xenfra 0.1.7__py3-none-any.whl → 0.1.9__py3-none-any.whl

xenfra/api/auth.py

@@ -0,0 +1,51 @@
+# src/xenfra/api/auth.py
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordRequestForm
+from sqlmodel import Session, select
+
+from xenfra.db.session import get_session
+from xenfra.db.models import User, UserCreate, UserRead
+from xenfra.security import get_password_hash, verify_password, create_access_token
+
+router = APIRouter()
+
+@router.post("/register", response_model=UserRead)
+def register_user(user: UserCreate, session: Session = Depends(get_session)):
+    """
+    Create a new user.
+    """
+    db_user = session.exec(select(User).where(User.email == user.email)).first()
+    if db_user:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Email already registered",
+        )
+    
+    hashed_password = get_password_hash(user.password)
+    new_user = User(email=user.email, hashed_password=hashed_password, is_active=True)
+    
+    session.add(new_user)
+    session.commit()
+    session.refresh(new_user)
+    
+    return new_user
+
+@router.post("/token")
+def login_for_access_token(form_data: OAuth2PasswordRequestForm = Depends(), session: Session = Depends(get_session)):
+    """
+    Login user and return a JWT access token.
+    """
+    user = session.exec(select(User).where(User.email == form_data.username)).first()
+    if not user or not verify_password(form_data.password, user.hashed_password):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect username or password",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    
+    if not user.is_active:
+        raise HTTPException(status_code=400, detail="Inactive user")
+
+    access_token = create_access_token(data={"sub": user.email})
+    return {"access_token": access_token, "token_type": "bearer"}

xenfra/api/billing.py

@@ -0,0 +1,80 @@
+# src/xenfra/api/billing.py
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlmodel import Session, select
+from pydantic import BaseModel
+
+from xenfra.db.session import get_session
+from xenfra.db.models import User, Credential
+from xenfra.dependencies import get_current_active_user # Corrected import
+from xenfra.engine import InfraEngine
+from xenfra.security import decrypt_token
+from xenfra.models import DropletCostRead # Import new model
+
+router = APIRouter()
+
+class BalanceRead(BaseModel):
+    month_to_date_balance: str
+    account_balance: str
+    month_to_date_usage: str
+    generated_at: str
+    error: str | None = None
+
+@router.get("/balance", response_model=BalanceRead)
+def get_billing_balance(
+    session: Session = Depends(get_session), 
+    user: User = Depends(get_current_active_user)
+):
+    """
+    Get the current DigitalOcean account balance and month-to-date usage.
+    """
+    # Find the user's DigitalOcean credential
+    do_credential = session.exec(
+        select(Credential).where(Credential.user_id == user.id, Credential.service == "digitalocean")
+    ).first()
+    
+    if not do_credential:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="DigitalOcean credential not found for this user. Please connect your account.",
+        )
+
+    try:
+        do_token = decrypt_token(do_credential.encrypted_token)
+        engine = InfraEngine(token=do_token)
+        balance_data = engine.get_account_balance()
+        return BalanceRead(**balance_data)
+    except Exception as e:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail=f"Failed to fetch balance from DigitalOcean: {e}",
+        )
+
+@router.get("/droplets", response_model=list[DropletCostRead])
+def get_billing_droplets(
+    session: Session = Depends(get_session), 
+    user: User = Depends(get_current_active_user)
+):
+    """
+    Get a list of Xenfra-managed DigitalOcean droplets with their estimated monthly costs.
