svc-infra 0.1.595__py3-none-any.whl → 0.1.706__py3-none-any.whl

svc_infra/security/add.py

@@ -0,0 +1,217 @@
+from __future__ import annotations
+
+import os
+from collections.abc import Mapping
+from typing import Iterable, Literal, cast
+
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+from starlette.middleware.sessions import SessionMiddleware
+
+from svc_infra.app.env import require_secret
+from svc_infra.security.headers import SECURE_DEFAULTS, SecurityHeadersMiddleware
+
+DEFAULT_SESSION_SECRET = "dev-only-session-secret-not-for-production"
+
+
+def _parse_bool(value: str | None) -> bool | None:
+    if value is None:
+        return None
+    lowered = value.strip().lower()
+    if lowered in {"1", "true", "yes", "on"}:
+        return True
+    if lowered in {"0", "false", "no", "off"}:
+        return False
+    return None
+
+
+def _normalize_origins(value: Iterable[str] | str | None) -> list[str]:
+    if value is None:
+        return []
+    if isinstance(value, str):
+        parts = [p.strip() for p in value.split(",")]
+    else:
+        parts = [str(v).strip() for v in value]
+    return [p for p in parts if p]
+
+
+def _resolve_cors_origins(
+    provided: Iterable[str] | str | None,
+    env: Mapping[str, str],
+) -> list[str]:
+    if provided is not None:
+        return _normalize_origins(provided)
+    return _normalize_origins(env.get("CORS_ALLOW_ORIGINS"))
+
+
+def _resolve_allow_credentials(
+    allow_credentials: bool,
+    env: Mapping[str, str],
+) -> bool:
+    env_value = _parse_bool(env.get("CORS_ALLOW_CREDENTIALS"))
+    if env_value is None:
+        return allow_credentials
+    # Allow explicit overrides via function arguments.
+    if allow_credentials is not True:
+        return allow_credentials
+    return env_value
+
+
+def _configure_cors(
+    app: FastAPI,
+    *,
+    cors_origins: Iterable[str] | str | None,
+    allow_credentials: bool,
+    env: Mapping[str, str],
+) -> None:
+    origins = _resolve_cors_origins(cors_origins, env)
+    if not origins:
+        return
+
+    allow_methods = _normalize_origins(env.get("CORS_ALLOW_METHODS")) or ["*"]
+    allow_headers = _normalize_origins(env.get("CORS_ALLOW_HEADERS")) or ["*"]
+
+    credentials = _resolve_allow_credentials(allow_credentials, env)
+
+    wildcard_origins = "*" in origins
+
+    cors_kwargs: dict[str, object] = {
+        "allow_credentials": credentials,
+        "allow_methods": allow_methods,
+        "allow_headers": allow_headers,
+        "allow_origins": ["*"] if wildcard_origins else origins,
+    }
+    origin_regex = env.get("CORS_ALLOW_ORIGIN_REGEX")
+    if wildcard_origins:
+        cors_kwargs["allow_origin_regex"] = origin_regex or ".*"
+    else:
+        if origin_regex:
+            cors_kwargs["allow_origin_regex"] = origin_regex
+
+    app.add_middleware(CORSMiddleware, **cors_kwargs)  # type: ignore[arg-type]  # CORSMiddleware accepts these kwargs
+
+
+def _configure_security_headers(
+    app: FastAPI,
+    *,
+    overrides: dict[str, str] | None,
+    enable_hsts_preload: bool | None,
+) -> None:
+    merged_overrides = dict(overrides or {})
+    if enable_hsts_preload is not None:
+        current = merged_overrides.get(
+            "Strict-Transport-Security",
+            SECURE_DEFAULTS["Strict-Transport-Security"],
+        )
+        directives = [p.strip() for p in current.split(";") if p.strip()]
+        directives = [d for d in directives if d.lower() != "preload"]
