nlbone 0.6.10__tar.gz → 0.6.12__tar.gz

{nlbone-0.6.10 → nlbone-0.6.12}/PKG-INFO

@@ -1,12 +1,13 @@
 Metadata-Version: 2.4
 Name: nlbone
-Version: 0.6.10
+Version: 0.6.12
 Summary: Backbone package for interfaces and infrastructure in Python projects
 Author-email: Amir Hosein Kahkbazzadeh <a.khakbazzadeh@gmail.com>
 License: MIT
 License-File: LICENSE
 Requires-Python: >=3.10
 Requires-Dist: anyio>=4.0
+Requires-Dist: cachetools>=6.2.0
 Requires-Dist: dependency-injector>=4.48.1
 Requires-Dist: elasticsearch==8.14.0
 Requires-Dist: fastapi>=0.116

{nlbone-0.6.10 → nlbone-0.6.12}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "nlbone"
-version = "0.6.10"
+version = "0.6.12"
 description = "Backbone package for interfaces and infrastructure in Python projects"
 readme = "README.md"
 requires-python = ">=3.10"
@@ -27,7 +27,8 @@ dependencies = [
     "redis~=6.4.0",
     "python-dateutil~=2.9.0.post0",
     "typer>=0.17.4",
-    "makefun>=1.16.0"
+    "makefun>=1.16.0",
+    "cachetools>=6.2.0",
 ]
 
 [tool.ruff]

{nlbone-0.6.10 → nlbone-0.6.12}/src/nlbone/adapters/auth/keycloak.py

@@ -1,9 +1,31 @@
+import functools
+from datetime import datetime, timezone
+from threading import RLock
+
+from cachetools import LRUCache
 from keycloak import KeycloakOpenID
 from keycloak.exceptions import KeycloakAuthenticationError
 
-from nlbone.config.settings import Settings, get_settings, is_production_env
+from nlbone.config.settings import Settings, get_settings
 from nlbone.core.ports.auth import AuthService
 
+_permissions_cache: LRUCache = LRUCache(maxsize=2048)
+_permissions_lock = RLock()
+
+
+def _now_ts() -> int:
+    return int(datetime.now(timezone.utc).timestamp())
+
+
+def _ttl_from_decoded(decoded: dict) -> int:
+    exp = int(decoded.get("exp", 0))
+    ttl = max(1, exp - _now_ts())
+    return ttl
+
+
+def _cache_key(sub: str | None, exp: int | None) -> tuple[str | None, int | None]:
+    return sub, exp
+
 
 class KeycloakAuthService(AuthService):
     def __init__(self, settings: Settings | None = None):
@@ -14,7 +36,7 @@ class KeycloakAuthService(AuthService):
             realm_name=s.KEYCLOAK_REALM_NAME,
             client_secret_key=s.KEYCLOAK_CLIENT_SECRET.get_secret_value().strip(),
         )
-        self.bypass = not is_production_env()
+        self.bypass = s.ENV != 'prod'
 
     def has_access(self, token, permissions):
         if self.bypass:
@@ -29,6 +51,49 @@ class KeycloakAuthService(AuthService):
             print(f"Token verification failed: {e}")
             return False
 
+    def _fetch_permissions_from_keycloak(self, token: str) -> tuple[list[str], dict]:
+        permissions = self.keycloak_openid.uma_permissions(token)
+        decoded_token = self.keycloak_openid.decode_token(token)
+        result: list[str] = []
+        for p in permissions or []:
+            rsname = p.get("rsname")
+            for s in p.get("scopes", []) or []:
+                result.append(f"{rsname}#{s}")
+        return result, decoded_token
+
+    def get_permissions(self, token: str) -> list[str]:
+        try:
+            decoded = self.keycloak_openid.decode_token(token)
+            sub = decoded.get("sub")
+            exp = decoded.get("exp")
+            key = _cache_key(sub, exp)
+
+            now = _now_ts()
+            with _permissions_lock:
+                entry = _permissions_cache.get(key)
+                if entry is not None:
+                    perms, exp_ts = entry
+                    if exp_ts > now:
+                        return perms
+                    _permissions_cache.pop(key, None)
+
+            perms, decoded2 = self._fetch_permissions_from_keycloak(token)
+            decoded_final = decoded2 or decoded
+            sub_f = decoded_final.get("sub")
+            exp_f = int(decoded_final.get("exp") or 0)
+            key_f = _cache_key(sub_f, exp_f)
+
+            with _permissions_lock:
+                _permissions_cache[key_f] = (perms, exp_f)
+
+            return perms
+
+        except KeycloakAuthenticationError:
+            return []
+        except Exception as e:
+            print(f"Getting permissions failed: {e}")
+            return []
+
     def verify_token(self, token: str) -> dict | None:
         try:
             result = self.keycloak_openid.introspect(token)
@@ -76,3 +141,8 @@ class KeycloakAuthService(AuthService):
         if not self.is_client_token(token, allowed_clients):
             return False
         return self.has_access(token, permissions)
+
+
+@functools.lru_cache(maxsize=1)
+def get_auth_service() -> KeycloakAuthService:
+    return KeycloakAuthService()

