Added enumerable order & added array & removed collection

Reviewed-on: #193

.gitea/workflows/test_before_merge.yaml

@@ -0,0 +1,26 @@
+name: Test before pr merge
+run-name: Test before pr merge
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+      - ready_for_review
+
+jobs:
+  test-lint:
+    runs-on: [ runner ]
+    container: git.sh-edraft.de/sh-edraft.de/act-runner:latest
+    steps:
+      - name: Clone Repository
+        uses: https://github.com/actions/checkout@v3
+        with:
+          token: ${{ secrets.CI_ACCESS_TOKEN }}
+
+      - name: Installing black
+        run: python3.12 -m pip install black
+
+      - name: Checking black
+        run: python3.12 -m black src --check

.gitignore

@@ -139,3 +139,6 @@ PythonImportHelper-v2-Completion.json
 
 # cpl unittest stuff
 unittests/test_*_playground
+
+# cpl logs
+**/logs/*.jsonl

example/custom/api/src/main.py

@@ -0,0 +1,47 @@
+from starlette.responses import JSONResponse
+
+from cpl import api
+from cpl.api.application.web_app import WebApp
+from cpl.application import ApplicationBuilder
+from cpl.auth.permission.permissions import Permissions
+from cpl.auth.schema import AuthUser, Role
+from cpl.core.configuration import Configuration
+from cpl.core.environment import Environment
+from cpl.core.utils.cache import Cache
+from service import PingService
+
+
+def main():
+    builder = ApplicationBuilder[WebApp](WebApp)
+
+    Configuration.add_json_file(f"appsettings.json")
+    Configuration.add_json_file(f"appsettings.{Environment.get_environment()}.json")
+    Configuration.add_json_file(f"appsettings.{Environment.get_host_name()}.json", optional=True)
+
+    # builder.services.add_logging()
+    builder.services.add_structured_logging()
+    builder.services.add_transient(PingService)
+    builder.services.add_module(api)
+
+    builder.services.add_cache(AuthUser)
+    builder.services.add_cache(Role)
+
+    app = builder.build()
+    app.with_logging()
+    app.with_database()
+
+    app.with_authentication()
+    app.with_authorization()
+
+    app.with_route(path="/route1", fn=lambda r: JSONResponse("route1"), method="GET", authentication=True, permissions=[Permissions.administrator])
+    app.with_routes_directory("routes")
+
+    provider = builder.service_provider
+    user_cache = provider.get_service(Cache[AuthUser])
+    role_cache = provider.get_service(Cache[Role])
+
+    app.run()
+
+
+if __name__ == "__main__":
+    main()

example/custom/api/src/routes/ping.py

@@ -0,0 +1,16 @@
+from urllib.request import Request
+
+from service import PingService
+from starlette.responses import JSONResponse
+
+from cpl.api import APILogger
+from cpl.api.router import Router
+
+
+@Router.authenticate()
+# @Router.authorize(permissions=[Permissions.administrator])
+# @Router.authorize(policies=["test"])
+@Router.get(f"/ping")
+async def ping(r: Request, ping: PingService, logger: APILogger):
+    logger.info(f"Ping: {ping}")
+    return JSONResponse(ping.ping(r))

example/custom/database/src/appsettings.edrafts-pc.json

@@ -0,0 +1,26 @@
+{
+  "TimeFormat": {
+    "DateFormat": "%Y-%m-%d",
+    "TimeFormat": "%H:%M:%S",
+    "DateTimeFormat": "%Y-%m-%d %H:%M:%S.%f",
+    "DateTimeLogFormat": "%Y-%m-%d_%H-%M-%S"
+  },
+
+  "Log": {
+    "Path": "logs/",
+    "Filename": "log_$start_time.log",
+    "ConsoleLevel": "TRACE",
+    "Level": "TRACE"
+  },
+
+  "Database": {
+    "Host": "localhost",
+    "User": "cpl",
+    "Port": 3306,
+    "Password": "cpl",
+    "Database": "cpl",
+    "Charset": "utf8mb4",
+    "UseUnicode": "true",
+    "Buffered": "true"
+  }
+}

example/custom/database/src/appsettings.json

@@ -0,0 +1,15 @@
+{
+  "TimeFormat": {
+    "DateFormat": "%Y-%m-%d",
+    "TimeFormat": "%H:%M:%S",
+    "DateTimeFormat": "%Y-%m-%d %H:%M:%S.%f",
+    "DateTimeLogFormat": "%Y-%m-%d_%H-%M-%S"
+  },
+
+  "Log": {
+    "Path": "logs/",
+    "Filename": "log_$start_time.log",
+    "ConsoleLevel": "ERROR",
+    "Level": "WARNING"
+  }
+}

example/custom/database/src/model/city_dao.py

@@ -5,7 +5,7 @@ from model.city import City
 class CityDao(DbModelDaoABC[City]):
 
     def __init__(self):
-        DbModelDaoABC.__init__(self, __name__, City, "city")
+        DbModelDaoABC.__init__(self, City, "city")
 
         self.attribute(City.name, str)
         self.attribute(City.zip, int)

example/custom/database/src/model/user_dao.py

@@ -5,7 +5,7 @@ from model.user import User
 class UserDao(DbModelDaoABC[User]):
 
     def __init__(self):
-        DbModelDaoABC.__init__(self, __name__, User, "users")
+        DbModelDaoABC.__init__(self, User, "users")
 
         self.attribute(User.name, str)
         self.attribute(User.city_id, int, db_name="CityId")

example/custom/general/src/general/appsettings.development.json

@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "Path": "logs/",
+    "Filename": "log_$start_time.log",
+    "ConsoleLevel": "TRACE",
+    "Level": "TRACE"
+  }
+}

