minor: ruff formatter
All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas
This commit is contained in:
parent
b2e5dd2ebb
commit
c689ac1e10
91 changed files with 1710 additions and 689 deletions
|
|
@ -15,6 +15,7 @@ Endpoints:
|
|||
- [DELETE](/iam/permission): [super admin]: Removes a permission
|
||||
- [GET](/iam/permissions/search): [root user]: Returns a list of permissions matching a filter(service|resource|action)
|
||||
"""
|
||||
|
||||
from fastapi import APIRouter, status
|
||||
from sqlalchemy.exc import IntegrityError
|
||||
from psycopg import errors
|
||||
|
|
@ -25,21 +26,49 @@ from src.database import db_dependency
|
|||
from src.schemas import ResourceName
|
||||
from src.auth.exceptions import UnauthorizedException
|
||||
from src.auth.service import claims_dependency
|
||||
from src.auth.dependencies import org_model_root_claim_query_dependency, org_model_root_claim_body_dependency, \
|
||||
super_admin_dependency
|
||||
from src.auth.dependencies import (
|
||||
org_model_root_claim_query_dependency,
|
||||
org_model_root_claim_body_dependency,
|
||||
super_admin_dependency,
|
||||
)
|
||||
from src.user.models import User
|
||||
from src.user.dependencies import user_model_body_dependency
|
||||
from src.organisation.models import Organisation as Org
|
||||
from src.service.models import Service
|
||||
|
||||
from src.iam.service import service_key_dependency
|
||||
from src.iam.models import Permission as Perm, GroupPermissions as GPerms, Group, UserGroups
|
||||
from src.iam.dependencies import group_model_query_dependency, group_model_body_dependency, perm_model_body_dependency
|
||||
from src.iam.schemas import IAMGetGroupPermissionsResponse, IAMGetGroupUsersResponse, IAMPostGroupRequest, \
|
||||
GroupSchema, IAMPostGroupResponse, IAMPutGroupPermissionRequest, IAMPutGroupPermissionResponse, \
|
||||
IAMPutGroupUserRequest, IAMPutGroupUserResponse, IAMDeleteGroupPermissionRequest, IAMDeleteGroupPermissionResponse, \
|
||||
IAMDeleteGroupUserRequest, IAMDeleteGroupUserResponse, IAMGetPermissionsResponse, IAMPostPermissionRequest, \
|
||||
IAMPostPermissionResponse, IAMDeletePermissionRequest, IAMGetPermissionsSearchRequest, IAMGetPermissionsSearchResponse
|
||||
from src.iam.models import (
|
||||
Permission as Perm,
|
||||
GroupPermissions as GPerms,
|
||||
Group,
|
||||
UserGroups,
|
||||
)
|
||||
from src.iam.dependencies import (
|
||||
group_model_query_dependency,
|
||||
group_model_body_dependency,
|
||||
perm_model_body_dependency,
|
||||
)
|
||||
from src.iam.schemas import (
|
||||
IAMGetGroupPermissionsResponse,
|
||||
IAMGetGroupUsersResponse,
|
||||
IAMPostGroupRequest,
|
||||
GroupSchema,
|
||||
IAMPostGroupResponse,
|
||||
IAMPutGroupPermissionRequest,
|
||||
IAMPutGroupPermissionResponse,
|
||||
IAMPutGroupUserRequest,
|
||||
IAMPutGroupUserResponse,
|
||||
IAMDeleteGroupPermissionRequest,
|
||||
IAMDeleteGroupPermissionResponse,
|
||||
IAMDeleteGroupUserRequest,
|
||||
IAMDeleteGroupUserResponse,
|
||||
IAMGetPermissionsResponse,
|
||||
IAMPostPermissionRequest,
|
||||
IAMPostPermissionResponse,
|
||||
IAMDeletePermissionRequest,
|
||||
IAMGetPermissionsSearchRequest,
|
||||
IAMGetPermissionsSearchResponse,
|
||||
)
|
||||
|
||||
router = APIRouter(
|
||||
tags=["IAM"],
|
||||
|
|
@ -48,26 +77,32 @@ router = APIRouter(
|
|||
|
||||
|
||||
@router.post("/can_act_on_resource")
|
||||
async def can_act_on_resource(valid_key: service_key_dependency, db: db_dependency, user_claims: claims_dependency,
|
||||
rn: ResourceName, action: str) -> bool:
|
||||
async def can_act_on_resource(
|
||||
valid_key: service_key_dependency,
|
||||
db: db_dependency,
|
||||
user_claims: claims_dependency,
|
||||
rn: ResourceName,
|
||||
action: str,
|
