oxutils 0.1.8__tar.gz → 0.1.10__tar.gz

{oxutils-0.1.8 → oxutils-0.1.10}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: oxutils
-Version: 0.1.8
+Version: 0.1.10
 Summary: Production-ready utilities for Django applications in the Oxiliere ecosystem
 Keywords: django,utilities,jwt,s3,audit,logging,celery,structlog
 Author: Edimedia Mutoke

{oxutils-0.1.8 → oxutils-0.1.10}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "oxutils"
-version = "0.1.8"
+version = "0.1.10"
 description = "Production-ready utilities for Django applications in the Oxiliere ecosystem"
 readme = "README.md"
 license = "Apache-2.0"

{oxutils-0.1.8 → oxutils-0.1.10}/src/oxutils/__init__.py

@@ -8,9 +8,10 @@ This package provides:
 - Celery integration
 - Django model mixins
 - Custom exceptions
+- Permission management
 """
 
-__version__ = "0.1.8"
+__version__ = "0.1.10"
 
 from oxutils.settings import oxi_settings
 from oxutils.conf import UTILS_APPS, AUDIT_MIDDLEWARE

{oxutils-0.1.8 → oxutils-0.1.10}/src/oxutils/constants.py

@@ -2,3 +2,7 @@ ORGANIZATION_QUERY_KEY = 'organization_id'
 ORGANIZATION_HEADER_KEY = 'X-Organization-ID'
 ORGANIZATION_TOKEN_COOKIE_KEY = 'organization_token'
 OXILIERE_SERVICE_TOKEN = 'X-Oxiliere-Token'
+
+REFRESH_TOKEN_COOKIE = 'refresh_token'
+ACCESS_TOKEN_COOKIE = 'access_token'
+

