Feat(Chore): Verify Flow, Invites, Suspend, Depart Cert Policy

feat: add password reset and email verification flow feat: add org invite listing, cancellation, and invite link fallback feat: add user suspend/unsuspend with audit logging feat: add department certificate policy (expiry, extensions) feat: enforce dept cert policy on SSH certificate signing feat: wire up OIDC consent and token flow (replace mocks) feat: rework CLI auth bridge to use frontend login flow feat: add admin OAuth provider management (CRUD) chore: refactor model import paths after module reorganisation chore: clean up config, decorators, and dev tooling
2026-03-01 16:50:27 +05:45
parent 07193a2d2e
commit a0d4e59c24
39 changed files with 2035 additions and 611 deletions
@@ -142,18 +142,33 @@ def change_password():
@full_access_required
 def get_my_organizations():
    """
-    Get all organizations current user is a member of.
+    Get all organizations current user is a member of, including the user's role.

    Returns:
-        200: List of organizations
+        200: List of organizations with role
        401: Not authenticated
    """
-    organizations = UserService.get_user_organizations(g.current_user)
+    from gatehouse_app.models.organization.organization_member import OrganizationMember
+
+    user = g.current_user
+    memberships = OrganizationMember.query.filter_by(
+        user_id=user.id,
+        deleted_at=None,
+    ).all()
+
+    orgs = []
+    for membership in memberships:
+        org = membership.organization
+        if not org or org.deleted_at is not None:
+            continue
+        org_dict = org.to_dict()
+        org_dict["role"] = membership.role.value if hasattr(membership.role, "value") else str(membership.role)
+        orgs.append(org_dict)

    return api_response(
        data={
-            "organizations": [org.to_dict() for org in organizations],
-            "count": len(organizations),
+            "organizations": orgs,
+            "count": len(orgs),
        },
        message="Organizations retrieved successfully",
    )
@@ -179,9 +194,9 @@ def get_my_principals():
            }]
        }
    """
-    from gatehouse_app.models.organization_member import OrganizationMember
-    from gatehouse_app.models.principal import Principal, PrincipalMembership
-    from gatehouse_app.models.department import DepartmentMembership, DepartmentPrincipal
+    from gatehouse_app.models.organization.organization_member import OrganizationMember
+    from gatehouse_app.models.organization.principal import Principal, PrincipalMembership
+    from gatehouse_app.models.organization.department import DepartmentMembership, DepartmentPrincipal
    from gatehouse_app.utils.constants import OrganizationRole

    user = g.current_user
@@ -202,7 +217,9 @@ def get_my_principals():
        is_admin = role in (OrganizationRole.ADMIN, OrganizationRole.OWNER)

        # Collect the user's effective principals for this org
-        effective_principal_ids = set()
+        # Track direct vs via-department separately
+        direct_principal_ids = set()
+        via_dept_principal_ids = set()

        # Direct memberships
        direct = PrincipalMembership.query.filter_by(
@@ -211,7 +228,7 @@ def get_my_principals():
        ).all()
        for pm in direct:
            if pm.principal and pm.principal.organization_id == org.id and pm.principal.deleted_at is None:
-                effective_principal_ids.add(pm.principal_id)
+                direct_principal_ids.add(pm.principal_id)

        # Via department
        dept_memberships = DepartmentMembership.query.filter_by(
@@ -226,7 +243,9 @@ def get_my_principals():
                ).all()
                for dp in dept_principals:
                    if dp.principal and dp.principal.deleted_at is None:
-                        effective_principal_ids.add(dp.principal_id)
+                        via_dept_principal_ids.add(dp.principal_id)
+
+        effective_principal_ids = direct_principal_ids | via_dept_principal_ids

        # Fetch principal objects
        my_principals = []
@@ -235,7 +254,16 @@ def get_my_principals():
                Principal.id.in_(list(effective_principal_ids)),
                Principal.deleted_at == None,
            ).all()
-            my_principals = [{"id": p.id, "name": p.name, "description": p.description} for p in my_p]
+            my_principals = [
+                {
+                    "id": p.id,
+                    "name": p.name,
+                    "description": p.description,
+                    # direct=True means removable via API; False=inherited via department
+                    "direct": p.id in direct_principal_ids,
+                }
+                for p in my_p
+            ]

        # For admins/owners: also return all principals in the org
        all_principals = []
@@ -263,6 +291,7 @@ def get_my_principals():

@api_v1_bp.route("/admin/users", methods=["GET"])
@login_required
+@full_access_required
 def admin_list_users():
    """List all users the caller has admin rights to see.

