half-orm-gen 1.0.0a1__py3-none-any.whl

half_orm_gen/scaffolding/roles_core.py

@@ -0,0 +1,62 @@
+"""
+Role composition decorators for half-orm-litestar.
+
+Two decorators are provided:
+
+- @authorize_and(role_name): both the decorated function AND the named role
+  must return True (use for role refinement: "permanent IS a membre").
+
+- @authorize_or(role_name): either the decorated function OR the named role
+  must return True (use for alternative access paths).
+
+Example::
+
+    # api/roles/permanent.py
+    from api.roles.core import authorize_and
+
+    @authorize_and("membre")
+    async def authorize(path_params, jwt_payload):
+        return jwt_payload.is_permanent
+"""
+
+import importlib
+from functools import wraps
+from typing import Awaitable, Callable
+
+AuthorizeFunc = Callable[[dict, object], Awaitable[bool]]
+
+
+def authorize_and(role_name: str) -> Callable[[AuthorizeFunc], AuthorizeFunc]:
+    """Compose authorization with AND logic.
+
+    The named role's authorize() must return True AND the decorated function
+    must return True.
+    """
+    def decorator(func: AuthorizeFunc) -> AuthorizeFunc:
+        @wraps(func)
+        async def wrapper(path_params: dict, jwt_payload) -> bool:
+            role_module = importlib.import_module(f"api.roles.{role_name}")
+            return (
+                await role_module.authorize(path_params, jwt_payload)
+                and await func(path_params, jwt_payload)
+            )
+        return wrapper
+    return decorator
+
+
+def authorize_or(role_name: str) -> Callable[[AuthorizeFunc], AuthorizeFunc]:
+    """Compose authorization with OR logic.
+
+    The named role's authorize() returning True OR the decorated function
+    returning True is sufficient.
+    """
+    def decorator(func: AuthorizeFunc) -> AuthorizeFunc:
+        @wraps(func)
+        async def wrapper(path_params: dict, jwt_payload) -> bool:
+            role_module = importlib.import_module(f"api.roles.{role_name}")
+            return (
+                await role_module.authorize(path_params, jwt_payload)
+                or await func(path_params, jwt_payload)
+            )
+        return wrapper
+    return decorator

half_orm_gen/templates.py

@@ -0,0 +1,454 @@
+"""
+Template strings for the generated api/app.py.
+"""
+
+FRAMEWORK = 'litestar'
+
+HEADER = """\
+# This file is generated by `half_orm litestar generate`. Do not edit by hand.
+from typing import Union, Any, List, TypedDict
+import datetime
+import uuid
+import os
+import sys
+import typing
+from typing import Optional
+
+cur_dir = os.path.dirname(os.path.abspath(__file__))
+sys.path.insert(0, cur_dir)
+par_dir = os.path.join(cur_dir, os.path.pardir)
+sys.path.insert(0, par_dir)
+
+from litestar import Request, Litestar, get, post, patch, put, delete, Response, MediaType
+from litestar.exceptions import HTTPException
+from litestar.status_codes import HTTP_500_INTERNAL_SERVER_ERROR
+from litestar.logging import LoggingConfig
+from litestar.openapi import OpenAPIConfig
+from dataclasses import dataclass, field
+
+from {module} import ho_baseclasses
+from {module} import ho_typeddicts
+from {module} import MODEL
+from api import guards
+
+try:
+    from api.custom.routes import routes
+except ImportError:
+    routes = []
+
+try:
+    from api.custom.middlewares import middlewares
+except ImportError:
+    middlewares = []
+
+try:
+    from api.custom.middlewares.authorization import Authorization
+    _auth_middleware = [Authorization]
+except ImportError:
+    _auth_middleware = []
+
+logging_config = LoggingConfig(
+    loggers={{
+        "app": {{
+            "level": "ERROR",
+            "handlers": ["queue_listener"],
+        }}
+    }}
+)
+
+"""
+
+FOOTER = '''
+_HO_WARN = """
+======================================================================
+  halfORM DEV HELPERS ACTIVE — NOT FOR PRODUCTION
+======================================================================
+  /ho_roles  : exposes all declared roles (no authentication)
+  /ho_access : exposes the full access map filtered by role
+  _get_roles : bearer token used directly as a role name
+               (no signature verification)
+  ho_dev     : super-role with full access to all resources
+               (Authorization: Bearer ho_dev)
+
+  Replace the Authorization middleware with a real JWT implementation
+  before deploying to production.
