PyPI - elody - Versions diffs - 0.0.194__tar.gz → 0.0.196__tar.gz - Mend

elody 0.0.194tar.gz → 0.0.196tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

{elody-0.0.194 → elody-0.0.196}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: elody
-Version: 0.0.194
+Version: 0.0.196
 Summary: elody SDK for Python
 Author-email: Inuits <developers@inuits.eu>
 License:                     GNU GENERAL PUBLIC LICENSE

{elody-0.0.194 → elody-0.0.196}/pyproject.toml RENAMED Viewed

@@ -6,7 +6,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "elody"
-version = "0.0.194"
+version = "0.0.196"
 description = "elody SDK for Python"
 readme = "README.md"
 authors = [{ name = "Inuits", email = "developers@inuits.eu" }]

elody-0.0.196/src/elody/policies/authentication/base_user_tenant_validation_policy.py ADDED Viewed

@@ -0,0 +1,132 @@
+import re as regex
+from abc import ABC, abstractmethod
+from configuration import get_object_configuration_mapper  # pyright: ignore
+from copy import deepcopy
+from inuits_policy_based_auth.contexts.user_context import (  # pyright: ignore
+    UserContext,
+)
+from inuits_policy_based_auth.helpers.tenant import Tenant  # pyright: ignore
+from werkzeug.exceptions import Forbidden  # pyright: ignore
+class BaseUserTenantValidationPolicy(ABC):
+    @abstractmethod
+    def get_user(
+        self,
+        id: str,
+        user_context: UserContext,
+        storage,
+        *,
+        user_metadata_key_for_global_roles="roles",
+        user_tenant_relation_type="hasTenant",
+    ) -> dict:
+        config = get_object_configuration_mapper().get("user")
+        collection = config.crud()["collection"]
+        serialize = config.serialization(config.SCHEMA_TYPE, "elody")
+        user = storage.get_item_from_collection_by_id(collection, id) or {}
+        self.user = serialize(user)
+        user_context.bag["roles_from_idp"] = deepcopy(user_context.x_tenant.roles)
+        user_context.bag["user_metadata_key_for_global_roles"] = (
+            user_metadata_key_for_global_roles
+        )
+        user_context.bag["user_tenant_relation_type"] = user_tenant_relation_type
+        return self.user
+    @abstractmethod
+    def build_user_context_for_anonymous_user(
+        self, request, user_context: UserContext
+    ) -> UserContext:
+        user_context = self.__build_user_context(request, user_context)
+        user_context.id = "anonymous"
+        user_context.x_tenant = Tenant()
+        user_context.x_tenant.id = ""
+        user_context.x_tenant.roles = ["anonymous"]
+        return user_context
+    @abstractmethod
+    def build_user_context_for_authenticated_user(
+        self, request, user_context: UserContext, user: dict
+    ) -> UserContext:
+        user_context = self.__build_user_context(request, user_context)
+        user_context.x_tenant = Tenant()
+        user_context.x_tenant.id = self._determine_tenant_id(request, user_context)
+        user_context.x_tenant.roles = self.__get_tenant_roles(request, user_context)
+        return user_context
+    @abstractmethod
+    def _determine_tenant_id(self, request, user_context: UserContext) -> str:
+        pass
+    def __build_user_context(self, request, user_context: UserContext):
+        user_context.bag["http_method"] = request.method
+        user_context.bag["requested_endpoint"] = request.endpoint
+        user_context.bag["full_path"] = request.full_path
+        user_context.bag["collection_resolver"] = (
+            self._resolve_collections  # pyright: ignore
+        )
+        return user_context
+    def __get_tenant_roles(self, request, user_context: UserContext) -> list[str]:
+        """
+        Gathering multiple tenants are supported, but there are some important notes:
+            - all roles are stored in a combined way in user_context.x_tenant.roles
+            - those combination of different tenant roles will work, as long as:
+                - the roles are the same
+                - the object restrictions allow all tenants that are linked with the user
+                => to make it fully work, see #143185
+            - with combined roles, when combaring rol_a vs rol_b
+                - if rol_a allow and role_b does not allow access: the role allowing access will always win
+                - if both roles allow, but just have different restrictions: the first allowing role will win
+                    - this is completely random
+                    => currently no logic in policies to determine which allowing role to apply
+        """
+        roles = []
+        for metadata in self.user.get("metadata", []):
+            if (
+                metadata["key"]
+                == user_context.bag["user_metadata_key_for_global_roles"]
+            ):
+                roles.extend(metadata["value"])
+        if user_context.x_tenant.id:
+            tenant_ids = user_context.x_tenant.id.split(",")
+            for tenant_id in tenant_ids:
+                try:
+                    user_tenant_relation = self.__get_user_tenant_relation(
+                        tenant_id, user_context.bag["user_tenant_relation_type"]
+                    )
+                except Forbidden as error:
+                    user_tenant_relation = {}
+                    if len(roles) == 0:
+                        raise Forbidden(error.description)
+                roles.extend(user_tenant_relation.get("roles", []))
+        if len(roles) == 0 and not regex.match(
+            "(/[^/]+/v[0-9]+)?/tenants$", request.path
+        ):
+            raise Forbidden("User has no global roles, switch to a specific tenant.")
+        return list(set(roles))
+    def __get_user_tenant_relation(
+        self, tenant_id: str, user_tenant_relation_type: str
+    ) -> dict:
+        user_tenant_relation = None
+        for relation in self.user.get("relations", []):
+            if (
+                relation["key"] == tenant_id
+                and relation["type"] == user_tenant_relation_type
+            ):
+                user_tenant_relation = relation
+                break
+        if not user_tenant_relation:
+            if tenant_id:
+                raise Forbidden(f"User is not a member of tenant {tenant_id}.")
+            return {}
+        return user_tenant_relation

