ckanext-permissions 0.2.0__py3-none-any.whl

ckanext/permissions/tests/test_helpers.py

@@ -0,0 +1,67 @@
+import pytest
+
+from ckan.tests.helpers import call_action
+
+from ckanext.permissions import const, helpers, model
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestGetRegisteredRoles:
+    def test_get_default_roles(self):
+        result = helpers.get_registered_roles()
+
+        assert len(result) == 3
+
+        assert result[const.Roles.Anonymous.value]
+        assert result[const.Roles.Authenticated.value]
+        assert result[const.Roles.Administrator.value]
+
+    def test_with_custom_roles(self, test_role: dict[str, str]):
+        result = helpers.get_registered_roles()
+
+        assert len(result) == 4
+        assert result[test_role["id"]] == test_role["label"]
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestGetRolePermissions:
+    def test_no_permission(self, test_role: dict[str, str]):
+        assert not helpers.get_role_permissions(test_role["id"], "read_any_dataset")
+
+    def test_with_permission(self, test_role: dict[str, str]):
+        call_action(
+            "permissions_update",
+            permissions={"read_any_dataset": {test_role["id"]: True}},
+        )
+
+        assert helpers.get_role_permissions(test_role["id"], "read_any_dataset")
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestGetUserRoles:
+    def test_only_default_roles(self, user: dict[str, str]):
+        assert helpers.get_user_roles(user["id"]) == ["authenticated"]
+
+    def test_add_new_role(self, user: dict[str, str], test_role: dict[str, str]):
+        model.UserRole.create(user["id"], test_role["id"])
+        result = helpers.get_user_roles(user["id"])
+        assert "authenticated" in result
+        assert test_role["id"] in result
+
+    def test_remove_role(self, user: dict[str, str], test_role: dict[str, str]):
+        model.UserRole.create(user["id"], test_role["id"])
+        result = helpers.get_user_roles(user["id"])
+        assert "authenticated" in result
+        assert test_role["id"] in result
+
+        model.UserRole.delete(user["id"], test_role["id"])
+        assert helpers.get_user_roles(user["id"]) == ["authenticated"]
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestIsDefaultRole:
+    def test_is_default_role(self):
+        assert helpers.is_default_role(const.Roles.Authenticated.value)
+
+    def test_is_not_default_role(self, test_role: dict[str, str]):
+        assert not helpers.is_default_role("test_role")

ckanext/permissions/tests/test_permission_labels.py

@@ -0,0 +1,28 @@
+from typing import Any, Callable
+
+import pytest
+
+import ckan.plugins.toolkit as tk
+from ckan.tests.helpers import call_action
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_index", "clean_db")
+class TestPermissionLabels:
+    def test_private_dataset_is_not_visible_to_anonymous_user(
+        self, app, dataset_factory: Callable[..., dict[str, Any]]
+    ):
+        dataset = dataset_factory(private=True)
+
+        app.get(tk.h.url_for("dataset.read", id=dataset["id"]), headers={}, status=404)
+
+    def test_private_dataset_make_anon_user_to_read_private_dataset(
+        self, app, dataset_factory: Callable[..., dict[str, Any]]
+    ):
+        dataset = dataset_factory(private=True)
+
+        call_action(
+            "permissions_update",
+            permissions={"read_private_dataset": {"anonymous": True}},
+        )
+
+        app.get(tk.h.url_for("dataset.read", id=dataset["id"]), headers={}, status=200)

