PyPI - mdb-engine - Versions diffs - 0.1.7__py3-none-any.whl → 0.2.0__py3-none-any.whl - Mend

mdb-engine 0.1.7py3-none-any.whl → 0.2.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

mdb_engine/__init__.py +71 -10
mdb_engine/auth/ARCHITECTURE.md +112 -0
mdb_engine/auth/README.md +125 -11
mdb_engine/auth/__init__.py +7 -1
mdb_engine/auth/base.py +252 -0
mdb_engine/auth/casbin_factory.py +258 -59
mdb_engine/auth/dependencies.py +10 -5
mdb_engine/auth/integration.py +23 -7
mdb_engine/auth/oso_factory.py +2 -2
mdb_engine/auth/provider.py +263 -143
mdb_engine/core/engine.py +307 -6
mdb_engine/core/manifest.py +35 -15
mdb_engine/database/README.md +28 -1
mdb_engine/dependencies.py +426 -0
mdb_engine/di/__init__.py +34 -0
mdb_engine/di/container.py +248 -0
mdb_engine/di/providers.py +205 -0
mdb_engine/di/scopes.py +139 -0
mdb_engine/embeddings/README.md +54 -24
mdb_engine/embeddings/__init__.py +22 -23
mdb_engine/embeddings/dependencies.py +37 -152
mdb_engine/repositories/__init__.py +34 -0
mdb_engine/repositories/base.py +325 -0
mdb_engine/repositories/mongo.py +233 -0
mdb_engine/repositories/unit_of_work.py +166 -0
{mdb_engine-0.1.7.dist-info → mdb_engine-0.2.0.dist-info}/METADATA +42 -14
{mdb_engine-0.1.7.dist-info → mdb_engine-0.2.0.dist-info}/RECORD +31 -20
{mdb_engine-0.1.7.dist-info → mdb_engine-0.2.0.dist-info}/WHEEL +0 -0
{mdb_engine-0.1.7.dist-info → mdb_engine-0.2.0.dist-info}/entry_points.txt +0 -0
{mdb_engine-0.1.7.dist-info → mdb_engine-0.2.0.dist-info}/licenses/LICENSE +0 -0
{mdb_engine-0.1.7.dist-info → mdb_engine-0.2.0.dist-info}/top_level.txt +0 -0

