zebra-day 0.0.37__py3-none-any.whl → 2.0.0__py3-none-any.whl

zebra_day/web/app.py

@@ -0,0 +1,248 @@
+"""
+FastAPI application factory for zebra_day.
+
+This module provides the main FastAPI application for the zebra_day web interface.
+"""
+from __future__ import annotations
+
+import os
+import subprocess
+from pathlib import Path
+from typing import Literal, Optional
+
+from fastapi import FastAPI, Request
+from fastapi.staticfiles import StaticFiles
+from fastapi.templating import Jinja2Templates
+from importlib.resources import files
+
+from zebra_day.logging_config import get_logger
+from zebra_day import paths as xdg
+from zebra_day.web.middleware import RequestLoggingMiddleware, print_rate_limiter
+
+_log = get_logger(__name__)
+
+# Package paths
+_PKG_PATH = Path(str(files("zebra_day")))
+_STATIC_PATH = _PKG_PATH / "static"
+_TEMPLATES_PATH = _PKG_PATH / "templates"
+
+
+def get_local_ip() -> str:
+    """Get the local IP address of this machine."""
+    ipcmd = r"""(ip addr show | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1' || ifconfig | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1') 2>/dev/null"""
+    result = subprocess.run(ipcmd, shell=True, capture_output=True, text=True)
+    lines = result.stdout.strip().split("\n")
+    return lines[0] if lines and lines[0] else "127.0.0.1"
+
+
+def create_app(
+    *,
+    debug: bool = False,
+    css_theme: str = "lsmc.css",
+    auth: Optional[Literal["none", "cognito"]] = None,
+) -> FastAPI:
+    """
+    Create and configure the FastAPI application.
+
+    Args:
+        debug: Enable debug mode
+        css_theme: Default CSS theme file name
+        auth: Authentication mode - "none" (public) or "cognito" (AWS Cognito).
+              If None, reads from ZEBRA_DAY_AUTH_MODE env var (defaults to "none").
+
+    Returns:
+        Configured FastAPI application
+    """
+    # Get auth mode from parameter or environment variable
+    if auth is None:
+        auth = os.environ.get("ZEBRA_DAY_AUTH_MODE", "none")  # type: ignore[assignment]
+
+    # Validate auth parameter
+    if auth not in ("none", "cognito"):
+        raise ValueError(f"Invalid auth mode: {auth!r}. Must be 'none' or 'cognito'.")
+
+    app = FastAPI(
+        title="Zebra Day",
+        description="Zebra printer fleet management and label printing",
+        version="0.5.0",
+        debug=debug,
+    )
+
+    # Add request logging middleware
+    app.add_middleware(RequestLoggingMiddleware)
+
+    # Configure authentication if enabled
+    if auth == "cognito":
+        from zebra_day.web.auth import CognitoAuthMiddleware, setup_cognito_auth
+
+        cognito_auth = setup_cognito_auth(app)
+        app.add_middleware(CognitoAuthMiddleware, cognito_auth=cognito_auth)
+        app.state.cognito_auth = cognito_auth
+        app.state.auth_mode = "cognito"
+        _log.info("Cognito authentication middleware enabled")
+    else:
+        app.state.auth_mode = "none"
+        _log.info("Authentication disabled (auth=none)")
+
+    # Store rate limiter in app state for use in endpoints
+    app.state.print_rate_limiter = print_rate_limiter
+
+    # Store app state
+    app.state.css_theme = css_theme
+    app.state.local_ip = get_local_ip()
+    app.state.pkg_path = _PKG_PATH
+
+    # Mount static files
+    app.mount("/static", StaticFiles(directory=str(_STATIC_PATH)), name="static")
+
+    # Also mount package directories that need to be served
+    files_dir = _PKG_PATH / "files"
+    if files_dir.exists():
+        app.mount("/files", StaticFiles(directory=str(files_dir)), name="files")
+
+    etc_dir = _PKG_PATH / "etc"
+    if etc_dir.exists():
+        app.mount("/etc", StaticFiles(directory=str(etc_dir)), name="etc")
+
+    # Setup Jinja2 templates
+    templates = Jinja2Templates(directory=str(_TEMPLATES_PATH))
+    app.state.templates = templates
+
+    # Register routers
+    from zebra_day.web.routers import ui, api
+
+    app.include_router(ui.router)
+    app.include_router(api.router, prefix="/api/v1", tags=["api"])
+
+    @app.on_event("startup")
+    async def startup_event():
+        """Initialize application state on startup."""
+        import zebra_day.print_mgr as zdpm
+
