o ?7Îih>ã@sœUdZddlZddlmZddlmZddlZddlZddlZddl m Z ddlmZddl mZe e¡Zedid Zeeed <daeejed<daeejed<d ejfdd„Zd ejfdd„Z dCdedededededeefdd„Zdededededef dd„ZdDdeded efd!d"„Z dedededed ef d#d$„Z!dededed efd%d&„Z"dededed efd'd(„Z#deded e$efd)d*„Z%deded e$efd+d,„Z&deded e$efd-d.„Z'dedededed ef d/d0„Z(dedededed ef d1d2„Z)deded e$e$efd3d4„Z*d efd5d6„Z+d efd7d8„Z,deded dfd9d:„Z-deded dfd;d<„Z.d efd=d>„Z/d efd?d@„Z0d e$efdAdB„Z1dS)Ez# Casbin RBAC Permission Management éN)ÚAdapter)ÚOptional)Úsettings)ÚSessionLocal)Ú ContextVarÚrequest_context)ÚdefaultÚ_request_contextÚ _enforcerÚ _redis_clientÚreturncCsBtdurtjrtjtjddatStjtjtjtjtj ddatS)zGet or create Redis clientNT)Údecode_responses)ÚhostÚportÚdbÚpasswordr ) rrÚ REDIS_URLÚredisÚfrom_urlÚRedisÚ REDIS_HOSTÚ REDIS_PORTÚREDIS_DBÚREDIS_PASSWORD©rrú.domain_matchÚ resource1Ú resource2cSr r!r)r%r&rrrÚresource_match=r$z$get_enforcer..resource_matchÚaction1Úaction2cSr r!r)r(r)rrrÚaction_match@r$z"get_enforcer..action_matchÚdomainMatchÚ resourceMatchÚactionMatchu5âœ… Casbin enforcer initialized with database adapterz Model: z Database: ú@éÿÿÿÿ)r ÚosÚpathÚdirnameÚabspathÚ__file__ÚjoinrrÚDATABASE_URLrÚEnforcerÚstrÚboolÚadd_functionÚloggerÚinfoÚsplit)Úbase_dirÚ model_pathÚadapterr#r'r*rrrÚget_enforcer%s $ rAÚuser_idÚ tenant_idÚresourceÚactionÚresultÚrole_idc Cs€z$ddlm}t ¡}|j||||||| d¡| d¡| d¡d WdSty?}zt d|›¡WYd}~dSd}~ww) z+Log permission check to audit table (async)r)Úlog_permission_checkÚ ip_addressÚ user_agentr1) rBrCrDrErFrGrIrJÚrequest_pathz&Failed to queue permission check log: N)Úapp.tasks.audit_tasksrHr ÚgetÚdelayÚ Exceptionr;Úerror) rBrCrDrErFrGrHÚctxÚerrrÚ_log_permission_checkNs$ ÷€ÿrSÚaction_typeÚrolecCsˆz(ddlm}t ¡}|j|||||| dd¡| d¡| d¡| d¡d Wd StyC}zt d|›¡WYd }~d Sd }~ww) z2Log permission grant/revoke to audit table (async)r)Úlog_permission_changerBrIrJr1) rTrCrDrErUrBrIrJrKz'Failed to queue permission change log: N)rLrVr rMrNrOr;rP)rTrCrDrErUrVrQrRrrrÚ_log_permission_changejs$ ÷€ÿrWrIrJr1cCst |||dœ¡dS)z%Set request context for audit logging©rIrJr1N)r ÚsetrXrrrÚset_request_context…s ýrZcCsd|›d|›d|›d|›}ztƒ}| |¡}|dur |dkWSWnty;}zt d|›¡WYd}~nd}~wwtƒ}d|›} t|ƒ} | | | ||¡}t d|›d|›d |›d |›d|› ¡z| |d|rmdnd ¡W|Sty}zt d|›¡WYd}~|Sd}~ww)a^ Check if user has permission to perform action on resource Args: user_id: User ID tenant_id: Tenant ID (domain) resource: Resource name (e.g., "knowledge_bases", "agents") action: Action name (e.g., "read", "create", "update", "delete") Returns: True if user has permission, False otherwise úperm:ú:NÚ1zRedis cache