trovesuite 1.0.11__py3-none-any.whl → 1.0.13__py3-none-any.whl

trovesuite/auth/auth_service.py

@@ -77,7 +77,7 @@ class AuthService:
             )
 
             if not is_tenant_verified or len(is_tenant_verified) == 0:
-                logger.warning("Login failed - tenant not found: %s", tenant_id)
+                logger.warning("Authorization failed - tenant not found: %s", tenant_id)
                 return Respons[AuthServiceReadDto](
                     detail=f"Tenant '{tenant_id}' not found or has been deleted",
                     data=[],
@@ -87,7 +87,7 @@ class AuthService:
                 )
 
             if not is_tenant_verified[0]['is_verified']:
-                logger.warning("Login failed - tenant not verified for user: %s, tenant: %s", user_id, tenant_id)
+                logger.warning("Authorization failed - tenant not verified for user: %s, tenant: %s", user_id, tenant_id)
                 return Respons[AuthServiceReadDto](
                     detail=f"Tenant '{tenant_id}' is not verified. Please contact your administrator.",
                     data=[],
@@ -146,35 +146,54 @@ class AuthService:
                     error="USER_SUSPENDED"
                 )
 
+            # ✅ UPDATED: Mutually exclusive login restrictions logic
             if not login_settings_details[0]['can_always_login']:
-                current_day = datetime.now().strftime("%A").upper()
+                # Get from database (should already be datetime objects)
+                login_on = login_settings_details[0]['login_on']
+                logout_on = login_settings_details[0]['logout_on']
+                working_days = login_settings_details[0]['working_days']
 
-                if current_day not in login_settings_details[0]['working_days']:
-                    logger.warning("Authorization failed - outside working days for user: %s checking custom login period", user_id)
+                # Only ONE restriction type can be active at a time:
+                # 1. working_days restriction (if login_on/logout_on are NULL)
+                # 2. time period restriction (if login_on/logout_on are set)
 
-                    # Get current datetime (full date and time) with timezone
-                    current_datetime = datetime.now(timezone.utc).replace(microsecond=0, second=0)
-
-                    # Get from database (should already be datetime objects)
-                    login_on = login_settings_details[0]['login_on']
-                    logout_on = login_settings_details[0]['logout_on']
+                if login_on and logout_on:
+                    # Time period restriction is active
+                    logger.info(f"Checking time period restriction for user: {user_id}")
 
-                    # Set defaults if None (with timezone awareness)
-                    if not login_on:
-                        login_on = datetime.min.replace(tzinfo=timezone.utc)
-                    if not logout_on:
-                        logout_on = datetime.max.replace(tzinfo=timezone.utc)
+                    # Get current datetime (full date and time) with timezone
+                    current_datetime = datetime.now(timezone.utc).replace(
+                        microsecond=0, second=0
+                    )
 
                     # Compare full datetime objects (both date and time)
                     if not (login_on <= current_datetime <= logout_on):
-                        logger.warning("Authorization failed - outside allowed period for user: %s", user_id)
+                        logger.warning(
+                            f"Authorization failed - outside allowed period for user: {user_id}"
+                        )
                         return Respons[AuthServiceReadDto](
-                            detail="Login is not allowed at this time. Please check your access schedule.",
+                            detail="Access is not allowed at this time. Please check your access schedule.",
                             data=[],
                             success=False,
                             status_code=403,
                             error="LOGIN_TIME_RESTRICTED"
                         )
+                elif working_days:
+                    # Working days restriction is active
+                    logger.info(f"Checking working days restriction for user: {user_id}")
+                    current_day = datetime.now().strftime("%A").upper()
+
+                    if current_day not in working_days:
+                        logger.warning(
+                            f"Authorization failed - not a working day for user: {user_id}"
+                        )
+                        return Respons[AuthServiceReadDto](
+                            detail="Access is not allowed on this day. Please contact your administrator.",
+                            data=[],
+                            success=False,
+                            status_code=403,
+                            error="LOGIN_DAY_RESTRICTED"
+                        )
 
