semantics: complete DEF-to-region migration, fix regressions
- Convert legacy [DEF🆔Type] anchors to #region/#endregion across 329 files
- Reinstate _normalize_timestamp_value in sql_generator.py
- Fix MarkerLogger→logger migration in events.py (molecular CoT markers)
- Fix dataset_review orchestrator dependencies (_build_execution_snapshot)
- Fix config_manager stale-record deletion (moved to save path only)
- Add 77 missing [/DEF:] closers in 5 unbalanced test files
- Update assistant_chat.integration.test.js for #region format
- Apply molecular-cot-logging markers (REASON/REFLECT/EXPLORE) via logger.* methods
This commit is contained in:
@@ -1,16 +1,16 @@
|
||||
# #region auth_service [C:5] [TYPE Module] [SEMANTICS auth, service, business-logic, login, jwt, adfs, jit-provisioning]
|
||||
# @BRIEF Orchestrates credential authentication and ADFS JIT user provisioning.
|
||||
# @LAYER Domain
|
||||
# @PRE Core auth models and security utilities available.
|
||||
# @POST User identity verified and session tokens issued according to role scopes.
|
||||
# @SIDE_EFFECT Writes last login timestamps and JIT-provisions external users.
|
||||
# @DATA_CONTRACT [Credentials | ADFSClaims] -> [UserEntity | SessionToken]
|
||||
# @INVARIANT Authentication succeeds only for active users with valid credentials; issued sessions encode subject and scopes from assigned roles.
|
||||
# @LAYER: Domain
|
||||
# @RELATION DEPENDS_ON -> [AuthRepository]
|
||||
# @RELATION DEPENDS_ON -> [verify_password]
|
||||
# @RELATION DEPENDS_ON -> [create_access_token]
|
||||
# @RELATION DEPENDS_ON -> [User]
|
||||
# @RELATION DEPENDS_ON -> [Role]
|
||||
# @INVARIANT: Authentication succeeds only for active users with valid credentials; issued sessions encode subject and scopes from assigned roles.
|
||||
# @PRE: Core auth models and security utilities available.
|
||||
# @POST: User identity verified and session tokens issued according to role scopes.
|
||||
# @SIDE_EFFECT: Writes last login timestamps and JIT-provisions external users.
|
||||
# @DATA_CONTRACT: [Credentials | ADFSClaims] -> [UserEntity | SessionToken]
|
||||
|
||||
from typing import Dict, Any, Optional, List
|
||||
from datetime import datetime
|
||||
@@ -30,28 +30,30 @@ from ..core.logger import belief_scope
|
||||
# @RELATION DEPENDS_ON -> [User]
|
||||
# @RELATION DEPENDS_ON -> [Role]
|
||||
class AuthService:
|
||||
# #region AuthService_init [C:1] [TYPE Function]
|
||||
# @BRIEF Initializes the authentication service with repository access over an active DB session.
|
||||
# @PRE db is a valid SQLAlchemy Session instance bound to the auth persistence context.
|
||||
# @POST self.repo is initialized and ready for auth user/role CRUD operations.
|
||||
# @SIDE_EFFECT Allocates AuthRepository and binds it to the provided Session.
|
||||
# @DATA_CONTRACT Input(Session) -> Model(AuthRepository)
|
||||
# [DEF:AuthService_init:Function]
|
||||
# @COMPLEXITY: 1
|
||||
# @PURPOSE: Initializes the authentication service with repository access over an active DB session.
|
||||
# @PRE: db is a valid SQLAlchemy Session instance bound to the auth persistence context.
|
||||
# @POST: self.repo is initialized and ready for auth user/role CRUD operations.
|
||||
# @SIDE_EFFECT: Allocates AuthRepository and binds it to the provided Session.
|
||||
# @DATA_CONTRACT: Input(Session) -> Model(AuthRepository)
|
||||
# @PARAM: db (Session) - SQLAlchemy session.
|
||||
def __init__(self, db: Session):
|
||||
self.db = db
|
||||
self.repo = AuthRepository(db)
