elody 0.0.158__py3-none-any.whl → 0.0.159__py3-none-any.whl

elody/policies/authorization/filter_generic_objects_policy.py

@@ -45,7 +45,7 @@ class FilterGenericObjectsPolicy(BaseAuthorizationPolicy):
                 if access_verdict != None:
                     policy_context.access_verdict = access_verdict
                     if not policy_context.access_verdict:
-                        return policy_context
+                        break
 
             if policy_context.access_verdict:
                 return policy_context

elody/policies/authorization/filter_generic_objects_policy_v2.py

@@ -0,0 +1,166 @@
+import re as regex
+
+from copy import deepcopy
+from elody.policies.permission_handler import (
+    get_permissions,
+    mask_protected_content_post_request_hook,
+)
+from flask import Request  # pyright: ignore
+from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
+from inuits_policy_based_auth.contexts.policy_context import (  # pyright: ignore
+    PolicyContext,
+)
+from inuits_policy_based_auth.contexts.user_context import (  # pyright: ignore
+    UserContext,
+)
+
+
+class FilterGenericObjectsPolicyV2(BaseAuthorizationPolicy):
+    def authorize(
+        self, policy_context: PolicyContext, user_context: UserContext, request_context
+    ):
+        request: Request = request_context.http_request
+        if not regex.match("^(/[^/]+/v[0-9]+)?/[^/]+/filter$", request.path):
+            return policy_context
+
+        if not isinstance(user_context.access_restrictions.filters, list):
+            user_context.access_restrictions.filters = []
+        type_filter, filters = self.__split_type_filter(
+            user_context, deepcopy(request.json or [])
+        )
+        if not type_filter:
+            policy_context.access_verdict = True
+            return policy_context
+
+        policy_context.access_verdict = False
+        for role in user_context.x_tenant.roles:
+            permissions = get_permissions(role, user_context)
+            if not permissions:
+                continue
+
+            rules = [PostRequestRules]
+            access_verdict = None
+            for rule in rules:
+                access_verdict = rule().apply(
+                    type_filter["value"], filters, user_context, request, permissions
+                )
+                if access_verdict != None:
+                    policy_context.access_verdict = access_verdict
+                    if not policy_context.access_verdict:
+                        break
+
+            if policy_context.access_verdict:
+                return policy_context
+
+        return policy_context
+
+    def __split_type_filter(self, user_context: UserContext, request_body: list):
+        type_filter = None
+        for filter in request_body:
+            if filter["type"] == "type":
+                type_filter = filter
+            elif filter["type"] == "selection" and filter["key"] == "type":
+                type_filter = filter
+            elif item_types := filter.get("item_types"):
+                type_filter = {
+                    "type": "selection",
+                    "key": "type",
+                    "value": item_types,
+                    "match_exact": True,
+                }
+
+        if not type_filter:
+            if tenant_relation_type := user_context.bag.get("tenant_relation_type"):
+                user_context.access_restrictions.filters.append(  # pyright: ignore
+                    {
+                        "type": "selection",
+                        "key": tenant_relation_type,
+                        "value": [
+                            user_context.bag.get(
+                                "tenant_defining_entity_id", user_context.x_tenant.id
+                            )
+                        ],
+                        "match_exact": True,
+                    }
+                )
+            return None, request_body
+
+        try:
+            request_body.remove(type_filter)
+        except ValueError:
+            pass
+        return type_filter, request_body
+
+
+class PostRequestRules:
+    def apply(
+        self,
+        type_filter_values: str | list[str],
+        filters: list[dict],
+        user_context: UserContext,
+        request: Request,
+        permissions,
+    ) -> bool | None:
+        if request.method != "POST":
+            return None
+
+        if isinstance(type_filter_values, str):
+            type_filter_values = [type_filter_values]
+
+        type_filter_values_copy = deepcopy(type_filter_values)
+        for type_filter_value in type_filter_values_copy:
+            if type_filter_value not in permissions["read"].keys():
+                type_filter_values.remove(type_filter_value)
+                continue
+
+            restrictions_grouped_by_index = {}
+            schemas = permissions["read"][type_filter_value]
+            for schema in schemas.keys():
+                restrictions = schemas[schema].get("object_restrictions", {})
+                for restricted_key, restricting_value in restrictions.items():
+                    index, restricted_key = restricted_key.split(":")
+                    key = f"{schema}|{restricted_key}"
+                    if group := restrictions_grouped_by_index.get(index):
+                        group["key"].append(key)
+                    else:
+                        restrictions_grouped_by_index.update(
+                            {
+                                index: {
+                                    "key": [key],
+                                    "value": restricting_value,
+                                }
+                            }
+                        )
+
+            # support false soft call read responses
+            for filter in filters:
+                key = filter.get("key", "")
+                if isinstance(key, list):
+                    key = ",".join(key)
+                for restriction in restrictions_grouped_by_index.values():
+                    if key not in ",".join(restriction["key"]):
+                        continue
+                    values = (
+                        filter["value"]
+                        if isinstance(filter["value"], list)
+                        else [filter["value"]]
+                    )
+                    if not any(value in restriction["value"] for value in values):
+                        return False
+
+            for restriction in restrictions_grouped_by_index.values():
+                user_context.access_restrictions.filters.append(  # pyright: ignore
+                    {
+                        "type": "selection",
+                        "key": restriction["key"],
+                        "value": restriction["value"],
+                        "match_exact": True,
+                    }
+                )
+
+        if len(type_filter_values) == 0:
+            return False
+        user_context.access_restrictions.post_request_hook = (
+            mask_protected_content_post_request_hook(user_context, permissions)
+        )
+        return True

