import secrets from fastapi import APIRouter, Depends, HTTPException, Query, status from sqlalchemy import select from sqlalchemy.orm import Session from app.core.keygen import generate_key from app.core.config import get_settings from app.db.session import get_db from app.models.api_client import ApiClient from app.repositories.companies_repo import CompaniesRepository from app.repositories.modules_repo import ModulesRepository from app.repositories.permission_groups_repo import PermissionGroupsRepository from app.repositories.sites_repo import SitesRepository from app.repositories.systems_repo import SystemsRepository from app.repositories.users_repo import UsersRepository from app.schemas.catalog import ( CompanyCreateRequest, CompanyItem, GroupBindingSnapshot, GroupBindingUpdateRequest, GroupRelationItem, MemberRelationItem, CompanyUpdateRequest, MemberItem, MemberPermissionGroupsResponse, MemberPermissionGroupsUpdateRequest, MemberPasswordResetResponse, MemberUpdateRequest, MemberUpsertRequest, ModuleCreateRequest, ModuleItem, ModuleUpdateRequest, PermissionGroupCreateRequest, PermissionGroupItem, PermissionGroupPermissionItem, PermissionGroupUpdateRequest, SiteCreateRequest, SiteItem, SiteUpdateRequest, SystemCreateRequest, SystemItem, SystemUpdateRequest, ) from app.schemas.api_clients import ( ApiClientCreateRequest, ApiClientCreateResponse, ApiClientItem, ApiClientRotateKeyResponse, ApiClientUpdateRequest, ) from app.schemas.permissions import PermissionGrantRequest, PermissionRevokeRequest from app.security.admin_guard import require_admin_principal from app.security.api_client_auth import hash_api_key from app.services.authentik_admin_service import AuthentikAdminService router = APIRouter( prefix="/admin", tags=["admin"], dependencies=[Depends(require_admin_principal)], ) def _resolve_module_id(db: Session, system_key: str, module_key: str | None) -> str: systems_repo = SystemsRepository(db) modules_repo = ModulesRepository(db) system = systems_repo.get_by_key(system_key) if not system: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found") target_module_key = module_key if module_key else f"__system__{system_key}" module = modules_repo.get_by_key(target_module_key) if module and module.system_key != system_key: raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="module_system_mismatch") if not module: module = modules_repo.create( module_key=target_module_key, system_key=system_key, name=target_module_key, status="active", ) return module.id def _resolve_scope_ids(db: Session, scope_type: str, scope_id: str) -> tuple[str | None, str | None]: companies_repo = CompaniesRepository(db) sites_repo = SitesRepository(db) if scope_type == "company": company = companies_repo.get_by_key(scope_id) if not company: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found") return company.id, None if scope_type == "site": site = sites_repo.get_by_key(scope_id) if not site: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="site_not_found") return None, site.id raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="invalid_scope_type") def _split_module_key(payload_module: str | None) -> str: if not payload_module: return "__system__" return payload_module def _generate_unique_key(prefix: str, exists_fn) -> str: for salt in range(1000): key = generate_key(prefix=prefix, salt=salt) if not exists_fn(key): return key raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"failed_to_generate_{prefix.lower()}_key") def _serialize_api_client(item: ApiClient) -> ApiClientItem: return ApiClientItem( id=item.id, client_key=item.client_key, name=item.name, status=item.status, allowed_origins=item.allowed_origins or [], allowed_ips=item.allowed_ips or [], allowed_paths=item.allowed_paths or [], rate_limit_per_min=item.rate_limit_per_min, expires_at=item.expires_at, last_used_at=item.last_used_at, created_at=item.created_at, updated_at=item.updated_at, ) def _generate_api_key() -> str: return secrets.token_urlsafe(36) def _sync_member_to_authentik( *, authentik_sub: str | None, authentik_user_id: int | None, username: str | None, email: str | None, display_name: str | None, is_active: bool, ) -> dict[str, str | int]: if not email: raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="email_required_for_authentik_sync") settings = get_settings() service = AuthentikAdminService(settings=settings) result = service.ensure_user( sub=authentik_sub, email=email, username=username, display_name=display_name, is_active=is_active, authentik_user_id=authentik_user_id, ) return { "authentik_user_id": result.user_id, "sync_action": result.action, "authentik_sub": result.authentik_sub or "", } @router.get("/systems") def list_systems( db: Session = Depends(get_db), limit: int = Query(default=100, ge=1, le=500), offset: int = Query(default=0, ge=0), ) -> dict: repo = SystemsRepository(db) items, total = repo.list(limit=limit, offset=offset) return {"items": [SystemItem(id=i.id, system_key=i.system_key, name=i.name, status=i.status).model_dump() for i in items], "total": total, "limit": limit, "offset": offset} @router.post("/systems", response_model=SystemItem) def create_system( payload: SystemCreateRequest, db: Session = Depends(get_db), ) -> SystemItem: repo = SystemsRepository(db) system_key = _generate_unique_key("ST", repo.get_by_key) row = repo.create(system_key=system_key, name=payload.name, status=payload.status) return SystemItem(id=row.id, system_key=row.system_key, name=row.name, status=row.status) @router.patch("/systems/{system_key}", response_model=SystemItem) def update_system( system_key: str, payload: SystemUpdateRequest, db: Session = Depends(get_db), ) -> SystemItem: repo = SystemsRepository(db) row = repo.get_by_key(system_key) if not row: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found") row = repo.update(row, name=payload.name, status=payload.status) return SystemItem(id=row.id, system_key=row.system_key, name=row.name, status=row.status) @router.get("/modules") def list_modules( db: Session = Depends(get_db), limit: int = Query(default=200, ge=1, le=500), offset: int = Query(default=0, ge=0), ) -> dict: modules_repo = ModulesRepository(db) items, total = modules_repo.list(limit=limit, offset=offset) out = [] for i in items: if i.module_key.startswith("__system__"): continue out.append( ModuleItem( id=i.id, system_key=i.system_key, module_key=i.module_key, name=i.name, status=i.status, ).model_dump() ) return {"items": out, "total": total, "limit": limit, "offset": offset} @router.post("/modules", response_model=ModuleItem) def create_module( payload: ModuleCreateRequest, db: Session = Depends(get_db), ) -> ModuleItem: systems_repo = SystemsRepository(db) modules_repo = ModulesRepository(db) system = systems_repo.get_by_key(payload.system_key) if not system: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found") leaf_module_key = _generate_unique_key("MD", modules_repo.get_by_key) row = modules_repo.create( module_key=leaf_module_key, system_key=payload.system_key, name=payload.name, status=payload.status, ) return ModuleItem(id=row.id, system_key=row.system_key, module_key=row.module_key, name=row.name, status=row.status) @router.patch("/modules/{module_key}") def update_module( module_key: str, payload: ModuleUpdateRequest, db: Session = Depends(get_db), ) -> ModuleItem: modules_repo = ModulesRepository(db) row = modules_repo.get_by_key(module_key) if not row: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="module_not_found") row = modules_repo.update(row, name=payload.name, status=payload.status) return ModuleItem(id=row.id, system_key=row.system_key, module_key=row.module_key, name=row.name, status=row.status) @router.get("/systems/{system_key}/groups") def list_system_groups( system_key: str, db: Session = Depends(get_db), ) -> dict[str, list[dict]]: systems_repo = SystemsRepository(db) groups_repo = PermissionGroupsRepository(db) if not systems_repo.get_by_key(system_key): raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found") groups = groups_repo.list_system_groups(system_key) return { "items": [ GroupRelationItem(group_key=g.group_key, group_name=g.name, status=g.status).model_dump() for g in groups ] } @router.get("/systems/{system_key}/members") def list_system_members( system_key: str, db: Session = Depends(get_db), ) -> dict[str, list[dict]]: systems_repo = SystemsRepository(db) groups_repo = PermissionGroupsRepository(db) if not systems_repo.get_by_key(system_key): raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found") members = groups_repo.list_system_members(system_key) return { "items": [ MemberRelationItem( authentik_sub=m.authentik_sub, email=m.email, display_name=m.display_name, is_active=m.is_active, ).model_dump() for m in members ] } @router.get("/modules/{module_key}/groups") def list_module_groups( module_key: str, db: Session = Depends(get_db), ) -> dict[str, list[dict]]: modules_repo = ModulesRepository(db) groups_repo = PermissionGroupsRepository(db) module = modules_repo.get_by_key(module_key) if not module: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="module_not_found") groups = groups_repo.list_module_groups(module.system_key, module.module_key) return { "items": [ GroupRelationItem(group_key=g.group_key, group_name=g.name, status=g.status).model_dump() for g in groups ] } @router.get("/modules/{module_key}/members") def list_module_members( module_key: str, db: Session = Depends(get_db), ) -> dict[str, list[dict]]: modules_repo = ModulesRepository(db) groups_repo = PermissionGroupsRepository(db) module = modules_repo.get_by_key(module_key) if not module: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="module_not_found") members = groups_repo.list_module_members(module.system_key, module.module_key) return { "items": [ MemberRelationItem( authentik_sub=m.authentik_sub, email=m.email, display_name=m.display_name, is_active=m.is_active, ).model_dump() for m in members ] } @router.get("/companies") def list_companies( db: Session = Depends(get_db), keyword: str | None = Query(default=None), limit: int = Query(default=100, ge=1, le=500), offset: int = Query(default=0, ge=0), ) -> dict: repo = CompaniesRepository(db) items, total = repo.list(keyword=keyword, limit=limit, offset=offset) return {"items": [CompanyItem(id=i.id, company_key=i.company_key, name=i.name, status=i.status).model_dump() for i in items], "total": total, "limit": limit, "offset": offset} @router.post("/companies", response_model=CompanyItem) def create_company( payload: CompanyCreateRequest, db: Session = Depends(get_db), ) -> CompanyItem: repo = CompaniesRepository(db) company_key = _generate_unique_key("CP", repo.get_by_key) row = repo.create(company_key=company_key, name=payload.name, status=payload.status) return CompanyItem(id=row.id, company_key=row.company_key, name=row.name, status=row.status) @router.patch("/companies/{company_key}", response_model=CompanyItem) def update_company( company_key: str, payload: CompanyUpdateRequest, db: Session = Depends(get_db), ) -> CompanyItem: repo = CompaniesRepository(db) row = repo.get_by_key(company_key) if not row: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found") row = repo.update(row, name=payload.name, status=payload.status) return CompanyItem(id=row.id, company_key=row.company_key, name=row.name, status=row.status) @router.get("/companies/{company_key}/sites") def list_company_sites( company_key: str, db: Session = Depends(get_db), ) -> dict[str, list[dict]]: companies_repo = CompaniesRepository(db) sites_repo = SitesRepository(db) company = companies_repo.get_by_key(company_key) if not company: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found") items, _ = sites_repo.list(company_id=company.id, limit=1000, offset=0) return { "items": [ SiteItem( id=i.id, site_key=i.site_key, company_key=company.company_key, name=i.name, status=i.status, ).model_dump() for i in items ] } @router.get("/sites") def list_sites( db: Session = Depends(get_db), company_key: str | None = Query(default=None), keyword: str | None = Query(default=None), limit: int = Query(default=100, ge=1, le=500), offset: int = Query(default=0, ge=0), ) -> dict: companies_repo = CompaniesRepository(db) sites_repo = SitesRepository(db) company_lookup: dict[str, str] = {} all_companies, _ = companies_repo.list(limit=1000, offset=0) for c in all_companies: company_lookup[c.id] = c.company_key company_id = None if company_key: company = companies_repo.get_by_key(company_key) if not company: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found") company_id = company.id items, total = sites_repo.list(keyword=keyword, company_id=company_id, limit=limit, offset=offset) return { "items": [ SiteItem( id=i.id, site_key=i.site_key, company_key=company_lookup.get(i.company_id, ""), name=i.name, status=i.status, ).model_dump() for i in items ], "total": total, "limit": limit, "offset": offset, } @router.post("/sites", response_model=SiteItem) def create_site( payload: SiteCreateRequest, db: Session = Depends(get_db), ) -> SiteItem: companies_repo = CompaniesRepository(db) sites_repo = SitesRepository(db) company = companies_repo.get_by_key(payload.company_key) if not company: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found") site_key = _generate_unique_key("ST", sites_repo.get_by_key) row = sites_repo.create(site_key=site_key, company_id=company.id, name=payload.name, status=payload.status) return SiteItem(id=row.id, site_key=row.site_key, company_key=payload.company_key, name=row.name, status=row.status) @router.patch("/sites/{site_key}", response_model=SiteItem) def update_site( site_key: str, payload: SiteUpdateRequest, db: Session = Depends(get_db), ) -> SiteItem: companies_repo = CompaniesRepository(db) sites_repo = SitesRepository(db) row = sites_repo.get_by_key(site_key) if not row: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="site_not_found") company_id = None company_key = None if payload.company_key is not None: company = companies_repo.get_by_key(payload.company_key) if not company: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found") company_id = company.id company_key = company.company_key row = sites_repo.update(row, company_id=company_id, name=payload.name, status=payload.status) if company_key is None: current_company = companies_repo.get_by_id(row.company_id) company_key = current_company.company_key if current_company else "" return SiteItem(id=row.id, site_key=row.site_key, company_key=company_key, name=row.name, status=row.status) @router.get("/members") def list_members( db: Session = Depends(get_db), keyword: str | None = Query(default=None), limit: int = Query(default=100, ge=1, le=500), offset: int = Query(default=0, ge=0), ) -> dict: users_repo = UsersRepository(db) items, total = users_repo.list(keyword=keyword, limit=limit, offset=offset) return { "items": [ MemberItem( id=i.id, authentik_sub=i.authentik_sub, username=i.username, email=i.email, display_name=i.display_name, is_active=i.is_active, ).model_dump() for i in items ], "total": total, "limit": limit, "offset": offset, } @router.post("/members/upsert", response_model=MemberItem) def upsert_member( payload: MemberUpsertRequest, db: Session = Depends(get_db), ) -> MemberItem: users_repo = UsersRepository(db) resolved_sub = payload.authentik_sub resolved_username = payload.username authentik_user_id = None if payload.sync_to_authentik: seed_sub = payload.authentik_sub or payload.username if not seed_sub: raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="authentik_sub_or_username_required") sync = _sync_member_to_authentik( authentik_sub=seed_sub, authentik_user_id=authentik_user_id, username=payload.username, email=payload.email, display_name=payload.display_name, is_active=payload.is_active, ) authentik_user_id = int(sync["authentik_user_id"]) if sync.get("authentik_sub"): resolved_sub = str(sync["authentik_sub"]) if not resolved_sub: raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="authentik_sub_required") row = users_repo.upsert_by_sub( authentik_sub=resolved_sub, username=resolved_username, email=payload.email, display_name=payload.display_name, is_active=payload.is_active, authentik_user_id=authentik_user_id, ) return MemberItem( id=row.id, authentik_sub=row.authentik_sub, username=row.username, email=row.email, display_name=row.display_name, is_active=row.is_active, ) @router.patch("/members/{authentik_sub}", response_model=MemberItem) def update_member( authentik_sub: str, payload: MemberUpdateRequest, db: Session = Depends(get_db), ) -> MemberItem: users_repo = UsersRepository(db) row = users_repo.get_by_sub(authentik_sub) if not row: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found") next_email = payload.email if payload.email is not None else row.email next_username = payload.username if payload.username is not None else row.username next_display_name = payload.display_name if payload.display_name is not None else row.display_name next_is_active = payload.is_active if payload.is_active is not None else row.is_active authentik_user_id = row.authentik_user_id if payload.sync_to_authentik: sync = _sync_member_to_authentik( authentik_sub=row.authentik_sub, authentik_user_id=row.authentik_user_id, username=next_username, email=next_email, display_name=next_display_name, is_active=next_is_active, ) authentik_user_id = int(sync["authentik_user_id"]) row = users_repo.upsert_by_sub( authentik_sub=row.authentik_sub, username=next_username, email=next_email, display_name=next_display_name, is_active=next_is_active, authentik_user_id=authentik_user_id, ) return MemberItem( id=row.id, authentik_sub=row.authentik_sub, username=row.username, email=row.email, display_name=row.display_name, is_active=row.is_active, ) @router.post("/members/{authentik_sub}/password/reset", response_model=MemberPasswordResetResponse) def