member/member-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c7ed517ed27bf6a59858223474a1003b39ac4ee6
member-backend/app/api/admin_catalog.py

1100 lines
40 KiB
Python
Raw Blame History

import secrets
from fastapi import APIRouter, Depends, HTTPException, Query, status
from sqlalchemy import delete, select
from sqlalchemy.orm import Session
from app.core.keygen import generate_key
from app.core.config import get_settings
from app.db.session import get_db
from app.models.api_client import ApiClient
from app.models.permission_group_member import PermissionGroupMember
from app.models.permission_group_permission import PermissionGroupPermission
from app.repositories.companies_repo import CompaniesRepository
from app.repositories.modules_repo import ModulesRepository
from app.repositories.permission_groups_repo import PermissionGroupsRepository
from app.repositories.sites_repo import SitesRepository
from app.repositories.systems_repo import SystemsRepository
from app.repositories.users_repo import UsersRepository
from app.schemas.catalog import (
CompanyCreateRequest,
CompanyItem,
GroupBindingSnapshot,
GroupBindingUpdateRequest,
GroupRelationItem,
MemberRelationItem,
CompanyUpdateRequest,
MemberItem,
MemberPermissionGroupsResponse,
MemberPermissionGroupsUpdateRequest,
MemberPasswordResetResponse,
MemberUpdateRequest,
MemberUpsertRequest,
ModuleCreateRequest,
ModuleItem,
ModuleUpdateRequest,
PermissionGroupCreateRequest,
PermissionGroupItem,
PermissionGroupPermissionItem,
PermissionGroupUpdateRequest,
SiteCreateRequest,
SiteItem,
SiteUpdateRequest,
SystemCreateRequest,
SystemItem,
SystemUpdateRequest,
)
from app.schemas.api_clients import (
ApiClientCreateRequest,
ApiClientCreateResponse,
ApiClientItem,
ApiClientRotateKeyResponse,
ApiClientUpdateRequest,
)
from app.schemas.permissions import PermissionGrantRequest, PermissionRevokeRequest
from app.security.admin_guard import require_admin_principal
from app.security.api_client_auth import hash_api_key
from app.services.authentik_admin_service import AuthentikAdminService
router = APIRouter(
prefix="/admin",
tags=["admin"],
dependencies=[Depends(require_admin_principal)],
)
def _resolve_module_id(db: Session, system_key: str, module_key: str | None) -> str:
systems_repo = SystemsRepository(db)
modules_repo = ModulesRepository(db)
system = systems_repo.get_by_key(system_key)
if not system:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found")
target_module_key = module_key if module_key else f"__system__{system_key}"
module = modules_repo.get_by_key(target_module_key)
if module and module.system_key != system_key:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="module_system_mismatch")
if not module:
module = modules_repo.create(
module_key=target_module_key,
system_key=system_key,
name=target_module_key,
status="active",
)
return module.id
def _resolve_scope_ids(db: Session, scope_type: str, scope_id: str) -> tuple[str | None, str | None]:
companies_repo = CompaniesRepository(db)
sites_repo = SitesRepository(db)
if scope_type == "company":
company = companies_repo.get_by_key(scope_id)
if not company:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
return company.id, None
if scope_type == "site":
site = sites_repo.get_by_key(scope_id)
if not site:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="site_not_found")
return None, site.id
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="invalid_scope_type")
def _split_module_key(payload_module: str | None) -> str:
if not payload_module:
return "__system__"
return payload_module
def _generate_unique_key(prefix: str, exists_fn) -> str:
for salt in range(1000):
key = generate_key(prefix=prefix, salt=salt)
if not exists_fn(key):
return key
raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"failed_to_generate_{prefix.lower()}_key")
def _serialize_api_client(item: ApiClient) -> ApiClientItem:
return ApiClientItem(
id=item.id,
client_key=item.client_key,
name=item.name,
status=item.status,
allowed_origins=item.allowed_origins or [],
allowed_ips=item.allowed_ips or [],
allowed_paths=item.allowed_paths or [],
rate_limit_per_min=item.rate_limit_per_min,
expires_at=item.expires_at,
last_used_at=item.last_used_at,
created_at=item.created_at,
