elody 0.0.63__py3-none-any.whl → 0.0.162__py3-none-any.whl

elody/policies/authorization/generic_object_request_policy.py

@@ -1,10 +1,13 @@
 import re as regex
 
+from elody.policies.helpers import get_content
+from configuration import get_object_configuration_mapper  # pyright: ignore
 from elody.policies.permission_handler import (
     get_permissions,
-    get_mask_protected_content_post_request_hook,
+    handle_single_item_request,
+    mask_protected_content_post_request_hook,
 )
-from elody.util import get_item_metadata_value
+from elody.util import interpret_flat_key
 from flask import Request  # pyright: ignore
 from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
 from inuits_policy_based_auth.contexts.policy_context import (  # pyright: ignore
@@ -20,9 +23,7 @@ class GenericObjectRequestPolicy(BaseAuthorizationPolicy):
         self, policy_context: PolicyContext, user_context: UserContext, request_context
     ):
         request: Request = request_context.http_request
-        if not user_context.auth_objects.get("token") or not regex.match(
-            "^/[^/]+$|^/ngsi-ld/v1/entities$", request.path
-        ):
+        if not regex.match("^(/[^/]+/v[0-9]+)?/[^/]+$", request.path):
             return policy_context
 
         for role in user_context.x_tenant.roles:
@@ -37,7 +38,7 @@ class GenericObjectRequestPolicy(BaseAuthorizationPolicy):
                 if access_verdict != None:
                     policy_context.access_verdict = access_verdict
                     if not policy_context.access_verdict:
-                        return policy_context
+                        break
 
             if policy_context.access_verdict:
                 return policy_context
@@ -46,25 +47,20 @@ class GenericObjectRequestPolicy(BaseAuthorizationPolicy):
 
 
 class PostRequestRules:
-    def apply(self, _, request: Request, permissions) -> bool | None:
+    def apply(
+        self, user_context: UserContext, request: Request, permissions
+    ) -> bool | None:
         if request.method != "POST":
             return None
-
-        item = request.json or {}
-        if item["type"] in permissions["create"].keys():
-            restrictions = permissions["create"][item["type"]].get("restrictions", {})
-            for metadata in restrictions.get("metadata", []):
-                value = get_item_metadata_value(item, metadata["key"])
-                if isinstance(value, str):
-                    if value not in metadata["value"]:
-                        return None
-                elif isinstance(value, list):
-                    for expected_value in metadata["value"]:
-                        if expected_value not in value:
-                            return None
+        if request.args.get("dry_run", False):
+            return True
+        if regex.match(r"^/batch?$", request.path):
             return True
 
-        return None
+        content = get_content(request.json, request, request.json)
+        return handle_single_item_request(
+            user_context, request.json, permissions, "create", content
+        )
 
 
 class GetRequestRules:
@@ -73,45 +69,27 @@ class GetRequestRules:
     ) -> bool | None:
         if request.method != "GET":
             return None
-
-        type_query_parameter = request.args.get("type")
+        type_query_parameter = (
+            "mediafile"
+            if regex.match(r"^/mediafiles(?:\?(.*))?$", request.path)
+            else request.args.get("type")
+        )
         allowed_item_types = list(permissions["read"].keys())
         filters = []
 
         if type_query_parameter:
             if type_query_parameter in allowed_item_types:
+                config = get_object_configuration_mapper().get(type_query_parameter)
+                object_lists = config.document_info()["object_lists"]
+
                 restrictions = permissions["read"][type_query_parameter].get(
-                    "restrictions", {}
+                    "object_restrictions", {}
                 )
-                for parent_key in restrictions.keys():
-                    all_matches = []
-                    if parent_key == "metadata":
-                        for metadata in restrictions[parent_key]:
-                            all_matches.append(
-                                {
-                                    "$elemMatch": {
-                                        "key": metadata["key"],
-                                        "value": {"$in": metadata["value"]},
-                                    }
-                                }
-                            )
-                        filters.append({parent_key: {"$all": all_matches}})
-                    elif parent_key == "relations":
-                        for relation in restrictions[parent_key]:
-                            all_matches.append(
-                                {
-                                    "$elemMatch": {
-                                        "type": relation["key"],
-                                        "key": {"$in": relation["value"]},
-                                    }
-                                }
-                            )
-                        filters.append({parent_key: {"$all": all_matches}})
-                    elif parent_key == "root":
-                        for restriction in restrictions[parent_key]:
-                            filters.append(
-                                {restriction["key"]: {"$in": restriction["value"]}}
-                            )
+                for key, value in restrictions.items():
+                    keys_info = interpret_flat_key(key, object_lists)
+                    filters.append(
+                        _build_nested_matcher(object_lists, keys_info, value)
+                    )
             else:
                 return None
         else:
@@ -123,7 +101,10 @@ class GetRequestRules:
                             "key": user_context.bag.get(
                                 "tenant_defining_entity_id", user_context.x_tenant.id
                             ),
-                            "type": user_context.bag["tenant_relation_type"],
+                            "type": [
+                                user_context.bag["tenant_relation_type"],
+                                "belongsTo",
+                            ],
                         }
                     }
                 },
@@ -131,6 +112,26 @@ class GetRequestRules:
 
