Added internal imports

.gitea/workflows/test_before_merge.yaml

@@ -0,0 +1,26 @@
+name: Test before pr merge
+run-name: Test before pr merge
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+      - ready_for_review
+
+jobs:
+  test-lint:
+    runs-on: [ runner ]
+    container: git.sh-edraft.de/sh-edraft.de/act-runner:latest
+    steps:
+      - name: Clone Repository
+        uses: https://github.com/actions/checkout@v3
+        with:
+          token: ${{ secrets.CI_ACCESS_TOKEN }}
+
+      - name: Installing black
+        run: python3.12 -m pip install black
+
+      - name: Checking black
+        run: python3.12 -m black src --check

src/cpl-api/cpl/api/__init__.py

@@ -1,20 +1,35 @@
 from cpl.dependency.service_collection import ServiceCollection as _ServiceCollection
 
+from .error import APIError, AlreadyExists, EndpointNotImplemented, Forbidden, NotFound, Unauthorized
+from .logger import APILogger
+from .settings import ApiSettings
+
 def add_api(collection: _ServiceCollection):
     try:
         from cpl.database import mysql
+
         collection.add_module(mysql)
     except ImportError as e:
         from cpl.core.errors import dependency_error
+
         dependency_error("cpl-database", e)
 
     try:
         from cpl import auth
         from cpl.auth import permission
+
         collection.add_module(auth)
         collection.add_module(permission)
     except ImportError as e:
         from cpl.core.errors import dependency_error
+
         dependency_error("cpl-auth", e)
 
-_ServiceCollection.with_module(add_api, __name__)
+    from cpl.api.registry.policy import PolicyRegistry
+    from cpl.api.registry.route import RouteRegistry
+
+    collection.add_singleton(PolicyRegistry)
+    collection.add_singleton(RouteRegistry)
+
+
+_ServiceCollection.with_module(add_api, __name__)

src/cpl-api/cpl/api/abc/__init__.py

@@ -0,0 +1 @@
+from .asgi_middleware_abc import ASGIMiddleware

src/cpl-api/cpl/api/application/__init__.py

@@ -0,0 +1 @@
+from .web_app import WebApp

src/cpl-api/cpl/api/application/web_app.py

@@ -1,5 +1,6 @@
 import os
-from typing import Mapping, Any, Callable
+from enum import Enum
+from typing import Mapping, Any, Callable, Self, Union
 
 import uvicorn
 from starlette.applications import Starlette
@@ -7,24 +8,31 @@ from starlette.middleware import Middleware
 from starlette.middleware.cors import CORSMiddleware
 from starlette.requests import Request
 from starlette.responses import JSONResponse
-from starlette.routing import Route
 from starlette.types import ExceptionHandler
 
 from cpl import api, auth
-from cpl.api.api_logger import APILogger
-from cpl.api.api_settings import ApiSettings
 from cpl.api.error import APIError
+from cpl.api.logger import APILogger
 from cpl.api.middleware.authentication import AuthenticationMiddleware
+from cpl.api.middleware.authorization import AuthorizationMiddleware
 from cpl.api.middleware.logging import LoggingMiddleware
 from cpl.api.middleware.request import RequestMiddleware
+from cpl.api.model.api_route import ApiRoute
+from cpl.api.model.policy import Policy
+from cpl.api.model.validation_match import ValidationMatch
+from cpl.api.registry.policy import PolicyRegistry
+from cpl.api.registry.route import RouteRegistry
 from cpl.api.router import Router
-from cpl.api.typing import HTTPMethods, PartialMiddleware
+from cpl.api.settings import ApiSettings
+from cpl.api.typing import HTTPMethods, PartialMiddleware, PolicyResolver
 from cpl.application.abc.application_abc import ApplicationABC
 from cpl.core.configuration import Configuration
 from cpl.dependency.service_provider_abc import ServiceProviderABC
 
 _logger = APILogger("API")
 
+PolicyInput = Union[dict[str, PolicyResolver], Policy]
+
 
 class WebApp(ApplicationABC):
     def __init__(self, services: ServiceProviderABC):
@@ -32,8 +40,9 @@ class WebApp(ApplicationABC):
         self._app: Starlette | None = None
 
         self._api_settings = Configuration.get(ApiSettings)
+        self._policies = services.get_service(PolicyRegistry)
+        self._routes = services.get_service(RouteRegistry)
 