oxutils-0.1.10/src/oxutils/jwt/auth.py

@@ -0,0 +1,204 @@
+import os
+from typing import Dict, Any, Optional, Type, Tuple
+from django.utils.translation import gettext_lazy as _
+from django.http import HttpRequest
+from django.contrib.auth.models import AbstractUser
+from django.contrib.auth import (
+    authenticate as django_authenticate,
+    login as django_login,
+    get_user_model
+)
+from jwcrypto import jwk
+from django.core.exceptions import ImproperlyConfigured
+
+from ninja.security.base import AuthBase
+from ninja_jwt.authentication import (
+    JWTBaseAuthentication,
+    JWTStatelessUserAuthentication
+)
+from ninja.security import (
+    APIKeyCookie,
+    HttpBasicAuth,
+)
+from ninja_jwt.exceptions import InvalidToken
+from ninja_jwt.settings import api_settings
+from oxutils.constants import ACCESS_TOKEN_COOKIE
+from oxutils.settings import oxi_settings
+
+
+
+
+_public_jwk_cache: Optional[jwk.JWK] = None
+
+
+
+def get_jwks() -> Dict[str, Any]:
+    """
+    Get JSON Web Key Set (JWKS) for JWT verification.
+    
+    Returns:
+        Dict containing the public JWK in JWKS format.
+        
+    Raises:
+        ImproperlyConfigured: If jwt_verifying_key is not configured or file doesn't exist.
+    """
+    global _public_jwk_cache
+    
+    if oxi_settings.jwt_verifying_key is None:
+        raise ImproperlyConfigured(
+            "JWT verifying key is not configured. Set OXI_JWT_VERIFYING_KEY environment variable."
+        )
+    
+    key_path = oxi_settings.jwt_verifying_key
+    
+    if not os.path.exists(key_path):
+        raise ImproperlyConfigured(
+            f"JWT verifying key file not found at: {key_path}"
+        )
+    
+    if _public_jwk_cache is None:
+        try:
+            with open(key_path, 'r') as f:
+                key_data = f.read()
+            
+            _public_jwk_cache = jwk.JWK.from_pem(key_data.encode('utf-8'))
+            _public_jwk_cache.update(kid='main')
+        except Exception as e:
+            raise ImproperlyConfigured(
+                f"Failed to load JWT verifying key from {key_path}: {str(e)}"
+            )
+    
+    return {"keys": [_public_jwk_cache.export(as_dict=True)]}
+
+
+def clear_jwk_cache() -> None:
+    """Clear the cached JWK. Useful for testing or key rotation."""
+    global _public_jwk_cache
+    _public_jwk_cache = None
+
+
+class AuthMixin:
+    def jwt_authenticate(self, request: HttpRequest, token: str) -> AbstractUser:
+        """
+        Add token_user to the request object, witch will be erased by the jwt_allauth.utils.popolate_user
+        function.
+        """
+        token_user = super().jwt_authenticate(request, token)
+        request.token_user = token_user
+        return token_user
+
+
+class JWTAuth(AuthMixin, JWTStatelessUserAuthentication):
+    pass
+
+
+class JWTCookieAuth(AuthMixin, JWTBaseAuthentication, APIKeyCookie):
+    """
+    An authentication plugin that authenticates requests through a JSON web
+    token provided in a request header without performing a database lookup to obtain a user instance.
+    """
+
+    param_name = ACCESS_TOKEN_COOKIE
+
+    def authenticate(self, request: HttpRequest, token: str) -> Any:
+        return self.jwt_authenticate(request, token)
+
+    def get_user(self, validated_token: Any) -> Type[AbstractUser]:
+        """
+        Returns a stateless user object which is backed by the given validated
+        token.
+        """
+        if api_settings.USER_ID_CLAIM not in validated_token:
+            # The TokenUser class assumes tokens will have a recognizable user
+            # identifier claim.
+            raise InvalidToken(_("Token contained no recognizable user identification"))
+
+        return api_settings.TOKEN_USER_CLASS(validated_token)
+
+
+def authenticate_by_x_session_token(token: str) -> Optional[Tuple]:
+    """
+    Copied from allauth.headless.internal.sessionkit, to "select_related"
+    """
+    from allauth.headless import app_settings
+
+
+    session = app_settings.TOKEN_STRATEGY.lookup_session(token)
+    if not session:
+        return None
+    user_id_str = session.get(SESSION_KEY)
+    if user_id_str:
+        meta_pk = get_user_model()._meta.pk
+        if meta_pk:
+            user_id = meta_pk.to_python(user_id_str)
+            user = get_user_model().objects.filter(pk=user_id).first()
+            if user and user.is_active:
+                return (user, session)
+    return None
+
+
+class XSessionTokenAuth(AuthBase):
+    """
+    This security class uses the X-Session-Token that django-allauth
+    is using for authentication purposes.
+    """
+
+    openapi_type: str = "apiKey"
+
+    def __call__(self, request: HttpRequest):
+        token = self.get_session_token(request)
+        if token:
+            user_session = authenticate_by_x_session_token(token)
+            if user_session:
+                return user_session[0]
+        return None
+
+    def get_session_token(self, request: HttpRequest) -> Optional[str]:
+        """
+        Returns the session token for the given request, by looking up the
+        ``X-Session-Token`` header. Override this if you want to extract the token
+        from e.g. the ``Authorization`` header.
+        """
+        if request.session.session_key:
+            return request.session.session_key
+        
+        return request.headers.get("X-Session-Token")
+
+
+class BasicAuth(HttpBasicAuth):
+    def authenticate(self, request: HttpRequest, username: str, password: str) -> Optional[Any]:
+        user = django_authenticate(email=username, password=password)
+        if user and user.is_active:
+            django_login(request, user)
+            return user
+        return None
+
+
+class BasicNoPasswordAuth(HttpBasicAuth):
+    def authenticate(self, request: HttpRequest, username: str, password: str) -> Optional[Any]:
+        try:
+            user = get_user_model().objects.get(email=username)
+            if user and user.is_active:
+                django_login(request, user)
+                return user
+            return None
+        except Exception as e:
+            return None
+
+x_session_token_auth = XSessionTokenAuth()
+basic_auth = BasicAuth()
+basic_no_password_auth = BasicNoPasswordAuth()
+jwt_auth = JWTAuth()
+jwt_cookie_auth = JWTCookieAuth()
+
+
+
+
+def get_auth_handlers(auths: List[AuthBase] = []) -> List[AuthBase]:
+    """Auth handler switcher based on settings.DEBUG"""
+    from django.conf import settings
+
+    if settings.DEBUG:
+        return auths
+
+    return [jwt_auth, jwt_cookie_auth]

