trovesuite 1.0.0__py3-none-any.whl

trovesuite/__init__.py

@@ -0,0 +1,16 @@
+"""
+TroveSuite Auth Package
+
+A comprehensive authentication and authorization service for ERP systems.
+Provides JWT token validation, user authorization, and permission checking.
+"""
+
+from .auth import AuthService
+
+__version__ = "1.0.8"
+__author__ = "Bright Debrah Owusu"
+__email__ = "owusu.debrah@deladetech.com"
+
+__all__ = [
+    "AuthService"
+]

trovesuite/auth/__init__.py

@@ -0,0 +1,16 @@
+"""
+TroveSuite Auth Module
+
+Authentication and authorization services for ERP systems.
+"""
+
+from .auth_service import AuthService
+from .auth_base import AuthBase
+from .auth_read_dto import AuthServiceReadDto, AuthControllerReadDto
+
+__all__ = [
+    "AuthService",
+    "AuthBase", 
+    "AuthServiceReadDto",
+    "AuthControllerReadDto"
+]

trovesuite/auth/auth_base.py

@@ -0,0 +1,4 @@
+from pydantic import BaseModel
+
+class AuthBase(BaseModel):
+    token: str

trovesuite/auth/auth_controller.py

@@ -0,0 +1,10 @@
+from fastapi import APIRouter
+from src.trovesuite.auth.auth_write_dto import AuthControllerWriteDto
+from src.trovesuite.auth.auth_read_dto import AuthControllerReadDto
+from src.trovesuite.auth.auth_service import AuthService
+
+auth_router = APIRouter()
+
+@auth_router.post("/auth", response_model=AuthControllerReadDto)
+async def authorize(data: AuthControllerWriteDto):
+    return AuthService.authorize(data=data)

trovesuite/auth/auth_read_dto.py

@@ -0,0 +1,18 @@
+from typing import Optional, List
+from pydantic import BaseModel
+
+class AuthControllerReadDto(BaseModel):
+    org_id: Optional[str] = None
+    bus_id: Optional[str] = None 
+    app_id: Optional[str] = None 
+    shared_resource_id: Optional[str] = None
+    user_id: Optional[str] = None
+    group_id: Optional[str] = None
+    role_id: Optional[str] = None
+    tenant_id: Optional[str] = None
+    permissions: Optional[List[str]] = None
+    shared_resource_id: Optional[str] = None
+    resource_id: Optional[str] = None
+
+class AuthServiceReadDto(AuthControllerReadDto):
+    pass

trovesuite/auth/auth_service.py

@@ -0,0 +1,334 @@
+"""Auth Service - Business logic for user authentication and authorization"""
+from datetime import datetime, timezone
+from typing import Annotated
+from fastapi import HTTPException
+from fastapi.params import Depends
+from fastapi.security import OAuth2PasswordBearer
+from ..utils.helper import Helper
+from ..configs.settings import db_settings
+from ..configs.database import DatabaseManager
+from ..configs.logging import get_logger
+from ..entities.sh_response import Respons
+from .auth_read_dto import AuthServiceReadDto
+from .auth_write_dto import AuthServiceWriteDto
+import jwt
+
+logger = get_logger("auth_service")
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
+
+class AuthService:
+    """Service class for authentication and authorization operations"""
+
+    def __init__(self) -> None:
+        """Initialize the service"""
+        pass
+    
+    @staticmethod
+    def decode_token(token: Annotated[str, Depends(oauth2_scheme)]) -> dict:
+        credentials_exception = HTTPException(
+            status_code=401,
+            detail="Could not validate credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+        try:
+            payload = jwt.decode(token, db_settings.SECRET_KEY, algorithms=[db_settings.ALGORITHM])
+            user_id = payload.get("user_id")
+            tenant_id = payload.get("tenant_id")
+
+            if user_id is None or tenant_id is None:
+                raise credentials_exception
+
+            return {"user_id": user_id, "tenant_id": tenant_id}
+
+        except jwt.InvalidTokenError as exc:
+            raise credentials_exception from exc
+        
+    @staticmethod
+    def authorize(data: AuthServiceWriteDto) -> Respons[AuthServiceReadDto]:
+        
+        user_id: str = data.user_id
+        tenant_id: str = data.tenant_id
+
+        """Check if a user is authorized based on login settings and roles"""
+        # Input validation
+        if not user_id or not isinstance(user_id, str):
+            return Respons[AuthServiceReadDto](
+                detail="Invalid user_id: must be a non-empty string",
+                data=[],
+                success=False,
+                status_code=400,
+                error="INVALID_USER_ID"
+            )
+        
+        if not tenant_id or not isinstance(tenant_id, str):
+            return Respons[AuthServiceReadDto](
+                detail="Invalid tenant_id: must be a non-empty string",
+                data=[],
+                success=False,
+                status_code=400,
+                error="INVALID_TENANT_ID"
+            )
+        
+        try:
+
+            is_tenant_verified = DatabaseManager.execute_query(
+                f"SELECT is_verified FROM {db_settings.MAIN_TENANTS_TABLE} WHERE delete_status = 'NOT_DELETED' AND id = %s",
+                (tenant_id,),
+            )
+
+            if not is_tenant_verified or len(is_tenant_verified) == 0:
+                logger.warning("Login failed - tenant not found: %s", tenant_id)
+                return Respons[AuthServiceReadDto](
+                    detail=f"Tenant '{tenant_id}' not found or has been deleted",
+                    data=[],
+                    success=False,
+                    status_code=404,
+                    error="TENANT_NOT_FOUND"
+                )
+            
+            if not is_tenant_verified[0]['is_verified']:
+                logger.warning("Login failed - tenant not verified for user: %s, tenant: %s", user_id, tenant_id)
+                return Respons[AuthServiceReadDto](
+                    detail=f"Tenant '{tenant_id}' is not verified. Please contact your administrator.",
+                    data=[],
+                    success=False,
+                    status_code=403,
+                    error="TENANT_NOT_VERIFIED"
+                )
+
+            login_settings_details = DatabaseManager.execute_query(
+                f"""SELECT user_id, group_id, is_suspended, can_always_login,
+                is_multi_factor_enabled, is_login_before, working_days,
+                login_on, logout_on FROM "{tenant_id}".{db_settings.TENANT_LOGIN_SETTINGS_TABLE} 
+                WHERE (delete_status = 'NOT_DELETED' AND is_active = true ) AND user_id = %s""",
+                (user_id,),
+            )
+
+            if not login_settings_details or len(login_settings_details) == 0:
+                logger.warning("Authorization failed - user not found: %s in tenant: %s", user_id, tenant_id)
+                return Respons[AuthServiceReadDto](
+                    detail=f"User '{user_id}' not found in tenant '{tenant_id}' or account is inactive",
+                    data=[],
+                    success=False,
+                    status_code=404,
+                    error="USER_NOT_FOUND"
+                )