-        self._routes: list[Route] = []
         self._middleware: list[Middleware] = [
             Middleware(RequestMiddleware),
             Middleware(LoggingMiddleware),
@@ -66,11 +75,12 @@ class WebApp(ApplicationABC):
         _logger.debug(f"Allowed origins: {origins}")
         return origins.split(",")
 
-    def with_database(self):
+    def with_database(self) -> Self:
         self.with_migrations()
         self.with_seeders()
+        return self
 
-    def with_app(self, app: Starlette):
+    def with_app(self, app: Starlette) -> Self:
         assert app is not None, "app must not be None"
         assert isinstance(app, Starlette), "app must be an instance of Starlette"
         self._app = app
@@ -80,7 +90,7 @@ class WebApp(ApplicationABC):
         if self._app is not None:
             raise ValueError("App is already set, cannot add routes or middleware")
 
-    def with_routes_directory(self, directory: str) -> "WebApp":
+    def with_routes_directory(self, directory: str) -> Self:
         self._check_for_app()
         assert directory is not None, "directory must not be None"
 
@@ -94,30 +104,67 @@ class WebApp(ApplicationABC):
 
         return self
 
-    def with_routes(self, routes: list[Route]) -> "WebApp":
+    def with_routes(
+        self,
+        routes: list[ApiRoute],
+        method: HTTPMethods,
+        authentication: bool = False,
+        roles: list[str | Enum] = None,
+        permissions: list[str | Enum] = None,
+        policies: list[str] = None,
+        match: ValidationMatch = None,
+    ) -> Self:
         self._check_for_app()
         assert self._routes is not None, "routes must not be None"
-        assert all(isinstance(route, Route) for route in routes), "all routes must be of type starlette.routing.Route"
-        self._routes.extend(routes)
+        assert all(isinstance(route, ApiRoute) for route in routes), "all routes must be of type ApiRoute"
+        for route in routes:
+            self.with_route(
+                route.path,
+                route.fn,
+                method,
+                authentication,
+                roles,
+                permissions,
+                policies,
+                match,
+            )
         return self
 
-    def with_route(self, path: str, fn: Callable[[Request], Any], method: HTTPMethods, **kwargs) -> "WebApp":
+    def with_route(
+        self,
+        path: str,
+        fn: Callable[[Request], Any],
+        method: HTTPMethods,
+        authentication: bool = False,
+        roles: list[str | Enum] = None,
+        permissions: list[str | Enum] = None,
+        policies: list[str] = None,
+        match: ValidationMatch = None,
+    ) -> Self:
         self._check_for_app()
         assert path is not None, "path must not be None"
         assert fn is not None, "fn must not be None"
         assert method in [
             "GET",
+            "HEAD",
             "POST",
             "PUT",
-            "DELETE",
             "PATCH",
+            "DELETE",
             "OPTIONS",
-            "HEAD",
         ], "method must be a valid HTTP method"
-        self._routes.append(Route(path, fn, methods=[method], **kwargs))
+
+        Router.route(path, method, registry=self._routes)(fn)
+
+        if authentication:
+            Router.authenticate()(fn)
+
+        if roles or permissions or policies:
+            Router.authorize(roles, permissions, policies, match)(fn)
+
         return self
 
-    def with_middleware(self, middleware: PartialMiddleware) -> "WebApp":
+    def with_middleware(self, middleware: PartialMiddleware) -> Self:
         self._check_for_app()
 
         if isinstance(middleware, Middleware):
@@ -129,25 +176,51 @@ class WebApp(ApplicationABC):
 
         return self
 
-    def with_authentication(self):
+    def with_authentication(self) -> Self:
         self.with_middleware(AuthenticationMiddleware)
         return self
 
-    def with_authorization(self):
-        pass
+    def with_authorization(self, *policies: list[PolicyInput] | PolicyInput) -> Self:
+        if policies:
+            _policies = []
+
+            if not isinstance(policies, list):
+                policies = list(policies)
+
+            for i, policy in enumerate(policies):
+                if isinstance(policy, dict):
+                    for name, resolver in policy.items():
+                        if not isinstance(name, str):
+                            _logger.warning(f"Skipping policy at index {i}, name must be a string")
+                            continue
+
+                        if not callable(resolver):
+                            _logger.warning(f"Skipping policy {name}, resolver must be callable")
+                            continue
+
+                        _policies.append(Policy(name, resolver))
+                    continue
+
+                _policies.append(policy)
+
+            self._policies.extend_policies(_policies)
+
+        self.with_middleware(AuthorizationMiddleware)
+        return self
+
+    def _validate_policies(self):
+        for rule in Router.get_authorization_rules():
+            for policy_name in rule["policies"]:
+                policy = self._policies.get(policy_name)
+                if not policy:
+                    _logger.fatal(f"Authorization policy '{policy_name}' not found")
 
     async def main(self):
         _logger.debug(f"Preparing API")
+        self._validate_policies()
+
         if self._app is None:
-            routes = [
-                Route(
-                    path=route.path,
-                    endpoint=self._services.inject(route.endpoint),
-                    methods=route.methods,
-                    name=route.name,
-                )
-                for route in self._routes + Router.get_routes()
-            ]
+            routes = [route.to_starlette(self._services.inject) for route in self._routes.all()]
 
             app = Starlette(
                 routes=routes,
@@ -166,20 +239,9 @@ class WebApp(ApplicationABC):
             app = self._app
 
         _logger.info(f"Start API on {self._api_settings.host}:{self._api_settings.port}")
-        # uvicorn.run(
-        #     app,
-        #     host=self._api_settings.host,
-        #     port=self._api_settings.port,
-        #     log_config=None,
-        #     loop="asyncio"
-        # )
 
         config = uvicorn.Config(
-            app,
-            host=self._api_settings.host,
-            port=self._api_settings.port,
-            log_config=None,
-            loop="asyncio"
+            app, host=self._api_settings.host, port=self._api_settings.port, log_config=None, loop="asyncio"
         )
         server = uvicorn.Server(config)
         await server.serve()

src/cpl-api/cpl/api/error.py

@@ -7,14 +7,23 @@ from starlette.types import Scope, Receive, Send
 class APIError(HTTPException):
     status_code = 500
 
-    @classmethod
-    async def asgi_response(cls, scope: Scope, receive: Receive, send: Send):
-        r = JSONResponse({"error": cls.__name__}, status_code=cls.status_code)
+    def __init__(self, message: str = ""):
+        super().__init__(self.status_code, message)
+        self._message = message
+
+    @property
+    def error_message(self) -> str:
+        if self._message:
+            return f"{type(self).__name__}: {self._message}"
+
+        return f"{type(self).__name__}"
+
+    async def asgi_response(self, scope: Scope, receive: Receive, send: Send):
+        r = JSONResponse({"error": self.error_message}, status_code=self.status_code)
         return await r(scope, receive, send)
 
-    @classmethod
-    def response(cls):
-        return JSONResponse({"error": cls.__name__}, status_code=cls.status_code)
+    def response(self):
+        return JSONResponse({"error": self.error_message}, status_code=self.status_code)
 
 
 class Unauthorized(APIError):

src/cpl-api/cpl/api/middleware/__init__.py

@@ -0,0 +1,4 @@
+from .authentication import AuthenticationMiddleware
+from .authorization import AuthorizationMiddleware
+from .logging import LoggingMiddleware
+from .request import RequestMiddleware

src/cpl-api/cpl/api/middleware/authentication.py

@@ -2,12 +2,13 @@ from keycloak import KeycloakAuthenticationError
 from starlette.types import Scope, Receive, Send
 
 from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
-from cpl.api.api_logger import APILogger
+from cpl.api.logger import APILogger
 from cpl.api.error import Unauthorized
 from cpl.api.middleware.request import get_request
 from cpl.api.router import Router
 from cpl.auth.keycloak import KeycloakClient
 from cpl.auth.schema import AuthUserDao, AuthUser
+from cpl.core.ctx import set_user
 from cpl.dependency import ServiceProviderABC
 
 _logger = APILogger(__name__)
@@ -53,6 +54,9 @@ class AuthenticationMiddleware(ASGIMiddleware):
             _logger.debug(f"Unauthorized access to {url}, user is deleted")
             return await Unauthorized("User is deleted").asgi_response(scope, receive, send)
 
+        request.state.user = user
+        set_user(user)
+
         return await self._call_next(scope, receive, send)
 
     async def _get_or_crate_user(self, keycloak_id: str) -> AuthUser:

src/cpl-api/cpl/api/middleware/authorization.py

@@ -0,0 +1,73 @@
+from starlette.types import Scope, Receive, Send
+
+from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
+from cpl.api.error import Unauthorized, Forbidden
+from cpl.api.logger import APILogger
+from cpl.api.middleware.request import get_request
+from cpl.api.model.validation_match import ValidationMatch
+from cpl.api.registry.policy import PolicyRegistry
+from cpl.api.router import Router
+from cpl.auth.schema._administration.auth_user_dao import AuthUserDao
+from cpl.core.ctx.user_context import get_user
+from cpl.dependency.service_provider_abc import ServiceProviderABC
+
+_logger = APILogger(__name__)
+
+
+class AuthorizationMiddleware(ASGIMiddleware):
+
+    @ServiceProviderABC.inject
+    def __init__(self, app, policies: PolicyRegistry, user_dao: AuthUserDao):
+        ASGIMiddleware.__init__(self, app)
+
+        self._policies = policies
+        self._user_dao = user_dao
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send):
+        request = get_request()
+        url = request.url.path
+
+        if url not in Router.get_authorization_rules_paths():
+            _logger.trace(f"No authorization required for {url}")
+            return await self._app(scope, receive, send)
+
+        user = get_user()
+        if not user:
+            return await Unauthorized(f"Unknown user").asgi_response(scope, receive, send)
+
+        roles = await user.roles
+        request.state.roles = roles
+        role_names = [r.name for r in roles]
+
+        perms = await user.permissions
+        request.state.permissions = perms
+        perm_names = [p.name for p in perms]
+
+        for rule in Router.get_authorization_rules():
+            match = rule["match"]
+            if rule["roles"]:
+                if match == ValidationMatch.all and not all(r in role_names for r in rule["roles"]):
+                    return await Forbidden(f"missing roles: {rule["roles"]}").asgi_response(scope, receive, send)
+                if match == ValidationMatch.any and not any(r in role_names for r in rule["roles"]):
+                    return await Forbidden(f"missing roles: {rule["roles"]}").asgi_response(scope, receive, send)
+
+            if rule["permissions"]:
+                if match == ValidationMatch.all and not all(p in perm_names for p in rule["permissions"]):
+                    return await Forbidden(f"missing permissions: {rule["permissions"]}").asgi_response(
+                        scope, receive, send
+                    )
+                if match == ValidationMatch.any and not any(p in perm_names for p in rule["permissions"]):
+                    return await Forbidden(f"missing permissions: {rule["permissions"]}").asgi_response(
+                        scope, receive, send
+                    )
+
+            for policy_name in rule["policies"]:
+                policy = self._policies.get(policy_name)
+                if not policy:
+                    _logger.warning(f"Authorization policy '{policy_name}' not found")
+                    continue
+
+                if not await policy.resolve(user):
+                    return await Forbidden(f"policy {policy.name} failed").asgi_response(scope, receive, send)
+
+        return await self._call_next(scope, receive, send)

src/cpl-api/cpl/api/middleware/logging.py

@@ -4,11 +4,12 @@ from starlette.requests import Request
 from starlette.types import Receive, Scope, Send
 
 from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
-from cpl.api.api_logger import APILogger
+from cpl.api.logger import APILogger
 from cpl.api.middleware.request import get_request
 
 _logger = APILogger(__name__)
 
+
 class LoggingMiddleware(ASGIMiddleware):
 
     def __init__(self, app):
@@ -83,4 +84,4 @@ class LoggingMiddleware(ASGIMiddleware):
     async def _log_after_request(request: Request, status_code: int, duration: float):
         _logger.info(
             f"Request finished {getattr(request.state, 'request_id', '-')}: {status_code}-{request.method}@{request.url.path} from {request.client.host} in {duration:.2f}ms"
-        )
+        )

src/cpl-api/cpl/api/middleware/request.py

@@ -5,10 +5,9 @@ from uuid import uuid4
 
 from starlette.requests import Request
 from starlette.types import Scope, Receive, Send
-from starlette.websockets import WebSocket
 
 from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
-from cpl.api.api_logger import APILogger
+from cpl.api.logger import APILogger
 from cpl.api.typing import TRequest
 
 _request_context: ContextVar[Union[TRequest, None]] = ContextVar("request", default=None)
@@ -50,5 +49,5 @@ class RequestMiddleware(ASGIMiddleware):
         _request_context.reset(self._ctx_token)
 
