feat: Fase 1 – Fondamenta complete (backend FastAPI + auth + permessi)

- docker-compose.yml: PostgreSQL 16, Redis 7, MinIO, Nginx - backend FastAPI: struttura monorepo, config pydantic-settings - modelli SQLAlchemy: tutti i modelli (tenants, users, mailboxes, messages, archival, permissions, labels, audit_log) - migrazione Alembic 0001: schema completo in pure SQL - auth API: login JWT, refresh token rotation, logout, 2FA TOTP (setup/verify/disable) - CRUD utenti: lista, crea, modifica, reset password, soft delete - permessi granulari (Fase 1-A): mailbox_permissions, assegna/revoca/lista - CRUD tenant: gestione super-admin - sicurezza: AES-256-GCM cifratura credenziali IMAP/SMTP, bcrypt password - RLS PostgreSQL: isolamento multi-tenant per request - seed sviluppo: tenant demo + admin + operator - test unit: security (bcrypt, JWT, AES), auth_service - test integration: auth endpoints, users endpoints - CI GitHub Actions: lint (ruff), test (pytest), build Docker, security scan - infra: nginx.conf, redis.conf - Makefile con comandi make dev/test/migrate/seed Definition of Done: ✅ Login, refresh token e TOTP funzionanti ✅ make dev porta in piedi tutto lo stack locale ✅ CI configurata
2026-06-16 12:45:42 +02:00 · 2026-03-18 16:42:01 +01:00
parent 0251c2bbb0
commit 58a233236c
60 changed files with 6942 additions and 0 deletions
@@ -0,0 +1 @@
+# API routers
@@ -0,0 +1 @@
+# API v1 routers
@@ -0,0 +1,173 @@
+"""
+Router autenticazione – login, refresh, logout, 2FA TOTP.
+
+Endpoint:
+  POST /api/v1/auth/login           → access + refresh token
+  POST /api/v1/auth/refresh         → rinnova token
+  POST /api/v1/auth/logout          → revoca refresh token
+  GET  /api/v1/auth/me              → utente corrente
+  POST /api/v1/auth/totp/setup      → genera segreto TOTP + QR
+  POST /api/v1/auth/totp/verify     → verifica e attiva TOTP
+  POST /api/v1/auth/totp/disable    → disabilita TOTP
+  POST /api/v1/auth/change-password → cambio password
+"""
+
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, Request
+from slowapi import Limiter
+from slowapi.util import get_remote_address
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.config import get_settings
+from app.core.exceptions import InvalidCredentialsError
+from app.database import get_db
+from app.dependencies import CurrentUser, DB
+from app.schemas.auth import (
+    LoginRequest,
+    PasswordChangeRequest,
+    RefreshRequest,
+    TOTPSetupResponse,
+    TOTPStatusResponse,
+    TOTPVerifyRequest,
+    TokenResponse,
+)
+from app.schemas.user import UserResponse
+from app.services.auth_service import AuthService
+
+settings = get_settings()
+router = APIRouter(prefix="/auth", tags=["Autenticazione"])
+limiter = Limiter(key_func=get_remote_address)
+
+
+@router.post(
+    "/login",
+    response_model=TokenResponse,
+    summary="Login con email e password",
+    description="Autentica l'utente. Se 2FA è attivo, richiede anche il codice TOTP.",
+)
+async def login(
+    request: Request,
+    body: LoginRequest,
+    db: DB,
+) -> TokenResponse:
+    ip = request.client.host if request.client else None
+    ua = request.headers.get("user-agent")
+
+    service = AuthService(db)
+    access_token, refresh_token = await service.login(
+        email=body.email,
+        password=body.password,
+        totp_code=body.totp_code,
+        ip_address=ip,
+        user_agent=ua,
+    )
+
+    return TokenResponse(
+        access_token=access_token,
+        refresh_token=refresh_token,
+        expires_in=settings.access_token_expire_minutes * 60,
+    )
+
+
+@router.post(
+    "/refresh",
+    response_model=TokenResponse,
+    summary="Rinnova access token",
+)
+async def refresh_tokens(
+    body: RefreshRequest,
+    db: DB,
+) -> TokenResponse:
+    service = AuthService(db)
+    access_token, refresh_token = await service.refresh_tokens(body.refresh_token)
+
+    return TokenResponse(
+        access_token=access_token,
