13a2867ef6
End-to-end implementation per docs/sprint-2.5-plan.md. New requirement added by user mid-sprint: 4-role RBAC (Super Admin / Engineer / Owner / User) with dual-auth for Engineer flashing firmware, plus a "mini Arduino IDE" inside the Studio. Tests: pytest 231/231 green (129 Sprint 2 + 102 Sprint 2.5 new). RBAC core (arautopilot/core/): - rbac.py: 4 roles, 12 capabilities, immutable capability matrix, has() / capabilities_of() / require() / requires_dual_auth() helpers. Engineer flashing firmware needs SA approval; everything else is single-factor. - user.py: User model with PBKDF2-HMAC-SHA256 PIN hashing (200k iters, 16-byte salt, self-describing hash format for future migrations). 4-8 digit numeric PINs enforced. - user_store.py: JSON-backed user database. seed_demo_users() for first-run UX. - audit.py: append-only JSONL audit log. AuditEvent with timestamp, user_id, role, action, target, outcome, reason, secondary_user_id for dual-auth, optional extra payload. Crypto signing of lines deferred to Sprint 8. Studio GUI (arautopilot/studio/): - app.py: real entry point (replaces Sprint 0 stub). --seed-demo populates demo users without launching GUI; --data-dir overrides the ~/.ar-autopilot/studio/ default. - session.py: Session + SessionHolder. check() always audits the decision; verify_super_admin_pin() + log_dual_auth_grant() for dual-auth flows. - login_window.py: modal login dialog with user picker + PIN field. Audits login attempts (success and bad-PIN denials). - main_window.py: top-level window with sidebar (user + role + caps) and tab area (Overview, Flash Console, Project placeholder, Telemetry placeholder). - flash_console.py: the "mini Arduino IDE". Lists serial ports via pyserial; picks firmware variant (esp32-dev / esp32-debug); compiles via 'pio run'; flashes via 'pio run -t upload --upload-port <port>'; streams pio output to a dark-themed read-only console; supports cancel. For Engineer flashes, asks the Super Admin for their PIN inline before invoking pio. Records dual-auth grant + pio exit code in the audit log. Dependencies: - New [project.optional-dependencies] group 'studio': PySide6>=6.6, pyserial>=3.5, platformio>=6.1. Kept optional so the core can be installed in lean / CI environments. Tests (arautopilot/tests/): - test_rbac.py: 32 tests for capability matrix, dual-auth policy, no-privilege-escalation invariants, partial overlap between roles. - test_user.py: 11 tests for PIN hashing, verification, salting, serialisation, field validators. - test_audit.py: 9 tests for JSONL append, immutability, round-trip, corrupt-line detection, dual-auth event shape, blank-line tolerance. - test_user_store.py: 10 tests for CRUD, persistence, role filtering, demo seed idempotency. - test_session.py: 9 tests for capability checks + audit side effects, SA PIN verification, dual-auth recording, SessionHolder lifecycle. - test_studio_smoke.py: 5 headless tests verifying Studio modules import without a display server, --seed-demo works, helpers safe to call without hardware. NOT in Sprint 2.5 (intentional): - Crypto signing of audit log lines (hash-chain) -- Sprint 8 - HWID binding of the user store -- Sprint 8 - Project configurator + .appack compiler -- Sprint 4 - Flutter bridge display -- Sprint 4 - Telemetry dashboard tab -- Sprint 4 - Serial monitor as a separate tab -- future enhancement Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
147 lines
4.5 KiB
Python
147 lines
4.5 KiB
Python
"""Authenticated session state for the Studio.
|
|
|
|
A ``Session`` is the runtime context of a logged-in user. It carries the
|
|
:class:`User`, exposes capability checks, and writes audit events for
|
|
every gated decision (granted or denied). Window code reaches for the
|
|
current Session via the :class:`SessionHolder` singleton; tests can swap
|
|
it out trivially.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from pathlib import Path
|
|
from typing import Optional
|
|
|
|
from arautopilot.core.audit import AuditEvent, AuditLog, AuditOutcome
|
|
from arautopilot.core.rbac import Capability, Role, has, requires_dual_auth
|
|
from arautopilot.core.user import User
|
|
from arautopilot.core.user_store import UserStore
|
|
|
|
|
|
class Session:
|
|
"""The current user + their audit log + capability gate."""
