feat(enterprise): Phase 14 — API Key Management + SSO/SAML 2.0
Some checks failed
Aegis CI / lint-and-test (push) Has been cancelled
Some checks failed
Aegis CI / lint-and-test (push) Has been cancelled
- ApiKey model (SHA-256 hash, prefix, scopes, expiry) + Alembic migration (b040ent) - SsoConfig model for SAML 2.0 IdP settings (attribute mapping, auto-provision) - API key auth integrated into get_current_user (aegis_ prefix detection) - Routers: /api/v1/api-keys (full CRUD + revoke) and /api/v1/sso (metadata, login, callback, config) - python3-saml added to requirements; Dockerfile adds libxmlsec1-dev for SAML XML signing - QA script: 52 assertions covering key lifecycle, API key auth, SSO config Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
kitos
68
backend/app/schemas/api_key_schema.py
Normal file
68
backend/app/schemas/api_key_schema.py
Normal file
@@ -0,0 +1,68 @@
|
||||
"""Phase 14: API Key Pydantic schemas."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from datetime import datetime
|
||||
from typing import List, Optional
|
||||
from uuid import UUID
|
||||
|
||||
from pydantic import BaseModel, Field, field_validator
|
||||
|
||||
from app.models.api_key import VALID_SCOPES
|
||||
|
||||
|
||||
class ApiKeyCreate(BaseModel):
|
||||
name: str = Field(..., min_length=1, max_length=200)
|
||||
description: Optional[str] = None
|
||||
scopes: List[str] = Field(default=["read"])
|
||||
expires_at: Optional[datetime] = None
|
||||
|
||||
@field_validator("scopes")
|
||||
@classmethod
|
||||
def validate_scopes(cls, v: list) -> list:
|
||||
invalid = set(v) - VALID_SCOPES
|
||||
if invalid:
|
||||
raise ValueError(f"Invalid scopes: {invalid}. Valid: {VALID_SCOPES}")
|
||||
if not v:
|
||||
raise ValueError("At least one scope is required")
|
||||
return v
|
||||
|
||||
|
||||
class ApiKeyOut(BaseModel):
|
||||
"""Safe representation — never exposes key_hash."""
|
||||
id: UUID
|
||||
name: str
|
||||
description: Optional[str] = None
|
||||
key_prefix: str
|
||||
user_id: UUID
|
||||
scopes: List[str]
|
||||
last_used_at: Optional[datetime] = None
|
||||
expires_at: Optional[datetime] = None
|
||||
is_active: bool
|
||||
created_at: Optional[datetime] = None
|
||||
|
||||
class Config:
|
||||
from_attributes = True
|
||||
|
||||
|
||||
class ApiKeyCreated(ApiKeyOut):
|
||||
"""Returned only once at creation — includes the raw key."""
|
||||
raw_key: str = Field(..., description="The full API key — shown only this once.")
|
||||
|
||||
|
||||
class ApiKeyUpdate(BaseModel):
|
||||
name: Optional[str] = Field(None, min_length=1, max_length=200)
|
||||
description: Optional[str] = None
|
||||
scopes: Optional[List[str]] = None
|
||||
expires_at: Optional[datetime] = None
|
||||
is_active: Optional[bool] = None
|
||||
|
||||
@field_validator("scopes")
|
||||
@classmethod
|
||||
def validate_scopes(cls, v: Optional[list]) -> Optional[list]:
|
||||
if v is None:
|
||||
return v
|
||||
invalid = set(v) - VALID_SCOPES
|
||||
if invalid:
|
||||
raise ValueError(f"Invalid scopes: {invalid}")
|
||||
return v
|
||||
80
backend/app/schemas/sso_schema.py
Normal file
80
backend/app/schemas/sso_schema.py
Normal file
@@ -0,0 +1,80 @@
|
||||
"""Phase 14: SSO / SAML 2.0 Pydantic schemas."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from datetime import datetime
|
||||
from typing import Optional
|
||||
from uuid import UUID
|
||||
|
||||
from pydantic import BaseModel, Field
|
||||
|
||||
|
||||
class SsoConfigCreate(BaseModel):
|
||||
is_enabled: bool = False
|
||||
provider_name: Optional[str] = None
|
||||
|
||||
# SP settings (auto-derived if not provided)
|
||||
sp_entity_id: Optional[str] = None
|
||||
sp_acs_url: Optional[str] = None
|
||||
sp_slo_url: Optional[str] = None
|
||||
sp_certificate: Optional[str] = None
|
||||
sp_private_key: Optional[str] = None
|
||||
|
||||
# IdP settings
|
||||
idp_entity_id: Optional[str] = None
|
||||
idp_sso_url: Optional[str] = None
|
||||
idp_slo_url: Optional[str] = None
|
||||
idp_certificate: Optional[str] = None
|
||||
|
||||
# Attribute mapping
|
||||
attr_email: Optional[str] = "email"
|
||||
attr_username: Optional[str] = "username"
|
||||
attr_role: Optional[str] = "role"
|
||||
default_role: Optional[str] = "viewer"
|
||||
auto_provision: bool = True
|
||||
|
||||
|
||||
class SsoConfigUpdate(SsoConfigCreate):
|
||||
"""All fields optional for partial updates."""
|
||||
pass
|
||||
|
||||
|
||||
class SsoConfigOut(BaseModel):
|
||||
id: UUID
|
||||
is_enabled: bool
|
||||
provider_name: Optional[str] = None
|
||||
|
||||
sp_entity_id: Optional[str] = None
|
||||
sp_acs_url: Optional[str] = None
|
||||
sp_slo_url: Optional[str] = None
|
||||
sp_certificate: Optional[str] = None
|
||||
# sp_private_key is intentionally OMITTED from responses
|
||||
|
||||
idp_entity_id: Optional[str] = None
|
||||
idp_sso_url: Optional[str] = None
|
||||
idp_slo_url: Optional[str] = None
|
||||
idp_certificate: Optional[str] = None
|
||||
|
||||
attr_email: Optional[str] = None
|
||||
attr_username: Optional[str] = None
|
||||
attr_role: Optional[str] = None
|
||||
default_role: Optional[str] = None
|
||||
auto_provision: bool = True
|
||||
|
||||
created_at: Optional[datetime] = None
|
||||
updated_at: Optional[datetime] = None
|
||||
|
||||
class Config:
|
||||
from_attributes = True
|
||||
|
||||
|
||||
class SsoLoginInitResponse(BaseModel):
|
||||
redirect_url: str = Field(..., description="URL to redirect the browser to for IdP login")
|
||||
request_id: str = Field(..., description="SAML AuthnRequest ID for validation")
|
||||
|
||||
|
||||
class SsoStatusResponse(BaseModel):
|
||||
enabled: bool
|
||||
provider_name: Optional[str] = None
|
||||
configured: bool = Field(..., description="True if IdP settings are present")
|
||||
login_url: Optional[str] = None # /sso/login URL
|
||||
Reference in New Issue
Block a user