aboutsummaryrefslogtreecommitdiff
path: root/gn3/auth/authorisation
diff options
context:
space:
mode:
Diffstat (limited to 'gn3/auth/authorisation')
-rw-r--r--gn3/auth/authorisation/checks.py29
-rw-r--r--gn3/auth/authorisation/groups/models.py43
-rw-r--r--gn3/auth/authorisation/resources/models.py3
-rw-r--r--gn3/auth/authorisation/roles/models.py4
4 files changed, 44 insertions, 35 deletions
diff --git a/gn3/auth/authorisation/checks.py b/gn3/auth/authorisation/checks.py
index 8fef209..6579afc 100644
--- a/gn3/auth/authorisation/checks.py
+++ b/gn3/auth/authorisation/checks.py
@@ -10,29 +10,32 @@ from . import privileges as auth_privs
from .errors import AuthorisationError
from ..authentication.users import User
+from ..authentication.oauth2.resource_server import require_oauth
def authorised_p(
privileges: tuple[str],
- error_message: str = (
+ error_description: str = (
"You lack authorisation to perform requested action"),
- user: Optional[User] = None):
+ oauth2_scope = "profile"):
"""Authorisation decorator."""
assert len(privileges) > 0, "You must provide at least one privilege"
def __build_authoriser__(func: Callable):
@wraps(func)
def __authoriser__(*args, **kwargs):
- the_user = user or (hasattr(g, "user") and g.user)
- if the_user:
- with db.connection(app.config["AUTH_DB"]) as conn:
- user_privileges = tuple(
- priv.privilege_id for priv in
- auth_privs.user_privileges(conn, the_user))
+ # the_user = user or (hasattr(g, "user") and g.user)
+ with require_oauth.acquire(oauth2_scope) as the_token:
+ the_user = the_token.user
+ if the_user:
+ with db.connection(app.config["AUTH_DB"]) as conn:
+ user_privileges = tuple(
+ priv.privilege_id for priv in
+ auth_privs.user_privileges(conn, the_user))
- not_assigned = [
- priv for priv in privileges if priv not in user_privileges]
- if len(not_assigned) == 0:
- return func(*args, **kwargs)
+ not_assigned = [
+ priv for priv in privileges if priv not in user_privileges]
+ if len(not_assigned) == 0:
+ return func(*args, **kwargs)
- raise AuthorisationError(error_message)
+ raise AuthorisationError(error_message)
return __authoriser__
return __build_authoriser__
diff --git a/gn3/auth/authorisation/groups/models.py b/gn3/auth/authorisation/groups/models.py
index 0750419..c5c9370 100644
--- a/gn3/auth/authorisation/groups/models.py
+++ b/gn3/auth/authorisation/groups/models.py
@@ -51,10 +51,10 @@ class MembershipError(AuthorisationError):
def __init__(self, user: User, groups: Sequence[Group]):
"""Initialise the `MembershipError` exception object."""
groups_str = ", ".join(group.group_name for group in groups)
- error_message = (
+ error_description = (
f"User '{user.name} ({user.email})' is a member of {len(groups)} "
f"groups ({groups_str})")
- super().__init__(f"{type(self).__name__}: {error_message}.")
+ super().__init__(f"{type(self).__name__}: {error_description}.")
def user_membership(conn: db.DbConnection, user: User) -> Sequence[Group]:
"""Returns all the groups that a member belongs to"""
@@ -70,6 +70,12 @@ def user_membership(conn: db.DbConnection, user: User) -> Sequence[Group]:
return groups
+@authorised_p(
+ privileges = ("system:group:create-group",),
+ error_description = (
+ "You do not have the appropriate privileges to enable you to "
+ "create a new group."),
+ oauth2_scope = "profile group")
def create_group(
conn: db.DbConnection, group_name: str, group_leader: User,
group_description: Optional[str] = None) -> Group:
@@ -78,26 +84,18 @@ def create_group(
if len(user_groups) > 0:
raise MembershipError(group_leader, user_groups)
- @authorised_p(
- ("system:group:create-group",), (
- "You do not have the appropriate privileges to enable you to "
- "create a new group."),
- group_leader)
- def __create_group__():
- with db.cursor(conn) as cursor:
- new_group = __save_group__(
- cursor, group_name,(
- {"group_description": group_description}
- if group_description else {}))
- add_user_to_group(cursor, new_group, group_leader)
- revoke_user_role_by_name(cursor, group_leader, "group-creator")
- assign_user_role_by_name(cursor, group_leader, "group-leader")
- return new_group
-
- return __create_group__()
+ with db.cursor(conn) as cursor:
+ new_group = __save_group__(
+ cursor, group_name,(
+ {"group_description": group_description}
+ if group_description else {}))
+ add_user_to_group(cursor, new_group, group_leader)
+ revoke_user_role_by_name(cursor, group_leader, "group-creator")
+ assign_user_role_by_name(cursor, group_leader, "group-leader")
+ return new_group
@authorised_p(("group:role:create-role",),
- error_message="Could not create the group role")
+ error_description="Could not create the group role")
def create_group_role(
conn: db.DbConnection, group: Group, role_name: str,
privileges: Iterable[Privilege]) -> GroupRole:
@@ -210,6 +208,11 @@ def add_user_to_group(cursor: db.DbCursor, the_group: Group, user: User):
"ON CONFLICT (group_id, user_id) DO NOTHING"),
{"group_id": str(the_group.group_id), "user_id": str(user.user_id)})
+@authorised_p(
+ privileges = ("system:group:view-group",),
+ error_description = (
+ "You do not have the appropriate privileges to access the list of users"
+ " in the group."))
def group_users(conn: db.DbConnection, group_id: UUID) -> Iterable[User]:
"""Retrieve all users that are members of group with id `group_id`."""
with db.cursor(conn) as cursor:
diff --git a/gn3/auth/authorisation/resources/models.py b/gn3/auth/authorisation/resources/models.py
index 1959362..8d45ef4 100644
--- a/gn3/auth/authorisation/resources/models.py
+++ b/gn3/auth/authorisation/resources/models.py
@@ -47,7 +47,8 @@ class Resource(NamedTuple):
}
@authorised_p(("group:resource:create-resource",),
- error_message="Could not create resource")
+ error_description="Insufficient privileges to create a resource",
+ oauth2_scope="profile resource")
def create_resource(
conn: db.DbConnection, resource_name: str,
resource_category: ResourceCategory) -> Resource:
diff --git a/gn3/auth/authorisation/roles/models.py b/gn3/auth/authorisation/roles/models.py
index b1aac75..26b8f0a 100644
--- a/gn3/auth/authorisation/roles/models.py
+++ b/gn3/auth/authorisation/roles/models.py
@@ -27,7 +27,9 @@ class Role(NamedTuple):
"privileges": tuple(dictify(priv) for priv in self.privileges)
}
-@authorised_p(("group:role:create-role",), error_message="Could not create role")
+@authorised_p(
+ privileges = ("group:role:create-role",),
+ error_description="Could not create role")
def create_role(
cursor: db.DbCursor, role_name: str,
privileges: Iterable[Privilege]) -> Role: