oxutils 0.1.5__py3-none-any.whl → 0.1.12__py3-none-any.whl

oxutils/__init__.py

@@ -2,15 +2,15 @@
 
 This package provides:
 - JWT authentication with JWKS support
-- S3 storage backends (static, media, private, logs)
 - Structured logging with correlation IDs
 - Audit system with S3 export
 - Celery integration
 - Django model mixins
 - Custom exceptions
+- Permission management
 """
 
-__version__ = "0.1.5"
+__version__ = "0.1.12"
 
 from oxutils.settings import oxi_settings
 from oxutils.conf import UTILS_APPS, AUDIT_MIDDLEWARE

oxutils/audit/migrations/0001_initial.py

@@ -2,7 +2,7 @@
 
 import django.db.models.deletion
 import oxutils.enums.audit
-import oxutils.s3.storages
+from oxutils.logger import get_log_storage
 from django.db import migrations, models
 
 
@@ -22,7 +22,7 @@ class Migration(migrations.Migration):
                 ('updated_at', models.DateTimeField(auto_now=True, help_text='Date and time when this record was last updated')),
                 ('last_export_date', models.DateTimeField(null=True)),
                 ('status', models.CharField(choices=[(oxutils.enums.audit.ExportStatus['FAILED'], 'Failed'), (oxutils.enums.audit.ExportStatus['PENDING'], 'Pending'), (oxutils.enums.audit.ExportStatus['SUCCESS'], 'Success')], default=oxutils.enums.audit.ExportStatus['PENDING'])),
-                ('data', models.FileField(storage=oxutils.s3.storages.LogStorage(), upload_to='')),
+                ('data', models.FileField(storage=get_log_storage, upload_to='')),
                 ('size', models.BigIntegerField()),
             ],
             options={

oxutils/audit/models.py

@@ -3,7 +3,7 @@ from django.utils import timezone
 from django.db import models, transaction
 from oxutils.enums.audit import ExportStatus
 from oxutils.models.base import TimestampMixin
-from oxutils.s3.storages import LogStorage
+from oxutils.logger import get_log_storage
 
 
 
@@ -38,7 +38,7 @@ class LogExportState(TimestampMixin):
             (ExportStatus.SUCCESS, _('Success'))
         )
     )
-    data = models.FileField(storage=LogStorage())
+    data = models.FileField(storage=get_log_storage)
     size = models.BigIntegerField()
 
     @classmethod

oxutils/constants.py

@@ -1,2 +1,8 @@
 ORGANIZATION_QUERY_KEY = 'organization_id'
 ORGANIZATION_HEADER_KEY = 'X-Organization-ID'
+ORGANIZATION_TOKEN_COOKIE_KEY = 'organization_token'
+OXILIERE_SERVICE_TOKEN = 'X-Oxiliere-Token'
+
+REFRESH_TOKEN_COOKIE = 'refresh_token'
+ACCESS_TOKEN_COOKIE = 'access_token'
+

oxutils/jwt/auth.py

@@ -1,11 +1,33 @@
 import os
-from typing import Dict, Any, Optional
+from typing import Dict, Any, Optional, Type, Tuple, List
+from django.utils.translation import gettext_lazy as _
+from django.http import HttpRequest
+from django.contrib.auth.models import AbstractUser
+from django.contrib.auth import (
+    authenticate as django_authenticate,
+    login as django_login,
+    get_user_model
+)
 from jwcrypto import jwk
 from django.core.exceptions import ImproperlyConfigured
+
+from ninja.security.base import AuthBase
+from ninja_jwt.authentication import (
+    JWTBaseAuthentication,
+    JWTStatelessUserAuthentication
+)
+from ninja.security import (
+    APIKeyCookie,
+    HttpBasicAuth,
+)
+from ninja_jwt.exceptions import InvalidToken
+from ninja_jwt.settings import api_settings
+from oxutils.constants import ACCESS_TOKEN_COOKIE
 from oxutils.settings import oxi_settings
 
 
 