example/custom/query/main.py

@@ -0,0 +1,60 @@
+from cpl.core.console import Console
+from cpl.core.utils.benchmark import Benchmark
+from cpl.query.enumerable import Enumerable
+from cpl.query.immutable_list import ImmutableList
+from cpl.query.list import List
+from cpl.query.set import Set
+
+
+def _default():
+    Console.write_line(Enumerable.empty().to_list())
+
+    Console.write_line(Enumerable.range(0, 100).length)
+    Console.write_line(Enumerable.range(0, 100).to_list())
+
+    Console.write_line(Enumerable.range(0, 100).where(lambda x: x % 2 == 0).length)
+    Console.write_line(
+        Enumerable.range(0, 100).where(lambda x: x % 2 == 0).to_list().select(lambda x: str(x)).to_list()
+    )
+    Console.write_line(List)
+
+    s =Enumerable.range(0, 10).to_set()
+    Console.write_line(s)
+    s.add(1)
+    Console.write_line(s)
+
+    data = Enumerable(
+        [
+            {"name": "Alice", "age": 30},
+            {"name": "Dave", "age": 35},
+            {"name": "Charlie", "age": 25},
+            {"name": "Bob", "age": 25},
+        ]
+    )
+
+    Console.write_line(data.order_by(lambda x: x["age"]).to_list())
+    Console.write_line(data.order_by(lambda x: x["age"]).then_by(lambda x: x["name"]).to_list())
+    Console.write_line(data.order_by(lambda x: x["name"]).then_by(lambda x: x["age"]).to_list())
+
+
+def t_benchmark(data: list):
+    Benchmark.all("Enumerable", lambda: Enumerable(data).where(lambda x: x % 2 == 0).select(lambda x: x * 2).to_list())
+    Benchmark.all("Set", lambda: Set(data).where(lambda x: x % 2 == 0).select(lambda x: x * 2).to_list())
+    Benchmark.all("List", lambda: List(data).where(lambda x: x % 2 == 0).select(lambda x: x * 2).to_list())
+    Benchmark.all(
+        "ImmutableList", lambda: ImmutableList(data).where(lambda x: x % 2 == 0).select(lambda x: x * 2).to_list()
+    )
+    Benchmark.all("List comprehension", lambda: [x * 2 for x in data if x % 2 == 0])
+
+
+def main():
+    N = 10_000_000
+    data = list(range(N))
+    #t_benchmark(data)
+
+    Console.write_line()
+    _default()
+
+
+if __name__ == "__main__":
+    main()

install.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Find and combine requirements from src/cpl-*/requirements.txt,
+# filtering out lines whose *package name* starts with "cpl-".
+# Works with pinned versions, extras, markers, editable installs, and VCS refs.
+
+shopt -s nullglob
+
+req_files=(src/cpl-*/requirements.txt)
+if ((${#req_files[@]} == 0)); then
+  echo "No requirements files found at src/cpl-*/requirements.txt" >&2
+  exit 1
+fi
+
+tmp_combined="$(mktemp)"
+trap 'rm -f "$tmp_combined"' EXIT
+
+# Concatenate, trim comments/whitespace, filter out cpl-* packages, dedupe.
+# We keep non-package options/flags/constraints as-is.
+awk '
+  function trim(s){ sub(/^[[:space:]]+/,"",s); sub(/[[:space:]]+$/,"",s); return s }
+
+  {
+    line=$0
+    # drop full-line comments and strip inline comments
+    if (line ~ /^[[:space:]]*#/) next
+    sub(/#[^!].*$/,"",line)  # strip trailing comment (simple heuristic)
+    line=trim(line)
+    if (line == "") next
+
+    # Determine the package *name* even for "-e", extras, pins, markers, or VCS "@"
+    e = line
+    sub(/^-e[[:space:]]+/,"",e)           # remove editable prefix
+    # Tokenize up to the first of these separators: space, [ < > = ! ~ ; @
+    token = e
+    sub(/\[.*/,"",token)                  # remove extras quickly
+    n = split(token, a, /[<>=!~;@[:space:]]/)
+    name = tolower(a[1])
+
+    # If the first token (name) starts with "cpl-", skip this requirement
+    if (name ~ /^cpl-/) next
+
+    print line
+  }
+' "${req_files[@]}" | sort -u > "$tmp_combined"
+
+if ! [ -s "$tmp_combined" ]; then
+  echo "Nothing to install after filtering out cpl-* packages." >&2
+  exit 0
+fi
+
+echo "Installing dependencies (excluding cpl-*) from:"
+printf '  - %s\n' "${req_files[@]}"
+echo
+echo "Final set to install:"
+cat "$tmp_combined"
+echo
+
+# Use python -m pip for reliability; change to python3 if needed.
+python -m pip install -r "$tmp_combined"

src/cpl-api/cpl/api/__init__.py

@@ -0,0 +1,36 @@
+from cpl.dependency.service_collection import ServiceCollection as _ServiceCollection
+
+from .error import APIError, AlreadyExists, EndpointNotImplemented, Forbidden, NotFound, Unauthorized
+from .logger import APILogger
+from .settings import ApiSettings
+
+
+def add_api(collection: _ServiceCollection):
+    try:
+        from cpl.database import mysql
+
+        collection.add_module(mysql)
+    except ImportError as e:
+        from cpl.core.errors import dependency_error
+
+        dependency_error("cpl-database", e)
+
+    try:
+        from cpl import auth
+        from cpl.auth import permission
+
+        collection.add_module(auth)
+        collection.add_module(permission)
+    except ImportError as e:
+        from cpl.core.errors import dependency_error
+
+        dependency_error("cpl-auth", e)
+
+    from cpl.api.registry.policy import PolicyRegistry
+    from cpl.api.registry.route import RouteRegistry
+
+    collection.add_singleton(PolicyRegistry)
+    collection.add_singleton(RouteRegistry)
+
+
+_ServiceCollection.with_module(add_api, __name__)

src/cpl-api/cpl/api/abc/__init__.py

@@ -0,0 +1 @@
+from .asgi_middleware_abc import ASGIMiddleware

src/cpl-api/cpl/api/abc/asgi_middleware_abc.py

@@ -0,0 +1,15 @@
+from abc import ABC, abstractmethod
+
+from starlette.types import Scope, Receive, Send
+
+
+class ASGIMiddleware(ABC):
+    @abstractmethod
+    def __init__(self, app):
+        self._app = app
+
+    def _call_next(self, scope: Scope, receive: Receive, send: Send):
+        return self._app(scope, receive, send)
+
+    @abstractmethod
+    async def __call__(self, scope: Scope, receive: Receive, send: Send): ...

src/cpl-api/cpl/api/api_logger.py

@@ -1,7 +0,0 @@
-from cpl.core.log.logger import Logger
-
-
-class APILogger(Logger):
-
-    def __init__(self, source: str):
-        Logger.__init__(self, source, "api")

src/cpl-api/cpl/api/application/__init__.py

@@ -0,0 +1 @@
+from .web_app import WebApp

src/cpl-api/cpl/api/application/web_app.py

@@ -0,0 +1,249 @@
+import os
+from enum import Enum
+from typing import Mapping, Any, Callable, Self, Union
+
+import uvicorn
+from starlette.applications import Starlette
+from starlette.middleware import Middleware
+from starlette.middleware.cors import CORSMiddleware
+from starlette.requests import Request
+from starlette.responses import JSONResponse
+from starlette.types import ExceptionHandler
+
+from cpl import api, auth
+from cpl.api.error import APIError
+from cpl.api.logger import APILogger
+from cpl.api.middleware.authentication import AuthenticationMiddleware
+from cpl.api.middleware.authorization import AuthorizationMiddleware
+from cpl.api.middleware.logging import LoggingMiddleware
+from cpl.api.middleware.request import RequestMiddleware
+from cpl.api.model.api_route import ApiRoute
+from cpl.api.model.policy import Policy
+from cpl.api.model.validation_match import ValidationMatch
+from cpl.api.registry.policy import PolicyRegistry
+from cpl.api.registry.route import RouteRegistry
+from cpl.api.router import Router
+from cpl.api.settings import ApiSettings
+from cpl.api.typing import HTTPMethods, PartialMiddleware, PolicyResolver
+from cpl.application.abc.application_abc import ApplicationABC
+from cpl.core.configuration import Configuration
+from cpl.dependency.service_provider_abc import ServiceProviderABC
+
+
+PolicyInput = Union[dict[str, PolicyResolver], Policy]
+
+
+class WebApp(ApplicationABC):
+    def __init__(self, services: ServiceProviderABC):
+        super().__init__(services, [auth, api])
+        self._app: Starlette | None = None
+
+        self._logger = services.get_service(APILogger)
+
+        self._api_settings = Configuration.get(ApiSettings)
+        self._policies = services.get_service(PolicyRegistry)
+        self._routes = services.get_service(RouteRegistry)
+
+        self._middleware: list[Middleware] = [
+            Middleware(RequestMiddleware),
+            Middleware(LoggingMiddleware),
+        ]
+        self._exception_handlers: Mapping[Any, ExceptionHandler] = {
+            Exception: self._handle_exception,
+            APIError: self._handle_exception,
+        }
+
+    async def _handle_exception(self, request: Request, exc: Exception):
+        if isinstance(exc, APIError):
+            self._logger.error(exc)
+            return JSONResponse({"error": str(exc)}, status_code=exc.status_code)
+
+        if hasattr(request.state, "request_id"):
+            self._logger.error(f"Request {request.state.request_id}", exc)
+        else:
+            self._logger.error("Request unknown", exc)
+
+        return JSONResponse({"error": str(exc)}, status_code=500)
+
+    def _get_allowed_origins(self):
+        origins = self._api_settings.allowed_origins
+
+        if origins is None or origins == "":
+            self._logger.warning("No allowed origins specified, allowing all origins")
+            return ["*"]
+
+        self._logger.debug(f"Allowed origins: {origins}")
+        return origins.split(",")
+
+    def with_database(self) -> Self:
+        self.with_migrations()
+        self.with_seeders()
+        return self
+
+    def with_app(self, app: Starlette) -> Self:
+        assert app is not None, "app must not be None"
+        assert isinstance(app, Starlette), "app must be an instance of Starlette"
+        self._app = app
+        return self
+
+    def _check_for_app(self):
+        if self._app is not None:
+            raise ValueError("App is already set, cannot add routes or middleware")
+
+    def with_routes_directory(self, directory: str) -> Self:
+        self._check_for_app()
+        assert directory is not None, "directory must not be None"
+
+        base = directory.replace("/", ".").replace("\\", ".")
+
+        for filename in os.listdir(directory):
+            if not filename.endswith(".py") or filename == "__init__.py":
+                continue
+
+            __import__(f"{base}.{filename[:-3]}")
+
+        return self
+
+    def with_routes(
+        self,
+        routes: list[ApiRoute],
+        method: HTTPMethods,
+        authentication: bool = False,
+        roles: list[str | Enum] = None,
+        permissions: list[str | Enum] = None,
+        policies: list[str] = None,
+        match: ValidationMatch = None,
+    ) -> Self:
+        self._check_for_app()
+        assert self._routes is not None, "routes must not be None"
+        assert all(isinstance(route, ApiRoute) for route in routes), "all routes must be of type ApiRoute"
+        for route in routes:
+            self.with_route(
+                route.path,
+                route.fn,
+                method,
+                authentication,
+                roles,
+                permissions,
+                policies,
+                match,
+            )
+        return self
+
+    def with_route(
+        self,
+        path: str,
+        fn: Callable[[Request], Any],
+        method: HTTPMethods,
+        authentication: bool = False,
+        roles: list[str | Enum] = None,
+        permissions: list[str | Enum] = None,
+        policies: list[str] = None,
+        match: ValidationMatch = None,
+    ) -> Self:
+        self._check_for_app()
+        assert path is not None, "path must not be None"
+        assert fn is not None, "fn must not be None"
+        assert method in [
+            "GET",
+            "HEAD",
+            "POST",
+            "PUT",
+            "PATCH",
+            "DELETE",
+            "OPTIONS",
+        ], "method must be a valid HTTP method"
+
+        Router.route(path, method, registry=self._routes)(fn)
+
+        if authentication:
+            Router.authenticate()(fn)
+
+        if roles or permissions or policies:
+            Router.authorize(roles, permissions, policies, match)(fn)
+
+        return self
+
+    def with_middleware(self, middleware: PartialMiddleware) -> Self:
+        self._check_for_app()
+
+        if isinstance(middleware, Middleware):
+            self._middleware.append(middleware)
+        elif callable(middleware):
+            self._middleware.append(Middleware(middleware))
+        else:
+            raise ValueError("middleware must be of type starlette.middleware.Middleware or a callable")
+
+        return self
+
+    def with_authentication(self) -> Self:
+        self.with_middleware(AuthenticationMiddleware)
+        return self
+
+    def with_authorization(self, *policies: list[PolicyInput] | PolicyInput) -> Self:
+        if policies:
+            _policies = []
+
+            if not isinstance(policies, list):
+                policies = list(policies)
+
+            for i, policy in enumerate(policies):
+                if isinstance(policy, dict):
+                    for name, resolver in policy.items():
+                        if not isinstance(name, str):
+                            self._logger.warning(f"Skipping policy at index {i}, name must be a string")
+                            continue
+
+                        if not callable(resolver):
+                            self._logger.warning(f"Skipping policy {name}, resolver must be callable")
+                            continue
+
+                        _policies.append(Policy(name, resolver))
+                    continue
+
+                _policies.append(policy)
+
+            self._policies.extend(_policies)
+
+        self.with_middleware(AuthorizationMiddleware)
+        return self
+
+    def _validate_policies(self):
+        for rule in Router.get_authorization_rules():
+            for policy_name in rule["policies"]:
+                policy = self._policies.get(policy_name)
+                if not policy:
+                    self._logger.fatal(f"Authorization policy '{policy_name}' not found")
+
+    async def main(self):
+        self._logger.debug(f"Preparing API")
+        self._validate_policies()
+
+        if self._app is None:
+            routes = [route.to_starlette(self._services.inject) for route in self._routes.all()]
+
+            app = Starlette(
+                routes=routes,
+                middleware=[
+                    *self._middleware,
+                    Middleware(
+                        CORSMiddleware,
+                        allow_origins=self._get_allowed_origins(),
+                        allow_methods=["*"],
+                        allow_headers=["*"],
+                    ),
+                ],
+                exception_handlers=self._exception_handlers,
+            )
+        else:
+            app = self._app
+
+        self._logger.info(f"Start API on {self._api_settings.host}:{self._api_settings.port}")
+
+        config = uvicorn.Config(
+            app, host=self._api_settings.host, port=self._api_settings.port, log_config=None, loop="asyncio"
+        )
+        server = uvicorn.Server(config)
+        await server.serve()
+
+        self._logger.info("Shutdown API")