+======================================================================
+"""
+
+_HO_WARN_SHOWN = False
+
+async def _ho_startup() -> None:
+    global _HO_WARN_SHOWN
+    import sys
+    await MODEL.aconnect()
+    if MODEL._production_mode:
+        raise RuntimeError(
+            "halfORM DEV HELPERS are active (ho_roles, ho_access, _get_roles fallback). "
+            "These routes and the bearer-token-as-role fallback are not safe for production. "
+            "Secure or remove them before deploying."
+        )
+    if not _HO_WARN_SHOWN:
+        print(_HO_WARN, file=sys.stderr, flush=True)
+        _HO_WARN_SHOWN = True
+
+application = Litestar(
+    route_handlers=[{route_handlers}] + routes,
+    middleware=_auth_middleware + middlewares,
+    logging_config=logging_config,
+    on_startup=[_ho_startup],{openapi_config}
+)
+'''
+
+OPENAPI_CONFIG = """
+    openapi_config=OpenAPIConfig(title="{title}", version="{version}"),"""
+
+# ---------------------------------------------------------------------------
+# @api_* route templates
+# ---------------------------------------------------------------------------
+
+IMPORT = "\nfrom {schema} import {module_name} as {module_alias}\n"
+
+GET = """
+@get({litestar_args})
+async def {full_name}({query_params}) -> typing.List[ho_baseclasses.{dc_name}]:
+    return await {module_alias}.{class_name}().{name}({params})
+"""
+
+POST = """
+@post({litestar_args})
+async def {full_name}({query_params}) -> ho_baseclasses.{dc_name}:
+    return await {module_alias}.{class_name}().{name}({params})
+"""
+
+PATCH = """
+@patch({litestar_args})
+async def {full_name}(request: "Request", data: ho_baseclasses.{dc_name}) -> ho_baseclasses.{dc_name}:
+    return await {module_alias}.{class_name}().{name}({params})
+"""
+
+PUT = """
+@put({litestar_args})
+async def {full_name}(request: "Request", {path_params}) -> ho_baseclasses.{dc_name}:
+    return await {module_alias}.{class_name}().{name}({params})
+"""
+
+DELETE = """
+@delete({litestar_args})
+async def {full_name}(request: "Request", {path_params}) -> None:
+    return await {module_alias}.{class_name}().{name}({params})
+"""
+
+DIRECT_API = """
+from {module_str} import {function} as {function_alias}
+"""
+
+HTTP = {
+    'GET':    GET,
+    'POST':   POST,
+    'PATCH':  PATCH,
+    'PUT':    PUT,
+    'DELETE': DELETE,
+}
+
+# ---------------------------------------------------------------------------
+# Auto-CRUD templates
+# ---------------------------------------------------------------------------
+
+CRUD_HELPERS = """
+def _get_roles(request):
+    '''Return authorized roles: from middleware state, or bearer token as role (dev fallback).'''
+    roles = getattr(request.state, 'authorized_roles', None)
+    if roles is not None:
+        return roles
+    token = request.headers.get('Authorization', '').removeprefix('Bearer ').strip()
+    return [token] if token else ['public']
+
+
+def _get_role_filter(crud_access, verb, authorized_roles):
+    '''Return mandatory filter kwargs for authorized roles (row-level security).'''