 
-def get_request() -> Optional[Union[TRequest, WebSocket]]:
-    return _request_context.get()
+def get_request() -> Optional[TRequest]:
+    return _request_context.get()

src/cpl-api/cpl/api/model/__init__.py

@@ -0,0 +1,3 @@
+from .api_route import ApiRoute
+from .policy import Policy
+from .validation_match import ValidationMatch

src/cpl-api/cpl/api/model/api_route.py

@@ -0,0 +1,43 @@
+from typing import Callable
+
+from starlette.routing import Route
+
+from cpl.api.typing import HTTPMethods
+
+
+class ApiRoute:
+
+    def __init__(self, path: str, fn: Callable, method: HTTPMethods, **kwargs):
+        self._path = path
+        self._fn = fn
+        self._method = method
+
+        self._kwargs = kwargs
+
+    @property
+    def name(self) -> str:
+        return self._fn.__name__
+
+    @property
+    def fn(self) -> Callable:
+        return self._fn
+
+    @property
+    def path(self) -> str:
+        return self._path
+
+    @property
+    def method(self) -> HTTPMethods:
+        return self._method
+
+    @property
+    def kwargs(self) -> dict:
+        return self._kwargs
+
+    def to_starlette(self, wrap_endpoint: Callable = None) -> Route:
+        return Route(
+            self._path,
+            self._fn if not wrap_endpoint else wrap_endpoint(self._fn),
+            methods=[self._method],
+            **self._kwargs,
+        )

src/cpl-api/cpl/api/model/policy.py

@@ -0,0 +1,34 @@
+from asyncio import iscoroutinefunction
+from typing import Optional, Any, Coroutine, Awaitable
+
+from cpl.api.typing import PolicyResolver
+from cpl.core.ctx import get_user
+
+
+class Policy:
+    def __init__(
+        self,
+        name: str,
+        resolver: PolicyResolver = None,
+    ):
+        self._name = name
+        self._resolver: Optional[PolicyResolver] = resolver
+
+    @property
+    def name(self) -> str:
+        return self._name
+
+    @property
+    def resolvers(self) -> PolicyResolver:
+        return self._resolver
+
+    async def resolve(self, *args, **kwargs) -> bool:
+        if not self._resolver:
+            return True
+
+        if callable(self._resolver):
+            if iscoroutinefunction(self._resolver):
+                return await self._resolver(get_user())
+
+            return self._resolver(get_user())
+        return False

src/cpl-api/cpl/api/model/validation_match.py

@@ -0,0 +1,6 @@
+from enum import Enum
+
+
+class ValidationMatch(Enum):
+    any = "any"
+    all = "all"

src/cpl-api/cpl/api/registry/__init__.py

@@ -0,0 +1,2 @@
+from .policy import PolicyRegistry
+from .route import RouteRegistry

src/cpl-api/cpl/api/registry/policy.py

@@ -0,0 +1,28 @@
+from typing import Optional
+
+from cpl.api.model.policy import Policy
+from cpl.core.abc.registry_abc import RegistryABC
+
+
+class PolicyRegistry(RegistryABC):
+
+    def __init__(self):
+        RegistryABC.__init__(self)
+
+    def extend(self, items: list[Policy]):
+        for policy in items:
+            self.add(policy)
+
+    def add(self, item: Policy):
+        assert isinstance(item, Policy), "policy must be an instance of Policy"
+
+        if item.name in self._items:
+            raise ValueError(f"Policy {item.name} is already registered")
+
+        self._items[item.name] = item
+
+    def get(self, key: str) -> Optional[Policy]:
+        return self._items.get(key)
+
+    def all(self) -> list[Policy]:
+        return list(self._items.values())

src/cpl-api/cpl/api/registry/route.py

@@ -0,0 +1,33 @@
+from typing import Optional
+
+from cpl.api.model.policy import Policy
+from cpl.api.model.api_route import ApiRoute
+from cpl.core.abc.registry_abc import RegistryABC
+
+
+class RouteRegistry(RegistryABC):
+
+    def __init__(self):
+        RegistryABC.__init__(self)
+
+    def extend(self, items: list[ApiRoute]):
+        for policy in items:
+            self.add(policy)
+
+    def add(self, item: ApiRoute):
+        assert isinstance(item, ApiRoute), "route must be an instance of ApiRoute"
+
+        if item.path in self._items:
+            raise ValueError(f"ApiRoute {item.path} is already registered")
+
+        self._items[item.path] = item
+
+    def set(self, item: ApiRoute):
+        assert isinstance(item, ApiRoute), "route must be an instance of ApiRoute"
+        self._items[item.path] = item
+
+    def get(self, key: str) -> Optional[ApiRoute]:
+        return self._items.get(key)
+
+    def all(self) -> list[ApiRoute]:
+        return list(self._items.values())

src/cpl-api/cpl/api/router.py

@@ -1,18 +1,26 @@
-from starlette.routing import Route
+from enum import Enum
+
+from cpl.api.model.validation_match import ValidationMatch
+from cpl.api.registry.route import RouteRegistry
+from cpl.api.typing import HTTPMethods
 
 
 class Router:
-    _registered_routes: list[Route] = []
     _auth_required: list[str] = []
-
-    @classmethod
-    def get_routes(cls) -> list[Route]:
-        return cls._registered_routes
+    _authorization_rules: dict[str, dict] = {}
 