mdb_engine/auth/casbin_factory.py CHANGED Viewed

@@ -16,14 +16,14 @@ from typing import TYPE_CHECKING, Any, Optional
 from .casbin_models import DEFAULT_RBAC_MODEL, SIMPLE_ACL_MODEL
 if TYPE_CHECKING:
-    import casbin
+    import casbin  # type: ignore
     from .provider import CasbinAdapter
 logger = logging.getLogger(__name__)
-def get_casbin_model(model_type: str = "rbac") -> str:
+async def get_casbin_model(model_type: str = "rbac") -> str:
     """
     Get Casbin model string by type or path.
@@ -39,16 +39,32 @@ def get_casbin_model(model_type: str = "rbac") -> str:
         return SIMPLE_ACL_MODEL
     else:
         # Assume it's a file path
+        # Try async file reading first, fallback to sync if not available
         model_path = Path(model_type)
         if model_path.exists():
-            return model_path.read_text()
+            try:
+                # Try async file reading (non-blocking)
+                import aiofiles
+                async with aiofiles.open(model_path, "r") as f:
+                    content = await f.read()
+                    logger.debug(f"Read model file asynchronously: {model_path}")
+                    return content
+            except ImportError:
+                # Fallback to sync read if aiofiles not available
+                # This is acceptable during startup initialization
+                logger.debug(
+                    "aiofiles not available, using sync file read (acceptable during startup)"
+                )
+                return model_path.read_text()
         else:
             logger.warning(f"Casbin model file not found: {model_type}, using default RBAC model")
             return DEFAULT_RBAC_MODEL
 async def create_casbin_enforcer(
-    db,
+    mongo_uri: str,
+    db_name: str,
     model: str = "rbac",
     policies_collection: str = "casbin_policies",
     default_roles: Optional[list] = None,
@@ -57,7 +73,8 @@ async def create_casbin_enforcer(
     Create a Casbin AsyncEnforcer with MongoDB adapter.
     Args:
-        db: Scoped MongoDB database instance (ScopedMongoWrapper)
+        mongo_uri: MongoDB connection URI string
+        db_name: MongoDB database name
         model: Casbin model type ("rbac", "acl") or path to model file
         policies_collection: MongoDB collection name for policies (will be app-scoped)
         default_roles: List of default roles to create (optional)
@@ -69,30 +86,94 @@ async def create_casbin_enforcer(
         ImportError: If casbin or casbin-motor-adapter is not installed
     """
     try:
-        import casbin
-        from casbin_motor_adapter import MotorAdapter
+        import casbin  # type: ignore
+        from casbin_motor_adapter import Adapter  # type: ignore
     except ImportError as e:
         raise ImportError(
             "Casbin dependencies not installed. Install with: pip install mdb-engine[casbin]"
         ) from e
-    # Get model string
-    model_str = get_casbin_model(model)
+    # Get model string (async)
+    model_str = await get_casbin_model(model)
     # Create MongoDB adapter
-    adapter = MotorAdapter(db, policies_collection)
+    # Try to pass policies_collection if supported by the adapter
+    logger.debug(
+        f"Creating Casbin MotorAdapter with URI: {mongo_uri[:50]}..., "
+        f"db_name: {db_name}, collection: {policies_collection}"
+    )
+    try:
+        # Try passing collection name as third parameter
+        try:
+            adapter = Adapter(mongo_uri, db_name, policies_collection)
+            logger.debug(
+                f"Casbin MotorAdapter created successfully with custom "
+                f"collection '{policies_collection}'"
+            )
+        except TypeError:
+            # Fallback: adapter doesn't support collection parameter, use default
+            logger.warning(
+                "Adapter doesn't support custom collection name, " "using default collection"
+            )
+            adapter = Adapter(mongo_uri, db_name)
+            logger.debug("Casbin MotorAdapter created successfully (using default collection)")
+    except (RuntimeError, ValueError, AttributeError, TypeError, ConnectionError):
+        logger.exception("Failed to create Casbin MotorAdapter")
+        raise
     # Create enforcer with model and adapter
-    enforcer = casbin.AsyncEnforcer()
-    await enforcer.set_model(casbin.new_model_from_string(model_str))
-    enforcer.set_adapter(adapter)
-    # Load policies from database
-    await enforcer.load_policy()
-    # Create default roles if specified
-    if default_roles:
-        await _create_default_roles(enforcer, default_roles)
+    # AsyncEnforcer can accept model string or Model object
+    logger.debug("Creating Casbin AsyncEnforcer with model and adapter...")
+    try:
+        logger.debug(f"Model string length: {len(model_str)} chars")
+        logger.debug(f"Adapter type: {type(adapter)}")
+        # Create Model object from string
+        model = casbin.Model()
+        model.load_model_from_text(model_str)
+        logger.debug(f"Model object created successfully, type: {type(model)}")
+        # Create enforcer with Model object and adapter
+        # AsyncEnforcer auto-loads by default (auto_load=True), so we don't need manual load
+        logger.debug("Calling casbin.AsyncEnforcer(model, adapter)...")
+        enforcer = casbin.AsyncEnforcer(model, adapter)
+        logger.debug("Enforcer created successfully")
+        # Check if policies were auto-loaded
+        # If auto_load is enabled (default), policies are already loaded
+        # Only manually load if auto_load was disabled
+        if not getattr(enforcer, "auto_load", True):
+            logger.debug("Auto-load disabled, manually loading policies...")
+            await enforcer.load_policy()
+            logger.debug("Policies loaded successfully")
+        else:
+            logger.debug("Policies auto-loaded by AsyncEnforcer constructor")
+    except (RuntimeError, ValueError, AttributeError, TypeError, OSError):
+        logger.exception("Failed to create or configure Casbin enforcer")
+        # Try alternative: use temp file approach
+        logger.info("Attempting alternative: using temporary model file...")
+        try:
+            import os
+            import tempfile
