paskia 0.9.0__py3-none-any.whl → 0.10.0__py3-none-any.whl

paskia/fastapi/admin.py

@@ -1,5 +1,4 @@
 import logging
-from datetime import timezone
 from uuid import UUID
 
 from fastapi import Body, FastAPI, HTTPException, Query, Request, Response
@@ -13,6 +12,7 @@ from paskia.db import Permission as PermDC
 from paskia.db import Role as RoleDC
 from paskia.db import User as UserDC
 from paskia.fastapi import authz
+from paskia.fastapi.response import MsgspecResponse
 from paskia.fastapi.session import AUTH_COOKIE
 from paskia.globals import passkey
 from paskia.util import (
@@ -20,46 +20,26 @@ from paskia.util import (
     passphrase,
     permutil,
     querysafe,
-    useragent,
     vitedev,
 )
+from paskia.util.apistructs import ApiPermission, ApiSession, format_datetime
 from paskia.util.hostutil import normalize_host
 
 app = FastAPI(docs_url=None, redoc_url=None, openapi_url=None)
 
 
-def is_global_admin(ctx) -> bool:
-    """Check if user has global admin permission."""
-    effective_scopes = (
-        {p.scope for p in (ctx.permissions or [])}
-        if ctx.permissions
-        else set(ctx.role.permissions or [])
-    )
-    return "auth:admin" in effective_scopes
-
+def master_admin(ctx) -> bool:
+    return any(p.scope == "auth:admin" for p in ctx.permissions)
 
-def is_org_admin(ctx, org_uuid: UUID | None = None) -> bool:
-    """Check if user has org admin permission.
 
-    If org_uuid is provided, checks if user is admin of that specific org.
-    If org_uuid is None, checks if user is admin of their own org.
-    """
-    effective_scopes = (
-        {p.scope for p in (ctx.permissions or [])}
-        if ctx.permissions
-        else set(ctx.role.permissions or [])
+def org_admin(ctx, org_uuid: UUID) -> bool:
+    return ctx.org.uuid == org_uuid and any(
+        p.scope == "auth:org:admin" for p in ctx.permissions
     )
-    if "auth:org:admin" not in effective_scopes:
-        return False
-    if org_uuid is None:
-        return True
-    # User must belong to the target org (via their role)
-    return ctx.org.uuid == org_uuid
 
 
 def can_manage_org(ctx, org_uuid: UUID) -> bool:
-    """Check if user can manage the specified organization."""
-    return is_global_admin(ctx) or is_org_admin(ctx, org_uuid)
+    return master_admin(ctx) or org_admin(ctx, org_uuid)
 
 
 @app.exception_handler(ValueError)
@@ -99,42 +79,38 @@ async def admin_list_orgs(request: Request, auth=AUTH_COOKIE):
         host=request.headers.get("host"),
     )
     orgs = list(db.data().orgs.values())
-    if not is_global_admin(ctx):
+    if not master_admin(ctx):
         # Org admins can only see their own organization
         orgs = [o for o in orgs if o.uuid == ctx.org.uuid]
 
-    def role_to_dict(r):
-        return {
-            "uuid": str(r.uuid),
-            "org": str(r.org),
-            "display_name": r.display_name,
-            "permissions": list(r.permissions.keys()),
-        }
-
-    async def org_to_dict(o):
+    def org_to_dict(o):
         users = db.get_organization_users(o.uuid)
         return {
-            "uuid": str(o.uuid),
+            "uuid": o.uuid,
             "display_name": o.display_name,
-            "permissions": {
-                pid for pid, p in db.data().permissions.items() if o.uuid in p.orgs
-            },
+            "permissions": {p.uuid for p in o.permissions},
             "roles": [
-                role_to_dict(r) for r in db.data().roles.values() if r.org == o.uuid
+                {
+                    "uuid": r.uuid,
+                    "org": r.org_uuid,
+                    "display_name": r.display_name,
+                    "permissions": list(r.permissions.keys()),
+                }
+                for r in o.roles
             ],
             "users": [
                 {
-                    "uuid": str(u.uuid),
+                    "uuid": u.uuid,
                     "display_name": u.display_name,
                     "role": role_name,
                     "visits": u.visits,
-                    "last_seen": u.last_seen.isoformat() if u.last_seen else None,
+                    "last_seen": u.last_seen,
                 }
                 for (u, role_name) in users
             ],
         }
 
-    return [await org_to_dict(o) for o in orgs]
+    return MsgspecResponse([org_to_dict(o) for o in orgs])
 
