From e19b01571ce61e01f482a1dadeeb2fd835fda939 Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Thu, 14 Sep 2023 12:06:23 +0300 Subject: Move `groups` package under `resources` package With user groups being resources that users can act on (with the recent changes), this commit moves the `groups` module to under the `resources` module. It also renames the `*_resources.py` modules by dropping the `_resources` part since the code is under the `resources` module anyway. --- gn_auth/auth/authorisation/data/genotypes.py | 10 +- gn_auth/auth/authorisation/data/mrna.py | 10 +- gn_auth/auth/authorisation/data/phenotypes.py | 11 +- gn_auth/auth/authorisation/data/views.py | 4 +- gn_auth/auth/authorisation/groups/__init__.py | 3 - gn_auth/auth/authorisation/groups/data.py | 107 ----- gn_auth/auth/authorisation/groups/models.py | 433 -------------------- gn_auth/auth/authorisation/groups/views.py | 431 -------------------- gn_auth/auth/authorisation/resources/errors.py | 6 + gn_auth/auth/authorisation/resources/genotype.py | 69 ++++ .../authorisation/resources/genotype_resource.py | 69 ---- .../authorisation/resources/groups/__init__.py | 3 + .../auth/authorisation/resources/groups/data.py | 107 +++++ .../auth/authorisation/resources/groups/models.py | 453 +++++++++++++++++++++ .../auth/authorisation/resources/groups/views.py | 432 ++++++++++++++++++++ gn_auth/auth/authorisation/resources/models.py | 46 +-- gn_auth/auth/authorisation/resources/mrna.py | 66 +++ .../auth/authorisation/resources/mrna_resource.py | 66 --- gn_auth/auth/authorisation/resources/phenotype.py | 71 ++++ .../authorisation/resources/phenotype_resource.py | 71 ---- gn_auth/auth/authorisation/resources/views.py | 28 +- gn_auth/auth/authorisation/users/views.py | 30 +- gn_auth/auth/views.py | 2 +- scripts/migrate_existing_data.py | 3 +- tests/unit/auth/fixtures/group_fixtures.py | 2 +- tests/unit/auth/test_groups.py | 12 +- tests/unit/auth/test_resources.py | 2 +- 27 files changed, 1280 insertions(+), 1267 deletions(-) delete mode 100644 gn_auth/auth/authorisation/groups/__init__.py delete mode 100644 gn_auth/auth/authorisation/groups/data.py delete mode 100644 gn_auth/auth/authorisation/groups/models.py delete mode 100644 gn_auth/auth/authorisation/groups/views.py create mode 100644 gn_auth/auth/authorisation/resources/errors.py create mode 100644 gn_auth/auth/authorisation/resources/genotype.py delete mode 100644 gn_auth/auth/authorisation/resources/genotype_resource.py create mode 100644 gn_auth/auth/authorisation/resources/groups/__init__.py create mode 100644 gn_auth/auth/authorisation/resources/groups/data.py create mode 100644 gn_auth/auth/authorisation/resources/groups/models.py create mode 100644 gn_auth/auth/authorisation/resources/groups/views.py create mode 100644 gn_auth/auth/authorisation/resources/mrna.py delete mode 100644 gn_auth/auth/authorisation/resources/mrna_resource.py create mode 100644 gn_auth/auth/authorisation/resources/phenotype.py delete mode 100644 gn_auth/auth/authorisation/resources/phenotype_resource.py diff --git a/gn_auth/auth/authorisation/data/genotypes.py b/gn_auth/auth/authorisation/data/genotypes.py index 818f72d..bfddfc1 100644 --- a/gn_auth/auth/authorisation/data/genotypes.py +++ b/gn_auth/auth/authorisation/data/genotypes.py @@ -4,12 +4,12 @@ from typing import Iterable from MySQLdb.cursors import DictCursor -from ..checks import authorised_p -from ..groups.models import Group +from gn_auth.auth.dictify import dictify +from gn_auth.auth.db import mariadb as gn3db +from gn_auth.auth.db import sqlite3 as authdb -from ...dictify import dictify -from ...db import mariadb as gn3db -from ...db import sqlite3 as authdb +from gn_auth.auth.authorisation.checks import authorised_p +from gn_auth.auth.authorisation.resources.groups.models import Group def linked_genotype_data(conn: authdb.DbConnection) -> Iterable[dict]: """Retrive genotype data that is linked to user groups.""" diff --git a/gn_auth/auth/authorisation/data/mrna.py b/gn_auth/auth/authorisation/data/mrna.py index 53f9bf9..edcd29e 100644 --- a/gn_auth/auth/authorisation/data/mrna.py +++ b/gn_auth/auth/authorisation/data/mrna.py @@ -3,12 +3,12 @@ import uuid from typing import Iterable from MySQLdb.cursors import DictCursor -from ..checks import authorised_p -from ..groups.models import Group +from gn_auth.auth.dictify import dictify +from gn_auth.auth.db import sqlite3 as authdb +from gn_auth.auth.db import mariadb as gn3db -from ...dictify import dictify -from ...db import sqlite3 as authdb -from ...db import mariadb as gn3db +from gn_auth.auth.authorisation.checks import authorised_p +from gn_auth.auth.authorisation.resources.groups.models import Group def linked_mrna_data(conn: authdb.DbConnection) -> Iterable[dict]: """Retrieve mRNA Assay data that is linked to user groups.""" diff --git a/gn_auth/auth/authorisation/data/phenotypes.py b/gn_auth/auth/authorisation/data/phenotypes.py index 84fc089..17555ec 100644 --- a/gn_auth/auth/authorisation/data/phenotypes.py +++ b/gn_auth/auth/authorisation/data/phenotypes.py @@ -4,13 +4,12 @@ from typing import Any, Iterable from MySQLdb.cursors import DictCursor +from gn_auth.auth.dictify import dictify +from gn_auth.auth.db import sqlite3 as authdb +from gn_auth.auth.db import mariadb as gn3db -from ..checks import authorised_p -from ..groups.models import Group - -from ...dictify import dictify -from ...db import sqlite3 as authdb -from ...db import mariadb as gn3db +from gn_auth.auth.authorisation.checks import authorised_p +from gn_auth.auth.authorisation.resources.groups.models import Group def linked_phenotype_data( authconn: authdb.DbConnection, gn3conn: gn3db.DbConnection, diff --git a/gn_auth/auth/authorisation/data/views.py b/gn_auth/auth/authorisation/data/views.py index 3c49ae5..a674ab4 100644 --- a/gn_auth/auth/authorisation/data/views.py +++ b/gn_auth/auth/authorisation/data/views.py @@ -13,6 +13,8 @@ from flask import request, jsonify, Response, Blueprint, current_app as app from gn_auth import jobs from gn_auth.commands import run_async_cmd +from gn_auth.auth.authorisation.resources.groups.models import group_by_id + from ...db import sqlite3 as db from ...db import mariadb as gn3db from ...db.sqlite3 import with_db_connection @@ -20,8 +22,6 @@ from ...db.sqlite3 import with_db_connection from ..checks import require_json from ..errors import InvalidData, NotFoundError -from ..groups.models import group_by_id - from ..users.models import user_resource_roles from ..resources.checks import authorised_for diff --git a/gn_auth/auth/authorisation/groups/__init__.py b/gn_auth/auth/authorisation/groups/__init__.py deleted file mode 100644 index 1cb0bba..0000000 --- a/gn_auth/auth/authorisation/groups/__init__.py +++ /dev/null @@ -1,3 +0,0 @@ -"""Initialise the `gn3.auth.authorisation.groups` package""" - -from .models import Group, GroupRole diff --git a/gn_auth/auth/authorisation/groups/data.py b/gn_auth/auth/authorisation/groups/data.py deleted file mode 100644 index 1650405..0000000 --- a/gn_auth/auth/authorisation/groups/data.py +++ /dev/null @@ -1,107 +0,0 @@ -"""Handles the resource objects' data.""" -from MySQLdb.cursors import DictCursor - -from ..groups import Group -from ..checks import authorised_p -from ..errors import NotFoundError - -from ...db import mariadb as gn3db -from ...db import sqlite3 as authdb - -def __fetch_mrna_data_by_ids__( - conn: gn3db.DbConnection, dataset_ids: tuple[str, ...]) -> tuple[ - dict, ...]: - """Fetch mRNA Assay data by ID.""" - with conn.cursor(DictCursor) as cursor: - paramstr = ", ".join(["%s"] * len(dataset_ids)) - cursor.execute( - "SELECT psf.Id, psf.Name AS dataset_name, " - "psf.FullName AS dataset_fullname, " - "ifiles.GN_AccesionId AS accession_id FROM ProbeSetFreeze AS psf " - "INNER JOIN InfoFiles AS ifiles ON psf.Name=ifiles.InfoPageName " - f"WHERE psf.Id IN ({paramstr})", - dataset_ids) - res = cursor.fetchall() - if res: - return tuple(dict(row) for row in res) - raise NotFoundError("Could not find mRNA Assay data with the given ID.") - -def __fetch_geno_data_by_ids__( - conn: gn3db.DbConnection, dataset_ids: tuple[str, ...]) -> tuple[ - dict, ...]: - """Fetch genotype data by ID.""" - with conn.cursor(DictCursor) as cursor: - paramstr = ", ".join(["%s"] * len(dataset_ids)) - cursor.execute( - "SELECT gf.Id, gf.Name AS dataset_name, " - "gf.FullName AS dataset_fullname, " - "ifiles.GN_AccesionId AS accession_id FROM GenoFreeze AS gf " - "INNER JOIN InfoFiles AS ifiles ON gf.Name=ifiles.InfoPageName " - f"WHERE gf.Id IN ({paramstr})", - dataset_ids) - res = cursor.fetchall() - if res: - return tuple(dict(row) for row in res) - raise NotFoundError("Could not find Genotype data with the given ID.") - -def __fetch_pheno_data_by_ids__( - conn: gn3db.DbConnection, dataset_ids: tuple[str, ...]) -> tuple[ - dict, ...]: - """Fetch phenotype data by ID.""" - with conn.cursor(DictCursor) as cursor: - paramstr = ", ".join(["%s"] * len(dataset_ids)) - cursor.execute( - "SELECT pxf.Id, iset.InbredSetName, pf.Id AS dataset_id, " - "pf.Name AS dataset_name, pf.FullName AS dataset_fullname, " - "ifiles.GN_AccesionId AS accession_id " - "FROM PublishXRef AS pxf " - "INNER JOIN InbredSet AS iset ON pxf.InbredSetId=iset.InbredSetId " - "INNER JOIN PublishFreeze AS pf ON iset.InbredSetId=pf.InbredSetId " - "INNER JOIN InfoFiles AS ifiles ON pf.Name=ifiles.InfoPageName " - f"WHERE pxf.Id IN ({paramstr})", - dataset_ids) - res = cursor.fetchall() - if res: - return tuple(dict(row) for row in res) - raise NotFoundError( - "Could not find Phenotype/Publish data with the given IDs.") - -def __fetch_data_by_id( - conn: gn3db.DbConnection, dataset_type: str, - dataset_ids: tuple[str, ...]) -> tuple[dict, ...]: - """Fetch data from MySQL by IDs.""" - fetch_fns = { - "mrna": __fetch_mrna_data_by_ids__, - "genotype": __fetch_geno_data_by_ids__, - "phenotype": __fetch_pheno_data_by_ids__ - } - return fetch_fns[dataset_type](conn, dataset_ids) - -@authorised_p(("system:data:link-to-group",), - error_description=( - "You do not have sufficient privileges to link data to (a) " - "group(s)."), - oauth2_scope="profile group resource") -def link_data_to_group( - authconn: authdb.DbConnection, gn3conn: gn3db.DbConnection, - dataset_type: str, dataset_ids: tuple[str, ...], group: Group) -> tuple[ - dict, ...]: - """Link the given data to the specified group.""" - the_data = __fetch_data_by_id(gn3conn, dataset_type, dataset_ids) - with authdb.cursor(authconn) as cursor: - params = tuple({ - "group_id": str(group.group_id), "dataset_type": { - "mrna": "mRNA", "genotype": "Genotype", - "phenotype": "Phenotype" - }[dataset_type], - "dataset_or_trait_id": item["Id"], - "dataset_name": item["dataset_name"], - "dataset_fullname": item["dataset_fullname"], - "accession_id": item["accession_id"] - } for item in the_data) - cursor.executemany( - "INSERT INTO linked_group_data VALUES" - "(:group_id, :dataset_type, :dataset_or_trait_id, :dataset_name, " - ":dataset_fullname, :accession_id)", - params) - return params diff --git a/gn_auth/auth/authorisation/groups/models.py b/gn_auth/auth/authorisation/groups/models.py deleted file mode 100644 index c40adbd..0000000 --- a/gn_auth/auth/authorisation/groups/models.py +++ /dev/null @@ -1,433 +0,0 @@ -"""Handle the management of resource/user groups.""" -import json -from uuid import UUID, uuid4 -from functools import reduce -from typing import Any, Sequence, Iterable, Optional, NamedTuple - -from flask import g -from pymonad.maybe import Just, Maybe, Nothing - -from ...db import sqlite3 as db -from ...dictify import dictify -from ...authentication.users import User, user_by_id - -from ..checks import authorised_p -from ..privileges import Privilege -from ..errors import NotFoundError, AuthorisationError, InconsistencyError -from ..roles.models import ( - Role, create_role, check_user_editable, revoke_user_role_by_name, - assign_user_role_by_name) - -class Group(NamedTuple): - """Class representing a group.""" - group_id: UUID - group_name: str - group_metadata: dict[str, Any] - - def dictify(self): - """Return a dict representation of `Group` objects.""" - return { - "group_id": self.group_id, "group_name": self.group_name, - "group_metadata": self.group_metadata - } - -DUMMY_GROUP = Group( - group_id=UUID("77cee65b-fe29-4383-ae41-3cb3b480cc70"), - group_name="GN3_DUMMY_GROUP", - group_metadata={ - "group-description": "This is a dummy group to use as a placeholder" - }) - -class GroupRole(NamedTuple): - """Class representing a role tied/belonging to a group.""" - group_role_id: UUID - group: Group - role: Role - - def dictify(self) -> dict[str, Any]: - """Return a dict representation of `GroupRole` objects.""" - return { - "group_role_id": self.group_role_id, "group": dictify(self.group), - "role": dictify(self.role) - } - -class GroupCreationError(AuthorisationError): - """Raised whenever a group creation fails""" - -class MembershipError(AuthorisationError): - """Raised when there is an error with a user's membership to a group.""" - - def __init__(self, user: User, groups: Sequence[Group]): - """Initialise the `MembershipError` exception object.""" - groups_str = ", ".join(group.group_name for group in groups) - error_description = ( - f"User '{user.name} ({user.email})' is a member of {len(groups)} " - f"groups ({groups_str})") - super().__init__(f"{type(self).