kiwi-vpn/api/kiwi_vpn_api/db/user.py

"""
Python representation of `user` table.
"""

from __future__ import annotations

from typing import Any, Iterable, Sequence

from pydantic import root_validator
from sqlalchemy.exc import IntegrityError
from sqlmodel import Field, Relationship, SQLModel

from ..config import Config
from .connection import Connection
from .device import Device
from .tag import Tag, TagValue


class UserBase(SQLModel):
    """
    Common to all representations of users
    """

    name: str = Field(primary_key=True)
    email: str | None = Field(default=None)

    country: str | None = Field(default=None, max_length=2)
    state: str | None = Field(default=None)
    city: str | None = Field(default=None)
    organization: str | None = Field(default=None)
    organizational_unit: str | None = Field(default=None)


class UserCreate(UserBase):
    """
    Representation of a newly created user
    """

    password: str | None = Field(default=None)
    password_clear: str | None = Field(default=None)

    @root_validator
    @classmethod
    def hash_password(cls, values: dict[str, Any]) -> dict[str, Any]:
        """
        Ensure the `password` value of this user gets set.
        """

        if (values.get("password")) is not None:
            # password is set
            return values

        if (password_clear := values.get("password_clear")) is None:
            raise ValueError("No password to hash")

        if (current_config := Config._) is None:
            raise ValueError("Not configured")

        values["password"] = current_config.crypto.crypt_context.hash(
            password_clear)

        return values


class UserRead(UserBase):
    """
    Representation of a user read via the API
    """

    pass


class User(UserBase, table=True):
    """
    Representation of `user` table
    """

    password: str

    tags: list[Tag] = Relationship(
        back_populates="user",
        sa_relationship_kwargs={
            "lazy": "joined",
            "cascade": "all, delete-orphan",
        },
    )

    devices: list[Device] = Relationship(
        back_populates="owner",
    )

    @classmethod
    def create(
        cls,
        *,
        user: UserCreate,
    ) -> User | None:
        """
        Create a new user in the database.
        """

        try:
            with Connection.session as db:
                new_user = cls.from_orm(user)

                db.add(new_user)
                db.commit()
                db.refresh(new_user)

                return new_user

        except IntegrityError:
            # user already existed
            return None

    @classmethod
    def get(cls, name: str) -> User | None:
        """
        Load user from database by name.
        """

        with Connection.session as db:
            return db.get(cls, name)

    @classmethod
    def authenticate(
        cls,
        name: str,
        password: str,
    ) -> User | None:
        """
        Authenticate with name/password against users in database.
        """

        crypt_context = Config._.crypto.crypt_context

        if (user := cls.get(name)) is None:
            # nonexistent user, fake doing password verification
            crypt_context.dummy_verify()
            return None

        if not crypt_context.verify(password, user.password):
            # password hash mismatch
            return None

        if not (user.has_tag(TagValue.login)
                or user.has_tag(TagValue.admin)):
            # no login permission
            return None

        return user

    def update(self) -> None:
        """
        Update this user in the database.
        """

        with Connection.session as db:
            db.add(self)
            db.commit()
            db.refresh(self)

    def delete(self) -> None:
        """
        Delete this user from the database.
        """

        with Connection.session as db:
            db.delete(self)
            db.commit()

    def _get_tags(self) -> Iterable[TagValue]:
        """
        Return the tags of this user.
        """

        return (
            tag._
            for tag in self.tags
        )

    def has_tag(self, tag: TagValue) -> bool:
        """
        Check if this user has a tag.
        """

        return tag in self._get_tags()

    def add_tags(
        self,
        tags: Sequence[TagValue],
    ) -> None:
        """
        Add tags to this user.
        """

        self.tags = [
            tag._(self)
            for tag in (set(self._get_tags()) | set(tags))
        ]

    def remove_tags(
        self,
        tags: Sequence[TagValue],
    ) -> None:
        """
        remove tags from this user.
        """

        self.tags = [
            tag._(self)
            for tag in (set(self._get_tags()) - set(tags))
        ]

    def can_edit(
        self,
        target: User | Device,
    ) -> bool:
        """
        Check if this user can edit another user or a device.
        """

        # admin can "edit" everything
        if self.has_tag(TagValue.admin):
            return True

        # user can "edit" itself
        if isinstance(target, User) and target != self:
            return False

        # user can edit its owned devices
        return target.owner == self

    def can_admin(
        self,
        target: User | Device,
    ) -> bool:
        """
        Check if this user can administer another user or a device.
        """