@@ -275,8 +304,8 @@ def admin_list_users():
        page    – page number (default 1)
        per_page – page size (default 50, max 200)
    """
-    from gatehouse_app.models.organization_member import OrganizationMember
-    from gatehouse_app.models.user import User as _User
+    from gatehouse_app.models.organization.organization_member import OrganizationMember
+    from gatehouse_app.models.user.user import User as _User
    from gatehouse_app.extensions import db as _db
    from sqlalchemy import or_

@@ -355,11 +384,12 @@ def admin_list_users():

@api_v1_bp.route("/admin/users/<user_id>", methods=["GET"])
@login_required
+@full_access_required
 def admin_get_user(user_id):
    """Get a single user's profile (admin view with SSH keys)."""
-    from gatehouse_app.models.organization_member import OrganizationMember
-    from gatehouse_app.models.user import User as _User
-    from gatehouse_app.models.ssh_key import SSHKey
+    from gatehouse_app.models.organization.organization_member import OrganizationMember
+    from gatehouse_app.models.user.user import User as _User
+    from gatehouse_app.models.ssh_ca.ssh_key import SSHKey

    caller = g.current_user

@@ -388,3 +418,230 @@ def admin_get_user(user_id):
        },
        message="User retrieved",
    )
+
+
+@api_v1_bp.route("/admin/users/<user_id>/suspend", methods=["POST"])
+@login_required
+@full_access_required
+def admin_suspend_user(user_id):
+    """Suspend a user account (blocks CA issuance and login).
+
+    The caller must be an OWNER or ADMIN of an organization the target user belongs to.
+    """
+    from gatehouse_app.models.organization.organization_member import OrganizationMember
+    from gatehouse_app.models.user.user import User as _User
+    from gatehouse_app.extensions import db as _db
+    from gatehouse_app.utils.constants import UserStatus, AuditAction
+    from gatehouse_app.services.audit_service import AuditService
+
+    caller = g.current_user
+    target = _User.query.filter_by(id=user_id, deleted_at=None).first()
+    if not target:
+        return api_response(success=False, message="User not found", status=404, error_type="NOT_FOUND")
+
+    if target.id == caller.id:
+        return api_response(success=False, message="Cannot suspend yourself", status=400, error_type="BAD_REQUEST")
+
+    # Verify caller has admin access to a shared org
+    target_org_ids = {m.organization_id for m in target.organization_memberships if m.deleted_at is None}
+    admin_in_shared_org = OrganizationMember.query.filter(
+        OrganizationMember.user_id == caller.id,
+        OrganizationMember.organization_id.in_(target_org_ids),
+        OrganizationMember.role.in_(["OWNER", "ADMIN"]),
+        OrganizationMember.deleted_at == None,
+    ).first()
+
+    if not admin_in_shared_org:
+        return api_response(success=False, message="Access denied", status=403, error_type="AUTHORIZATION_ERROR")
+
+    if target.status == UserStatus.SUSPENDED:
+        return api_response(success=False, message="User is already suspended", status=409, error_type="CONFLICT")
+
+    target.status = UserStatus.SUSPENDED
+    _db.session.commit()
+
+    AuditService.log_action(
+        action=AuditAction.USER_SUSPEND,
+        user_id=caller.id,
+        organization_id=admin_in_shared_org.organization_id,
+        resource_type="user",
+        resource_id=str(target.id),
+        description=f"Admin suspended user {target.email}",
+        metadata={"target_user_id": str(target.id), "target_email": target.email},
+    )
+
+    return api_response(data={"user": target.to_dict()}, message="User suspended successfully")
+
+
+@api_v1_bp.route("/admin/users/<user_id>/unsuspend", methods=["POST"])
+@login_required
+@full_access_required
+def admin_unsuspend_user(user_id):
+    """Restore a suspended user account to active status."""
+    from gatehouse_app.models.organization.organization_member import OrganizationMember
+    from gatehouse_app.models.user.user import User as _User
+    from gatehouse_app.extensions import db as _db
+    from gatehouse_app.utils.constants import UserStatus, AuditAction
+    from gatehouse_app.services.audit_service import AuditService
+
+    caller = g.current_user
+    target = _User.query.filter_by(id=user_id, deleted_at=None).first()
+    if not target:
+        return api_response(success=False, message="User not found", status=404, error_type="NOT_FOUND")
+
+    # Verify caller has admin access to a shared org
+    target_org_ids = {m.organization_id for m in target.organization_memberships if m.deleted_at is None}
+    admin_in_shared_org = OrganizationMember.query.filter(
+        OrganizationMember.user_id == caller.id,
+        OrganizationMember.organization_id.in_(target_org_ids),
+        OrganizationMember.role.in_(["OWNER", "ADMIN"]),
+        OrganizationMember.deleted_at == None,
+    ).first()
+
+    if not admin_in_shared_org:
+        return api_response(success=False, message="Access denied", status=403, error_type="AUTHORIZATION_ERROR")
+
+    if target.status != UserStatus.SUSPENDED:
+        return api_response(success=False, message="User is not suspended", status=409, error_type="CONFLICT")
+
+    target.status = UserStatus.ACTIVE
+    _db.session.commit()
+
+    AuditService.log_action(
+        action=AuditAction.USER_UNSUSPEND,
+        user_id=caller.id,
+        organization_id=admin_in_shared_org.organization_id,
+        resource_type="user",
+        resource_id=str(target.id),
+        description=f"Admin unsuspended user {target.email}",
+        metadata={"target_user_id": str(target.id), "target_email": target.email},
+    )
+
+    return api_response(data={"user": target.to_dict()}, message="User unsuspended successfully")
+
+
+@api_v1_bp.route("/users/me/invites", methods=["GET"])
+@login_required
+def get_my_pending_invites():
+    """Return pending (unaccepted, non-expired) invitations for the current user's email."""
+    from gatehouse_app.models.organization.org_invite_token import OrgInviteToken
+    from datetime import datetime, timezone
+
+    user = g.current_user
+    now = datetime.now(timezone.utc)
+
+    invites = OrgInviteToken.query.filter(
+        OrgInviteToken.email == user.email,
+        OrgInviteToken.accepted_at.is_(None),
+        OrgInviteToken.expires_at > now,
+        OrgInviteToken.deleted_at.is_(None),
+    ).all()
+
+    return api_response(
+        data={
+            "invites": [
+                {
+                    "token": i.token,
+                    "organization": {"id": str(i.organization_id), "name": i.organization.name},
+                    "role": i.role,
+                    "expires_at": i.expires_at.isoformat(),
+                }
+                for i in invites
+            ]
+        },
+        message="Pending invitations retrieved",
+    )
+
+
+@api_v1_bp.route("/users/me/memberships", methods=["GET"])
+@login_required
+def get_my_memberships():
+    """Return the current user's department and principal memberships across all orgs.
+
+    Returns:
+        200: {
+            orgs: [{
+                org_id, org_name, role,
+                departments: [{id, name, description}],
+                principals: [{id, name, description, via_department: bool}]
+            }]
+        }
+    """
+    from gatehouse_app.models.organization.organization_member import OrganizationMember
+    from gatehouse_app.models.organization.department import DepartmentMembership, DepartmentPrincipal, Department
+    from gatehouse_app.models.organization.principal import Principal, PrincipalMembership
+
+    user = g.current_user
+
+    memberships = OrganizationMember.query.filter_by(
+        user_id=user.id,
+        deleted_at=None,
+    ).all()
+
+    orgs_result = []
+    for membership in memberships:
+        org = membership.organization
+        if not org or org.deleted_at is not None:
+            continue
+
+        # Departments the user belongs to
+        dept_memberships = DepartmentMembership.query.filter_by(
+            user_id=user.id,
+            deleted_at=None,
+        ).all()
+        user_depts = [
+            dm.department for dm in dept_memberships
+            if dm.department
+            and dm.department.organization_id == org.id
+            and dm.department.deleted_at is None
+        ]
+
+        # Principals: direct
+        direct_pm = PrincipalMembership.query.filter_by(
+            user_id=user.id,
+            deleted_at=None,
+        ).all()
+        direct_principal_ids = {
+            pm.principal_id for pm in direct_pm
+            if pm.principal
+            and pm.principal.organization_id == org.id
+            and pm.principal.deleted_at is None
+        }
+
+        # Principals: via department
+        via_dept_principal_ids = set()
+        for dept in user_depts:
+            for dp in DepartmentPrincipal.query.filter_by(department_id=dept.id, deleted_at=None).all():
+                if dp.principal and dp.principal.deleted_at is None:
+                    via_dept_principal_ids.add(dp.principal_id)
+
+        all_principal_ids = direct_principal_ids | via_dept_principal_ids
+        principals_list = []
+        if all_principal_ids:
+            for p in Principal.query.filter(
+                Principal.id.in_(list(all_principal_ids)),
+                Principal.deleted_at == None,
+            ).all():
+                principals_list.append({
+                    "id": str(p.id),
+                    "name": p.name,
+                    "description": p.description,
+                    "via_department": p.id not in direct_principal_ids,
+                })
+
+        role = membership.role
+        orgs_result.append({
+            "org_id": str(org.id),
+            "org_name": org.name,
+            "role": role.value if hasattr(role, "value") else role,
+            "departments": [
+                {"id": str(d.id), "name": d.name, "description": d.description}
+                for d in user_depts
+            ],
+            "principals": principals_list,
+        })
+
+    return api_response(
+        data={"orgs": orgs_result},
+        message="Memberships retrieved",
+    )