XjN(BUddlmZddlmZddlmZddlmZmZm Z ddl m Z ddl m Z ddlmZddlmZdd lmZdd lmZeeZd d d ddd ddd ddd dZded<eeZddhZddhZdZdZ dZ!dZ"GddZ#d S)!) annotations)Sequence)Session) get_enforcerinvalidate_user_permissions load_policy) SessionLocal)Role)Tenant)User)UserRole) get_loggeru平台管理员u平台级系统管理员)name descriptionu 平台用户u平台级普通用户u企业管理员u租户级管理员u 企业用户u租户级普通用户)platform_admin platform_usercustomer_admin customer_userzdict[str, dict[str, str]]SYSTEM_ROLE_DEFINITIONSrrrr) usersrolesknowledge_basesknowledge_categoriesknowledge_tagsagents workflows documents audit_logsmenus providersmodels))rread)rcreate)rupdate)rdelete)rr"rr")rr#)rr$)rr%rr")rr#)rr$)rr%rr")rr#)rr$)rr%rr")rr#)rr$)rr%rr")rr#)rr$)rr%)rr"r r"r!r"rr")r&r'r(r*r)r+r,r-ceZdZeddZed dZe d!d"dZed#dZed$dZed%dZ ed&dZ e d!d'dZ dS)(RBACBootstrapServicedbrreturndict[str, Role]ci}tD]\}}|ttj|k}|St||d|ddd}||t d|n/|d|_ |d|_ d|_ d|_ d|_|||<||S)NrrT)coderr is_system tenant_idzCreated system role: F)ritemsqueryr filterr4firstaddloggerinforrr5r6 is_deletedflush)r0 roles_by_coder4 definitionroles R/lsinfo/ai/hellotax_ai/base_platform/app/services/access/rbac_bootstrap_service.pyensure_system_rolesz(RBACBootstrapService.ensure_system_roles^s)+ 7 = = ? ? ' ' D*88D>>((d):;;AACCD|#F+ *= 9"" t  :D::;;;;&v. #-m#< !%!%"'"&M$    Nonec2t}d}tD]$}dD]}|dd|||dz } %tD]"\}}|dd|||dz }#t|}|D]e}t |}tD]"\}}|d||||dz }#tD]"\}}|d||||dz }#ft d |d t|d dS) Nr)r"r#r$r%executezrole:platform_admin0zrole:platform_userzrole:customer_adminzrole:customer_userzEnsured z default role policies for z tenants) rPLATFORM_RESOURCES add_policyPLATFORM_USER_POLICIESr/_get_active_tenant_idsstrCUSTOMER_ADMIN_POLICIESCUSTOMER_USER_POLICIESr<r=len)r0enforcer policy_countresourceaction tenant_idsr6domains rCensure_default_role_policiesz1RBACBootstrapService.ensure_default_role_policieswss>> * " "HK " "##$93&QQQ!  "!7   Hf    4c8V L L L A LL)@@DD # " "I^^F$; " " &##$968VTTT! $: " " &##$8&(FSSS!  "  a|aaJaaabbbbbrENuserr previous_role str | Noneprevious_tenant_id int | Noneboolc|j}|tvr#td||jdS|t vr*|js#td||jdSt |}t |||}t ||j}t ||j|jt |j|||||tt!|j||||krt!|j|dS)Nz9Skipping RBAC bootstrap for non-system role %s on user %sFzFCannot bind tenant-scoped system role %s for user %s without tenant_id)user_iddesired_role_codedesired_domainr[r]T)rBSYSTEM_ROLE_CODESr<debugidTENANT_ROLE_CODESr6warningr/rDrY_get_role_domain_sync_user_role_records_sync_grouping_policiescommitrr)r0rZr[r] role_coder@ desired_rolercs rCsync_user_role_bindingz+RBACBootstrapService.sync_user_role_bindings_I - - - LLKYX\X_   5 ) ) )4> ) NNX    5,@@DD 99"===$Y/ ->>y$.YY44R,/RRR44G')'1 5     #DG^<<<  ).@N.R.R '1C D D DtrEct} t|t||t t j }|D]}|j tvr|j tvr|j s(|tjtj|j k}|t||j|t|j |j }t|j|j |t)|j||t-t.dn=#t2$r0|t.dwxYw |dS#|wxYw)N)rarbrcz%RBAC bootstrap completed successfullyzFailed to bootstrap RBAC state)r r/rDrYr8r r9r>allrBrdrgr6r rfr4scalarrjrirkrrlrr<r= Exceptionrollback exceptionclose)r0rrZdesired_role_idrcs rCbootstrap_legacy_rbac_statez0RBACBootstrapService.bootstrap_legacy_rbac_states ^^  4 4R 8 8 8 = =b A A AHHTNN))do*=>>BBDDE E E9$5559 1114>1"$((47"3"3":":49 ;Q"R"R"Y"Y"["["*$< > >   A HHJJJJJBHHJJJJsGGH':H  H''H= Sequence[int]cd|tjtj tjdkDS)Ncg|]\}|Sr|).0r6s rC z?RBACBootstrapService._get_active_tenant_ids..s*        rEr)r8r rfr9r>rq)r0s rCrNz+RBACBootstrapService._get_active_tenant_idssU   hhvy11 V))69q= 9 9 SUU     rErmrOr6intc:|tvrdSt|pdS)Nr)PLATFORM_ROLE_CODESr)rmr6s rCriz%RBACBootstrapService._get_role_domains% + + +19>"""rErarwc|ttj|k}d}|D]}|j|kr d|_d}|s$|t|||tttj tjktj|ktj ttj |ktj }|D] }d|_ |dS)NFT)rarole_id)r8r r9rarqrr>r;joinr rfr4in_rdr?)r0rarw role_links desired_foundlink system_linkss rCrjz,RBACBootstrapService._sync_user_role_recordss-XXh''..x/?7/JKKOOQQ   % %D|.."' $  G FF8G_EEE F F F HHX   T$8#33 4 4 V G+ /00?*''  SUU ! # #D"DOO  rErbrcc t}d|}d|}d|h}|||tD];} |D]6} | |kr| |kr||d| t | 7<|rH||krBt ||} ||d|t | |||t |dS)Nzuser:zrole:r)rr;rdremove_grouping_policyrOr/riadd_grouping_policy) rarbrcr[r]rSsubjectrncleanup_domainsrmrX old_domains rCrkz,RBACBootstrapService._sync_grouping_policiess3 >>#'##2022 n-  )    2 3 3 3* [ [I) [ [ 111f6N6N//9L9L9LcRXkkZZZZ [  _].???->>}N`aaJ  + +G5L]5L5LcR\oo ^ ^ ^$$WlCrs"""""""$$$$$$""""""WWWWWWWWWW'''''' $$$$$$ ))))))%%%%%% H  0A[\\,=TUU0AUVV,=TUU 66 E1668899'9%7 >  uQuQuQuQuQuQuQuQuQuQrE