         user_context.access_restrictions.filters = filters
         user_context.access_restrictions.post_request_hook = (
-            get_mask_protected_content_post_request_hook(user_context, permissions)
+            mask_protected_content_post_request_hook(user_context, permissions)
         )
         return True
+
+
+def _build_nested_matcher(object_lists, keys_info, value, index=0):
+    info = keys_info[index]
+
+    if info["object_list"]:
+        nested_matcher = _build_nested_matcher(
+            object_lists, keys_info, value, index + 1
+        )
+        elem_match = {
+            "$elemMatch": {
+                object_lists[info["key"]]: info["object_key"],
+                keys_info[index + 1]["key"]: nested_matcher,
+            }
+        }
+        return elem_match if index > 0 else {info["key"]: elem_match}
+
+    if isinstance(value, list):
+        value = {"$in": value}
+    return value if index > 0 else {info["key"]: value}

elody/policies/authorization/generic_object_request_policy_v2.py

@@ -0,0 +1,133 @@
+import re as regex
+
+from configuration import get_object_configuration_mapper  # pyright: ignore
+from elody.policies.helpers import get_content
+from elody.policies.permission_handler import (
+    get_permissions,
+    handle_single_item_request,
+    mask_protected_content_post_request_hook,
+)
+from flask import Request  # pyright: ignore
+from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
+from inuits_policy_based_auth.contexts.policy_context import (  # pyright: ignore
+    PolicyContext,
+)
+from inuits_policy_based_auth.contexts.user_context import (  # pyright: ignore
+    UserContext,
+)
+
+
+class GenericObjectRequestPolicyV2(BaseAuthorizationPolicy):
+    def authorize(
+        self, policy_context: PolicyContext, user_context: UserContext, request_context
+    ):
+        request: Request = request_context.http_request
+        if not regex.match("^(/[^/]+/v[0-9]+)?/[^/]+$", request.path):
+            return policy_context
+
+        for role in user_context.x_tenant.roles:
+            permissions = get_permissions(role, user_context)
+            if not permissions:
+                continue
+
+            rules = [PostRequestRules, GetRequestRules]
+            access_verdict = None
+            for rule in rules:
+                access_verdict = rule().apply(user_context, request, permissions)
+                if access_verdict != None:
+                    policy_context.access_verdict = access_verdict
+                    if not policy_context.access_verdict:
+                        break
+
+            if policy_context.access_verdict:
+                return policy_context
+
+        return policy_context
+
+
+class PostRequestRules:
+    def apply(
+        self, user_context: UserContext, request: Request, permissions
+    ) -> bool | None:
+        if request.method != "POST":
+            return None
+
+        content = get_content(request.json, request, request.json)
+        schema_type = get_object_configuration_mapper().get(content["type"]).SCHEMA_TYPE
+        item = {**content, "schema": {"type": schema_type}}
+        return handle_single_item_request(
+            user_context, item, permissions, "create", content
+        )
+
+
+class GetRequestRules:
+    def apply(
+        self, user_context: UserContext, request: Request, permissions
+    ) -> bool | None:
+        if request.method != "GET":
+            return None
+
+        type_query_parameter = request.args.get("type")
+        allowed_item_types = list(permissions["read"].keys())
+        filters = []
+
+        if type_query_parameter:
+            if type_query_parameter not in allowed_item_types:
+                return None
+            type_permissions = permissions["read"][type_query_parameter]
+            schemas = list(type_permissions.keys())
+            if len(schemas) > 0:
+                number_of_object_restrictions = len(
+                    type_permissions[schemas[0]].get("object_restrictions", {}).keys()
+                )
+                for i in range(number_of_object_restrictions):
+                    keys, values = [], []
+                    for schema in schemas:
+                        object_restrictions = type_permissions[schema].get(
+                            "object_restrictions", {}
+                        )
+                        key = [
+                            key
+                            for key in object_restrictions.keys()
+                            if key.startswith(f"{i}:")
+                        ][0]
+                        keys.append(f"{schema}|{key.split(':')[1]}")
+                        values = object_restrictions[key]
+                    filters.append(
+                        {
+                            "type": "selection",
+                            "key": keys,
+                            "value": values,
+                            "match_exact": True,
+                        }
+                    )
+            filters.insert(0, {"type": "type", "value": type_query_parameter})
+        else:
+            filters.append(
+                {
+                    "type": "selection",
+                    "key": "type",
+                    "value": allowed_item_types,
+                    "match_exact": True,
+                }
+            )
+            if tenant_relation_type := user_context.bag.get("tenant_relation_type"):
+                filters.append(
+                    {
+                        "type": "selection",
+                        "key": tenant_relation_type,
+                        "value": [
+                            "tenant:super",
+                            user_context.bag.get(
+                                "tenant_defining_entity_id", user_context.x_tenant.id
+                            ),
+                        ],
+                        "match_exact": True,
+                    }
+                )
+
+        user_context.access_restrictions.filters = filters
+        user_context.access_restrictions.post_request_hook = (
+            mask_protected_content_post_request_hook(user_context, permissions)
+        )
+        return True

