ckanext-permissions 0.2.0__py3-none-any.whl

ckanext/permissions/migration/permissions/env.py

@@ -0,0 +1,85 @@
+# -*- coding: utf-8 -*-
+
+from __future__ import with_statement
+
+import os
+from logging.config import fileConfig
+
+from alembic import context
+from sqlalchemy import engine_from_config, pool
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+fileConfig(config.config_file_name)
+
+# add your model's MetaData object here
+# for 'autogenerate' support
+# from myapp import mymodel
+# target_metadata = mymodel.Base.metadata
+target_metadata = None
+
+# other values from the config, defined by the needs of env.py,
+# can be acquired:
+# my_important_option = config.get_main_option("my_important_option")
+# ... etc.
+
+name = os.path.basename(os.path.dirname(__file__))
+
+
+def run_migrations_offline():
+    """Run migrations in 'offline' mode.
+
+    This configures the context with just a URL
+    and not an Engine, though an Engine is acceptable
+    here as well.  By skipping the Engine creation
+    we don't even need a DBAPI to be available.
+
+    Calls to context.execute() here emit the given string to the
+    script output.
+
+    """
+
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        version_table="{}_alembic_version".format(name),
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online():
+    """Run migrations in 'online' mode.
+
+    In this scenario we need to create an Engine
+    and associate a connection with the context.
+
+    """
+    connectable = engine_from_config(
+        config.get_section(config.config_ini_section),
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    with connectable.connect() as connection:
+        context.configure(
+            connection=connection,
+            target_metadata=target_metadata,
+            version_table="{}_alembic_version".format(name),
+        )
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()

ckanext/permissions/migration/permissions/script.py.mako

@@ -0,0 +1,24 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision = ${repr(up_revision)}
+down_revision = ${repr(down_revision)}
+branch_labels = ${repr(branch_labels)}
+depends_on = ${repr(depends_on)}
+
+
+def upgrade():
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade():
+    ${downgrades if downgrades else "pass"}

ckanext/permissions/migration/permissions/versions/a849104ccfdc_init_tables.py

@@ -0,0 +1,69 @@
+"""Init tables
+
+Revision ID: a849104ccfdc
+Revises:
+Create Date: 2024-02-14 17:11:12.064281
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "a849104ccfdc"
+down_revision = None
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.create_table(
+        "perm_role",
+        sa.Column("id", sa.String(), primary_key=True),
+        sa.Column("label", sa.String(), nullable=False),
+        sa.Column("description", sa.String(), nullable=False),
+    )
+
+    op.create_table(
+        "perm_user_role",
+        sa.Column(
+            "user_id",
+            sa.String(),
+            sa.ForeignKey("user.id", ondelete="CASCADE"),
+            primary_key=True,
+        ),
+        sa.Column(
+            "role_id",
+            sa.String(),
+            sa.ForeignKey("perm_role.id", ondelete="CASCADE"),
+            primary_key=True,
+        ),
+        sa.Column(
+            "scope",
+            sa.String(),
+            primary_key=True,
+            default="global",
+        ),
+        sa.Column(
+            "scope_id",
+            sa.String(),
+            nullable=True,
+        ),
+    )
+
+    op.create_table(
+        "perm_role_permission",
+        sa.Column(
+            "role_id",
+            sa.String(),
+            sa.ForeignKey("perm_role.id", ondelete="CASCADE"),
+            primary_key=True,
+        ),
+        sa.Column("permission", sa.String(), nullable=False, primary_key=True),
+    )
+
+
+def downgrade():
+    op.drop_table("perm_role_permission")
+    op.drop_table("perm_user_role")
+    op.drop_table("perm_role")