ckanext/permissions/tests/test_utils.py

@@ -0,0 +1,275 @@
+import pytest
+
+import ckan.plugins.toolkit as tk
+from ckan import model
+from ckan.tests.helpers import call_action
+
+from ckanext.permissions import const, utils
+from ckanext.permissions.types import PermissionDefinition, PermissionGroup
+from ckanext.permissions.utils import validate_groups
+
+
+@pytest.mark.usefixtures("with_plugins")
+class TestParsePermissionGroupSchemas:
+    def test_valid_schema(self):
+        assert utils.parse_permission_group_schemas()
+
+
+@pytest.mark.usefixtures("with_plugins")
+class TestParsePermissionGroupsValidation:
+    def test_valid_group(self):
+        validate_groups(
+            {
+                "new_group": PermissionGroup(
+                    name="xxx",
+                    description="xxx",
+                    permissions=[
+                        PermissionDefinition(
+                            key="xxx",
+                            label="xxx",
+                            description="xxx",
+                        )
+                    ],
+                )
+            }
+        )
+
+    def test_group_missing_name(self):
+        with pytest.raises(tk.ValidationError, match="Missing value"):
+            validate_groups(
+                {
+                    "new_group": PermissionGroup(
+                        name="",
+                        description="xxx",
+                        permissions=[],
+                    )
+                }
+            )
+
+    def test_group_missing_description(self):
+        with pytest.raises(tk.ValidationError, match="Missing value"):
+            validate_groups(
+                {
+                    "new_group": PermissionGroup(
+                        name="xxx",
+                        description="",
+                        permissions=[],
+                    )
+                }
+            )
+
+    def test_group_missing_permissions(self):
+        with pytest.raises(tk.ValidationError, match="Missing permissions"):
+            validate_groups(
+                {
+                    "new_group": PermissionGroup(
+                        name="xxx",
+                        description="xxx",
+                        permissions=[],
+                    )
+                }
+            )
+
+    def test_group_permissions_empty_list(self):
+        with pytest.raises(tk.ValidationError, match="Missing permissions"):
+            validate_groups(
+                {
+                    "new_group": PermissionGroup(
+                        name="xxx",
+                        description="xxx",
+                        permissions=[],
+                    )
+                }
+            )
+
+    def test_missing_permission_key(self):
+        with pytest.raises(tk.ValidationError, match="Missing value"):
+            validate_groups(
+                {
+                    "new_group": PermissionGroup(
+                        name="xxx",
+                        description="xxx",
+                        permissions=[
+                            PermissionDefinition(
+                                key="",
+                                label="xxx",
+                                description="xxx",
+                            )
+                        ],
+                    )
+                }
+            )
+
+    def test_missing_permission_label(self):
+        with pytest.raises(tk.ValidationError, match="Missing value"):
+            validate_groups(
+                {
+                    "new_group": PermissionGroup(
+                        name="xxx",
+                        description="xxx",
+                        permissions=[
+                            PermissionDefinition(key="xxx", label="", description="xxx")
+                        ],
+                    )
+                }
+            )
+
+    def test_allow_empty_permission_description(self):
+        validate_groups(
+            {
+                "new_group": PermissionGroup(
+                    name="xxx",
+                    description="xxx",
+                    permissions=[
+                        PermissionDefinition(key="xxx", label="xxx", description="")
+                    ],
+                ),
+            }
+        )
+
+
+@pytest.mark.usefixtures("with_plugins")
+class TestLoadSchemas:
+    def test_valid_schemas(self):
+        assert utils._load_schemas(
+            [
+                "ckanext.permissions:tests/data/test_group.yaml",
+                "ckanext.permissions:default_group.yaml",
+            ],
+            "name",
+        )
+
+    def test_nonexistent_file(self):
+        result = utils._load_schemas(["ckanext.permissions:tests:missing.yaml"], "name")
+        assert result == {}
+
+
+@pytest.mark.usefixtures("with_plugins")
+class TestLoadSchema:
+    def test_valid_schema(self):
+        assert utils._load_schema(
+            "ckanext.permissions:tests/data/test_group.yaml",
+        )
+
+    def test_nonexistent_file(self):
+        assert not utils._load_schema(
+            "ckanext.permissions:tests/data/missing.yaml",
+        )
+
+
+@pytest.mark.usefixtures("with_plugins")
+class TestGetPermissionGroups:
+    def test_get_permission_groups(self):
+        result = utils.get_permission_groups()
+        assert isinstance(result, list)
+
+
+@pytest.mark.usefixtures("with_plugins")
+class TestGetPermissions:
+    def test_get_permissions(self):
+        result = utils.get_permissions()
+
+        assert isinstance(result, dict)
+        assert result["perm_1"] == PermissionDefinition(
+            key="perm_1", label="Permission 1"
+        )
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestCheckPermission:
+    def test_set_permission(self):
+        anon_user = model.AnonymousUser()
+        assert not utils.check_permission("perm_1", anon_user)
+
+        call_action(
+            "permissions_update",
+            permissions={"perm_1": {const.Roles.Anonymous.value: True}},
+        )
+
+        assert utils.check_permission("perm_1", anon_user)
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestEnsureDefaultRoles:
+    def test_creates_default_roles(self, reset_db, migrate_db_for):
+        """Test that ensure_default_roles creates all default roles"""
+        from ckanext.permissions import model as perm_model
+
+        for role in perm_model.Role.all():
+            perm_model.Role.delete(perm_model.Role.get(role["id"]))
+
+        assert len(perm_model.Role.all()) == 0
+
+        created_count = utils.ensure_default_roles()
+
+        assert created_count == 3
+
+        assert perm_model.Role.get("anonymous") is not None
+        assert perm_model.Role.get("authenticated") is not None
+        assert perm_model.Role.get("administrator") is not None
+
+    def test_reuse(self):
+        """Test that ensure_default_roles can be called multiple times"""
+        # Call ensure_default_roles after initial call in conftest.py
+        addiitonal_call = utils.ensure_default_roles()
+        assert addiitonal_call == 0
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestAssignRoleToUser:
+    def test_assign_role_to_user(self, user_factory):
+        """Test assigning a role to a user"""
+        from ckanext.permissions import model as perm_model
+
+        user = user_factory()
+
+        utils.assign_role_to_user(user["id"], const.Roles.Administrator.value)
+
+        user_roles = perm_model.UserRole.get(user["id"])
+        role_ids = [role.role_id for role in user_roles]
+        assert const.Roles.Administrator.value in role_ids
+
+    def test_assign_duplicate_role(self, user_factory):
+        """Test that assigning the same role twice doesn't create duplicates"""
+        from ckanext.permissions import model as perm_model
+
+        user = user_factory()
+
+        utils.assign_role_to_user(user["id"], const.Roles.Administrator.value)
+        utils.assign_role_to_user(user["id"], const.Roles.Administrator.value)
+
+        user_roles = perm_model.UserRole.get(user["id"])
+        role_ids = [role.role_id for role in user_roles]
+        assert len(role_ids) == 2
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestRemoveRoleFromUser:
+    def test_remove_role_from_user(self, user_factory):
+        """Test removing a role from a user"""
+        from ckanext.permissions import model as perm_model
+
+        user = user_factory()
+
+        utils.assign_role_to_user(user["id"], const.Roles.Administrator.value)
+        utils.remove_role_from_user(user["id"], const.Roles.Administrator.value)
+
+        user_roles = perm_model.UserRole.get(user["id"])
+        role_ids = [role.role_id for role in user_roles]
+        assert const.Roles.Administrator.value not in role_ids
+
+    def test_remove_role_doesnt_affect_other_roles(self, user_factory, test_role):
+        """Test that removing one role doesn't affect other roles"""
+        from ckanext.permissions import model as perm_model
+
+        user = user_factory()
+
+        utils.assign_role_to_user(user["id"], const.Roles.Administrator.value)
+
+        utils.remove_role_from_user(user["id"], const.Roles.Administrator.value)
+
+        # Verify only the correct role was removed
+        user_roles = perm_model.UserRole.get(user["id"])
+        role_ids = [role.role_id for role in user_roles]
+        assert const.Roles.Administrator.value not in role_ids
+        assert const.Roles.Authenticated.value in role_ids

ckanext/permissions/tests/test_validators.py

@@ -0,0 +1,98 @@
+from __future__ import annotations
+
+from typing import Callable
+
+import pytest
+
+import ckan.plugins.toolkit as tk
+
+import ckanext.permissions.logic.validators as perm_validators
+from ckanext.permissions.const import ROLE_ID_MAX_LENGTH, Roles
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestRoleDoesntExists:
+    def test_role_doesnt_exists_valid(self):
+        """Test role_doesnt_exists with non-existent role."""
+        assert perm_validators.role_doesnt_exists("new_role")
+
+    def test_role_doesnt_exists_invalid(self, test_role: dict[str, str]):
+        """Test role_doesnt_exists with existing role."""
+        with pytest.raises(tk.Invalid) as e:
+            perm_validators.role_doesnt_exists(test_role["id"])
+
+        assert e.value.error == f"Role {test_role['id']} is already exists"
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestRoleExists:
+    def test_role_exists_valid(self, test_role: dict[str, str]):
+        """Test permission_role_exists with existing role."""
+        assert (
+            perm_validators.permission_role_exists(test_role["id"]) == test_role["id"]
+        )
+
+    def test_role_exists_invalid(self):
+        """Test permission_role_exists with non-existent role."""
+        role_name = "non_existent_role"
+        with pytest.raises(tk.Invalid) as e:
+            perm_validators.permission_role_exists(role_name)
+
+        assert e.value.error == f"Role {role_name} doesn't exists"
+
+
+@pytest.mark.usefixtures("with_plugins", "clean_db")
+class TestRolesExists:
+    def test_roles_exists_valid(self, role_factory: Callable[..., dict[str, str]]):
+        """Test roles_exists with existing roles."""
+        role_names = ["creator", "moderator"]
+        for role in role_names:
+            role_factory(id=role)
+
+        assert perm_validators.roles_exists(role_names) == role_names
+
+    def test_roles_exists_invalid(self, role_factory: Callable[..., dict[str, str]]):
+        """Test roles_exists with non-existent role."""
+        role_names = ["creator", "moderator"]
+        role_factory(id=role_names[0])
+
+        with pytest.raises(tk.Invalid) as e:
+            perm_validators.roles_exists(role_names)
+
+        assert e.value.error == f"Role {role_names[1]} doesn't exists"
+
+
+class TestRoleIdValidator:
+    def test_valid_role_id(self):
+        """Test role_id_validator with valid role ID."""
+        role_id = "valid-role-id"
+        assert perm_validators.role_id_validator(role_id) == role_id
+
+    @pytest.mark.parametrize(
+        "invalid_id",
+        [
+            "A",  # too short
+            "a" * (ROLE_ID_MAX_LENGTH + 1),  # too long
+            "Invalid",  # uppercase
+            "invalid@role",  # invalid character
+            "test1",  # invalid character
+        ],
+    )
+    def test_invalid_role_id(self, invalid_id: str):
+        """Test role_id_validator with invalid role IDs."""
+        with pytest.raises(tk.Invalid):
+            perm_validators.role_id_validator(invalid_id)
+
+
+class TestNotDefaultRole:
+    def test_valid_custom_role(self):
+        """Test not_default_role with custom role."""
+        role_id = "custom-role"
+        assert perm_validators.not_default_role(role_id) == role_id
+
+    def test_invalid_default_role(self):
+        """Test not_default_role with default role."""
+        with pytest.raises(tk.Invalid) as e:
+            perm_validators.not_default_role(Roles.Administrator.value)
+
+        assert e.value.error == f"Role {Roles.Administrator.value} is a default role."

ckanext/permissions/types.py

@@ -0,0 +1,34 @@
+from __future__ import annotations
+
+from typing import Optional, TypedDict
+
+
+class PermissionGroup(TypedDict):
+    name: str
+    permissions: list["PermissionDefinition"]
+    description: Optional[str]
+
+
+class PermissionDefinition(TypedDict, total=False):
+    key: str
+    label: str
+    description: Optional[str]
+
+
+class PermissionRoleDefinition(TypedDict):
+    role: str
+    state: str
+
+
+class PermissionRolePayload(PermissionRoleDefinition):
+    permission: str
+
+
+class PermissionRole(PermissionRolePayload):
+    id: str
+
+
+class Role(TypedDict):
+    id: str
+    label: str
+    description: str