elody/policies/authorization/mediafile_derivatives_policy.py

@@ -0,0 +1,92 @@
+import re as regex
+
+from elody.error_codes import ErrorCode, get_error_code, get_read, get_write
+from elody.policies.permission_handler import (
+    get_permissions,
+    handle_single_item_request,
+)
+from flask import Request  # pyright: ignore
+from flask_restful import abort  # pyright: ignore
+from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
+from inuits_policy_based_auth.contexts.policy_context import (  # pyright: ignore
+    PolicyContext,
+)
+from inuits_policy_based_auth.contexts.user_context import (  # pyright: ignore
+    UserContext,
+)
+from storage.storagemanager import StorageManager  # pyright: ignore
+
+
+class MediafileDerivativesPolicy(BaseAuthorizationPolicy):
+    def authorize(
+        self, policy_context: PolicyContext, user_context: UserContext, request_context
+    ):
+        request: Request = request_context.http_request
+        if not regex.match(r"^/mediafiles/(.+)/derivatives$", request.path):
+            return policy_context
+
+        view_args = request.view_args or {}
+        collection = view_args.get("collection", request.path.split("/")[-3])
+        id = view_args.get("id")
+        item = (
+            StorageManager()
+            .get_db_engine()
+            .get_item_from_collection_by_id(collection, id)
+        )
+        if not item:
+            abort(
+                404,
+                message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND_IN_COLLECTION, get_read())} | id:{id} | collection: {collection} - Item with id {id} doesn't exist in collection {collection}",
+            )
+
+        for role in user_context.x_tenant.roles:
+            permissions = get_permissions(role, user_context)
+            if not permissions:
+                continue
+
+            rules = [
+                PostRequestRules,
+                GetRequestRules,
+            ]
+            access_verdict = None
+            for rule in rules:
+                access_verdict = rule().apply(item, user_context, request, permissions)
+                if access_verdict != None:
+                    policy_context.access_verdict = access_verdict
+                    if not policy_context.access_verdict:
+                        break
+
+            if policy_context.access_verdict:
+                return policy_context
+
+        return policy_context
+
+
+class PostRequestRules:
+    def apply(
+        self, item, user_context: UserContext, request: Request, permissions
+    ) -> bool | None:
+        if request.method != "POST":
+            return None
+
+        return handle_single_item_request(user_context, item, permissions, "create")
+
+
+class GetRequestRules:
+    def apply(
+        self, item, user_context: UserContext, request: Request, permissions
+    ) -> bool | None:
+        if request.method != "GET":
+            return None
+
+        return handle_single_item_request(user_context, item, permissions, "read")
+
+
+class DeleteRequestRules:
+    def apply(
+        self, item, user_context: UserContext, request: Request, permissions
+    ) -> bool | None:
+        if request.method != "DELETE":
+            return None
+
+        return handle_single_item_request(user_context, item, permissions, "delete")

elody/policies/authorization/mediafile_download_policy.py

@@ -0,0 +1,71 @@
+import re as regex
+
+from elody.error_codes import ErrorCode, get_error_code, get_read
+from elody.policies.permission_handler import (
+    get_permissions,
+    handle_single_item_request,
+)
+from flask import Request  # pyright: ignore
+from flask_restful import abort  # pyright: ignore
+from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
+from inuits_policy_based_auth.contexts.policy_context import (  # pyright: ignore
+    PolicyContext,
+)
+from inuits_policy_based_auth.contexts.user_context import (  # pyright: ignore
+    UserContext,
+)
+from storage.storagemanager import StorageManager  # pyright: ignore
+
+
+class MediafileDownloadPolicy(BaseAuthorizationPolicy):
+    def authorize(
+        self, policy_context: PolicyContext, user_context: UserContext, request_context
+    ):
+        request: Request = request_context.http_request
+        if not regex.match(r"^/mediafiles/(.+)/download$", request.path):
+            return policy_context
+
+        view_args = request.view_args or {}
+        collection = view_args.get("collection", request.path.split("/")[-3])
+        id = view_args.get("id")
+        item = (
+            StorageManager()
+            .get_db_engine()
+            .get_item_from_collection_by_id(collection, id)
+        )
+        if not item:
+            abort(
+                404,
+                message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND_IN_COLLECTION, get_read())} | id:{id} | collection:{collection} - Item with id {id} doesn't exist in collection {collection}",
+            )
+
+        for role in user_context.x_tenant.roles:
+            permissions = get_permissions(role, user_context)
+            if not permissions:
+                continue
+
+            rules = [
+                GetRequestRules,
+            ]
+            access_verdict = None
+            for rule in rules:
+                access_verdict = rule().apply(item, user_context, request, permissions)
+                if access_verdict != None:
+                    policy_context.access_verdict = access_verdict
+                    if not policy_context.access_verdict:
+                        break
+
+            if policy_context.access_verdict:
+                return policy_context
+
+        return policy_context
+
+
+class GetRequestRules:
+    def apply(
+        self, item, user_context: UserContext, request: Request, permissions
+    ) -> bool | None:
+        if request.method != "GET":
+            return None
+
+        return handle_single_item_request(user_context, item, permissions, "read")

