IAM implementation

trustgraph-base/trustgraph/base/iam_client.py

@@ -0,0 +1,124 @@
+
+from . request_response_spec import RequestResponse, RequestResponseSpec
+from .. schema import (
+    IamRequest, IamResponse,
+    UserInput, WorkspaceInput, ApiKeyInput,
+)
+
+IAM_TIMEOUT = 10
+
+
+class IamClient(RequestResponse):
+    """Client for the IAM service request/response pub/sub protocol.
+
+    Mirrors ``ConfigClient``: a thin wrapper around ``RequestResponse``
+    that knows the IAM request / response schemas.  Only the subset of
+    operations actually implemented by the server today has helper
+    methods here; callers that need an unimplemented operation can
+    build ``IamRequest`` and call ``request()`` directly.
+    """
+
+    async def _request(self, timeout=IAM_TIMEOUT, **kwargs):
+        resp = await self.request(
+            IamRequest(**kwargs),
+            timeout=timeout,
+        )
+        if resp.error:
+            raise RuntimeError(
+                f"{resp.error.type}: {resp.error.message}"
+            )
+        return resp
+
+    async def bootstrap(self, timeout=IAM_TIMEOUT):
+        """Initial-run IAM self-seed.  Returns a tuple of
+        ``(admin_user_id, admin_api_key_plaintext)``.  Both are empty
+        strings on repeat calls — the operation is a no-op once the
+        IAM tables are populated."""
+        resp = await self._request(
+            operation="bootstrap", timeout=timeout,
+        )
+        return resp.bootstrap_admin_user_id, resp.bootstrap_admin_api_key
+
+    async def resolve_api_key(self, api_key, timeout=IAM_TIMEOUT):
+        """Resolve a plaintext API key to its identity triple.
+
+        Returns ``(user_id, workspace, roles)`` or raises
+        ``RuntimeError`` with error type ``auth-failed`` if the key is
+        unknown / expired / revoked."""
+        resp = await self._request(
+            operation="resolve-api-key",
+            api_key=api_key,
+            timeout=timeout,
+        )
+        return (
+            resp.resolved_user_id,
+            resp.resolved_workspace,
+            list(resp.resolved_roles),
+        )
+
+    async def create_user(self, workspace, user, actor="",
+                          timeout=IAM_TIMEOUT):
+        """Create a user.  ``user`` is a ``UserInput``."""
+        resp = await self._request(
+            operation="create-user",
+            workspace=workspace,
+            actor=actor,
+            user=user,
+            timeout=timeout,
+        )
+        return resp.user
+
+    async def list_users(self, workspace, actor="", timeout=IAM_TIMEOUT):
+        resp = await self._request(
+            operation="list-users",
+            workspace=workspace,
+            actor=actor,
+            timeout=timeout,
+        )
+        return list(resp.users)
+
+    async def create_api_key(self, workspace, key, actor="",
+                             timeout=IAM_TIMEOUT):
+        """Create an API key.  ``key`` is an ``ApiKeyInput``.  Returns
+        ``(plaintext, record)`` — plaintext is returned once and the
+        caller is responsible for surfacing it to the operator."""
+        resp = await self._request(
+            operation="create-api-key",
+            workspace=workspace,
+            actor=actor,
+            key=key,
+            timeout=timeout,
+        )
+        return resp.api_key_plaintext, resp.api_key
+
+    async def list_api_keys(self, workspace, user_id, actor="",
+                            timeout=IAM_TIMEOUT):
+        resp = await self._request(
+            operation="list-api-keys",
+            workspace=workspace,
+            actor=actor,
+            user_id=user_id,
+            timeout=timeout,
+        )
+        return list(resp.api_keys)
+
+    async def revoke_api_key(self, workspace, key_id, actor="",
+                             timeout=IAM_TIMEOUT):
+        await self._request(
+            operation="revoke-api-key",
+            workspace=workspace,
+            actor=actor,
+            key_id=key_id,
+            timeout=timeout,
+        )
+
+
+class IamClientSpec(RequestResponseSpec):
+    def __init__(self, request_name, response_name):
+        super().__init__(
+            request_name=request_name,
+            request_schema=IamRequest,
+            response_name=response_name,
+            response_schema=IamResponse,
+            impl=IamClient,
+        )

