Aegis/backend/app/services/user_service.py

"""User management service — framework-agnostic CRUD for users.

Uses domain exceptions from app.domain.errors. The router handles
HTTP concerns, auth, audit logging, and commit.
"""

# Enable future language features for compatibility
from __future__ import annotations

# Import uuid
import uuid

# Import Session from sqlalchemy.orm
from sqlalchemy.orm import Session

# Import hash_password from app.auth
from app.auth import hash_password

# Import  from app.domain.errors
from app.domain.errors import (
    BusinessRuleViolation,
    DuplicateEntityError,
    EntityNotFoundError,
)

# Import User from app.models.user
from app.models.user import User

# Assign VALID_ROLES = {"admin", "red_tech", "blue_tech", "red_lead", "blue_lead", "viewer"}
VALID_ROLES = {"admin", "red_tech", "blue_tech", "red_lead", "blue_lead", "viewer"}


# Define function list_users
def list_users(db: Session) -> list[User]:
    """Return a list of all users ordered by username."""
    # Return db.query(User).order_by(User.username).all()
    return db.query(User).order_by(User.username).all()


# Define function create_user
def create_user(
    # Entry: db
    db: Session,
    *,
    # Entry: username
    username: str,
    # Entry: email
    email: str | None,
    # Entry: password
    password: str,
    # Entry: role
    role: str,
) -> User:
    """Create a new user.

    Raises DuplicateEntityError if username already exists.
    Raises BusinessRuleViolation if role is invalid.
    Does not commit; the router handles that.
    """
    # Assign existing = db.query(User).filter(User.username == username).first()
    existing = db.query(User).filter(User.username == username).first()
    # Check: existing
    if existing:
        # Raise DuplicateEntityError
        raise DuplicateEntityError("User", "username", username)

    # Check: role not in VALID_ROLES
    if role not in VALID_ROLES:
        # Raise BusinessRuleViolation
        raise BusinessRuleViolation(
            f"Invalid role '{role}'. Must be one of: {', '.join(sorted(VALID_ROLES))}"
        )

    # Assign user = User(
    user = User(
        # Keyword argument: username
        username=username,
        # Keyword argument: email
        email=email,
        # Keyword argument: hashed_password
        hashed_password=hash_password(password),
        # Keyword argument: role
        role=role,
    )
    # Stage new record(s) for database insertion
    db.add(user)
    # Return user
    return user


# Define function get_user_or_raise
def get_user_or_raise(db: Session, user_id: uuid.UUID) -> User:
    """Return a user by ID or raise EntityNotFoundError."""
    # Assign user = db.query(User).filter(User.id == user_id).first()
    user = db.query(User).filter(User.id == user_id).first()
    # Check: user is None
    if user is None:
        # Raise EntityNotFoundError
        raise EntityNotFoundError("User", str(user_id))
    # Return user
    return user


# Define function update_user
def update_user(db: Session, user_id: uuid.UUID, **fields: object) -> User:
    """Update one or more fields of an existing user.

    Raises EntityNotFoundError if user does not exist.
    Raises BusinessRuleViolation if role is invalid.
    Handles 'password' by hashing and storing as 'hashed_password'.
    Does not commit; the router handles that.
    """
    # Assign user = get_user_or_raise(db, user_id)
    user = get_user_or_raise(db, user_id)
    # Assign update_data = dict(fields)
    update_data = dict(fields)

    # Check: "role" in update_data and update_data["role"] not in VALID_ROLES
    if "role" in update_data and update_data["role"] not in VALID_ROLES:
        # Raise BusinessRuleViolation
        raise BusinessRuleViolation(
            f"Invalid role '{update_data['role']}'. Must be one of: {', '.join(sorted(VALID_ROLES))}"
        )

    # Check: "password" in update_data
    if "password" in update_data:
        # Assign update_data["hashed_password"] = hash_password(str(update_data.pop("password")))
        update_data["hashed_password"] = hash_password(str(update_data.pop("password")))

    # Iterate over update_data.items()
    for field, value in update_data.items():
        # Call setattr()
        setattr(user, field, value)

    # Return user
    return user