ecodev-core 0.0.1__py3-none-any.whl

ecodev_core/__init__.py

@@ -0,0 +1,79 @@
+"""
+Module listing all public method from the ecodev_core modules
+"""
+from ecodev_core.app_activity import AppActivity
+from ecodev_core.app_activity import dash_monitor
+from ecodev_core.app_activity import fastapi_monitor
+from ecodev_core.app_activity import get_method
+from ecodev_core.app_activity import get_recent_activities
+from ecodev_core.app_rights import AppRight
+from ecodev_core.app_user import AppUser
+from ecodev_core.app_user import select_user
+from ecodev_core.app_user import upsert_app_users
+from ecodev_core.auth_configuration import AUTH
+from ecodev_core.authentication import attempt_to_log
+from ecodev_core.authentication import get_access_token
+from ecodev_core.authentication import get_app_services
+from ecodev_core.authentication import get_current_user
+from ecodev_core.authentication import get_user
+from ecodev_core.authentication import is_admin_user
+from ecodev_core.authentication import is_authorized_user
+from ecodev_core.authentication import is_monitoring_user
+from ecodev_core.authentication import JwtAuth
+from ecodev_core.authentication import SCHEME
+from ecodev_core.authentication import Token
+from ecodev_core.check_dependencies import check_dependencies
+from ecodev_core.check_dependencies import compute_dependencies
+from ecodev_core.custom_equal import custom_equal
+from ecodev_core.db_connection import create_db_and_tables
+from ecodev_core.db_connection import DB_URL
+from ecodev_core.db_connection import delete_table
+from ecodev_core.db_connection import engine
+from ecodev_core.db_connection import get_session
+from ecodev_core.db_connection import info_message
+from ecodev_core.db_filters import ServerSideFilter
+from ecodev_core.db_insertion import generic_insertion
+from ecodev_core.db_insertion import get_raw_df
+from ecodev_core.db_retrieval import count_rows
+from ecodev_core.db_retrieval import get_rows
+from ecodev_core.db_retrieval import ServerSideField
+from ecodev_core.enum_utils import enum_converter
+from ecodev_core.list_utils import first_or_default
+from ecodev_core.list_utils import first_transformed_or_default
+from ecodev_core.list_utils import group_by_value
+from ecodev_core.list_utils import lselect
+from ecodev_core.list_utils import lselectfirst
+from ecodev_core.logger import log_critical
+from ecodev_core.logger import logger_get
+from ecodev_core.pandas_utils import jsonify_series
+from ecodev_core.pandas_utils import pd_equals
+from ecodev_core.permissions import Permission
+from ecodev_core.pydantic_utils import Basic
+from ecodev_core.pydantic_utils import CustomFrozen
+from ecodev_core.pydantic_utils import Frozen
+from ecodev_core.pydantic_utils import OrmFrozen
+from ecodev_core.read_write import load_json_file
+from ecodev_core.read_write import make_dir
+from ecodev_core.read_write import write_json_file
+from ecodev_core.safe_utils import boolify
+from ecodev_core.safe_utils import floatify
+from ecodev_core.safe_utils import intify
+from ecodev_core.safe_utils import safe_clt
+from ecodev_core.safe_utils import SafeTestCase
+from ecodev_core.safe_utils import SimpleReturn
+from ecodev_core.safe_utils import stringify
+
+
+__all__ = [
+    'AUTH', 'Token', 'get_app_services', 'attempt_to_log', 'get_current_user', 'is_admin_user',
+    'write_json_file', 'load_json_file', 'make_dir', 'check_dependencies', 'compute_dependencies',
+    'engine', 'create_db_and_tables', 'get_session', 'info_message', 'group_by_value', 'OrmFrozen',
+    'first_or_default', 'lselect', 'lselectfirst', 'first_transformed_or_default', 'log_critical',
+    'logger_get', 'Permission', 'AppUser', 'AppRight', 'Basic', 'Frozen', 'CustomFrozen', 'JwtAuth',
+    'SafeTestCase', 'SimpleReturn', 'safe_clt', 'stringify', 'boolify', 'get_user', 'floatify',
+    'delete_table', 'SCHEME', 'DB_URL', 'pd_equals', 'jsonify_series', 'upsert_app_users', 'intify',
+    'enum_converter', 'ServerSideFilter', 'get_rows', 'count_rows', 'ServerSideField', 'get_raw_df',
+    'generic_insertion', 'custom_equal', 'is_authorized_user', 'get_method', 'AppActivity',
+    'fastapi_monitor', 'dash_monitor', 'is_monitoring_user', 'get_recent_activities', 'select_user',
+    'get_access_token'
+]

