abs-auth-rbac-core 0.1.0__py3-none-any.whl

abs_auth_rbac_core/auth/__init__.py

@@ -0,0 +1,3 @@
+from .jwt_functions import JWTFunctions
+
+__all__ = ["JWTFunctions"]

abs_auth_rbac_core/auth/auth_functions.py

@@ -0,0 +1,31 @@
+from typing import Callable, Any
+from ..models import Users
+
+from abs_exception_core.exceptions import NotFoundError, ValidationError
+
+
+def get_user_by_attribute(db_session: Callable[...,Any],attribute: str, value: str):
+    """
+    Get a user by an attribute.
+
+    Args:
+        attribute (str): The attribute to get the user by.
+        value (str): The value of the attribute.
+    
+    Returns:
+        User: The user object if found, otherwise None.
+    """
+    with db_session() as session:
+        try:
+            if not hasattr(Users, attribute):
+                raise ValidationError(detail=f"Attribute {attribute} does not exist on the User model")
+            
+            user = session.query(Users).filter(getattr(Users, attribute) == value).first()
+
+            if not user:
+                raise NotFoundError(detail="User not found")
+            
+            return user
+        
+        except Exception as e:
+            raise e

abs_auth_rbac_core/auth/jwt_functions.py

@@ -0,0 +1,134 @@
+from datetime import datetime, timedelta, UTC
+from typing import Dict, Type, Callable,Any
+
+import jwt
+from fastapi import Depends
+from fastapi.security import HTTPBearer
+from passlib.context import CryptContext
+from abs_exception_core.exceptions import UnauthorizedError,ValidationError
+
+
+# === JWT Setup ===
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+bearer_scheme = HTTPBearer()
+
+# === Password Hashing ===
+
+class JWTFunctions:
+    def __init__(self,secret_key: str,algorithm: str,expire_minutes: int=None):
+        """
+        Args:
+            secret_key (str): The secret key for the JWT token.
+            algorithm (str): The algorithm for the JWT token.
+            expire_minutes (int): The expiration time for the JWT token in minutes.
+        """
+        self.secret_key = secret_key
+        self.algorithm = algorithm
+        self.expire_minutes = expire_minutes
+
+    def verify_password(self,plain_password: str, hashed_password: str) -> bool:
+        """
+        Verify a plain password against a hashed password using the password hashing context.
+
+        Args:
+            plain_password (str): The plain password to verify.
+            hashed_password (str): The hashed password to verify against.
+        
+        Returns:
+            bool: True if the password is verified, False otherwise.
+        """
+        return pwd_context.verify(plain_password, hashed_password)
+
+    def get_password_hash(self,password: str) -> str:
+        """
+        Generate a hashed password using the password hashing context.
+
+        Args:
+            password (str): The plain password to hash.
+        
+        Returns:
+            str: The hashed password.
+        """
+        return pwd_context.hash(password)
+
+
+    # === Token Dependencies ===
+
+    async def get_token(self,token=Depends(bearer_scheme)) -> str:
+        """
+        Get the token from the bearer scheme.
+
+        Args:
+            token (str): The token to get.
+        
+        Returns:
+            str: The token without the bearer prefix.
+        """
+        return str(token.credentials)
+
+    # === JWT Token Creation & Decoding ===
+
+    def create_jwt_token(self,data: dict, expires_delta: timedelta=None) -> str:
+        """
+        Create a JWT token.
+
+        Args:
+            data (dict): The data to encode in the token.
+            expires_delta (timedelta): The expiration time for the token.
+        
+        Returns:
+            str: The JWT token.
+        """
+        payload = data.copy()
+        if expires_delta:
+            expire = datetime.now(UTC) + expires_delta
+        else:
+            expire = datetime.now(UTC) + timedelta(
+                minutes=self.expire_minutes
+            )
+        payload.update({"exp": expire})
+        return jwt.encode(payload, self.secret_key, algorithm=self.algorithm)
+
+    def decode_jwt(self,token: str) -> dict:
+        """
+        Decode a JWT token.
+
+        Args:
+            token (str): The token to decode.
+        
+        Returns:
+            dict: The decoded token.
+        """
+        try:
+            return jwt.decode(token, self.secret_key, algorithms=[self.algorithm])
+        except jwt.ExpiredSignatureError:
+            raise UnauthorizedError(detail="Token has expired")
+        except jwt.InvalidTokenError:
+            raise  ValidationError(detail="Invalid token")
+
+    def get_data(self,token: str = Depends(get_token)) -> Dict:
+        """
+        Get the data from the JWT token.
+
+        Args:
+            token (str): The token to get the data from.
+        
+        Returns:
+            Dict: The decoded token.
+        """
+        return self.decode_jwt(token)
+    
+    # === Token Generators ===
+
+    def create_access_token(self,data: Dict, expires_delta: timedelta=None) -> str:
+        """
+        Create an access token.
+
+        Args:
+            data (Dict): The data to encode in the token.
+            expires_delta (timedelta): The expiration time for the token.
+        
+        Returns:
+            str: The access token.
+        """
+        return self.create_jwt_token(data=data, expires_delta=expires_delta)

