feat: Fase 1 – Fondamenta complete (backend FastAPI + auth + permessi)

- docker-compose.yml: PostgreSQL 16, Redis 7, MinIO, Nginx - backend FastAPI: struttura monorepo, config pydantic-settings - modelli SQLAlchemy: tutti i modelli (tenants, users, mailboxes, messages, archival, permissions, labels, audit_log) - migrazione Alembic 0001: schema completo in pure SQL - auth API: login JWT, refresh token rotation, logout, 2FA TOTP (setup/verify/disable) - CRUD utenti: lista, crea, modifica, reset password, soft delete - permessi granulari (Fase 1-A): mailbox_permissions, assegna/revoca/lista - CRUD tenant: gestione super-admin - sicurezza: AES-256-GCM cifratura credenziali IMAP/SMTP, bcrypt password - RLS PostgreSQL: isolamento multi-tenant per request - seed sviluppo: tenant demo + admin + operator - test unit: security (bcrypt, JWT, AES), auth_service - test integration: auth endpoints, users endpoints - CI GitHub Actions: lint (ruff), test (pytest), build Docker, security scan - infra: nginx.conf, redis.conf - Makefile con comandi make dev/test/migrate/seed Definition of Done: ✅ Login, refresh token e TOTP funzionanti ✅ make dev porta in piedi tutto lo stack locale ✅ CI configurata
2026-06-16 12:45:42 +02:00 · 2026-03-18 16:42:01 +01:00
parent 0251c2bbb0
commit 58a233236c
60 changed files with 6942 additions and 0 deletions
@@ -0,0 +1 @@
+# Schemas Pydantic
@@ -0,0 +1,68 @@
+"""
+Schema Pydantic per autenticazione e autorizzazione.
+"""
+
+import uuid
+from datetime import datetime
+
+from pydantic import BaseModel, EmailStr, Field, field_validator
+
+
+# ─── Request ──────────────────────────────────────────────────────────────────
+
+class LoginRequest(BaseModel):
+    email: EmailStr
+    password: str = Field(min_length=1)
+    totp_code: str | None = Field(default=None, description="Codice TOTP 6 cifre (se 2FA attivo)")
+
+
+class RefreshRequest(BaseModel):
+    refresh_token: str
+
+
+class TOTPVerifyRequest(BaseModel):
+    totp_code: str = Field(min_length=6, max_length=6, description="Codice TOTP 6 cifre")
+
+
+class PasswordChangeRequest(BaseModel):
+    current_password: str
+    new_password: str = Field(min_length=8)
+
+    @field_validator("new_password")
+    @classmethod
+    def validate_password_strength(cls, v: str) -> str:
+        if len(v) < 8:
+            raise ValueError("La password deve essere almeno 8 caratteri")
+        if not any(c.isupper() for c in v):
+            raise ValueError("La password deve contenere almeno una lettera maiuscola")
+        if not any(c.isdigit() for c in v):
+            raise ValueError("La password deve contenere almeno un numero")
+        return v
+
+
+# ─── Response ─────────────────────────────────────────────────────────────────
+
+class TokenResponse(BaseModel):
+    access_token: str
+    refresh_token: str
+    token_type: str = "bearer"
+    expires_in: int = Field(description="Scadenza access token in secondi")
+
+
+class TOTPSetupResponse(BaseModel):
+    """Dati per configurare TOTP sull'authenticator app."""
+    secret: str = Field(description="Segreto TOTP base32 (da inserire manualmente)")
+    qr_uri: str = Field(description="URI otpauth:// per il QR code")
+    qr_image_base64: str = Field(description="QR code come immagine PNG base64")
+
+
+class TOTPStatusResponse(BaseModel):
+    totp_enabled: bool
+
+
+class UserTokenData(BaseModel):
+    """Dati estratti dal JWT per l'utente corrente."""
+    user_id: uuid.UUID
+    tenant_id: uuid.UUID
+    role: str
+    email: str | None = None
@@ -0,0 +1,50 @@
+"""
+Schema Pydantic per permessi granulari casella (Fase 1-A).
+"""
+
+import uuid
+from datetime import datetime
+
+from pydantic import BaseModel
+
+
+class PermissionGrantRequest(BaseModel):
+    can_read: bool = True
+    can_send: bool = False
+    can_manage: bool = False
+
+
+class PermissionResponse(BaseModel):
+    id: uuid.UUID
+    tenant_id: uuid.UUID
+    user_id: uuid.UUID
+    mailbox_id: uuid.UUID
+    can_read: bool
+    can_send: bool
+    can_manage: bool
+    granted_by: uuid.UUID | None
+    granted_at: datetime
+
+    model_config = {"from_attributes": True}
+
+
+class UserMailboxPermissionResponse(BaseModel):
+    """Vista utente: caselle accessibili con relativi permessi."""
+    mailbox_id: uuid.UUID
+    mailbox_email: str
+    mailbox_display_name: str | None
+    can_read: bool
+    can_send: bool
+    can_manage: bool
+
+
+class MailboxUserPermissionResponse(BaseModel):
+    """Vista casella: utenti con accesso."""
