PyPI - paskia - Versions diffs - 0.9.0__py3-none-any.whl → 0.9.1__py3-none-any.whl - Mend

paskia 0.9.0py3-none-any.whl → 0.9.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

paskia/_version.py +2 -2
paskia/aaguid/__init__.py +5 -4
paskia/authsession.py +4 -19
paskia/db/__init__.py +2 -4
paskia/db/background.py +3 -3
paskia/db/jsonl.py +100 -112
paskia/db/logging.py +233 -0
paskia/db/migrations.py +19 -20
paskia/db/operations.py +99 -192
paskia/db/structs.py +236 -46
paskia/fastapi/__main__.py +1 -0
paskia/fastapi/admin.py +70 -193
paskia/fastapi/api.py +49 -55
paskia/fastapi/logging.py +218 -0
paskia/fastapi/mainapp.py +12 -2
paskia/fastapi/remote.py +4 -4
paskia/fastapi/reset.py +0 -2
paskia/fastapi/response.py +22 -0
paskia/fastapi/user.py +7 -7
paskia/fastapi/ws.py +6 -6
paskia/fastapi/wsutil.py +15 -2
paskia/migrate/__init__.py +9 -9
paskia/migrate/sql.py +26 -19
paskia/remoteauth.py +6 -6
{paskia-0.9.0.dist-info → paskia-0.9.1.dist-info}/METADATA +1 -1
{paskia-0.9.0.dist-info → paskia-0.9.1.dist-info}/RECORD +28 -25
{paskia-0.9.0.dist-info → paskia-0.9.1.dist-info}/WHEEL +0 -0
{paskia-0.9.0.dist-info → paskia-0.9.1.dist-info}/entry_points.txt +0 -0

paskia/db/migrations.py CHANGED Viewed

@@ -5,30 +5,29 @@ Migrations are applied during database load based on the version field.
 Each migration should be idempotent and only run when needed.
 """
-import logging
+from collections.abc import Awaitable, Callable
-_logger = logging.getLogger(__name__)
+def migrate_v1(d: dict) -> None:
+    """Remove Org.created_at fields."""
+    for org_data in d["orgs"].values():
+        org_data.pop("created_at", None)
-def apply_migrations(data_dict: dict) -> bool:
-    """Apply any pending schema migrations to the database dictionary.
-    Args:
-        data_dict: The raw database dictionary loaded from JSONL
+migrations = sorted(
+    [f for n, f in globals().items() if n.startswith("migrate_v")],
+    key=lambda f: int(f.__name__.removeprefix("migrate_v")),
+)
-    Returns:
-        True if any migrations were applied, False otherwise
-    """
-    db_version = data_dict.get("v", 0)
-    migrated = False
+DBVER = len(migrations)  # Used by bootstrap and migrate:sql to set initial version
-    if db_version == 0:
-        # Migration v0 -> v1: Remove created_at from orgs (field removed from schema)
-        if "orgs" in data_dict:
-            for org_data in data_dict["orgs"].values():
-                org_data.pop("created_at", None)
-        data_dict["v"] = 1
-        migrated = True
-        _logger.info("Applied schema migration: v0 -> v1 (removed org.created_at)")
-    return migrated
+async def apply_all_migrations(
+    data_dict: dict,
+    current_version: int,
+    persist: Callable[[str, int, dict], Awaitable[None]],
+) -> None:
+    while current_version < DBVER:
+        migrations[current_version](data_dict)
+        current_version += 1
+        await persist(f"migrate:v{current_version}", current_version, data_dict)

paskia/db/operations.py CHANGED Viewed

@@ -2,7 +2,7 @@
 Database for WebAuthn passkey authentication.
 Read operations: Access _db directly, use build_* helpers to get public structs.
-Context lookup: get_session_context() returns full SessionContext with effective permissions.
+Context lookup: _db.session_ctx() returns full SessionContext with effective permissions.
 Write operations: Functions that validate and commit, or raise ValueError.