+    """
+    do_credential = session.exec(
+        select(Credential).where(Credential.user_id == user.id, Credential.service == "digitalocean")
+    ).first()
+    
+    if not do_credential:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="DigitalOcean credential not found for this user. Please connect your account.",
+        )
+
+    try:
+        do_token = decrypt_token(do_credential.encrypted_token)
+        engine = InfraEngine(token=do_token)
+        droplets_data = engine.get_droplet_cost_estimates()
+        return [DropletCostRead(**d) for d in droplets_data]
+    except Exception as e:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail=f"Failed to fetch droplet cost estimates from DigitalOcean: {e}",
+        )

xenfra/api/connections.py

@@ -0,0 +1,163 @@
+# src/xenfra/api/connections.py
+
+import httpx
+from fastapi import APIRouter, Depends, HTTPException, status, Request
+from fastapi.responses import RedirectResponse
+from sqlmodel import Session, select
+import secrets
+
+from xenfra.db.session import get_session
+from xenfra.db.models import User, Credential, CredentialCreate
+from xenfra.dependencies import get_current_active_user # Corrected import
+from xenfra.security import encrypt_token
+from xenfra.config import settings
+
+router = APIRouter()
+
+# --- GitHub OAuth ---
+# GITHUB_CLIENT_ID = os.getenv("GITHUB_CLIENT_ID") # Moved inside function
+# GITHUB_CLIENT_SECRET = os.getenv("GITHUB_CLIENT_SECRET") # Moved inside function
+# GITHUB_REDIRECT_URI = os.getenv("GITHUB_REDIRECT_URI", "http://localhost:8000/connections/github/callback") # Moved inside function
+
+@router.get("/github/login")
+def github_login(request: Request): # Add request: Request
+    """Redirects the user to GitHub for authorization."""
+    GITHUB_CLIENT_ID = settings.GITHUB_CLIENT_ID
+    GITHUB_REDIRECT_URI = settings.GITHUB_REDIRECT_URI
+    
+    state = secrets.token_urlsafe(32)
+    request.session["github_oauth_state"] = state
+    
+    return RedirectResponse(
+        f"https://github.com/login/oauth/authorize?client_id={GITHUB_CLIENT_ID}&scope=repo%20user:email&redirect_uri={GITHUB_REDIRECT_URI}&state={state}",
+        status_code=302
+    )
+
+@router.get("/github/callback")
+async def github_callback(code: str, request: Request, session: Session = Depends(get_session), user: User = Depends(get_current_active_user)):
+    """
+    Handles the callback from GitHub, exchanges the code for a token,
+    and stores the encrypted token.
+    """
+    received_state = request.query_params.get("state")
+    stored_state = request.session.pop("github_oauth_state", None)
+
+    if not received_state or not stored_state or received_state != stored_state:
+        raise HTTPException(status_code=400, detail="Invalid OAuth state. Possible CSRF attack.")
+
+    GITHUB_CLIENT_ID = settings.GITHUB_CLIENT_ID
+    GITHUB_CLIENT_SECRET = settings.GITHUB_CLIENT_SECRET
+    if not GITHUB_CLIENT_SECRET: # Explicit check for client secret
+        raise HTTPException(status_code=500, detail="GitHub client secret not configured.")
+    # GITHUB_REDIRECT_URI is not needed here
+    
+    async with httpx.AsyncClient() as client:
+        token_response = await client.post(
+            "https://github.com/login/oauth/access_token",
+            json={"client_id": GITHUB_CLIENT_ID, "client_secret": GITHUB_CLIENT_SECRET, "code": code},
+            headers={"Accept": "application/json"}
+        )
+    
+    token_data = await token_response.json() # Await the json() coroutine
+    access_token = token_data.get("access_token")
+
+    if not access_token:
+        # GitHub might return an error in token_data, e.g., {'error': 'bad_verification_code'}
+        error_detail = token_data.get("error_description", token_data.get("error", "Unknown error during token exchange"))
+        raise HTTPException(status_code=400, detail=f"Could not fetch GitHub access token: {error_detail}")
+
+    # Encrypt and store the token
+    encrypted_token = encrypt_token(access_token)
+
+    # Fetch GitHub App installation ID
+    async with httpx.AsyncClient() as client:
+        installations_response = await client.get(
+            "https://api.github.com/user/installations",
+            headers={
+                "Authorization": f"token {access_token}",
+                "Accept": "application/vnd.github.v3+json"
+            }
+        )
