oxutils 0.1.6__py3-none-any.whl → 0.1.12__py3-none-any.whl

oxutils/oxiliere/permissions.py

@@ -1,6 +1,8 @@
-from ninja.permissions import BasePermission
-from django.conf import settings
-from oxutils.oxiliere.models import TenantUser
+from ninja_extra.permissions import BasePermission
+from oxutils.oxiliere.utils import get_tenant_user_model
+from oxutils.constants import OXILIERE_SERVICE_TOKEN
+from oxutils.jwt.tokens import OxilierServiceToken
+
 
 
 class TenantPermission(BasePermission):
@@ -8,7 +10,7 @@ class TenantPermission(BasePermission):
     Vérifie que l'utilisateur a accès au tenant actuel.
     L'utilisateur doit être authentifié et avoir un lien avec le tenant.
     """
-    def has_permission(self, request, view):
+    def has_permission(self, request, **kwargs):
         if not request.user or not request.user.is_authenticated:
             return False
         
@@ -16,9 +18,9 @@ class TenantPermission(BasePermission):
             return False
         
         # Vérifier que l'utilisateur a accès à ce tenant
-        return TenantUser.objects.filter(
-            tenant=request.tenant,
-            user=request.user
+        return get_tenant_user_model().objects.filter(
+            tenant__pk=request.tenant.pk,
+            user__pk=request.user.pk
         ).exists()
 
 
@@ -26,17 +28,16 @@ class TenantOwnerPermission(BasePermission):
     """
     Vérifie que l'utilisateur est propriétaire (owner) du tenant actuel.
     """
-    def has_permission(self, request, view):
+    def has_permission(self, request, **kwargs):
         if not request.user or not request.user.is_authenticated:
             return False
         
         if not hasattr(request, 'tenant'):
             return False
         
-        # Vérifier que l'utilisateur est owner du tenant
-        return TenantUser.objects.filter(
-            tenant=request.tenant,
-            user=request.user,
+        return get_tenant_user_model().objects.filter(
+            tenant__pk=request.tenant.pk,
+            user__pk=request.user.pk,
             is_owner=True
         ).exists()
 
@@ -45,22 +46,17 @@ class TenantAdminPermission(BasePermission):
     """
     Vérifie que l'utilisateur est admin ou owner du tenant actuel.
     """
-    def has_permission(self, request, view):
+    def has_permission(self, request, **kwargs):
         if not request.user or not request.user.is_authenticated:
             return False
         
         if not hasattr(request, 'tenant'):
             return False
         
-        # Vérifier que l'utilisateur est admin ou owner du tenant
-        return TenantUser.objects.filter(
-            tenant=request.tenant,
-            user=request.user,
+        return get_tenant_user_model().objects.filter(
+            tenant__pk=request.tenant.pk,
+            user__pk=request.user.pk,
             is_admin=True
-        ).exists() or TenantUser.objects.filter(
-            tenant=request.tenant,
-            user=request.user,
-            is_owner=True
         ).exists()
 
 
@@ -69,16 +65,16 @@ class TenantUserPermission(BasePermission):
     Vérifie que l'utilisateur est un membre du tenant actuel.
     Alias de TenantPermission pour plus de clarté sémantique.
     """
-    def has_permission(self, request, view):
+    def has_permission(self, request, **kwargs):
         if not request.user or not request.user.is_authenticated:
             return False
         
         if not hasattr(request, 'tenant'):
             return False
         
-        return TenantUser.objects.filter(
-            tenant=request.tenant,
-            user=request.user
+        return get_tenant_user_model().objects.filter(
+            tenant__pk=request.tenant.pk,
+            user__pk=request.user.pk
         ).exists()
 
 
@@ -87,18 +83,15 @@ class OxiliereServicePermission(BasePermission):
     Vérifie que la requête provient d'un service interne Oxiliere.
     Utilise un token de service ou une clé API spéciale.
     """
-    def has_permission(self, request, view):
-        # Vérifier le header de service
-        service_token = request.headers.get('X-Oxiliere-Service-Token')
+    def has_permission(self, request, **kwargs):
+        custom = 'HTTP_' + OXILIERE_SERVICE_TOKEN.upper().replace('-', '_')
+        service_token = request.headers.get(OXILIERE_SERVICE_TOKEN) or request.META.get(custom)
         
         if not service_token:
             return False
         
-        # Comparer avec le token configuré dans settings
-        expected_token = getattr(settings, 'OXILIERE_SERVICE_TOKEN', None)
-        
-        if not expected_token:
+        try:
+            OxilierServiceToken(token=service_token)
+            return True
+        except Exception:
             return False
-        
-        return service_token == expected_token
-