 """
@@ -10,7 +10,7 @@ import hashlib
 import logging
 import os
 import secrets
-from datetime import datetime, timezone
+from datetime import UTC, datetime
 from uuid import UUID
 import uuid7
@@ -31,7 +31,6 @@ from paskia.db.structs import (
     SessionContext,
     User,
 )
-from paskia.util.hostutil import normalize_host
 from paskia.util.passphrase import generate as generate_passphrase
 from paskia.util.passphrase import is_well_formed as _is_passphrase
@@ -69,21 +68,18 @@ def get_user_organization(user_uuid: UUID) -> tuple[Org, str]:
     Raises ValueError if user not found.
     Call sites:
-    - Get user's organization when updating user role (admin.py:493)
-    - Get user's organization for user credential listing (admin.py:530)
-    - Get user's organization for user details API (admin.py:579)
-    - Get user's organization for updating user display name (admin.py:721)
-    - Get user's organization for deleting user credential (admin.py:754)
-    - Get user's organization for deleting user session (admin.py:783)
+    - update_user_role_in_organization: org only
+    - admin_create_user_registration_link: org only
+    - admin_get_user_detail: org and role
+    - admin_update_user_display_name: org only
+    - admin_delete_user_credential: org only
+    - admin_delete_user_session: org only
     """
     if user_uuid not in _db.users:
         raise ValueError(f"User {user_uuid} not found")
-    role_uuid = _db.users[user_uuid].role
-    if role_uuid not in _db.roles:
-        raise ValueError(f"Role {role_uuid} not found")
-    role_data = _db.roles[role_uuid]
-    org_uuid = role_data.org
-    return _db.orgs[org_uuid], role_data.display_name
+    user = _db.users[user_uuid]
+    role = user.role
+    return role.org, role.display_name
 def get_organization_users(org_uuid: UUID) -> list[tuple[User, str]]:
@@ -91,10 +87,8 @@ def get_organization_users(org_uuid: UUID) -> list[tuple[User, str]]:
     Returns list of (User, role_display_name) tuples.
     """
-    role_map = {
-        rid: r.display_name for rid, r in _db.roles.items() if r.org == org_uuid
-    }
-    return [(u, role_map[u.role]) for u in _db.users.values() if u.role in role_map]
+    org = _db.orgs[org_uuid]
+    return [(u, u.role.display_name) for role in org.roles for u in role.users]
 def get_user_credential_ids(user_uuid: UUID) -> list[bytes]:
@@ -102,7 +96,8 @@ def get_user_credential_ids(user_uuid: UUID) -> list[bytes]:
     Returns empty list if user has no credentials.
     """
-    return [c.credential_id for c in _db.credentials.values() if c.user == user_uuid]
+    assert user_uuid
+    return [c.credential_id for c in _db.users[user_uuid].credentials]
 def _reset_key(passphrase: str) -> bytes:
@@ -126,92 +121,6 @@ def get_reset_token(passphrase: str) -> ResetToken | None:
     return _db.reset_tokens.get(key)
-# -------------------------------------------------------------------------
-# Context lookup
-# -------------------------------------------------------------------------
-def get_session_context(
-    session_key: str, host: str | None = None
-) -> SessionContext | None:
-    """Get full session context with effective permissions.
