elody 0.0.63__py3-none-any.whl → 0.0.163__py3-none-any.whl

elody/policies/authorization/multi_tenant_policy.py

@@ -1,3 +1,5 @@
+from elody.error_codes import ErrorCode, get_error_code, get_read, get_write
+from configuration import get_collection_mapper
 from flask_restful import abort
 from inuits_policy_based_auth import BaseAuthorizationPolicy, RequestContext
 from inuits_policy_based_auth.contexts import UserContext, PolicyContext
@@ -41,18 +43,24 @@ class MultiTenantPolicy(BaseAuthorizationPolicy):
         policy_context.access_verdict = True
         if item_id:
             storage = StorageManager().get_db_engine()
-            collection = request.path.split("/")[1]
+            request_name = request.path.split("/")[1]
+            collection = get_collection_mapper().get(request_name, request_name)
             item = storage.get_item_from_collection_by_id(collection, item_id)
             if not item:
                 abort(
                     404,
-                    message=f"Item with id {id} doesn't exist in collection {collection}",
+                    message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND_IN_COLLECTION, get_read())} | id:{id} | collection:{collection} - Item with id {id} doesn't exist in collection {collection}",
                 )
             item_relations = storage.get_collection_item_relations(collection, item_id)
-            if not any(
-                x
-                for x in item_relations
-                if x["type"] == "isIn" and x["key"] == user_context.x_tenant.raw["_id"]
+            if (
+                item.get("type") != "ticket"
+                and not any(
+                    x
+                    for x in item_relations
+                    if x["type"] == "isIn"
+                    and x["key"] == user_context.x_tenant.raw["_id"]
+                )
+                and collection != "mediafiles"
             ):
                 policy_context.access_verdict = False
         if "/filter" in request.path:

elody/policies/authorization/tenant_request_policy.py

@@ -1,3 +1,5 @@
+import re as regex
+
 from elody.policies.permission_handler import get_permissions
 from flask import Request  # pyright: ignore
 from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
@@ -6,7 +8,7 @@ from inuits_policy_based_auth import BaseAuthorizationPolicy  # pyright: ignore
 class TenantRequestPolicy(BaseAuthorizationPolicy):
     def authorize(self, policy_context, user_context, request_context):
         request: Request = request_context.http_request
-        if not user_context.auth_objects.get("token") or request.path != "/tenants":
+        if not regex.match("^(/[^/]+/v[0-9]+)?/tenants$", request.path):
             return policy_context
 
         set_restricting_filter = True

elody/policies/helpers.py

@@ -0,0 +1,37 @@
+from elody.error_codes import ErrorCode, get_error_code, get_read
+from configuration import get_object_configuration_mapper  # pyright: ignore
+from flask_restful import abort  # pyright: ignore
+from serialization.serialize import serialize  # pyright: ignore
+
+
+def get_content(item, request, content):
+    return serialize(
+        content,
+        type=item.get("type"),
+        from_format=serialize.get_format(
+            (request.view_args or {}).get("spec", "elody"), request.args
+        ),
+        to_format=get_object_configuration_mapper().get(item["type"]).SCHEMA_TYPE,
+    )
+
+
+def get_item(storage_manager, user_context_bag, view_args):
+    view_args = view_args or {}
+    id = view_args.get("id")
+    resolve_collections = user_context_bag.get("collection_resolver")
+    if not resolve_collections:
+        abort(
+            403,
+            message=f"{get_error_code(ErrorCode.UNDEFINED_COLLECTION_RESOLVER, get_read())} - Collection resolver not defined for user.",
+        )
+    collections = resolve_collections(collection=view_args.get("collection"), id=id)
+    for collection in collections:
+        if item := storage_manager.get_db_engine().get_item_from_collection_by_id(
+            collection, id
+        ):
+            return item
+    else:
+        abort(
+            404,
+            message=f"{get_error_code(ErrorCode.ITEM_NOT_FOUND, get_read())} | id:{id} - Item with id {id} does not exist.",
+        )

elody/policies/permission_handler.py

@@ -1,61 +1,34 @@
+import re as regex
+
+from configuration import get_object_configuration_mapper  # pyright: ignore
 from copy import deepcopy
-from elody.util import get_item_metadata_value
+from elody.error_codes import ErrorCode, get_error_code, get_read
+from elody.util import flatten_dict, interpret_flat_key
 from inuits_policy_based_auth.contexts.user_context import UserContext
+from logging_elody.log import log  # pyright: ignore
 
 
 _permissions = {}
+_placeholders = ["X_TENANT_ID", "TENANT_DEFINING_ENTITY_ID"]
 
