paskia 0.9.0__py3-none-any.whl → 0.10.0__py3-none-any.whl

paskia/db/operations.py

@@ -2,7 +2,7 @@
 Database for WebAuthn passkey authentication.
 
 Read operations: Access _db directly, use build_* helpers to get public structs.
-Context lookup: get_session_context() returns full SessionContext with effective permissions.
+Context lookup: _db.session_ctx() returns full SessionContext with effective permissions.
 Write operations: Functions that validate and commit, or raise ValueError.
 """
 
@@ -10,7 +10,7 @@ import hashlib
 import logging
 import os
 import secrets
-from datetime import datetime, timezone
+from datetime import UTC, datetime
 from uuid import UUID
 
 import uuid7
@@ -31,7 +31,6 @@ from paskia.db.structs import (
     SessionContext,
     User,
 )
-from paskia.util.hostutil import normalize_host
 from paskia.util.passphrase import generate as generate_passphrase
 from paskia.util.passphrase import is_well_formed as _is_passphrase
 
@@ -69,21 +68,18 @@ def get_user_organization(user_uuid: UUID) -> tuple[Org, str]:
     Raises ValueError if user not found.
 
     Call sites:
-    - Get user's organization when updating user role (admin.py:493)
-    - Get user's organization for user credential listing (admin.py:530)
-    - Get user's organization for user details API (admin.py:579)
-    - Get user's organization for updating user display name (admin.py:721)
-    - Get user's organization for deleting user credential (admin.py:754)
-    - Get user's organization for deleting user session (admin.py:783)
+    - update_user_role_in_organization: org only
+    - admin_create_user_registration_link: org only
+    - admin_get_user_detail: org and role
+    - admin_update_user_display_name: org only
+    - admin_delete_user_credential: org only
+    - admin_delete_user_session: org only
     """
     if user_uuid not in _db.users:
         raise ValueError(f"User {user_uuid} not found")
-    role_uuid = _db.users[user_uuid].role
-    if role_uuid not in _db.roles:
-        raise ValueError(f"Role {role_uuid} not found")
-    role_data = _db.roles[role_uuid]
-    org_uuid = role_data.org
-    return _db.orgs[org_uuid], role_data.display_name
+    user = _db.users[user_uuid]
+    role = user.role
+    return role.org, role.display_name
 
 
 def get_organization_users(org_uuid: UUID) -> list[tuple[User, str]]:
@@ -91,10 +87,8 @@ def get_organization_users(org_uuid: UUID) -> list[tuple[User, str]]:
 
     Returns list of (User, role_display_name) tuples.
     """
-    role_map = {
-        rid: r.display_name for rid, r in _db.roles.items() if r.org == org_uuid
-    }
-    return [(u, role_map[u.role]) for u in _db.users.values() if u.role in role_map]
+    org = _db.orgs[org_uuid]
+    return [(u, u.role.display_name) for role in org.roles for u in role.users]
 
 
 def get_user_credential_ids(user_uuid: UUID) -> list[bytes]:
@@ -102,7 +96,8 @@ def get_user_credential_ids(user_uuid: UUID) -> list[bytes]:
 
     Returns empty list if user has no credentials.
     """
-    return [c.credential_id for c in _db.credentials.values() if c.user == user_uuid]
+    assert user_uuid
+    return [c.credential_id for c in _db.users[user_uuid].credentials]
 
 
 def _reset_key(passphrase: str) -> bytes:
@@ -126,92 +121,6 @@ def get_reset_token(passphrase: str) -> ResetToken | None:
     return _db.reset_tokens.get(key)
 