__name__}: {error_description}.") - -def user_membership(conn: db.DbConnection, user: User) -> Sequence[Group]: - """Returns all the groups that a member belongs to""" - query = ( - "SELECT groups.group_id, group_name, groups.group_metadata " - "FROM group_users INNER JOIN groups " - "ON group_users.group_id=groups.group_id " - "WHERE group_users.user_id=?") - with db.cursor(conn) as cursor: - cursor.execute(query, (str(user.user_id),)) - groups = tuple(Group(row[0], row[1], json.loads(row[2])) - for row in cursor.fetchall()) - - return groups - -@authorised_p( - privileges = ("system:group:create-group",), - error_description = ( - "You do not have the appropriate privileges to enable you to " - "create a new group."), - oauth2_scope = "profile group") -def create_group( - conn: db.DbConnection, group_name: str, group_leader: User, - group_description: Optional[str] = None) -> Group: - """Create a new group.""" - def resource_category_by_key( - cursor: db.DbCursor, category_key: str): - """Retrieve a resource category by its key.""" - cursor.execute( - "SELECT * FROM resource_categories WHERE " - "resource_category_key=?", - (category_key,)) - results = cursor.fetchone() - if results: - return dict(results) - raise NotFoundError( - f"Could not find a ResourceCategory with key '{category_key}'") - - user_groups = user_membership(conn, group_leader) - if len(user_groups) > 0: - raise MembershipError(group_leader, user_groups) - - with db.cursor(conn) as cursor: - new_group = save_group( - cursor, group_name,( - {"group_description": group_description} - if group_description else {})) - group_resource = { - "group_id": str(new_group.group_id), - "resource_id": str(uuid4()), - "resource_name": group_name, - "resource_category_id": str( - resource_category_by_key(cursor, "group")["resource_category_id"]), - "public": 0 - } - cursor.execute( - "INSERT INTO resources VALUES " - "(:resource_id, :resource_name, :resource_category_id, :public)", - group_resource) - cursor.execute( - "INSERT INTO group_resources(resource_id, group_id) " - "VALUES(:resource_id, :group_id)", - group_resource) - add_user_to_group(cursor, new_group, group_leader) - revoke_user_role_by_name(cursor, group_leader, "group-creator") - assign_user_role_by_name( - cursor, - group_leader, - UUID(str(group_resource["resource_id"])), - "group-leader") - return new_group - -@authorised_p(("group:role:create-role",), - error_description="Could not create the group role") -def create_group_role( - conn: db.DbConnection, group: Group, role_name: str, - privileges: Iterable[Privilege]) -> GroupRole: - """Create a role attached to a group.""" - with db.cursor(conn) as cursor: - group_role_id = uuid4() - role = create_role(cursor, role_name, privileges) - cursor.execute( - ("INSERT INTO group_roles(group_role_id, group_id, role_id) " - "VALUES(?, ?, ?)"), - (str(group_role_id), str(group.group_id), str(role.role_id))) - - return GroupRole(group_role_id, group, role) - -def authenticated_user_group(conn) -> Maybe: - """ - Returns the currently authenticated user's group. - - Look into returning a Maybe object. - """ - user = g.user - with db.cursor(conn) as cursor: - cursor.execute( - ("SELECT groups.* FROM group_users " - "INNER JOIN groups ON group_users.group_id=groups.group_id " - "WHERE group_users.user_id = ?"), - (str(user.user_id),)) - groups = tuple(Group(UUID(row[0]), row[1], json.loads(row[2] or "{}")) - for row in cursor.fetchall()) - - if len(groups) > 1: - raise MembershipError(user, groups) - - if len(groups) == 1: - return Just(groups[0]) - - return Nothing - -def user_group(conn: db.DbConnection, user: User) -> Maybe[Group]: - """Returns the given user's group""" - with db.cursor(conn) as cursor: - cursor.execute( - ("SELECT groups.group_id, groups.group_name, groups.group_metadata " - "FROM group_users " - "INNER JOIN groups ON group_users.group_id=groups.group_id " - "WHERE group_users.user_id = ?"), - (str(user.user_id),)) - groups = tuple( - Group(UUID(row[0]), row[1], json.loads(row[2] or "{}")) - for row in cursor.fetchall()) - - if len(groups) > 1: - raise MembershipError(user, groups) - - if len(groups) == 1: - return Just(groups[0]) - - return Nothing - -def is_group_leader(conn: db.DbConnection, user: User, group: Group) -> bool: - """Check whether the given `user` is the leader of `group`.""" - - ugroup = user_group(conn, user).maybe( - False, lambda val: val) # type: ignore[arg-type, misc] - if not group: - # User cannot be a group leader if not a member of ANY group - return False - - if not ugroup == group: - # User cannot be a group leader if not a member of THIS group - return False - - with db.cursor(conn) as cursor: - cursor.execute( - ("SELECT roles.role_name FROM user_roles LEFT JOIN roles " - "ON user_roles.role_id = roles.role_id WHERE user_id = ?"), - (str(user.user_id),)) - role_names = tuple(row[0] for row in cursor.fetchall()) - - return "group-leader" in role_names - -def all_groups(conn: db.DbConnection) -> Maybe[Sequence[Group]]: - """Retrieve all existing groups""" - with db.cursor(conn) as cursor: - cursor.execute("SELECT * FROM groups") - res = cursor.fetchall() - if res: - return Just(tuple( - Group(row["group_id"], row["group_name"], - json.loads(row["group_metadata"])) for row in res)) - - return Nothing - -def save_group( - cursor: db.DbCursor, group_name: str, - group_metadata: dict[str, Any]) -> Group: - """Save a group to db""" - the_group = Group(uuid4(), group_name, group_metadata) - cursor.execute( - ("INSERT INTO groups " - "VALUES(:group_id, :group_name, :group_metadata) " - "ON CONFLICT (group_id) DO UPDATE SET " - "group_name=:group_name, group_metadata=:group_metadata"), - {"group_id": str(the_group.group_id), "group_name": the_group.group_name, - "group_metadata": json.dumps(the_group.group_metadata)}) - return the_group - -def add_user_to_group(cursor: db.DbCursor, the_group: Group, user: User): - """Add `user` to `the_group` as a member.""" - cursor.execute( - ("INSERT INTO group_users VALUES (:group_id, :user_id) " - "ON CONFLICT (group_id, user_id) DO NOTHING"), - {"group_id": str(the_group.group_id), "user_id": str(user.user_id)}) - -@authorised_p( - privileges = ("system:group:view-group",), - error_description = ( - "You do not have the appropriate privileges to access the list of users" - " in the group.")) -def group_users(conn: db.DbConnection, group_id: UUID) -> Iterable[User]: - """Retrieve all users that are members of group with id `group_id`.""" - with db.cursor(conn) as cursor: - cursor.execute( - "SELECT u.* FROM group_users AS gu INNER JOIN users AS u " - "ON gu.user_id = u.user_id WHERE gu.group_id=:group_id", - {"group_id": str(group_id)}) - results = cursor.fetchall() - - return (User(UUID(row["user_id"]), row["email"], row["name"]) - for row in results) - -@authorised_p( - privileges = ("system:group:view-group",), - error_description = ( - "You do not have the appropriate privileges to access the group.")) -def group_by_id(conn: db.DbConnection, group_id: UUID) -> Group: - """Retrieve a group by its ID""" - with db.cursor(conn) as cursor: - cursor.execute("SELECT * FROM groups WHERE group_id=:group_id", - {"group_id": str(group_id)}) - row = cursor.fetchone() - if row: - return Group( - UUID(row["group_id"]), - row["group_name"], - json.loads(row["group_metadata"])) - - raise NotFoundError(f"Could not find group with ID '{group_id}'.") - -@authorised_p(("system:group:view-group", "system:group:edit-group"), - error_description=("You do not have the appropriate authorisation" - " to act upon the join requests."), - oauth2_scope="profile group") -def join_requests(conn: db.DbConnection, user: User): - """List all the join requests for the user's group.""" - with db.cursor(conn) as cursor: - group = user_group(conn, user).maybe(DUMMY_GROUP, lambda grp: grp)# type: ignore[misc] - if group != DUMMY_GROUP and is_group_leader(conn, user, group): - cursor.execute( - "SELECT gjr.*, u.email, u.name FROM group_join_requests AS gjr " - "INNER JOIN users AS u ON gjr.requester_id=u.user_id " - "WHERE gjr.group_id=? AND gjr.status='PENDING'", - (str(group.group_id),)) - return tuple(dict(row)for row in cursor.fetchall()) - - raise AuthorisationError( - "You do not have the appropriate authorisation to access the " - "group's join requests.") - -@authorised_p(("system:group:view-group", "system:group:edit-group"), - error_description=("You do not have the appropriate authorisation" - " to act upon the join requests."), - oauth2_scope="profile group") -def accept_reject_join_request( - conn: db.DbConnection, request_id: UUID, user: User, status: str) -> dict: - """Accept/Reject a join request.""" - assert status in ("ACCEPTED", "REJECTED"), f"Invalid status '{status}'." - with db.cursor(conn) as cursor: - group = user_group(conn, user).maybe(DUMMY_GROUP, lambda grp: grp) # type: ignore[misc] - cursor.execute("SELECT * FROM group_join_requests WHERE request_id=?", - (str(request_id),)) - row = cursor.fetchone() - if row: - if group.group_id == UUID(row["group_id"]): - try: - the_user = user_by_id(conn, UUID(row["requester_id"])) - if status == "ACCEPTED": - add_user_to_group(cursor, group, the_user) - revoke_user_role_by_name(cursor, the_user, "group-creator") - cursor.execute( - "UPDATE group_join_requests SET status=? " - "WHERE request_id=?", - (status, str(request_id))) - return {"request_id": request_id, "status": status} - except NotFoundError as nfe: - raise InconsistencyError( - "Could not find user associated with join request." - ) from nfe - raise AuthorisationError( - "You cannot act on other groups join requests") - raise NotFoundError(f"Could not find request with ID '{request_id}'") - -def __organise_privileges__(acc, row): - role_id = UUID(row["role_id"]) - role = acc.get(role_id, False) - if role: - return { - **acc, - role_id: Role( - role.role_id, role.role_name, - bool(int(row["user_editable"])), - role.privileges + ( - Privilege(row["privilege_id"], - row["privilege_description"]),)) - } - return { - **acc, - role_id: Role( - UUID(row["role_id"]), row["role_name"], - bool(int(row["user_editable"])), - (Privilege(row["privilege_id"], row["privilege_description"]),)) - } - -# @authorised_p(("group:role:view",), -# "Insufficient privileges to view role", -# oauth2_scope="profile group role") -def group_role_by_id( - conn: db.DbConnection, group: Group, group_role_id: UUID) -> GroupRole: - """Retrieve GroupRole from id by its `group_role_id`.""" - ## TODO: do privileges check before running actual query - ## the check commented out above doesn't work correctly - with db.cursor(conn) as cursor: - cursor.execute( - "SELECT gr.group_role_id, r.*, p.* " - "FROM group_roles AS gr " - "INNER JOIN roles AS r ON gr.role_id=r.role_id " - "INNER JOIN role_privileges AS rp ON rp.role_id=r.role_id " - "INNER JOIN privileges AS p ON p.privilege_id=rp.privilege_id " - "WHERE gr.group_role_id=? AND gr.group_id=?", - (str(group_role_id), str(group.group_id))) - rows = cursor.fetchall() - if rows: - roles: tuple[Role,...] = tuple(reduce( - __organise_privileges__, rows, {}).values()) - assert len(roles) == 1 - return GroupRole(group_role_id, group, roles[0]) - raise NotFoundError( - f"Group role with ID '{group_role_id}' does not exist.") - -@authorised_p(("group:role:edit-role",), - "You do not have the privilege to edit a role.", - oauth2_scope="profile group role") -def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole, - privilege: Privilege) -> GroupRole: - """Add `privilege` to `group_role`.""" - ## TODO: do privileges check. - check_user_editable(group_role.role) - with db.cursor(conn) as cursor: - cursor.execute( - "INSERT INTO role_privileges(role_id,privilege_id) " - "VALUES (?, ?) ON CONFLICT (role_id, privilege_id) " - "DO NOTHING", - (str(group_role.role.role_id), str(privilege.privilege_id))) - return GroupRole( - group_role.group_role_id, - group_role.group, - Role(group_role.role.role_id, - group_role.role.role_name, - group_role.role.user_editable, - group_role.role.privileges + (privilege,))) - -@authorised_p(("group:role:edit-role",), - "You do not have the privilege to edit a role.", - oauth2_scope="profile group role") -def delete_privilege_from_group_role( - conn: db.DbConnection, group_role: GroupRole, - privilege: Privilege) -> GroupRole: - """Delete `privilege` to `group_role`.""" - ## TODO: do privileges check. - check_user_editable(group_role.role) - with db.cursor(conn) as cursor: - cursor.execute( - "DELETE FROM role_privileges WHERE " - "role_id=? AND privilege_id=?", - (str(group_role.role.role_id), str(privilege.privilege_id))) - return GroupRole( - group_role.group_role_id, - group_role.group, - Role(group_role.role.role_id, - group_role.role.role_name, - group_role.role.user_editable, - tuple(priv for priv in group_role.role.privileges - if priv != privilege))) diff --git a/gn_auth/auth/authorisation/groups/views.py b/gn_auth/auth/authorisation/groups/views.py deleted file mode 100644 index 4dc17e0..0000000 --- a/gn_auth/auth/authorisation/groups/views.py +++ /dev/null @@ -1,431 +0,0 @@ -"""The views/routes for the `gn3.auth.authorisation.groups` package.""" -import uuid -import datetime -from typing import Iterable -from functools import partial - -from MySQLdb.cursors import DictCursor -from flask import request, jsonify, Response, Blueprint, current_app - -from ...db import sqlite3 as db -from ...db import mariadb as gn3db - -from ...dictify import dictify -from ...db.sqlite3 import with_db_connection - -from .data import link_data_to_group -from .models import ( - Group, user_group, all_groups, DUMMY_GROUP, GroupRole, group_by_id, - join_requests, group_role_by_id, GroupCreationError, - accept_reject_join_request, group_users as _group_users, - create_group as _create_group, add_privilege_to_group_role, - delete_privilege_from_group_role, create_group_role as _create_group_role) - -from ..roles.models import Role -from ..roles.models import user_roles - -from ..checks import authorised_p -from ..privileges import Privilege, privileges_by_ids -from ..errors import InvalidData, NotFoundError, AuthorisationError - -from ...authentication.users import User -from ...authentication.oauth2.resource_server import require_oauth - -groups = Blueprint("groups", __name__) - -@groups.route("/list", methods=["GET"]) -@require_oauth("profile group") -def list_groups(): - """Return the list of groups that exist.""" - with db.connection(current_app.config["AUTH_DB"]) as conn: - the_groups = all_groups(conn) - - return jsonify(the_groups.maybe( - [], lambda grps: [dictify(grp) for grp in grps])) - -@groups.route("/create", methods=["POST"]) -@require_oauth("profile group") -def create_group(): - """Create a new group.""" - with require_oauth.acquire("profile group") as the_token: - group_name=request.form.get("group_name", "").strip() - if not bool(group_name): - raise GroupCreationError("Could not create the group.") - - db_uri = current_app.config["AUTH_DB"] - with db.connection(db_uri) as conn: - user = the_token.user - new_group = _create_group( - conn, group_name, user, request.form.get("group_description")) - return jsonify({ - **dictify(new_group), "group_leader": dictify(user) - }) - -@groups.route("/members/", methods=["GET"]) -@require_oauth("profile group") -def group_members(group_id: uuid.UUID) -> Response: - """Retrieve all the members of a group.""" - with require_oauth.acquire("profile group") as the_token:# pylint: disable=[unused-variable] - db_uri = current_app.config["AUTH_DB"] - ## Check that user has appropriate privileges and remove the pylint disable above - with db.connection(db_uri) as conn: - return jsonify(tuple( - dictify(user) for user in _group_users(conn, group_id))) - -@groups.route("/requests/join/", methods=["POST"]) -@require_oauth("profile group") -def request_to_join(group_id: uuid.UUID) -> Response: - """Request to join a group.""" - def __request__(conn: db.DbConnection, user: User, group_id: uuid.UUID, - message: str): - with db.cursor(conn) as cursor: - group = user_group(conn, user).maybe(# type: ignore[misc] - False, lambda grp: grp)# type: ignore[arg-type] - if group: - error = AuthorisationError( - "You cannot request to join a new group while being a " - "member of an existing group.") - error.error_code = 400 - raise error - request_id = uuid.uuid4() - cursor.execute( - "INSERT INTO group_join_requests VALUES " - "(:request_id, :group_id, :user_id, :ts, :status, :msg)", - { - "request_id": str(request_id), - "group_id": str(group_id), - "user_id": str(user.user_id), - "ts": datetime.datetime.now().timestamp(), - "status": "PENDING", - "msg": message - }) - return { - "request_id": request_id, - "message": "Successfully sent the join request." - } - - with require_oauth.acquire("profile group") as the_token: - form = request.form - results = with_db_connection(partial( - __request__, user=the_token.user, group_id=group_id, message=form.get( - "message", "I hereby request that you add me to your group."))) - return jsonify(results) - -@groups.route("/requests/join/list", methods=["GET"]) -@require_oauth("profile group") -def list_join_requests() -> Response: - """List the pending join requests.""" - with require_oauth.acquire("profile group") as the_token: - return jsonify(with_db_connection(partial( - join_requests, user=the_token.user))) - -@groups.route("/requests/join/accept", methods=["POST"]) -@require_oauth("profile group") -def accept_join_requests() -> Response: - """Accept a join request.""" - with require_oauth.acquire("profile group") as the_token: - form = request.form - request_id = uuid.UUID(form.get("request_id")) - return jsonify(with_db_connection(partial( - accept_reject_join_request, request_id=request_id, - user=the_token.user, status="ACCEPTED"))) - -@groups.route("/requests/join/reject", methods=["POST"]) -@require_oauth("profile group") -def reject_join_requests() -> Response: - """Reject a join request.""" - with require_oauth.acquire("profile group") as the_token: - form = request.form - request_id = uuid.UUID(form.get("request_id")) - return jsonify(with_db_connection(partial( - accept_reject_join_request, request_id=request_id, - user=the_token.user, status="REJECTED"))) - -def unlinked_mrna_data( - conn: db.DbConnection, group: Group) -> tuple[dict, ...]: - """ - Retrieve all mRNA Assay data linked to a group but not linked to any - resource. - """ - query = ( - "SELECT lmd.* FROM linked_mrna_data lmd " - "LEFT JOIN mrna_resources mr ON lmd.data_link_id=mr.data_link_id " - "WHERE lmd.group_id=? AND mr.data_link_id IS NULL") - with db.cursor(conn) as cursor: - cursor.execute(query, (str(group.group_id),)) - return tuple(dict(row) for row in cursor.fetchall()) - -def unlinked_genotype_data( - conn: db.DbConnection, group: Group) -> tuple[dict, ...]: - """ - Retrieve all genotype data linked to a group but not linked to any resource. - """ - query = ( - "SELECT lgd.* FROM linked_genotype_data lgd " - "LEFT JOIN genotype_resources gr ON lgd.data_link_id=gr.data_link_id " - "WHERE lgd.group_id=? AND gr.data_link_id IS NULL") - with db.cursor(conn) as cursor: - cursor.execute(query, (str(group.group_id),)) - return tuple(dict(row) for row in cursor.fetchall()) - -def unlinked_phenotype_data( - authconn: db.DbConnection, gn3conn: gn3db.DbConnection, - group: Group) -> tuple[dict, ...]: - """ - Retrieve all phenotype data linked to a group but not linked to any - resource. - """ - with db.cursor(authconn) as authcur, gn3conn.cursor(DictCursor) as gn3cur: - authcur.execute( - "SELECT lpd.* FROM linked_phenotype_data AS lpd " - "LEFT JOIN phenotype_resources AS pr " - "ON lpd.data_link_id=pr.data_link_id " - "WHERE lpd.group_id=? AND pr.data_link_id IS NULL", - (str(group.group_id),)) - results = authcur.fetchall() - ids: dict[tuple[str, ...], str] = { - ( - row["SpeciesId"], row["InbredSetId"], row["PublishFreezeId"], - row["PublishXRefId"]): row["data_link_id"] - for row in results - } - if len(ids.keys()) < 1: - return tuple() - paramstr = ", ".join(["(%s, %s, %s, %s)"] * len(ids.keys())) - gn3cur.execute( - "SELECT spc.SpeciesId, spc.SpeciesName, iset.InbredSetId, " - "iset.InbredSetName, pf.Id AS PublishFreezeId, " - "pf.Name AS dataset_name, pf.FullName AS dataset_fullname, " - "pf.ShortName AS dataset_shortname, pxr.Id AS PublishXRefId, " - "pub.PubMed_ID, pub.Title, pub.Year, " - "phen.Pre_publication_description, " - "phen.Post_publication_description, phen.Original_description " - "FROM " - "Species AS spc " - "INNER JOIN InbredSet AS iset " - "ON spc.SpeciesId=iset.SpeciesId " - "INNER JOIN PublishFreeze AS pf " - "ON iset.InbredSetId=pf.InbredSetId " - "INNER JOIN PublishXRef AS pxr " - "ON pf.InbredSetId=pxr.InbredSetId " - "INNER JOIN Publication AS pub " - "ON pxr.PublicationId=pub.Id " - "INNER JOIN Phenotype AS phen " - "ON pxr.PhenotypeId=phen.Id " - "WHERE (spc.SpeciesId, iset.InbredSetId, pf.Id, pxr.Id) " - f"IN ({paramstr})", - tuple(item for sublist in ids.keys() for item in sublist)) - return tuple({ - **{key: value for key, value in row.items() if key not in - ("Post_publication_description", "Pre_publication_description", - "Original_description")}, - "description": ( - row["Post_publication_description"] or - row["Pre_publication_description"] or - row["Original_description"]), - "data_link_id": ids[tuple(str(row[key]) for key in ( - "SpeciesId", "InbredSetId", "PublishFreezeId", - "PublishXRefId"))] - } for row in gn3cur.fetchall()) - -@groups.route("//unlinked-data") -@require_oauth("profile group resource") -def unlinked_data(resource_type: str) -> Response: - """View data linked to the group but not linked to any resource.""" - if resource_type not in ("all", "mrna", "genotype", "phenotype"): - raise AuthorisationError(f"Invalid resource type {resource_type}") - - with require_oauth.acquire("profile group resource") as the_token: - db_uri = current_app.config["AUTH_DB"] - gn3db_uri = current_app.config["SQL_URI"] - with (db.connection(db_uri) as authconn, - gn3db.database_connection(gn3db_uri) as gn3conn): - ugroup = user_group(authconn, the_token.user).maybe(# type: ignore[misc] - DUMMY_GROUP, lambda grp: grp) - if ugroup == DUMMY_GROUP: - return jsonify(tuple()) - - unlinked_fns = { - "mrna": unlinked_mrna_data, - "genotype": unlinked_genotype_data, - "phenotype": lambda conn, grp: partial( - unlinked_phenotype_data, gn3conn=gn3conn)( - authconn=conn, group=grp) - } - return jsonify(tuple( - dict(row) for row in unlinked_fns[resource_type]( - authconn, ugroup))) - - return jsonify(tuple()) - -@groups.route("/data/link", methods=["POST"]) -@require_oauth("profile group resource") -def link_data() -> Response: - """Link selected data to specified group.""" - with require_oauth.acquire("profile group resource") as _the_token: - form = request.form - group_id = uuid.UUID(form["group_id"]) - dataset_ids = form.getlist("dataset_ids") - dataset_type = form.get("dataset_type") - if dataset_type not in ("mrna", "genotype", "phenotype"): - raise InvalidData("Unexpected dataset type requested!") - def __link__(conn: db.DbConnection): - group = group_by_id(conn, group_id) - with gn3db.database_connection(current_app.config["SQL_URI"]) as gn3conn: - return link_data_to_group( - conn, gn3conn, dataset_type, dataset_ids, group) - - return jsonify(with_db_connection(__link__)) - -@groups.route("/roles", methods=["GET"]) -@require_oauth("profile group") -def group_roles(): - """Return a list of all available group roles.""" - with require_oauth.acquire("profile group role") as the_token: - def __list_roles__(conn: db.DbConnection): - ## TODO: Check that user has appropriate privileges - with db.cursor(conn) as cursor: - group = user_group(conn, the_token.user).maybe(# type: ignore[misc] - DUMMY_GROUP, lambda grp: grp) - if group == DUMMY_GROUP: - return tuple() - cursor.execute( - "SELECT gr.group_role_id, r.* " - "FROM group_roles AS gr INNER JOIN roles AS r " - "ON gr.role_id=r.role_id " - "WHERE group_id=?", - (str(group.group_id),)) - return tuple( - GroupRole(uuid.UUID(row["group_role_id"]), - group, - Role(uuid.UUID(row["role_id"]), - row["role_name"], - bool(int(row["user_editable"])), - tuple())) - for row in cursor.fetchall()) - return jsonify(tuple( - dictify(role) for role in with_db_connection(__list_roles__))) - -@groups.route("/privileges", methods=["GET"]) -@require_oauth("profile group") -def group_privileges(): - """Return a list of all available group roles.""" - with require_oauth.acquire("profile group role") as the_token: - def __list_privileges__(conn: db.DbConnection) -> Iterable[Privilege]: - ## TODO: Check that user has appropriate privileges - this_user_roles = user_roles(conn, the_token.user) - with db.cursor(conn) as cursor: - cursor.execute("SELECT * FROM privileges " - "WHERE privilege_id LIKE 'group:%'") - group_level_roles = tuple( - Privilege(row["privilege_id"], row["privilege_description"]) - for row in cursor.fetchall()) - return tuple(privilege for arole in this_user_roles - for privilege in arole.privileges) + group_level_roles - return jsonify(tuple( - dictify(priv) for priv in with_db_connection(__list_privileges__))) - - - -@groups.route("/role/create", methods=["POST"]) -@require_oauth("profile group") -def create_group_role(): - """Create a new group role.""" - with require_oauth.acquire("profile group role") as the_token: - ## TODO: Check that user has appropriate privileges - @authorised_p(("group:role:create-role",), - "You do not have the privilege to create new roles", - oauth2_scope="profile group role") - def __create__(conn: db.DbConnection) -> GroupRole: - ## TODO: Check user cannot assign any privilege they don't have. - form = request.form - role_name = form.get("role_name", "").strip() - privileges_ids = form.getlist("privileges[]") - if len(role_name) == 0: - raise InvalidData("Role name not provided!") - if len(privileges_ids) == 0: - raise InvalidData( - "At least one privilege needs to be provided.") - - group = user_group(conn, the_token.user).maybe(# type: ignore[misc] - DUMMY_GROUP, lambda grp: grp) - - if group == DUMMY_GROUP: - raise AuthorisationError( - "A user without a group cannot create a new role.") - privileges = privileges_by_ids(conn, tuple(privileges_ids)) - if len(privileges_ids) != len(privileges): - raise InvalidData( - f"{len(privileges_ids) - len(privileges)} of the selected " - "privileges were not found in the database.") - - return _create_group_role(conn, group, role_name, privileges) - - return jsonify(with_db_connection(__create__)) - -@groups.route("/role/", methods=["GET"]) -@require_oauth("profile group") -def view_group_role(group_role_id: uuid.UUID): - """Return the details of the given role.""" - with require_oauth.acquire("profile group role") as the_token: - def __group_role__(conn: db.DbConnection) -> GroupRole: - group = user_group(conn, the_token.user).maybe(#type: ignore[misc] - DUMMY_GROUP, lambda grp: grp) - - if group == DUMMY_GROUP: - raise AuthorisationError( - "A user without a group cannot view group roles.") - return group_role_by_id(conn, group, group_role_id) - return jsonify(dictify(with_db_connection(__group_role__))) - -def __add_remove_priv_to_from_role__(conn: db.DbConnection, - group_role_id: uuid.UUID, - direction: str, - user: User) -> GroupRole: - assert direction in ("ADD", "DELETE") - group = user_group(conn, user).maybe(# type: ignore[misc] - DUMMY_GROUP, lambda grp: grp) - - if group == DUMMY_GROUP: - raise AuthorisationError( - "You need to be a member of a group to edit roles.") - try: - privilege_id = request.form.get("privilege_id", "") - assert bool(privilege_id), "Privilege to add must be provided." - privileges = privileges_by_ids(conn, (privilege_id,)) - if len(privileges) == 0: - raise NotFoundError("Privilege not found.") - dir_fns = { - "ADD": add_privilege_to_group_role, - "DELETE": delete_privilege_from_group_role - } - return dir_fns[direction]( - conn, - group_role_by_id(conn, group, group_role_id), - privileges[0]) - except AssertionError as aerr: - raise InvalidData(aerr.args[0]) from aerr - -@groups.route("/role//privilege/add", methods=["POST"]) -@require_oauth("profile group") -def add_priv_to_role(group_role_id: uuid.UUID) -> Response: - """Add privilege to group role.""" - with require_oauth.acquire("profile group role") as the_token: - return jsonify({ - **dictify(with_db_connection(partial( - __add_remove_priv_to_from_role__, group_role_id=group_role_id, - direction="ADD", user=the_token.user))), - "description": "Privilege added successfully" - }) - -@groups.route("/role//privilege/delete", methods=["POST"]) -@require_oauth("profile group") -def delete_priv_from_role(group_role_id: uuid.UUID) -> Response: - """Delete privilege from group role.""" - with require_oauth.acquire("profile group role") as the_token: - return jsonify({ - **dictify(with_db_connection(partial( - __add_remove_priv_to_from_role__, group_role_id=group_role_id, - direction="DELETE", user=the_token.user))), - "description": "Privilege deleted successfully" - }) diff --git a/gn_auth/auth/authorisation/resources/errors.py b/gn_auth/auth/authorisation/resources/errors.py new file mode 100644 index 0000000..dc6c379 --- /dev/null +++ b/gn_auth/auth/authorisation/resources/errors.py @@ -0,0 +1,6 @@ +"""Exceptions for Authorisation""" + +from gn_auth.auth.authorisation.errors import AuthorisationError + +class MissingGroupError(AuthorisationError): + """Raised for any resource operation without a group.""" diff --git a/gn_auth/auth/authorisation/resources/genotype.py b/gn_auth/auth/authorisation/resources/genotype.py new file mode 100644 index 0000000..206ab61 --- /dev/null +++ b/gn_auth/auth/authorisation/resources/genotype.py @@ -0,0 +1,69 @@ +"""Genotype data resources functions and utilities.""" +import uuid +from typing import Optional, Sequence + +import sqlite3 + +import gn_auth.auth.db.sqlite3 as db + +from .base import Resource +from .data import __attach_data__ + + +def resource_data( + cursor: db.DbCursor, + resource_id: uuid.UUID, + offset: int = 0, + limit: Optional[int] = None) -> Sequence[sqlite3.Row]: + """Fetch data linked to a Genotype resource""" + cursor.execute( + (("SELECT * FROM genotype_resources AS gr " + "INNER JOIN linked_genotype_data AS lgd " + "ON gr.data_link_id=lgd.data_link_id " + "WHERE gr.resource_id=?") + ( + f" LIMIT {limit} OFFSET {offset}" if bool(limit) else "")), + (str(resource_id),)) + return cursor.fetchall() + +def link_data_to_resource( + conn: db.DbConnection, + resource: Resource, + data_link_id: uuid.UUID) -> dict: + """Link Genotype data with a resource.""" + with db.cursor(conn) as cursor: + params = { + "resource_id": str(resource.resource_id), + "data_link_id": str(data_link_id) + } + cursor.execute( + "INSERT INTO genotype_resources VALUES" + "(:resource_id, :data_link_id)", + params) + return params + +def unlink_data_from_resource( + conn: db.DbConnection, + resource: Resource, + data_link_id: uuid.UUID) -> dict: + """Unlink data from Genotype resources""" + with db.cursor(conn) as cursor: + cursor.execute("DELETE FROM genotype_resources " + "WHERE resource_id=? AND data_link_id=?", + (str(resource.resource_id), str(data_link_id))) + return { + "resource_id": str(resource.resource_id), + "dataset_type": resource.resource_category.resource_category_key, + "data_link_id": data_link_id + } + +def attach_resources_data( + cursor, resources: Sequence[Resource]) -> Sequence[Resource]: + """Attach linked data to Genotype resources""" + placeholders = ", ".join(["?"] * len(resources)) + cursor.execute( + "SELECT * FROM genotype_resources AS gr " + "INNER JOIN linked_genotype_data AS lgd " + "ON gr.data_link_id=lgd.data_link_id " + f"WHERE gr.resource_id IN ({placeholders})", + tuple(str(resource.resource_id) for resource in resources)) + return __attach_data__(cursor.fetchall(), resources) diff --git a/gn_auth/auth/authorisation/resources/genotype_resource.py b/gn_auth/auth/authorisation/resources/genotype_resource.py deleted file mode 100644 index 206ab61..0000000 --- a/gn_auth/auth/authorisation/resources/genotype_resource.py +++ /dev/null @@ -1,69 +0,0 @@ -"""Genotype data resources functions and utilities.""" -import uuid -from typing import Optional, Sequence - -import sqlite3 - -import gn_auth.auth.db.sqlite3 as db - -from .base import Resource -from .data import __attach_data__ - - -def resource_data( - cursor: db.DbCursor, - resource_id: uuid.UUID, - offset: int = 0, - limit: Optional[int] = None) -> Sequence[sqlite3.Row]: - """Fetch data linked to a Genotype resource""" - cursor.execute( - (("SELECT * FROM genotype_resources AS gr " - "INNER JOIN linked_genotype_data AS lgd " - "ON gr.data_link_id=lgd.data_link_id " - "WHERE gr.resource_id=?") + ( - f" LIMIT {limit} OFFSET {offset}" if bool(limit) else "")), - (str(resource_id),)) - return cursor.fetchall() - -def link_data_to_resource( - conn: db.DbConnection, - resource: Resource, - data_link_id: uuid.UUID) -> dict: - """Link Genotype data with a resource.""" - with db.cursor(conn) as cursor: - params = { - "resource_id": str(resource.resource_id), - "data_link_id": str(data_link_id) - } - cursor.execute( - "INSERT INTO genotype_resources VALUES" - "(:resource_id, :data_link_id)", - params) - return params - -def unlink_data_from_resource( - conn: db.DbConnection, - resource: Resource, - data_link_id: uuid.UUID) -> dict: - """Unlink data from Genotype resources""" - with db.cursor(conn) as cursor: - cursor.execute("DELETE FROM genotype_resources " - "WHERE resource_id=? AND data_link_id=?", - (str(resource.resource_id), str(data_link_id))) - return { - "resource_id": str(resource.resource_id), - "dataset_type": resource.resource_category.resource_category_key, - "data_link_id": data_link_id - } - -def attach_resources_data( - cursor, resources: Sequence[Resource]) -> Sequence[Resource]: - """Attach linked data to Genotype resources""" - placeholders = ", ".join(["?"] * len(resources)) - cursor.execute( - "SELECT * FROM genotype_resources AS gr " - "INNER JOIN linked_genotype_data AS lgd " - "ON gr.data_link_id=lgd.data_link_id " - f"WHERE gr.resource_id IN ({placeholders})", - tuple(str(resource.resource_id) for resource in resources)) - return __attach_data__(cursor.fetchall(), resources) diff --git a/gn_auth/auth/authorisation/resources/groups/__init__.py b/gn_auth/auth/authorisation/resources/groups/__init__.py new file mode 100644 index 0000000..1cb0bba --- /dev/null +++ b/gn_auth/auth/authorisation/resources/groups/__init__.py @@ -0,0 +1,3 @@ +"""Initialise the `gn3.auth.authorisation.groups` package""" + +from .models import Group, GroupRole diff --git a/gn_auth/auth/authorisation/resources/groups/data.py b/gn_auth/auth/authorisation/resources/groups/data.py new file mode 100644 index 0000000..9fcdc6e --- /dev/null +++ b/gn_auth/auth/authorisation/resources/groups/data.py @@ -0,0 +1,107 @@ +"""Handles the resource objects' data.""" +from MySQLdb.cursors import DictCursor + +from gn_auth.auth.db import mariadb as gn3db +from gn_auth.auth.db import sqlite3 as authdb + +from gn_auth.auth.authorisation.checks import authorised_p +from gn_auth.auth.authorisation.errors import NotFoundError +from gn_auth.auth.authorisation.resources.groups import Group + +def __fetch_mrna_data_by_ids__( + conn: gn3db.DbConnection, dataset_ids: tuple[str, ...]) -> tuple[ + dict, ...]: + """Fetch mRNA Assay data by ID.""" + with conn.cursor(DictCursor) as cursor: + paramstr = ", ".join(["%s"] * len(dataset_ids)) + cursor.execute( + "SELECT psf.Id, psf.Name AS dataset_name, " + "psf.FullName AS dataset_fullname, " + "ifiles.GN_AccesionId AS accession_id FROM ProbeSetFreeze AS psf " + "INNER JOIN InfoFiles AS ifiles ON psf.Name=ifiles.InfoPageName " + f"WHERE psf.Id IN ({paramstr})", + dataset_ids) + res = cursor.fetchall() + if res: + return tuple(dict(row) for row in res) + raise NotFoundError("Could not find mRNA Assay data with the given ID.") + +def __fetch_geno_data_by_ids__( + conn: gn3db.DbConnection, dataset_ids: tuple[str, ...]) -> tuple[ + dict, ...]: + """Fetch genotype data by ID.""" + with conn.cursor(DictCursor) as cursor: + paramstr = ", ".join(["%s"] * len(dataset_ids)) + cursor.execute( + "SELECT gf.Id, gf.Name AS dataset_name, " + "gf.FullName AS dataset_fullname, " + "ifiles.GN_AccesionId AS accession_id FROM GenoFreeze AS gf " + "INNER JOIN InfoFiles AS ifiles ON gf.Name=ifiles.InfoPageName " + f"WHERE gf.Id IN ({paramstr})", + dataset_ids) + res = cursor.fetchall() + if res: + return tuple(dict(row) for row in res) + raise NotFoundError("Could not find Genotype data with the given ID.") + +def __fetch_pheno_data_by_ids__( + conn: gn3db.DbConnection, dataset_ids: tuple[str, ...]) -> tuple[ + dict, ...]: + """Fetch phenotype data by ID.""" + with conn.cursor(DictCursor) as cursor: + paramstr = ", ".join(["%s"] * len(dataset_ids)) + cursor.execute( + "SELECT pxf.Id, iset.InbredSetName, pf.Id AS dataset_id, " + "pf.Name AS dataset_name, pf.FullName AS dataset_fullname, " + "ifiles.GN_AccesionId AS accession_id " + "FROM PublishXRef AS pxf " + "INNER JOIN InbredSet AS iset ON pxf.InbredSetId=iset.InbredSetId " + "INNER JOIN PublishFreeze AS pf ON iset.InbredSetId=pf.InbredSetId " + "INNER JOIN InfoFiles AS ifiles ON pf.Name=ifiles.InfoPageName " + f"WHERE pxf.Id IN ({paramstr})", + dataset_ids) + res = cursor.fetchall() + if res: + return tuple(dict(row) for row in res) + raise NotFoundError( + "Could not find Phenotype/Publish data with the given IDs.") + +def __fetch_data_by_id( + conn: gn3db.DbConnection, dataset_type: str, + dataset_ids: tuple[str, ...]) -> tuple[dict, ...]: + """Fetch data from MySQL by IDs.""" + fetch_fns = { + "mrna": __fetch_mrna_data_by_ids__, + "genotype": __fetch_geno_data_by_ids__, + "phenotype": __fetch_pheno_data_by_ids__ + } + return fetch_fns[dataset_type](conn, dataset_ids) + +@authorised_p(("system:data:link-to-group",), + error_description=( + "You do not have sufficient privileges to link data to (a) " + "group(s)."), + oauth2_scope="profile group resource") +def link_data_to_group( + authconn: authdb.DbConnection, gn3conn: gn3db.DbConnection, + dataset_type: str, dataset_ids: tuple[str, ...], group: Group) -> tuple[ + dict, ...]: + """Link the given data to the specified group.""" + the_data = __fetch_data_by_id(gn3conn, dataset_type, dataset_ids) + with authdb.cursor(authconn) as cursor: + params = tuple({ + "group_id": str(group.group_id), "dataset_type": { + "mrna": "mRNA", "genotype": "Genotype", + "phenotype": "Phenotype" + }[dataset_type], + "dataset_or_trait_id": item["Id"], + "dataset_name": item["dataset_name"], + "dataset_fullname": item["dataset_fullname"], + "accession_id": item["accession_id"] + } for item in the_data) + cursor.executemany( + "INSERT INTO linked_group_data VALUES" + "(:group_id, :dataset_type, :dataset_or_trait_id, :dataset_name, " + ":dataset_fullname, :accession_id)", + params) + return params diff --git a/gn_auth/auth/authorisation/resources/groups/models.py b/gn_auth/auth/authorisation/resources/groups/models.py new file mode 100644 index 0000000..5ec26c5 --- /dev/null +++ b/gn_auth/auth/authorisation/resources/groups/models.py @@ -0,0 +1,453 @@ +"""Handle the management of resource/user groups.""" +import json +from uuid import UUID, uuid4 +from functools import reduce +from typing import Any, Sequence, Iterable, Optional, NamedTuple + +from flask import g +from pymonad.maybe import Just, Maybe, Nothing + +from gn_auth.auth.db import sqlite3 as db +from gn_auth.auth.dictify import dictify +from gn_auth.auth.authentication.users import User, user_by_id + +from gn_auth.auth.authorisation.checks import authorised_p +from gn_auth.auth.authorisation.privileges import Privilege +from gn_auth.auth.authorisation.resources.base import Resource +from gn_auth.auth.authorisation.resources.errors import MissingGroupError +from gn_auth.auth.authorisation.errors import ( + NotFoundError, AuthorisationError, InconsistencyError) +from gn_auth.auth.authorisation.roles.models import ( + Role, create_role, check_user_editable, revoke_user_role_by_name, + assign_user_role_by_name) + +class Group(NamedTuple): + """Class representing a group.""" + group_id: UUID + group_name: str + group_metadata: dict[str, Any] + + def dictify(self): + """Return a dict representation of `Group` objects.""" + return { + "group_id": self.group_id, "group_name": self.group_name, + "group_metadata": self.group_metadata + } + +DUMMY_GROUP = Group( + group_id=UUID("77cee65b-fe29-4383-ae41-3cb3b480cc70"), + group_name="GN3_DUMMY_GROUP", + group_metadata={ + "group-description": "This is a dummy group to use as a placeholder" + }) + +class GroupRole(NamedTuple): + """Class representing a role tied/belonging to a group.""" + group_role_id: UUID + group: Group + role: Role + + def dictify(self) -> dict[str, Any]: + """Return a dict representation of `GroupRole` objects.""" + return { + "group_role_id": self.group_role_id, "group": dictify(self.group), + "role": dictify(self.role) + } + +class GroupCreationError(AuthorisationError): + """Raised whenever a group creation fails""" + +class MembershipError(AuthorisationError): + """Raised when there is an error with a user's membership to a group.""" + + def __init__(self, user: User, groups: Sequence[Group]): + """Initialise the `MembershipError` exception object.""" + groups_str = ", ".join(group.group_name for group in groups) + error_description = ( + f"User '{user.name} ({user.email})' is a member of {len(groups)} " + f"groups ({groups_str})") + super().