updated_at=item.updated_at,
)
def _generate_api_key() -> str:
return secrets.token_urlsafe(36)
def _sync_member_to_authentik(
*,
user_sub: str | None,
idp_user_id: str | None,
username: str | None,
email: str | None,
display_name: str | None,
is_active: bool,
) -> dict[str, str]:
if not email:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="email_required_for_authentik_sync")
settings = get_settings()
service = AuthentikAdminService(settings=settings)
result = service.ensure_user(
sub=user_sub,
email=email,
username=username,
display_name=display_name,
is_active=is_active,
idp_user_id=idp_user_id,
)
return {
"idp_user_id": result.user_id,
"sync_action": result.action,
"user_sub": result.user_sub or "",
}
@router.get("/systems")
def list_systems(
db: Session = Depends(get_db),
limit: int = Query(default=100, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
repo = SystemsRepository(db)
items, total = repo.list(limit=limit, offset=offset)
return {"items": [SystemItem(id=i.id, system_key=i.system_key, name=i.name, status=i.status).model_dump() for i in items], "total": total, "limit": limit, "offset": offset}
@router.post("/systems", response_model=SystemItem)
def create_system(
payload: SystemCreateRequest,
db: Session = Depends(get_db),
) -> SystemItem:
repo = SystemsRepository(db)
system_key = _generate_unique_key("ST", repo.get_by_key)
row = repo.create(system_key=system_key, name=payload.name, status=payload.status)
return SystemItem(id=row.id, system_key=row.system_key, name=row.name, status=row.status)
@router.patch("/systems/{system_key}", response_model=SystemItem)
def update_system(
system_key: str,
payload: SystemUpdateRequest,
db: Session = Depends(get_db),
) -> SystemItem:
repo = SystemsRepository(db)
row = repo.get_by_key(system_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found")
row = repo.update(row, name=payload.name, status=payload.status)
return SystemItem(id=row.id, system_key=row.system_key, name=row.name, status=row.status)
@router.delete("/systems/{system_key}")
def delete_system(
system_key: str,
db: Session = Depends(get_db),
) -> dict[str, int | str]:
repo = SystemsRepository(db)
row = repo.get_by_key(system_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found")
db.execute(delete(PermissionGroupPermission).where(PermissionGroupPermission.system == system_key))
db.delete(row)
db.commit()
return {"deleted": 1, "result": "deleted"}
@router.get("/modules")
def list_modules(
db: Session = Depends(get_db),
limit: int = Query(default=200, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
modules_repo = ModulesRepository(db)
items, total = modules_repo.list(limit=limit, offset=offset)
out = []
for i in items:
if i.module_key.startswith("__system__"):
continue
out.append(
ModuleItem(
id=i.id,
system_key=i.system_key,
module_key=i.module_key,
name=i.name,
status=i.status,
).model_dump()
)
return {"items": out, "total": total, "limit": limit, "offset": offset}
@router.post("/modules", response_model=ModuleItem)
def create_module(
payload: ModuleCreateRequest,
db: Session = Depends(get_db),
) -> ModuleItem:
systems_repo = SystemsRepository(db)
modules_repo = ModulesRepository(db)
system = systems_repo.get_by_key(payload.system_key)
if not system:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found")
leaf_module_key = _generate_unique_key("MD", modules_repo.get_by_key)
row = modules_repo.create(
module_key=leaf_module_key,
system_key=payload.system_key,
name=payload.name,
status=payload.status,
)
return ModuleItem(id=row.id, system_key=row.system_key, module_key=row.module_key, name=row.name, status=row.status)
@router.patch("/modules/{module_key}")
def update_module(
module_key: str,
payload: ModuleUpdateRequest,
db: Session = Depends(get_db),
) -> ModuleItem:
modules_repo = ModulesRepository(db)
row = modules_repo.get_by_key(module_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="module_not_found")
row = modules_repo.update(row, name=payload.name, status=payload.status)
return ModuleItem(id=row.id, system_key=row.system_key, module_key=row.module_key, name=row.name, status=row.status)
@router.delete("/modules/{module_key}")
def delete_module(
module_key: str,
db: Session = Depends(get_db),
) -> dict[str, int | str]:
modules_repo = ModulesRepository(db)
row = modules_repo.get_by_key(module_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="module_not_found")
db.execute(delete(PermissionGroupPermission).where(PermissionGroupPermission.module == module_key))
db.delete(row)
db.commit()
return {"deleted": 1, "result": "deleted"}
@router.get("/systems/{system_key}/groups")
def list_system_groups(
system_key: str,
db: Session = Depends(get_db),
) -> dict[str, list[dict]]:
systems_repo = SystemsRepository(db)
groups_repo = PermissionGroupsRepository(db)
if not systems_repo.get_by_key(system_key):
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found")
groups = groups_repo.list_system_groups(system_key)
return {
"items": [
GroupRelationItem(group_key=g.group_key, group_name=g.name, status=g.status).model_dump()
for g in groups
]
}
@router.get("/systems/{system_key}/members")
def list_system_members(
system_key: str,
db: Session = Depends(get_db),
) -> dict[str, list[dict]]:
systems_repo = SystemsRepository(db)
groups_repo = PermissionGroupsRepository(db)
if not systems_repo.get_by_key(system_key):
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found")
members = groups_repo.list_system_members(system_key)
return {
"items": [
MemberRelationItem(
user_sub=m.user_sub,
email=m.email,
display_name=m.display_name,
is_active=m.is_active,
).model_dump()
for m in members
]
}
@router.get("/modules/{module_key}/groups")
def list_module_groups(
module_key: str,
db: Session = Depends(get_db),
) -> dict[str, list[dict]]:
modules_repo = ModulesRepository(db)
groups_repo = PermissionGroupsRepository(db)
module = modules_repo.get_by_key(module_key)
if not module:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="module_not_found")
groups = groups_repo.list_module_groups(module.system_key, module.module_key)
return {
"items": [
GroupRelationItem(group_key=g.group_key, group_name=g.name, status=g.status).model_dump()
for g in groups
]
}
@router.get("/modules/{module_key}/members")
def list_module_members(
module_key: str,
db: Session = Depends(get_db),
) -> dict[str, list[dict]]:
modules_repo = ModulesRepository(db)
groups_repo = PermissionGroupsRepository(db)
module = modules_repo.get_by_key(module_key)
if not module:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="module_not_found")
members = groups_repo.list_module_members(module.system_key, module.module_key)
return {
"items": [
MemberRelationItem(
user_sub=m.user_sub,
email=m.email,
display_name=m.display_name,
is_active=m.is_active,
).model_dump()
for m in members
]
}
@router.get("/companies")
def list_companies(
db: Session = Depends(get_db),
keyword: str | None = Query(default=None),
limit: int = Query(default=100, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
repo = CompaniesRepository(db)
items, total = repo.list(keyword=keyword, limit=limit, offset=offset)
return {"items": [CompanyItem(id=i.id, company_key=i.company_key, name=i.name, status=i.status).model_dump() for i in items], "total": total, "limit": limit, "offset": offset}
@router.post("/companies", response_model=CompanyItem)
def create_company(
payload: CompanyCreateRequest,
db: Session = Depends(get_db),
) -> CompanyItem:
repo = CompaniesRepository(db)
company_key = _generate_unique_key("CP", repo.get_by_key)
row = repo.create(company_key=company_key, name=payload.name, status=payload.status)
return CompanyItem(id=row.id, company_key=row.company_key, name=row.name, status=row.status)
@router.patch("/companies/{company_key}", response_model=CompanyItem)
def update_company(
company_key: str,
payload: CompanyUpdateRequest,
db: Session = Depends(get_db),
) -> CompanyItem:
repo = CompaniesRepository(db)
row = repo.get_by_key(company_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
row = repo.update(row, name=payload.name, status=payload.status)
return CompanyItem(id=row.id, company_key=row.company_key, name=row.name, status=row.status)
@router.delete("/companies/{company_key}")
def delete_company(
company_key: str,
db: Session = Depends(get_db),
) -> dict[str, int | str]:
companies_repo = CompaniesRepository(db)
sites_repo = SitesRepository(db)
company = companies_repo.get_by_key(company_key)
if not company:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
