PyPI - mdb-engine - Versions diffs - 0.1.6__py3-none-any.whl → 0.2.0__py3-none-any.whl - Mend

mdb-engine 0.1.6py3-none-any.whl → 0.2.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (87) hide show

mdb_engine/__init__.py +104 -11
mdb_engine/auth/ARCHITECTURE.md +112 -0
mdb_engine/auth/README.md +648 -11
mdb_engine/auth/__init__.py +136 -29
mdb_engine/auth/audit.py +592 -0
mdb_engine/auth/base.py +252 -0
mdb_engine/auth/casbin_factory.py +264 -69
mdb_engine/auth/config_helpers.py +7 -6
mdb_engine/auth/cookie_utils.py +3 -7
mdb_engine/auth/csrf.py +373 -0
mdb_engine/auth/decorators.py +3 -10
mdb_engine/auth/dependencies.py +47 -50
mdb_engine/auth/helpers.py +3 -3
mdb_engine/auth/integration.py +53 -80
mdb_engine/auth/jwt.py +2 -6
mdb_engine/auth/middleware.py +77 -34
mdb_engine/auth/oso_factory.py +18 -38
mdb_engine/auth/provider.py +270 -171
mdb_engine/auth/rate_limiter.py +504 -0
mdb_engine/auth/restrictions.py +8 -24
mdb_engine/auth/session_manager.py +14 -29
mdb_engine/auth/shared_middleware.py +600 -0
mdb_engine/auth/shared_users.py +759 -0
mdb_engine/auth/token_store.py +14 -28
mdb_engine/auth/users.py +54 -113
mdb_engine/auth/utils.py +213 -15
mdb_engine/cli/commands/generate.py +545 -9
mdb_engine/cli/commands/validate.py +3 -7
mdb_engine/cli/utils.py +3 -3
mdb_engine/config.py +7 -21
mdb_engine/constants.py +65 -0
mdb_engine/core/README.md +117 -6
mdb_engine/core/__init__.py +39 -7
mdb_engine/core/app_registration.py +22 -41
mdb_engine/core/app_secrets.py +290 -0
mdb_engine/core/connection.py +18 -9
mdb_engine/core/encryption.py +223 -0
mdb_engine/core/engine.py +1057 -93
mdb_engine/core/index_management.py +12 -16
mdb_engine/core/manifest.py +459 -150
mdb_engine/core/ray_integration.py +435 -0
mdb_engine/core/seeding.py +10 -18
mdb_engine/core/service_initialization.py +12 -23
mdb_engine/core/types.py +2 -5
mdb_engine/database/README.md +140 -17
mdb_engine/database/__init__.py +17 -6
mdb_engine/database/abstraction.py +25 -37
mdb_engine/database/connection.py +11 -18
mdb_engine/database/query_validator.py +367 -0
mdb_engine/database/resource_limiter.py +204 -0
mdb_engine/database/scoped_wrapper.py +713 -196
mdb_engine/dependencies.py +426 -0
mdb_engine/di/__init__.py +34 -0
mdb_engine/di/container.py +248 -0
mdb_engine/di/providers.py +205 -0
mdb_engine/di/scopes.py +139 -0
mdb_engine/embeddings/README.md +54 -24
mdb_engine/embeddings/__init__.py +31 -24
mdb_engine/embeddings/dependencies.py +37 -154
mdb_engine/embeddings/service.py +11 -25
mdb_engine/exceptions.py +92 -0
mdb_engine/indexes/README.md +30 -13
mdb_engine/indexes/__init__.py +1 -0
mdb_engine/indexes/helpers.py +1 -1
mdb_engine/indexes/manager.py +50 -114
mdb_engine/memory/README.md +2 -2
mdb_engine/memory/__init__.py +1 -2
mdb_engine/memory/service.py +30 -87
mdb_engine/observability/README.md +4 -2
mdb_engine/observability/__init__.py +26 -9
mdb_engine/observability/health.py +8 -9
mdb_engine/observability/metrics.py +32 -12
mdb_engine/repositories/__init__.py +34 -0
mdb_engine/repositories/base.py +325 -0
mdb_engine/repositories/mongo.py +233 -0
mdb_engine/repositories/unit_of_work.py +166 -0
mdb_engine/routing/README.md +1 -1
mdb_engine/routing/__init__.py +1 -3
mdb_engine/routing/websockets.py +25 -60
mdb_engine-0.2.0.dist-info/METADATA +313 -0
mdb_engine-0.2.0.dist-info/RECORD +96 -0
mdb_engine-0.1.6.dist-info/METADATA +0 -213
mdb_engine-0.1.6.dist-info/RECORD +0 -75
