Merge pull request #543 from lbedner/rbac-5

Rbac 5

Author: lbedner

aegis/core/copier_manager.py

@@ -116,6 +116,9 @@ def generate_with_copier(
         AnswerKeys.OBSERVABILITY: template_context.get(AnswerKeys.OBSERVABILITY, "no")
         == "yes",
         AnswerKeys.AUTH: template_context.get(AnswerKeys.AUTH, "no") == "yes",
+        AnswerKeys.AUTH_LEVEL: template_context.get(AnswerKeys.AUTH_LEVEL, "basic"),
+        AnswerKeys.AUTH_RBAC: template_context.get(AnswerKeys.AUTH_RBAC, "no") == "yes",
+        AnswerKeys.AUTH_ORG: template_context.get(AnswerKeys.AUTH_ORG, "no") == "yes",
         AnswerKeys.AI: template_context.get(AnswerKeys.AI, "no") == "yes",
         AnswerKeys.COMMS: template_context.get(AnswerKeys.COMMS, "no") == "yes",
         AnswerKeys.AI_FRAMEWORK: template_context.get(
@@ -249,6 +252,8 @@ def generate_with_copier(
         ai_voice_enabled: bool = copier_data.get(AnswerKeys.AI_VOICE, False) is True
         context = {
             "include_auth": is_auth_included,
+            "include_auth_org": copier_data.get(AnswerKeys.AUTH_ORG, False) is True,
+            "auth_level": copier_data.get(AnswerKeys.AUTH_LEVEL, "basic"),
             "include_ai": is_ai_included,
             "ai_backend": ai_backend_str,
             "ai_voice": ai_voice_enabled,
@@ -356,6 +361,19 @@ def generate_with_copier(
                 # Production mode: use GitHub URL
                 answers["_src_path"] = GITHUB_TEMPLATE_URL
 
+            # Persist conditional auth fields (Copier may omit conditional
+            # questions from answers file when values are provided via data)
+            if copier_data.get(AnswerKeys.AUTH):
+                answers[AnswerKeys.AUTH_LEVEL] = copier_data.get(
+                    AnswerKeys.AUTH_LEVEL, "basic"
+                )
+                answers[AnswerKeys.AUTH_RBAC] = copier_data.get(
+                    AnswerKeys.AUTH_RBAC, False
+                )
+                answers[AnswerKeys.AUTH_ORG] = copier_data.get(
+                    AnswerKeys.AUTH_ORG, False
+                )
+
             with open(answers_file, "w") as f:
                 yaml.safe_dump(answers, f, default_flow_style=False, sort_keys=False)
 

aegis/templates/copier-aegis-project/{{ project_slug }}/.copier-answers.yml.jinja

@@ -18,6 +18,9 @@ include_database: {{ include_database }}
 database_engine: {{ database_engine }}
 include_cache: {{ include_cache }}
 include_auth: {{ include_auth }}
+auth_level: {{ auth_level }}
+include_auth_rbac: {{ include_auth_rbac }}
+include_auth_org: {{ include_auth_org }}
 include_ai: {{ include_ai }}
 include_comms: {{ include_comms }}
 ai_providers: {{ ai_providers }}

aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/api/orgs/__init__.py

@@ -0,0 +1,260 @@
+"""Organization API routes."""
+{% if include_auth_org %}
+
+from app.components.backend.api.deps import get_async_db
+from app.models.org import (
+    MemberResponse,
+    OrgCreate,
+    OrgResponse,
+    OrganizationMember,
+    ORG_ROLE_OWNER,
+    ORG_ROLE_ADMIN,
+)
+from app.services.auth.auth_service import get_current_user_from_token
+from app.services.auth.membership_service import MembershipService
+from app.services.auth.org_service import OrgService
+from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer
+from sqlmodel.ext.asyncio.session import AsyncSession
+
+router = APIRouter(prefix="/orgs", tags=["organizations"])
+
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/token")
+
+
+async def _get_current_user(
+    token: str = Depends(oauth2_scheme),
+    db: AsyncSession = Depends(get_async_db),
+):
+    """Get authenticated user."""
+    return await get_current_user_from_token(token, db)
+
+
+async def _require_org_role(
+    org_id: int,
+    db: AsyncSession,
+    user_id: int,
+    allowed_roles: set[str],
+) -> OrganizationMember:
+    """Check user has required org role. Raises 403 if not."""
+    membership_service = MembershipService(db)
+    member = await membership_service.get_member(org_id, user_id)
+    if not member or member.role not in allowed_roles:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Insufficient organization permissions",
+        )
+    return member
+
+
+# =============================================================================
+# Organization CRUD
+# =============================================================================
+
+
+@router.post("", response_model=OrgResponse, status_code=status.HTTP_201_CREATED)
+async def create_org(
+    org_data: OrgCreate,
+    user=Depends(_get_current_user),
+    db: AsyncSession = Depends(get_async_db),
+) -> OrgResponse:
+    """Create a new organization. Creator becomes owner."""
+    org_service = OrgService(db)
+
+    # Check slug uniqueness
+    existing = await org_service.get_org_by_slug(org_data.slug)
+    if existing:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Organization slug already taken",
+        )
+
+    org = await org_service.create_org(org_data)
+
+    # Add creator as owner
+    membership_service = MembershipService(db)
+    await membership_service.add_member(org.id, user.id, role=ORG_ROLE_OWNER)
+
+    return OrgResponse.model_validate(org)
+
+
+@router.get("", response_model=list[OrgResponse])
+async def list_my_orgs(
+    user=Depends(_get_current_user),
+    db: AsyncSession = Depends(get_async_db),
+) -> list[OrgResponse]:
+    """List organizations the current user belongs to."""
+    membership_service = MembershipService(db)
+    orgs = await membership_service.list_user_orgs(user.id)
+    return [OrgResponse.model_validate(org) for org in orgs]
+
+
+@router.get("/{org_id}", response_model=OrgResponse)
+async def get_org(
+    org_id: int,
+    user=Depends(_get_current_user),
+    db: AsyncSession = Depends(get_async_db),
+) -> OrgResponse:
+    """Get organization details."""
+    org_service = OrgService(db)
+    org = await org_service.get_org_by_id(org_id)
+    if not org:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Organization not found",
+        )
+    return OrgResponse.model_validate(org)
+
+
+@router.patch("/{org_id}", response_model=OrgResponse)
+async def update_org(
+    org_id: int,
+    name: str | None = None,
+    description: str | None = None,
+    user=Depends(_get_current_user),
+    db: AsyncSession = Depends(get_async_db),
+) -> OrgResponse:
+    """Update organization. Requires admin or owner role."""
+    await _require_org_role(org_id, db, user.id, {ORG_ROLE_ADMIN, ORG_ROLE_OWNER})
+
+    updates: dict[str, str] = {}
+    if name is not None:
+        updates["name"] = name
+    if description is not None:
+        updates["description"] = description
+
+    if not updates:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="No fields to update",
+        )
+
+    org_service = OrgService(db)
+    org = await org_service.update_org(org_id, **updates)
+    if not org:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Organization not found",
+        )
+    return OrgResponse.model_validate(org)
+
+
+@router.delete("/{org_id}", status_code=status.HTTP_204_NO_CONTENT)
+async def delete_org(
+    org_id: int,
+    user=Depends(_get_current_user),