elody/policies/authorization/generic_object_detail_policy.py

@@ -43,7 +43,7 @@ class GenericObjectDetailPolicy(BaseAuthorizationPolicy):
                 if access_verdict != None:
                     policy_context.access_verdict = access_verdict
                     if not policy_context.access_verdict:
-                        return policy_context
+                        break
 
             if policy_context.access_verdict:
                 return policy_context

elody/policies/authorization/generic_object_mediafiles_policy.py

@@ -54,7 +54,7 @@ class GenericObjectMediafilesPolicy(BaseAuthorizationPolicy):
                 if access_verdict != None:
                     policy_context.access_verdict = access_verdict
                     if not policy_context.access_verdict:
-                        return policy_context
+                        break
 
             if policy_context.access_verdict:
                 return policy_context

elody/policies/authorization/generic_object_metadata_policy.py

@@ -37,7 +37,7 @@ class GenericObjectMetadataPolicy(BaseAuthorizationPolicy):
                 if access_verdict != None:
                     policy_context.access_verdict = access_verdict
                     if not policy_context.access_verdict:
-                        return policy_context
+                        break
 
             if policy_context.access_verdict:
                 return policy_context

elody/policies/authorization/generic_object_relations_policy.py

@@ -43,7 +43,7 @@ class GenericObjectRelationsPolicy(BaseAuthorizationPolicy):
                 if access_verdict != None:
                     policy_context.access_verdict = access_verdict
                     if not policy_context.access_verdict:
-                        return policy_context
+                        break
 
             if policy_context.access_verdict:
                 return policy_context

elody/policies/authorization/generic_object_request_policy.py

@@ -38,7 +38,7 @@ class GenericObjectRequestPolicy(BaseAuthorizationPolicy):
                 if access_verdict != None:
                     policy_context.access_verdict = access_verdict
                     if not policy_context.access_verdict:
-                        return policy_context
+                        break
 
             if policy_context.access_verdict:
                 return policy_context

elody/policies/authorization/generic_object_request_policy_v2.py

@@ -0,0 +1,133 @@
+import re as regex
+
+from configuration import get_object_configuration_mapper  # pyright: ignore
+from elody.policies.helpers import get_content
+from elody.policies.permission_handler import (
+    get_permissions,
+    handle_single_item_request,
+    mask_protected_content_post_request_hook,
+)
+from flask import Request  # pyright: ignore
+from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
+from inuits_policy_based_auth.contexts.policy_context import (  # pyright: ignore
+    PolicyContext,
+)
+from inuits_policy_based_auth.contexts.user_context import (  # pyright: ignore
+    UserContext,
+)
+
+
+class GenericObjectRequestPolicyV2(BaseAuthorizationPolicy):
+    def authorize(
+        self, policy_context: PolicyContext, user_context: UserContext, request_context
+    ):
+        request: Request = request_context.http_request
+        if not regex.match("^(/[^/]+/v[0-9]+)?/[^/]+$", request.path):
+            return policy_context
+
+        for role in user_context.x_tenant.roles:
+            permissions = get_permissions(role, user_context)
+            if not permissions:
+                continue
+
+            rules = [PostRequestRules, GetRequestRules]
+            access_verdict = None
+            for rule in rules:
+                access_verdict = rule().apply(user_context, request, permissions)
+                if access_verdict != None:
+                    policy_context.access_verdict = access_verdict
+                    if not policy_context.access_verdict:
+                        break
+
+            if policy_context.access_verdict:
+                return policy_context
+
+        return policy_context
+
+
+class PostRequestRules:
+    def apply(
+        self, user_context: UserContext, request: Request, permissions
+    ) -> bool | None:
+        if request.method != "POST":
+            return None
+
+        content = get_content(request.json, request, request.json)
+        schema_type = get_object_configuration_mapper().get(content["type"]).SCHEMA_TYPE
+        item = {**content, "schema": {"type": schema_type}}
+        return handle_single_item_request(
+            user_context, item, permissions, "create", content
+        )
+
+
+class GetRequestRules:
+    def apply(
+        self, user_context: UserContext, request: Request, permissions
+    ) -> bool | None:
+        if request.method != "GET":
+            return None
+
+        type_query_parameter = request.args.get("type")
+        allowed_item_types = list(permissions["read"].keys())
+        filters = []
+
+        if type_query_parameter:
+            if type_query_parameter not in allowed_item_types:
+                return None
+            type_permissions = permissions["read"][type_query_parameter]
+            schemas = list(type_permissions.keys())
+            if len(schemas) > 0:
+                number_of_object_restrictions = len(
+                    type_permissions[schemas[0]].get("object_restrictions", {}).keys()
+                )
+                for i in range(number_of_object_restrictions):
+                    keys, values = [], []
+                    for schema in schemas:
+                        object_restrictions = type_permissions[schema].get(
+                            "object_restrictions", {}
+                        )
+                        key = [
+                            key
+                            for key in object_restrictions.keys()
+                            if key.startswith(f"{i}:")
+                        ][0]
+                        keys.append(f"{schema}|{key.split(':')[1]}")
+                        values = object_restrictions[key]
+                    filters.append(
+                        {
+                            "type": "selection",
+                            "key": keys,
+                            "value": values,
+                            "match_exact": True,
+                        }
+                    )
+            filters.insert(0, {"type": "type", "value": type_query_parameter})
+        else:
+            filters.append(
+                {
+                    "type": "selection",
+                    "key": "type",
+                    "value": allowed_item_types,
+                    "match_exact": True,
+                }
+            )
+            if tenant_relation_type := user_context.bag.get("tenant_relation_type"):
+                filters.append(
+                    {
+                        "type": "selection",
+                        "key": tenant_relation_type,
+                        "value": [
+                            "tenant:super",
+                            user_context.bag.get(
+                                "tenant_defining_entity_id", user_context.x_tenant.id
+                            ),
+                        ],
+                        "match_exact": True,
+                    }
+                )
+
+        user_context.access_restrictions.filters = filters
+        user_context.access_restrictions.post_request_hook = (
+            mask_protected_content_post_request_hook(user_context, permissions)
+        )
+        return True

elody/policies/authorization/mediafile_derivatives_policy.py

@@ -54,7 +54,7 @@ class MediafileDerivativesPolicy(BaseAuthorizationPolicy):
                 if access_verdict != None:
                     policy_context.access_verdict = access_verdict
                     if not policy_context.access_verdict:
-                        return policy_context
+                        break
 
             if policy_context.access_verdict:
                 return policy_context

elody/policies/authorization/mediafile_download_policy.py

@@ -53,7 +53,7 @@ class MediafileDownloadPolicy(BaseAuthorizationPolicy):
                 if access_verdict != None:
                     policy_context.access_verdict = access_verdict
                     if not policy_context.access_verdict:
-                        return policy_context
+                        break
 
             if policy_context.access_verdict:
                 return policy_context

{elody-0.0.158.dist-info → elody-0.0.159.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: elody
-Version: 0.0.158
+Version: 0.0.159
 Summary: elody SDK for Python
 Author-email: Inuits <developers@inuits.eu>
 License:                     GNU GENERAL PUBLIC LICENSE

