From 50e458b8951f036c487d7854ebe438e4dfbd6c4f Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Fri, 7 Jun 2024 11:44:37 -0500 Subject: Update role assignment: user resource_roles table We no longer use the group_roles table, and have moved to the less privilege-escalation-prone resource_roles table. This commit updates the queries to use the newer resource_roles table. --- gn_auth/auth/authorisation/resources/models.py | 20 ++++++++++---------- scripts/migrate_existing_data.py | 6 ++---- 2 files changed, 12 insertions(+), 14 deletions(-) diff --git a/gn_auth/auth/authorisation/resources/models.py b/gn_auth/auth/authorisation/resources/models.py index e23aac5..95a7f1c 100644 --- a/gn_auth/auth/authorisation/resources/models.py +++ b/gn_auth/auth/authorisation/resources/models.py @@ -34,22 +34,22 @@ from .phenotype import ( from .errors import MissingGroupError -def __assign_resource_owner_role__(cursor, resource, user, group): +def __assign_resource_owner_role__(cursor, resource, user): """Assign `user` the 'Resource Owner' role for `resource`.""" cursor.execute( - "SELECT gr.* FROM group_roles AS gr INNER JOIN roles AS r " - "ON gr.role_id=r.role_id WHERE r.role_name='resource-owner' " - "AND gr.group_id=?", - (str(group.group_id),)) + "SELECT rr.* FROM resource_roles AS rr INNER JOIN roles AS r " + "ON rr.role_id=r.role_id WHERE r.role_name='resource-owner' " + "AND rr.resource_id=?", + (str(resource.resource_id),)) role = cursor.fetchone() if not role: cursor.execute("SELECT * FROM roles WHERE role_name='resource-owner'") role = cursor.fetchone() cursor.execute( - "INSERT INTO group_roles VALUES " - "(:group_role_id, :group_id, :role_id)", - {"group_role_id": str(uuid4()), - "group_id": str(group.group_id), + "INSERT INTO resource_roles(resource_id, role_created_by, role_id) " + "VALUES (:resource_id, :user_id, :role_id)", + {"resource_id": str(resource.resource_id), + "user_id": str(user.user_id), "role_id": role["role_id"]}) cursor.execute( @@ -86,7 +86,7 @@ def create_resource( cursor.execute("INSERT INTO resource_ownership (group_id, resource_id) " "VALUES (?, ?)", (str(group.group_id), str(resource.resource_id))) - __assign_resource_owner_role__(cursor, resource, user, group) + __assign_resource_owner_role__(cursor, resource, user) return resource diff --git a/scripts/migrate_existing_data.py b/scripts/migrate_existing_data.py index 1b44666..336ce72 100644 --- a/scripts/migrate_existing_data.py +++ b/scripts/migrate_existing_data.py @@ -383,15 +383,13 @@ def entry(authdbpath, mysqldburi): biodb.database_connection(mysqldburi) as bioconn): admin = select_sys_admin(sys_admins(authconn)) the_admin_group = admin_group(authconn, admin) - resources = default_resources( - authconn, the_admin_group) + resources = default_resources(authconn, the_admin_group) add_resources_to_group(authconn, resources, the_admin_group) for resource in resources: assign_data_to_resource( authconn, bioconn, resource, the_admin_group) with authdb.cursor(authconn) as cursor: - __assign_resource_owner_role__( - cursor, resource, admin, the_admin_group) + __assign_resource_owner_role__(cursor, resource, admin) except DataNotFound as dnf: print(dnf.args[0], file=sys.stderr) sys.exit(1) -- cgit v1.2.3