micosauth 0.1.0__py3-none-any.whl

micosauth/__init__.py

@@ -0,0 +1,21 @@
+from .provider import EmptyMicosAccessProvider, MicosAccessProvider
+from .service import MicosService
+from .setting import MicosDefaultsSetting, MicosRealmSetting, MicosRedisSetting, MicosSetting
+from .token_util import MicosTokenUtil
+from .utils.auth import MicosAuthUtil
+from .utils.auth_inner import MicosAuthInnerUtil
+from .utils.session import MicosSessionUtil
+
+__all__ = [
+    "MicosAccessProvider",
+    "EmptyMicosAccessProvider",
+    "MicosRedisSetting",
+    "MicosRealmSetting",
+    "MicosDefaultsSetting",
+    "MicosService",
+    "MicosSetting",
+    "MicosTokenUtil",
+    "MicosAuthUtil",
+    "MicosAuthInnerUtil",
+    "MicosSessionUtil",
+]

micosauth/_helpers.py

@@ -0,0 +1,30 @@
+from __future__ import annotations
+
+import secrets
+from datetime import datetime, timedelta, timezone
+from fnmatch import fnmatchcase
+
+
+def utc_now() -> datetime:
+    return datetime.now(timezone.utc)
+
+
+def expire_at(seconds: int) -> datetime:
+    return utc_now() + timedelta(seconds=max(1, int(seconds)))
+
+
+def random_token(length: int = 64) -> str:
+    if length <= 0:
+        length = 64
+    raw = secrets.token_hex((length + 1) // 2)
+    return raw[:length]
+
+
+def permission_matches(granted: str, required: str) -> bool:
+    """判断权限是否匹配，支持通配符。"""
+
+    granted_value = str(granted or "").strip()
+    required_value = str(required or "").strip()
+    if not granted_value or not required_value:
+        return False
+    return fnmatchcase(required_value, granted_value) or fnmatchcase(granted_value, required_value)

micosauth/adapters/__init__.py

@@ -0,0 +1 @@
+__all__ = []

micosauth/adapters/fastapi/__init__.py

@@ -0,0 +1,13 @@
+from .deps import require_login_dep, require_permissions_dep, require_roles_dep
+from .install import install_fastapi_auth
+from .lifespan import build_micosauth_lifespan
+from .middleware import MicosAuthMiddleware
+
+__all__ = [
+    "install_fastapi_auth",
+    "build_micosauth_lifespan",
+    "MicosAuthMiddleware",
+    "require_login_dep",
+    "require_permissions_dep",
+    "require_roles_dep",
+]

micosauth/adapters/fastapi/context.py

@@ -0,0 +1,54 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+from fastapi import HTTPException, Request, status
+
+from ...exceptions import MicosConfigError
+from ...service import MicosService
+from ...utils.auth import MicosAuthUtil
+from ...utils.session import MicosSessionUtil
+
+
+@dataclass(slots=True)
+class FastapiMicosContext:
+    service: MicosService
+    auth: MicosAuthUtil
+    session: MicosSessionUtil
+
+
+def get_micos_service(request: Request) -> MicosService:
+    service = getattr(request.app.state, "micos_service", None)
+    if service is None:
+        raise MicosConfigError("FastAPI app has no micos_service")
+    return service
+
+
+def get_micos_context(request: Request) -> FastapiMicosContext:
+    service = get_micos_service(request)
+    auth = getattr(request.app.state, "micos_auth", None)
+    session = getattr(request.app.state, "micos_session", None)
+    if auth is None or session is None:
+        raise MicosConfigError("FastAPI app has not initialized micosauth utilities")
+    return FastapiMicosContext(service=service, auth=auth, session=session)
+
+
+def get_current_realm_id(request: Request, explicit_realm_id: str | None = None) -> str:
+    if explicit_realm_id:
+        return explicit_realm_id
+    raise MicosConfigError("realm_id is required")
+
+
+def get_current_token(request: Request, realm_id: str | None = None) -> str:
+    resolved_realm_id = get_current_realm_id(request, realm_id)
+    realm = get_micos_service(request).get_realm(resolved_realm_id)
+    token = request.headers.get(realm.token_name) or request.cookies.get(realm.token_name)
+    return str(token or "")
+
+
+def unauthorized(detail: str = "未登录或令牌无效") -> HTTPException:
+    return HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=detail)
+
+
+def forbidden(detail: str = "无权限访问") -> HTTPException:
+    return HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=detail)