ckanext/permissions/model.py

@@ -0,0 +1,148 @@
+from __future__ import annotations
+
+import logging
+
+from sqlalchemy import Column, ForeignKey, String
+from sqlalchemy.orm import Query, backref, relationship
+from typing_extensions import Self
+
+import ckan.model as model
+import ckan.types as types
+from ckan.plugins import toolkit as tk
+
+import ckanext.permissions.types as perm_types
+
+log = logging.getLogger(__name__)
+
+
+class Role(tk.BaseModel):
+    __tablename__ = "perm_role"
+
+    id = Column(String, primary_key=True)
+    label = Column(String, nullable=False)
+    description = Column(String, nullable=False)
+
+    @classmethod
+    def create(cls, id: str, label: str, description: str) -> Self:
+        role = cls(id=id, label=label, description=description)
+
+        model.Session.add(role)
+        model.Session.commit()
+
+        return role
+
+    @classmethod
+    def get(cls, role: str) -> Self | None:
+        return model.Session.query(cls).filter(cls.id == role).one_or_none()
+
+    @classmethod
+    def all(cls) -> list[Self]:
+        return [role.dictize({}) for role in model.Session.query(cls).all()]
+
+    def update(self, description: str) -> None:
+        self.description = description
+
+        model.Session.commit()
+
+    def dictize(self, context: types.Context) -> perm_types.Role:
+        return perm_types.Role(
+            id=str(self.id),
+            label=str(self.label),
+            description=str(self.description),
+        )
+
+    def delete(self) -> None:
+        model.Session.delete(self)
+        model.Session.commit()
+
+
+class UserRole(tk.BaseModel):
+    __tablename__ = "perm_user_role"
+
+    user_id = Column(String, ForeignKey("user.id", ondelete="CASCADE"), primary_key=True)
+    role_id = Column(String, ForeignKey("perm_role.id", ondelete="CASCADE"), primary_key=True)
+
+    scope = Column(String, primary_key=True, default="global")
+    scope_id = Column(String, nullable=True)
+
+    user = relationship(
+        model.User,
+        backref=backref("roles", cascade="all, delete"),
+    )
+
+    role = relationship(Role, cascade="all, delete")
+
+    @classmethod
+    def get(cls, user_id: str, scope: str = "global", scope_id: str | None = None) -> list[Self]:
+        query: Query = model.Session.query(cls).filter(cls.user_id == user_id).filter(cls.scope == scope)
+
+        if scope_id:
+            query = query.filter(cls.scope_id == scope_id)
+
+        return query.all()
+
+    @classmethod
+    def create(
+        cls,
+        user_id: str,
+        role: str,
+        scope: str = "global",
+        scope_id: str | None = None,
+    ) -> Self:
+        for user_role in cls.get(user_id, scope, scope_id):
+            if user_role.role_id != role:
+                continue
+
+            return user_role
+
+        user_role = cls(user_id=user_id, role_id=role, scope=scope, scope_id=scope_id)
+
+        model.Session.add(user_role)
+        model.Session.commit()
+
+        return user_role
+
+    @classmethod
+    def clear_user_roles(cls, user_id: str, scope: str = "", scope_id: str | None = None) -> None:
+        perm = model.Session.query(UserRole).filter(UserRole.user_id == user_id)
+
+        if scope:
+            perm = perm.filter_by(scope=scope)
+            if scope_id:
+                perm = perm.filter_by(scope_id=scope_id)
+
+        perm.delete()
+        model.Session.commit()
+
+    @classmethod
+    def delete(cls, user_id: str, role: str) -> None:
+        model.Session.query(cls).filter(cls.user_id == user_id, cls.role_id == role).delete()
+        model.Session.commit()
+
+
+class RolePermission(tk.BaseModel):
+    __tablename__ = "perm_role_permission"
+
+    role_id = Column(String, ForeignKey("perm_role.id"), primary_key=True)
+    permission = Column(String, primary_key=True)
+
+    @classmethod
+    def get(cls, role_id: str, permission: str) -> Self | None:
+        query: Query = model.Session.query(cls).filter(cls.role_id == role_id, cls.permission == permission)
+
+        return query.one_or_none()
+
+    @classmethod
+    def create(cls, role_id: str, permission: str, defer_commit: bool = True) -> Self:
+        role_permission = cls(role_id=role_id, permission=permission)
+
+        model.Session.add(role_permission)
+
+        if defer_commit:
+            model.Session.commit()
+
+        return role_permission
+
+    def delete(self) -> None:
+        model.Session().autoflush = False
+        model.Session.delete(self)