-    Args:
-        session_key: The session key string
-        host: Optional host for binding/validation and domain-scoped permissions
-    Returns:
-        SessionContext if valid, None if session not found, expired, or host mismatch
-    Call sites:
-    - Example usage in docstring (db/__init__.py:16)
-    - Get session context from auth token (util/permutil.py:43)
-    """
-    if session_key not in _db.sessions:
-        return None
-    s = _db.sessions[session_key]
-    if s.expiry < datetime.now(timezone.utc):
-        return None
-    # Validate host matches (sessions are always created with a host)
-    if host is not None and s.host != host:
-        # Session bound to different host
-        return None
-    # Validate user exists
-    if s.user not in _db.users:
-        return None
-    # Validate role exists
-    role_uuid = _db.users[s.user].role
-    if role_uuid not in _db.roles:
-        return None
-    # Validate org exists
-    org_uuid = _db.roles[role_uuid].org
-    if org_uuid not in _db.orgs:
-        return None
-    session = _db.sessions[session_key]
-    user = _db.users[s.user]
-    role = _db.roles[role_uuid]
-    org = _db.orgs[org_uuid]
-    # Credential must exist (sessions are cascade-deleted when credential is deleted)
-    if s.credential not in _db.credentials:
-        return None
-    credential = _db.credentials[s.credential]
-    # Effective permissions: role's permissions that the org can grant
-    # Also filter by domain if host is provided
-    org_perm_uuids = {pid for pid, p in _db.permissions.items() if org_uuid in p.orgs}
-    normalized_host = normalize_host(host)
-    host_without_port = normalized_host.rsplit(":", 1)[0] if normalized_host else None
-    effective_perms = []
-    for perm_uuid in role.permission_set:
-        if perm_uuid not in org_perm_uuids:
-            continue
-        if perm_uuid not in _db.permissions:
-            continue
-        p = _db.permissions[perm_uuid]
-        # Check domain restriction
-        if p.domain is not None and p.domain != host_without_port:
-            continue
-        effective_perms.append(_db.permissions[perm_uuid])
-    return SessionContext(
-        session=session,
-        user=user,
-        org=org,
-        role=role,
-        credential=credential,
-        permissions=effective_perms,
-    )
 # -------------------------------------------------------------------------
 # Write operations (validate, modify, commit or raise ValueError)
 # -------------------------------------------------------------------------
@@ -264,9 +173,9 @@ def create_org(org: Org, *, ctx: SessionContext | None = None) -> None:
     if org.uuid in _db.orgs:
         raise ValueError(f"Organization {org.uuid} already exists")
     with _db.transaction("admin:create_org", ctx):
-        new_org = Org(display_name=org.display_name)
-        _db.orgs[org.uuid] = new_org
+        new_org = Org.create(display_name=org.display_name)
         new_org.uuid = org.uuid
+        _db.orgs[org.uuid] = new_org
         # Create Administration role with org admin permission
         admin_role_uuid = uuid7.create()
@@ -278,7 +187,7 @@ def create_org(org: Org, *, ctx: SessionContext | None = None) -> None:
                 break
         role_permissions = {org_admin_perm_uuid: True} if org_admin_perm_uuid else {}
         admin_role = Role(
-            org=org.uuid,
+            org_uuid=org.uuid,
             display_name="Administration",
             permissions=role_permissions,
         )
@@ -304,17 +213,15 @@ def delete_org(uuid: UUID, *, ctx: SessionContext | None = None) -> None:
     if uuid not in _db.orgs:
         raise ValueError(f"Organization {uuid} not found")
     with _db.transaction("admin:delete_org", ctx):
+        org = _db.orgs[uuid]
         # Remove org from all permissions
         for p in _db.permissions.values():
             p.orgs.pop(uuid, None)
-        # Delete roles in this org
-        role_uuids = [rid for rid, r in _db.roles.items() if r.org == uuid]
-        for rid in role_uuids:
-            del _db.roles[rid]
-        # Delete users with those roles
-        user_uuids = [uid for uid, u in _db.users.items() if u.role in role_uuids]
-        for uid in user_uuids:
-            del _db.users[uid]
+        # Delete roles in this org and their users
+        for role in org.roles:
+            for user in role.users:
+                del _db.users[user.uuid]
+            del _db.roles[role.uuid]
         del _db.orgs[uuid]
@@ -356,8 +263,8 @@ def create_role(role: Role, *, ctx: SessionContext | None = None) -> None:
     """Create a new role."""
