
|
dbPassword=dbPassword
|
|
)
|
|
|
|
logger.info("Database initialized successfully")
|
|
except Exception as e:
|
|
logger.error(f"Failed to initialize database: {str(e)}")
|
|
raise
|
|
|
|
def _initRecords(self):
|
|
"""Initialize standard records if they don't exist."""
|
|
self._initRootMandate()
|
|
self._initAdminUser()
|
|
|
|
def _initRootMandate(self):
|
|
"""Creates the Root mandate if it doesn't exist."""
|
|
existingMandateId = self.getInitialId("mandates")
|
|
mandates = self.db.getRecordset("mandates")
|
|
if existingMandateId is None or not mandates:
|
|
logger.info("Creating Root mandate")
|
|
rootMandate = Mandate(
|
|
name="Root",
|
|
language="en"
|
|
)
|
|
createdMandate = self.db.recordCreate("mandates", rootMandate.model_dump())
|
|
logger.info(f"Root mandate created with ID {createdMandate['id']}")
|
|
|
|
# Register the initial ID
|
|
self.db._registerInitialId("mandates", createdMandate['id'])
|
|
|
|
# Update mandate context
|
|
self.mandateId = createdMandate['id']
|
|
|
|
def _initAdminUser(self):
|
|
"""Creates the Admin user if it doesn't exist."""
|
|
existingUserId = self.getInitialId("users")
|
|
users = self.db.getRecordset("users")
|
|
if existingUserId is None or not users:
|
|
logger.info("Creating Admin user")
|
|
adminUser = UserInDB(
|
|
mandateId=self.getInitialId("mandates"),
|
|
username="admin",
|
|
email="admin@example.com",
|
|
fullName="Administrator",
|
|
disabled=False,
|
|
language="en",
|
|
privilege=UserPrivilege.SYSADMIN,
|
|
authenticationAuthority=AuthAuthority.LOCAL,
|
|
hashedPassword=self._getPasswordHash("The 1st Poweron Admin"), # Use a secure password in production!
|
|
connections=[]
|
|
)
|
|
createdUser = self.db.recordCreate("users", adminUser.model_dump())
|
|
logger.info(f"Admin user created with ID {createdUser['id']}")
|
|
|
|
# Register the initial ID
|
|
self.db._registerInitialId("users", createdUser['id'])
|
|
|
|
# Update user context
|
|
self.currentUser = createdUser
|
|
self.userId = createdUser.get("id")
|
|
|
|
def _uam(self, table: str, recordset: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
|
|
"""
|
|
Unified user access management function that filters data based on user privileges
|
|
and adds access control attributes.
|
|
|
|
Args:
|
|
table: Name of the table
|
|
recordset: Recordset to filter based on access rules
|
|
|
|
Returns:
|
|
Filtered recordset with access control attributes
|
|
"""
|
|
return self.access.uam(table, recordset)
|
|
|
|
def _canModify(self, table: str, recordId: Optional[str] = None) -> bool:
|
|
"""
|
|
Checks if the current user can modify (create/update/delete) records in a table.
|
|
|
|
Args:
|
|
table: Name of the table
|
|
recordId: Optional record ID for specific record check
|
|
|
|
Returns:
|
|
Boolean indicating permission
|
|
"""
|
|
return self.access.canModify(table, recordId)
|
|
|
|
def getInitialId(self, table: str) -> Optional[str]:
|
|
"""Returns the initial ID for a table."""
|
|
return self.db.getInitialId(table)
|
|
|
|
def _getPasswordHash(self, password: str) -> str:
|
|
"""Creates a hash for a password."""
|
|
return pwdContext.hash(password)
|
|
|
|
def _verifyPassword(self, plainPassword: str, hashedPassword: str) -> bool:
|
|
"""Checks if the password matches the hash."""
|
|
return pwdContext.verify(plainPassword, hashedPassword)
|
|
|
|
# User methods
|
|
|
|
def getAllUsers(self) -> List[User]:
|
|
"""Returns users based on user access level."""
