aboutsummaryrefslogtreecommitdiff
path: root/gn_auth/auth/authorisation/resources/groups
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2023-09-14 12:06:23 +0300
committerFrederick Muriuki Muriithi2023-09-26 03:44:30 +0300
commite19b01571ce61e01f482a1dadeeb2fd835fda939 (patch)
tree27b8c7f86313a86bc1e6705ac65ff5996403eace /gn_auth/auth/authorisation/resources/groups
parent345e33fc8e1b12dda6626307ebac7e1206200974 (diff)
downloadgn-auth-e19b01571ce61e01f482a1dadeeb2fd835fda939.tar.gz
Move `groups` package under `resources` package
With user groups being resources that users can act on (with the recent changes), this commit moves the `groups` module to under the `resources` module. It also renames the `*_resources.py` modules by dropping the `_resources` part since the code is under the `resources` module anyway.
Diffstat (limited to 'gn_auth/auth/authorisation/resources/groups')
-rw-r--r--gn_auth/auth/authorisation/resources/groups/__init__.py3
-rw-r--r--gn_auth/auth/authorisation/resources/groups/data.py107
-rw-r--r--gn_auth/auth/authorisation/resources/groups/models.py453
-rw-r--r--gn_auth/auth/authorisation/resources/groups/views.py432
4 files changed, 995 insertions, 0 deletions
diff --git a/gn_auth/auth/authorisation/resources/groups/__init__.py b/gn_auth/auth/authorisation/resources/groups/__init__.py
new file mode 100644
index 0000000..1cb0bba
--- /dev/null
+++ b/gn_auth/auth/authorisation/resources/groups/__init__.py
@@ -0,0 +1,3 @@
+"""Initialise the `gn3.auth.authorisation.groups` package"""
+
+from .models import Group, GroupRole
diff --git a/gn_auth/auth/authorisation/resources/groups/data.py b/gn_auth/auth/authorisation/resources/groups/data.py
new file mode 100644
index 0000000..9fcdc6e
--- /dev/null
+++ b/gn_auth/auth/authorisation/resources/groups/data.py
@@ -0,0 +1,107 @@
+"""Handles the resource objects' data."""
+from MySQLdb.cursors import DictCursor
+
+from gn_auth.auth.db import mariadb as gn3db
+from gn_auth.auth.db import sqlite3 as authdb
+
+from gn_auth.auth.authorisation.checks import authorised_p
+from gn_auth.auth.authorisation.errors import NotFoundError
+from gn_auth.auth.authorisation.resources.groups import Group
+
+def __fetch_mrna_data_by_ids__(
+ conn: gn3db.DbConnection, dataset_ids: tuple[str, ...]) -> tuple[
+ dict, ...]:
+ """Fetch mRNA Assay data by ID."""
+ with conn.cursor(DictCursor) as cursor:
+ paramstr = ", ".join(["%s"] * len(dataset_ids))
+ cursor.execute(
+ "SELECT psf.Id, psf.Name AS dataset_name, "
+ "psf.FullName AS dataset_fullname, "
+ "ifiles.GN_AccesionId AS accession_id FROM ProbeSetFreeze AS psf "
+ "INNER JOIN InfoFiles AS ifiles ON psf.Name=ifiles.InfoPageName "
+ f"WHERE psf.Id IN ({paramstr})",
+ dataset_ids)
+ res = cursor.fetchall()
+ if res:
+ return tuple(dict(row) for row in res)
+ raise NotFoundError("Could not find mRNA Assay data with the given ID.")
+
+def __fetch_geno_data_by_ids__(
+ conn: gn3db.DbConnection, dataset_ids: tuple[str, ...]) -> tuple[
+ dict, ...]:
+ """Fetch genotype data by ID."""
+ with conn.cursor(DictCursor) as cursor:
+ paramstr = ", ".join(["%s"] * len(dataset_ids))
+ cursor.execute(
+ "SELECT gf.Id, gf.Name AS dataset_name, "
+ "gf.FullName AS dataset_fullname, "
+ "ifiles.GN_AccesionId AS accession_id FROM GenoFreeze AS gf "
+ "INNER JOIN InfoFiles AS ifiles ON gf.Name=ifiles.InfoPageName "
+ f"WHERE gf.Id IN ({paramstr})",
+ dataset_ids)
+ res = cursor.fetchall()
+ if res:
+ return tuple(dict(row) for row in res)
+ raise NotFoundError("Could not find Genotype data with the given ID.")
+
+def __fetch_pheno_data_by_ids__(
+ conn: gn3db.DbConnection, dataset_ids: tuple[str, ...]) -> tuple[
+ dict, ...]:
+ """Fetch phenotype data by ID."""
+ with conn.cursor(DictCursor) as cursor:
+ paramstr = ", ".join(["%s"] * len(dataset_ids))
+ cursor.execute(
+ "SELECT pxf.Id, iset.InbredSetName, pf.Id AS dataset_id, "
+ "pf.Name AS dataset_name, pf.FullName AS dataset_fullname, "
+ "ifiles.GN_AccesionId AS accession_id "
+ "FROM PublishXRef AS pxf "
+ "INNER JOIN InbredSet AS iset ON pxf.InbredSetId=iset.InbredSetId "
+ "INNER JOIN PublishFreeze AS pf ON iset.InbredSetId=pf.InbredSetId "
+ "INNER JOIN InfoFiles AS ifiles ON pf.Name=ifiles.InfoPageName "
+ f"WHERE pxf.Id IN ({paramstr})",
+ dataset_ids)
+ res = cursor.fetchall()
+ if res:
+ return tuple(dict(row) for row in res)
+ raise NotFoundError(
+ "Could not find Phenotype/Publish data with the given IDs.")