{elody-0.0.194 → elody-0.0.196}/src/elody/policies/authorization/filter_generic_objects_policy_v2.py RENAMED Viewed

@@ -1,11 +1,12 @@
 import re as regex
 from copy import deepcopy
+from elody.policies.helpers import generate_filter_key_and_lookup_from_restricted_key
 from elody.policies.permission_handler import (
     get_permissions,
     mask_protected_content_post_request_hook,
 )
-from flask import Request  # pyright: ignore
+from flask import g, Request  # pyright: ignore
 from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
 from inuits_policy_based_auth.contexts.policy_context import (  # pyright: ignore
     PolicyContext,
@@ -26,7 +27,7 @@ class FilterGenericObjectsPolicyV2(BaseAuthorizationPolicy):
         if not isinstance(user_context.access_restrictions.filters, list):
             user_context.access_restrictions.filters = []
         type_filter, filters = self.__split_type_filter(
-            user_context, deepcopy(request.json or [])
+            user_context, deepcopy(g.get("content") or request.json or [])
         )
         if not type_filter:
             policy_context.access_verdict = True
@@ -123,6 +124,11 @@ class PostRequestRules:
                 restrictions = schemas[schema].get("object_restrictions", {})
                 for restricted_key, restricting_value in restrictions.items():
                     index, restricted_key = restricted_key.split(":")
+                    restricted_key, lookup = (
+                        generate_filter_key_and_lookup_from_restricted_key(
+                            restricted_key
+                        )
+                    )
                     key = f"{schema}|{restricted_key}"
                     if group := restrictions_grouped_by_index.get(index):
                         group["key"].append(key)
@@ -130,6 +136,7 @@ class PostRequestRules:
                         restrictions_grouped_by_index.update(
                             {
                                 index: {
+                                    "lookup": lookup,
                                     "key": [key],
                                     "value": restricting_value,
                                 }
@@ -155,6 +162,7 @@ class PostRequestRules:
             for restriction in restrictions_grouped_by_index.values():
                 user_context.access_restrictions.filters.append(  # pyright: ignore
                     {
+                        "lookup": restriction["lookup"],
                         "type": "selection",
                         "key": restriction["key"],
                         "value": restriction["value"],

{elody-0.0.194 → elody-0.0.196}/src/elody/policies/authorization/generic_object_request_policy_v2.py RENAMED Viewed

@@ -1,7 +1,10 @@
 import re as regex
 from configuration import get_object_configuration_mapper  # pyright: ignore
-from elody.policies.helpers import get_content
+from elody.policies.helpers import (
+    generate_filter_key_and_lookup_from_restricted_key,
+    get_content,
+)
 from elody.policies.permission_handler import (
     get_permissions,
     handle_single_item_request,
@@ -82,7 +85,7 @@ class GetRequestRules:
                     type_permissions[schemas[0]].get("object_restrictions", {}).keys()
                 )
                 for i in range(number_of_object_restrictions):
-                    keys, values = [], []
+                    lookup, keys, values = {}, [], []
                     for schema in schemas:
                         object_restrictions = type_permissions[schema].get(
                             "object_restrictions", {}
@@ -92,10 +95,16 @@ class GetRequestRules:
                             for key in object_restrictions.keys()
                             if key.startswith(f"{i}:")
                         ][0]
-                        keys.append(f"{schema}|{key.split(':')[1]}")
                         values = object_restrictions[key]
+                        key, lookup = (
+                            generate_filter_key_and_lookup_from_restricted_key(
+                                key.split(":")[1]
+                            )
+                        )
+                        keys.append(f"{schema}|{key}")
                     filters.append(
                         {
+                            "lookup": lookup,
                             "type": "selection",
                             "key": keys,
                             "value": values,

{elody-0.0.194 → elody-0.0.196}/src/elody/policies/authorization/mediafile_derivatives_policy.py RENAMED Viewed