{mdb_engine-0.1.6.dist-info → mdb_engine-0.2.0.dist-info}/WHEEL +0 -0
{mdb_engine-0.1.6.dist-info → mdb_engine-0.2.0.dist-info}/entry_points.txt +0 -0
{mdb_engine-0.1.6.dist-info → mdb_engine-0.2.0.dist-info}/licenses/LICENSE +0 -0
{mdb_engine-0.1.6.dist-info → mdb_engine-0.2.0.dist-info}/top_level.txt +0 -0

mdb_engine/auth/integration.py CHANGED Viewed

@@ -12,9 +12,12 @@ from typing import Any, Dict, Optional
 from fastapi import FastAPI
-from .config_defaults import (CORS_DEFAULTS, OBSERVABILITY_DEFAULTS,
-                              SECURITY_CONFIG_DEFAULTS,
-                              TOKEN_MANAGEMENT_DEFAULTS)
+from .config_defaults import (
+    CORS_DEFAULTS,
+    OBSERVABILITY_DEFAULTS,
+    SECURITY_CONFIG_DEFAULTS,
+    TOKEN_MANAGEMENT_DEFAULTS,
+)
 from .config_helpers import merge_config_with_defaults
 from .helpers import initialize_token_management
@@ -45,8 +48,7 @@ def _has_cors_middleware(app: FastAPI) -> bool:
                 middleware_cls = middleware[0]
                 # Check if it's CORSMiddleware or a subclass
                 if middleware_cls == CORSMiddleware or (
-                    hasattr(middleware_cls, "__name__")
-                    and "CORS" in middleware_cls.__name__
+                    hasattr(middleware_cls, "__name__") and "CORS" in middleware_cls.__name__
                 ):
                     return True
         return False
@@ -131,18 +133,12 @@ async def _setup_authorization_provider(
         try:
             from .casbin_factory import initialize_casbin_from_manifest
-            authz_provider = await initialize_casbin_from_manifest(
-                engine, slug_id, config
-            )
+            authz_provider = await initialize_casbin_from_manifest(engine, slug_id, config)
             if authz_provider:
                 app.state.authz_provider = authz_provider
-                logger.info(
-                    f"Authorization provider (Casbin) auto-created for {slug_id}"
-                )
+                logger.info(f"Authorization provider (Casbin) auto-created for {slug_id}")
             else:
-                logger.debug(
-                    f"Casbin provider not created for {slug_id} (may not be installed)"
-                )
+                logger.debug(f"Casbin provider not created for {slug_id} (may not be installed)")
         except (
             ImportError,
             AttributeError,
@@ -160,9 +156,7 @@ async def _setup_authorization_provider(
             authz_provider = await initialize_oso_from_manifest(engine, slug_id, config)
             if authz_provider:
                 app.state.authz_provider = authz_provider
-                logger.info(
-                    f"✅ Authorization provider (OSO Cloud) auto-created for {slug_id}"
-                )
+                logger.info(f"✅ Authorization provider (OSO Cloud) auto-created for {slug_id}")
             else:
                 logger.error(
                     f"❌ OSO Cloud provider not created for {slug_id}. "
@@ -187,9 +181,7 @@ async def _setup_authorization_provider(
         logger.info(f"Custom provider specified for {slug_id} - manual setup required")
-async def _setup_demo_users(
-    app: FastAPI, engine, slug_id: str, config: Dict[str, Any]
-) -> list:
+async def _setup_demo_users(app: FastAPI, engine, slug_id: str, config: Dict[str, Any]) -> list:
     """Set up demo users and link with OSO roles if applicable."""