 
-def set_permissions(permissions: dict):
+def set_permissions(permissions: dict, placeholders: list[str] = []):
     global _permissions
     _permissions = permissions
+    _placeholders.extend(placeholders)
 
 
 def get_permissions(role: str, user_context: UserContext):
     permissions = deepcopy(_permissions)
-    placeholders = ["X_TENANT_ID", "TENANT_DEFINING_ENTITY_ID"]
 
-    for placeholder in placeholders:
+    for placeholder_key in _placeholders:
+        placeholder_value = user_context.bag.get(placeholder_key.lower())
         permissions = __replace_permission_placeholders(
-            permissions, placeholder, user_context.bag[placeholder.lower()]
+            permissions, placeholder_key, placeholder_value
         )
     return permissions.get(role, {})  # pyright: ignore
 
 
-def handle_single_item_request(
-    user_context: UserContext, item, permissions, crud, request_body={}
-):
-    is_allowed_to_crud_item = __is_allowed_to_crud_item(item, permissions, crud)
-    if not is_allowed_to_crud_item:
-        return is_allowed_to_crud_item
-
-    return __is_allowed_to_crud_item_keys(
-        user_context, item, permissions, crud, request_body
-    )
-
-
-def get_mask_protected_content_post_request_hook(
-    user_context: UserContext, permissions, item_type=None
-):
-    def __post_request_hook(
-        response, *, is_single_item_response=False, single_item_sub_route_key=""
-    ):
-        if is_single_item_response:
-            if single_item_sub_route_key in ["metadata", "relations"]:
-                items = [{single_item_sub_route_key: response[0], "type": item_type}]
-            else:
-                items = [response[0]]
-        else:
-            items = response[0]["results"]
-
-        for item in items:
-            __is_allowed_to_crud_item_keys(user_context, item, permissions, "read")
-
-        return response
-
-    return __post_request_hook
-
-
 def __replace_permission_placeholders(data, placeholder_key, placeholder_value):
     if isinstance(data, dict):
         for key, value in data.items():
@@ -68,183 +41,228 @@ def __replace_permission_placeholders(data, placeholder_key, placeholder_value):
             for item in data
         ]
     elif isinstance(data, str):
-        data = data.replace(placeholder_key, placeholder_value)
+        if isinstance(placeholder_value, str):
+            data = data.replace(placeholder_key, placeholder_value)
+        elif isinstance(placeholder_value, list) and data == placeholder_key:
+            data = placeholder_value
     return data
 
 
-def __is_allowed_to_crud_item(item, permissions, crud):
-    if item["type"] not in permissions[crud].keys():
-        return None
+def handle_single_item_request(
+    user_context: UserContext, item, permissions, crud, request_body: dict = {}
+):
+    try:
+        item_in_storage_format, flat_item, object_lists, restrictions_schema = (
+            __prepare_item_for_permission_check(item, permissions, crud)
+        )
 
-    restrictions = permissions[crud][item["type"]].get("restrictions", {})
+        is_allowed_to_crud_item = (
+            __is_allowed_to_crud_item(flat_item, restrictions_schema)
+            if flat_item
+            else None
+        )
+        if not is_allowed_to_crud_item:
+            return is_allowed_to_crud_item
+
+        return __is_allowed_to_crud_item_keys(
+            user_context,
+            item_in_storage_format,
+            flat_item,
+            restrictions_schema,
+            crud,
+            object_lists,
+            flatten_dict(object_lists, request_body),
+        )
+    except Exception as exception:
+        log.debug(
+            f"{exception.__class__.__name__}: {str(exception)}",
+            item.get("storage_format", item),
+        )
+        if crud != "read":
+            log.debug(f"Request body: {request_body}", {})
+        raise exception
 
-    for metadata in restrictions.get("metadata", []):
-        value = get_item_metadata_value(item, metadata["key"])
-        if isinstance(value, str):
-            if value not in metadata["value"]:
-                return None
-        elif isinstance(value, list):
-            for expected_value in metadata["value"]:
-                if expected_value in value:
-                    return True
-            return None
 
-    for relation in restrictions.get("relations", []):
-        keys = _get_relation_keys(item, relation["key"])
-        for expected_value in relation["value"]:
-            if expected_value in keys:
-                return True
-        return None
+def mask_protected_content_post_request_hook(user_context: UserContext, permissions):
+    def __post_request_hook(response):
+        items = []
+        for item in response["results"]:
+            try:
+                (
+                    item_in_storage_format,
+                    flat_item,
+                    object_lists,
+                    restrictions_schema,
+                ) = __prepare_item_for_permission_check(item, permissions, "read")
+                if not flat_item:
+                    continue
+
+                __is_allowed_to_crud_item_keys(
+                    user_context,
+                    item_in_storage_format,
+                    flat_item,
+                    restrictions_schema,
+                    "read",
+                    object_lists,
+                )
+                items.append(user_context.bag["requested_item"])
+            except Exception as exception:
+                log.debug(
+                    f"{exception.__class__.__name__}: {str(exception)}",
+                    item.get("storage_format", item),
+                )
+                raise exception
+
+        response["results"] = items
+        return response
 
-    return True
+    return __post_request_hook
 
 
-def _get_relation_keys(item: dict, relation_type: str):
-    return [
-        relation["key"]
-        for relation in item["relations"]
-        if relation["type"] == relation_type
-    ]
+def __prepare_item_for_permission_check(item, permissions, crud):
+    item = deepcopy(item.get("storage_format", item))
+    if item.get("type", "") not in permissions[crud].keys():
+        return item, None, None, None
 
+    config = get_object_configuration_mapper().get(item["type"])
+    object_lists = config.document_info().get("object_lists", {})
+    flat_item = flatten_dict(object_lists, item)
 
-def __is_allowed_to_crud_item_keys(
-    user_context: UserContext, item, permissions, crud, request_body={}
-):
-    user_context.bag["soft_call_response_body"] = []
-    keys_permissions, negate_condition = __get_keys_permissions(
-        permissions[crud][item["type"]]
+    return (
+        item,
+        flat_item,
+        object_lists,
+        __get_restrictions_schema(flat_item, permissions, crud),
     )
 
-    if keys_permissions:
-        initial_item = deepcopy(item)
-        for key in item.keys():
-            data_key = ""
-            if key == "metadata":
-                data_key = "key"
-                (
-                    permission_key_data_map,
-                    data_value_key,
-                ) = __determine_data_per_permission_key(item, key, data_key, "value")
-            elif key == "relations":
-                data_key = "type"
-                (
-                    permission_key_data_map,
-                    data_value_key,
-                ) = __determine_data_per_permission_key(item, key, data_key, "key")
-            else:
-                (
-                    permission_key_data_map,
-                    data_value_key,
-                ) = __determine_data_per_permission_key(item, key)
-
-            for permission_key, data in permission_key_data_map.items():
-                if __is_not_valid_request_on_key(
-                    initial_item,
-                    keys_permissions,
-                    negate_condition,
-                    key,
-                    permission_key,
-                    data_value_key,
-                ):
-                    if crud == "read":
-                        data[data_value_key] = "[protected content]"
-                    else:
-                        if key == data_value_key:
-                            if request_body.get(key):
-                                user_context.bag["soft_call_response_body"].append(key)
-                        else:
-                            for element in request_body.get(key, []):
-                                if f"{key}.{element[data_key]}" == permission_key:
-                                    user_context.bag["soft_call_response_body"].append(
-                                        permission_key
-                                    )
-
-    return len(user_context.bag["soft_call_response_body"]) == 0
-
-
-def __get_keys_permissions(item_permissions):
-    if item_permissions.get("keys"):
-        negate_condition = False
-        keys_permissions = item_permissions["keys"].get("allowed_only", {})
-        if not keys_permissions:
-            negate_condition = True
-            keys_permissions = item_permissions["keys"].get("disallowed_only", {})
-
-        return keys_permissions, negate_condition
-
-    return None, None
-
-
-def __determine_data_per_permission_key(item, root_key, data_key="", data_value_key=""):
-    key_data_map = {}
-
-    if data_key and data_value_key:
-        for data in item[root_key]:
-            key_data_map.update({f"{root_key}.{data[data_key]}": data})
-        value_key = data_value_key
-    else:
-        key_data_map.update({root_key: item})
-        value_key = root_key
-
-    return key_data_map, value_key
-
-
-def __is_not_valid_request_on_key(
-    initial_item,
-    keys_permissions,
-    negate_condition,
-    root_key,
-    key,
-    data_value_key,
-):
-    if root_key == data_value_key:
-        is_in_keys_permissions = lambda: key in keys_permissions.keys()
-    else:
-        is_in_keys_permissions = (
-            lambda: key in keys_permissions.keys()
-            or f"{root_key}.*" in keys_permissions.keys()
-        )
 
-    if is_in_keys_permissions():
-        if __check_key_conditions_disallow_request(
-            initial_item,
-            keys_permissions.get(key, keys_permissions.get(f"{root_key}.*")),
-            negate_condition,
-        ):
-            return True
-    elif not negate_condition:
-        return True
+def __get_restrictions_schema(flat_item, permissions, crud):
+    schema_type = flat_item.get("schema.type", "elody")
+    schema_version = flat_item.get("schema.version", "1")
+    schema = f"{schema_type}:{schema_version}"
+
+    schemas = permissions[crud][flat_item["type"]]
+    if restrictions_schema := schemas.get(schema):
+        return restrictions_schema
+
+    for schema in reversed(schemas.keys()):
+        if regex.match(f"^{schema_type}:[0-9]{1,3}?$", schema):
+            break
+        schema = None
+    return schemas[schema] if schemas and schema else {}
 