oxutils/oxiliere/schemas.py

@@ -1,10 +1,13 @@
 from typing import Optional
+from uuid import UUID 
 from ninja import Schema
 from django.db import transaction
 from django.contrib.auth import get_user_model
 from django_tenants.utils import get_tenant_model
-from oxutils.oxiliere.models import TenantUser
-from oxutils.oxiliere.utils import oxid_to_schema_name
+from oxutils.oxiliere.utils import (
+    get_tenant_user_model,
+)
+from oxutils.oxiliere.authorization import grant_manager_access_to_owners
 import structlog
 
 logger = structlog.get_logger(__name__)
@@ -20,7 +23,9 @@ class TenantSchema(Schema):
 
 
 class TenantOwnerSchema(Schema):
-    oxi_id: str
+    oxi_id: UUID
+    first_name: Optional[str] = None
+    last_name: Optional[str] = None
     email: str
 
 
@@ -33,33 +38,38 @@ class CreateTenantSchema(Schema):
     def create_tenant(self):
         UserModel = get_user_model()
         TenantModel = get_tenant_model()
+        TenantUserModel = get_tenant_user_model()
 
         if TenantModel.objects.filter(oxi_id=self.tenant.oxi_id).exists():
             logger.info("tenant_exists", oxi_id=self.tenant.oxi_id)
             raise ValueError("Tenant with oxi_id {} already exists".format(self.tenant.oxi_id))
 
-        user = UserModel.objects.get_or_create(
+        user, _ = UserModel.objects.get_or_create(
             oxi_id=self.owner.oxi_id,
             defaults={
+                'id': self.owner.oxi_id,
                 'email': self.owner.email,
+                'first_name': self.owner.first_name,
+                'last_name': self.owner.last_name
             }
         )
         
         tenant = TenantModel.objects.create(
             name=self.tenant.name,
-            schema_name=oxid_to_schema_name(self.tenant.oxi_id),
+            schema_name=self.tenant.oxi_id,
             oxi_id=self.tenant.oxi_id,
             subscription_plan=self.tenant.subscription_plan,
             subscription_status=self.tenant.subscription_status,
             subscription_end_date=self.tenant.subscription_end_date,
         )
         
-        TenantUser.objects.create(
+        TenantUserModel.objects.create(
             tenant=tenant,
             user=user,
             is_owner=True,
             is_admin=True,
         )
 
+        grant_manager_access_to_owners(tenant)
         logger.info("tenant_created", oxi_id=self.tenant.oxi_id)
         return tenant

oxutils/oxiliere/signals.py

@@ -0,0 +1,5 @@
+from django.dispatch import Signal
+
+
+tenant_user_removed = Signal()
+tenant_user_added = Signal()

oxutils/oxiliere/utils.py

@@ -1,4 +1,32 @@
-# utils.py
+from typing import Any
+import uuid
+from django.apps import apps
+from django.conf import settings
+from .constants import OXI_SYSTEM_TENANT
+
+
+
+
+def get_model(setting: str) -> Any:
+    try:
+        value = getattr(settings, setting)
+    except AttributeError:
+        raise ValueError(f"Model `{setting}` is not a valid Tenant model.")
+
+    return apps.get_model(value)
+
+
+def get_tenant_model() -> Any:
+    return get_model('TENANT_MODEL')
+
+def get_tenant_user_model() -> Any:
+    return get_model('TENANT_USER_MODEL')
+
+def is_system_tenant(tenant: Any) -> bool:
+    return tenant.oxi_id == get_system_tenant_oxi_id()
+
+def get_system_tenant_oxi_id():
+    return getattr(settings, 'OXI_SYSTEM_TENANT', OXI_SYSTEM_TENANT)
 
 def oxid_to_schema_name(oxid: str) -> str:
     """
@@ -37,6 +65,13 @@ def oxid_to_schema_name(oxid: str) -> str:
     return schema_name
 