||||
) -> bool:
|
||||
try:
|
||||
user_id = user_claims["db_id"]
|
||||
rn_org = rn.organisation
|
||||
rn_service = rn.service
|
||||
rn_resource = rn.resource
|
||||
|
||||
result = (db.query(Perm)
|
||||
.join(Service, Service.id == Perm.service_id)
|
||||
.join(GPerms, GPerms.permission_id == Perm.id)
|
||||
.join(Group, Group.id == GPerms.group_id)
|
||||
.join(Org, Org.id == Group.org_id)
|
||||
.join(UserGroups, UserGroups.group_id == Group.id)
|
||||
.join(User, User.id == UserGroups.user_id)
|
||||
.filter(User.id == user_id)
|
||||
.filter(Org.name == rn_org)
|
||||
.filter(Service.name == rn_service)
|
||||
.filter(Perm.resource == rn_resource)
|
||||
.filter(Perm.action == action)
|
||||
result = (
|
||||
db.query(Perm)
|
||||
.join(Service, Service.id == Perm.service_id)
|
||||
.join(GPerms, GPerms.permission_id == Perm.id)
|
||||
.join(Group, Group.id == GPerms.group_id)
|
||||
.join(Org, Org.id == Group.org_id)
|
||||
.join(UserGroups, UserGroups.group_id == Group.id)
|
||||
.join(User, User.id == UserGroups.user_id)
|
||||
.filter(User.id == user_id)
|
||||
.filter(Org.name == rn_org)
|
||||
.filter(Service.name == rn_service)
|
||||
.filter(Perm.resource == rn_resource)
|
||||
.filter(Perm.action == action)
|
||||
).first()
|
||||
|
||||
if result:
|
||||
|
|
@ -79,21 +114,31 @@ async def can_act_on_resource(valid_key: service_key_dependency, db: db_dependen
|
|||
|
||||
|
||||
@router.get("/group/permissions", response_model=IAMGetGroupPermissionsResponse)
|
||||
async def get_group_permissions(group_model: group_model_query_dependency, org_model: org_model_root_claim_query_dependency):
|
||||
async def get_group_permissions(
|
||||
group_model: group_model_query_dependency,
|
||||
org_model: org_model_root_claim_query_dependency,
|
||||
):
|
||||
if group_model.org_id != org_model.id:
|
||||
raise UnauthorizedException("Group does not belong to this organization")
|
||||
return {"permissions": group_model.permission_rel}
|
||||
|
||||
|
||||
@router.get("/group/users", response_model=IAMGetGroupUsersResponse)
|
||||
async def get_group_users(group_model: group_model_query_dependency, org_model: org_model_root_claim_query_dependency):
|
||||
async def get_group_users(
|
||||
group_model: group_model_query_dependency,
|
||||
org_model: org_model_root_claim_query_dependency,
|
||||
):
|
||||
if group_model.org_id != org_model.id:
|
||||
raise UnauthorizedException("Group does not belong to this organization")
|
||||
return {"users": group_model.user_rel}
|
||||
|
||||
|
||||
@router.post("/group", response_model=IAMPostGroupResponse)
|
||||
async def create_group(db: db_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPostGroupRequest):
|
||||
async def create_group(
|
||||
db: db_dependency,
|
||||
org_model: org_model_root_claim_body_dependency,
|
||||
request_model: IAMPostGroupRequest,
|
||||
):
|
||||
group_model = Group(name=request_model.name, org_id=org_model.id)
|
||||
|
||||
db.add(group_model)
|
||||
|
|
@ -101,9 +146,9 @@ async def create_group(db: db_dependency, org_model: org_model_root_claim_body_d
|
|||
db.flush()
|
||||
except IntegrityError as e:
|
||||
if (
|
||||
getattr(e.orig, "pgcode", None) == "23505" # Postgres unique violation
|
||||
or "UNIQUE constraint failed" in str(e.orig) # SQLite unique violation
|
||||
):
|
||||
getattr(e.orig, "pgcode", None) == "23505" # Postgres unique violation
|
||||
or "UNIQUE constraint failed" in str(e.orig) # SQLite unique violation
|
||||
):
|
||||
raise ConflictException("Group with this name already exists")
|
||||
response = GroupSchema(**group_model.__dict__)
|
||||
db.commit()
|
||||
|
|
@ -111,7 +156,13 @@ async def create_group(db: db_dependency, org_model: org_model_root_claim_body_d
|
|||
|