src/cpl-api/cpl/api/error.py

@@ -1,9 +1,30 @@
 from http.client import HTTPException
 
+from starlette.responses import JSONResponse
+from starlette.types import Scope, Receive, Send
+
 
 class APIError(HTTPException):
     status_code = 500
 
+    def __init__(self, message: str = ""):
+        super().__init__(self.status_code, message)
+        self._message = message
+
+    @property
+    def error_message(self) -> str:
+        if self._message:
+            return f"{type(self).__name__}: {self._message}"
+
+        return f"{type(self).__name__}"
+
+    async def asgi_response(self, scope: Scope, receive: Receive, send: Send):
+        r = JSONResponse({"error": self.error_message}, status_code=self.status_code)
+        return await r(scope, receive, send)
+
+    def response(self):
+        return JSONResponse({"error": self.error_message}, status_code=self.status_code)
+
 
 class Unauthorized(APIError):
     status_code = 401

src/cpl-api/cpl/api/logger.py

@@ -0,0 +1,7 @@
+from cpl.core.log.wrapped_logger import WrappedLogger
+
+
+class APILogger(WrappedLogger):
+
+    def __init__(self):
+        WrappedLogger.__init__(self, "api")

src/cpl-api/cpl/api/middleware/__init__.py

@@ -0,0 +1,4 @@
+from .authentication import AuthenticationMiddleware
+from .authorization import AuthorizationMiddleware
+from .logging import LoggingMiddleware
+from .request import RequestMiddleware