{oxutils-0.1.8 → oxutils-0.1.10}/src/oxutils/jwt/models.py

@@ -36,6 +36,14 @@ class TokenTenant:
     def pk(self):
         return self.id
 
+    @property
+    def is_active(self):
+        return self.status == 'active'
+
+    @property
+    def is_deleted(self):
+        return self.status == 'deleted'
+
     @classmethod
     def for_token(cls, token):
         try:
@@ -59,6 +67,11 @@ class TokenUser(DefaultTonkenUser):
     def id(self):
         return UUID(self.token[api_settings.USER_ID_CLAIM])
 
+    @property
+    def oxi_id(self):
+        # for compatibility with the User model
+        return self.id
+
     @cached_property
     def token_created_at(self):
         return self.token.get('cat', None)

oxutils-0.1.10/src/oxutils/logger/receivers.py

@@ -0,0 +1,20 @@
+from django.contrib.sites.shortcuts import RequestSite
+from django.dispatch import receiver
+import structlog
+from django_structlog import signals
+from oxutils.settings import oxi_settings
+from oxutils.oxiliere.context import get_current_tenant_schema_name
+
+
+@receiver(signals.bind_extra_request_metadata)
+def bind_domain(request, logger, **kwargs):
+    current_site = RequestSite(request)
+    ctx = {
+        'domain': current_site.domain,
+        'user_id': str(request.user.pk),
+        'service': oxi_settings.service_name
+    }
+    if oxi_settings.multitenancy:
+        ctx['tenant'] = get_current_tenant_schema_name()
+
+    structlog.contextvars.bind_contextvars(**ctx)