 
 @app.post("/orgs")
@@ -151,7 +127,7 @@ async def admin_create_org(
     db.create_org(org, ctx=ctx)
     # Grant requested permissions to the new org
     for perm in permissions:
-        db.add_permission_to_org(str(org.uuid), perm)
+        db.add_permission_to_org(str(org.uuid), perm, ctx=ctx)
 
     return {"uuid": str(org.uuid)}
 
@@ -283,7 +259,8 @@ async def admin_create_role(
     perms = payload.get("permissions") or []
     if org_uuid not in db.data().orgs:
         raise HTTPException(status_code=404, detail="Organization not found")
-    grantable = {pid for pid, p in db.data().permissions.items() if org_uuid in p.orgs}
+    org = db.data().orgs[org_uuid]
+    grantable = {p.uuid for p in org.permissions}
 
     # Normalize permission IDs to UUIDs
     permission_uuids: set[UUID] = set()
@@ -324,7 +301,7 @@ async def admin_update_role_name(
             status_code=403, detail="Insufficient permissions", mode="forbidden"
         )
     role = db.data().roles.get(role_uuid)
-    if not role or role.org != org_uuid:
+    if not role or role.org_uuid != org_uuid:
         raise HTTPException(status_code=404, detail="Role not found in organization")
 
     display_name = payload.get("display_name")
@@ -356,7 +333,7 @@ async def admin_add_role_permission(
         )
 
     role = db.data().roles.get(role_uuid)
-    if not role or role.org != org_uuid:
+    if not role or role.org_uuid != org_uuid:
         raise HTTPException(status_code=404, detail="Role not found in organization")
 
     # Verify permission exists and org can grant it
@@ -391,7 +368,7 @@ async def admin_remove_role_permission(
         )
 
     role = db.data().roles.get(role_uuid)
-    if not role or role.org != org_uuid:
+    if not role or role.org_uuid != org_uuid:
         raise HTTPException(status_code=404, detail="Role not found in organization")
 
     # Sanity check: prevent admin from removing their own access
@@ -432,7 +409,7 @@ async def admin_delete_role(
             status_code=403, detail="Insufficient permissions", mode="forbidden"
         )
     role = db.data().roles.get(role_uuid)
-    if not role or role.org != org_uuid:
+    if not role or role.org_uuid != org_uuid:
         raise HTTPException(status_code=404, detail="Role not found in organization")
 
     # Sanity check: prevent admin from deleting their own role
@@ -468,8 +445,11 @@ async def admin_create_user(
     if not display_name or not role_name:
         raise ValueError("display_name and role are required")
 
-    roles = [r for r in db.data().roles.values() if r.org == org_uuid]
-    role_obj = next((r for r in roles if r.display_name == role_name), None)
+    org = db.data().orgs[org_uuid]
+    role_obj = next(
+        (r for r in org.roles if r.display_name == role_name),
+        None,
+    )
     if not role_obj:
         raise ValueError("Role not found in organization")
     user = UserDC.create(
@@ -507,7 +487,7 @@ async def admin_update_user_role(
         raise ValueError("User not found")
     if user_org.uuid != org_uuid:
         raise ValueError("User does not belong to this organization")
-    roles = [r for r in db.data().roles.values() if r.org == org_uuid]
+    roles = user_org.roles
     if not any(r.display_name == new_role for r in roles):
         raise ValueError("Role not found in organization")
 
@@ -572,11 +552,7 @@ async def admin_create_user_registration_link(
     url = hostutil.reset_link_url(token)
     return {
         "url": url,
-        "expires": (
-            expiry.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
-            if expiry.tzinfo
-            else expiry.replace(tzinfo=timezone.utc).isoformat().replace("+00:00", "Z")
-        ),
+        "expires": format_datetime(expiry),
     }
 
