
    $j                     r    d Z ddlmZ ddlmZmZmZmZ ddlm	Z	  G d de          Z
 G d de          Zd	S )
z*Built-in tenant extension implementations.    )
get_config)AuthenticationErrorTenantTenantContextTenantExtension)RequestContextc                   `     e Zd ZdZdeeef         f fdZdedefdZ	de
e         fdZ xZS )DefaultTenantExtensiona  
    Default single-tenant extension with no authentication.

    This is the default extension used when no tenant extension is configured.
    It provides single-tenant behavior using the configured schema from
    HINDSIGHT_API_DATABASE_SCHEMA (defaults to 'public').

    Features:
    - No authentication required (passes all requests)
    - Uses configured schema from environment
    - Perfect for single-tenant deployments without auth

    Configuration:
        HINDSIGHT_API_DATABASE_SCHEMA=your-schema (optional, defaults to 'public')

    This is automatically enabled by default. To use custom authentication,
    configure a different tenant extension:
        HINDSIGHT_API_TENANT_EXTENSION=hindsight_api.extensions.builtin.tenant:ApiKeyTenantExtension
    configc                     t                                          |           |                    dt                      j                  | _        d S )Nschema)super__init__getr   database_schema_schemaselfr   	__class__s     o/home/rurouni/.hermes/hermes-agent/venv/lib/python3.11/site-packages/hindsight_api/extensions/builtin/tenant.pyr   zDefaultTenantExtension.__init__   s=        zz(JLL,HII    contextreturnc                 0   K   t          | j                  S )z4Return configured schema without any authentication.schema_name)r   r   r   r   s     r   authenticatez#DefaultTenantExtension.authenticate#   s      6666r   c                 2   K   t          | j                  gS z1Return configured schema for single-tenant setup.)r   )r   r   r   s    r   list_tenantsz#DefaultTenantExtension.list_tenants'   s      dl+++,,r   )__name__
__module____qualname____doc__dictstrr   r   r   r   listr   r"   __classcell__r   s   @r   r
   r
      s         (JtCH~ J J J J J J7. 7] 7 7 7 7-DL - - - - - - - -r   r
   c                   p     e Zd ZdZdeeef         f fdZdedefdZ	de
e         fdZdedefdZ xZS )	ApiKeyTenantExtensionaJ  
    Built-in tenant extension that validates API key against an environment variable.

    This is a simple implementation that:
    1. Validates the API key matches HINDSIGHT_API_TENANT_API_KEY
    2. Returns the configured schema (HINDSIGHT_API_DATABASE_SCHEMA, default 'public')
       for all authenticated requests

    Configuration:
        HINDSIGHT_API_TENANT_EXTENSION=hindsight_api.extensions.builtin.tenant:ApiKeyTenantExtension
        HINDSIGHT_API_TENANT_API_KEY=your-secret-key
        HINDSIGHT_API_DATABASE_SCHEMA=your-schema (optional, defaults to 'public')
        HINDSIGHT_API_TENANT_MCP_AUTH_DISABLED=true (optional, disable auth for MCP endpoints)

    For multi-tenant setups with separate schemas per tenant, implement a custom
    TenantExtension that looks up the schema based on the API key or token claims.
    r   c                    t                                          |           |                    d          | _        | j        st	          d          |                    dd                                          dv | _        d S )Napi_keyzIHINDSIGHT_API_TENANT_API_KEY is required when using ApiKeyTenantExtensionmcp_auth_disabled )true1yes)r   r   r   expected_api_key
ValueErrorlowerr0   r   s     r   r   zApiKeyTenantExtension.__init__?   sy        &

9 5 5$ 	jhiii!',?!D!D!J!J!L!LPd!dr   r   r   c                    K   |j         | j        k    rt          d          t          t	                      j                  S )z6Validate API key and return configured schema context.zInvalid API keyr   )r/   r5   r   r   r   r   r   s     r   r   z"ApiKeyTenantExtension.authenticateG   s=      ?d333%&7888)EFFFFr   c                 J   K   t          t                      j                  gS r    )r   r   r   r!   s    r   r"   z"ApiKeyTenantExtension.list_tenantsM   s!      jll:;;;<<r   c                    K   | j         r!t          t                      j                  S |                     |           d{V S )z
        Authenticate MCP requests.

        If mcp_auth_disabled is set, skip authentication for backwards compatibility.
        Otherwise, delegate to authenticate().
        r   N)r0   r   r   r   r   r   s     r   authenticate_mcpz&ApiKeyTenantExtension.authenticate_mcpQ   sR       ! 	K Z\\-IJJJJ&&w/////////r   )r#   r$   r%   r&   r'   r(   r   r   r   r   r)   r   r"   r;   r*   r+   s   @r   r-   r-   ,   s         $etCH~ e e e e e eG. G] G G G G=DL = = = =	0n 	0 	0 	0 	0 	0 	0 	0 	0 	0r   r-   N)r&   hindsight_api.configr   hindsight_api.extensions.tenantr   r   r   r   hindsight_api.modelsr   r
   r-    r   r   <module>r@      s    0 0 + + + + + + g g g g g g g g g g g g / / / / / /!- !- !- !- !-_ !- !- !-H.0 .0 .0 .0 .0O .0 .0 .0 .0 .0r   