# [DEF:backend.src.models.auth:Module] # # @TIER: STANDARD # @SEMANTICS: auth, models, user, role, permission, sqlalchemy # @PURPOSE: SQLAlchemy models for multi-user authentication and authorization. # @LAYER: Domain # @RELATION: INHERITS_FROM -> backend.src.models.mapping.Base # # @INVARIANT: Usernames and emails must be unique. # [SECTION: IMPORTS] import uuid from datetime import datetime from sqlalchemy import Column, String, Boolean, DateTime, ForeignKey, Table from sqlalchemy.orm import relationship from .mapping import Base # [/SECTION] # [DEF:generate_uuid:Function] # @PURPOSE: Generates a unique UUID string. # @POST: Returns a string representation of a new UUID. def generate_uuid(): return str(uuid.uuid4()) # [/DEF:generate_uuid:Function] # [DEF:user_roles:Table] # @PURPOSE: Association table for many-to-many relationship between Users and Roles. user_roles = Table( "user_roles", Base.metadata, Column("user_id", String, ForeignKey("users.id"), primary_key=True), Column("role_id", String, ForeignKey("roles.id"), primary_key=True), ) # [/DEF:user_roles:Table] # [DEF:role_permissions:Table] # @PURPOSE: Association table for many-to-many relationship between Roles and Permissions. role_permissions = Table( "role_permissions", Base.metadata, Column("role_id", String, ForeignKey("roles.id"), primary_key=True), Column("permission_id", String, ForeignKey("permissions.id"), primary_key=True), ) # [/DEF:role_permissions:Table] # [DEF:User:Class] # @PURPOSE: Represents an identity that can authenticate to the system. # @RELATION: HAS_MANY -> Role (via user_roles) class User(Base): __tablename__ = "users" id = Column(String, primary_key=True, default=generate_uuid) username = Column(String, unique=True, index=True, nullable=False) email = Column(String, unique=True, index=True, nullable=True) password_hash = Column(String, nullable=True) auth_source = Column(String, default="LOCAL") # LOCAL or ADFS is_active = Column(Boolean, default=True) created_at = Column(DateTime, default=datetime.utcnow) last_login = Column(DateTime, nullable=True) roles = relationship("Role", secondary=user_roles, back_populates="users") # [/DEF:User:Class] # [DEF:Role:Class] # @PURPOSE: Represents a collection of permissions. # @RELATION: HAS_MANY -> User (via user_roles) # @RELATION: HAS_MANY -> Permission (via role_permissions) class Role(Base): __tablename__ = "roles" id = Column(String, primary_key=True, default=generate_uuid) name = Column(String, unique=True, index=True, nullable=False) description = Column(String, nullable=True) users = relationship("User", secondary=user_roles, back_populates="roles") permissions = relationship("Permission", secondary=role_permissions, back_populates="roles") # [/DEF:Role:Class] # [DEF:Permission:Class] # @PURPOSE: Represents a specific capability within the system. # @RELATION: HAS_MANY -> Role (via role_permissions) class Permission(Base): __tablename__ = "permissions" id = Column(String, primary_key=True, default=generate_uuid) resource = Column(String, nullable=False) # e.g. "plugin:backup" action = Column(String, nullable=False) # e.g. "READ", "EXECUTE", "WRITE" roles = relationship("Role", secondary=role_permissions, back_populates="permissions") # [/DEF:Permission:Class] # [DEF:ADGroupMapping:Class] # @PURPOSE: Maps an Active Directory group to a local System Role. # @RELATION: DEPENDS_ON -> Role class ADGroupMapping(Base): __tablename__ = "ad_group_mappings" id = Column(String, primary_key=True, default=generate_uuid) ad_group = Column(String, unique=True, index=True, nullable=False) role_id = Column(String, ForeignKey("roles.id"), nullable=False) role = relationship("Role") # [/DEF:ADGroupMapping:Class] # [/DEF:backend.src.models.auth:Module]