member/member-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3fe5ce4ce7d67bc693af0bf9263dfdb6e69e83f1
member-backend/app/api/admin_catalog.py

975 lines
36 KiB
Python
Raw Blame History

import secrets
from fastapi import APIRouter, Depends, HTTPException, Query, status
from sqlalchemy import select
from sqlalchemy.orm import Session
from app.core.keygen import generate_key
from app.core.config import get_settings
from app.db.session import get_db
from app.models.api_client import ApiClient
from app.repositories.companies_repo import CompaniesRepository
from app.repositories.modules_repo import ModulesRepository
from app.repositories.permission_groups_repo import PermissionGroupsRepository
from app.repositories.sites_repo import SitesRepository
from app.repositories.systems_repo import SystemsRepository
from app.repositories.users_repo import UsersRepository
from app.schemas.catalog import (
CompanyCreateRequest,
CompanyItem,
GroupBindingSnapshot,
GroupBindingUpdateRequest,
GroupRelationItem,
MemberRelationItem,
CompanyUpdateRequest,
MemberItem,
MemberPermissionGroupsResponse,
MemberPermissionGroupsUpdateRequest,
MemberPasswordResetResponse,
MemberUpdateRequest,
MemberUpsertRequest,
ModuleCreateRequest,
ModuleItem,
ModuleUpdateRequest,
PermissionGroupCreateRequest,
PermissionGroupItem,
PermissionGroupPermissionItem,
PermissionGroupUpdateRequest,
SiteCreateRequest,
SiteItem,
SiteUpdateRequest,
SystemCreateRequest,
SystemItem,
SystemUpdateRequest,
)
from app.schemas.api_clients import (
ApiClientCreateRequest,
ApiClientCreateResponse,
ApiClientItem,
ApiClientRotateKeyResponse,
ApiClientUpdateRequest,
)
from app.schemas.permissions import PermissionGrantRequest, PermissionRevokeRequest
from app.security.admin_guard import require_admin_principal
from app.security.api_client_auth import hash_api_key
from app.services.authentik_admin_service import AuthentikAdminService
router = APIRouter(
prefix="/admin",
tags=["admin"],
dependencies=[Depends(require_admin_principal)],
)
def _resolve_module_id(db: Session, system_key: str, module_key: str | None) -> str:
systems_repo = SystemsRepository(db)
modules_repo = ModulesRepository(db)
system = systems_repo.get_by_key(system_key)
if not system:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found")
target_module_key = module_key if module_key else f"__system__{system_key}"
module = modules_repo.get_by_key(target_module_key)
if module and module.system_key != system_key:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="module_system_mismatch")
if not module:
module = modules_repo.create(
module_key=target_module_key,
system_key=system_key,
name=target_module_key,
status="active",
)
return module.id
def _resolve_scope_ids(db: Session, scope_type: str, scope_id: str) -> tuple[str | None, str | None]:
companies_repo = CompaniesRepository(db)
sites_repo = SitesRepository(db)
if scope_type == "company":
company = companies_repo.get_by_key(scope_id)
if not company:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
return company.id, None
if scope_type == "site":
site = sites_repo.get_by_key(scope_id)
if not site:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="site_not_found")
return None, site.id
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="invalid_scope_type")
def _split_module_key(payload_module: str | None) -> str:
if not payload_module:
return "__system__"
return payload_module
def _generate_unique_key(prefix: str, exists_fn) -> str:
for salt in range(1000):
key = generate_key(prefix=prefix, salt=salt)
if not exists_fn(key):
return key
raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"failed_to_generate_{prefix.lower()}_key")
def _serialize_api_client(item: ApiClient) -> ApiClientItem:
return ApiClientItem(
id=item.id,
client_key=item.client_key,
name=item.name,
status=item.status,
allowed_origins=item.allowed_origins or [],
allowed_ips=item.allowed_ips or [],
allowed_paths=item.allowed_paths or [],
rate_limit_per_min=item.rate_limit_per_min,
expires_at=item.expires_at,
last_used_at=item.last_used_at,
created_at=item.created_at,
updated_at=item.updated_at,
)
def _generate_api_key() -> str:
return secrets.token_urlsafe(36)
def _sync_member_to_authentik(
*,
authentik_sub: str | None,
authentik_user_id: int | None,
username: str | None,
email: str | None,
display_name: str | None,
is_active: bool,
) -> dict[str, str | int]:
if not email:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="email_required_for_authentik_sync")
settings = get_settings()
service = AuthentikAdminService(settings=settings)
result = service.ensure_user(
sub=authentik_sub,
email=email,
username=username,
display_name=display_name,
is_active=is_active,
authentik_user_id=authentik_user_id,
)
return {
"authentik_user_id": result.user_id,
"sync_action": result.action,
"authentik_sub": result.authentik_sub or "",
}
@router.get("/systems")
def list_systems(
db: Session = Depends(get_db),
limit: int = Query(default=100, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
repo = SystemsRepository(db)
items, total = repo.list(limit=limit, offset=offset)
return {"items": [SystemItem(id=i.id, system_key=i.system_key, name=i.name, status=i.status).model_dump() for i in items], "total": total, "limit": limit, "offset": offset}
@router.post("/systems", response_model=SystemItem)
def create_system(
payload: SystemCreateRequest,
db: Session = Depends(get_db),
) -> SystemItem:
repo = SystemsRepository(db)
system_key = _generate_unique_key("ST", repo.get_by_key)
row = repo.create(system_key=system_key, name=payload.name, status=payload.status)
return SystemItem(id=row.id, system_key=row.system_key, name=row.name, status=row.status)
@router.patch("/systems/{system_key}", response_model=SystemItem)
def update_system(
system_key: str,
payload: SystemUpdateRequest,
db: Session = Depends(get_db),
) -> SystemItem:
repo = SystemsRepository(db)
row = repo.get_by_key(system_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found")
row = repo.update(row, name=payload.name, status=payload.status)
return SystemItem(id=row.id, system_key=row.system_key, name=row.name, status=row.status)
@router.get("/modules")
def list_modules(
db: Session = Depends(get_db),
limit: int = Query(default=200, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
modules_repo = ModulesRepository(db)
items, total = modules_repo.list(limit=limit, offset=offset)
out = []
for i in items:
if i.module_key.startswith("__system__"):
continue
out.append(
ModuleItem(
id=i.id,
system_key=i.system_key,
module_key=i.module_key,
name=i.name,
status=i.status,
).model_dump()
)
return {"items": out, "total": total, "limit": limit, "offset": offset}
@router.post("/modules", response_model=ModuleItem)
def create_module(
payload: ModuleCreateRequest,
db: Session = Depends(get_db),
) -> ModuleItem:
systems_repo = SystemsRepository(db)
modules_repo = ModulesRepository(db)
system = systems_repo.get_by_key(payload.system_key)
if not system:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found")
leaf_module_key = _generate_unique_key("MD", modules_repo.get_by_key)
row = modules_repo.create(
module_key=leaf_module_key,
system_key=payload.system_key,
name=payload.name,
status=payload.status,
)
return ModuleItem(id=row.id, system_key=row.system_key, module_key=row.module_key, name=row.name, status=row.status)
@router.patch("/modules/{module_key}")
def update_module(
module_key: str,
payload: ModuleUpdateRequest,
db: Session = Depends(get_db),
) -> ModuleItem:
modules_repo = ModulesRepository(db)
row = modules_repo.get_by_key(module_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="module_not_found")
row = modules_repo.update(row, name=payload.name, status=payload.status)
return ModuleItem(id=row.id, system_key=row.system_key, module_key=row.module_key, name=row.name, status=row.status)
@router.get("/systems/{system_key}/groups")
def list_system_groups(
system_key: str,
db: Session = Depends(get_db),
) -> dict[str, list[dict]]:
systems_repo = SystemsRepository(db)
groups_repo = PermissionGroupsRepository(db)
if not systems_repo.get_by_key(system_key):
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found")
groups = groups_repo.list_system_groups(system_key)
return {
"items": [
GroupRelationItem(group_key=g.group_key, group_name=g.name, status=g.status).model_dump()
for g in groups
]
}
@router.get("/systems/{system_key}/members")
def list_system_members(
system_key: str,
db: Session = Depends(get_db),
) -> dict[str, list[dict]]:
systems_repo = SystemsRepository(db)
groups_repo = PermissionGroupsRepository(db)
if not systems_repo.get_by_key(system_key):
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found")
members = groups_repo.list_system_members(system_key)
return {
"items": [
MemberRelationItem(