 
-# -------------------------------------------------------------------------
-# Context lookup
-# -------------------------------------------------------------------------
-
-
-def get_session_context(
-    session_key: str, host: str | None = None
-) -> SessionContext | None:
-    """Get full session context with effective permissions.
-
-    Args:
-        session_key: The session key string
-        host: Optional host for binding/validation and domain-scoped permissions
-
-    Returns:
-        SessionContext if valid, None if session not found, expired, or host mismatch
-
-    Call sites:
-    - Example usage in docstring (db/__init__.py:16)
-    - Get session context from auth token (util/permutil.py:43)
-    """
-
-    if session_key not in _db.sessions:
-        return None
-
-    s = _db.sessions[session_key]
-    if s.expiry < datetime.now(timezone.utc):
-        return None
-
-    # Validate host matches (sessions are always created with a host)
-    if host is not None and s.host != host:
-        # Session bound to different host
-        return None
-
-    # Validate user exists
-    if s.user not in _db.users:
-        return None
-
-    # Validate role exists
-    role_uuid = _db.users[s.user].role
-    if role_uuid not in _db.roles:
-        return None
-
-    # Validate org exists
-    org_uuid = _db.roles[role_uuid].org
-    if org_uuid not in _db.orgs:
-        return None
-
-    session = _db.sessions[session_key]
-    user = _db.users[s.user]
-    role = _db.roles[role_uuid]
-    org = _db.orgs[org_uuid]
-
-    # Credential must exist (sessions are cascade-deleted when credential is deleted)
-    if s.credential not in _db.credentials:
-        return None
-    credential = _db.credentials[s.credential]
-
-    # Effective permissions: role's permissions that the org can grant
-    # Also filter by domain if host is provided
-    org_perm_uuids = {pid for pid, p in _db.permissions.items() if org_uuid in p.orgs}
-    normalized_host = normalize_host(host)
-    host_without_port = normalized_host.rsplit(":", 1)[0] if normalized_host else None
-
-    effective_perms = []
-    for perm_uuid in role.permission_set:
-        if perm_uuid not in org_perm_uuids:
-            continue
-        if perm_uuid not in _db.permissions:
-            continue
-        p = _db.permissions[perm_uuid]
-        # Check domain restriction
-        if p.domain is not None and p.domain != host_without_port:
-            continue
-        effective_perms.append(_db.permissions[perm_uuid])
-
-    return SessionContext(
-        session=session,
-        user=user,
-        org=org,
-        role=role,
-        credential=credential,
-        permissions=effective_perms,
-    )
-
-
 # -------------------------------------------------------------------------
 # Write operations (validate, modify, commit or raise ValueError)
 # -------------------------------------------------------------------------
@@ -264,9 +173,9 @@ def create_org(org: Org, *, ctx: SessionContext | None = None) -> None:
     if org.uuid in _db.orgs:
         raise ValueError(f"Organization {org.uuid} already exists")
     with _db.transaction("admin:create_org", ctx):
-        new_org = Org(display_name=org.display_name)
-        _db.orgs[org.uuid] = new_org
+        new_org = Org.create(display_name=org.display_name)
         new_org.uuid = org.uuid
+        _db.orgs[org.uuid] = new_org
         # Create Administration role with org admin permission
 
         admin_role_uuid = uuid7.create()
@@ -278,7 +187,7 @@ def create_org(org: Org, *, ctx: SessionContext | None = None) -> None:
                 break
         role_permissions = {org_admin_perm_uuid: True} if org_admin_perm_uuid else {}
         admin_role = Role(
-            org=org.uuid,
+            org_uuid=org.uuid,
             display_name="Administration",
             permissions=role_permissions,
         )
@@ -304,17 +213,15 @@ def delete_org(uuid: UUID, *, ctx: SessionContext | None = None) -> None:
     if uuid not in _db.orgs:
         raise ValueError(f"Organization {uuid} not found")
     with _db.transaction("admin:delete_org", ctx):
+        org = _db.orgs[uuid]
         # Remove org from all permissions
         for p in _db.permissions.values():
             p.orgs.pop(uuid, None)
-        # Delete roles in this org
-        role_uuids = [rid for rid, r in _db.roles.items() if r.org == uuid]
-        for rid in role_uuids:
-            del _db.roles[rid]
-        # Delete users with those roles
-        user_uuids = [uid for uid, u in _db.users.items() if u.role in role_uuids]
-        for uid in user_uuids:
-            del _db.users[uid]
+        # Delete roles in this org and their users
+        for role in org.roles:
+            for user in role.users:
+                del _db.users[user.uuid]
+            del _db.roles[role.uuid]
         del _db.orgs[uuid]
 
 
@@ -356,8 +263,8 @@ def create_role(role: Role, *, ctx: SessionContext | None = None) -> None:
     """Create a new role."""
     if role.uuid in _db.roles:
         raise ValueError(f"Role {role.uuid} already exists")
-    if role.org not in _db.orgs:
-        raise ValueError(f"Organization {role.org} not found")
+    if role.org_uuid not in _db.orgs:
+        raise ValueError(f"Organization {role.org_uuid} not found")
     with _db.transaction("admin:create_role", ctx):
         _db.roles[role.uuid] = role
 