micosauth/adapters/fastapi/deps.py

@@ -0,0 +1,82 @@
+from __future__ import annotations
+
+from fastapi import Request
+
+from ...exceptions import MicosConfigError
+from ...exceptions import MicosAuthenticationError, MicosAuthorizationError
+from .context import get_current_realm_id, get_current_token, get_micos_context, unauthorized
+
+
+def require_login_dep(*, realm: str):
+    async def dependency(request: Request):
+        context = get_micos_context(request)
+        try:
+            resolved_realm_id = get_current_realm_id(request, realm)
+        except MicosConfigError as exc:
+            raise unauthorized(str(exc)) from exc
+        token = get_current_token(request, resolved_realm_id)
+        if not token:
+            raise unauthorized()
+        try:
+            result = await context.auth.require_login(token, resolved_realm_id)
+        except MicosAuthenticationError as exc:
+            raise unauthorized(str(exc) or "未登录或令牌无效") from exc
+        request.state.micos_token = token
+        request.state.micos_realm_id = result.realm_id
+        request.state.micos_login_id = result.login_id
+        request.state.micos_claims = result.claims
+        request.state.micos_session = result.session
+        request.state.micos_acl = result.acl
+        return result
+
+    return dependency
+
+
+def require_permissions_dep(permissions: list[str] | str, *, realm: str, mode: str = "AND"):
+    values = [permissions] if isinstance(permissions, str) else list(permissions)
+
+    async def dependency(request: Request):
+        context = get_micos_context(request)
+        try:
+            resolved_realm_id = get_current_realm_id(request, realm)
+        except MicosConfigError as exc:
+            raise unauthorized(str(exc)) from exc
+        token = get_current_token(request, resolved_realm_id)
+        if not token:
+            raise unauthorized()
+        try:
+            await context.auth.require_permissions(token, values, resolved_realm_id, mode)
+        except MicosAuthenticationError as exc:
+            raise unauthorized(str(exc) or "未登录或令牌无效") from exc
+        except MicosAuthorizationError as exc:
+            from .context import forbidden
+
+            raise forbidden(str(exc) or "无权限访问") from exc
+        return True
+
+    return dependency
+
+
+def require_roles_dep(roles: list[str] | str, *, realm: str, mode: str = "AND"):
+    values = [roles] if isinstance(roles, str) else list(roles)
+
+    async def dependency(request: Request):
+        context = get_micos_context(request)
+        try:
+            resolved_realm_id = get_current_realm_id(request, realm)
+        except MicosConfigError as exc:
+            raise unauthorized(str(exc)) from exc
+        token = get_current_token(request, resolved_realm_id)
+        if not token:
+            raise unauthorized()
+        try:
+            await context.auth.require_roles(token, values, resolved_realm_id, mode)
+        except MicosAuthenticationError as exc:
+            raise unauthorized(str(exc) or "未登录或令牌无效") from exc
+        except MicosAuthorizationError as exc:
+            from .context import forbidden
+
+            raise forbidden(str(exc) or "无权限访问") from exc
+        return True
+
+    return dependency

micosauth/adapters/fastapi/install.py

@@ -0,0 +1,12 @@
+from __future__ import annotations
+
+from ...utils.auth import MicosAuthUtil
+from ...utils.session import MicosSessionUtil
+from .middleware import MicosAuthMiddleware
+
+
+def install_fastapi_auth(app, service) -> None:
+    app.state.micos_service = service
+    app.state.micos_auth = MicosAuthUtil(service)
+    app.state.micos_session = MicosSessionUtil(service)
+    app.add_middleware(MicosAuthMiddleware)

