cmem-cmemc 24.2.0rc2__py3-none-any.whl → 24.3.0rc1__py3-none-any.whl

cmem_cmemc/__init__.py

@@ -1,4 +1,5 @@
 """The main command line interface."""
+
 import contextlib
 import os
 import sys
@@ -10,8 +11,8 @@ import click
 import requests.exceptions
 
 from cmem_cmemc import completion
+from cmem_cmemc.command_group import CmemcGroup
 from cmem_cmemc.commands import (
-    CmemcGroup,
     admin,
     config,
     dataset,
@@ -26,7 +27,7 @@ from cmem_cmemc.exceptions import InvalidConfigurationError
 from cmem_cmemc.manual_helper.graph import print_manual_graph
 from cmem_cmemc.manual_helper.multi_page import create_multi_page_documentation
 from cmem_cmemc.manual_helper.single_page import print_manual
-from cmem_cmemc.utils import extract_error_message, get_version
+from cmem_cmemc.utils import check_python_version, extract_error_message, get_version
 
 CMEMC_VERSION = get_version()
 
@@ -38,16 +39,10 @@ if os.environ.get("_CMEMC_COMPLETE", "") == "zsh_source":
 
 version = sys.version_info
 PYTHON_VERSION = f"{version.major}.{version.minor}.{version.micro}"
-PYTHON_EXPECTED = "3.11"
-PYTHON_GOT = f"{version.major}.{version.minor}"
-if PYTHON_EXPECTED != PYTHON_GOT and not CONTEXT.is_completing():
-    CONTEXT.echo_warning(
-        "Warning: You are running cmemc under a non-tested python "
-        f"environment (expected {PYTHON_EXPECTED}, got {PYTHON_GOT})"
-    )
+check_python_version(ctx=CONTEXT)
 
 # set the user-agent environment for the http request headers
-os.environ["CMEM_USER_AGENT"] = f"cmemc/{CMEMC_VERSION} " f"(Python {PYTHON_VERSION})"
+os.environ["CMEM_USER_AGENT"] = f"cmemc/{CMEMC_VERSION} (Python {PYTHON_VERSION})"
 
 # https://github.com/pallets/click/blob/master/examples/complex/complex/cli.py
 CONTEXT_SETTINGS = {"auto_envvar_prefix": "CMEMC", "help_option_names": ["-h", "--help"]}
@@ -123,11 +118,11 @@ def cli(
     ctx.obj.set_config_file(config_file)
     try:
         ctx.obj.set_connection(connection)
-    except InvalidConfigurationError as error:
+    except InvalidConfigurationError:
         # if config is broken still allow for "config edit"
         # means: do not forward this exception if "config edit"
         if " ".join(sys.argv).find("config edit") == -1:
-            raise ValueError("Broken config") from error
+            raise
 
 
 cli.add_command(admin.admin)

cmem_cmemc/command.py

@@ -0,0 +1,20 @@
+"""cmemc Click Command"""
+
+from click_help_colors import HelpColorsCommand
+
+
+class CmemcCommand(HelpColorsCommand):
+    """Wrapper click.Command class to have a single extension point.
+
+    Currently, wrapped click extensions and additional group features:#
+    - click-help-colors: https://github.com/click-contrib/click-help-colors
+    """
+
+    color_for_headers = "yellow"
+    color_for_options = "green"
+
+    def __init__(self, *args, **kwargs):  # noqa: ANN002, ANN003
+        """Init a cmemc group command."""
+        kwargs.setdefault("help_headers_color", self.color_for_headers)
+        kwargs.setdefault("help_options_color", self.color_for_options)
+        super().__init__(*args, **kwargs)