||||
|
||||
@router.put("/group/permission", response_model=IAMPutGroupPermissionResponse)
|
||||
async def add_group_permission(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPutGroupPermissionRequest):
|
||||
async def add_group_permission(
|
||||
db: db_dependency,
|
||||
group_model: group_model_body_dependency,
|
||||
perm_model: perm_model_body_dependency,
|
||||
org_model: org_model_root_claim_body_dependency,
|
||||
request_model: IAMPutGroupPermissionRequest,
|
||||
):
|
||||
if group_model.org_id != org_model.id:
|
||||
raise UnauthorizedException("Group does not belong to this organization")
|
||||
|
||||
|
|
@ -121,13 +172,22 @@ async def add_group_permission(db: db_dependency, group_model: group_model_body_
|
|||
group_model.permission_rel.append(perm_model)
|
||||
|
||||
db.flush()
|
||||
response = IAMPutGroupPermissionResponse(group=GroupSchema(**group_model.__dict__), permissions=group_model.permission_rel)
|
||||
response = IAMPutGroupPermissionResponse(
|
||||
group=GroupSchema(**group_model.__dict__),
|
||||
permissions=group_model.permission_rel,
|
||||
)
|
||||
db.commit()
|
||||
return response
|
||||
|
||||
|
||||
@router.put("/group/user", response_model=IAMPutGroupUserResponse)
|
||||
async def add_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPutGroupUserRequest):
|
||||
async def add_group_user(
|
||||
db: db_dependency,
|
||||
group_model: group_model_body_dependency,
|
||||
user_model: user_model_body_dependency,
|
||||
org_model: org_model_root_claim_body_dependency,
|
||||
request_model: IAMPutGroupUserRequest,
|
||||
):
|
||||
if group_model.org_id != org_model.id:
|
||||
raise UnauthorizedException("Group does not belong to this organization")
|
||||
|
||||
|
|
@ -136,46 +196,70 @@ async def add_group_user(db: db_dependency, group_model: group_model_body_depend
|
|||
|
||||
group_model.user_rel.append(user_model)
|
||||
db.flush()
|
||||
response = IAMPutGroupUserResponse(group=GroupSchema(**group_model.__dict__), users=group_model.user_rel)
|
||||
response = IAMPutGroupUserResponse(
|
||||
group=GroupSchema(**group_model.__dict__), users=group_model.user_rel
|
||||
)
|
||||
db.commit()
|
||||
return response
|
||||
|
||||
|
||||
@router.delete("/group/permissions")
|
||||
async def remove_group_permissions(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMDeleteGroupPermissionRequest):
|
||||
async def remove_group_permissions(
|
||||
db: db_dependency,
|
||||
group_model: group_model_body_dependency,
|
||||
perm_model: perm_model_body_dependency,
|
||||
org_model: org_model_root_claim_body_dependency,
|
||||
request_model: IAMDeleteGroupPermissionRequest,
|
||||
):
|
||||
if group_model.org_id != org_model.id:
|
||||
raise UnauthorizedException("Group does not belong to this organization")
|
||||
|
||||
group_model.permission_rel.remove(perm_model)
|
||||
db.flush()
|
||||
response = IAMDeleteGroupPermissionResponse(group=GroupSchema(**group_model.__dict__),
|
||||
permissions=group_model.permission_rel)
|
||||
response = IAMDeleteGroupPermissionResponse(
|
||||
group=GroupSchema(**group_model.__dict__),
|
||||
permissions=group_model.permission_rel,
|
||||
)
|
||||
db.commit()
|
||||
return response
|
||||
|
||||
|
||||
@router.delete("/group/user")
|
||||
async def remove_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMDeleteGroupUserRequest):
|
||||
async def remove_group_user(
|
||||
db: db_dependency,
|
||||
group_model: group_model_body_dependency,
|
||||
user_model: user_model_body_dependency,
|
||||
org_model: org_model_root_claim_body_dependency,
|
||||
request_model: IAMDeleteGroupUserRequest,
|
||||
):
|
||||
if group_model.org_id != org_model.id:
|
||||
raise UnauthorizedException("Group does not belong to this organization")