@@ -408,7 +315,8 @@ def delete_role(uuid: UUID, *, ctx: SessionContext | None = None) -> None:
     if uuid not in _db.roles:
         raise ValueError(f"Role {uuid} not found")
     # Check no users have this role
-    if any(u.role == uuid for u in _db.users.values()):
+    role = _db.roles[uuid]
+    if role.users:
         raise ValueError(f"Cannot delete role {uuid}: users still assigned")
     with _db.transaction("admin:delete_role", ctx):
         del _db.roles[uuid]
@@ -418,8 +326,8 @@ def create_user(new_user: User, *, ctx: SessionContext | None = None) -> None:
     """Create a new user."""
     if new_user.uuid in _db.users:
         raise ValueError(f"User {new_user.uuid} already exists")
-    if new_user.role not in _db.roles:
-        raise ValueError(f"Role {new_user.role} not found")
+    if new_user.role_uuid not in _db.roles:
+        raise ValueError(f"Role {new_user.role_uuid} not found")
     with _db.transaction("admin:create_user", ctx):
         _db.users[new_user.uuid] = new_user
 
@@ -456,7 +364,7 @@ def update_user_role(
     if role_uuid not in _db.roles:
         raise ValueError(f"Role {role_uuid} not found")
     with _db.transaction("admin:update_user_role", ctx):
-        _db.users[uuid].role = role_uuid
+        _db.users[uuid].role_uuid = role_uuid
 
 
 def update_user_role_in_organization(
@@ -468,39 +376,35 @@ def update_user_role_in_organization(
     """Update user's role by role name within their current organization."""
     if user_uuid not in _db.users:
         raise ValueError(f"User {user_uuid} not found")
-    current_role_uuid = _db.users[user_uuid].role
-    if current_role_uuid not in _db.roles:
-        raise ValueError("Current role not found")
-    org_uuid = _db.roles[current_role_uuid].org
+    user = _db.users[user_uuid]
+    org = user.org
     # Find role by name in the same org
     new_role_uuid = None
-    for rid, r in _db.roles.items():
-        if r.org == org_uuid and r.display_name == role_name:
-            new_role_uuid = rid
+    for r in org.roles:
+        if r.display_name == role_name:
+            new_role_uuid = r.uuid
             break
     if new_role_uuid is None:
         raise ValueError(f"Role '{role_name}' not found in organization")
     with _db.transaction("admin:update_user_role", ctx):
-        _db.users[user_uuid].role = new_role_uuid
+        _db.users[user_uuid].role_uuid = new_role_uuid
 
 
 def delete_user(uuid: UUID, *, ctx: SessionContext | None = None) -> None:
     """Delete user and their credentials/sessions."""
     if uuid not in _db.users:
         raise ValueError(f"User {uuid} not found")
+    user = _db.users[uuid]
     with _db.transaction("admin:delete_user", ctx):
         # Delete credentials
-        cred_uuids = [cid for cid, c in _db.credentials.items() if c.user == uuid]
-        for cid in cred_uuids:
-            del _db.credentials[cid]
+        for cred in user.credentials:
+            del _db.credentials[cred.uuid]
         # Delete sessions
-        sess_keys = [k for k, s in _db.sessions.items() if s.user == uuid]
-        for k in sess_keys:
-            del _db.sessions[k]
+        for sess in user.sessions:
+            del _db.sessions[sess.key]
         # Delete reset tokens
-        token_keys = [k for k, t in _db.reset_tokens.items() if t.user == uuid]
-        for k in token_keys:
-            del _db.reset_tokens[k]
+        for token in user.reset_tokens:
+            del _db.reset_tokens[token.key]
         del _db.users[uuid]
 
 
@@ -508,8 +412,8 @@ def create_credential(cred: Credential, *, ctx: SessionContext | None = None) ->
     """Create a new credential."""
     if cred.uuid in _db.credentials:
         raise ValueError(f"Credential {cred.uuid} already exists")
-    if cred.user not in _db.users:
-        raise ValueError(f"User {cred.user} not found")
+    if cred.user_uuid not in _db.users:
+        raise ValueError(f"User {cred.user_uuid} not found")
     with _db.transaction("create_credential", ctx):
         _db.credentials[cred.uuid] = cred
 
