PyPI - elody - Versions diffs - 0.0.62__py3-none-any.whl → 0.0.162__py3-none-any.whl - Mend

elody 0.0.62py3-none-any.whl → 0.0.162py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

elody/client.py +70 -23
elody/csv.py +118 -21
elody/error_codes.py +112 -0
elody/exceptions.py +14 -0
elody/job.py +95 -0
elody/loader.py +33 -5
elody/migration/__init__.py +0 -0
elody/migration/base_object_migrator.py +18 -0
elody/object_configurations/__init__.py +0 -0
elody/object_configurations/base_object_configuration.py +174 -0
elody/object_configurations/elody_configuration.py +144 -0
elody/object_configurations/job_configuration.py +65 -0
elody/policies/authentication/base_user_tenant_validation_policy.py +48 -15
elody/policies/authorization/filter_generic_objects_policy.py +68 -22
elody/policies/authorization/filter_generic_objects_policy_v2.py +166 -0
elody/policies/authorization/generic_object_detail_policy.py +10 -27
elody/policies/authorization/generic_object_mediafiles_policy.py +82 -0
elody/policies/authorization/generic_object_metadata_policy.py +8 -27
elody/policies/authorization/generic_object_relations_policy.py +12 -29
elody/policies/authorization/generic_object_request_policy.py +56 -55
elody/policies/authorization/generic_object_request_policy_v2.py +133 -0
elody/policies/authorization/mediafile_derivatives_policy.py +92 -0
elody/policies/authorization/mediafile_download_policy.py +71 -0
elody/policies/authorization/multi_tenant_policy.py +14 -6
elody/policies/authorization/tenant_request_policy.py +3 -1
elody/policies/helpers.py +37 -0
elody/policies/permission_handler.py +217 -211
elody/policies/tenant_id_resolver.py +375 -0
elody/schemas.py +0 -3
elody/util.py +165 -11
{elody-0.0.62.dist-info → elody-0.0.162.dist-info}/METADATA +16 -11
elody-0.0.162.dist-info/RECORD +47 -0
{elody-0.0.62.dist-info → elody-0.0.162.dist-info}/WHEEL +1 -1
{elody-0.0.62.dist-info → elody-0.0.162.dist-info}/top_level.txt +1 -0
tests/__init_.py +0 -0
tests/data.py +74 -0
tests/unit/__init__.py +0 -0
tests/unit/test_csv.py +410 -0
tests/unit/test_utils.py +293 -0
elody-0.0.62.dist-info/RECORD +0 -27
{elody-0.0.62.dist-info → elody-0.0.162.dist-info}/LICENSE +0 -0

elody/policies/permission_handler.py CHANGED Viewed

@@ -1,61 +1,34 @@
+import re as regex
+from configuration import get_object_configuration_mapper  # pyright: ignore
 from copy import deepcopy
-from elody.util import get_item_metadata_value
+from elody.error_codes import ErrorCode, get_error_code, get_read
+from elody.util import flatten_dict, interpret_flat_key
 from inuits_policy_based_auth.contexts.user_context import UserContext
+from logging_elody.log import log  # pyright: ignore
 _permissions = {}
+_placeholders = ["X_TENANT_ID", "TENANT_DEFINING_ENTITY_ID"]
-def set_permissions(permissions: dict):
+def set_permissions(permissions: dict, placeholders: list[str] = []):
     global _permissions
     _permissions = permissions
+    _placeholders.extend(placeholders)
 def get_permissions(role: str, user_context: UserContext):
     permissions = deepcopy(_permissions)
-    placeholders = ["X_TENANT_ID", "TENANT_DEFINING_ENTITY_ID"]
-    for placeholder in placeholders:
+    for placeholder_key in _placeholders:
+        placeholder_value = user_context.bag.get(placeholder_key.lower())
         permissions = __replace_permission_placeholders(
-            permissions, placeholder, user_context.bag[placeholder.lower()]
+            permissions, placeholder_key, placeholder_value
         )
     return permissions.get(role, {})  # pyright: ignore
-def handle_single_item_request(
-    user_context: UserContext, item, permissions, crud, request_body={}
-):
-    is_allowed_to_crud_item = __is_allowed_to_crud_item(item, permissions, crud)
-    if not is_allowed_to_crud_item:
-        return is_allowed_to_crud_item
-    return __is_allowed_to_crud_item_keys(
-        user_context, item, permissions, crud, request_body
-    )
-def get_mask_protected_content_post_request_hook(
-    user_context: UserContext, permissions, item_type=None
-):
-    def __post_request_hook(
-        response, *, is_single_item_response=False, single_item_sub_route_key=""
-    ):
-        if is_single_item_response:
-            if single_item_sub_route_key in ["metadata", "relations"]:
-                items = [{single_item_sub_route_key: response[0], "type": item_type}]
-            else:
-                items = [response[0]]
-        else:
-            items = response[0]["results"]
-        for item in items:
-            __is_allowed_to_crud_item_keys(user_context, item, permissions, "read")
-        return response
-    return __post_request_hook
 def __replace_permission_placeholders(data, placeholder_key, placeholder_value):
     if isinstance(data, dict):
         for key, value in data.items():
@@ -68,195 +41,228 @@ def __replace_permission_placeholders(data, placeholder_key, placeholder_value):
             for item in data