@@ -1,12 +1,12 @@
 import re as regex
-from elody.error_codes import ErrorCode, get_error_code, get_read, get_write
+from configuration import get_object_configuration_mapper  # pyright: ignore
+from elody.policies.helpers import get_content, get_item
 from elody.policies.permission_handler import (
     get_permissions,
     handle_single_item_request,
 )
-from flask import Request  # pyright: ignore
-from flask_restful import abort  # pyright: ignore
+from flask import g, Request  # pyright: ignore
 from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
 from inuits_policy_based_auth.contexts.policy_context import (  # pyright: ignore
     PolicyContext,
@@ -22,32 +22,18 @@ class MediafileDerivativesPolicy(BaseAuthorizationPolicy):
         self, policy_context: PolicyContext, user_context: UserContext, request_context
     ):
         request: Request = request_context.http_request
-        if not regex.match(r"^/mediafiles/(.+)/derivatives$", request.path):
+        if not regex.match(
+            "^(/elody/v[0-9]+)?/mediafiles/[^/]+/derivatives$", request.path
+        ):
             return policy_context
-        view_args = request.view_args or {}
-        collection = view_args.get("collection", request.path.split("/")[-3])
-        id = view_args.get("id")
-        item = (
-            StorageManager()
-            .get_db_engine()
-            .get_item_from_collection_by_id(collection, id)
-        )
-        if not item:
-            abort(
-                404,
-                message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND_IN_COLLECTION, get_read())} | id:{id} | collection: {collection} - Item with id {id} doesn't exist in collection {collection}",
-            )
+        item = get_item(StorageManager(), user_context.bag, request.view_args)
         for role in user_context.x_tenant.roles:
             permissions = get_permissions(role, user_context)
             if not permissions:
                 continue
-            rules = [
-                PostRequestRules,
-                GetRequestRules,
-            ]
+            rules = [PostRequestRules, GetRequestRules]
             access_verdict = None
             for rule in rules:
                 access_verdict = rule().apply(item, user_context, request, permissions)
@@ -69,7 +55,13 @@ class PostRequestRules:
         if request.method != "POST":
             return None
-        return handle_single_item_request(user_context, item, permissions, "create")
+        content = g.get("content") or request.json
+        content = get_content(content, request, content)
+        schema_type = get_object_configuration_mapper().get(content["type"]).SCHEMA_TYPE
+        item = {**content, "schema": {"type": schema_type}}
+        return handle_single_item_request(
+            user_context, item, permissions, "create", content
+        )
 class GetRequestRules:
@@ -80,13 +72,3 @@ class GetRequestRules:
             return None
         return handle_single_item_request(user_context, item, permissions, "read")
-class DeleteRequestRules:
-    def apply(
-        self, item, user_context: UserContext, request: Request, permissions
-    ) -> bool | None:
-        if request.method != "DELETE":
-            return None
-        return handle_single_item_request(user_context, item, permissions, "delete")

{elody-0.0.194 → elody-0.0.196}/src/elody/policies/authorization/mediafile_download_policy.py RENAMED Viewed

@@ -1,12 +1,11 @@
 import re as regex
-from elody.error_codes import ErrorCode, get_error_code, get_read
+from elody.policies.helpers import get_item
 from elody.policies.permission_handler import (
     get_permissions,
     handle_single_item_request,
 )
 from flask import Request  # pyright: ignore
-from flask_restful import abort  # pyright: ignore
 from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
 from inuits_policy_based_auth.contexts.policy_context import (  # pyright: ignore
     PolicyContext,
@@ -22,31 +21,18 @@ class MediafileDownloadPolicy(BaseAuthorizationPolicy):
         self, policy_context: PolicyContext, user_context: UserContext, request_context
     ):
         request: Request = request_context.http_request
-        if not regex.match(r"^/mediafiles/(.+)/download$", request.path):
+        if not regex.match(
+            "^(/elody/v[0-9]+)?/mediafiles/[^/]+/download$", request.path
+        ):
             return policy_context
-        view_args = request.view_args or {}
-        collection = view_args.get("collection", request.path.split("/")[-3])
-        id = view_args.get("id")
-        item = (
-            StorageManager()
-            .get_db_engine()
-            .get_item_from_collection_by_id(collection, id)
-        )
-        if not item:
-            abort(
-                404,
-                message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND_IN_COLLECTION, get_read())} | id:{id} | collection:{collection} - Item with id {id} doesn't exist in collection {collection}",
-            )
+        item = get_item(StorageManager(), user_context.bag, request.view_args)
         for role in user_context.x_tenant.roles:
             permissions = get_permissions(role, user_context)
             if not permissions:
                 continue
-            rules = [
-                GetRequestRules,
-            ]
+            rules = [GetRequestRules]
             access_verdict = None
             for rule in rules:
                 access_verdict = rule().apply(item, user_context, request, permissions)