     if role.uuid in _db.roles:
         raise ValueError(f"Role {role.uuid} already exists")
-    if role.org not in _db.orgs:
-        raise ValueError(f"Organization {role.org} not found")
+    if role.org_uuid not in _db.orgs:
+        raise ValueError(f"Organization {role.org_uuid} not found")
     with _db.transaction("admin:create_role", ctx):
         _db.roles[role.uuid] = role
@@ -408,7 +315,8 @@ def delete_role(uuid: UUID, *, ctx: SessionContext | None = None) -> None:
     if uuid not in _db.roles:
         raise ValueError(f"Role {uuid} not found")
     # Check no users have this role
-    if any(u.role == uuid for u in _db.users.values()):
+    role = _db.roles[uuid]
+    if role.users:
         raise ValueError(f"Cannot delete role {uuid}: users still assigned")
     with _db.transaction("admin:delete_role", ctx):
         del _db.roles[uuid]
@@ -418,8 +326,8 @@ def create_user(new_user: User, *, ctx: SessionContext | None = None) -> None:
     """Create a new user."""
     if new_user.uuid in _db.users:
         raise ValueError(f"User {new_user.uuid} already exists")
-    if new_user.role not in _db.roles:
-        raise ValueError(f"Role {new_user.role} not found")
+    if new_user.role_uuid not in _db.roles:
+        raise ValueError(f"Role {new_user.role_uuid} not found")
     with _db.transaction("admin:create_user", ctx):
         _db.users[new_user.uuid] = new_user
@@ -456,7 +364,7 @@ def update_user_role(
     if role_uuid not in _db.roles:
         raise ValueError(f"Role {role_uuid} not found")
     with _db.transaction("admin:update_user_role", ctx):
-        _db.users[uuid].role = role_uuid
+        _db.users[uuid].role_uuid = role_uuid
 def update_user_role_in_organization(
@@ -468,39 +376,35 @@ def update_user_role_in_organization(
     """Update user's role by role name within their current organization."""
     if user_uuid not in _db.users:
         raise ValueError(f"User {user_uuid} not found")
-    current_role_uuid = _db.users[user_uuid].role
-    if current_role_uuid not in _db.roles:
-        raise ValueError("Current role not found")
-    org_uuid = _db.roles[current_role_uuid].org
+    user = _db.users[user_uuid]
+    org = user.org
     # Find role by name in the same org
     new_role_uuid = None
-    for rid, r in _db.roles.items():
-        if r.org == org_uuid and r.display_name == role_name:
-            new_role_uuid = rid
+    for r in org.roles:
+        if r.display_name == role_name:
+            new_role_uuid = r.uuid
             break
     if new_role_uuid is None:
         raise ValueError(f"Role '{role_name}' not found in organization")
     with _db.transaction("admin:update_user_role", ctx):
-        _db.users[user_uuid].role = new_role_uuid
+        _db.users[user_uuid].role_uuid = new_role_uuid
 def delete_user(uuid: UUID, *, ctx: SessionContext | None = None) -> None:
     """Delete user and their credentials/sessions."""
     if uuid not in _db.users:
         raise ValueError(f"User {uuid} not found")
+    user = _db.users[uuid]
     with _db.transaction("admin:delete_user", ctx):
         # Delete credentials
-        cred_uuids = [cid for cid, c in _db.credentials.items() if c.user == uuid]
-        for cid in cred_uuids:
-            del _db.credentials[cid]
+        for cred in user.credentials:
+            del _db.credentials[cred.uuid]
         # Delete sessions
-        sess_keys = [k for k, s in _db.sessions.items() if s.user == uuid]
-        for k in sess_keys:
-            del _db.sessions[k]
+        for sess in user.sessions:
+            del _db.sessions[sess.key]
         # Delete reset tokens
-        token_keys = [k for k, t in _db.reset_tokens.items() if t.user == uuid]
-        for k in token_keys:
-            del _db.reset_tokens[k]
+        for token in user.reset_tokens:
+            del _db.reset_tokens[token.key]
         del _db.users[uuid]
@@ -508,8 +412,8 @@ def create_credential(cred: Credential, *, ctx: SessionContext | None = None) ->
     """Create a new credential."""