+
+def __fetch_data_by_id(
+ conn: gn3db.DbConnection, dataset_type: str,
+ dataset_ids: tuple[str, ...]) -> tuple[dict, ...]:
+ """Fetch data from MySQL by IDs."""
+ fetch_fns = {
+ "mrna": __fetch_mrna_data_by_ids__,
+ "genotype": __fetch_geno_data_by_ids__,
+ "phenotype": __fetch_pheno_data_by_ids__
+ }
+ return fetch_fns[dataset_type](conn, dataset_ids)
+
+@authorised_p(("system:data:link-to-group",),
+ error_description=(
+ "You do not have sufficient privileges to link data to (a) "
+ "group(s)."),
+ oauth2_scope="profile group resource")
+def link_data_to_group(
+ authconn: authdb.DbConnection, gn3conn: gn3db.DbConnection,
+ dataset_type: str, dataset_ids: tuple[str, ...], group: Group) -> tuple[
+ dict, ...]:
+ """Link the given data to the specified group."""
+ the_data = __fetch_data_by_id(gn3conn, dataset_type, dataset_ids)
+ with authdb.cursor(authconn) as cursor:
+ params = tuple({
+ "group_id": str(group.group_id), "dataset_type": {
+ "mrna": "mRNA", "genotype": "Genotype",
+ "phenotype": "Phenotype"
+ }[dataset_type],
+ "dataset_or_trait_id": item["Id"],
+ "dataset_name": item["dataset_name"],
+ "dataset_fullname": item["dataset_fullname"],
+ "accession_id": item["accession_id"]
+ } for item in the_data)
+ cursor.executemany(
+ "INSERT INTO linked_group_data VALUES"
+ "(:group_id, :dataset_type, :dataset_or_trait_id, :dataset_name, "
+ ":dataset_fullname, :accession_id)",
+ params)
+ return params
diff --git a/gn_auth/auth/authorisation/resources/groups/models.py b/gn_auth/auth/authorisation/resources/groups/models.py
new file mode 100644
index 0000000..5ec26c5
--- /dev/null
+++ b/gn_auth/auth/authorisation/resources/groups/models.py
@@ -0,0 +1,453 @@
+"""Handle the management of resource/user groups."""
+import json
+from uuid import UUID, uuid4
+from functools import reduce
+from typing import Any, Sequence, Iterable, Optional, NamedTuple
+
+from flask import g
+from pymonad.maybe import Just, Maybe, Nothing
+
+from gn_auth.auth.db import sqlite3 as db
+from gn_auth.auth.dictify import dictify
+from gn_auth.auth.authentication.users import User, user_by_id
+
+from gn_auth.auth.authorisation.checks import authorised_p
+from gn_auth.auth.authorisation.privileges import Privilege
+from gn_auth.auth.authorisation.resources.base import Resource
+from gn_auth.auth.authorisation.resources.errors import MissingGroupError
+from gn_auth.auth.authorisation.errors import (
+ NotFoundError, AuthorisationError, InconsistencyError)
+from gn_auth.auth.authorisation.roles.models import (
+ Role, create_role, check_user_editable, revoke_user_role_by_name,
+ assign_user_role_by_name)
+
+class Group(NamedTuple):
+ """Class representing a group."""
+ group_id: UUID
+ group_name: str
+ group_metadata: dict[str, Any]
+
+ def dictify(self):
+ """Return a dict representation of `Group` objects."""
+ return {
+ "group_id": self.group_id, "group_name": self.group_name,
+ "group_metadata": self.group_metadata
+ }
+
+DUMMY_GROUP = Group(
+ group_id=UUID("77cee65b-fe29-4383-ae41-3cb3b480cc70"),
+ group_name="GN3_DUMMY_GROUP",
+ group_metadata={
+ "group-description": "This is a dummy group to use as a placeholder"
+ })
+
+class GroupRole(NamedTuple):
+ """Class representing a role tied/belonging to a group."""
+ group_role_id: UUID
+ group: Group
+ role: Role
+
+ def dictify(self) -> dict[str, Any]:
+ """Return a dict representation of `GroupRole` objects."""
+ return {
+ "group_role_id": self.group_role_id, "group": dictify(self.group),
+ "role": dictify(self.role)
+ }
+
+class GroupCreationError(AuthorisationError):
+ """Raised whenever a group creation fails"""
+
+class MembershipError(AuthorisationError):
+ """Raised when there is an error with a user's membership to a group."""
+
+ def __init__(self, user: User, groups: Sequence[Group]):
+ """Initialise the `MembershipError` exception object."""
+ groups_str = ", ".join(group.group_name for group in groups)
+ error_description = (
+ f"User '{user.name} ({user.email})' is a member of {len(groups)} "
+ f"groups ({groups_str})")
+ super().__init__(f"{type(self).__name__}: {error_description}.")
+
+def user_membership(conn: db.DbConnection, user: User) -> Sequence[Group]:
+ """Returns all the groups that a member belongs to"""
+ query = (
+ "SELECT groups.group_id, group_name, groups.group_metadata "
+ "FROM group_users INNER JOIN groups "
+ "ON group_users.group_id=groups.group_id "
+ "WHERE group_users.user_id=?")
+ with db.cursor(conn) as cursor:
+ cursor.execute(query, (str(user.user_id),))
+ groups = tuple(Group(row[0], row[1], json.loads(row[2]))
+ for row in cursor.fetchall())
+
+ return groups
+
+@authorised_p(
+ privileges = ("system:group:create-group",),
+ error_description = (
+ "You do not have the appropriate privileges to enable you to "
+ "create a new group."),
+ oauth2_scope = "profile group")
+def create_group(
+ conn: db.DbConnection, group_name: str, group_leader: User,
+ group_description: Optional[str] = None) -> Group:
+ """Create a new group."""
