Ҫi=dZddlZddlZddlmZmZmZddlmZmZm Z ddl m Z ddl Z ddl Z ddlZejj!dddlmZmZddlmZej,eZd d d d d Ze GddZGddZy)an GHL OAuth Token Vault Handles encrypted storage, retrieval, and lifecycle management of OAuth tokens. Uses PostgreSQL for persistence and Redis for distributed locking during refresh. Token types: - 'agency': The main OAuth token from app installation. Has refresh_token. - 'location': Per-sub-account tokens exchanged via /oauth/locationToken. No refresh_token. N)datetimetimezone timedelta)OptionalDictAny) dataclassz)/mnt/e/genesis-system/data/genesis-memory)PostgresConfig RedisConfig)GHLOAuthConfig ) keepaliveskeepalives_idlekeepalives_intervalkeepalives_countceZdZUdZeed<eed<eeed<eeed<eed<eeed<eed<eed <eeed <eeed <e d e fd Z e d e fdZ e d e fdZ y) TokenRecordzA single OAuth token record.id token_type location_id location_name access_token refresh_tokenscopes expires_at last_used_at revoked_atreturncbtjtj|jk\SN)rnowrutcrselfs ./mnt/e/genesis-system/GHL/oauth/token_vault.py is_expiredzTokenRecord.is_expired3s||HLL)T__<<cttj}tjt j |j|z k\S)Nseconds)rr refresh_buffer_secondsrr$rr%r)r'buffers r( needs_refreshzTokenRecord.needs_refresh7s3>#H#HI||HLL)doo.FGGr*c<|j xr|jduSr#)r)r r&s r(is_validzTokenRecord.is_valid<s??">t$'>>r*N)__name__ __module__ __qualname____doc__str__annotations__rlistrpropertyboolr)r0r2r*r(rr%s& GO#C= C= L8$$"" =D==HtHH?$??r*rc VeZdZdZd deefdZdZdZdZ de d e d e d e d e f d Z de de de d e d e d e f dZd eefdZde d eefdZd e fdZd eefdZd!de de d eefdZde d ee fdZde d ee effdZd ee effdZde fdZde dee defdZed efdZy)" TokenVaultzLManages GHL OAuth tokens in PostgreSQL with Redis-based distributed locking.Nconfigc8|xs t|_d|_yr#)r r?_conn)r'r?s r(__init__zTokenVault.__init__Ds0 0  r*cz|j|jjrTtj}|j t t jdi||_d|j_ |jj5}|jdddd|jS#1swY|jSxYw#t$rbtj}|j t t jdi||_d|j_Y|jSwxYw)z,Get a PostgreSQL connection with keepalives.NTzSELECT 1r<) rAclosedr get_connection_paramsupdatePG_KEEPALIVE_PARAMSpsycopg2connect autocommitcursorexecute Exception)r'paramscurs r( _get_connzTokenVault._get_connHs :: !2!2#99;F MM- .!))3F3DJ$(DJJ ! )""$ ( J' (zz (zz  )#99;F MM- .!))3F3DJ$(DJJ !zz  )s18CB8$C8C =C CAD:9D:cRddl}|jditjS)z/Get a Redis connection for distributed locking.rNr<)redisRedisr rE)r'rRs r( _get_rediszTokenVault._get_redisZs"u{{A[>>@AAr*cd}t|5}|j}ddd|j}|j5}|j dddt j dy#1swYYxYw#1swY+xYw)z"Create tables if they don't exist.z-/mnt/e/genesis-system/GHL/oauth/db_schema.sqlNzGHL OAuth schema initialized)openreadrPrKrLloggerinfo)r' schema_pathfsqlconnrOs r( init_schemazTokenVault.init_schema_svE +  !