micosauth/adapters/fastapi/lifespan.py

@@ -0,0 +1,21 @@
+from __future__ import annotations
+
+from contextlib import asynccontextmanager
+
+from ...utils.auth import MicosAuthUtil
+from ...utils.session import MicosSessionUtil
+
+
+def build_micosauth_lifespan(service):
+    @asynccontextmanager
+    async def lifespan(app):
+        app.state.micos_service = service
+        app.state.micos_auth = MicosAuthUtil(service)
+        app.state.micos_session = MicosSessionUtil(service)
+        await service.init()
+        try:
+            yield
+        finally:
+            await service.close()
+
+    return lifespan

micosauth/adapters/fastapi/middleware.py

@@ -0,0 +1,8 @@
+from __future__ import annotations
+
+from fastapi import Request
+from starlette.middleware.base import BaseHTTPMiddleware
+
+class MicosAuthMiddleware(BaseHTTPMiddleware):
+    async def dispatch(self, request: Request, call_next):
+        return await call_next(request)

micosauth/decorators/__init__.py

@@ -0,0 +1,9 @@
+from .check_login import require_login
+from .check_permission import require_permissions
+from .check_role import require_roles
+
+__all__ = [
+    "require_login",
+    "require_permissions",
+    "require_roles",
+]

micosauth/decorators/_support.py

@@ -0,0 +1,85 @@
+from __future__ import annotations
+
+import inspect
+from functools import wraps
+
+from fastapi import HTTPException, Request, status
+
+from ..exceptions import MicosAuthenticationError, MicosAuthorizationError
+
+
+def call_maybe_awaitable(fn, *args, **kwargs):
+    result = fn(*args, **kwargs)
+    if inspect.isawaitable(result):
+        return result
+    return result
+
+
+def get_token_from_call(args, kwargs) -> str:
+    token = kwargs.get("token")
+    if isinstance(token, str):
+        return token
+    request = kwargs.get("request")
+    if isinstance(request, Request):
+        return str(getattr(request.state, "micos_token", "") or "")
+    for arg in args:
+        if isinstance(arg, Request):
+            return str(getattr(arg.state, "micos_token", "") or "")
+        if isinstance(arg, str):
+            return arg
+    return ""
+
+
+def get_token_from_request_by_realm(args, kwargs, auth_util, realm: str) -> str:
+    request = kwargs.get("request")
+    if not isinstance(request, Request):
+        for arg in args:
+            if isinstance(arg, Request):
+                request = arg
+                break
+    if not isinstance(request, Request):
+        return ""
+    realm_model = auth_util.service.get_realm(realm)
+    token = request.headers.get(realm_model.token_name) or request.cookies.get(realm_model.token_name)
+    return str(token or "")
+
+
+def get_request_from_call(args, kwargs):
+    request = kwargs.get("request")
+    if isinstance(request, Request):
+        return request
+    for arg in args:
+        if isinstance(arg, Request):
+            return arg
+    return None
+
+
+def apply_auth_result_to_request(args, kwargs, token: str, result) -> None:
+    request = get_request_from_call(args, kwargs)
+    if not isinstance(request, Request) or result is None:
+        return
+    request.state.micos_token = token
+    request.state.micos_realm_id = result.realm_id
+    request.state.micos_login_id = result.login_id
+    request.state.micos_claims = result.claims
+    request.state.micos_session = result.session
+    request.state.micos_acl = result.acl
+
+
+def wraps_guard(func, checker):
+    @wraps(func)
+    async def wrapper(*args, **kwargs):
+        try:
+            await checker(*args, **kwargs)
+        except HTTPException:
+            raise
+        except MicosAuthenticationError as exc:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=str(exc) or "未登录或令牌无效") from exc
+        except MicosAuthorizationError as exc:
+            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=str(exc) or "无权限访问") from exc
+        result = call_maybe_awaitable(func, *args, **kwargs)
+        if inspect.isawaitable(result):
+            return await result
+        return result
+
+    return wrapper