+    db: AsyncSession = Depends(get_async_db),
+) -> None:
+    """Delete organization. Requires owner role."""
+    await _require_org_role(org_id, db, user.id, {ORG_ROLE_OWNER})
+
+    org_service = OrgService(db)
+    success = await org_service.delete_org(org_id)
+    if not success:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Organization not found",
+        )
+
+
+# =============================================================================
+# Membership Management
+# =============================================================================
+
+
+@router.get("/{org_id}/members", response_model=list[MemberResponse])
+async def list_members(
+    org_id: int,
+    user=Depends(_get_current_user),
+    db: AsyncSession = Depends(get_async_db),
+) -> list[MemberResponse]:
+    """List organization members. Requires membership."""
+    await _require_org_role(
+        org_id, db, user.id, {ORG_ROLE_OWNER, ORG_ROLE_ADMIN, "member"}
+    )
+
+    membership_service = MembershipService(db)
+    members = await membership_service.list_org_members(org_id)
+    return [MemberResponse.model_validate(m) for m in members]
+
+
+@router.post(
+    "/{org_id}/members",
+    response_model=MemberResponse,
+    status_code=status.HTTP_201_CREATED,
+)
+async def add_member(
+    org_id: int,
+    user_id: int,
+    role: str = "member",
+    user=Depends(_get_current_user),
+    db: AsyncSession = Depends(get_async_db),
+) -> MemberResponse:
+    """Add a member to organization. Requires admin or owner role."""
+    await _require_org_role(org_id, db, user.id, {ORG_ROLE_ADMIN, ORG_ROLE_OWNER})
+
+    membership_service = MembershipService(db)
+
+    # Check if already a member
+    existing = await membership_service.get_member(org_id, user_id)
+    if existing:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="User is already a member of this organization",
+        )
+
+    member = await membership_service.add_member(org_id, user_id, role)
+    return MemberResponse.model_validate(member)
+
+
+@router.patch("/{org_id}/members/{user_id}", response_model=MemberResponse)
+async def update_member_role(
+    org_id: int,
+    user_id: int,
+    role: str,
+    user=Depends(_get_current_user),
+    db: AsyncSession = Depends(get_async_db),
+) -> MemberResponse:
+    """Update a member's role. Requires admin or owner role."""
+    await _require_org_role(org_id, db, user.id, {ORG_ROLE_ADMIN, ORG_ROLE_OWNER})
+
+    membership_service = MembershipService(db)
+    member = await membership_service.update_member_role(org_id, user_id, role)
+    if not member:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Member not found",
+        )
+    return MemberResponse.model_validate(member)
+
+
+@router.delete(
+    "/{org_id}/members/{user_id}", status_code=status.HTTP_204_NO_CONTENT
+)
+async def remove_member(
+    org_id: int,
+    user_id: int,
+    user=Depends(_get_current_user),
+    db: AsyncSession = Depends(get_async_db),
+) -> None:
+    """Remove a member from organization. Owner cannot be removed."""
+    await _require_org_role(org_id, db, user.id, {ORG_ROLE_ADMIN, ORG_ROLE_OWNER})
+
+    # Prevent removing the owner
+    membership_service = MembershipService(db)
+    target = await membership_service.get_member(org_id, user_id)
+    if not target:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Member not found",
+        )
+    if target.role == ORG_ROLE_OWNER:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Cannot remove the organization owner",
+        )
+
+    await membership_service.remove_member(org_id, user_id)
+{% else %}
+# Organization endpoints not included (auth_level != org)
+{% endif %}

aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/api/orgs/router.py.jinja

@@ -12,6 +12,9 @@ from app.components.backend.api import scheduler
 {%- if include_auth %}
 from app.components.backend.api.auth.router import router as auth_router
 {%- endif %}
+{%- if include_auth_org %}
+from app.components.backend.api.orgs.router import router as org_router
+{%- endif %}
 {%- if include_ai %}
 from app.components.backend.api.ai.router import router as ai_router
 {%- if ai_voice %}
@@ -43,6 +46,9 @@ def include_routers(app: FastAPI) -> None:
     {%- if include_auth %}
     app.include_router(auth_router, prefix="/api/v1")
     {%- endif %}
+    {%- if include_auth_org %}
+    app.include_router(org_router, prefix="/api/v1")
+    {%- endif %}
     {%- if include_ai %}
     app.include_router(ai_router)
     {%- if ai_voice %}