company_sites, _ = sites_repo.list(company_id=company.id, limit=10000, offset=0)
company_site_keys = [s.site_key for s in company_sites]
if company_site_keys:
db.execute(
delete(PermissionGroupPermission).where(
PermissionGroupPermission.scope_type == "site",
PermissionGroupPermission.scope_id.in_(company_site_keys),
)
)
db.delete(company)
db.commit()
return {"deleted": 1, "result": "deleted"}
@router.get("/companies/{company_key}/sites")
def list_company_sites(
company_key: str,
db: Session = Depends(get_db),
) -> dict[str, list[dict]]:
companies_repo = CompaniesRepository(db)
sites_repo = SitesRepository(db)
company = companies_repo.get_by_key(company_key)
if not company:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
items, _ = sites_repo.list(company_id=company.id, limit=1000, offset=0)
return {
"items": [
SiteItem(
id=i.id,
site_key=i.site_key,
company_key=company.company_key,
name=i.name,
status=i.status,
).model_dump()
for i in items
]
}
@router.get("/sites")
def list_sites(
db: Session = Depends(get_db),
company_key: str | None = Query(default=None),
keyword: str | None = Query(default=None),
limit: int = Query(default=100, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
companies_repo = CompaniesRepository(db)
sites_repo = SitesRepository(db)
company_lookup: dict[str, str] = {}
all_companies, _ = companies_repo.list(limit=1000, offset=0)
for c in all_companies:
company_lookup[c.id] = c.company_key
company_id = None
if company_key:
company = companies_repo.get_by_key(company_key)
if not company:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
company_id = company.id
items, total = sites_repo.list(keyword=keyword, company_id=company_id, limit=limit, offset=offset)
return {
"items": [
SiteItem(
id=i.id,
site_key=i.site_key,
company_key=company_lookup.get(i.company_id, ""),
name=i.name,
status=i.status,
).model_dump()
for i in items
],
"total": total,
"limit": limit,
"offset": offset,
}
@router.post("/sites", response_model=SiteItem)
def create_site(
payload: SiteCreateRequest,
db: Session = Depends(get_db),
) -> SiteItem:
companies_repo = CompaniesRepository(db)
sites_repo = SitesRepository(db)
company = companies_repo.get_by_key(payload.company_key)
if not company:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
site_key = _generate_unique_key("ST", sites_repo.get_by_key)
row = sites_repo.create(site_key=site_key, company_id=company.id, name=payload.name, status=payload.status)
return SiteItem(id=row.id, site_key=row.site_key, company_key=payload.company_key, name=row.name, status=row.status)
@router.patch("/sites/{site_key}", response_model=SiteItem)
def update_site(
site_key: str,
payload: SiteUpdateRequest,
db: Session = Depends(get_db),
) -> SiteItem:
companies_repo = CompaniesRepository(db)
sites_repo = SitesRepository(db)
row = sites_repo.get_by_key(site_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="site_not_found")
company_id = None
company_key = None
if payload.company_key is not None:
company = companies_repo.get_by_key(payload.company_key)
if not company:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
company_id = company.id
company_key = company.company_key
row = sites_repo.update(row, company_id=company_id, name=payload.name, status=payload.status)
if company_key is None:
current_company = companies_repo.get_by_id(row.company_id)
company_key = current_company.company_key if current_company else ""
return SiteItem(id=row.id, site_key=row.site_key, company_key=company_key, name=row.name, status=row.status)
@router.delete("/sites/{site_key}")
def delete_site(
site_key: str,
db: Session = Depends(get_db),
) -> dict[str, int | str]:
sites_repo = SitesRepository(db)
row = sites_repo.get_by_key(site_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="site_not_found")
db.execute(
delete(PermissionGroupPermission).where(
PermissionGroupPermission.scope_type == "site",
PermissionGroupPermission.scope_id == site_key,
)
)
db.delete(row)
db.commit()
return {"deleted": 1, "result": "deleted"}
@router.get("/members")
def list_members(
db: Session = Depends(get_db),
keyword: str | None = Query(default=None),
limit: int = Query(default=100, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
