kiwi-vpn/api/kiwi_vpn_api/routers/user.py

"""
/user endpoints.
"""

from fastapi import APIRouter, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordRequestForm
from pydantic import BaseModel

from ..config import Config
from ..db import User, UserCapabilityType, UserCreate, UserRead
from ._common import Responses, get_current_user, get_current_user_if_admin

router = APIRouter(prefix="/user", tags=["user"])


class Token(BaseModel):
    """
    Response model for issuing tokens.
    """

    access_token: str
    token_type: str


@router.post("/authenticate", response_model=Token)
async def login(
    form_data: OAuth2PasswordRequestForm = Depends(),
    current_config: Config | None = Depends(Config.load),
):
    """
    POST ./authenticate: Authenticate a user. Issues a bearer token.
    """

    # fail if not installed
    if current_config is None:
        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)

    # try logging in
    if not (user := User.authenticate(
        name=form_data.username,
        password=form_data.password,
    )):
        # authentication failed
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Could not validate credentials",
            headers={"WWW-Authenticate": "Bearer"},
        )

    if not user.can(UserCapabilityType.login):
        # user cannot login
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)

    # authentication succeeded
    access_token = await current_config.jwt.create_token(user.name)
    return {"access_token": access_token, "token_type": "bearer"}


@router.get("/current", response_model=UserRead)
async def get_current_user(
    current_user: User | None = Depends(get_current_user),
):
    """
    GET ./current: Respond with the currently logged-in user.
    """

    return current_user


@router.post(
    "",
    responses={
        status.HTTP_200_OK: Responses.OK,
        status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
        status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
        status.HTTP_403_FORBIDDEN: Responses.NEEDS_ADMIN,
        status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
    },
    response_model=User,
)
async def add_user(
    user: UserCreate,
    _: User = Depends(get_current_user_if_admin),
):
    """
    POST ./: Create a new user in the database.
    """

    # actually create the new user
    new_user = User.create(**user.dict())
    new_user.set_capabilities((UserCapabilityType.login))

    # fail if creation was unsuccessful
    if new_user is None:
        raise HTTPException(status_code=status.HTTP_409_CONFLICT)

    # return the created user on success
    return new_user


@router.delete(
    "/{user_name}",
    responses={
        status.HTTP_200_OK: Responses.OK,
        status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
        status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
        status.HTTP_403_FORBIDDEN: Responses.NEEDS_ADMIN,
        status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
    },
    response_model=User,
)
async def remove_user(
    user_name: str,
    _: User = Depends(get_current_user_if_admin),
):
    """
    DELETE ./{user_name}: Remove a user from the database.
    """

    # get the user
    user = User.get(user_name)

    # fail if user not found
    if user is None:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)

    # delete user
    user.delete()


@router.post(
    "/{user_name}/capabilities",
    responses={
        status.HTTP_200_OK: Responses.OK,
        status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
        status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
        status.HTTP_403_FORBIDDEN: Responses.NEEDS_ADMIN,
    },
)
async def extend_capabilities(
    user_name: str,
    capabilities: list[UserCapabilityType],
    _: User = Depends(get_current_user_if_admin),
):
    """
    POST ./{user_name}/capabilities: Add capabilities to a user.
    """

    # get and change the user
    user = User.get(user_name)

    user.set_capabilities(
        user.get_capabilities() | set(capabilities)
    )

    user.update()


@router.delete(
    "/{user_name}/capabilities",
    responses={
        status.HTTP_200_OK: Responses.OK,
        status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
        status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
        status.HTTP_403_FORBIDDEN: Responses.NEEDS_ADMIN,
    },
)
async def remove_capabilities(
    user_name: str,
    capabilities: list[UserCapabilityType],
    _: User = Depends(get_current_user_if_admin),
):
    """
    DELETE ./{user_name}/capabilities: Remove capabilities from a user.
    """

    # get and change the user
    user = User.get(user_name)

    user.set_capabilities(
        user.get_capabilities() - set(capabilities)
    )

    user.update()
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`"""`
			`/user endpoints.`
			`"""`

basic API with OAuth2 and a little sqlite DB 2022-03-15 16:19:37 +00:00			`from fastapi import APIRouter, Depends, HTTPException, status`
get_current_user into deps 2022-03-19 04:07:19 +00:00			`from fastapi.security import OAuth2PasswordRequestForm`
basic API with OAuth2 and a little sqlite DB 2022-03-15 16:19:37 +00:00			`from pydantic import BaseModel`