error: úuser:zPermission check: user=ú , tenant=ú, resource=ú , action=z -> i,Ú0zRedis cache write error: ) rrMrOr;ÚwarningrAr8ÚenforceÚdebugÚsetex)rBrCrDrEÚ cache_keyÚredis_clientÚcachedrRÚenforcerÚsubjectÚdomainrFrrrÚcheck_permissionŽs@ ÿ€ÿ ÿÿÿÿú€úrmcCsÖddlm}ddlm}ddlm}tƒ}zÐ| |¡ |j |k¡ ¡}|s-td|›dƒ‚| |¡ |j |k¡ ¡}|sDtd|›dƒ‚|jdurX|j|krXtd|›d |›ƒ‚d |vrc| d ¡dn|} | |¡ |j| k¡ ¡} | s|td| ›dƒ‚| jr|jdur| d vrtd| ›dƒ‚| jdur¤| j|kr¤td| ›d |›ƒ‚tƒ}d|›}t|ƒ} | ||| ¡}|rÑ| ¡t d|›d|›d|›¡t||ƒnt d|›d|›d|›¡|W| ¡S| ¡w)a Add a role for user in a specific tenant with validation Args: user_id: User ID role: Role name (e.g., "role:customer_admin") tenant_id: Tenant ID Returns: True if successful Raises: ValueError: If validation fails r)ÚUser)ÚTenant)ÚRolezUser z does not existzTenant Nz does not belong to tenant r\r/zRole >Ú platform_userÚplatform_adminzCannot assign platform role z to tenant userr^uâœ… Added role z for user ú in tenant uâš ï¸ Failed to add role )Úapp.models.userrnÚapp.models.tenantroÚapp.models.rolerprÚqueryÚfilterÚidÚfirstÚ ValueErrorrCr=ÚcodeÚ is_systemrAr8Úadd_grouping_policyÚload_policyr;r<Úinvalidate_user_permissionsrcÚclose)rBrUrCrnrorprÚuserÚtenantÚ role_codeÚrole_objrjrkrlÚsuccessrrrÚadd_role_for_userÁs@ r‡cCs\tƒ}d|›}t|ƒ}| |||¡}|r,| ¡t d|›d|›d|›¡t||ƒ|S)z¸ Remove a role from user in a specific tenant Args: user_id: User ID role: Role name tenant_id: Tenant ID Returns: True if successful r^uâœ… Removed role z from user rs)rAr8Úremove_grouping_policyrr;r<r€)rBrUrCrjrkrlr†rrrÚremove_role_for_user s r‰cCs(tƒ}d|›}t|ƒ}| ||¡}|S)zŸ Get all roles for user in a specific tenant Args: user_id: User ID tenant_id: Tenant ID Returns: List of role names r^)rAr8Úget_roles_for_user_in_domain)rBrCrjrkrlÚrolesrrrÚget_roles_for_user)s rŒcCst||ƒ}dd„|DƒS)zÚ Get user roles in format expected by API permissions Args: user_id: User ID tenant_id: Tenant ID Returns: List of dicts with role_code: [{'role_code': 'platform_admin'}, ...] cSsg|] }d| dd¡i‘qS)r„zrole:Ú)Úreplace)Ú.0rUrrrÚ Nsz"get_user_roles..)rŒ)rBrCr‹rrrÚget_user_rolesBs r‘cCstƒ}t|ƒ}| ||¡}|S)zÀ Get all users with a specific role in a tenant Args: role: Role name tenant_id: Tenant ID Returns: List of user IDs (as strings with "user:" prefix) )rAr8Úget_users_for_role_in_domain)rUrCrjrlÚusersrrrÚget_users_for_roleQsr”c Cójtƒ}t|ƒ}| ||||¡}|r3| ¡t d|›d|›d|›d|›¡td||||ƒt||ƒ|S)zß Add a permission for a role in a specific tenant Args: role: Role name tenant_id: Tenant ID resource: Resource name action: Action name Returns: True if successful