reset_member_password( authentik_sub: str, db: Session = Depends(get_db), ) -> MemberPasswordResetResponse: users_repo = UsersRepository(db) user = users_repo.get_by_sub(authentik_sub) if not user: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found") settings = get_settings() service = AuthentikAdminService(settings=settings) result = service.reset_password( authentik_user_id=user.authentik_user_id, email=user.email, username=user.username, ) user = users_repo.upsert_by_sub( authentik_sub=user.authentik_sub, username=user.username, email=user.email, display_name=user.display_name, is_active=user.is_active, authentik_user_id=result.user_id, ) return MemberPasswordResetResponse(authentik_sub=user.authentik_sub, temporary_password=result.temporary_password) @router.get("/members/{authentik_sub}/permission-groups", response_model=MemberPermissionGroupsResponse) def get_member_permission_groups( authentik_sub: str, db: Session = Depends(get_db), ) -> MemberPermissionGroupsResponse: users_repo = UsersRepository(db) groups_repo = PermissionGroupsRepository(db) user = users_repo.get_by_sub(authentik_sub) if not user: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found") group_keys = groups_repo.list_group_keys_by_member_sub(authentik_sub) return MemberPermissionGroupsResponse(authentik_sub=authentik_sub, group_keys=group_keys) @router.put("/members/{authentik_sub}/permission-groups", response_model=MemberPermissionGroupsResponse) def set_member_permission_groups( authentik_sub: str, payload: MemberPermissionGroupsUpdateRequest, db: Session = Depends(get_db), ) -> MemberPermissionGroupsResponse: users_repo = UsersRepository(db) groups_repo = PermissionGroupsRepository(db) user = users_repo.get_by_sub(authentik_sub) if not user: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found") unique_group_keys = list(dict.fromkeys(payload.group_keys)) groups = groups_repo.get_by_keys(unique_group_keys) found_keys = {g.group_key for g in groups} missing = [k for k in unique_group_keys if k not in found_keys] if missing: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"group_not_found:{','.join(missing)}") groups_repo.replace_member_groups(authentik_sub, [g.id for g in groups]) return MemberPermissionGroupsResponse(authentik_sub=authentik_sub, group_keys=unique_group_keys) @router.get("/api-clients") def list_api_clients( db: Session = Depends(get_db), keyword: str | None = Query(default=None), limit: int = Query(default=200, ge=1, le=500), offset: int = Query(default=0, ge=0), ) -> dict: stmt = select(ApiClient) count_stmt = select(ApiClient) if keyword: pattern = f"%{keyword}%" filter_cond = (ApiClient.client_key.ilike(pattern)) | (ApiClient.name.ilike(pattern)) stmt = stmt.where(filter_cond) count_stmt = count_stmt.where(filter_cond) items = list(db.scalars(stmt.order_by(ApiClient.created_at.desc()).limit(limit).offset(offset)).all()) total = len(list(db.scalars(count_stmt))) return { "items": [_serialize_api_client(item).model_dump() for item in items], "total": total, "limit": limit, "offset": offset, } @router.post("/api-clients", response_model=ApiClientCreateResponse) def create_api_client( payload: ApiClientCreateRequest, db: Session = Depends(get_db), ) -> ApiClientCreateResponse: status_value = payload.status.strip().lower() if status_value not in {"active", "inactive"}: raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="invalid_status") client_key = payload.client_key or _generate_unique_key( "AC", lambda value: db.scalar(select(ApiClient).where(ApiClient.client_key == value)) is not None ) exists = db.scalar(select(ApiClient).where(ApiClient.client_key == client_key)) if exists: raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="client_key_already_exists") api_key = _generate_api_key() row = ApiClient( client_key=client_key, name=payload.name, status=status_value, api_key_hash=hash_api_key(api_key), allowed_origins=payload.allowed_origins, allowed_ips=payload.allowed_ips, allowed_paths=payload.allowed_paths, rate_limit_per_min=payload.rate_limit_per_min, expires_at=payload.expires_at, ) db.add(row) db.commit() db.refresh(row) return ApiClientCreateResponse(item=_serialize_api_client(row), api_key=api_key) @router.patch("/api-clients/{client_key}", response_model=ApiClientItem) def update_api_client( client_key: str, payload: ApiClientUpdateRequest, db: Session = Depends(get_db), ) -> ApiClientItem: row = db.scalar(select(ApiClient).where(ApiClient.client_key == client_key)) if not row: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="api_client_not_found") if payload.name is not None: row.name = payload.name if payload.status is not None: next_status = payload.status.strip().lower() if next_status not in {"active", "inactive"}: raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="invalid_status") row.status = next_status if payload.allowed_origins is not None: row.allowed_origins = payload.allowed_origins if payload.allowed_ips is not None: row.allowed_ips = payload.allowed_ips if payload.allowed_paths is not None: row.allowed_paths = payload.allowed_paths row.rate_limit_per_min = payload.rate_limit_per_min row.expires_at = payload.expires_at db.commit() db.refresh(row) return _serialize_api_client(row) @router.post("/api-clients/{client_key}/rotate-key", response_model=ApiClientRotateKeyResponse) def rotate_api_client_key( client_key: str, db: Session = Depends(get_db), ) -> ApiClientRotateKeyResponse: row = db.scalar(select(ApiClient).where(ApiClient.client_key == client_key)) if not row: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="api_client_not_found") api_key = _generate_api_key() row.api_key_hash = hash_api_key(api_key) db.commit() return ApiClientRotateKeyResponse(client_key=row.client_key, api_key=api_key) @router.get("/permission-groups") def list_permission_groups( db: Session = Depends(get_db), limit: int = Query(default=100, ge=1, le=500), offset: int = Query(default=0, ge=0), ) -> dict: repo = PermissionGroupsRepository(db) items, total = repo.list(limit=limit, offset=offset) return {"items": [PermissionGroupItem(id=i.id, group_key=i.group_key, name=i.name, status=i.status).model_dump() for i in items], "total": total, "limit": limit, "offset": offset} @router.get("/permission-groups/{group_key}/permissions") def list_permission_group_permissions( group_key: str, db: Session = Depends(get_db), ) -> dict[str, list[dict]]: repo = PermissionGroupsRepository(db) group = repo.get_by_key(group_key) if not group: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found") rows = repo.list_group_permissions(group.id) return { "items": [ PermissionGroupPermissionItem( id=r.id, system=r.system, module="" if r.module == "__system__" else r.module, action=r.action, scope_type=r.scope_type, scope_id=r.scope_id, ).model_dump() for r in rows if r.action in {"view", "edit"} and r.scope_type == "site" ] } @router.get("/permission-groups/{group_key}/bindings", response_model=GroupBindingSnapshot) def get_permission_group_bindings( group_key: str, db: Session = Depends(get_db), ) -> GroupBindingSnapshot: repo = PermissionGroupsRepository(db) group = repo.get_by_key(group_key) if not group: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found") snapshot = repo.get_group_binding_snapshot(group.id, group_key) return GroupBindingSnapshot( group_key=snapshot["group_key"], site_keys=snapshot["site_keys"], system_keys=snapshot["system_keys"], module_keys=[k.split("|", 1)[1] if "|" in k else k for k in snapshot["module_keys"]], member_subs=snapshot["member_subs"], actions=snapshot["actions"], ) @router.put("/permission-groups/{group_key}/bindings", response_model=GroupBindingSnapshot) def replace_permission_group_bindings( group_key: str, payload: GroupBindingUpdateRequest, db: Session = Depends(get_db), ) -> GroupBindingSnapshot: repo = PermissionGroupsRepository(db) sites_repo = SitesRepository(db) systems_repo = SystemsRepository(db) modules_repo = ModulesRepository(db) group = repo.get_by_key(group_key) if not group: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found") site_keys = list(dict.fromkeys(payload.site_keys)) system_keys = list(dict.fromkeys(payload.system_keys)) module_keys = list(dict.fromkeys(payload.module_keys)) valid_sites = {s.site_key for s in sites_repo.list(limit=10000, offset=0)[0]} missing_sites = [k for k in site_keys if k not in valid_sites] if missing_sites: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"site_not_found:{','.join(missing_sites)}") valid_systems = {s.system_key for s in systems_repo.list(limit=10000, offset=0)[0]} missing_systems = [k for k in system_keys if k not in valid_systems] if missing_systems: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"system_not_found:{','.join(missing_systems)}") all_modules = modules_repo.list(limit=10000, offset=0)[0] valid_modules = {m.module_key for m in all_modules} module_system_lookup = {m.module_key: m.system_key for m in all_modules} missing_modules = [k for k in module_keys if k not in valid_modules] if missing_modules: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"module_not_found:{','.join(missing_modules)}") module_pairs = [f"{module_system_lookup[m]}|{m}" for m in module_keys] repo.replace_group_bindings( group_id=group.id, site_keys=site_keys, system_keys=system_keys, module_keys=module_pairs, member_subs=payload.member_subs, actions=payload.actions, ) snapshot = repo.get_group_binding_snapshot(group.id, group_key) return GroupBindingSnapshot( group_key=snapshot["group_key"], site_keys=snapshot["site_keys"], system_keys=snapshot["system_keys"], module_keys=[k.split("|", 1)[1] if "|" in k else k for k in snapshot["module_keys"]], member_subs=snapshot["member_subs"], actions=snapshot["actions"], ) @router.post("/permission-groups", response_model=PermissionGroupItem) def create_permission_group( payload: PermissionGroupCreateRequest, db: Session = Depends(get_db), ) -> PermissionGroupItem: repo = PermissionGroupsRepository(db) group_key = _generate_unique_key("GP", repo.get_by_key) row = repo.create(group_key=group_key, name=payload.name, status=payload.status) return PermissionGroupItem(id=row.id, group_key=row.group_key, name=row.name, status=row.status) @router.patch("/permission-groups/{group_key}", response_model=PermissionGroupItem) def update_permission_group( group_key: str, payload: PermissionGroupUpdateRequest, db: Session = Depends(get_db), ) -> PermissionGroupItem: repo = PermissionGroupsRepository(db) row = repo.get_by_key(group_key) if not row: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found") row = repo.update(row, name=payload.name, status=payload.status) return PermissionGroupItem(id=row.id, group_key=row.group_key, name=row.name, status=row.status) @router.post("/permission-groups/{group_key}/members/{authentik_sub}") def add_group_member( group_key: str, authentik_sub: str, db: Session = Depends(get_db), ) -> dict[str, str]: groups_repo = PermissionGroupsRepository(db) group = groups_repo.get_by_key(group_key) if not group: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found") row = groups_repo.add_member_if_not_exists(group.id, authentik_sub) return {"membership_id": row.id, "result": "added"} @router.delete("/permission-groups/{group_key}/members/{authentik_sub}") def remove_group_member( group_key: str, authentik_sub: str, db: Session = Depends(get_db), ) -> dict[str, int | str]: groups_repo = PermissionGroupsRepository(db) group = groups_repo.get_by_key(group_key) if not group: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found") deleted = groups_repo.remove_member(group.id, authentik_sub) return {"deleted": deleted, "result": "removed"} @router.post("/permission-groups/{group_key}/permissions/grant") def grant_group_permission( group_key: str, payload: PermissionGrantRequest, db: Session = Depends(get_db), ) -> dict[str, str]: groups_repo = PermissionGroupsRepository(db) group = groups_repo.get_by_key(group_key) if not group: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found") _resolve_module_id(db, payload.system, payload.module) _resolve_scope_ids(db, payload.scope_type, payload.scope_id) module_name = _split_module_key(payload.module) row = groups_repo.grant_group_permission( group_id=group.id, system=payload.system, module=module_name, action=payload.action, scope_type=payload.scope_type, scope_id=payload.scope_id, ) return {"permission_id": row.id, "result": "granted"} @router.post("/permission-groups/{group_key}/permissions/revoke") def revoke_group_permission( group_key: str, payload: PermissionRevokeRequest, db: Session = Depends(get_db), ) -> dict[str, int | str]: groups_repo = PermissionGroupsRepository(db) group = groups_repo.get_by_key(group_key) if not group: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found") _resolve_module_id(db, payload.system, payload.module) _resolve_scope_ids(db, payload.scope_type, payload.scope_id) module_name = _split_module_key(payload.module) deleted = groups_repo.revoke_group_permission( group_id=group.id, system=payload.system, module=module_name, action=payload.action, scope_type=payload.scope_type, scope_id=payload.scope_id, ) return {"deleted": deleted, "result": "revoked"}