micosauth/decorators/check_login.py

@@ -0,0 +1,19 @@
+from __future__ import annotations
+
+from ..exceptions import MicosConfigError
+from ._support import apply_auth_result_to_request, get_token_from_call, get_token_from_request_by_realm, wraps_guard
+
+
+def require_login(auth_util, *, realm: str):
+    if not realm:
+        raise MicosConfigError("realm is required")
+
+    def decorator(func):
+        async def checker(*args, **kwargs):
+            token = get_token_from_call(args, kwargs) or get_token_from_request_by_realm(args, kwargs, auth_util, realm)
+            result = await auth_util.require_login(token, realm)
+            apply_auth_result_to_request(args, kwargs, token, result)
+
+        return wraps_guard(func, checker)
+
+    return decorator

micosauth/decorators/check_permission.py

@@ -0,0 +1,26 @@
+from __future__ import annotations
+
+from ..exceptions import MicosConfigError
+from ._support import (
+    apply_auth_result_to_request,
+    get_token_from_call,
+    get_token_from_request_by_realm,
+    wraps_guard,
+)
+
+
+def require_permissions(auth_util, permissions: list[str] | str, *, realm: str, mode: str = "AND"):
+    if not realm:
+        raise MicosConfigError("realm is required")
+    values = [permissions] if isinstance(permissions, str) else list(permissions)
+
+    def decorator(func):
+        async def checker(*args, **kwargs):
+            token = get_token_from_call(args, kwargs) or get_token_from_request_by_realm(args, kwargs, auth_util, realm)
+            await auth_util.require_permissions(token, values, realm, mode)
+            result = await auth_util.require_login(token, realm)
+            apply_auth_result_to_request(args, kwargs, token, result)
+
+        return wraps_guard(func, checker)
+
+    return decorator

micosauth/decorators/check_role.py

@@ -0,0 +1,26 @@
+from __future__ import annotations
+
+from ..exceptions import MicosConfigError
+from ._support import (
+    apply_auth_result_to_request,
+    get_token_from_call,
+    get_token_from_request_by_realm,
+    wraps_guard,
+)
+
+
+def require_roles(auth_util, roles: list[str] | str, *, realm: str, mode: str = "AND"):
+    if not realm:
+        raise MicosConfigError("realm is required")
+    values = [roles] if isinstance(roles, str) else list(roles)
+
+    def decorator(func):
+        async def checker(*args, **kwargs):
+            token = get_token_from_call(args, kwargs) or get_token_from_request_by_realm(args, kwargs, auth_util, realm)
+            await auth_util.require_roles(token, values, realm, mode)
+            result = await auth_util.require_login(token, realm)
+            apply_auth_result_to_request(args, kwargs, token, result)
+
+        return wraps_guard(func, checker)
+
+    return decorator

micosauth/exceptions.py

@@ -0,0 +1,26 @@
+class MicosAuthError(Exception):
+    """micosauth 基础异常。"""
+
+
+class MicosConfigError(MicosAuthError):
+    """配置无效时抛出。"""
+
+
+class MicosRedisError(MicosAuthError):
+    """Redis 不可用或配置错误时抛出。"""
+
+
+class MicosRealmError(MicosAuthError):
+    """Realm 不存在或无效时抛出。"""
+
+
+class MicosTokenError(MicosAuthError):
+    """Token 无效时抛出。"""
+
+
+class MicosAuthenticationError(MicosAuthError):
+    """认证失败时抛出。"""
+
+
+class MicosAuthorizationError(MicosAuthError):
+    """鉴权失败时抛出。"""

micosauth/guards.py

@@ -0,0 +1,9 @@
+from .decorators.check_login import require_login
+from .decorators.check_permission import require_permissions
+from .decorators.check_role import require_roles
+
+__all__ = [
+    "require_login",
+    "require_permissions",
+    "require_roles",
+]

