PyPI - geek-cafe-saas-sdk - Versions diffs - 0.6.0__py3-none-any.whl - Mend

geek-cafe-saas-sdk 0.6.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of geek-cafe-saas-sdk might be problematic. Click here for more details.

Files changed (194) hide show

geek_cafe_saas_sdk/domains/auth/services/resource_permission_service.py ADDED Viewed

@@ -0,0 +1,408 @@
+# Resource Permission Service
+from typing import Dict, Any, List, Optional
+from boto3_assist.dynamodb.dynamodb import DynamoDB
+from geek_cafe_saas_sdk.services.database_service import DatabaseService
+from geek_cafe_saas_sdk.core.service_result import ServiceResult
+from geek_cafe_saas_sdk.core.service_errors import ValidationError, NotFoundError, AccessDeniedError
+from geek_cafe_saas_sdk.domains.auth.models import ResourcePermission
+import datetime as dt
+import time
+class ResourcePermissionService(DatabaseService[ResourcePermission]):
+    """
+    Service for ResourcePermission operations (ABAC).
+    Manages resource-level permission grants for fine-grained sharing.
+    """
+    def __init__(self, *, dynamodb: DynamoDB = None, table_name: str = None):
+        super().__init__(dynamodb=dynamodb, table_name=table_name)
+    # Required abstract methods from DatabaseService
+    def create(self, tenant_id: str, user_id: str, **kwargs) -> ServiceResult[ResourcePermission]:
+        """Create method - delegates to grant_permission()."""
+        required = ['resource_type', 'resource_id', 'permissions', 'grantee_user_id']
+        for field in required:
+            if field not in kwargs:
+                return ServiceResult.error_result(f"{field} is required", "VALIDATION_ERROR")
+        return self.grant_permission(
+            grantee_user_id=kwargs['grantee_user_id'],
+            tenant_id=tenant_id,
+            resource_type=kwargs['resource_type'],
+            resource_id=kwargs['resource_id'],
+            permissions=kwargs['permissions'],
+            granted_by=user_id,
+            reason=kwargs.get('reason'),
+            expires_at=kwargs.get('expires_at')
+        )
+    def get_by_id(self, resource_id: str, tenant_id: str, user_id: str) -> ServiceResult[ResourcePermission]:
+        """Get a specific grant by ID."""
+        try:
+            grant = self._get_model_by_id(resource_id, ResourcePermission)
+            if not grant:
+                raise NotFoundError(f"Grant with ID {resource_id} not found")
+            # Validate tenant access
+            if grant.tenant_id != tenant_id:
+                raise AccessDeniedError("Access denied: different tenant")
+            return ServiceResult.success_result(grant)
+        except Exception as e:
+            return self._handle_service_exception(e, 'get_by_id', resource_id=resource_id)
+    def update(self, resource_id: str, tenant_id: str, user_id: str, updates: Dict[str, Any]) -> ServiceResult[ResourcePermission]:
+        """Update a grant (e.g., change permissions or expiration)."""
+        try:
+            grant = self._get_model_by_id(resource_id, ResourcePermission)
+            if not grant:
+                raise NotFoundError(f"Grant with ID {resource_id} not found")
+            # Validate tenant access
+            if grant.tenant_id != tenant_id:
+                raise AccessDeniedError("Access denied: different tenant")
+            # Apply updates
+            if 'permissions' in updates:
+                grant.permissions = updates['permissions']
+            if 'expires_at' in updates:
+                grant.expires_at = updates['expires_at']
+            if 'reason' in updates:
+                grant.reason = updates['reason']
+            if 'metadata' in updates:
+                grant.metadata = updates['metadata']
+            grant.prep_for_save()
+            return self._save_model(grant)
+        except Exception as e:
+            return self._handle_service_exception(e, 'update', resource_id=resource_id)
+    def delete(self, resource_id: str, tenant_id: str, user_id: str) -> ServiceResult[bool]:
+        """Revoke a grant."""
+        try:
+            grant = self._get_model_by_id(resource_id, ResourcePermission)
+            if not grant:
+                return ServiceResult.success_result(True)  # Already revoked
+            # Validate tenant access
+            if grant.tenant_id != tenant_id:
+                raise AccessDeniedError("Access denied: different tenant")
+            # Hard delete (or could soft delete with deleted_at timestamp)
+            result = self._delete_model(grant)
+            if result.success:
+                return ServiceResult.success_result(True)
+            return result
+        except Exception as e:
+            return self._handle_service_exception(e, 'delete', resource_id=resource_id)
