Xj,UddlZddlmZddlZddlZddlmZddlmZddl m Z ddl m Z e e ZeddZeeed <daejdzed <daejdzed <d ejfd Zd ejfdZ d-dededededededzf dZdededededef dZd.dededefdZdedededed ef dZdededed efdZdededed efdZ deded e!efd Z"deded e!efd!Z#deded e!efd"Z$dedededed ef d#Z%dedededed ef d$Z&deded e!e!efd%Z'd efd&Z(d efd'Z)deded dfd(Z*deded dfd)Z+d efd*Z,d efd+Z-d e!efd,Z.dS)/N) ContextVar)Adapter)settings) SessionLocal) get_loggerrequest_context)default_request_context _enforcer _redis_clientreturnctntjr!tjtjdanAtjtjtjtjtj datS)NT)decode_responses)hostportdbpasswordr) r r REDIS_URLredisfrom_urlRedis REDIS_HOST REDIS_PORTREDIS_DBREDIS_PASSWORD.domain_match*g%7C 7r resource1 resource2c||kp|dkSr%r)r)r*s rresource_matchz$get_enforcer..resource_match-s )=Y#-= =raction1action2c||kp|dkSr%r)r-r.s r action_matchz"get_enforcer..action_match0r(r domainMatch resourceMatch actionMatchu5✅ Casbin enforcer initialized with database adapterz Model: z Database: @)r ospathdirnameabspath__file__joinrr DATABASE_URLr!Enforcerstrbool add_functionloggerinfosplit)base_dir model_pathadapterr'r,r0s r get_enforcerrG"s7??27??27??27??S[C\C\3]3]#^#^__W\\(HlCC (/00OJ88  8# 8 8 8 8 8 8 >c >c >d > > > > 8# 8 8 8 8 8 8 }l;;;???}l;;; KLLL ---... JH$9$?$?$D$DR$HJJKKK ruser_id tenant_idresourceactionresultrole_idc ^ ddlm}t}||||||||d|d|d dS#t $r(}t d|Yd}~dSd}~wwxYw)Nr)log_permission_check ip_address user_agentr7) rHrIrJrKrLrMrPrQ request_pathz&Failed to queue permission check log: )app.tasks.audit_tasksrOr getdelay ExceptionrAerror) rHrIrJrKrLrMrOctxes r_log_permission_checkrZ<sC>>>>>>""$$""ww|,,ww|,, #  CCC AaAABBBBBBBBBCsA6A:: B,B''B, action_typerolec  ddlm}t}|||||||dd|d|d|d dS#t $r(}t d|Yd}~dSd}~wwxYw) Nr)log_permission_changerHrPrQr7) r[rIrJrKr\rHrPrQrRz'Failed to queue permission change log: )rSr^r rTrUrVrArW)r[rIrJrKr\r^rXrYs r_log_permission_changer_WsD??????""$$###GGIq))ww|,,ww|,, $  DDD BqBBCCCCCCCCCDsB B CB;;CrPrQr7cBt|||ddS)NrPrQr7)r setras rset_request_contextrcks' *VZ[[\\\\\rc d|d|d|d|} t}||}|3td|d|d|d|dk|||dkSn4#t$r'}td |Yd}~nd}~wwxYwt }d |} t|} || | ||} td |d|d| || | |d | rdnd n4#t$r'}td|Yd}~nd}~wwxYw| S)Nperm::zPermission check cached: user= , resource= , action=z , result=1)rHrIzRedis cache error: user:zPermission check: resource=i,0zRedis cache write error: ) rrTrArBrVwarningrGr>enforcesetex) rHrIrJrK cache_key redis_clientcachedrYenforcersubjectdomainrLs rcheck_permissionruos AAA)AAhAAAAI2')) !!),,   KKAAAXAA`fAAqw{~q~AAKR^gK h h hS=   2220Q00111111112~~HgG ^^F   gvx @ @F KKZhZZZZRXZZdkxAKBBB89c&+A33cBBBB 8886166777777778 Ms0AA)) B3BB>D E $EE c&ddlm}ddlm}ddlm}t } |||j |k }|std|d|||j |k }|std|d|j |j |krtd|d|d |vr| d d n|} |||j| k } | std | d| jr|j | d vrtd | d| j | j |krtd | d|t!} d|} t#|} | | || }|rH| t(d|d|d|t-||n#t(d|d|d|||S#|wxYw)Nr)Role)Tenant)UserzUser z does not existzTenant z does not belong to tenant rfr5zRole > platform_userplatform_adminzCannot assign platform role z to tenant userrju✅ Added role z for user in tenant u⚠️ Failed to add role )app.models.rolerwapp.models.tenantrxapp.models.userryrqueryfilteridfirst ValueErrorrIrCcode is_systemrGr>add_grouping_policy load_policyrArBinvalidate_user_permissionsrlclose)rHr\rIrwrxryrusertenant role_coderole_objrrrsrtsuccesss radd_role_for_userrs$$$$$$(((((($$$$$$ B!xx~~$$TW%788>>@@ ?