+    user_id: uuid.UUID
+    user_email: str
+    user_full_name: str
+    user_role: str
+    can_read: bool
+    can_send: bool
+    can_manage: bool
+    granted_at: datetime
@@ -0,0 +1,54 @@
+"""
+Schema Pydantic per tenant (super-admin).
+"""
+
+import uuid
+from datetime import datetime
+from typing import Literal
+
+from pydantic import BaseModel, Field, field_validator
+
+TenantPlanType = Literal["starter", "pro", "enterprise"]
+
+
+class TenantCreateRequest(BaseModel):
+    slug: str = Field(min_length=3, max_length=63, pattern=r"^[a-z0-9-]+$")
+    name: str = Field(min_length=2, max_length=255)
+    plan: TenantPlanType = "starter"
+    max_mailboxes: int = Field(default=5, ge=1, le=1000)
+    max_users: int = Field(default=10, ge=1, le=1000)
+
+    # Utente admin iniziale
+    admin_email: str
+    admin_password: str = Field(min_length=8)
+    admin_full_name: str = Field(min_length=2, max_length=255)
+
+    @field_validator("slug")
+    @classmethod
+    def validate_slug(cls, v: str) -> str:
+        reserved = {"api", "admin", "www", "mail", "smtp", "imap", "pecflow", "app"}
+        if v in reserved:
+            raise ValueError(f"Slug '{v}' riservato")
+        return v.lower()
+
+
+class TenantUpdateRequest(BaseModel):
+    name: str | None = Field(default=None, min_length=2, max_length=255)
+    plan: TenantPlanType | None = None
+    is_active: bool | None = None
+    max_mailboxes: int | None = Field(default=None, ge=1, le=1000)
+    max_users: int | None = Field(default=None, ge=1, le=1000)
+
+
+class TenantResponse(BaseModel):
+    id: uuid.UUID
+    slug: str
+    name: str
+    plan: str
+    is_active: bool
+    max_mailboxes: int
+    max_users: int
+    created_at: datetime
+    updated_at: datetime
+
+    model_config = {"from_attributes": True}
@@ -0,0 +1,89 @@
+"""
+Schema Pydantic per utenti.
+"""
+
+import uuid
+from datetime import datetime
+from typing import Literal
+
+from pydantic import BaseModel, EmailStr, Field, field_validator
+
+UserRoleType = Literal["super_admin", "admin", "supervisor", "operator", "readonly"]
+
+
+# ─── Request ──────────────────────────────────────────────────────────────────
+
+class UserCreateRequest(BaseModel):
+    email: EmailStr
+    password: str = Field(min_length=8)
+    full_name: str = Field(min_length=2, max_length=255)
+    role: UserRoleType = "operator"
+
+    @field_validator("password")
+    @classmethod
+    def validate_password(cls, v: str) -> str:
+        if len(v) < 8:
+            raise ValueError("La password deve essere almeno 8 caratteri")
+        if not any(c.isupper() for c in v):
+            raise ValueError("Almeno una lettera maiuscola richiesta")
+        if not any(c.isdigit() for c in v):
+            raise ValueError("Almeno un numero richiesto")
+        return v
+
+    @field_validator("role")
+    @classmethod
+    def validate_role_not_superadmin(cls, v: str) -> str:
+        if v == "super_admin":
+            raise ValueError("Non è possibile creare utenti super_admin via API")
+        return v
+
+
+class UserUpdateRequest(BaseModel):
+    full_name: str | None = Field(default=None, min_length=2, max_length=255)
+    role: UserRoleType | None = None
+    is_active: bool | None = None
+
+    @field_validator("role")
+    @classmethod
+    def validate_role_not_superadmin(cls, v: str | None) -> str | None:
+        if v == "super_admin":
+            raise ValueError("Non è possibile assegnare il ruolo super_admin via API")
+        return v
+
+
+class UserPasswordResetRequest(BaseModel):
+    new_password: str = Field(min_length=8)
+
+    @field_validator("new_password")
+    @classmethod
+    def validate_password(cls, v: str) -> str:
+        if not any(c.isupper() for c in v):
+            raise ValueError("Almeno una lettera maiuscola richiesta")
+        if not any(c.isdigit() for c in v):
+            raise ValueError("Almeno un numero richiesto")
+        return v
+
+
+# ─── Response ─────────────────────────────────────────────────────────────────
+
+class UserResponse(BaseModel):
+    id: uuid.UUID
+    tenant_id: uuid.UUID
+    email: str
+    full_name: str
+    role: str
+    is_active: bool
+    totp_enabled: bool
+    last_login_at: datetime | None
+    created_at: datetime
+    updated_at: datetime
+
+    model_config = {"from_attributes": True}
+
+
+class UserListResponse(BaseModel):
+    items: list[UserResponse]
+    total: int
+    page: int
+    page_size: int
+    pages: int