+    # Grant Management Methods
+    def grant_permission(
+        self,
+        grantee_user_id: str,
+        tenant_id: str,
+        resource_type: str,
+        resource_id: str,
+        permissions: List[str],
+        granted_by: str,
+        reason: Optional[str] = None,
+        expires_at: Optional[int] = None,
+        metadata: Optional[Dict[str, Any]] = None
+    ) -> ServiceResult[ResourcePermission]:
+        """
+        Grant resource-level permissions to a user.
+        Args:
+            grantee_user_id: User to grant permissions to
+            tenant_id: Tenant context
+            resource_type: Type of resource (event, community, chat_channel, etc.)
+            resource_id: ID of specific resource
+            permissions: List of permissions to grant (e.g., ["read", "write"])
+            granted_by: User ID granting the permission
+            reason: Optional reason for the grant
+            expires_at: Optional expiration timestamp
+            metadata: Optional additional metadata
+        """
+        try:
+            # Validate inputs
+            if not permissions or len(permissions) == 0:
+                raise ValidationError("At least one permission is required")
+            # Check if grant already exists
+            existing = self.get_grant(grantee_user_id, resource_type, resource_id, tenant_id)
+            if existing.success and existing.data:
+                # Update existing grant
+                grant = existing.data
+                grant.permissions = permissions
+                grant.granted_by = granted_by
+                grant.granted_at = int(time.time())
+                grant.expires_at = expires_at
+                grant.reason = reason
+                if metadata:
+                    grant.metadata = metadata
+            else:
+                # Create new grant
+                grant = ResourcePermission()
+                grant.user_id = grantee_user_id
+                grant.tenant_id = tenant_id
+                grant.resource_type = resource_type
+                grant.resource_id = resource_id
+                grant.permissions = permissions
+                grant.granted_by = granted_by
+                grant.granted_at = int(time.time())
+                grant.expires_at = expires_at
+                grant.reason = reason
+                if metadata:
+                    grant.metadata = metadata
+            grant.prep_for_save()
+            return self._save_model(grant)
+        except Exception as e:
+            return self._handle_service_exception(
+                e, 'grant_permission',
+                user_id=grantee_user_id,
+                resource_type=resource_type,
+                resource_id=resource_id
+            )
+    def revoke_permission(
+        self,
+        grantee_user_id: str,
+        resource_type: str,
+        resource_id: str,
+        tenant_id: str
+    ) -> ServiceResult[bool]:
+        """
+        Revoke all permissions for a user on a resource.
+        Args:
+            grantee_user_id: User to revoke from
+            resource_type: Type of resource
+            resource_id: ID of resource
+            tenant_id: Tenant context
+        """
+        try:
+            grant_result = self.get_grant(grantee_user_id, resource_type, resource_id, tenant_id)
+            if not grant_result.success or not grant_result.data:
+                return ServiceResult.success_result(True)  # Already revoked
+            grant = grant_result.data
+            result = self._delete_model(grant)
+            if result.success:
+                return ServiceResult.success_result(True)
+            return result
+        except Exception as e:
+            return self._handle_service_exception(
+                e, 'revoke_permission',
+                user_id=grantee_user_id,
+                resource_type=resource_type,
+                resource_id=resource_id
+            )
+    def get_grant(
+        self,
+        user_id: str,
+        resource_type: str,
+        resource_id: str,
+        tenant_id: str
+    ) -> ServiceResult[ResourcePermission]:
+        """
+        Get a specific grant for user on resource.
+        Args:
+            user_id: User ID
+            resource_type: Type of resource
+            resource_id: ID of resource
+            tenant_id: Tenant context
+        """
+        try:
+            # Query using GSI1 (user + resource)
+            temp = ResourcePermission()
+            temp.user_id = user_id
+            temp.resource_type = resource_type
+            temp.resource_id = resource_id
+            temp.tenant_id = tenant_id
+            result = self._query_by_index(temp, "gsi1", limit=1)
+            if not result.success:
+                return result
