Expose identity lookup API
This commit is contained in:
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
|
|||||||
|
|
||||||
[project]
|
[project]
|
||||||
name = "govoplan-identity"
|
name = "govoplan-identity"
|
||||||
version = "0.1.6"
|
version = "0.1.7"
|
||||||
description = "GovOPlaN identity directory module."
|
description = "GovOPlaN identity directory module."
|
||||||
readme = "README.md"
|
readme = "README.md"
|
||||||
requires-python = ">=3.12"
|
requires-python = ">=3.12"
|
||||||
|
|||||||
1
src/govoplan_identity/backend/api/__init__.py
Normal file
1
src/govoplan_identity/backend/api/__init__.py
Normal file
@@ -0,0 +1 @@
|
|||||||
|
"""Identity API package."""
|
||||||
1
src/govoplan_identity/backend/api/v1/__init__.py
Normal file
1
src/govoplan_identity/backend/api/v1/__init__.py
Normal file
@@ -0,0 +1 @@
|
|||||||
|
"""Identity API v1 package."""
|
||||||
82
src/govoplan_identity/backend/api/v1/routes.py
Normal file
82
src/govoplan_identity/backend/api/v1/routes.py
Normal file
@@ -0,0 +1,82 @@
|
|||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
from fastapi import APIRouter, Depends, Query
|
||||||
|
from sqlalchemy import func, or_
|
||||||
|
from sqlalchemy.orm import Session
|
||||||
|
|
||||||
|
from govoplan_core.auth import ApiPrincipal, require_any_scope
|
||||||
|
from govoplan_core.db.session import get_session
|
||||||
|
from govoplan_identity.backend.db.models import Identity, IdentityAccountLink
|
||||||
|
|
||||||
|
from .schemas import IdentityItem, IdentityListResponse
|
||||||
|
|
||||||
|
|
||||||
|
router = APIRouter(prefix="/identity", tags=["identity"])
|
||||||
|
|
||||||
|
IDENTITY_READ_SCOPES = (
|
||||||
|
"identity:identity:read",
|
||||||
|
"identity:read",
|
||||||
|
"admin:users:read",
|
||||||
|
"system:accounts:read",
|
||||||
|
"organizations:function:assign",
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@router.get("/identities", response_model=IdentityListResponse)
|
||||||
|
def list_identities(
|
||||||
|
query: str | None = Query(default=None, min_length=1, max_length=255),
|
||||||
|
limit: int = Query(default=25, ge=1, le=100),
|
||||||
|
include_inactive: bool = False,
|
||||||
|
session: Session = Depends(get_session),
|
||||||
|
principal: ApiPrincipal = Depends(require_any_scope(*IDENTITY_READ_SCOPES)),
|
||||||
|
) -> IdentityListResponse:
|
||||||
|
del principal
|
||||||
|
identity_query = session.query(Identity)
|
||||||
|
if not include_inactive:
|
||||||
|
identity_query = identity_query.filter(Identity.is_active.is_(True))
|
||||||
|
if query:
|
||||||
|
pattern = f"%{query.strip().casefold()}%"
|
||||||
|
matching_account_links = session.query(IdentityAccountLink.identity_id).filter(
|
||||||
|
func.lower(IdentityAccountLink.account_id).like(pattern)
|
||||||
|
)
|
||||||
|
identity_query = identity_query.filter(
|
||||||
|
or_(
|
||||||
|
func.lower(Identity.id).like(pattern),
|
||||||
|
func.lower(Identity.display_name).like(pattern),
|
||||||
|
func.lower(Identity.external_subject).like(pattern),
|
||||||
|
Identity.id.in_(matching_account_links),
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
identities = identity_query.order_by(Identity.display_name.asc(), Identity.id.asc()).limit(limit).all()
|
||||||
|
identity_ids = [identity.id for identity in identities]
|
||||||
|
links_by_identity: dict[str, list[IdentityAccountLink]] = {identity_id: [] for identity_id in identity_ids}
|
||||||
|
if identity_ids:
|
||||||
|
links = (
|
||||||
|
session.query(IdentityAccountLink)
|
||||||
|
.filter(IdentityAccountLink.identity_id.in_(identity_ids))
|
||||||
|
.order_by(IdentityAccountLink.is_primary.desc(), IdentityAccountLink.account_id.asc())
|
||||||
|
.all()
|
||||||
|
)
|
||||||
|
for link in links:
|
||||||
|
links_by_identity.setdefault(link.identity_id, []).append(link)
|
||||||
|
|
||||||
|
return IdentityListResponse(
|
||||||
|
identities=[
|
||||||
|
_identity_item(identity, links_by_identity.get(identity.id, []))
|
||||||
|
for identity in identities
|
||||||
|
]
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def _identity_item(identity: Identity, links: list[IdentityAccountLink]) -> IdentityItem:
|
||||||
|
primary_link = next((link for link in links if link.is_primary), None)
|
||||||
|
return IdentityItem(
|
||||||
|
id=identity.id,
|
||||||
|
display_name=identity.display_name,
|
||||||
|