trustgraph-base/trustgraph/messaging/__init__.py

@@ -15,6 +15,7 @@ from .translators.library import LibraryRequestTranslator, LibraryResponseTransl
 from .translators.document_loading import DocumentTranslator, TextDocumentTranslator
 from .translators.config import ConfigRequestTranslator, ConfigResponseTranslator
 from .translators.flow import FlowRequestTranslator, FlowResponseTranslator
+from .translators.iam import IamRequestTranslator, IamResponseTranslator
 from .translators.prompt import PromptRequestTranslator, PromptResponseTranslator
 from .translators.tool import ToolRequestTranslator, ToolResponseTranslator
 from .translators.embeddings_query import (
@@ -85,11 +86,17 @@ TranslatorRegistry.register_service(
 )
 
 TranslatorRegistry.register_service(
-    "flow", 
-    FlowRequestTranslator(), 
+    "flow",
+    FlowRequestTranslator(),
     FlowResponseTranslator()
 )
 
+TranslatorRegistry.register_service(
+    "iam",
+    IamRequestTranslator(),
+    IamResponseTranslator()
+)
+
 TranslatorRegistry.register_service(
     "prompt", 
     PromptRequestTranslator(), 

trustgraph-base/trustgraph/messaging/translators/iam.py

@@ -0,0 +1,194 @@
+from typing import Dict, Any, Tuple
+
+from ...schema import IamRequest, IamResponse
+from ...schema import (
+    UserInput, UserRecord,
+    WorkspaceInput, WorkspaceRecord,
+    ApiKeyInput, ApiKeyRecord,
+)
+from .base import MessageTranslator
+
+
+def _user_input_from_dict(d):
+    if d is None:
+        return None
+    return UserInput(
+        username=d.get("username", ""),
+        name=d.get("name", ""),
+        email=d.get("email", ""),
+        password=d.get("password", ""),
+        roles=list(d.get("roles", [])),
+        enabled=d.get("enabled", True),
+        must_change_password=d.get("must_change_password", False),
+    )
+
+
+def _workspace_input_from_dict(d):
+    if d is None:
+        return None
+    return WorkspaceInput(
+        id=d.get("id", ""),
+        name=d.get("name", ""),
+        enabled=d.get("enabled", True),
+    )
+
+
+def _api_key_input_from_dict(d):
+    if d is None:
+        return None
+    return ApiKeyInput(
+        user_id=d.get("user_id", ""),
+        name=d.get("name", ""),
+        expires=d.get("expires", ""),
+    )
+
+
+def _user_record_to_dict(r):
+    if r is None:
+        return None
+    return {
+        "id": r.id,
+        "workspace": r.workspace,
+        "username": r.username,
+        "name": r.name,
+        "email": r.email,
+        "roles": list(r.roles),
+        "enabled": r.enabled,
+        "must_change_password": r.must_change_password,
+        "created": r.created,
+    }
+
+
+def _workspace_record_to_dict(r):
+    if r is None:
+        return None
+    return {
+        "id": r.id,
+        "name": r.name,
+        "enabled": r.enabled,
+        "created": r.created,
+    }
+
+
+def _api_key_record_to_dict(r):
+    if r is None:
+        return None
+    return {
+        "id": r.id,
+        "user_id": r.user_id,
+        "name": r.name,
+        "prefix": r.prefix,
+        "expires": r.expires,
+        "created": r.created,
+        "last_used": r.last_used,
+    }
+
+
+class IamRequestTranslator(MessageTranslator):
+
+    def decode(self, data: Dict[str, Any]) -> IamRequest:
+        return IamRequest(
+            operation=data.get("operation", ""),
+            workspace=data.get("workspace", ""),
+            actor=data.get("actor", ""),
+            user_id=data.get("user_id", ""),
+            username=data.get("username", ""),
+            key_id=data.get("key_id", ""),
+            api_key=data.get("api_key", ""),
+            password=data.get("password", ""),
+            new_password=data.get("new_password", ""),
+            user=_user_input_from_dict(data.get("user")),
+            workspace_record=_workspace_input_from_dict(
+                data.get("workspace_record")