elody/policies/authorization/multi_tenant_policy.py

@@ -1,3 +1,5 @@
+from elody.error_codes import ErrorCode, get_error_code, get_read, get_write
+from configuration import get_collection_mapper
 from flask_restful import abort
 from inuits_policy_based_auth import BaseAuthorizationPolicy, RequestContext
 from inuits_policy_based_auth.contexts import UserContext, PolicyContext
@@ -41,18 +43,24 @@ class MultiTenantPolicy(BaseAuthorizationPolicy):
         policy_context.access_verdict = True
         if item_id:
             storage = StorageManager().get_db_engine()
-            collection = request.path.split("/")[1]
+            request_name = request.path.split("/")[1]
+            collection = get_collection_mapper().get(request_name, request_name)
             item = storage.get_item_from_collection_by_id(collection, item_id)
             if not item:
                 abort(
                     404,
-                    message=f"Item with id {id} doesn't exist in collection {collection}",
+                    message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND_IN_COLLECTION, get_read())} | id:{id} | collection:{collection} - Item with id {id} doesn't exist in collection {collection}",
                 )
             item_relations = storage.get_collection_item_relations(collection, item_id)
-            if not any(
-                x
-                for x in item_relations
-                if x["type"] == "isIn" and x["key"] == user_context.x_tenant.raw["_id"]
+            if (
+                item.get("type") != "ticket"
+                and not any(
+                    x
+                    for x in item_relations
+                    if x["type"] == "isIn"
+                    and x["key"] == user_context.x_tenant.raw["_id"]
+                )
+                and collection != "mediafiles"
             ):
                 policy_context.access_verdict = False
         if "/filter" in request.path:

elody/policies/authorization/tenant_request_policy.py

@@ -1,3 +1,5 @@
+import re as regex
+
 from elody.policies.permission_handler import get_permissions
 from flask import Request  # pyright: ignore
 from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
@@ -6,7 +8,7 @@ from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
 class TenantRequestPolicy(BaseAuthorizationPolicy):
     def authorize(self, policy_context, user_context, request_context):
         request: Request = request_context.http_request
-        if not user_context.auth_objects.get("token") or request.path != "/tenants":
+        if not regex.match("^(/[^/]+/v[0-9]+)?/tenants$", request.path):
             return policy_context
 
         set_restricting_filter = True

elody/policies/helpers.py

@@ -0,0 +1,37 @@
+from elody.error_codes import ErrorCode, get_error_code, get_read
+from configuration import get_object_configuration_mapper  # pyright: ignore
+from flask_restful import abort  # pyright: ignore
+from serialization.serialize import serialize  # pyright: ignore
+
+
+def get_content(item, request, content):
+    return serialize(
+        content,
+        type=item.get("type"),
+        from_format=serialize.get_format(
+            (request.view_args or {}).get("spec", "elody"), request.args
+        ),
+        to_format=get_object_configuration_mapper().get(item["type"]).SCHEMA_TYPE,
+    )
+
+
+def get_item(storage_manager, user_context_bag, view_args):
+    view_args = view_args or {}
+    id = view_args.get("id")
+    resolve_collections = user_context_bag.get("collection_resolver")
+    if not resolve_collections:
+        abort(
+            403,
+            message=f"{get_error_code(ErrorCode.UNDEFINED_COLLECTION_RESOLVER, get_read())} - Collection resolver not defined for user.",
+        )
+    collections = resolve_collections(collection=view_args.get("collection"), id=id)
+    for collection in collections:
+        if item := storage_manager.get_db_engine().get_item_from_collection_by_id(
+            collection, id
+        ):
+            return item
+    else:
+        abort(
+            404,
+            message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND, get_read())} | id:{id} - Item with id {id} does not exist.",
+        )