kailash 0.6.1__py3-none-any.whl → 0.6.3__py3-none-any.whl

kailash/nodes/admin/tenant_isolation.py

@@ -0,0 +1,249 @@
+"""Enhanced tenant isolation utilities for admin nodes.
+
+This module provides robust tenant isolation mechanisms to ensure that
+multi-tenant operations properly enforce data boundaries and prevent
+cross-tenant access.
+"""
+
+import logging
+from dataclasses import dataclass
+from typing import Any, Dict, List, Optional, Set
+
+from kailash.sdk_exceptions import NodeExecutionError, NodeValidationError
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class TenantContext:
+    """Represents the context for a specific tenant."""
+
+    tenant_id: str
+    permissions: Set[str]
+    user_ids: Set[str]
+    role_ids: Set[str]
+    resource_prefixes: Set[str]
+
+
+class TenantIsolationManager:
+    """Manages tenant isolation for admin operations."""
+
+    def __init__(self, db_node):
+        """
+        Initialize tenant isolation manager.
+
+        Args:
+            db_node: Database node for tenant context queries
+        """
+        self.db_node = db_node
+        self._tenant_cache = {}
+
+    def get_tenant_context(self, tenant_id: str) -> TenantContext:
+        """
+        Get the context for a specific tenant.
+
+        Args:
+            tenant_id: The tenant ID
+
+        Returns:
+            TenantContext with tenant-specific data
+        """
+        if tenant_id not in self._tenant_cache:
+            self._tenant_cache[tenant_id] = self._load_tenant_context(tenant_id)
+
+        return self._tenant_cache[tenant_id]
+
+    def _load_tenant_context(self, tenant_id: str) -> TenantContext:
+        """Load tenant context from database."""
+        # Get all users for this tenant
+        users_query = """
+            SELECT user_id FROM users WHERE tenant_id = $1 AND status = 'active'
+        """
+        users_result = self.db_node.run(
+            query=users_query, parameters=[tenant_id], result_format="dict"
+        )
+        user_ids = {row["user_id"] for row in users_result.get("data", [])}
+
+        # Get all roles for this tenant
+        roles_query = """
+            SELECT role_id FROM roles WHERE tenant_id = $1 AND is_active = true
+        """
+        roles_result = self.db_node.run(
+            query=roles_query, parameters=[tenant_id], result_format="dict"
+        )
+        role_ids = {row["role_id"] for row in roles_result.get("data", [])}
+
+        # Get all permissions for this tenant (from roles)
+        permissions_query = """
+            SELECT DISTINCT unnest(
+                CASE
+                    WHEN jsonb_typeof(permissions) = 'array'
+                    THEN ARRAY(SELECT jsonb_array_elements_text(permissions))
+                    ELSE ARRAY[]::text[]
+                END
+            ) as permission
+            FROM roles
+            WHERE tenant_id = $1 AND is_active = true
+        """
+        permissions_result = self.db_node.run(
+            query=permissions_query, parameters=[tenant_id], result_format="dict"
+        )
+        permissions = {row["permission"] for row in permissions_result.get("data", [])}
+
+        # Create resource prefixes for this tenant
+        resource_prefixes = {f"{tenant_id}:*", "*"}
+
+        return TenantContext(
+            tenant_id=tenant_id,
+            permissions=permissions,
+            user_ids=user_ids,
+            role_ids=role_ids,
+            resource_prefixes=resource_prefixes,
+        )
+
+    def validate_user_tenant_access(self, user_id: str, target_tenant_id: str) -> bool:
+        """
+        Validate that a user has access within a specific tenant.
+
+        Args:
+            user_id: The user ID to check
+            target_tenant_id: The tenant being accessed
+
+        Returns:
+            True if access is allowed, False otherwise
+        """
+        tenant_context = self.get_tenant_context(target_tenant_id)
+        return user_id in tenant_context.user_ids
+
+    def validate_role_tenant_access(self, role_id: str, target_tenant_id: str) -> bool:
+        """
+        Validate that a role belongs to a specific tenant.
+
+        Args:
+            role_id: The role ID to check
+            target_tenant_id: The tenant being accessed
+
+        Returns:
+            True if role belongs to tenant, False otherwise
+        """
+        tenant_context = self.get_tenant_context(target_tenant_id)
+        return role_id in tenant_context.role_ids
+
+    def check_cross_tenant_permission(
+        self,
+        user_id: str,
+        user_tenant_id: str,
+        resource_tenant_id: str,
+        permission: str,
+    ) -> bool:
+        """
+        Check if a user from one tenant can access resources in another tenant.
+
+        Args:
+            user_id: The user attempting access
+            user_tenant_id: The tenant the user belongs to
+            resource_tenant_id: The tenant of the resource being accessed
+            permission: The permission being requested
+
+        Returns:
+            True if cross-tenant access is allowed, False otherwise
+        """
+        # For now, enforce strict tenant isolation
+        # Users can only access resources in their own tenant
+        if user_tenant_id != resource_tenant_id:
+            logger.debug(
+                f"Cross-tenant access denied: user {user_id} from {user_tenant_id} "
+                f"attempting to access {resource_tenant_id}"
+            )
+            return False
+
+        # Same tenant access - check if user exists in tenant
+        return self.validate_user_tenant_access(user_id, resource_tenant_id)
+
+    def enforce_tenant_isolation(
+        self, user_id: str, user_tenant_id: str, operation_tenant_id: str
+    ) -> None:
+        """
+        Enforce tenant isolation for an operation.
+
+        Args:
+            user_id: The user performing the operation
+            user_tenant_id: The tenant the user belongs to
+            operation_tenant_id: The tenant context for the operation
+
+        Raises:
+            NodeValidationError: If tenant isolation is violated
+        """
+        if not self.check_cross_tenant_permission(
+            user_id, user_tenant_id, operation_tenant_id, "access"
+        ):
+            raise NodeValidationError(
+                f"Tenant isolation violation: user {user_id} from tenant "
+                f"{user_tenant_id} cannot access tenant {operation_tenant_id}"
+            )
+
+    def get_tenant_scoped_permission(
+        self, permission: str, tenant_id: str, resource_id: Optional[str] = None
+    ) -> str:
+        """
+        Create a tenant-scoped permission string.
+
+        Args:
+            permission: Base permission (e.g., "read", "write")
+            tenant_id: Tenant ID
+            resource_id: Optional resource ID
+
+        Returns:
+            Tenant-scoped permission string
+        """
+        if resource_id:
+            return f"{tenant_id}:{resource_id}:{permission}"
+        else:
+            return f"{tenant_id}:*:{permission}"
+
+    def clear_tenant_cache(self, tenant_id: Optional[str] = None) -> None:
+        """
+        Clear the tenant context cache.
+
+        Args:
+            tenant_id: Specific tenant to clear, or None to clear all
+        """
+        if tenant_id:
+            self._tenant_cache.pop(tenant_id, None)
+        else:
+            self._tenant_cache.clear()
+
+        logger.debug(f"Cleared tenant cache for {tenant_id or 'all tenants'}")
+
+
+def enforce_tenant_boundary(tenant_id_param: str = "tenant_id"):
+    """
+    Decorator to enforce tenant boundaries on admin node methods.
+
+    Args:
+        tenant_id_param: Name of the parameter containing the tenant ID
+    """
+
+    def decorator(func):
+        def wrapper(self, *args, **kwargs):
+            # Extract tenant ID from parameters
+            tenant_id = kwargs.get(tenant_id_param)
+            if not tenant_id:
+                raise NodeValidationError(
+                    f"Missing required parameter: {tenant_id_param}"
+                )
+
+            # Create tenant isolation manager if not exists
+            if not hasattr(self, "_tenant_isolation"):
+                self._tenant_isolation = TenantIsolationManager(self._db_node)
+
+            # Perform the operation within tenant context
+            try:
+                return func(self, *args, **kwargs)
+            except Exception as e:
+                logger.error(f"Tenant-scoped operation failed for {tenant_id}: {e}")
+                raise
+
+        return wrapper
+
+    return decorator

