Initialise package to handle resources of type "system".

4 files changed, 70 insertions, 0 deletions

diff --git a/gn_auth/auth/authorisation/resources/system/__init__.py b/gn_auth/auth/authorisation/resources/system/__init__.py
new file mode 100644
index 0000000..50584d7
--- /dev/null
+++ b/gn_auth/auth/authorisation/resources/system/__init__.py
@@ -0,0 +1 @@
+"""System resource(s) package initialisation."""
diff --git a/gn_auth/auth/authorisation/resources/system/models.py b/gn_auth/auth/authorisation/resources/system/models.py
new file mode 100644
index 0000000..7c176aa
--- /dev/null
+++ b/gn_auth/auth/authorisation/resources/system/models.py
@@ -0,0 +1,47 @@
+"""Base functions and utilities for system resources."""
+from uuid import UUID
+from functools import reduce
+from typing import Sequence
+
+from gn_auth.auth.db import sqlite3 as db
+
+from gn_auth.auth.authentication.users import User
+
+from gn_auth.auth.authorisation.roles import Role
+from gn_auth.auth.authorisation.privileges import Privilege
+
+def __organise_privileges__(acc, row):
+    role_id = UUID(row["role_id"])
+    role = acc.get(role_id, Role(
+        role_id, row["role_name"], bool(int(row["user_editable"])), tuple()))
+    return {
+        **acc,
+        role_id: Role(
+            role.role_id,
+            role.role_name,
+            role.user_editable,
+            (role.privileges +
+             (Privilege(row["privilege_id"], row["privilege_description"]),)))
+    }
+
+def user_roles_on_system(conn: db.DbConnection, user: User) -> Sequence[Role]:
+    """
+    Retrieve all roles assigned to the `user` that act on `system` resources.
+    """
+    with db.cursor(conn) as cursor:
+        role_ids_query = (
+            "SELECT ur.role_id FROM user_roles AS ur INNER JOIN resources AS r "
+            "ON ur.resource_id=r.resource_id "
+            "INNER JOIN resource_categories AS rc "
+            "ON r.resource_category_id=rc.resource_category_id "
+            "WHERE user_id=? AND rc.resource_category_key='system'")
+        cursor.execute(
+            "SELECT r.*, p.* FROM roles AS r "
+            "INNER JOIN role_privileges AS rp ON r.role_id=rp.role_id "
+            "INNER JOIN privileges AS p ON rp.privilege_id=p.privilege_id "
+            f"WHERE r.role_id IN ({role_ids_query})",
+            (str(user.user_id),))
+
+        return tuple(reduce(
+            __organise_privileges__, cursor.fetchall(), {}).values())
+    return tuple()
diff --git a/gn_auth/auth/authorisation/resources/system/views.py b/gn_auth/auth/authorisation/resources/system/views.py
new file mode 100644
index 0000000..70e28d6
--- /dev/null
+++ b/gn_auth/auth/authorisation/resources/system/views.py
@@ -0,0 +1,20 @@
+"""Views relating to `System` resource(s)."""
+from flask import jsonify, Blueprint
+
+from gn_auth.auth.db.sqlite3 import with_db_connection
+
+from gn_auth.auth.authentication.oauth2.resource_server import require_oauth
+
+from gn_auth.auth.dictify import dictify
+
+from .models import user_roles_on_system
+
+system = Blueprint("system", __name__)
+
+@system.route("/roles")
+def system_roles():
+    """Get the roles that a user has that act on the system."""
+    with require_oauth.acquire("profile group") as the_token:
+        roles = with_db_connection(
+            lambda conn: user_roles_on_system(conn, the_token.user))
+        return jsonify(tuple(dictify(role) for role in roles))
diff --git a/gn_auth/auth/views.py b/gn_auth/auth/views.py
index cd1cb6f..1060ea9 100644
--- a/gn_auth/auth/views.py
+++ b/gn_auth/auth/views.py
@@ -9,6 +9,7 @@ from .authorisation.users.admin import admin
 from .authorisation.roles.views import roles
 from .authorisation.resources.views import resources
 from .authorisation.resources.groups.views import groups
+from .authorisation.resources.system.views import system
 
 oauth2 = Blueprint("oauth2", __name__)
 
@@ -18,4 +19,5 @@ oauth2.register_blueprint(users, url_prefix="/user")
 oauth2.register_blueprint(roles, url_prefix="/role")
 oauth2.register_blueprint(admin, url_prefix="/admin")
 oauth2.register_blueprint(groups, url_prefix="/group")
+oauth2.register_blueprint(system, url_prefix="/system")
 oauth2.register_blueprint(resources, url_prefix="/resource")