ecodev_core/app_activity.py

@@ -0,0 +1,108 @@
+"""
+Module implementing a simple monitoring table
+"""
+import inspect
+from datetime import datetime
+from typing import Dict
+from typing import Optional
+
+from sqlmodel import col
+from sqlmodel import Field
+from sqlmodel import select
+from sqlmodel import Session
+from sqlmodel import SQLModel
+
+from ecodev_core.app_user import AppUser
+from ecodev_core.authentication import get_user
+from ecodev_core.db_connection import engine
+
+
+"""
+Simple helper to retrieve the method name in which this helper is called
+
+NB: this is meant to stay a lambda, otherwise the name retrieved is get_method, not the caller
+"""
+
+
+def get_method(): return inspect.stack()[1][3]
+
+
+class AppActivityBase(SQLModel):
+    """
+    Simple monitoring class
+
+    Attributes are:
+        - user: the name of the user that triggered the monitoring log
+        - application: the application in which the user triggered the monitoring log
+        - method: the method called by the user  that triggered the monitoring log
+        - relevant_option: if filled, complementary information on method (num of treated lines...)
+    """
+    user: str = Field(index=True)
+    application: str = Field(index=True)
+    method: str = Field(index=True)
+    relevant_option: Optional[str] = Field(index=True, default=None)
+
+
+class AppActivity(AppActivityBase, table=True):  # type: ignore
+    """
+    The table version of the AppActivityBase monitoring class
+    """
+    __tablename__ = 'app_activity'
+    id: Optional[int] = Field(default=None, primary_key=True)
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+
+
+def dash_monitor(method: str,
+                 token: Dict,
+                 application: str,
+                 relevant_option: Optional[str] = None):
+    """
+    Generic dash monitor.
+
+     Attributes are:
+        - method: the method called by the user  that triggered the monitoring log
+        - token: contains the information on the user that triggered the monitoring log
+        - application: the application in which the user triggered the monitoring log
+        - relevant_option: if filled, complementary information on method (num of treated lines...)
+    """
+    with Session(engine) as session:
+        user = get_user(token.get('token', {}).get('access_token'))
+        add_activity_to_db(method, user, application, session, relevant_option)
+
+
+def fastapi_monitor(method: str,
+                    user: AppUser,
+                    application: str,
+                    session: Session,
+                    relevant_option: Optional[str] = None):
+    """
+    Generic fastapi monitor.
+
+     Attributes are:
+        - method: the method called by the user  that triggered the monitoring log
+        - user: the name of the user that triggered the monitoring log
+        - application: the application in which the user triggered the monitoring log
+        - session: db connection
+        - relevant_option: if filled, complementary information on method (num of treated lines...)
+    """
+    add_activity_to_db(method, user, application, session, relevant_option)
+
+
+def add_activity_to_db(method: str,
+                       user: AppUser,
+                       application: str,
+                       session: Session,
+                       relevant_option: Optional[str] = None):
+    """
+    Add a new entry in AppActivity given the passed arguments
+    """
+    session.add(AppActivity(user=user.user, application=application, method=method,
+                            relevant_option=relevant_option))
+    session.commit()
+
+
+def get_recent_activities(last_date: str, session: Session):
+    """
+    Returns all activities that happened after last_date
+    """
+    return session.exec(select(AppActivity).where(col(AppActivity.created_at) > last_date)).all()