ckanext/permissions/plugin.py

@@ -0,0 +1,67 @@
+from __future__ import annotations
+
+import ckan.plugins as p
+import ckan.plugins.toolkit as tk
+from ckan import types
+
+from ckanext.permissions import const as perm_const
+from ckanext.permissions import implementation
+from ckanext.permissions import types as perm_types
+from ckanext.permissions import utils
+
+
+@tk.blanket.cli
+@tk.blanket.validators
+@tk.blanket.actions
+@tk.blanket.helpers
+@tk.blanket.auth_functions
+@tk.blanket.config_declarations
+class PermissionsPlugin(implementation.PermissionLabels, p.SingletonPlugin):
+    p.implements(p.IConfigurer)
+    p.implements(p.ISignal)
+
+    _permissions_groups: perm_types.PermissionGroup | None = None
+    _permissions = dict[str, perm_types.PermissionDefinition]
+
+    # IConfigurer
+
+    def update_config(self, config_: tk.CKANConfig):
+        if not PermissionsPlugin._permissions_groups:  # type: ignore
+            PermissionsPlugin._permissions_groups = list(  # type: ignore
+                utils.parse_permission_group_schemas().values()
+            )
+            PermissionsPlugin._permissions = {  # type: ignore
+                permission["key"]: permission
+                for group in PermissionsPlugin._permissions_groups  # type: ignore
+                for permission in group["permissions"]
+            }
+
+        tk.add_template_directory(config_, "templates")
+
+    # ISignal
+
+    def get_signal_subscriptions(self) -> types.SignalMapping:
+        return {tk.signals.action_succeeded: [self.assign_default_user_role]}
+
+    @staticmethod
+    def assign_default_user_role(
+        action_name: str,
+        context: types.Context,
+        data_dict: types.DataDict,
+        result: types.DataDict,
+    ):
+        """Assign the default user role to a new user
+
+        Args:
+            action_name: The name of the action
+            context: The action context
+            data_dict: The action payload
+            result: The action result
+        """
+
+        if action_name != "user_create":
+            return
+
+        utils.assign_role_to_user(
+            result["id"], perm_const.Roles.Authenticated.value, "global"
+        )

ckanext/permissions/tests/actions/test_permission.py

@@ -0,0 +1,68 @@
+import pytest
+
+import ckan.plugins.toolkit as tk
+from ckan.tests.helpers import call_action
+
+from ckanext.permissions import model as perm_model
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestPermissionsUpdate:
+    def test_permissions_update(self):
+        result = call_action(
+            "permissions_update",
+            permissions={
+                "perm_1": {
+                    "anonymous": False,
+                    "authenticated": True,
+                    "administrator": True,
+                },
+                "perm_2": {
+                    "anonymous": False,
+                    "authenticated": True,
+                    "administrator": True,
+                },
+            },
+        )
+
+        assert not result["missing_permissions"]
+        assert result["updated_permissions"] == {
+            "perm_1": {"authenticated": True, "administrator": True},
+            "perm_2": {"authenticated": True, "administrator": True},
+        }
+
+        assert not perm_model.RolePermission.get("anonymous", "perm_1")
+        assert perm_model.RolePermission.get("authenticated", "perm_1")
+        assert perm_model.RolePermission.get("administrator", "perm_1")
+
+        result = call_action(
+            "permissions_update",
+            permissions={"perm_1": {"anonymous": True}},
+        )
+
+        assert perm_model.RolePermission.get("anonymous", "perm_1")
+
+    def test_permissions_update_unregistered_permission_key(self):
+        result = call_action("permissions_update", permissions={"xxx": {}})
+
+        assert result["missing_permissions"] == ["xxx"]
+        assert not result["updated_permissions"]
+
+    def test_not_string_permission_key(self):
+        with pytest.raises(tk.ValidationError, match="Invalid permission key"):
+            call_action("permissions_update", permissions={1: {}})
+
+    def test_not_dict_roles_mapping(self):
+        with pytest.raises(tk.ValidationError, match="Invalid permission mapping"):
+            call_action("permissions_update", permissions={"perm_1": 1})
+
+    def test_not_bool_permission_value(self):
+        with pytest.raises(tk.ValidationError, match="Invalid permission value"):
+            call_action(
+                "permissions_update",
+                permissions={"perm_1": {"anonymous": "xxx", "authenticated": "yyy"}},
+            )
+
+    def test_role_id_not_exists(self):
+        with pytest.raises(tk.ValidationError, match="Role xxx doesn't exists"):
+            call_action("permissions_update", permissions={"perm_1": {"xxx": True}})

ckanext/permissions/tests/actions/test_role.py

@@ -0,0 +1,110 @@
+from typing import Any
+
+import pytest
+
+import ckan.plugins.toolkit as tk
+from ckan.tests.helpers import call_action
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestPermissionRoleCreate:
+    def test_permission_role_create(self):
+        result = call_action(
+            "permission_role_create",
+            id="admin",
+            label="Admin",
+            description="Admin role",
+        )
+        assert result["id"] == "admin"
+        assert result["label"] == "Admin"
+        assert result["description"] == "Admin role"
+
+    @pytest.mark.parametrize("field", ["id", "label", "description"])
+    def test_permission_role_create_missing_required_fields(self, field):
+        data = {"id": "admin", "label": "Admin", "description": "Admin role"}
+        data.pop(field)
+
+        with pytest.raises(tk.ValidationError) as e:
+            call_action("permission_role_create", **data)
+
+        assert e.value.error_dict[field] == ["Missing value"]
+
+    def test_permission_role_create_duplicate_id(self):
+        call_action(
+            "permission_role_create",
+            id="admin",
+            label="Admin",
+            description="Admin role",
+        )
+
+        with pytest.raises(tk.ValidationError) as e:
+            call_action(
+                "permission_role_create",
+                id="admin",
+                label="Another Admin",
+                description="Another admin role",
+            )
+
+        assert e.value.error_dict["id"] == ["Role admin is already exists"]
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestPermissionRoleDelete:
+    def test_permission_role_delete(self):
+        # Create a role first
+        call_action(
+            "permission_role_create",
+            id="custom_role",
+            label="Custom Role",
+            description="Custom role for testing",
+        )
+
+        call_action("permission_role_delete", id="custom_role")
+
+        with pytest.raises(tk.ValidationError) as e:
+            call_action("permission_role_delete", id="xxx")
+
+        assert e.value.error_dict["id"] == ["Role xxx doesn't exists"]
+
+    def test_permission_role_delete_missing_id(self):
+        with pytest.raises(tk.ValidationError) as e:
+            call_action("permission_role_delete")
+
+        assert e.value.error_dict["id"] == ["Missing value"]
+
+    def test_permission_role_delete_nonexistent_role(self):
+        with pytest.raises(tk.ValidationError) as e:
+            call_action("permission_role_delete", id="xxx")
+
+        assert e.value.error_dict["id"] == ["Role xxx doesn't exists"]
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestPermissionRoleUpdate:
+    def test_permission_role_update(self, test_role: dict[str, Any]):
+        result = call_action("permission_role_update", id=test_role["id"], description="New description")
+
+        assert result["id"] == test_role["id"]
+        assert result["description"] == "New description"
+
+    def test_permission_role_update_missing_id(self):
+        with pytest.raises(tk.ValidationError) as e:
+            call_action("permission_role_update")
+
+        assert e.value.error_dict["id"] == ["Missing value"]
+
+    def test_permission_role_update_nonexistent_role(self):
+        with pytest.raises(tk.ValidationError) as e:
+            call_action("permission_role_update", id="xxx")
+
+        assert e.value.error_dict["id"] == ["Role xxx doesn't exists"]
+
+    def test_permission_role_update_cant_update_label(self, test_role: dict[str, Any]):
+        result = call_action(
+            "permission_role_update",
+            id=test_role["id"],
+            label="XXX",
+            description="New description",
+        )
+
+        assert test_role["label"] == result["label"]

ckanext/permissions/tests/conftest.py

@@ -0,0 +1,52 @@
+from __future__ import annotations
+
+import factory
+import pytest
+from faker import Faker
+from pytest_factoryboy import register
+
+from ckan.tests import factories
+
+import ckanext.permissions.model as perm_model
+from ckanext.permissions import utils as perm_utils
+
+fake = Faker()
+
+
+@pytest.fixture()
+def clean_db(reset_db, migrate_db_for):
+    reset_db()
+    migrate_db_for("permissions")
+
+    perm_utils.ensure_default_roles()
+
+
+@register(_name="test_role")
+class RoleFactory(factories.CKANFactory):
+    class Meta:
+        model = perm_model.Role
+        action = "permission_role_create"
+
+    id = "creator"
+    label = "Creator"
+    description = factory.LazyFunction(lambda: fake.sentence(nb_words=5))
+
+
+@register(_name="dataset")
+class DatasetFactory(factories.Dataset):
+    owner_org = factory.LazyFunction(lambda: OrganizationFactory()["id"])
+
+
+@register(_name="organization")
+class OrganizationFactory(factories.Organization):
+    pass
+
+
+@register(_name="sysadmin")
+class SysadminFactory(factories.SysadminWithToken):
+    pass
+
+
+@register(_name="user")
+class UserFactory(factories.UserWithToken):
+    pass

ckanext/permissions/tests/test_autoassign.py

@@ -0,0 +1,26 @@
+import pytest
+
+import ckan.plugins.toolkit as tk
+from ckan.tests.helpers import call_action
+
+import ckanext.permissions.model as perm_model
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestRoleAutoassignment:
+    def test_assign_user_role_on_create(self, user):
+        """Test if a role is assigned to a user when it's created"""
+        roles = tk.h.get_user_roles(user["id"])
+        assert roles == ["authenticated"]
+
+    def test_user_roles_deleted_with_role(self, user, test_role):
+        """Test if user roles are deleted when the role is deleted"""
+        perm_model.UserRole.create(user["id"], test_role["id"])
+
+        result = tk.h.get_user_roles(user["id"])
+        assert "authenticated" in result
+        assert "creator" in result
+
+        call_action("permission_role_delete", id=test_role["id"])
+
+        assert tk.h.get_user_roles(user["id"]) == ["authenticated"]