authentik_sub=m.authentik_sub,
email=m.email,
display_name=m.display_name,
is_active=m.is_active,
).model_dump()
for m in members
]
}
@router.get("/modules/{module_key}/groups")
def list_module_groups(
module_key: str,
db: Session = Depends(get_db),
) -> dict[str, list[dict]]:
modules_repo = ModulesRepository(db)
groups_repo = PermissionGroupsRepository(db)
module = modules_repo.get_by_key(module_key)
if not module:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="module_not_found")
groups = groups_repo.list_module_groups(module.system_key, module.module_key)
return {
"items": [
GroupRelationItem(group_key=g.group_key, group_name=g.name, status=g.status).model_dump()
for g in groups
]
}
@router.get("/modules/{module_key}/members")
def list_module_members(
module_key: str,
db: Session = Depends(get_db),
) -> dict[str, list[dict]]:
modules_repo = ModulesRepository(db)
groups_repo = PermissionGroupsRepository(db)
module = modules_repo.get_by_key(module_key)
if not module:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="module_not_found")
members = groups_repo.list_module_members(module.system_key, module.module_key)
return {
"items": [
MemberRelationItem(
authentik_sub=m.authentik_sub,
email=m.email,
display_name=m.display_name,
is_active=m.is_active,
).model_dump()
for m in members
]
}
@router.get("/companies")
def list_companies(
db: Session = Depends(get_db),
keyword: str | None = Query(default=None),
limit: int = Query(default=100, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
repo = CompaniesRepository(db)
items, total = repo.list(keyword=keyword, limit=limit, offset=offset)
return {"items": [CompanyItem(id=i.id, company_key=i.company_key, name=i.name, status=i.status).model_dump() for i in items], "total": total, "limit": limit, "offset": offset}
@router.post("/companies", response_model=CompanyItem)
def create_company(
payload: CompanyCreateRequest,
db: Session = Depends(get_db),
) -> CompanyItem:
repo = CompaniesRepository(db)
company_key = _generate_unique_key("CP", repo.get_by_key)
row = repo.create(company_key=company_key, name=payload.name, status=payload.status)
return CompanyItem(id=row.id, company_key=row.company_key, name=row.name, status=row.status)
@router.patch("/companies/{company_key}", response_model=CompanyItem)
def update_company(
company_key: str,
payload: CompanyUpdateRequest,
db: Session = Depends(get_db),
) -> CompanyItem:
repo = CompaniesRepository(db)
row = repo.get_by_key(company_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
row = repo.update(row, name=payload.name, status=payload.status)
return CompanyItem(id=row.id, company_key=row.company_key, name=row.name, status=row.status)
@router.get("/companies/{company_key}/sites")
def list_company_sites(
company_key: str,
db: Session = Depends(get_db),
) -> dict[str, list[dict]]:
companies_repo = CompaniesRepository(db)
sites_repo = SitesRepository(db)
company = companies_repo.get_by_key(company_key)
if not company:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
items, _ = sites_repo.list(company_id=company.id, limit=1000, offset=0)
return {
"items": [
SiteItem(
id=i.id,
site_key=i.site_key,
company_key=company.company_key,
name=i.name,
status=i.status,
).model_dump()
for i in items
]
}
@router.get("/sites")
def list_sites(
db: Session = Depends(get_db),
company_key: str | None = Query(default=None),
keyword: str | None = Query(default=None),
limit: int = Query(default=100, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
companies_repo = CompaniesRepository(db)
sites_repo = SitesRepository(db)
company_lookup: dict[str, str] = {}
all_companies, _ = companies_repo.list(limit=1000, offset=0)
for c in all_companies:
company_lookup[c.id] = c.company_key
company_id = None
if company_key:
company = companies_repo.get_by_key(company_key)
if not company:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
company_id = company.id
items, total = sites_repo.list(keyword=keyword, company_id=company_id, limit=limit, offset=offset)
return {
"items": [
SiteItem(
id=i.id,
site_key=i.site_key,
company_key=company_lookup.get(i.company_id, ""),
name=i.name,
status=i.status,
).model_dump()
for i in items
],
"total": total,
"limit": limit,
"offset": offset,
}
@router.post("/sites", response_model=SiteItem)
def create_site(
payload: SiteCreateRequest,
db: Session = Depends(get_db),
) -> SiteItem:
companies_repo = CompaniesRepository(db)