|
||||
|
||||
# #endregion AuthService_init
|
||||
# [/DEF:AuthService_init:Function]
|
||||
|
||||
# #region AuthService.authenticate_user [C:3] [TYPE Function]
|
||||
# @BRIEF Validates credentials and account state for local username/password authentication.
|
||||
# @PRE username and password are non-empty credential inputs.
|
||||
# @POST Returns User only when user exists, is active, and password hash verification succeeds; otherwise returns None.
|
||||
# @SIDE_EFFECT Persists last_login update for successful authentications via repository.
|
||||
# @DATA_CONTRACT Input(str username, str password) -> Output(User | None)
|
||||
# @RELATION DEPENDS_ON -> [AuthRepository]
|
||||
# @RELATION CALLS -> [verify_password]
|
||||
# @RELATION DEPENDS_ON -> [User]
|
||||
# [DEF:AuthService.authenticate_user:Function]
|
||||
# @COMPLEXITY: 3
|
||||
# @PURPOSE: Validates credentials and account state for local username/password authentication.
|
||||
# @PRE: username and password are non-empty credential inputs.
|
||||
# @POST: Returns User only when user exists, is active, and password hash verification succeeds; otherwise returns None.
|
||||
# @SIDE_EFFECT: Persists last_login update for successful authentications via repository.
|
||||
# @DATA_CONTRACT: Input(str username, str password) -> Output(User | None)
|
||||
# @RELATION: [DEPENDS_ON] ->[AuthRepository]
|
||||
# @RELATION: [CALLS] ->[verify_password]
|
||||
# @RELATION: [DEPENDS_ON] ->[User]
|
||||
# @PARAM: username (str) - The username.
|
||||
# @PARAM: password (str) - The plain password.
|
||||
# @RETURN: Optional[User] - The authenticated user or None.
|
||||
@@ -71,17 +73,18 @@ class AuthService:
|
||||
|
||||
return user
|
||||
|
||||
# #endregion AuthService.authenticate_user
|
||||
# [/DEF:AuthService.authenticate_user:Function]
|
||||
|
||||
# #region AuthService.create_session [C:3] [TYPE Function]
|
||||
# @BRIEF Issues an access token payload for an already authenticated user.
|
||||
# @PRE user is a valid User entity containing username and iterable roles with role.name values.
|
||||
# @POST Returns session dict with non-empty access_token and token_type='bearer'.
|
||||
# @SIDE_EFFECT Generates signed JWT via auth JWT provider.
|
||||
# @DATA_CONTRACT Input(User) -> Output(Dict[str, str]{access_token, token_type})
|
||||
# @RELATION CALLS -> [create_access_token]
|
||||
# @RELATION DEPENDS_ON -> [User]
|
||||
# @RELATION DEPENDS_ON -> [Role]
|
||||
# [DEF:AuthService.create_session:Function]
|
||||
# @COMPLEXITY: 3
|
||||
# @PURPOSE: Issues an access token payload for an already authenticated user.
|
||||
# @PRE: user is a valid User entity containing username and iterable roles with role.name values.
|
||||
# @POST: Returns session dict with non-empty access_token and token_type='bearer'.
|
||||
# @SIDE_EFFECT: Generates signed JWT via auth JWT provider.
|
||||
# @DATA_CONTRACT: Input(User) -> Output(Dict[str, str]{access_token, token_type})
|
||||
# @RELATION: [CALLS] ->[create_access_token]
|
||||
# @RELATION: [DEPENDS_ON] ->[User]
|
||||
# @RELATION: [DEPENDS_ON] ->[Role]
|
||||
# @PARAM: user (User) - The authenticated user.
|
||||
# @RETURN: Dict[str, str] - Session data.
|
||||
def create_session(self, user: User) -> Dict[str, str]:
|
||||
@@ -92,17 +95,18 @@ class AuthService:
|
||||
)
|
||||
return {"access_token": access_token, "token_type": "bearer"}
|
||||
|
||||
# #endregion AuthService.create_session
|
||||
# [/DEF:AuthService.create_session:Function]
|
||||
|
||||
# #region AuthService.provision_adfs_user [C:3] [TYPE Function]
|
||||
# @BRIEF Performs ADFS Just-In-Time provisioning and role synchronization from AD group mappings.
|
||||
# @PRE user_info contains identity claims where at least one of 'upn' or 'email' is present; 'groups' may be absent.
|
||||
# @POST Returns persisted user entity with roles synchronized to mapped AD groups and refreshed state.
|
||||
# @SIDE_EFFECT May insert new User, mutate user.roles, commit transaction, and refresh ORM state.
|
||||
# @DATA_CONTRACT Input(Dict[str, Any]{upn|email, email, groups[]}) -> Output(User persisted)
|
||||
# @RELATION DEPENDS_ON -> [AuthRepository]
|
||||
# @RELATION DEPENDS_ON -> [User]
|
||||
# @RELATION DEPENDS_ON -> [Role]
|
||||
# [DEF:AuthService.provision_adfs_user:Function]
|
||||
# @COMPLEXITY: 3
|
||||
# @PURPOSE: Performs ADFS Just-In-Time provisioning and role synchronization from AD group mappings.
|
||||
# @PRE: user_info contains identity claims where at least one of 'upn' or 'email' is present; 'groups' may be absent.
|
||||
# @POST: Returns persisted user entity with roles synchronized to mapped AD groups and refreshed state.
|
||||
# @SIDE_EFFECT: May insert new User, mutate user.roles, commit transaction, and refresh ORM state.
|
||||
# @DATA_CONTRACT: Input(Dict[str, Any]{upn|email, email, groups[]}) -> Output(User persisted)
|
||||
# @RELATION: [DEPENDS_ON] ->[AuthRepository]
|
||||
# @RELATION: [DEPENDS_ON] ->[User]
|
||||
# @RELATION: [DEPENDS_ON] ->[Role]
|
||||
# @PARAM: user_info (Dict[str, Any]) - Claims from ADFS token.
|
||||
# @RETURN: User - The provisioned user.
|
||||
def provision_adfs_user(self, user_info: Dict[str, Any]) -> User:
|
||||
@@ -134,7 +138,9 @@ class AuthService:
|
||||
|
||||
return user
|
||||
|
||||
# #endregion AuthService.provision_adfs_user
|
||||
# [/DEF:AuthService.provision_adfs_user:Function]
|
||||
|
||||
|
||||
# #endregion AuthService
|
||||
|
||||
# #endregion auth_service
|
||||
|
||||
Reference in New Issue
Block a user