trovesuite 1.0.10__tar.gz → 1.0.12__tar.gz

{trovesuite-1.0.10/src/trovesuite.egg-info → trovesuite-1.0.12}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: trovesuite
-Version: 1.0.10
+Version: 1.0.12
 Summary: TroveSuite services package providing authentication, authorization, notifications, Azure Storage, and other enterprise services for TroveSuite applications
 Home-page: https://dev.azure.com/brightgclt/trovesuite/_git/packages
 Author: Bright Debrah Owusu

{trovesuite-1.0.10 → trovesuite-1.0.12}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [tool.poetry]
 name = "trovesuite"
-version = "1.0.10"
+version = "1.0.12"
 description = "TroveSuite services package providing authentication, authorization, notifications, Azure Storage, and other enterprise services for TroveSuite applications"
 authors = ["brightgclt <brightgclt@gmail.com>"]
 license = "MIT"
@@ -58,7 +58,7 @@ Documentation = "https://dev.azure.com/brightgclt/trovesuite/_git/packages"
 
 [project]
 name = "trovesuite"
-version = "1.0.10"
+version = "1.0.12"
 description = "TroveSuite services package providing authentication, authorization, notifications, Azure Storage, and other enterprise services for TroveSuite applications"
 readme = "README.md"
 license = {text = "MIT"}

{trovesuite-1.0.10 → trovesuite-1.0.12}/setup.py

@@ -15,7 +15,7 @@ with open("pyproject.toml", "r", encoding="utf-8") as fh:
 
 setup(
     name="trovesuite",
-    version="1.0.10",
+    version="1.0.12",
     author="Bright Debrah Owusu",
     author_email="owusu.debrah@deladetech.com",
     description="TroveSuite services package providing authentication, authorization, notifications, and other enterprise services for TroveSuite applications",

{trovesuite-1.0.10 → trovesuite-1.0.12}/src/trovesuite/auth/auth_read_dto.py

@@ -3,8 +3,8 @@ from pydantic import BaseModel
 
 class AuthControllerReadDto(BaseModel):
     org_id: Optional[str] = None
-    bus_id: Optional[str] = None 
-    app_id: Optional[str] = None 
+    bus_id: Optional[str] = None
+    app_id: Optional[str] = None
     shared_resource_id: Optional[str] = None
     user_id: Optional[str] = None
     group_id: Optional[str] = None
@@ -12,6 +12,7 @@ class AuthControllerReadDto(BaseModel):
     tenant_id: Optional[str] = None
     permissions: Optional[List[str]] = None
     resource_id: Optional[str] = None
+    resource_type: Optional[str] = None
 
 class AuthServiceReadDto(AuthControllerReadDto):
     pass

{trovesuite-1.0.10 → trovesuite-1.0.12}/src/trovesuite/auth/auth_service.py

@@ -45,10 +45,10 @@ class AuthService:
         
     @staticmethod
     def authorize(data: AuthServiceWriteDto) -> Respons[AuthServiceReadDto]:
-        
+
         user_id: str = data.user_id
         tenant_id: str = data.tenant_id
-        
+
         """Check if a user is authorized based on login settings and roles"""
         # Input validation
         if not user_id or not isinstance(user_id, str):
@@ -59,7 +59,7 @@ class AuthService:
                 status_code=400,
                 error="INVALID_USER_ID"
             )
-        
+
         if not tenant_id or not isinstance(tenant_id, str):
             return Respons[AuthServiceReadDto](
                 detail="Invalid tenant_id: must be a non-empty string",
@@ -75,9 +75,9 @@ class AuthService:
                 f"SELECT is_verified FROM {db_settings.MAIN_TENANTS_TABLE} WHERE delete_status = 'NOT_DELETED' AND id = %s",
                 (tenant_id,),
             )
-            
+
             if not is_tenant_verified or len(is_tenant_verified) == 0:
-                logger.warning("Login failed - tenant not found: %s", tenant_id)
+                logger.warning("Authorization failed - tenant not found: %s", tenant_id)
                 return Respons[AuthServiceReadDto](
                     detail=f"Tenant '{tenant_id}' not found or has been deleted",
                     data=[],
@@ -85,9 +85,9 @@ class AuthService:
                     status_code=404,
                     error="TENANT_NOT_FOUND"
                 )
-            
+
             if not is_tenant_verified[0]['is_verified']:
-                logger.warning("Login failed - tenant not verified for user: %s, tenant: %s", user_id, tenant_id)
+                logger.warning("Authorization failed - tenant not verified for user: %s, tenant: %s", user_id, tenant_id)
                 return Respons[AuthServiceReadDto](
                     detail=f"Tenant '{tenant_id}' is not verified. Please contact your administrator.",
                     data=[],
@@ -96,14 +96,36 @@ class AuthService:
                     error="TENANT_NOT_VERIFIED"
                 )
 