             # 4️⃣ Build query dynamically to include groups (if any) + user
             # ⚠️ CHANGED: Simplified to new schema - only select user_id, group_id, role_id, resource_type
@@ -206,18 +225,62 @@ class AuthService:
                     (user_id,),
                 )
 
+            # ✅ NEW: Get system-level roles from main.system_user_groups and main.system_assign_roles
+            logger.info(f"Fetching system-level roles for user: {user_id}")
+
+            system_roles = DatabaseManager.execute_query(
+                """
+                    SELECT DISTINCT sug.group_id, sug.user_id, sar.role_id, sar.resource_type
+                    FROM main.system_user_groups sug
+                    INNER JOIN main.system_assign_roles sar ON sug.group_id = sar.group_id
+                    WHERE sug.user_id = %s
+                    AND sug.delete_status = 'NOT_DELETED'
+                    AND sar.is_active = true
+                    AND sar.delete_status = 'NOT_DELETED'
+                """,
+                (user_id,)
+            )
+
+            if system_roles:
+                logger.info(f"Found {len(system_roles)} system-level role(s) for user: {user_id}")
+            else:
+                logger.info(f"No system-level roles found for user: {user_id}")
+
+            # ✅ NEW: Also check for direct system role assignments (user_id in system_assign_roles)
+            direct_system_roles = DatabaseManager.execute_query(
+                """
+                    SELECT DISTINCT NULL as group_id, sar.user_id, sar.role_id, sar.resource_type
+                    FROM main.system_assign_roles sar
+                    WHERE sar.user_id = %s
+                    AND sar.is_active = true
+                    AND sar.delete_status = 'NOT_DELETED'
+                """,
+                (user_id,)
+            )
+
+            if direct_system_roles:
+                logger.info(f"Found {len(direct_system_roles)} direct system-level role assignment(s) for user: {user_id}")
+                system_roles.extend(direct_system_roles)
+
+            # ✅ NEW: Merge tenant-level and system-level roles
+            all_roles = get_user_roles + system_roles
+            logger.info(f"Total roles (tenant + system) for user {user_id}: {len(all_roles)}")
+
             # GET permissions and Append to Role
             get_user_roles_with_tenant_and_permissions = []
-            for role in get_user_roles:
+            for role in all_roles:
                 permissions = DatabaseManager.execute_query(
                     f"""SELECT permission_id FROM {db_settings.MAIN_ROLE_PERMISSIONS_TABLE} WHERE role_id = %s""",
-                    params=(role["role_id"],),)
+                    params=(role["role_id"],),
+                )
 
                 role_dict = {**role, "tenant_id": tenant_id, "permissions": [p['permission_id'] for p in permissions]}
                 get_user_roles_with_tenant_and_permissions.append(role_dict)
 
             roles_dto = Helper.map_to_dto(get_user_roles_with_tenant_and_permissions, AuthServiceReadDto)
 
+            logger.info(f"Authorization successful for user: {user_id} with {len(roles_dto)} total role entries")
+
             return Respons[AuthServiceReadDto](
                 detail="Authorized",
                 data=roles_dto,
@@ -230,7 +293,7 @@ class AuthService:
             raise http_ex
 
         except Exception as e:
-            logger.error("Authorization check failed for user: %s", str(e))
+            logger.error("Authorization check failed for user: %s - Error: %s", user_id, str(e), exc_info=True)
             return Respons[AuthServiceReadDto](
                 detail=None,
                 data=[],
@@ -239,6 +302,7 @@ class AuthService:
                 error="Authorization check failed due to an internal error"
             )
 
+
     @staticmethod
     def check_permission(users_data: list, action=None, resource_type=None) -> bool:
         """