oxutils-0.1.10/src/oxutils/models/base.py

@@ -0,0 +1,218 @@
+import uuid
+import time
+from django.db import models
+from django.db import transaction
+from django.conf import settings
+from oxutils.models.fields import MaskedBackupField
+
+
+
+try:
+    from safedelete.models import SafeDeleteModel
+    from safedelete.models import SOFT_DELETE_CASCADE
+    from safedelete.signals import post_undelete
+except ImportError:
+    from django.dispatch import Signal
+    post_undelete = Signal()
+    SOFT_DELETE_CASCADE = 2
+
+    class SafeDeleteModel(models.Model):
+        def __new__(cls, *args, **kwargs):
+            raise ImportError("django-safedelete is not installed, please install it to use SafeDeleteModel")
+
+
+class UUIDPrimaryKeyMixin(models.Model):
+    """Mixin that provides a UUID primary key field."""
+    id = models.UUIDField(
+        primary_key=True,
+        default=uuid.uuid4,
+        editable=False,
+        help_text="Unique identifier for this record"
+    )
+
+    class Meta:
+        abstract = True
+
+
+class TimestampMixin(models.Model):
+    """Mixin that provides created_at and updated_at timestamp fields."""
+    created_at = models.DateTimeField(
+        auto_now_add=True,
+        help_text="Date and time when this record was created"
+    )
+    updated_at = models.DateTimeField(
+        auto_now=True,
+        help_text="Date and time when this record was last updated"
+    )
+
+    class Meta:
+        abstract = True
+
+
+class UserTrackingMixin(models.Model):
+    """Mixin that tracks which user created and last modified a record."""
+    created_by = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.SET_NULL,
+        null=True,
+        blank=True,
+        related_name="%(app_label)s_%(class)s_created",
+        help_text="User who created this record"
+    )
+    updated_by = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.SET_NULL,
+        null=True,
+        blank=True,
+        related_name="%(app_label)s_%(class)s_updated",
+        help_text="User who last updated this record"
+    )
+
+    class Meta:
+        abstract = True
+
+
+class SlugMixin(models.Model):
+    """Mixin that provides a slug field."""
+    slug = models.SlugField(
+        max_length=255,
+        unique=True,
+        help_text="URL-friendly version of the name"
+    )
+
+    class Meta:
+        abstract = True
+
+
+class NameMixin(models.Model):
+    """Mixin that provides name and description fields."""
+    name = models.CharField(
+        max_length=255,
+        help_text="Name of this record"
+    )
+    description = models.TextField(
+        blank=True,
+        help_text="Optional description"
+    )
+
+    class Meta:
+        abstract = True
+
+    def __str__(self):
+        return self.name
+
+
+class ActiveMixin(models.Model):
+    """Mixin that provides an active/inactive status field."""
+    is_active = models.BooleanField(
+        default=True,
+        help_text="Whether this record is active"
+    )
+
+    class Meta:
+        abstract = True
+
+
+class OrderingMixin(models.Model):
+    """Mixin that provides an ordering field."""
+    order = models.PositiveIntegerField(
+        default=0,
+        help_text="Order for sorting records"
+    )
+
+    class Meta:
+        abstract = True
+        ordering = ['order']
+
+
+class BaseModelMixin(UUIDPrimaryKeyMixin, TimestampMixin, ActiveMixin):
+    """
+    Base mixin that combines the most commonly used mixins.
+    Provides UUID primary key, timestamps, and active status.
+    """
+    class Meta:
+        abstract = True
+
+
+class SafeDeleteModelMixin(SafeDeleteModel):
+    _safedelete_policy = SOFT_DELETE_CASCADE
+    mask_fields = []
+
+    _masked_backup = MaskedBackupField(default=dict, editable=False)
+
+    class Meta:
+        abstract = True
+
+    @transaction.atomic
+    def delete(self, *args, **kwargs):
+        backup = {}
+
+        for field_name in self.mask_fields:
+            field = self._meta.get_field(field_name)
+            old_value = getattr(self, field_name)
+
+            if old_value is None:
+                continue
+
+            backup[field_name] = old_value
+            masked = self._mask_value(field, old_value)
+            setattr(self, field_name, masked)
+
+        if backup:
+            self._masked_backup = backup
+            self.save(update_fields=[*backup.keys(), "_masked_backup"])
+
+        return super().delete(*args, **kwargs)
+
+    def _mask_value(self, field: models.Field, old_value):
+        uid = uuid.uuid4().hex
+        ts = int(time.time())
+
+        if isinstance(field, models.EmailField):
+            return f"{ts}.{uid}.deleted@invalid.local"
+
+        if isinstance(field, models.URLField):
+            return f"https://deleted.invalid/{ts}/{uid}"
+
+        if isinstance(field, models.SlugField):
+            return f"deleted-{ts}-{uid}"
+
+        if isinstance(field, models.CharField):
+            return f"__deleted__{ts}__{uid}"
+
+        if isinstance(field, models.IntegerField):
+            return None  # souvent OK, sinon adapte
+
+        # fallback générique
+        return f"deleted-{ts}-{uid}"
+
+    @transaction.atomic
+    def restore_masked_fields(self):
+        if not self._masked_backup:
+            return
+
+        for field_name, old_value in self._masked_backup.items():
+            field = self._meta.get_field(field_name)
+
+            # vérification collision
+            qs = self.__class__._default_manager.filter(
+                **{field_name: old_value}
+            ).exclude(pk=self.pk)
+
+            if qs.exists():
+                raise ValueError(
+                    f"Collision détectée lors de la restauration du champ '{field_name}'"
+                )
+
+            setattr(self, field_name, old_value)
+
+        self._masked_backup = {}
+        self.save()
+
+
+def _restore_masked_fields(sender, instance, **kwargs):
+    if isinstance(instance, SafeDeleteModelMixin):
+        instance.restore_masked_fields()
+
+
+post_undelete.connect(_restore_masked_fields)