__init__(f"{type(self).__name__}: {error_description}.") + +def user_membership(conn: db.DbConnection, user: User) -> Sequence[Group]: + """Returns all the groups that a member belongs to""" + query = ( + "SELECT groups.group_id, group_name, groups.group_metadata " + "FROM group_users INNER JOIN groups " + "ON group_users.group_id=groups.group_id " + "WHERE group_users.user_id=?") + with db.cursor(conn) as cursor: + cursor.execute(query, (str(user.user_id),)) + groups = tuple(Group(row[0], row[1], json.loads(row[2])) + for row in cursor.fetchall()) + + return groups + +@authorised_p( + privileges = ("system:group:create-group",), + error_description = ( + "You do not have the appropriate privileges to enable you to " + "create a new group."), + oauth2_scope = "profile group") +def create_group( + conn: db.DbConnection, group_name: str, group_leader: User, + group_description: Optional[str] = None) -> Group: + """Create a new group.""" + def resource_category_by_key( + cursor: db.DbCursor, category_key: str): + """Retrieve a resource category by its key.""" + cursor.execute( + "SELECT * FROM resource_categories WHERE " + "resource_category_key=?", + (category_key,)) + results = cursor.fetchone() + if results: + return dict(results) + raise NotFoundError( + f"Could not find a ResourceCategory with key '{category_key}'") + + user_groups = user_membership(conn, group_leader) + if len(user_groups) > 0: + raise MembershipError(group_leader, user_groups) + + with db.cursor(conn) as cursor: + new_group = save_group( + cursor, group_name,( + {"group_description": group_description} + if group_description else {})) + group_resource = { + "group_id": str(new_group.group_id), + "resource_id": str(uuid4()), + "resource_name": group_name, + "resource_category_id": str( + resource_category_by_key(cursor, "group")["resource_category_id"]), + "public": 0 + } + cursor.execute( + "INSERT INTO resources VALUES " + "(:resource_id, :resource_name, :resource_category_id, :public)", + group_resource) + cursor.execute( + "INSERT INTO group_resources(resource_id, group_id) " + "VALUES(:resource_id, :group_id)", + group_resource) + add_user_to_group(cursor, new_group, group_leader) + revoke_user_role_by_name(cursor, group_leader, "group-creator") + assign_user_role_by_name( + cursor, + group_leader, + UUID(str(group_resource["resource_id"])), + "group-leader") + return new_group + +@authorised_p(("group:role:create-role",), + error_description="Could not create the group role") +def create_group_role( + conn: db.DbConnection, group: Group, role_name: str, + privileges: Iterable[Privilege]) -> GroupRole: + """Create a role attached to a group.""" + with db.cursor(conn) as cursor: + group_role_id = uuid4() + role = create_role(cursor, role_name, privileges) + cursor.execute( + ("INSERT INTO group_roles(group_role_id, group_id, role_id) " + "VALUES(?, ?, ?)"), + (str(group_role_id), str(group.group_id), str(role.role_id))) + + return GroupRole(group_role_id, group, role) + +def authenticated_user_group(conn) -> Maybe: + """ + Returns the currently authenticated user's group. + + Look into returning a Maybe object. + """ + user = g.user + with db.cursor(conn) as cursor: + cursor.execute( + ("SELECT groups.* FROM group_users " + "INNER JOIN groups ON group_users.group_id=groups.group_id " + "WHERE group_users.user_id = ?"), + (str(user.user_id),)) + groups = tuple(Group(UUID(row[0]), row[1], json.loads(row[2] or "{}")) + for row in cursor.fetchall()) + + if len(groups) > 1: + raise MembershipError(user, groups) + + if len(groups) == 1: + return Just(groups[0]) + + return Nothing + +def user_group(conn: db.DbConnection, user: User) -> Maybe[Group]: + """Returns the given user's group""" + with db.cursor(conn) as cursor: + cursor.execute( + ("SELECT groups.group_id, groups.group_name, groups.group_metadata " + "FROM group_users " + "INNER JOIN groups ON group_users.group_id=groups.group_id " + "WHERE group_users.user_id = ?"), + (str(user.user_id),)) + groups = tuple( + Group(UUID(row[0]), row[1], json.loads(row[2] or "{}")) + for row in cursor.fetchall()) + + if len(groups) > 1: + raise MembershipError(user, groups) + + if len(groups) == 1: + return Just(groups[0]) + + return Nothing + +def is_group_leader(conn: db.DbConnection, user: User, group: Group) -> bool: + """Check whether the given `user` is the leader of `group`.""" + + ugroup = user_group(conn, user).maybe( + False, lambda val: val) # type: ignore[arg-type, misc] + if not group: + # User cannot be a group leader if not a member of ANY group + return False + + if not ugroup == group: + # User cannot be a group leader if not a member of THIS group + return False + + with db.cursor(conn) as cursor: + cursor.execute( + ("SELECT roles.role_name FROM user_roles LEFT JOIN roles " + "ON user_roles.role_id = roles.role_id WHERE user_id = ?"), + (str(user.user_id),)) + role_names = tuple(row[0] for row in cursor.fetchall()) + + return "group-leader" in role_names + +def all_groups(conn: db.DbConnection) -> Maybe[Sequence[Group]]: + """Retrieve all existing groups""" + with db.cursor(conn) as cursor: + cursor.execute("SELECT * FROM groups") + res = cursor.fetchall() + if res: + return Just(tuple( + Group(row["group_id"], row["group_name"], + json.loads(row["group_metadata"])) for row in res)) + + return Nothing + +def save_group( + cursor: db.DbCursor, group_name: str, + group_metadata: dict[str, Any]) -> Group: + """Save a group to db""" + the_group = Group(uuid4(), group_name, group_metadata) + cursor.execute( + ("INSERT INTO groups " + "VALUES(:group_id, :group_name, :group_metadata) " + "ON CONFLICT (group_id) DO UPDATE SET " + "group_name=:group_name, group_metadata=:group_metadata"), + {"group_id": str(the_group.group_id), "group_name": the_group.group_name, + "group_metadata": json.dumps(the_group.group_metadata)}) + return the_group + +def add_user_to_group(cursor: db.DbCursor, the_group: Group, user: User): + """Add `user` to `the_group` as a member.""" + cursor.execute( + ("INSERT INTO group_users VALUES (:group_id, :user_id) " + "ON CONFLICT (group_id, user_id) DO NOTHING"), + {"group_id": str(the_group.group_id), "user_id": str(user.user_id)}) + +@authorised_p( + privileges = ("system:group:view-group",), + error_description = ( + "You do not have the appropriate privileges to access the list of users" + " in the group.")) +def group_users(conn: db.DbConnection, group_id: UUID) -> Iterable[User]: + """Retrieve all users that are members of group with id `group_id`.""" + with db.cursor(conn) as cursor: + cursor.execute( + "SELECT u.* FROM group_users AS gu INNER JOIN users AS u " + "ON gu.user_id = u.user_id WHERE gu.group_id=:group_id", + {"group_id": str(group_id)}) + results = cursor.fetchall() + + return (User(UUID(row["user_id"]), row["email"], row["name"]) + for row in results) + +@authorised_p( + privileges = ("system:group:view-group",), + error_description = ( + "You do not have the appropriate privileges to access the group.")) +def group_by_id(conn: db.DbConnection, group_id: UUID) -> Group: + """Retrieve a group by its ID""" + with db.cursor(conn) as cursor: + cursor.execute("SELECT * FROM groups WHERE group_id=:group_id", + {"group_id": str(group_id)}) + row = cursor.fetchone() + if row: + return Group( + UUID(row["group_id"]), + row["group_name"], + json.loads(row["group_metadata"])) + + raise NotFoundError(f"Could not find group with ID '{group_id}'.") + +@authorised_p(("system:group:view-group", "system:group:edit-group"), + error_description=("You do not have the appropriate authorisation" + " to act upon the join requests."), + oauth2_scope="profile group") +def join_requests(conn: db.DbConnection, user: User): + """List all the join requests for the user's group.""" + with db.cursor(conn) as cursor: + group = user_group(conn, user).maybe(DUMMY_GROUP, lambda grp: grp)# type: ignore[misc] + if group != DUMMY_GROUP and is_group_leader(conn, user, group): + cursor.execute( + "SELECT gjr.*, u.email, u.name FROM group_join_requests AS gjr " + "INNER JOIN users AS u ON gjr.requester_id=u.user_id " + "WHERE gjr.group_id=? AND gjr.status='PENDING'", + (str(group.group_id),)) + return tuple(dict(row)for row in cursor.fetchall()) + + raise AuthorisationError( + "You do not have the appropriate authorisation to access the " + "group's join requests.") + +@authorised_p(("system:group:view-group", "system:group:edit-group"), + error_description=("You do not have the appropriate authorisation" + " to act upon the join requests."), + oauth2_scope="profile group") +def accept_reject_join_request( + conn: db.DbConnection, request_id: UUID, user: User, status: str) -> dict: + """Accept/Reject a join request.""" + assert status in ("ACCEPTED", "REJECTED"), f"Invalid status '{status}'." + with db.cursor(conn) as cursor: + group = user_group(conn, user).maybe(DUMMY_GROUP, lambda grp: grp) # type: ignore[misc] + cursor.execute("SELECT * FROM group_join_requests WHERE request_id=?", + (str(request_id),)) + row = cursor.fetchone() + if row: + if group.group_id == UUID(row["group_id"]): + try: + the_user = user_by_id(conn, UUID(row["requester_id"])) + if status == "ACCEPTED": + add_user_to_group(cursor, group, the_user) + revoke_user_role_by_name(cursor, the_user, "group-creator") + cursor.execute( + "UPDATE group_join_requests SET status=? " + "WHERE request_id=?", + (status, str(request_id))) + return {"request_id": request_id, "status": status} + except NotFoundError as nfe: + raise InconsistencyError( + "Could not find user associated with join request." + ) from nfe + raise AuthorisationError( + "You cannot act on other groups join requests") + raise NotFoundError(f"Could not find request with ID '{request_id}'") + +def __organise_privileges__(acc, row): + role_id = UUID(row["role_id"]) + role = acc.get(role_id, False) + if role: + return { + **acc, + role_id: Role( + role.role_id, role.role_name, + bool(int(row["user_editable"])), + role.privileges + ( + Privilege(row["privilege_id"], + row["privilege_description"]),)) + } + return { + **acc, + role_id: Role( + UUID(row["role_id"]), row["role_name"], + bool(int(row["user_editable"])), + (Privilege(row["privilege_id"], row["privilege_description"]),)) + } + +# @authorised_p(("group:role:view",), +# "Insufficient privileges to view role", +# oauth2_scope="profile group role") +def group_role_by_id( + conn: db.DbConnection, group: Group, group_role_id: UUID) -> GroupRole: + """Retrieve GroupRole from id by its `group_role_id`.""" + ## TODO: do privileges check before running actual query + ## the check commented out above doesn't work correctly + with db.cursor(conn) as cursor: + cursor.execute( + "SELECT gr.group_role_id, r.*, p.* " + "FROM group_roles AS gr " + "INNER JOIN roles AS r ON gr.role_id=r.role_id " + "INNER JOIN role_privileges AS rp ON rp.role_id=r.role_id " + "INNER JOIN privileges AS p ON p.privilege_id=rp.privilege_id " + "WHERE gr.group_role_id=? AND gr.group_id=?", + (str(group_role_id), str(group.group_id))) + rows = cursor.fetchall() + if rows: + roles: tuple[Role,...] = tuple(reduce( + __organise_privileges__, rows, {}).values()) + assert len(roles) == 1 + return GroupRole(group_role_id, group, roles[0]) + raise NotFoundError( + f"Group role with ID '{group_role_id}' does not exist.") + +@authorised_p(("group:role:edit-role",), + "You do not have the privilege to edit a role.", + oauth2_scope="profile group role") +def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole, + privilege: Privilege) -> GroupRole: + """Add `privilege` to `group_role`.""" + ## TODO: do privileges check. + check_user_editable(group_role.role) + with db.cursor(conn) as cursor: + cursor.execute( + "INSERT INTO role_privileges(role_id,privilege_id) " + "VALUES (?, ?) ON CONFLICT (role_id, privilege_id) " + "DO NOTHING", + (str(group_role.role.role_id), str(privilege.privilege_id))) + return GroupRole( + group_role.group_role_id, + group_role.group, + Role(group_role.role.role_id, + group_role.role.role_name, + group_role.role.user_editable, + group_role.role.privileges + (privilege,))) + +@authorised_p(("group:role:edit-role",), + "You do not have the privilege to edit a role.", + oauth2_scope="profile group role") +def delete_privilege_from_group_role( + conn: db.DbConnection, group_role: GroupRole, + privilege: Privilege) -> GroupRole: + """Delete `privilege` to `group_role`.""" + ## TODO: do privileges check. + check_user_editable(group_role.role) + with db.cursor(conn) as cursor: + cursor.execute( + "DELETE FROM role_privileges WHERE " + "role_id=? AND privilege_id=?", + (str(group_role.role.role_id), str(privilege.privilege_id))) + return GroupRole( + group_role.group_role_id, + group_role.group, + Role(group_role.role.role_id, + group_role.role.role_name, + group_role.role.user_editable, + tuple(priv for priv in group_role.role.privileges + if priv != privilege))) + +def resource_owner(conn: db.DbConnection, resource: Resource) -> Group: + """Return the user group that owns the resource.""" + with db.cursor(conn) as cursor: + cursor.execute( + "SELECT g.