{trovesuite-1.0.11.dist-info → trovesuite-1.0.13.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: trovesuite
-Version: 1.0.11
+Version: 1.0.13
 Summary: TroveSuite services package providing authentication, authorization, notifications, Azure Storage, and other enterprise services for TroveSuite applications
 Home-page: https://dev.azure.com/brightgclt/trovesuite/_git/packages
 Author: Bright Debrah Owusu

{trovesuite-1.0.11.dist-info → trovesuite-1.0.13.dist-info}/RECORD

@@ -3,7 +3,7 @@ trovesuite/auth/__init__.py,sha256=OjZllVvjul1glDazJ-d5TrNjgHFigFlQQi1G99DYshk,2
 trovesuite/auth/auth_base.py,sha256=rZHQVLeJRBQ8GClgF5UwG-er4_HXVX5-nt8o6_Z29uY,75
 trovesuite/auth/auth_controller.py,sha256=PAgaVlf5TYEfkSfK4vGGsvO84i8zEmeVVXyUF2YBppI,420
 trovesuite/auth/auth_read_dto.py,sha256=e27JqKVPVUM83A_mYF452QCflsvGNo7aKje7q_urwFc,571
-trovesuite/auth/auth_service.py,sha256=CRGGXCdaAknznwq68ghmhtZ13NM73tu32OPJK8JJ2_Y,14488
+trovesuite/auth/auth_service.py,sha256=N5ax0rdGlHcu7cpJyAFrrwdkwKN8gsoh-t6ngIvXBAk,17548
 trovesuite/auth/auth_write_dto.py,sha256=rdwI7w6-9QZGv1H0PAGrjkLBCzaMHjgPIXeLb9RmNec,234
 trovesuite/configs/__init__.py,sha256=h1mSZOaZ3kUy1ZMO_m9O9KklsxywM0RfMVZLh9h9WvQ,328
 trovesuite/configs/database.py,sha256=IPSu8fXjxyYeJ3bFknJG06Qm2L2ub6Ht19xhKv8g7nA,11731
@@ -26,8 +26,8 @@ trovesuite/storage/storage_service.py,sha256=V7LIePIV6b_iuhm-9x8r4zwpZHgeRPL1YIe
 trovesuite/storage/storage_write_dto.py,sha256=vl1iCZ93bpFmpvkCrn587QtMtOA_TPDseXSoTuj9RTQ,1355
 trovesuite/utils/__init__.py,sha256=3UPKTz9cluTgAM-ldNsJxsnoPTZiqacXlAmzUEHy6q8,143
 trovesuite/utils/helper.py,sha256=lvZ1mvaqY84dkIPB5Ov0uwYDOWBziAS8twobEJZh2Ik,1002
-trovesuite-1.0.11.dist-info/licenses/LICENSE,sha256=EJT35ct-Q794JYPdAQy3XNczQGKkU1HzToLeK1YVw2s,1070
-trovesuite-1.0.11.dist-info/METADATA,sha256=HTQhhc9Yps3NbrJz8JqfP493kSVIMux4ToJB2F31_-8,21737
-trovesuite-1.0.11.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-trovesuite-1.0.11.dist-info/top_level.txt,sha256=GzKhG_-MTaxeHrIgkGkBH_nof2vroGFBrjeHKWUIwNc,11
-trovesuite-1.0.11.dist-info/RECORD,,
+trovesuite-1.0.13.dist-info/licenses/LICENSE,sha256=EJT35ct-Q794JYPdAQy3XNczQGKkU1HzToLeK1YVw2s,1070
+trovesuite-1.0.13.dist-info/METADATA,sha256=V0DYYd8qAzusR_UKkg--F4scCYY0PhONHhjoa6fZ91k,21737
+trovesuite-1.0.13.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+trovesuite-1.0.13.dist-info/top_level.txt,sha256=GzKhG_-MTaxeHrIgkGkBH_nof2vroGFBrjeHKWUIwNc,11
+trovesuite-1.0.13.dist-info/RECORD,,