pylantir 0.1.3__py3-none-any.whl → 0.2.1__py3-none-any.whl

pylantir/auth_db_setup.py

@@ -0,0 +1,188 @@
+#!/usr/bin/env python3
+
+"""
+    Author: Milton Camacho
+    Date: 2025-11-18
+    Database setup for authentication system.
+    Manages separate users database connection and session handling.
+"""
+
+import os
+import logging
+from typing import Optional
+from sqlalchemy import create_engine
+from sqlalchemy.orm import sessionmaker, Session
+from sqlalchemy.exc import SQLAlchemyError
+from pathlib import Path
+
+lgr = logging.getLogger(__name__)
+
+
+class AuthDatabaseError(Exception):
+    """Raised when authentication database operations fail."""
+    pass
+
+
+def get_auth_database_url(users_db_path: Optional[str] = None) -> str:
+    """
+    Get authentication database URL from configuration, environment, or default location.
+    
+    Args:
+        users_db_path: Optional path to users database from configuration
+    
+    Returns:
+        str: SQLite database URL for authentication
+    """
+    if users_db_path:
+        # Use explicitly provided users database path from configuration
+        auth_db_path = os.path.expanduser(users_db_path)
+        lgr.info(f"Using configured users database path: {auth_db_path}")
+    else:
+        # Fallback to environment variable or default location
+        auth_db_path_env = os.getenv("USERS_DB_PATH")
+        
+        if auth_db_path_env:
+            auth_db_path = os.path.expanduser(auth_db_path_env)
+            lgr.info(f"Using environment users database path: {auth_db_path}")
+        else:
+            # Default: users.db in same directory as main database
+            main_db_path = os.getenv("DB_PATH", "~/Desktop/worklist.db")
+            main_db_path = os.path.expanduser(main_db_path)
+            
+            db_dir = Path(main_db_path).parent
+            auth_db_path = db_dir / "users.db"
+            lgr.info(f"Using default users database path: {auth_db_path}")
+    
+    return f"sqlite:///{auth_db_path}"
+
+
+# Create authentication database engine
+auth_engine = None
+AuthSessionLocal = None
+
+
+def init_auth_database(users_db_path: Optional[str] = None) -> None:
+    """
+    Initialize authentication database engine and session factory.
+    
+    Args:
+        users_db_path: Optional path to users database from configuration
+    """
+    global auth_engine, AuthSessionLocal
+    
+    try:
+        database_url = get_auth_database_url(users_db_path)
+        lgr.info(f"Initializing authentication database: {database_url}")
+        
+        auth_engine = create_engine(
+            database_url,
+            connect_args={"check_same_thread": False},  # SQLite specific
+            echo=os.getenv("DB_ECHO", "False").lower() == "true"
+        )
+        
+        AuthSessionLocal = sessionmaker(
+            autocommit=False, 
+            autoflush=False, 
+            bind=auth_engine
+        )
+        
+        # Create all tables
+        from .auth_models import AuthBase
+        AuthBase.metadata.create_all(bind=auth_engine)
+        
+        lgr.info("Authentication database initialized successfully")
+        
+    except Exception as e:
+        lgr.error(f"Failed to initialize authentication database: {e}")
+        raise AuthDatabaseError(f"Database initialization failed: {e}")
+
+
+def get_auth_db() -> Session:
+    """
+    Get authentication database session.
+    
+    Returns:
+        Session: SQLAlchemy session for authentication database
+        
+    Raises:
+        AuthDatabaseError: If database is not initialized
+    """
+    if AuthSessionLocal is None:
+        init_auth_database()
+        
+    if AuthSessionLocal is None:
+        raise AuthDatabaseError("Authentication database not initialized")
+    
+    db = AuthSessionLocal()
+    try:
+        yield db
+    except SQLAlchemyError as e:
+        lgr.error(f"Database session error: {e}")
+        db.rollback()
+        raise AuthDatabaseError(f"Database operation failed: {e}")
+    finally:
+        db.close()
+
+
+def create_initial_admin_user(users_db_path: Optional[str] = None) -> None:
+    """
+    Create initial admin user if no users exist in database.
+    
+    Args:
+        users_db_path: Optional path to users database from configuration
+    """
+    try:
+        # Initialize database with correct path if not already done
+        if AuthSessionLocal is None:
+            init_auth_database(users_db_path)
+            
+        db = next(get_auth_db())
+        
+        from .auth_utils import create_admin_user
+        
+        admin_user = create_admin_user(
+            db=db,
+            username="admin",
+            password="admin123",  # Should be changed immediately
+            email="admin@localhost",
+            full_name="System Administrator"
+        )
+        
+        if admin_user:
+            lgr.warning("Created default admin user with password 'admin123'. Please change this immediately!")
+            lgr.info("Use 'pylantir admin-password' command to change the admin password")
+        
+    except Exception as e:
+        lgr.error(f"Failed to create initial admin user: {e}")
+
+
+def backup_auth_database(backup_path: Optional[str] = None) -> bool:
+    """
+    Create backup of authentication database.
+    
+    Args:
+        backup_path: Optional custom backup path
+        
+    Returns:
+        bool: True if backup successful
+    """
+    try:
+        database_url = get_auth_database_url()
+        source_path = database_url.replace("sqlite:///", "")
+        
+        if backup_path is None:
+            # Create backup in same directory with timestamp
+            from datetime import datetime
+            timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
+            backup_path = f"{source_path}.backup_{timestamp}"
+        
+        # Copy database file
+        import shutil
+        shutil.copy2(source_path, backup_path)
+        
+        lgr.info(f"Authentication database backed up to: {backup_path}")
+        return True
+        
+    except Exception as e:
+        lgr.error(f"Failed to backup authentication database: {e}")
+        return False