ecodev_core/app_rights.py

@@ -0,0 +1,24 @@
+"""
+Module implementing the sqlmodel orm part of the right table
+"""
+from typing import Optional
+from typing import TYPE_CHECKING
+
+from sqlmodel import Field
+from sqlmodel import Relationship
+from sqlmodel import SQLModel
+
+
+if TYPE_CHECKING:  # pragma: no cover
+    from ecodev_core.app_user import AppUser
+
+
+class AppRight(SQLModel, table=True):  # type: ignore
+    """
+    Simple right class: listing all app_services that a particular user can access to
+    """
+    __tablename__ = 'app_right'
+    id: Optional[int] = Field(default=None, primary_key=True)
+    app_service: str
+    user_id: Optional[int] = Field(default=None, foreign_key='app_user.id')
+    user: Optional['AppUser'] = Relationship(back_populates='rights')

ecodev_core/app_user.py

@@ -0,0 +1,92 @@
+"""
+Module implementing the sqlmodel orm part of the user table
+"""
+from pathlib import Path
+from typing import Dict
+from typing import List
+from typing import Optional
+from typing import TYPE_CHECKING
+
+import pandas as pd
+from sqlmodel import col
+from sqlmodel import Field
+from sqlmodel import Relationship
+from sqlmodel import select
+from sqlmodel import Session
+from sqlmodel import SQLModel
+from sqlmodel.sql.expression import SelectOfScalar
+
+from ecodev_core.db_insertion import create_or_update
+from ecodev_core.db_insertion import Insertor
+from ecodev_core.permissions import Permission
+from ecodev_core.read_write import load_json_file
+
+
+if TYPE_CHECKING:  # pragma: no cover
+    from ecodev_core.app_rights import AppRight
+
+
+class AppUser(SQLModel, table=True):  # type: ignore
+    """
+    Simple user class: an id associate to a user with a password
+    """
+    __tablename__ = 'app_user'
+    id: Optional[int] = Field(default=None, primary_key=True)
+    user: str = Field(index=True)
+    password: str
+    permission: Permission = Field(default=Permission.ADMIN)
+    client: Optional[str] = Field(default=None)
+    rights: List['AppRight'] = Relationship(back_populates='user')
+
+
+def user_convertor(df: pd.DataFrame) -> List[Dict]:
+    """
+    Dummy user convertor
+    """
+    return [x for _, x in df.iterrows()]
+
+
+def user_reductor(in_db_row: AppUser,  db_row: AppUser) -> AppUser:
+    """
+    Update an existing in_db_row with new information coming from db_row
+
+    NB: in the future this will maybe handle the client as well
+    """
+    in_db_row.permission = db_row.permission
+    in_db_row.password = db_row.password
+    return in_db_row
+
+
+def user_selector(db_row: AppUser) -> SelectOfScalar:
+    """
+    Criteria on which to decide whether creating a new row or updating an existing one in db
+    """
+    return select(AppUser).where(col(AppUser.user) == db_row.user)
+
+
+USER_INSERTOR = Insertor(convertor=user_convertor, selector=user_selector,
+                         reductor=user_reductor, db_schema=AppUser, read_excel_file=False)
+
+
+def upsert_app_users(file_path: Path, session: Session) -> None:
+    """
+    Upsert db users with a list of users provided in the file_path (json format)
+    """
+    for user in load_json_file(file_path):
+        session.add(create_or_update(session, user, USER_INSERTOR))
+        session.commit()
+
+
+def select_user(username: str, session: Session) -> AppUser:
+    """
+    Helper function to (attempt to) retrieve AppUser from username.
+
+    NB: Used to check whether user exists, before resetting its password.
+    I.e. User does not yet have a token - we are simply checking if
+    an active account exists under that username.
+
+    Raises:
+        sqlalchemy.exc.NoResultFound: Typical error is no users are found.
+        sqlalchemy.exc.MultipleResultsFound: Should normally never be an issue.
+    """
+    return session.exec(select(AppUser).where(col(AppUser.user) == username)).one()