     if cred.uuid in _db.credentials:
         raise ValueError(f"Credential {cred.uuid} already exists")
-    if cred.user not in _db.users:
-        raise ValueError(f"User {cred.user} not found")
+    if cred.user_uuid not in _db.users:
+        raise ValueError(f"User {cred.user_uuid} not found")
     with _db.transaction("create_credential", ctx):
         _db.credentials[cred.uuid] = cred
@@ -542,20 +446,19 @@ def delete_credential(
     """
     if uuid not in _db.credentials:
         raise ValueError(f"Credential {uuid} not found")
+    cred = _db.credentials[uuid]
     if user_uuid is not None:
-        cred_user = _db.credentials[uuid].user
-        if cred_user != user_uuid:
+        if cred.user_uuid != user_uuid:
             raise ValueError(f"Credential {uuid} does not belong to user {user_uuid}")
     with _db.transaction("delete_credential", ctx):
         # Delete all sessions using this credential
-        keys = [k for k, s in _db.sessions.items() if s.credential == uuid]
-        for k in keys:
-            del _db.sessions[k]
+        for sess in cred.sessions:
+            print(sess, repr(sess.key))
+            del _db.sessions[sess.key]
         del _db.credentials[uuid]
 def create_session(
-    key: str,
     user_uuid: UUID,
     credential_uuid: UUID,
     host: str,
@@ -564,23 +467,25 @@ def create_session(
     expiry: datetime,
     *,
     ctx: SessionContext | None = None,
-) -> None:
-    """Create a new session."""
-    if key in _db.sessions:
-        raise ValueError("Session already exists")
+) -> str:
+    """Create a new session. Returns the session key."""
     if user_uuid not in _db.users:
         raise ValueError(f"User {user_uuid} not found")
     if credential_uuid not in _db.credentials:
         raise ValueError(f"Credential {credential_uuid} not found")
+    session = Session.create(
+        user=user_uuid,
+        credential=credential_uuid,
+        host=host,
+        ip=ip,
+        user_agent=user_agent,
+        expiry=expiry,
+    )
+    if session.key in _db.sessions:
+        raise ValueError("Session already exists")
     with _db.transaction("create_session", ctx):
-        _db.sessions[key] = Session(
-            user=user_uuid,
-            credential=credential_uuid,
-            host=host,
-            ip=ip,
-            user_agent=user_agent,
-            expiry=expiry,
-        )
+        _db.sessions[session.key] = session
+    return session.key
 def update_session(
@@ -634,10 +539,12 @@ def delete_sessions_for_user(
     For user logout-all, pass ctx of the user's session.
     For admin bulk termination, pass admin's ctx.
     """
+    user = _db.users.get(user_uuid)
+    if not user:
+        return
     with _db.transaction("admin:delete_sessions_for_user", ctx):
-        keys = [k for k, s in _db.sessions.items() if s.user == user_uuid]
-        for k in keys:
-            del _db.sessions[k]
+        for sess in user.sessions:
+            del _db.sessions[sess.key]
 def create_reset_token(
@@ -662,7 +569,7 @@ def create_reset_token(
         raise ValueError(f"User {user_uuid} not found")
     with _db.transaction("create_reset_token", ctx):
         _db.reset_tokens[key] = ResetToken(
-            user=user_uuid, expiry=expiry, token_type=token_type
+            user_uuid=user_uuid, expiry=expiry, token_type=token_type
         )
@@ -681,7 +588,7 @@ def delete_reset_token(key: bytes, *, ctx: SessionContext | None = None) -> None
 def cleanup_expired() -> int:
     """Remove expired sessions and reset tokens. Returns count removed."""