|
|
allUsers = self.db.getRecordset("users")
|
|
filteredUsers = self._uam("users", allUsers)
|
|
|
|
# Convert to User models
|
|
return [User.from_dict(user) for user in filteredUsers]
|
|
|
|
def getUsersByMandate(self, mandateId: str) -> List[User]:
|
|
"""Returns users for a specific mandate if user has access."""
|
|
# Get users for this mandate
|
|
users = self.db.getRecordset("users", recordFilter={"mandateId": mandateId})
|
|
filteredUsers = self._uam("users", users)
|
|
|
|
# Convert to User models
|
|
return [User.from_dict(user) for user in filteredUsers]
|
|
|
|
def getUserByUsername(self, username: str) -> Optional[User]:
|
|
"""Returns a user by username."""
|
|
try:
|
|
# Get users table
|
|
users = self.db.getRecordset("users")
|
|
if not users:
|
|
return None
|
|
|
|
# Find user by username
|
|
for user in users:
|
|
if user.get("username") == username:
|
|
logger.info(f"Found user with username {username}")
|
|
return User.from_dict(user)
|
|
|
|
logger.info(f"No user found with username {username}")
|
|
return None
|
|
|
|
except Exception as e:
|
|
logger.error(f"Error getting user by username: {str(e)}")
|
|
return None
|
|
|
|
def getUser(self, userId: str) -> Optional[User]:
|
|
"""Returns a user by ID if user has access."""
|
|
users = self.db.getRecordset("users", recordFilter={"id": userId})
|
|
if not users:
|
|
return None
|
|
|
|
filteredUsers = self._uam("users", users)
|
|
if not filteredUsers:
|
|
return None
|
|
|
|
return User.from_dict(filteredUsers[0])
|
|
|
|
def addUserConnection(self, userId: str, authority: AuthAuthority, externalId: str,
|
|
externalUsername: str, externalEmail: Optional[str] = None) -> UserConnection:
|
|
"""Add a new connection to an external service for a user"""
|
|
try:
|
|
# Get user
|
|
user = self.getUser(userId)
|
|
if not user:
|
|
raise ValueError(f"User {userId} not found")
|
|
|
|
# Check if connection already exists
|
|
for conn in user.connections:
|
|
if conn.authority == authority and conn.externalId == externalId:
|
|
raise ValueError(f"Connection to {authority} already exists for user {userId}")
|
|
|
|
# Create new connection
|
|
connection = UserConnection(
|
|
authority=authority,
|
|
externalId=externalId,
|
|
externalUsername=externalUsername,
|
|
externalEmail=externalEmail,
|
|
status=ConnectionStatus.ACTIVE
|
|
)
|
|
|
|
# Add connection to user
|
|
user.connections.append(connection)
|
|
|
|
# Update user record
|
|
self.db.recordModify("users", userId, {"connections": [c.model_dump() for c in user.connections]})
|
|
|
|
return connection
|
|
|
|
except Exception as e:
|
|
logger.error(f"Error adding user connection: {str(e)}")
|
|
raise ValueError(f"Failed to add user connection: {str(e)}")
|
|
|
|
def removeUserConnection(self, userId: str, connectionId: str) -> None:
|
|
"""Remove a connection to an external service for a user"""
|
|
try:
|
|
# Get user
|
|
user = self.getUser(userId)
|
|
if not user:
|
|
raise ValueError(f"User {userId} not found")
|
|
|
|
# Find and remove connection
|
|
user.connections = [c for c in user.connections if c.id != connectionId]
|
|
|
|
# Update user record
|
|
self.db.recordModify("users", userId, {"connections": [c.model_dump() for c in user.connections]})
|
|
|
|
except Exception as e:
|
|
logger.error(f"Error removing user connection: {str(e)}")
|
|
raise ValueError(f"Failed to remove user connection: {str(e)}")
|
|
|
|
def authenticateLocalUser(self, username: str, password: str) -> Optional[User]:
|
|
"""Authenticates a user by username and password using local authentication."""
