aboutsummaryrefslogtreecommitdiff
path: root/gn_auth
diff options
context:
space:
mode:
Diffstat (limited to 'gn_auth')
-rw-r--r--gn_auth/auth/authorisation/resources/system/__init__.py1
-rw-r--r--gn_auth/auth/authorisation/resources/system/models.py47
-rw-r--r--gn_auth/auth/authorisation/resources/system/views.py20
-rw-r--r--gn_auth/auth/views.py2
4 files changed, 70 insertions, 0 deletions
diff --git a/gn_auth/auth/authorisation/resources/system/__init__.py b/gn_auth/auth/authorisation/resources/system/__init__.py
new file mode 100644
index 0000000..50584d7
--- /dev/null
+++ b/gn_auth/auth/authorisation/resources/system/__init__.py
@@ -0,0 +1 @@
+"""System resource(s) package initialisation."""
diff --git a/gn_auth/auth/authorisation/resources/system/models.py b/gn_auth/auth/authorisation/resources/system/models.py
new file mode 100644
index 0000000..7c176aa
--- /dev/null
+++ b/gn_auth/auth/authorisation/resources/system/models.py
@@ -0,0 +1,47 @@
+"""Base functions and utilities for system resources."""
+from uuid import UUID
+from functools import reduce
+from typing import Sequence
+
+from gn_auth.auth.db import sqlite3 as db
+
+from gn_auth.auth.authentication.users import User
+
+from gn_auth.auth.authorisation.roles import Role
+from gn_auth.auth.authorisation.privileges import Privilege
+
+def __organise_privileges__(acc, row):
+ role_id = UUID(row["role_id"])
+ role = acc.get(role_id, Role(
+ role_id, row["role_name"], bool(int(row["user_editable"])), tuple()))
+ return {
+ **acc,
+ role_id: Role(
+ role.role_id,
+ role.role_name,
+ role.user_editable,
+ (role.privileges +
+ (Privilege(row["privilege_id"], row["privilege_description"]),)))
+ }
+
+def user_roles_on_system(conn: db.DbConnection, user: User) -> Sequence[Role]:
+ """
+ Retrieve all roles assigned to the `user` that act on `system` resources.
+ """
+ with db.cursor(conn) as cursor:
+ role_ids_query = (
+ "SELECT ur.role_id FROM user_roles AS ur INNER JOIN resources AS r "
+ "ON ur.resource_id=r.resource_id "
+ "INNER JOIN resource_categories AS rc "
+ "ON r.resource_category_id=rc.resource_category_id "
+ "WHERE user_id=? AND rc.resource_category_key='system'")
+ cursor.execute(
+ "SELECT r.*, p.* FROM roles AS r "
+ "INNER JOIN role_privileges AS rp ON r.role_id=rp.role_id "
+ "INNER JOIN privileges AS p ON rp.privilege_id=p.privilege_id "
+ f"WHERE r.role_id IN ({role_ids_query})",
+ (str(user.user_id),))
+
+ return tuple(reduce(
+ __organise_privileges__, cursor.fetchall(), {}).values())
+ return tuple()
diff --git a/gn_auth/auth/authorisation/resources/system/views.py b/gn_auth/auth/authorisation/resources/system/views.py
new file mode 100644
index 0000000..70e28d6
--- /dev/null
+++ b/gn_auth/auth/authorisation/resources/system/views.py
@@ -0,0 +1,20 @@
+"""Views relating to `System` resource(s)."""
+from flask import jsonify, Blueprint
+
+from gn_auth.auth.db.sqlite3 import with_db_connection
+
+from gn_auth.auth.authentication.oauth2.resource_server import require_oauth
+
+from gn_auth.auth.dictify import dictify
+
+from .models import user_roles_on_system
+
+system = Blueprint("system", __name__)
+
+@system.route("/roles")
+def system_roles():
+ """Get the roles that a user has that act on the system."""
+ with require_oauth.acquire("profile group") as the_token:
+ roles = with_db_connection(
+ lambda conn: user_roles_on_system(conn, the_token.user))
+ return jsonify(tuple(dictify(role) for role in roles))
diff --git a/gn_auth/auth/views.py b/gn_auth/auth/views.py
index cd1cb6f..1060ea9 100644
--- a/gn_auth/auth/views.py
+++ b/gn_auth/auth/views.py
@@ -9,6 +9,7 @@ from .authorisation.users.admin import admin
from .authorisation.roles.views import roles
from .authorisation.resources.views import resources
from .authorisation.resources.groups.views import groups
+from .authorisation.resources.system.views import system
oauth2 = Blueprint("oauth2", __name__)
@@ -18,4 +19,5 @@ oauth2.register_blueprint(users, url_prefix="/user")
oauth2.register_blueprint(roles, url_prefix="/role")
oauth2.register_blueprint(admin, url_prefix="/admin")
oauth2.register_blueprint(groups, url_prefix="/group")
+oauth2.register_blueprint(system, url_prefix="/system")
oauth2.register_blueprint(resources, url_prefix="/resource")