pylantir/auth_models.py

@@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+
+"""
+    Author: Milton Camacho
+    Date: 2025-11-18
+    This script provides the SQLAlchemy models for user authentication and authorization.
+    
+    User roles:
+    - admin: Full access to users and worklist data (CRUD operations)
+    - write: Read and write access to worklist data only
+    - read: Read-only access to worklist data only
+"""
+
+from sqlalchemy.orm import declarative_base
+from sqlalchemy import Column, Integer, String, DateTime, Boolean, Enum
+from datetime import datetime
+import logging
+import enum
+
+AuthBase = declarative_base()
+
+lgr = logging.getLogger(__name__)
+
+
+class UserRole(enum.Enum):
+    """User role enumeration for access control."""
+    ADMIN = "admin"
+    WRITE = "write"  
+    READ = "read"
+
+
+class User(AuthBase):
+    """User model for API authentication and authorization."""
+    
+    __tablename__ = 'users'
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    username = Column(String(50), unique=True, nullable=False, index=True)
+    email = Column(String(100), unique=True, nullable=True)
+    full_name = Column(String(100), nullable=True)
+    hashed_password = Column(String(255), nullable=False)
+    role = Column(Enum(UserRole), nullable=False, default=UserRole.READ)
+    is_active = Column(Boolean, default=True)
+    created_at = Column(DateTime, default=datetime.utcnow)
+    last_login = Column(DateTime, nullable=True)
+    created_by = Column(Integer, nullable=True)  # ID of user who created this account
+    
+    def __repr__(self):
+        return f"<User(id={self.id}, username={self.username}, role={self.role.value}, active={self.is_active})>"
+
+    def has_permission(self, action: str, resource: str = "worklist") -> bool:
+        """
+        Check if user has permission for specific action on resource.
+        
+        Args:
+            action: Action type ('read', 'write', 'delete', 'create')
+            resource: Resource type ('worklist', 'users')
+        
+        Returns:
+            bool: True if user has permission
+        """
+        if not self.is_active:
+            return False
+            
+        # Admin has all permissions
+        if self.role == UserRole.ADMIN:
+            return True
+            
+        # Non-admin users cannot manage other users
+        if resource == "users":
+            return False
+            
+        # Worklist permissions based on role
+        if resource == "worklist":
+            if action == "read":
+                return self.role in [UserRole.READ, UserRole.WRITE, UserRole.ADMIN]
+            elif action in ["write", "create", "update", "delete"]:
+                return self.role in [UserRole.WRITE, UserRole.ADMIN]
+                
+        return False