         ]
     elif isinstance(data, str):
-        data = data.replace(placeholder_key, placeholder_value)
+        if isinstance(placeholder_value, str):
+            data = data.replace(placeholder_key, placeholder_value)
+        elif isinstance(placeholder_value, list) and data == placeholder_key:
+            data = placeholder_value
     return data
-def __is_allowed_to_crud_item(item, permissions, crud):
-    if item["type"] not in permissions[crud].keys():
-        return None
-    restrictions = permissions[crud][item["type"]].get("restrictions", {})
+def handle_single_item_request(
+    user_context: UserContext, item, permissions, crud, request_body: dict = {}
+):
+    try:
+        item_in_storage_format, flat_item, object_lists, restrictions_schema = (
+            __prepare_item_for_permission_check(item, permissions, crud)
+        )
-    for metadata in restrictions.get("metadata", []):
-        value = get_item_metadata_value(item, metadata["key"])
-        if isinstance(value, str):
-            if value not in metadata["value"]:
-                return None
-        elif isinstance(value, list):
-            for expected_value in metadata["value"]:
-                if expected_value in value:
-                    return True
-            return None
+        is_allowed_to_crud_item = (
+            __is_allowed_to_crud_item(flat_item, restrictions_schema)
+            if flat_item
+            else None
+        )
+        if not is_allowed_to_crud_item:
+            return is_allowed_to_crud_item
+        return __is_allowed_to_crud_item_keys(
+            user_context,
+            item_in_storage_format,
+            flat_item,
+            restrictions_schema,
+            crud,
+            object_lists,
+            flatten_dict(object_lists, request_body),
+        )
+    except Exception as exception:
+        log.debug(
+            f"{exception.__class__.__name__}: {str(exception)}",
+            item.get("storage_format", item),
+        )
+        if crud != "read":
+            log.debug(f"Request body: {request_body}", {})
+        raise exception
-    for relation in restrictions.get("relations", []):
-        keys = _get_relation_keys(item, relation["key"])
-        for expected_value in relation["value"]:
-            if expected_value in keys:
-                return True
-        return None
-    for root in restrictions.get("root", []):
-        value = item[root["key"]]
-        if isinstance(value, str):
-            if value not in root["value"]:
-                return None
-        elif isinstance(value, list):
-            for expected_value in root["value"]:
-                if expected_value in value:
-                    return True
-            return None
+def mask_protected_content_post_request_hook(user_context: UserContext, permissions):
+    def __post_request_hook(response):
+        items = []
+        for item in response["results"]:
+            try:
+                (
+                    item_in_storage_format,
+                    flat_item,
+                    object_lists,
+                    restrictions_schema,
+                ) = __prepare_item_for_permission_check(item, permissions, "read")
+                if not flat_item:
+                    continue
+                __is_allowed_to_crud_item_keys(
+                    user_context,
+                    item_in_storage_format,
+                    flat_item,
+                    restrictions_schema,
+                    "read",
+                    object_lists,
+                )
+                items.append(user_context.bag["requested_item"])
+            except Exception as exception:
+                log.debug(
+                    f"{exception.__class__.__name__}: {str(exception)}",
+                    item.get("storage_format", item),
+                )
+                raise exception
+        response["results"] = items
+        return response
-    return True
+    return __post_request_hook
-def _get_relation_keys(item: dict, relation_type: str):
-    return [
-        relation["key"]
-        for relation in item["relations"]
-        if relation["type"] == relation_type
-    ]
+def __prepare_item_for_permission_check(item, permissions, crud):
+    item = deepcopy(item.get("storage_format", item))
+    if item.get("type", "") not in permissions[crud].keys():
+        return item, None, None, None
+    config = get_object_configuration_mapper().get(item["type"])
+    object_lists = config.document_info().get("object_lists", {})
+    flat_item = flatten_dict(object_lists, item)
-def __is_allowed_to_crud_item_keys(
-    user_context: UserContext, item, permissions, crud, request_body={}
-):
-    user_context.bag["soft_call_response_body"] = []
-    keys_permissions, negate_condition = __get_keys_permissions(
-        permissions[crud][item["type"]]
+    return (
+        item,
+        flat_item,
+        object_lists,