+    installations_data = await installations_response.json()
+    installation_id = None
+    if installations_data and "installations" in installations_data and len(installations_data["installations"]) > 0:
+        installation_id = installations_data["installations"][0]["id"]
+    
+    new_credential = CredentialCreate(
+        service="github", 
+        encrypted_token=encrypted_token, 
+        user_id=user.id, 
+        github_installation_id=installation_id
+    )
+    db_credential = Credential.model_validate(new_credential)
+    session.add(db_credential)
+    session.commit()
+
+    # Redirect user back to the frontend (URL should be configurable)
+    return RedirectResponse(url=f"{settings.FRONTEND_OAUTH_REDIRECT_SUCCESS}?success=github", status_code=302)
+
+
+# --- DigitalOcean OAuth ---
+# DO_CLIENT_ID = os.getenv("DO_CLIENT_ID") # Moved inside function
+# DO_CLIENT_SECRET = os.getenv("DO_CLIENT_SECRET") # Moved inside function
+# DO_REDIRECT_URI = os.getenv("DO_REDIRECT_URI", "http://localhost:8000/connections/digitalocean/callback") # Moved inside function
+
+@router.get("/digitalocean/login")
+def digitalocean_login(request: Request): # Add request: Request
+    """Redirects the user to DigitalOcean for authorization."""
+    DO_CLIENT_ID = settings.DO_CLIENT_ID
+    DO_REDIRECT_URI = settings.DO_REDIRECT_URI
+        
+    state = secrets.token_urlsafe(32)
+    request.session["digitalocean_oauth_state"] = state
+
+    return RedirectResponse(
+        f"https://cloud.digitalocean.com/v1/oauth/authorize?client_id={DO_CLIENT_ID}&response_type=code&scope=read%20write&redirect_uri={DO_REDIRECT_URI}&state={state}",
+        status_code=302
+    )
+
+@router.get("/digitalocean/callback")
+async def digitalocean_callback(code: str, request: Request, session: Session = Depends(get_session), user: User = Depends(get_current_active_user)):
+    """
+    Handles the callback from DigitalOcean, exchanges the code for a token,
+    and stores the encrypted token.
+    """
+    received_state = request.query_params.get("state")
+    stored_state = request.session.pop("digitalocean_oauth_state", None)
+
+    if not received_state or not stored_state or received_state != stored_state:
+        raise HTTPException(status_code=400, detail="Invalid OAuth state. Possible CSRF attack.")
+
+    DO_CLIENT_ID = settings.DO_CLIENT_ID
+    DO_CLIENT_SECRET = settings.DO_CLIENT_SECRET
+    DO_REDIRECT_URI = settings.DO_REDIRECT_URI
+    if not DO_CLIENT_SECRET: # Explicit check for client secret
+        raise HTTPException(status_code=500, detail="DigitalOcean client secret not configured.")
+    
+    
+    async with httpx.AsyncClient() as client:
+        token_response = await client.post(
+            "https://cloud.digitalocean.com/v1/oauth/token",
+            params={
+                "grant_type": "authorization_code",
+                "client_id": DO_CLIENT_ID,
+                "client_secret": DO_CLIENT_SECRET,
+                "code": code,
+                "redirect_uri": DO_REDIRECT_URI
+            }
+        )
+
+    token_data = await token_response.json() # Await the json() coroutine
+    access_token = token_data.get("access_token")
+
+    if not access_token:
+        error_detail = token_data.get("error_description", token_data.get("error", "Unknown error during token exchange"))
+        raise HTTPException(status_code=400, detail=f"Could not fetch DigitalOcean access token: {error_detail}")
+
+    encrypted_token = encrypt_token(access_token)
+    new_credential = CredentialCreate(service="digitalocean", encrypted_token=encrypted_token, user_id=user.id)
+    db_credential = Credential.model_validate(new_credential)
+    session.add(db_credential)
+    session.commit()
+    
+    return RedirectResponse(url=f"{settings.FRONTEND_OAUTH_REDIRECT_SUCCESS}?success=digitalocean", status_code=302)

xenfra/api/main.py

@@ -0,0 +1,175 @@
+from fastapi import FastAPI, Depends, HTTPException, status, Request, BackgroundTasks
+from fastapi.middleware.cors import CORSMiddleware
+from starlette.middleware.sessions import SessionMiddleware # Import SessionMiddleware
+from fastapi.security import OAuth2PasswordBearer # This will be removed, as oauth2_scheme is in dependencies
+from sqlmodel import Session, select
+from jose import JWTError
+from typing import List
+from datetime import datetime
+
+import os # Keep os import for now as it is used in other places.