+
+            if login_settings_details[0]['is_suspended']:
+                logger.warning("Authorization failed - user suspended: %s", user_id)
+                return Respons[AuthServiceReadDto](
+                    detail="Your account has been suspended. Please contact your administrator.",
+                    data=[],
+                    success=False,
+                    status_code=403,
+                    error="USER_SUSPENDED"
+                )
+
+            if not login_settings_details[0]['can_always_login']:
+                current_day = datetime.now().strftime("%A").upper()
+                
+                if current_day not in login_settings_details[0]['working_days']:
+                    logger.warning("Authorization failed - outside working days for user: %s checking custom login period", user_id)
+              
+                    # Get current datetime (full date and time) with timezone
+                    current_datetime = datetime.now(timezone.utc).replace(microsecond=0, second=0)
+                    
+                    # Get from database (should already be datetime objects)
+                    login_on = login_settings_details[0]['login_on']
+                    logout_on = login_settings_details[0]['logout_on']
+                    
+                    # Set defaults if None (with timezone awareness)
+                    if not login_on:
+                        login_on = datetime.min.replace(tzinfo=timezone.utc)
+                    if not logout_on:
+                        logout_on = datetime.max.replace(tzinfo=timezone.utc)
+
+                    # Compare full datetime objects (both date and time)
+                    if not (login_on <= current_datetime <= logout_on):
+                        logger.warning("Authorization failed - outside allowed period for user: %s", user_id)
+                        return Respons[AuthServiceReadDto](
+                            detail="Login is not allowed at this time. Please check your access schedule.",
+                            data=[],
+                            success=False,
+                            status_code=403,
+                            error="LOGIN_TIME_RESTRICTED"
+                        )
+            
+            # 1️⃣ Get all groups the user belongs to
+            user_groups = DatabaseManager.execute_query(
+                f"""SELECT group_id FROM "{tenant_id}".{db_settings.USER_GROUPS_TABLE}
+                    WHERE delete_status = 'NOT_DELETED' AND is_active = true AND user_id = %s""",(user_id,),
+            )
+
+            # 2️⃣ Prepare list of group_ids
+            group_ids = [g["group_id"] for g in user_groups] if user_groups else []
+
+            # 3️⃣ Build query dynamically to include groups (if any) + user
+            if group_ids:
+                get_user_roles = DatabaseManager.execute_query(
+                    f"""
+                        SELECT DISTINCT ON (org_id, group_id, bus_id, app_id, shared_resource_id, resource_id, user_id, role_id)
+                            org_id, group_id, bus_id, app_id, shared_resource_id, resource_id, user_id, role_id
+                        FROM "{tenant_id}".{db_settings.ASSIGN_ROLES_TABLE}
+                        WHERE delete_status = 'NOT_DELETED'
+                        AND is_active = true
+                        AND (user_id = %s OR group_id = ANY(%s))
+                        ORDER BY org_id, group_id, bus_id, app_id, shared_resource_id, resource_id, user_id, role_id;
+                    """,
+                    (user_id, group_ids),
+                )
+            else:
+                # No groups, just check roles for user
+                get_user_roles = DatabaseManager.execute_query(
+                    f"""
+                        SELECT DISTINCT ON (org_id, bus_id, app_id, shared_resource_id, resource_id, user_id, role_id)
+                            org_id, bus_id, app_id, shared_resource_id, resource_id, user_id, role_id
+                        FROM "{tenant_id}".{db_settings.ASSIGN_ROLES_TABLE}
+                        WHERE delete_status = 'NOT_DELETED'
+                        AND is_active = true
+                        AND user_id = %s
+                        ORDER BY org_id, bus_id, app_id, shared_resource_id, resource_id, user_id, role_id;
+                    """,
+                    (user_id,),
+                )
+
+            # GET permissions and Append to Role
+            get_user_roles_with_tenant_and_permissions = []
+            for role in get_user_roles:
+                permissions = DatabaseManager.execute_query(
+                    f"""SELECT permission_id FROM {db_settings.ROLE_PERMISSIONS_TABLE} WHERE role_id = %s""",
+                    params=(role["role_id"],),)
+
+                role_dict = {**role, "tenant_id": tenant_id, "permissions": [p['permission_id'] for p in permissions]}