-    now = datetime.now(timezone.utc)
+    now = datetime.now(UTC)
     count = 0
     with _db.transaction("expiry"):
         expired_sessions = [k for k, s in _db.sessions.items() if s.expiry < now]
@@ -726,13 +633,20 @@ def login(
     """
     if isinstance(user_uuid, str):
         user_uuid = UUID(user_uuid)
-    now = datetime.now(timezone.utc)
+    now = datetime.now(UTC)
     if user_uuid not in _db.users:
         raise ValueError(f"User {user_uuid} not found")
     if credential_uuid not in _db.credentials:
         raise ValueError(f"Credential {credential_uuid} not found")
-    session_key = _create_token()
+    session = Session.create(
+        user=user_uuid,
+        credential=credential_uuid,
+        host=host,
+        ip=ip,
+        user_agent=user_agent,
+        expiry=expiry,
+    )
     user_str = str(user_uuid)
     with _db.transaction("login", user=user_str):
         # Update user
@@ -742,15 +656,8 @@ def login(
         _db.credentials[credential_uuid].sign_count = sign_count
         _db.credentials[credential_uuid].last_used = now
         # Create session
-        _db.sessions[session_key] = Session(
-            user=user_uuid,
-            credential=credential_uuid,
-            host=host,
-            ip=ip,
-            user_agent=user_agent,
-            expiry=expiry,
-        )
-    return session_key
+        _db.sessions[session.key] = session
+    return session.key
 def create_credential_session(
@@ -773,13 +680,20 @@ def create_credential_session(
     Returns the generated session token.
     """
-    now = datetime.now(timezone.utc)
+    now = datetime.now(UTC)
     expiry = now + SESSION_LIFETIME
-    session_key = _create_token()
     if user_uuid not in _db.users:
         raise ValueError(f"User {user_uuid} not found")
+    session = Session.create(
+        user=user_uuid,
+        credential=credential.uuid,
+        host=host,
+        ip=ip,
+        user_agent=user_agent,
+        expiry=expiry,
+    )
     user_str = str(user_uuid)
     with _db.transaction("create_credential_session", user=user_str):
         # Update display name if provided
@@ -790,20 +704,13 @@ def create_credential_session(
         _db.credentials[credential.uuid] = credential
         # Create session
-        _db.sessions[session_key] = Session(
-            user=user_uuid,
-            credential=credential.uuid,
-            host=host,
-            ip=ip,
-            user_agent=user_agent,
-            expiry=expiry,
-        )
+        _db.sessions[session.key] = session
         # Delete reset token if provided
         if reset_key:
             if reset_key in _db.reset_tokens:
                 del _db.reset_tokens[reset_key]
-    return session_key
+    return session.key
 # -------------------------------------------------------------------------
@@ -862,7 +769,7 @@ def bootstrap(
         reset_expiry = reset_expires()
     reset_key = _reset_key(reset_passphrase)
-    now = datetime.now(timezone.utc)
+    now = datetime.now(UTC)
     with _db.transaction("bootstrap"):
         # Create auth:admin permission
@@ -884,13 +791,13 @@ def bootstrap(
         _db.permissions[perm_org_admin_uuid] = perm_org_admin
         # Create organization
-        new_org = Org(display_name=org_name)
+        new_org = Org.create(display_name=org_name)
         new_org.uuid = org_uuid
         _db.orgs[org_uuid] = new_org
         # Create Administration role with both permissions
         admin_role = Role(
-            org=org_uuid,
+            org_uuid=org_uuid,
             display_name="Administration",
             permissions={perm_admin_uuid: True, perm_org_admin_uuid: True},
         )
@@ -900,7 +807,7 @@ def bootstrap(
         # Create admin user
         admin_user = User(
             display_name=admin_name,
-            role=role_uuid,
+            role_uuid=role_uuid,
             created_at=now,
             last_seen=None,
             visits=0,
@@ -910,7 +817,7 @@ def bootstrap(
         # Create reset token
         _db.reset_tokens[reset_key] = ResetToken(
-            user=user_uuid,
+            user_uuid=user_uuid,
             expiry=reset_expiry,
             token_type="admin bootstrap",
         )

paskia 0.9.0__py3-none-any.whl → 0.9.1__py3-none-any.whl

paskia 0.9.0py3-none-any.whl → 0.9.1py3-none-any.whl