+            ),
+            key=_api_key_input_from_dict(data.get("key")),
+        )
+
+    def encode(self, obj: IamRequest) -> Dict[str, Any]:
+        result = {"operation": obj.operation}
+        for fname in (
+                "workspace", "actor", "user_id", "username", "key_id",
+                "api_key", "password", "new_password",
+        ):
+            v = getattr(obj, fname, "")
+            if v:
+                result[fname] = v
+        if obj.user is not None:
+            result["user"] = {
+                "username": obj.user.username,
+                "name": obj.user.name,
+                "email": obj.user.email,
+                "password": obj.user.password,
+                "roles": list(obj.user.roles),
+                "enabled": obj.user.enabled,
+                "must_change_password": obj.user.must_change_password,
+            }
+        if obj.workspace_record is not None:
+            result["workspace_record"] = {
+                "id": obj.workspace_record.id,
+                "name": obj.workspace_record.name,
+                "enabled": obj.workspace_record.enabled,
+            }
+        if obj.key is not None:
+            result["key"] = {
+                "user_id": obj.key.user_id,
+                "name": obj.key.name,
+                "expires": obj.key.expires,
+            }
+        return result
+
+
+class IamResponseTranslator(MessageTranslator):
+
+    def decode(self, data: Dict[str, Any]) -> IamResponse:
+        raise NotImplementedError(
+            "IamResponse is a server-produced message; no HTTP→schema "
+            "path is needed"
+        )
+
+    def encode(self, obj: IamResponse) -> Dict[str, Any]:
+        result: Dict[str, Any] = {}
+
+        if obj.user is not None:
+            result["user"] = _user_record_to_dict(obj.user)
+        if obj.users:
+            result["users"] = [_user_record_to_dict(u) for u in obj.users]
+        if obj.workspace is not None:
+            result["workspace"] = _workspace_record_to_dict(obj.workspace)
+        if obj.workspaces:
+            result["workspaces"] = [
+                _workspace_record_to_dict(w) for w in obj.workspaces
+            ]
+        if obj.api_key_plaintext:
+            result["api_key_plaintext"] = obj.api_key_plaintext
+        if obj.api_key is not None:
+            result["api_key"] = _api_key_record_to_dict(obj.api_key)
+        if obj.api_keys:
+            result["api_keys"] = [
+                _api_key_record_to_dict(k) for k in obj.api_keys
+            ]
+        if obj.jwt:
+            result["jwt"] = obj.jwt
+        if obj.jwt_expires:
+            result["jwt_expires"] = obj.jwt_expires
+        if obj.signing_key_public:
+            result["signing_key_public"] = obj.signing_key_public
+        if obj.resolved_user_id:
+            result["resolved_user_id"] = obj.resolved_user_id
+        if obj.resolved_workspace:
+            result["resolved_workspace"] = obj.resolved_workspace
+        if obj.resolved_roles:
+            result["resolved_roles"] = list(obj.resolved_roles)
+        if obj.temporary_password:
+            result["temporary_password"] = obj.temporary_password
+        if obj.bootstrap_admin_user_id:
+            result["bootstrap_admin_user_id"] = obj.bootstrap_admin_user_id
+        if obj.bootstrap_admin_api_key:
+            result["bootstrap_admin_api_key"] = obj.bootstrap_admin_api_key
+
+        return result
+
+    def encode_with_completion(
+            self, obj: IamResponse,
+    ) -> Tuple[Dict[str, Any], bool]:
+        return self.encode(obj), True

trustgraph-base/trustgraph/schema/services/__init__.py

@@ -5,6 +5,7 @@ from .agent import *
 from .flow import *
 from .prompt import *
 from .config import *
+from .iam import *
 from .library import *
 from .lookup import *
 from .nlp_query import *