+    role_map = crud_access.get(verb, {})
+    combined = {}
+    for role in authorized_roles:
+        rv = role_map.get(role)
+        if isinstance(rv, dict) and 'filter' in rv:
+            combined.update(rv['filter'])
+    return combined
+
+
+def _effective_out_fields(crud_access, verb, authorized_roles, api_excluded=None):
+    api_excluded = api_excluded or []
+    if 'ho_dev' in authorized_roles:
+        return []  # ho_dev: unrestricted access to all fields
+    role_map = crud_access.get(verb, {})
+    get_map = crud_access.get('GET', {})
+    fields = []
+    for role in authorized_roles:
+        if role not in role_map:
+            return None  # role not authorized for this verb
+        rv = role_map[role]
+        if isinstance(rv, dict):
+            if 'out' in rv:
+                out = rv['out']
+            else:
+                get_rv = get_map.get(role)
+                out = get_rv if not isinstance(get_rv, dict) else get_rv.get('out')
+        else:
+            out = rv
+        if out is None:
+            return []  # role authorized, all fields
+        fields.extend(out)
+    return [f for f in dict.fromkeys(fields) if f not in api_excluded]
+
+
+def _effective_in_fields(crud_access, verb, authorized_roles, api_excluded=None):
+    api_excluded = api_excluded or []
+    role_map = crud_access.get(verb, {})
+    fields = []
+    for role in authorized_roles:
+        rv = role_map.get(role)
+        if rv is None or not isinstance(rv, dict):
+            return []
+        in_val = rv.get('in')
+        if in_val is None:
+            return []
+        fields.extend(in_val)
+    return [f for f in dict.fromkeys(fields) if f not in api_excluded]
+
+
+def get_access_map():
+    result = {}
+    for resource, verbs in _STATIC_ACCESS_MAP.items():
+        entry = {}
+        for verb, roles in verbs.items():
+            entry[verb] = dict(roles)
+        result[resource] = entry
+    if not MODEL._production_mode:
+        for resource, ho_verbs in _HO_DEV_MAP.items():
+            entry = result.setdefault(resource, {})
+            for verb, ho_val in ho_verbs.items():
+                verb_entry = dict(entry.get(verb, {}))
+                verb_entry['ho_dev'] = ho_val
+                entry[verb] = verb_entry
+    return result
+
+
+def _filter_access_for_roles(access_map, authorized_roles):
+    result = {}
+    for resource, verbs in access_map.items():
+        resource_entry = {}
+        for verb, roles in verbs.items():
+            if verb == 'DELETE':
+                if any(r in roles and roles[r] == 'allowed' for r in authorized_roles):
+                    resource_entry[verb] = True
+            else:
+                active = {r: roles[r] for r in authorized_roles if r in roles}
+                if not active:
+                    continue
+                if verb == 'GET':
+                    out = []
+                    for v in active.values():
+                        out.extend(v.get('out', []))
+                    resource_entry[verb] = {'out': list(dict.fromkeys(out))}
+                else:
+                    in_f, out_f = [], []
+                    for v in active.values():
+                        in_f.extend(v.get('in', []))
+                        out_f.extend(v.get('out', []))
+                    resource_entry[verb] = {
+                        'in':  list(dict.fromkeys(in_f)),
+                        'out': list(dict.fromkeys(out_f)),
+                    }
+        if resource_entry:
+            result[resource] = resource_entry
+    return result