+            if not result.data or len(result.data) == 0:
+                return ServiceResult.error_result("Grant not found", "NOT_FOUND")
+            grant = result.data[0]
+            # Check if expired
+            if grant.expires_at and grant.expires_at < int(time.time()):
+                return ServiceResult.error_result("Grant has expired", "EXPIRED")
+            return ServiceResult.success_result(grant)
+        except Exception as e:
+            return self._handle_service_exception(
+                e, 'get_grant',
+                user_id=user_id,
+                resource_type=resource_type,
+                resource_id=resource_id
+            )
+    def list_user_grants(
+        self,
+        user_id: str,
+        tenant_id: str,
+        limit: int = 50
+    ) -> ServiceResult[List[ResourcePermission]]:
+        """
+        List all grants for a user.
+        Args:
+            user_id: User ID
+            tenant_id: Tenant context
+            limit: Max results
+        """
+        try:
+            temp = ResourcePermission()
+            temp.user_id = user_id
+            temp.tenant_id = tenant_id
+            result = self._query_by_index(temp, "gsi2", limit=limit)
+            if not result.success:
+                return result
+            # Filter out expired grants
+            current_time = int(time.time())
+            active_grants = [
+                grant for grant in result.data
+                if not grant.expires_at or grant.expires_at > current_time
+            ]
+            return ServiceResult.success_result(active_grants)
+        except Exception as e:
+            return self._handle_service_exception(
+                e, 'list_user_grants',
+                user_id=user_id
+            )
+    def list_resource_grants(
+        self,
+        resource_type: str,
+        resource_id: str,
+        tenant_id: str,
+        limit: int = 50
+    ) -> ServiceResult[List[ResourcePermission]]:
+        """
+        List all grants on a resource (who has access).
+        Args:
+            resource_type: Type of resource
+            resource_id: ID of resource
+            tenant_id: Tenant context
+            limit: Max results
+        """
+        try:
+            temp = ResourcePermission()
+            temp.resource_type = resource_type
+            temp.resource_id = resource_id
+            temp.tenant_id = tenant_id
+            result = self._query_by_index(temp, "gsi3", limit=limit)
+            if not result.success:
+                return result
+            # Filter out expired grants
+            current_time = int(time.time())
+            active_grants = [
+                grant for grant in result.data
+                if not grant.expires_at or grant.expires_at > current_time
+            ]
+            return ServiceResult.success_result(active_grants)
+        except Exception as e:
+            return self._handle_service_exception(
+                e, 'list_resource_grants',
+                resource_type=resource_type,
+                resource_id=resource_id
+            )
+    def get_user_permissions_on_resource(
+        self,
+        user_id: str,
+        resource_type: str,
+        resource_id: str,
+        tenant_id: str
+    ) -> List[str]:
+        """
+        Get list of permissions user has on a resource.
+        Args:
+            user_id: User ID
+            resource_type: Type of resource
+            resource_id: ID of resource
+            tenant_id: Tenant context
+        Returns:
+            List of permission strings (e.g., ["read", "write"])
+        """
+        try:
+            grant_result = self.get_grant(user_id, resource_type, resource_id, tenant_id)
+            if grant_result.success and grant_result.data:
+                return grant_result.data.permissions
+            return []
+        except:
+            return []
+    def has_permission_on_resource(
+        self,
+        user_id: str,
+        resource_type: str,
+        resource_id: str,
+        permission: str,
+        tenant_id: str
+    ) -> bool:
+        """
+        Check if user has a specific permission on a resource.
+        Args:
+            user_id: User ID
+            resource_type: Type of resource
+            resource_id: ID of resource
+            permission: Permission to check (e.g., "write")
+            tenant_id: Tenant context
+        Returns:
+            True if user has permission, False otherwise
+        """
+        try:
+            perms = self.get_user_permissions_on_resource(
+                user_id, resource_type, resource_id, tenant_id
+            )
+            # Check for wildcard or specific permission
+            return "*" in perms or permission in perms
+        except:
+            return False