+
 _public_jwk_cache: Optional[jwk.JWK] = None
 
 
@@ -53,3 +75,130 @@ def clear_jwk_cache() -> None:
     """Clear the cached JWK. Useful for testing or key rotation."""
     global _public_jwk_cache
     _public_jwk_cache = None
+
+
+class AuthMixin:
+    def jwt_authenticate(self, request: HttpRequest, token: str) -> AbstractUser:
+        """
+        Add token_user to the request object, witch will be erased by the jwt_allauth.utils.popolate_user
+        function.
+        """
+        token_user = super().jwt_authenticate(request, token)
+        request.token_user = token_user
+        return token_user
+
+
+class JWTAuth(AuthMixin, JWTStatelessUserAuthentication):
+    pass
+
+
+class JWTCookieAuth(AuthMixin, JWTBaseAuthentication, APIKeyCookie):
+    """
+    An authentication plugin that authenticates requests through a JSON web
+    token provided in a request header without performing a database lookup to obtain a user instance.
+    """
+
+    param_name = ACCESS_TOKEN_COOKIE
+
+    def authenticate(self, request: HttpRequest, token: str) -> Any:
+        return self.jwt_authenticate(request, token)
+
+    def get_user(self, validated_token: Any) -> Type[AbstractUser]:
+        """
+        Returns a stateless user object which is backed by the given validated
+        token.
+        """
+        if api_settings.USER_ID_CLAIM not in validated_token:
+            # The TokenUser class assumes tokens will have a recognizable user
+            # identifier claim.
+            raise InvalidToken(_("Token contained no recognizable user identification"))
+
+        return api_settings.TOKEN_USER_CLASS(validated_token)
+
+
+def authenticate_by_x_session_token(token: str) -> Optional[Tuple]:
+    """
+    Copied from allauth.headless.internal.sessionkit, to "select_related"
+    """
+    from allauth.headless import app_settings
+
+
+    session = app_settings.TOKEN_STRATEGY.lookup_session(token)
+    if not session:
+        return None
+    user_id_str = session.get(SESSION_KEY)
+    if user_id_str:
+        meta_pk = get_user_model()._meta.pk
+        if meta_pk:
+            user_id = meta_pk.to_python(user_id_str)
+            user = get_user_model().objects.filter(pk=user_id).first()
+            if user and user.is_active:
+                return (user, session)
+    return None
+
+
+class XSessionTokenAuth(AuthBase):
+    """
+    This security class uses the X-Session-Token that django-allauth
+    is using for authentication purposes.
+    """
+
+    openapi_type: str = "apiKey"
+
+    def __call__(self, request: HttpRequest):
+        token = self.get_session_token(request)
+        if token:
+            user_session = authenticate_by_x_session_token(token)
+            if user_session:
+                return user_session[0]
+        return None
+
+    def get_session_token(self, request: HttpRequest) -> Optional[str]:
+        """
+        Returns the session token for the given request, by looking up the
+        ``X-Session-Token`` header. Override this if you want to extract the token
+        from e.g. the ``Authorization`` header.
+        """
+        if request.session.session_key:
+            return request.session.session_key
+        
+        return request.headers.get("X-Session-Token")
+
+
+class BasicAuth(HttpBasicAuth):
+    def authenticate(self, request: HttpRequest, username: str, password: str) -> Optional[Any]:
+        user = django_authenticate(email=username, password=password)
+        if user and user.is_active:
+            django_login(request, user)
+            return user
+        return None
+
+
+class BasicNoPasswordAuth(HttpBasicAuth):
+    def authenticate(self, request: HttpRequest, username: str, password: str) -> Optional[Any]:
+        try:
+            user = get_user_model().objects.get(email=username)
+            if user and user.is_active:
+                django_login(request, user)
+                return user
+            return None
+        except Exception as e:
+            return None
+
+x_session_token_auth = XSessionTokenAuth()
+basic_auth = BasicAuth()
+basic_no_password_auth = BasicNoPasswordAuth()
+jwt_auth = JWTAuth()
+jwt_cookie_auth = JWTCookieAuth()
+
+
+
+
+def get_auth_handlers(auths: List[AuthBase] = []) -> List[AuthBase]:
+    """Auth handler switcher based on settings.DEBUG"""
+    from django.conf import settings
+
+    if settings.DEBUG:
+        return auths
+
+    return [jwt_auth, jwt_cookie_auth]