abs_auth_rbac_core/auth/middleware.py

@@ -0,0 +1,50 @@
+from fastapi import Depends
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+import logging
+from typing import Callable, Any
+
+from .jwt_functions import JWTFunctions
+from .auth_functions import get_user_by_attribute
+from abs_exception_core.exceptions import UnauthorizedError
+
+security = HTTPBearer()
+logger = logging.getLogger(__name__)
+
+
+# Dependency acting like per-route middleware
+def auth_middleware(
+    db_session: Callable[...,Any],
+    jwt_secret_key:str,
+    jwt_algorithm:str
+):
+    """
+    This middleware is used for authentication of the user.
+    Args:
+        db_session: Callable[...,Any]: Session of the SQLAlchemy database engine
+        Users: User table fo teh system
+        jwt_secret_key: Secret key of the JWT for jwt functions
+        jwt_algorithm: Algorithm used for JWT
+
+    Returns:
+    """
+    def get_auth(token: HTTPAuthorizationCredentials = Depends(security)):
+        jwt_functions = JWTFunctions(secret_key=jwt_secret_key,algorithm=jwt_algorithm)
+        try:
+            if not token or not token.credentials:
+                raise UnauthorizedError(detail="Invalid authentication credentials")
+
+            payload = jwt_functions.get_data(token=token.credentials)
+            uuid = payload.get("uuid")
+
+            user = get_user_by_attribute(db_session=db_session,attribute="uuid", value=uuid)
+            
+            if not user:
+                logger.error(f"Authentication failed: User with id {uuid} not found")
+                raise UnauthorizedError(detail="Authentication failed")
+
+            return user  # Attach user for use in route
+
+        except Exception as e:
+            logger.error(f"Authentication error: {str(e)}", exc_info=True)
+            raise UnauthorizedError(detail="Authentication failed")
+    return get_auth

abs_auth_rbac_core/models/__init__.py

@@ -0,0 +1,7 @@
+from .permissions import Permission
+from .roles import Role
+from .user_role import UserRole
+from .user import Users
+from .role_permission import RolePermission
+
+__all__ = ["Permission", "Role", "UserRole", "Users","RolePermission"]

abs_auth_rbac_core/models/base_model.py

@@ -0,0 +1,20 @@
+import uuid
+from datetime import UTC, datetime
+
+from sqlalchemy import Column, DateTime, Integer, String
+from sqlalchemy.ext.declarative import declarative_base
+
+Base = declarative_base()
+
+
+class BaseModel(Base):
+    """
+    Base model for all models
+    """
+    __abstract__ = True
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    uuid = Column(String(36), unique=True, default=lambda: str(uuid.uuid4()))
+    created_at = Column(DateTime, default=lambda: datetime.now(UTC))
+    updated_at = Column(
+        DateTime, default=lambda: datetime.now(UTC), onupdate=lambda: datetime.now(UTC)
+    )

