nlbone 0.6.9__py3-none-any.whl → 0.6.11__py3-none-any.whl

nlbone/adapters/auth/keycloak.py

@@ -1,9 +1,31 @@
+import functools
+from datetime import datetime, timezone
+from threading import RLock
+
+from cachetools import LRUCache
 from keycloak import KeycloakOpenID
 from keycloak.exceptions import KeycloakAuthenticationError
 
-from nlbone.config.settings import Settings, get_settings, is_production_env
+from nlbone.config.settings import Settings, get_settings
 from nlbone.core.ports.auth import AuthService
 
+_permissions_cache: LRUCache = LRUCache(maxsize=2048)
+_permissions_lock = RLock()
+
+
+def _now_ts() -> int:
+    return int(datetime.now(timezone.utc).timestamp())
+
+
+def _ttl_from_decoded(decoded: dict) -> int:
+    exp = int(decoded.get("exp", 0))
+    ttl = max(1, exp - _now_ts())
+    return ttl
+
+
+def _cache_key(sub: str | None, exp: int | None) -> tuple[str | None, int | None]:
+    return sub, exp
+
 
 class KeycloakAuthService(AuthService):
     def __init__(self, settings: Settings | None = None):
@@ -14,7 +36,7 @@ class KeycloakAuthService(AuthService):
             realm_name=s.KEYCLOAK_REALM_NAME,
             client_secret_key=s.KEYCLOAK_CLIENT_SECRET.get_secret_value().strip(),
         )
-        self.bypass = not is_production_env()
+        self.bypass = s.ENV != 'prod'
 
     def has_access(self, token, permissions):
         if self.bypass:
@@ -29,6 +51,49 @@ class KeycloakAuthService(AuthService):
             print(f"Token verification failed: {e}")
             return False
 
+    def _fetch_permissions_from_keycloak(self, token: str) -> tuple[list[str], dict]:
+        permissions = self.keycloak_openid.uma_permissions(token)
+        decoded_token = self.keycloak_openid.decode_token(token)
+        result: list[str] = []
+        for p in permissions or []:
+            rsname = p.get("rsname")
+            for s in p.get("scopes", []) or []:
+                result.append(f"{rsname}#{s}")
+        return result, decoded_token
+
+    def get_permissions(self, token: str) -> list[str]:
+        try:
+            decoded = self.keycloak_openid.decode_token(token)
+            sub = decoded.get("sub")
+            exp = decoded.get("exp")
+            key = _cache_key(sub, exp)
+
+            now = _now_ts()
+            with _permissions_lock:
+                entry = _permissions_cache.get(key)
+                if entry is not None:
+                    perms, exp_ts = entry
+                    if exp_ts > now:
+                        return perms
+                    _permissions_cache.pop(key, None)
+
+            perms, decoded2 = self._fetch_permissions_from_keycloak(token)
+            decoded_final = decoded2 or decoded
+            sub_f = decoded_final.get("sub")
+            exp_f = int(decoded_final.get("exp") or 0)
+            key_f = _cache_key(sub_f, exp_f)
+
+            with _permissions_lock:
+                _permissions_cache[key_f] = (perms, exp_f)
+
+            return perms
+
+        except KeycloakAuthenticationError:
+            return []
+        except Exception as e:
+            print(f"Getting permissions failed: {e}")
+            return []
+
     def verify_token(self, token: str) -> dict | None:
         try:
             result = self.keycloak_openid.introspect(token)
@@ -76,3 +141,8 @@ class KeycloakAuthService(AuthService):
         if not self.is_client_token(token, allowed_clients):
             return False
         return self.has_access(token, permissions)
+
+
+@functools.lru_cache(maxsize=1)
+def get_auth_service() -> KeycloakAuthService:
+    return KeycloakAuthService()

nlbone/adapters/db/postgres/query_builder.py

@@ -21,7 +21,7 @@ from sqlalchemy.sql.sqltypes import (
 from nlbone.interfaces.api.exceptions import UnprocessableEntityException
 from nlbone.interfaces.api.pagination import PaginateRequest, PaginateResponse
 