+        if enable_hsts_preload:
+            directives.append("preload")
+        merged_overrides["Strict-Transport-Security"] = "; ".join(directives)
+
+    app.add_middleware(SecurityHeadersMiddleware, overrides=merged_overrides)
+
+
+def _should_add_session_middleware(app: FastAPI) -> bool:
+    return not any(m.cls is SessionMiddleware for m in app.user_middleware)
+
+
+def _configure_session_middleware(
+    app: FastAPI,
+    *,
+    env: Mapping[str, str],
+    install: bool,
+    secret_key: str | None,
+    session_cookie: str,
+    max_age: int,
+    same_site: str,
+    https_only: bool | None,
+) -> None:
+    if not install or not _should_add_session_middleware(app):
+        return
+
+    # Use require_secret to ensure secrets are set in production
+    secret = require_secret(
+        secret_key or env.get("SESSION_SECRET"),
+        "SESSION_SECRET",
+        dev_default=DEFAULT_SESSION_SECRET,
+    )
+    https_env = _parse_bool(env.get("SESSION_COOKIE_SECURE"))
+    effective_https_only = (
+        https_only
+        if https_only is not None
+        else (https_env if https_env is not None else False)
+    )
+    same_site_env = env.get("SESSION_COOKIE_SAMESITE")
+    same_site_raw = same_site_env.strip() if same_site_env else same_site
+    # Validate and narrow to expected Literal type
+    same_site_value: Literal["lax", "strict", "none"] = (
+        "lax"
+        if same_site_raw not in ("lax", "strict", "none")
+        else cast(Literal["lax", "strict", "none"], same_site_raw)
+    )
+
+    max_age_env = env.get("SESSION_COOKIE_MAX_AGE_SECONDS")
+    try:
+        max_age_value = int(max_age_env) if max_age_env is not None else max_age
+    except ValueError:
+        max_age_value = max_age
+
+    session_cookie_env = env.get("SESSION_COOKIE_NAME")
+    session_cookie_value = (
+        session_cookie_env.strip() if session_cookie_env else session_cookie
+    )
+
+    app.add_middleware(
+        SessionMiddleware,
+        secret_key=secret,
+        session_cookie=session_cookie_value,
+        max_age=max_age_value,
+        same_site=same_site_value,
+        https_only=effective_https_only,
+    )
+
+
+def add_security(
+    app: FastAPI,
+    *,
+    cors_origins: Iterable[str] | str | None = None,
+    headers_overrides: dict[str, str] | None = None,
+    allow_credentials: bool = True,
+    env: Mapping[str, str] = os.environ,
+    enable_hsts_preload: bool | None = None,
+    install_session_middleware: bool = False,
+    session_secret_key: str | None = None,
+    session_cookie_name: str = "svc_session",
+    session_cookie_max_age_seconds: int = 4 * 3600,
+    session_cookie_samesite: str = "lax",
+    session_cookie_https_only: bool | None = None,
+) -> None:
+    """Install security middlewares with svc-infra defaults."""
+
+    _configure_security_headers(
+        app,
+        overrides=headers_overrides,
+        enable_hsts_preload=enable_hsts_preload,
+    )
+    _configure_cors(
+        app,
+        cors_origins=cors_origins,
+        allow_credentials=allow_credentials,
+        env=env,
+    )
+    _configure_session_middleware(
+        app,
+        env=env,
+        install=install_session_middleware,
+        secret_key=session_secret_key,
+        session_cookie=session_cookie_name,
+        max_age=session_cookie_max_age_seconds,
+        same_site=session_cookie_samesite,
+        https_only=session_cookie_https_only,
+    )
+
+
+__all__ = [
+    "add_security",
+]

