^ ijdZddlmZddlmZmZddlmZmZm Z m Z ddl m Z m Z ddlmZmZddlmZddlmZer*dd lmZdd lmZdd lmZdd lmZdd lmZddlm Z ddl!m"Z"e dZ#e dZ$GddeZ%d2dZ&d3dZ'd4dZ(d5dZ)d6d!Z*d7d#Z+d8d&Z,d9d)Z-d:d-Z.d;d0Z/d1S)", "office_id": "O_17", "dept_id": "D_05", "area_id": "A_01", "role_ids": ["R_03"] } 从 JWT 中提取的用户身份信息,贯穿整个请求生命周期, 用于权限过滤和操作审计。 struser_id office_iddept_idarea_idz list[str]role_idsN) __name__ __module__ __qualname____doc____annotations__rrrr &D:\work\zm-rag\backend\app\api\deps.pyrr$sk LLLIGGHr'rrequestrreturn 'ESClient'c$|jjjS)u\Yield the shared :class:`ESClient` instance. 返回共享的 ES 客户端单例。 )appstate es_clientr)s r( get_es_clientr1As ;  &&r' 'Neo4jClient'c$|jjjS)ubYield the shared :class:`Neo4jClient` instance. 返回共享的 Neo4j 客户端单例。 )r-r. neo4j_clientr0s r(get_neo4j_clientr5I ;  ))r' 'RedisClient'c$|jjjS)ubYield the shared :class:`RedisClient` instance. 返回共享的 Redis 客户端单例。 )r-r. redis_clientr0s r(get_redis_clientr:Qr6r''MySQLClient | None'c8t|jjddS)uYield the shared MySQL client instance, if configured. 返回共享的 MySQL 客户端单例;未配置时返回 None。 mysql_clientN)getattrr-r.r0s r(get_mysql_clientr?Ys 7;$nd ; ;;r''EmbeddingClient'c$|jjjS)ujYield the shared :class:`EmbeddingClient` instance. 返回共享的 Embedding 客户端单例。 )r-r.embedding_clientr0s r(get_embedding_clientrCas ;  --r' 'LLMClient'c$|jjjS)u^Yield the shared :class:`LLMClient` instance. 返回共享的 LLM 客户端单例。 )r-r. llm_clientr0s r(get_llm_clientrGis ;  ''r' credentials@Annotated[HTTPAuthorizationCredentials, Depends(_bearer_scheme)]c  K|j} tj|tjtjg}n4#t $r'}ttj d|ddi|d}~wwxYw| d}|sttj dddit|| d d | d d | d d | d gS)uDecode and validate the JWT, returning a :class:`UserContext`. 解码并验证 Bearer Token,提取用户身份信息。 验证失败时返回 401 Unauthorized。  algorithmsInvalid or expired token: WWW-AuthenticateBearer status_codedetailheadersNsubToken missing 'sub' claimrrrrr rrrrr rHr decoder jwt_secret jwt_algorithmr rr HTTP_401_UNAUTHORIZEDgetrrHtokenpayloadexcrs r(get_current_userrats8  #E *    ./    4555'2     "++e,,G  4.'2    ++k2.. Ir** Ir**Z,,    s,8 A)"A$$A)PAnnotated[HTTPAuthorizationCredentials | None, Depends(_optional_bearer_scheme)]UserContext | Nonec K|dS|j} tj|tjtjg}n4#t $r'}ttj d|ddi|d}~wwxYw| d}|sttj dddit|| d d | d d | d d | d gS)z:Decode JWT when present, otherwise allow anonymous access.NrKrMrNrOrPrTrUrrrrr rVrWr]s r(get_optional_current_userresCt  #E *    ./    4555'2     "++e,,G  4.'2    ++k2.. Ir** Ir**Z,,    s,< A-"A((A-user1Annotated[UserContext, Depends(get_current_user)]'PermissionContext'cKddlm}|jjj}||}||d{VS)zEResolve the request user's permission context for ACL-aware handlers.rPermissionServicer9Napp.core.permissionrkr-r.r9resolver)rfrkr9services r(get_permission_contextrrs^ 655555;$1L\:::G&& & & & & & &&r'AAnnotated[UserContext | None, Depends(get_optional_current_user)]'PermissionContext | None'cK|dSddlm}|jjj}||}||d{VS)zFResolve permission context when JWT is present, otherwise return None.Nrrjrlrmrps r(get_optional_permission_contextrvsh  |t555555;$1L\:::G&& & & & & & &&r'N)r)rr*r+)r)rr*r2)r)rr*r7)r)rr*r;)r)rr*r@)r)rr*rD)rHrIr*r)rHrbr*rc)r)rrfrgr*rh)r)rrfrsr*rt)0r$ __future__rtypingrrfastapirrrr fastapi.securityr r joser r pydanticr app.configrrnr#app.infrastructure.embedding_clientrapp.infrastructure.es_clientrapp.infrastructure.llm_clientrapp.infrastructure.mysql_clientrapp.infrastructure.neo4j_clientrapp.infrastructure.redis_clientr_bearer_scheme_optional_bearer_schemerr1r5r:r?rCrGrarerrrvr&r'r(rs^#"""""++++++++;;;;;;;;;;;;EEEEEEEE<555555CCCCCC555555777777;;;;;;;;;;;;;;;;;;t,,,$*666 ):''''********<<<<....(((($$$$N""""J ' ' ' ' ' ' ' ' ' 'r'