+        __get_restrictions_schema(flat_item, permissions, crud),
     )
-    if keys_permissions:
-        initial_item = deepcopy(item)
-        for key in item.keys():
-            data_key = ""
-            if key == "metadata":
-                data_key = "key"
-                (
-                    permission_key_data_map,
-                    data_value_key,
-                ) = __determine_data_per_permission_key(item, key, data_key, "value")
-            elif key == "relations":
-                data_key = "type"
-                (
-                    permission_key_data_map,
-                    data_value_key,
-                ) = __determine_data_per_permission_key(item, key, data_key, "key")
-            else:
-                (
-                    permission_key_data_map,
-                    data_value_key,
-                ) = __determine_data_per_permission_key(item, key)
-            for permission_key, data in permission_key_data_map.items():
-                if __is_not_valid_request_on_key(
-                    initial_item,
-                    keys_permissions,
-                    negate_condition,
-                    key,
-                    permission_key,
-                    data_value_key,
-                ):
-                    if crud == "read":
-                        data[data_value_key] = "[protected content]"
-                    else:
-                        if key == data_value_key:
-                            if request_body.get(key):
-                                user_context.bag["soft_call_response_body"].append(key)
-                        else:
-                            for element in request_body.get(key, []):
-                                if f"{key}.{element[data_key]}" == permission_key:
-                                    user_context.bag["soft_call_response_body"].append(
-                                        permission_key
-                                    )
-    return len(user_context.bag["soft_call_response_body"]) == 0
-def __get_keys_permissions(item_permissions):
-    if item_permissions.get("keys"):
-        negate_condition = False
-        keys_permissions = item_permissions["keys"].get("allowed_only", {})
-        if not keys_permissions:
-            negate_condition = True
-            keys_permissions = item_permissions["keys"].get("disallowed_only", {})
-        return keys_permissions, negate_condition
-    return None, None
-def __determine_data_per_permission_key(item, root_key, data_key="", data_value_key=""):
-    key_data_map = {}
-    if data_key and data_value_key:
-        for data in item[root_key]:
-            key_data_map.update({f"{root_key}.{data[data_key]}": data})
-        value_key = data_value_key
-    else:
-        key_data_map.update({root_key: item})
-        value_key = root_key
-    return key_data_map, value_key
-def __is_not_valid_request_on_key(
-    initial_item,
-    keys_permissions,
-    negate_condition,
-    root_key,
-    key,
-    data_value_key,
-):
-    if root_key == data_value_key:
-        is_in_keys_permissions = lambda: key in keys_permissions.keys()
-    else:
-        is_in_keys_permissions = (
-            lambda: key in keys_permissions.keys()
-            or f"{root_key}.*" in keys_permissions.keys()
-        )
-    if is_in_keys_permissions():
-        if __check_key_conditions_disallow_request(
-            initial_item,
-            keys_permissions.get(key, keys_permissions.get(f"{root_key}.*")),
-            negate_condition,
-        ):
-            return True
-    elif not negate_condition:
-        return True
+def __get_restrictions_schema(flat_item, permissions, crud):
+    schema_type = flat_item.get("schema.type", "elody")
+    schema_version = flat_item.get("schema.version", "1")
+    schema = f"{schema_type}:{schema_version}"
+    schemas = permissions[crud][flat_item["type"]]
+    if restrictions_schema := schemas.get(schema):
+        return restrictions_schema
+    for schema in reversed(schemas.keys()):
+        if regex.match(f"^{schema_type}:[0-9]{1,3}?$", schema):
+            break
+        schema = None
+    return schemas[schema] if schemas and schema else {}
+def __is_allowed_to_crud_item(flat_item, restrictions_schema):
+    restrictions = restrictions_schema.get("object_restrictions", {})
-    return False
+    for restricted_key, restricting_values in restrictions.items():
+        restricted_key = restricted_key.split(":")[1]
+        item_value_in_restricting_values = __item_value_in_values(
+            flat_item, restricted_key, restricting_values
+        )
+        if not item_value_in_restricting_values:
+            return None
+    return True
-def __check_key_conditions_disallow_request(
-    initial_item, key_conditions, negate_condition
+def __is_allowed_to_crud_item_keys(
+    user_context: UserContext,
+    item_in_storage_format,
+    flat_item,
+    restrictions_schema,
+    crud,