cmem_cmemc/command_group.py

@@ -0,0 +1,70 @@
+"""cmemc Click Command Group"""
+
+from click_didyoumean import DYMGroup
+from click_help_colors import HelpColorsGroup
+
+
+class CmemcGroup(HelpColorsGroup, DYMGroup):
+    """Wrapper click.Group class to have a single extension point.
+
+    Currently, wrapped click extensions and additional group features:#
+    - click-help-colors: https://github.com/click-contrib/click-help-colors
+    """
+
+    color_for_command_groups = "white"
+    color_for_writing_commands = "red"
+    color_for_headers = "yellow"
+    color_for_options = "green"
+
+    def __init__(self, *args, **kwargs):  # noqa: ANN002, ANN003
+        """Init a cmemc group command group."""
+        # set default colors
+        kwargs.setdefault("help_headers_color", self.color_for_headers)
+        kwargs.setdefault("help_options_color", self.color_for_options)
+        kwargs.setdefault(
+            "help_options_custom_colors",
+            {
+                "bootstrap": self.color_for_writing_commands,
+                "showcase": self.color_for_writing_commands,
+                "delete": self.color_for_writing_commands,
+                "password": self.color_for_writing_commands,
+                "secret": self.color_for_writing_commands,
+                "upload": self.color_for_writing_commands,
+                "import": self.color_for_writing_commands,
+                "create": self.color_for_writing_commands,
+                "enable": self.color_for_writing_commands,
+                "disable": self.color_for_writing_commands,
+                "execute": self.color_for_writing_commands,
+                "replay": self.color_for_writing_commands,
+                "io": self.color_for_writing_commands,
+                "install": self.color_for_writing_commands,
+                "uninstall": self.color_for_writing_commands,
+                "reload": self.color_for_writing_commands,
+                "update": self.color_for_writing_commands,
+                "eval": self.color_for_writing_commands,
+                "cancel": self.color_for_writing_commands,
+                "admin": self.color_for_command_groups,
+                "user": self.color_for_command_groups,
+                "store": self.color_for_command_groups,
+                "metrics": self.color_for_command_groups,
+                "config": self.color_for_command_groups,
+                "dataset": self.color_for_command_groups,
+                "graph": self.color_for_command_groups,
+                "project": self.color_for_command_groups,
+                "query": self.color_for_command_groups,
+                "scheduler": self.color_for_command_groups,
+                "vocabulary": self.color_for_command_groups,
+                "workflow": self.color_for_command_groups,
+                "workspace": self.color_for_command_groups,
+                "python": self.color_for_command_groups,
+                "cache": self.color_for_command_groups,
+                "resource": self.color_for_command_groups,
+                "acl": self.color_for_command_groups,
+                "client": self.color_for_command_groups,
+                "variable": self.color_for_command_groups,
+                "validation": self.color_for_command_groups,
+                "migrate": self.color_for_writing_commands,
+                "migrations": self.color_for_command_groups,
+            },
+        )
+        super().__init__(*args, **kwargs)

cmem_cmemc/commands/__init__.py

@@ -1,82 +1 @@
 """cmemc commands."""
-from click_didyoumean import DYMGroup
-from click_help_colors import HelpColorsCommand, HelpColorsGroup
-
-COLOR_FOR_COMMAND_GROUPS = "white"
-COLOR_FOR_WRITING_COMMANDS = "red"
-COLOR_FOR_HEADERS = "yellow"
-COLOR_FOR_OPTIONS = "green"
-
-
-# pylint: disable=too-many-ancestors
-class CmemcGroup(HelpColorsGroup, DYMGroup):
-    """Wrapper click.Group class to have a single extension point.
-
-    Currently, wrapped click extensions and additional group features:#
-    - click-help-colors: https://github.com/click-contrib/click-help-colors
-    """
-
-    def __init__(self, *args, **kwargs):  # noqa: ANN002, ANN003
-        """Init a cmemc group command group."""
-        # set default colors
-        kwargs.setdefault("help_headers_color", COLOR_FOR_HEADERS)
-        kwargs.setdefault("help_options_color", COLOR_FOR_OPTIONS)
-        kwargs.setdefault(
-            "help_options_custom_colors",
-            {
-                "bootstrap": COLOR_FOR_WRITING_COMMANDS,
-                "showcase": COLOR_FOR_WRITING_COMMANDS,
-                "delete": COLOR_FOR_WRITING_COMMANDS,
-                "password": COLOR_FOR_WRITING_COMMANDS,
-                "secret": COLOR_FOR_WRITING_COMMANDS,
-                "upload": COLOR_FOR_WRITING_COMMANDS,
-                "import": COLOR_FOR_WRITING_COMMANDS,
-                "create": COLOR_FOR_WRITING_COMMANDS,
-                "enable": COLOR_FOR_WRITING_COMMANDS,
-                "disable": COLOR_FOR_WRITING_COMMANDS,
-                "execute": COLOR_FOR_WRITING_COMMANDS,
-                "replay": COLOR_FOR_WRITING_COMMANDS,
-                "io": COLOR_FOR_WRITING_COMMANDS,
-                "install": COLOR_FOR_WRITING_COMMANDS,
-                "uninstall": COLOR_FOR_WRITING_COMMANDS,
-                "reload": COLOR_FOR_WRITING_COMMANDS,
-                "update": COLOR_FOR_WRITING_COMMANDS,
-                "eval": COLOR_FOR_WRITING_COMMANDS,
-                "cancel": COLOR_FOR_WRITING_COMMANDS,
-                "admin": COLOR_FOR_COMMAND_GROUPS,
-                "user": COLOR_FOR_COMMAND_GROUPS,
-                "store": COLOR_FOR_COMMAND_GROUPS,
-                "metrics": COLOR_FOR_COMMAND_GROUPS,
-                "config": COLOR_FOR_COMMAND_GROUPS,
-                "dataset": COLOR_FOR_COMMAND_GROUPS,
-                "graph": COLOR_FOR_COMMAND_GROUPS,
-                "project": COLOR_FOR_COMMAND_GROUPS,
-                "query": COLOR_FOR_COMMAND_GROUPS,
-                "scheduler": COLOR_FOR_COMMAND_GROUPS,
-                "vocabulary": COLOR_FOR_COMMAND_GROUPS,
-                "workflow": COLOR_FOR_COMMAND_GROUPS,
-                "workspace": COLOR_FOR_COMMAND_GROUPS,
-                "python": COLOR_FOR_COMMAND_GROUPS,
-                "cache": COLOR_FOR_COMMAND_GROUPS,
-                "resource": COLOR_FOR_COMMAND_GROUPS,
-                "acl": COLOR_FOR_COMMAND_GROUPS,
-                "client": COLOR_FOR_COMMAND_GROUPS,
-                "variable": COLOR_FOR_COMMAND_GROUPS,
-                "validation": COLOR_FOR_COMMAND_GROUPS,
-            },
-        )
-        super().__init__(*args, **kwargs)
-
-
-class CmemcCommand(HelpColorsCommand):
-    """Wrapper click.Command class to have a single extension point.
-
-    Currently, wrapped click extensions and additional group features:#
-    - click-help-colors: https://github.com/click-contrib/click-help-colors
-    """
-
-    def __init__(self, *args, **kwargs):  # noqa: ANN002, ANN003
-        """Init a cmemc group command."""
-        kwargs.setdefault("help_headers_color", COLOR_FOR_HEADERS)
-        kwargs.setdefault("help_options_color", COLOR_FOR_OPTIONS)
-        super().__init__(*args, **kwargs)

cmem_cmemc/commands/acl.py

@@ -2,7 +2,7 @@
 
 import click
 import requests.exceptions
-from click import Option, UsageError
+from click import Option
 from cmem.cmempy.dp.authorization.conditions import (
     create_access_condition,
     delete_access_condition,
@@ -14,25 +14,36 @@ from cmem.cmempy.dp.authorization.conditions import (
 from cmem.cmempy.keycloak.user import get_user_by_username, user_groups
 