     @classmethod
     def get_auth_required_routes(cls) -> list[str]:
         return cls._auth_required
 
+    @classmethod
+    def get_authorization_rules_paths(cls) -> list[str]:
+        return list(cls._authorization_rules.keys())
+
+    @classmethod
+    def get_authorization_rules(cls) -> list[dict]:
+        return list(cls._authorization_rules.values())
+
     @classmethod
     def authenticate(cls):
         """
@@ -33,33 +41,95 @@ class Router:
         return inner
 
     @classmethod
-    def route(cls, path=None, **kwargs):
+    def authorize(
+        cls,
+        roles: list[str | Enum] = None,
+        permissions: list[str | Enum] = None,
+        policies: list[str] = None,
+        match: ValidationMatch = None,
+    ):
+        """
+        Decorator to mark a route as requiring authorization.
+        Usage:
+            @Route.authorize()
+            @Route.get("/example")
+            async def example_endpoint(request: TRequest):
+                ...
+        """
+        assert roles is None or isinstance(roles, list), "roles must be a list of strings"
+        assert permissions is None or isinstance(permissions, list), "permissions must be a list of strings"
+        assert policies is None or isinstance(policies, list), "policies must be a list of strings"
+        assert match is None or isinstance(match, ValidationMatch), "match must be an instance of ValidationMatch"
+
+        if roles is not None:
+            for role in roles:
+                if isinstance(role, Enum):
+                    roles[roles.index(role)] = role.value
+
+        if permissions is not None:
+            for perm in permissions:
+                if isinstance(perm, Enum):
+                    permissions[permissions.index(perm)] = perm.value
+
         def inner(fn):
-            cls._registered_routes.append(Route(path, fn, **kwargs))
+            path = getattr(fn, "_route_path", None)
+            if not path:
+                return fn
+
+            if path in cls._authorization_rules:
+                raise ValueError(f"Route {path} is already registered for authorization")
+
+            cls._authorization_rules[path] = {
+                "roles": roles or [],
+                "permissions": permissions or [],
+                "policies": policies or [],
+                "match": match or ValidationMatch.all,
+            }
+
+            return fn
+
+        return inner
+
+    @classmethod
+    def route(cls, path: str, method: HTTPMethods, registry: RouteRegistry = None, **kwargs):
+        if not registry:
+            from cpl.api.model.api_route import ApiRoute
+            from cpl.dependency.service_provider_abc import ServiceProviderABC
+
+            routes = ServiceProviderABC.get_global_service(RouteRegistry)
+        else:
+            routes = registry
+
+        def inner(fn):
+            routes.add(ApiRoute(path, fn, method, **kwargs))
             setattr(fn, "_route_path", path)
             return fn
 
         return inner
 
     @classmethod
-    def get(cls, path=None, **kwargs):
-        return cls.route(path, methods=["GET"], **kwargs)
+    def get(cls, path: str, **kwargs):
+        return cls.route(path, "GET", **kwargs)
 
     @classmethod
-    def post(cls, path=None, **kwargs):
-        return cls.route(path, methods=["POST"], **kwargs)
+    def head(cls, path: str, **kwargs):
+        return cls.route(path, "HEAD", **kwargs)
 
     @classmethod
-    def head(cls, path=None, **kwargs):
-        return cls.route(path, methods=["HEAD"], **kwargs)
+    def post(cls, path: str, **kwargs):
+        return cls.route(path, "POST", **kwargs)
 
     @classmethod
-    def put(cls, path=None, **kwargs):
-        return cls.route(path, methods=["PUT"], **kwargs)
+    def put(cls, path: str, **kwargs):
+        return cls.route(path, "PUT", **kwargs)
 
     @classmethod
-    def delete(cls, path=None, **kwargs):
-        return cls.route(path, methods=["DELETE"], **kwargs)
+    def patch(cls, path: str, **kwargs):
+        return cls.route(path, "PATCH", **kwargs)
+
+    @classmethod
+    def delete(cls, path: str, **kwargs):
+        return cls.route(path, "DELETE", **kwargs)
 
     @classmethod
     def override(cls):
@@ -72,13 +142,22 @@ class Router:
                 ...
         """
 