@@ -542,20 +446,19 @@ def delete_credential(
     """
     if uuid not in _db.credentials:
         raise ValueError(f"Credential {uuid} not found")
+    cred = _db.credentials[uuid]
     if user_uuid is not None:
-        cred_user = _db.credentials[uuid].user
-        if cred_user != user_uuid:
+        if cred.user_uuid != user_uuid:
             raise ValueError(f"Credential {uuid} does not belong to user {user_uuid}")
     with _db.transaction("delete_credential", ctx):
         # Delete all sessions using this credential
-        keys = [k for k, s in _db.sessions.items() if s.credential == uuid]
-        for k in keys:
-            del _db.sessions[k]
+        for sess in cred.sessions:
+            print(sess, repr(sess.key))
+            del _db.sessions[sess.key]
         del _db.credentials[uuid]
 
 
 def create_session(
-    key: str,
     user_uuid: UUID,
     credential_uuid: UUID,
     host: str,
@@ -564,23 +467,25 @@ def create_session(
     expiry: datetime,
     *,
     ctx: SessionContext | None = None,
-) -> None:
-    """Create a new session."""
-    if key in _db.sessions:
-        raise ValueError("Session already exists")
+) -> str:
+    """Create a new session. Returns the session key."""
     if user_uuid not in _db.users:
         raise ValueError(f"User {user_uuid} not found")
     if credential_uuid not in _db.credentials:
         raise ValueError(f"Credential {credential_uuid} not found")
+    session = Session.create(
+        user=user_uuid,
+        credential=credential_uuid,
+        host=host,
+        ip=ip,
+        user_agent=user_agent,
+        expiry=expiry,
+    )
+    if session.key in _db.sessions:
+        raise ValueError("Session already exists")
     with _db.transaction("create_session", ctx):
-        _db.sessions[key] = Session(
-            user=user_uuid,
-            credential=credential_uuid,
-            host=host,
-            ip=ip,
-            user_agent=user_agent,
-            expiry=expiry,
-        )
+        _db.sessions[session.key] = session
+    return session.key
 
 
 def update_session(
@@ -612,16 +517,18 @@ def set_session_host(key: str, host: str, *, ctx: SessionContext | None = None)
     update_session(key, host=host, ctx=ctx)
 
 
-def delete_session(key: str, *, ctx: SessionContext | None = None) -> None:
+def delete_session(
+    key: str, *, ctx: SessionContext | None = None, action: str = "delete_session"
+) -> None:
     """Delete a session.
 
     The acting user should be logged via ctx.
-    For user logout, pass ctx of the user's session.
+    For user logout, pass ctx of the user's session and action="logout".
     For admin terminating a session, pass admin's ctx.
     """
     if key not in _db.sessions:
         raise ValueError("Session not found")
-    with _db.transaction("delete_session", ctx):
+    with _db.transaction(action, ctx):
         del _db.sessions[key]
 
 
@@ -634,10 +541,12 @@ def delete_sessions_for_user(
     For user logout-all, pass ctx of the user's session.
     For admin bulk termination, pass admin's ctx.
     """
+    user = _db.users.get(user_uuid)
+    if not user:
+        return
     with _db.transaction("admin:delete_sessions_for_user", ctx):
-        keys = [k for k, s in _db.sessions.items() if s.user == user_uuid]
-        for k in keys:
-            del _db.sessions[k]
+        for sess in user.sessions:
+            del _db.sessions[sess.key]
 
 
 def create_reset_token(
@@ -647,6 +556,7 @@ def create_reset_token(
     token_type: str,
     *,
     ctx: SessionContext | None = None,
+    user: str | None = None,
 ) -> None:
     """Create a reset token from a passphrase.
 
@@ -654,15 +564,16 @@ def create_reset_token(
     For self-service (user creating own recovery link), pass user's ctx.
     For admin operations, pass admin's ctx.
     For system operations (bootstrap), pass neither to log no user.
+    For API operations where ctx is not available but user is known, pass user.
     """
     key = _reset_key(passphrase)
     if key in _db.reset_tokens:
         raise ValueError("Reset token already exists")
     if user_uuid not in _db.users:
         raise ValueError(f"User {user_uuid} not found")
-    with _db.transaction("create_reset_token", ctx):
+    with _db.transaction("create_reset_token", ctx, user=user):
         _db.reset_tokens[key] = ResetToken(
-            user=user_uuid, expiry=expiry, token_type=token_type
+            user_uuid=user_uuid, expiry=expiry, token_type=token_type
         )
 