+ def resource_category_by_key(
+ cursor: db.DbCursor, category_key: str):
+ """Retrieve a resource category by its key."""
+ cursor.execute(
+ "SELECT * FROM resource_categories WHERE "
+ "resource_category_key=?",
+ (category_key,))
+ results = cursor.fetchone()
+ if results:
+ return dict(results)
+ raise NotFoundError(
+ f"Could not find a ResourceCategory with key '{category_key}'")
+
+ user_groups = user_membership(conn, group_leader)
+ if len(user_groups) > 0:
+ raise MembershipError(group_leader, user_groups)
+
+ with db.cursor(conn) as cursor:
+ new_group = save_group(
+ cursor, group_name,(
+ {"group_description": group_description}
+ if group_description else {}))
+ group_resource = {
+ "group_id": str(new_group.group_id),
+ "resource_id": str(uuid4()),
+ "resource_name": group_name,
+ "resource_category_id": str(
+ resource_category_by_key(cursor, "group")["resource_category_id"]),
+ "public": 0
+ }
+ cursor.execute(
+ "INSERT INTO resources VALUES "
+ "(:resource_id, :resource_name, :resource_category_id, :public)",
+ group_resource)
+ cursor.execute(
+ "INSERT INTO group_resources(resource_id, group_id) "
+ "VALUES(:resource_id, :group_id)",
+ group_resource)
+ add_user_to_group(cursor, new_group, group_leader)
+ revoke_user_role_by_name(cursor, group_leader, "group-creator")
+ assign_user_role_by_name(
+ cursor,
+ group_leader,
+ UUID(str(group_resource["resource_id"])),
+ "group-leader")
+ return new_group
+
+@authorised_p(("group:role:create-role",),
+ error_description="Could not create the group role")
+def create_group_role(
+ conn: db.DbConnection, group: Group, role_name: str,
+ privileges: Iterable[Privilege]) -> GroupRole:
+ """Create a role attached to a group."""
+ with db.cursor(conn) as cursor:
+ group_role_id = uuid4()
+ role = create_role(cursor, role_name, privileges)
+ cursor.execute(
+ ("INSERT INTO group_roles(group_role_id, group_id, role_id) "
+ "VALUES(?, ?, ?)"),
+ (str(group_role_id), str(group.group_id), str(role.role_id)))
+
+ return GroupRole(group_role_id, group, role)
+
+def authenticated_user_group(conn) -> Maybe:
+ """
+ Returns the currently authenticated user's group.
+
+ Look into returning a Maybe object.
+ """
+ user = g.user
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ ("SELECT groups.* FROM group_users "
+ "INNER JOIN groups ON group_users.group_id=groups.group_id "
+ "WHERE group_users.user_id = ?"),
+ (str(user.user_id),))
+ groups = tuple(Group(UUID(row[0]), row[1], json.loads(row[2] or "{}"))
+ for row in cursor.fetchall())
+
+ if len(groups) > 1:
+ raise MembershipError(user, groups)
+
+ if len(groups) == 1:
+ return Just(groups[0])
+
+ return Nothing
+
+def user_group(conn: db.DbConnection, user: User) -> Maybe[Group]:
+ """Returns the given user's group"""
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ ("SELECT groups.group_id, groups.group_name, groups.group_metadata "
+ "FROM group_users "
+ "INNER JOIN groups ON group_users.group_id=groups.group_id "
+ "WHERE group_users.user_id = ?"),
+ (str(user.user_id),))
+ groups = tuple(
+ Group(UUID(row[0]), row[1], json.loads(row[2] or "{}"))
+ for row in cursor.fetchall())
+
+ if len(groups) > 1:
+ raise MembershipError(user, groups)
+
+ if len(groups) == 1:
+ return Just(groups[0])
+
+ return Nothing
+
+def is_group_leader(conn: db.DbConnection, user: User, group: Group) -> bool:
+ """Check whether the given `user` is the leader of `group`."""
+
+ ugroup = user_group(conn, user).maybe(
+ False, lambda val: val) # type: ignore[arg-type, misc]
+ if not group:
+ # User cannot be a group leader if not a member of ANY group
+ return False
+
+ if not ugroup == group:
+ # User cannot be a group leader if not a member of THIS group
+ return False
+
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ ("SELECT roles.role_name FROM user_roles LEFT JOIN roles "
+ "ON user_roles.role_id = roles.role_id WHERE user_id = ?"),
+ (str(user.user_id),))
+ role_names = tuple(row[0] for row in cursor.fetchall())
+
+ return "group-leader" in role_names
+
+def all_groups(conn: db.DbConnection) -> Maybe[Sequence[Group]]:
+ """Retrieve all existing groups"""
+ with db.cursor(conn) as cursor:
+ cursor.execute("SELECT * FROM groups")
+ res = cursor.fetchall()
+ if res:
+ return Just(tuple(
+ Group(row["group_id"], row["group_name"],
+ json.loads(row["group_metadata"])) for row in res))
+
+ return Nothing
+
+def save_group(
+ cursor: db.DbCursor, group_name: str,
+ group_metadata: dict[str, Any]) -> Group:
+ """Save a group to db"""
+ the_group = Group(uuid4(), group_name, group_metadata)
+ cursor.execute(
+ ("INSERT INTO groups "
+ "VALUES(:group_id, :group_name, :group_metadata) "
+ "ON CONFLICT (group_id) DO UPDATE SET "
+ "group_name=:group_name, group_metadata=:group_metadata"),
+ {"group_id": str(the_group.group_id), "group_name": the_group.group_name,
+ "group_metadata": json.dumps(the_group.group_metadata)})
+ return the_group
+
+def add_user_to_group(cursor: db.DbCursor, the_group: Group, user: User):
+ """Add `user` to `the_group` as a member."""
