imbi-api 2.0.0__py3-none-any.whl

imbi_api/__init__.py

@@ -0,0 +1,15 @@
+"""
+Imbi
+====
+
+Imbi is a DevOps Service Management Platform designed to provide an efficient
+way to manage a large environment that contains many services and applications.
+
+"""
+
+from importlib import metadata
+
+try:
+    version = metadata.version('imbi-api')
+except metadata.PackageNotFoundError:
+    version = '0.0.0'

imbi_api/app.py

@@ -0,0 +1,83 @@
+import logging
+
+import fastapi
+from fastapi import responses
+from fastapi.middleware import cors
+from imbi_common import graph, lifespan, valkey
+from imbi_common.plugins.errors import PluginCredentialsMissing
+from uvicorn.middleware import proxy_headers
+
+from imbi_api import endpoints, lifespans, openapi, settings, version
+from imbi_api.middleware import rate_limit
+
+LOGGER = logging.getLogger(__name__)
+
+
+def create_app() -> fastapi.FastAPI:
+    app = fastapi.FastAPI(
+        title='Imbi',
+        lifespan=lifespan.Lifespan(
+            lifespans.clickhouse_hook,
+            graph.graph_lifespan,
+            lifespans.email_hook,
+            lifespans.storage_hook,
+            lifespans.anthropic_hook,
+            valkey.valkey_lifespan,
+            lifespans.score_worker_hook,
+            lifespans.identity_refresh_hook,
+        ),
+        version=version,
+        redoc_url=None,
+        docs_url=None,
+        license_info={
+            'name': 'BSD 3-Clause',
+            'url': 'https://github.com/AWeber-Imbi/imbi-api/blob/main/LICENSE',
+        },
+    )
+
+    server_config = settings.ServerConfig()
+    app.add_middleware(
+        cors.CORSMiddleware,
+        allow_origins=server_config.cors_allowed_origins,
+        allow_credentials=True,
+        allow_methods=['*'],
+        allow_headers=['authorization'],
+    )
+
+    # Honor X-Forwarded-For from trusted proxies so rate limiting keys
+    # on the real client IP rather than the proxy address. Skipped
+    # when forwarded_allow_ips is empty (dev/no-proxy deployments).
+    if server_config.forwarded_allow_ips:
+        app.add_middleware(
+            proxy_headers.ProxyHeadersMiddleware,
+            trusted_hosts=server_config.forwarded_allow_ips,
+        )
+
+    # Translate plugin credential failures (raised either at credential
+    # lookup or from inside a plugin handler at runtime) into 503 so
+    # callers don't see opaque 500s when an integration isn't configured.
+    @app.exception_handler(PluginCredentialsMissing)
+    async def _plugin_credentials_missing(  # pyright: ignore[reportUnusedFunction]
+        _request: fastapi.Request,
+        exc: PluginCredentialsMissing,
+    ) -> responses.JSONResponse:
+        LOGGER.warning('Plugin credentials missing: %s', exc)
+        return responses.JSONResponse(
+            status_code=503,
+            content={'detail': str(exc)},
+        )
+
+    # Phase 5: Setup rate limiting middleware
+    rate_limit.setup_rate_limiting(app)
+
+    app.add_route('/docs', openapi.stoplights_html, include_in_schema=False)
+    for router in endpoints.prefixed_routers:
+        app.include_router(router, prefix=server_config.api_prefix)
+    for router in endpoints.unprefixed_routers:
+        app.include_router(router)
+
+    # Set custom OpenAPI schema generator with blueprint-enhanced models
+    # FastAPI pattern: override openapi method to customize schema
+    app.openapi = openapi.create_custom_openapi(app)  # type: ignore[method-assign]
+
+    return app

imbi_api/auth/__init__.py

@@ -0,0 +1 @@
+"""Authentication and authorization module."""

