aboutsummaryrefslogtreecommitdiff
path: root/gn3/auth
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2023-01-16 12:14:24 +0300
committerFrederick Muriuki Muriithi2023-01-16 12:14:24 +0300
commit98dc0c5b1a67a7c7b97a1fa02211e9f99360edce (patch)
treedc0c6f6bc82f11a4282be2dc1c2485340d68b7d0 /gn3/auth
parent53371fb668d1d18ba4696b3e4739f26edd677d8d (diff)
downloadgenenetwork3-98dc0c5b1a67a7c7b97a1fa02211e9f99360edce.tar.gz
auth: update privileges format
Save privileges with ids of the form <top-level>:<sub-level>:<privilege-name> rather than using a UUID, to reduce indirection levels. * migrations/auth/20230116_01_KwuJ3-rework-privileges-schema.py: new migration to change the schema and IDs for the privileges. * Update code to use new privileges format * gn3/auth/authorisation/checks.py * gn3/auth/authorisation/groups.py * gn3/auth/authorisation/privileges.py * gn3/auth/authorisation/resources.py * gn3/auth/authorisation/roles.py * migrations/auth/20230116_01_KwuJ3-rework-privileges-schema.py * tests/unit/auth/fixtures/role_fixtures.py * tests/unit/auth/test_groups.py * tests/unit/auth/test_privileges.py * tests/unit/auth/test_roles.py
Diffstat (limited to 'gn3/auth')
-rw-r--r--gn3/auth/authorisation/checks.py2
-rw-r--r--gn3/auth/authorisation/groups.py6
-rw-r--r--gn3/auth/authorisation/privileges.py9
-rw-r--r--gn3/auth/authorisation/resources.py3
-rw-r--r--gn3/auth/authorisation/roles.py10
5 files changed, 16 insertions, 14 deletions
diff --git a/gn3/auth/authorisation/checks.py b/gn3/auth/authorisation/checks.py
index dd041fe..d847c1e 100644
--- a/gn3/auth/authorisation/checks.py
+++ b/gn3/auth/authorisation/checks.py
@@ -19,7 +19,7 @@ def authorised_p(
if hasattr(g, "user") and g.user:
with db.connection(app.config["AUTH_DB"]) as conn:
user_privileges = tuple(
- priv.privilege_name for priv in
+ priv.privilege_id for priv in
auth_privs.user_privileges(conn, g.user))
not_assigned = [
diff --git a/gn3/auth/authorisation/groups.py b/gn3/auth/authorisation/groups.py
index ff4dc80..bbabd44 100644
--- a/gn3/auth/authorisation/groups.py
+++ b/gn3/auth/authorisation/groups.py
@@ -49,7 +49,8 @@ def user_membership(conn: db.DbConnection, user: User) -> Sequence[Group]:
return groups
@authenticated_p
-@authorised_p(("create-group",), error_message="Failed to create group.")
+@authorised_p(("system:group:create-group",),
+ error_message="Failed to create group.")
def create_group(conn: db.DbConnection, group_name: str,
group_leader: User) -> Group:
"""Create a group"""
@@ -69,7 +70,8 @@ def create_group(conn: db.DbConnection, group_name: str,
return group
@authenticated_p
-@authorised_p(("create-role",), error_message="Could not create the group role")
+@authorised_p(("group:role:create-role",),
+ error_message="Could not create the group role")
def create_group_role(
conn: db.DbConnection, group: Group, role_name: str,
privileges: Iterable[Privilege]) -> GroupRole:
diff --git a/gn3/auth/authorisation/privileges.py b/gn3/auth/authorisation/privileges.py
index 9e66bda..6cfd1d8 100644
--- a/gn3/auth/authorisation/privileges.py
+++ b/gn3/auth/authorisation/privileges.py
@@ -1,5 +1,4 @@
"""Handle privileges"""
-from uuid import UUID
from typing import Iterable, NamedTuple
from gn3.auth import db
@@ -7,14 +6,14 @@ from gn3.auth.authentication.users import User
class Privilege(NamedTuple):
"""Class representing a privilege: creates immutable objects."""
- privilege_id: UUID
- privilege_name: str
+ privilege_id: str
+ privilege_description: str
def user_privileges(conn: db.DbConnection, user: User) -> Iterable[Privilege]:
"""Fetch the user's privileges from the database."""
with db.cursor(conn) as cursor:
cursor.execute(
- ("SELECT p.privilege_id, p.privilege_name "
+ ("SELECT p.privilege_id, p.privilege_description "
"FROM user_roles AS ur "
"INNER JOIN role_privileges AS rp ON ur.role_id=rp.role_id "
"INNER JOIN privileges AS p ON rp.privilege_id=p.privilege_id "
@@ -22,4 +21,4 @@ def user_privileges(conn: db.DbConnection, user: User) -> Iterable[Privilege]:
(str(user.user_id),))
results = cursor.fetchall()
- return (Privilege(UUID(row[0]), row[1]) for row in results)
+ return (Privilege(row[0], row[1]) for row in results)
diff --git a/gn3/auth/authorisation/resources.py b/gn3/auth/authorisation/resources.py
index bc6ba44..f27d61a 100644
--- a/gn3/auth/authorisation/resources.py
+++ b/gn3/auth/authorisation/resources.py
@@ -26,7 +26,8 @@ class Resource(NamedTuple):
resource_category: ResourceCategory
public: bool
-@authorised_p(("create-resource",), error_message="Could not create resource")
+@authorised_p(("group:resource:create-resource",),
+ error_message="Could not create resource")
def create_resource(
conn: db.DbConnection, resource_name: str,
resource_category: ResourceCategory) -> Resource:
diff --git a/gn3/auth/authorisation/roles.py b/gn3/auth/authorisation/roles.py
index 6602c9f..606403e 100644
--- a/gn3/auth/authorisation/roles.py
+++ b/gn3/auth/authorisation/roles.py
@@ -17,7 +17,7 @@ class Role(NamedTuple):
privileges: Iterable[Privilege]
@authenticated_p
-@authorised_p(("create-role",), error_message="Could not create role")
+@authorised_p(("group:role:create-role",), error_message="Could not create role")
def create_role(
cursor: db.DbCursor, role_name: str,
privileges: Iterable[Privilege]) -> Role:
@@ -55,8 +55,8 @@ def __organise_privileges__(roles_dict, privilege_row):
UUID(role_id_str),
privilege_row["role_name"],
roles_dict[role_id_str].privileges + (
- Privilege(UUID(privilege_row["privilege_id"]),
- privilege_row["privilege_name"]),))
+ Privilege(privilege_row["privilege_id"],
+ privilege_row["privilege_description"]),))
}
return {
@@ -64,8 +64,8 @@ def __organise_privileges__(roles_dict, privilege_row):
role_id_str: Role(
UUID(role_id_str),
privilege_row["role_name"],
- (Privilege(UUID(privilege_row["privilege_id"]),
- privilege_row["privilege_name"]),))
+ (Privilege(privilege_row["privilege_id"],
+ privilege_row["privilege_description"]),))
}
def user_roles(conn: db.DbConnection, user: User):