Aegis/backend/app/models/user.py

import uuid
from sqlalchemy import Column, String, Boolean, DateTime, func
from sqlalchemy.dialects.postgresql import UUID, JSONB

from app.database import Base


class User(Base):
    """
    User model for authentication and authorization.
    
    Possible roles:
    - admin: Full system access
    - red_tech: Red team technician - can create and edit tests
    - blue_tech: Blue team technician - can create and edit tests
    - red_lead: Red team lead - can validate tests
    - blue_lead: Blue team lead - can validate tests
    - viewer: Read-only access (default)
    """
    __tablename__ = "users"

    id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
    username = Column(String, unique=True, nullable=False)
    email = Column(String, nullable=True)
    hashed_password = Column(String, nullable=False)
    role = Column(String, nullable=False, default="viewer")
    is_active = Column(Boolean, default=True)
    must_change_password = Column(Boolean, default=True)
    created_at = Column(DateTime(timezone=True), server_default=func.now())
    last_login = Column(DateTime, nullable=True)
    notification_preferences = Column(JSONB, nullable=True, server_default='{"email_on_test_validated": true, "email_on_campaign_completed": true, "email_on_new_mitre_techniques": false, "in_app_all": true}')
    jira_account_id = Column(String(100), nullable=True)
    jira_api_token = Column(String(500), nullable=True)   # personal Atlassian token
    jira_email = Column(String(255), nullable=True)        # Atlassian email (overrides account email)
    tempo_api_token = Column(String(500), nullable=True)  # personal Tempo API token