-            login_settings_details = DatabaseManager.execute_query(
-                f"""SELECT user_id, group_id, is_suspended, can_always_login,
-                is_multi_factor_enabled, is_login_before, working_days,
-                login_on, logout_on FROM "{tenant_id}".{db_settings.TENANT_LOGIN_SETTINGS_TABLE} 
-                WHERE (delete_status = 'NOT_DELETED' AND is_active = true ) AND user_id = %s""",
-                (user_id,),
+            # 1️⃣ Get all groups the user belongs to
+            user_groups = DatabaseManager.execute_query(
+                f"""SELECT group_id FROM "{tenant_id}".{db_settings.TENANT_USER_GROUPS_TABLE}
+                    WHERE delete_status = 'NOT_DELETED' AND is_active = true AND user_id = %s""",(user_id,),
             )
 
+            # 2️⃣ Prepare list of group_ids
+            group_ids = [g["group_id"] for g in user_groups] if user_groups else []
+
+            # 3️⃣ Get login settings - check user-level first, then group-level
+            if group_ids:
+                login_settings_details = DatabaseManager.execute_query(
+                    f"""SELECT user_id, group_id, is_suspended, can_always_login,
+                    is_multi_factor_enabled, is_login_before, working_days,
+                    login_on, logout_on FROM "{tenant_id}".{db_settings.TENANT_LOGIN_SETTINGS_TABLE}
+                    WHERE (delete_status = 'NOT_DELETED' AND is_active = true )
+                    AND (user_id = %s OR group_id = ANY(%s))
+                    ORDER BY user_id NULLS LAST
+                    LIMIT 1""",
+                    (user_id, group_ids),
+                )
+            else:
+                login_settings_details = DatabaseManager.execute_query(
+                    f"""SELECT user_id, group_id, is_suspended, can_always_login,
+                    is_multi_factor_enabled, is_login_before, working_days,
+                    login_on, logout_on FROM "{tenant_id}".{db_settings.TENANT_LOGIN_SETTINGS_TABLE}
+                    WHERE (delete_status = 'NOT_DELETED' AND is_active = true ) AND user_id = %s""",
+                    (user_id,),
+                )
+
             if not login_settings_details or len(login_settings_details) == 0:
                 logger.warning("Authorization failed - user not found: %s in tenant: %s", user_id, tenant_id)
                 return Respons[AuthServiceReadDto](
@@ -124,56 +146,67 @@ class AuthService:
                     error="USER_SUSPENDED"
                 )
 
+            # ✅ UPDATED: Mutually exclusive login restrictions logic
             if not login_settings_details[0]['can_always_login']:
-                current_day = datetime.now().strftime("%A").upper()
-                
-                if current_day not in login_settings_details[0]['working_days']:
-                    logger.warning("Authorization failed - outside working days for user: %s checking custom login period", user_id)
-              
+                # Get from database (should already be datetime objects)
+                login_on = login_settings_details[0]['login_on']
+                logout_on = login_settings_details[0]['logout_on']
+                working_days = login_settings_details[0]['working_days']
+
+                # Only ONE restriction type can be active at a time:
+                # 1. working_days restriction (if login_on/logout_on are NULL)
+                # 2. time period restriction (if login_on/logout_on are set)
+
+                if login_on and logout_on:
+                    # Time period restriction is active
+                    logger.info(f"Checking time period restriction for user: {user_id}")
+
                     # Get current datetime (full date and time) with timezone
-                    current_datetime = datetime.now(timezone.utc).replace(microsecond=0, second=0)
-                    
-                    # Get from database (should already be datetime objects)
-                    login_on = login_settings_details[0]['login_on']
-                    logout_on = login_settings_details[0]['logout_on']
-                    
-                    # Set defaults if None (with timezone awareness)
-                    if not login_on:
-                        login_on = datetime.min.replace(tzinfo=timezone.utc)
-                    if not logout_on:
-                        logout_on = datetime.max.replace(tzinfo=timezone.utc)
+                    current_datetime = datetime.now(timezone.utc).replace(
+                        microsecond=0, second=0
+                    )
 
                     # Compare full datetime objects (both date and time)
                     if not (login_on <= current_datetime <= logout_on):
-                        logger.warning("Authorization failed - outside allowed period for user: %s", user_id)
+                        logger.warning(
+                            f"Authorization failed - outside allowed period for user: {user_id}"
+                        )
                         return Respons[AuthServiceReadDto](
-                            detail="Login is not allowed at this time. Please check your access schedule.",
+                            detail="Access is not allowed at this time. Please check your access schedule.",
                             data=[],
                             success=False,
                             status_code=403,
                             error="LOGIN_TIME_RESTRICTED"
                         )
-            
-            # 1️⃣ Get all groups the user belongs to
-            user_groups = DatabaseManager.execute_query(
-                f"""SELECT group_id FROM "{tenant_id}".{db_settings.TENANT_USER_GROUPS_TABLE}
-                    WHERE delete_status = 'NOT_DELETED' AND is_active = true AND user_id = %s""",(user_id,),
-            )
+                elif working_days:
+                    # Working days restriction is active
+                    logger.info(f"Checking working days restriction for user: {user_id}")
+                    current_day = datetime.now().strftime("%A").upper()
 