+        from cpl.api.model.api_route import ApiRoute
+        from cpl.dependency.service_provider_abc import ServiceProviderABC
+
+        routes = ServiceProviderABC.get_global_service(RouteRegistry)
+
         def inner(fn):
-            route_path = getattr(fn, "_route_path", None)
+            path = getattr(fn, "_route_path", None)
+            if path is None:
+                raise ValueError("Cannot override a route that has not been registered yet")
 
-            routes = list(filter(lambda x: x.path == route_path, cls._registered_routes))
-            for route in routes[:-1]:
-                cls._registered_routes.remove(route)
+            route = routes.get(path)
+            if route is None:
+                raise ValueError(f"Cannot override a route that does not exist: {path}")
 
+            routes.add(ApiRoute(path, fn, route.method, **route.kwargs))
+            setattr(fn, "_route_path", path)
             return fn
 
         return inner

src/cpl-api/cpl/api/typing.py

@@ -1,13 +1,19 @@
-from typing import Union, Literal, Callable
+from typing import Union, Literal, Callable, Type, Awaitable
 from urllib.request import Request
 
 from starlette.middleware import Middleware
 from starlette.types import ASGIApp
 from starlette.websockets import WebSocket
 
+from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
+from cpl.auth.schema import AuthUser
+
 TRequest = Union[Request, WebSocket]
-HTTPMethods = Literal["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
+HTTPMethods = Literal["GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
 PartialMiddleware = Union[
+    ASGIMiddleware,
+    Type[ASGIMiddleware],
     Middleware,
     Callable[[ASGIApp], ASGIApp],
 ]
+PolicyResolver = Callable[[AuthUser], bool | Awaitable[bool]]

src/cpl-application/cpl/application/abc/application_abc.py

@@ -24,10 +24,9 @@ class ApplicationABC(ABC):
     @abstractmethod
     def __init__(self, services: ServiceProviderABC, required_modules: list[str | object] = None):
         self._services = services
-        self._required_modules = [
-            x.__name__ if not isinstance(x, str) else x
-            for x in required_modules
-        ] if required_modules else []
+        self._required_modules = (
+            [x.__name__ if not isinstance(x, str) else x for x in required_modules] if required_modules else []
+        )
 
     @property
     def required_modules(self) -> list[str]:

src/cpl-auth/cpl/auth/__init__.py

@@ -59,6 +59,7 @@ def add_auth(collection: _ServiceCollection):
             migration_service.with_directory(os.path.join(os.path.dirname(os.path.realpath(__file__)), "scripts/mysql"))
     except ImportError as e:
         from cpl.core.console import Console
+
         Console.error("cpl-database is not installed", str(e))
 
 
@@ -69,6 +70,7 @@ def add_permission(collection: _ServiceCollection):
 
     try:
         from cpl.database.abc.data_seeder_abc import DataSeederABC
+
         collection.add_singleton(DataSeederABC, PermissionSeeder)
         PermissionsRegistry.with_enum(Permissions)
     except ImportError as e:

src/cpl-auth/cpl/auth/keycloak/keycloak_client.py

@@ -22,4 +22,4 @@ class KeycloakClient(KeycloakOpenID):
 
     def get_user_id(self, token: str) -> Optional[str]:
         info = self.introspect(token)
-        return info.get("sub", None)
+        return info.get("sub", None)

src/cpl-auth/cpl/auth/schema/_administration/auth_user_dao.py

@@ -43,9 +43,9 @@ class AuthUserDao(DbModelDaoABC[AuthUser]):
         p = await permission_dao.get_by_name(permission if isinstance(permission, str) else permission.value)
         result = await self._db.select_map(
             f"""
-            SELECT COUNT(*)
-            FROM permission.role_users ru
-            JOIN permission.role_permissions rp ON ru.roleId = rp.roleId
+            SELECT COUNT(*) as count
+            FROM {TableManager.get("role_users")} ru
+            JOIN {TableManager.get("role_permissions")} rp ON ru.roleId = rp.roleId
             WHERE ru.userId = {user_id}
             AND rp.permissionId = {p.id}
             AND ru.deleted = FALSE
@@ -61,9 +61,9 @@ class AuthUserDao(DbModelDaoABC[AuthUser]):
         result = await self._db.select_map(
             f"""
             SELECT p.*
-            FROM permission.permissions p
-            JOIN permission.role_permissions rp ON p.id = rp.permissionId
-            JOIN permission.role_users ru ON rp.roleId = ru.roleId
+            FROM {TableManager.get("permissions")} p
+            JOIN {TableManager.get("role_permissions")} rp ON p.id = rp.permissionId
+            JOIN {TableManager.get("role_users")} ru ON rp.roleId = ru.roleId
             WHERE ru.userId = {user_id}
             AND rp.deleted = FALSE
             AND ru.deleted = FALSE;