|
|
# Clear the users table from cache and reload it
|
|
if "users" in self.db._tablesCache:
|
|
del self.db._tablesCache["users"]
|
|
|
|
# Get user by username
|
|
user = self.getUserByUsername(username)
|
|
|
|
if not user:
|
|
raise ValueError("User not found")
|
|
|
|
# Check if the user is disabled
|
|
if user.disabled:
|
|
raise ValueError("User is disabled")
|
|
|
|
# Verify that the user has local authentication enabled
|
|
if user.authenticationAuthority != AuthAuthority.LOCAL:
|
|
raise ValueError("User does not have local authentication enabled")
|
|
|
|
# Get the full user record with password hash for verification
|
|
userWithPassword = UserInDB(**self.db.getRecordset("users", recordFilter={"id": user.id})[0])
|
|
if not self._verifyPassword(password, userWithPassword.hashedPassword):
|
|
raise ValueError("Invalid password")
|
|
|
|
return user
|
|
|
|
def createUser(self, username: str, password: str = None, email: str = None,
|
|
fullName: str = None, language: str = "en", disabled: bool = False,
|
|
privilege: UserPrivilege = UserPrivilege.USER,
|
|
authenticationAuthority: AuthAuthority = AuthAuthority.LOCAL,
|
|
externalId: str = None, externalUsername: str = None,
|
|
externalEmail: str = None) -> User:
|
|
"""Create a new user with optional external connection"""
|
|
try:
|
|
# Create user data using UserInDB model
|
|
userData = UserInDB(
|
|
username=username,
|
|
email=email,
|
|
fullName=fullName,
|
|
language=language,
|
|
mandateId=self.mandateId,
|
|
disabled=disabled,
|
|
privilege=privilege,
|
|
authenticationAuthority=authenticationAuthority,
|
|
hashedPassword=self._getPasswordHash(password) if password else None,
|
|
connections=[]
|
|
)
|
|
|
|
# Create user record
|
|
createdRecord = self.db.recordCreate("users", userData.to_dict())
|
|
if not createdRecord or not createdRecord.get("id"):
|
|
raise ValueError("Failed to create user record")
|
|
|
|
# Add external connection if provided
|
|
if externalId and externalUsername:
|
|
self.addUserConnection(
|
|
createdRecord["id"],
|
|
authenticationAuthority,
|
|
externalId,
|
|
externalUsername,
|
|
externalEmail
|
|
)
|
|
|
|
# Get created user using the returned ID
|
|
createdUser = self.db.getRecordset("users", recordFilter={"id": createdRecord["id"]})
|
|
if not createdUser or len(createdUser) == 0:
|
|
raise ValueError("Failed to retrieve created user")
|
|
|
|
# Clear users table from cache
|
|
if hasattr(self.db, '_tablesCache') and "users" in self.db._tablesCache:
|
|
del self.db._tablesCache["users"]
|
|
|
|
return User.from_dict(createdUser[0])
|
|
|
|
except ValueError as e:
|
|
logger.error(f"Error creating user: {str(e)}")
|
|
raise
|
|
except Exception as e:
|
|
logger.error(f"Unexpected error creating user: {str(e)}")
|
|
raise ValueError(f"Failed to create user: {str(e)}")
|
|
|
|
def updateUser(self, userId: str, updateData: Dict[str, Any]) -> User:
|
|
"""Update a user's information"""
|
|
try:
|
|
# Get user
|
|
user = self.getUser(userId)
|
|
if not user:
|
|
raise ValueError(f"User {userId} not found")
|
|
|
|
# Update user data using model
|
|
updatedData = user.model_dump()
|
|
updatedData.update(updateData)
|
|
updatedUser = User.from_dict(updatedData)
|
|
|
|
# Update user record
|
|
self.db.recordModify("users", userId, updatedUser.to_dict())
|
|
|
|
# Get updated user
|
|
updatedUser = self.getUser(userId)
|
|
if not updatedUser:
|
|
raise ValueError("Failed to retrieve updated user")
|
|
|
|
return updatedUser
|
|
|
|
except Exception as e:
|
|
logger.error(f"Error updating user: {str(e)}")
|
|
raise ValueError(f"Failed to update user: {str(e)}")
|
|
|
|
def disableUser(self, userId: str) -> User:
|
|
"""Disables a user if current user has permission."""