&&(C ~~ [[] c KK   23     sA7B7BB rr expires_inrr!c tjtjt |z}|j }|j 5}|jd||||ft|jd}|jd|tjjd|jt|dfdddtj!d|jS#1swY1xYw) zAStore the agency-level OAuth token from initial app installation.r,aq INSERT INTO ghl_oauth_tokens (token_type, location_id, access_token, refresh_token, scopes, expires_at) VALUES ('agency', NULL, %s, %s, %s, %s) ON CONFLICT (token_type, location_id) DO UPDATE SET access_token = EXCLUDED.access_token, refresh_token = EXCLUDED.refresh_token, scopes = EXCLUDED.scopes, expires_at = EXCLUDED.expires_at, last_refreshed_at = NOW(), revoked_at = NULL RETURNING id rz INSERT INTO ghl_oauth_audit (token_id, operation, details) VALUES (%s, 'created', %s) agency)typer scope_countNzAgency token stored, expires )rr$rr%rrPrKrLr7fetchonerHextrasJson isoformatlenrXrY) r'rrr_rrr]rOtoken_ids r(store_agency_tokenzTokenVault.store_agency_tokenis\\(,,/)J2OO ~~ [[] c KK  vzB D3<<>!,-H KKHOO00 (224"6{2 ' 8  3J4H4H4J3KLM;  s A?DD rrc tjtjt |z}|j }|j 5}|jd|||||ft|jd} |jd| |tjj||jdfdddtjd|d|d  S#1swY'xYw) z>Store a per-location token from /oauth/locationToken exchange.r,aq INSERT INTO ghl_oauth_tokens (token_type, location_id, location_name, access_token, scopes, expires_at) VALUES ('location', %s, %s, %s, %s, %s) ON CONFLICT (token_type, location_id) DO UPDATE SET access_token = EXCLUDED.access_token, location_name = EXCLUDED.location_name, scopes = EXCLUDED.scopes, expires_at = EXCLUDED.expires_at, last_refreshed_at = NOW(), revoked_at = NULL RETURNING id rz INSERT INTO ghl_oauth_audit (token_id, operation, location_id, details) VALUES (%s, 'exchanged', %s, %s) )rrNzLocation token stored for  ())rr$rr%rrPrKrLr7rdrHrerfrgrXrY) r'rrrr_rrr]rOris r(store_location_tokenzTokenVault.store_location_tokens\\(,,/)J2OO ~~ [[] c KK }lFJO Q3<<>!,-H KKK)=)=!.(224?* # 2  0 R aPQ5  s A7C..C7c|j}|jtjj5}|j d|j }|s dddy|j|cdddS#1swYyxYw)zGet the current agency token.cursor_factoryz SELECT * FROM ghl_oauth_tokens WHERE token_type = 'agency' AND revoked_at IS NULL ORDER BY created_at DESC LIMIT 1 NrPrKrHre DictCursorrLrd_row_to_recordr'r]rOrows r(get_agency_tokenzTokenVault.get_agency_tokens{~~ [[(B(B[ C ,s KK  ,,.C , ,&&s+ , , ,s%B)BB c"|j}|jtjj5}|j d|f|j }|s dddy|j|cdddS#1swYyxYw)z4Get the token for a specific location (sub-account).rpz SELECT * FROM ghl_oauth_tokens WHERE token_type = 'location' AND location_id = %s AND revoked_at IS NULL ORDER BY created_at DESC LIMIT 1 Nrr)r'rr]rOrvs r(get_location_tokenzTokenVault.get_location_tokens~~ [[(B(B[ C ,s KK   !,,.C , ,&&s+ , , ,s'B+BBc(|j}|jtjj5}|j d|j Dcgc]}|j|c}cdddScc}w#1swYyxYw)zGet all active location tokens.rpz SELECT * FROM ghl_oauth_tokens WHERE token_type = 'location' AND revoked_at IS NULL ORDER BY location_name N)rPrKrHrersrLfetchallrtrus r(get_all_location_tokensz"TokenVault.get_all_location_tokenss~~ [[(B(B[ C Hs KK  9< GD'',G  H H H  H Hs$BB7BBBc |j}d}|j|ddds%tjd|j S |j }|r |j s(tj d |j|y|js||j|Stj|jj|jj|jjd |j d d d id }|jdk7rbtj d|jd|j |j#dd|j dd |j|y|j%}|j'd |j }|j)|d||j'd|jj*|j'dr!