| -rw-r--r-- | .guix-channel | 2 | ||||
| -rw-r--r-- | gn_libs/jobs/launcher.py | 2 | ||||
| -rw-r--r-- | gn_libs/privileges/__init__.py | 6 | ||||
| -rw-r--r-- | gn_libs/privileges/authspec.py (renamed from gn_libs/privileges.py) | 10 | ||||
| -rw-r--r-- | gn_libs/privileges/resources.py | 72 |
5 files changed, 90 insertions, 2 deletions
diff --git a/.guix-channel b/.guix-channel
index 63a4336..bfc31db 100644
--- a/.guix-channel
+++ b/.guix-channel
@@ -34,7 +34,7 @@
 (channel
 (name guix-bioinformatics)
 (url "https://git.genenetwork.org/guix-bioinformatics")
- (commit "903465c85c9b2ae28480b236c3364da873ca8f51"))
+ (commit "9b0955f14ec725990abb1f6af3b9f171e4943f77"))
 (channel
 (name guix-past)
 (url "https://codeberg.org/guix-science/guix-past")
diff --git a/gn_libs/jobs/launcher.py b/gn_libs/jobs/launcher.py
index f915b81..fd171b8 100644
--- a/gn_libs/jobs/launcher.py
+++ b/gn_libs/jobs/launcher.py
@@ -41,7 +41,7 @@ def run_job(conn, job, outputs_directory: Path):
 if bool(_job["metadata"].get("hangup_request")):
 process.send_signal(signal.SIGHUP)
 jobs.update_metadata(conn, job_id, "status", "stopped")
- break;
+ break
 jobs.push_to_stream(conn, job_id, "stdout", stdout_in.read())
 jobs.push_to_stream(conn, job_id, "stderr", stderr_in.read())
 time.sleep(1)
diff --git a/gn_libs/privileges/__init__.py b/gn_libs/privileges/__init__.py
new file mode 100644
index 0000000..0cab6b3
--- /dev/null
+++ b/gn_libs/privileges/__init__.py
@@ -0,0 +1,6 @@
+"""This package contains code useful for checking privileges."""
+from .authspec import (check,
+ parse,
+ SpecificationValueError,
+ privileges_fulfill_specs)
+from . import resources
diff --git a/gn_libs/privileges.py b/gn_libs/privileges/authspec.py
index 32c943d..2ae154f 100644
--- a/gn_libs/privileges.py
+++ b/gn_libs/privileges/authspec.py
@@ -164,3 +164,13 @@ def check(spec: str, privileges: tuple[str, ...]) -> bool:
 """Check that the sequence of `privileges` satisfies `spec`."""
 _spec = parse(spec)
 return _OPERATOR_FUNCTION_[_spec[0]](privileges, *_spec[1:])
+
+
+def privileges_fulfill_specs(
+ queried_privileges: tuple[str, ...],
+ resource_spec: str,
+ system_spec: str
+) -> bool:
+ """Check whether a user's privileges fulfill the given specs."""
+ return (check(resource_spec, queried_privileges) or
+ check(system_spec, queried_privileges))
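Review bot: The docstring of `privileges_fulfill_specs` in the authspec.py hunk does not say that the two specs are alternatives: satisfying either `resource_spec` or `system_spec` grants the action, so a privilege named in the system spec overrides whatever the resource spec demands. That is the property anyone auditing a `can_*` policy built on this function needs to know, so state it explicitly, e.g. `"""Return True if `queried_privileges` satisfy `resource_spec` OR `system_spec`; either spec alone is sufficient."""`. Both specs go through `check` and therefore `parse` on every call, so a malformed spec string surfaces only when the check is first evaluated, presumably as the `SpecificationValueError` the package `__init__` re-exports; since the specs are fixed literals, a test that evaluates each policy once would catch that at test time rather than at request time.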
diff --git a/gn_libs/privileges/resources.py b/gn_libs/privileges/resources.py
new file mode 100644
index 0000000..07cad22
--- /dev/null
+++ b/gn_libs/privileges/resources.py
@@ -0,0 +1,72 @@
+"""Privilege checks for resources"""
+import logging
+from functools import partial
+
+from .authspec import privileges_fulfill_specs
+
+
+logger = logging.getLogger(__name__)
+
+
+can_view = partial(
+ privileges_fulfill_specs,
+ resource_spec=(
+ "(OR group:resource:view-resource system:resource:view "
+ " system:inbredset:view-case-attribute)"),
+ system_spec="(OR system:system-wide:data:view system:resource:view)")
+
+
+can_edit = partial(
+ privileges_fulfill_specs,
+ resource_spec=(
+ "(OR "
+ " (AND group:resource:view-resource group:resource:edit-resource) "
+ " (AND system:resource:view system:resource:edit) "
+ " (AND system:inbredset:view-case-attribute "
+ " system:inbredset:edit-case-attribute))"),
+ system_spec=(
+ "(OR "
+ " (AND system:system-wide:data:view system:system-wide:data:edit) "
+ " (AND system:resource:view system:resource:edit))"))
+
+
+can_create = partial(
+ privileges_fulfill_specs,
+ resource_spec=("(OR group:resource:create-resource "
+ " system:inbredset:create-case-attribute)"),
+ system_spec="(OR system:system-wide:data:create)")
+
+
+can_delete = partial(
+ privileges_fulfill_specs,
+ resource_spec=(
+ "(OR "
+ " (AND group:resource:view-resource "
+ " group:resource:edit-resource group:resource:delete-resource) "
+ " (AND system:inbredset:view-case-attribute "
+ " system:inbredset:edit-case-attribute "
+ " system:inbredset:delete-case-attribute) "
+ " (AND system:resource:view system:resource:edit "
+ " system:resource:delete))"),
+ system_spec=(
+ "(OR "
+ " (AND system:system-wide:data:view system:system-wide:data:edit "
+ " system:system-wide:data:delete) "
+ " (AND system:resource:view system:resource:edit "
+ " system:resource:delete))"))
+
+
+can_apply_or_reject_edit = partial(
+ privileges_fulfill_specs,
+ resource_spec=(
+ "(AND system:inbredset:view-case-attribute "
+ " system:inbredset:edit-case-attribute "
+ " system:inbredset:delete-case-attribute "
+ " system:inbredset:apply-case-attribute-edit "
+ " system:inbredset:reject-case-attribute-edit)"),
+ system_spec=(
+ "(AND system:system-wide:inbredset:view-case-attribute "
+ " system:system-wide:inbredset:edit-case-attribute "
+ " system:system-wide:inbredset:delete-case-attribute "
+ " system:system-wide:inbredset:apply-case-attribute-edit "
+ " system:system-wide:inbredset:reject-case-attribute-edit)"))
|
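Review bot: `logger = logging.getLogger(__name__)` near the top of resources.py is never used by anything in the module, so the `logging` import and the logger are dead code here; drop them or add a comment saying what they are reserved for. These five `can_*` partials are the whole authorization policy for resources, and since `privileges_fulfill_specs` ORs `resource_spec` with `system_spec`, every privilege named in a `system_spec` grants the action regardless of the resource-level privileges, which makes the string contents worth a second look: `system:resource:view` appears in both specs of `can_view` (harmless but redundant), and `can_create`'s `system_spec` is a single-operand `(OR system:system-wide:data:create)` with no `system:resource:*` alternative, unlike the other four — possibly deliberate, but it breaks the pattern. A module docstring describing the spec language (`(OR ...)`/`(AND ...)` over `scope:object:action` privilege names), that each partial takes `queried_privileges` as its only remaining positional argument, and that either spec suffices would let a reader audit these strings without opening authspec.py. A test per policy with one minimal passing tuple and one near-miss failing tuple (for `can_edit`, view without edit) would pin the intended semantics against accidental edits to the strings.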