external_subject=identity.external_subject,
|
||||||
|
source=identity.source,
|
||||||
|
primary_account_id=primary_link.account_id if primary_link is not None else None,
|
||||||
|
account_ids=[link.account_id for link in links],
|
||||||
|
status="active" if identity.is_active else "inactive",
|
||||||
|
)
|
||||||
17
src/govoplan_identity/backend/api/v1/schemas.py
Normal file
17
src/govoplan_identity/backend/api/v1/schemas.py
Normal file
@@ -0,0 +1,17 @@
|
|||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
from pydantic import BaseModel
|
||||||
|
|
||||||
|
|
||||||
|
class IdentityItem(BaseModel):
|
||||||
|
id: str
|
||||||
|
display_name: str | None = None
|
||||||
|
external_subject: str | None = None
|
||||||
|
source: str
|
||||||
|
primary_account_id: str | None = None
|
||||||
|
account_ids: list[str]
|
||||||
|
status: str
|
||||||
|
|
||||||
|
|
||||||
|
class IdentityListResponse(BaseModel):
|
||||||
|
identities: list[IdentityItem]
|
||||||
@@ -1,12 +1,48 @@
|
|||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
|
from govoplan_core.core.access import CAPABILITY_AUTH_PERMISSION_EVALUATOR, CAPABILITY_AUTH_PRINCIPAL_RESOLVER
|
||||||
from govoplan_core.core.identity import CAPABILITY_IDENTITY_DIRECTORY
|
from govoplan_core.core.identity import CAPABILITY_IDENTITY_DIRECTORY
|
||||||
from govoplan_core.core.module_guards import persistent_table_uninstall_guard
|
from govoplan_core.core.module_guards import persistent_table_uninstall_guard
|
||||||
from govoplan_core.core.modules import DocumentationTopic, MigrationSpec, ModuleContext, ModuleManifest
|
from govoplan_core.core.modules import DocumentationTopic, MigrationSpec, ModuleContext, ModuleManifest, PermissionDefinition, RoleTemplate
|
||||||
from govoplan_core.db.base import Base
|
from govoplan_core.db.base import Base
|
||||||
from govoplan_identity.backend.db import models as identity_models # noqa: F401 - populate metadata
|
from govoplan_identity.backend.db import models as identity_models # noqa: F401 - populate metadata
|
||||||
|
|
||||||
|
|
||||||
|
def _permission(scope: str, label: str, description: str) -> PermissionDefinition:
|
||||||
|
module_id, resource, action = scope.split(":", 2)
|
||||||
|
return PermissionDefinition(
|
||||||
|
scope=scope,
|
||||||
|
label=label,
|
||||||
|
description=description,
|
||||||
|
category="Identity",
|
||||||
|
level="tenant",
|
||||||
|
module_id=module_id,
|
||||||
|
resource=resource,
|
||||||
|
action=action,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
PERMISSIONS = (
|
||||||
|
_permission("identity:identity:read", "View identities", "Search and read normalized identities and their account links."),
|
||||||
|
)
|
||||||
|
|
||||||
|
ROLE_TEMPLATES = (
|
||||||
|
RoleTemplate(
|
||||||
|
slug="identity_viewer",
|
||||||
|
name="Identity viewer",
|
||||||
|
description="Read normalized identities and account links.",
|
||||||
|
permissions=("identity:identity:read",),
|
||||||
|
),
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def _route_factory(context: ModuleContext):
|
||||||
|
del context
|
||||||
|
from govoplan_identity.backend.api.v1.routes import router
|
||||||
|
|
||||||
|
return router
|
||||||
|
|
||||||
|
|
||||||
def _identity_directory(context: ModuleContext) -> object:
|
def _identity_directory(context: ModuleContext) -> object:
|
||||||
del context
|
del context
|
||||||
from govoplan_identity.backend.directory import SqlIdentityDirectory
|
from govoplan_identity.backend.directory import SqlIdentityDirectory
|
||||||
@@ -17,7 +53,11 @@ def _identity_directory(context: ModuleContext) -> object:
|
|||||||
manifest = ModuleManifest(
|
manifest = ModuleManifest(
|
||||||
id="identity",
|
id="identity",
|
||||||
name="Identity",
|
name="Identity",
|
||||||
version="0.1.6",
|
version="0.1.7",
|
||||||
|
required_capabilities=(CAPABILITY_AUTH_PRINCIPAL_RESOLVER, CAPABILITY_AUTH_PERMISSION_EVALUATOR),
|
||||||
|
permissions=PERMISSIONS,
|
||||||
|
role_templates=ROLE_TEMPLATES,
|
||||||
|
route_factory=_route_factory,
|
||||||
migration_spec=MigrationSpec(module_id="identity", metadata=Base.metadata),
|
migration_spec=MigrationSpec(module_id="identity", metadata=Base.metadata),
|
||||||
uninstall_guard_providers=(
|
uninstall_guard_providers=(
|
||||||
persistent_table_uninstall_guard(
|
persistent_table_uninstall_guard(
|
||||||
|
|||||||
Reference in New Issue
Block a user