trustgraph-base/trustgraph/schema/services/iam.py

@@ -0,0 +1,142 @@
+
+from dataclasses import dataclass, field
+
+from ..core.topic import queue
+from ..core.primitives import Error
+
+############################################################################
+
+# IAM service — see docs/tech-specs/iam-protocol.md for the full protocol.
+#
+# Transport: request/response pub/sub, correlated by the `id` message
+# property.  Caller is the API gateway only; the IAM service trusts
+# the bus per the enforcement-boundary policy (no per-request auth
+# against the caller).
+
+
+@dataclass
+class UserInput:
+    username: str = ""
+    name: str = ""
+    email: str = ""
+    # Only populated on create-user; never on update-user.
+    password: str = ""
+    roles: list[str] = field(default_factory=list)
+    enabled: bool = True
+    must_change_password: bool = False
+
+
+@dataclass
+class UserRecord:
+    id: str = ""
+    workspace: str = ""
+    username: str = ""
+    name: str = ""
+    email: str = ""
+    roles: list[str] = field(default_factory=list)
+    enabled: bool = True
+    must_change_password: bool = False
+    created: str = ""
+
+
+@dataclass
+class WorkspaceInput:
+    id: str = ""
+    name: str = ""
+    enabled: bool = True
+
+
+@dataclass
+class WorkspaceRecord:
+    id: str = ""
+    name: str = ""
+    enabled: bool = True
+    created: str = ""
+
+
+@dataclass
+class ApiKeyInput:
+    user_id: str = ""
+    name: str = ""
+    expires: str = ""
+
+
+@dataclass
+class ApiKeyRecord:
+    id: str = ""
+    user_id: str = ""
+    name: str = ""
+    # First 4 chars of the plaintext token, for operator identification
+    # in list-api-keys.  Never enough to reconstruct the key.
+    prefix: str = ""
+    expires: str = ""
+    created: str = ""
+    last_used: str = ""
+
+
+@dataclass
+class IamRequest:
+    operation: str = ""
+
+    # Workspace scope.  Required on workspace-scoped operations;
+    # omitted for system-level ops (workspace CRUD, signing-key
+    # ops, bootstrap, resolve-api-key, login).
+    workspace: str = ""
+
+    # Acting user id for audit.  Empty for internal-origin and for
+    # operations that resolve an identity (login, resolve-api-key).
+    actor: str = ""
+
+    user_id: str = ""
+    username: str = ""
+    key_id: str = ""
+    api_key: str = ""
+
+    password: str = ""
+    new_password: str = ""
+
+    user: UserInput | None = None
+    workspace_record: WorkspaceInput | None = None
+    key: ApiKeyInput | None = None
+
+
+@dataclass
+class IamResponse:
+    user: UserRecord | None = None
+    users: list[UserRecord] = field(default_factory=list)
+
+    workspace: WorkspaceRecord | None = None
+    workspaces: list[WorkspaceRecord] = field(default_factory=list)
+
+    # create-api-key returns the plaintext once; never populated
+    # on any other operation.
+    api_key_plaintext: str = ""
+    api_key: ApiKeyRecord | None = None
+    api_keys: list[ApiKeyRecord] = field(default_factory=list)
+
+    # login, rotate-signing-key
+    jwt: str = ""
+    jwt_expires: str = ""
+
+    # get-signing-key-public
+    signing_key_public: str = ""
+
+    # resolve-api-key
+    resolved_user_id: str = ""
+    resolved_workspace: str = ""
+    resolved_roles: list[str] = field(default_factory=list)
+
+    # reset-password
+    temporary_password: str = ""
+
+    # bootstrap
+    bootstrap_admin_user_id: str = ""
+    bootstrap_admin_api_key: str = ""
+
+    error: Error | None = None
+
+
+iam_request_queue = queue('iam', cls='request')
+iam_response_queue = queue('iam', cls='response')
+
+############################################################################