{nlbone-0.6.10 → nlbone-0.6.12}/src/nlbone/adapters/db/postgres/query_builder.py

@@ -28,6 +28,50 @@ class _InvalidEnum(Exception):
     pass
 
 
+from sqlalchemy.orm import aliased
+from sqlalchemy.inspection import inspect
+from sqlalchemy.orm.attributes import InstrumentedAttribute
+from sqlalchemy.orm.relationships import RelationshipProperty
+
+
+def _resolve_column_and_joins(entity, query, field_path: str, join_cache: dict[str, Any]):
+    parts = [p for p in field_path.split(".") if p]
+    if not parts:
+        return None, query
+
+    current_cls_or_alias = entity
+    current_path_key_parts: list[str] = []
+
+    for i, part in enumerate(parts):
+        current_path_key_parts.append(part)
+        path_key = ".".join(current_path_key_parts)
+
+        if not hasattr(current_cls_or_alias, part):
+            return None, query
+
+        attr = getattr(current_cls_or_alias, part)
+
+        prop = getattr(attr, "property", None)
+        if isinstance(prop, RelationshipProperty):
+            alias = join_cache.get(path_key)
+            if alias is None:
+                alias = aliased(prop.mapper.class_)
+                query = query.outerjoin(alias, attr)
+                join_cache[path_key] = alias
+            current_cls_or_alias = alias
+            continue
+
+        if isinstance(attr, InstrumentedAttribute):
+            if i == len(parts) - 1:
+                return attr, query
+            else:
+                return None, query
+
+        return None, query
+
+    return None, query
+
+
 def _apply_order(pagination: PaginateRequest, entity, query):
     order_clauses = []
 
@@ -112,6 +156,7 @@ def _apply_filters(pagination, entity, query):
         return query
 
     predicates = []
+    join_cache: dict[str, Any] = {}
 
     if getattr(pagination, "filters", None):
         for raw_field, value in pagination.filters.items():
@@ -120,10 +165,10 @@ def _apply_filters(pagination, entity, query):
 
             field, op_hint = _parse_field_and_op(raw_field)
 
-            if not hasattr(entity, field):
+            col, query2 = _resolve_column_and_joins(entity, query, field, join_cache)
+            if col is None:
                 continue
-
-            col = getattr(entity, field)
+            query = query2
             coltype = getattr(col, "type", None)
 
             def coerce(v):
@@ -259,13 +304,13 @@ def _serialize_item(item: Any, output_cls: OutputType) -> Any:
 
 
 def get_paginated_response(
-    pagination,
-    entity,
-    session: Session,
-    *,
-    with_count: bool = True,
-    output_cls: Optional[Type] = None,
-    eager_options: Optional[Sequence[LoaderOption]] = None,
+        pagination,
+        entity,
+        session: Session,
+        *,
+        with_count: bool = True,
+        output_cls: Optional[Type] = None,
+        eager_options: Optional[Sequence[LoaderOption]] = None,
 ) -> dict:
     query = session.query(entity)
     if eager_options:

{nlbone-0.6.10 → nlbone-0.6.12}/src/nlbone/adapters/http_clients/uploadchi/uploadchi.py