elody-0.0.196/src/elody/policies/helpers.py ADDED Viewed

@@ -0,0 +1,49 @@
+from configuration import get_object_configuration_mapper  # pyright: ignore
+from elody.error_codes import ErrorCode, get_error_code, get_read
+from serialization.serialize import serialize  # pyright: ignore
+from werkzeug.exceptions import NotFound
+def generate_filter_key_and_lookup_from_restricted_key(key):
+    if (keys := key.split("@", 1)) and len(keys) == 1:
+        return key, {}
+    local_field = keys[0]
+    document_type, key = keys[1].split("-", 1)
+    collection = (
+        get_object_configuration_mapper().get(document_type).crud()["collection"]
+    )
+    lookup = {
+        "from": collection,
+        "local_field": local_field,
+        "foreign_field": "identifiers",
+        "as": f"__lookup.virtual_relations.{document_type}",
+    }
+    return f"{lookup['as']}.{key}", lookup
+def get_content(item, request, content):
+    return serialize(
+        content,
+        type=item.get("type"),
+        from_format=serialize.get_format(
+            (request.view_args or {}).get("spec", "elody"), request.args
+        ),
+        to_format=get_object_configuration_mapper().get(item["type"]).SCHEMA_TYPE,
+    )
+def get_item(storage_manager, user_context_bag, view_args) -> dict:
+    view_args = view_args or {}
+    if id := view_args.get("id"):
+        resolve_collections = user_context_bag.get("collection_resolver")
+        collections = resolve_collections(collection=view_args.get("collection"), id=id)
+        for collection in collections:
+            if item := storage_manager.get_db_engine().get_item_from_collection_by_id(
+                collection, id
+            ):
+                return item
+    raise NotFound(
+        f"{get_error_code(ErrorCode.ITEM_NOT_FOUND, get_read())} | id:{id} - Item with id {id} does not exist."
+    )

{elody-0.0.194 → elody-0.0.196}/src/elody/policies/permission_handler.py RENAMED Viewed

@@ -3,9 +3,11 @@ import re as regex
 from configuration import get_object_configuration_mapper  # pyright: ignore
 from copy import deepcopy
 from elody.error_codes import ErrorCode, get_error_code, get_read
+from elody.policies.helpers import get_item
 from elody.util import flatten_dict, interpret_flat_key
 from inuits_policy_based_auth.contexts.user_context import UserContext
 from logging_elody.log import log  # pyright: ignore
+from storage.storagemanager import StorageManager  # pyright: ignore
 _permissions = {}
@@ -63,7 +65,7 @@ def handle_single_item_request(
         )
         is_allowed_to_crud_item = (
-            __is_allowed_to_crud_item(flat_item, restrictions_schema)
+            __is_allowed_to_crud_item(flat_item, restrictions_schema, user_context)
             if flat_item
             else None
         )
@@ -131,10 +133,7 @@ def __prepare_item_for_permission_check(item, permissions, crud):
     if item.get("type", "") not in permissions[crud].keys():
         return item, None, None, None
-    config = get_object_configuration_mapper().get(item["type"])
-    object_lists = config.document_info().get("object_lists", {})
-    flat_item = flatten_dict(object_lists, item)
+    flat_item, object_lists = __get_flat_item_and_object_lists(item)
     return (
         item,
         flat_item,
@@ -159,13 +158,15 @@ def __get_restrictions_schema(flat_item, permissions, crud):
     return schemas[schema] if schemas and schema else {}
-def __is_allowed_to_crud_item(flat_item, restrictions_schema):
+def __is_allowed_to_crud_item(
+    flat_item, restrictions_schema, user_context: UserContext
+):
     restrictions = restrictions_schema.get("object_restrictions", {})
     for restricted_key, restricting_values in restrictions.items():
         restricted_key = restricted_key.split(":")[1]
         item_value_in_restricting_values = __item_value_in_values(
-            flat_item, restricted_key, restricting_values
+            flat_item, restricted_key, restricting_values, {}, user_context
         )
         if not item_value_in_restricting_values:
             return None
@@ -192,7 +193,11 @@ def __is_allowed_to_crud_item_keys(
         condition_match = True
         for condition_key, condition_values in restricting_conditions.items():
             condition_match = __item_value_in_values(
-                flat_item, condition_key, condition_values, flat_request_body
+                flat_item,
+                condition_key,
+                condition_values,
+                flat_request_body,
+                user_context,
             )
             if not condition_match:
                 break
@@ -228,7 +233,9 @@ def __is_allowed_to_crud_item_keys(
     return len(user_context.bag["restricted_keys"]) == 0
-def __item_value_in_values(flat_item, key, values: list, flat_request_body: dict = {}):
+def __item_value_in_values(
+    flat_item, key, values: list, flat_request_body, user_context: UserContext
+):
     negate_condition = False
     is_optional = False
@@ -239,6 +246,10 @@ def __item_value_in_values(flat_item, key, values: list, flat_request_body: dict
         key = key[1:]
         is_optional = True
+    key_of_relation = None
+    if (keys := key.split("@", 1)) and len(keys) == 2:
+        key = keys[0]
+        key_of_relation = keys[1].split("-", 1)[1]
     try:
         item_value = flat_request_body.get(key, flat_item[key])
         if is_optional:
@@ -249,6 +260,15 @@ def __item_value_in_values(flat_item, key, values: list, flat_request_body: dict
                 f"{get_error_code(ErrorCode.METADATA_KEY_UNDEFINED, get_read())} | key:{key} | document:{flat_item.get('_id', flat_item["type"])} - Key {key} not found in document {flat_item.get('_id', flat_item["type"])}. Either prefix the key with '?' in your permission configuration to make it an optional restriction, or patch the document to include the key. '?' will allow access if key does not exist, '!?' will deny access if key does not exist."
             )
         return not negate_condition
+    else:
+        if key_of_relation:
+            if isinstance(item_value, list):
+                item_value = item_value[0]
+            item = get_item(StorageManager(), user_context.bag, {"id": item_value})
+            flat_item, _ = __get_flat_item_and_object_lists(item)
+            return __item_value_in_values(
+                flat_item, key_of_relation, values, flat_request_body, user_context
+            )
     expected_values = []
     for value in values:
@@ -280,3 +300,9 @@ def __get_element_from_object_list_of_item(
         if element[object_lists[object_list]] == key:
             return element
     return {}
+def __get_flat_item_and_object_lists(item):
+    config = get_object_configuration_mapper().get(item["type"])
+    object_lists = config.document_info().get("object_lists", {})
+    return flatten_dict(object_lists, item), object_lists