=W===>> >&!!((i)?@@FFHH CAyAAABB B > %$.I*E*ETWTTTTUU U+.$;;DJJsOOB''D 88D>>((i)?@@FFHH A?Y???@@ @   X*AAAVIVVVWW W   )h.@I.M.MVYVV9VVWW W>>#'##Y..wfEE  i  " " " KKY$YY'YYiYY Z Z Z ' ; ; ; ; NNggggg\egg h h h   s II::Jc t}d|}t|}||||}|rG|td|d|d|t |||S)Nrju✅ Removed role z from user r|)rGr>remove_grouping_policyrrArBr)rHr\rIrrrsrtrs rremove_role_for_userrs~~HgG ^^F--gtVDDG8 XXXXXYXXYYY#GY777 Nrcvt}d|}t|}|||}|S)Nrj)rGr>get_roles_for_user_in_domain)rHrIrrrsrtroless rget_roles_for_userrs=~~HgG ^^F  1 1'6 B BE Lrc:t||}d|DS)Nc>g|]}d|ddiS)rzrole:)replace).0r\s r z"get_user_roles..s+ G G G[$,,w33 4 G G Gr)r)rHrIrs rget_user_rolesrs% w 2 2E G G G G GGrclt}t|}|||}|SN)rGr>get_users_for_role_in_domain)r\rIrrrtuserss rget_users_for_rolers0~~H ^^F  1 1$ ? ?E Lrc .t}t|}|||||}|r]|td|d|d|d|t d||||t|||S)Nu✅ Added permission: role= , tenant=rgrhgrant)rGr> add_policyrrArBr__invalidate_role_permissionsr\rIrJrKrrrtrs radd_permission_for_rolers~~H ^^F!!$&AAG6 j$ j j j jx j jbh j j    w 8VTJJJ$T9555 Nrc .t}t|}|||||}|r]|td|d|d|d|t d||||t|||S)Nu✅ Removed permission: role=rrgrhrevoke)rGr> remove_policyrrArBr_rrs rremove_permission_for_rolers~~H ^^F$$T68VDDG6 lD l l9 l lQY l ldj l l    xHfdKKK$T9555 Nrcnt}t|}|d||}|S)Nr)rGr>get_filtered_policy)r\rIrrrt permissionss rget_permissions_for_rolers3~~H ^^F..q$??K rcFt}|Sr)rG save_policyrrs rrr~~H    ! !!rcFt}|Sr)rGrrs rrrrrc@ t}d|d|d}||}|r9|j|tdt |d|dSdS#t $r(}td|Yd}~dSd}~wwxYw)Nrerfz:*z Invalidated z cached permissions for user z(Failed to invalidate permissions cache: )rkeysdeleterArBlenrVrl)rHrIrppatternrrYs rrrsG')) 1'11I111  ))  Z L  & & KKXs4yyXXwXX Y Y Y Y Y Z Z GGGE!EEFFFFFFFFFGsA%A++ B5BBc6 t||}|D]O}|dr8t|dd}t ||PdS#t $r(}t d|Yd}~dSd}~wwxYw)Nrjrfz'Failed to invalidate role permissions: )r startswithintrCrrVrArl)r\rIr user_subjectrHrYs rrrsF"433! @ @L&&w// @l0055a899+GY??? @ @ FFFDDDEEEEEEEEEFsA"A&& B0BBc|jdvrdS|jdkr|j|jkS|jdkr |j|jkp|j|jkSdSNr{rzTcustomer_admin customer_userF)r\rI created_byr)rkbs rcan_access_knowledge_basersa y777t y$$$|t~-- yO##}'I2<4>+II 5rc|jdvrdS|jdkr|j|jkS|jdkr|j|jkSdSr)r\rI)rdocs rcan_access_documentrsS y777t y$$$}.. yO##}.. 5rcTddlm}ddlm}|jdvr6d||jDS|jdkrWd||j|j |j kDS|jdkrod ||j||j |jk|j |j kDSgS) Nr)or_) KnowledgeBasercg|] }|j Srrrrs rrz2get_accessible_knowledge_bases..-sAAA"AAArrcg|] }|j Srrrs rrz2get_accessible_knowledge_bases../s*    E   rrcg|] }|j Srrrs rrz2get_accessible_knowledge_bases..6s*    E   r) sqlalchemyrapp.models.knowledge_baserr\rrallrrIr)rrrrs rget_accessible_knowledge_basesr'sF777777 y777AA)9 : : > > @ @AAAA y$$$  hh}/00 VM+t~= > > SUU      yO##  hh}/00 VM,79PTXTb9bccSUU      Irr)NNN)/r6 contextvarsrr!rcasbin_sqlalchemy_adapterr app.configrapp.db.sessionrcommon_loggingr__name__rAr dict__annotations__r r=r rrrGrr>r?rZr_rcrurrlistrrrrrrrrrrrrrrrrrs """""" ------''''''%%%%%% H  %/Z0A4%P%P%P*T"PPP$( 6?T !((($( u{T!((( %+     fo@ CC CCC  C  C 4Z CCCC6DDDsDTWD_bDDDD(]]C]C]c]]]]ccS#RV,'s'#'#'$''''T # S S T    S HCHCHDJHHHH SST#Y # #  c VZ     S S C QT Y]    334S ?"T"""" "T"""" G G G G G G GFsFsFtFFFF4dS r