abs_auth_rbac_core/models/gov_casbin_rule.py

@@ -0,0 +1,25 @@
+from casbin_sqlalchemy_adapter import CasbinRule as BaseCasbinRule
+from sqlalchemy import Column, Integer, String
+
+
+class GovCasbinRule(BaseCasbinRule):
+    __tablename__ = "gov_casbin_rule"
+    __mapper_args__ = {"polymorphic_identity": "gov_casbin_rule", "concrete": True}
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    ptype = Column(String(255))
+    v0 = Column(String(255))
+    v1 = Column(String(255))
+    v2 = Column(String(255))
+    v3 = Column(String(255))
+    v4 = Column(String(255))
+    v5 = Column(String(255))
+
+    def __init__(self, ptype=None, v0=None, v1=None, v2=None, v3=None, v4=None, v5=None):
+        self.ptype = ptype
+        self.v0 = v0
+        self.v1 = v1
+        self.v2 = v2
+        self.v3 = v3
+        self.v4 = v4
+        self.v5 = v5

abs_auth_rbac_core/models/permissions.py

@@ -0,0 +1,26 @@
+from sqlalchemy import Column, String
+from sqlalchemy.orm import relationship
+
+from abs_auth_rbac_core.models.rbac_model import RBACBaseModel
+
+
+class Permission(RBACBaseModel):
+    """Permission model representing system permissions"""
+
+    __tablename__ = "gov_permissions"
+
+    resource = Column(
+        String(100), index=True
+    )  # The resource this permission applies to
+    
+    action = Column(
+        String(50), index=True
+    )  # The action allowed (e.g., read, write, delete)
+
+    module = Column(String(100), index=True)
+    # The module this permission applies to
+
+    # Relationships
+    roles = relationship(
+        "Role", secondary="gov_role_permissions", back_populates="permissions"
+    )

abs_auth_rbac_core/models/rbac_model.py

@@ -0,0 +1,10 @@
+from abs_auth_rbac_core.models.base_model import BaseModel
+from sqlalchemy import Column, String
+
+class RBACBaseModel(BaseModel):
+    """Base model for RBAC entities with common fields"""
+
+    __abstract__ = True
+
+    name = Column(String(100), index=True, unique=True)
+    description = Column(String(500), nullable=True)

abs_auth_rbac_core/models/role_permission.py

@@ -0,0 +1,12 @@
+from sqlalchemy import Column, ForeignKey, String
+
+from abs_auth_rbac_core.models.base_model import BaseModel
+
+
+class RolePermission(BaseModel):
+    """Association model between roles and permissions"""
+
+    __tablename__ = "gov_role_permissions"
+
+    role_uuid = Column(String(36), ForeignKey("gov_roles.uuid"), index=True)
+    permission_uuid = Column(String(36), ForeignKey("gov_permissions.uuid"), index=True)

abs_auth_rbac_core/models/roles.py

@@ -0,0 +1,21 @@
+from sqlalchemy.orm import relationship
+
+from abs_auth_rbac_core.models.rbac_model import RBACBaseModel
+
+
+class Role(RBACBaseModel):
+    """Role model representing user roles in the system"""
+    __tablename__ = "gov_roles"
+
+    # Relationships
+    permissions = relationship(
+        "Permission", secondary="gov_role_permissions", back_populates="roles"
+    )
+    users = relationship(
+        "Users", secondary="gov_user_roles", back_populates="roles", overlaps="user_roles"
+    )
+    user_roles = relationship(
+        "UserRole", back_populates="role", cascade="all, delete-orphan", overlaps="users,roles"
+    )
+
+    eagers = ["permissions", "users"]