svc_infra/security/audit.py

@@ -1,5 +1,3 @@
-from __future__ import annotations
-
 """Audit log append & chain verification utilities.
 
 Provides helpers to append a new AuditLog entry maintaining a hash-chain
@@ -13,19 +11,95 @@ Design notes:
    fail verification (because their prev_hash links break transitively).
 """
 
+from __future__ import annotations
+
+from dataclasses import dataclass
 from datetime import datetime, timezone
-from typing import Any, List, Optional, Sequence, Tuple
+from typing import Any, List, Optional, Protocol, Sequence, Tuple
 
 try:  # SQLAlchemy may not be present in minimal test context
     from sqlalchemy import select
     from sqlalchemy.ext.asyncio import AsyncSession
 except Exception:  # pragma: no cover
-    AsyncSession = Any  # type: ignore
-    select = None  # type: ignore
+    AsyncSession = Any  # type: ignore[misc,assignment]
+    select = None  # type: ignore[assignment]
 
 from svc_infra.security.models import AuditLog, compute_audit_hash
 
 
+@dataclass(frozen=True)
+class AuditEvent:
+    ts: datetime
+    actor_id: Any
+    tenant_id: str | None
+    event_type: str
+    resource_ref: str | None
+    metadata: dict
+
+
+class AuditLogStore(Protocol):
+    """Minimal interface for storing audit events.
+
+    This is intentionally small so applications can swap in a SQL-backed store.
+    """
+
+    def append(
+        self,
+        *,
+        actor_id: Any = None,
+        tenant_id: str | None = None,
+        event_type: str,
+        resource_ref: str | None = None,
+        metadata: dict | None = None,
+        ts: datetime | None = None,
+    ) -> AuditEvent:
+        pass
+
+    def list(
+        self,
+        *,
+        tenant_id: str | None = None,
+        limit: int | None = None,
+    ) -> list[AuditEvent]:
+        pass
+
+
+class InMemoryAuditLogStore:
+    """In-memory audit event store (useful for tests and prototypes)."""
+
+    def __init__(self):
+        self._events: list[AuditEvent] = []
+
+    def append(
+        self,
+        *,
+        actor_id: Any = None,
+        tenant_id: str | None = None,
+        event_type: str,
+        resource_ref: str | None = None,
+        metadata: dict | None = None,
+        ts: datetime | None = None,
+    ) -> AuditEvent:
+        event = AuditEvent(
+            ts=ts or datetime.now(timezone.utc),
+            actor_id=actor_id,
+            tenant_id=tenant_id,
+            event_type=event_type,
+            resource_ref=resource_ref,
+            metadata=dict(metadata or {}),
+        )
+        self._events.append(event)
+        return event
+
+    def list(
+        self, *, tenant_id: str | None = None, limit: int | None = None
+    ) -> list[AuditEvent]:
+        out = [e for e in self._events if tenant_id is None or e.tenant_id == tenant_id]
+        if limit is not None:
+            return out[-int(limit) :]
+        return out
+
+
 async def append_audit_event(
     db: Any,
     *,
@@ -48,7 +122,9 @@ async def append_audit_event(
     prev_hash: Optional[str] = None
     if prev_event is not None:
         prev_hash = prev_event.hash
-    elif select is not None and hasattr(db, "execute"):  # attempt DB lookup for previous event
+    elif select is not None and hasattr(
+        db, "execute"
+    ):  # attempt DB lookup for previous event
         try:
             stmt = (
                 select(AuditLog)
@@ -56,7 +132,7 @@ async def append_audit_event(
                 .order_by(AuditLog.id.desc())
                 .limit(1)
             )
-            result = await db.execute(stmt)  # type: ignore[attr-defined]
+            result = await db.execute(stmt)
             prev = result.scalars().first()
             if prev:
                 prev_hash = prev.hash
@@ -85,12 +161,12 @@ async def append_audit_event(
     )
     if hasattr(db, "add"):
         try:
-            db.add(row)  # type: ignore[attr-defined]
+            db.add(row)
         except Exception:  # pragma: no cover - minimal shim safety
             pass
         if hasattr(db, "flush"):
             try:
-                await db.flush()  # type: ignore[attr-defined]
+                await db.flush()
             except Exception:  # pragma: no cover
                 pass
     return row
@@ -127,4 +203,10 @@ def verify_audit_chain(events: Sequence[AuditLog]) -> Tuple[bool, List[int]]:
     return ok, sorted(set(broken))
 
 
-__all__ = ["append_audit_event", "verify_audit_chain"]
+__all__ = [
+    "append_audit_event",
+    "verify_audit_chain",
+    "AuditEvent",
+    "AuditLogStore",
+    "InMemoryAuditLogStore",
+]

svc_infra/security/audit_service.py

@@ -5,7 +5,7 @@ from typing import Any, List, Optional, Sequence, Tuple
 try:  # optional SQLAlchemy import for environments without SA
     from sqlalchemy import select
 except Exception:  # pragma: no cover
-    select = None  # type: ignore
+    select = None  # type: ignore[assignment]
 
 from .audit import append_audit_event, verify_audit_chain
 from .models import AuditLog
@@ -51,7 +51,7 @@ async def verify_chain_for_tenant(
             if tenant_id is not None:
                 stmt = stmt.where(AuditLog.tenant_id == tenant_id)
             stmt = stmt.order_by(AuditLog.id.asc())
-            result = await db.execute(stmt)  # type: ignore[attr-defined]
+            result = await db.execute(stmt)
             events = list(result.scalars().all())
         except Exception:  # pragma: no cover
             events = []
@@ -62,7 +62,8 @@ async def verify_chain_for_tenant(
             events = [
                 e
                 for e in pool
-                if isinstance(e, AuditLog) and (tenant_id is None or e.tenant_id == tenant_id)
+                if isinstance(e, AuditLog)
+                and (tenant_id is None or e.tenant_id == tenant_id)
             ]
         except Exception:  # pragma: no cover
             events = []