-NULL_SENTINELS = {"None", "null", ""}
+NULL_SENTINELS = ("None", "null", "")
 
 
 class _InvalidEnum(Exception):

nlbone/adapters/http_clients/uploadchi/uploadchi.py

@@ -35,11 +35,11 @@ def _filename_from_cd(cd: str | None, fallback: str) -> str:
 
 class UploadchiClient(FileServicePort):
     def __init__(
-        self,
-        token_provider: ClientTokenProvider | None = None,
-        base_url: Optional[str] = None,
-        timeout_seconds: Optional[float] = None,
-        client: httpx.Client | None = None,
+            self,
+            token_provider: ClientTokenProvider | None = None,
+            base_url: Optional[str] = None,
+            timeout_seconds: Optional[float] = None,
+            client: httpx.Client | None = None,
     ) -> None:
         s = get_settings()
         self._base_url = normalize_https_base(base_url or str(s.UPLOADCHI_BASE_URL))
@@ -51,7 +51,7 @@ class UploadchiClient(FileServicePort):
         self._client.close()
 
     def upload_file(
-        self, file_bytes: bytes, filename: str, params: dict[str, Any] | None = None, token: str | None = None
+            self, file_bytes: bytes, filename: str, params: dict[str, Any] | None = None, token: str | None = None
     ) -> dict:
         tok = _resolve_token(token)
         files = {"file": (filename, file_bytes)}
@@ -84,12 +84,12 @@ class UploadchiClient(FileServicePort):
             raise UploadchiError(r.status_code, r.text)
 
     def list_files(
-        self,
-        limit: int = 10,
-        offset: int = 0,
-        filters: dict[str, Any] | None = None,
-        sort: list[tuple[str, str]] | None = None,
-        token: str | None = None,
+            self,
+            limit: int = 10,
+            offset: int = 0,
+            filters: dict[str, Any] | None = None,
+            sort: list[tuple[str, str]] | None = None,
+            token: str | None = None,
     ) -> dict:
         tok = _resolve_token(token)
         q = build_list_query(limit, offset, filters, sort)
@@ -116,6 +116,7 @@ class UploadchiClient(FileServicePort):
 
     def delete_file(self, file_id: str, token: str | None = None) -> None:
         tok = _resolve_token(token)
-        r = self._client.delete(f"{self._base_url}/{file_id}", headers=auth_headers(tok))
+        r = self._client.delete(f"{self._base_url}/{file_id}",
+                                headers=auth_headers(tok or self._token_provider.get_access_token()))
         if r.status_code not in (204, 200):
             raise UploadchiError(r.status_code, r.text)

nlbone/adapters/percolation/connection.py

@@ -9,5 +9,6 @@ def get_es_client():
     es = Elasticsearch(
         setting.ELASTIC_PERCOLATE_URL,
         basic_auth=(setting.ELASTIC_PERCOLATE_USER, setting.ELASTIC_PERCOLATE_PASS.get_secret_value().strip()),
+        http_compress=True, max_retries=2, retry_on_timeout=True
     )
     return es

nlbone/core/ports/auth.py

@@ -8,3 +8,4 @@ class AuthService(Protocol):
     def get_client_token(self) -> dict | None: ...
     def is_client_token(self, token: str, allowed_clients: set[str] | None = None) -> bool: ...
     def client_has_access(self, token: str, perms: list[str], allowed_clients: set[str] | None = None) -> bool: ...
+    def get_permissions(self, token: str) -> list[str]: ...

nlbone/interfaces/api/dependencies/auth.py

@@ -1,6 +1,7 @@
 import functools
 
 from nlbone.adapters.auth import KeycloakAuthService
+from nlbone.adapters.auth.keycloak import get_auth_service
 from nlbone.interfaces.api.exceptions import ForbiddenException, UnauthorizedException
 from nlbone.utils.context import current_request
 