 
@@ -604,120 +580,39 @@ async def admin_get_user_detail(
             status_code=403, detail="Insufficient permissions", mode="forbidden"
         )
     user = db.data().users.get(user_uuid)
-    user_creds = [c for c in db.data().credentials.values() if c.user == user_uuid]
-    creds: list[dict] = []
-    aaguids: set[str] = set()
-    for c in user_creds:
-        aaguid_str = str(c.aaguid)
-        aaguids.add(aaguid_str)
-        creds.append(
-            {
-                "credential": str(c.uuid),
-                "aaguid": aaguid_str,
-                "created_at": (
-                    c.created_at.astimezone(timezone.utc)
-                    .isoformat()
-                    .replace("+00:00", "Z")
-                    if c.created_at.tzinfo
-                    else c.created_at.replace(tzinfo=timezone.utc)
-                    .isoformat()
-                    .replace("+00:00", "Z")
-                ),
-                "last_used": (
-                    c.last_used.astimezone(timezone.utc)
-                    .isoformat()
-                    .replace("+00:00", "Z")
-                    if c.last_used and c.last_used.tzinfo
-                    else (
-                        c.last_used.replace(tzinfo=timezone.utc)
-                        .isoformat()
-                        .replace("+00:00", "Z")
-                        if c.last_used
-                        else None
-                    )
-                ),
-                "last_verified": (
-                    c.last_verified.astimezone(timezone.utc)
-                    .isoformat()
-                    .replace("+00:00", "Z")
-                    if c.last_verified and c.last_verified.tzinfo
-                    else (
-                        c.last_verified.replace(tzinfo=timezone.utc)
-                        .isoformat()
-                        .replace("+00:00", "Z")
-                        if c.last_verified
-                        else None
-                    )
+    normalized_host = hostutil.normalize_host(request.headers.get("host"))
+
+    return MsgspecResponse(
+        {
+            "display_name": user.display_name,
+            "org": {"display_name": user_org.display_name},
+            "role": role_name,
+            "visits": user.visits,
+            "created_at": user.created_at,
+            "last_seen": user.last_seen,
+            "credentials": [
+                {
+                    "credential": c.uuid,
+                    "aaguid": c.aaguid,
+                    "created_at": c.created_at,
+                    "last_used": c.last_used,
+                    "last_verified": c.last_verified,
+                    "sign_count": c.sign_count,
+                }
+                for c in user.credentials
+            ],
+            "aaguid_info": aaguid_mod.filter(c.aaguid for c in user.credentials),
+            "sessions": [
+                ApiSession.from_db(
+                    s,
+                    current_key=auth,
+                    normalized_host=normalized_host,
+                    expires_delta=EXPIRES,
                 )
-                if c.last_verified
-                else None,
-                "sign_count": c.sign_count,
-            }
-        )
-
-    aaguid_info = aaguid_mod.filter(aaguids)
-
-    # Get sessions for the user
-    normalized_request_host = hostutil.normalize_host(request.headers.get("host"))
-    session_records = [s for s in db.data().sessions.values() if s.user == user_uuid]
-    current_session_key = auth
-    sessions_payload: list[dict] = []
-    for entry in session_records:
-        renewed = entry.expiry - EXPIRES
-        sessions_payload.append(
-            {
-                "id": entry.key,
-                "credential": str(entry.credential),
-                "host": entry.host,
-                "ip": entry.ip,
-                "user_agent": useragent.compact_user_agent(entry.user_agent),
-                "last_renewed": (
-                    renewed.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
-                    if renewed.tzinfo
-                    else renewed.replace(tzinfo=timezone.utc)
-                    .isoformat()
-                    .replace("+00:00", "Z")
-                ),
-                "is_current": entry.key == current_session_key,
-                "is_current_host": bool(
-                    normalized_request_host
-                    and entry.host
-                    and entry.host == normalized_request_host
-                ),
-            }
-        )
-
-    return {
-        "display_name": user.display_name,
-        "org": {"display_name": user_org.display_name},
-        "role": role_name,
-        "visits": user.visits,
-        "created_at": (
-            user.created_at.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
-            if user.created_at and user.created_at.tzinfo
-            else (
-                user.created_at.replace(tzinfo=timezone.utc)
-                .isoformat()
-                .replace("+00:00", "Z")
-                if user.created_at
-                else None
-            )
-        ),
-        "last_seen": (
-            user.last_seen.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
-            if user.last_seen and user.last_seen.tzinfo
-            else (
-                user.last_seen.replace(tzinfo=timezone.utc)
-                .isoformat()
-                .replace("+00:00", "Z")
-                if user.last_seen
-                else None
-            )
-        ),
-        "credentials": creds,
-        "aaguid_info": aaguid_info,
-        "sessions": sessions_payload,
-    }
+                for s in user.sessions
+            ],
+        }
+    )
 
 
 @app.patch("/orgs/{org_uuid}/users/{user_uuid}/display-name")
@@ -808,10 +703,10 @@ async def admin_delete_user_session(
         )
 
     target_session = db.data().sessions.get(session_id)
-    if not target_session or target_session.user != user_uuid:
+    if not target_session or target_session.user_uuid != user_uuid:
         raise HTTPException(status_code=404, detail="Session not found")
 
-    db.delete_session(session_id, ctx=ctx)
+    db.delete_session(session_id, ctx=ctx, action="admin:delete_session")
 
     # Check if admin terminated their own session
     current_terminated = session_id == auth
@@ -821,14 +716,6 @@ async def admin_delete_user_session(
 # -------------------- Permissions (global) --------------------
 