pylantir/auth_utils.py

@@ -0,0 +1,210 @@
+#!/usr/bin/env python3
+
+"""
+    Author: Milton Camacho
+    Date: 2025-11-18
+    Authentication utilities for password hashing, JWT token generation,
+    and user authentication functions.
+"""
+
+import os
+import logging
+from datetime import datetime, timedelta
+from typing import Optional, Dict, Any
+from passlib.context import CryptContext
+from jose import JWTError, jwt
+from sqlalchemy.orm import Session
+
+lgr = logging.getLogger(__name__)
+
+# Password hashing context
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+# JWT configuration
+SECRET_KEY = os.getenv("JWT_SECRET_KEY", "your-secret-key-change-in-production")
+ALGORITHM = "HS256"
+ACCESS_TOKEN_EXPIRE_MINUTES = 30
+
+
+class AuthenticationError(Exception):
+    """Raised when authentication fails."""
+    pass
+
+
+class AuthorizationError(Exception):
+    """Raised when user lacks required permissions."""
+    pass
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """
+    Verify a plain password against a hashed password.
+    
+    Args:
+        plain_password: Plain text password
+        hashed_password: Hashed password from database
+        
+    Returns:
+        bool: True if password matches
+    """
+    try:
+        return pwd_context.verify(plain_password, hashed_password)
+    except Exception as e:
+        lgr.error(f"Password verification error: {e}")
+        return False
+
+
+def get_password_hash(password: str) -> str:
+    """
+    Hash a plain password using bcrypt.
+    
+    Args:
+        password: Plain text password
+        
+    Returns:
+        str: Hashed password
+    """
+    try:
+        return pwd_context.hash(password)
+    except Exception as e:
+        lgr.error(f"Password hashing error: {e}")
+        raise AuthenticationError("Failed to hash password")
+
+
+def create_access_token(data: Dict[str, Any], expires_delta: Optional[timedelta] = None) -> str:
+    """
+    Create a JWT access token.
+    
+    Args:
+        data: Data to encode in token (typically user info)
+        expires_delta: Token expiration time
+        
+    Returns:
+        str: JWT token
+    """
+    to_encode = data.copy()
+    
+    if expires_delta:
+        expire = datetime.utcnow() + expires_delta
+    else:
+        expire = datetime.utcnow() + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
+    
+    to_encode.update({"exp": expire})
+    
+    try:
+        encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+        return encoded_jwt
+    except Exception as e:
+        lgr.error(f"Token creation error: {e}")
+        raise AuthenticationError("Failed to create access token")
+
+
+def verify_token(token: str) -> Optional[Dict[str, Any]]:
+    """
+    Verify and decode a JWT token.
+    
+    Args:
+        token: JWT token string
+        
+    Returns:
+        Dict containing token payload or None if invalid
+    """
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        return payload
+    except JWTError as e:
+        lgr.warning(f"Token verification failed: {e}")
+        return None
+
+
+def authenticate_user(db: Session, username: str, password: str):
+    """
+    Authenticate user with username and password.
+    
+    Args:
+        db: Database session
+        username: Username
+        password: Plain text password
+        
+    Returns:
+        User object if authentication successful, None otherwise
+    """
+    from .auth_models import User
+    
+    try:
+        user = db.query(User).filter(User.username == username).first()
+        
+        if not user:
+            lgr.warning(f"Authentication attempt for non-existent user: {username}")
+            return None
+            
+        if not user.is_active:
+            lgr.warning(f"Authentication attempt for inactive user: {username}")
+            return None
+            
+        if not verify_password(password, user.hashed_password):
+            lgr.warning(f"Failed password authentication for user: {username}")
+            return None
+            
+        # Update last login time
+        user.last_login = datetime.utcnow()
+        db.commit()
+        
+        lgr.info(f"Successful authentication for user: {username}")
+        return user
+        
+    except Exception as e:
+        lgr.error(f"Authentication error for user {username}: {e}")
+        db.rollback()
+        return None
+
+
+def create_admin_user(db: Session, username: str = "admin", password: str = "admin123", 
+                     email: str = "admin@localhost", full_name: str = "System Administrator"):
+    """
+    Create initial admin user if no users exist.
+    
+    Args:
+        db: Database session
+        username: Admin username
+        password: Admin password
+        email: Admin email
+        full_name: Admin full name
+        
+    Returns:
+        User object or None if creation fails
+    """
+    from .auth_models import User, UserRole
+    
+    try:
+        # Check if any users exist
+        user_count = db.query(User).count()
+        
+        if user_count > 0:
+            lgr.info("Users already exist, skipping admin user creation")
+            return None
+            
+        # Create admin user
+        hashed_password = get_password_hash(password)
+        
+        admin_user = User(
+            username=username,
+            email=email,
+            full_name=full_name,
+            hashed_password=hashed_password,
+            role=UserRole.ADMIN,
+            is_active=True,
+            created_at=datetime.utcnow()
+        )
+        
+        db.add(admin_user)
+        db.commit()
+        db.refresh(admin_user)
+        
+        lgr.info(f"Created initial admin user: {username}")
+        return admin_user
+        
+    except Exception as e:
+        lgr.error(f"Failed to create admin user: {e}")
+        db.rollback()
+        return None