maquinaweb-shared-auth 0.1.2__py3-none-any.whl → 0.1.4__py3-none-any.whl

{maquinaweb_shared_auth-0.1.2.dist-info → maquinaweb_shared_auth-0.1.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: maquinaweb-shared-auth
-Version: 0.1.2
+Version: 0.1.4
 Summary: Models read-only para autenticação compartilhada entre projetos Django.
 Author-email: Seu Nome <seuemail@dominio.com>
 License: MIT
@@ -521,7 +521,7 @@ class RascunhoDetailSerializer(OrganizationUserSerializerMixin, serializers.Mode
         ]
         read_only_fields = ['organization', 'user', 'created_at', 'updated_at']
 
-# views.py
+# views
 class RascunhoViewSet(viewsets.ModelViewSet):
     queryset = Rascunho.objects.all()
     

maquinaweb_shared_auth-0.1.4.dist-info/RECORD

@@ -0,0 +1,17 @@
+shared_auth/__init__.py,sha256=WbDmRRdOp0nn5I_ksYjhAa2HRtXe0wxtGY6qnaiPlB8,397
+shared_auth/authentication.py,sha256=btrTjBszPrKKfKA4F0pOOzaxnfASgXb1y2cxQwOWbnk,1515
+shared_auth/conf.py,sha256=-jdnCokMvWvVKllfsxNYCsPk1Vo3MDRq4Y1MsO16oeA,411
+shared_auth/decorators.py,sha256=LTDHiVX36O65jbcCUqtoNPNkQ1suDH4fICXVyduZ1BM,3444
+shared_auth/exceptions.py,sha256=eiII-REupK6GeFinisteYO3FsGUDAN5zAajXPhTREm8,404
+shared_auth/fields.py,sha256=RAcmFh1D_nkbai_7t_OrPZhfhAipesy5kKnEj4LUvvM,1254
+shared_auth/managers.py,sha256=NfMhsAFuVmo8MUY2fveB_xVAT5_67nlkVOXS_C8bhew,6920
+shared_auth/middleware.py,sha256=OycDHgHh-1GkicU91xDaxXw_AR43JeQn8PsJXm4w_3E,5979
+shared_auth/mixins.py,sha256=3ARghQ4TvtENKoA5UTOHTrRHa6ufMRVJJHGFkV8-BL8,7550
+shared_auth/models.py,sha256=iszFHOhpD78tqcXaxxZ9_57wLdRq9i_ZsHWrfy5W9Nc,6997
+shared_auth/permissions.py,sha256=kkEMtClmV9VB3EOhKDyinSr4r5v9g-3DCCKNtqpaTz8,2473
+shared_auth/router.py,sha256=nYbqnqjoylD0yeSY7rqyH8N4H6j1MHYD2sMnrhi3sm4,646
+shared_auth/serializers.py,sha256=TDpuZVsOL-6igINSOOOyELWbTUeet4XWRoBkvcMGjW4,4290
+maquinaweb_shared_auth-0.1.4.dist-info/METADATA,sha256=nzMW_SX5YSnQrtpPH-f33d1jXc8_bmG6XHVnlKvy-OU,27150
+maquinaweb_shared_auth-0.1.4.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+maquinaweb_shared_auth-0.1.4.dist-info/top_level.txt,sha256=msyYRy02ZV7zz7GR1raUI5LXGFIFn2TIkgkeKZqKufE,12
+maquinaweb_shared_auth-0.1.4.dist-info/RECORD,,

shared_auth/authentication.py

@@ -0,0 +1,48 @@
+"""
+Backend de autenticação usando tokens do banco compartilhado
+"""
+
+from rest_framework.authentication import TokenAuthentication
+from rest_framework import exceptions
+from django.utils.translation import gettext_lazy as _
+from .models import SharedToken, SharedUser
+
+
+class SharedTokenAuthentication(TokenAuthentication):
+    """
+    Autentica usando tokens do banco de dados compartilhado
+
+    Usage em settings.py:
+        REST_FRAMEWORK = {
+            'DEFAULT_AUTHENTICATION_CLASSES': [
+                'shared_auth.authentication.SharedTokenAuthentication',
+            ]
+        }
+    """
+
+    model = SharedToken
+
+    def authenticate_credentials(self, key):
+        """
+        Valida o token no banco de dados compartilhado
+        """
+        try:
+            token = (
+                SharedToken.objects.using("auth_db").select_related("user").get(key=key)
+            )
+        except SharedToken.DoesNotExist:
+            raise exceptions.AuthenticationFailed(_("Token inválido."))
+
+        # Buscar usuário completo
+        try:
+            user = SharedUser.objects.using("auth_db").get(pk=token.user_id)
+        except SharedUser.DoesNotExist:
+            raise exceptions.AuthenticationFailed(_("Usuário não encontrado."))
+
+        if not user.is_active:
+            raise exceptions.AuthenticationFailed(_("Usuário inativo ou deletado."))
+
+        if user.deleted_at is not None:
+            raise exceptions.AuthenticationFailed(_("Usuário deletado."))
+
+        return (user, token)