abs_auth_rbac_core/models/seeder/permission_seeder.py

@@ -0,0 +1,101 @@
+from loguru import logger
+from sqlalchemy.orm import Session
+from typing import List,Callable
+
+from ...util.permission_constants import (
+    PermissionConstants
+)
+from ...models import ( Permission,Role,UserRole,Users)
+
+
+def seed_permissions(db:Session,emails:List[str]=[]) -> None:
+    """Seed permissions into the database"""
+    logger.info("Starting permission seeding...")
+
+    # Get all current permissions
+    current_permissions = {p.name: p for p in db.query(Permission).all()}
+
+    # Get all defined permissions from constants
+    defined_permissions = {
+        p.name: p for p in PermissionConstants.get_all_permissions()
+    }
+
+    logger.info(f"Found {len(current_permissions)} existing permissions")
+    logger.info(f"Found {len(defined_permissions)} defined permissions")
+
+    # Update or create permissions
+    for name, permission_data in defined_permissions.items():
+        if name in current_permissions:
+            # Update existing permission
+            existing_permission = current_permissions[name]
+            existing_permission.description = permission_data.description
+            existing_permission.resource = permission_data.resource
+            existing_permission.action = permission_data.action
+            existing_permission.module = permission_data.module
+            logger.debug(f"Updated permission: {name}")
+        else:
+            # Create new permission
+            new_permission = Permission(
+                name=permission_data.name,
+                description=permission_data.description,
+                resource=permission_data.resource,
+                action=permission_data.action,
+                module=permission_data.module
+            )
+            db.add(new_permission)
+            logger.debug(f"Created new permission: {name}")
+
+    # Remove permissions that no longer exist in constants
+    for name in current_permissions:
+        if name not in defined_permissions:
+            db.delete(current_permissions[name])
+            logger.debug(f"Removed obsolete permission: {name}")
+
+    logger.success("Permission seeding completed successfully!")
+
+    # Create or get super admin role
+    super_admin_role = db.query(Role).filter(Role.name == "super_admin").first()
+    if not super_admin_role:
+        super_admin_role = Role(
+            name="super_admin",
+            description="Super Administrator with all permissions",
+        )
+        db.add(super_admin_role)
+        db.flush()  # Get the role UUID
+
+    logger.info("Created super admin role.") 
+
+    for email in emails:
+        user = db.query(Users).filter(Users.email == email).first()
+        if not user:
+            # Create new user
+            user = Users(
+                email=email,
+                name=email.split("@")[0],  # Use part before @ as name
+                is_active=True,
+            )
+            db.add(user)
+            db.flush()  # Get the user UUID
+            logger.info(f"Created new user: {email}")
+
+        # Check if user already has super admin role
+        existing_role = (
+            db.query(UserRole)
+            .filter(
+                UserRole.user_uuid == user.uuid,
+                UserRole.role_uuid == super_admin_role.uuid,
+            )
+            .first()
+        )
+
+        if not existing_role:
+            # Assign super admin role to user
+            user_role = UserRole(
+                user_uuid=user.uuid,
+                role_uuid=super_admin_role.uuid,
+            )
+            db.add(user_role)
+            logger.info(f"Assigned super admin role to user: {email}")
+
+    db.commit()
+    logger.success("Super admin seeding completed successfully!")

abs_auth_rbac_core/models/user.py

@@ -0,0 +1,27 @@
+from sqlalchemy import Boolean, Column, DateTime, String, Integer
+from sqlalchemy.orm import relationship
+
+from abs_auth_rbac_core.models.base_model import BaseModel
+
+
+class Users(BaseModel):
+    """User model representing the user in the system"""
+    __tablename__ = "gov_users"
+
+    email = Column(String(255), unique=True, index=True, nullable=False)
+    name = Column(String(100), nullable=False)
+    is_active = Column(Boolean, default=True)
+    last_login_at = Column(DateTime, nullable=True)
+
+    # Relationships
+    roles = relationship(
+        "Role", secondary="gov_user_roles", back_populates="users", lazy="joined", overlaps="user_roles"
+    )
+    user_roles = relationship(
+        "UserRole",
+        back_populates="user",
+        cascade="all, delete-orphan",
+        overlaps="roles"
+    )
+
+    eagers = ["roles"]