{elody-0.0.194 → elody-0.0.196}/src/elody.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: elody
-Version: 0.0.194
+Version: 0.0.196
 Summary: elody SDK for Python
 Author-email: Inuits <developers@inuits.eu>
 License:                     GNU GENERAL PUBLIC LICENSE

{elody-0.0.194 → elody-0.0.196}/src/elody.egg-info/SOURCES.txt RENAMED Viewed

@@ -26,7 +26,6 @@ src/elody/object_configurations/job_configuration.py
 src/elody/policies/__init__.py
 src/elody/policies/helpers.py
 src/elody/policies/permission_handler.py
-src/elody/policies/tenant_id_resolver.py
 src/elody/policies/authentication/__init__.py
 src/elody/policies/authentication/base_user_tenant_validation_policy.py
 src/elody/policies/authentication/multi_tenant_policy.py

elody-0.0.194/src/elody/policies/authentication/base_user_tenant_validation_policy.py DELETED Viewed

@@ -1,125 +0,0 @@
-import re as regex
-from abc import ABC, abstractmethod
-from configuration import get_object_configuration_mapper  # pyright: ignore
-from copy import deepcopy
-from elody.util import get_raw_id
-from inuits_policy_based_auth.contexts.user_context import (  # pyright: ignore
-    UserContext,
-)
-from inuits_policy_based_auth.helpers.tenant import Tenant  # pyright: ignore
-from storage.storagemanager import StorageManager  # pyright: ignore
-from werkzeug.exceptions import Forbidden  # pyright: ignore
-class BaseUserTenantValidationPolicy(ABC):
-    def __init__(self) -> None:
-        self.storage = StorageManager().get_db_engine()
-        self.super_tenant_id = "tenant:super"
-        self.user = {}
-    @abstractmethod
-    def get_user(self, id: str, user_context: UserContext) -> dict:
-        user_context.bag["roles_from_idp"] = deepcopy(user_context.x_tenant.roles)
-    @abstractmethod
-    def build_user_context_for_authenticated_user(
-        self, request, user_context: UserContext, user: dict
-    ):
-        self.user = user
-        user_context.x_tenant = Tenant()
-        user_context.x_tenant.id = self._determine_tenant_id(request, user)
-        user_context.x_tenant.roles = self.__get_tenant_roles(
-            user_context.x_tenant.id, request
-        )
-        user_context.x_tenant.raw = self.__get_x_tenant_raw(user_context.x_tenant.id)
-        user_context.tenants = [user_context.x_tenant]
-        user_context.bag["x_tenant_id"] = user_context.x_tenant.id
-        user_context.bag["tenant_defining_entity_id"] = user_context.x_tenant.id
-        user_context.bag["tenant_relation_type"] = "isIn"
-        user_context.bag["user_ids"] = self.user["identifiers"]
-        user_context.bag["http_method"] = request.method
-        user_context.bag["requested_endpoint"] = request.endpoint
-        user_context.bag["full_path"] = request.full_path
-    @abstractmethod
-    def build_user_context_for_anonymous_user(
-        self, user_context: UserContext, user: dict
-    ):
-        self.user = user
-        user_context.id = get_raw_id(user)
-        user_context.x_tenant = Tenant()
-        user_context.x_tenant.id = self.super_tenant_id
-        user_context.x_tenant.roles = ["anonymous"]
-        user_context.x_tenant.raw = self.__get_x_tenant_raw(user_context.x_tenant.id)
-        user_context.tenants = [user_context.x_tenant]
-        user_context.bag["x_tenant_id"] = user_context.x_tenant.id
-        user_context.bag["tenant_defining_entity_id"] = user_context.x_tenant.id
-        user_context.bag["tenant_relation_type"] = "isIn"
-        user_context.bag["user_ids"] = self.user["identifiers"]
-    @abstractmethod
-    def _determine_tenant_id(self, request, user) -> str:
-        pass
-    def __get_tenant_roles(self, x_tenant_id: str, request) -> list[str]:
-        roles = self.__get_user_tenant_relation(self.super_tenant_id).get("roles", [])
-        if x_tenant_id != self.super_tenant_id:
-            try:
-                user_tenant_relation = self.__get_user_tenant_relation(x_tenant_id)
-            except Forbidden as error:
-                user_tenant_relation = {}
-                if len(roles) == 0:
-                    raise Forbidden(error.description)
-            roles.extend(user_tenant_relation.get("roles", []))
-        if len(roles) == 0 and not regex.match(
-            "(/[^/]+/v[0-9]+)?/tenants$", request.path
-        ):
-            raise Forbidden("User has no global roles, switch to a specific tenant.")
-        return roles
-    def __get_user_tenant_relation(self, x_tenant_id: str) -> dict:
-        user_tenant_relation = None
-        for relation in self.user.get("relations", []):
-            if relation["key"] == x_tenant_id and relation["type"] == "hasTenant":
-                user_tenant_relation = relation
-                break
-        if not user_tenant_relation:
-            if x_tenant_id != self.super_tenant_id:
-                raise Forbidden(f"User is not a member of tenant {x_tenant_id}.")
-            else:
-                return {}
-        return user_tenant_relation
-    def __get_x_tenant_raw(self, x_tenant_id: str) -> dict:
-        collection = (
-            get_object_configuration_mapper().get("tenant").crud()["collection"]
-        )
-        x_tenant_raw = (
-            self.storage.get_item_from_collection_by_id(collection, x_tenant_id) or {}
-        )
-        if x_tenant_raw.get("type") != "tenant":
-            raise Forbidden(f"No tenant {x_tenant_id} exists.")
-        return x_tenant_raw
-    def _get_tenant_defining_entity_id(
-        self, x_tenant_id: str, x_tenant_raw: dict
-    ) -> str:
-        if x_tenant_id == self.super_tenant_id:
-            return x_tenant_id.removeprefix("tenant:")
-        tenant_defining_entity_id = None
-        for relation in x_tenant_raw.get("relations", []):
-            if relation["type"] == "definedBy":
-                tenant_defining_entity_id = relation["key"]
-                break
-        if not tenant_defining_entity_id:
-            raise Forbidden(
-                f"{x_tenant_raw['_id']} has no relation with a tenant defining entity."
-            )
-        return tenant_defining_entity_id

elody-0.0.194/src/elody/policies/helpers.py DELETED Viewed

@@ -1,37 +0,0 @@
-from elody.error_codes import ErrorCode, get_error_code, get_read
-from configuration import get_object_configuration_mapper  # pyright: ignore
-from flask_restful import abort  # pyright: ignore
-from serialization.serialize import serialize  # pyright: ignore
-def get_content(item, request, content):
-    return serialize(
-        content,
-        type=item.get("type"),
-        from_format=serialize.get_format(
-            (request.view_args or {}).get("spec", "elody"), request.args
-        ),
-        to_format=get_object_configuration_mapper().get(item["type"]).SCHEMA_TYPE,
-    )
-def get_item(storage_manager, user_context_bag, view_args):
-    view_args = view_args or {}
-    id = view_args.get("id")
-    resolve_collections = user_context_bag.get("collection_resolver")
-    if not resolve_collections:
-        abort(
-            403,
-            message=f"{get_error_code(ErrorCode.UNDEFINED_COLLECTION_RESOLVER, get_read())} - Collection resolver not defined for user.",
-        )
-    collections = resolve_collections(collection=view_args.get("collection"), id=id)
-    for collection in collections:
-        if item := storage_manager.get_db_engine().get_item_from_collection_by_id(
-            collection, id
-        ):
-            return item
-    else:
-        abort(
-            404,
-            message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND, get_read())} | id:{id} - Item with id {id} does not exist.",
-        )