 
+def generate_schema_name(oxi_id: str, suffix: str = None) -> str:
+    cleaned = oxid_to_schema_name(oxi_id)
+    if suffix:
+        return f"{cleaned}_{suffix}"
+    return f"{cleaned}_{uuid.uuid4().hex[:8]}"
+
+
 def update_tenant_user(oxi_org_id: str, oxi_user_id: str, data: dict):
     if not data or isinstance(data, dict) == False: return
     if not oxi_org_id or not oxi_user_id: return

oxutils/pagination/cursor.py

@@ -0,0 +1,367 @@
+"""
+Cursor pagination for django ninja & ninja extra
+
+forked from django-ninja-cursor-pagination
+https://github.com/kitware-resonant/django-ninja-cursor-pagination
+
+
+adapted for django ninja extra by @prosper-groups-soft for Oxiliere
+https://github.com/prosper-groups-soft
+"""
+
+
+from base64 import b64decode, b64encode
+from dataclasses import dataclass
+from typing import Any
+from urllib import parse
+from django.db.models import QuerySet
+from django.http import HttpRequest
+from django.utils.translation import gettext as _
+from ninja import Field, Schema
+from ninja.pagination import PaginationBase
+from pydantic import field_validator
+
+
+@dataclass
+class Cursor:
+    offset: int = 0
+    reverse: bool = False
+    position: str | None = None
+
+
+def _clamp(val: int, min_: int, max_: int) -> int:
+    return max(min_, min(val, max_))
+
+
+def _reverse_order(order: tuple) -> tuple:
+    # Reverse the ordering specification for a Django ORM query.
+    # Given an order_by tuple such as `('-created_at', 'uuid')` reverse the
+    # ordering and return a new tuple, eg. `('created_at', '-uuid')`.
+    def invert(x: str) -> str:
+        return x[1:] if x.startswith("-") else f"-{x}"
+
+    return tuple(invert(item) for item in order)
+
+
+def _replace_query_param(url: str, key: str, val: str) -> str:
+    scheme, netloc, path, query, fragment = parse.urlsplit(url)
+    query_dict = parse.parse_qs(query, keep_blank_values=True)
+    query_dict[key] = [val]
+    query = parse.urlencode(sorted(query_dict.items()), doseq=True)
+    return parse.urlunsplit((scheme, netloc, path, query, fragment))
+
+
+def _get_http_request(request) -> HttpRequest:
+    """
+    Normalize the incoming request object to a Django HttpRequest.
+
+    Supports both direct HttpRequest instances and ninja-extra ControllerBase
+    wrappers (where the HttpRequest is available as request.context.request).
+    """
+    if isinstance(request, HttpRequest):
+        return request
+
+    if hasattr(request, "context") and hasattr(request.context, "request"):
+        return request.context.request
+
+    raise TypeError(
+        f"Unsupported request type for pagination: {type(request)!r}"
+    )
+    
+
+
+class CursorPagination(PaginationBase):
+    class Input(Schema):
+        limit: int | None = Field(
+            None,
+            description=_("Number of results to return per page."),
+        )
+        cursor: str | None = Field(
+            None,
+            description=_("The pagination cursor value."),
+            validate_default=True,
+        )
+
+        @field_validator("cursor")
+        @classmethod
+        def decode_cursor(cls, encoded_cursor: str | None) -> Cursor:
+            if encoded_cursor is None:
+                return Cursor()
+
+            try:
+                encoded_cursor = parse.unquote(encoded_cursor)
+                querystring = b64decode(encoded_cursor).decode()
+                tokens = parse.parse_qs(querystring, keep_blank_values=True)
+
+                offset = int(tokens.get("o", ["0"])[0])
+                offset = _clamp(offset, 0, CursorPagination._offset_cutoff)
+
+                reverse = tokens.get("r", ["0"])[0]
+                reverse = bool(int(reverse))
+
+                position = tokens.get("p", [None])[0]
+            except (TypeError, ValueError) as e:
+                raise ValueError(_("Invalid cursor.")) from e
+
+            return Cursor(offset=offset, reverse=reverse, position=position)
+
+    class Output(Schema):
+        results: list[Any] = Field(description=_("The page of objects."))
+        count: int = Field(
+            description=_("The total number of results across all pages."),
+        )
+        next: str | None = Field(
+            description=_("URL of next page of results if there is one."),
+        )
+        previous: str | None = Field(
+            description=_("URL of previous page of results if there is one."),
+        )
+
+    items_attribute = "results"
+    default_ordering = ("-id",)
+    max_page_size = 100
+    _offset_cutoff = 100  # limit to protect against possibly malicious queries
+
+    def paginate_queryset(
+        self,
+        queryset: QuerySet,
+        pagination: Input,
+        request: Any,
+        **params,
+    ) -> dict:
+        limit = _clamp(pagination.limit or self.max_page_size, 0, self.max_page_size)
+        request = _get_http_request(request)
+
+        if not queryset.query.order_by:
+            queryset = queryset.order_by(*self.default_ordering)
+
+        order = queryset.query.order_by
+        total_count = queryset.count()
+
+        base_url = request.build_absolute_uri()
+        cursor = pagination.cursor
+
+        if cursor.reverse:
+            queryset = queryset.order_by(*_reverse_order(order))
+
+        if cursor.position is not None:
+            values = cursor.position.split("|")
+            fields = [f.lstrip("-") for f in order]
+
+            filters = {}
+            for i, field in enumerate(fields):
+                if i < len(values) - 1:
+                    filters[field] = values[i]
+                else:
+                    op = "lt" if order[i].startswith("-") ^ cursor.reverse else "gt"
+                    filters[f"{field}__{op}"] = values[i]
+
+            queryset = queryset.filter(**filters)
+
+
+        # If we have an offset cursor then offset the entire page by that amount.
+        # We also always fetch an extra item in order to determine if there is a
+        # page following on from this one.
+        results = list(queryset[cursor.offset : cursor.offset + limit + 1])
+        page = list(results[:limit])
+
+        # Determine the position of the final item following the page.
+        if len(results) > len(page):
+            has_following_position = True
+            following_position = self._get_position_from_instance(results[-1], order)
+        else:
+            has_following_position = False
+            following_position = None
+
+        if cursor.reverse:
+            # If we have a reverse queryset, then the query ordering was in reverse
+            # so we need to reverse the items again before returning them to the user.
+            page.reverse()
+
+            has_next = (cursor.position is not None) or (cursor.offset > 0)
+            has_previous = has_following_position
+            next_position = cursor.position if has_next else None
+            previous_position = following_position if has_previous else None
+        else:
+            has_next = has_following_position
+            has_previous = (cursor.position is not None) or (cursor.offset > 0)
+            next_position = following_position if has_next else None
+            previous_position = cursor.position if has_previous else None
+
+        return {
+            "results": page,
+            "count": total_count,
+            "next": self.next_link(
+                base_url=base_url,
+                page=page,
+                cursor=cursor,
+                order=order,
+                has_previous=has_previous,
+                limit=limit,
+                next_position=next_position,
+                previous_position=previous_position,
+            )
+            if has_next
+            else None,
+            "previous": self.previous_link(
+                base_url=base_url,
+                page=page,
+                cursor=cursor,
+                order=order,
+                has_next=has_next,
+                limit=limit,
+                next_position=next_position,
+                previous_position=previous_position,
+            )
+            if has_previous
+            else None,
+        }
+
+    def _encode_cursor(self, cursor: Cursor, base_url: str) -> str:
+        tokens = {}
+        if cursor.offset != 0:
+            tokens["o"] = str(cursor.offset)
+        if cursor.reverse:
+            tokens["r"] = "1"
+        if cursor.position is not None:
+            tokens["p"] = cursor.position
+
+        querystring = parse.urlencode(tokens, doseq=True)
+        encoded = b64encode(querystring.encode()).decode()
+        return _replace_query_param(base_url, "cursor", encoded)
+
+    def next_link(  # noqa: PLR0913
+        self,
+        *,
+        base_url: str,
+        page: list,
+        cursor: Cursor,
+        order: tuple,
+        has_previous: bool,
+        limit: int,
+        next_position: str,
+        previous_position: str,
+    ) -> str:
+        if page and cursor.reverse and cursor.offset:
+            # If we're reversing direction and we have an offset cursor
+            # then we cannot use the first position we find as a marker.
+            compare = self._get_position_from_instance(page[-1], order)
+        else:
+            compare = next_position
+        offset = 0
+
+        has_item_with_unique_position = False
+        for item in reversed(page):
+            position = self._get_position_from_instance(item, order)
+            if position != compare:
+                # The item in this position and the item following it
+                # have different positions. We can use this position as
+                # our marker.
+                has_item_with_unique_position = True
+                break
+
+            # The item in this position has the same position as the item
+            # following it, we can't use it as a marker position, so increment
+            # the offset and keep seeking to the previous item.
+            compare = position
+            offset += 1  # noqa: SIM113
+
+        if page and not has_item_with_unique_position:
+            # There were no unique positions in the page.
+            if not has_previous:
+                # We are on the first page.
+                # Our cursor will have an offset equal to the page size,
+                # but no position to filter against yet.
+                offset = limit
+                position = None
+            elif cursor.reverse:
+                # The change in direction will introduce a paging artifact,
+                # where we end up skipping forward a few extra items.
+                offset = 0
+                position = previous_position
+            else:
+                # Use the position from the existing cursor and increment
+                # it's offset by the page size.
+                offset = cursor.offset + limit
+                position = previous_position
+
+        if not page:
+            position = next_position
+
+        next_cursor = Cursor(offset=offset, reverse=False, position=position)
+        return self._encode_cursor(next_cursor, base_url)
+
+    def previous_link(  # noqa: PLR0913
+        self,
+        *,
+        base_url: str,
+        page: list,
+        cursor: Cursor,
+        order: tuple,
+        has_next: bool,
+        limit: int,
+        next_position: str,
+        previous_position: str,
+    ):
+        if page and not cursor.reverse and cursor.offset:
+            # If we're reversing direction and we have an offset cursor
+            # then we cannot use the first position we find as a marker.
+            compare = self._get_position_from_instance(page[0], order)
+        else:
+            compare = previous_position
+        offset = 0
+
+        has_item_with_unique_position = False
+        for item in page:
+            position = self._get_position_from_instance(item, order)
+            if position != compare:
+                # The item in this position and the item following it
+                # have different positions. We can use this position as
+                # our marker.
+                has_item_with_unique_position = True
+                break
+
+            # The item in this position has the same position as the item
+            # following it, we can't use it as a marker position, so increment
+            # the offset and keep seeking to the previous item.
+            compare = position
+            offset += 1  # noqa: SIM113
+
+        if page and not has_item_with_unique_position:
+            # There were no unique positions in the page.
+            if not has_next:
+                # We are on the final page.
+                # Our cursor will have an offset equal to the page size,
+                # but no position to filter against yet.
+                offset = limit
+                position = None
+            elif cursor.reverse:
+                # Use the position from the existing cursor and increment
+                # it's offset by the page size.
+                offset = cursor.offset + limit
+                position = next_position
+            else:
+                # The change in direction will introduce a paging artifact,
+                # where we end up skipping back a few extra items.
+                offset = 0
+                position = next_position
+
+        if not page:
+            position = previous_position
+
+        cursor = Cursor(offset=offset, reverse=True, position=position)
+        return self._encode_cursor(cursor, base_url)
+
+    def _get_position_from_instance(self, instance, ordering) -> str:
+        values: list[str] = []
+
+        for field in ordering:
+            name = field.lstrip("-")
+            value = (
+                instance[name]
+                if isinstance(instance, dict)
+                else getattr(instance, name)
+            )
+            values.append(str(value))
+
+        return "|".join(values)