oxutils/jwt/models.py

@@ -0,0 +1,81 @@
+from uuid import UUID
+from django.utils.functional import cached_property
+from ninja_jwt.models import TokenUser as DefaultTonkenUser
+from ninja_jwt.settings import api_settings
+
+import structlog
+from .tokens import OrganizationAccessToken
+
+
+
+logger = structlog.get_logger(__name__)
+
+
+class TokenTenant:
+
+    def __init__(
+        self,
+        schema_name: str,
+        tenant_id: int,
+        oxi_id: str,
+        subscription_plan: str,
+        subscription_status: str,
+        status: str,
+        ):
+        self.schema_name = schema_name
+        self.id = tenant_id
+        self.oxi_id = oxi_id
+        self.subscription_plan = subscription_plan
+        self.subscription_status = subscription_status
+        self.status = status
+
+    def __str__(self):
+        return f"{self.schema_name} - {self.oxi_id}"
+
+    @property
+    def pk(self):
+        return self.id
+
+    @property
+    def is_active(self):
+        return self.status == 'active'
+
+    @property
+    def is_deleted(self):
+        return self.status == 'deleted'
+
+    @classmethod
+    def for_token(cls, token):
+        try:
+            token_obj = OrganizationAccessToken(token=token)
+            tenant = cls(
+                schema_name=token_obj['schema_name'],
+                tenant_id=token_obj['tenant_id'],
+                oxi_id=token_obj['oxi_id'],
+                subscription_plan=token_obj['subscription_plan'],
+                subscription_status=token_obj['subscription_status'],
+                status=token_obj['status'],
+            )
+            return tenant
+        except Exception:
+            logger.exception('Failed to create TokenTenant from token', token=token)
+            return None
+
+
+class TokenUser(DefaultTonkenUser):
+    @cached_property
+    def id(self):
+        return UUID(self.token[api_settings.USER_ID_CLAIM])
+
+    @property
+    def oxi_id(self):
+        # for compatibility with the User model
+        return self.id
+
+    @cached_property
+    def token_created_at(self):
+        return self.token.get('cat', None)
+
+    @cached_property
+    def token_session(self):
+        return self.token.get('session', None)

oxutils/jwt/tokens.py

@@ -0,0 +1,69 @@
+from django.conf import settings
+from ninja_jwt.tokens import Token, AccessToken
+from ninja_jwt.backends import TokenBackend
+from ninja_jwt.settings import api_settings
+from datetime import timedelta
+from oxutils.settings import oxi_settings
+
+
+
+
+__all__ = [
+    'AccessToken',
+    'OrganizationAccessToken',
+]
+
+
+
+token_backend = TokenBackend(
+    algorithm='HS256',
+    signing_key=settings.SECRET_KEY,
+    verifying_key="",
+    audience=None,
+    issuer=None,
+    jwk_url=None,
+    leeway=api_settings.LEEWAY,
+    json_encoder=api_settings.JSON_ENCODER,
+)
+
+
+
+class OxilierServiceToken(Token):
+    token_type = oxi_settings.jwt_service_token_key
+    lifetime = timedelta(minutes=oxi_settings.jwt_service_token_lifetime)
+
+
+    @classmethod
+    def for_service(cls, payload: dict = {}) -> Token:
+        token = cls()
+
+        for key, value in payload.items():
+            token[key] = value
+
+        return token
+
+
+class OrganizationAccessToken(Token):
+    token_type = oxi_settings.jwt_org_access_token_key
+    lifetime = timedelta(minutes=oxi_settings.jwt_org_access_token_lifetime)
+
+    @classmethod
+    def for_tenant(cls, tenant) -> Token:
+        token = cls()
+        token.payload['tenant_id'] = str(tenant.id)
+        token.payload['oxi_id'] = str(tenant.oxi_id)
+        token.payload['schema_name'] = str(tenant.schema_name)
+        token.payload['subscription_plan'] = str(tenant.subscription_plan)
+        token.payload['subscription_status'] = str(tenant.subscription_status)
+        token.payload['subscription_end_date'] = str(tenant.subscription_end_date)
+        token.payload['status'] = str(tenant.status)
+
+        return token
+
+    @property
+    def token_backend(self):
+        return token_backend
+
+    def get_token_backend(self):
+        # Backward compatibility.
+        return self.token_backend