+            with tempfile.NamedTemporaryFile(mode="w", suffix=".conf", delete=False) as f:
+                f.write(model_str)
+                temp_model_path = f.name
+            try:
+                enforcer = casbin.AsyncEnforcer(temp_model_path, adapter)
+                logger.info("✅ Enforcer created successfully using temp model file")
+                # Clean up temp file
+                os.unlink(temp_model_path)
+            except (RuntimeError, ValueError, AttributeError, TypeError, OSError) as e2:
+                if os.path.exists(temp_model_path):
+                    os.unlink(temp_model_path)
+                logger.exception("Alternative approach also failed")
+                raise RuntimeError("Failed to create Casbin enforcer") from e2
+        except (OSError, RuntimeError) as e2:
+            logger.exception("Failed to try alternative approach")
+            raise RuntimeError("Failed to create Casbin enforcer") from e2
+    # Note: Removed default_roles creation - roles exist implicitly when assigned to users
     logger.info(
         f"Casbin enforcer created with model '{model}' and "
@@ -102,28 +183,8 @@ async def create_casbin_enforcer(
     return enforcer
-async def _create_default_roles(enforcer: casbin.AsyncEnforcer, roles: list) -> None:
-    """
-    Create default roles in Casbin (as grouping rules).
-    Args:
-        enforcer: Casbin AsyncEnforcer instance
-        roles: List of role names to create
-    """
-    for role in roles:
-        # Create a grouping rule: role -> role (self-reference for role existence)
-        # This ensures the role exists in the system
-        # Actual user-role assignments will be added when users are created
-        try:
-            # Check if role already exists
-            existing = await enforcer.get_roles_for_user(role)
-            if not existing:
-                # Add role as a self-grouping rule to ensure it exists
-                # This is a common pattern to "register" roles
-                await enforcer.add_grouping_policy(role, role)
-                logger.debug(f"Created default Casbin role: {role}")
-        except (AttributeError, TypeError, ValueError, RuntimeError) as e:
-            logger.warning(f"Error creating default role '{role}': {e}")
+# Removed _create_default_roles function - roles exist implicitly when assigned to users
+# No need to "create" roles beforehand with self-referencing policies
 async def initialize_casbin_from_manifest(
@@ -135,7 +196,7 @@ async def initialize_casbin_from_manifest(
     Args:
         engine: MongoDBEngine instance
         app_slug: App slug identifier
-        auth_config: Auth configuration dict from manifest (contains auth_policy)
+        auth_config: Full manifest config dict (contains auth.policy or auth_policy)
     Returns:
         CasbinAdapter instance if successfully created, None otherwise
@@ -143,40 +204,176 @@ async def initialize_casbin_from_manifest(
     try:
         from .provider import CasbinAdapter
-        auth_policy = auth_config.get("auth_policy", {})
+        # Support both old (auth_policy) and new (auth.policy) structures
+        auth = auth_config.get("auth", {})
+        auth_policy = auth.get("policy", {}) or auth_config.get("auth_policy", {})
         provider = auth_policy.get("provider", "casbin")
         # Only proceed if provider is casbin
         if provider != "casbin":
+            logger.debug(f"Provider is '{provider}', not 'casbin' - skipping Casbin initialization")
             return None
+        logger.info(f"Initializing Casbin provider for app '{app_slug}'...")
         # Get authorization config
         authorization = auth_policy.get("authorization", {})
         model = authorization.get("model", "rbac")
         policies_collection = authorization.get("policies_collection", "casbin_policies")
         default_roles = authorization.get("default_roles", [])
+        initial_policies = authorization.get("initial_policies", [])
+        initial_roles = authorization.get("initial_roles", [])
-        # Get scoped database from engine
-        db = engine.get_scoped_db(app_slug)
-        # Create enforcer
-        enforcer = await create_casbin_enforcer(
-            db=db,
-            model=model,
-            policies_collection=policies_collection,
-            default_roles=default_roles,
+        # Create enforcer with MongoDB connection info from engine
+        logger.debug(
+            f"Creating Casbin enforcer with URI: {engine.mongo_uri[:50]}..., "
+            f"db: {engine.db_name}"
         )
+        try:
+            enforcer = await create_casbin_enforcer(
+                mongo_uri=engine.mongo_uri,
+                db_name=engine.db_name,
+                model=model,
+                policies_collection=policies_collection,
+                default_roles=default_roles,
+            )
+            logger.debug("Casbin enforcer created successfully")
+        except (
+            RuntimeError,
+            ValueError,
+            AttributeError,
+            TypeError,
+            ConnectionError,
+            ImportError,
+        ):
+            logger.exception(f"Failed to create Casbin enforcer for '{app_slug}'")
+            return None
         # Create adapter
-        adapter = CasbinAdapter(enforcer)
+        try:
+            adapter = CasbinAdapter(enforcer)
+            logger.info("✅ CasbinAdapter created successfully")
+        except (RuntimeError, ValueError, AttributeError, TypeError):
+            logger.exception(f"Failed to create CasbinAdapter for '{app_slug}'")
+            return None
+        # Set up initial policies if configured
+        if initial_policies:
+            logger.info(f"Setting up {len(initial_policies)} initial policies...")
+            for policy in initial_policies:
+                if isinstance(policy, (list, tuple)) and len(policy) >= 3:
+                    role, resource, action = policy[0], policy[1], policy[2]
+                    try:
+                        # Check if policy already exists
+                        exists = await adapter.has_policy(role, resource, action)
+                        if exists:
+                            logger.debug(f"  Policy already exists: {role} -> {resource}:{action}")
+                        else:
+                            added = await adapter.add_policy(role, resource, action)
+                            if added:
+                                logger.debug(f"  Added policy: {role} -> {resource}:{action}")
+                            else:
+                                logger.warning(
+                                    f"  Failed to add policy: {role} -> " f"{resource}:{action}"
+                                )
+                    except (ValueError, TypeError, RuntimeError, AttributeError) as e:
+                        logger.warning(f"  Failed to add policy {policy}: {e}", exc_info=True)
+        # Set up initial role assignments if configured
+        # Disable auto_save during bulk operations for better performance
+        if initial_roles:
+            logger.info(f"Setting up {len(initial_roles)} initial role assignments...")
+            # Temporarily disable auto_save to avoid writing on every iteration
+            original_auto_save = getattr(enforcer, "auto_save", True)
+            try:
+                enforcer.auto_save = False
+                logger.debug("Disabled auto_save for bulk role assignment")
+            except AttributeError:
+                # Some enforcer implementations don't support auto_save attribute
+                logger.debug("auto_save attribute not available, proceeding with default behavior")
+            for role_assignment in initial_roles:
+                if isinstance(role_assignment, dict):
+                    user = role_assignment.get("user")
+                    role = role_assignment.get("role")
+                    if user and role:
+                        try:
+                            # Check if role assignment already exists
+                            exists = await adapter.has_role_for_user(user, role)
+                            logger.debug(
+                                f"  Checking role assignment: {user} -> {role}, " f"exists={exists}"
+                            )
+                            if exists:
+                                logger.info(f"  ✓ Role assignment already exists: {user} -> {role}")
+                            else:
+                                logger.info(f"  Adding role assignment: {user} -> {role}")
+                                # Use enforcer directly with add_grouping_policy
+                                added = await enforcer.add_grouping_policy(user, role)
+                                if added:
+                                    logger.info(
+                                        f"  ✓ Successfully assigned role '{role}' "
+                                        f"to user '{user}'"
+                                    )
+                                else:
+                                    logger.warning(
+                                        f"  ⚠ Failed to assign role '{role}' to "
+                                        f"user '{user}' - add_grouping_policy returned False"
+                                    )
+                        except (ValueError, TypeError, RuntimeError, AttributeError):
+                            logger.exception(f"  ✗ Exception assigning role {role_assignment}")
+            # Restore auto_save setting
+            if hasattr(enforcer, "auto_save"):
+                enforcer.auto_save = original_auto_save
+                logger.debug("Restored auto_save setting")
+        # Verify that policies and roles were set up correctly
+        if initial_policies:
+            verified = 0
+            for policy in initial_policies:
+                if isinstance(policy, (list, tuple)) and len(policy) >= 3:
+                    role, resource, action = policy[0], policy[1], policy[2]
+                    if await adapter.has_policy(role, resource, action):
+                        verified += 1
+            logger.info(f"Verified {verified}/{len(initial_policies)} policies exist in memory")
+        if initial_roles:
+            verified = 0
+            for role_assignment in initial_roles:
+                if isinstance(role_assignment, dict):
+                    user = role_assignment.get("user")
+                    role = role_assignment.get("role")
+                    if user and role and await adapter.has_role_for_user(user, role):
+                        verified += 1
+            logger.info(
+                f"Verified {verified}/{len(initial_roles)} role assignments " f"exist in memory"
+            )
+        # Save policies to persist them to database
+        # Only save if auto_save was disabled (to avoid double-saving)
+        if not getattr(enforcer, "auto_save", True):
+            saved = await adapter.save_policy()
+            if saved:
+                logger.debug("Policies saved to database successfully")
+            else:
+                logger.warning(
+                    "Failed to save policies to database - they may not " "persist across restarts"
+                )
+        else:
+            logger.debug(
+                "Skipping manual save_policy() - auto_save is enabled, "
+                "policies already persisted"
+            )
-        logger.info(f"Casbin provider initialized for app '{app_slug}'")
+        logger.info(f"✅ Casbin provider initialized for app '{app_slug}'")
+        logger.info(f"✅ CasbinAdapter ready for use - type: {type(adapter).__name__}")
         return adapter
     except ImportError as e:
+        # ImportError is expected if Casbin is not installed - use warning, not error
         logger.warning(
-            f"Casbin not available for app '{app_slug}': {e}. "
+            f"❌ Casbin not available for app '{app_slug}': {e}. "
             "Install with: pip install mdb-engine[casbin]"
         )
         return None
@@ -188,8 +385,10 @@ async def initialize_casbin_from_manifest(
         RuntimeError,
         KeyError,
     ) as e:
-        logger.error(
-            f"Error initializing Casbin provider for app '{app_slug}': {e}",
-            exc_info=True,
+        logger.exception(f"❌ Error initializing Casbin provider for app '{app_slug}': {e}")
+        # Informational message, not exception logging
+        logger.error(  # noqa: TRY400
+            f"❌ Casbin provider initialization FAILED for '{app_slug}' - "
+            "check logs above for detailed error information"
         )
         return None