{elody-0.0.158.dist-info → elody-0.0.159.dist-info}/RECORD

@@ -23,14 +23,16 @@ elody/policies/authentication/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5N
 elody/policies/authentication/base_user_tenant_validation_policy.py,sha256=fxvrB4iG6fehBh6b4XS8AWewtNsCABgSooma5ljjZk4,5144
 elody/policies/authentication/multi_tenant_policy.py,sha256=jmV1RTsApt2IV8BgSRcfnIjWHhDtFjW4OHJgWNUDKRw,3822
 elody/policies/authorization/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-elody/policies/authorization/filter_generic_objects_policy.py,sha256=SXoUqSBk8_t7gDiM7nxztWwer8R8WU_qfKwqKyb-lXA,6534
-elody/policies/authorization/generic_object_detail_policy.py,sha256=BB9uvTRujvmZobRENTNsZnu2zfqDsv8lYvDXOPe5Sso,3471
-elody/policies/authorization/generic_object_mediafiles_policy.py,sha256=yHQ_ePUU3xgjf6v6zLF0Cay_RUJLsRfDYulvBkUDIso,2899
-elody/policies/authorization/generic_object_metadata_policy.py,sha256=neVuUdK3D5kOhBwKNM44eoQoSY1Fy6o8WV657eoM4WM,2799
-elody/policies/authorization/generic_object_relations_policy.py,sha256=CQaE0tpOwz54VWNpqpZLa1C-dROdD1s281fOorjV_mg,3724
-elody/policies/authorization/generic_object_request_policy.py,sha256=3H-exSOZYWhlrQ1vGkk0Dfw4XsKCG_NPxdq86DgfFMo,4879
-elody/policies/authorization/mediafile_derivatives_policy.py,sha256=1pIK7SHufB_Lu1aoj8gh2XGeLi3H-hTiBDYS7XMtz40,3177
-elody/policies/authorization/mediafile_download_policy.py,sha256=1wbPFruSkS_Wjj4rt39SnLsagXoXSJpY1tkOxCGhjf0,2547
+elody/policies/authorization/filter_generic_objects_policy.py,sha256=XjKGM__WKG7n-QaopQGwSyvamQkye1DD6a-8mx2Xkwc,6518
+elody/policies/authorization/filter_generic_objects_policy_v2.py,sha256=96lNmlxgzN8Lu4mXLRxAN-_pfGnK8BF5bXa-iSJofE0,6356
+elody/policies/authorization/generic_object_detail_policy.py,sha256=kk49gIyOCasHH1U8T1-dJUQSW-R37N4wPQi0tMTWvBA,3455
+elody/policies/authorization/generic_object_mediafiles_policy.py,sha256=bo9OL13-6vLhfG6dc_hg_EfynOk0fUbTZg-DmwTtBkU,2883
+elody/policies/authorization/generic_object_metadata_policy.py,sha256=K-tNO1QIrlACupFSiZ12gH-N7T0s3y2hpPIpiKC_maQ,2783
+elody/policies/authorization/generic_object_relations_policy.py,sha256=NRhywIntTpR69R_Lf1-sKfgWdXd7NW2K-lL8cGqWhhQ,3708
+elody/policies/authorization/generic_object_request_policy.py,sha256=H9VGCMLyXO1k4n6ZOHOKcQ6K5ofLjjKe9KVTHH2FPIY,4863
+elody/policies/authorization/generic_object_request_policy_v2.py,sha256=0bAjeq2uDunUDybOYApmNCpaaeCq97kNJEoqSfEUNMg,5051
+elody/policies/authorization/mediafile_derivatives_policy.py,sha256=-i_JRgMcLjDQ85rzjBcrm3hXevAoTn5Z6itgt83K2Ik,3161
+elody/policies/authorization/mediafile_download_policy.py,sha256=q5yib9EmXaWUcRMr-Kg2Fob7M7Mte6C8cmJ7K-rj_Go,2531
 elody/policies/authorization/multi_tenant_policy.py,sha256=SA9H7SBjzuh8mY3gYN7pDG8TV7hdI3GEUtNeiZeNL3M,3164
 elody/policies/authorization/tenant_request_policy.py,sha256=dEgblwRAqwWVcE-O7Jn8hVL3OnwDlQhDEOcPlcElBrk,1185
 tests/__init_.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -38,8 +40,8 @@ tests/data.py,sha256=Q3oxduf-E3m-Z5G_p3fcs8jVy6g10I7zXKL1m94UVMI,2906
 tests/unit/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 tests/unit/test_csv.py,sha256=NQaOhehfQ4GuXku0Y1SA8DYjJeqqidbF50zEHAi8RZA,15923
 tests/unit/test_utils.py,sha256=g63szcEZyHhCOtrW4BnNbcgVca3oYPIOLjBdIzNwwN0,8784
-elody-0.0.158.dist-info/LICENSE,sha256=gXf5dRMhNSbfLPYYTY_5hsZ1r7UU1OaKQEAQUhuIBkM,18092
-elody-0.0.158.dist-info/METADATA,sha256=aGFDMi4tnUeUA1bh3x1xuUgLQEHM5hSl240-xroWCng,23283
-elody-0.0.158.dist-info/WHEEL,sha256=PZUExdf71Ui_so67QXpySuHtCi3-J3wvF4ORK6k_S8U,91
-elody-0.0.158.dist-info/top_level.txt,sha256=E0mImupLj0KmtUUCXRYEoLDRaSkuiGaOIIseAa0oQ-M,21
-elody-0.0.158.dist-info/RECORD,,
+elody-0.0.159.dist-info/LICENSE,sha256=gXf5dRMhNSbfLPYYTY_5hsZ1r7UU1OaKQEAQUhuIBkM,18092
+elody-0.0.159.dist-info/METADATA,sha256=QGOws6FXVtyOTq8KLLM0QmOc6nElR0UwKgSozfJMDiM,23283
+elody-0.0.159.dist-info/WHEEL,sha256=PZUExdf71Ui_so67QXpySuHtCi3-J3wvF4ORK6k_S8U,91
+elody-0.0.159.dist-info/top_level.txt,sha256=E0mImupLj0KmtUUCXRYEoLDRaSkuiGaOIIseAa0oQ-M,21
+elody-0.0.159.dist-info/RECORD,,