     auth = config.get("auth", {})
     users_config = auth.get("users", {})
@@ -260,9 +252,7 @@ async def _setup_demo_users(
             f"Demo user creation disabled for {slug_id} (demo_user_seed_strategy: disabled)"
         )
     elif seed_strategy == "manual":
-        logger.debug(
-            f"Demo user creation set to manual for {slug_id} - skipping auto-creation"
-        )
+        logger.debug(f"Demo user creation set to manual for {slug_id} - skipping auto-creation")
     # Link demo users with OSO initial_roles if auth provider is OSO
     if hasattr(app.state, "authz_provider") and demo_users:
@@ -283,14 +273,30 @@ async def _setup_demo_users(
                         if role_assignment.get("user") == user_email:
                             role = role_assignment.get("role")
                             resource = role_assignment.get("resource", "documents")
+                            # Check if provider is Casbin (uses email as subject for initial_roles)
+                            is_casbin = hasattr(app.state.authz_provider, "_enforcer")
                             try:
-                                await app.state.authz_provider.add_role_for_user(
-                                    user_email, role, resource
-                                )
-                                logger.info(
-                                    f"✅ Assigned role '{role}' on resource '{resource}' "
-                                    f"to demo user '{user_email}' for {slug_id}"
-                                )
+                                if is_casbin:
+                                    # For Casbin, use email as subject to match initial_roles format
+                                    # This ensures consistency with how initial_roles are set up
+                                    await app.state.authz_provider.add_role_for_user(
+                                        user_email, role
+                                    )
+                                    logger.info(
+                                        f"✅ Assigned Casbin role '{role}' "
+                                        f"to demo user '{user_email}' for {slug_id}"
+                                    )
+                                else:
+                                    # For OSO, use email, role, resource
+                                    await app.state.authz_provider.add_role_for_user(
+                                        user_email, role, resource
+                                    )
+                                    logger.info(
+                                        f"✅ Assigned role '{role}' on resource '{resource}' "
+                                        f"to demo user '{user_email}' for {slug_id}"
+                                    )
                             except (
                                 ValueError,
                                 TypeError,
@@ -324,15 +330,13 @@ async def _setup_token_management(
     """Initialize token management (blacklist and session manager)."""
     if token_management.get("auto_setup", True):
         try:
-            db = engine.get_database()
+            db = engine.get_scoped_db(slug_id)
             await initialize_token_management(app, db)
             # Configure session fingerprinting if session manager exists
             session_mgr = getattr(app.state, "session_manager", None)
             if session_mgr:
-                fingerprinting_config = app.state.security_config.get(
-                    "session_fingerprinting", {}
-                )
+                fingerprinting_config = app.state.security_config.get("session_fingerprinting", {})
                 session_mgr.configure_fingerprinting(
                     enabled=fingerprinting_config.get("enabled", True),
                     strict=fingerprinting_config.get("strict_mode", False),
@@ -355,9 +359,7 @@ async def _setup_security_middleware(
     app: FastAPI, slug_id: str, security_config: Dict[str, Any]
 ) -> None:
     """Set up security middleware (if not already added)."""
-    if security_config.get("csrf_protection", True) or security_config.get(
-        "require_https", False
-    ):
+    if security_config.get("csrf_protection", True) or security_config.get("require_https", False):
         try:
             from .middleware import SecurityMiddleware
@@ -384,9 +386,7 @@ async def _setup_security_middleware(
                         f"This is normal when using lifespan context managers."