+        refresh_token=refresh_token,
+        expires_in=settings.access_token_expire_minutes * 60,
+    )
+
+
+@router.post(
+    "/logout",
+    status_code=204,
+    summary="Logout – revoca refresh token",
+)
+async def logout(
+    body: RefreshRequest,
+    db: DB,
+) -> None:
+    service = AuthService(db)
+    await service.logout(body.refresh_token)
+
+
+@router.get(
+    "/me",
+    response_model=UserResponse,
+    summary="Utente corrente autenticato",
+)
+async def me(current_user: CurrentUser) -> UserResponse:
+    return UserResponse.model_validate(current_user)
+
+
+@router.post(
+    "/totp/setup",
+    response_model=TOTPSetupResponse,
+    summary="Avvia setup 2FA TOTP",
+    description="Genera segreto TOTP e QR code. Il 2FA viene attivato solo dopo la verifica.",
+)
+async def totp_setup(
+    current_user: CurrentUser,
+    db: DB,
+) -> TOTPSetupResponse:
+    service = AuthService(db)
+    data = await service.setup_totp(current_user)
+    return TOTPSetupResponse(**data)
+
+
+@router.post(
+    "/totp/verify",
+    response_model=TOTPStatusResponse,
+    summary="Verifica codice TOTP e attiva 2FA",
+)
+async def totp_verify(
+    body: TOTPVerifyRequest,
+    current_user: CurrentUser,
+    db: DB,
+) -> TOTPStatusResponse:
+    service = AuthService(db)
+    await service.verify_and_enable_totp(current_user, body.totp_code)
+    return TOTPStatusResponse(totp_enabled=True)
+
+
+@router.post(
+    "/totp/disable",
+    response_model=TOTPStatusResponse,
+    summary="Disabilita 2FA TOTP",
+)
+async def totp_disable(
+    current_user: CurrentUser,
+    db: DB,
+) -> TOTPStatusResponse:
+    service = AuthService(db)
+    await service.disable_totp(current_user)
+    return TOTPStatusResponse(totp_enabled=False)
+
+
+@router.post(
+    "/change-password",
+    status_code=204,
+    summary="Cambio password utente corrente",
+)
+async def change_password(
+    body: PasswordChangeRequest,
+    current_user: CurrentUser,
+    db: DB,
+) -> None:
+    from app.core.security import verify_password, hash_password
+
+    if not verify_password(body.current_password, current_user.password_hash):
+        raise InvalidCredentialsError()
+
+    current_user.password_hash = hash_password(body.new_password)
@@ -0,0 +1,112 @@
+"""
+Router permessi granulari casella (Fase 1-A).
+
+Endpoint:
+  POST   /api/v1/permissions/mailboxes/{mailbox_id}/users/{user_id}  → assegna permesso
+  DELETE /api/v1/permissions/mailboxes/{mailbox_id}/users/{user_id}  → revoca permesso
+  GET    /api/v1/permissions/mailboxes/{mailbox_id}/users             → utenti con accesso
+  GET    /api/v1/permissions/users/{user_id}/mailboxes                → caselle accessibili
+"""
+
+import uuid
+
+from fastapi import APIRouter
+
+from app.dependencies import AdminUser, CurrentUser, DB
+from app.schemas.permission import (
+    MailboxUserPermissionResponse,
+    PermissionGrantRequest,
+    PermissionResponse,
+    UserMailboxPermissionResponse,
+)
+from app.services.permission_service import PermissionService
+
+router = APIRouter(prefix="/permissions", tags=["Permessi casella"])
+
+
+@router.post(
+    "/mailboxes/{mailbox_id}/users/{user_id}",
+    response_model=PermissionResponse,
+    status_code=201,
+    summary="Assegna permesso utente su casella",
+    description="Crea o aggiorna i permessi di un utente su una specifica casella PEC.",
+)
+async def grant_permission(
+    mailbox_id: uuid.UUID,
+    user_id: uuid.UUID,
+    body: PermissionGrantRequest,
+    current_user: AdminUser,
+    db: DB,
+) -> PermissionResponse:
+    service = PermissionService(db)
+    perm = await service.grant_permission(
+        tenant_id=current_user.tenant_id,
+        mailbox_id=mailbox_id,
+        user_id=user_id,
+        data=body,
+        granted_by=current_user,
+    )
+    return PermissionResponse.model_validate(perm)
+
+
+@router.delete(
+    "/mailboxes/{mailbox_id}/users/{user_id}",
+    status_code=204,