oxutils/jwt/utils.py

@@ -0,0 +1,45 @@
+from functools import wraps
+import structlog
+from django.contrib.auth import get_user_model
+from django.http import HttpRequest
+
+from ninja_jwt.exceptions import InvalidToken
+
+
+
+logger = structlog.getLogger("django")
+User = get_user_model()
+
+
+def load_user(f):
+    """
+    Decorator that loads the complete user object from the database for stateless JWT authentication.
+    This is necessary because JWT tokens only contain the user ID, and the full user object
+    might be needed in the view methods.
+
+    Usage:
+
+    .. code-block:: python
+
+        @load_user
+        def my_view_method(self, *args, **kwargs):
+            # self.request.user will be the complete user object
+            pass
+    """
+    @wraps(f)
+    def wrapper(self, *args, **kwargs):
+        populate_user(self.context.request)
+        res = f(self, *args, **kwargs)
+        return res
+    return wrapper
+
+
+def populate_user(request: HttpRequest):
+    if isinstance(request.user, User):
+        return
+
+    try:
+        request.user = User.objects.get(oxi_id=request.user.id)
+    except User.DoesNotExist as exc:
+        logger.exception('user_not_found', oxi_id=request.user.id, message=str(exc))
+        raise InvalidToken()

oxutils/logger/__init__.py

@@ -0,0 +1,10 @@
+from django.core.files.storage import storages, default_storage
+
+
+def get_log_storage():
+    try:
+        return storages['logs']
+    except:
+        pass
+
+    return default_storage

oxutils/logger/receivers.py

@@ -3,14 +3,18 @@ from django.dispatch import receiver
 import structlog
 from django_structlog import signals
 from oxutils.settings import oxi_settings
-
+from oxutils.oxiliere.context import get_current_tenant_schema_name
 
 
 @receiver(signals.bind_extra_request_metadata)
 def bind_domain(request, logger, **kwargs):
     current_site = RequestSite(request)
-    structlog.contextvars.bind_contextvars(
-        domain=current_site.domain,
-        user_id=str(request.user.pk),
-        service=oxi_settings.service_name
-    )
+    ctx = {
+        'domain': current_site.domain,
+        'user_id': str(request.user.pk),
+        'service': oxi_settings.service_name
+    }
+    if oxi_settings.multitenancy:
+        ctx['tenant'] = get_current_tenant_schema_name()
+
+    structlog.contextvars.bind_contextvars(**ctx)

oxutils/logger/settings.py

@@ -1,5 +1,5 @@
 import structlog
-
+from oxutils.settings import oxi_settings
 
 
 
@@ -29,7 +29,7 @@ LOGGING = {
         },
         "json_file": {
             "class": "logging.handlers.WatchedFileHandler",
-            "filename": "logs/json.log",
+            "filename": oxi_settings.log_file_path,
             "formatter": "json_formatter",
         },
     },

oxutils/models/base.py

@@ -1,6 +1,24 @@
 import uuid
+import time
 from django.db import models
+from django.db import transaction
 from django.conf import settings
+from oxutils.models.fields import MaskedBackupField
+
+
+
+try:
+    from safedelete.models import SafeDeleteModel
+    from safedelete.models import SOFT_DELETE_CASCADE
+    from safedelete.signals import post_undelete
+except ImportError:
+    from django.dispatch import Signal
+    post_undelete = Signal()
+    SOFT_DELETE_CASCADE = 2
+
+    class SafeDeleteModel(models.Model):
+        def __new__(cls, *args, **kwargs):
+            raise ImportError("django-safedelete is not installed, please install it to use SafeDeleteModel")
 