src/cpl-core/cpl/core/abc/registry_abc.py

@@ -0,0 +1,23 @@
+from abc import abstractmethod, ABC
+from typing import Generic
+
+from cpl.core.typing import T
+
+
+class RegistryABC(ABC, Generic[T]):
+
+    @abstractmethod
+    def __init__(self):
+        self._items: dict[str, T] = {}
+
+    @abstractmethod
+    def extend(self, items: list[T]) -> None: ...
+
+    @abstractmethod
+    def add(self, item: T) -> None: ...
+
+    @abstractmethod
+    def get(self, key: str) -> T | None: ...
+
+    @abstractmethod
+    def all(self) -> list[T]: ...

src/cpl-core/cpl/core/errors.py

@@ -12,4 +12,4 @@ def dependency_error(package_name: str, e: ImportError) -> None:
     elif e is not None:
         Console.write_line("->", str(e))
 
-    exit(1)
+    exit(1)

src/cpl-database/cpl/database/abc/data_access_object_abc.py

@@ -487,7 +487,7 @@ class DataAccessObjectABC(ABC, Generic[T_DBM]):
             builder.with_temp_table(self._external_fields[temp])
 
         if for_count:
-            builder.with_attribute("COUNT(*)", ignore_table_name=True)
+            builder.with_attribute("COUNT(*) as count", ignore_table_name=True)
         else:
             builder.with_attribute("*")
 

src/cpl-database/cpl/database/mysql/mysql_pool.py

@@ -9,6 +9,7 @@ from cpl.database.model import DatabaseSettings
 
 _logger = DBLogger(__name__)
 
+
 class MySQLPool:
 
     def __init__(self, database_settings: DatabaseSettings):

src/cpl-database/cpl/database/table_manager.py

@@ -33,7 +33,7 @@ class TableManager:
         },
         "role_users": {
             ServerTypes.POSTGRES: "permission.role_users",
-            ServerTypes.MYSQL: "permission_role_users",
+            ServerTypes.MYSQL: "permission_role_auth_users",
         },
     }
 

src/cpl-dependency/cpl/dependency/service_provider_abc.py

@@ -115,6 +115,7 @@ class ServiceProviderABC(ABC):
             return functools.partial(cls.inject)
 
         if iscoroutinefunction(f):
+
             @functools.wraps(f)
             async def async_inner(*args, **kwargs):
                 if cls._provider is None:
@@ -132,4 +133,5 @@ class ServiceProviderABC(ABC):
 
             injection = [x for x in cls._provider._build_by_signature(signature(f)) if x is not None]
             return f(*args, *injection, **kwargs)
+
         return inner

tests/custom/api/src/main.py

@@ -1,8 +1,9 @@
 from starlette.responses import JSONResponse
 
 from cpl import api
-from cpl.api.web_app import WebApp
+from cpl.api.application.web_app import WebApp
 from cpl.application import ApplicationBuilder
+from cpl.auth.permission.permissions import Permissions
 from cpl.core.configuration import Configuration
 from cpl.core.environment import Environment
 from service import PingService
@@ -24,7 +25,9 @@ def main():
     app.with_database()
 
     app.with_authentication()
-    app.with_route(path="/route1", fn=lambda r: JSONResponse("route1"), method="GET")
+    app.with_authorization()
+
+    app.with_route(path="/route1", fn=lambda r: JSONResponse("route1"), method="GET", authentication=True, permissions=[Permissions.administrator])
     app.with_routes_directory("routes")
 
     app.run()

tests/custom/api/src/routes/ping.py

@@ -3,11 +3,14 @@ from urllib.request import Request
 from starlette.responses import JSONResponse
 
 from cpl.api.router import Router
+from cpl.auth.permission.permissions import Permissions
 from cpl.core.log import Logger
 from service import PingService
 
 
 @Router.authenticate()
+@Router.authorize(permissions=[Permissions.administrator])
+# @Router.authorize(policies=["test"])
 @Router.get(f"/ping")
 async def ping(r: Request, ping: PingService, logger: Logger):
     logger.info(f"Ping: {ping}")