-    return False
 
+def __is_allowed_to_crud_item(flat_item, restrictions_schema):
+    restrictions = restrictions_schema.get("object_restrictions", {})
+
+    for restricted_key, restricting_values in restrictions.items():
+        restricted_key = restricted_key.split(":")[1]
+        item_value_in_restricting_values = __item_value_in_values(
+            flat_item, restricted_key, restricting_values
+        )
+        if not item_value_in_restricting_values:
+            return None
 
-def __check_key_conditions_disallow_request(
-    initial_item, key_conditions, negate_condition
+    return True
+
+
+def __is_allowed_to_crud_item_keys(
+    user_context: UserContext,
+    item_in_storage_format,
+    flat_item,
+    restrictions_schema,
+    crud,
+    object_lists,
+    flat_request_body: dict = {},
 ):
-    multiple_conditions = len(key_conditions) > 1
-    return_value = False if negate_condition and len(key_conditions) == 0 else True
-    switch_return_value = False
-
-    for key_condition in key_conditions:
-        metadata_key, expected_value = key_condition.split("==")
-        actual_value = get_item_metadata_value(initial_item, metadata_key)
-        if isinstance(actual_value, list):
-            is_condition_met = lambda: expected_value in actual_value
-        else:
-            is_condition_met = (
-                lambda: f"{expected_value}".lower() == f"{actual_value}".lower()
+    user_context.bag["restricted_keys"] = []
+    restrictions = restrictions_schema.get("key_restrictions", {})
+
+    for restricted_key, restricting_conditions in restrictions.items():
+        restricted_key = restricted_key.split(":")[1]
+        condition_match = True
+        for condition_key, condition_values in restricting_conditions.items():
+            condition_match = __item_value_in_values(
+                flat_item, condition_key, condition_values, flat_request_body
+            )
+            if not condition_match:
+                break
+
+        if condition_match:
+            if crud == "read":
+                keys_info = interpret_flat_key(restricted_key, object_lists)
+                for info in keys_info:
+                    if info["object_list"]:
+                        element = __get_element_from_object_list_of_item(
+                            item_in_storage_format,
+                            info["key"],
+                            info["object_key"],
+                            object_lists,
+                        )
+                        item_in_storage_format[info["key"]].remove(element)
+                        break
+                else:
+                    try:
+                        del item_in_storage_format[keys_info[0]["key"]][
+                            keys_info[1]["key"]
+                        ]
+                    except KeyError:
+                        pass
+            else:
+                if flat_request_body.get(restricted_key):
+                    user_context.bag["restricted_keys"].append(restricted_key)
+
+    user_context.bag["requested_item"] = item_in_storage_format
+    return len(user_context.bag["restricted_keys"]) == 0
+
+
+def __item_value_in_values(flat_item, key, values: list, flat_request_body: dict = {}):
+    negate_condition = False
+    is_optional = False
+
+    if key[0] == "!":
+        key = key[1:]
+        negate_condition = True
+    if key[0] == "?":
+        key = key[1:]
+        is_optional = True
+
+    try:
+        item_value = flat_request_body.get(key, flat_item[key])
+    except KeyError:
+        if not is_optional:
+            raise Exception(
+                f"{get_error_code(ErrorCode.METADATA_KEY_UNDEFINED, get_read())} | key:{key} | document:{flat_item.get('_id', flat_item["type"])} - Key {key} not found in document {flat_item.get('_id', flat_item["type"])}. Either prefix the key with '?' in your permission configuration to make it an optional restriction, or patch the document to include the key. '?' will allow access if key does not exist, '!?' will deny access if key does not exist."
             )
+        return not negate_condition
+
+    expected_values = []
+    for value in values:
+        if flat_item_key_value := flat_item.get(value):
+            value = flat_item_key_value
+        if isinstance(value, list):
+            expected_values.extend(value)
+        else:
+            expected_values.append(value)
+
+    if isinstance(item_value, (str, int, float, bool)):
+        if negate_condition:
+            return item_value not in expected_values
+        else:
+            return item_value in expected_values
+    elif isinstance(item_value, list):
+        for expected_value in expected_values:
+            if expected_value in item_value:
+                return True != negate_condition
+        return False != negate_condition
 
-        if is_condition_met():
-            if negate_condition:
-                if not multiple_conditions:
-                    return return_value
-                elif not switch_return_value:
-                    return_value = not return_value
-                    switch_return_value = True
-        elif not negate_condition:
-            return return_value
-        elif switch_return_value:
-            return False
-
-    return not return_value
+    raise Exception(f"Invalid item_value: {item_value}")
+
+
+def __get_element_from_object_list_of_item(
+    item: dict, object_list: str, key: str, object_lists: dict
+):
+    for element in item[object_list]:
+        if element[object_lists[object_list]] == key:
+            return element
+    return {}