13a2867ef6
End-to-end implementation per docs/sprint-2.5-plan.md. New requirement added by user mid-sprint: 4-role RBAC (Super Admin / Engineer / Owner / User) with dual-auth for Engineer flashing firmware, plus a "mini Arduino IDE" inside the Studio. Tests: pytest 231/231 green (129 Sprint 2 + 102 Sprint 2.5 new). RBAC core (arautopilot/core/): - rbac.py: 4 roles, 12 capabilities, immutable capability matrix, has() / capabilities_of() / require() / requires_dual_auth() helpers. Engineer flashing firmware needs SA approval; everything else is single-factor. - user.py: User model with PBKDF2-HMAC-SHA256 PIN hashing (200k iters, 16-byte salt, self-describing hash format for future migrations). 4-8 digit numeric PINs enforced. - user_store.py: JSON-backed user database. seed_demo_users() for first-run UX. - audit.py: append-only JSONL audit log. AuditEvent with timestamp, user_id, role, action, target, outcome, reason, secondary_user_id for dual-auth, optional extra payload. Crypto signing of lines deferred to Sprint 8. Studio GUI (arautopilot/studio/): - app.py: real entry point (replaces Sprint 0 stub). --seed-demo populates demo users without launching GUI; --data-dir overrides the ~/.ar-autopilot/studio/ default. - session.py: Session + SessionHolder. check() always audits the decision; verify_super_admin_pin() + log_dual_auth_grant() for dual-auth flows. - login_window.py: modal login dialog with user picker + PIN field. Audits login attempts (success and bad-PIN denials). - main_window.py: top-level window with sidebar (user + role + caps) and tab area (Overview, Flash Console, Project placeholder, Telemetry placeholder). - flash_console.py: the "mini Arduino IDE". Lists serial ports via pyserial; picks firmware variant (esp32-dev / esp32-debug); compiles via 'pio run'; flashes via 'pio run -t upload --upload-port <port>'; streams pio output to a dark-themed read-only console; supports cancel. For Engineer flashes, asks the Super Admin for their PIN inline before invoking pio. Records dual-auth grant + pio exit code in the audit log. Dependencies: - New [project.optional-dependencies] group 'studio': PySide6>=6.6, pyserial>=3.5, platformio>=6.1. Kept optional so the core can be installed in lean / CI environments. Tests (arautopilot/tests/): - test_rbac.py: 32 tests for capability matrix, dual-auth policy, no-privilege-escalation invariants, partial overlap between roles. - test_user.py: 11 tests for PIN hashing, verification, salting, serialisation, field validators. - test_audit.py: 9 tests for JSONL append, immutability, round-trip, corrupt-line detection, dual-auth event shape, blank-line tolerance. - test_user_store.py: 10 tests for CRUD, persistence, role filtering, demo seed idempotency. - test_session.py: 9 tests for capability checks + audit side effects, SA PIN verification, dual-auth recording, SessionHolder lifecycle. - test_studio_smoke.py: 5 headless tests verifying Studio modules import without a display server, --seed-demo works, helpers safe to call without hardware. NOT in Sprint 2.5 (intentional): - Crypto signing of audit log lines (hash-chain) -- Sprint 8 - HWID binding of the user store -- Sprint 8 - Project configurator + .appack compiler -- Sprint 4 - Flutter bridge display -- Sprint 4 - Telemetry dashboard tab -- Sprint 4 - Serial monitor as a separate tab -- future enhancement Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
109 lines
3.7 KiB
Python
109 lines
3.7 KiB
Python
"""Local user database (JSON file).
|
|
|
|
Sprint 2.5: persists the list of Users + their hashed PINs to a single
|
|
JSON file (per Studio install). On the bridge display the same format
|
|
is consumed but typically managed by the Owner via the Studio UI.