sites_repo = SitesRepository(db)
company = companies_repo.get_by_key(payload.company_key)
if not company:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
site_key = _generate_unique_key("ST", sites_repo.get_by_key)
row = sites_repo.create(site_key=site_key, company_id=company.id, name=payload.name, status=payload.status)
return SiteItem(id=row.id, site_key=row.site_key, company_key=payload.company_key, name=row.name, status=row.status)
@router.patch("/sites/{site_key}", response_model=SiteItem)
def update_site(
site_key: str,
payload: SiteUpdateRequest,
db: Session = Depends(get_db),
) -> SiteItem:
companies_repo = CompaniesRepository(db)
sites_repo = SitesRepository(db)
row = sites_repo.get_by_key(site_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="site_not_found")
company_id = None
company_key = None
if payload.company_key is not None:
company = companies_repo.get_by_key(payload.company_key)
if not company:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
company_id = company.id
company_key = company.company_key
row = sites_repo.update(row, company_id=company_id, name=payload.name, status=payload.status)
if company_key is None:
current_company = companies_repo.get_by_id(row.company_id)
company_key = current_company.company_key if current_company else ""
return SiteItem(id=row.id, site_key=row.site_key, company_key=company_key, name=row.name, status=row.status)
@router.get("/members")
def list_members(
db: Session = Depends(get_db),
keyword: str | None = Query(default=None),
limit: int = Query(default=100, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
users_repo = UsersRepository(db)
items, total = users_repo.list(keyword=keyword, limit=limit, offset=offset)
return {
"items": [
MemberItem(
id=i.id,
authentik_sub=i.authentik_sub,
username=i.username,
email=i.email,
display_name=i.display_name,
is_active=i.is_active,
).model_dump()
for i in items
],
"total": total,
"limit": limit,
"offset": offset,
}
@router.post("/members/upsert", response_model=MemberItem)
def upsert_member(
payload: MemberUpsertRequest,
db: Session = Depends(get_db),
) -> MemberItem:
users_repo = UsersRepository(db)
resolved_sub = payload.authentik_sub
resolved_username = payload.username
authentik_user_id = None
if payload.sync_to_authentik:
seed_sub = payload.authentik_sub or payload.username
if not seed_sub:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="authentik_sub_or_username_required")
sync = _sync_member_to_authentik(
authentik_sub=seed_sub,
authentik_user_id=authentik_user_id,
username=payload.username,
email=payload.email,
display_name=payload.display_name,
is_active=payload.is_active,
)
authentik_user_id = int(sync["authentik_user_id"])
if sync.get("authentik_sub"):
resolved_sub = str(sync["authentik_sub"])
if not resolved_sub:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="authentik_sub_required")
row = users_repo.upsert_by_sub(
authentik_sub=resolved_sub,
username=resolved_username,
email=payload.email,
display_name=payload.display_name,
is_active=payload.is_active,
authentik_user_id=authentik_user_id,
)
return MemberItem(
id=row.id,
authentik_sub=row.authentik_sub,
username=row.username,
email=row.email,
display_name=row.display_name,
is_active=row.is_active,
)
@router.patch("/members/{authentik_sub}", response_model=MemberItem)
def update_member(
authentik_sub: str,
payload: MemberUpdateRequest,
db: Session = Depends(get_db),
) -> MemberItem:
users_repo = UsersRepository(db)
row = users_repo.get_by_sub(authentik_sub)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
next_email = payload.email if payload.email is not None else row.email
next_username = payload.username if payload.username is not None else row.username
next_display_name = payload.display_name if payload.display_name is not None else row.display_name
next_is_active = payload.is_active if payload.is_active is not None else row.is_active
authentik_user_id = row.authentik_user_id
if payload.sync_to_authentik:
sync = _sync_member_to_authentik(
authentik_sub=row.authentik_sub,
authentik_user_id=row.authentik_user_id,
username=next_username,
email=next_email,
display_name=next_display_name,
is_active=next_is_active,
)
authentik_user_id = int(sync["authentik_user_id"])
row = users_repo.upsert_by_sub(
authentik_sub=row.authentik_sub,
username=next_username,
email=next_email,
display_name=next_display_name,
is_active=next_is_active,
authentik_user_id=authentik_user_id,
)
return MemberItem(
id=row.id,
authentik_sub=row.authentik_sub,
username=row.username,
email=row.email,
display_name=row.display_name,
is_active=row.is_active,
)
@router.post("/members/{authentik_sub}/password/reset", response_model=MemberPasswordResetResponse)
def reset_member_password(
authentik_sub: str,
db: Session = Depends(get_db),
) -> MemberPasswordResetResponse:
users_repo = UsersRepository(db)
user = users_repo.get_by_sub(authentik_sub)
if not user:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
settings = get_settings()
service = AuthentikAdminService(settings=settings)
result = service.reset_password(
authentik_user_id=user.authentik_user_id,
email=user.email,
username=user.username,
)
user = users_repo.upsert_by_sub(
authentik_sub=user.authentik_sub,
username=user.username,
email=user.email,
display_name=user.display_name,
is_active=user.is_active,
authentik_user_id=result.user_id,
)
return MemberPasswordResetResponse(authentik_sub=user.authentik_sub, temporary_password=result.temporary_password)
@router.get("/members/{authentik_sub}/permission-groups", response_model=MemberPermissionGroupsResponse)
def get_member_permission_groups(
authentik_sub: str,
db: Session = Depends(get_db),
) -> MemberPermissionGroupsResponse:
users_repo = UsersRepository(db)
groups_repo = PermissionGroupsRepository(db)
user = users_repo.get_by_sub(authentik_sub)
if not user:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
group_keys = groups_repo.list_group_keys_by_member_sub(authentik_sub)
return MemberPermissionGroupsResponse(authentik_sub=authentik_sub, group_keys=group_keys)
@router.put("/members/{authentik_sub}/permission-groups", response_model=MemberPermissionGroupsResponse)
def set_member_permission_groups(
authentik_sub: str,
payload: MemberPermissionGroupsUpdateRequest,
db: Session = Depends(get_db),
) -> MemberPermissionGroupsResponse:
users_repo = UsersRepository(db)
groups_repo = PermissionGroupsRepository(db)
user = users_repo.get_by_sub(authentik_sub)
if not user:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
unique_group_keys = list(dict.fromkeys(payload.group_keys))
groups = groups_repo.get_by_keys(unique_group_keys)
found_keys = {g.group_key for g in groups}
missing = [k for k in unique_group_keys if k not in found_keys]
if missing:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"group_not_found:{','.join(missing)}")
groups_repo.replace_member_groups(authentik_sub, [g.id for g in groups])
return MemberPermissionGroupsResponse(authentik_sub=authentik_sub, group_keys=unique_group_keys)
@router.get("/api-clients")
def list_api_clients(
db: Session = Depends(get_db),
keyword: str | None = Query(default=None),
limit: int = Query(default=200, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
stmt = select(ApiClient)
count_stmt = select(ApiClient)
if keyword:
pattern = f"%{keyword}%"
filter_cond = (ApiClient.client_key.ilike(pattern)) | (ApiClient.name.ilike(pattern))
stmt = stmt.where(filter_cond)
count_stmt = count_stmt.where(filter_cond)
items = list(db.scalars(stmt.order_by(ApiClient.created_at.desc()).limit(limit).offset(offset)).all())
total = len(list(db.scalars(count_stmt)))
return {
"items": [_serialize_api_client(item).model_dump() for item in items],
"total": total,
"limit": limit,
"offset": offset,
}
@router.post("/api-clients", response_model=ApiClientCreateResponse)
def create_api_client(
payload: ApiClientCreateRequest,
db: Session = Depends(get_db),
) -> ApiClientCreateResponse:
status_value = payload.status.strip().lower()
if status_value not in {"active", "inactive"}:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="invalid_status")
client_key = payload.client_key or _generate_unique_key(
"AC", lambda value: db.scalar(select(ApiClient).where(ApiClient.client_key == value)) is not None
)
exists = db.scalar(select(ApiClient).where(ApiClient.client_key == client_key))
if exists:
raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="client_key_already_exists")
api_key = _generate_api_key()
row = ApiClient(
client_key=client_key,
name=payload.name,
status=status_value,
api_key_hash=hash_api_key(api_key),
allowed_origins=payload.allowed_origins,
allowed_ips=payload.allowed_ips,
allowed_paths=payload.allowed_paths,
rate_limit_per_min=payload.rate_limit_per_min,
expires_at=payload.expires_at,
)
db.add(row)