geek_cafe_saas_sdk/domains/auth/services/user_service.py ADDED Viewed

@@ -0,0 +1,274 @@
+# User Service
+from typing import Dict, Any, Optional, List
+from boto3_assist.dynamodb.dynamodb import DynamoDB
+from geek_cafe_saas_sdk.services.database_service import DatabaseService
+from geek_cafe_saas_sdk.core.service_result import ServiceResult
+from geek_cafe_saas_sdk.core.service_errors import ValidationError, NotFoundError, AccessDeniedError
+from geek_cafe_saas_sdk.utilities.dynamodb_utils import build_projection_with_reserved_keywords
+from geek_cafe_saas_sdk.domains.auth.models import User
+import datetime as dt
+class UserService(DatabaseService[User]):
+    def __init__(self, *, dynamodb: DynamoDB = None, table_name: str = None):
+        super().__init__(dynamodb=dynamodb, table_name=table_name)
+    def create(self, tenant_id: str, user_id: str, **kwargs) -> ServiceResult[User]:
+        """Create a new user."""
+        try:
+            # Validate required fields
+            required_fields = ['email', 'first_name', 'last_name']
+            self._validate_required_fields(kwargs, required_fields)
+            # Create user instance using map() approach
+            user = User().map(kwargs)
+            user.tenant_id = tenant_id
+            user.user_id = user_id  # Set creator
+            user.created_by_id = user_id
+            # Prepare for save (sets ID and timestamps)
+            user.prep_for_save()
+            # Save to database
+            return self._save_model(user)
+        except Exception as e:
+            return self._handle_service_exception(e, 'create_user', tenant_id=tenant_id, user_id=user_id)
+    def get_by_id(self, resource_id: str, tenant_id: str, user_id: str) -> ServiceResult[User]:
+        """Get user by ID with access control."""
+        try:
+            user = self._get_model_by_id(resource_id, User)
+            if not user:
+                raise NotFoundError(f"User with ID {resource_id} not found")
+            # Check if deleted
+            if user.is_deleted():
+                raise NotFoundError(f"User with ID {resource_id} not found")
+            # Validate tenant access
+            if hasattr(user, 'tenant_id'):
+                self._validate_tenant_access(user.tenant_id, tenant_id)
+            return ServiceResult.success_result(user)
+        except Exception as e:
+            return self._handle_service_exception(e, 'get_user', resource_id=resource_id, tenant_id=tenant_id)
+    def get_by_email(self, email: str, tenant_id: str, user_id: str) -> ServiceResult[User]:
+        """Get user by email using GSI1."""
+        try:
+            # Create a temporary user instance to get the GSI key
+            temp_user = User()
+            temp_user.email = email
+            result = self._query_by_index(
+                temp_user,
+                "gsi1",
+                ascending=False
+            )
+            if not result.success or not result.data:
+                raise NotFoundError(f"User with email {email} not found")
+            # Get the first (most recent) result
+            user = result.data[0]
+            # Check if deleted
+            if user.is_deleted():
+                raise NotFoundError(f"User with email {email} not found")
+            # Validate tenant access
+            self._validate_tenant_access(user.tenant_id, tenant_id)
+            return ServiceResult.success_result(user)
+        except Exception as e:
+            return self._handle_service_exception(e, 'get_user_by_email', email=email, tenant_id=tenant_id)
+    def get_users_by_tenant(self, tenant_id: str, user_id: str, limit: int = 50) -> ServiceResult[List[User]]:
+        """Get all users for a tenant using GSI2."""
+        try:
+            # Create a temporary user instance to get the GSI key
+            temp_user = User()
+            temp_user.tenant_id = tenant_id
+            result = self._query_by_index(
+                temp_user,
+                "gsi2",
+                ascending=False,  # Most recent first
+                limit=limit
+            )
+            if not result.success:
+                return result
+            # Filter out deleted users and validate tenant access
+            active_users = []
+            for user in result.data:
+                if not user.is_deleted() and user.tenant_id == tenant_id:
+                    active_users.append(user)
+            return ServiceResult.success_result(active_users)
+        except Exception as e:
+            return self._handle_service_exception(e, 'get_users_by_tenant', tenant_id=tenant_id)
+    def get_users_by_role(self, role: str, tenant_id: str, user_id: str, limit: int = 50) -> ServiceResult[List[User]]:
+        """Get users by role within a tenant using GSI3."""
+        try:
+            # Create a temporary user instance to get the GSI key
+            temp_user = User()
+            temp_user._roles = [role]  # Set the primary role
+            result = self._query_by_index(
+                temp_user,
+                "gsi3",
+                ascending=False,  # Most recent first
+                limit=limit
+            )
+            if not result.success:
+                return result
+            # Filter out deleted users and validate tenant access
+            active_users = []
+            for user in result.data:
+                if not user.is_deleted() and user.tenant_id == tenant_id and user.has_role(role):
+                    active_users.append(user)
+            return ServiceResult.success_result(active_users)
+        except Exception as e:
+            return self._handle_service_exception(e, 'get_users_by_role', role=role, tenant_id=tenant_id)
+    def restore_user(self, resource_id: str, tenant_id: str, user_id: str) -> ServiceResult[User]:
+        """Restore a soft-deleted user (admin only)."""
+        try:
+            # Check permissions (admin only)
+            if not self._is_admin_user(user_id, tenant_id):
+                raise AccessDeniedError("Access denied: insufficient permissions")
+            # Get existing user (even if deleted)
+            user = self._get_model_by_id(resource_id, User)
+            if not user:
+                raise NotFoundError(f"User with ID {resource_id} not found")
+            # Validate tenant access
+            if hasattr(user, 'tenant_id'):
+                self._validate_tenant_access(user.tenant_id, tenant_id)
+            # Check if actually deleted
+            if not user.is_deleted():
+                return ServiceResult.success_result(user)  # Already active
+            # Restore: clear deleted timestamp and metadata
+            user.deleted_utc_ts = None
+            user.deleted_by_id = None
+            user.updated_by_id = user_id
+            user.prep_for_save()  # Updates timestamp
+            # Save the restored user
+            save_result = self._save_model(user)
+            if save_result.success:
+                return ServiceResult.success_result(user)
+            else:
+                return save_result
+        except Exception as e:
+            return self._handle_service_exception(e, 'restore_user', resource_id=resource_id, tenant_id=tenant_id)
+    def update(self, resource_id: str, tenant_id: str, user_id: str,
+               updates: Dict[str, Any]) -> ServiceResult[User]:
+        try:
+            # Get existing user
+            user = self._get_model_by_id(resource_id, User)
+            if not user:
+                raise NotFoundError(f"User with ID {resource_id} not found")
+            # Validate tenant access
+            if hasattr(user, 'tenant_id'):
+                self._validate_tenant_access(user.tenant_id, tenant_id)
+            # Check if user can update (admin or self)
+            if not (user_id == resource_id or self._is_admin_user(user_id, tenant_id)):
+                raise AccessDeniedError("Access denied: insufficient permissions")
+            # Prevent non-admins from updating roles
+            if 'roles' in updates and not self._is_admin_user(user_id, tenant_id):
+                raise AccessDeniedError("Access denied: only admins can update roles")
+            # Apply updates
+            for field, value in updates.items():
+                if hasattr(user, field) and field not in ['id', 'created_utc_ts', 'tenant_id', 'organizer_id']:
+                    if field == 'email':
+                        user.email = value
+                    elif field == 'first_name':
+                        user.first_name = value
+                    elif field == 'last_name':
+                        user.last_name = value
+                    elif field == 'roles':
+                        user.roles = value
+                    elif field == 'avatar':
+                        user.avatar = value
+            # Update metadata
+            user.updated_by_id = user_id
+            user.prep_for_save()  # Updates timestamp
+            # Save updated user
+            return self._save_model(user)
+        except Exception as e:
+            return self._handle_service_exception(e, 'update_user', resource_id=resource_id, tenant_id=tenant_id)
+    def delete(self, resource_id: str, tenant_id: str, user_id: str) -> ServiceResult[bool]:
+        """Soft delete user with access control."""
+        try:
+            # Get existing user
+            user = self._get_model_by_id(resource_id, User)
+            if not user:
+                raise NotFoundError(f"User with ID {resource_id} not found")
+            # Check if already deleted
+            if user.is_deleted():
+                return ServiceResult.success_result(True)
+            # Validate tenant access
+            if hasattr(user, 'tenant_id'):
+                self._validate_tenant_access(user.tenant_id, tenant_id)
+            # Check permissions (admin or self)
+            if not (user_id == resource_id or self._is_admin_user(user_id, tenant_id)):
+                raise AccessDeniedError("Access denied: insufficient permissions")
+            # Prevent deleting self
+            if user_id == resource_id:
+                raise ValidationError("Cannot delete your own account")
+            # Soft delete: set deleted timestamp and metadata
+            user.deleted_utc_ts = dt.datetime.now(dt.UTC).timestamp()
+            user.deleted_by_id = user_id
+            user.prep_for_save()  # Updates timestamp
+            # Save the updated user
+            save_result = self._save_model(user)
+            if save_result.success:
+                return ServiceResult.success_result(True)
+            else:
+                return save_result
+        except Exception as e:
+            return self._handle_service_exception(e, 'delete_user', resource_id=resource_id, tenant_id=tenant_id)
+    def _is_admin_user(self, user_id: str, tenant_id: str) -> bool:
+        """Check if user has admin role (placeholder - will be implemented when UserService is available)."""
+        # For now, assume no admin privileges
+        # This will be enhanced when we have user service integration
+        return False

geek_cafe_saas_sdk/domains/communities/__init__.py ADDED Viewed

File without changes

geek_cafe_saas_sdk/domains/communities/handlers/__init__.py ADDED Viewed

File without changes