src/cpl-api/cpl/api/middleware/authentication.py

@@ -0,0 +1,80 @@
+from keycloak import KeycloakAuthenticationError
+from starlette.types import Scope, Receive, Send
+
+from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
+from cpl.api.error import Unauthorized
+from cpl.api.logger import APILogger
+from cpl.api.middleware.request import get_request
+from cpl.api.router import Router
+from cpl.auth.keycloak import KeycloakClient
+from cpl.auth.schema import AuthUserDao, AuthUser
+from cpl.core.ctx import set_user
+from cpl.dependency import ServiceProviderABC
+
+
+class AuthenticationMiddleware(ASGIMiddleware):
+
+    @ServiceProviderABC.inject
+    def __init__(self, app, logger: APILogger, keycloak: KeycloakClient, user_dao: AuthUserDao):
+        ASGIMiddleware.__init__(self, app)
+
+        self._logger = logger
+
+        self._keycloak = keycloak
+        self._user_dao = user_dao
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send):
+        request = get_request()
+        url = request.url.path
+
+        if url not in Router.get_auth_required_routes():
+            self._logger.trace(f"No authentication required for {url}")
+            return await self._app(scope, receive, send)
+
+        if not request.headers.get("Authorization"):
+            self._logger.debug(f"Unauthorized access to {url}, missing Authorization header")
+            return await Unauthorized(f"Missing header Authorization").asgi_response(scope, receive, send)
+
+        auth_header = request.headers.get("Authorization", None)
+        if not auth_header or not auth_header.startswith("Bearer "):
+            return await Unauthorized("Invalid Authorization header").asgi_response(scope, receive, send)
+
+        token = auth_header.split("Bearer ")[1]
+        if not await self._verify_login(token):
+            self._logger.debug(f"Unauthorized access to {url}, invalid token")
+            return await Unauthorized("Invalid token").asgi_response(scope, receive, send)
+
+        # check user exists in db, if not create
+        keycloak_id = self._keycloak.get_user_id(token)
+        if keycloak_id is None:
+            return await Unauthorized("Failed to get user id from token").asgi_response(scope, receive, send)
+
+        user = await self._get_or_crate_user(keycloak_id)
+        if user.deleted:
+            self._logger.debug(f"Unauthorized access to {url}, user is deleted")
+            return await Unauthorized("User is deleted").asgi_response(scope, receive, send)
+
+        request.state.user = user
+        set_user(user)
+
+        return await self._call_next(scope, receive, send)
+
+    async def _get_or_crate_user(self, keycloak_id: str) -> AuthUser:
+        existing = await self._user_dao.find_by_keycloak_id(keycloak_id)
+        if existing is not None:
+            return existing
+
+        user = AuthUser(0, keycloak_id)
+        uid = await self._user_dao.create(user)
+        return await self._user_dao.get_by_id(uid)
+
+    async def _verify_login(self, token: str) -> bool:
+        try:
+            token_info = self._keycloak.introspect(token)
+            return token_info.get("active", False)
+        except KeycloakAuthenticationError as e:
+            self._logger.debug(f"Keycloak authentication error: {e}")
+            return False
+        except Exception as e:
+            self._logger.error(f"Unexpected error during token verification: {e}")
+            return False

src/cpl-api/cpl/api/middleware/authorization.py

@@ -0,0 +1,73 @@
+from starlette.types import Scope, Receive, Send
+
+from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
+from cpl.api.error import Unauthorized, Forbidden
+from cpl.api.logger import APILogger
+from cpl.api.middleware.request import get_request
+from cpl.api.model.validation_match import ValidationMatch
+from cpl.api.registry.policy import PolicyRegistry
+from cpl.api.router import Router
+from cpl.auth.schema._administration.auth_user_dao import AuthUserDao
+from cpl.core.ctx.user_context import get_user
+from cpl.dependency.service_provider_abc import ServiceProviderABC
+
+
+class AuthorizationMiddleware(ASGIMiddleware):
+
+    @ServiceProviderABC.inject
+    def __init__(self, app, logger: APILogger, policies: PolicyRegistry, user_dao: AuthUserDao):
+        ASGIMiddleware.__init__(self, app)
+
+        self._logger = logger
+
+        self._policies = policies
+        self._user_dao = user_dao
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send):
+        request = get_request()
+        url = request.url.path
+
+        if url not in Router.get_authorization_rules_paths():
+            self._logger.trace(f"No authorization required for {url}")
+            return await self._app(scope, receive, send)
+
+        user = get_user()
+        if not user:
+            return await Unauthorized(f"Unknown user").asgi_response(scope, receive, send)
+
+        roles = await user.roles
+        request.state.roles = roles
+        role_names = [r.name for r in roles]
+
+        perms = await user.permissions
+        request.state.permissions = perms
+        perm_names = [p.name for p in perms]
+
+        for rule in Router.get_authorization_rules():
+            match = rule["match"]
+            if rule["roles"]:
+                if match == ValidationMatch.all and not all(r in role_names for r in rule["roles"]):
+                    return await Forbidden(f"missing roles: {rule["roles"]}").asgi_response(scope, receive, send)
+                if match == ValidationMatch.any and not any(r in role_names for r in rule["roles"]):
+                    return await Forbidden(f"missing roles: {rule["roles"]}").asgi_response(scope, receive, send)
+
+            if rule["permissions"]:
+                if match == ValidationMatch.all and not all(p in perm_names for p in rule["permissions"]):
+                    return await Forbidden(f"missing permissions: {rule["permissions"]}").asgi_response(
+                        scope, receive, send
+                    )
+                if match == ValidationMatch.any and not any(p in perm_names for p in rule["permissions"]):
+                    return await Forbidden(f"missing permissions: {rule["permissions"]}").asgi_response(
+                        scope, receive, send
+                    )
+
+            for policy_name in rule["policies"]:
+                policy = self._policies.get(policy_name)
+                if not policy:
+                    self._logger.warning(f"Authorization policy '{policy_name}' not found")
+                    continue
+
+                if not await policy.resolve(user):
+                    return await Forbidden(f"policy {policy.name} failed").asgi_response(scope, receive, send)
+
+        return await self._call_next(scope, receive, send)

src/cpl-api/cpl/api/middleware/logging.py

@@ -1,21 +1,46 @@
 import time
 
-from starlette.middleware.base import BaseHTTPMiddleware
 from starlette.requests import Request
-from starlette.responses import Response
+from starlette.types import Receive, Scope, Send
 