@@ -35,11 +35,11 @@ def _filename_from_cd(cd: str | None, fallback: str) -> str:
 
 class UploadchiClient(FileServicePort):
     def __init__(
-        self,
-        token_provider: ClientTokenProvider | None = None,
-        base_url: Optional[str] = None,
-        timeout_seconds: Optional[float] = None,
-        client: httpx.Client | None = None,
+            self,
+            token_provider: ClientTokenProvider | None = None,
+            base_url: Optional[str] = None,
+            timeout_seconds: Optional[float] = None,
+            client: httpx.Client | None = None,
     ) -> None:
         s = get_settings()
         self._base_url = normalize_https_base(base_url or str(s.UPLOADCHI_BASE_URL))
@@ -51,7 +51,7 @@ class UploadchiClient(FileServicePort):
         self._client.close()
 
     def upload_file(
-        self, file_bytes: bytes, filename: str, params: dict[str, Any] | None = None, token: str | None = None
+            self, file_bytes: bytes, filename: str, params: dict[str, Any] | None = None, token: str | None = None
     ) -> dict:
         tok = _resolve_token(token)
         files = {"file": (filename, file_bytes)}
@@ -84,12 +84,12 @@ class UploadchiClient(FileServicePort):
             raise UploadchiError(r.status_code, r.text)
 
     def list_files(
-        self,
-        limit: int = 10,
-        offset: int = 0,
-        filters: dict[str, Any] | None = None,
-        sort: list[tuple[str, str]] | None = None,
-        token: str | None = None,
+            self,
+            limit: int = 10,
+            offset: int = 0,
+            filters: dict[str, Any] | None = None,
+            sort: list[tuple[str, str]] | None = None,
+            token: str | None = None,
     ) -> dict:
         tok = _resolve_token(token)
         q = build_list_query(limit, offset, filters, sort)
@@ -116,6 +116,7 @@ class UploadchiClient(FileServicePort):
 
     def delete_file(self, file_id: str, token: str | None = None) -> None:
         tok = _resolve_token(token)
-        r = self._client.delete(f"{self._base_url}/{file_id}", headers=auth_headers(tok))
+        r = self._client.delete(f"{self._base_url}/{file_id}",
+                                headers=auth_headers(tok or self._token_provider.get_access_token()))
         if r.status_code not in (204, 200):
             raise UploadchiError(r.status_code, r.text)

{nlbone-0.6.10 → nlbone-0.6.12}/src/nlbone/adapters/percolation/connection.py

@@ -9,5 +9,6 @@ def get_es_client():
     es = Elasticsearch(
         setting.ELASTIC_PERCOLATE_URL,
         basic_auth=(setting.ELASTIC_PERCOLATE_USER, setting.ELASTIC_PERCOLATE_PASS.get_secret_value().strip()),
+        http_compress=True, max_retries=2, retry_on_timeout=True
     )
     return es

{nlbone-0.6.10 → nlbone-0.6.12}/src/nlbone/core/ports/auth.py

@@ -8,3 +8,4 @@ class AuthService(Protocol):
     def get_client_token(self) -> dict | None: ...
     def is_client_token(self, token: str, allowed_clients: set[str] | None = None) -> bool: ...
     def client_has_access(self, token: str, perms: list[str], allowed_clients: set[str] | None = None) -> bool: ...
+    def get_permissions(self, token: str) -> list[str]: ...

{nlbone-0.6.10 → nlbone-0.6.12}/src/nlbone/interfaces/api/dependencies/auth.py

@@ -1,6 +1,7 @@
 import functools
 
 from nlbone.adapters.auth import KeycloakAuthService
+from nlbone.adapters.auth.keycloak import get_auth_service
 from nlbone.interfaces.api.exceptions import ForbiddenException, UnauthorizedException
 from nlbone.utils.context import current_request
 
@@ -51,8 +52,10 @@ def has_access(*, permissions=None):
             request = current_request()
             if not current_user_id():
                 raise UnauthorizedException()
-            if not KeycloakAuthService().has_access(request.state.token, permissions=permissions):
-                raise ForbiddenException(f"Forbidden {permissions}")
+            user_permissions = get_auth_service().get_permissions(request.state.token)
+            for p in permissions or []:
+                if p not in user_permissions:
+                    raise ForbiddenException(f"Forbidden {permissions}")
 
             return func(*args, **kwargs)
 
@@ -79,9 +82,14 @@ def client_or_user_has_access(*, permissions=None, client_permissions=None):
             else:
                 if not current_user_id():
                     raise UnauthorizedException()
-                if not auth.has_access(token, permissions=permissions):
-                    raise ForbiddenException(f"Forbidden (user) {permissions}")
+
+                user_permissions = get_auth_service().get_permissions(request.state.token)
+                for p in permissions or []:
+                    if p not in user_permissions:
+                        raise ForbiddenException(f"Forbidden {permissions}")
 
             return func(*args, **kwargs)
+
         return wrapper
-    return decorator
+
+    return decorator