 
-def _perm_to_dict(p):
-    """Convert Permission to dict, omitting domain if None."""
-    d = {"uuid": str(p.uuid), "scope": p.scope, "display_name": p.display_name}
-    if p.domain is not None:
-        d["domain"] = p.domain
-    return d
-
-
 def _validate_permission_domain(domain: str | None) -> None:
     """Validate that domain is rp_id or a subdomain of it."""
     if domain is None:
@@ -919,18 +806,8 @@ async def admin_list_permissions(request: Request, auth=AUTH_COOKIE):
         match=permutil.has_any,
         host=request.headers.get("host"),
     )
-    perms = list(db.data().permissions.values())
-
-    # Global admins see all permissions
-    if is_global_admin(ctx):
-        return [_perm_to_dict(p) for p in perms]
-
-    # Org admins only see permissions their org can grant (by UUID)
-    grantable = {
-        pid for pid, p in db.data().permissions.items() if ctx.org.uuid in p.orgs
-    }
-    filtered_perms = [p for p in perms if p.uuid in grantable]
-    return [_perm_to_dict(p) for p in filtered_perms]
+    perms = db.data().permissions.values() if master_admin(ctx) else ctx.org.permissions
+    return MsgspecResponse([ApiPermission.from_db(p) for p in perms])
 
 
 @app.post("/permissions")

paskia/fastapi/api.py

@@ -1,6 +1,6 @@
 import logging
 from contextlib import suppress
-from datetime import datetime, timedelta, timezone
+from datetime import UTC, datetime, timedelta
 
 from fastapi import (
     Depends,
@@ -14,12 +14,9 @@ from fastapi.responses import JSONResponse
 from fastapi.security import HTTPBearer
 
 from paskia import db
-from paskia.authsession import (
-    EXPIRES,
-    get_reset,
-    refresh_session_token,
-)
+from paskia.authsession import EXPIRES, expires, get_reset
 from paskia.fastapi import authz, session, user
+from paskia.fastapi.response import MsgspecResponse
 from paskia.fastapi.session import AUTH_COOKIE, AUTH_COOKIE_NAME
 from paskia.globals import passkey as global_passkey
 from paskia.util import hostutil, htmlutil, passphrase, userinfo, vitedev
@@ -81,7 +78,7 @@ async def validate_token(
     try:
         ctx = await authz.verify(
             auth,
-            perm,
+            " ".join(perm).split(),
             host=request.headers.get("host"),
             max_age=max_age,
         )
@@ -90,44 +87,24 @@ async def validate_token(
         raise
     renewed = False
     if auth:
-        consumed = EXPIRES - (ctx.session.expiry - datetime.now(timezone.utc))
+        consumed = EXPIRES - (ctx.session.expiry - datetime.now(UTC))
         if not timedelta(0) < consumed < _REFRESH_INTERVAL:
-            try:
-                refresh_session_token(
-                    auth,
-                    ip=request.client.host if request.client else "",
-                    user_agent=request.headers.get("user-agent") or "",
-                )
-                session.set_session_cookie(response, auth)
-                renewed = True
-            except ValueError:
-                # Session disappeared, e.g. due to concurrent logout; global handler will clear
-                raise authz.AuthException(
-                    status_code=401, detail="Session expired", mode="login"
-                )
-    return {
-        "valid": True,
-        "renewed": renewed,
-        "ctx": userinfo.format_session_context(ctx),
-    }
-
-
-@app.get("/token-info")
-async def token_info(credentials=Depends(bearer_auth)):
-    """Get reset/device-add token info. Pass token via Bearer header."""
-    token = credentials.credentials
-    if not passphrase.is_well_formed(token):
-        raise HTTPException(400, "Invalid token format")
-    try:
-        reset_token = get_reset(token)
-    except ValueError as e:
-        raise HTTPException(401, str(e))
-
-    u = db.data().users.get(reset_token.user)
-    return {
-        "token_type": reset_token.token_type,
-        "display_name": u.display_name,
-    }
+            db.update_session(
+                auth,
+                ip=request.client.host if request.client else "",
+                user_agent=request.headers.get("user-agent") or "",
+                expiry=expires(),
+                ctx=ctx,
+            )
+            session.set_session_cookie(response, auth)
+            renewed = True
+    return MsgspecResponse(
+        {
+            "valid": True,
+            "renewed": renewed,
+            "ctx": userinfo.build_session_context(ctx),
+        }
+    )
 
 
 @app.get("/forward")
@@ -154,7 +131,10 @@ async def forward_authentication(
     """
     try:
         ctx = await authz.verify(
-            auth, perm, host=request.headers.get("host"), max_age=max_age
+            auth,
+            " ".join(perm).split(),
+            host=request.headers.get("host"),
+            max_age=max_age,
         )
         # Build permission scopes for Remote-Groups header
         role_permissions = (
@@ -170,11 +150,9 @@ async def forward_authentication(
             "Remote-Role": str(ctx.role.uuid),
             "Remote-Role-Name": ctx.role.display_name,
             "Remote-Session-Expires": (
-                ctx.session.expiry.astimezone(timezone.utc)
-                .isoformat()
-                .replace("+00:00", "Z")
+                ctx.session.expiry.astimezone(UTC).isoformat().replace("+00:00", "Z")
                 if ctx.session.expiry.tzinfo
-                else ctx.session.expiry.replace(tzinfo=timezone.utc)
+                else ctx.session.expiry.replace(tzinfo=UTC)
                 .isoformat()
                 .replace("+00:00", "Z")
             ),
@@ -233,28 +211,48 @@ async def api_user_info(
             detail="Authentication required",
             mode="login",
         )
-    ctx = db.get_session_context(auth, request.headers.get("host"))
+    ctx = db.data().session_ctx(auth, request.headers.get("host"))
     if not ctx:
         raise HTTPException(401, "Session expired")
 
-    return await userinfo.format_user_info(
-        user_uuid=ctx.user.uuid,
-        auth=auth,
-        session_record=ctx.session,
-        request_host=request.headers.get("host"),
+    return MsgspecResponse(
+        await userinfo.build_user_info(
+            user_uuid=ctx.user.uuid,
+            auth=auth,
+            session_record=ctx.session,
+            request_host=request.headers.get("host"),
+        )
     )
 
 
+@app.get("/token-info")
+async def token_info(credentials=Depends(bearer_auth)):
+    """Get reset/device-add token info. Pass token via Bearer header."""
+    token = credentials.credentials
+    if not passphrase.is_well_formed(token):
+        raise HTTPException(400, "Invalid token format")
+    try:
+        reset_token = get_reset(token)
+    except ValueError as e:
+        raise HTTPException(401, str(e))
+
+    u = reset_token.user
+    return {
+        "token_type": reset_token.token_type,
+        "display_name": u.display_name,
+    }
+
+
 @app.post("/logout")
 async def api_logout(request: Request, response: Response, auth=AUTH_COOKIE):
     if not auth:
         return {"message": "Already logged out"}
     host = request.headers.get("host")
-    ctx = db.get_session_context(auth, host)
+    ctx = db.data().session_ctx(auth, host)
     if not ctx:
         return {"message": "Already logged out"}
     with suppress(Exception):
-        db.delete_session(auth, ctx=ctx)
+        db.delete_session(auth, ctx=ctx, action="logout")
     session.clear_session_cookie(response)
     return {"message": "Logged out successfully"}
 
@@ -263,7 +261,7 @@ async def api_logout(request: Request, response: Response, auth=AUTH_COOKIE):
 async def api_set_session(
     request: Request, response: Response, auth=Depends(bearer_auth)
 ):
-    ctx = db.get_session_context(auth.credentials, request.headers.get("host"))
+    ctx = db.data().session_ctx(auth.credentials, request.headers.get("host"))
     if not ctx:
         raise HTTPException(401, "Session expired")
     session.set_session_cookie(response, auth.credentials)

paskia/fastapi/authz.py

@@ -2,6 +2,7 @@ import logging
 
 from fastapi import HTTPException
 
+from paskia.fastapi.logging import log_permission_denied
 from paskia.util import permutil, sessionutil
 
 logger = logging.getLogger(__name__)
@@ -93,20 +94,14 @@ async def verify(
             logger.warning(f"Invalid max_age format '{max_age}': {e}")
 
     if not match(ctx, perm):
-        # Determine which permissions are missing for clearer diagnostics
         effective_scopes = (
             {p.scope for p in (ctx.permissions or [])}
             if ctx.permissions
             else set(ctx.role.permissions or [])
         )
         missing = sorted(set(perm) - effective_scopes)
-        logger.warning(
-            "Permission denied: user=%s role=%s missing=%s required=%s granted=%s",  # noqa: E501
-            getattr(ctx.user, "uuid", "?"),
-            getattr(ctx.role, "display_name", "?"),
-            missing,
-            perm,
-            list(effective_scopes),
+        log_permission_denied(
+            ctx, perm, missing, require_all=(match == permutil.has_all)
         )
         raise AuthException(
             status_code=403, mode="forbidden", detail="Permission required"