oxutils/permissions/actions.py

@@ -0,0 +1,57 @@
+# actions.py
+
+READ = "r"
+WRITE = "w"
+DELETE = "d"
+UPDATE = "u"
+APPROVE = "a"
+
+ACTIONS = [READ, WRITE, DELETE, UPDATE, APPROVE]
+
+
+ACTION_HIERARCHY = {
+    "r": set(),            # read
+    "w": {"r"},            # write ⇒ read
+    "u": {"r"},            # update ⇒ read
+    "d": {"r", "w"},       # delete ⇒ write ⇒ read
+    "a": {"r"},            # approve ⇒ read
+}
+
+
+def collapse_actions(actions: list[str]) -> set[str]:
+    """
+    ['d','w','r'] -> {'d'}
+    ['w','r']     -> {'w'}
+    ['r']         -> {'r'}
+    """
+    actions = set(actions)
+    roots = set(actions)
+
+    # Remove all implied actions from roots
+    for action in list(roots):
+        if action in ACTION_HIERARCHY:
+            implied = ACTION_HIERARCHY[action]
+            roots -= implied
+
+    return roots
+
+
+def expand_actions(actions: list[str]) -> list[str]:
+    """
+    ['w']        -> ['w', 'r']
+    ['d']        -> ['d', 'w', 'r']
+    ['a', 'w']   -> ['a', 'w', 'r']
+    """
+    expanded = set(actions)
+
+    stack = list(actions)
+    while stack:
+        action = stack.pop()
+        implied = ACTION_HIERARCHY.get(action, set())
+
+        for a in implied:
+            if a not in expanded:
+                expanded.add(a)
+                stack.append(a)
+
+    return sorted(expanded)

oxutils/permissions/admin.py

@@ -0,0 +1,3 @@
+from django.contrib import admin
+
+# Register your models here.

oxutils/permissions/apps.py

@@ -0,0 +1,10 @@
+from django.apps import AppConfig
+
+
+class PermissionsConfig(AppConfig):
+    default_auto_field = 'django.db.models.BigAutoField'
+    name = 'oxutils.permissions'
+    
+    def ready(self):
+        """Import checks when app is ready."""
+        from . import checks  # noqa