diff options
Diffstat (limited to 'gn_auth')
-rw-r--r-- | gn_auth/auth/authorisation/resources/system/__init__.py | 1 | ||||
-rw-r--r-- | gn_auth/auth/authorisation/resources/system/models.py | 47 | ||||
-rw-r--r-- | gn_auth/auth/authorisation/resources/system/views.py | 20 | ||||
-rw-r--r-- | gn_auth/auth/views.py | 2 |
4 files changed, 70 insertions, 0 deletions
diff --git a/gn_auth/auth/authorisation/resources/system/__init__.py b/gn_auth/auth/authorisation/resources/system/__init__.py new file mode 100644 index 0000000..50584d7 --- /dev/null +++ b/gn_auth/auth/authorisation/resources/system/__init__.py @@ -0,0 +1 @@ +"""System resource(s) package initialisation.""" diff --git a/gn_auth/auth/authorisation/resources/system/models.py b/gn_auth/auth/authorisation/resources/system/models.py new file mode 100644 index 0000000..7c176aa --- /dev/null +++ b/gn_auth/auth/authorisation/resources/system/models.py @@ -0,0 +1,47 @@ +"""Base functions and utilities for system resources.""" +from uuid import UUID +from functools import reduce +from typing import Sequence + +from gn_auth.auth.db import sqlite3 as db + +from gn_auth.auth.authentication.users import User + +from gn_auth.auth.authorisation.roles import Role +from gn_auth.auth.authorisation.privileges import Privilege + +def __organise_privileges__(acc, row): + role_id = UUID(row["role_id"]) + role = acc.get(role_id, Role( + role_id, row["role_name"], bool(int(row["user_editable"])), tuple())) + return { + **acc, + role_id: Role( + role.role_id, + role.role_name, + role.user_editable, + (role.privileges + + (Privilege(row["privilege_id"], row["privilege_description"]),))) + } + +def user_roles_on_system(conn: db.DbConnection, user: User) -> Sequence[Role]: + """ + Retrieve all roles assigned to the `user` that act on `system` resources. + """ + with db.cursor(conn) as cursor: + role_ids_query = ( + "SELECT ur.role_id FROM user_roles AS ur INNER JOIN resources AS r " + "ON ur.resource_id=r.resource_id " + "INNER JOIN resource_categories AS rc " + "ON r.resource_category_id=rc.resource_category_id " + "WHERE user_id=? AND rc.resource_category_key='system'") + cursor.execute( + "SELECT r.*, p.* FROM roles AS r " + "INNER JOIN role_privileges AS rp ON r.role_id=rp.role_id " + "INNER JOIN privileges AS p ON rp.privilege_id=p.privilege_id " + f"WHERE r.role_id IN ({role_ids_query})", + (str(user.user_id),)) + + return tuple(reduce( + __organise_privileges__, cursor.fetchall(), {}).values()) + return tuple() diff --git a/gn_auth/auth/authorisation/resources/system/views.py b/gn_auth/auth/authorisation/resources/system/views.py new file mode 100644 index 0000000..70e28d6 --- /dev/null +++ b/gn_auth/auth/authorisation/resources/system/views.py @@ -0,0 +1,20 @@ +"""Views relating to `System` resource(s).""" +from flask import jsonify, Blueprint + +from gn_auth.auth.db.sqlite3 import with_db_connection + +from gn_auth.auth.authentication.oauth2.resource_server import require_oauth + +from gn_auth.auth.dictify import dictify + +from .models import user_roles_on_system + +system = Blueprint("system", __name__) + +@system.route("/roles") +def system_roles(): + """Get the roles that a user has that act on the system.""" + with require_oauth.acquire("profile group") as the_token: + roles = with_db_connection( + lambda conn: user_roles_on_system(conn, the_token.user)) + return jsonify(tuple(dictify(role) for role in roles)) diff --git a/gn_auth/auth/views.py b/gn_auth/auth/views.py index cd1cb6f..1060ea9 100644 --- a/gn_auth/auth/views.py +++ b/gn_auth/auth/views.py @@ -9,6 +9,7 @@ from .authorisation.users.admin import admin from .authorisation.roles.views import roles from .authorisation.resources.views import resources from .authorisation.resources.groups.views import groups +from .authorisation.resources.system.views import system oauth2 = Blueprint("oauth2", __name__) @@ -18,4 +19,5 @@ oauth2.register_blueprint(users, url_prefix="/user") oauth2.register_blueprint(roles, url_prefix="/role") oauth2.register_blueprint(admin, url_prefix="/admin") oauth2.register_blueprint(groups, url_prefix="/group") +oauth2.register_blueprint(system, url_prefix="/system") oauth2.register_blueprint(resources, url_prefix="/resource") |