@@ -51,8 +52,10 @@ def has_access(*, permissions=None):
             request = current_request()
             if not current_user_id():
                 raise UnauthorizedException()
-            if not KeycloakAuthService().has_access(request.state.token, permissions=permissions):
-                raise ForbiddenException(f"Forbidden {permissions}")
+            user_permissions = get_auth_service().get_permissions(request.state.token)
+            for p in permissions or []:
+                if p not in user_permissions:
+                    raise ForbiddenException(f"Forbidden {permissions}")
 
             return func(*args, **kwargs)
 
@@ -79,9 +82,14 @@ def client_or_user_has_access(*, permissions=None, client_permissions=None):
             else:
                 if not current_user_id():
                     raise UnauthorizedException()
-                if not auth.has_access(token, permissions=permissions):
-                    raise ForbiddenException(f"Forbidden (user) {permissions}")
+
+                user_permissions = get_auth_service().get_permissions(request.state.token)
+                for p in permissions or []:
+                    if p not in user_permissions:
+                        raise ForbiddenException(f"Forbidden {permissions}")
 
             return func(*args, **kwargs)
+
         return wrapper
-    return decorator
+
+    return decorator

{nlbone-0.6.9.dist-info → nlbone-0.6.11.dist-info}/METADATA

@@ -1,12 +1,13 @@
 Metadata-Version: 2.4
 Name: nlbone
-Version: 0.6.9
+Version: 0.6.11
 Summary: Backbone package for interfaces and infrastructure in Python projects
 Author-email: Amir Hosein Kahkbazzadeh <a.khakbazzadeh@gmail.com>
 License: MIT
 License-File: LICENSE
 Requires-Python: >=3.10
 Requires-Dist: anyio>=4.0
+Requires-Dist: cachetools>=6.2.0
 Requires-Dist: dependency-injector>=4.48.1
 Requires-Dist: elasticsearch==8.14.0
 Requires-Dist: fastapi>=0.116