JWT handling 2022-03-19 02:22:49 +00:00			`from ..config import Config`
side effects 2022-03-28 22:07:12 +00:00			`from ..db import User, UserCapabilityType, UserCreate, UserRead`
brevity 2022-03-23 01:14:02 +00:00			`from ._common import Responses, get_current_user, get_current_user_if_admin`
relative imports 2022-03-15 16:25:07 +00:00
router tags 2022-03-24 23:45:01 +00:00			`router = APIRouter(prefix="/user", tags=["user"])`
basic API with OAuth2 and a little sqlite DB 2022-03-15 16:19:37 +00:00

			`class Token(BaseModel):`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`"""`
			`Response model for issuing tokens.`
			`"""`

basic API with OAuth2 and a little sqlite DB 2022-03-15 16:19:37 +00:00			`access_token: str`
			`token_type: str`


documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`@router.post("/authenticate", response_model=Token)`
refactor CRUD utils 2022-03-18 23:45:09 +00:00			`async def login(`
"auth" -> "user" 2022-03-18 23:04:28 +00:00			`form_data: OAuth2PasswordRequestForm = Depends(),`
get_current_user into deps 2022-03-19 04:07:19 +00:00			`current_config: Config \| None = Depends(Config.load),`
/user/auth and GET /user/current working 2022-03-19 00:38:57 +00:00			`):`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`"""`
			`POST ./authenticate: Authenticate a user. Issues a bearer token.`
			`"""`

			`# fail if not installed`
get_current_user into deps 2022-03-19 04:07:19 +00:00			`if current_config is None:`
			`raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)`

documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`# try logging in`
fix user router 2022-03-28 20:18:19 +00:00			`if not (user := User.authenticate(`
			`name=form_data.username,`
/user/auth and GET /user/current working 2022-03-19 00:38:57 +00:00			`password=form_data.password,`
fix user router 2022-03-28 20:18:19 +00:00			`)):`
make User.authenticate an instance function 2022-03-20 04:00:14 +00:00			`# authentication failed`
/user/auth and GET /user/current working 2022-03-19 00:38:57 +00:00			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Could not validate credentials",`
			`headers={"WWW-Authenticate": "Bearer"},`
			`)`

check: user can login, "admin" can do everything 2022-03-28 22:17:31 +00:00			`if not user.can(UserCapabilityType.login):`
			`# user cannot login`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)`

documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`# authentication succeeded`
get_current_user into deps 2022-03-19 04:07:19 +00:00			`access_token = await current_config.jwt.create_token(user.name)`
/user/auth and GET /user/current working 2022-03-19 00:38:57 +00:00			`return {"access_token": access_token, "token_type": "bearer"}`


fix user router 2022-03-28 20:18:19 +00:00			`@router.get("/current", response_model=UserRead)`
/user/auth and GET /user/current working 2022-03-19 00:38:57 +00:00			`async def get_current_user(`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`current_user: User \| None = Depends(get_current_user),`
/user/auth and GET /user/current working 2022-03-19 00:38:57 +00:00			`):`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`"""`
			`GET ./current: Respond with the currently logged-in user.`
			`"""`

/user/auth and GET /user/current working 2022-03-19 00:38:57 +00:00			`return current_user`
new user creation 2022-03-19 18:06:28 +00:00

			`@router.post(`
typo 2022-03-23 13:40:14 +00:00			`"",`
new user creation 2022-03-19 18:06:28 +00:00			`responses={`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`status.HTTP_200_OK: Responses.OK,`
			`status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,`
			`status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,`
			`status.HTTP_403_FORBIDDEN: Responses.NEEDS_ADMIN,`
			`status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,`
new user creation 2022-03-19 18:06:28 +00:00			`},`
brevity 2022-03-20 02:32:40 +00:00			`response_model=User,`
new user creation 2022-03-19 18:06:28 +00:00			`)`
			`async def add_user(`
brevity 2022-03-20 02:32:40 +00:00			`user: UserCreate,`
brevity 2022-03-23 01:14:02 +00:00			`_: User = Depends(get_current_user_if_admin),`
new user creation 2022-03-19 18:06:28 +00:00			`):`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`"""`
User creation/deletion 2022-03-23 13:25:00 +00:00			`POST ./: Create a new user in the database.`
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`"""`