|
|
return self.updateUser(userId, {"disabled": True})
|
|
|
|
def enableUser(self, userId: str) -> User:
|
|
"""Enables a user if current user has permission."""
|
|
return self.updateUser(userId, {"disabled": False})
|
|
|
|
def _deleteUserReferencedData(self, userId: str) -> None:
|
|
"""Deletes all data associated with a user."""
|
|
try:
|
|
# Delete user sessions
|
|
sessions = self.db.getRecordset("sessions", recordFilter={"userId": userId})
|
|
for session in sessions:
|
|
self.db.recordDelete("sessions", session["id"])
|
|
logger.debug(f"Deleted session {session['id']} for user {userId}")
|
|
|
|
# Delete user auth events
|
|
events = self.db.getRecordset("auth_events", recordFilter={"userId": userId})
|
|
for event in events:
|
|
self.db.recordDelete("auth_events", event["id"])
|
|
logger.debug(f"Deleted auth event {event['id']} for user {userId}")
|
|
|
|
# Delete user connections
|
|
user = self.getUser(userId)
|
|
if user and user.connections:
|
|
for conn in user.connections:
|
|
self.removeUserConnection(userId, conn.id)
|
|
logger.debug(f"Deleted connection {conn.id} for user {userId}")
|
|
|
|
logger.info(f"All referenced data for user {userId} has been deleted")
|
|
|
|
except Exception as e:
|
|
logger.error(f"Error deleting referenced data for user {userId}: {str(e)}")
|
|
raise
|
|
|
|
# Mandate methods
|
|
|
|
def getAllMandates(self) -> List[Mandate]:
|
|
"""Returns all mandates based on user access level."""
|
|
allMandates = self.db.getRecordset("mandates")
|
|
filteredMandates = self._uam("mandates", allMandates)
|
|
return [Mandate.from_dict(mandate) for mandate in filteredMandates]
|
|
|
|
def getMandate(self, mandateId: str) -> Optional[Mandate]:
|
|
"""Returns a mandate by ID if user has access."""
|
|
mandates = self.db.getRecordset("mandates", recordFilter={"id": mandateId})
|
|
if not mandates:
|
|
return None
|
|
|
|
filteredMandates = self._uam("mandates", mandates)
|
|
if not filteredMandates:
|
|
return None
|
|
|
|
return Mandate.from_dict(filteredMandates[0])
|
|
|
|
def createMandate(self, name: str, language: str = "en") -> Mandate:
|
|
"""Creates a new mandate if user has permission."""
|
|
if not self._canModify("mandates"):
|
|
raise PermissionError("No permission to create mandates")
|
|
|
|
# Create mandate data using model
|
|
mandateData = Mandate(
|
|
name=name,
|
|
language=language
|
|
)
|
|
|
|
# Create mandate record
|
|
createdRecord = self.db.recordCreate("mandates", mandateData.to_dict())
|
|
if not createdRecord or not createdRecord.get("id"):
|
|
raise ValueError("Failed to create mandate record")
|
|
|
|
return Mandate.from_dict(createdRecord)
|
|
|
|
def updateMandate(self, mandateId: str, updateData: Dict[str, Any]) -> Mandate:
|
|
"""Updates a mandate if user has access."""