                     )
                 else:
-                    logger.warning(
-                        f"Could not set up security middleware for {slug_id}: {e}"
-                    )
+                    logger.warning(f"Could not set up security middleware for {slug_id}: {e}")
         except (AttributeError, TypeError, ValueError, RuntimeError, ImportError) as e:
             logger.warning(f"Could not set up security middleware for {slug_id}: {e}")
@@ -409,9 +409,7 @@ async def _setup_cors_and_observability(
     app.state.cors_config = merge_config_with_defaults(cors_config, CORS_DEFAULTS)
     # Extract and store observability config
-    observability_config = (
-        manifest_data.get("observability", {}) if manifest_data else {}
-    )
+    observability_config = manifest_data.get("observability", {}) if manifest_data else {}
     app.state.observability_config = merge_config_with_defaults(
         observability_config, OBSERVABILITY_DEFAULTS
     )
@@ -421,9 +419,7 @@ async def _setup_cors_and_observability(
         try:
             # Check if CORS middleware already exists to avoid duplication
             if _has_cors_middleware(app):
-                logger.debug(
-                    f"CORS middleware already exists for {slug_id}, skipping addition"
-                )
+                logger.debug(f"CORS middleware already exists for {slug_id}, skipping addition")
             else:
                 from fastapi.middleware.cors import CORSMiddleware
@@ -431,44 +427,29 @@ async def _setup_cors_and_observability(
                     try:
                         app.add_middleware(
                             CORSMiddleware,
-                            allow_origins=app.state.cors_config.get(
-                                "allow_origins", ["*"]
-                            ),
-                            allow_credentials=app.state.cors_config.get(
-                                "allow_credentials", False
-                            ),
+                            allow_origins=app.state.cors_config.get("allow_origins", ["*"]),
+                            allow_credentials=app.state.cors_config.get("allow_credentials", False),
                             allow_methods=app.state.cors_config.get(
                                 "allow_methods",
                                 ["GET", "POST", "PUT", "DELETE", "PATCH"],
                             ),
-                            allow_headers=app.state.cors_config.get(
-                                "allow_headers", ["*"]
-                            ),
-                            expose_headers=app.state.cors_config.get(
-                                "expose_headers", []
-                            ),
+                            allow_headers=app.state.cors_config.get("allow_headers", ["*"]),
+                            expose_headers=app.state.cors_config.get("expose_headers", []),
                             max_age=app.state.cors_config.get("max_age", 3600),
                         )
                         logger.info(f"CORS middleware added for {slug_id}")
                     except (RuntimeError, ValueError) as e:
                         error_msg = str(e).lower()
-                        if (
-                            "cannot add middleware" in error_msg
-                            or "middleware" in error_msg
-                        ):
+                        if "cannot add middleware" in error_msg or "middleware" in error_msg:
                             logger.debug(
                                 f"CORS middleware not added for {slug_id} - "
                                 f"app middleware stack already initialized. "
                                 f"This is normal when using lifespan context managers."
                             )
                         else:
-                            logger.warning(
-                                f"Could not set up CORS middleware for {slug_id}: {e}"
-                            )
+                            logger.warning(f"Could not set up CORS middleware for {slug_id}: {e}")
                 else:
-                    logger.warning(
-                        f"CORS middleware not added for {slug_id} - app already started"
-                    )
+                    logger.warning(f"CORS middleware not added for {slug_id} - app already started")
         except (AttributeError, TypeError, ValueError, RuntimeError, ImportError) as e:
             logger.warning(f"Could not set up CORS middleware for {slug_id}: {e}")
@@ -480,9 +461,7 @@ async def _setup_cors_and_observability(
             from .middleware import StaleSessionMiddleware
             try:
-                app.add_middleware(
-                    StaleSessionMiddleware, slug_id=slug_id, engine=engine
-                )
+                app.add_middleware(StaleSessionMiddleware, slug_id=slug_id, engine=engine)
                 logger.info(f"Stale session cleanup middleware added for {slug_id}")
             except (RuntimeError, ValueError) as e:
                 error_msg = str(e).lower()
@@ -493,13 +472,9 @@ async def _setup_cors_and_observability(
                         f"This is normal when using lifespan context managers."