+        app.state.zp = zdpm.zpl()
+        _log.info(
+            "zebra_day web server starting at %s:8118",
+            app.state.local_ip,
+        )
+
+    @app.get("/healthz")
+    async def healthz():
+        """Health check endpoint."""
+        return {"status": "healthy"}
+
+    @app.get("/readyz")
+    async def readyz():
+        """Readiness check endpoint."""
+        # Check if printer manager is initialized
+        if hasattr(app.state, "zp") and app.state.zp is not None:
+            return {"status": "ready"}
+        return {"status": "not_ready"}, 503
+
+    return app
+
+
+def get_default_cert_paths() -> tuple[Optional[Path], Optional[Path]]:
+    """
+    Get default certificate paths from XDG config directory.
+
+    Returns:
+        Tuple of (cert_path, key_path) or (None, None) if not found.
+    """
+    config_dir = xdg.get_config_dir()
+    cert_dir = config_dir / "certs"
+    cert_file = cert_dir / "server.crt"
+    key_file = cert_dir / "server.key"
+
+    if cert_file.exists() and key_file.exists():
+        return cert_file, key_file
+    return None, None
+
+
+def run_server(
+    host: str = "0.0.0.0",
+    port: int = 8118,
+    reload: bool = False,
+    auth: Literal["none", "cognito"] = "none",
+    ssl_certfile: Optional[str] = None,
+    ssl_keyfile: Optional[str] = None,
+):
+    """
+    Run the FastAPI server using uvicorn.
+
+    Args:
+        host: Host to bind to
+        port: Port to listen on
+        reload: Enable auto-reload for development
+        auth: Authentication mode - "none" (public) or "cognito" (AWS Cognito)
+        ssl_certfile: Path to SSL certificate file (PEM format)
+        ssl_keyfile: Path to SSL private key file (PEM format)
+
+    If ssl_certfile and ssl_keyfile are not provided, the server will:
+    1. Check SSL_CERT_PATH and SSL_KEY_PATH environment variables
+    2. Check for certificates in ~/.config/zebra_day/certs/
+    3. Fall back to HTTP with a warning if no certificates are found
+    """
+    import uvicorn
+
+    # Store auth mode in environment for factory function
+    os.environ["ZEBRA_DAY_AUTH_MODE"] = auth
+
+    # Resolve SSL certificate paths
+    cert_path = ssl_certfile
+    key_path = ssl_keyfile
+
+    # Check environment variables if not provided
+    if not cert_path:
+        cert_path = os.environ.get("SSL_CERT_PATH")
+    if not key_path:
+        key_path = os.environ.get("SSL_KEY_PATH")
+
+    # Check default XDG paths if still not found
+    if not cert_path or not key_path:
+        default_cert, default_key = get_default_cert_paths()
+        if default_cert and default_key:
+            cert_path = str(default_cert)
+            key_path = str(default_key)
+
+    # Validate certificate files exist
+    use_ssl = False
+    if cert_path and key_path:
+        cert_exists = Path(cert_path).exists()
+        key_exists = Path(key_path).exists()
+        if cert_exists and key_exists:
+            use_ssl = True
+            _log.info("HTTPS enabled with certificates:")
+            _log.info("  Certificate: %s", cert_path)
+            _log.info("  Private key: %s", key_path)
+        else:
+            if not cert_exists:
+                _log.warning("SSL certificate not found: %s", cert_path)
+            if not key_exists:
+                _log.warning("SSL private key not found: %s", key_path)
+            _log.warning("Falling back to HTTP (insecure)")
+    else:
+        _log.warning(
+            "No SSL certificates configured. Running in HTTP mode (insecure). "
+            "For HTTPS, run: mkcert -install && mkcert -cert-file ~/.config/zebra_day/certs/server.crt "
+            "-key-file ~/.config/zebra_day/certs/server.key localhost 127.0.0.1 ::1"
+        )
+
+    # Build uvicorn config
+    uvicorn_kwargs = {
+        "host": host,
+        "port": port,
+        "reload": reload,
+        "factory": True,
+    }
+
+    if use_ssl:
+        uvicorn_kwargs["ssl_certfile"] = cert_path
+        uvicorn_kwargs["ssl_keyfile"] = key_path
+        protocol = "https"
+    else:
+        protocol = "http"
+
+    _log.info("Starting server at %s://%s:%d", protocol, host, port)
+
+    uvicorn.run("zebra_day.web.app:create_app", **uvicorn_kwargs)
+

