cloud-api/src/iam/service.py

"""
Business logic reusable functions related to IAM

Exports:
 - service_key_dependency: bool: verifies request headers contain the correct api key for the service
"""

from typing import Annotated
from datetime import datetime, timedelta, timezone
from fastapi import Request, Depends

from src.database import db_dependency
from src.exceptions import UnauthorizedException
from src.utils import send_email, generate_jwt
from src.iam.models import Group

from src.service.models import Service
from src.service.schemas import HasServiceName


def valid_service_key(
	db: db_dependency, request: Request, request_model: HasServiceName
) -> bool:
	rn = request_model.rn
	api_key = request.headers.get("X-API-Key", None)
	if not api_key:
		raise UnauthorizedException("Missing API key")
	service = rn.service
	result = (
		db.query(Service)
		.filter(Service.name == service)
		.filter(Service.api_key == api_key)
		.first()
	)
	if result is None:
		raise UnauthorizedException("Invalid API key")

	return True


service_key_dependency = Annotated[bool, Depends(valid_service_key)]


async def send_user_group_invitation(
	user_email: str, org_name: str, org_id: int, group_id: int, group_name: str
):
	expiry_delta = timedelta(hours=24)
	expiry = datetime.now(timezone.utc) + expiry_delta
	claims = {
		"email": user_email,
		"org_id": org_id,
		"group_id": group_id,
		"group_name": group_name,
		"exp": expiry,
		"type": "group_invite",
	}

	token = await generate_jwt(claims)
	subject = f"You have been invited to join a group of {org_name}"
	body = f"You have been invited to join {group_name}.\nClick the link to accept.\nfrontend.capture/send/to/endpoint/{token}"

	await send_email(
		recipient=user_email,
		subject=subject,
		body=body,
	)


async def create_default_user_group(db: db_dependency, org_model):
	new_group = Group(name="Default Users", org_id=org_model.id)
	db.add(new_group)
	db.flush()
	# Grant default permissions here
	db.flush()
	return new_group


async def assign_default_user_group(db: db_dependency, org_model, user_model):
	group_model = None
	for group in org_model.group_rel:
		if group.name == "Default Users":
			group_model = group
			break

	if group_model is None:
		group_model = await create_default_user_group(db=db, org_model=org_model)

	user_model.group_rel.append(group_model)
	db.flush()


async def create_default_root_group(db: db_dependency, org_model):
	new_group = Group(name="Root User", org_id=org_model.id)
	db.add(new_group)
	db.flush()
	# Grant default permissions here
	db.flush()
	return new_group


async def assign_default_root_group(db: db_dependency, org_model, user_model):
	group_model = None
	for group in org_model.group_rel:
		if group.name == "Root User":
			group_model = group
			break

	if group_model is None:
		group_model = await create_default_root_group(db=db, org_model=org_model)

	user_model.group_rel.append(group_model)
	db.flush()
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`"""`
docs: iam docstrings Issue: #13 2026-05-28 13:22:24 +01:00			`Business logic reusable functions related to IAM`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
docs: iam docstrings Issue: #13 2026-05-28 13:22:24 +01:00			`Exports:`
			`- service_key_dependency: bool: verifies request headers contain the correct api key for the service`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`"""`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`from typing import Annotated`
feat: sua added to group invitations Issue: #23 2026-06-09 16:52:22 +01:00			`from datetime import datetime, timedelta, timezone`
feat: service key dependency generic Dependency to verify service API key accepts the service_name from a RN generic, allowing for endpoints without a full RN to use it. 2026-06-16 16:09:17 +01:00			`from fastapi import Request, Depends`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
			`from src.database import db_dependency`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`from src.exceptions import UnauthorizedException`
feat: sua added to group invitations Issue: #23 2026-06-09 16:52:22 +01:00			`from src.utils import send_email, generate_jwt`
feat: default iam groups on org create Root user is given the `Default Users` and `Root User` permission groups on org creation. 2026-06-15 11:26:22 +01:00			`from src.iam.models import Group`

feat: service key dependency generic Dependency to verify service API key accepts the service_name from a RN generic, allowing for endpoints without a full RN to use it. 2026-06-16 16:09:17 +01:00			`from src.service.models import Service`
			`from src.service.schemas import HasServiceName`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00

feat: improved caor request model Issue: #23 2026-06-10 09:32:02 +01:00			`def valid_service_key(`
feat: service key dependency generic Dependency to verify service API key accepts the service_name from a RN generic, allowing for endpoints without a full RN to use it. 2026-06-16 16:09:17 +01:00			`db: db_dependency, request: Request, request_model: HasServiceName`
feat: improved caor request model Issue: #23 2026-06-10 09:32:02 +01:00			`) -> bool:`
			`rn = request_model.rn`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`api_key = request.headers.get("X-API-Key", None)`
			`if not api_key:`
minor: renames and error messages 2026-06-04 14:53:35 +01:00			`raise UnauthorizedException("Missing API key")`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`service = rn.service`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`result = (`
			`db.query(Service)`
			`.filter(Service.name == service)`
			`.filter(Service.api_key == api_key)`
			`.first()`
			`)`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`if result is None:`
minor: renames and error messages 2026-06-04 14:53:35 +01:00			`raise UnauthorizedException("Invalid API key")`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
			`return True`

minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`service_key_dependency = Annotated[bool, Depends(valid_service_key)]`
feat: sua added to group invitations Issue: #23 2026-06-09 16:52:22 +01:00

			`async def send_user_group_invitation(`
			`user_email: str, org_name: str, org_id: int, group_id: int, group_name: str`
			`):`
			`expiry_delta = timedelta(hours=24)`
			`expiry = datetime.now(timezone.utc) + expiry_delta`
			`claims = {`
			`"email": user_email,`
			`"org_id": org_id,`
			`"group_id": group_id,`
			`"group_name": group_name,`
			`"exp": expiry,`
			`"type": "group_invite",`
			`}`

			`token = await generate_jwt(claims)`
			`subject = f"You have been invited to join a group of {org_name}"`
			`body = f"You have been invited to join {group_name}.\nClick the link to accept.\nfrontend.capture/send/to/endpoint/{token}"`

			`await send_email(`
			`recipient=user_email,`
			`subject=subject,`
			`body=body,`
			`)`
feat: default iam groups on org create Root user is given the `Default Users` and `Root User` permission groups on org creation. 2026-06-15 11:26:22 +01:00

			`async def create_default_user_group(db: db_dependency, org_model):`
			`new_group = Group(name="Default Users", org_id=org_model.id)`
			`db.add(new_group)`
			`db.flush()`
			`# Grant default permissions here`
			`db.flush()`
			`return new_group`


			`async def assign_default_user_group(db: db_dependency, org_model, user_model):`
			`group_model = None`
			`for group in org_model.group_rel:`
			`if group.name == "Default Users":`
			`group_model = group`
			`break`

			`if group_model is None:`
			`group_model = await create_default_user_group(db=db, org_model=org_model)`

			`user_model.group_rel.append(group_model)`
			`db.flush()`


			`async def create_default_root_group(db: db_dependency, org_model):`
			`new_group = Group(name="Root User", org_id=org_model.id)`
			`db.add(new_group)`
			`db.flush()`
			`# Grant default permissions here`
			`db.flush()`
			`return new_group`


			`async def assign_default_root_group(db: db_dependency, org_model, user_model):`
			`group_model = None`
			`for group in org_model.group_rel:`
			`if group.name == "Root User":`
			`group_model = group`
			`break`

			`if group_model is None:`
			`group_model = await create_default_root_group(db=db, org_model=org_model)`

			`user_model.group_rel.append(group_model)`
			`db.flush()`