users_repo = UsersRepository(db)
items, total = users_repo.list(keyword=keyword, limit=limit, offset=offset)
return {
"items": [
MemberItem(
id=i.id,
user_sub=i.user_sub,
username=i.username,
email=i.email,
display_name=i.display_name,
is_active=i.is_active,
).model_dump()
for i in items
],
"total": total,
"limit": limit,
"offset": offset,
}
@router.post("/members/upsert", response_model=MemberItem)
def upsert_member(
payload: MemberUpsertRequest,
db: Session = Depends(get_db),
) -> MemberItem:
users_repo = UsersRepository(db)
resolved_sub = payload.user_sub
resolved_username = payload.username
idp_user_id = None
if payload.sync_to_authentik:
seed_sub = payload.user_sub or payload.username
if not seed_sub:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="user_sub_or_username_required")
sync = _sync_member_to_authentik(
user_sub=seed_sub,
idp_user_id=idp_user_id,
username=payload.username,
email=payload.email,
display_name=payload.display_name,
is_active=payload.is_active,
)
idp_user_id = str(sync["idp_user_id"])
if sync.get("user_sub"):
resolved_sub = str(sync["user_sub"])
if not resolved_sub:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="user_sub_required")
row = users_repo.upsert_by_sub(
user_sub=resolved_sub,
username=resolved_username,
email=payload.email,
display_name=payload.display_name,
is_active=payload.is_active,
idp_user_id=idp_user_id,
)
return MemberItem(
id=row.id,
user_sub=row.user_sub,
username=row.username,
email=row.email,
display_name=row.display_name,
is_active=row.is_active,
)
@router.patch("/members/{user_sub}", response_model=MemberItem)
def update_member(
user_sub: str,
payload: MemberUpdateRequest,
db: Session = Depends(get_db),
) -> MemberItem:
users_repo = UsersRepository(db)
row = users_repo.get_by_sub(user_sub)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
next_email = payload.email if payload.email is not None else row.email
next_username = payload.username if payload.username is not None else row.username
next_display_name = payload.display_name if payload.display_name is not None else row.display_name
next_is_active = payload.is_active if payload.is_active is not None else row.is_active
idp_user_id = row.idp_user_id
if payload.sync_to_authentik:
sync = _sync_member_to_authentik(
user_sub=row.user_sub,
idp_user_id=row.idp_user_id,
username=next_username,
email=next_email,
display_name=next_display_name,
is_active=next_is_active,
)
idp_user_id = str(sync["idp_user_id"])
row = users_repo.upsert_by_sub(
user_sub=row.user_sub,
username=next_username,
email=next_email,
display_name=next_display_name,
is_active=next_is_active,
idp_user_id=idp_user_id,
)
return MemberItem(
id=row.id,
user_sub=row.user_sub,
username=row.username,
email=row.email,
display_name=row.display_name,
is_active=row.is_active,
)
@router.delete("/members/{user_sub}")
def delete_member(
user_sub: str,
db: Session = Depends(get_db),
) -> dict[str, int | str]:
users_repo = UsersRepository(db)
row = users_repo.get_by_sub(user_sub)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
settings = get_settings()
service = AuthentikAdminService(settings=settings)
service.delete_user(
idp_user_id=row.idp_user_id,
email=row.email,
username=row.username,
)
db.execute(delete(PermissionGroupMember).where(PermissionGroupMember.user_sub == user_sub))
db.delete(row)
db.commit()
return {"deleted": 1, "result": "deleted"}
@router.post("/members/{user_sub}/password/reset", response_model=MemberPasswordResetResponse)
def reset_member_password(
user_sub: str,
db: Session = Depends(get_db),
) -> MemberPasswordResetResponse:
users_repo = UsersRepository(db)
user = users_repo.get_by_sub(user_sub)
if not user:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
settings = get_settings()
service = AuthentikAdminService(settings=settings)
result = service.reset_password(
idp_user_id=user.idp_user_id,
email=user.email,
username=user.username,
)
user = users_repo.upsert_by_sub(
user_sub=user.user_sub,
username=user.username,
email=user.email,
display_name=user.display_name,
is_active=user.is_active,
idp_user_id=result.user_id,
)
return MemberPasswordResetResponse(user_sub=user.user_sub, temporary_password=result.temporary_password)