uâœ… Added permission: role=r_r`raÚgrant)rAr8Ú add_policyrr;r<rWÚ_invalidate_role_permissions©rUrCrDrErjrlr†rrrÚadd_permission_for_roleisÿÿÿ ršc Cr•)zã Remove a permission from a role in a specific tenant Args: role: Role name tenant_id: Tenant ID resource: Resource name action: Action name Returns: True if successful uâœ… Removed permission: role=r_r`raÚrevoke)rAr8Ú remove_policyrr;r<rWr˜r™rrrÚremove_permission_for_rolesÿÿÿ rcCs tƒ}t|ƒ}| d||¡}|S)zå Get all permissions for a role in a specific tenant Args: role: Role name tenant_id: Tenant ID Returns: List of permissions (each permission is a list: [role, domain, resource, action]) r)rAr8Úget_filtered_policy)rUrCrjrlÚpermissionsrrrÚget_permissions_for_role³sr cCótƒ}| ¡S)zN Save current policy to file Returns: True if successful )rAÚsave_policy©rjrrrr¢Êór¢cCr¡)zJ Reload policy from file Returns: True if successful )rArr£rrrrÕr¤rc CsŽz+tƒ}d|›d|›d}| |¡}|r)|j|Žt dt|ƒ›d|›¡WdSWdStyF}zt d|›¡WYd}~dSd}~ww)zs Invalidate cached permissions for a user Args: user_id: User ID tenant_id: Tenant ID r[r\z:*zInvalidated z cached permissions for user z(Failed to invalidate permissions cache: N)rÚkeysÚdeleter;r<ÚlenrOrc)rBrCrhÚpatternr¥rRrrrr€âs þ€ÿr€c Csxz t||ƒ}|D]}| d¡rt| d¡dƒ}t||ƒqWdSty;}zt d|›¡WYd}~dSd}~ww)zŠ Invalidate cached permissions for all users with a specific role Args: role: Role name tenant_id: Tenant ID r^r\éz'Failed to invalidate role permissions: N)r”Ú startswithÚintr=r€rOr;rc)rUrCr“Úuser_subjectrBrRrrrr˜õs €ý€ÿr˜cCsJ|jdvrdS|jdkr|j|jkS|jdkr#|j|jkp"|j|jkSdS)zDCheck if user has permission to access a knowledge base (deprecated)©rrrqTÚcustomer_adminÚ customer_userF)rUrCÚ created_byry)r‚ÚkbrrrÚcan_access_knowledge_base s r²cCs>|jdvrdS|jdkr|j|jkS|jdkr|j|jkSdS)z>Check if user has permission to access a document (deprecated)rTr®r¯F)rUrC)r‚ÚdocrrrÚcan_access_documents r´cCs²ddlm}ddlm}|jdvrdd„| |j¡ ¡DƒS|jdkr7dd„| |j¡ |j |j k¡ ¡DƒS|jd krWd d„| |j¡ ||j |jk|j |j kƒ¡ ¡DƒSgS)z@Get list of knowledge base IDs that user can access (deprecated)r)Ú KnowledgeBase)Úor_rcSóg|]}|j‘qSr©ry©rr±rrrr%óz2get_accessible_knowledge_bases..r®cSr·rr¸r¹rrrr'rºr¯cSr·rr¸r¹rrrr+rº)Úapp.models.knowledge_baserµÚ sqlalchemyr¶rUrwryÚallrxrCr°)rr‚rµr¶rrrÚget_accessible_knowledge_basess( ÿþ þÿûr¾)N)NNN)2Ú__doc__rÚcasbin_sqlalchemy_adapterrÚtypingrr0ÚloggingrÚ app.configrÚapp.db.sessionrÚcontextvarsrÚ getLoggerÚ__name__r;r ÚdictÚ__annotations__r r7rrrrAr«r8r9rSrWrZrmr‡r‰ÚlistrŒr‘r”ršrr r¢rr€r˜r²r´r¾rrrrÚsô /úÿþýüû úÿþýü û ÿþýü û3ÿþý üIÿþý üÿþ ýÿþ ýÿþýü û&ÿþýü û$ÿþ ý