|
||||
|
||||
user_model.group_rel.remove(group_model)
|
||||
db.flush()
|
||||
response = IAMDeleteGroupUserResponse(group=GroupSchema(**group_model.__dict__), users=group_model.user_rel)
|
||||
response = IAMDeleteGroupUserResponse(
|
||||
group=GroupSchema(**group_model.__dict__), users=group_model.user_rel
|
||||
)
|
||||
db.commit()
|
||||
|
||||
return response
|
||||
|
||||
|
||||
@router.get("/permissions", response_model=IAMGetPermissionsResponse)
|
||||
async def get_permissions(db: db_dependency, org_model: org_model_root_claim_query_dependency):
|
||||
async def get_permissions(
|
||||
db: db_dependency, org_model: org_model_root_claim_query_dependency
|
||||
):
|
||||
permission_models = db.query(Perm).all()
|
||||
|
||||
return {"permissions": permission_models}
|
||||
|
||||
|
||||
@router.post("/permission", response_model=IAMPostPermissionResponse)
|
||||
async def create_new_permission(db: db_dependency, su: super_admin_dependency, request_model: IAMPostPermissionRequest):
|
||||
async def create_new_permission(
|
||||
db: db_dependency,
|
||||
su: super_admin_dependency,
|
||||
request_model: IAMPostPermissionRequest,
|
||||
):
|
||||
service_model = db.get(Service, request_model.service_id)
|
||||
if service_model is None:
|
||||
raise ServiceNotFoundException(service_id=request_model.service_id)
|
||||
|
|
@ -186,29 +270,46 @@ async def create_new_permission(db: db_dependency, su: super_admin_dependency, r
|
|||
if isinstance(e.orig, errors.UniqueViolation):
|
||||
raise ConflictException(message="Permission already exists")
|
||||
db.flush()
|
||||
response = {"service_name": perm_model.service_name, "resource": perm_model.resource, "action": perm_model.action}
|
||||
response = {
|
||||
"service_name": perm_model.service_name,
|
||||
"resource": perm_model.resource,
|
||||
"action": perm_model.action,
|
||||
}
|
||||
db.commit()
|
||||
return {"permission": response}
|
||||
|
||||
|
||||
@router.delete("/permission", status_code=status.HTTP_204_NO_CONTENT)
|
||||
async def delete_permission(db: db_dependency, su: super_admin_dependency, perm_model: perm_model_body_dependency, request_model: IAMDeletePermissionRequest):
|
||||
async def delete_permission(
|
||||
db: db_dependency,
|
||||
su: super_admin_dependency,
|
||||
perm_model: perm_model_body_dependency,
|
||||
request_model: IAMDeletePermissionRequest,
|
||||
):
|
||||
db.delete(perm_model)
|
||||
db.commit()
|
||||
|
||||
|
||||
@router.post("/permissions/search", response_model=IAMGetPermissionsSearchResponse)
|
||||
async def post_permissions(db: db_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMGetPermissionsSearchRequest):
|
||||
async def post_permissions(
|
||||
db: db_dependency,
|
||||
org_model: org_model_root_claim_body_dependency,
|
||||
request_model: IAMGetPermissionsSearchRequest,
|
||||
):
|
||||
permission_query = db.query(Perm)
|
||||
|
||||
if request_model.service_id is not None:
|
||||
permission_query = permission_query.filter(Perm.service_id == request_model.service_id)
|
||||
permission_query = permission_query.filter(
|
||||
Perm.service_id == request_model.service_id
|
||||
)
|
||||
|
||||
if request_model.resource is not None:
|
||||
permission_query = permission_query.filter(Perm.resource == request_model.resource)
|
||||
permission_query = permission_query.filter(
|
||||
Perm.resource == request_model.resource
|
||||
)
|
||||
|
||||
if request_model.action is not None:
|
||||
permission_query = permission_query.filter(Perm.action == request_model. action)
|
||||
permission_query = permission_query.filter(Perm.action == request_model.action)
|
||||
|
||||
permission_models = permission_query.all()
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue