aboutsummaryrefslogtreecommitdiff
path: root/gn_auth/auth/authorisation/resources/views.py
blob: 0200222b29a145d301b8d0464370d195fa4f41b1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
"""The views/routes for the resources package"""
import uuid
import json
import operator
import sqlite3
import time

from dataclasses import asdict
from functools import reduce

from authlib.integrations.flask_oauth2.errors import _HTTPException
from authlib.jose import jwt
from flask import (make_response, request, jsonify, Response,
                   Blueprint, current_app as app)

from gn_auth.auth.db import sqlite3 as db
from gn_auth.auth.db.sqlite3 import with_db_connection

from gn_auth.auth.authorisation.roles import Role
from gn_auth.auth.errors import InvalidData, InconsistencyError, AuthorisationError

from gn_auth.auth.authentication.oauth2.resource_server import require_oauth
from gn_auth.auth.authentication.users import User, user_by_id, user_by_email

from .checks import authorised_for
from .models import (
    Resource, resource_data, resource_by_id, public_resources,
    resource_categories, assign_resource_user, link_data_to_resource,
    unassign_resource_user, resource_category_by_id, user_roles_on_resources,
    unlink_data_from_resource, create_resource as _create_resource,
    get_resource_id)
from .groups.models import Group, resource_owner, group_role_by_id

resources = Blueprint("resources", __name__)

@resources.route("/categories", methods=["GET"])
@require_oauth("profile group resource")
def list_resource_categories() -> Response:
    """Retrieve all resource categories"""
    db_uri = app.config["AUTH_DB"]
    with db.connection(db_uri) as conn:
        return jsonify(tuple(
            asdict(category) for category in resource_categories(conn)))

@resources.route("/create", methods=["POST"])
@require_oauth("profile group resource")
def create_resource() -> Response:
    """Create a new resource"""
    with require_oauth.acquire("profile group resource") as the_token:
        form = request.form
        resource_name = form.get("resource_name")
        resource_category_id = uuid.UUID(form.get("resource_category"))
        db_uri = app.config["AUTH_DB"]
        with db.connection(db_uri) as conn:
            try:
                resource = _create_resource(
                    conn,
                    resource_name,
                    resource_category_by_id(conn, resource_category_id),
                    the_token.user,
                    (form.get("public") == "on"))
                return jsonify(asdict(resource))
            except sqlite3.IntegrityError as sql3ie:
                if sql3ie.args[0] == ("UNIQUE constraint failed: "
                                      "resources.resource_name"):
                    raise InconsistencyError(
                        "You cannot have duplicate resource names.") from sql3ie
                app.logger.debug(
                    f"{type(sql3ie)=}: {sql3ie=}")
                raise

@resources.route("/view/<uuid:resource_id>")
@require_oauth("profile group resource")
def view_resource(resource_id: uuid.UUID) -> Response:
    """View a particular resource's details."""
    with require_oauth.acquire("profile group resource") as the_token:
        db_uri = app.config["AUTH_DB"]
        with db.connection(db_uri) as conn:
            return jsonify(
                asdict(
                    resource_by_id(conn, the_token.user, resource_id)
                )
            )

def __safe_get_requests_page__(key: str = "page") -> int:
    """Get the results page if it exists or default to the first page."""
    try:
        return abs(int(request.args.get(key, "1"), base=10))
    except ValueError as _valerr:
        return 1

def __safe_get_requests_count__(key: str = "count_per_page") -> int:
    """Get the results page if it exists or default to the first page."""
    try:
        count = request.args.get(key, "0")
        if count != 0:
            return abs(int(count, base=10))
        return 0
    except ValueError as _valerr:
        return 0

@resources.route("/view/<uuid:resource_id>/data")
@require_oauth("profile group resource")
def view_resource_data(resource_id: uuid.UUID) -> Response:
    """Retrieve a particular resource's data."""
    with require_oauth.acquire("profile group resource") as the_token:
        db_uri = app.config["AUTH_DB"]
        count_per_page = __safe_get_requests_count__("count_per_page")
        offset = (__safe_get_requests_page__("page") - 1)
        with db.connection(db_uri) as conn:
            resource = resource_by_id(conn, the_token.user, resource_id)
            return jsonify(resource_data(
                conn,
                resource,
                ((offset * count_per_page) if bool(count_per_page) else offset),
                count_per_page))

@resources.route("/data/link", methods=["POST"])
@require_oauth("profile group resource")
def link_data():
    """Link group data to a specific resource."""
    try:
        form = request.form
        assert "resource_id" in form, "Resource ID not provided."
        assert "data_link_id" in form, "Data Link ID not provided."
        assert "dataset_type" in form, "Dataset type not specified"
        assert form["dataset_type"].lower() in (
            "mrna", "genotype", "phenotype"), "Invalid dataset type provided."

        with require_oauth.acquire("profile group resource") as the_token:
            def __link__(conn: db.DbConnection):
                return link_data_to_resource(
                    conn, the_token.user, uuid.UUID(form["resource_id"]),
                    form["dataset_type"], uuid.UUID(form["data_link_id"]))

            return jsonify(with_db_connection(__link__))
    except AssertionError as aserr:
        raise InvalidData(aserr.args[0]) from aserr



@resources.route("/data/unlink", methods=["POST"])
@require_oauth("profile group resource")
def unlink_data():
    """Unlink data bound to a specific resource."""
    try:
        form = request.form
        assert "resource_id" in form, "Resource ID not provided."
        assert "data_link_id" in form, "Data Link ID not provided."

        with require_oauth.acquire("profile group resource") as the_token:
            def __unlink__(conn: db.DbConnection):
                return unlink_data_from_resource(
                    conn, the_token.user, uuid.UUID(form["resource_id"]),
                    uuid.UUID(form["data_link_id"]))
            return jsonify(with_db_connection(__unlink__))
    except AssertionError as aserr:
        raise InvalidData(aserr.args[0]) from aserr

@resources.route("<uuid:resource_id>/user/list", methods=["GET"])
@require_oauth("profile group resource")
def resource_users(resource_id: uuid.UUID):
    """Retrieve all users with access to the given resource."""
    with require_oauth.acquire("profile group resource") as the_token:
        def __the_users__(conn: db.DbConnection):
            authorised = authorised_for(
                conn, the_token.user,
                ("group:resource:edit-resource","group:resource:view-resource"),
                (resource_id,))
            if authorised.get(resource_id, False):
                with db.cursor(conn) as cursor:
                    def __organise_users_n_roles__(users_n_roles, row):
                        user_id = uuid.UUID(row["user_id"])
                        user = users_n_roles.get(user_id, {}).get(
                            "user", User(user_id, row["email"], row["name"]))
                        role = Role(
                            uuid.UUID(row["role_id"]), row["role_name"],
                            bool(int(row["user_editable"])), tuple())
                        return {
                            **users_n_roles,
                            user_id: {
                                "user": user,
                                "user_group": Group(
                                    uuid.UUID(row["group_id"]), row["group_name"],
                                    json.loads(row["group_metadata"])),
                                "roles": users_n_roles.get(
                                    user_id, {}).get("roles", tuple()) + (role,)
                            }
                        }
                    cursor.execute(
                        "SELECT g.*, u.*, r.* "
                        "FROM groups AS g INNER JOIN group_users AS gu "
                        "ON g.group_id=gu.group_id INNER JOIN users AS u "
                        "ON gu.user_id=u.user_id INNER JOIN user_roles AS ur "
                        "ON u.user_id=ur.user_id INNER JOIN roles AS r "
                        "ON ur.role_id=r.role_id "
                        "WHERE ur.resource_id=?",
                        (str(resource_id),))
                    return reduce(__organise_users_n_roles__, cursor.fetchall(), {})
            raise AuthorisationError(
                "You do not have sufficient privileges to view the resource "
                "users.")
        results = (
            {
                "user": asdict(row["user"]),
                "user_group": asdict(row["user_group"]),
                "roles": tuple(asdict(role) for role in row["roles"])
            } for row in (
                user_row for user_id, user_row
                in with_db_connection(__the_users__).items()))
        return jsonify(tuple(results))