+
+"""
+
+CRUD_TYPEDICT = """
+class {class_name}(TypedDict, total=False):
+{fields}
+"""
+
+CRUD_MODULE_IMPORT = "\nfrom {schema} import {module_name} as {module_alias}\n"
+
+HO_ACCESS_ROUTE = (
+    '\n_STATIC_ACCESS_MAP = {json_str}\n'
+    '\n_ACCESS_MAP = get_access_map()\n\n'
+    '@get("{version_prefix}/ho_access", guards=[guards.public])\n'
+    'async def _crud_access_map(request: Request) -> dict:\n'
+    '    authorized_roles = _get_roles(request)\n'
+    '    return _filter_access_for_roles(_ACCESS_MAP, authorized_roles)\n'
+)
+
+HO_ROLES_ROUTE = (
+    '\n_ROLES = {roles_json}\n\n'
+    '@get("{version_prefix}/ho_roles", guards=[guards.public])\n'
+    'async def _crud_roles_list(request: Request) -> list:\n'
+    '    return _ROLES\n'
+)
+
+
+def typedict_block(class_name: str, field_names: list, all_fields: dict) -> str:
+    from half_orm_gen.crud_routes import _py_type_str
+    lines = [f'class {class_name}(TypedDict, total=False):']
+    valid = [(f, all_fields[f]) for f in field_names if f in all_fields]
+    if not valid:
+        lines.append('    pass')
+    else:
+        for fname, fobj in valid:
+            lines.append(f'    {fname}: Optional[{_py_type_str(fobj.py_type)}]')
+    return '\n'.join(lines)
+
+WS_HELPERS = """
+import json as _json
+from litestar import WebSocket, websocket
+
+class _ConnectionManager:
+    def __init__(self):
+        self._sockets: set = set()
+
+    async def connect(self, socket: WebSocket) -> None:
+        await socket.accept()
+        self._sockets.add(socket)
+
+    def disconnect(self, socket: WebSocket) -> None:
+        self._sockets.discard(socket)
+
+    async def broadcast(self, message: dict) -> None:
+        dead = set()
+        for s in set(self._sockets):
+            try:
+                await s.send_data(_json.dumps(message, default=str))
+            except Exception:
+                dead.add(s)
+        self._sockets -= dead
+
+_manager = _ConnectionManager()
+
+@websocket("{version_prefix}/ws")
+async def _ws_handler(socket: WebSocket) -> None:
+    await _manager.connect(socket)
+    try:
+        while True:
+            await socket.receive_data(mode="text")
+    except Exception:
+        pass
+    finally:
+        _manager.disconnect(socket)
+"""
+
+CRUD_GET_LIST = """
+@get("{path}", description="{access_description}")
+async def {handler_name}(
+    request: Request,
+{filter_params}    fields: Optional[List[str]] = None,
+    limit: Optional[int] = None,
+    offset: Optional[int] = None,
+) -> list[{out_typedict}]:
+    api_excluded = getattr({module_alias}, 'API_EXCLUDED_FIELDS', [])
+    roles = _get_roles(request)
+    filter_kwargs = {{{filter_dict}}}
+    role_filter = _get_role_filter(getattr({module_alias}, 'CRUD_ACCESS', {{}}), "GET", roles)
+    authorized = _effective_out_fields(getattr({module_alias}, 'CRUD_ACCESS', {{}}), "GET", roles, api_excluded)
+    if authorized is None:
+        return []
+    if fields:
+        projection = [f for f in fields if not authorized or f in authorized]
+    else:
+        projection = authorized
+    return await {module_alias}.{class_name}(**{{**filter_kwargs, **role_filter}}).ho_aselect(
+        *projection, limit=limit, offset=offset
+    )
+"""
+
+CRUD_GET_ONE = """
+@get("{path}/{{id: {pk_path_type}}}", description="{access_description}")
+async def {handler_name}_get(
+    request: Request,
+    id: {pk_py_type},
+) -> {out_typedict}:
+    api_excluded = getattr({module_alias}, 'API_EXCLUDED_FIELDS', [])
+    roles = _get_roles(request)