elody-0.0.194/src/elody/policies/tenant_id_resolver.py DELETED Viewed

@@ -1,375 +0,0 @@
-import re as regex
-from elody.error_codes import ErrorCode, get_error_code, get_read, get_write
-from flask import Request
-from flask_restful import abort
-from storage.storagemanager import StorageManager  # pyright: ignore
-from elody.util import get_item_metadata_value
-from elody.exceptions import NotFoundException, NoTenantException
-class TenantIdResolver:
-    def resolve(self, request, user):
-        endpoints = [
-            EntityGetRequest,
-            EntityPostRequest,
-            EntityDetailGetRequest,
-            EntityDetailUpdateRequest,
-            EntityDetailDeleteRequest,
-            EntityDetailGetRelationsRequest,
-            EntityDetailUpdateRelationsRequest,
-            EntityDetailCreateRelationsRequest,
-            EntityDetailDeleteRelationsRequest,
-            EntityDetailGetMetadataRequest,
-            EntityDetailUpdateMetadataRequest,
-            EntityDetailCreateMetadataRequest,
-            EntityDetailGetMediafilesRequest,
-            EntityDetailCreateMediafilesRequest,
-            MediafileGetRequest,
-            MediafilePostRequest,
-            MediafileDetailGetRequest,
-            MediafileDetailUpdateRequest,
-            MediafileDetailDeleteRequest,
-            MediafileDetailGetDerivativesRequest,
-            MediafileDetailCreateDerivativesRequest,
-            MediafileDetailDeleteDerivativesRequest,
-        ]
-        for endpoint in endpoints:
-            tenant_id = endpoint().get_tenant_id(request)
-            if tenant_id != None:
-                relations = user.get("relations", [])
-                if len(relations) < 1:
-                    raise NoTenantException(f"User is not attached to a tenant")
-                has_tenant_relation = any(
-                    relation.get("type") == "hasTenant"
-                    and relation.get("key") == tenant_id
-                    for relation in relations
-                )
-                if has_tenant_relation:
-                    return tenant_id
-                elif len(relations) == 1 and relations[0].get("key") == "tenant:super":
-                    return "tenant:super"
-                else:
-                    return relations[0].get("key")
-        return "tenant:super"
-class BaseRequest:
-    def __init__(self) -> None:
-        self.storage = StorageManager().get_db_engine()
-        self.super_tenant_id = "tenant:super"
-        # TODO refactor this in a more generic way
-        self.global_types = [
-            "language",
-            "type",
-            "collectionForm",
-            "institution",
-            "tag",
-            "triple",
-            "person",
-            "externalRecord",
-            "verzameling",
-            "arches_record",
-            "manufacturer",
-            "photographer",
-            "creator",
-            "assetPart",
-            "set",
-            "download",
-            "license",
-            "share_link"
-            # TODO Mediafile should have a link to an asset
-            "mediafile",
-            "savedSearch",
-            "original_data",
-            "user",
-        ]
-    def _get_tenant_id_from_entity(self, entity_id):
-        entity_relations = self.storage.get_collection_item_relations(
-            "entities", entity_id
-        )
-        entity = self.storage.get_item_from_collection_by_id("entities", entity_id)
-        if not entity:
-            abort(
-                404,
-                message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND, get_read())} | id:{entity_id} - Item with id {entity_id} doesn't exist",
-            )
-        type = entity.get("type")
-        if type in self.global_types:
-            return "tenant:super"
-        if entity_relations:
-            for entity_relation in entity_relations:
-                if entity_relation.get("type") == "isIn":
-                    tenant = self.storage.get_item_from_collection_by_id(
-                        "entities", entity_relation.get("key")
-                    )
-                    return tenant["_id"]
-                if entity_relation.get("type") == "hasInstitution":
-                    instution_relations = self.storage.get_collection_item_relations(
-                        "entities", entity_relation.get("key")
-                    )
-                    for institution_relation in instution_relations:
-                        if institution_relation.get("type") == "defines":
-                            return institution_relation.get("key")
-        if entity and get_item_metadata_value(entity, "institution"):
-            return f"tenant:{get_item_metadata_value(entity, 'institution')}"
-        abort(
-            400,
-            message=f"{get_error_code(ErrorCode.ENTITY_HAS_NO_TENANT, get_read())} - Entity has no tenant, and is suppose to have one.",
-        )
-    def _get_tenant_id_from_mediafile(self, mediafile_id):
-        mediafile_relations = self.storage.get_collection_item_relations(
-            "mediafiles", mediafile_id
-        )
-        for relation in mediafile_relations:
-            if relation.get("type") == "belongsTo":
-                return self._get_tenant_id_from_entity(relation.get("key"))
-    # TODO Mediafile should have a link to an asset
-    def _get_tenant_id_from_body(self, item, soft_call=False):
-        if soft_call:
-            return "tenant:super"
-        if item.get("type") in self.global_types or item.get("type") == "institution":
-            return "tenant:super"
-        if item.get("type") == "asset":
-            for relation in item.get("relations", []):
-                if relation.get("type") in [
-                    "hasArchesLink",
-                    "hasAdlibLink",
-                    "hasBrocadeLink",
-                ]:
-                    return "tenant:super"
-        institution_id = get_item_metadata_value(item, "institution")