* FROM resource_ownership AS ro " + "INNER JOIN groups AS g ON ro.group_id=g.group_id " + "WHERE ro.resource_id=?", + (str(resource.resource_id),)) + row = cursor.fetchone() + if row: + return Group( + UUID(row["group_id"]), + row["group_name"], + json.loads(row["group_metadata"])) + + raise MissingGroupError("Resource has no 'owning' group.") diff --git a/gn_auth/auth/authorisation/resources/groups/views.py b/gn_auth/auth/authorisation/resources/groups/views.py new file mode 100644 index 0000000..f146ffd --- /dev/null +++ b/gn_auth/auth/authorisation/resources/groups/views.py @@ -0,0 +1,432 @@ +""" +The views/routes for the `gn3.auth.authorisation.resources.groups` package. +""" +import uuid +import datetime +from typing import Iterable +from functools import partial + +from MySQLdb.cursors import DictCursor +from flask import request, jsonify, Response, Blueprint, current_app + +from gn_auth.auth.db import sqlite3 as db +from gn_auth.auth.db import mariadb as gn3db +from gn_auth.auth.db.sqlite3 import with_db_connection +from gn_auth.auth.dictify import dictify + +from gn_auth.auth.authorisation.roles.models import Role +from gn_auth.auth.authorisation.roles.models import user_roles + +from gn_auth.auth.authorisation.checks import authorised_p +from gn_auth.auth.authorisation.privileges import Privilege, privileges_by_ids +from gn_auth.auth.authorisation.errors import InvalidData, NotFoundError, AuthorisationError + +from gn_auth.auth.authentication.users import User +from gn_auth.auth.authentication.oauth2.resource_server import require_oauth + +from .data import link_data_to_group +from .models import ( + Group, user_group, all_groups, DUMMY_GROUP, GroupRole, group_by_id, + join_requests, group_role_by_id, GroupCreationError, + accept_reject_join_request, group_users as _group_users, + create_group as _create_group, add_privilege_to_group_role, + delete_privilege_from_group_role, create_group_role as _create_group_role) + +groups = Blueprint("groups", __name__) + +@groups.route("/list", methods=["GET"]) +@require_oauth("profile group") +def list_groups(): + """Return the list of groups that exist.""" + with db.connection(current_app.config["AUTH_DB"]) as conn: + the_groups = all_groups(conn) + + return jsonify(the_groups.maybe( + [], lambda grps: [dictify(grp) for grp in grps])) + +@groups.route("/create", methods=["POST"]) +@require_oauth("profile group") +def create_group(): + """Create a new group.""" + with require_oauth.acquire("profile group") as the_token: + group_name=request.form.get("group_name", "").strip() + if not bool(group_name): + raise GroupCreationError("Could not create the group.") + + db_uri = current_app.config["AUTH_DB"] + with db.connection(db_uri) as conn: + user = the_token.user + new_group = _create_group( + conn, group_name, user, request.form.get("group_description")) + return jsonify({ + **dictify(new_group), "group_leader": dictify(user) + }) + +@groups.route("/members/", methods=["GET"]) +@require_oauth("profile group") +def group_members(group_id: uuid.UUID) -> Response: + """Retrieve all the members of a group.""" + with require_oauth.acquire("profile group") as the_token:# pylint: disable=[unused-variable] + db_uri = current_app.config["AUTH_DB"] + ## Check that user has appropriate privileges and remove the pylint disable above + with db.connection(db_uri) as conn: + return jsonify(tuple( + dictify(user) for user in _group_users(conn, group_id))) + +@groups.route("/requests/join/", methods=["POST"]) +@require_oauth("profile group") +def request_to_join(group_id: uuid.UUID) -> Response: + """Request to join a group.""" + def __request__(conn: db.DbConnection, user: User, group_id: uuid.UUID, + message: str): + with db.cursor(conn) as cursor: + group = user_group(conn, user).maybe(# type: ignore[misc] + False, lambda grp: grp)# type: ignore[arg-type] + if group: + error = AuthorisationError( + "You cannot request to join a new group while being a " + "member of an existing group.") + error.error_code = 400 + raise error + request_id = uuid.uuid4() + cursor.execute( + "INSERT INTO group_join_requests VALUES " + "(:request_id, :group_id, :user_id, :ts, :status, :msg)", + { + "request_id": str(request_id), + "group_id": str(group_id), + "user_id": str(user.user_id), + "ts": datetime.datetime.now().timestamp(), + "status": "PENDING", + "msg": message + }) + return { + "request_id": request_id, + "message": "Successfully sent the join request." + } + + with require_oauth.acquire("profile group") as the_token: + form = request.form + results = with_db_connection(partial( + __request__, user=the_token.user, group_id=group_id, message=form.get( + "message", "I hereby request that you add me to your group."))) + return jsonify(results) + +@groups.route("/requests/join/list", methods=["GET"]) +@require_oauth("profile group") +def list_join_requests() -> Response: + """List the pending join requests.""" + with require_oauth.acquire("profile group") as the_token: + return jsonify(with_db_connection(partial( + join_requests, user=the_token.user))) + +@groups.route("/requests/join/accept", methods=["POST"]) +@require_oauth("profile group") +def accept_join_requests() -> Response: + """Accept a join request.""" + with require_oauth.acquire("profile group") as the_token: + form = request.form + request_id = uuid.UUID(form.get("request_id")) + return jsonify(with_db_connection(partial( + accept_reject_join_request, request_id=request_id, + user=the_token.user, status="ACCEPTED"))) + +@groups.route("/requests/join/reject", methods=["POST"]) +@require_oauth("profile group") +def reject_join_requests() -> Response: + """Reject a join request.""" + with require_oauth.acquire("profile group") as the_token: + form = request.form + request_id = uuid.UUID(form.get("request_id")) + return jsonify(with_db_connection(partial( + accept_reject_join_request, request_id=request_id, + user=the_token.user, status="REJECTED"))) + +def unlinked_mrna_data( + conn: db.DbConnection, group: Group) -> tuple[dict, ...]: + """ + Retrieve all mRNA Assay data linked to a group but not linked to any + resource. + """ + query = ( + "SELECT lmd.* FROM linked_mrna_data lmd " + "LEFT JOIN mrna_resources mr ON lmd.data_link_id=mr.data_link_id " + "WHERE lmd.group_id=? AND mr.data_link_id IS NULL") + with db.cursor(conn) as cursor: + cursor.execute(query, (str(group.group_id),)) + return tuple(dict(row) for row in cursor.fetchall()) + +def unlinked_genotype_data( + conn: db.DbConnection, group: Group) -> tuple[dict, ...]: + """ + Retrieve all genotype data linked to a group but not linked to any resource. + """ + query = ( + "SELECT lgd.* FROM linked_genotype_data lgd " + "LEFT JOIN genotype_resources gr ON lgd.data_link_id=gr.data_link_id " + "WHERE lgd.group_id=? AND gr.data_link_id IS NULL") + with db.cursor(conn) as cursor: + cursor.execute(query, (str(group.group_id),)) + return tuple(dict(row) for row in cursor.fetchall()) + +def unlinked_phenotype_data( + authconn: db.DbConnection, gn3conn: gn3db.DbConnection, + group: Group) -> tuple[dict, ...]: + """ + Retrieve all phenotype data linked to a group but not linked to any + resource. + """ + with db.cursor(authconn) as authcur, gn3conn.cursor(DictCursor) as gn3cur: + authcur.execute( + "SELECT lpd.* FROM linked_phenotype_data AS lpd " + "LEFT JOIN phenotype_resources AS pr " + "ON lpd.data_link_id=pr.data_link_id " + "WHERE lpd.group_id=? AND pr.data_link_id IS NULL", + (str(group.group_id),)) + results = authcur.fetchall() + ids: dict[tuple[str, ...], str] = { + ( + row["SpeciesId"], row["InbredSetId"], row["PublishFreezeId"], + row["PublishXRefId"]): row["data_link_id"] + for row in results + } + if len(ids.keys()) < 1: + return tuple() + paramstr = ", ".join(["(%s, %s, %s, %s)"] * len(ids.keys())) + gn3cur.execute( + "SELECT spc.SpeciesId, spc.SpeciesName, iset.InbredSetId, " + "iset.InbredSetName, pf.Id AS PublishFreezeId, " + "pf.Name AS dataset_name, pf.FullName AS dataset_fullname, " + "pf.ShortName AS dataset_shortname, pxr.Id AS PublishXRefId, " + "pub.PubMed_ID, pub.Title, pub.Year, " + "phen.Pre_publication_description, " + "phen.Post_publication_description, phen.Original_description " + "FROM " + "Species AS spc " + "INNER JOIN InbredSet AS iset " + "ON spc.SpeciesId=iset.SpeciesId " + "INNER JOIN PublishFreeze AS pf " + "ON iset.InbredSetId=pf.InbredSetId " + "INNER JOIN PublishXRef AS pxr " + "ON pf.InbredSetId=pxr.InbredSetId " + "INNER JOIN Publication AS pub " + "ON pxr.PublicationId=pub.Id " + "INNER JOIN Phenotype AS phen " + "ON pxr.PhenotypeId=phen.Id " + "WHERE (spc.SpeciesId, iset.InbredSetId, pf.Id, pxr.Id) " + f"IN ({paramstr})", + tuple(item for sublist in ids.keys() for item in sublist)) + return tuple({ + **{key: value for key, value in row.items() if key not in + ("Post_publication_description", "Pre_publication_description", + "Original_description")}, + "description": ( + row["Post_publication_description"] or + row["Pre_publication_description"] or + row["Original_description"]), + "data_link_id": ids[tuple(str(row[key]) for key in ( + "SpeciesId", "InbredSetId", "PublishFreezeId", + "PublishXRefId"))] + } for row in gn3cur.fetchall()) + +@groups.route("//unlinked-data") +@require_oauth("profile group resource") +def unlinked_data(resource_type: str) -> Response: + """View data linked to the group but not linked to any resource.""" + if resource_type not in ("all", "mrna", "genotype", "phenotype"): + raise AuthorisationError(f"Invalid resource type {resource_type}") + + with require_oauth.acquire("profile group resource") as the_token: + db_uri = current_app.config["AUTH_DB"] + gn3db_uri = current_app.config["SQL_URI"] + with (db.connection(db_uri) as authconn, + gn3db.database_connection(gn3db_uri) as gn3conn): + ugroup = user_group(authconn, the_token.user).maybe(# type: ignore[misc] + DUMMY_GROUP, lambda grp: grp) + if ugroup == DUMMY_GROUP: + return jsonify(tuple()) + + unlinked_fns = { + "mrna": unlinked_mrna_data, + "genotype": unlinked_genotype_data, + "phenotype": lambda conn, grp: partial( + unlinked_phenotype_data, gn3conn=gn3conn)( + authconn=conn, group=grp) + } + return jsonify(tuple( + dict(row) for row in unlinked_fns[resource_type]( + authconn, ugroup))) + + return jsonify(tuple()) + +@groups.route("/data/link", methods=["POST"]) +@require_oauth("profile group resource") +def link_data() -> Response: + """Link selected data to specified group.""" + with require_oauth.acquire("profile group resource") as _the_token: + form = request.form + group_id = uuid.UUID(form["group_id"]) + dataset_ids = form.getlist("dataset_ids") + dataset_type = form.get("dataset_type") + if dataset_type not in ("mrna", "genotype", "phenotype"): + raise InvalidData("Unexpected dataset type requested!") + def __link__(conn: db.DbConnection): + group = group_by_id(conn, group_id) + with gn3db.database_connection(current_app.config["SQL_URI"]) as gn3conn: + return link_data_to_group( + conn, gn3conn, dataset_type, dataset_ids, group) + + return jsonify(with_db_connection(__link__)) + +@groups.route("/roles", methods=["GET"]) +@require_oauth("profile group") +def group_roles(): + """Return a list of all available group roles.""" + with require_oauth.acquire("profile group role") as the_token: + def __list_roles__(conn: db.DbConnection): + ## TODO: Check that user has appropriate privileges + with db.cursor(conn) as cursor: + group = user_group(conn, the_token.user).maybe(# type: ignore[misc] + DUMMY_GROUP, lambda grp: grp) + if group == DUMMY_GROUP: + return tuple() + cursor.execute( + "SELECT gr.group_role_id, r.