|j'ddj-dn |j.tjd|j |j|S#|j|wxYw)zSRefresh the agency token using the refresh_token. Uses Redis lock to prevent races.zghl_oauth:refresh_lock:agency1Tr)nxexz8Another process is refreshing the agency token, skippingz*No agency token or refresh_token availableNr) client_id client_secret grant_typer Content-Typez!application/x-www-form-urlencoded)dataheaderstimeoutzAgency token refresh failed:  failedrefresh_agencyerror operationrr_scope)rrr_rz#Agency token refreshed successfully)rTsetrXrYrwrrdeleter0requestspostr? token_urlrr status_codetext_auditjsongetrjaccess_token_ttl_secondssplitr)r'rlock_keyrarespr new_refreshs r(refresh_agency_tokenzTokenVault.refresh_agency_tokens OO 2uuXstu3 KKR S((* *( **,F!5!5 IJH HHX C''@ HHX === %%!%!6!6%)[[%>%>"1%+%9%9  ()LM D3& ((* HHX AHHX s 3I$ I$3CI$ CI$$I7c ~|j}|stjdy|jr|j }|syt j |jj|jj|dd|j|jjddd}|jd k7rStjd |d |jd |j|jd ||jddy|j}|j!|||d|j#d|jj$|j#dr!|j#ddj'd ngtj)d|d|d|j+|S)z;Exchange agency token for a location-specific access token.z/No agency token available for location exchangeN) companyId locationIdzBearer zapplication/json) AuthorizationVersionrr)rrrrz#Location token exchange failed for z: rrexchange_locationrrr_rr)rrrr_rzLocation token exchanged for rlrm)rwrXrr0rrrr?location_token_url company_idr api_versionrrrrrnrrrrYry)r'rrrarrs r(exchange_location_tokenz"TokenVault.exchange_location_tokens&&( LLJ K   ..0F}} KK * *![[33) $+6+>+>*?!@;;22 2      s " LL>{m2dN^N^M__`aeajaj`kl m KK+Qd/e fyy{ !!#'n-xx dkk.R.RS7;xx7H488GR(..s3b "   3K==/QRST&&{33r*cV|j|}|r?|jr3|js'|j|j|j S|r |j nd}|j||}|r3|jr'|j|j|j Sy)zBGet a valid access token for a location. Auto-refreshes if needed.rN)ryr2r0 _mark_usedrrrr)r'rtokenname new_tokens r(get_valid_tokenzTokenVault.get_valid_tokenBs'' 4 U^^E,?,? OOEHH %%% %',u""00dC ++ OOILL ))) )r* locationsci}|D]d}|jdxs|jd}|jdxs|jdd}|j||}|du||<f|S)zBExchange tokens for all locations. Returns {location_id: success}.rrrrrN)rr)r'rresultslocloc_idloc_namers r(exchange_all_locationsz!TokenVault.exchange_all_locationsTsu 0CWWT] NOW() THEN 'valid' ELSE 'expired' END as status FROM ghl_oauth_tokens WHERE revoked_at IS NULL ORDER BY token_type, location_name rrrrNrstatus)rbrrr last_usedr)tokenstotal) rPrKrHrersrLr{appendrgrh)r'r]rOrrvs r(rzTokenVault.status^s~~ [[(B(B[ C !>!@]a!(m  %s6{;) < < UPDATE ghl_oauth_tokens SET last_used_at = NOW() WHERE id = %sN)rPrKrL)r'rir]rOs r(rzTokenVault._mark_usedwsB~~ [[] c KKP     s >Ardetailsc |j}|j5}|jd||tjj |fdddy#1swYyxYw)zWrite an audit log entry.z INSERT INTO ghl_oauth_audit (operation, location_id, details) VALUES (%s, %s, %s) N)rPrKrLrHrerf)r'rrrr]rOs r(rzTokenVault._audits_~~ [[] Jc KK[(//*>*>w*GH J J J Js 3AA&c tt|d|d|d|d|d|d|dxsg|d|d |d  S) Nrrrrrrrrrr ) rrrrrrrrrr )rr7)rvs r(rtzTokenVault._row_to_recordsf3t9~<(M*o.^,o.x=&B<(^,<(  r*r#)r) r3r4r5r6rr rBrPrTr^r7intr9rjrnrrwryr|rrrrr;rrrrdictr staticmethodrtr<r*r(r>r>AsVx7$B 4''' '  ' 'R%%% %  %  % %N ,(;"7 ,,c,h{6K, H H2h{&;2h*43*4s*4T\]hTi*4X38C=$c4i<S#X<23JJ(3-J$J  {    r*r>)r6sysloggingrrrtypingrrr dataclassesr rHpsycopg2.extrasrpathrelestio_configr r GHL.oauth.configr getLoggerr3rXrGrr>r<r*r(rs  22&&!;<6+   8 $  ?? ?6U U r*