@router.get("/members/{user_sub}/permission-groups", response_model=MemberPermissionGroupsResponse)
def get_member_permission_groups(
user_sub: str,
db: Session = Depends(get_db),
) -> MemberPermissionGroupsResponse:
users_repo = UsersRepository(db)
groups_repo = PermissionGroupsRepository(db)
user = users_repo.get_by_sub(user_sub)
if not user:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
group_keys = groups_repo.list_group_keys_by_member_sub(user_sub)
return MemberPermissionGroupsResponse(user_sub=user_sub, group_keys=group_keys)
@router.put("/members/{user_sub}/permission-groups", response_model=MemberPermissionGroupsResponse)
def set_member_permission_groups(
user_sub: str,
payload: MemberPermissionGroupsUpdateRequest,
db: Session = Depends(get_db),
) -> MemberPermissionGroupsResponse:
users_repo = UsersRepository(db)
groups_repo = PermissionGroupsRepository(db)
user = users_repo.get_by_sub(user_sub)
if not user:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
unique_group_keys = list(dict.fromkeys(payload.group_keys))
groups = groups_repo.get_by_keys(unique_group_keys)
found_keys = {g.group_key for g in groups}
missing = [k for k in unique_group_keys if k not in found_keys]
if missing:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"group_not_found:{','.join(missing)}")
groups_repo.replace_member_groups(user_sub, [g.id for g in groups])
return MemberPermissionGroupsResponse(user_sub=user_sub, group_keys=unique_group_keys)
@router.get("/api-clients")
def list_api_clients(
db: Session = Depends(get_db),
keyword: str | None = Query(default=None),
limit: int = Query(default=200, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
stmt = select(ApiClient)
count_stmt = select(ApiClient)
if keyword:
pattern = f"%{keyword}%"
filter_cond = (ApiClient.client_key.ilike(pattern)) | (ApiClient.name.ilike(pattern))
stmt = stmt.where(filter_cond)
count_stmt = count_stmt.where(filter_cond)
items = list(db.scalars(stmt.order_by(ApiClient.created_at.desc()).limit(limit).offset(offset)).all())
total = len(list(db.scalars(count_stmt)))
return {
"items": [_serialize_api_client(item).model_dump() for item in items],
"total": total,
"limit": limit,
"offset": offset,
}
@router.post("/api-clients", response_model=ApiClientCreateResponse)
def create_api_client(
payload: ApiClientCreateRequest,
db: Session = Depends(get_db),
) -> ApiClientCreateResponse:
status_value = payload.status.strip().lower()
if status_value not in {"active", "inactive"}:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="invalid_status")
client_key = payload.client_key or _generate_unique_key(
"AC", lambda value: db.scalar(select(ApiClient).where(ApiClient.client_key == value)) is not None
)
exists = db.scalar(select(ApiClient).where(ApiClient.client_key == client_key))
if exists:
raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="client_key_already_exists")
api_key = _generate_api_key()
row = ApiClient(
client_key=client_key,
name=payload.name,
status=status_value,
api_key_hash=hash_api_key(api_key),
allowed_origins=payload.allowed_origins,
allowed_ips=payload.allowed_ips,
allowed_paths=payload.allowed_paths,
rate_limit_per_min=payload.rate_limit_per_min,
expires_at=payload.expires_at,
)
db.add(row)
db.commit()
db.refresh(row)
return ApiClientCreateResponse(item=_serialize_api_client(row), api_key=api_key)
@router.patch("/api-clients/{client_key}", response_model=ApiClientItem)
def update_api_client(
client_key: str,
payload: ApiClientUpdateRequest,
db: Session = Depends(get_db),
) -> ApiClientItem:
row = db.scalar(select(ApiClient).where(ApiClient.client_key == client_key))
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="api_client_not_found")
if payload.name is not None:
row.name = payload.name
if payload.status is not None:
next_status = payload.status.strip().lower()
if next_status not in {"active", "inactive"}:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="invalid_status")
row.status = next_status
if payload.allowed_origins is not None:
row.allowed_origins = payload.allowed_origins
if payload.allowed_ips is not None:
row.allowed_ips = payload.allowed_ips
if payload.allowed_paths is not None:
row.allowed_paths = payload.allowed_paths
row.rate_limit_per_min = payload.rate_limit_per_min