+    object_lists,
+    flat_request_body: dict = {},
 ):
-    multiple_conditions = len(key_conditions) > 1
-    return_value = False if negate_condition and len(key_conditions) == 0 else True
-    switch_return_value = False
-    for key_condition in key_conditions:
-        metadata_key, expected_value = key_condition.split("==")
-        actual_value = get_item_metadata_value(initial_item, metadata_key)
-        if isinstance(actual_value, list):
-            is_condition_met = lambda: expected_value in actual_value
-        else:
-            is_condition_met = (
-                lambda: f"{expected_value}".lower() == f"{actual_value}".lower()
+    user_context.bag["restricted_keys"] = []
+    restrictions = restrictions_schema.get("key_restrictions", {})
+    for restricted_key, restricting_conditions in restrictions.items():
+        restricted_key = restricted_key.split(":")[1]
+        condition_match = True
+        for condition_key, condition_values in restricting_conditions.items():
+            condition_match = __item_value_in_values(
+                flat_item, condition_key, condition_values, flat_request_body
+            )
+            if not condition_match:
+                break
+        if condition_match:
+            if crud == "read":
+                keys_info = interpret_flat_key(restricted_key, object_lists)
+                for info in keys_info:
+                    if info["object_list"]:
+                        element = __get_element_from_object_list_of_item(
+                            item_in_storage_format,
+                            info["key"],
+                            info["object_key"],
+                            object_lists,
+                        )
+                        item_in_storage_format[info["key"]].remove(element)
+                        break
+                else:
+                    try:
+                        del item_in_storage_format[keys_info[0]["key"]][
+                            keys_info[1]["key"]
+                        ]
+                    except KeyError:
+                        pass
+            else:
+                if flat_request_body.get(restricted_key):
+                    user_context.bag["restricted_keys"].append(restricted_key)
+    user_context.bag["requested_item"] = item_in_storage_format
+    return len(user_context.bag["restricted_keys"]) == 0
+def __item_value_in_values(flat_item, key, values: list, flat_request_body: dict = {}):
+    negate_condition = False
+    is_optional = False
+    if key[0] == "!":
+        key = key[1:]
+        negate_condition = True
+    if key[0] == "?":
+        key = key[1:]
+        is_optional = True
+    try:
+        item_value = flat_request_body.get(key, flat_item[key])
+    except KeyError:
+        if not is_optional:
+            raise Exception(
+                f"{get_error_code(ErrorCode.METADATA_KEY_UNDEFINED, get_read())} | key:{key} | document:{flat_item.get('_id', flat_item["type"])} - Key {key} not found in document {flat_item.get('_id', flat_item["type"])}. Either prefix the key with '?' in your permission configuration to make it an optional restriction, or patch the document to include the key. '?' will allow access if key does not exist, '!?' will deny access if key does not exist."
             )
+        return not negate_condition
+    expected_values = []
+    for value in values:
+        if flat_item_key_value := flat_item.get(value):
+            value = flat_item_key_value
+        if isinstance(value, list):
+            expected_values.extend(value)
+        else:
+            expected_values.append(value)
+    if isinstance(item_value, (str, int, float, bool)):
+        if negate_condition:
+            return item_value not in expected_values
+        else:
+            return item_value in expected_values
+    elif isinstance(item_value, list):
+        for expected_value in expected_values:
+            if expected_value in item_value:
+                return True != negate_condition
+        return False != negate_condition
-        if is_condition_met():
-            if negate_condition:
-                if not multiple_conditions:
-                    return return_value
-                elif not switch_return_value:
-                    return_value = not return_value
-                    switch_return_value = True
-        elif not negate_condition:
-            return return_value
-        elif switch_return_value:
-            return False
-    return not return_value
+    raise Exception(f"Invalid item_value: {item_value}")
+def __get_element_from_object_list_of_item(
+    item: dict, object_list: str, key: str, object_lists: dict
+):
+    for element in item[object_list]:
+        if element[object_lists[object_list]] == key:
+            return element
+    return {}

elody 0.0.62__py3-none-any.whl → 0.0.162__py3-none-any.whl

elody 0.0.62py3-none-any.whl → 0.0.162py3-none-any.whl