                     )
                 else:
-                    logger.warning(
-                        f"Could not set up stale session middleware for {slug_id}: {e}"
-                    )
+                    logger.warning(f"Could not set up stale session middleware for {slug_id}: {e}")
         except (AttributeError, TypeError, ValueError, RuntimeError, ImportError) as e:
-            logger.warning(
-                f"Could not set up stale session middleware for {slug_id}: {e}"
-            )
+            logger.warning(f"Could not set up stale session middleware for {slug_id}: {e}")
 async def setup_auth_from_manifest(app: FastAPI, engine, slug_id: str) -> bool:
@@ -572,7 +547,5 @@ async def setup_auth_from_manifest(app: FastAPI, engine, slug_id: str) -> bool:
         KeyError,
         ConnectionError,
     ) as e:
-        logger.error(
-            f"Error setting up auth from manifest for {slug_id}: {e}", exc_info=True
-        )
+        logger.error(f"Error setting up auth from manifest for {slug_id}: {e}", exc_info=True)
         return False

mdb_engine/auth/jwt.py CHANGED Viewed

@@ -164,9 +164,7 @@ def generate_token_pair(
         "jti": access_jti,
         "device_id": device_id,
     }
-    access_token = encode_jwt_token(
-        access_payload, secret_key, expires_in=access_token_ttl
-    )
+    access_token = encode_jwt_token(access_payload, secret_key, expires_in=access_token_ttl)
     # Generate refresh token
     refresh_jti = str(uuid.uuid4())
@@ -177,9 +175,7 @@ def generate_token_pair(
         "email": user_data.get("email"),
         "device_id": device_id,
     }
-    refresh_token = encode_jwt_token(
-        refresh_payload, secret_key, expires_in=refresh_token_ttl
-    )
+    refresh_token = encode_jwt_token(refresh_payload, secret_key, expires_in=refresh_token_ttl)
     # Token metadata
     token_metadata = {

mdb_engine/auth/middleware.py CHANGED Viewed

@@ -4,12 +4,18 @@ Security Middleware
 Middleware for enforcing security settings from manifest configuration.
 This module is part of MDB_ENGINE - MongoDB Engine.
+Security Features:
+    - HTTPS enforcement in production
+    - HSTS (HTTP Strict Transport Security) header
+    - Security headers (X-Content-Type-Options, X-Frame-Options, etc.)
+    - CSRF token generation (legacy, prefer CSRFMiddleware for new apps)
 """
 import logging
 import os
 import secrets
-from typing import Awaitable, Callable
+from typing import Any, Awaitable, Callable, Dict, Optional
 from fastapi import HTTPException, Request, Response, status
 from fastapi.responses import RedirectResponse
@@ -17,6 +23,18 @@ from starlette.middleware.base import BaseHTTPMiddleware
 logger = logging.getLogger(__name__)
+# Default HSTS settings
+DEFAULT_HSTS_MAX_AGE = 31536000  # 1 year in seconds
+def _is_production() -> bool:
+    """Check if we're running in production environment."""
+    return (
+        os.getenv("MDB_ENGINE_ENV", "").lower() == "production"
+        or os.getenv("ENVIRONMENT", "").lower() == "production"
+        or os.getenv("G_NOME_ENV", "").lower() == "production"
+    )
 class SecurityMiddleware(BaseHTTPMiddleware):
     """
@@ -24,9 +42,9 @@ class SecurityMiddleware(BaseHTTPMiddleware):
     Features:
     - HTTPS enforcement in production
-    - CSRF token generation and validation
-    - Security headers
-    - Token validation
+    - HSTS header for forcing HTTPS
+    - Security headers (X-Content-Type-Options, X-Frame-Options, etc.)
+    - Legacy CSRF token generation (prefer CSRFMiddleware for new apps)
     """
     def __init__(
@@ -35,6 +53,7 @@ class SecurityMiddleware(BaseHTTPMiddleware):
         require_https: bool = False,
         csrf_protection: bool = True,
         security_headers: bool = True,
+        hsts_config: Optional[Dict[str, Any]] = None,
     ):
         """
         Initialize security middleware.