ckanext/permissions/utils.py

@@ -0,0 +1,197 @@
+from __future__ import annotations
+
+import inspect
+import os
+from typing import cast
+
+import yaml
+
+import ckan.plugins.toolkit as tk
+from ckan import model
+
+import ckanext.permissions.const as perm_const
+import ckanext.permissions.logic.schema as perm_schema
+import ckanext.permissions.model as perm_model
+import ckanext.permissions.types as perm_types
+
+
+def parse_permission_group_schemas() -> dict[str, perm_types.PermissionGroup]:
+    groups = _load_schemas(
+        tk.aslist(tk.config.get("ckanext.permissions.permission_groups")), "name"
+    )
+
+    validate_groups(groups)
+
+    return groups
+
+
+def _load_schemas(schemas: list[str], type_field: str):
+    result = {}
+
+    for path in schemas:
+        schema = _load_schema(path)
+
+        if not schema:
+            continue
+
+        result[schema[type_field]] = schema
+
+    return result
+
+
+def _load_schema(path: str):
+    """
+    Given a path like "ckanext.permissions:default_group.yaml"
+    find the second part relative to the import path of the first
+    """
+
+    module, file_name = path.split(":", 1)
+
+    try:
+        imp_module = __import__(module, fromlist=[""])
+    except ImportError:
+        return
+
+    file_path = os.path.join(os.path.dirname(inspect.getfile(imp_module)), file_name)
+
+    if not os.path.exists(file_path):
+        return
+
+    with open(file_path) as file:
+        return yaml.safe_load(file)
+
+
+def validate_groups(groups: dict[str, perm_types.PermissionGroup]) -> bool:
+    permissions = []
+
+    for group in groups.values():
+        data, errors = tk.navl_validate(
+            cast(dict, group), perm_schema.permission_group_schema()
+        )
+
+        if errors:
+            raise tk.ValidationError(errors)
+
+        if not data.get("permissions"):
+            raise tk.ValidationError("Missing permissions")
+
+        if not isinstance(data["permissions"], list):
+            raise tk.ValidationError("Permissions must be a list")
+
+        for permission in data["permissions"]:
+            if permission["key"] in permissions:
+                raise tk.ValidationError(
+                    f"Permission {permission['key']} is duplicated"
+                )
+
+            permissions.append(permission["key"])
+
+    return True
+
+
+def get_permission_groups() -> list[perm_types.PermissionGroup]:
+    from ckanext.permissions.plugin import PermissionsPlugin
+
+    return PermissionsPlugin._permissions_groups  # type: ignore
+
+
+def get_permissions() -> dict[str, perm_types.PermissionDefinition]:
+    from ckanext.permissions.plugin import PermissionsPlugin
+
+    return PermissionsPlugin._permissions  # type: ignore
+
+
+def get_registered_roles() -> dict[str, str]:
+    return {role["id"]: role["label"] for role in perm_model.Role.all()}
+
+
+def check_permission(
+    permission: str, user: model.User | model.AnonymousUser, scope: str = "global"
+) -> bool:
+    """Check if user has the given permission through any of their roles.
+
+    Args:
+        permission: The permission key to check
+        user: The user to check permissions for
+
+    Returns:
+        bool: True if user has the permission, False otherwise
+    """
+    if isinstance(user, model.AnonymousUser):
+        return (
+            perm_model.RolePermission.get(perm_const.Roles.Anonymous.value, permission)
+            is not None
+        )
+
+    for role in user.roles:  # type: ignore
+        if scope not in role.scope:
+            continue
+
+        if perm_model.RolePermission.get(str(role.role_id), permission) is not None:
+            return True
+
+    return False
+
+
+def assign_role_to_user(
+    user_id: str, role_id: str, scope: str = "global", scope_id: str | None = None
+):
+    """Assign role to an User.
+
+    Args:
+        role_id: The role to assign
+        user_id: The user to assign the role to
+        scope: The scope of the role
+        scope_id: The scope ID of the role
+    """
+
+    scope_roles = perm_model.UserRole.get(user_id, scope, scope_id)
+
+    if role_id not in [role.role_id for role in scope_roles]:
+        perm_model.UserRole.create(user_id, role_id)
+
+
+def remove_role_from_user(user_id: str, role_id: str):
+    """Remove role from an User.
+
+    Args:
+        role_id: The role to remove
+        user_id: The user to remove the role from
+    """
+
+    roles = perm_model.UserRole.get(user_id)
+
+    if role_id in [role.role_id for role in roles]:
+        perm_model.UserRole.delete(user_id, role_id)
+
+
+def ensure_default_roles() -> int:
+    """Ensure default roles exist in the database.
+
+    Creates anonymous, authenticated, and administrator roles if they don't exist.
+
+    Returns:
+        int: Number of roles created
+    """
+    default_roles = [
+        ("anonymous", "Anonymous", "Default role for anonymous users"),
+        (
+            "authenticated",
+            "Authenticated",
+            "Regular user that will be assigned automatically for all users on a portal",
+        ),
+        (
+            "administrator",
+            "Administrator",
+            "Administrator that should have all permissions",
+        ),
+    ]
+
+    created_count = 0
+    for role_id, label, description in default_roles:
+        existing_role = perm_model.Role.get(role_id)
+        if not existing_role:
+            perm_model.Role.create(role_id, label, description)
+            created_count += 1
+
+    return created_count