        # only admin can "admin" anything
        if not self.has_tag(TagValue.admin):
            return False

        # admin canot "admin itself"!
        if isinstance(target, User) and target == self:
            return False

        # admin can "admin" everything else
        return True

    def can_create(
        self,
        target: type,
        owner: User | None = None,
    ) -> bool:
        """
        Check if this user can create another user or a device.
        """

        # can never create anything but users or devices
        if not issubclass(target, (User, Device)):
            return False

        # admin can "create" everything
        if self.has_tag(TagValue.admin):
            return True

        # user can only create devices for itself
        if target is Device and owner == self:
            return True

        # deny be default
        return False
Docstrings 2022-03-28 20:58:40 +00:00			`"""`
rollback tablename settings 2022-03-28 21:54:39 +00:00			Python representation of `user` table.
Docstrings 2022-03-28 20:58:40 +00:00			`"""`

"user" table with sqlmodel 2022-03-27 01:17:48 +00:00			`from __future__ import annotations`

rework User methods 2022-03-30 01:51:43 +00:00			`from typing import Any, Iterable, Sequence`
"user" table with sqlmodel 2022-03-27 01:17:48 +00:00
			`from pydantic import root_validator`
			`from sqlalchemy.exc import IntegrityError`
Capabilities 2022-03-27 13:47:38 +00:00			`from sqlmodel import Field, Relationship, SQLModel`
"user" table with sqlmodel 2022-03-27 01:17:48 +00:00
			`from ..config import Config`
			`from .connection import Connection`
add devices 2022-03-28 00:43:28 +00:00			`from .device import Device`
rename "capability" -> "tag" 2022-03-29 19:57:33 +00:00			`from .tag import Tag, TagValue`
"user" table with sqlmodel 2022-03-27 01:17:48 +00:00

			`class UserBase(SQLModel):`
Docstrings 2022-03-28 20:58:40 +00:00			`"""`
			`Common to all representations of users`
			`"""`

"user" table with sqlmodel 2022-03-27 01:17:48 +00:00			`name: str = Field(primary_key=True)`
don't require email 2022-03-28 01:00:07 +00:00			`email: str \| None = Field(default=None)`
"user" table with sqlmodel 2022-03-27 01:17:48 +00:00
country max_length 2022-03-30 08:30:20 +00:00			`country: str \| None = Field(default=None, max_length=2)`
"user" table with sqlmodel 2022-03-27 01:17:48 +00:00			`state: str \| None = Field(default=None)`
			`city: str \| None = Field(default=None)`
			`organization: str \| None = Field(default=None)`
			`organizational_unit: str \| None = Field(default=None)`


Docstrings 2022-03-28 20:58:40 +00:00			`class UserCreate(UserBase):`
			`"""`
			`Representation of a newly created user`
			`"""`

			`password: str \| None = Field(default=None)`
			`password_clear: str \| None = Field(default=None)`

			`@root_validator`
			`@classmethod`
			`def hash_password(cls, values: dict[str, Any]) -> dict[str, Any]:`
			`"""`
			Ensure the `password` value of this user gets set.
			`"""`

			`if (values.get("password")) is not None:`
			`# password is set`
			`return values`

			`if (password_clear := values.get("password_clear")) is None:`
			`raise ValueError("No password to hash")`

			`if (current_config := Config._) is None:`
			`raise ValueError("Not configured")`

			`values["password"] = current_config.crypto.crypt_context.hash(`
			`password_clear)`

			`return values`


			`class UserRead(UserBase):`
			`"""`
			`Representation of a user read via the API`
			`"""`

			`pass`


"user" table with sqlmodel 2022-03-27 01:17:48 +00:00			`class User(UserBase, table=True):`
Docstrings 2022-03-28 20:58:40 +00:00			`"""`
rollback tablename settings 2022-03-28 21:54:39 +00:00			Representation of `user` table
Docstrings 2022-03-28 20:58:40 +00:00			`"""`

"user" table with sqlmodel 2022-03-27 01:17:48 +00:00			`password: str`

rename "capability" -> "tag" 2022-03-29 19:57:33 +00:00			`tags: list[Tag] = Relationship(`
Capabilities 2022-03-27 13:47:38 +00:00			`back_populates="user",`
			`sa_relationship_kwargs={`
			`"lazy": "joined",`
			`"cascade": "all, delete-orphan",`
			`},`
			`)`

add devices 2022-03-28 00:43:28 +00:00			`devices: list[Device] = Relationship(`
			`back_populates="owner",`
			`)`

"user" table with sqlmodel 2022-03-27 01:17:48 +00:00			`@classmethod`
User.create() methods 2022-03-29 00:01:28 +00:00			`def create(`
			`cls,`
			`*,`
			`user: UserCreate,`
			`) -> User \| None:`
"user" table with sqlmodel 2022-03-27 01:17:48 +00:00			`"""`
			`Create a new user in the database.`
			`"""`

			`try:`
			`with Connection.session as db:`
User.create() methods 2022-03-29 00:01:28 +00:00			`new_user = cls.from_orm(user)`
"user" table with sqlmodel 2022-03-27 01:17:48 +00:00
User.create() methods 2022-03-29 00:01:28 +00:00			`db.add(new_user)`
"user" table with sqlmodel 2022-03-27 01:17:48 +00:00			`db.commit()`
User.create() methods 2022-03-29 00:01:28 +00:00			`db.refresh(new_user)`
"user" table with sqlmodel 2022-03-27 01:17:48 +00:00
User.create() methods 2022-03-29 00:01:28 +00:00			`return new_user`
"user" table with sqlmodel 2022-03-27 01:17:48 +00:00
			`except IntegrityError:`
			`# user already existed`
			`return None`

			`@classmethod`
			`def get(cls, name: str) -> User \| None:`
User CRUD 2022-03-27 13:47:18 +00:00			`"""`
			`Load user from database by name.`
			`"""`

"user" table with sqlmodel 2022-03-27 01:17:48 +00:00			`with Connection.session as db:`
			`return db.get(cls, name)`

User CRUD 2022-03-27 13:47:18 +00:00			`@classmethod`
			`def authenticate(`
			`cls,`
			`name: str,`
			`password: str,`
			`) -> User \| None:`
			`"""`
			`Authenticate with name/password against users in database.`
			`"""`

fix for crypt_context and load() 2022-03-28 02:23:00 +00:00			`crypt_context = Config._.crypto.crypt_context`
User CRUD 2022-03-27 13:47:18 +00:00
			`if (user := cls.get(name)) is None:`
			`# nonexistent user, fake doing password verification`
			`crypt_context.dummy_verify()`
			`return None`

			`if not crypt_context.verify(password, user.password):`
			`# password hash mismatch`
			`return None`
"user" table with sqlmodel 2022-03-27 01:17:48 +00:00
admin can login 2022-03-30 02:16:06 +00:00			`if not (user.has_tag(TagValue.login)`
			`or user.has_tag(TagValue.admin)):`
basic permissions system 2022-03-29 23:36:23 +00:00			`# no login permission`
			`return None`

User CRUD 2022-03-27 13:47:18 +00:00			`return user`

			`def update(self) -> None:`
			`"""`
			`Update this user in the database.`
			`"""`

			`with Connection.session as db:`
			`db.add(self)`
			`db.commit()`
			`db.refresh(self)`

User.delete return value 2022-03-28 20:18:00 +00:00			`def delete(self) -> None:`
User CRUD 2022-03-27 13:47:18 +00:00			`"""`
			`Delete this user from the database.`
			`"""`

			`with Connection.session as db:`
			`db.delete(self)`
			`db.commit()`
Capabilities 2022-03-27 13:47:38 +00:00
rework User methods 2022-03-30 01:51:43 +00:00			`def _get_tags(self) -> Iterable[TagValue]:`
Docstrings 2022-03-28 20:58:40 +00:00			`"""`
rename "capability" -> "tag" 2022-03-29 19:57:33 +00:00			`Return the tags of this user.`
Docstrings 2022-03-28 20:58:40 +00:00			`"""`

rework User methods 2022-03-30 01:51:43 +00:00			`return (`
rename "capability" -> "tag" 2022-03-29 19:57:33 +00:00			`tag._`
			`for tag in self.tags`
capabilities rework 2022-03-28 00:48:44 +00:00			`)`
Capabilities 2022-03-27 13:47:38 +00:00
rework User methods 2022-03-30 01:51:43 +00:00			`def has_tag(self, tag: TagValue) -> bool:`
			`"""`
			`Check if this user has a tag.`
			`"""`

typo 2022-03-30 02:11:04 +00:00			`return tag in self._get_tags()`
rework User methods 2022-03-30 01:51:43 +00:00
			`def add_tags(`
			`self,`
			`tags: Sequence[TagValue],`
			`) -> None:`
			`"""`
			`Add tags to this user.`
			`"""`

			`self.tags = [`
			`tag._(self)`
			`for tag in (set(self._get_tags()) \| set(tags))`
			`]`

			`def remove_tags(`
check: user can login, "admin" can do everything 2022-03-28 22:17:31 +00:00			`self,`
rename "capability" -> "tag" 2022-03-29 19:57:33 +00:00			`tags: Sequence[TagValue],`
check: user can login, "admin" can do everything 2022-03-28 22:17:31 +00:00			`) -> None:`
Docstrings 2022-03-28 20:58:40 +00:00			`"""`
rework User methods 2022-03-30 01:51:43 +00:00			`remove tags from this user.`
Docstrings 2022-03-28 20:58:40 +00:00			`"""`

rename "capability" -> "tag" 2022-03-29 19:57:33 +00:00			`self.tags = [`
rework User methods 2022-03-30 01:51:43 +00:00			`tag._(self)`
			`for tag in (set(self._get_tags()) - set(tags))`
capabilities rework 2022-03-28 00:48:44 +00:00			`]`
deleting a device 2022-03-29 15:56:12 +00:00
rework User methods 2022-03-30 01:51:43 +00:00			`def can_edit(`
dirty commit 2022-03-29 16:35:41 +00:00			`self,`
basic permissions system 2022-03-29 23:36:23 +00:00			`target: User \| Device,`
dirty commit 2022-03-29 16:35:41 +00:00			`) -> bool:`
			`"""`
basic permissions system 2022-03-29 23:36:23 +00:00			`Check if this user can edit another user or a device.`
dirty commit 2022-03-29 16:35:41 +00:00			`"""`

basic permissions system 2022-03-29 23:36:23 +00:00			`# admin can "edit" everything`
rework User methods 2022-03-30 01:51:43 +00:00			`if self.has_tag(TagValue.admin):`
basic permissions system 2022-03-29 23:36:23 +00:00			`return True`
dirty commit 2022-03-29 16:35:41 +00:00
basic permissions system 2022-03-29 23:36:23 +00:00			`# user can "edit" itself`
			`if isinstance(target, User) and target != self:`
			`return False`
refactor get_user_by_name_if_editable 2022-03-29 16:12:55 +00:00
basic permissions system 2022-03-29 23:36:23 +00:00			`# user can edit its owned devices`
			`return target.owner == self`
dirty commit 2022-03-29 16:35:41 +00:00
rework User methods 2022-03-30 01:51:43 +00:00			`def can_admin(`
dirty commit 2022-03-29 16:35:41 +00:00			`self,`
basic permissions system 2022-03-29 23:36:23 +00:00			`target: User \| Device,`
dirty commit 2022-03-29 16:35:41 +00:00			`) -> bool:`
			`"""`
basic permissions system 2022-03-29 23:36:23 +00:00			`Check if this user can administer another user or a device.`
dirty commit 2022-03-29 16:35:41 +00:00			`"""`

basic permissions system 2022-03-29 23:36:23 +00:00			`# only admin can "admin" anything`
rework User methods 2022-03-30 01:51:43 +00:00			`if not self.has_tag(TagValue.admin):`
basic permissions system 2022-03-29 23:36:23 +00:00			`return False`
dirty commit 2022-03-29 16:35:41 +00:00
basic permissions system 2022-03-29 23:36:23 +00:00			`# admin canot "admin itself"!`
			`if isinstance(target, User) and target == self:`
			`return False`
dirty commit 2022-03-29 16:35:41 +00:00
basic permissions system 2022-03-29 23:36:23 +00:00			`# admin can "admin" everything else`
			`return True`
dirty commit 2022-03-29 16:35:41 +00:00
rework User methods 2022-03-30 01:51:43 +00:00			`def can_create(`
dirty commit 2022-03-29 16:35:41 +00:00			`self,`
basic permissions system 2022-03-29 23:36:23 +00:00			`target: type,`
			`owner: User \| None = None,`
dirty commit 2022-03-29 16:35:41 +00:00			`) -> bool:`
			`"""`
basic permissions system 2022-03-29 23:36:23 +00:00			`Check if this user can create another user or a device.`
dirty commit 2022-03-29 16:35:41 +00:00			`"""`

basic permissions system 2022-03-29 23:36:23 +00:00			`# can never create anything but users or devices`
			`if not issubclass(target, (User, Device)):`
			`return False`
dirty commit 2022-03-29 16:35:41 +00:00
basic permissions system 2022-03-29 23:36:23 +00:00			`# admin can "create" everything`
rework User methods 2022-03-30 01:51:43 +00:00			`if self.has_tag(TagValue.admin):`
basic permissions system 2022-03-29 23:36:23 +00:00			`return True`
refactor get_user_by_name_if_editable 2022-03-29 16:12:55 +00:00
basic permissions system 2022-03-29 23:36:23 +00:00			`# user can only create devices for itself`
			`if target is Device and owner == self:`
			`return True`
deleting a device 2022-03-29 15:56:12 +00:00
basic permissions system 2022-03-29 23:36:23 +00:00			`# deny be default`
			`return False`