ss-tools/backend/src/models/auth.py

# [DEF:backend.src.models.auth:Module]
#
# @TIER:      STANDARD
# @SEMANTICS: auth, models, user, role, permission, sqlalchemy
# @PURPOSE:   SQLAlchemy models for multi-user authentication and authorization.
# @LAYER:     Domain
# @RELATION:  INHERITS_FROM -> backend.src.models.mapping.Base
#
# @INVARIANT: Usernames and emails must be unique.

# [SECTION: IMPORTS]
import uuid
from datetime import datetime
from sqlalchemy import Column, String, Boolean, DateTime, ForeignKey, Table
from sqlalchemy.orm import relationship
from .mapping import Base
# [/SECTION]

# [DEF:generate_uuid:Function]
# @PURPOSE: Generates a unique UUID string.
# @POST:    Returns a string representation of a new UUID.
def generate_uuid():
    return str(uuid.uuid4())
# [/DEF:generate_uuid:Function]

# [DEF:user_roles:Table]
# @PURPOSE: Association table for many-to-many relationship between Users and Roles.
user_roles = Table(
    "user_roles",
    Base.metadata,
    Column("user_id", String, ForeignKey("users.id"), primary_key=True),
    Column("role_id", String, ForeignKey("roles.id"), primary_key=True),
)
# [/DEF:user_roles:Table]

# [DEF:role_permissions:Table]
# @PURPOSE: Association table for many-to-many relationship between Roles and Permissions.
role_permissions = Table(
    "role_permissions",
    Base.metadata,
    Column("role_id", String, ForeignKey("roles.id"), primary_key=True),
    Column("permission_id", String, ForeignKey("permissions.id"), primary_key=True),
)
# [/DEF:role_permissions:Table]

# [DEF:User:Class]
# @PURPOSE: Represents an identity that can authenticate to the system.
# @RELATION: HAS_MANY -> Role (via user_roles)
class User(Base):
    __tablename__ = "users"
    
    id = Column(String, primary_key=True, default=generate_uuid)
    username = Column(String, unique=True, index=True, nullable=False)
    email = Column(String, unique=True, index=True, nullable=True)
    password_hash = Column(String, nullable=True)
    auth_source = Column(String, default="LOCAL") # LOCAL or ADFS
    is_active = Column(Boolean, default=True)
    created_at = Column(DateTime, default=datetime.utcnow)
    last_login = Column(DateTime, nullable=True)
    
    roles = relationship("Role", secondary=user_roles, back_populates="users")
# [/DEF:User:Class]

# [DEF:Role:Class]
# @PURPOSE: Represents a collection of permissions.
# @RELATION: HAS_MANY -> User (via user_roles)
# @RELATION: HAS_MANY -> Permission (via role_permissions)
class Role(Base):
    __tablename__ = "roles"
    
    id = Column(String, primary_key=True, default=generate_uuid)
    name = Column(String, unique=True, index=True, nullable=False)
    description = Column(String, nullable=True)
    
    users = relationship("User", secondary=user_roles, back_populates="roles")
    permissions = relationship("Permission", secondary=role_permissions, back_populates="roles")
# [/DEF:Role:Class]

# [DEF:Permission:Class]
# @PURPOSE: Represents a specific capability within the system.
# @RELATION: HAS_MANY -> Role (via role_permissions)
class Permission(Base):
    __tablename__ = "permissions"
    
    id = Column(String, primary_key=True, default=generate_uuid)
    resource = Column(String, nullable=False) # e.g. "plugin:backup"
    action = Column(String, nullable=False)   # e.g. "READ", "EXECUTE", "WRITE"
    
    roles = relationship("Role", secondary=role_permissions, back_populates="permissions")
# [/DEF:Permission:Class]

# [DEF:ADGroupMapping:Class]
# @PURPOSE: Maps an Active Directory group to a local System Role.
# @RELATION: DEPENDS_ON -> Role
class ADGroupMapping(Base):
    __tablename__ = "ad_group_mappings"
    
    id = Column(String, primary_key=True, default=generate_uuid)
    ad_group = Column(String, unique=True, index=True, nullable=False)
    role_id = Column(String, ForeignKey("roles.id"), nullable=False)
    
    role = relationship("Role")
# [/DEF:ADGroupMapping:Class]

# [/DEF:backend.src.models.auth:Module]