row.expires_at = payload.expires_at
db.commit()
db.refresh(row)
return _serialize_api_client(row)
@router.post("/api-clients/{client_key}/rotate-key", response_model=ApiClientRotateKeyResponse)
def rotate_api_client_key(
client_key: str,
db: Session = Depends(get_db),
) -> ApiClientRotateKeyResponse:
row = db.scalar(select(ApiClient).where(ApiClient.client_key == client_key))
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="api_client_not_found")
api_key = _generate_api_key()
row.api_key_hash = hash_api_key(api_key)
db.commit()
return ApiClientRotateKeyResponse(client_key=row.client_key, api_key=api_key)
@router.delete("/api-clients/{client_key}")
def delete_api_client(
client_key: str,
db: Session = Depends(get_db),
) -> dict[str, int | str]:
row = db.scalar(select(ApiClient).where(ApiClient.client_key == client_key))
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="api_client_not_found")
db.delete(row)
db.commit()
return {"deleted": 1, "result": "deleted"}
@router.get("/permission-groups")
def list_permission_groups(
db: Session = Depends(get_db),
limit: int = Query(default=100, ge=1, le=500),
offset: int = Query(default=0, ge=0),
) -> dict:
repo = PermissionGroupsRepository(db)
items, total = repo.list(limit=limit, offset=offset)
return {"items": [PermissionGroupItem(id=i.id, group_key=i.group_key, name=i.name, status=i.status).model_dump() for i in items], "total": total, "limit": limit, "offset": offset}
@router.get("/permission-groups/{group_key}/permissions")
def list_permission_group_permissions(
group_key: str,
db: Session = Depends(get_db),
) -> dict[str, list[dict]]:
repo = PermissionGroupsRepository(db)
group = repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
rows = repo.list_group_permissions(group.id)
return {
"items": [
PermissionGroupPermissionItem(
id=r.id,
system=r.system,
module="" if r.module == "__system__" else r.module,
action=r.action,
scope_type=r.scope_type,
scope_id=r.scope_id,
).model_dump()
for r in rows
if r.action in {"view", "edit"} and r.scope_type == "site"
]
}
@router.get("/permission-groups/{group_key}/bindings", response_model=GroupBindingSnapshot)
def get_permission_group_bindings(
group_key: str,
db: Session = Depends(get_db),
) -> GroupBindingSnapshot:
repo = PermissionGroupsRepository(db)
group = repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
snapshot = repo.get_group_binding_snapshot(group.id, group_key)
return GroupBindingSnapshot(
group_key=snapshot["group_key"],
site_keys=snapshot["site_keys"],
system_keys=snapshot["system_keys"],
module_keys=[k.split("|", 1)[1] if "|" in k else k for k in snapshot["module_keys"]],
member_subs=snapshot["member_subs"],
actions=snapshot["actions"],
)
@router.put("/permission-groups/{group_key}/bindings", response_model=GroupBindingSnapshot)
def replace_permission_group_bindings(
group_key: str,
payload: GroupBindingUpdateRequest,
db: Session = Depends(get_db),
) -> GroupBindingSnapshot:
repo = PermissionGroupsRepository(db)
sites_repo = SitesRepository(db)
systems_repo = SystemsRepository(db)
modules_repo = ModulesRepository(db)
group = repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
site_keys = list(dict.fromkeys(payload.site_keys))
system_keys = list(dict.fromkeys(payload.system_keys))
module_keys = list(dict.fromkeys(payload.module_keys))
valid_sites = {s.site_key for s in sites_repo.list(limit=10000, offset=0)[0]}
missing_sites = [k for k in site_keys if k not in valid_sites]
if missing_sites:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"site_not_found:{','.join(missing_sites)}")
valid_systems = {s.system_key for s in systems_repo.list(limit=10000, offset=0)[0]}
missing_systems = [k for k in system_keys if k not in valid_systems]
if missing_systems:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"system_not_found:{','.join(missing_systems)}")
all_modules = modules_repo.list(limit=10000, offset=0)[0]
valid_modules = {m.module_key for m in all_modules}
module_system_lookup = {m.module_key: m.system_key for m in all_modules}
missing_modules = [k for k in module_keys if k not in valid_modules]
if missing_modules:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"module_not_found:{','.join(missing_modules)}")