imbi_api/auth/local_auth.py

@@ -0,0 +1,58 @@
+"""Local password authentication configuration repository.
+
+Reads/writes the singleton ``LocalAuthConfig`` node in the graph.
+A small in-memory TTL cache keeps the ``/auth/providers`` hot path
+off the graph.  Writes invalidate the cache.
+"""
+
+from __future__ import annotations
+
+import datetime
+import logging
+import time
+
+from imbi_common import graph
+
+from imbi_api.domain import models
+
+LOGGER = logging.getLogger(__name__)
+
+_CACHE_TTL_SECONDS = 30.0
+_CACHE_KEY = 'global'
+
+_config_cache: dict[str, tuple[models.LocalAuthConfig, float]] = {}
+
+
+def _invalidate_cache() -> None:
+    """Drop the cached config entry."""
+    _config_cache.clear()
+
+
+async def get_config(db: graph.Graph) -> models.LocalAuthConfig:
+    """Return the local-auth config, defaulting to enabled.
+
+    If no row exists yet a default ``LocalAuthConfig(enabled=True)`` is
+    returned without persisting it (lazy-default semantics).
+    """
+    cached = _config_cache.get(_CACHE_KEY)
+    now = time.time()
+    if cached is not None and (now - cached[1]) < _CACHE_TTL_SECONDS:
+        return cached[0]
+
+    rows = await db.match(models.LocalAuthConfig, {'key': 'global'})
+    config = rows[0] if rows else models.LocalAuthConfig(enabled=True)
+    _config_cache[_CACHE_KEY] = (config, now)
+    return config
+
+
+async def set_enabled(
+    db: graph.Graph, enabled: bool
+) -> models.LocalAuthConfig:
+    """Persist the singleton config and invalidate the cache."""
+    config = models.LocalAuthConfig(
+        enabled=enabled,
+        updated_at=datetime.datetime.now(datetime.UTC),
+    )
+    await db.merge(config, ['key'])
+    _invalidate_cache()
+    return config