zebra_day/web/auth.py

@@ -0,0 +1,172 @@
+"""Authentication integration for zebra_day web server.
+
+Provides optional Cognito authentication support via the daylily-cognito library.
+"""
+
+from __future__ import annotations
+
+import os
+from typing import TYPE_CHECKING, Any, Callable, Dict, List, Optional
+
+from fastapi import Depends, HTTPException, Request, status
+from starlette.middleware.base import BaseHTTPMiddleware
+from starlette.responses import Response
+
+from zebra_day.logging_config import get_logger
+
+if TYPE_CHECKING:
+    from fastapi import FastAPI
+
+_log = get_logger(__name__)
+
+# Endpoints that should never require authentication
+PUBLIC_PATHS: List[str] = [
+    "/healthz",
+    "/readyz",
+    "/docs",
+    "/openapi.json",
+    "/redoc",
+]
+
+# Try to import daylily-cognito components
+_COGNITO_AVAILABLE = False
+_COGNITO_IMPORT_ERROR: Optional[str] = None
+
+try:
+    from daylily_cognito import CognitoAuth, CognitoConfig, create_auth_dependency
+
+    _COGNITO_AVAILABLE = True
+except ImportError as e:
+    _COGNITO_IMPORT_ERROR = str(e)
+    CognitoAuth = None  # type: ignore[misc, assignment]
+    CognitoConfig = None  # type: ignore[misc, assignment]
+    create_auth_dependency = None  # type: ignore[misc, assignment]
+
+
+def is_cognito_available() -> bool:
+    """Check if daylily-cognito library is installed."""
+    return _COGNITO_AVAILABLE
+
+
+def get_cognito_import_error() -> Optional[str]:
+    """Get the import error message if daylily-cognito is not available."""
+    return _COGNITO_IMPORT_ERROR
+
+
+class CognitoAuthMiddleware(BaseHTTPMiddleware):
+    """Middleware that enforces Cognito authentication on protected endpoints.
+
+    Exempts health check endpoints and other public paths.
+    """
+
+    def __init__(self, app: "FastAPI", cognito_auth: Any) -> None:
+        super().__init__(app)
+        self.cognito_auth = cognito_auth
+        self.get_current_user = create_auth_dependency(cognito_auth, optional=False)
+
+    async def dispatch(self, request: Request, call_next: Callable) -> Response:
+        """Check authentication for protected endpoints."""
+        path = request.url.path
+
+        # Allow public endpoints without authentication
+        if any(path.startswith(public) for public in PUBLIC_PATHS):
+            return await call_next(request)
+
+        # Allow static files without authentication
+        if path.startswith("/static") or path.startswith("/files") or path.startswith("/etc"):
+            return await call_next(request)
+
+        # Check for Authorization header
+        auth_header = request.headers.get("Authorization")
+        if not auth_header:
+            return Response(
+                content='{"detail":"Authentication required"}',
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                media_type="application/json",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+
+        # Validate Bearer token
+        if not auth_header.startswith("Bearer "):
+            return Response(
+                content='{"detail":"Invalid authorization header format"}',
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                media_type="application/json",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+
+        token = auth_header[7:]  # Remove "Bearer " prefix
+        try:
+            # Verify token and attach user to request state
+            user_claims = self.cognito_auth.verify_token(token)
+            request.state.user = user_claims
+        except HTTPException:
+            return Response(
+                content='{"detail":"Invalid or expired token"}',
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                media_type="application/json",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+        except Exception as e:
+            _log.error("Authentication error: %s", str(e))
+            return Response(
+                content='{"detail":"Authentication failed"}',
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                media_type="application/json",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+
+        return await call_next(request)
+
+
+def setup_cognito_auth(app: "FastAPI") -> Any:
+    """Configure Cognito authentication for the FastAPI app.
+
+    Reads configuration from environment variables:
+        - COGNITO_USER_POOL_ID: Cognito User Pool ID (required)
+        - COGNITO_APP_CLIENT_ID or COGNITO_CLIENT_ID: App Client ID (required)
+        - COGNITO_REGION or AWS_REGION: AWS region (defaults to us-west-2)
+        - AWS_PROFILE: Optional AWS profile name
+
+    Returns:
+        CognitoAuth instance
+
+    Raises:
+        ValueError: If required environment variables are missing
+        ImportError: If daylily-cognito is not installed
+    """
+    if not _COGNITO_AVAILABLE:
+        raise ImportError(
+            f"daylily-cognito library is required for Cognito authentication. "
+            f"Install with: pip install -e '.[auth]'\n"
+            f"Import error: {_COGNITO_IMPORT_ERROR}"
+        )
+
+    # Load config from environment
+    try:
+        config = CognitoConfig.from_legacy_env()
+    except ValueError as e:
+        raise ValueError(
+            f"Missing required Cognito configuration. {e}\n"
+            "Set the following environment variables:\n"
+            "  COGNITO_USER_POOL_ID=your-pool-id\n"
+            "  COGNITO_APP_CLIENT_ID=your-client-id\n"
+            "  COGNITO_REGION=us-west-2  (optional, defaults to us-west-2)"
+        ) from e
+
+    # Create CognitoAuth instance
+    cognito_auth = CognitoAuth(
+        region=config.region,
+        user_pool_id=config.user_pool_id,
+        app_client_id=config.app_client_id,
+        profile=config.aws_profile,
+    )
+
+    _log.info(
+        "Cognito authentication enabled (region=%s, pool=%s)",
+        config.region,
+        config.user_pool_id,
+    )
+
+    return cognito_auth
+