+                get_user_roles_with_tenant_and_permissions.append(role_dict)
+
+            roles_dto = Helper.map_to_dto(get_user_roles_with_tenant_and_permissions, AuthServiceReadDto)
+
+            return Respons[AuthServiceReadDto](
+                detail="Authorized",
+                data=roles_dto,
+                success=True,
+                status_code=200,
+                error=None,
+            )
+
+        except HTTPException as http_ex:
+            raise http_ex
+
+        except Exception as e:
+            logger.error("Authorization check failed for user: %s", str(e))
+            return Respons[AuthServiceReadDto](
+                detail=None,
+                data=[],
+                success=False,
+                status_code=500,
+                error="Authorization check failed due to an internal error"
+            )
+        
+    @staticmethod
+    def check_permission(users_data: list, action=None, org_id=None, bus_id=None, app_id=None,
+                     resource_id=None, shared_resource_id=None) -> bool:
+        """
+        Check if user has a given permission (action) for a specific target.
+        
+        Hierarchy: organization > business > app > location > resource/shared_resource
+        If a field in role is None, it applies to all under that level.
+        """
+        for user_data in users_data:
+            # Check hierarchy: None means "all"
+            if user_data.org_id not in (None, org_id):
+                continue
+            if user_data.bus_id not in (None, bus_id):
+                continue
+            if user_data.app_id not in (None, app_id):
+                continue
+            if user_data.resource_id not in (None, resource_id):
+                continue
+            if user_data.shared_resource_id not in (None, shared_resource_id):
+                continue
+
+            # Check if the permission exists
+            if action in user_data.permissions:
+                return True
+
+        return False
+    
+    @staticmethod
+    def get_user_info_from_token(token: str) -> dict:
+        """
+        Convenience method to get user information from a JWT token.
+        
+        Args:
+            token: JWT token string
+            
+        Returns:
+            dict: User information including user_id and tenant_id
+            
+        Raises:
+            HTTPException: If token is invalid
+        """
+        return AuthService.decode_token(token)
+    
+    @staticmethod
+    def authorize_user_from_token(token: str) -> Respons[AuthServiceReadDto]:
+        """
+        Convenience method to authorize a user directly from a JWT token.
+        
+        Args:
+            token: JWT token string
+            
+        Returns:
+            Respons[AuthServiceReadDto]: Authorization result with user roles and permissions
+            
+        Raises:
+            HTTPException: If token is invalid
+        """
+        user_info = AuthService.decode_token(token)
+        return AuthService.authorize(user_info["user_id"], user_info["tenant_id"])
+    
+    @staticmethod
+    def get_user_permissions(user_roles: list) -> list:
+        """
+        Get all unique permissions for a user across all their roles.
+        
+        Args:
+            user_roles: List of user roles from authorization
+            
+        Returns:
+            list: Unique list of permissions
+        """
+        permissions = set()
+        for role in user_roles:
+            if role.permissions:
+                permissions.update(role.permissions)
+        return list(permissions)
+    
+    @staticmethod
+    def has_any_permission(user_roles: list, required_permissions: list) -> bool:
+        """
+        Check if user has any of the required permissions.
+        
+        Args:
+            user_roles: List of user roles from authorization
+            required_permissions: List of permissions to check for
+            
+        Returns:
+            bool: True if user has any of the required permissions
+        """
+        user_permissions = AuthService.get_user_permissions(user_roles)
+        return any(perm in user_permissions for perm in required_permissions)
+    
+    @staticmethod
+    def has_all_permissions(user_roles: list, required_permissions: list) -> bool:
+        """
+        Check if user has all of the required permissions.
+        
+        Args:
+            user_roles: List of user roles from authorization
+            required_permissions: List of permissions to check for
+            
+        Returns:
+            bool: True if user has all of the required permissions
+        """
+        user_permissions = AuthService.get_user_permissions(user_roles)
+        return all(perm in user_permissions for perm in required_permissions)

