"""Handle the management of resource/user groups.""" import json from uuid import UUID, uuid4 from typing import Any, Sequence, Iterable, Optional, NamedTuple from flask import g from pymonad.maybe import Just, Maybe, Nothing from gn3.auth import db from gn3.auth.authentication.users import User from gn3.auth.dictify import register_dictifier from gn3.auth.authentication.checks import authenticated_p from .checks import authorised_p from .privileges import Privilege from .errors import AuthorisationError from .roles import ( Role, create_role, revoke_user_role_by_name, assign_user_role_by_name) class Group(NamedTuple): """Class representing a group.""" group_id: UUID group_name: str group_metadata: dict[str, Any] register_dictifier(Group, lambda grp: { "group_id": grp.group_id, "group_name": grp.group_name, "group_metadata": grp.group_metadata}) class GroupRole(NamedTuple): """Class representing a role tied/belonging to a group.""" group_role_id: UUID group: Group role: Role class GroupCreationError(AuthorisationError): """Raised whenever a group creation fails""" class MembershipError(AuthorisationError): """Raised when there is an error with a user's membership to a group.""" def __init__(self, user: User, groups: Sequence[Group]): """Initialise the `MembershipError` exception object.""" groups_str = ", ".join(group.group_name for group in groups) error_message = ( f"User '{user.name} ({user.email})' is a member of {len(groups)} " f"groups ({groups_str})") super().__init__(f"{type(self).__name__}: {error_message}.") def user_membership(conn: db.DbConnection, user: User) -> Sequence[Group]: """Returns all the groups that a member belongs to""" query = ( "SELECT groups.group_id, group_name, groups.group_metadata " "FROM group_users INNER JOIN groups " "ON group_users.group_id=groups.group_id " "WHERE group_users.user_id=?") with db.cursor(conn) as cursor: cursor.execute(query, (str(user.user_id),)) groups = tuple(Group(row[0], row[1], json.loads(row[2])) for row in cursor.fetchall()) return groups @authenticated_p def create_group( conn: db.DbConnection, group_name: str, group_leader: User, group_description: Optional[str] = None) -> Group: """Create a new group.""" user_groups = user_membership(conn, group_leader) if len(user_groups) > 0: raise MembershipError(group_leader, user_groups) @authorised_p( ("system:group:create-group",), ( "You do not have the appropriate privileges to enable you to " "create a new group."), group_leader) def __create_group__(): with db.cursor(conn) as cursor: new_group = __save_group__( cursor, group_name,( {"group_description": group_description} if group_description else {})) add_user_to_group(cursor, new_group, group_leader) revoke_user_role_by_name(cursor, group_leader, "group-creator") assign_user_role_by_name(cursor, group_leader, "group-leader") return new_group return __create_group__() @authenticated_p @authorised_p(("group:role:create-role",), error_message="Could not create the group role") def create_group_role( conn: db.DbConnection, group: Group, role_name: str, privileges: Iterable[Privilege]) -> GroupRole: """Create a role attached to a group.""" with db.cursor(conn) as cursor: group_role_id = uuid4() role = create_role(cursor, role_name, privileges) cursor.execute( ("INSERT INTO group_roles(group_role_id, group_id, role_id) " "VALUES(?, ?, ?)"), (str(group_role_id), str(group.group_id), str(role.role_id))) return GroupRole(group_role_id, group, role) @authenticated_p def authenticated_user_group(conn) -> Maybe: """ Returns the currently authenticated user's group. Look into returning a Maybe object. """ user = g.user with db.cursor(conn) as cursor: cursor.execute( ("SELECT groups.* FROM group_users " "INNER JOIN groups ON group_users.group_id=groups.group_id " "WHERE group_users.user_id = ?"), (str(user.user_id),)) groups = tuple(Group(UUID(row[0]), row[1], json.loads(row[2] or "{}")) for row in cursor.fetchall()) if len(groups) > 1: raise MembershipError(user, groups) if len(groups) == 1: return Just(groups[0]) return Nothing def user_group(cursor: db.DbCursor, user: User) -> Maybe[Group]: """Returns the given user's group""" cursor.execute( ("SELECT groups.group_id, groups.group_name, groups.group_metadata " "FROM group_users " "INNER JOIN groups ON group_users.group_id=groups.group_id " "WHERE group_users.user_id = ?"), (str(user.user_id),)) groups = tuple( Group(UUID(row[0]), row[1], json.loads(row[2] or "{}")) for row in cursor.fetchall()) if len(groups) > 1: raise MembershipError(user, groups) if len(groups) == 1: return Just(groups[0]) return Nothing def is_group_leader(cursor: db.DbCursor, user: User, group: Group): """Check whether the given `user` is the leader of `group`.""" ugroup = user_group(cursor, user).maybe(False, lambda val: val) # type: ignore[arg-type, misc] if not group: # User cannot be a group leader if not a member of ANY group return False if not ugroup == group: # User cannot be a group leader if not a member of THIS group return False cursor.execute( ("SELECT roles.role_name FROM user_roles LEFT JOIN roles " "ON user_roles.role_id = roles.role_id WHERE user_id = ?"), (str(user.user_id),)) role_names = tuple(row[0] for row in cursor.fetchall()) return "group-leader" in role_names def all_groups(conn: db.DbConnection) -> Maybe[Sequence[Group]]: """Retrieve all existing groups""" with db.cursor(conn) as cursor: cursor.execute("SELECT * FROM groups") res = cursor.fetchall() if res: return Just(tuple( Group(row["group_id"], row["group_name"], json.loads(row["group_metadata"])) for row in res)) return Nothing def __save_group__( cursor: db.DbCursor, group_name: str, group_metadata: dict[str, Any]) -> Group: """Save a group to db""" the_group = Group(uuid4(), group_name, group_metadata) cursor.execute( ("INSERT INTO groups " "VALUES(:group_id, :group_name, :group_metadata) " "ON CONFLICT (group_id) DO UPDATE SET " "group_name=:group_name, group_metadata=:group_metadata"), {"group_id": str(the_group.group_id), "group_name": the_group.group_name, "group_metadata": json.dumps(the_group.group_metadata)}) return the_group def add_user_to_group(cursor: db.DbCursor, the_group: Group, user: User): """Add `user` to `the_group` as a member.""" cursor.execute( ("INSERT INTO group_users VALUES (:group_id, :user_id) " "ON CONFLICT (group_id, user_id) DO NOTHING"), {"group_id": str(the_group.group_id), "user_id": str(user.user_id)})