fix: finalize semantic repair and test updates
This commit is contained in:
@@ -3,11 +3,11 @@
|
||||
# @SEMANTICS: auth, service, business-logic, login, jwt, adfs, jit-provisioning
|
||||
# @PURPOSE: Orchestrates credential authentication and ADFS JIT user provisioning.
|
||||
# @LAYER: Domain
|
||||
# @RELATION: [DEPENDS_ON] ->[backend.src.core.auth.repository.AuthRepository]
|
||||
# @RELATION: [DEPENDS_ON] ->[backend.src.core.auth.security.verify_password]
|
||||
# @RELATION: [DEPENDS_ON] ->[backend.src.core.auth.jwt.create_access_token]
|
||||
# @RELATION: [DEPENDS_ON] ->[backend.src.models.auth.User]
|
||||
# @RELATION: [DEPENDS_ON] ->[backend.src.models.auth.Role]
|
||||
# @RELATION: DEPENDS_ON -> [AuthRepository]
|
||||
# @RELATION: DEPENDS_ON -> [verify_password]
|
||||
# @RELATION: DEPENDS_ON -> [create_access_token]
|
||||
# @RELATION: DEPENDS_ON -> [User]
|
||||
# @RELATION: DEPENDS_ON -> [Role]
|
||||
# @INVARIANT: Authentication succeeds only for active users with valid credentials; issued sessions encode subject and scopes from assigned roles.
|
||||
# @PRE: Core auth models and security utilities available.
|
||||
# @POST: User identity verified and session tokens issued according to role scopes.
|
||||
@@ -41,9 +41,10 @@ class AuthService:
|
||||
def __init__(self, db: Session):
|
||||
self.db = db
|
||||
self.repo = AuthRepository(db)
|
||||
|
||||
# [/DEF:AuthService_init:Function]
|
||||
|
||||
# [DEF:authenticate_user:Function]
|
||||
# [DEF:AuthService.authenticate_user:Function]
|
||||
# @COMPLEXITY: 3
|
||||
# @PURPOSE: Validates credentials and account state for local username/password authentication.
|
||||
# @PRE: username and password are non-empty credential inputs.
|
||||
@@ -58,19 +59,20 @@ class AuthService:
|
||||
user = self.repo.get_user_by_username(username)
|
||||
if not user or not user.is_active:
|
||||
return None
|
||||
|
||||
|
||||
if not verify_password(password, user.password_hash):
|
||||
return None
|
||||
|
||||
|
||||
# Update last login
|
||||
user.last_login = datetime.utcnow()
|
||||
self.db.commit()
|
||||
self.db.refresh(user)
|
||||
|
||||
return user
|
||||
# [/DEF:authenticate_user:Function]
|
||||
|
||||
# [DEF:create_session:Function]
|
||||
return user
|
||||
|
||||
# [/DEF:AuthService.authenticate_user:Function]
|
||||
|
||||
# [DEF:AuthService.create_session:Function]
|
||||
# @COMPLEXITY: 3
|
||||
# @PURPOSE: Issues an access token payload for an already authenticated user.
|
||||
# @PRE: user is a valid User entity containing username and iterable roles with role.name values.
|
||||
@@ -86,9 +88,10 @@ class AuthService:
|
||||
data={"sub": user.username, "scopes": roles}
|
||||
)
|
||||
return {"access_token": access_token, "token_type": "bearer"}
|
||||
# [/DEF:create_session:Function]
|
||||
|
||||
# [DEF:provision_adfs_user:Function]
|
||||
# [/DEF:AuthService.create_session:Function]
|
||||
|
||||
# [DEF:AuthService.provision_adfs_user:Function]
|
||||
# @COMPLEXITY: 3
|
||||
# @PURPOSE: Performs ADFS Just-In-Time provisioning and role synchronization from AD group mappings.
|
||||
# @PRE: user_info contains identity claims where at least one of 'upn' or 'email' is present; 'groups' may be absent.
|
||||
@@ -102,7 +105,7 @@ class AuthService:
|
||||
username = user_info.get("upn") or user_info.get("email")
|
||||
email = user_info.get("email")
|
||||
groups = user_info.get("groups", [])
|
||||
|
||||
|
||||
user = self.repo.get_user_by_username(username)
|
||||
if not user:
|
||||
user = User(
|
||||
@@ -111,21 +114,24 @@ class AuthService:
|
||||
full_name=user_info.get("name"),
|
||||
auth_source="ADFS",
|
||||
is_active=True,
|
||||
is_ad_user=True
|
||||
is_ad_user=True,
|
||||
)
|
||||
self.db.add(user)
|
||||
log_security_event("USER_PROVISIONED", username, {"source": "ADFS"})
|
||||
|
||||
|
||||
# Sync roles from AD groups
|
||||
mapped_roles = self.repo.get_roles_by_ad_groups(groups)
|
||||
user.roles = mapped_roles
|
||||
|
||||
|
||||
user.last_login = datetime.utcnow()
|
||||
self.db.commit()
|
||||
self.db.refresh(user)
|
||||
|
||||
|
||||
return user
|
||||
# [/DEF:provision_adfs_user:Function]
|
||||
|
||||
# [/DEF:AuthService.provision_adfs_user:Function]
|
||||
|
||||
|
||||
# [/DEF:AuthService:Class]
|
||||
|
||||
# [/DEF:auth_service:Module]
|
||||
# [/DEF:auth_service:Module]
|
||||
|
||||
Reference in New Issue
Block a user