 from cmem_cmemc import completion
-from cmem_cmemc.commands import CmemcCommand, CmemcGroup
-from cmem_cmemc.constants import NS_ACL, NS_GROUP, NS_USER
+from cmem_cmemc.command import CmemcCommand
+from cmem_cmemc.command_group import CmemcGroup
+from cmem_cmemc.constants import NS_ACL, NS_ACTION, NS_GROUP, NS_USER
 from cmem_cmemc.context import ApplicationContext
-from cmem_cmemc.utils import convert_iri_to_qname, convert_qname_to_iri, struct_to_table
+from cmem_cmemc.utils import (
+    convert_iri_to_qname,
+    convert_qname_to_iri,
+    get_query_text,
+    struct_to_table,
+)
 
 # option descriptions
 HELP_TEXTS = {
-    "name": "A short name or label.",
+    "name": "A optional name.",
     "id": "An optional ID (will be an UUID otherwise).",
     "description": "An optional description.",
     "user": "A specific user account required by the access condition.",
-    "group": "A membership in a user group required by the access condition",
+    "group": "A membership in a user group required by the access condition.",
     "read_graph": "Grants read access to a graph.",
     "write_graph": "Grants write access to a graph (includes read access).",
     "action": "Grants usage permissions to an action / functionality.",
+    "query": "Dynamic access condition query (file or the query catalog IRI).",
 }
 
-PUBLIC_USER_URI = "urn:elds-backend-anonymous-user"
-PUBLIC_GROUP_URI = "urn:elds-backend-public-group"
+WARNING_UNKNOWN_USER = "Unknown User or no access to get user info."
+WARNING_NO_GROUP_ACCESS = "You do not have the permission to retrieve user groups"
+WARNING_USE_GROUP = "Use the --group option to assign groups manually (what-if-scenario)."
+
+PUBLIC_USER_URI = "https://vocab.eccenca.com/auth/AnonymousUser"
+PUBLIC_GROUP_URI = "https://vocab.eccenca.com/auth/PublicGroup"
 
 KNOWN_ACCESS_CONDITION_URLS = [PUBLIC_USER_URI, PUBLIC_GROUP_URI]
 
@@ -55,12 +66,10 @@ def _value_to_acl_url(
 
     or not, if it is already a known URI .... or None
     """
-    if value in KNOWN_ACCESS_CONDITION_URLS:
+    if value == "" or value is None:
+        return value
+    if value.startswith(("http://", "https://")):
         return value
-    if value == "":
-        return ""
-    if value is None:
-        return None
     match param.name:
         case "groups":
             return f"{NS_GROUP}{value}"
@@ -69,8 +78,10 @@ def _value_to_acl_url(
     return f"{NS_ACL}{value}"
 
 
-def generate_acl_name(user: str | None, groups: list[str]) -> str:
+def generate_acl_name(user: str | None, groups: list[str], query: str | None) -> str:
     """Create an access condition name based on user and group assignments."""
+    if query is not None:
+        return "Query based Dynamic Access Condition"
     if len(groups) > 0:
         group_term = "groups" if len(groups) > 1 else "group"
         groups_labels = ", ".join(
@@ -113,7 +124,13 @@ def list_command(app: ApplicationContext, raw: bool, id_only: bool) -> None:
         (convert_iri_to_qname(iri=_.get("iri"), default_ns=NS_ACL), _.get("name", "-"))
         for _ in acls
     ]
-    app.echo_info_table(table, headers=["URI", "Name"], sort_column=0)
+    app.echo_info_table(
+        table,
+        headers=["URI", "Name"],
+        sort_column=0,
+        empty_table_message="No access conditions found. "
+        "Use the `admin acl create` command to create a new access condition.",
+    )
 
 
 @click.command(cls=CmemcCommand, name="inspect")
@@ -137,24 +154,6 @@ def inspect_command(app: ApplicationContext, access_condition_id: str, raw: bool
 
 
 @click.command(cls=CmemcCommand, name="create")
-@click.option(
-    "--name",
-    "name",
-    type=click.STRING,
-    help=HELP_TEXTS["name"],
-)
-@click.option(
-    "--id",
-    "id_",
-    type=click.STRING,
-    help=HELP_TEXTS["id"],
-)
-@click.option(
-    "--description",
-    "description",
-    type=click.STRING,
-    help=HELP_TEXTS["description"],
-)
 @click.option(
     "--user",
     type=click.STRING,
@@ -195,6 +194,31 @@ def inspect_command(app: ApplicationContext, access_condition_id: str, raw: bool
     shell_complete=completion.acl_actions,
     help=HELP_TEXTS["action"],
 )
+@click.option(
+    "--query",
+    "query",
+    type=click.STRING,
+    shell_complete=completion.remote_queries_and_sparql_files,
+    help=HELP_TEXTS["query"],
+)
+@click.option(
+    "--id",
+    "id_",
+    type=click.STRING,
+    help=HELP_TEXTS["id"],
+)
+@click.option(
+    "--name",
+    "name",
+    type=click.STRING,
+    help=HELP_TEXTS["name"],
+)
+@click.option(
+    "--description",
+    "description",
+    type=click.STRING,
+    help=HELP_TEXTS["description"],
+)
 @click.pass_obj
 # pylint: disable-msg=too-many-arguments
 def create_command(  # noqa: PLR0913
@@ -207,20 +231,43 @@ def create_command(  # noqa: PLR0913
     read_graphs: tuple[str],
     write_graphs: tuple[str],
     actions: tuple[str],
+    query: str,
 ) -> None:
-    """Create an access condition."""
-    if not read_graphs and not write_graphs and not actions:
+    """Create an access condition.
+
+    With this command, new access conditions can be created.
+
+    An access condition captures information about WHO gets access to WHAT.
+    In order to specify WHO gets access, use the `--user` and / or `--group` options.
+    In order to specify WHAT an account get access to, use the `--read-graph`,
+    `--write-graph` and `--action` options.`
+
+    In addition to that, you can specify a name, a description and an ID (all optional).
+
+    A special case are dynamic access conditions, based on a SPARQL query: Here you
+    have to provide a query with the projection variables `user`, `group` `readGraph`
+    and `writeGraph` to create multiple grants at once. You can either provide a query file
+    or a query URL from the query catalog.
+
+    Note: Queries for dynamic access conditions are copied into the ACL, so changing the
+    query in the query catalog does not change it in the access condition.
+
+    Example: cmemc admin acl create --group local-users --write-graph https://example.org/
+    """
+    if not read_graphs and not write_graphs and not actions and not query:
         raise click.UsageError(
             "Missing access / usage grant. Use at least one of the following options: "
-            "--read-graph, --write-graph or --action."
-        )
-    if not user and not groups:
-        app.echo_warning(
-            "Access conditions without a user and without a group assignment " "affect ALL users."
+            "--read-graph, --write-graph, --action or --query."
         )
+    query_str = None
+    if query:
+        query_str = get_query_text(query, {"user", "group", "readGraph", "writeGraph"})
+
+    if not user and not groups and not query:
+        app.echo_warning("Access conditions without a user or group assignment affect ALL users.")
 
     if not name:
-        name = generate_acl_name(user=user, groups=groups)
+        name = generate_acl_name(user=user, groups=groups, query=query)
 
     if not description:
         description = "This access condition was created with cmemc."
@@ -229,6 +276,7 @@ def create_command(  # noqa: PLR0913
         f"Creating access condition '{name}' ... ",
         nl=False,
     )
+
     create_access_condition(
         name=name,
         static_id=id_,
@@ -237,7 +285,8 @@ def create_command(  # noqa: PLR0913
         groups=groups,
         read_graphs=list(read_graphs),
         write_graphs=list(write_graphs),
-        actions=list(actions),
+        actions=[convert_qname_to_iri(qname=_, default_ns=NS_ACTION) for _ in actions],
+        query=query_str,
     )
     app.echo_success("done")
 
@@ -302,6 +351,13 @@ def create_command(  # noqa: PLR0913
     shell_complete=completion.acl_actions,
     help=HELP_TEXTS["action"],
 )
+@click.option(
+    "--query",
+    "query",
+    type=click.STRING,
+    shell_complete=completion.remote_queries_and_sparql_files,
+    help=HELP_TEXTS["query"],
+)
 @click.pass_obj
 # pylint: disable-msg=too-many-arguments
 def update_command(  # noqa: PLR0913
@@ -314,6 +370,7 @@ def update_command(  # noqa: PLR0913
     read_graphs: tuple[str],
     write_graphs: tuple[str],
     actions: tuple[str],
+    query: str,
 ) -> None:
     """Update an access condition.
 
@@ -326,6 +383,9 @@ def update_command(  # noqa: PLR0913
         f"Updating access condition {payload['name']} ... ",
         nl=False,
     )
+    query_str = None
+    if query:
+        query_str = get_query_text(query, {"user", "group", "readGraph", "writeGraph"})
 
     update_access_condition(
         iri=iri,
@@ -335,7 +395,8 @@ def update_command(  # noqa: PLR0913
         groups=groups,
         read_graphs=read_graphs,
         write_graphs=write_graphs,
-        actions=actions,
+        actions=[convert_qname_to_iri(qname=_, default_ns=NS_ACTION) for _ in actions],
+        query=query_str,
     )
     app.echo_success("done")
 
@@ -394,10 +455,9 @@ def review_command(app: ApplicationContext, raw: bool, user: str, groups: list[s
     """Review grants for a given account.
 
     This command has two working modes: (1) You can review the access conditions
-    of an actual account - this needs access to keycloak and the access condition API,
+    of an actual account,
     (2) You can review the access conditions of an imaginary account with a set of
-    freely added groups (what-if-scenario) - this only needs access to the access
-    condition API.
+    freely added groups (what-if-scenario).
 
     The output of the command is a list of grants the account has based on your input
     and all access conditions loaded in the store. In addition to that, some metadata
@@ -407,23 +467,19 @@ def review_command(app: ApplicationContext, raw: bool, user: str, groups: list[s
         app.echo_debug("Trying to fetch groups from keycloak.")
         keycloak_user = get_user_by_username(username=user)
         if not keycloak_user:
-            raise UsageError(
-                "Unknown User or no access to get user info.\n"
-                "Use the --group option to assign groups manually (what-if-scenario)."
-            )
-        try:
-            keycloak_user_groups = user_groups(user_id=keycloak_user[0]["id"])
-            groups = [f"{NS_GROUP}{_['name']}" for _ in keycloak_user_groups]
-        except requests.exceptions.HTTPError as error:
-            raise UsageError(
-                f"You do not have the permission to retrieve the groups for user {user}"
-                " from Keycloak.\n"
-                "Use the --group option to assign groups manually (what-if-scenario)."
-            ) from error
+            if user != PUBLIC_USER_URI:
+                app.echo_warning(WARNING_UNKNOWN_USER)
+                app.echo_warning(WARNING_USE_GROUP)
+        else:
+            try:
+                keycloak_user_groups = user_groups(user_id=keycloak_user[0]["id"])
+                groups = [f"{NS_GROUP}{_['name']}" for _ in keycloak_user_groups]
+            except (requests.exceptions.HTTPError, IndexError):
+                app.echo_warning(WARNING_NO_GROUP_ACCESS)
+                app.echo_warning(WARNING_USE_GROUP)
     app.echo_debug(f"Got groups: {groups}")
-    review_info: dict = review_graph_rights(
-        account_iri=f"{NS_USER}{user}", group_iris=groups
-    ).json()
+    account_iri = f"{NS_USER}{user}" if user != PUBLIC_USER_URI else PUBLIC_USER_URI
+    review_info: dict = review_graph_rights(account_iri=account_iri, group_iris=groups).json()
     review_info["groupIri"] = groups
     if raw:
         app.echo_info_json(review_info)