+ cursor.execute(
+ ("INSERT INTO group_users VALUES (:group_id, :user_id) "
+ "ON CONFLICT (group_id, user_id) DO NOTHING"),
+ {"group_id": str(the_group.group_id), "user_id": str(user.user_id)})
+
+@authorised_p(
+ privileges = ("system:group:view-group",),
+ error_description = (
+ "You do not have the appropriate privileges to access the list of users"
+ " in the group."))
+def group_users(conn: db.DbConnection, group_id: UUID) -> Iterable[User]:
+ """Retrieve all users that are members of group with id `group_id`."""
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ "SELECT u.* FROM group_users AS gu INNER JOIN users AS u "
+ "ON gu.user_id = u.user_id WHERE gu.group_id=:group_id",
+ {"group_id": str(group_id)})
+ results = cursor.fetchall()
+
+ return (User(UUID(row["user_id"]), row["email"], row["name"])
+ for row in results)
+
+@authorised_p(
+ privileges = ("system:group:view-group",),
+ error_description = (
+ "You do not have the appropriate privileges to access the group."))
+def group_by_id(conn: db.DbConnection, group_id: UUID) -> Group:
+ """Retrieve a group by its ID"""
+ with db.cursor(conn) as cursor:
+ cursor.execute("SELECT * FROM groups WHERE group_id=:group_id",
+ {"group_id": str(group_id)})
+ row = cursor.fetchone()
+ if row:
+ return Group(
+ UUID(row["group_id"]),
+ row["group_name"],
+ json.loads(row["group_metadata"]))
+
+ raise NotFoundError(f"Could not find group with ID '{group_id}'.")
+
+@authorised_p(("system:group:view-group", "system:group:edit-group"),
+ error_description=("You do not have the appropriate authorisation"
+ " to act upon the join requests."),
+ oauth2_scope="profile group")
+def join_requests(conn: db.DbConnection, user: User):
+ """List all the join requests for the user's group."""
+ with db.cursor(conn) as cursor:
+ group = user_group(conn, user).maybe(DUMMY_GROUP, lambda grp: grp)# type: ignore[misc]
+ if group != DUMMY_GROUP and is_group_leader(conn, user, group):
+ cursor.execute(
+ "SELECT gjr.*, u.email, u.name FROM group_join_requests AS gjr "
+ "INNER JOIN users AS u ON gjr.requester_id=u.user_id "
+ "WHERE gjr.group_id=? AND gjr.status='PENDING'",
+ (str(group.group_id),))
+ return tuple(dict(row)for row in cursor.fetchall())
+
+ raise AuthorisationError(
+ "You do not have the appropriate authorisation to access the "
+ "group's join requests.")
+
+@authorised_p(("system:group:view-group", "system:group:edit-group"),
+ error_description=("You do not have the appropriate authorisation"
+ " to act upon the join requests."),
+ oauth2_scope="profile group")
+def accept_reject_join_request(
+ conn: db.DbConnection, request_id: UUID, user: User, status: str) -> dict:
+ """Accept/Reject a join request."""
+ assert status in ("ACCEPTED", "REJECTED"), f"Invalid status '{status}'."
+ with db.cursor(conn) as cursor:
+ group = user_group(conn, user).maybe(DUMMY_GROUP, lambda grp: grp) # type: ignore[misc]
+ cursor.execute("SELECT * FROM group_join_requests WHERE request_id=?",
+ (str(request_id),))
+ row = cursor.fetchone()
+ if row:
+ if group.group_id == UUID(row["group_id"]):
+ try:
+ the_user = user_by_id(conn, UUID(row["requester_id"]))
+ if status == "ACCEPTED":
+ add_user_to_group(cursor, group, the_user)
+ revoke_user_role_by_name(cursor, the_user, "group-creator")
+ cursor.execute(
+ "UPDATE group_join_requests SET status=? "
+ "WHERE request_id=?",
+ (status, str(request_id)))
+ return {"request_id": request_id, "status": status}
+ except NotFoundError as nfe:
+ raise InconsistencyError(
+ "Could not find user associated with join request."
+ ) from nfe
+ raise AuthorisationError(
+ "You cannot act on other groups join requests")
+ raise NotFoundError(f"Could not find request with ID '{request_id}'")
+
+def __organise_privileges__(acc, row):
+ role_id = UUID(row["role_id"])
+ role = acc.get(role_id, False)
+ if role:
+ return {
+ **acc,
+ role_id: Role(
+ role.role_id, role.role_name,
+ bool(int(row["user_editable"])),
+ role.privileges + (
+ Privilege(row["privilege_id"],
+ row["privilege_description"]),))
+ }
+ return {
+ **acc,
+ role_id: Role(
+ UUID(row["role_id"]), row["role_name"],
+ bool(int(row["user_editable"])),
+ (Privilege(row["privilege_id"], row["privilege_description"]),))
+ }
+
+# @authorised_p(("group:role:view",),
+# "Insufficient privileges to view role",
+# oauth2_scope="profile group role")
+def group_role_by_id(
+ conn: db.DbConnection, group: Group, group_role_id: UUID) -> GroupRole:
+ """Retrieve GroupRole from id by its `group_role_id`."""