shared_auth/decorators.py

@@ -0,0 +1,122 @@
+"""
+Decorators para views funcionais
+"""
+
+from functools import wraps
+from django.http import JsonResponse
+from .models import SharedToken, SharedUser, SharedOrganization
+
+
+def require_auth(view_func):
+    """
+    Decorator que requer autenticação
+
+    Usage:
+        @require_auth
+        def my_view(request):
+            return JsonResponse({'user': request.user.email})
+    """
+
+    @wraps(view_func)
+    def wrapped_view(request, *args, **kwargs):
+        # Extrair token
+        token = _get_token_from_request(request)
+
+        if not token:
+            return JsonResponse({"error": "Token não fornecido"}, status=401)
+
+        # Validar token
+        try:
+            token_obj = SharedToken.objects.using("auth_db").get(key=token)
+            user = SharedUser.objects.using("auth_db").get(pk=token_obj.user_id)
+
+            if not user.is_active or user.deleted_at is not None:
+                return JsonResponse({"error": "Usuário inativo"}, status=401)
+
+            request.user = user
+            request.auth = token_obj
+
+        except (SharedToken.DoesNotExist, SharedUser.DoesNotExist):
+            return JsonResponse({"error": "Token inválido"}, status=401)
+
+        return view_func(request, *args, **kwargs)
+
+    return wrapped_view
+
+
+def require_organization(view_func):
+    """
+    Decorator que requer organização ativa
+    """
+
+    @wraps(view_func)
+    @require_auth
+    def wrapped_view(request, *args, **kwargs):
+        if (
+            not hasattr(request.user, "logged_organization_id")
+            or not request.user.logged_organization_id
+        ):
+            return JsonResponse({"error": "Organização não definida"}, status=403)
+
+        # Buscar organização
+        try:
+            org = SharedOrganization.objects.using("auth_db").get(
+                pk=request.user.logged_organization_id
+            )
+
+            if not org.is_active():
+                return JsonResponse({"error": "Organização inativa"}, status=403)
+
+            request.organization = org
+
+        except SharedOrganization.DoesNotExist:
+            return JsonResponse({"error": "Organização não encontrada"}, status=404)
+
+        return view_func(request, *args, **kwargs)
+
+    return wrapped_view
+
+
+def require_same_organization(view_func):
+    """
+    Decorator que verifica se objeto pertence à mesma organização
+
+    O objeto deve estar em kwargs['pk'] ou kwargs['id']
+    """
+
+    @wraps(view_func)
+    @require_organization
+    def wrapped_view(request, *args, **kwargs):
+        obj_id = kwargs.get("pk") or kwargs.get("id")
+
+        if not obj_id:
+            return view_func(request, *args, **kwargs)
+
+        # Aqui você precisa buscar o objeto e verificar
+        # Exemplo genérico - adapte conforme seu model
+        from django.apps import apps
+
+        # Tentar identificar o model pelo path
+        # Esta é uma implementação básica
+        # Em produção, você pode passar o model como parâmetro
+
+        return view_func(request, *args, **kwargs)
+
+    return wrapped_view
+
+
+def _get_token_from_request(request):
+    """Helper para extrair token"""
+    auth_header = request.META.get("HTTP_AUTHORIZATION", "")
+    if auth_header.startswith("Token "):
+        return auth_header.split(" ")[1]
+
+    token = request.META.get("HTTP_X_AUTH_TOKEN")
+    if token:
+        return token
+
+    token = request.COOKIES.get("auth_token")
+    if token:
+        return token
+
+    return None

