oxutils 0.1.12__py3-none-any.whl → 0.1.15__py3-none-any.whl

oxutils/oxiliere/middleware.py

@@ -1,10 +1,13 @@
 from django.conf import settings
+from django.core.exceptions import ObjectDoesNotExist
 from django.db import connection
 from django.http import Http404
 from django.urls import set_urlconf
 from django.utils.module_loading import import_string
 from django.utils.deprecation import MiddlewareMixin
 
+import structlog
+
 from django_tenants.utils import (
     get_public_schema_name,
     get_public_schema_urlconf,
@@ -23,6 +26,9 @@ from oxutils.oxiliere.context import set_current_tenant_schema_name
 
 
 
+logger = structlog.get_logger(__name__)
+
+
 
 class TenantMainMiddleware(MiddlewareMixin):
     TENANT_NOT_FOUND_EXCEPTION = Http404
@@ -44,6 +50,22 @@ class TenantMainMiddleware(MiddlewareMixin):
         """
         return tenant_model.objects.get(oxi_id=oxi_id)
 
+    def get_tenant_user(self, tenant, user, raise_exception=False):
+        """ Get tenant user by tenant and user.
+        """
+        if not tenant or not user:
+            if raise_exception:
+                raise ObjectDoesNotExist("tenant_user_not_found, tenant or user is None")
+            return None
+
+        try:
+            return tenant.users.select_related('user').get(user__pk=user.id)
+        except ObjectDoesNotExist:
+            logger.error("tenant_user_not_found", tenant_id=tenant.id, user_id=user.id)
+            if raise_exception:
+                raise ObjectDoesNotExist("tenant_user_not_found")
+            return None
+
     def process_request(self, request):
         # Connection needs first to be at the public schema, as this is where
         # the tenant metadata is stored.
@@ -51,42 +73,61 @@ class TenantMainMiddleware(MiddlewareMixin):
         connection.set_schema_to_public()
         
         oxi_id = self.get_org_id_from_request(request)
+        tenant_model = connection.tenant_model
 
         # Try to get tenant from cookie token first
         tenant_token = request.COOKIES.get(ORGANIZATION_TOKEN_COOKIE_KEY)
         tenant = None
+        old_tenant = None
         request._should_set_tenant_cookie = False
         
         if tenant_token:
             tenant = TokenTenant.for_token(tenant_token)
             # Verify the token's oxi_id matches the request
             if not is_system_tenant(tenant) and tenant.oxi_id != oxi_id:
+                logger.info("tenant_token_oxi_id_doesnt_match_request_oxi_id", tenant_oxi_id=tenant.oxi_id, request_oxi_id=oxi_id)
+                old_tenant = tenant
                 tenant = None
         
         # If no valid token, fetch from database
         if not tenant:
             if oxi_id: # fetch with oxi_id on tenant
-                tenant_model = connection.tenant_model
                 try:
                     tenant = self.get_tenant(tenant_model, oxi_id)
+                    tenant.user = self.get_tenant_user(tenant, request.user, raise_exception=True)
+
                     # Mark that we need to set the cookie in the response
                     request._should_set_tenant_cookie = True
-                except tenant_model.DoesNotExist:
+
+                    if old_tenant:
+                        logger.info("tenant_changed", old_tenant=old_tenant.oxi_id, new_tenant=tenant.oxi_id)
+                    
+                except ObjectDoesNotExist as ex:
+                    logger.error("tenant_not_found", oxi_id=oxi_id, error=str(ex))
                     default_tenant = self.no_tenant_found(request, oxi_id)
                     return default_tenant
             else: # try to return the system tenant
                 try:
                     from oxutils.oxiliere.caches import get_system_tenant
                     tenant = get_system_tenant()
+                    tenant.user = self.get_tenant_user(tenant, request.user, raise_exception=False)
                     request._should_set_tenant_cookie = True
                 except Exception as e:
+                    logger.error("system_tenant_not_found", error=str(e))
                     from django.http import HttpResponseBadRequest
                     return HttpResponseBadRequest('Missing X-Organization-ID header')
 
         if tenant.is_deleted or not tenant.is_active:
+            logger.error("tenant_is_deleted_or_inactive", oxi_id=oxi_id)
             return self.no_tenant_found(request, oxi_id)
 