module_pairs = [f"{module_system_lookup[m]}|{m}" for m in module_keys]
repo.replace_group_bindings(
group_id=group.id,
site_keys=site_keys,
system_keys=system_keys,
module_keys=module_pairs,
member_subs=payload.member_subs,
actions=payload.actions,
)
snapshot = repo.get_group_binding_snapshot(group.id, group_key)
return GroupBindingSnapshot(
group_key=snapshot["group_key"],
site_keys=snapshot["site_keys"],
system_keys=snapshot["system_keys"],
module_keys=[k.split("|", 1)[1] if "|" in k else k for k in snapshot["module_keys"]],
member_subs=snapshot["member_subs"],
actions=snapshot["actions"],
)
@router.post("/permission-groups", response_model=PermissionGroupItem)
def create_permission_group(
payload: PermissionGroupCreateRequest,
db: Session = Depends(get_db),
) -> PermissionGroupItem:
repo = PermissionGroupsRepository(db)
group_key = _generate_unique_key("GP", repo.get_by_key)
row = repo.create(group_key=group_key, name=payload.name, status=payload.status)
return PermissionGroupItem(id=row.id, group_key=row.group_key, name=row.name, status=row.status)
@router.patch("/permission-groups/{group_key}", response_model=PermissionGroupItem)
def update_permission_group(
group_key: str,
payload: PermissionGroupUpdateRequest,
db: Session = Depends(get_db),
) -> PermissionGroupItem:
repo = PermissionGroupsRepository(db)
row = repo.get_by_key(group_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
row = repo.update(row, name=payload.name, status=payload.status)
return PermissionGroupItem(id=row.id, group_key=row.group_key, name=row.name, status=row.status)
@router.delete("/permission-groups/{group_key}")
def delete_permission_group(
group_key: str,
db: Session = Depends(get_db),
) -> dict[str, int | str]:
repo = PermissionGroupsRepository(db)
row = repo.get_by_key(group_key)
if not row:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
db.delete(row)
db.commit()
return {"deleted": 1, "result": "deleted"}
@router.post("/permission-groups/{group_key}/members/{user_sub}")
def add_group_member(
group_key: str,
user_sub: str,
db: Session = Depends(get_db),
) -> dict[str, str]:
groups_repo = PermissionGroupsRepository(db)
group = groups_repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
row = groups_repo.add_member_if_not_exists(group.id, user_sub)
return {"membership_id": row.id, "result": "added"}
@router.delete("/permission-groups/{group_key}/members/{user_sub}")
def remove_group_member(
group_key: str,
user_sub: str,
db: Session = Depends(get_db),
) -> dict[str, int | str]:
groups_repo = PermissionGroupsRepository(db)
group = groups_repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
deleted = groups_repo.remove_member(group.id, user_sub)
return {"deleted": deleted, "result": "removed"}
@router.post("/permission-groups/{group_key}/permissions/grant")
def grant_group_permission(
group_key: str,
payload: PermissionGrantRequest,
db: Session = Depends(get_db),
) -> dict[str, str]:
groups_repo = PermissionGroupsRepository(db)
group = groups_repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
_resolve_module_id(db, payload.system, payload.module)
_resolve_scope_ids(db, payload.scope_type, payload.scope_id)
module_name = _split_module_key(payload.module)
row = groups_repo.grant_group_permission(
group_id=group.id,
system=payload.system,
module=module_name,
action=payload.action,
scope_type=payload.scope_type,
scope_id=payload.scope_id,
)
return {"permission_id": row.id, "result": "granted"}
@router.post("/permission-groups/{group_key}/permissions/revoke")
def revoke_group_permission(
group_key: str,
payload: PermissionRevokeRequest,
db: Session = Depends(get_db),
) -> dict[str, int | str]:
groups_repo = PermissionGroupsRepository(db)
group = groups_repo.get_by_key(group_key)
if not group:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
_resolve_module_id(db, payload.system, payload.module)
_resolve_scope_ids(db, payload.scope_type, payload.scope_id)
module_name = _split_module_key(payload.module)
deleted = groups_repo.revoke_group_permission(
group_id=group.id,
system=payload.system,
module=module_name,
action=payload.action,
scope_type=payload.scope_type,
scope_id=payload.scope_id,
)
return {"deleted": deleted, "result": "revoked"}
Reference in New Issue View Git Blame Copy Permalink