* " + "FROM group_roles AS gr INNER JOIN roles AS r " + "ON gr.role_id=r.role_id " + "WHERE group_id=?", + (str(group.group_id),)) + return tuple( + GroupRole(uuid.UUID(row["group_role_id"]), + group, + Role(uuid.UUID(row["role_id"]), + row["role_name"], + bool(int(row["user_editable"])), + tuple())) + for row in cursor.fetchall()) + return jsonify(tuple( + dictify(role) for role in with_db_connection(__list_roles__))) + +@groups.route("/privileges", methods=["GET"]) +@require_oauth("profile group") +def group_privileges(): + """Return a list of all available group roles.""" + with require_oauth.acquire("profile group role") as the_token: + def __list_privileges__(conn: db.DbConnection) -> Iterable[Privilege]: + ## TODO: Check that user has appropriate privileges + this_user_roles = user_roles(conn, the_token.user) + with db.cursor(conn) as cursor: + cursor.execute("SELECT * FROM privileges " + "WHERE privilege_id LIKE 'group:%'") + group_level_roles = tuple( + Privilege(row["privilege_id"], row["privilege_description"]) + for row in cursor.fetchall()) + return tuple(privilege for arole in this_user_roles + for privilege in arole.privileges) + group_level_roles + return jsonify(tuple( + dictify(priv) for priv in with_db_connection(__list_privileges__))) + + + +@groups.route("/role/create", methods=["POST"]) +@require_oauth("profile group") +def create_group_role(): + """Create a new group role.""" + with require_oauth.acquire("profile group role") as the_token: + ## TODO: Check that user has appropriate privileges + @authorised_p(("group:role:create-role",), + "You do not have the privilege to create new roles", + oauth2_scope="profile group role") + def __create__(conn: db.DbConnection) -> GroupRole: + ## TODO: Check user cannot assign any privilege they don't have. + form = request.form + role_name = form.get("role_name", "").strip() + privileges_ids = form.getlist("privileges[]") + if len(role_name) == 0: + raise InvalidData("Role name not provided!") + if len(privileges_ids) == 0: + raise InvalidData( + "At least one privilege needs to be provided.") + + group = user_group(conn, the_token.user).maybe(# type: ignore[misc] + DUMMY_GROUP, lambda grp: grp) + + if group == DUMMY_GROUP: + raise AuthorisationError( + "A user without a group cannot create a new role.") + privileges = privileges_by_ids(conn, tuple(privileges_ids)) + if len(privileges_ids) != len(privileges): + raise InvalidData( + f"{len(privileges_ids) - len(privileges)} of the selected " + "privileges were not found in the database.") + + return _create_group_role(conn, group, role_name, privileges) + + return jsonify(with_db_connection(__create__)) + +@groups.route("/role/", methods=["GET"]) +@require_oauth("profile group") +def view_group_role(group_role_id: uuid.UUID): + """Return the details of the given role.""" + with require_oauth.acquire("profile group role") as the_token: + def __group_role__(conn: db.DbConnection) -> GroupRole: + group = user_group(conn, the_token.user).maybe(#type: ignore[misc] + DUMMY_GROUP, lambda grp: grp) + + if group == DUMMY_GROUP: + raise AuthorisationError( + "A user without a group cannot view group roles.") + return group_role_by_id(conn, group, group_role_id) + return jsonify(dictify(with_db_connection(__group_role__))) + +def __add_remove_priv_to_from_role__(conn: db.DbConnection, + group_role_id: uuid.UUID, + direction: str, + user: User) -> GroupRole: + assert direction in ("ADD", "DELETE") + group = user_group(conn, user).maybe(# type: ignore[misc] + DUMMY_GROUP, lambda grp: grp) + + if group == DUMMY_GROUP: + raise AuthorisationError( + "You need to be a member of a group to edit roles.") + try: + privilege_id = request.form.get("privilege_id", "") + assert bool(privilege_id), "Privilege to add must be provided." + privileges = privileges_by_ids(conn, (privilege_id,)) + if len(privileges) == 0: + raise NotFoundError("Privilege not found.") + dir_fns = { + "ADD": add_privilege_to_group_role, + "DELETE": delete_privilege_from_group_role + } + return dir_fns[direction]( + conn, + group_role_by_id(conn, group, group_role_id), + privileges[0]) + except AssertionError as aerr: + raise InvalidData(aerr.args[0]) from aerr + +@groups.route("/role//privilege/add", methods=["POST"]) +@require_oauth("profile group") +def add_priv_to_role(group_role_id: uuid.UUID) -> Response: + """Add privilege to group role.""" + with require_oauth.acquire("profile group role") as the_token: + return jsonify({ + **dictify(with_db_connection(partial( + __add_remove_priv_to_from_role__, group_role_id=group_role_id, + direction="ADD", user=the_token.user))), + "description": "Privilege added successfully" + }) + +@groups.route("/role//privilege/delete", methods=["POST"]) +@require_oauth("profile group") +def delete_priv_from_role(group_role_id: uuid.UUID) -> Response: + """Delete privilege from group role.""" + with require_oauth.acquire("profile group role") as the_token: + return jsonify({ + **dictify(with_db_connection(partial( + __add_remove_priv_to_from_role__, group_role_id=group_role_id, + direction="DELETE", user=the_token.user))), + "description": "Privilege deleted successfully" + }) diff --git a/gn_auth/auth/authorisation/resources/models.py b/gn_auth/auth/authorisation/resources/models.py index f307fdc..80820a5 100644 --- a/gn_auth/auth/authorisation/resources/models.py +++ b/gn_auth/auth/authorisation/resources/models.py @@ -1,38 +1,37 @@ """Handle the management of resources.""" -import json from uuid import UUID, uuid4 from functools import reduce, partial from typing import Dict, Sequence, Optional -from ...db import sqlite3 as db -from ...dictify import dictify -from ...authentication.users import User -from ...db.sqlite3 import with_db_connection +from gn_auth.auth.db import sqlite3 as db +from gn_auth.auth.dictify import dictify +from gn_auth.auth.authentication.users import User +from gn_auth.auth.db.sqlite3 import with_db_connection -from ..checks import authorised_p -from ..errors import NotFoundError, AuthorisationError -from ..groups.models import Group, GroupRole, user_group, is_group_leader +from gn_auth.auth.authorisation.checks import authorised_p +from gn_auth.auth.authorisation.errors import NotFoundError, AuthorisationError from .checks import authorised_for from .base import Resource, ResourceCategory -from .mrna_resource import ( +from .groups.models import ( + Group, GroupRole, user_group, resource_owner, is_group_leader) +from .mrna import ( resource_data as mrna_resource_data, attach_resources_data as mrna_attach_resources_data, link_data_to_resource as mrna_link_data_to_resource, unlink_data_from_resource as mrna_unlink_data_from_resource) -from .genotype_resource import ( +from .genotype import ( resource_data as genotype_resource_data, attach_resources_data as genotype_attach_resources_data, link_data_to_resource as genotype_link_data_to_resource, unlink_data_from_resource as genotype_unlink_data_from_resource) -from .phenotype_resource import ( +from .phenotype import ( resource_data as phenotype_resource_data, attach_resources_data as phenotype_attach_resources_data, link_data_to_resource as phenotype_link_data_to_resource, unlink_data_from_resource as phenotype_unlink_data_from_resource) -class MissingGroupError(AuthorisationError): - """Raised for any resource operation without a group.""" +from .errors import MissingGroupError def __assign_resource_owner_role__(cursor, resource, user, group): """Assign `user` the 'Resource Owner' role for `resource`.""" @@ -73,7 +72,7 @@ def create_resource( group = user_group(conn, user).maybe( False, lambda grp: grp)# type: ignore[misc, arg-type] if not group: - raise MissingGroupError( + raise MissingGroupError(# Not all resources require an owner group "User with no group cannot create a resource.") resource = Resource(uuid4(), resource_name, resource_category, public) cursor.execute( @@ -246,7 +245,7 @@ def link_data_to_resource( "genotype": genotype_link_data_to_resource, "phenotype": phenotype_link_data_to_resource, }[dataset_type.lower()]( - conn, resource, resource_group(conn, resource), data_link_id) + conn, resource, resource_owner(conn, resource), data_link_id) def unlink_data_from_resource( conn: db.DbConnection, user: User, resource_id: UUID, data_link_id: UUID): @@ -367,20 +366,3 @@ def save_resource( raise AuthorisationError( "You do not have the appropriate privileges to edit this resource.") - -def resource_group(conn: db.DbConnection, resource: Resource) -> Group: - """Return the group that owns the resource.""" - with db.cursor(conn) as cursor: - cursor.execute( - "SELECT g.* FROM resource_ownership AS ro " - "INNER JOIN groups AS g ON ro.group_id=g.group_id " - "WHERE ro.resource_id=?", - (str(resource.resource_id),)) - row = cursor.fetchone() - if row: - return Group( - UUID(row["group_id"]), - row["group_name"], - json.loads(row["group_metadata"])) - - raise MissingGroupError("Resource has no 'owning' group.") diff --git a/gn_auth/auth/authorisation/resources/mrna.py b/gn_auth/auth/authorisation/resources/mrna.py new file mode 100644 index 0000000..7fce227 --- /dev/null +++ b/gn_auth/auth/authorisation/resources/mrna.py @@ -0,0 +1,66 @@ +"""mRNA data resources functions and utilities""" +import uuid +from typing import Optional, Sequence + +import sqlite3 + +import gn_auth.auth.db.sqlite3 as db + +from .base import Resource +from .data import __attach_data__ + +def resource_data(cursor: db.DbCursor, + resource_id: uuid.UUID, + offset: int = 0, + limit: Optional[int] = None) -> Sequence[sqlite3.Row]: + """Fetch data linked to a mRNA resource""" + cursor.execute( + (("SELECT * FROM mrna_resources AS mr " + "INNER JOIN linked_mrna_data AS lmr " + "ON mr.data_link_id=lmr.data_link_id " + "WHERE mr.resource_id=?") + ( + f" LIMIT {limit} OFFSET {offset}" if bool(limit) else "")), + (str(resource_id),)) + return cursor.fetchall() + +def link_data_to_resource( + conn: db.DbConnection, + resource: Resource, + data_link_id: uuid.UUID) -> dict: + """Link mRNA Assay data with a resource.""" + with db.cursor(conn) as cursor: + params = { + "resource_id": str(resource.resource_id), + "data_link_id": str(data_link_id) + } + cursor.execute( + "INSERT INTO mrna_resources VALUES" + "(:resource_id, :data_link_id)", + params) + return params + +def unlink_data_from_resource( + conn: db.DbConnection, + resource: Resource, + data_link_id: uuid.UUID) -> dict: + """Unlink data from mRNA Assay resources""" + with db.cursor(conn) as cursor: + cursor.execute("DELETE FROM mrna_resources " + "WHERE resource_id=? AND data_link_id=?", + (str(resource.resource_id), str(data_link_id))) + return { + "resource_id": str(resource.resource_id), + "dataset_type": resource.resource_category.resource_category_key, + "data_link_id": data_link_id + } + +def attach_resources_data( + cursor, resources: Sequence[Resource]) -> Sequence[Resource]: + """Attach linked data to mRNA Assay resources""" + placeholders = ", ".join(["?"] * len(resources)) + cursor.execute( + "SELECT * FROM mrna_resources AS mr INNER JOIN linked_mrna_data AS lmd" + " ON mr.data_link_id=lmd.data_link_id " + f"WHERE mr.resource_id IN ({placeholders})", + tuple(str(resource.resource_id) for resource in resources)) + return __attach_data__(cursor.fetchall(), resources) diff --git a/gn_auth/auth/authorisation/resources/mrna_resource.py b/gn_auth/auth/authorisation/resources/mrna_resource.py deleted file mode 100644 index 7fce227..0000000 --- a/gn_auth/auth/authorisation/resources/mrna_resource.py +++ /dev/null @@ -1,66 +0,0 @@ -"""mRNA data resources functions and utilities""" -import uuid -from typing import Optional, Sequence - -import sqlite3 - -import gn_auth.auth.db.sqlite3 as db - -from .base import Resource -from .data import __attach_data__ - -def resource_data(cursor: db.DbCursor, - resource_id: uuid.UUID, - offset: int = 0, - limit: Optional[int] = None) -> Sequence[sqlite3.Row]: - """Fetch data linked to a mRNA resource""" - cursor.execute( - (("SELECT * FROM mrna_resources AS mr " - "INNER JOIN linked_mrna_data AS lmr " - "ON mr.data_link_id=lmr.data_link_id " - "WHERE mr.resource_id=?") + ( - f" LIMIT {limit} OFFSET {offset}" if bool(limit) else "")), - (str(resource_id),)) - return cursor.fetchall() - -def link_data_to_resource( - conn: db.DbConnection, - resource: Resource, - data_link_id: uuid.UUID) -> dict: - """Link mRNA Assay data with a resource.""" - with db.cursor(conn) as cursor: - params = { - "resource_id": str(resource.resource_id), - "data_link_id": str(data_link_id) - } - cursor.execute( - "INSERT INTO mrna_resources VALUES" - "(:resource_id, :data_link_id)", - params) - return params - -def unlink_data_from_resource( - conn: db.DbConnection, - resource: Resource, - data_link_id: uuid.UUID) -> dict: - """Unlink data from mRNA Assay resources""" - with db.cursor(conn) as cursor: - cursor.execute("DELETE FROM mrna_resources " - "WHERE resource_id=? AND data_link_id=?", - (str(resource.resource_id), str(data_link_id))) - return { - "resource_id": str(resource.resource_id), - "dataset_type": resource.resource_category.resource_category_key, - "data_link_id": data_link_id - } - -def attach_resources_data( - cursor, resources: Sequence[Resource]) -> Sequence[Resource]: - """Attach linked data to mRNA Assay resources""" - placeholders = ", ".join(["?"] * len(resources)) - cursor.execute( - "SELECT * FROM mrna_resources AS mr INNER JOIN linked_mrna_data AS lmd" - " ON mr.data_link_id=lmd.data_link_id " - f"WHERE mr.resource_id IN ({placeholders})", - tuple(str(resource.resource_id) for resource in resources)) - return __attach_data__(cursor.fetchall(), resources) diff --git a/gn_auth/auth/authorisation/resources/phenotype.py b/gn_auth/auth/authorisation/resources/phenotype.py new file mode 100644 index 0000000..cd3f23d --- /dev/null +++ b/gn_auth/auth/authorisation/resources/phenotype.py @@ -0,0 +1,71 @@ +"""Phenotype data resources functions and utilities.""" +import uuid +from typing import Optional, Sequence + +import sqlite3 + +import gn_auth.auth.db.sqlite3 as db + +from .groups import Group +from .base import Resource +from .data import __attach_data__ + +def resource_data( + cursor: db.DbCursor, + resource_id: uuid.UUID, + offset: int = 0, + limit: Optional[int] = None) -> Sequence[sqlite3.Row]: + """Fetch data linked to a Phenotype resource""" + cursor.execute( + ("SELECT * FROM phenotype_resources AS pr " + "INNER JOIN linked_phenotype_data AS lpd " + "ON pr.data_link_id=lpd.data_link_id " + "WHERE pr.resource_id=?") + ( + f" LIMIT {limit} OFFSET {offset}" if bool(limit) else ""), + (str(resource_id),)) + return cursor.fetchall() + +def link_data_to_resource( + conn: db.DbConnection, + resource: Resource, + group: Group, + data_link_id: uuid.UUID) -> dict: + """Link Phenotype data with a resource.""" + with db.cursor(conn) as cursor: + params = { + "group_id": str(group.group_id), + "resource_id": str(resource.resource_id), + "data_link_id": str(data_link_id) + } + cursor.execute( + "INSERT INTO phenotype_resources VALUES" + "(:group_id, :resource_id, :data_link_id)", + params) + return params + +def unlink_data_from_resource( + conn: db.DbConnection, + resource: Resource, + data_link_id: uuid.UUID) -> dict: + """Unlink data from Phenotype resources""" + with db.cursor(conn) as cursor: + cursor.execute("DELETE FROM phenotype_resources " + "WHERE resource_id=? AND data_link_id=?", + (str(resource.resource_id), str(data_link_id))) + return { + "resource_id": str(resource.resource_id), + "dataset_type": resource.resource_category.resource_category_key, + "data_link_id": str(data_link_id) + } + +def attach_resources_data( + cursor, resources: Sequence[Resource]) -> Sequence[Resource]: + """Attach linked data to Phenotype resources""" + placeholders = ", ".join(["?"] * len(resources)) + cursor.execute( + "SELECT * FROM phenotype_resources AS pr " + "INNER JOIN linked_phenotype_data AS lpd " + "ON pr.data_link_id=lpd.data_link_id " + f"WHERE pr.resource_id IN ({placeholders})", + tuple(str(resource.resource_id) for resource in resources)) + return __attach_data__(cursor.fetchall(), resources) diff --git a/gn_auth/auth/authorisation/resources/phenotype_resource.py b/gn_auth/auth/authorisation/resources/phenotype_resource.py deleted file mode 100644 index 046357c..0000000 --- a/gn_auth/auth/authorisation/resources/phenotype_resource.py +++ /dev/null @@ -1,71 +0,0 @@ -"""Phenotype data resources functions and utilities.""" -import uuid -from typing import Optional, Sequence - -import sqlite3 - -import gn_auth.auth.db.sqlite3 as db -from gn_auth.auth.authorisation.groups import Group - -from .base import Resource -from .data import __attach_data__ - -def resource_data( - cursor: db.DbCursor, - resource_id: uuid.UUID, - offset: int = 0, - limit: Optional[int] = None) -> Sequence[sqlite3.Row]: - """Fetch data linked to a Phenotype resource""" - cursor.execute( - ("SELECT * FROM phenotype_resources AS pr " - "INNER JOIN linked_phenotype_data AS lpd " - "ON pr.data_link_id=lpd.data_link_id " - "WHERE pr.resource_id=?") + ( - f" LIMIT {limit} OFFSET {offset}" if bool(limit) else ""), - (str(resource_id),)) - return cursor.fetchall() - -def link_data_to_resource( - conn: db.DbConnection, - resource: Resource, - group: Group, - data_link_id: uuid.UUID) -> dict: - """Link Phenotype data with a resource.""" - with db.cursor(conn) as cursor: - params = { - "group_id": str(group.group_id), - "resource_id": str(resource.resource_id), - "data_link_id": str(data_link_id) - } - cursor.execute( - "INSERT INTO phenotype_resources VALUES" - "(:group_id, :resource_id, :data_link_id)", - params) - return params - -def unlink_data_from_resource( - conn: db.DbConnection, - resource: Resource, - data_link_id: uuid.UUID) -> dict: - """Unlink data from Phenotype resources""" - with db.cursor(conn) as cursor: - cursor.execute("DELETE FROM phenotype_resources " - "WHERE resource_id=? AND data_link_id=?", - (str(resource.resource_id), str(data_link_id))) - return { - "resource_id": str(resource.resource_id), - "dataset_type": resource.resource_category.resource_category_key, - "data_link_id": str(data_link_id) - } - -def attach_resources_data( - cursor, resources: Sequence[Resource]) -> Sequence[Resource]: - """Attach linked data to Phenotype resources""" - placeholders = ", ".join(["?"] * len(resources)) - cursor.execute( - "SELECT * FROM phenotype_resources AS pr " - "INNER JOIN linked_phenotype_data AS lpd " - "ON pr.data_link_id=lpd.data_link_id " - f"WHERE pr.resource_id IN ({placeholders})", - tuple(str(resource.resource_id) for resource in resources)) - return __attach_data__(cursor.fetchall(), resources) diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py index 4fe04d9..0e44df5 100644 --- a/gn_auth/auth/authorisation/resources/views.py +++ b/gn_auth/auth/authorisation/resources/views.py @@ -6,23 +6,23 @@ from functools import reduce from flask import request, jsonify, Response, Blueprint, current_app as app -from ...db import sqlite3 as db -from ...db.sqlite3 import with_db_connection +from gn_auth.auth.db import sqlite3 as db +from gn_auth.auth.db.sqlite3 import with_db_connection + +from gn_auth.auth.authorisation.roles import Role +from gn_auth.auth.authorisation.errors import InvalidData, InconsistencyError, AuthorisationError + +from gn_auth.auth.dictify import dictify +from gn_auth.auth.authentication.oauth2.resource_server import require_oauth +from gn_auth.auth.authentication.users import User, user_by_id, user_by_email from .checks import authorised_for from .models import ( - Resource, save_resource, resource_data, resource_group, resource_by_id, + Resource, save_resource, resource_data, resource_by_id, resource_categories, assign_resource_user, link_data_to_resource, unassign_resource_user, resource_category_by_id, unlink_data_from_resource, create_resource as _create_resource) - -from ..roles import Role -from ..errors import InvalidData, InconsistencyError, AuthorisationError -from ..groups.models import Group, GroupRole, group_role_by_id - -from ...dictify import dictify -from ...authentication.oauth2.resource_server import require_oauth -from ...authentication.users import User, user_by_id, user_by_email +from .groups.models import Group, GroupRole, resource_owner, group_role_by_id resources = Blueprint("resources", __name__) @@ -165,7 +165,7 @@ def resource_users(resource_id: uuid.UUID): "user", User(user_id, row["email"], row["name"])) role = GroupRole( uuid.UUID(row["group_role_id"]), - resource_group(conn, resource), + resource_owner(conn, resource), Role(uuid.UUID(row["role_id"]), row["role_name"], bool(int(row["user_editable"])), tuple())) return { @@ -222,7 +222,7 @@ def assign_role_to_user(resource_id: uuid.UUID) -> Response: return assign_resource_user( conn, resource, user, group_role_by_id(conn, - resource_group(conn, resource), + resource_owner(conn, resource), uuid.UUID(group_role_id))) except AssertionError as aserr: raise AuthorisationError(aserr.args[0]) from aserr @@ -246,7 +246,7 @@ def unassign_role_to_user(resource_id: uuid.UUID) -> Response: return unassign_resource_user( conn, resource, user_by_id(conn, uuid.UUID(user_id)), group_role_by_id(conn, - resource_group(conn, resource), + resource_owner(conn, resource), uuid.UUID(group_role_id))) except AssertionError as aserr: raise AuthorisationError(aserr.args[0]) from aserr diff --git a/gn_auth/auth/authorisation/users/views.py b/gn_auth/auth/authorisation/users/views.py index 6de30da..50386ac 100644 --- a/gn_auth/auth/authorisation/users/views.py +++ b/gn_auth/auth/authorisation/users/views.py @@ -7,24 +7,28 @@ import sqlite3 from email_validator import validate_email, EmailNotValidError from flask import request, jsonify, Response, Blueprint, current_app -from ...db import sqlite3 as db -from ...dictify import dictify -from ...db.sqlite3 import with_db_connection +from gn_auth.auth.db import sqlite3 as db +from gn_auth.auth.dictify import dictify +from gn_auth.auth.db.sqlite3 import with_db_connection + +from gn_auth.auth.authorisation.resources.models import ( + user_resources as _user_resources) +from gn_auth.auth.authorisation.roles.models import ( + assign_default_roles, user_roles as _user_roles) +from gn_auth.auth.authorisation.errors import ( + NotFoundError, UsernameError, PasswordError, UserRegistrationError) +from gn_auth.auth.authorisation.resources.groups.models import ( + user_group as _user_group) + +from gn_auth.auth.authentication.oauth2.resource_server import require_oauth +from gn_auth.auth.authentication.users import User, save_user, set_user_password +from gn_auth.auth.authentication.oauth2.models.oauth2token import ( + token_by_access_token) from .models import list_users from .masquerade.views import masq from .collections.views import collections -from ..groups.models import user_group as _user_group -from ..resources.models import user_resources as _user_resources -from ..roles.models import assign_default_roles, user_roles as _user_roles -from ..errors import ( - NotFoundError, UsernameError, PasswordError, UserRegistrationError) - -from ...authentication.oauth2.resource_server import require_oauth -from ...authentication.users import User, save_user, set_user_password -from ...authentication.oauth2.models.oauth2token import token_by_access_token - users = Blueprint("users", __name__) users.register_blueprint(masq, url_prefix="/masquerade") users.register_blueprint(collections, url_prefix="/collections") diff --git a/gn_auth/auth/views.py b/gn_auth/auth/views.py index 56eace7..cd1cb6f 100644 --- a/gn_auth/auth/views.py +++ b/gn_auth/auth/views.py @@ -7,8 +7,8 @@ from .authorisation.data.views import data from .authorisation.users.views import users from .authorisation.users.admin import admin from .authorisation.roles.views import roles -from .authorisation.groups.views import groups from .authorisation.resources.views import resources +from .authorisation.resources.groups.views import groups oauth2 = Blueprint("oauth2", __name__) diff --git a/scripts/migrate_existing_data.py b/scripts/migrate_existing_data.py index db3f426..c9ac343 100644 --- a/scripts/migrate_existing_data.py +++ b/scripts/migrate_existing_data.py @@ -16,9 +16,10 @@ from gn_auth.auth.db import mariadb as biodb import gn_auth.auth.db.sqlite3 as authdb from gn_auth.auth.authentication.users import User -from gn_auth.auth.authorisation.groups.models import Group, save_group from gn_auth.auth.authorisation.roles.models import ( revoke_user_role_by_name, assign_user_role_by_name) + +from gn_auth.auth.authorisation.resources.groups.models import Group, save_group from gn_auth.auth.authorisation.resources.models import ( Resource, ResourceCategory, __assign_resource_owner_role__) diff --git a/tests/unit/auth/fixtures/group_fixtures.py b/tests/unit/auth/fixtures/group_fixtures.py index 8a4e79b..66edf5e 100644 --- a/tests/unit/auth/fixtures/group_fixtures.py +++ b/tests/unit/auth/fixtures/group_fixtures.py @@ -4,7 +4,7 @@ import uuid import pytest from gn_auth.auth.db import sqlite3 as db -from gn_auth.auth.authorisation.groups import Group, GroupRole +from gn_auth.auth.authorisation.resources.groups import Group, GroupRole from gn_auth.auth.authorisation.resources import Resource, ResourceCategory from .role_fixtures import RESOURCE_EDITOR_ROLE, RESOURCE_READER_ROLE diff --git a/tests/unit/auth/test_groups.py b/tests/unit/auth/test_groups.py index 9c4e760..a6a0da5 100644 --- a/tests/unit/auth/test_groups.py +++ b/tests/unit/auth/test_groups.py @@ -9,7 +9,7 @@ from gn_auth.auth.authentication.users import User from gn_auth.auth.authorisation.roles import Role from gn_auth.auth.authorisation.privileges import Privilege from gn_auth.auth.authorisation.errors import AuthorisationError -from gn_auth.auth.authorisation.groups.models import ( +from gn_auth.auth.authorisation.resources.groups.models import ( Group, GroupRole, user_group, create_group, create_group_role) from tests.unit.auth import conftest @@ -43,7 +43,7 @@ def test_create_group(# pylint: disable=[too-many-arguments] THEN: verify they are only able to create the group if they have the appropriate privileges """ - mocker.patch("gn_auth.auth.authorisation.groups.models.uuid4", conftest.uuid_fn) + mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn) mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire", conftest.get_tokeniser(user)) with db.connection(auth_testdb_path) as conn: @@ -59,7 +59,7 @@ def test_create_group_raises_exception_with_non_privileged_user(# pylint: disabl WHEN: the user attempts to create a group THEN: verify the system raises an exception """ - mocker.patch("gn_auth.auth.authorisation.groups.models.uuid4", conftest.uuid_fn) + mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn) mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire", conftest.get_tokeniser(user)) with db.connection(auth_testdb_path) as conn: @@ -86,7 +86,7 @@ def test_create_group_role(mocker, fxtr_users_in_group, user, expected): THEN: verify they are only able to create the role if they have the appropriate privileges and that the role is attached to the given group """ - mocker.patch("gn_auth.auth.authorisation.groups.models.uuid4", conftest.uuid_fn) + mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn) mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn) mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire", conftest.get_tokeniser(user)) @@ -112,7 +112,7 @@ def test_create_group_role_raises_exception_with_unauthorised_users( THEN: verify they are only able to create the role if they have the appropriate privileges and that the role is attached to the given group """ - mocker.patch("gn_auth.auth.authorisation.groups.models.uuid4", conftest.uuid_fn) + mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn) mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn) mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire", conftest.get_tokeniser(user)) @@ -130,7 +130,7 @@ def test_create_multiple_groups(mocker, fxtr_users): THEN: The system should prevent that, and respond with an appropriate error message """ - mocker.patch("gn_auth.auth.authorisation.groups.models.uuid4", conftest.uuid_fn) + mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn) user = User( UUID("ecb52977-3004-469e-9428-2a1856725c7f"), "group@lead.er", "Group Leader") diff --git a/tests/unit/auth/test_resources.py b/tests/unit/auth/test_resources.py index 57ccc1d..ee4f312 100644 --- a/tests/unit/auth/test_resources.py +++ b/tests/unit/auth/test_resources.py @@ -5,8 +5,8 @@ import pytest from gn_auth.auth.db import sqlite3 as db -from gn_auth.auth.authorisation.groups import Group from gn_auth.auth.authorisation.errors import AuthorisationError +from gn_auth.auth.authorisation.resources.groups import Group from gn_auth.auth.authorisation.resources.models import ( Resource, user_resources, create_resource, ResourceCategory, public_resources) -- cgit v1.2.3