-        request.tenant = tenant
+        if tenant and not isinstance(tenant, TokenTenant):
+            request.db_tenant = tenant
+        else:
+            request.db_tenant = None
+
+        request.tenant = TokenTenant.from_db(tenant)
+
         set_current_tenant_schema_name(tenant.schema_name)
         connection.set_tenant(request.tenant)
         self.setup_url_routing(request)
@@ -94,9 +135,9 @@ class TenantMainMiddleware(MiddlewareMixin):
     def process_response(self, request, response):
         """Set the tenant token cookie if needed."""
         if hasattr(request, '_should_set_tenant_cookie') and request._should_set_tenant_cookie:
-            if hasattr(request, 'tenant') and not isinstance(request.tenant, TokenTenant):
+            if hasattr(request, 'db_tenant') and isinstance(request.db_tenant, connection.tenant_model):
                 # Generate token from DB tenant
-                token = OrganizationAccessToken.for_tenant(request.tenant)
+                token = OrganizationAccessToken.for_tenant(request.db_tenant)
                 response.set_cookie(
                     key=ORGANIZATION_TOKEN_COOKIE_KEY,
                     value=str(token),

oxutils/oxiliere/permissions.py

@@ -1,81 +1,95 @@
+import structlog
+
 from ninja_extra.permissions import BasePermission
-from oxutils.oxiliere.utils import get_tenant_user_model
 from oxutils.constants import OXILIERE_SERVICE_TOKEN
 from oxutils.jwt.tokens import OxilierServiceToken
+from oxutils.jwt.models import TokenTenant
+
+
 
+logger = structlog.get_logger(__name__)
 
 
-class TenantPermission(BasePermission):
+
+
+class TenantBasePermission(BasePermission):
     """
     Vérifie que l'utilisateur a accès au tenant actuel.
     L'utilisateur doit être authentifié et avoir un lien avec le tenant.
     """
+    def check_tenant_permission(self, request) -> bool:
+        raise NotImplementedError("Subclasses must implement this method")
+
     def has_permission(self, request, **kwargs):
         if not request.user or not request.user.is_authenticated:
             return False
         
         if not hasattr(request, 'tenant'):
+            logger.warning('tenant_permission', type="tenant_not_found", user=request.user)
+            return False
+
+        if not isinstance(request.tenant, TokenTenant):
+            logger.warning(
+                'tenant_permission', 
+                type="tenant_is_not_token_tenant", 
+                tenant=request.tenant, 
+                user=request.user
+            )
             return False
-        
-        # Vérifier que l'utilisateur a accès à ce tenant
-        return get_tenant_user_model().objects.filter(
-            tenant__pk=request.tenant.pk,
-            user__pk=request.user.pk
-        ).exists()
 
+        return self.check_tenant_permission(request)
 
-class TenantOwnerPermission(BasePermission):
+
+class TenantUserPermission(TenantBasePermission):
     """
-    Vérifie que l'utilisateur est propriétaire (owner) du tenant actuel.
+    Vérifie que l'utilisateur est un membre du tenant actuel.
+    Alias de TenantPermission pour plus de clarté sémantique.
     """
-    def has_permission(self, request, **kwargs):
-        if not request.user or not request.user.is_authenticated:
-            return False
-        
-        if not hasattr(request, 'tenant'):
-            return False
+    def check_tenant_permission(self, request) -> bool:
+        tenant: TokenTenant = request.tenant
+
+        logger.info(
+            'tenant_permission', 
+            type="tenant_user_access_permission", 
+            tenant=tenant, user=request.user, 
+            passed=tenant.is_tenant_user
+        )
         
-        return get_tenant_user_model().objects.filter(
-            tenant__pk=request.tenant.pk,
-            user__pk=request.user.pk,
-            is_owner=True
-        ).exists()
+        return tenant.is_tenant_user
 
 
-class TenantAdminPermission(BasePermission):
+class TenantOwnerPermission(TenantBasePermission):
     """
-    Vérifie que l'utilisateur est admin ou owner du tenant actuel.
+    Vérifie que l'utilisateur est propriétaire (owner) du tenant actuel.
     """
-    def has_permission(self, request, **kwargs):
-        if not request.user or not request.user.is_authenticated:
-            return False
-        
-        if not hasattr(request, 'tenant'):
-            return False
+    def check_tenant_permission(self, request) -> bool:
+        tenant: TokenTenant = request.tenant
+
+        logger.info(
+            'tenant_permission', 
+            type="tenant_user_access_permission", 
+            tenant=tenant, user=request.user, 
+            passed=tenant.is_owner_user
+        )
         