db.commit()
db.refresh(row)
return ApiClientCreateResponse(item=_serialize_api_client(row), api_key=api_key)
@router.patch("/api-clients/{client_key}", response_model=ApiClientItem)
def update_api_client(
client_key: str,
payload: ApiClientUpdateRequest,
db: Session = Depends(get_db),
) -> ApiClientItem:
row = db.scalar(select(ApiClient).where(ApiClient.client_key == client_key))
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="api_client_not_found")
if payload.name is not None:
row.name = payload.name
if payload.status is not None:
next_status = payload.status.strip().lower()
if next_status not in {"active", "inactive"}:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="invalid_status")
row.status = next_status
if payload.allowed_origins is not None:
row.allowed_origins = payload.allowed_origins
if payload.allowed_ips is not None:
row.allowed_ips = payload.allowed_ips
if payload.allowed_paths is not None:
row.allowed_paths = payload.allowed_paths
row.rate_limit_per_min = payload.rate_limit_per_min
row.expires_at = payload.expires_at
db.commit()
db.refresh(row)
return _serialize_api_client(row)
@router.post("/api-clients/{client_key}/rotate-key", response_model=ApiClientRotateKeyResponse)
def rotate_api_client_key(
client_key: str,
db: Session = Depends(get_db),
) -> ApiClientRotateKeyResponse:
row = db.scalar(select(ApiClient).where(ApiClient.client_key == client_key))
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="api_client_not_found")
api_key = _generate_api_key()
row.api_key_hash = hash_api_key(api_key)
db.commit()
return ApiClientRotateKeyResponse(client_key=row.client_key, api_key=api_key)
@router.get("/permission-groups")
def list_permission_groups(
db: Session = Depends(get_db),
limit: int = Query(default=100, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
repo = PermissionGroupsRepository(db)
items, total = repo.list(limit=limit, offset=offset)
return {"items": [PermissionGroupItem(id=i.id, group_key=i.group_key, name=i.name, status=i.status).model_dump() for i in items], "total": total, "limit": limit, "offset": offset}
@router.get("/permission-groups/{group_key}/permissions")
def list_permission_group_permissions(
group_key: str,
db: Session = Depends(get_db),
) -> dict[str, list[dict]]:
repo = PermissionGroupsRepository(db)
group = repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
rows = repo.list_group_permissions(group.id)
return {
"items": [
PermissionGroupPermissionItem(
id=r.id,
system=r.system,
module="" if r.module == "__system__" else r.module,
action=r.action,
scope_type=r.scope_type,
scope_id=r.scope_id,
).model_dump()
for r in rows
if r.action in {"view", "edit"} and r.scope_type == "site"
]
}
@router.get("/permission-groups/{group_key}/bindings", response_model=GroupBindingSnapshot)
def get_permission_group_bindings(
group_key: str,
db: Session = Depends(get_db),
) -> GroupBindingSnapshot:
repo = PermissionGroupsRepository(db)
group = repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
snapshot = repo.get_group_binding_snapshot(group.id, group_key)
return GroupBindingSnapshot(
group_key=snapshot["group_key"],
site_keys=snapshot["site_keys"],
system_keys=snapshot["system_keys"],
module_keys=[k.split("|", 1)[1] if "|" in k else k for k in snapshot["module_keys"]],
member_subs=snapshot["member_subs"],
actions=snapshot["actions"],
)
@router.put("/permission-groups/{group_key}/bindings", response_model=GroupBindingSnapshot)
def replace_permission_group_bindings(
group_key: str,
payload: GroupBindingUpdateRequest,
db: Session = Depends(get_db),
) -> GroupBindingSnapshot:
repo = PermissionGroupsRepository(db)
sites_repo = SitesRepository(db)
systems_repo = SystemsRepository(db)
modules_repo = ModulesRepository(db)
group = repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
site_keys = list(dict.fromkeys(payload.site_keys))
system_keys = list(dict.fromkeys(payload.system_keys))
module_keys = list(dict.fromkeys(payload.module_keys))
valid_sites = {s.site_key for s in sites_repo.list(limit=10000, offset=0)[0]}
missing_sites = [k for k in site_keys if k not in valid_sites]
if missing_sites:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"site_not_found:{','.join(missing_sites)}")
valid_systems = {s.system_key for s in systems_repo.list(limit=10000, offset=0)[0]}
missing_systems = [k for k in system_keys if k not in valid_systems]
