cloud-api/src/iam/service.py

"""
Business logic reusable functions related to IAM

Exports:
 - service_key_dependency: bool: verifies request headers contain the correct api key for the service
"""

from typing import Annotated
from datetime import datetime, timedelta, timezone
from fastapi import Request, Depends
from sqlalchemy.orm import Session

from src.database import db_dependency
from src.exceptions import UnauthorizedException
from src.utils import send_email, generate_jwt
from src.iam.models import Group
from src.organisation.models import Organisation as Org
from src.user.models import User
from src.iam.models import Permission as Perm

from src.service.models import Service
from src.service.schemas import HasServiceName


def valid_service_key(
	db: db_dependency, request: Request, request_model: HasServiceName
) -> bool:
	rn = request_model.rn
	api_key = request.headers.get("X-API-Key", None)
	if not api_key:
		raise UnauthorizedException("Missing API key")
	service = rn.service
	result = (
		db.query(Service)
		.filter(Service.name == service)
		.filter(Service.api_key == api_key)
		.first()
	)
	if result is None:
		raise UnauthorizedException("Invalid API key")

	return True


service_key_dependency = Annotated[bool, Depends(valid_service_key)]


async def send_user_group_invitation(
	user_email: str, org_name: str, org_id: int, group_id: int, group_name: str
):
	expiry_delta = timedelta(hours=24)
	expiry = datetime.now(timezone.utc) + expiry_delta
	claims = {
		"email": user_email,
		"org_id": org_id,
		"group_id": group_id,
		"group_name": group_name,
		"exp": expiry,
		"type": "group_invite",
	}

	token = await generate_jwt(claims)
	subject = f"You have been invited to join a group of {org_name}"
	body = f"You have been invited to join {group_name}.\nClick the link to accept.\nfrontend.capture/send/to/endpoint/{token}"

	await send_email(
		recipient=user_email,
		subject=subject,
		body=body,
	)


async def create_group_and_assign_perms(
	db: Session, org_model: Org, group_name: str, perm_list: list[int]
):
	new_group = Group(name=group_name, org_id=org_model.id)
	db.add(new_group)
	db.flush()

	for permission in perm_list:
		perm_model = db.get(Perm, permission)

		if perm_model is None:
			continue

		new_group.permission_rel.append(perm_model)
		db.flush()

	return new_group


async def assign_default_group(
	db: db_dependency,
	org_model: Org,
	user_model: User,
	group_name: str,
	perm_list: list[int],
):
	group_model = (
		db.query(Group)
		.filter(Group.org_id == org_model.id)
		.filter(Group.name == group_name)
		.first()
	)

	if group_model is None:
		group_model = await create_group_and_assign_perms(
			db=db, group_name=group_name, org_model=org_model, perm_list=perm_list
		)

	user_model.group_rel.append(group_model)
	db.flush()
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`"""`
docs: iam docstrings Issue: #13 2026-05-28 13:22:24 +01:00			`Business logic reusable functions related to IAM`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
docs: iam docstrings Issue: #13 2026-05-28 13:22:24 +01:00			`Exports:`
			`- service_key_dependency: bool: verifies request headers contain the correct api key for the service`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`"""`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`from typing import Annotated`
feat: sua added to group invitations Issue: #23 2026-06-09 16:52:22 +01:00			`from datetime import datetime, timedelta, timezone`
feat: service key dependency generic Dependency to verify service API key accepts the service_name from a RN generic, allowing for endpoints without a full RN to use it. 2026-06-16 16:09:17 +01:00			`from fastapi import Request, Depends`
feat: user and org defaults Root and User defaults made more generic and merged. Root user group assignment merged with org default perm assignment. Root user granted all default org permissions at org creation. 2026-06-17 10:49:58 +01:00			`from sqlalchemy.orm import Session`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
			`from src.database import db_dependency`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`from src.exceptions import UnauthorizedException`
feat: sua added to group invitations Issue: #23 2026-06-09 16:52:22 +01:00			`from src.utils import send_email, generate_jwt`
feat: default iam groups on org create Root user is given the `Default Users` and `Root User` permission groups on org creation. 2026-06-15 11:26:22 +01:00			`from src.iam.models import Group`
feat: user and org defaults Root and User defaults made more generic and merged. Root user group assignment merged with org default perm assignment. Root user granted all default org permissions at org creation. 2026-06-17 10:49:58 +01:00			`from src.organisation.models import Organisation as Org`
			`from src.user.models import User`
			`from src.iam.models import Permission as Perm`
feat: default iam groups on org create Root user is given the `Default Users` and `Root User` permission groups on org creation. 2026-06-15 11:26:22 +01:00
feat: service key dependency generic Dependency to verify service API key accepts the service_name from a RN generic, allowing for endpoints without a full RN to use it. 2026-06-16 16:09:17 +01:00			`from src.service.models import Service`
			`from src.service.schemas import HasServiceName`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00