abs_auth_rbac_core/models/user_role.py

@@ -0,0 +1,20 @@
+from sqlalchemy import Column, ForeignKey, String
+from sqlalchemy.orm import relationship
+
+from abs_auth_rbac_core.models.base_model import BaseModel
+
+
+class UserRole(BaseModel):
+    """Association table for User-Role relationship"""
+    __tablename__ = "gov_user_roles"
+
+    user_uuid = Column(
+        String(36), ForeignKey("gov_users.uuid", ondelete="CASCADE"), nullable=False
+    )
+    role_uuid = Column(
+        String(36), ForeignKey("gov_roles.uuid", ondelete="CASCADE"), nullable=False
+    )
+
+    # Corrected relationships
+    user = relationship("Users", back_populates="user_roles",  overlaps="roles,users")
+    role = relationship("Role", back_populates="user_roles",  overlaps="roles,users")

abs_auth_rbac_core/rbac/__init__.py

@@ -0,0 +1,2 @@
+from .decorator import rbac_require_permission
+from .service import RBACService

abs_auth_rbac_core/rbac/database.py

@@ -0,0 +1,52 @@
+from contextlib import AbstractContextManager, contextmanager
+from typing import Any, Generator
+from loguru import logger
+
+from sqlalchemy import create_engine, orm
+from sqlalchemy.orm import Session
+from abs_repository_core.models import BaseModel
+
+
+class Database:
+    def __init__(self, db_url: str) -> None:
+        """
+        Initialize the database engine and session factory
+        """
+        self._engine = create_engine(
+            db_url,
+            echo=False,
+            echo_pool=False,
+            pool_pre_ping=True,
+            pool_recycle=3600,
+            query_cache_size=0,
+        )
+        self._session_factory = orm.scoped_session(
+            orm.sessionmaker(
+                autocommit=False,
+                autoflush=False,
+                bind=self._engine,
+            ),
+        )
+
+    def create_database(self) -> None:
+        """
+        Create all the tables in the database
+        """
+        BaseModel.metadata.create_all(self._engine)
+
+    @contextmanager
+    def session(self) -> Generator[Any, Any, AbstractContextManager[Session]]:
+        """
+        Provides a database session for the request
+        """
+        session: Session = self._session_factory()
+        try:
+            yield session
+        except Exception as e:
+            session.rollback()
+            import traceback
+
+            logger.error(f"Exception: {e}\n{traceback.format_exc()}")
+            raise e
+        finally:
+            session.close()

abs_auth_rbac_core/rbac/decorator.py

@@ -0,0 +1,48 @@
+from functools import wraps
+from typing import Dict, List, Union
+
+from abs_exception_core.exceptions import PermissionDeniedError
+from .service import RBACService
+
+def rbac_require_permission(permissions: Union[str, List[str]]):
+    """
+    Decorator to enforce all required permissions for a user.
+
+    Args:
+        permissions (str | list[str]): One or more "resource:action" strings.
+
+    Raises:
+        PermissionDeniedError: If the user lacks any one of the required permissions.
+    """
+    if isinstance(permissions, str):
+        permissions = [permissions]
+
+    def decorator(func):
+        @wraps(func)
+        async def wrapper(
+            *args, current_user: Dict,rbac_service:RBACService, **kwargs,
+        ):
+            current_user_id = current_user.get("uuid")
+            if not current_user_id:
+                raise PermissionDeniedError(
+                    detail="User not found (missing 'uuid')."
+                )
+            for perm in permissions:
+                try:
+                    module, resource, action = perm.split(":")
+                except ValueError:
+                    raise ValueError(
+                        f"Invalid permission format: '{perm}'. Expected 'module:resource:action'."
+                    )
+                
+                has_permission = rbac_service.check_permission(
+                    user_uuid=current_user_id, resource=resource, action=action,module=module
+                )
+
+                if not has_permission:
+                    raise PermissionDeniedError(
+                        detail=f"Permission denied: {action} on {resource} in {module}"
+                    )
+            return await func(*args, current_user=current_user,rbac_service=rbac_service, **kwargs)
+        return wrapper
+    return decorator

abs_auth_rbac_core/rbac/policy.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act, module
+
+[policy_definition]
+p = sub, obj, act, module
+
+[role_definition]
+g = _, _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = (g(r.sub, p.sub, r.module) && r.obj == p.obj && r.act == p.act && r.module == p.module) || r.sub == "super_admin"