 
@@ -681,7 +592,7 @@ def delete_reset_token(key: bytes, *, ctx: SessionContext | None = None) -> None
 
 def cleanup_expired() -> int:
     """Remove expired sessions and reset tokens. Returns count removed."""
-    now = datetime.now(timezone.utc)
+    now = datetime.now(UTC)
     count = 0
     with _db.transaction("expiry"):
         expired_sessions = [k for k, s in _db.sessions.items() if s.expiry < now]
@@ -726,13 +637,20 @@ def login(
     """
     if isinstance(user_uuid, str):
         user_uuid = UUID(user_uuid)
-    now = datetime.now(timezone.utc)
+    now = datetime.now(UTC)
     if user_uuid not in _db.users:
         raise ValueError(f"User {user_uuid} not found")
     if credential_uuid not in _db.credentials:
         raise ValueError(f"Credential {credential_uuid} not found")
 
-    session_key = _create_token()
+    session = Session.create(
+        user=user_uuid,
+        credential=credential_uuid,
+        host=host,
+        ip=ip,
+        user_agent=user_agent,
+        expiry=expiry,
+    )
     user_str = str(user_uuid)
     with _db.transaction("login", user=user_str):
         # Update user
@@ -742,15 +660,8 @@ def login(
         _db.credentials[credential_uuid].sign_count = sign_count
         _db.credentials[credential_uuid].last_used = now
         # Create session
-        _db.sessions[session_key] = Session(
-            user=user_uuid,
-            credential=credential_uuid,
-            host=host,
-            ip=ip,
-            user_agent=user_agent,
-            expiry=expiry,
-        )
-    return session_key
+        _db.sessions[session.key] = session
+    return session.key
 
 
 def create_credential_session(
@@ -773,13 +684,20 @@ def create_credential_session(
     Returns the generated session token.
     """
 
-    now = datetime.now(timezone.utc)
+    now = datetime.now(UTC)
     expiry = now + SESSION_LIFETIME
-    session_key = _create_token()
 
     if user_uuid not in _db.users:
         raise ValueError(f"User {user_uuid} not found")
 
+    session = Session.create(
+        user=user_uuid,
+        credential=credential.uuid,
+        host=host,
+        ip=ip,
+        user_agent=user_agent,
+        expiry=expiry,
+    )
     user_str = str(user_uuid)
     with _db.transaction("create_credential_session", user=user_str):
         # Update display name if provided
@@ -790,20 +708,13 @@ def create_credential_session(
         _db.credentials[credential.uuid] = credential
 
         # Create session
-        _db.sessions[session_key] = Session(
-            user=user_uuid,
-            credential=credential.uuid,
-            host=host,
-            ip=ip,
-            user_agent=user_agent,
-            expiry=expiry,
-        )
+        _db.sessions[session.key] = session
 
         # Delete reset token if provided
         if reset_key:
             if reset_key in _db.reset_tokens:
                 del _db.reset_tokens[reset_key]
-    return session_key
+    return session.key
 
 
 # -------------------------------------------------------------------------
@@ -862,7 +773,7 @@ def bootstrap(
         reset_expiry = reset_expires()
     reset_key = _reset_key(reset_passphrase)
 
-    now = datetime.now(timezone.utc)
+    now = datetime.now(UTC)
 
     with _db.transaction("bootstrap"):
         # Create auth:admin permission
@@ -884,13 +795,13 @@ def bootstrap(
         _db.permissions[perm_org_admin_uuid] = perm_org_admin
 
         # Create organization
-        new_org = Org(display_name=org_name)
+        new_org = Org.create(display_name=org_name)
         new_org.uuid = org_uuid
         _db.orgs[org_uuid] = new_org
 
         # Create Administration role with both permissions
         admin_role = Role(
-            org=org_uuid,
+            org_uuid=org_uuid,
             display_name="Administration",
             permissions={perm_admin_uuid: True, perm_org_admin_uuid: True},
         )
@@ -900,7 +811,7 @@ def bootstrap(
         # Create admin user
         admin_user = User(
             display_name=admin_name,
-            role=role_uuid,
+            role_uuid=role_uuid,
             created_at=now,
             last_seen=None,
             visits=0,
@@ -910,7 +821,7 @@ def bootstrap(
 
         # Create reset token
         _db.reset_tokens[reset_key] = ResetToken(
-            user=user_uuid,
+            user_uuid=user_uuid,
             expiry=reset_expiry,
             token_type="admin bootstrap",
         )