-from cpl.api.api_logger import APILogger
-
-_logger = APILogger(__name__)
+from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
+from cpl.api.logger import APILogger
+from cpl.api.middleware.request import get_request
+from cpl.dependency import ServiceProviderABC
 
 
-class LoggingMiddleware(BaseHTTPMiddleware):
-    async def dispatch(self, request: Request, call_next):
+class LoggingMiddleware(ASGIMiddleware):
+
+    @ServiceProviderABC.inject
+    def __init__(self, app, logger: APILogger):
+        ASGIMiddleware.__init__(self, app)
+
+        self._logger = logger
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send):
+        if scope["type"] != "http":
+            await self._call_next(scope, receive, send)
+            return
+
+        request = get_request()
         await self._log_request(request)
-        response = await call_next(request)
-        await self._log_after_request(request, response)
+        start_time = time.time()
 
-        return response
+        response_body = b""
+        status_code = 500
+
+        async def send_wrapper(message):
+            nonlocal response_body, status_code
+            if message["type"] == "http.response.start":
+                status_code = message["status"]
+            if message["type"] == "http.response.body":
+                response_body += message.get("body", b"")
+            await send(message)
+
+        await self._call_next(scope, receive, send_wrapper)
+
+        duration = (time.time() - start_time) * 1000
+        await self._log_after_request(request, status_code, duration)
 
     @staticmethod
     def _filter_relevant_headers(headers: dict) -> dict:
@@ -30,10 +55,9 @@ class LoggingMiddleware(BaseHTTPMiddleware):
         }
         return {key: value for key, value in headers.items() if key in relevant_keys}
 
-    @classmethod
-    async def _log_request(cls, request: Request):
-        _logger.debug(
-            f"Request {request.state.request_id}: {request.method}@{request.url.path} from {request.client.host}"
+    async def _log_request(self, request: Request):
+        self._logger.debug(
+            f"Request {getattr(request.state, 'request_id', '-')}: {request.method}@{request.url.path} from {request.client.host}"
         )
 
         from cpl.core.ctx.user_context import get_user
@@ -41,7 +65,7 @@ class LoggingMiddleware(BaseHTTPMiddleware):
         user = get_user()
 
         request_info = {
-            "headers": cls._filter_relevant_headers(dict(request.headers)),
+            "headers": self._filter_relevant_headers(dict(request.headers)),
             "args": dict(request.query_params),
             "form-data": (
                 await request.form()
@@ -55,11 +79,9 @@ class LoggingMiddleware(BaseHTTPMiddleware):
             ),
         }
 
-        _logger.trace(f"Request {request.state.request_id}: {request_info}")
+        self._logger.trace(f"Request {getattr(request.state, 'request_id', '-')}: {request_info}")
 
-    @staticmethod
-    async def _log_after_request(request: Request, response: Response):
-        duration = (time.time() - request.state.start_time) * 1000
-        _logger.info(
-            f"Request finished {request.state.request_id}: {response.status_code}-{request.method}@{request.url.path} from {request.client.host} in {duration:.2f}ms"
+    async def _log_after_request(self, request: Request, status_code: int, duration: float):
+        self._logger.info(
+            f"Request finished {getattr(request.state, 'request_id', '-')}: {status_code}-{request.method}@{request.url.path} from {request.client.host} in {duration:.2f}ms"
         )

src/cpl-api/cpl/api/middleware/request.py

@@ -3,46 +3,54 @@ from contextvars import ContextVar
 from typing import Optional, Union
 from uuid import uuid4
 
-from starlette.middleware.base import BaseHTTPMiddleware
-from starlette.websockets import WebSocket
+from starlette.requests import Request
+from starlette.types import Scope, Receive, Send
 
-from cpl.api.api_logger import APILogger
+from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
+from cpl.api.logger import APILogger
 from cpl.api.typing import TRequest
+from cpl.dependency import ServiceProviderABC
 
 _request_context: ContextVar[Union[TRequest, None]] = ContextVar("request", default=None)
 
-_logger = APILogger(__name__)
 
+class RequestMiddleware(ASGIMiddleware):
 
-class RequestMiddleware(BaseHTTPMiddleware):
-    _request_token = {}
-    _user_token = {}
+    @ServiceProviderABC.inject
+    def __init__(self, app, logger: APILogger):
+        ASGIMiddleware.__init__(self, app)
 
-    @classmethod
-    async def set_request_data(cls, request: TRequest):
+        self._logger = logger
+
+        self._ctx_token = None
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send):
+        request = Request(scope, receive, send)
+        await self.set_request_data(request)
+
+        try:
+            await self._app(scope, receive, send)
+        finally:
+            await self.clean_request_data()
+
+    async def set_request_data(self, request: TRequest):
         request.state.request_id = uuid4()
         request.state.start_time = time.time()
-        _logger.trace(f"Set new current request: {request.state.request_id}")
+        self._logger.trace(f"Set new current request: {request.state.request_id}")
 
-        cls._request_token[request.state.request_id] = _request_context.set(request)
+        self._ctx_token = _request_context.set(request)
 
