coati-payroll 0.0.2__py3-none-any.whl

coati_payroll/rate_limiting.py

@@ -0,0 +1,83 @@
+# Copyright 2025 BMO Soluciones, S.A.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Rate limiting configuration for the application.
+
+This module configures rate limiting to protect against brute force attacks
+and abuse, particularly for authentication endpoints.
+"""
+
+from __future__ import annotations
+
+from os import environ
+from flask_limiter import Limiter
+from flask_limiter.util import get_remote_address
+
+
+def get_rate_limiter_storage():
+    """Get storage backend for rate limiter based on available configuration.
+
+    Returns:
+        str: Storage URI for rate limiter
+        - Uses Redis if REDIS_URL or SESSION_REDIS_URL is available (production)
+        - Falls back to memory storage for development/testing
+    """
+    # Try to get Redis URL from environment
+    redis_url = environ.get("REDIS_URL") or environ.get("SESSION_REDIS_URL")
+
+    if redis_url:
+        # Use Redis for distributed rate limiting (production)
+        return redis_url
+    else:
+        # Use memory storage for development/testing
+        # Note: This won't work across multiple processes
+        return "memory://"
+
+
+def configure_rate_limiting(app):
+    """Configure rate limiting for the Flask application.
+
+    Sets up Flask-Limiter with appropriate storage backend:
+    - Redis for production (distributed, persistent)
+    - Memory for development (simple, non-persistent)
+
+    Args:
+        app: Flask application instance
+
+    Returns:
+        Limiter: Configured Flask-Limiter instance
+    """
+    from coati_payroll.log import log
+
+    storage_uri = get_rate_limiter_storage()
+
+    # Log which storage backend we're using
+    if storage_uri.startswith("redis"):
+        log.info("Rate limiting configured with Redis storage (production mode)")
+    else:
+        log.info("Rate limiting configured with memory storage (development mode)")
+
+    limiter = Limiter(
+        app=app,
+        key_func=get_remote_address,
+        storage_uri=storage_uri,
+        default_limits=["200 per day", "50 per hour"],  # Global limits
+        storage_options={"socket_connect_timeout": 30},
+        strategy="fixed-window",  # Count resets at fixed intervals
+    )
+
+    # Note: Specific endpoint rate limits can be applied using decorators in the blueprints.
+    # For the login endpoint, we apply a stricter limit (5 per minute) to prevent brute force.
+    # This is documented in the security audit report.
+
+    return limiter

coati_payroll/rbac.py

@@ -0,0 +1,183 @@
+# Copyright 2025 BMO Soluciones, S.A.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Role-Based Access Control (RBAC) utilities.
+
+This module provides decorators and utilities for implementing role-based
+access control throughout the application.
+
+User Types:
+    - admin: Full access to all functionalities
+    - hhrr: HR personnel with access to employee and payroll management
+    - audit: Read-only access for auditing purposes
+"""
+
+from __future__ import annotations
+
+# <-------------------------------------------------------------------------> #
+# Standard library
+# <-------------------------------------------------------------------------> #
+from functools import wraps
+
+# <-------------------------------------------------------------------------> #
+# Third party libraries
+# <-------------------------------------------------------------------------> #
+from flask import abort, flash, redirect, url_for
+from flask_login import current_user
+
+# <-------------------------------------------------------------------------> #
+# Third party libraries
+# <-------------------------------------------------------------------------> #
+from coati_payroll.enums import TipoUsuario
+from coati_payroll.i18n import _
+
+
+def require_role(*allowed_roles: str):
+    """Decorator to restrict access to specific user roles.
+
+    Args:
+        *allowed_roles: Variable number of allowed role strings (admin, hhrr, audit)
+
+    Returns:
+        Decorated function that checks user role before execution
+
+    Example:
+        @require_role(TipoUsuario.ADMIN)
+        def admin_only_view():
+            pass
+
+        @require_role(TipoUsuario.ADMIN, TipoUsuario.HHRR)
+        def admin_or_hr_view():
+            pass
+    """
+
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            if not current_user.is_authenticated:
+                flash(_("Favor iniciar sesión para acceder al sistema."), "warning")
+                return redirect(url_for("auth.login"))
+
+            # Check if user has required role
+            if current_user.tipo not in allowed_roles:
+                flash(_("No tiene permisos para acceder a esta funcionalidad."), "danger")
+                abort(403)
+
+            return f(*args, **kwargs)
+
+        return decorated_function
+
+    return decorator
+
+
+def require_read_access():
+    """Decorator to allow read access to admin, hhrr, and audit users.
+
+    This is used for listing and viewing data where all user types should
+    have access but audit users are read-only.
+
+    Returns:
+        Decorated function that allows read access to all authenticated users
+
+    Example:
+        @require_read_access()
+        def list_employees():
+            pass
+    """
+
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            if not current_user.is_authenticated:
+                flash(_("Favor iniciar sesión para acceder al sistema."), "warning")
+                return redirect(url_for("auth.login"))
+
+            # All authenticated users can read
+            return f(*args, **kwargs)
+
+        return decorated_function
+
+    return decorator
+
+
+def require_write_access():
+    """Decorator to restrict write operations to admin and hhrr users only.
+
+    Audit users are denied access to create, update, or delete operations.
+
+    Returns:
+        Decorated function that checks write permissions
+
+    Example:
+        @require_write_access()
+        def create_employee():
+            pass
+
+        @require_write_access()
+        def update_employee():
+            pass
+    """
+
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            if not current_user.is_authenticated:
+                flash(_("Favor iniciar sesión para acceder al sistema."), "warning")
+                return redirect(url_for("auth.login"))
+
+            # Only admin and hhrr can write
+            if current_user.tipo not in [TipoUsuario.ADMIN, TipoUsuario.HHRR]:
+                flash(_("No tiene permisos para modificar datos. Su rol es de solo lectura."), "danger")
+                abort(403)
+
+            return f(*args, **kwargs)
+
+        return decorated_function
+
+    return decorator
+
+
+def is_admin() -> bool:
+    """Check if current user is an administrator.
+
+    Returns:
+        True if current user has admin role, False otherwise
+    """
+    return current_user.is_authenticated and current_user.tipo == TipoUsuario.ADMIN
+
+
+def is_hhrr() -> bool:
+    """Check if current user is HR personnel.
+
+    Returns:
+        True if current user has hhrr role, False otherwise
+    """
+    return current_user.is_authenticated and current_user.tipo == TipoUsuario.HHRR
+
+
+def is_audit() -> bool:
+    """Check if current user is an auditor.
+
+    Returns:
+        True if current user has audit role, False otherwise
+    """
+    return current_user.is_authenticated and current_user.tipo == TipoUsuario.AUDIT
+
+
+def can_write() -> bool:
+    """Check if current user has write permissions.
+
+    Returns:
+        True if current user is admin or hhrr, False otherwise
+    """
+    return current_user.is_authenticated and current_user.tipo in [TipoUsuario.ADMIN, TipoUsuario.HHRR]