zebra_day/web/middleware.py

@@ -0,0 +1,159 @@
+"""
+Middleware for the zebra_day FastAPI application.
+
+Provides request logging and rate limiting functionality.
+"""
+from __future__ import annotations
+
+import asyncio
+import time
+from collections import defaultdict
+from typing import Callable
+
+from fastapi import Request, Response
+from starlette.middleware.base import BaseHTTPMiddleware
+
+from zebra_day.logging_config import get_logger
+
+_log = get_logger(__name__)
+
+
+class RequestLoggingMiddleware(BaseHTTPMiddleware):
+    """
+    Middleware for structured request logging.
+
+    Logs client IP, request path, method, timing, and response status.
+    """
+
+    async def dispatch(self, request: Request, call_next: Callable) -> Response:
+        """Process request and log structured data."""
+        start_time = time.perf_counter()
+
+        # Extract client info
+        client_ip = request.client.host if request.client else "unknown"
+        method = request.method
+        path = request.url.path
+        query = str(request.query_params) if request.query_params else ""
+
+        # Extract relevant parameters for print operations
+        lab = request.query_params.get("lab", "")
+        printer = request.query_params.get("printer", "")
+        template = request.query_params.get("label_zpl_style", "")
+
+        try:
+            response = await call_next(request)
+            status_code = response.status_code
+            outcome = "success" if status_code < 400 else "error"
+        except Exception as exc:
+            status_code = 500
+            outcome = "exception"
+            _log.exception(
+                "Request failed",
+                extra={
+                    "client_ip": client_ip,
+                    "method": method,
+                    "path": path,
+                    "error": str(exc),
+                },
+            )
+            raise
+
+        elapsed_ms = (time.perf_counter() - start_time) * 1000
+
+        # Build log context
+        log_context = {
+            "client_ip": client_ip,
+            "method": method,
+            "path": path,
+            "status_code": status_code,
+            "elapsed_ms": round(elapsed_ms, 2),
+            "outcome": outcome,
+        }
+
+        # Add print-specific context if relevant
+        if lab:
+            log_context["lab"] = lab
+        if printer:
+            log_context["printer"] = printer
+        if template:
+            log_context["template"] = template
+
+        # Log at appropriate level
+        if status_code >= 500:
+            _log.error("Request completed", extra=log_context)
+        elif status_code >= 400:
+            _log.warning("Request completed", extra=log_context)
+        else:
+            _log.info("Request completed", extra=log_context)
+
+        return response
+
+
+class PrintRateLimiter:
+    """
+    Simple rate limiter for print endpoints.
+
+    Uses a sliding window approach with configurable limits.
+    """
+
+    def __init__(
+        self,
+        max_requests: int = 10,
+        window_seconds: float = 60.0,
+        max_concurrent: int = 3,
+    ):
+        """
+        Initialize rate limiter.
+
+        Args:
+            max_requests: Maximum requests per window per client IP
+            window_seconds: Time window in seconds
+            max_concurrent: Maximum concurrent print operations
+        """
+        self.max_requests = max_requests
+        self.window_seconds = window_seconds
+        self.max_concurrent = max_concurrent
+
+        self._request_times: dict[str, list[float]] = defaultdict(list)
+        self._semaphore = asyncio.Semaphore(max_concurrent)
+        self._lock = asyncio.Lock()
+
+    async def acquire(self, client_ip: str) -> tuple[bool, str]:
+        """
+        Try to acquire a print slot.
+
+        Returns:
+            Tuple of (allowed, reason)
+        """
+        now = time.time()
+
+        async with self._lock:
+            # Clean old entries
+            cutoff = now - self.window_seconds
+            self._request_times[client_ip] = [
+                t for t in self._request_times[client_ip] if t > cutoff
+            ]
+
+            # Check rate limit
+            if len(self._request_times[client_ip]) >= self.max_requests:
+                return False, f"Rate limit exceeded: {self.max_requests} requests per {self.window_seconds}s"
+
+            # Try to acquire semaphore (non-blocking check)
+            if self._semaphore.locked() and self._semaphore._value == 0:
+                return False, f"Too many concurrent print operations (max {self.max_concurrent})"
+
+            # Record this request
+            self._request_times[client_ip].append(now)
+
+        # Acquire semaphore for actual operation
+        await self._semaphore.acquire()
+        return True, ""
+
+    def release(self) -> None:
+        """Release a print slot after operation completes."""
+        self._semaphore.release()
+
+
+# Global rate limiter instance
+print_rate_limiter = PrintRateLimiter()
+

zebra_day/web/routers/__init__.py

@@ -0,0 +1,2 @@
+"""FastAPI routers for zebra_day web application."""
+