mdb_engine/auth/dependencies.py CHANGED Viewed

@@ -41,15 +41,20 @@ def _get_secret_key() -> str:
     if _SECRET_KEY_CACHE is not None:
         return _SECRET_KEY_CACHE
-    secret_key = os.environ.get("FLASK_SECRET_KEY") or os.environ.get("SECRET_KEY")
+    secret_key = (
+        os.environ.get("FLASK_SECRET_KEY")
+        or os.environ.get("SECRET_KEY")
+        or os.environ.get("APP_SECRET_KEY")
+    )
     if not secret_key:
         raise ConfigurationError(
-            "FLASK_SECRET_KEY environment variable is required for JWT token security. "
-            "Set a strong secret key (minimum 32 characters, cryptographically random). "
-            "Example: export FLASK_SECRET_KEY=$(python -c "
+            "SECRET_KEY environment variable is required for JWT token security. "
+            "Set FLASK_SECRET_KEY, SECRET_KEY, or APP_SECRET_KEY with a strong secret key "
+            "(minimum 32 characters, cryptographically random). "
+            "Example: export SECRET_KEY=$(python -c "
             "'import secrets; print(secrets.token_urlsafe(32))')",
-            config_key="FLASK_SECRET_KEY",
+            config_key="SECRET_KEY",
         )
     if len(secret_key) < 32:

mdb_engine/auth/integration.py CHANGED Viewed

@@ -273,14 +273,30 @@ async def _setup_demo_users(app: FastAPI, engine, slug_id: str, config: Dict[str
                         if role_assignment.get("user") == user_email:
                             role = role_assignment.get("role")
                             resource = role_assignment.get("resource", "documents")
+                            # Check if provider is Casbin (uses email as subject for initial_roles)
+                            is_casbin = hasattr(app.state.authz_provider, "_enforcer")
                             try:
-                                await app.state.authz_provider.add_role_for_user(
-                                    user_email, role, resource
-                                )
-                                logger.info(
-                                    f"✅ Assigned role '{role}' on resource '{resource}' "
-                                    f"to demo user '{user_email}' for {slug_id}"
-                                )
+                                if is_casbin:
+                                    # For Casbin, use email as subject to match initial_roles format
+                                    # This ensures consistency with how initial_roles are set up
+                                    await app.state.authz_provider.add_role_for_user(
+                                        user_email, role
+                                    )
+                                    logger.info(
+                                        f"✅ Assigned Casbin role '{role}' "
+                                        f"to demo user '{user_email}' for {slug_id}"
+                                    )
+                                else:
+                                    # For OSO, use email, role, resource
+                                    await app.state.authz_provider.add_role_for_user(
+                                        user_email, role, resource
+                                    )
+                                    logger.info(
+                                        f"✅ Assigned role '{role}' on resource '{resource}' "
+                                        f"to demo user '{user_email}' for {slug_id}"
+                                    )
                             except (
                                 ValueError,
                                 TypeError,

mdb_engine/auth/oso_factory.py CHANGED Viewed

@@ -46,7 +46,7 @@ async def create_oso_cloud_client(
     # Import OSO Cloud SDK - the class is named "Oso"
     try:
-        from oso_cloud import Oso
+        from oso_cloud import Oso  # type: ignore
         logger.debug("✅ Imported Oso from oso_cloud")
     except ImportError as e:
@@ -212,7 +212,7 @@ async def initialize_oso_from_manifest(
             try:
                 import asyncio
-                from oso_cloud import Value
+                from oso_cloud import Value  # type: ignore
                 # Try a simple test authorization to verify connection
                 test_actor = Value("User", "test")

mdb-engine 0.1.7__py3-none-any.whl → 0.2.0__py3-none-any.whl

mdb-engine 0.1.7py3-none-any.whl → 0.2.0py3-none-any.whl