			`# actually create the new user`
fix user router 2022-03-28 20:18:19 +00:00			`new_user = User.create(**user.dict())`
check: user can login, "admin" can do everything 2022-03-28 22:17:31 +00:00			`new_user.set_capabilities((UserCapabilityType.login))`
new user creation 2022-03-19 18:06:28 +00:00
documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`# fail if creation was unsuccessful`
new user creation 2022-03-19 18:06:28 +00:00			`if new_user is None:`
			`raise HTTPException(status_code=status.HTTP_409_CONFLICT)`

documentation & some minor refactoring 2022-03-20 03:45:40 +00:00			`# return the created user on success`
new user creation 2022-03-19 18:06:28 +00:00			`return new_user`
add and remove capabilities 2022-03-23 00:39:19 +00:00

User creation/deletion 2022-03-23 13:25:00 +00:00			`@router.delete(`
			`"/{user_name}",`
			`responses={`
			`status.HTTP_200_OK: Responses.OK,`
			`status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,`
			`status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,`
			`status.HTTP_403_FORBIDDEN: Responses.NEEDS_ADMIN,`
Error 404 2022-03-23 15:27:41 +00:00			`status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,`
User creation/deletion 2022-03-23 13:25:00 +00:00			`},`
			`response_model=User,`
			`)`
			`async def remove_user(`
			`user_name: str,`
			`_: User = Depends(get_current_user_if_admin),`
			`):`
			`"""`
			`DELETE ./{user_name}: Remove a user from the database.`
			`"""`

			`# get the user`
fix user router 2022-03-28 20:18:19 +00:00			`user = User.get(user_name)`
User creation/deletion 2022-03-23 13:25:00 +00:00
fix user router 2022-03-28 20:18:19 +00:00			`# fail if user not found`
			`if user is None:`
Error 404 2022-03-23 15:27:41 +00:00			`raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)`
User creation/deletion 2022-03-23 13:25:00 +00:00
fix user router 2022-03-28 20:18:19 +00:00			`# delete user`
			`user.delete()`

User creation/deletion 2022-03-23 13:25:00 +00:00
add and remove capabilities 2022-03-23 00:39:19 +00:00			`@router.post(`
			`"/{user_name}/capabilities",`
			`responses={`
			`status.HTTP_200_OK: Responses.OK,`
			`status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,`
			`status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,`
			`status.HTTP_403_FORBIDDEN: Responses.NEEDS_ADMIN,`
			`},`
			`)`
			`async def extend_capabilities(`
			`user_name: str,`
Capability -> UserCapabilityType 2022-03-28 21:41:49 +00:00			`capabilities: list[UserCapabilityType],`
brevity 2022-03-23 01:14:02 +00:00			`_: User = Depends(get_current_user_if_admin),`
add and remove capabilities 2022-03-23 00:39:19 +00:00			`):`
			`"""`
			`POST ./{user_name}/capabilities: Add capabilities to a user.`
			`"""`

			`# get and change the user`
fix user router 2022-03-28 20:18:19 +00:00			`user = User.get(user_name)`

			`user.set_capabilities(`
			`user.get_capabilities() \| set(capabilities)`
add and remove capabilities 2022-03-23 00:39:19 +00:00			`)`

fix user router 2022-03-28 20:18:19 +00:00			`user.update()`
add and remove capabilities 2022-03-23 00:39:19 +00:00

			`@router.delete(`
			`"/{user_name}/capabilities",`
			`responses={`
			`status.HTTP_200_OK: Responses.OK,`
			`status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,`
			`status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,`
			`status.HTTP_403_FORBIDDEN: Responses.NEEDS_ADMIN,`
			`},`
			`)`
			`async def remove_capabilities(`
			`user_name: str,`
Capability -> UserCapabilityType 2022-03-28 21:41:49 +00:00			`capabilities: list[UserCapabilityType],`
brevity 2022-03-23 01:14:02 +00:00			`_: User = Depends(get_current_user_if_admin),`
add and remove capabilities 2022-03-23 00:39:19 +00:00			`):`
			`"""`
brevity 2022-03-23 01:14:02 +00:00			`DELETE ./{user_name}/capabilities: Remove capabilities from a user.`
add and remove capabilities 2022-03-23 00:39:19 +00:00			`"""`

			`# get and change the user`
fix user router 2022-03-28 20:18:19 +00:00			`user = User.get(user_name)`
add and remove capabilities 2022-03-23 00:39:19 +00:00
fix user router 2022-03-28 20:18:19 +00:00			`user.set_capabilities(`
			`user.get_capabilities() - set(capabilities)`
			`)`
add and remove capabilities 2022-03-23 00:39:19 +00:00
fix user router 2022-03-28 20:18:19 +00:00			`user.update()`