oxutils-0.1.10/src/oxutils/models/fields.py

@@ -0,0 +1,79 @@
+"""# settings.py
+
+FIELD_MASKING_CRYPTO_ENABLED = True  # switch global
+
+# optionnel (recommandé)
+FIELD_MASKING_KEY = env("FIELD_MASKING_KEY", default=None)
+
+"""
+
+import json
+import base64
+import hashlib
+from django.utils.functional import cached_property
+from django.conf import settings
+from django.db import models
+
+
+
+
+
+def get_field_masking_fernet():
+    from cryptography.fernet import Fernet
+
+    if not hasattr(settings, "FIELD_MASKING_CRYPTO_ENABLED") or not settings.FIELD_MASKING_CRYPTO_ENABLED:
+        return None
+
+    if not hasattr(settings, "FIELD_MASKING_KEY") or settings.FIELD_MASKING_KEY:
+        return Fernet(settings.FIELD_MASKING_KEY)
+
+    # fallback contrôlé
+    digest = hashlib.sha256(
+        (settings.SECRET_KEY + ":field-masking:v1").encode()
+    ).digest()
+
+    key = base64.urlsafe_b64encode(digest)
+    return Fernet(key)
+
+
+
+class MaskedBackupField(models.TextField):
+    """
+    JSONField avec chiffrement optionnel
+    """
+
+    @cached_property
+    def fernet(self):
+        return get_field_masking_fernet()
+
+    def get_prep_value(self, value):
+        if value in (None, ""):
+            return None
+
+        raw = json.dumps(value).encode()
+
+        if not self.fernet:
+            return raw.decode()
+
+        return self.fernet.encrypt(raw).decode()
+
+    def from_db_value(self, value, expression, connection):
+        return self.to_python(value)
+
+    def to_python(self, value):
+        if isinstance(value, dict):
+            return value
+
+        if value in (None, ""):
+            return {}
+
+        try:
+            if self.fernet:
+                decrypted = self.fernet.decrypt(value.encode())
+                return json.loads(decrypted.decode())
+
+            return json.loads(value)
+
+        except Exception:
+            # sécurité : ne jamais casser un fetch DB
+            return {}

{oxutils-0.1.8 → oxutils-0.1.10}/src/oxutils/oxiliere/apps.py

@@ -6,4 +6,9 @@ class OxiliereConfig(AppConfig):
     name = 'oxutils.oxiliere'
 
     def ready(self):
-        import oxutils.oxiliere.caches
+        import oxutils.oxiliere.checks
+        
+        try:
+            import oxutils.oxiliere.caches
+        except LookupError:
+            pass

oxutils-0.1.10/src/oxutils/oxiliere/authorization.py

@@ -0,0 +1,45 @@
+from django.conf import settings
+from django.db import transaction
+from oxutils.permissions.actions import ACTIONS
+from oxutils.permissions.models import Grant, Group, UserGroup
+from oxutils.oxiliere.utils import get_tenant_user_model
+from oxutils.oxiliere.models import BaseTenant
+
+
+@transaction.atomic
+def grant_manager_access_to_owners(tenant: BaseTenant):
+    tenant_user_model = get_tenant_user_model()
+    tenant_users = tenant_user_model.objects.select_related("user").filter(tenant=tenant, is_owner=True)
+
+    access_scope = getattr(settings, 'ACCESS_MANAGER_SCOPE')
+    access_group = getattr(settings, 'ACCESS_MANAGER_GROUP')
+
+    if access_group:
+        try:
+            group = Group.objects.get(slug=access_group)
+        except Group.DoesNotExist:
+            group = None
+
+    bulk_grant = []
+    for tenant_user in tenant_users:
+        if group:
+            user_group, _ = UserGroup.objects.get_or_create(
+                user=tenant_user.user,
+                group=group,
+            )
+        else:
+            user_group = None
+        
+        bulk_grant.append(
+            Grant(
+                user=tenant_user.user,
+                scope=access_scope,
+                role=None,
+                actions=ACTIONS,
+                context={},
+                user_group=user_group,
+                created_by=None,
+            )
+        )
+
+    Grant.objects.bulk_create(bulk_grant)

{oxutils-0.1.8 → oxutils-0.1.10}/src/oxutils/oxiliere/caches.py

@@ -1,6 +1,11 @@
 from django.conf import settings
 from cacheops import cached_as, cached
-from oxutils.oxiliere.utils import get_tenant_model, get_tenant_user_model
+from oxutils.oxiliere.utils import (
+    get_tenant_model,
+    get_tenant_user_model,
+    get_system_tenant_schema_name
+)
+
 
 
 
@@ -28,9 +33,5 @@ def get_tenant_user(oxi_org_id: str, oxi_user_id: str):
 
 @cached(timeout=60*15)
 def get_system_tenant():
-    from oxutils.oxiliere.utils import oxid_to_schema_name
-
-    system_schema_name = oxid_to_schema_name(
-        getattr(settings, 'OXI_SYSTEM_TENANT', 'tenant_oxisystem')
-    )
-    return get_tenant_model().objects.get(schema_name=system_schema_name)
+    schema_name = get_system_tenant_schema_name()
+    return get_tenant_model().objects.get(schema_name=schema_name)