+
+from xenfra.engine import InfraEngine
+from xenfra.models import Deployment, ProjectRead # Import ProjectRead
+from xenfra.db.session import create_db_and_tables, get_session
+from xenfra.db.models import User, UserRead, Credential, CredentialRead
+from xenfra.security import decode_token, decrypt_token
+from xenfra.dependencies import get_current_user, get_current_active_user, oauth2_scheme # Import oauth2_scheme from dependencies
+from pydantic import BaseModel
+from xenfra.config import settings
+
+
+# --- Lifespan ---
+from contextlib import asynccontextmanager
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    create_db_and_tables()
+    yield
+
+# --- App Initialization ---
+app = FastAPI(
+    title="Xenfra API",
+    description="API for the Xenfra deployment engine.",
+    version="0.1.0",
+    lifespan=lifespan
+)
+
+# --- Middleware ---
+app.add_middleware(SessionMiddleware, secret_key=settings.SECRET_KEY) # Use settings.SECRET_KEY here
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=["*"],  # For dev, allow all. In prod, strict listing.
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+# --- Router Imports (Moved after app initialization) ---
+from xenfra.api import auth, connections, webhooks, billing
+
+# --- Routers ---
+app.include_router(auth.router, prefix="/auth", tags=["Authentication"])
+app.include_router(connections.router, prefix="/connections", tags=["Connections"])
+app.include_router(webhooks.router, prefix="/webhooks", tags=["Webhooks"])
+app.include_router(billing.router, prefix="/billing", tags=["Billing"])
+
+
+# --- Models for Frontend Requests ---
+class DeploymentCreateRequest(BaseModel):
+    name: str
+    region: str
+    size: str
+    image: str
+    email: str
+    domain: str | None = None
+    repo_url: str | None = None # For future Git deployments via web UI
+
+
+# --- Endpoints ---
+@app.get("/")
+def read_root():
+    return {"message": "Welcome to the Xenfra API"}
+
+@app.post("/deployments/new")
+def create_new_deployment(
+    request: DeploymentCreateRequest,
+    background_tasks: BackgroundTasks,
+    session: Session = Depends(get_session),
+    user: User = Depends(get_current_active_user)
+):
+    """
+    Triggers a new deployment based on provided configuration.
+    """
+    do_credential = session.exec(
+        select(Credential).where(Credential.user_id == user.id, Credential.service == "digitalocean")
+    ).first()
+    
+    if not do_credential:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="DigitalOcean credential not found for this user. Please connect your account.",
+        )
+
+    try:
+        do_token = decrypt_token(do_credential.encrypted_token)
+        engine = InfraEngine(token=do_token)
+        
+        # Offload the deployment to a background task
+        background_tasks.add_task(
+            engine.deploy_server,
+            name=request.name,
+            region=request.region,
+            size=request.size,
+            image=request.image,
+            email=request.email,
+            domain=request.domain,
+            repo_url=request.repo_url
+        )
+        return {"status": "success", "message": "Deployment initiated in background."}
+    except Exception as e:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail=f"Deployment failed: {e}",
+        )
+
+@app.get("/users/me", response_model=UserRead)
+def read_users_me(current_user: User = Depends(get_current_active_user)):
+    """
+    Fetch the current logged in user.
+    """
+    return current_user
+
+@app.get("/users/me/connections", response_model=List[CredentialRead])
+def read_user_connections(current_user: User = Depends(get_current_active_user), session: Session = Depends(get_session)):
+    """
+    Fetch the current logged in user's connected credentials (GitHub, DigitalOcean).
+    """
+    credentials = session.exec(select(Credential).where(Credential.user_id == current_user.id)).all()
+    return credentials
+
+@app.get("/projects", response_model=List[ProjectRead])
+def list_projects(
+    session: Session = Depends(get_session),
+    user: User = Depends(get_current_active_user)
+):
+    """
+    Lists Xenfra-managed Droplets as projects.
+    """
+    do_credential = session.exec(
+        select(Credential).where(Credential.user_id == user.id, Credential.service == "digitalocean")
+    ).first()
+    
+    if not do_credential:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="DigitalOcean credential not found for this user. Please connect your account.",
+        )
+    
+    try:
+        do_token = decrypt_token(do_credential.encrypted_token)
+        engine = InfraEngine(token=do_token)
+        
+        droplets = engine.list_servers()
+        projects = []
+        for droplet in droplets:
+            # For V0, a "project" is simply a Xenfra-managed Droplet
+            # We filter by name convention 'xenfra-'
+            if droplet.name.startswith("xenfra-"):
+                estimated_monthly_cost = droplet.size['price_monthly'] if droplet.size else None
+                projects.append(ProjectRead(
+                    id=droplet.id,
+                    name=droplet.name,
+                    ip_address=droplet.ip_address,
+                    status=droplet.status,
+                    region=droplet.region['slug'],
+                    size_slug=droplet.size['slug'],
+                    estimated_monthly_cost=estimated_monthly_cost,
+                    created_at=datetime.fromisoformat(droplet.created_at.replace('Z', '+00:00')) # Ensure datetime is timezone aware
+                ))
+        return projects
+    except Exception as e:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail=f"Failed to list projects from DigitalOcean: {e}",
+        )

xenfra/api/webhooks.py

@@ -0,0 +1,146 @@
+# src/xenfra/api/webhooks.py
+
+import hmac
+import hashlib
+from fastapi import APIRouter, Depends, HTTPException, status, Request, BackgroundTasks
+from sqlmodel import Session, select
+
+from xenfra.db.session import get_session
+from xenfra.db.models import User, Credential
+from xenfra.dependencies import get_current_active_user # Corrected import
+from xenfra.engine import InfraEngine
+from xenfra.security import decrypt_token
+from xenfra.config import settings
+
+router = APIRouter()
+
+# This secret should be configured in your GitHub App's webhook settings
+GITHUB_WEBHOOK_SECRET = settings.GITHUB_WEBHOOK_SECRET
+
+async def verify_github_signature(request: Request):
+    """
+    Verify that the incoming webhook request is genuinely from GitHub.
+    """
+    if not GITHUB_WEBHOOK_SECRET:
+        raise HTTPException(status_code=500, detail="GitHub webhook secret not configured.")
+
+    signature_header = request.headers.get("X-Hub-Signature-256")
+    if not signature_header:
+        raise HTTPException(status_code=400, detail="X-Hub-Signature-256 header is missing.")
+
+    signature_parts = signature_header.split("=", 1)
+    if len(signature_parts) != 2 or signature_parts[0] != "sha256":
+        raise HTTPException(status_code=400, detail="Invalid signature format.")
+
+    signature = signature_parts[1]
+    body = await request.body()
+    
+    expected_signature = hmac.new(
+        key=GITHUB_WEBHOOK_SECRET.encode(),
+        msg=body,
+        digestmod=hashlib.sha256
+    ).hexdigest()
+
+    if not hmac.compare_digest(expected_signature, signature):
+        raise HTTPException(status_code=400, detail="Invalid signature.")
+
+
+@router.post("/github", dependencies=[Depends(verify_github_signature)])
+async def github_webhook(request: Request, background_tasks: BackgroundTasks, session: Session = Depends(get_session)):
+    """
+    Handles incoming webhooks from GitHub to manage Preview Environments.