-    @classmethod
-    async def clean_request_data(cls):
+    async def clean_request_data(self):
         request = get_request()
         if request is None:
             return
 
-        if request.state.request_id in cls._request_token:
-            _request_context.reset(cls._request_token[request.state.request_id])
+        if self._ctx_token is None:
+            return
 
-    async def dispatch(self, request: TRequest, call_next):
-        await self.set_request_data(request)
-        try:
-            response = await call_next(request)
-            return response
-        finally:
-            await self.clean_request_data()
+        self._logger.trace(f"Clearing current request: {request.state.request_id}")
+        _request_context.reset(self._ctx_token)
 
 
-def get_request() -> Optional[Union[TRequest, WebSocket]]:
+def get_request() -> Optional[TRequest]:
     return _request_context.get()

src/cpl-api/cpl/api/model/__init__.py

@@ -0,0 +1,3 @@
+from .api_route import ApiRoute
+from .policy import Policy
+from .validation_match import ValidationMatch

src/cpl-api/cpl/api/model/api_route.py

@@ -0,0 +1,43 @@
+from typing import Callable
+
+from starlette.routing import Route
+
+from cpl.api.typing import HTTPMethods
+
+
+class ApiRoute:
+
+    def __init__(self, path: str, fn: Callable, method: HTTPMethods, **kwargs):
+        self._path = path
+        self._fn = fn
+        self._method = method
+
+        self._kwargs = kwargs
+
+    @property
+    def name(self) -> str:
+        return self._fn.__name__
+
+    @property
+    def fn(self) -> Callable:
+        return self._fn
+
+    @property
+    def path(self) -> str:
+        return self._path
+
+    @property
+    def method(self) -> HTTPMethods:
+        return self._method
+
+    @property
+    def kwargs(self) -> dict:
+        return self._kwargs
+
+    def to_starlette(self, wrap_endpoint: Callable = None) -> Route:
+        return Route(
+            self._path,
+            self._fn if not wrap_endpoint else wrap_endpoint(self._fn),
+            methods=[self._method],
+            **self._kwargs,
+        )

src/cpl-api/cpl/api/model/policy.py

@@ -0,0 +1,34 @@
+from asyncio import iscoroutinefunction
+from typing import Optional
+
+from cpl.api.typing import PolicyResolver
+from cpl.core.ctx import get_user
+
+
+class Policy:
+    def __init__(
+        self,
+        name: str,
+        resolver: PolicyResolver = None,
+    ):
+        self._name = name
+        self._resolver: Optional[PolicyResolver] = resolver
+
+    @property
+    def name(self) -> str:
+        return self._name
+
+    @property
+    def resolvers(self) -> PolicyResolver:
+        return self._resolver
+
+    async def resolve(self, *args, **kwargs) -> bool:
+        if not self._resolver:
+            return True
+
+        if callable(self._resolver):
+            if iscoroutinefunction(self._resolver):
+                return await self._resolver(get_user())
+
+            return self._resolver(get_user())
+        return False

src/cpl-api/cpl/api/model/validation_match.py

@@ -0,0 +1,6 @@
+from enum import Enum
+
+
+class ValidationMatch(Enum):
+    any = "any"
+    all = "all"

src/cpl-api/cpl/api/registry/__init__.py

@@ -0,0 +1,2 @@
+from .policy import PolicyRegistry
+from .route import RouteRegistry

src/cpl-api/cpl/api/registry/policy.py

@@ -0,0 +1,28 @@
+from typing import Optional
+
+from cpl.api.model.policy import Policy
+from cpl.core.abc.registry_abc import RegistryABC
+
+
+class PolicyRegistry(RegistryABC):
+
+    def __init__(self):
+        RegistryABC.__init__(self)
+
+    def extend(self, items: list[Policy]):
+        for policy in items:
+            self.add(policy)
+
+    def add(self, item: Policy):
+        assert isinstance(item, Policy), "policy must be an instance of Policy"
+
+        if item.name in self._items:
+            raise ValueError(f"Policy {item.name} is already registered")
+
+        self._items[item.name] = item
+
+    def get(self, key: str) -> Optional[Policy]:
+        return self._items.get(key)
+
+    def all(self) -> list[Policy]:
+        return list(self._items.values())

src/cpl-api/cpl/api/registry/route.py

@@ -0,0 +1,32 @@
+from typing import Optional
+
+from cpl.api.model.api_route import ApiRoute
+from cpl.core.abc.registry_abc import RegistryABC
+
+
+class RouteRegistry(RegistryABC):
+
+    def __init__(self):
+        RegistryABC.__init__(self)
+
+    def extend(self, items: list[ApiRoute]):
+        for policy in items:
+            self.add(policy)
+
+    def add(self, item: ApiRoute):
+        assert isinstance(item, ApiRoute), "route must be an instance of ApiRoute"
+
+        if item.path in self._items:
+            raise ValueError(f"ApiRoute {item.path} is already registered")
+
+        self._items[item.path] = item
+
+    def set(self, item: ApiRoute):
+        assert isinstance(item, ApiRoute), "route must be an instance of ApiRoute"
+        self._items[item.path] = item
+
+    def get(self, key: str) -> Optional[ApiRoute]:
+        return self._items.get(key)
+
+    def all(self) -> list[ApiRoute]:
+        return list(self._items.values())

src/cpl-api/cpl/api/router.py

@@ -1,41 +1,136 @@
-from starlette.routing import Route
+from enum import Enum
+
+from cpl.api.model.validation_match import ValidationMatch
+from cpl.api.registry.route import RouteRegistry
+from cpl.api.typing import HTTPMethods
 
 
 class Router:
-    _registered_routes: list[Route] = []
+    _auth_required: list[str] = []
+    _authorization_rules: dict[str, dict] = {}
 