|
|
|
|
def __init__(
|
|
self,
|
|
user: User,
|
|
store: UserStore,
|
|
audit: AuditLog,
|
|
) -> None:
|
|
self.user = user
|
|
self.store = store
|
|
self.audit = audit
|
|
|
|
@property
|
|
def role(self) -> Role:
|
|
return self.user.role
|
|
|
|
def can(self, capability: Capability) -> bool:
|
|
return has(self.user.role, capability)
|
|
|
|
def check(self, capability: Capability, *, target: str | None = None,
|
|
extra: dict[str, object] | None = None) -> bool:
|
|
"""Capability check with audit side effect.
|
|
|
|
Returns True on grant, False on denial. Records an audit event
|
|
either way so the trail is complete.
|
|
"""
|
|
granted = self.can(capability)
|
|
self.audit.append(
|
|
AuditEvent(
|
|
user_id=self.user.user_id,
|
|
role=self.user.role.value,
|
|
action=f"check:{capability.value}",
|
|
target=target,
|
|
outcome=AuditOutcome.SUCCESS if granted else AuditOutcome.DENIED,
|
|
reason="" if granted
|
|
else f"role {self.user.role.value!r} lacks {capability.value!r}",
|
|
extra=extra or {},
|
|
)
|
|
)
|
|
return granted
|
|
|
|
def needs_dual_auth(self, capability: Capability) -> bool:
|
|
return requires_dual_auth(self.user.role, capability)
|
|
|
|
def verify_super_admin_pin(self, pin: str) -> Optional[User]:
|
|
"""Look up the (first) Super Admin in the store and verify the PIN.
|
|
|
|
Returns the SA :class:`User` on success, ``None`` on failure.
|
|
"""
|
|
for sa in self.store.by_role(Role.SUPER_ADMIN):
|
|
if sa.verify_pin(pin):
|
|
return sa
|
|
return None
|
|
|
|
def log_dual_auth_grant(
|
|
self,
|
|
capability: Capability,
|
|
sa_user: User,
|
|
*,
|
|
target: str | None = None,
|
|
extra: dict[str, object] | None = None,
|
|
) -> None:
|
|
"""Record an audit event for a successful dual-auth approval."""
|
|
self.audit.append(
|
|
AuditEvent(
|
|
user_id=self.user.user_id,
|
|
role=self.user.role.value,
|
|
action=f"dual_auth_approved:{capability.value}",
|
|
target=target,
|
|
outcome=AuditOutcome.SUCCESS,
|
|
secondary_user_id=sa_user.user_id,
|
|
reason=f"approved by Super Admin {sa_user.display_name!r}",
|
|
extra=extra or {},
|
|
)
|
|
)
|
|
|
|
def log_action(
|
|
self,
|
|
action: str,
|
|
*,
|
|
outcome: AuditOutcome = AuditOutcome.SUCCESS,
|
|
target: str | None = None,
|
|
reason: str = "",
|
|
extra: dict[str, object] | None = None,
|
|
) -> None:
|
|
"""Free-form audit event for downstream business actions."""
|
|
self.audit.append(
|
|
AuditEvent(
|
|
user_id=self.user.user_id,
|
|
role=self.user.role.value,
|
|
action=action,
|
|
target=target,
|
|
outcome=outcome,
|
|
reason=reason,
|
|
extra=extra or {},
|
|
)
|
|
)
|
|
|
|
|
|
class SessionHolder:
|
|
"""Process-global current session (set after login)."""
|
|
|
|
_current: Session | None = None
|
|
|
|
@classmethod
|
|
def set(cls, session: Session | None) -> None:
|
|
cls._current = session
|
|
|
|
@classmethod
|
|
def current(cls) -> Session | None:
|
|
return cls._current
|
|
|
|
@classmethod
|
|
def require(cls) -> Session:
|
|
if cls._current is None:
|
|
raise RuntimeError("no active Studio session -- log in first")
|
|
return cls._current
|
|
|
|
|
|
def studio_data_dir() -> Path:
|
|
"""Per-user directory under ``~/.ar-autopilot/studio/`` for the local
|
|
user store and audit log."""
|
|
base = Path.home() / ".ar-autopilot" / "studio"
|
|
base.mkdir(parents=True, exist_ok=True)
|
|
return base
|