-        if not institution_id:
-            for relation in item.get("relations", []):
-                if relation.get("type") == "hasInstitution":
-                    institution_id = relation.get("key")
-        if institution_id:
-            return f"tenant:{institution_id}"
-        abort(
-            400,
-            message=f"{get_error_code(ErrorCode.ENTITY_HAS_NO_TENANT, get_read())} - Item in body doesn't have an institution.",
-        )
-class EntityGetRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities(?:\?(.*))?$", request.path)
-            and request.method == "GET"
-        ):
-            return self.super_tenant_id
-        return None
-class EntityPostRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities(?:\?(.*))?$", request.path)
-            and request.method == "POST"
-        ):
-            is_soft_call = request.args.get("soft") is not None
-            return self._get_tenant_id_from_body(request.json, soft_call=is_soft_call)
-        return None
-class EntityDetailGetRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if regex.match(r"/entities/(.+)$", request.path) and request.method == "GET":
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-class EntityDetailUpdateRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if regex.match(r"^/entities/(.+)$", request.path) and request.method in [
-            "PUT",
-            "PATCH",
-        ]:
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-class EntityDetailDeleteRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/([^/]+)$", request.path)
-            and request.method == "DELETE"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-class EntityDetailGetRelationsRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/relations$", request.path)
-            and request.method == "GET"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-class EntityDetailUpdateRelationsRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if regex.match(
-            r"^/entities/(.+)/relations$", request.path
-        ) and request.method in ["PUT", "PATCH"]:
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-class EntityDetailCreateRelationsRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/relations$", request.path)
-            and request.method == "POST"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-class EntityDetailDeleteRelationsRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/relations$", request.path)
-            and request.method == "DELETE"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-class EntityDetailGetMetadataRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/metadata$", request.path)
-            and request.method == "GET"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-class EntityDetailUpdateMetadataRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if regex.match(
-            r"^/entities/(.+)/metadata$", request.path
-        ) and request.method in ["PUT", "PATCH"]:
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-class EntityDetailCreateMetadataRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/metadata$", request.path)
-            and request.method == "POST"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-class EntityDetailGetMediafilesRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/mediafiles$", request.path)
-            and request.method == "GET"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-class EntityDetailCreateMediafilesRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/entities/(.+)/mediafiles$", request.path)
-            and request.method == "POST"
-        ):
-            return self._get_tenant_id_from_entity(request.view_args.get("id"))
-        return None
-# Mediafiles
-class MediafileGetRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles(?:\?(.*))?$", request.path)
-            and request.method == "GET"
-        ):
-            return self.super_tenant_id
-        return None
-class MediafilePostRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles(?:\?(.*))?$", request.path)
-            and request.method == "POST"
-        ):
-            is_soft_call = request.args.get("soft") is not None
-            return self._get_tenant_id_from_body(request.json, soft_call=is_soft_call)
-        return None
-class MediafileDetailGetRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles/([^/]+)$", request.path)
-            and request.method == "GET"
-        ):
-            return self.super_tenant_id
-        return None
-class MediafileDetailUpdateRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if regex.match(r"^/mediafiles/(.+)$", request.path) and request.method in [
-            "PUT",
-            "PATCH",
-        ]:
-            return self._get_tenant_id_from_mediafile(request.view_args.get("id"))
-        return None
-class MediafileDetailDeleteRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles/(.+)$", request.path)
-            and request.method == "DELETE"
-        ):
-            return self._get_tenant_id_from_mediafile(request.view_args.get("id"))
-        return None
-class MediafileDetailGetDerivativesRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles/(.+)/derivatives$", request.path)
-            and request.method == "GET"
-        ):
-            return self.super_tenant_id
-        return None
-class MediafileDetailCreateDerivativesRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles/(.+)/derivatives$", request.path)
-            and request.method == "POST"
-        ):
-            return self._get_tenant_id_from_mediafile(request.view_args.get("id"))
-        return None
-class MediafileDetailDeleteDerivativesRequest(BaseRequest):
-    def get_tenant_id(self, request: Request) -> str | None:
-        if (
-            regex.match(r"^/mediafiles/(.+)/derivatives$", request.path)
-            and request.method == "DELETE"
-        ):
-            return self._get_tenant_id_from_mediafile(request.view_args.get("id"))
-        return None