@@ -42,38 +61,60 @@ class SecurityMiddleware(BaseHTTPMiddleware):
         Args:
             app: FastAPI application
             require_https: Require HTTPS in production (default: False, auto-detected)
-            csrf_protection: Enable CSRF protection (default: True)
+            csrf_protection: Enable legacy CSRF protection (default: True)
             security_headers: Add security headers (default: True)
+            hsts_config: HSTS configuration dict with keys:
+                - enabled: Enable HSTS (default: True in production)
+                - max_age: Max-age in seconds (default: 31536000)
+                - include_subdomains: Include subdomains (default: True)
+                - preload: Add preload directive (default: False)
         """
         super().__init__(app)
         self.require_https = require_https
         self.csrf_protection = csrf_protection
         self.security_headers = security_headers
+        # HSTS configuration
+        self.hsts_config = hsts_config or {}
+        self.hsts_enabled = self.hsts_config.get("enabled", True)
+        self.hsts_max_age = self.hsts_config.get("max_age", DEFAULT_HSTS_MAX_AGE)
+        self.hsts_include_subdomains = self.hsts_config.get("include_subdomains", True)
+        self.hsts_preload = self.hsts_config.get("preload", False)
+    def _build_hsts_header(self) -> str:
+        """Build the HSTS header value."""
+        parts = [f"max-age={self.hsts_max_age}"]
+        if self.hsts_include_subdomains:
+            parts.append("includeSubDomains")
+        if self.hsts_preload:
+            parts.append("preload")
+        return "; ".join(parts)
     async def dispatch(
         self, request: Request, call_next: Callable[[Request], Awaitable[Response]]
     ) -> Response:
         """
         Process request through security middleware.
         """
+        is_production = _is_production()
+        is_https = request.url.scheme == "https"
         # Check HTTPS requirement
-        if self.require_https:
-            is_production = (
-                os.getenv("G_NOME_ENV") == "production"
-                or os.getenv("ENVIRONMENT") == "production"
-            )
-            if is_production and request.url.scheme != "https":
-                if request.method == "GET":
-                    # Redirect to HTTPS
-                    https_url = str(request.url).replace("http://", "https://", 1)
-                    return RedirectResponse(url=https_url, status_code=301)
-                else:
-                    raise HTTPException(
-                        status_code=status.HTTP_403_FORBIDDEN,
-                        detail="HTTPS required in production",
-                    )
-        # Generate CSRF token if not present (for GET requests)
+        if self.require_https and is_production and not is_https:
+            if request.method == "GET":
+                # Redirect to HTTPS
+                https_url = str(request.url).replace("http://", "https://", 1)
+                return RedirectResponse(url=https_url, status_code=301)
+            else:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="HTTPS required in production",
+                )
+        # Generate CSRF token if not present (for GET requests) - legacy support
         if self.csrf_protection and request.method == "GET":
             csrf_token = request.cookies.get("csrf_token")
             if not csrf_token:
@@ -90,19 +131,27 @@ class SecurityMiddleware(BaseHTTPMiddleware):
             response.headers["X-XSS-Protection"] = "1; mode=block"
             response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+            # Permissions-Policy (modern replacement for some legacy headers)
+            response.headers["Permissions-Policy"] = (
+                "accelerometer=(), camera=(), geolocation=(), gyroscope=(), "
+                "magnetometer=(), microphone=(), payment=(), usb=()"
+            )
             # Content Security Policy (basic)
             if request.url.path.startswith("/api"):
                 response.headers["Content-Security-Policy"] = "default-src 'self'"
-        # Set CSRF token cookie if generated