@resources.route("<uuid:resource_id>/user/assign", methods=["POST"])
@require_oauth("profile group resource role")
def assign_role_to_user(resource_id: uuid.UUID) -> Response:
    """Assign a role on the specified resource to a user."""
    with require_oauth.acquire("profile group resource role") as the_token:
        try:
            form = request.form
            group_role_id = form.get("group_role_id", "")
            user_email = form.get("user_email", "")
            assert bool(group_role_id), "The role must be provided."
            assert bool(user_email), "The user email must be provided."

            def __assign__(conn: db.DbConnection) -> dict:
                resource = resource_by_id(conn, the_token.user, resource_id)
                user = user_by_email(conn, user_email)
                return assign_resource_user(
                    conn, resource, user,
                    group_role_by_id(conn,
                                     resource_owner(conn, resource),
                                     uuid.UUID(group_role_id)))
        except AssertionError as aserr:
            raise AuthorisationError(aserr.args[0]) from aserr

        return jsonify(with_db_connection(__assign__))

@resources.route("<uuid:resource_id>/user/unassign", methods=["POST"])
@require_oauth("profile group resource role")
def unassign_role_to_user(resource_id: uuid.UUID) -> Response:
    """Unassign a role on the specified resource from a user."""
    with require_oauth.acquire("profile group resource role") as the_token:
        try:
            form = request.form
            group_role_id = form.get("group_role_id", "")
            user_id = form.get("user_id", "")
            assert bool(group_role_id), "The role must be provided."
            assert bool(user_id), "The user id must be provided."

            def __assign__(conn: db.DbConnection) -> dict:
                resource = resource_by_id(conn, the_token.user, resource_id)
                return unassign_resource_user(
                    conn, resource, user_by_id(conn, uuid.UUID(user_id)),
                    group_role_by_id(conn,
                                     resource_owner(conn, resource),
                                     uuid.UUID(group_role_id)))
        except AssertionError as aserr:
            raise AuthorisationError(aserr.args[0]) from aserr

        return jsonify(with_db_connection(__assign__))

def __public_view_params__(cursor, user_id, resource_id):
    ignore = (str(user_id),)
    # sys admins
    cursor.execute(
        "SELECT ur.user_id FROM user_roles AS ur INNER JOIN roles AS r "
        "ON ur.role_id=r.role_id WHERE r.role_name='system-administrator'")
    ignore = ignore + tuple(
        row["user_id"] for row in cursor.fetchall())
    # group admins
    cursor.execute(
        "SELECT DISTINCT gu.user_id FROM resource_ownership AS ro "
        "INNER JOIN groups AS g ON ro.group_id=g.group_id "
        "INNER JOIN group_users AS gu ON g.group_id=gu.group_id "
        "INNER JOIN user_roles AS ur ON gu.user_id=ur.user_id "
        "INNER JOIN roles AS r ON ur.role_id=r.role_id "
        "WHERE ro.resource_id=? AND r.role_name='group-leader'",
        (str(resource_id),))
    ignore = tuple(set(
        ignore + tuple(row["user_id"] for row in cursor.fetchall())))

    cursor.execute(
        "SELECT user_id FROM users WHERE user_id NOT IN "
        f"({', '.join(['?'] * len(ignore))})",
        ignore)
    user_ids = tuple(row["user_id"] for row in cursor.fetchall())
    cursor.execute(
        "SELECT role_id FROM roles WHERE role_name='public-view'")
    role_id = cursor.fetchone()["role_id"]
    return tuple({
        "user_id": user_id,
        "role_id": role_id,
        "resource_id": str(resource_id)
    } for user_id in user_ids)

def __assign_revoke_public_view__(cursor, user_id, resource_id, public):
    if public:
        cursor.executemany(
            "INSERT INTO user_roles(user_id, role_id, resource_id) "
            "VALUES(:user_id, :role_id, :resource_id) "
            "ON CONFLICT (user_id, role_id, resource_id) "
            "DO NOTHING",
            __public_view_params__(cursor, user_id, resource_id))
        return
    cursor.executemany(
        "DELETE FROM user_roles WHERE user_id=:user_id "
        "AND role_id=:role_id AND resource_id=:resource_id",
        __public_view_params__(cursor, user_id, resource_id))