+    summary="Revoca permesso utente su casella",
+)
+async def revoke_permission(
+    mailbox_id: uuid.UUID,
+    user_id: uuid.UUID,
+    current_user: AdminUser,
+    db: DB,
+) -> None:
+    service = PermissionService(db)
+    await service.revoke_permission(
+        mailbox_id=mailbox_id,
+        user_id=user_id,
+        revoked_by=current_user,
+    )
+
+
+@router.get(
+    "/mailboxes/{mailbox_id}/users",
+    response_model=list[MailboxUserPermissionResponse],
+    summary="Utenti con accesso a una casella",
+)
+async def list_mailbox_users(
+    mailbox_id: uuid.UUID,
+    current_user: AdminUser,
+    db: DB,
+) -> list[MailboxUserPermissionResponse]:
+    service = PermissionService(db)
+    rows = await service.list_mailbox_users(mailbox_id, current_user.tenant_id)
+    return [MailboxUserPermissionResponse(**row) for row in rows]
+
+
+@router.get(
+    "/users/{user_id}/mailboxes",
+    response_model=list[UserMailboxPermissionResponse],
+    summary="Caselle accessibili a un utente",
+)
+async def list_user_mailboxes(
+    user_id: uuid.UUID,
+    current_user: AdminUser,
+    db: DB,
+) -> list[UserMailboxPermissionResponse]:
+    service = PermissionService(db)
+    rows = await service.list_user_mailboxes(user_id, current_user.tenant_id)
+    return [UserMailboxPermissionResponse(**row) for row in rows]
+
+
+@router.get(
+    "/my/mailboxes",
+    response_model=list[UserMailboxPermissionResponse],
+    summary="Caselle accessibili all'utente corrente",
+)
+async def my_mailboxes(
+    current_user: CurrentUser,
+    db: DB,
+) -> list[UserMailboxPermissionResponse]:
+    service = PermissionService(db)
+    rows = await service.list_user_mailboxes(current_user.id, current_user.tenant_id)
+    return [UserMailboxPermissionResponse(**row) for row in rows]
@@ -0,0 +1,80 @@
+"""
+Router tenant – gestione organizzazioni (solo super_admin).
+
+Endpoint:
+  GET    /api/v1/tenants            → lista tenant
+  POST   /api/v1/tenants            → crea tenant + admin
+  GET    /api/v1/tenants/{id}       → dettaglio tenant
+  PATCH  /api/v1/tenants/{id}       → modifica tenant
+"""
+
+import uuid
+
+from fastapi import APIRouter
+
+from app.dependencies import SuperAdminUser, DB
+from app.schemas.tenant import TenantCreateRequest, TenantResponse, TenantUpdateRequest
+from app.services.tenant_service import TenantService
+
+router = APIRouter(prefix="/tenants", tags=["Tenant (super-admin)"])
+
+
+@router.get(
+    "",
+    response_model=list[TenantResponse],
+    summary="Lista tutti i tenant",
+)
+async def list_tenants(
+    _: SuperAdminUser,
+    db: DB,
+) -> list[TenantResponse]:
+    service = TenantService(db)
+    tenants = await service.list_tenants()
+    return [TenantResponse.model_validate(t) for t in tenants]
+
+
+@router.post(
+    "",
+    response_model=TenantResponse,
+    status_code=201,
+    summary="Crea nuovo tenant con admin iniziale",
+)
+async def create_tenant(
+    body: TenantCreateRequest,
+    _: SuperAdminUser,
+    db: DB,
+) -> TenantResponse:
+    service = TenantService(db)
+    tenant, _ = await service.create_tenant(body)
+    return TenantResponse.model_validate(tenant)
+
+
+@router.get(
+    "/{tenant_id}",
+    response_model=TenantResponse,
+    summary="Dettaglio tenant",
+)
+async def get_tenant(
+    tenant_id: uuid.UUID,
+    _: SuperAdminUser,
+    db: DB,
+) -> TenantResponse:
+    service = TenantService(db)
+    tenant = await service.get_tenant(tenant_id)
+    return TenantResponse.model_validate(tenant)
+
+
+@router.patch(
+    "/{tenant_id}",
+    response_model=TenantResponse,
+    summary="Modifica tenant",
+)
+async def update_tenant(
+    tenant_id: uuid.UUID,
+    body: TenantUpdateRequest,
+    _: SuperAdminUser,
+    db: DB,
+) -> TenantResponse:
+    service = TenantService(db)
+    tenant = await service.update_tenant(tenant_id, body)
+    return TenantResponse.model_validate(tenant)
@@ -0,0 +1,147 @@
+"""
+Router utenti – CRUD per admin del tenant.