kailash/nodes/admin/transaction_utils.py

@@ -0,0 +1,244 @@
+"""Transaction utilities for admin nodes to handle timing and persistence issues.
+
+This module provides utilities to handle common transaction and timing issues
+encountered in admin node operations, particularly around user creation,
+role assignment, and permission checks.
+"""
+
+import logging
+import time
+from typing import Any, Callable, Dict, Optional, TypeVar
+
+from kailash.sdk_exceptions import NodeExecutionError, NodeValidationError
+
+logger = logging.getLogger(__name__)
+
+T = TypeVar("T")
+
+
+class TransactionHelper:
+    """Helper class for handling database transaction timing and persistence issues."""
+
+    def __init__(self, db_node, max_retries: int = 3, retry_delay: float = 0.1):
+        """
+        Initialize transaction helper.
+
+        Args:
+            db_node: Database node instance (SQLDatabaseNode)
+            max_retries: Maximum number of retries for transient failures
+            retry_delay: Delay between retries in seconds
+        """
+        self.db_node = db_node
+        self.max_retries = max_retries
+        self.retry_delay = retry_delay
+
+    def execute_with_retry(self, operation: Callable[[], T], operation_name: str) -> T:
+        """
+        Execute a database operation with retry logic.
+
+        Args:
+            operation: Function that performs the database operation
+            operation_name: Description of the operation for logging
+
+        Returns:
+            Result of the operation
+
+        Raises:
+            NodeExecutionError: If operation fails after all retries
+        """
+        last_exception = None
+
+        for attempt in range(self.max_retries):
+            try:
+                result = operation()
+                if attempt > 0:
+                    logger.info(f"{operation_name} succeeded on attempt {attempt + 1}")
+                return result
+            except Exception as e:
+                last_exception = e
+                if attempt < self.max_retries - 1:
+                    logger.warning(
+                        f"{operation_name} failed on attempt {attempt + 1}, retrying: {e}"
+                    )
+                    time.sleep(self.retry_delay * (2**attempt))  # Exponential backoff
+                else:
+                    logger.error(
+                        f"{operation_name} failed after {self.max_retries} attempts: {e}"
+                    )
+
+        raise NodeExecutionError(
+            f"{operation_name} failed after {self.max_retries} attempts: {last_exception}"
+        )
+
+    def verify_operation_success(
+        self,
+        verification_query: str,
+        expected_result: Any,
+        operation_name: str,
+        timeout_seconds: float = 5.0,
+    ) -> bool:
+        """
+        Verify that a database operation was successful by checking the result.
+
+        Args:
+            verification_query: SQL query to verify the operation
+            expected_result: Expected result from the verification query
+            operation_name: Description of the operation for logging
+            timeout_seconds: Maximum time to wait for verification
+
+        Returns:
+            True if verification succeeds
+
+        Raises:
+            NodeValidationError: If verification fails after timeout
+        """
+        start_time = time.time()
+
+        while time.time() - start_time < timeout_seconds:
+            try:
+                result = self.db_node.run(
+                    query=verification_query, result_format="dict"
+                )
+                data = result.get("data", [])
+
+                if data and len(data) > 0:
+                    # Operation was successful
+                    logger.debug(f"{operation_name} verification succeeded")
+                    return True
+
+            except Exception as e:
+                logger.debug(f"{operation_name} verification error: {e}")
+
+            # Wait before retrying
+            time.sleep(0.05)  # 50ms
+
+        raise NodeValidationError(
+            f"{operation_name} verification failed after {timeout_seconds}s"
+        )
+
+    def create_user_with_verification(
+        self, user_data: Dict[str, Any], tenant_id: str
+    ) -> Dict[str, Any]:
+        """
+        Create a user and verify the creation was successful.
+
+        Args:
+            user_data: User data dictionary
+            tenant_id: Tenant ID
+
+        Returns:
+            User creation result
+        """
+        user_id = user_data.get("user_id")
+
+        def create_operation():
+            # Perform the user creation
+            from .user_management import UserManagementNode
+
+            user_mgmt = UserManagementNode(database_url=self.db_node.connection_string)
+            return user_mgmt.run(
+                operation="create_user", user_data=user_data, tenant_id=tenant_id
+            )
+
+        # Execute creation with retry
+        result = self.execute_with_retry(
+            create_operation, f"User creation for {user_id}"
+        )
+
+        # Verify user was created
+        verification_query = """
+            SELECT user_id FROM users
+            WHERE user_id = $1 AND tenant_id = $2
+        """
+
+        self.verify_operation_success(
+            verification_query,
+            user_id,
+            f"User {user_id} creation verification",
+            timeout_seconds=2.0,
+        )
+
+        return result
+
+    def assign_role_with_verification(
+        self, user_id: str, role_id: str, tenant_id: str
+    ) -> Dict[str, Any]:
+        """
+        Assign a role to a user and verify the assignment was successful.
+
+        Args:
+            user_id: User ID
+            role_id: Role ID
+            tenant_id: Tenant ID
+
+        Returns:
+            Role assignment result
+        """
+
+        def assign_operation():
+            from .role_management import RoleManagementNode
+
+            role_mgmt = RoleManagementNode(database_url=self.db_node.connection_string)
+            return role_mgmt.run(
+                operation="assign_user",
+                user_id=user_id,
+                role_id=role_id,
+                tenant_id=tenant_id,
+            )
+
+        # Execute assignment with retry
+        result = self.execute_with_retry(
+            assign_operation, f"Role assignment {role_id} to {user_id}"
+        )
+
+        # Verify role was assigned
+        verification_query = """
+            SELECT user_id, role_id FROM user_role_assignments
+            WHERE user_id = $1 AND role_id = $2 AND tenant_id = $3 AND is_active = true
+        """
+
+        self.verify_operation_success(
+            verification_query,
+            {"user_id": user_id, "role_id": role_id},
+            f"Role assignment {role_id} to {user_id} verification",
+            timeout_seconds=2.0,
+        )
+
+        return result
+
+
+def with_transaction_retry(max_retries: int = 3, retry_delay: float = 0.1):
+    """
+    Decorator to add retry logic to admin node operations.
+
+    Args:
+        max_retries: Maximum number of retries
+        retry_delay: Initial delay between retries
+    """
+
+    def decorator(func):
+        def wrapper(*args, **kwargs):
+            last_exception = None
+
+            for attempt in range(max_retries):
+                try:
+                    return func(*args, **kwargs)
+                except Exception as e:
+                    last_exception = e
+                    if attempt < max_retries - 1:
+                        logger.warning(
+                            f"{func.__name__} failed on attempt {attempt + 1}, retrying: {e}"
+                        )
+                        time.sleep(retry_delay * (2**attempt))
+                    else:
+                        logger.error(
+                            f"{func.__name__} failed after {max_retries} attempts: {e}"
+                        )
+
+            raise NodeExecutionError(
+                f"{func.__name__} failed after {max_retries} attempts: {last_exception}"
+            )
+
+        return wrapper
+
+    return decorator