@resources.route("<uuid:resource_id>/toggle-public", methods=["POST"])
@require_oauth("profile group resource role")
def toggle_public(resource_id: uuid.UUID) -> Response:
    """Make a resource public if it is private, or private if public."""
    with require_oauth.acquire("profile group resource") as the_token:
        def __toggle__(conn: db.DbConnection) -> Resource:
            old_rsc = resource_by_id(conn, the_token.user, resource_id)
            public = not old_rsc.public
            new_resource = Resource(
                old_rsc.resource_id, old_rsc.resource_name,
                old_rsc.resource_category, public,
                old_rsc.resource_data)
            with db.cursor(conn) as cursor:
                cursor.execute(
                    "UPDATE resources SET public=:public "
                    "WHERE resource_id=:resource_id",
                    {
                        "public": 1 if public else 0,
                        "resource_id": str(resource_id)
                    })
                __assign_revoke_public_view__(
                    cursor, the_token.user.user_id, resource_id, public)
                return new_resource
            return new_resource

        resource = with_db_connection(__toggle__)
        return jsonify({
            "resource": asdict(resource),
            "description": (
                "Made resource public" if resource.public
                else "Made resource private")})

@resources.route("/authorisation", methods=["POST"])
def resources_authorisation():
    """Get user authorisations for given resource(s):"""
    try:
        data = request.json
        assert (data and "resource-ids" in data)
        resource_ids = tuple(uuid.UUID(resid) for resid in data["resource-ids"])
        pubres = tuple(
            res.resource_id for res in with_db_connection(public_resources)
            if res.resource_id in resource_ids)
        with require_oauth.acquire("profile resource") as the_token:
            the_resources = with_db_connection(lambda conn: user_roles_on_resources(
                conn, the_token.user, resource_ids))
            resp = jsonify({
                str(resid): {
                    "public-read": resid in pubres,
                    "roles": tuple(
                        asdict(rol) for rol in
                        the_resources.get(resid, {}).get("roles", tuple()))
                } for resid in resource_ids
            })
    except _HTTPException as _httpe:
        err_msg = json.loads(_httpe.body)
        if err_msg["error"] == "missing_authorization":
            resp = jsonify({
                str(resid): {
                    "public-read": resid in pubres
                } for resid in resource_ids
            })
    except AssertionError as _aerr:
        resp = jsonify({
            "status": "bad-request",
            "error_description": (
                "Expected a JSON object with a 'resource-ids' key.")
        })
        resp.status_code = 400

    return resp


@resources.route("/authorisation/<name>", methods=["GET"])
def get_user_roles_on_resource(name) -> Response:
    """Get user authorisation for a given resource given it's name"""
    resid = with_db_connection(
        lambda conn: get_resource_id(conn, name)
    )
    def _extract_privilege_id(privileges):
        return tuple(
            p_.privilege_id for p_ in privileges
        )

    with require_oauth.acquire("profile resource") as _token:
        resources_ = with_db_connection(
            lambda conn: user_roles_on_resources(
                conn, _token.user, (resid,)
            )
        )
        roles: list = reduce (operator.iconcat,
                        tuple(
                            _extract_privilege_id(role.privileges)
            for role in
                            resources_.get(
                                uuid.UUID(resid), {}
                            ).get("roles", tuple())), [])
        response = make_response({
            # Flatten this list
            "roles": roles,
            "silly": "ausah",
        })
        iat = int(time.time())
        jose_header = {
            "alg": "RS256",
            "typ": "jwt",
            "cty": "json",
        }
        payload = {
            # Registered Claims
            "iss": request.url,  # Issuer Claim
            "iat": iat,  # Issued At
            "sub": name,  # Subject Claim
            "aud": f"Edit {name}",  # Audience Claim
            "exp": iat + 300,  # Expiration Time Claim
            "jti": str(uuid.uuid4()),  # Unique Identifier for this token
            # Private Claims
            "account-name": _token.user.name,
            "email": _token.user.email,
            "roles": roles,
        }
        token = jwt.encode(jose_header, payload, app.config["SSL_PRIVATE_KEY"])
        response.headers["Authorization"] = f"Bearer {token.decode('utf-8')}"
        return response