feat: improved caor request model Issue: #23 2026-06-10 09:32:02 +01:00			`def valid_service_key(`
feat: service key dependency generic Dependency to verify service API key accepts the service_name from a RN generic, allowing for endpoints without a full RN to use it. 2026-06-16 16:09:17 +01:00			`db: db_dependency, request: Request, request_model: HasServiceName`
feat: improved caor request model Issue: #23 2026-06-10 09:32:02 +01:00			`) -> bool:`
			`rn = request_model.rn`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`api_key = request.headers.get("X-API-Key", None)`
			`if not api_key:`
minor: renames and error messages 2026-06-04 14:53:35 +01:00			`raise UnauthorizedException("Missing API key")`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`service = rn.service`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`result = (`
			`db.query(Service)`
			`.filter(Service.name == service)`
			`.filter(Service.api_key == api_key)`
			`.first()`
			`)`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`if result is None:`
minor: renames and error messages 2026-06-04 14:53:35 +01:00			`raise UnauthorizedException("Invalid API key")`
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00
			`return True`

minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00
feat: iam rbac system Endpoints and db architecture to support a role based IAM system. 2026-05-25 09:05:17 +01:00			`service_key_dependency = Annotated[bool, Depends(valid_service_key)]`
feat: sua added to group invitations Issue: #23 2026-06-09 16:52:22 +01:00

			`async def send_user_group_invitation(`
			`user_email: str, org_name: str, org_id: int, group_id: int, group_name: str`
			`):`
			`expiry_delta = timedelta(hours=24)`
			`expiry = datetime.now(timezone.utc) + expiry_delta`
			`claims = {`
			`"email": user_email,`
			`"org_id": org_id,`
			`"group_id": group_id,`
			`"group_name": group_name,`
			`"exp": expiry,`
			`"type": "group_invite",`
			`}`

			`token = await generate_jwt(claims)`
			`subject = f"You have been invited to join a group of {org_name}"`
			`body = f"You have been invited to join {group_name}.\nClick the link to accept.\nfrontend.capture/send/to/endpoint/{token}"`

			`await send_email(`
			`recipient=user_email,`
			`subject=subject,`
			`body=body,`
			`)`
feat: default iam groups on org create Root user is given the `Default Users` and `Root User` permission groups on org creation. 2026-06-15 11:26:22 +01:00

feat: user and org defaults Root and User defaults made more generic and merged. Root user group assignment merged with org default perm assignment. Root user granted all default org permissions at org creation. 2026-06-17 10:49:58 +01:00			`async def create_group_and_assign_perms(`
			`db: Session, org_model: Org, group_name: str, perm_list: list[int]`
			`):`
			`new_group = Group(name=group_name, org_id=org_model.id)`
feat: default iam groups on org create Root user is given the `Default Users` and `Root User` permission groups on org creation. 2026-06-15 11:26:22 +01:00			`db.add(new_group)`
			`db.flush()`

feat: user and org defaults Root and User defaults made more generic and merged. Root user group assignment merged with org default perm assignment. Root user granted all default org permissions at org creation. 2026-06-17 10:49:58 +01:00			`for permission in perm_list:`
			`perm_model = db.get(Perm, permission)`
feat: default iam groups on org create Root user is given the `Default Users` and `Root User` permission groups on org creation. 2026-06-15 11:26:22 +01:00
feat: user and org defaults Root and User defaults made more generic and merged. Root user group assignment merged with org default perm assignment. Root user granted all default org permissions at org creation. 2026-06-17 10:49:58 +01:00			`if perm_model is None:`
			`continue`
feat: default iam groups on org create Root user is given the `Default Users` and `Root User` permission groups on org creation. 2026-06-15 11:26:22 +01:00
feat: user and org defaults Root and User defaults made more generic and merged. Root user group assignment merged with org default perm assignment. Root user granted all default org permissions at org creation. 2026-06-17 10:49:58 +01:00			`new_group.permission_rel.append(perm_model)`
			`db.flush()`
feat: default iam groups on org create Root user is given the `Default Users` and `Root User` permission groups on org creation. 2026-06-15 11:26:22 +01:00
			`return new_group`


feat: user and org defaults Root and User defaults made more generic and merged. Root user group assignment merged with org default perm assignment. Root user granted all default org permissions at org creation. 2026-06-17 10:49:58 +01:00			`async def assign_default_group(`
			`db: db_dependency,`
			`org_model: Org,`
			`user_model: User,`
			`group_name: str,`
			`perm_list: list[int],`
			`):`
			`group_model = (`
			`db.query(Group)`
			`.filter(Group.org_id == org_model.id)`
			`.filter(Group.name == group_name)`
			`.first()`
			`)`
feat: default iam groups on org create Root user is given the `Default Users` and `Root User` permission groups on org creation. 2026-06-15 11:26:22 +01:00
			`if group_model is None:`
feat: user and org defaults Root and User defaults made more generic and merged. Root user group assignment merged with org default perm assignment. Root user granted all default org permissions at org creation. 2026-06-17 10:49:58 +01:00			`group_model = await create_group_and_assign_perms(`
			`db=db, group_name=group_name, org_model=org_model, perm_list=perm_list`
			`)`
feat: default iam groups on org create Root user is given the `Default Users` and `Root User` permission groups on org creation. 2026-06-15 11:26:22 +01:00
			`user_model.group_rel.append(group_model)`
			`db.flush()`