+        # Add HSTS header in production (only over HTTPS or always if configured)
+        if self.hsts_enabled and (is_production or is_https):
+            response.headers["Strict-Transport-Security"] = self._build_hsts_header()
+        # Set CSRF token cookie if generated (legacy support)
         if (
             self.csrf_protection
             and request.method == "GET"
             and not request.cookies.get("csrf_token")
         ):
             csrf_token = secrets.token_urlsafe(32)
-            is_https = request.url.scheme == "https"
-            is_production = os.getenv("G_NOME_ENV") == "production"
             response.set_cookie(
                 key="csrf_token",
                 value=csrf_token,
@@ -154,10 +203,7 @@ class StaleSessionMiddleware(BaseHTTPMiddleware):
         # Check if we need to clear a stale session cookie
         # Only act if explicitly flagged - this ensures we don't interfere with
         # apps that don't use get_app_user()
-        if (
-            hasattr(request.state, "clear_stale_session")
-            and request.state.clear_stale_session
-        ):
+        if hasattr(request.state, "clear_stale_session") and request.state.clear_stale_session:
             try:
                 # Get cookie name from app config
                 cookie_name = None
@@ -197,8 +243,7 @@ class StaleSessionMiddleware(BaseHTTPMiddleware):
                 # Get cookie settings to match how it was set
                 should_use_secure = (
-                    request.url.scheme == "https"
-                    or os.getenv("G_NOME_ENV") == "production"
+                    request.url.scheme == "https" or os.getenv("G_NOME_ENV") == "production"
                 )
                 # Delete the stale cookie
@@ -208,9 +253,7 @@ class StaleSessionMiddleware(BaseHTTPMiddleware):
                     secure=should_use_secure,
                     samesite="lax",
                 )
-                logger.debug(
-                    f"Cleared stale session cookie '{cookie_name}' for {self.slug_id}"
-                )
+                logger.debug(f"Cleared stale session cookie '{cookie_name}' for {self.slug_id}")
             except (ValueError, TypeError, AttributeError, RuntimeError) as e:
                 # Don't fail the request if cookie cleanup fails
                 logger.warning(

mdb_engine/auth/oso_factory.py CHANGED Viewed

@@ -11,7 +11,7 @@ from __future__ import annotations
 import logging
 import os
-from typing import TYPE_CHECKING, Any, Dict, List, Optional
+from typing import TYPE_CHECKING, Any, Optional
 if TYPE_CHECKING:
     from .provider import OsoAdapter
@@ -46,13 +46,11 @@ async def create_oso_cloud_client(
     # Import OSO Cloud SDK - the class is named "Oso"
     try:
-        from oso_cloud import Oso
+        from oso_cloud import Oso  # type: ignore
         logger.debug("✅ Imported Oso from oso_cloud")
-    except ImportError:
-        raise ImportError(
-            "OSO Cloud SDK not installed. Install with: pip install oso-cloud"
-        )
+    except ImportError as e:
+        raise ImportError("OSO Cloud SDK not installed. Install with: pip install oso-cloud") from e
     # Get API key from parameter or environment
     if not api_key:
@@ -81,9 +79,7 @@ async def create_oso_cloud_client(
             # Note: OSO client creation doesn't actually connect to the server
             # The connection happens on first API call, so we'll catch errors then
-            logger.info(
-                f"✅ OSO Cloud client created successfully (URL: {url or 'default'})"
-            )
+            logger.info(f"✅ OSO Cloud client created successfully (URL: {url or 'default'})")
             if url:
                 logger.info(f"   Using OSO Dev Server at: {url}")
             return oso_client
@@ -118,8 +114,8 @@ async def create_oso_cloud_client(
 async def setup_initial_oso_facts(
     authz_provider: OsoAdapter,
-    initial_roles: Optional[List[Dict[str, Any]]] = None,
-    initial_policies: Optional[List[Dict[str, Any]]] = None,
+    initial_roles: Optional[list[dict[str, Any]]] = None,
+    initial_policies: Optional[list[dict[str, Any]]] = None,
 ) -> None:
     """
     Set up initial roles and policies in OSO Cloud.