-            # 2️⃣ Prepare list of group_ids
-            group_ids = [g["group_id"] for g in user_groups] if user_groups else []
+                    if current_day not in working_days:
+                        logger.warning(
+                            f"Authorization failed - not a working day for user: {user_id}"
+                        )
+                        return Respons[AuthServiceReadDto](
+                            detail="Access is not allowed on this day. Please contact your administrator.",
+                            data=[],
+                            success=False,
+                            status_code=403,
+                            error="LOGIN_DAY_RESTRICTED"
+                        )
 
-            # 3️⃣ Build query dynamically to include groups (if any) + user
+            # 4️⃣ Build query dynamically to include groups (if any) + user
+            # ⚠️ CHANGED: Simplified to new schema - only select user_id, group_id, role_id, resource_type
             if group_ids:
                 get_user_roles = DatabaseManager.execute_query(
                     f"""
-                        SELECT DISTINCT ON (org_id, group_id, bus_id, app_id, shared_resource_id, resource_id, user_id, role_id)
-                            org_id, group_id, bus_id, app_id, shared_resource_id, resource_id, user_id, role_id
+                        SELECT DISTINCT ON (group_id, user_id, role_id)
+                            group_id, user_id, role_id, resource_type
                         FROM "{tenant_id}".{db_settings.TENANT_ASSIGN_ROLES_TABLE}
                         WHERE delete_status = 'NOT_DELETED'
                         AND is_active = true
                         AND (user_id = %s OR group_id = ANY(%s))
-                        ORDER BY org_id, group_id, bus_id, app_id, shared_resource_id, resource_id, user_id, role_id;
+                        ORDER BY group_id, user_id, role_id;
                     """,
                     (user_id, group_ids),
                 )
@@ -181,13 +214,13 @@ class AuthService:
                 # No groups, just check roles for user
                 get_user_roles = DatabaseManager.execute_query(
                     f"""
-                        SELECT DISTINCT ON (org_id, bus_id, app_id, shared_resource_id, resource_id, user_id, role_id)
-                            org_id, bus_id, app_id, shared_resource_id, resource_id, user_id, role_id
+                        SELECT DISTINCT ON (user_id, role_id)
+                            user_id, role_id, resource_type
                         FROM "{tenant_id}".{db_settings.TENANT_ASSIGN_ROLES_TABLE}
                         WHERE delete_status = 'NOT_DELETED'
                         AND is_active = true
                         AND user_id = %s
-                        ORDER BY org_id, bus_id, app_id, shared_resource_id, resource_id, user_id, role_id;
+                        ORDER BY user_id, role_id;
                     """,
                     (user_id,),
                 )
@@ -224,31 +257,27 @@ class AuthService:
                 status_code=500,
                 error="Authorization check failed due to an internal error"
             )
-        
+
     @staticmethod
-    def check_permission(users_data: list, action=None, org_id=None, bus_id=None, app_id=None,
-                     resource_id=None, shared_resource_id=None) -> bool:
+    def check_permission(users_data: list, action=None, resource_type=None) -> bool:
         """
-        Check if user has a given permission (action) for a specific target.
-        
-        Hierarchy: organization > business > app > location > resource/shared_resource
-        If a field in role is None, it applies to all under that level.
+        Check if user has a given permission (action).
+
+        Args:
+            users_data: List of user authorization data containing roles and permissions
+            action: The permission/action to check for
+            resource_type: Optional resource type filter (e.g., 'rt-user', 'rt-group')
+
+        Returns:
+            bool: True if user has the permission, False otherwise
         """
         for user_data in users_data:
-            # Check hierarchy: None means "all"
-            if user_data.org_id not in (None, org_id):
-                continue
-            if user_data.bus_id not in (None, bus_id):
-                continue
-            if user_data.app_id not in (None, app_id):
-                continue
-            if user_data.resource_id not in (None, resource_id):
-                continue
-            if user_data.shared_resource_id not in (None, shared_resource_id):
+            # Check resource_type if specified
+            if resource_type and user_data.resource_type and user_data.resource_type != resource_type:
                 continue
 
             # Check if the permission exists
-            if action in user_data.permissions:
+            if action and action in user_data.permissions:
                 return True
 
         return False

{trovesuite-1.0.10 → trovesuite-1.0.12/src/trovesuite.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: trovesuite
-Version: 1.0.10
+Version: 1.0.12
 Summary: TroveSuite services package providing authentication, authorization, notifications, Azure Storage, and other enterprise services for TroveSuite applications
 Home-page: https://dev.azure.com/brightgclt/trovesuite/_git/packages
 Author: Bright Debrah Owusu