trovesuite/auth/auth_write_dto.py

@@ -0,0 +1,10 @@
+from typing import Optional
+from pydantic import BaseModel
+
+
+class AuthControllerWriteDto(BaseModel):
+    user_id: Optional[str] = None
+    tenant: Optional[str] = None
+
+class AuthServiceWriteDto(AuthControllerWriteDto):
+    pass

trovesuite/configs/__init__.py

@@ -0,0 +1,16 @@
+"""
+TroveSuite Configuration Module
+
+Configuration settings and database management for TroveSuite services.
+"""
+
+from .settings import db_settings
+from .database import DatabaseManager
+from .logging import setup_logging, get_logger
+
+__all__ = [
+    "db_settings",
+    "DatabaseManager", 
+    "setup_logging",
+    "get_logger"
+]

trovesuite/configs/database.py

@@ -0,0 +1,221 @@
+"""
+Database configuration and connection management
+"""
+from contextlib import contextmanager
+from typing import Generator, Optional
+import psycopg2
+import psycopg2.pool
+from psycopg2.extras import RealDictCursor
+from .settings import db_settings
+from .logging import get_logger
+
+logger = get_logger("database")
+
+# Database connection pool
+_connection_pool: Optional[psycopg2.pool.ThreadedConnectionPool] = None
+_sqlmodel_engine = None
+
+
+class DatabaseConfig:
+    """Database configuration and connection management"""
+    
+    def __init__(self):
+        self.settings = db_settings
+        self.pool_size = 5
+        self.max_overflow = 10
+    
+    @property
+    def database_url(self):
+        """Get database URL (lazy evaluation)"""
+        return self.settings.database_url
+        
+    def get_connection_params(self) -> dict:
+        """Get database connection parameters"""
+        return {
+            "host": self.settings.DB_HOST,
+            "port": self.settings.DB_PORT,
+            "database": self.settings.DB_NAME,
+            "user": self.settings.DB_USER,
+            "password": self.settings.DB_PASSWORD,
+            "cursor_factory": RealDictCursor,
+            "application_name": f"{self.settings.APP_NAME}_{self.settings.ENVIRONMENT}"
+        }
+    
+    def create_connection_pool(self) -> psycopg2.pool.ThreadedConnectionPool:
+        """Create a connection pool for psycopg2"""
+        try:
+            pool = psycopg2.pool.ThreadedConnectionPool(
+                minconn=1,
+                maxconn=self.pool_size,
+                **self.get_connection_params()
+            )
+            logger.info(f"Database connection pool created with {self.pool_size} connections")
+            return pool
+        except Exception as e:
+            logger.error(f"Failed to create database connection pool: {str(e)}")
+            raise
+    
+    def test_connection(self) -> bool:
+        """Test database connection"""
+        try:
+            with psycopg2.connect(**self.get_connection_params()) as conn:
+                with conn.cursor() as cursor:
+                    cursor.execute("SELECT 1")
+                    result = cursor.fetchone()
+                    if result:
+                        logger.info("Database connection test successful")
+                        return True
+        except Exception as e:
+            logger.error(f"Database connection test failed: {str(e)}")
+            return False
+        return False
+
+
+# Global database configuration
+db_config = DatabaseConfig()
+
+
+def initialize_database():
+    """Initialize database connections and pool"""
+    global _connection_pool
+    
+    try:
+        # Test connection first
+        if not db_config.test_connection():
+            raise Exception("Database connection test failed")
+        
+        # Create connection pool
+        _connection_pool = db_config.create_connection_pool()
+        
+        logger.info("Database initialization completed successfully")
+        
+    except Exception as e:
+        logger.error(f"Database initialization failed: {str(e)}")
+        raise
+
+
+def get_connection_pool() -> psycopg2.pool.ThreadedConnectionPool:
+    """Get the database connection pool"""
+    global _connection_pool
+    if _connection_pool is None:
+        raise Exception("Database not initialized. Call initialize_database() first.")
+    return _connection_pool
+
+
+def get_sqlmodel_engine():
+    """Get the SQLModel engine"""
+    global _sqlmodel_engine
+    if _sqlmodel_engine is None:
+        raise Exception("Database not initialized. Call initialize_database() first.")
+    return _sqlmodel_engine
+
+
+@contextmanager
+def get_db_connection():
+    """Get a database connection from the pool (context manager)"""
+    pool = get_connection_pool()
+    conn = None
+    try:
+        conn = pool.getconn()
+        logger.debug("Database connection acquired from pool")
+        yield conn
+    except Exception as e:
+        logger.error(f"Database connection error: {str(e)}")
+        if conn:
+            conn.rollback()
+        raise
+    finally:
+        if conn:
+            pool.putconn(conn)
+            logger.debug("Database connection returned to pool")
+
+
+@contextmanager
+def get_db_cursor():
+    """Get a database cursor (context manager)"""
+    with get_db_connection() as conn:
+        cursor = conn.cursor()
+        try:
+            yield cursor
+            conn.commit()
+        except Exception as e:
+            conn.rollback()
+            logger.error(f"Database cursor error: {str(e)}")
+            raise
+        finally:
+            cursor.close()
+
+
+class DatabaseManager:
+    """Database manager for common operations"""
+    
+    @staticmethod
+    def execute_query(query: str, params: tuple = None) -> list:
+        """Execute a SELECT query and return results"""
+        with get_db_cursor() as cursor:
+            cursor.execute(query, params)
+            return cursor.fetchall()
+    
+    @staticmethod
+    def execute_update(query: str, params: tuple = None) -> int:
+        """Execute an INSERT/UPDATE/DELETE query and return affected rows"""
+        with get_db_cursor() as cursor:
+            cursor.execute(query, params)
+            return cursor.rowcount
+    
+    @staticmethod
+    def execute_scalar(query: str, params: tuple = None):
+        """Execute a query and return a single value"""
+        with get_db_cursor() as cursor:
+            cursor.execute(query, params)
+            result = cursor.fetchone()
+            if result:
+                # Handle RealDictRow (dictionary-like) result
+                if hasattr(result, 'get'):
+                    # For RealDictRow, get the first value
+                    return list(result.values())[0] if result else None
+                else:
+                    # Handle tuple result
+                    return result[0] if len(result) > 0 else None
+            return None
+    
+    @staticmethod
+    def health_check() -> dict:
+        """Perform database health check"""
+        try:
+            with get_db_cursor() as cursor:
+                cursor.execute("SELECT version(), current_database(), current_user")
+                result = cursor.fetchone()
+                
+                if result:
+                    # Handle RealDictRow (dictionary-like) result
+                    if hasattr(result, 'get'):
+                        return {
+                            "status": "healthy",
+                            "database": result.get('current_database', 'unknown'),
+                            "user": result.get('current_user', 'unknown'),
+                            "version": result.get('version', 'unknown')
+                        }
+                    else:
+                        # Handle tuple result
+                        return {
+                            "status": "healthy",
+                            "database": result[1] if len(result) > 1 else "unknown",
+                            "user": result[2] if len(result) > 2 else "unknown",
+                            "version": result[0] if len(result) > 0 else "unknown"
+                        }
+                else:
+                    return {
+                        "status": "unhealthy",
+                        "error": "No result from database query"
+                    }
+        except Exception as e:
+            logger.error(f"Database health check failed: {str(e)}")
+            return {
+                "status": "unhealthy",
+                "error": str(e)
+            }
+
+
+# Database initialization is done lazily when needed
+# Call initialize_database() explicitly when you need to use the database