kailash/nodes/admin/user_management.py

@@ -25,6 +25,8 @@ from enum import Enum
 from typing import Any, Dict, List, Optional, Set, Union
 from uuid import uuid4
 
+import bcrypt
+
 from kailash.nodes.base import Node, NodeParameter, register_node
 from kailash.nodes.data import SQLDatabaseNode
 from kailash.sdk_exceptions import NodeExecutionError, NodeValidationError
@@ -32,6 +34,25 @@ from kailash.sdk_exceptions import NodeExecutionError, NodeValidationError
 from .schema_manager import AdminSchemaManager
 
 
+def hash_password(password: str) -> str:
+    """Hash password using bcrypt with salt."""
+    if not password:
+        return ""
+    salt = bcrypt.gensalt()
+    hashed = bcrypt.hashpw(password.encode("utf-8"), salt)
+    return hashed.decode("utf-8")
+
+
+def verify_password(password: str, hashed: str) -> bool:
+    """Verify password against bcrypt hash."""
+    if not password or not hashed:
+        return False
+    try:
+        return bcrypt.checkpw(password.encode("utf-8"), hashed.encode("utf-8"))
+    except Exception:
+        return False
+
+
 def parse_datetime(value: Union[str, datetime, None]) -> Optional[datetime]:
     """Parse datetime from various formats."""
     if value is None:
@@ -496,7 +517,7 @@ class UserManagementNode(Node):
                     user.user_id,
                     user.email,
                     user.username,
-                    inputs.get("password_hash"),
+                    hash_password(inputs.get("password", "")),
                     user.first_name,
                     user.last_name,
                     user.display_name,
@@ -509,12 +530,15 @@ class UserManagementNode(Node):
                 ],
             )
 
-            # Get the created user to return complete data
-            created_user = self._get_user_by_id(user.user_id, tenant_id)
+            # Return the user data that was successfully inserted
+            # Add timestamps that would be set by the database
+            user_dict = user.to_dict()
+            user_dict["created_at"] = datetime.now(UTC).isoformat()
+            user_dict["updated_at"] = datetime.now(UTC).isoformat()
 
             return {
                 "result": {
-                    "user": created_user.to_dict(),
+                    "user": user_dict,
                     "operation": "create_user",
                     "timestamp": datetime.now(UTC).isoformat(),
                 }
@@ -918,7 +942,8 @@ class UserManagementNode(Node):
         """Set user password hash."""
         user_id = inputs["user_id"]
         tenant_id = inputs["tenant_id"]
-        password_hash = inputs["password_hash"]
+        password = inputs.get("password", "")
+        password_hash = hash_password(password)
 
         update_query = """
         UPDATE users
@@ -964,9 +989,13 @@ class UserManagementNode(Node):
         for i, user_data in enumerate(users_data):
             try:
                 # Create each user individually for better error handling
+                # Extract password from user_data if present
+                user_data_copy = user_data.copy()
+                password = user_data_copy.pop("password", "")
                 create_inputs = {
                     "operation": "create_user",
-                    "user_data": user_data,
+                    "user_data": user_data_copy,
+                    "password": password,
                     "tenant_id": tenant_id,
                     "database_config": inputs["database_config"],
                 }
@@ -1370,7 +1399,7 @@ class UserManagementNode(Node):
         user_id = result["data"][0]["user_id"]
 
         # Update password
-        password_hash = hashlib.sha256(new_password.encode()).hexdigest()
+        password_hash = hash_password(new_password)
         update_query = """
         UPDATE users
         SET password_hash = :password_hash,
@@ -1441,9 +1470,8 @@ class UserManagementNode(Node):
 
         user_data = result["data"][0]
         stored_hash = user_data["password_hash"]
-        provided_hash = hashlib.sha256(password.encode()).hexdigest()
 
-        if stored_hash != provided_hash:
+        if not verify_password(password, stored_hash):
             return {"authenticated": False, "message": "Invalid password"}
 
         if user_data["status"] != "active":