From 7e8ec082831b96c46893d98bc1aac54abc89d3a5 Mon Sep 17 00:00:00 2001
From: luxferre
Date: Wed, 27 May 2026 15:35:06 +0100
Subject: [PATCH] feat: auth requirements to iam endpoints
---
 src/iam/router.py | 76 +++++++++++++++++++++++++----------------------
 1 file changed, 41 insertions(+), 35 deletions(-)
diff --git a/src/iam/router.py b/src/iam/router.py
index 0c9c59a..a87baf0 100644
--- a/src/iam/router.py
+++ b/src/iam/router.py
@@ -7,24 +7,26 @@ Endpoints: """ from fastapi import APIRouter, status -from auth.exceptions import UnauthorizedException + from src.database import db_dependency +from src.schemas import ResourceName +from src.auth.exceptions import UnauthorizedException +from src.auth.service import claims_dependency +from src.auth.dependencies import org_model_root_claim_query_dependency, org_model_root_claim_body_dependency, \ + super_admin_dependency +from src.user.models import User +from src.user.dependencies import user_model_body_dependency +from src.organisation.models import Organisation as Org +from src.service.models import Service + +from src.iam.service import service_key_dependency +from src.iam.models import Permission as Perm, GroupPermissions as GPerms, Group, UserGroups +from src.iam.dependencies import group_model_query_dependency, group_model_body_dependency, perm_model_body_dependency from src.iam.schemas import IAMGetGroupPermissionsResponse, IAMGetGroupUsersResponse, IAMPostGroupRequest, \ GroupResponse, IAMPostGroupResponse, IAMPutGroupPermissionRequest, IAMPutGroupPermissionResponse, \ IAMPutGroupUserRequest, IAMPutGroupUserResponse, IAMDeleteGroupPermissionRequest, IAMDeleteGroupPermissionResponse, \ IAMDeleteGroupUserRequest, IAMDeleteGroupUserResponse, IAMGetPermissionsResponse, IAMPostPermissionRequest, \ IAMPostPermissionResponse, PermissionResponse, IAMDeletePermissionRequest, IAMGetPermissionsSearchRequest, IAMGetPermissionsSearchResponse -from src.schemas import ResourceName -from src.auth.service import claims_dependency -from src.user.models import User -from src.user.dependencies import user_model_body_dependency -from src.organisation.models import Organisation as Org -from src.service.models import Service -from src.organisation.dependencies import org_model_body_dependency - -from src.iam.service import service_key_dependency -from src.iam.models import Permission as Perm, GroupPermissions as GPerms, Group, UserGroups -from 
src.iam.dependencies import group_model_query_dependency, group_model_body_dependency, perm_model_body_dependency router = APIRouter( tags=["IAM"], @@ -64,21 +66,21 @@ async def can_act_on_resource(valid_key: service_key_dependency, db: db_dependen @router.get("/group/permissions", response_model=IAMGetGroupPermissionsResponse) -async def get_group_permissions(group_model: group_model_query_dependency): - # TODO: root_user_dependency +async def get_group_permissions(group_model: group_model_query_dependency, org_model: org_model_root_claim_query_dependency): + if group_model.org_id != org_model.id: + raise UnauthorizedException() return {"permissions": group_model.permission_rel} @router.get("/group/users", response_model=IAMGetGroupUsersResponse) -async def get_group_users(group_model: group_model_query_dependency): - # TODO: root_user_dependency +async def get_group_users(group_model: group_model_query_dependency, org_model: org_model_root_claim_query_dependency): + if group_model.org_id == org_model.id: + raise UnauthorizedException() return {"users": group_model.user_rel} @router.post("/group", response_model=IAMPostGroupResponse) -async def create_group(db: db_dependency, request_model: IAMPostGroupRequest, org_model: org_model_body_dependency): - # TODO: root_user_dependency - # TODO: get org ID from dependency instead of query (needs updated dep first) +async def create_group(db: db_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPostGroupRequest): group_model = Group(name=request_model.name, org_id=org_model.id) db.add(group_model) 
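Review bot: The organisation-ownership guard in get_group_users is inverted — `if group_model.org_id == org_model.id: raise UnauthorizedException()` rejects the caller precisely when the group belongs to their own organisation and lets requests for another organisation's group through; only get_group_permissions in this hunk uses the correct `!=`. The same inverted comparison is repeated in the following hunks for add_group_permission, add_group_user, remove_group_permissions and remove_group_user, so the fix is the one-line change `if group_model.org_id != org_model.id:` in each of the five routes. Since the check is now written verbatim five times, folding it into a small helper or a dependency that resolves the group and asserts ownership would keep the direction of the comparison in one place. A test that requests a group from a different organisation and expects UnauthorizedException would have caught this before merge.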
@@ -89,8 +91,10 @@ async def create_group(db: db_dependency, request_model: IAMPostGroupRequest, or @router.put("/group/permission", response_model=IAMPutGroupPermissionResponse) -async def add_group_permission(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, request_model: IAMPutGroupPermissionRequest): - # TODO: root_user_dependency +async def add_group_permission(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPutGroupPermissionRequest): + if group_model.org_id == org_model.id: + raise UnauthorizedException() + group_model.permission_rel.append(perm_model) db.flush() @@ -100,8 +104,10 @@ async def add_group_permission(db: db_dependency, group_model: group_model_body_ @router.put("/group/user") -async def add_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, request_model: IAMPutGroupUserRequest): - # TODO: root_user_dependency +async def add_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPutGroupUserRequest): + if group_model.org_id == org_model.id: + raise UnauthorizedException() + group_model.user_rel.append(user_model) db.flush() response = IAMPutGroupUserResponse(group=GroupResponse(**group_model.__dict__), users=group_model.user_rel) 
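Review bot: add_group_user verifies only that the group belongs to the caller's organisation, not that the user being attached does, so after the direction of the comparison is corrected (raised on the earlier hunk) a root claim for one organisation could still add a member from another organisation's user pool to its group. Whether User carries an organisation reference is not visible in this hunk; if it does, a matching guard on the user (something like `if user_model.org_id != org_model.id: raise UnauthorizedException()`, attribute name assumed) closes the gap, and the same applies to remove_group_user in a later hunk. If users are intentionally shared across organisations, a one-line comment saying so above the guard would make the omission deliberate rather than accidental.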
@@ -110,8 +116,10 @@ async def add_group_user(db: db_dependency, group_model: group_model_body_depend @router.delete("/group/permissions") -async def remove_group_permissions(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, request_model: IAMDeleteGroupPermissionRequest): - # TODO: root_user_dependency +async def remove_group_permissions(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMDeleteGroupPermissionRequest): + if group_model.org_id == org_model.id: + raise UnauthorizedException() + group_model.permission_rel.remove(perm_model) db.flush() response = IAMDeleteGroupPermissionResponse(group=GroupResponse(**group_model.__dict__), @@ -121,8 +129,10 @@ async def remove_group_permissions(db: db_dependency, group_model: group_model_b @router.delete("/group/user") -async def remove_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, request_model: IAMDeleteGroupUserRequest): - # TODO: root_user_dependency +async def remove_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMDeleteGroupUserRequest): + if group_model.org_id == org_model.id: + raise UnauthorizedException() + user_model.group_rel.remove(group_model) db.flush() response = IAMDeleteGroupUserResponse(group=GroupResponse(**group_model.__dict__), users=group_model.user_rel) 
@@ -132,16 +142,14 @@ async def remove_group_user(db: db_dependency, group_model: group_model_body_dep @router.get("/permissions", response_model=IAMGetPermissionsResponse) -async def get_permissions(db: db_dependency): - # TODO: root_user_dependency +async def get_permissions(db: db_dependency, org_model: org_model_root_claim_body_dependency): permission_models = db.query(Perm).all() return {"permissions": permission_models} @router.post("/permission") -async def create_new_permission(db: db_dependency, request_mode: IAMPostPermissionRequest): - # TODO: super_admin_dependency +async def create_new_permission(db: db_dependency, su: super_admin_dependency, request_mode: IAMPostPermissionRequest): perm_model = Perm(**request_mode.__dict__) db.add(perm_model) @@ -152,15 +160,13 @@ async def create_new_permission(db: db_dependency, request_mode: IAMPostPermissi @router.delete("/permission", status_code=status.HTTP_204_NO_CONTENT) -async def delete_permission(db: db_dependency, perm_model: perm_model_body_dependency, request_model: IAMDeletePermissionRequest): - # TODO: super_admin_dependency +async def delete_permission(db: db_dependency, su: super_admin_dependency, perm_model: perm_model_body_dependency, request_model: IAMDeletePermissionRequest): db.delete(perm_model) db.commit() @router.get("/permissions/search", response_model=IAMGetPermissionsSearchResponse) -async def get_permissions(db: db_dependency, search: IAMGetPermissionsSearchRequest): - # TODO: root_user_dependency +async def get_permissions(db: db_dependency, org_model: org_model_root_claim_body_dependency, search: IAMGetPermissionsSearchRequest): permission_query = db.query(Perm) if search.service_id is not None:
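Review bot: get_permissions at /permissions is a GET route but takes `org_model: org_model_root_claim_body_dependency`, while the GET routes for /group/permissions and /group/users in an earlier hunk use the `_query_` variant; if the body variant reads the request body, as its name suggests, clients would have to send a body with a GET, which most HTTP clients and proxies drop. Unless that dependency resolves the organisation from the claims alone, the signature should read `org_model: org_model_root_claim_query_dependency`, and the same pattern appears on the /permissions/search route in the next hunk. In create_new_permission and delete_permission the `su` parameter is bound only for its side effect as an authorisation gate, which is fine for FastAPI dependencies, but a short comment such as `# super-admin gate; value intentionally unused` on those signatures would make that intent explicit to the next reader.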