@@ -137,28 +133,22 @@ async def setup_initial_oso_facts(
             try:
                 user = role_assignment.get("user")
                 role = role_assignment.get("role")
-                resource = role_assignment.get(
-                    "resource", "documents"
-                )  # Default to "documents"
+                resource = role_assignment.get("resource", "documents")  # Default to "documents"
                 if user and role:
                     # For OSO Cloud, we add has_role facts with resource context
                     # This supports resource-based authorization
                     await authz_provider.add_role_for_user(user, role, resource)
-                    logger.debug(
-                        f"Added role '{role}' for user '{user}' on resource '{resource}'"
-                    )
+                    logger.debug(f"Added role '{role}' for user '{user}' on resource '{resource}'")
             except (ValueError, TypeError, AttributeError, RuntimeError) as e:
-                logger.warning(
-                    f"Failed to add initial role assignment {role_assignment}: {e}"
-                )
+                logger.warning(f"Failed to add initial role assignment {role_assignment}: {e}")
     # Note: initial_policies are not used - we use has_role facts instead
     # The policy derives permissions from roles, not from explicit grants_permission facts
 async def initialize_oso_from_manifest(
-    engine, app_slug: str, auth_config: Dict[str, Any]
+    engine, app_slug: str, auth_config: dict[str, Any]
 ) -> Optional[OsoAdapter]:
     """
     Initialize OSO Cloud provider from manifest configuration.
@@ -181,9 +171,7 @@ async def initialize_oso_from_manifest(
         # Only proceed if provider is oso
         if provider != "oso":
-            logger.debug(
-                f"Provider is '{provider}', not 'oso' - skipping OSO initialization"
-            )
+            logger.debug(f"Provider is '{provider}', not 'oso' - skipping OSO initialization")
             return None
         logger.info(f"Initializing OSO Cloud provider for app '{app_slug}'...")
@@ -224,24 +212,18 @@ async def initialize_oso_from_manifest(
             try:
                 import asyncio
-                from oso_cloud import Value
+                from oso_cloud import Value  # type: ignore
                 # Try a simple test authorization to verify connection
                 test_actor = Value("User", "test")
                 test_resource = Value("Document", "test")
                 # This might fail, but it tests if the server is responding
-                await asyncio.to_thread(
-                    oso_client.authorize, test_actor, "read", test_resource
-                )
+                await asyncio.to_thread(oso_client.authorize, test_actor, "read", test_resource)
                 logger.debug("✅ OSO Dev Server connection test successful")
             except (TimeoutError, OSError, RuntimeError) as test_error:
                 # Type 2: Recoverable - connection test failed, check if it's a connection error
                 error_str = str(test_error).lower()
-                if (
-                    "connection" in error_str
-                    or "refused" in error_str
-                    or "timeout" in error_str
-                ):
+                if "connection" in error_str or "refused" in error_str or "timeout" in error_str:
                     logger.warning(
                         f"⚠️  OSO Dev Server connection test failed - "
                         f"server might not be ready: {test_error}"
@@ -289,9 +271,7 @@ async def initialize_oso_from_manifest(
                 )
                 logger.info("✅ Initial OSO facts set up successfully")
             except (ValueError, TypeError, AttributeError, RuntimeError) as e:
-                logger.warning(
-                    f"⚠️  Failed to set up initial OSO facts: {e}", exc_info=True
-                )
+                logger.warning(f"⚠️  Failed to set up initial OSO facts: {e}", exc_info=True)
                 # Continue anyway - adapter is still usable
         logger.info(f"✅ OSO Cloud provider initialized for app '{app_slug}'")
@@ -299,13 +279,13 @@ async def initialize_oso_from_manifest(
         return adapter
     except ImportError as e:
-        logger.error(
+        logger.exception(
             f"❌ OSO Cloud SDK not available for app '{app_slug}': {e}. "
             "Install with: pip install oso-cloud"
         )
         return None
     except ValueError as e:
-        logger.error(f"❌ OSO Cloud configuration error for app '{app_slug}': {e}")
+        logger.exception(f"❌ OSO Cloud configuration error for app '{app_slug}': {e}")
         return None
     except (
         ImportError,

mdb-engine 0.1.6__py3-none-any.whl → 0.2.0__py3-none-any.whl

mdb-engine 0.1.6py3-none-any.whl → 0.2.0py3-none-any.whl