+
+Endpoint:
+  GET    /api/v1/users              → lista utenti (admin)
+  POST   /api/v1/users              → crea utente (admin)
+  GET    /api/v1/users/{id}         → dettaglio utente (admin)
+  PATCH  /api/v1/users/{id}         → modifica utente (admin)
+  DELETE /api/v1/users/{id}         → disabilita utente (admin)
+  POST   /api/v1/users/{id}/reset-password → reset password (admin)
+"""
+
+import uuid
+
+from fastapi import APIRouter, Query
+
+from app.dependencies import AdminUser, DB
+from app.schemas.user import (
+    UserCreateRequest,
+    UserListResponse,
+    UserPasswordResetRequest,
+    UserResponse,
+    UserUpdateRequest,
+)
+from app.services.user_service import UserService
+
+router = APIRouter(prefix="/users", tags=["Utenti"])
+
+
+@router.get(
+    "",
+    response_model=UserListResponse,
+    summary="Lista utenti del tenant",
+)
+async def list_users(
+    current_user: AdminUser,
+    db: DB,
+    page: int = Query(default=1, ge=1),
+    page_size: int = Query(default=25, ge=1, le=100),
+) -> UserListResponse:
+    service = UserService(db)
+    users, total = await service.list_users(
+        tenant_id=current_user.tenant_id,
+        page=page,
+        page_size=page_size,
+    )
+    import math
+    return UserListResponse(
+        items=[UserResponse.model_validate(u) for u in users],
+        total=total,
+        page=page,
+        page_size=page_size,
+        pages=math.ceil(total / page_size) if page_size else 0,
+    )
+
+
+@router.post(
+    "",
+    response_model=UserResponse,
+    status_code=201,
+    summary="Crea nuovo utente nel tenant",
+)
+async def create_user(
+    body: UserCreateRequest,
+    current_user: AdminUser,
+    db: DB,
+) -> UserResponse:
+    service = UserService(db)
+    user = await service.create_user(
+        tenant_id=current_user.tenant_id,
+        data=body,
+        created_by=current_user,
+    )
+    return UserResponse.model_validate(user)
+
+
+@router.get(
+    "/{user_id}",
+    response_model=UserResponse,
+    summary="Dettaglio utente",
+)
+async def get_user(
+    user_id: uuid.UUID,
+    current_user: AdminUser,
+    db: DB,
+) -> UserResponse:
+    service = UserService(db)
+    user = await service.get_user(user_id, current_user.tenant_id)
+    return UserResponse.model_validate(user)
+
+
+@router.patch(
+    "/{user_id}",
+    response_model=UserResponse,
+    summary="Modifica utente",
+)
+async def update_user(
+    user_id: uuid.UUID,
+    body: UserUpdateRequest,
+    current_user: AdminUser,
+    db: DB,
+) -> UserResponse:
+    service = UserService(db)
+    user = await service.update_user(
+        user_id=user_id,
+        tenant_id=current_user.tenant_id,
+        data=body,
+        updated_by=current_user,
+    )
+    return UserResponse.model_validate(user)
+
+
+@router.delete(
+    "/{user_id}",
+    status_code=204,
+    summary="Disabilita utente (soft delete)",
+)
+async def delete_user(
+    user_id: uuid.UUID,
+    current_user: AdminUser,
+    db: DB,
+) -> None:
+    service = UserService(db)
+    await service.delete_user(
+        user_id=user_id,
+        tenant_id=current_user.tenant_id,
+        deleted_by=current_user,
+    )
+
+
+@router.post(
+    "/{user_id}/reset-password",
+    status_code=204,
+    summary="Reset password utente (admin)",
+)
+async def reset_password(
+    user_id: uuid.UUID,
+    body: UserPasswordResetRequest,
+    current_user: AdminUser,
+    db: DB,
+) -> None:
+    service = UserService(db)
+    await service.reset_password(
+        user_id=user_id,
+        tenant_id=current_user.tenant_id,
+        new_password=body.new_password,
+    )