+ ## TODO: do privileges check before running actual query
+ ## the check commented out above doesn't work correctly
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ "SELECT gr.group_role_id, r.*, p.* "
+ "FROM group_roles AS gr "
+ "INNER JOIN roles AS r ON gr.role_id=r.role_id "
+ "INNER JOIN role_privileges AS rp ON rp.role_id=r.role_id "
+ "INNER JOIN privileges AS p ON p.privilege_id=rp.privilege_id "
+ "WHERE gr.group_role_id=? AND gr.group_id=?",
+ (str(group_role_id), str(group.group_id)))
+ rows = cursor.fetchall()
+ if rows:
+ roles: tuple[Role,...] = tuple(reduce(
+ __organise_privileges__, rows, {}).values())
+ assert len(roles) == 1
+ return GroupRole(group_role_id, group, roles[0])
+ raise NotFoundError(
+ f"Group role with ID '{group_role_id}' does not exist.")
+
+@authorised_p(("group:role:edit-role",),
+ "You do not have the privilege to edit a role.",
+ oauth2_scope="profile group role")
+def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
+ privilege: Privilege) -> GroupRole:
+ """Add `privilege` to `group_role`."""
+ ## TODO: do privileges check.
+ check_user_editable(group_role.role)
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ "INSERT INTO role_privileges(role_id,privilege_id) "
+ "VALUES (?, ?) ON CONFLICT (role_id, privilege_id) "
+ "DO NOTHING",
+ (str(group_role.role.role_id), str(privilege.privilege_id)))
+ return GroupRole(
+ group_role.group_role_id,
+ group_role.group,
+ Role(group_role.role.role_id,
+ group_role.role.role_name,
+ group_role.role.user_editable,
+ group_role.role.privileges + (privilege,)))
+
+@authorised_p(("group:role:edit-role",),
+ "You do not have the privilege to edit a role.",
+ oauth2_scope="profile group role")
+def delete_privilege_from_group_role(
+ conn: db.DbConnection, group_role: GroupRole,
+ privilege: Privilege) -> GroupRole:
+ """Delete `privilege` to `group_role`."""
+ ## TODO: do privileges check.
+ check_user_editable(group_role.role)
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ "DELETE FROM role_privileges WHERE "
+ "role_id=? AND privilege_id=?",
+ (str(group_role.role.role_id), str(privilege.privilege_id)))
+ return GroupRole(
+ group_role.group_role_id,
+ group_role.group,
+ Role(group_role.role.role_id,
+ group_role.role.role_name,
+ group_role.role.user_editable,
+ tuple(priv for priv in group_role.role.privileges
+ if priv != privilege)))
+
+def resource_owner(conn: db.DbConnection, resource: Resource) -> Group:
+ """Return the user group that owns the resource."""
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ "SELECT g.* FROM resource_ownership AS ro "
+ "INNER JOIN groups AS g ON ro.group_id=g.group_id "
+ "WHERE ro.resource_id=?",
+ (str(resource.resource_id),))
+ row = cursor.fetchone()
+ if row:
+ return Group(
+ UUID(row["group_id"]),
+ row["group_name"],
+ json.loads(row["group_metadata"]))
+
+ raise MissingGroupError("Resource has no 'owning' group.")
diff --git a/gn_auth/auth/authorisation/resources/groups/views.py b/gn_auth/auth/authorisation/resources/groups/views.py
new file mode 100644
index 0000000..f146ffd
--- /dev/null
+++ b/gn_auth/auth/authorisation/resources/groups/views.py
@@ -0,0 +1,432 @@
+"""
+The views/routes for the `gn3.auth.authorisation.resources.groups` package.
+"""
+import uuid
+import datetime
+from typing import Iterable
+from functools import partial
+
+from MySQLdb.cursors import DictCursor
+from flask import request, jsonify, Response, Blueprint, current_app
+
+from gn_auth.auth.db import sqlite3 as db
+from gn_auth.auth.db import mariadb as gn3db
+from gn_auth.auth.db.sqlite3 import with_db_connection
+from gn_auth.auth.dictify import dictify
+
+from gn_auth.auth.authorisation.roles.models import Role
+from gn_auth.auth.authorisation.roles.models import user_roles
+
+from gn_auth.auth.authorisation.checks import authorised_p
+from gn_auth.auth.authorisation.privileges import Privilege, privileges_by_ids
+from gn_auth.auth.authorisation.errors import InvalidData, NotFoundError, AuthorisationError
+
+from gn_auth.auth.authentication.users import User
+from gn_auth.auth.authentication.oauth2.resource_server import require_oauth
+
+from .data import link_data_to_group
+from .models import (
+ Group, user_group, all_groups, DUMMY_GROUP, GroupRole, group_by_id,
+ join_requests, group_role_by_id, GroupCreationError,
+ accept_reject_join_request, group_users as _group_users,
+ create_group as _create_group, add_privilege_to_group_role,
+ delete_privilege_from_group_role, create_group_role as _create_group_role)
+
+groups = Blueprint("groups", __name__)
+
+@groups.route("/list", methods=["GET"])
+@require_oauth("profile group")
+def list_groups():
+ """Return the list of groups that exist."""
+ with db.connection(current_app.config["AUTH_DB"]) as conn:
+ the_groups = all_groups(conn)
+
+ return jsonify(the_groups.maybe(
+ [], lambda grps: [dictify(grp) for grp in grps]))
+
+@groups.route("/create", methods=["POST"])
+@require_oauth("profile group")
+def create_group():
+ """Create a new group."""
+ with require_oauth.acquire("profile group") as the_token:
+ group_name=request.form.get("group_name", "").strip()
+ if not bool(group_name):
+ raise GroupCreationError("Could not create the group.")