shared_auth/middleware.py

@@ -0,0 +1,207 @@
+"""
+Middlewares para autenticação compartilhada
+"""
+
+from django.utils.deprecation import MiddlewareMixin
+from django.http import JsonResponse
+
+from . import SharedMember
+from .authentication import SharedTokenAuthentication
+from .models import SharedToken, SharedUser, SharedOrganization
+
+
+class SharedAuthMiddleware(MiddlewareMixin):
+    """
+    Middleware que autentica usuário baseado no token do header
+
+    Usage em settings.py:
+        MIDDLEWARE = [
+            ...
+            'shared_auth.middleware.SharedAuthMiddleware',
+        ]
+
+    O middleware busca o token em:
+    - Header: Authorization: Token <token>
+    - Header: X-Auth-Token: <token>
+    - Cookie: auth_token
+    """
+
+    def process_request(self, request):
+        # Caminhos que não precisam de autenticação
+        exempt_paths = getattr(
+            request,
+            "auth_exempt_paths",
+            [
+                "/api/auth/login/",
+                "/api/auth/register/",
+                "/health/",
+                "/static/",
+            ],
+        )
+
+        if any(request.path.startswith(path) for path in exempt_paths):
+            return None
+
+        # Extrair token
+        token = self._get_token_from_request(request)
+
+        if not token:
+            request.user = None
+            request.auth = None
+            return None
+
+        # Validar token e buscar usuário
+        try:
+            token_obj = SharedToken.objects.using("auth_db").get(key=token)
+            user = SharedUser.objects.using("auth_db").get(pk=token_obj.user_id)
+
+            if not user.is_active or user.deleted_at is not None:
+                request.user = None
+                request.auth = None
+                return None
+
+            # Adicionar ao request
+            request.user = user
+            request.auth = token_obj
+
+        except (SharedToken.DoesNotExist, SharedUser.DoesNotExist):
+            request.user = None
+            request.auth = None
+
+        return None
+
+    def _get_token_from_request(self, request):
+        """Extrai token do request"""
+        # Header: Authorization: Token <token>
+        auth_header = request.META.get("HTTP_AUTHORIZATION", "")
+        if auth_header.startswith("Token "):
+            return auth_header.split(" ")[1]
+
+        # Header: X-Auth-Token
+        token = request.META.get("HTTP_X_AUTH_TOKEN")
+        if token:
+            return token
+
+        # Cookie
+        token = request.COOKIES.get("auth_token")
+        if token:
+            return token
+
+        return None
+
+
+class RequireAuthMiddleware(MiddlewareMixin):
+    """
+    Middleware que FORÇA autenticação em todas as rotas
+    Retorna 401 se não estiver autenticado
+
+    Usage em settings.py:
+        MIDDLEWARE = [
+            'shared_auth.middleware.SharedAuthMiddleware',
+            'shared_auth.middleware.RequireAuthMiddleware',
+        ]
+    """
+
+    def process_request(self, request):
+        # Caminhos públicos
+        public_paths = getattr(
+            request,
+            "public_paths",
+            [
+                "/api/auth/",
+                "/health/",
+                "/docs/",
+                "/static/",
+            ],
+        )
+
+        if any(request.path.startswith(path) for path in public_paths):
+            return None
+
+        # Verificar se está autenticado
+        if not hasattr(request, "user") or request.user is None:
+            return JsonResponse(
+                {
+                    "error": "Autenticação necessária",
+                    "detail": "Token não fornecido ou inválido",
+                },
+                status=401,
+            )
+
+        return None
+
+
+class OrganizationMiddleware(MiddlewareMixin):
+    """
+    Middleware que adiciona organização logada ao request
+
+    Adiciona:
+    - request.organization (objeto SharedOrganization)
+    """
+
+    def process_request(self, request) -> None:
+        ip = request.META.get("HTTP_X_FORWARDED_FOR")
+        if ip:
+            ip = ip.split(",")[0]
+        else:
+            ip = request.META.get("REMOTE_ADDR")
+
+        organization_id = self._determine_organization_id(request)
+        user = self._authenticate_user(request)
+
+        if organization_id and user:
+            organization_id = self._validate_organization_membership(
+                user, organization_id
+            )
+            if not organization_id:
+                return
+
+        request.organization_id = organization_id
+        request.organization = SharedOrganization.objects.get_or_fail(organization_id)
+
+    @staticmethod
+    def _authenticate_user(request):
+        data = SharedTokenAuthentication().authenticate(request)
+
+        return data[0] if data else None
+
+    def _determine_organization_id(self, request):
+        org_id = self._get_organization_from_header(request)
+        if org_id:
+            return org_id
+
+        return self._get_organization_from_user(request)
+    @staticmethod
+    def _get_organization_from_header(request):
+        if header_value := request.headers.get("X-Organization"):
+            try:
+                return int(header_value)
+            except (ValueError, TypeError):
+                pass
+        return None
+    @staticmethod
+    def _get_organization_from_user(request):
+        if not request.user.is_authenticated:
+            return None
+
+        if (
+            hasattr(request.user, "logged_organization")
+            and request.user.logged_organization
+        ):
+            return request.user.logged_organization.id
+
+        return None
+    @staticmethod
+    def _validate_organization_membership(
+        user, organization_id
+    ):
+        try:
+            member = get_member(user, organization_id)
+            if not member and not user.is_superuser:
+                return None
+            return organization_id
+        except Exception:
+            return None
+
+def get_member(user, organization_id):
+    return SharedMember.objects.filter(user_id=user.pk, organization_id=organization_id).first()

