import secrets from cryptography.exceptions import InvalidSignature from cryptography.hazmat.primitives.serialization import load_pem_public_key from cryptography.hazmat.primitives.asymmetric import padding from cryptography.hazmat.primitives import hashes from sqlalchemy.orm.attributes import flag_modified from database import db from models import Session, User, Organization from flask import jsonify from utils import Perm class SessionService: @staticmethod def create_session(user: User, org: Organization) -> Session: session = Session( user_id=user.id, org_id=org.id, token=secrets.token_hex(128), roles=[], challenge=secrets.token_hex(128), verified=False ) db.add(session) db.commit() db.refresh(session) return session @staticmethod def verify_session(token: str, signature: bytes): session = SessionService.get_session(token) if not session: return jsonify({"error": "Session not found"}), 401 public_key_pem = User.query.get(session.user_id).public_keys.get(str(session.org_id)) if not public_key_pem: return jsonify({"error": "Public key not found"}), 404 public_key = load_pem_public_key(public_key_pem.encode()) try: public_key.verify( signature, session.challenge.encode(), padding.PKCS1v15(), hashes.SHA256() ) except InvalidSignature: return jsonify({"error": "Invalid signature"}), 403 session.challenge = None session.verified = True db.commit() db.refresh(session) return session @staticmethod def get_session(token: str) -> Session | None: return db.query(Session).filter(Session.token == token).first() @staticmethod def delete_session(session: Session) -> None: db.delete(session) db.commit() @staticmethod def validate_session(token: str, required_perms: list[Perm] = None, doc_handle=None) -> tuple | Session: from services import OrganizationService if "Bearer" in token: token = token.split(" ")[1] session = SessionService.get_session(token) if not session: return jsonify({"error": "Not authenticated"}), 401 if not session.verified: return jsonify({"error": "Session has not yet been verified"}), 403 org = OrganizationService.get_organization(session.org_id) if not org: return jsonify({"error": "Organization not found"}), 404 status = OrganizationService.get_user_status(org, session.user_id) if status != "active": return jsonify({"error": "User is not active"}), 403 if required_perms: for perm in required_perms: if not SessionService.check_permission(session, perm, doc_handle): return jsonify({"error": f"Permission denied, missing required permission: {perm}"}), 403 return session @staticmethod def change_role(session: Session, role: str, operation: str): from services import OrganizationService org = OrganizationService.get_organization(session.org_id) if not org: return jsonify({"error": "Organization not found"}), 404 user = User.query.get(session.user_id) if not user: return jsonify({"error": "User not found"}), 404 if role not in org.roles: return jsonify({"error": f"Role {role} does not exist in organization {org.name}"}), 404 if operation == "add": if role not in user.roles[str(org.id)]: return jsonify({"error": f"User {user.username} does not have role {role}"}), 400 if role in session.roles: return jsonify({"error": f"User {user.username} already has role {role} in current session"}), 400 session.roles.append(role) elif operation == "drop": if role not in user.roles[str(org.id)]: print(user.roles) return jsonify({"error": f"User {user.username} does not have role {role}"}), 400 if role not in session.roles: return jsonify({"error": f"User {user.username} does not have role {role} in current session"}), 400 session.roles.remove(role) else: return jsonify({"error": "Invalid operation"}), 400 flag_modified(session, "roles") db.commit() db.refresh(session) return session @staticmethod def list_roles(session: Session) -> list: return session.roles @staticmethod def check_permission(session: Session, perm: Perm, doc_handle=None) -> bool: from services import OrganizationService, RoleService org = OrganizationService.get_organization(session.org_id) if not org: return False user = User.query.get(session.user_id) if not user: return False for role in session.roles: if RoleService.check_role_permission(org, role, perm, doc_handle): return True return False