+
+ db_uri = current_app.config["AUTH_DB"]
+ with db.connection(db_uri) as conn:
+ user = the_token.user
+ new_group = _create_group(
+ conn, group_name, user, request.form.get("group_description"))
+ return jsonify({
+ **dictify(new_group), "group_leader": dictify(user)
+ })
+
+@groups.route("/members/<uuid:group_id>", methods=["GET"])
+@require_oauth("profile group")
+def group_members(group_id: uuid.UUID) -> Response:
+ """Retrieve all the members of a group."""
+ with require_oauth.acquire("profile group") as the_token:# pylint: disable=[unused-variable]
+ db_uri = current_app.config["AUTH_DB"]
+ ## Check that user has appropriate privileges and remove the pylint disable above
+ with db.connection(db_uri) as conn:
+ return jsonify(tuple(
+ dictify(user) for user in _group_users(conn, group_id)))
+
+@groups.route("/requests/join/<uuid:group_id>", methods=["POST"])
+@require_oauth("profile group")
+def request_to_join(group_id: uuid.UUID) -> Response:
+ """Request to join a group."""
+ def __request__(conn: db.DbConnection, user: User, group_id: uuid.UUID,
+ message: str):
+ with db.cursor(conn) as cursor:
+ group = user_group(conn, user).maybe(# type: ignore[misc]
+ False, lambda grp: grp)# type: ignore[arg-type]
+ if group:
+ error = AuthorisationError(
+ "You cannot request to join a new group while being a "
+ "member of an existing group.")
+ error.error_code = 400
+ raise error
+ request_id = uuid.uuid4()
+ cursor.execute(
+ "INSERT INTO group_join_requests VALUES "
+ "(:request_id, :group_id, :user_id, :ts, :status, :msg)",
+ {
+ "request_id": str(request_id),
+ "group_id": str(group_id),
+ "user_id": str(user.user_id),
+ "ts": datetime.datetime.now().timestamp(),
+ "status": "PENDING",
+ "msg": message
+ })
+ return {
+ "request_id": request_id,
+ "message": "Successfully sent the join request."
+ }
+
+ with require_oauth.acquire("profile group") as the_token:
+ form = request.form
+ results = with_db_connection(partial(
+ __request__, user=the_token.user, group_id=group_id, message=form.get(
+ "message", "I hereby request that you add me to your group.")))
+ return jsonify(results)
+
+@groups.route("/requests/join/list", methods=["GET"])
+@require_oauth("profile group")
+def list_join_requests() -> Response:
+ """List the pending join requests."""
+ with require_oauth.acquire("profile group") as the_token:
+ return jsonify(with_db_connection(partial(
+ join_requests, user=the_token.user)))
+
+@groups.route("/requests/join/accept", methods=["POST"])
+@require_oauth("profile group")
+def accept_join_requests() -> Response:
+ """Accept a join request."""
+ with require_oauth.acquire("profile group") as the_token:
+ form = request.form
+ request_id = uuid.UUID(form.get("request_id"))
+ return jsonify(with_db_connection(partial(
+ accept_reject_join_request, request_id=request_id,
+ user=the_token.user, status="ACCEPTED")))
+
+@groups.route("/requests/join/reject", methods=["POST"])
+@require_oauth("profile group")
+def reject_join_requests() -> Response:
+ """Reject a join request."""
+ with require_oauth.acquire("profile group") as the_token:
+ form = request.form
+ request_id = uuid.UUID(form.get("request_id"))
+ return jsonify(with_db_connection(partial(
+ accept_reject_join_request, request_id=request_id,
+ user=the_token.user, status="REJECTED")))
+
+def unlinked_mrna_data(
+ conn: db.DbConnection, group: Group) -> tuple[dict, ...]:
+ """
+ Retrieve all mRNA Assay data linked to a group but not linked to any
+ resource.
+ """
+ query = (
+ "SELECT lmd.* FROM linked_mrna_data lmd "
+ "LEFT JOIN mrna_resources mr ON lmd.data_link_id=mr.data_link_id "
+ "WHERE lmd.group_id=? AND mr.data_link_id IS NULL")
+ with db.cursor(conn) as cursor:
+ cursor.execute(query, (str(group.group_id),))
+ return tuple(dict(row) for row in cursor.fetchall())
+
+def unlinked_genotype_data(
+ conn: db.DbConnection, group: Group) -> tuple[dict, ...]:
+ """
+ Retrieve all genotype data linked to a group but not linked to any resource.
+ """
+ query = (
+ "SELECT lgd.* FROM linked_genotype_data lgd "
+ "LEFT JOIN genotype_resources gr ON lgd.data_link_id=gr.data_link_id "
+ "WHERE lgd.group_id=? AND gr.data_link_id IS NULL")
+ with db.cursor(conn) as cursor:
+ cursor.execute(query, (str(group.group_id),))
+ return tuple(dict(row) for row in cursor.fetchall())
+
+def unlinked_phenotype_data(
+ authconn: db.DbConnection, gn3conn: gn3db.DbConnection,
+ group: Group) -> tuple[dict, ...]:
+ """
+ Retrieve all phenotype data linked to a group but not linked to any
+ resource.