{nlbone-0.6.9.dist-info → nlbone-0.6.11.dist-info}/RECORD

@@ -3,7 +3,7 @@ nlbone/container.py,sha256=VPGkfQO0HS4SbQy2ja3HVKyuMjD94p5ZmDPSqYHGhNo,3317
 nlbone/types.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nlbone/adapters/__init__.py,sha256=NzUmk4XPyp3GJOw7VSE86xkQMZLtG3MrOoXLeoB551M,41
 nlbone/adapters/auth/__init__.py,sha256=hkDHvsFhw_UiOHG9ZSMqjiAhK4wumEforitveSZswVw,42
-nlbone/adapters/auth/keycloak.py,sha256=j5KWMXGZN4Sey34I-dbaHrPG37hAaDPs4Utcra6UgWY,2730
+nlbone/adapters/auth/keycloak.py,sha256=ZGWeq9by2onb440kNRm4BdcxnO7N1qDPmg8UUrXrUrQ,4924
 nlbone/adapters/auth/token_provider.py,sha256=vL2Hk6HXnBbpk40Tq1wpqak5QQ7KEQf3nRquT0N8V4Q,1433
 nlbone/adapters/cache/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nlbone/adapters/cache/async_redis.py,sha256=vvu5w4ANx0BVRHL95RAMGsD8CcaC-tSBMbCius2cuNc,6212
@@ -15,7 +15,7 @@ nlbone/adapters/db/postgres/__init__.py,sha256=6JYJH0xZs3aR-zuyMpRhsdzFugmqz8npr
 nlbone/adapters/db/postgres/audit.py,sha256=8f5XOuW7_ybJyy_STam1FNzqmZAAVAu7tmMRUkCGJOM,4594
 nlbone/adapters/db/postgres/base.py,sha256=kha9xmklzhuQAK8QEkNBn-mAHq8dUKbOM-3abaBpWmQ,71
 nlbone/adapters/db/postgres/engine.py,sha256=UCegauVB1gvo42ThytYnn5VIcQBwR-5xhcXYFApRFNk,3448
-nlbone/adapters/db/postgres/query_builder.py,sha256=rJ9J3vl0ikELwq5JujFn7jZYPmF6rM5wHTbIiUHOs1k,9381
+nlbone/adapters/db/postgres/query_builder.py,sha256=HVGtgWm0AtbjAtW3E3K9KVnJixcZWXMuk5uNqzZQJnQ,9381
 nlbone/adapters/db/postgres/repository.py,sha256=J_DBE73JhHPYCk90c5-O7lQtZbxDgqjjN9OcWy4Omvs,1660
 nlbone/adapters/db/postgres/schema.py,sha256=NlE7Rr8uXypsw4oWkdZhZwcIBHQEPIpoHLxcUo98i6s,1039
 nlbone/adapters/db/postgres/uow.py,sha256=nRxNpY-WoWHpym-XeZ8VHm0MYvtB9wuopOeNdV_ebk8,2088
@@ -25,13 +25,13 @@ nlbone/adapters/http_clients/__init__.py,sha256=w-Yr9CLuXMU71N0Ada5HbvP1DB53wqeP
 nlbone/adapters/http_clients/pricing/__init__.py,sha256=ElA9NFcAR9u4cqb_w3PPqKU3xGeyjNLQ8veJ0ql2iz0,81
 nlbone/adapters/http_clients/pricing/pricing_service.py,sha256=PDG6CbLg_SL-BsrhNwfyypywcuZIsEyj5mpQGSPH4e4,3300
 nlbone/adapters/http_clients/uploadchi/__init__.py,sha256=uBzEOuVtY22teWW2b36Pitkdk5yVdSqa6xbg22JfTNg,105
-nlbone/adapters/http_clients/uploadchi/uploadchi.py,sha256=ABFiH3bLsxFtB-4Si4SEedE2bMUVz5hWXGwD4RkV3ws,4816
+nlbone/adapters/http_clients/uploadchi/uploadchi.py,sha256=oOkjDA7MMGe7HNl7qgoPbeV_EI5PNIx1yidsxvnkhis,4939
 nlbone/adapters/http_clients/uploadchi/uploadchi_async.py,sha256=PQbVNeaYde5CmgT3vcnQoI1PGeSs9AxHlPFuB8biOmU,4717
 nlbone/adapters/messaging/__init__.py,sha256=UDAwu3s-JQmOZjWz2Nu0SgHhnkbeOhKDH_zLD75oWMY,40
 nlbone/adapters/messaging/event_bus.py,sha256=w-NPwDiPMLFPU_enRQCtfQXOALsXfg31u57R8sG_-1U,781
 nlbone/adapters/messaging/redis.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nlbone/adapters/percolation/__init__.py,sha256=0h1Bw7FzxgkDIHxeoyQXSfegrhP6VbpYV4QC8njYdRE,38
-nlbone/adapters/percolation/connection.py,sha256=yuqcboFLsd4FRfywfXatbe8NjVtzyEWHGOZ8OVmmQaI,333
+nlbone/adapters/percolation/connection.py,sha256=KUlYPFBXyjv_IEt8zgwdNKynl4VnzL7bp-hcll48Z2w,398