|
|
|
|
Sprint 8 will migrate this to a signed/encrypted store bound to the HWID.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import json
|
|
from pathlib import Path
|
|
|
|
from pydantic import TypeAdapter
|
|
|
|
from arautopilot.core.rbac import Role
|
|
from arautopilot.core.user import User
|
|
|
|
|
|
class UserStore:
|
|
"""Append/overwrite list of :class:`User` persisted to a JSON file."""
|
|
|
|
def __init__(self, path: Path | str) -> None:
|
|
self.path = Path(path)
|
|
self._users: dict[str, User] = {}
|
|
if self.path.exists():
|
|
self._load()
|
|
else:
|
|
self.path.parent.mkdir(parents=True, exist_ok=True)
|
|
|
|
# ----- Persistence ----------------------------------------------------
|
|
def _load(self) -> None:
|
|
text = self.path.read_text(encoding="utf-8")
|
|
if not text.strip():
|
|
return
|
|
data = json.loads(text)
|
|
if not isinstance(data, list):
|
|
raise ValueError(f"{self.path}: expected a JSON list at the top level")
|
|
adapter = TypeAdapter(list[User])
|
|
users = adapter.validate_python(data)
|
|
self._users = {u.user_id: u for u in users}
|
|
|
|
def save(self) -> None:
|
|
adapter = TypeAdapter(list[User])
|
|
data = adapter.dump_python(list(self._users.values()), mode="json")
|
|
self.path.write_text(
|
|
json.dumps(data, indent=2, ensure_ascii=False), encoding="utf-8"
|
|
)
|
|
|
|
# ----- CRUD -----------------------------------------------------------
|
|
def add(self, user: User) -> None:
|
|
if user.user_id in self._users:
|
|
raise ValueError(f"user_id {user.user_id!r} already exists")
|
|
self._users[user.user_id] = user
|
|
self.save()
|
|
|
|
def remove(self, user_id: str) -> None:
|
|
if user_id not in self._users:
|
|
raise KeyError(user_id)
|
|
del self._users[user_id]
|
|
self.save()
|
|
|
|
def replace(self, user: User) -> None:
|
|
"""Insert or update the user with this user_id."""
|
|
self._users[user.user_id] = user
|
|
self.save()
|
|
|
|
def get(self, user_id: str) -> User | None:
|
|
return self._users.get(user_id)
|
|
|
|
def find_by_name(self, display_name: str) -> User | None:
|
|
for u in self._users.values():
|
|
if u.display_name == display_name:
|
|
return u
|
|
return None
|
|
|
|
def all_users(self) -> list[User]:
|
|
"""Return every user, sorted by display_name."""
|
|
return sorted(self._users.values(), key=lambda u: u.display_name.lower())
|
|
|
|
def by_role(self, role: Role) -> list[User]:
|
|
return [u for u in self.all_users() if u.role is role]
|
|
|
|
def __len__(self) -> int:
|
|
return len(self._users)
|
|
|
|
def __contains__(self, user_id: object) -> bool:
|
|
return user_id in self._users
|
|
|
|
|
|
def seed_demo_users(store: UserStore) -> None:
|
|
"""Populate a fresh store with one user of each role for first-run UX.
|
|
|
|
Demo PINs (well-known, only used in dev/sample stores -- the user is
|
|
expected to change these immediately):
|
|
|
|
Super Admin "Alvaro" PIN 1111
|
|
Engineer "Eng Demo" PIN 2222
|
|
Owner "Captain" PIN 3333
|
|
User "Crew" PIN 4444
|
|
"""
|
|
if len(store) > 0:
|
|
return
|
|
store.add(User.create(display_name="Alvaro", role=Role.SUPER_ADMIN, pin="1111"))
|
|
store.add(User.create(display_name="Eng Demo", role=Role.ENGINEER, pin="2222"))
|
|
store.add(User.create(display_name="Captain", role=Role.OWNER, pin="3333"))
|
|
store.add(User.create(display_name="Crew", role=Role.USER, pin="4444"))
|