ecodev_core/auth_configuration.py

@@ -0,0 +1,22 @@
+"""
+Module implementing authentication configuration.
+"""
+from pydantic import BaseSettings
+
+
+class AuthenticationConfiguration(BaseSettings):
+    """
+    Simple authentication configuration class
+    """
+    secret_key: str
+    algorithm: str
+    access_token_expire_minutes: int
+
+    class Config:
+        """
+        Config class specifying the name of the environment file to read
+        """
+        env_file = '.env'
+
+
+AUTH = AuthenticationConfiguration()

ecodev_core/authentication.py

@@ -0,0 +1,226 @@
+"""
+Module implementing all jwt security logic
+"""
+from datetime import datetime
+from datetime import timedelta
+from datetime import timezone
+from typing import Any
+from typing import Dict
+from typing import List
+from typing import Optional
+from typing import Union
+
+from fastapi import APIRouter
+from fastapi import Depends
+from fastapi import HTTPException
+from fastapi import status
+from fastapi.security import OAuth2PasswordBearer
+from jose import jwt
+from jose import JWTError
+from passlib.context import CryptContext
+from sqladmin.authentication import AuthenticationBackend
+from sqlmodel import col
+from sqlmodel import select
+from sqlmodel import Session
+from starlette.requests import Request
+from starlette.responses import RedirectResponse
+
+from ecodev_core.app_user import AppUser
+from ecodev_core.auth_configuration import AUTH
+from ecodev_core.db_connection import engine
+from ecodev_core.logger import logger_get
+from ecodev_core.permissions import Permission
+from ecodev_core.pydantic_utils import Frozen
+
+
+SCHEME = OAuth2PasswordBearer(tokenUrl='login')
+auth_router = APIRouter(tags=['authentication'])
+CONTEXT = CryptContext(schemes=['bcrypt'], deprecated='auto')
+MONITORING = 'monitoring'
+MONITORING_ERROR = 'Could not validate credentials. You need to be the monitoring user to call this'
+INVALID_USER = 'Invalid User'
+ADMIN_ERROR = 'Could not validate credentials. You need admin rights to call this'
+INVALID_CREDENTIALS = 'Invalid Credentials'
+log = logger_get(__name__)
+
+
+class Token(Frozen):
+    """
+    Simple class for storing token value and type
+    """
+    access_token: str
+    token_type: str
+
+
+class TokenData(Frozen):
+    """
+    Simple class storing token id information
+    """
+    id: int
+
+
+def get_access_token(token: Dict[str, Any]):
+    """
+    Robust method to return access token or None
+    """
+    try:
+        return token.get('token', {}).get('access_token')
+    except AttributeError:
+        return None
+
+
+def get_app_services(user: AppUser, session: Session) -> List[str]:
+    """
+    Retrieve all app services the passed user has access to
+    """
+    if db_user := session.exec(select(AppUser).where(col(AppUser.id) == user.id)).first():
+        return [right.app_service for right in db_user.rights]
+    return []
+
+
+class JwtAuth(AuthenticationBackend):
+    """
+    Sqladmin security class. Implement login/logout procedure as well as the authentication check.
+    """
+
+    async def login(self, request: Request) -> bool:
+        """
+        Login procedure: factorized with the fastapi jwt logic
+        """
+        form = await request.form()
+        if token := self.authorized(form):
+            request.session.update(token)
+        return True if token else False
+
+    @staticmethod
+    def authorized(form: Dict):
+        """
+        Check that the user information contained in the form corresponds to an admin user
+        """
+        with Session(engine) as session:
+            try:
+                token = attempt_to_log(form.get('username', ''), form.get('password', ''), session)
+                if is_admin_user(token['access_token']):
+                    return token
+                return None
+            except HTTPException:
+                return None
+
+    async def logout(self, request: Request) -> bool:
+        """
+        Logout procedure: clears the cache
+        """
+        request.session.clear()
+        return True
+
+    async def authenticate(self, request: Request) -> Optional[RedirectResponse]:
+        """
+        Authentication procedure
+        """
+        return (token := request.session.get('access_token')) and is_admin_user(token)
+
+
+def attempt_to_log(user: str,
+                   password: str,
+                   session: Session) -> Union[Dict, HTTPException]:
+    """
+    Factorized security logic. Ensure that the user is a legit one with a valid password
+    """
+    selector = select(AppUser).where(col(AppUser.user) == user)
+    if not (db_user := session.exec(selector).first()):
+        log.warning('unauthorized user')
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=INVALID_USER)
+    if not _check_password(password, db_user.password):
+        log.warning('invalid user')
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=INVALID_CREDENTIALS)
+
+    return {'access_token': _create_access_token(data={'user_id': db_user.id}),
+            'token_type': 'bearer'}
+
+
+def is_authorized_user(token: str = Depends(SCHEME)) -> bool:
+    """
+    Check if the passed token corresponds to an authorized user
+    """
+    try:
+        return get_current_user(token) is not None
+    except Exception:
+        return False
+
+
+def get_user(token: str = Depends(SCHEME)) -> AppUser:
+    """
+    Retrieves (if it exists) the db user corresponding to the passed token
+    """
+    if user := get_current_user(token):
+        return user
+    raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=INVALID_CREDENTIALS,
+                        headers={'WWW-Authenticate': 'Bearer'})
+
+
+def get_current_user(token: str) -> Union[AppUser, None]:
+    """
+    Retrieves (if it exists) a valid (meaning who has valid credentials) user from the db
+    """
+    token = _verify_access_token(token)
+    with Session(engine) as session:
+        return session.exec(select(AppUser).where(col(AppUser.id) == token.id)).first()
+
+
+def is_admin_user(token: str = Depends(SCHEME)) -> AppUser:
+    """
+    Retrieves (if it exists) the admin (meaning who has valid credentials) user from the db
+    """
+    if (user := get_current_user(token)) and user.permission == Permission.ADMIN:
+        return user
+    raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=ADMIN_ERROR,
+                        headers={'WWW-Authenticate': 'Bearer'})
+
+
+def is_monitoring_user(token: str = Depends(SCHEME)) -> AppUser:
+    """
+    Retrieves (if it exists) the monitoring user from the db
+    """
+    if (user := get_current_user(token)) and user.user == MONITORING:
+        return user
+    raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED,
+                        detail=MONITORING_ERROR, headers={'WWW-Authenticate': 'Bearer'})
+
+
+def _create_access_token(data: Dict) -> str:
+    """
+    Create an access token out of the passed data. Only called if credentials are valid
+    """
+    to_encode = data.copy()
+    expire = datetime.now(timezone.utc) + timedelta(minutes=AUTH.access_token_expire_minutes)
+    to_encode.update({'exp': expire})
+    return jwt.encode(to_encode, AUTH.secret_key, algorithm=AUTH.algorithm)
+
+
+def _verify_access_token(token: str) -> TokenData:
+    """
+    Retrieves the token data associated to the passed token if it contains valid credential info.
+    """
+    try:
+        payload = jwt.decode(token, AUTH.secret_key, algorithms=[AUTH.algorithm])
+        if (user_id := payload.get('user_id')) is None:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=INVALID_USER,
+                                headers={'WWW-Authenticate': 'Bearer'})
+        return TokenData(id=user_id)
+    except JWTError as e:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=INVALID_CREDENTIALS,
+                            headers={'WWW-Authenticate': 'Bearer'}) from e
+
+
+def _hash_password(password: str) -> str:
+    """
+    Hashes the passed password (encoding).
+    """
+    return CONTEXT.hash(password)
+
+
+def _check_password(plain_password: str, hashed_password: str) -> bool:
+    """
+    Check the passed password (compare it to the passed encoded one).
+    """
+    return CONTEXT.verify(plain_password, hashed_password)