 nlbone/config/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nlbone/config/logging.py,sha256=Ot6Ctf7EQZlW8YNB-uBdleqI6wixn5fH0Eo6QRgNkQk,4358
 nlbone/config/settings.py,sha256=W3NHZP6yjIyyKiGWNkjlUt_RYFKkcIfMBoKih_z_0Bs,3911
@@ -47,7 +47,7 @@ nlbone/core/domain/base.py,sha256=5oUfbpaI8juJ28Api8J9IXOSm55VI2bp4QNhA0U8h2Y,12
 nlbone/core/domain/events.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nlbone/core/domain/models.py,sha256=Zn_rwtlzfjOEJZo6HS9M8UsMk-HpMJrHAKn05UA-u2k,1461
 nlbone/core/ports/__init__.py,sha256=gx-Ubj7h-1vvnu56sNnRqmer7HHfW3rX2WLl-0AX5U0,214
-nlbone/core/ports/auth.py,sha256=Gh0yQsxx2OD6pDH2_p-khsA-bVoypP1juuqMoSfjZUo,493
+nlbone/core/ports/auth.py,sha256=C-GmUqHNx4bAku6KbW_OTpPXCEfurBWWyDi9KxpTi9M,553
 nlbone/core/ports/cache.py,sha256=8pP_z4ta7PNNG8UiSrEF4xMZRm2wLPxISZvdPt7QnxQ,2351
 nlbone/core/ports/event_bus.py,sha256=_Om1GOOT-F325oV6_LJXtLdx4vu5i7KrpTDD3qPJXU0,325
 nlbone/core/ports/files.py,sha256=7Ov2ITYRpPwwDTZGCeNVISg8e3A9l08jbOgpTImgfK8,1863
@@ -62,7 +62,7 @@ nlbone/interfaces/api/routers.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hS
 nlbone/interfaces/api/schemas.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nlbone/interfaces/api/dependencies/__init__.py,sha256=rnYRrFVZCfICQrp_PVFlzNg3BeC57yM08wn2DbOHCfk,359
 nlbone/interfaces/api/dependencies/async_auth.py,sha256=bfxgBXhp29WqevjTG4jrdPNR-75APm4jKyHdOOtxnp4,1825
-nlbone/interfaces/api/dependencies/auth.py,sha256=Tp4_DjJ-7hHWiWdvPaD922DGdauuzDXl5aqALBtk-QM,2750
+nlbone/interfaces/api/dependencies/auth.py,sha256=D3D-UA2fMtEU-pSQNWk4cb3W74rXiz4a8u1reI7Wrkk,3001
 nlbone/interfaces/api/dependencies/db.py,sha256=-UD39J_86UU7ZJs2ZncpdND0yhAG0NeeeALrgSDuuFw,466
 nlbone/interfaces/api/dependencies/uow.py,sha256=QfLEvLYLNWZJQN1k-0q0hBVtUld3D75P4j39q_RjcnE,1181
 nlbone/interfaces/api/middleware/__init__.py,sha256=zbX2vaEAfxRMIYwO2MVY_2O6bqG5H9o7HqGpX14U3Is,158
@@ -84,8 +84,8 @@ nlbone/utils/context.py,sha256=MmclJ24BG2uvSTg1IK7J-Da9BhVFDQ5ag4Ggs2FF1_w,1600
 nlbone/utils/http.py,sha256=UXUoXgQdTRNT08ho8zl-C5ekfDsD8uf-JiMQ323ooqw,872
 nlbone/utils/redactor.py,sha256=-V4HrHmHwPi3Kez587Ek1uJlgK35qGSrwBOvcbw8Jas,1279
 nlbone/utils/time.py,sha256=DjjyQ9GLsfXoT6NK8RDW2rOlJg3e6sF04Jw6PBUrSvg,1268
-nlbone-0.6.9.dist-info/METADATA,sha256=uE-MksB9505zd0epl9bh3S7QmnanB2hvnoppyU_0mH4,2194
-nlbone-0.6.9.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-nlbone-0.6.9.dist-info/entry_points.txt,sha256=CpIL45t5nbhl1dGQPhfIIDfqqak3teK0SxPGBBr7YCk,59
-nlbone-0.6.9.dist-info/licenses/LICENSE,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-nlbone-0.6.9.dist-info/RECORD,,
+nlbone-0.6.11.dist-info/METADATA,sha256=_AtHFMQwxHiwO8I-RV-hNDm3ToQMmbuidYTkvvQPnmc,2228
+nlbone-0.6.11.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+nlbone-0.6.11.dist-info/entry_points.txt,sha256=CpIL45t5nbhl1dGQPhfIIDfqqak3teK0SxPGBBr7YCk,59
+nlbone-0.6.11.dist-info/licenses/LICENSE,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+nlbone-0.6.11.dist-info/RECORD,,