 
 class UUIDPrimaryKeyMixin(models.Model):
@@ -114,3 +132,87 @@ class BaseModelMixin(UUIDPrimaryKeyMixin, TimestampMixin, ActiveMixin):
     """
     class Meta:
         abstract = True
+
+
+class SafeDeleteModelMixin(SafeDeleteModel):
+    _safedelete_policy = SOFT_DELETE_CASCADE
+    mask_fields = []
+
+    _masked_backup = MaskedBackupField(default=dict, editable=False)
+
+    class Meta:
+        abstract = True
+
+    @transaction.atomic
+    def delete(self, *args, **kwargs):
+        backup = {}
+
+        for field_name in self.mask_fields:
+            field = self._meta.get_field(field_name)
+            old_value = getattr(self, field_name)
+
+            if old_value is None:
+                continue
+
+            backup[field_name] = old_value
+            masked = self._mask_value(field, old_value)
+            setattr(self, field_name, masked)
+
+        if backup:
+            self._masked_backup = backup
+            self.save(update_fields=[*backup.keys(), "_masked_backup"])
+
+        return super().delete(*args, **kwargs)
+
+    def _mask_value(self, field: models.Field, old_value):
+        uid = uuid.uuid4().hex
+        ts = int(time.time())
+
+        if isinstance(field, models.EmailField):
+            return f"{ts}.{uid}.deleted@invalid.local"
+
+        if isinstance(field, models.URLField):
+            return f"https://deleted.invalid/{ts}/{uid}"
+
+        if isinstance(field, models.SlugField):
+            return f"deleted-{ts}-{uid}"
+
+        if isinstance(field, models.CharField):
+            return f"__deleted__{ts}__{uid}"
+
+        if isinstance(field, models.IntegerField):
+            return None  # souvent OK, sinon adapte
+
+        # fallback générique
+        return f"deleted-{ts}-{uid}"
+
+    @transaction.atomic
+    def restore_masked_fields(self):
+        if not self._masked_backup:
+            return
+
+        for field_name, old_value in self._masked_backup.items():
+            field = self._meta.get_field(field_name)
+
+            # vérification collision
+            qs = self.__class__._default_manager.filter(
+                **{field_name: old_value}
+            ).exclude(pk=self.pk)
+
+            if qs.exists():
+                raise ValueError(
+                    f"Collision détectée lors de la restauration du champ '{field_name}'"
+                )
+
+            setattr(self, field_name, old_value)
+
+        self._masked_backup = {}
+        self.save()
+
+
+def _restore_masked_fields(sender, instance, **kwargs):
+    if isinstance(instance, SafeDeleteModelMixin):
+        instance.restore_masked_fields()
+
+
+post_undelete.connect(_restore_masked_fields)

oxutils/models/fields.py

@@ -0,0 +1,79 @@
+"""# settings.py
+
+FIELD_MASKING_CRYPTO_ENABLED = True  # switch global
+
+# optionnel (recommandé)
+FIELD_MASKING_KEY = env("FIELD_MASKING_KEY", default=None)
+
+"""
+
+import json
+import base64
+import hashlib
+from django.utils.functional import cached_property
+from django.conf import settings
+from django.db import models
+
+
+
+
+
+def get_field_masking_fernet():
+    from cryptography.fernet import Fernet
+
+    if not hasattr(settings, "FIELD_MASKING_CRYPTO_ENABLED") or not settings.FIELD_MASKING_CRYPTO_ENABLED:
+        return None
+
+    if not hasattr(settings, "FIELD_MASKING_KEY") or settings.FIELD_MASKING_KEY:
+        return Fernet(settings.FIELD_MASKING_KEY)
+
+    # fallback contrôlé
+    digest = hashlib.sha256(
+        (settings.SECRET_KEY + ":field-masking:v1").encode()
+    ).digest()
+
+    key = base64.urlsafe_b64encode(digest)
+    return Fernet(key)
+
+
+
+class MaskedBackupField(models.TextField):
+    """
+    JSONField avec chiffrement optionnel
+    """
+
+    @cached_property
+    def fernet(self):
+        return get_field_masking_fernet()
+
+    def get_prep_value(self, value):
+        if value in (None, ""):
+            return None
+
+        raw = json.dumps(value).encode()
+
+        if not self.fernet:
+            return raw.decode()
+
+        return self.fernet.encrypt(raw).decode()
+
+    def from_db_value(self, value, expression, connection):
+        return self.to_python(value)
+
+    def to_python(self, value):
+        if isinstance(value, dict):
+            return value
+
+        if value in (None, ""):
+            return {}
+
+        try:
+            if self.fernet:
+                decrypted = self.fernet.decrypt(value.encode())
+                return json.loads(decrypted.decode())
+
+            return json.loads(value)
+
+        except Exception:
+            # sécurité : ne jamais casser un fetch DB
+            return {}

oxutils/oxiliere/apps.py

@@ -3,4 +3,12 @@ from django.apps import AppConfig
 
 class OxiliereConfig(AppConfig):
     default_auto_field = 'django.db.models.BigAutoField'
-    name = 'oxiliere'
+    name = 'oxutils.oxiliere'
+
+    def ready(self):
+        import oxutils.oxiliere.checks
+        
+        try:
+            import oxutils.oxiliere.caches
+        except LookupError:
+            pass