svc_infra/security/headers.py

@@ -6,8 +6,21 @@ SECURE_DEFAULTS = {
     "X-Frame-Options": "DENY",
     "Referrer-Policy": "strict-origin-when-cross-origin",
     "X-XSS-Protection": "0",
-    # CSP kept minimal; allow config override
-    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'",
+    # CSP with practical defaults - allows inline styles/scripts and data URIs for images
+    # Also allows cdn.jsdelivr.net for FastAPI docs (Swagger UI, ReDoc)
+    # Still secure: blocks arbitrary external scripts, prevents framing, restricts form actions
+    # Override via headers_overrides in add_security() for stricter or custom policies
+    "Content-Security-Policy": (
+        "default-src 'self'; "
+        "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
+        "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
+        "img-src 'self' data: https:; "
+        "connect-src 'self'; "
+        "font-src 'self' https://cdn.jsdelivr.net; "
+        "frame-ancestors 'none'; "
+        "base-uri 'self'; "
+        "form-action 'self'"
+    ),
 }
 
 

svc_infra/security/hibp.py

@@ -1,11 +1,14 @@
 from __future__ import annotations
 
 import hashlib
+import logging
 import time
 from dataclasses import dataclass
 from typing import Dict, Optional
 
-import httpx
+from svc_infra.http import new_httpx_client
+
+logger = logging.getLogger(__name__)
 
 
 def sha1_hex(data: str) -> str:
@@ -39,7 +42,11 @@ class HIBPClient:
         self.timeout = timeout
         self.user_agent = user_agent
         self._cache: Dict[str, CacheEntry] = {}
-        self._http = httpx.Client(timeout=self.timeout, headers={"User-Agent": self.user_agent})
+        # Use central factory for consistent defaults; retain explicit timeout override
+        self._http = new_httpx_client(
+            timeout_seconds=self.timeout,
+            headers={"User-Agent": self.user_agent},
+        )
 
     def _get_cached(self, prefix: str) -> Optional[str]:
         now = time.time()
@@ -49,7 +56,9 @@ class HIBPClient:
         return None
 
     def _set_cache(self, prefix: str, body: str) -> None:
-        self._cache[prefix] = CacheEntry(body=body, expires_at=time.time() + self.ttl_seconds)
+        self._cache[prefix] = CacheEntry(
+            body=body, expires_at=time.time() + self.ttl_seconds
+        )
 
     def range_query(self, prefix: str) -> str:
         cached = self._get_cached(prefix)
@@ -67,8 +76,9 @@ class HIBPClient:
         prefix, suffix = full[:5], full[5:]
         try:
             body = self.range_query(prefix)
-        except Exception:
+        except Exception as e:
             # Fail-open: if HIBP unavailable, do not block users.
+            logger.warning("HIBP password check failed (fail-open): %s", e)
             return False
 
         for line in body.splitlines():

svc_infra/security/jwt_rotation.py

@@ -1,9 +1,10 @@
 from __future__ import annotations
 
-from typing import Iterable, List, Optional, Union
+from typing import Any, Iterable, List, Optional, Union
 
-import jwt as pyjwt
+import jwt
 from fastapi_users.authentication.strategy.jwt import JWTStrategy
+from fastapi_users.jwt import decode_jwt
 
 
 class RotatingJWTStrategy(JWTStrategy):
@@ -21,33 +22,84 @@ class RotatingJWTStrategy(JWTStrategy):
         old_secrets: Optional[Iterable[str]] = None,
         token_audience: Optional[Union[str, List[str]]] = None,
     ):
+        # Normalize token_audience to list as required by parent JWTStrategy
+        aud_list: list[str] = (
+            [token_audience]
+            if isinstance(token_audience, str)
+            else list(token_audience)
+            if token_audience
+            else []
+        ) or ["fastapi-users:auth"]
         super().__init__(
-            secret=secret, lifetime_seconds=lifetime_seconds, token_audience=token_audience
+            secret=secret, lifetime_seconds=lifetime_seconds, token_audience=aud_list
         )
         self._verify_secrets: List[str] = [secret] + list(old_secrets or [])
+        self._lifetime_seconds = lifetime_seconds
 