+ """
+ with db.cursor(authconn) as authcur, gn3conn.cursor(DictCursor) as gn3cur:
+ authcur.execute(
+ "SELECT lpd.* FROM linked_phenotype_data AS lpd "
+ "LEFT JOIN phenotype_resources AS pr "
+ "ON lpd.data_link_id=pr.data_link_id "
+ "WHERE lpd.group_id=? AND pr.data_link_id IS NULL",
+ (str(group.group_id),))
+ results = authcur.fetchall()
+ ids: dict[tuple[str, ...], str] = {
+ (
+ row["SpeciesId"], row["InbredSetId"], row["PublishFreezeId"],
+ row["PublishXRefId"]): row["data_link_id"]
+ for row in results
+ }
+ if len(ids.keys()) < 1:
+ return tuple()
+ paramstr = ", ".join(["(%s, %s, %s, %s)"] * len(ids.keys()))
+ gn3cur.execute(
+ "SELECT spc.SpeciesId, spc.SpeciesName, iset.InbredSetId, "
+ "iset.InbredSetName, pf.Id AS PublishFreezeId, "
+ "pf.Name AS dataset_name, pf.FullName AS dataset_fullname, "
+ "pf.ShortName AS dataset_shortname, pxr.Id AS PublishXRefId, "
+ "pub.PubMed_ID, pub.Title, pub.Year, "
+ "phen.Pre_publication_description, "
+ "phen.Post_publication_description, phen.Original_description "
+ "FROM "
+ "Species AS spc "
+ "INNER JOIN InbredSet AS iset "
+ "ON spc.SpeciesId=iset.SpeciesId "
+ "INNER JOIN PublishFreeze AS pf "
+ "ON iset.InbredSetId=pf.InbredSetId "
+ "INNER JOIN PublishXRef AS pxr "
+ "ON pf.InbredSetId=pxr.InbredSetId "
+ "INNER JOIN Publication AS pub "
+ "ON pxr.PublicationId=pub.Id "
+ "INNER JOIN Phenotype AS phen "
+ "ON pxr.PhenotypeId=phen.Id "
+ "WHERE (spc.SpeciesId, iset.InbredSetId, pf.Id, pxr.Id) "
+ f"IN ({paramstr})",
+ tuple(item for sublist in ids.keys() for item in sublist))
+ return tuple({
+ **{key: value for key, value in row.items() if key not in
+ ("Post_publication_description", "Pre_publication_description",
+ "Original_description")},
+ "description": (
+ row["Post_publication_description"] or
+ row["Pre_publication_description"] or
+ row["Original_description"]),
+ "data_link_id": ids[tuple(str(row[key]) for key in (
+ "SpeciesId", "InbredSetId", "PublishFreezeId",
+ "PublishXRefId"))]
+ } for row in gn3cur.fetchall())
+
+@groups.route("/<string:resource_type>/unlinked-data")
+@require_oauth("profile group resource")
+def unlinked_data(resource_type: str) -> Response:
+ """View data linked to the group but not linked to any resource."""
+ if resource_type not in ("all", "mrna", "genotype", "phenotype"):
+ raise AuthorisationError(f"Invalid resource type {resource_type}")
+
+ with require_oauth.acquire("profile group resource") as the_token:
+ db_uri = current_app.config["AUTH_DB"]
+ gn3db_uri = current_app.config["SQL_URI"]
+ with (db.connection(db_uri) as authconn,
+ gn3db.database_connection(gn3db_uri) as gn3conn):
+ ugroup = user_group(authconn, the_token.user).maybe(# type: ignore[misc]
+ DUMMY_GROUP, lambda grp: grp)
+ if ugroup == DUMMY_GROUP:
+ return jsonify(tuple())
+
+ unlinked_fns = {
+ "mrna": unlinked_mrna_data,
+ "genotype": unlinked_genotype_data,
+ "phenotype": lambda conn, grp: partial(
+ unlinked_phenotype_data, gn3conn=gn3conn)(
+ authconn=conn, group=grp)
+ }
+ return jsonify(tuple(
+ dict(row) for row in unlinked_fns[resource_type](
+ authconn, ugroup)))
+
+ return jsonify(tuple())
+
+@groups.route("/data/link", methods=["POST"])
+@require_oauth("profile group resource")
+def link_data() -> Response:
+ """Link selected data to specified group."""
+ with require_oauth.acquire("profile group resource") as _the_token:
+ form = request.form
+ group_id = uuid.UUID(form["group_id"])
+ dataset_ids = form.getlist("dataset_ids")
+ dataset_type = form.get("dataset_type")
+ if dataset_type not in ("mrna", "genotype", "phenotype"):
+ raise InvalidData("Unexpected dataset type requested!")
+ def __link__(conn: db.DbConnection):
+ group = group_by_id(conn, group_id)
+ with gn3db.database_connection(current_app.config["SQL_URI"]) as gn3conn:
+ return link_data_to_group(
+ conn, gn3conn, dataset_type, dataset_ids, group)
+
+ return jsonify(with_db_connection(__link__))
+
+@groups.route("/roles", methods=["GET"])
+@require_oauth("profile group")
+def group_roles():
+ """Return a list of all available group roles."""
+ with require_oauth.acquire("profile group role") as the_token:
+ def __list_roles__(conn: db.DbConnection):
+ ## TODO: Check that user has appropriate privileges
+ with db.cursor(conn) as cursor:
+ group = user_group(conn, the_token.user).maybe(# type: ignore[misc]
+ DUMMY_GROUP, lambda grp: grp)
+ if group == DUMMY_GROUP:
+ return tuple()
+ cursor.execute(
+ "SELECT gr.group_role_id, r.* "
+ "FROM group_roles AS gr INNER JOIN roles AS r "
+ "ON gr.role_id=r.role_id "
+ "WHERE group_id=?",
+ (str(group.group_id),))
+ return tuple(
+ GroupRole(uuid.UUID(row["group_role_id"]),
+ group,
+ Role(uuid.UUID(row["role_id"]),
+ row["role_name"],
+ bool(int(row["user_editable"])),
+ tuple()))
+ for row in cursor.fetchall())
+ return jsonify(tuple(
+ dictify(role) for role in with_db_connection(__list_roles__)))
+
+@groups.route("/privileges", methods=["GET"])
+@require_oauth("profile group")
+def group_privileges():
+ """Return a list of all available group roles."""