-        return get_tenant_user_model().objects.filter(
-            tenant__pk=request.tenant.pk,
-            user__pk=request.user.pk,
-            is_admin=True
-        ).exists()
+        return tenant.is_owner_user
 
 
-class TenantUserPermission(BasePermission):
+class TenantAdminPermission(TenantBasePermission):
     """
-    Vérifie que l'utilisateur est un membre du tenant actuel.
-    Alias de TenantPermission pour plus de clarté sémantique.
+    Vérifie que l'utilisateur est admin ou owner du tenant actuel.
     """
-    def has_permission(self, request, **kwargs):
-        if not request.user or not request.user.is_authenticated:
-            return False
-        
-        if not hasattr(request, 'tenant'):
-            return False
+    def check_tenant_permission(self, request) -> bool:
+        tenant: TokenTenant = request.tenant
+
+        logger.info(
+            'tenant_permission', 
+            type="tenant_user_access_permission", 
+            tenant=tenant, user=request.user, 
+            passed=tenant.is_admin_user
+        )
         
-        return get_tenant_user_model().objects.filter(
-            tenant__pk=request.tenant.pk,
-            user__pk=request.user.pk
-        ).exists()
+        return tenant.is_admin_user
 
 
 class OxiliereServicePermission(BasePermission):
@@ -95,3 +109,10 @@ class OxiliereServicePermission(BasePermission):
             return True
         except Exception:
             return False
+
+
+
+IsTenantUser = TenantUserPermission()
+IsTenantOwner = TenantOwnerPermission()
+IsTenantAdmin = TenantAdminPermission()
+IsOxiliereService = OxiliereServicePermission()

oxutils/oxiliere/schemas.py

@@ -1,6 +1,9 @@
 from typing import Optional
 from uuid import UUID 
 from ninja import Schema
+from django.conf import settings
+from django.core.exceptions import ImproperlyConfigured
+from django.utils.module_loading import import_string
 from django.db import transaction
 from django.contrib.auth import get_user_model
 from django_tenants.utils import get_tenant_model
@@ -13,6 +16,18 @@ import structlog
 logger = structlog.get_logger(__name__)
 
 
+
+def get_tenant_schema() -> 'TenantSchema':
+    if hasattr(settings, 'OX_TENANT_SCHEMA'):
+        try:
+            return import_string(settings.OX_TENANT_SCHEMA)
+        except ImportError as e:
+            raise ImproperlyConfigured(
+                f"Error: OX_TENANT_SCHEMA import error: {settings.OX_TENANT_SCHEMA}, please check your settings"
+            ) from e
+    return TenantSchema
+
+
 class TenantSchema(Schema):
     name: str
     oxi_id: str
@@ -29,6 +44,22 @@ class TenantOwnerSchema(Schema):
     email: str
 
 
+class UserSchema(Schema):
+    oxi_id: UUID
+    first_name: Optional[str] = None
+    last_name: Optional[str] = None
+    email: str
+    is_active: bool
+    photo: Optional[str] = None
+
+
+class TenantUser(Schema):
+    user: UserSchema
+    is_owner: bool
+    is_admin: bool
+    status: str
+
+
 class CreateTenantSchema(Schema):
     tenant: TenantSchema
     owner: TenantOwnerSchema

oxutils/permissions/caches.py

@@ -7,13 +7,27 @@ CACHE_CHECK_PERMISSION = getattr(settings, 'CACHE_CHECK_PERMISSION', False)
 if CACHE_CHECK_PERMISSION:
     from cacheops import cached_as
     from .models import Grant
-    from .utils import check
+    from .utils import check, any_action_check, any_permission_check
 
-    @cached_as(Grant, timeout=60*5)
+    @cached_as(Grant, timeout=60*15)
     def cache_check(user, scope, actions, group = None, **context):
         return check(user, scope, actions, group, **context)
+    
+    @cached_as(Grant, timeout=60*15)
+    def cache_any_action_check(user, scope, required, group = None, **context):
+        return any_action_check(user, scope, required, group, **context)
+    
+    @cached_as(Grant, timeout=60*15)
+    def cache_any_permission_check(user, *str_perms):
+        return any_permission_check(user, *str_perms)
 else:
-    from .utils import check
+    from .utils import check, any_action_check, any_permission_check
 
     def cache_check(user, scope, actions, group = None, **context):
         return check(user, scope, actions, group, **context)
+    
+    def cache_any_action_check(user, scope, required, group = None, **context):
+        return any_action_check(user, scope, required, group, **context)
+    
+    def cache_any_permission_check(user, *str_perms):
+        return any_permission_check(user, *str_perms)

oxutils/permissions/perms.py

@@ -45,6 +45,112 @@ class ScopePermission(BasePermission):
         return str_check(request.user, self.perm, **self.ctx)
 
 
+class ScopeAnyPermission(BasePermission):
+    """
+    Permission class for checking if user has at least one of multiple permissions.
+    
+    Vérifie si l'utilisateur possède au moins une des permissions fournies.
+    Utilise any_permission_check pour une vérification optimisée en une seule requête.
+    
+    Example:
+        @api_controller('/articles', permissions=[
+            ScopeAnyPermission('articles:r', 'articles:w:staff', 'articles:d:admin')
+        ])
+        class ArticleController:
+            # User needs either read access, OR staff write access, OR admin delete access
+            pass
+    """
+
+    def __init__(self, *perms: str):
+        """
+        Initialize the permission checker with multiple permission strings.
+        
+        Args:
+            *perms: Variable number of permission strings in format "<scope>:<actions>:<group>?context"
+        """
+        if not perms:
+            raise ValueError("At least one permission string must be provided")
+        self.perms = perms
+
+    def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
+        """
+        Check if the user has at least one of the required permissions.
+        
+        Args:
+            request: HTTP request object
+            controller: Controller instance
+            
+        Returns:
+            True if user has at least one permission, False otherwise
+        """
+        from oxutils.permissions.caches import cache_any_permission_check
+        return cache_any_permission_check(request.user, *self.perms)
+
+
+class ScopeAnyActionPermission(BasePermission):
+    """
+    Permission class for checking if user has at least one of multiple actions on a scope.
+    
+    Vérifie si l'utilisateur possède au moins une des actions requises pour un scope donné.
+    La chaîne d'actions contient plusieurs actions dont au moins une est requise.
+    
+    Example:
+        @api_controller('/articles', permissions=[
+            ScopeAnyActionPermission('articles:rwd:staff')
+        ])
+        class ArticleController:
+            # User needs read OR write OR delete access on articles in staff group
+            pass
+            
+        @api_controller('/invoices', permissions=[
+            ScopeAnyActionPermission('invoices:rw?tenant_id=123')
+        ])
+        class InvoiceController:
+            # User needs read OR write access on invoices with tenant_id=123
+            pass
+    """
+
+    def __init__(self, perm: str, ctx: Optional[dict] = None):
+        """
+        Initialize the permission checker with a permission string.
+        
+        Args:
+            perm: Permission string in format "<scope>:<actions>:<group>?context"
+                  where actions contains multiple characters (e.g., 'rwd' for read OR write OR delete)
+            ctx: Optional additional context dict
+        """
+        if not perm:
+            raise ValueError("Permission string must be provided")
+        
+        self.perm = perm
+        self.ctx = ctx if ctx else dict()
+
+    def has_permission(self, request: HttpRequest, controller: ControllerBase) -> bool:
+        """
+        Check if the user has at least one of the required actions.
+        
+        Args:
+            request: HTTP request object
+            controller: Controller instance
+            
+        Returns:
+            True if user has at least one action, False otherwise
+        """
+        from oxutils.permissions.caches import cache_any_action_check
+        from oxutils.permissions.utils import parse_permission
+        
+        scope, actions, group, query_context = parse_permission(self.perm)
+        final_context = {**query_context, **self.ctx}
+        
+        return cache_any_action_check(
+            request.user,
+            scope,
+            actions,
+            group,
+            **final_context
+        )
+
+
 def access_manager(actions: str):
     """
     Factory function for creating ScopePermission instances for access manager.