     @classmethod
-    def get_routes(cls) -> list[Route]:
-        return cls._registered_routes
+    def get_auth_required_routes(cls) -> list[str]:
+        return cls._auth_required
 
     @classmethod
-    def route(cls, path=None, **kwargs):
+    def get_authorization_rules_paths(cls) -> list[str]:
+        return list(cls._authorization_rules.keys())
+
+    @classmethod
+    def get_authorization_rules(cls) -> list[dict]:
+        return list(cls._authorization_rules.values())
+
+    @classmethod
+    def authenticate(cls):
+        """
+        Decorator to mark a route as requiring authentication.
+        Usage:
+            @Route.authenticate()
+            @Route.get("/example")
+            async def example_endpoint(request: TRequest):
+                ...
+        """
+
         def inner(fn):
-            cls._registered_routes.append(Route(path, fn, **kwargs))
+            route_path = getattr(fn, "_route_path", None)
+            if route_path and route_path not in cls._auth_required:
+                cls._auth_required.append(route_path)
+            return fn
+
+        return inner
+
+    @classmethod
+    def authorize(
+        cls,
+        roles: list[str | Enum] = None,
+        permissions: list[str | Enum] = None,
+        policies: list[str] = None,
+        match: ValidationMatch = None,
+    ):
+        """
+        Decorator to mark a route as requiring authorization.
+        Usage:
+            @Route.authorize()
+            @Route.get("/example")
+            async def example_endpoint(request: TRequest):
+                ...
+        """
+        assert roles is None or isinstance(roles, list), "roles must be a list of strings"
+        assert permissions is None or isinstance(permissions, list), "permissions must be a list of strings"
+        assert policies is None or isinstance(policies, list), "policies must be a list of strings"
+        assert match is None or isinstance(match, ValidationMatch), "match must be an instance of ValidationMatch"
+
+        if roles is not None:
+            for role in roles:
+                if isinstance(role, Enum):
+                    roles[roles.index(role)] = role.value
+
+        if permissions is not None:
+            for perm in permissions:
+                if isinstance(perm, Enum):
+                    permissions[permissions.index(perm)] = perm.value
+
+        def inner(fn):
+            path = getattr(fn, "_route_path", None)
+            if not path:
+                return fn
+
+            if path in cls._authorization_rules:
+                raise ValueError(f"Route {path} is already registered for authorization")
+
+            cls._authorization_rules[path] = {
+                "roles": roles or [],
+                "permissions": permissions or [],
+                "policies": policies or [],
+                "match": match or ValidationMatch.all,
+            }
+
+            return fn
+
+        return inner
+
+    @classmethod
+    def route(cls, path: str, method: HTTPMethods, registry: RouteRegistry = None, **kwargs):
+        from cpl.api.model.api_route import ApiRoute
+
+        if not registry:
+            from cpl.dependency.service_provider_abc import ServiceProviderABC
+
+            routes = ServiceProviderABC.get_global_service(RouteRegistry)
+        else:
+            routes = registry
+
+        def inner(fn):
+            routes.add(ApiRoute(path, fn, method, **kwargs))
             setattr(fn, "_route_path", path)
             return fn
 
         return inner
 
     @classmethod
-    def get(cls, path=None, **kwargs):
-        return cls.route(path, methods=["GET"], **kwargs)
+    def get(cls, path: str, **kwargs):
+        return cls.route(path, "GET", **kwargs)
 
     @classmethod
-    def post(cls, path=None, **kwargs):
-        return cls.route(path, methods=["POST"], **kwargs)
+    def head(cls, path: str, **kwargs):
+        return cls.route(path, "HEAD", **kwargs)
 
     @classmethod
-    def head(cls, path=None, **kwargs):
-        return cls.route(path, methods=["HEAD"], **kwargs)
+    def post(cls, path: str, **kwargs):
+        return cls.route(path, "POST", **kwargs)
 
     @classmethod
-    def put(cls, path=None, **kwargs):
-        return cls.route(path, methods=["PUT"], **kwargs)
+    def put(cls, path: str, **kwargs):
+        return cls.route(path, "PUT", **kwargs)
 
     @classmethod
-    def delete(cls, path=None, **kwargs):
-        return cls.route(path, methods=["DELETE"], **kwargs)
+    def patch(cls, path: str, **kwargs):
+        return cls.route(path, "PATCH", **kwargs)
+
+    @classmethod
+    def delete(cls, path: str, **kwargs):
+        return cls.route(path, "DELETE", **kwargs)
 
     @classmethod
     def override(cls):
@@ -48,13 +143,22 @@ class Router:
                 ...
         """
 
+        from cpl.api.model.api_route import ApiRoute
+        from cpl.dependency.service_provider_abc import ServiceProviderABC
+
+        routes = ServiceProviderABC.get_global_service(RouteRegistry)
+
         def inner(fn):
-            route_path = getattr(fn, "_route_path", None)
+            path = getattr(fn, "_route_path", None)
+            if path is None:
+                raise ValueError("Cannot override a route that has not been registered yet")
 
-            routes = list(filter(lambda x: x.path == route_path, cls._registered_routes))
-            for route in routes[:-1]:
-                cls._registered_routes.remove(route)
+            route = routes.get(path)
+            if route is None:
+                raise ValueError(f"Cannot override a route that does not exist: {path}")
 
+            routes.add(ApiRoute(path, fn, route.method, **route.kwargs))
+            setattr(fn, "_route_path", path)
             return fn
 
-        return inner
+        return inner