-    async def read_token(self, token: str, audience: Optional[str] = None):  # type: ignore[override]
-        # Try with current strategy's configured secret first
-        eff_aud = audience or self.token_audience
-        try:
-            return await super().read_token(token, audience=eff_aud)
-        except Exception:
-            pass
-        # Try older secrets
-        for s in self._verify_secrets[1:]:
+    async def read_token(
+        self,
+        token: str | None,
+        user_manager: Any = None,
+        *,
+        audience: str | list[str] | None = None,
+    ) -> Any:
+        """Read/verify a token against the active + rotated secrets.
+
+        Compatibility:
+        - fastapi-users signature: (token, user_manager) -> user | None
+        - legacy/test helper usage: (token, *, audience=...) -> claims | None
+        """
+
+        if token is None:
+            return None
+
+        if user_manager is None:
+            aud_list: list[str]
+            if audience is None:
+                aud_list = self.token_audience
+            elif isinstance(audience, str):
+                aud_list = [audience]
+            else:
+                aud_list = audience
             try:
-                data = pyjwt.decode(
-                    token,
-                    s,
-                    algorithms=["HS256"],
-                    audience=eff_aud,
+                return decode_jwt(
+                    token, self.decode_key, aud_list, algorithms=[self.algorithm]
                 )
-                if data is not None:
-                    return data
-            except Exception:
+            except jwt.PyJWTError:
                 pass
-        # If none of the secrets validated the token, raise a generic error
-        raise ValueError("Invalid token for all configured secrets")
+
+            for secret in self._verify_secrets[1:]:
+                candidate: JWTStrategy[Any, Any] = JWTStrategy(
+                    secret=secret,
+                    lifetime_seconds=self._lifetime_seconds,
+                    token_audience=self.token_audience,
+                )
+                try:
+                    return decode_jwt(
+                        token,
+                        candidate.decode_key,
+                        aud_list,
+                        algorithms=[candidate.algorithm],
+                    )
+                except jwt.PyJWTError:
+                    continue
+            raise ValueError("Invalid token for all configured secrets")
+
+        user = await super().read_token(token, user_manager)
+        if user is not None:
+            return user
+
+        for secret in self._verify_secrets[1:]:
+            candidate = JWTStrategy(
+                secret=secret,
+                lifetime_seconds=self._lifetime_seconds,
+                token_audience=self.token_audience,
+            )
+            user = await candidate.read_token(token, user_manager)
+            if user is not None:
+                return user
+
+        return None
 
 
 __all__ = ["RotatingJWTStrategy"]

svc_infra/security/lockout.py

@@ -6,11 +6,12 @@ from datetime import datetime, timedelta, timezone
 from typing import Any, Optional, Sequence
 
 try:
-    from sqlalchemy import select
+    from sqlalchemy import or_, select
     from sqlalchemy.ext.asyncio import AsyncSession
 except Exception:  # pragma: no cover - optional import for type hints
-    AsyncSession = Any  # type: ignore[misc]
-    select = None  # type: ignore
+    AsyncSession = Any  # type: ignore[misc,assignment]
+    select = None  # type: ignore[assignment]
+    or_ = None  # type: ignore[assignment]
 
 from svc_infra.security.models import FailedAuthAttempt
 
@@ -77,10 +78,15 @@ async def get_lockout_status(
         FailedAuthAttempt.ts >= window_start,
         FailedAuthAttempt.success == False,  # noqa: E712
     )
+    # Use OR logic: lock out if EITHER user_id OR ip_hash has too many failures
+    # This prevents attackers from rotating IPs to bypass lockout
+    filters = []
     if user_id:
-        q = q.where(FailedAuthAttempt.user_id == user_id)
+        filters.append(FailedAuthAttempt.user_id == user_id)
     if ip_hash:
-        q = q.where(FailedAuthAttempt.ip_hash == ip_hash)
+        filters.append(FailedAuthAttempt.ip_hash == ip_hash)
+    if filters:
+        q = q.where(or_(*filters))
 
     rows: Sequence[FailedAuthAttempt] = (await session.execute(q)).scalars().all()
     fail_count = len(rows)