shared_auth/mixins.py

@@ -3,6 +3,10 @@ Mixins para facilitar a criação de models com referências ao sistema de auth
 """
 
 from django.db import models
+from rest_framework import viewsets, status
+from rest_framework.response import Response
+
+from shared_auth.managers import BaseAuthManager
 
 
 class OrganizationMixin(models.Model):
@@ -26,7 +30,7 @@ class OrganizationMixin(models.Model):
     organization_id = models.IntegerField(
         db_index=True, help_text="ID da organização no sistema de autenticação"
     )
-
+    objects = BaseAuthManager()
     class Meta:
         abstract = True
         indexes = [
@@ -89,7 +93,7 @@ class UserMixin(models.Model):
     user_id = models.IntegerField(
         db_index=True, help_text="ID do usuário no sistema de autenticação"
     )
-
+    objects = BaseAuthManager()
     class Meta:
         abstract = True
         indexes = [
@@ -188,6 +192,62 @@ class OrganizationUserMixin(OrganizationMixin, UserMixin):
             .exists()
         )
 
+class LoggedOrganizationMixin(viewsets.ModelViewSet):
+    """
+    Mixin para ViewSets que dependem de uma organização logada.
+    Integra com a lib maquinaweb-shared-auth.
+    """
+
+    def get_organization_id(self):
+        """Obtém o ID da organização logada via maquinaweb-shared-auth"""
+        return self.request.organization_id
+
+    def get_user(self):
+        """Obtém o usuário atual autenticado"""
+        return self.request.user
+
+    def check_logged_organization(self):
+        """Verifica se há uma organização logada"""
+        return self.get_organization_id() is not None
+
+    def require_logged_organization(self):
+        """Retorna erro se não houver organização logada"""
+        if not self.check_logged_organization():
+            return Response(
+                {
+                    "detail": "Nenhuma organização logada. Defina uma organização antes de continuar."
+                },
+                status=status.HTTP_403_FORBIDDEN,
+            )
+        return None
+
+    def get_queryset(self):
+        """Filtra os objetos pela organização logada, se aplicável"""
+        queryset = super().get_queryset()
+
+        response = self.require_logged_organization()
+        if response:
+            return queryset.none()
+
+        organization_id = self.get_organization_id()
+        if hasattr(queryset.model, "organization_id"):
+            return queryset.filter(organization_id=organization_id)
+        elif hasattr(queryset.model, "organization"):
+            return queryset.filter(organization_id=organization_id)
+        return queryset
+
+    def perform_create(self, serializer):
+        """Define a organização automaticamente ao criar um objeto"""
+        response = self.require_logged_organization()
+        if response:
+            return response
+
+        organization_id = self.get_organization_id()
+
+        if "organization" in serializer.fields:
+            serializer.save(organization_id=organization_id)
+        else:
+            serializer.save()
 
 class TimestampedMixin(models.Model):
     """

shared_auth/models.py

@@ -12,6 +12,41 @@ from .managers import (
 )
 
 
+class SharedToken(models.Model):
+    """
+    Model READ-ONLY da tabela authtoken_token
+    Usado para validar tokens em outros sistemas
+    """
+
+    key = models.CharField(max_length=40, primary_key=True)
+    user_id = models.IntegerField()
+    created = models.DateTimeField()
+
+    objects = models.Manager()
+
+    class Meta:
+        managed = False
+        db_table = "authtoken_token"
+        app_label = "shared_auth"
+
+    def __str__(self):
+        return self.key
+
+    @property
+    def user(self):
+        """Acessa usuário do token"""
+        if not hasattr(self, "_cached_user"):
+            self._cached_user = SharedUser.objects.using("auth_db").get_or_fail(
+                self.user_id
+            )
+        return self._cached_user
+
+    def is_valid(self):
+        """Verifica se token ainda é válido"""
+        # Implementar lógica de expiração se necessário
+        return True
+
+
 class SharedOrganization(models.Model):
     """
     Model READ-ONLY da tabela organization