micosauth/models.py

@@ -0,0 +1,125 @@
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from datetime import datetime
+from typing import Any
+
+
+@dataclass(slots=True)
+class MicosAcl:
+    roles: list[str] = field(default_factory=list)
+    permissions: list[str] = field(default_factory=list)
+    data_scopes: list[str] = field(default_factory=list)
+    extra: dict[str, Any] = field(default_factory=dict)
+
+
+@dataclass(slots=True)
+class MicosRealm:
+    realm_id: str
+    token_name: str = "Authorization"
+    token_ttl_seconds: int = 2592000
+    temp_token_ttl_seconds: int = 300
+    allow_multi_device_login: bool = True
+    keep_old_token_on_same_device_login: bool = False
+    keep_old_token_on_new_device_login: bool = True
+    max_devices_per_login_id: int = 0
+    max_tokens_per_login_id: int = 0
+    max_tokens_per_device: int = 0
+
+
+@dataclass(slots=True)
+class MicosTokenClaims:
+    realm_id: str
+    login_id: str
+    device_id: str
+    token: str
+    issued_at: datetime
+    expires_at: datetime
+    last_access_at: datetime
+    extra: dict[str, Any] = field(default_factory=dict)
+
+
+@dataclass(slots=True)
+class MicosSessionRecord:
+    realm_id: str
+    login_id: str
+    token_count: int
+    device_count: int
+    last_login_at: datetime
+    last_access_at: datetime
+    extra: dict[str, Any] = field(default_factory=dict)
+
+
+@dataclass(slots=True)
+class MicosTokenRecord:
+    realm_id: str
+    login_id: str
+    device_id: str
+    token: str
+    issued_at: datetime
+    expires_at: datetime
+    last_access_at: datetime
+    extra: dict[str, Any] = field(default_factory=dict)
+
+
+@dataclass(slots=True)
+class MicosTempTokenRecord:
+    token: str
+    temp_id: str
+    token_type: str
+    realm_id: str
+    expires_at: datetime
+    extra: dict[str, Any] = field(default_factory=dict)
+
+
+@dataclass(slots=True)
+class MicosTokenInspectResult:
+    valid: bool
+    reason: str = ""
+    realm_id: str = ""
+    login_id: str = ""
+    device_id: str = ""
+    token: str = ""
+    claims: MicosTokenClaims | None = None
+    session: MicosSessionRecord | None = None
+    acl: MicosAcl | None = None
+
+
+@dataclass(slots=True)
+class MicosSessionAnalysis:
+    total_login_count: int = 0
+    total_token_count: int = 0
+    total_device_count: int = 0
+    one_hour_new_token_count: int = 0
+
+
+@dataclass(slots=True)
+class MicosSessionChartData:
+    days: list[str] = field(default_factory=list)
+    realm_series: dict[str, list[int]] = field(default_factory=dict)
+
+
+@dataclass(slots=True)
+class MicosRealmDistributionItem:
+    realm_id: str
+    login_count: int = 0
+    token_count: int = 0
+    device_count: int = 0
+
+
+@dataclass(slots=True)
+class MicosDeviceSessionSummary:
+    realm_id: str
+    login_id: str
+    device_id: str
+    token_count: int = 0
+    last_login_at: datetime | None = None
+    last_access_at: datetime | None = None
+
+
+@dataclass(slots=True)
+class MicosPageResult:
+    items: list[object] = field(default_factory=list)
+    total: int = 0
+    current: int = 1
+    size: int = 10

micosauth/provider.py

@@ -0,0 +1,31 @@
+from __future__ import annotations
+
+from typing import Any, Protocol
+
+
+class MicosAccessProvider(Protocol):
+    async def get_roles(self, realm_id: str, login_id: str) -> list[str]:
+        """获取角色列表。"""
+
+    async def get_permissions(self, realm_id: str, login_id: str) -> list[str]:
+        """获取权限列表。"""
+
+    async def get_data_scopes(self, realm_id: str, login_id: str) -> list[str]:
+        """获取数据范围列表。"""
+
+    async def get_extra(self, realm_id: str, login_id: str) -> dict[str, Any]:
+        """获取额外信息。"""
+
+
+class EmptyMicosAccessProvider:
+    async def get_roles(self, realm_id: str, login_id: str) -> list[str]:
+        return []
+
+    async def get_permissions(self, realm_id: str, login_id: str) -> list[str]:
+        return []
+
+    async def get_data_scopes(self, realm_id: str, login_id: str) -> list[str]:
+        return []
+
+    async def get_extra(self, realm_id: str, login_id: str) -> dict[str, Any]:
+        return {}