|
|
try:
|
|
# Get mandate
|
|
mandate = self.getMandate(mandateId)
|
|
if not mandate:
|
|
raise ValueError(f"Mandate {mandateId} not found")
|
|
|
|
# Update mandate data using model
|
|
updatedData = mandate.model_dump()
|
|
updatedData.update(updateData)
|
|
updatedMandate = Mandate.from_dict(updatedData)
|
|
|
|
# Update mandate record
|
|
self.db.recordModify("mandates", mandateId, updatedMandate.to_dict())
|
|
|
|
# Get updated mandate
|
|
updatedMandate = self.getMandate(mandateId)
|
|
if not updatedMandate:
|
|
raise ValueError("Failed to retrieve updated mandate")
|
|
|
|
return updatedMandate
|
|
|
|
except Exception as e:
|
|
logger.error(f"Error updating mandate: {str(e)}")
|
|
raise ValueError(f"Failed to update mandate: {str(e)}")
|
|
|
|
def deleteMandate(self, mandateId: str) -> bool:
|
|
"""Deletes a mandate if user has access."""
|
|
try:
|
|
# Check if mandate exists and user has access
|
|
mandate = self.getMandate(mandateId)
|
|
if not mandate:
|
|
return False
|
|
|
|
if not self._canModify("mandates", mandateId):
|
|
raise PermissionError(f"No permission to delete mandate {mandateId}")
|
|
|
|
# Check if mandate has users
|
|
users = self.getUsersByMandate(mandateId)
|
|
if users:
|
|
raise ValueError(f"Cannot delete mandate {mandateId} with existing users")
|
|
|
|
# Delete mandate
|
|
return self.db.recordDelete("mandates", mandateId)
|
|
|
|
except Exception as e:
|
|
logger.error(f"Error deleting mandate: {str(e)}")
|
|
raise ValueError(f"Failed to delete mandate: {str(e)}")
|
|
|
|
# Public Methods
|
|
|
|
def getInterface(currentUser: Dict[str, Any]) -> GatewayInterface:
|
|
"""
|
|
Returns a GatewayInterface instance for the current user.
|
|
Handles initialization of database and records.
|
|
"""
|
|
mandateId = currentUser.get("mandateId")
|
|
userId = currentUser.get("id")
|
|
if not mandateId or not userId:
|
|
raise ValueError("Invalid user context: mandateId and id are required")
|
|
|
|
# Create context key
|
|
contextKey = f"{mandateId}_{userId}"
|
|
|
|
# Create new instance if not exists
|
|
if contextKey not in _gatewayInterfaces:
|
|
_gatewayInterfaces[contextKey] = GatewayInterface(currentUser)
|
|
|
|
return _gatewayInterfaces[contextKey]
|
|
|
|
def getRootUser() -> Dict[str, Any]:
|
|
"""
|
|
Returns the root user from the database.
|
|
This is the user with the initial ID in the users table.
|
|
"""
|
|
try:
|
|
readInterface = getInterface()
|
|
# Get the initial user ID
|
|
initialUserId = readInterface.db.getInitialId("users")
|
|
if not initialUserId:
|
|
raise ValueError("No initial user ID found in database")
|
|
|
|
# Get the user record
|
|
users = readInterface.db.getRecordset("users", recordFilter={"id": initialUserId})
|
|
if not users:
|
|
raise ValueError(f"Root user with ID {initialUserId} not found in database")
|
|
|
|
return users[0]
|
|
except Exception as e:
|
|
logger.error(f"Error getting root user: {str(e)}")
|
|
raise ValueError(f"Failed to get root user: {str(e)}")
|
|
|
|
def getRootInterface() -> GatewayInterface:
|
|
"""
|
|
Returns a GatewayInterface instance with root privileges.
|
|
This is used for initial setup and user creation.
|
|
"""
|
|
global _rootGatewayInterface
|
|
|
|
if _rootGatewayInterface is None:
|
|
rootUser = getRootUser()
|
|
_rootGatewayInterface = GatewayInterface(rootUser)
|
|
|
|
return _rootGatewayInterface
|