shared_auth/permissions.py

@@ -0,0 +1,86 @@
+"""
+Permissões customizadas para DRF
+"""
+
+from rest_framework import permissions
+
+
+class IsAuthenticated(permissions.BasePermission):
+    """
+    Verifica se usuário está autenticado via SharedToken
+    """
+
+    message = "Autenticação necessária."
+
+    def has_permission(self, request, view):
+        return bool(
+            request.user and hasattr(request.user, "pk") and request.user.is_active
+        )
+
+
+class HasActiveOrganization(permissions.BasePermission):
+    """
+    Verifica se usuário tem organização ativa
+    """
+
+    message = "Organização ativa necessária."
+
+    def has_permission(self, request, view):
+        if not request.user or not hasattr(request.user, "logged_organization_id"):
+            return False
+
+        if not request.user.logged_organization_id:
+            return False
+
+        # Verificar se organização está ativa
+        from .models import SharedOrganization
+
+        try:
+            org = SharedOrganization.objects.using("auth_db").get(
+                pk=request.user.logged_organization_id
+            )
+            return org.is_active()
+        except SharedOrganization.DoesNotExist:
+            return False
+
+
+class IsSameOrganization(permissions.BasePermission):
+    """
+    Verifica se o objeto pertence à mesma organização do usuário
+
+    O model deve ter organization_id
+    """
+
+    message = "Você não tem permissão para acessar este recurso."
+
+    def has_object_permission(self, request, view, obj):
+        if not hasattr(request.user, "logged_organization_id"):
+            return False
+
+        if not hasattr(obj, "organization_id"):
+            return True  # Se objeto não tem org, permite
+
+        return obj.organization_id == request.user.logged_organization_id
+
+
+class IsOwnerOrSameOrganization(permissions.BasePermission):
+    """
+    Verifica se é o dono do objeto OU da mesma organização
+
+    O model deve ter user_id e/ou organization_id
+    """
+
+    message = "Você não tem permissão para acessar este recurso."
+
+    def has_object_permission(self, request, view, obj):
+        # Verificar se é o dono
+        if hasattr(obj, "user_id") and obj.user_id == request.user.pk:
+            return True
+
+        # Verificar se é da mesma organização
+        if hasattr(obj, "organization_id") and hasattr(
+            request.user, "logged_organization_id"
+        ):
+            return obj.organization_id == request.user.logged_organization_id
+
+        return False

shared_auth/router.py

@@ -0,0 +1,22 @@
+class SharedAuthRouter:
+    """
+    Direciona queries dos models compartilhados para o banco correto
+    """
+
+    route_app_labels = {"shared_auth"}
+
+    def db_for_read(self, model, **hints):
+        if model._meta.app_label in self.route_app_labels:
+            return "auth_db"
+        return None
+
+    def db_for_write(self, model, **hints):
+        if model._meta.app_label in self.route_app_labels:
+            return None
+        return None
+
+    def allow_migrate(self, db, app_label, model_name=None, **hints):
+        """Bloqueia migrations"""
+        if app_label in self.route_app_labels:
+            return False
+        return None

maquinaweb_shared_auth-0.1.2.dist-info/RECORD

@@ -1,12 +0,0 @@
-shared_auth/__init__.py,sha256=WbDmRRdOp0nn5I_ksYjhAa2HRtXe0wxtGY6qnaiPlB8,397
-shared_auth/conf.py,sha256=-jdnCokMvWvVKllfsxNYCsPk1Vo3MDRq4Y1MsO16oeA,411
-shared_auth/exceptions.py,sha256=eiII-REupK6GeFinisteYO3FsGUDAN5zAajXPhTREm8,404
-shared_auth/fields.py,sha256=RAcmFh1D_nkbai_7t_OrPZhfhAipesy5kKnEj4LUvvM,1254
-shared_auth/managers.py,sha256=NfMhsAFuVmo8MUY2fveB_xVAT5_67nlkVOXS_C8bhew,6920
-shared_auth/mixins.py,sha256=fl7h5IWPXtrdzqXJUe8L1cPjYBjwOkQZ6Rs-ZG1iUJw,5334
-shared_auth/models.py,sha256=gwJ9jCCJ-W21G0D-dcHjlYuKDv8GOwgosNj9QA_aMew,6094
-shared_auth/serializers.py,sha256=TDpuZVsOL-6igINSOOOyELWbTUeet4XWRoBkvcMGjW4,4290
-maquinaweb_shared_auth-0.1.2.dist-info/METADATA,sha256=qc3CdNSkNNOOF02f4Qm2B5H9USLzNvY5z_D9rN6gIdA,27153
-maquinaweb_shared_auth-0.1.2.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-maquinaweb_shared_auth-0.1.2.dist-info/top_level.txt,sha256=msyYRy02ZV7zz7GR1raUI5LXGFIFn2TIkgkeKZqKufE,12
-maquinaweb_shared_auth-0.1.2.dist-info/RECORD,,