From e66e0d24f76458aade54056e18de7d4e0762d06c Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Tue, 28 Feb 2023 12:45:57 +0300
Subject: auth: Unlink data from resources

Enable the data editor to unlink data from a particular resource.
---
 gn3/auth/authorisation/data/views.py       | 62 +++++++++++++++++++-----------
 gn3/auth/authorisation/resources/models.py |  4 +-
 2 files changed, 42 insertions(+), 24 deletions(-)

(limited to 'gn3')

diff --git a/gn3/auth/authorisation/data/views.py b/gn3/auth/authorisation/data/views.py
index 76f4158..08032db 100644
--- a/gn3/auth/authorisation/data/views.py
+++ b/gn3/auth/authorisation/data/views.py
@@ -1,16 +1,15 @@
 """Handle data endpoints."""
+import uuid
 import json
-from functools import reduce
 
-from flask import request, Response, Blueprint, current_app as app
 from authlib.integrations.flask_oauth2.errors import _HTTPException
-
-from gn3 import db_utils as gn3db
+from flask import request, jsonify, Response, Blueprint, current_app as app
 
 from gn3.db.traits import build_trait_name
 
 from gn3.auth import db
 from gn3.auth.authentication.oauth2.resource_server import require_oauth
+from gn3.auth.authorisation.resources.checks import authorised_for
 from gn3.auth.authorisation.resources.models import (
     user_resources, public_resources, attach_resources_data)
 
@@ -20,12 +19,22 @@ data = Blueprint("data", __name__)
 def authorisation() -> Response:
     """Retrive the authorisation level for datasets/traits for the user."""
     db_uri = app.config["AUTH_DB"]
-    the_user = "ANONYMOUS"
-    with db.connection(db_uri) as auth_conn, gn3db.database_connection() as gn3conn:
+    privileges = {}
+    with db.connection(db_uri) as auth_conn:
         try:
             with require_oauth.acquire("profile group resource") as the_token:
                 resources = attach_resources_data(
                     auth_conn, user_resources(auth_conn, the_token.user))
+                privileges = {
+                    resource_id: ("group:resource:view-resource",)
+                    for resource_id, is_authorised
+                    in authorised_for(
+                        auth_conn, the_token.user,
+                        ("group:resource:view-resource",), tuple(
+                            resource.resource_id for resource in resources
+                            if not resource.public)).items()
+                    if is_authorised
+                }
         except _HTTPException as exc:
             err_msg = json.loads(exc.body)
             if err_msg["error"] == "missing_authorization":
@@ -37,31 +46,40 @@ def authorisation() -> Response:
         # Access endpoint with somethin like:
         # curl -X GET http://127.0.0.1:8080/api/oauth2/data/authorisation \
         #    -H "Content-Type: application/json" \
-        #    -d '{"traits": ["HC_M2_0606_P::1442370_at", "BXDGeno::01.001.695", "BXDPublish::10001"]}'
+        #    -d '{"traits": ["HC_M2_0606_P::1442370_at", "BXDGeno::01.001.695",
+        #        "BXDPublish::10001"]}'
+        data_to_resource_map = {
+            (f"{data_item['dataset_type'].lower()}::"
+             f"{data_item['dataset_name']}"): resource.resource_id
+            for resource in resources
+            for data_item in resource.resource_data
+        }
+        privileges = {
+            **privileges,
+            **{
+                resource.resource_id: ("system:resource:public-read",)
+                for resource in resources if resource.public
+            }}
+
         args = request.get_json()
-        traits_names = args["traits"]
+        traits_names = args["traits"] # type: ignore[index]
         def __translate__(val):
             return {
                 "ProbeSet": "mRNA",
                 "Geno": "Genotype",
                 "Publish": "Phenotype"
             }[val]
-        traits = (
+        return jsonify(tuple(
             {
                 **{key:trait[key] for key in ("trait_fullname", "trait_name")},
                 "dataset_name": trait["db"]["dataset_name"],
-                "dataset_type": __translate__(trait["db"]["dataset_type"])
+                "dataset_type": __translate__(trait["db"]["dataset_type"]),
+                "privileges": privileges.get(
+                    data_to_resource_map.get(
+                        f"{__translate__(trait['db']['dataset_type']).lower()}"
+                        f"::{trait['db']['dataset_name']}",
+                        uuid.UUID("4afa415e-94cb-4189-b2c6-f9ce2b6a878d")),
+                    tuple())
             } for trait in
             (build_trait_name(trait_fullname)
-             for trait_fullname in traits_names))
-        # Retrieve the dataset/trait IDs from traits above
-
-        # Compare the traits/dataset names/ids from request with resources' data
-        # - Any trait not in resources' data is marked inaccessible
-        # - Any trait in resources' data:
-        #   - IF public is marked readable
-        #   - IF private and user has read privilege: mark readable
-        #   - ELSE mark inaccessible
-        
-
-        return "NOT COMPLETED! ..."
+             for trait_fullname in traits_names)))
diff --git a/gn3/auth/authorisation/resources/models.py b/gn3/auth/authorisation/resources/models.py
index 13f234f..be1bc17 100644
--- a/gn3/auth/authorisation/resources/models.py
+++ b/gn3/auth/authorisation/resources/models.py
@@ -414,12 +414,12 @@ def __attach_data__(
             **acc,
             resource_id: acc.get(resource_id, tuple()) + (dict(row),)
         }
-    organised = reduce(__organise__, data_rows, {})
+    organised: dict[UUID, tuple[dict, ...]] = reduce(__organise__, data_rows, {})
     return tuple(
         Resource(
             resource.group, resource.resource_id, resource.resource_name,
             resource.resource_category, resource.public,
-            organised[resource.resource_id])
+            organised.get(resource.resource_id, tuple()))
         for resource in resources)
 
 def attach_mrna_resources_data(
-- 
cgit v1.2.3