imbi_api/auth/login_providers.py

@@ -0,0 +1,255 @@
+"""Login-provider repository.
+
+Reads ``ServiceApplication`` rows whose ``usage`` is ``'login'`` or
+``'both'``, joined to their parent ``ThirdPartyService`` for the OAuth
+endpoints. Cross-org by design — login providers are an instance-level
+concern even though each row is owned by a single organization.
+
+A 30s in-memory TTL cache keeps the OAuth hot path off the graph.
+"""
+
+from __future__ import annotations
+
+import logging
+import time
+import typing
+
+import pydantic
+from imbi_common import graph
+
+from imbi_api import settings
+
+LOGGER = logging.getLogger(__name__)
+
+_CACHE_TTL_SECONDS = 30.0
+
+_provider_cache: dict[str, tuple[LoginApp, float]] = {}
+_list_cache: dict[bool, tuple[list[LoginApp], float]] = {}
+
+
+class LoginApp(pydantic.BaseModel):
+    """Flat view of a login-eligible row.
+
+    Combines the application or identity-plugin row with the OAuth
+    endpoints from the parent ``ThirdPartyService`` so callers don't
+    need to traverse the graph again.
+
+    Two sources feed this list:
+
+    * ``source='service_app'`` — legacy ``ServiceApplication`` rows
+      whose ``usage`` is ``'login'`` or ``'both'``. ``oauth_app_type``
+      is one of the hardcoded literals (``google``, ``github``,
+      ``oidc``).
+    * ``source='identity_plugin'`` — ``Plugin`` nodes whose manifest is
+      ``login_capable=true`` *and* whose row has ``used_as_login=true``.
+      ``oauth_app_type='identity_plugin'`` and ``plugin_id`` carries the
+      Plugin nano-ID so the auth router can route start/callback
+      through ``imbi_api.identity.flows``.
+    """
+
+    model_config = pydantic.ConfigDict(extra='ignore')
+
+    slug: str
+    name: str
+    oauth_app_type: typing.Literal[
+        'google', 'github', 'oidc', 'identity_plugin'
+    ]
+    source: typing.Literal['service_app', 'identity_plugin'] = 'service_app'
+    plugin_id: str | None = None
+    plugin_slug: str | None = None
+    client_id: str | None = None
+    client_secret_encrypted: str | None = None
+    issuer_url: str | None = None
+    allowed_domains: list[str] = pydantic.Field(default_factory=list)
+    scopes: list[str] = pydantic.Field(default_factory=list)
+    status: str = 'active'
+    authorization_endpoint: str | None = None
+    token_endpoint: str | None = None
+    revoke_endpoint: str | None = None
+    callback_url: str = ''
+
+
+def invalidate_cache(slug: str | None = None) -> None:
+    """Drop cached entries.
+
+    ``slug=None`` clears everything; otherwise only the slug + lists.
+    """
+    if slug is None:
+        _provider_cache.clear()
+    else:
+        _provider_cache.pop(slug, None)
+    _list_cache.clear()
+
+
+_LIST_QUERY: typing.LiteralString = """
+MATCH (a:ServiceApplication)-[:REGISTERED_IN]->(s:ThirdPartyService)
+WHERE a.usage IN ['login', 'both']
+RETURN a{{.*}} AS app, s{{.*}} AS service
+ORDER BY a.slug
+"""
+
+_IDENTITY_LOGIN_QUERY: typing.LiteralString = """
+MATCH (p:Plugin)
+WHERE p.login_capable = true AND p.used_as_login = true
+RETURN p{{.*}} AS plugin
+ORDER BY p.plugin_slug
+"""
+
+
+def _row_to_login_app(
+    app: dict[str, typing.Any],
+    svc: dict[str, typing.Any] | None,
+) -> LoginApp:
+    """Materialize a ``LoginApp`` from raw graph dicts."""
+    raw_scopes = app.get('scopes')
+    if isinstance(raw_scopes, str):
+        import json as _json
+
+        try:
+            scopes = _json.loads(raw_scopes)
+        except (ValueError, TypeError):
+            scopes = []
+    else:
+        scopes = list(raw_scopes) if raw_scopes else []
+    raw_domains = app.get('allowed_domains')
+    if isinstance(raw_domains, str):
+        import json as _json
+
+        try:
+            domains = _json.loads(raw_domains)
+        except (ValueError, TypeError):
+            domains = []
+    else:
+        domains = list(raw_domains) if raw_domains else []
+    return LoginApp(
+        slug=app['slug'],
+        name=app.get('name', app['slug']),
+        oauth_app_type=app['oauth_app_type'],
+        client_id=app.get('client_id'),
+        client_secret_encrypted=app.get('client_secret'),
+        issuer_url=app.get('issuer_url'),
+        allowed_domains=domains,
+        scopes=scopes,
+        status=app.get('status', 'active'),
+        authorization_endpoint=(
+            svc.get('authorization_endpoint') if svc else None
+        ),
+        token_endpoint=svc.get('token_endpoint') if svc else None,
+        revoke_endpoint=svc.get('revoke_endpoint') if svc else None,
+        callback_url=settings.oauth_callback_url(app['slug']),
+    )
+
+
+def _plugin_row_to_login_app(plugin: dict[str, typing.Any]) -> LoginApp:
+    """Materialize a ``LoginApp`` from a Plugin node row.
+
+    Identity-plugin rows have no client_id/client_secret on the Plugin
+    node — those live on the parent ``ServiceApplication`` and are
+    looked up by the identity flow at start/callback time. The
+    ``LoginApp`` returned here only carries enough metadata for the UI
+    to render the row and for the auth router to dispatch.
+    """
+    return LoginApp(
+        slug=plugin['plugin_slug'],
+        name=plugin.get('label') or plugin['plugin_slug'],
+        oauth_app_type='identity_plugin',
+        source='identity_plugin',
+        plugin_id=plugin['id'],
+        plugin_slug=plugin['plugin_slug'],
+        status='active',
+        callback_url=settings.oauth_callback_url(plugin['plugin_slug']),
+    )
+
+
+async def list_login_apps(
+    db: graph.Graph,
+    *,
+    enabled_only: bool = False,
+) -> list[LoginApp]:
+    """Return every login-eligible row, merged across both sources.
+
+    Cached per ``enabled_only`` for ``_CACHE_TTL_SECONDS``. The merge
+    rule is "identity-plugin row wins on slug collision" — operators
+    are expected to disable the legacy ``ServiceApplication.usage``
+    flag once the identity-plugin equivalent is in use, but if both
+    are flagged, the identity row is the canonical source.
+    """
+    cached = _list_cache.get(enabled_only)
+    now = time.time()
+    if cached is not None and (now - cached[1]) < _CACHE_TTL_SECONDS:
+        return list(cached[0])
+
+    records = await db.execute(_LIST_QUERY, {}, ['app', 'service'])
+    apps: dict[str, LoginApp] = {}
+    for record in records:
+        app = graph.parse_agtype(record['app'])
+        svc = graph.parse_agtype(record.get('service'))
+        if not app.get('oauth_app_type'):
+            continue
+        login_app = _row_to_login_app(app, svc)
+        if enabled_only and login_app.status != 'active':
+            continue
+        apps[login_app.slug] = login_app
+
+    plugin_records = await db.execute(_IDENTITY_LOGIN_QUERY, {}, ['plugin'])
+    for record in plugin_records:
+        plugin = graph.parse_agtype(record['plugin'])
+        if not plugin.get('plugin_slug') or not plugin.get('id'):
+            continue
+        login_app = _plugin_row_to_login_app(plugin)
+        # Identity-plugin row wins on slug collision (operators are
+        # expected to disable the legacy service-app flag once they
+        # promote the identity plugin to a login provider).
+        apps[login_app.slug] = login_app
+
+    merged = list(apps.values())
+    _list_cache[enabled_only] = (list(merged), now)
+    return merged
+
+
+_GET_QUERY: typing.LiteralString = """
+MATCH (a:ServiceApplication {{slug: {slug}}})
+      -[:REGISTERED_IN]->(s:ThirdPartyService)
+WHERE a.usage IN ['login', 'both']
+RETURN a{{.*}} AS app, s{{.*}} AS service
+"""
+
+_IDENTITY_LOGIN_GET_QUERY: typing.LiteralString = """
+MATCH (p:Plugin {{plugin_slug: {slug}}})
+WHERE p.login_capable = true AND p.used_as_login = true
+RETURN p{{.*}} AS plugin
+LIMIT 1
+"""
+
+
+async def get_login_app(db: graph.Graph, slug: str) -> LoginApp | None:
+    """Look up a single login app by slug.
+
+    Checks the identity-plugin source first so it wins on collision
+    (matching :func:`list_login_apps`).
+    """
+    cached = _provider_cache.get(slug)
+    now = time.time()
+    if cached is not None and (now - cached[1]) < _CACHE_TTL_SECONDS:
+        return cached[0]
+
+    plugin_records = await db.execute(
+        _IDENTITY_LOGIN_GET_QUERY, {'slug': slug}, ['plugin']
+    )
+    if plugin_records:
+        plugin = graph.parse_agtype(plugin_records[0]['plugin'])
+        if plugin.get('plugin_slug') and plugin.get('id'):
+            login_app = _plugin_row_to_login_app(plugin)
+            _provider_cache[slug] = (login_app, now)
+            return login_app
+
+    records = await db.execute(_GET_QUERY, {'slug': slug}, ['app', 'service'])
+    if not records:
+        return None
+    app = graph.parse_agtype(records[0]['app'])
+    svc = graph.parse_agtype(records[0].get('service'))
+    if not app.get('oauth_app_type'):
+        return None
+    login_app = _row_to_login_app(app, svc)
+    _provider_cache[slug] = (login_app, now)
+    return login_app

imbi_api/auth/models.py

@@ -0,0 +1,86 @@
+"""Request and response models for authentication endpoints."""
+
+import typing
+
+import pydantic
+
+
+class LoginRequest(pydantic.BaseModel):
+    """Login request with email and password."""
+
+    email: pydantic.EmailStr
+    password: str
+
+
+class TokenResponse(pydantic.BaseModel):
+    """JWT token response."""
+
+    access_token: str
+    refresh_token: str
+    token_type: str = 'bearer'
+    expires_in: int
+
+
+class TokenRefreshRequest(pydantic.BaseModel):
+    """Request to refresh an access token."""
+
+    refresh_token: str
+
+
+class AuthProvider(pydantic.BaseModel):
+    """Authentication provider configuration for UI."""
+
+    id: str  # 'google', 'github', 'oidc', 'local'
+    type: typing.Literal['oauth', 'password']
+    name: str  # Display name
+    enabled: bool
+    auth_url: str | None = None  # URL to initiate auth (for OAuth)
+    icon: str | None = None  # Icon identifier for UI
+
+
+class AuthProvidersResponse(pydantic.BaseModel):
+    """List of available authentication providers."""
+
+    providers: list[AuthProvider]
+    default_redirect: str = '/dashboard'
+
+
+class OAuthStateData(pydantic.BaseModel):
+    """Data stored in OAuth state parameter for CSRF protection.
+
+    The identity-plugin flow extends this with optional fields:
+
+    * ``intent`` discriminates ``'login'`` from ``'identity'``.  Login
+      flows still create the local user; identity flows persist an
+      :class:`imbi_common.models.IdentityConnection` for the actor.
+    * ``plugin_id`` names the target identity plugin (or ``None`` for
+      the legacy hardcoded login providers).
+    * ``code_verifier`` carries the PKCE verifier through the redirect
+      so we don't need server-side state for in-flight flows.
+    * ``return_to`` is where the UI lands after a successful exchange.
+    * ``actor_user_id`` lets a logged-in user begin an identity flow
+      without re-authenticating.
+    * ``device_code`` is set for OAuth 2.0 device-code flows (e.g.
+      AWS IAM IC).  The IdP issues the code at ``StartDeviceAuthorization``
+      time and there is no redirect callback to echo it back, so the
+      host signs it into the state JWT and pulls it back out on the
+      poll endpoint to call ``CreateToken``.
+    """
+
+    provider: str
+    nonce: str  # Random nonce for CSRF
+    redirect_uri: str  # Where to redirect after auth
+    timestamp: int  # Unix timestamp for expiry
+    intent: typing.Literal['login', 'identity'] = 'login'
+    plugin_id: str | None = None
+    code_verifier: str | None = None
+    return_to: str | None = None
+    actor_user_id: str | None = None
+    device_code: str | None = None
+
+
+class OAuthCallbackError(pydantic.BaseModel):
+    """OAuth callback error response."""
+
+    error: str
+    error_description: str | None = None