if missing_systems:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"system_not_found:{','.join(missing_systems)}")
all_modules = modules_repo.list(limit=10000, offset=0)[0]
valid_modules = {m.module_key for m in all_modules}
module_system_lookup = {m.module_key: m.system_key for m in all_modules}
missing_modules = [k for k in module_keys if k not in valid_modules]
if missing_modules:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"module_not_found:{','.join(missing_modules)}")
module_pairs = [f"{module_system_lookup[m]}|{m}" for m in module_keys]
repo.replace_group_bindings(
group_id=group.id,
site_keys=site_keys,
system_keys=system_keys,
module_keys=module_pairs,
member_subs=payload.member_subs,
actions=payload.actions,
)
snapshot = repo.get_group_binding_snapshot(group.id, group_key)
return GroupBindingSnapshot(
group_key=snapshot["group_key"],
site_keys=snapshot["site_keys"],
system_keys=snapshot["system_keys"],
module_keys=[k.split("|", 1)[1] if "|" in k else k for k in snapshot["module_keys"]],
member_subs=snapshot["member_subs"],
actions=snapshot["actions"],
)
@router.post("/permission-groups", response_model=PermissionGroupItem)
def create_permission_group(
payload: PermissionGroupCreateRequest,
db: Session = Depends(get_db),
) -> PermissionGroupItem:
repo = PermissionGroupsRepository(db)
group_key = _generate_unique_key("GP", repo.get_by_key)
row = repo.create(group_key=group_key, name=payload.name, status=payload.status)
return PermissionGroupItem(id=row.id, group_key=row.group_key, name=row.name, status=row.status)
@router.patch("/permission-groups/{group_key}", response_model=PermissionGroupItem)
def update_permission_group(
group_key: str,
payload: PermissionGroupUpdateRequest,
db: Session = Depends(get_db),
) -> PermissionGroupItem:
repo = PermissionGroupsRepository(db)
row = repo.get_by_key(group_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
row = repo.update(row, name=payload.name, status=payload.status)
return PermissionGroupItem(id=row.id, group_key=row.group_key, name=row.name, status=row.status)
@router.post("/permission-groups/{group_key}/members/{authentik_sub}")
def add_group_member(
group_key: str,
authentik_sub: str,
db: Session = Depends(get_db),
) -> dict[str, str]:
groups_repo = PermissionGroupsRepository(db)
group = groups_repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
row = groups_repo.add_member_if_not_exists(group.id, authentik_sub)
return {"membership_id": row.id, "result": "added"}
@router.delete("/permission-groups/{group_key}/members/{authentik_sub}")
def remove_group_member(
group_key: str,
authentik_sub: str,
db: Session = Depends(get_db),
) -> dict[str, int | str]:
groups_repo = PermissionGroupsRepository(db)
group = groups_repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
deleted = groups_repo.remove_member(group.id, authentik_sub)
return {"deleted": deleted, "result": "removed"}
@router.post("/permission-groups/{group_key}/permissions/grant")
def grant_group_permission(
group_key: str,
payload: PermissionGrantRequest,
db: Session = Depends(get_db),
) -> dict[str, str]:
groups_repo = PermissionGroupsRepository(db)
group = groups_repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
_resolve_module_id(db, payload.system, payload.module)
_resolve_scope_ids(db, payload.scope_type, payload.scope_id)
module_name = _split_module_key(payload.module)
row = groups_repo.grant_group_permission(
group_id=group.id,
system=payload.system,
module=module_name,
action=payload.action,
scope_type=payload.scope_type,
scope_id=payload.scope_id,
)
return {"permission_id": row.id, "result": "granted"}
@router.post("/permission-groups/{group_key}/permissions/revoke")
def revoke_group_permission(
group_key: str,
payload: PermissionRevokeRequest,
db: Session = Depends(get_db),
) -> dict[str, int | str]:
groups_repo = PermissionGroupsRepository(db)
group = groups_repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
_resolve_module_id(db, payload.system, payload.module)
_resolve_scope_ids(db, payload.scope_type, payload.scope_id)
module_name = _split_module_key(payload.module)
deleted = groups_repo.revoke_group_permission(
group_id=group.id,
system=payload.system,
module=module_name,
action=payload.action,
scope_type=payload.scope_type,
scope_id=payload.scope_id,
)
return {"deleted": deleted, "result": "revoked"}
Reference in New Issue View Git Blame Copy Permalink