+    role_filter = _get_role_filter(getattr({module_alias}, 'CRUD_ACCESS', {{}}), "GET", roles)
+    authorized = _effective_out_fields(getattr({module_alias}, 'CRUD_ACCESS', {{}}), "GET", roles, api_excluded)
+    if authorized is None:
+        raise HTTPException(status_code=403)
+    rows = await {module_alias}.{class_name}({pk_instance_filter}, **role_filter).ho_aselect(*authorized)
+    if not rows:
+        raise HTTPException(status_code=404)
+    return rows[0]
+"""
+
+CRUD_POST = """
+@post("{path}", description="{access_description}")
+async def {handler_name}_create(
+    request: Request,
+    data: {in_typedict},
+) -> {out_typedict}:
+    api_excluded = getattr({module_alias}, 'API_EXCLUDED_FIELDS', [])
+    in_fields = _effective_in_fields(getattr({module_alias}, 'CRUD_ACCESS', {{}}), "POST", _get_roles(request), api_excluded)
+    payload = {{k: v for k, v in dict(data).items() if v is not None and (not in_fields or k in in_fields)}}
+    result = await {module_alias}.{class_name}(**payload).ho_ainsert()
+    await _manager.broadcast({{"event": "create", "resource": "{resource}", "id": {pk_broadcast_expr}}})
+    return result
+"""
+
+CRUD_PUT = """
+@put("{path}/{{id: {pk_path_type}}}", description="{access_description}")
+async def {handler_name}_update(
+    request: Request,
+    id: {pk_py_type},
+    data: {in_typedict},
+) -> {out_typedict}:
+    api_excluded = getattr({module_alias}, 'API_EXCLUDED_FIELDS', [])
+    in_fields = _effective_in_fields(getattr({module_alias}, 'CRUD_ACCESS', {{}}), "PUT", _get_roles(request), api_excluded)
+    payload = {{k: v for k, v in dict(data).items() if v is not None and (not in_fields or k in in_fields)}}
+    authorized = _effective_out_fields(getattr({module_alias}, 'CRUD_ACCESS', {{}}), "PUT", _get_roles(request), api_excluded)
+    result = await {module_alias}.{class_name}({pk_instance_filter}).ho_aupdate(*(authorized or ['*']), **payload)
+    if not result:
+        raise HTTPException(status_code=404)
+    await _manager.broadcast({{"event": "update", "resource": "{resource}", "id": id}})
+    return result[0]
+"""
+
+CRUD_DELETE = """
+@delete("{path}/{{id: {pk_path_type}}}", description="{access_description}")
+async def {handler_name}_delete(
+    request: Request,
+    id: {pk_py_type},
+) -> None:
+    await _ws_broadcast_cascade(
+        {module_alias}.{class_name}({pk_instance_filter}), "{resource}", id
+    )
+    result = await {module_alias}.{class_name}({pk_instance_filter}).ho_adelete('*')
+    if not result:
+        raise HTTPException(status_code=404)
+    await _manager.broadcast({{"event": "delete", "resource": "{resource}", "id": id}})
+"""
+
+WS_CASCADE_HELPER = """
+_WS_RMAP: dict = {{
+{resource_entries}
+}}
+
+async def _ws_broadcast_cascade(inst, resource: str, pk_val, _seen: set | None = None) -> None:
+    if _seen is None:
+        _seen = set()
+    _key = (resource, str(pk_val))
+    if _key in _seen:
+        return
+    _seen.add(_key)
+    for _fk in inst._ho_fkeys.values():
+        if not _fk.is_reverse or len(_fk.fk_names) != 1:
+            continue
+        _fk_field = _fk.fk_names[0]
+        _fqtn     = _fk.remote['fqtn']
+        _r        = f"{{_fqtn[0].replace('.', '_')}}/{{_fqtn[1]}}"
+        if _r not in _WS_RMAP:
+            continue
+        _cls, _pk = _WS_RMAP[_r]
+        for _row in await _cls(**{{_fk_field: pk_val}}).ho_aselect(_pk):
+            _rid = _row[_pk]
+            await _ws_broadcast_cascade(_cls(**{{_pk: _rid}}), _r, _rid, _seen)
+            await _manager.broadcast({{"event": "delete", "resource": _r, "id": _rid}})
+"""