Skip to content
This repository has been archived by the owner on Aug 5, 2024. It is now read-only.

Commit

Permalink
fix: Implement inheriting permissions
Browse files Browse the repository at this point in the history
  • Loading branch information
robsavoye committed Mar 25, 2024
1 parent 0c25c56 commit c6c9ae5
Showing 1 changed file with 39 additions and 16 deletions.
55 changes: 39 additions & 16 deletions tm_admin/access.py
Original file line number Diff line number Diff line change
Expand Up @@ -83,14 +83,13 @@ def __init__(self,
if category == "domains":
for entry in values:
self.domains[entry] = self.rbac.create_domain(entry)
log.debug(f"Creating domain for {entry}")
# log.debug(f"Creating domain for {entry}")
continue
if category == "permissions":
for roles in values:
[[k, v]] = roles.items()
self.permissions[k] = dict()
self.roles[k] = self.rbac.create_role(k)
log.debug(f"Creating role for {k}")
self.permissions[k]['access'] = list()
# print(f"\t{k}, {v}")
if type(v) == list:
for i in v:
Expand All @@ -103,24 +102,36 @@ def __init__(self,
elif k1 == 'tables':
# print(f"TABLES: {v1}")
self.permissions[k]['tables'] = v1
log.debug(f"Setting permissions for {k} = {v1}")
# log.debug(f"Setting permissions for {k} = {v1}")
else:
# This is an access permission
# print(f"STR: {k} = {i}")
self.permissions[k]['access'] = i
self.permissions[k]['access'].append(i)
#for role in self.roles:
# subject.authorize(role)
# print(json.dumps(self.permissions, indent=4))
# print("------------------")
for k, v in self.permissions.items():
access = list()
children = list()
for perm in v['access']:
access.append(self.perms[perm])
if 'children' in v:
# print(f"CHILD: {k} = {v['children']}")
self.rbac.create_role(k, children=v['children'])
for child in v['children']:
children.append(self.roles[child])

self.roles[k] = self.rbac.create_role(k,
children=children, inherit=True)
else:
self.roles[k] = self.rbac.create_role(k, inherit=True)
if 'tables' in v:
print(f"TABLE: {k} = {v['tables']}")
# print(f"TABLE: {k} = {v['tables']}")
for table in v['tables']:
log.debug(f"Adding permission '{v['access']}' for '{k.upper()}' on '{table}'")
self.roles[k].add_permission(self.perms[v['access']], self.domains[table])
# log.debug(f"Adding permission(s) '{v['access']}' for '{k.upper()}' on '{table}'")
self.roles[k].add_permission(access, self.domains[table])
else:
self.roles[k].add_permission(access, self.domains[table])

# for role, data in self.roles.items():
for role in self.roles:
Expand All @@ -142,16 +153,22 @@ async def check(self,
] role (Roles): The role
op (Operation): The access permissions
"""
xxx = None
if domain not in self.domains:
log.error(f"Table {domain} is not a valid table!")
return False

result = None
try:
xxx = self.rbac.go(self.subjects[role.name.lower()],
result = self.rbac.go(self.subjects[role.name.lower()],
self.domains[domain.lower()],
self.perms[op.name.lower()])
except RBACAuthorizationError as e :
log.error(f"{e}")
print(f"\tARGS: {domain}, {role.name}, {op.name}")
log.error(f"{e}: {domain}, {role.name}, {op.name}")
return False

return xxx
if result is None:
log.debug(f"'{op.name.lower()}' access to '{domain}' granted for '{role.name.lower()}'")
return True

async def main():
"""This main function lets this class be run standalone by a bash script."""
Expand Down Expand Up @@ -180,10 +197,16 @@ async def main():
await acl.check('tasks', Roles.MAPPER, Operation.READ)
await acl.check('messages', Roles.MAPPER, Operation.READ)
await acl.check('campaigns', Roles.MAPPER, Operation.READ)
# await acl.check('campaigns', Roles.MAPPER, Operation.CREATE)
# This is supposed to fail
await acl.check('campaigns', Roles.MAPPER, Operation.CREATE)

await acl.check('projects', Roles.VALIDATOR, Operation.UPDATE)
# await acl.check('tasks', Roles.VALIDATOR, Operation.UPDATE)
await acl.check('tasks', Roles.VALIDATOR, Operation.READ)
await acl.check('tasks', Roles.VALIDATOR, Operation.UPDATE)

await acl.check('tasks', Roles.ASSOCIATE_MANAGER, Operation.UPDATE)
# FIXME: this should pass !
await acl.check('users', Roles.ASSOCIATE_MANAGER, Operation.READ)

if __name__ == "__main__":
"""This is just a hook so this file can be run standalone during development."""
Expand Down

0 comments on commit c6c9ae5

Please sign in to comment.