feat: Fase 1 – Fondamenta complete (backend FastAPI + auth + permessi)

- docker-compose.yml: PostgreSQL 16, Redis 7, MinIO, Nginx - backend FastAPI: struttura monorepo, config pydantic-settings - modelli SQLAlchemy: tutti i modelli (tenants, users, mailboxes, messages, archival, permissions, labels, audit_log) - migrazione Alembic 0001: schema completo in pure SQL - auth API: login JWT, refresh token rotation, logout, 2FA TOTP (setup/verify/disable) - CRUD utenti: lista, crea, modifica, reset password, soft delete - permessi granulari (Fase 1-A): mailbox_permissions, assegna/revoca/lista - CRUD tenant: gestione super-admin - sicurezza: AES-256-GCM cifratura credenziali IMAP/SMTP, bcrypt password - RLS PostgreSQL: isolamento multi-tenant per request - seed sviluppo: tenant demo + admin + operator - test unit: security (bcrypt, JWT, AES), auth_service - test integration: auth endpoints, users endpoints - CI GitHub Actions: lint (ruff), test (pytest), build Docker, security scan - infra: nginx.conf, redis.conf - Makefile con comandi make dev/test/migrate/seed Definition of Done: ✅ Login, refresh token e TOTP funzionanti ✅ make dev porta in piedi tutto lo stack locale ✅ CI configurata
2026-06-16 12:45:42 +02:00 · 2026-03-18 16:42:01 +01:00
parent 0251c2bbb0
commit 58a233236c
60 changed files with 6942 additions and 0 deletions
@@ -0,0 +1,71 @@
+"""
+Modello MailboxPermission – matrice permessi utente × casella (Fase 1-A).
+
+ADR permessi granulari: admin ha accesso implicito a tutto.
+Gli operator/readonly/supervisor devono avere un record esplicito.
+"""
+
+import uuid
+from datetime import datetime
+
+from sqlalchemy import (
+    Boolean,
+    DateTime,
+    ForeignKey,
+    Index,
+    UniqueConstraint,
+    func,
+)
+from sqlalchemy.dialects.postgresql import UUID
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+
+from app.database import Base
+
+
+class MailboxPermission(Base):
+    __tablename__ = "mailbox_permissions"
+
+    id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True), primary_key=True, default=uuid.uuid4
+    )
+    tenant_id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True), ForeignKey("tenants.id", ondelete="CASCADE"), nullable=False
+    )
+    user_id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True), ForeignKey("users.id", ondelete="CASCADE"), nullable=False
+    )
+    mailbox_id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True), ForeignKey("mailboxes.id", ondelete="CASCADE"), nullable=False
+    )
+
+    can_read: Mapped[bool] = mapped_column(Boolean, nullable=False, default=True)
+    can_send: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
+    can_manage: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
+
+    granted_by: Mapped[uuid.UUID | None] = mapped_column(
+        UUID(as_uuid=True), ForeignKey("users.id"), nullable=True
+    )
+    granted_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), nullable=False, server_default=func.now()
+    )
+
+    # Relazioni
+    user: Mapped["User"] = relationship(  # noqa: F821
+        "User", back_populates="mailbox_permissions", foreign_keys=[user_id]
+    )
+    mailbox: Mapped["Mailbox"] = relationship(  # noqa: F821
+        "Mailbox", back_populates="permissions"
+    )
+
+    __table_args__ = (
+        UniqueConstraint("user_id", "mailbox_id", name="uq_perm_user_mailbox"),
+        Index("idx_mbperm_user", "user_id"),
+        Index("idx_mbperm_mailbox", "mailbox_id"),
+        Index("idx_mbperm_tenant", "tenant_id"),
+    )
+
+    def __repr__(self) -> str:
+        return (
+            f"<MailboxPermission user={self.user_id} mailbox={self.mailbox_id} "
+            f"read={self.can_read} send={self.can_send}>"
+        )