+    """
+    payload = await request.json()
+    event_type = request.headers.get("X-GitHub-Event")
+
+    if event_type == "pull_request":
+        action = payload.get("action")
+        pr_info = payload.get("pull_request", {})
+        repo_info = payload.get("repository", {})
+        
+        repo_full_name = repo_info.get("full_name")
+        pr_number = pr_info.get("number")
+        commit_sha = pr_info.get("head", {}).get("sha")
+        clone_url = repo_info.get("clone_url")
+        installation_id = payload.get("installation", {}).get("id")
+
+        if not all([repo_full_name, pr_number, commit_sha, clone_url, installation_id]):
+            raise HTTPException(status_code=400, detail="Incomplete pull request payload or missing installation ID.")
+
+        # Find the user associated with this GitHub App installation
+        github_credential = session.exec(
+            select(Credential).where(
+                Credential.service == "github",
+                Credential.github_installation_id == installation_id
+            )
+        ).first()
+
+        if not github_credential:
+            raise HTTPException(status_code=404, detail=f"No GitHub credential found for installation ID {installation_id}.")
+
+        user = session.exec(select(User).where(User.id == github_credential.user_id)).first()
+        if not user:
+            raise HTTPException(status_code=404, detail=f"User not found for credential with installation ID {installation_id}.")
+
+        # Find the user's DigitalOcean credential
+        do_credential = session.exec(
+            select(Credential).where(Credential.user_id == user.id, Credential.service == "digitalocean")
+        ).first()
+        
+        if not do_credential:
+            raise HTTPException(status_code=400, detail=f"No DigitalOcean credential found for user {user.email}.")
+
+        # Decrypt the token and instantiate the engine
+        try:
+            do_token = decrypt_token(do_credential.encrypted_token)
+            engine = InfraEngine(token=do_token) # InfraEngine needs to be adapted to accept a token
+            
+            print(f"DEBUG(WEBHOOKS): engine object id: {id(engine)}, type: {type(engine)}")
+            print(f"DEBUG(WEBHOOKS): engine.list_servers method id: {id(engine.list_servers)}, type: {type(engine.list_servers)}")
+
+        except Exception as e:
+            return {"status": "error", "detail": f"Failed to initialize engine: {e}"}
+
+        server_name = f"xenfra-pr-{repo_full_name.replace('/', '-')}-{pr_number}"
+
+        if action in ["opened", "synchronize"]:
+            print(f"🚀 Deploying preview for PR #{pr_number} from {repo_full_name} at {commit_sha[:7]}")
+            # This should be run in a background task in a real app
+            background_tasks.add_task(
+                engine.deploy_server,
+                name=server_name,
+                region="nyc3", # Using a default for now
+                size="s-1vcpu-1gb", # Using a default for now
+                image="ubuntu-22-04-x64", # Using a default for now
+                email=user.email,
+                repo_url=clone_url,
+                commit_sha=commit_sha
+            )
+            # TODO: Post comment back to GitHub with the preview URL
+            # TODO: Store the droplet_id and PR number association in the DB
+            
+            return {"status": "success", "action": "deploying in background"}
+
+
+        elif action == "closed":
+            print(f"🔥 Destroying preview for closed PR #{pr_number} from {repo_full_name}")
+            try:
+                # Find the droplet associated with this PR
+                servers = engine.list_servers()
+                droplet_to_destroy = None
+                for s in servers:
+                    if s.name == server_name:
+                        droplet_to_destroy = s
+                        break
+
+                if droplet_to_destroy:
+                    background_tasks.add_task(engine.destroy_server, droplet_to_destroy.id)
+                    print(f"✅ Droplet {droplet_to_destroy.name} ({droplet_to_destroy.id}) scheduled for destruction.")
+                else:
+                    print(f"⚠️ No droplet found with name {server_name} to destroy.")
+            except Exception as e:
+                print(f"❌ Failed to destroy preview environment: {e}")
+
+            return {"status": "success", "action": "destroying in background"}
+
+    return {"status": "success", "detail": "Webhook received"}