+ with require_oauth.acquire("profile group role") as the_token:
+ def __list_privileges__(conn: db.DbConnection) -> Iterable[Privilege]:
+ ## TODO: Check that user has appropriate privileges
+ this_user_roles = user_roles(conn, the_token.user)
+ with db.cursor(conn) as cursor:
+ cursor.execute("SELECT * FROM privileges "
+ "WHERE privilege_id LIKE 'group:%'")
+ group_level_roles = tuple(
+ Privilege(row["privilege_id"], row["privilege_description"])
+ for row in cursor.fetchall())
+ return tuple(privilege for arole in this_user_roles
+ for privilege in arole.privileges) + group_level_roles
+ return jsonify(tuple(
+ dictify(priv) for priv in with_db_connection(__list_privileges__)))
+
+
+
+@groups.route("/role/create", methods=["POST"])
+@require_oauth("profile group")
+def create_group_role():
+ """Create a new group role."""
+ with require_oauth.acquire("profile group role") as the_token:
+ ## TODO: Check that user has appropriate privileges
+ @authorised_p(("group:role:create-role",),
+ "You do not have the privilege to create new roles",
+ oauth2_scope="profile group role")
+ def __create__(conn: db.DbConnection) -> GroupRole:
+ ## TODO: Check user cannot assign any privilege they don't have.
+ form = request.form
+ role_name = form.get("role_name", "").strip()
+ privileges_ids = form.getlist("privileges[]")
+ if len(role_name) == 0:
+ raise InvalidData("Role name not provided!")
+ if len(privileges_ids) == 0:
+ raise InvalidData(
+ "At least one privilege needs to be provided.")
+
+ group = user_group(conn, the_token.user).maybe(# type: ignore[misc]
+ DUMMY_GROUP, lambda grp: grp)
+
+ if group == DUMMY_GROUP:
+ raise AuthorisationError(
+ "A user without a group cannot create a new role.")
+ privileges = privileges_by_ids(conn, tuple(privileges_ids))
+ if len(privileges_ids) != len(privileges):
+ raise InvalidData(
+ f"{len(privileges_ids) - len(privileges)} of the selected "
+ "privileges were not found in the database.")
+
+ return _create_group_role(conn, group, role_name, privileges)
+
+ return jsonify(with_db_connection(__create__))
+
+@groups.route("/role/<uuid:group_role_id>", methods=["GET"])
+@require_oauth("profile group")
+def view_group_role(group_role_id: uuid.UUID):
+ """Return the details of the given role."""
+ with require_oauth.acquire("profile group role") as the_token:
+ def __group_role__(conn: db.DbConnection) -> GroupRole:
+ group = user_group(conn, the_token.user).maybe(#type: ignore[misc]
+ DUMMY_GROUP, lambda grp: grp)
+
+ if group == DUMMY_GROUP:
+ raise AuthorisationError(
+ "A user without a group cannot view group roles.")
+ return group_role_by_id(conn, group, group_role_id)
+ return jsonify(dictify(with_db_connection(__group_role__)))
+
+def __add_remove_priv_to_from_role__(conn: db.DbConnection,
+ group_role_id: uuid.UUID,
+ direction: str,
+ user: User) -> GroupRole:
+ assert direction in ("ADD", "DELETE")
+ group = user_group(conn, user).maybe(# type: ignore[misc]
+ DUMMY_GROUP, lambda grp: grp)
+
+ if group == DUMMY_GROUP:
+ raise AuthorisationError(
+ "You need to be a member of a group to edit roles.")
+ try:
+ privilege_id = request.form.get("privilege_id", "")
+ assert bool(privilege_id), "Privilege to add must be provided."
+ privileges = privileges_by_ids(conn, (privilege_id,))
+ if len(privileges) == 0:
+ raise NotFoundError("Privilege not found.")
+ dir_fns = {
+ "ADD": add_privilege_to_group_role,
+ "DELETE": delete_privilege_from_group_role
+ }
+ return dir_fns[direction](
+ conn,
+ group_role_by_id(conn, group, group_role_id),
+ privileges[0])
+ except AssertionError as aerr:
+ raise InvalidData(aerr.args[0]) from aerr
+
+@groups.route("/role/<uuid:group_role_id>/privilege/add", methods=["POST"])
+@require_oauth("profile group")
+def add_priv_to_role(group_role_id: uuid.UUID) -> Response:
+ """Add privilege to group role."""
+ with require_oauth.acquire("profile group role") as the_token:
+ return jsonify({
+ **dictify(with_db_connection(partial(
+ __add_remove_priv_to_from_role__, group_role_id=group_role_id,
+ direction="ADD", user=the_token.user))),
+ "description": "Privilege added successfully"
+ })
+
+@groups.route("/role/<uuid:group_role_id>/privilege/delete", methods=["POST"])
+@require_oauth("profile group")
+def delete_priv_from_role(group_role_id: uuid.UUID) -> Response:
+ """Delete privilege from group role."""
+ with require_oauth.acquire("profile group role") as the_token:
+ return jsonify({
+ **dictify(with_db_connection(partial(
+ __add_remove_priv_to_from_role__, group_role_id=group_role_id,
+ direction="DELETE", user=the_token.user))),
+ "description": "Privilege deleted successfully"
+ })