gooddata-pipelines 1.47.1.dev1__py3-none-any.whl

gooddata_pipelines/provisioning/entities/users/models/permissions.py

@@ -0,0 +1,242 @@
+# (C) 2025 GoodData Corporation
+from dataclasses import dataclass
+from enum import Enum
+from typing import Any, Iterator, TypeAlias
+
+from gooddata_sdk.catalog.identifier import CatalogAssigneeIdentifier
+from gooddata_sdk.catalog.permission.declarative_model.permission import (
+    CatalogDeclarativeSingleWorkspacePermission,
+    CatalogDeclarativeWorkspacePermissions,
+)
+
+from gooddata_pipelines.provisioning.utils.exceptions import BaseUserException
+
+# TODO: refactor the full load and incremental load models to reuse as much as possible
+# TODO: use pydantic models instead of dataclasses?
+# TODO: make the validation logic more readable (as in PermissionIncrementalLoad)
+
+TargetsPermissionDict: TypeAlias = dict[str, dict[str, bool]]
+
+
+class PermissionType(Enum):
+    user = "user"
+    user_group = "userGroup"
+
+
+@dataclass(frozen=True)
+class PermissionIncrementalLoad:
+    permission: str
+    workspace_id: str
+    id: str
+    type: PermissionType
+    is_active: bool
+
+    @classmethod
+    def from_list_of_dicts(
+        cls, data: list[dict[str, Any]]
+    ) -> list["PermissionIncrementalLoad"]:
+        """Creates a list of User objects from list of dicts."""
+        id: str
+        permissions = []
+        for permission in data:
+            user_id: str | None = permission.get("user_id")
+            user_group_id: str | None = permission.get("ug_id")
+
+            if user_id is not None:
+                target_type = PermissionType.user
+                id = user_id
+            elif user_group_id is not None:
+                target_type = PermissionType.user_group
+                id = user_group_id
+
+            permissions.append(
+                PermissionIncrementalLoad(
+                    permission=permission["ws_permissions"],
+                    workspace_id=permission["ws_id"],
+                    id=id,
+                    type=target_type,
+                    is_active=str(permission["is_active"]).lower() == "true",
+                )
+            )
+        return permissions
+
+
+@dataclass(frozen=True)
+class PermissionFullLoad:
+    permission: str
+    workspace_id: str
+    id: str
+    type: PermissionType
+
+    @classmethod
+    def from_list_of_dicts(
+        cls, data: list[dict[str, Any]]
+    ) -> list["PermissionFullLoad"]:
+        """Creates a list of User objects from list of dicts."""
+        permissions = []
+        for permission in data:
+            id = (
+                permission["user_id"]
+                if permission["user_id"]
+                else permission["ug_id"]
+            )
+
+            if permission["user_id"]:
+                target_type = PermissionType.user
+            else:
+                target_type = PermissionType.user_group
+
+            permissions.append(
+                PermissionFullLoad(
+                    permission=permission["ws_permissions"],
+                    workspace_id=permission["ws_id"],
+                    id=id,
+                    type=target_type,
+                )
+            )
+        return permissions
+
+
+@dataclass
+class PermissionDeclaration:
+    users: TargetsPermissionDict
+    user_groups: TargetsPermissionDict
+
+    @classmethod
+    def from_sdk_api(
+        cls, declaration: CatalogDeclarativeWorkspacePermissions
+    ) -> "PermissionDeclaration":
+        """
+        Constructs an WSPermissionDeclaration instance
+        from GoodData SDK CatalogDeclarativeWorkspacePermissions.
+        """
+        users: TargetsPermissionDict = {}
+        user_groups: TargetsPermissionDict = {}
+
+        for permission in declaration.permissions:
+            permission_type, id = (
+                permission.assignee.type,
+                permission.assignee.id,
+            )
+
+            if permission_type == PermissionType.user.value:
+                target_dict = users
+            else:
+                target_dict = user_groups
+
+            id_permissions = target_dict.get(id)
+            if not id_permissions:
+                target_dict[id] = dict()
+
+            target_dict[id][permission.name] = True
+
+        return PermissionDeclaration(users, user_groups)
+
+    @staticmethod
+    def _construct_upstream_permission(
+        permission: str, assignee: CatalogAssigneeIdentifier
+    ) -> CatalogDeclarativeSingleWorkspacePermission | None:
+        """Constructs single permission declaration for the SDK API."""
+        try:
+            return CatalogDeclarativeSingleWorkspacePermission(
+                name=permission, assignee=assignee
+            )
+        except Exception as e:
+            raise BaseUserException(
+                f"Failed to construct SDK declaration for type={assignee.type} ",
+                f"id={assignee.id}. Error: {e}",
+            )
+
+    def _permissions_for_target(
+        self, permissions: dict[str, bool], assignee: CatalogAssigneeIdentifier
+    ) -> Iterator[CatalogDeclarativeSingleWorkspacePermission]:
+        """Constructs permission declarations for a single target."""
+        for permission, is_active in permissions.items():
+            if not is_active:
+                continue
+            declaration = self._construct_upstream_permission(
+                permission, assignee
+            )
+            if not declaration:
+                continue
+            yield declaration
+
+    def to_sdk_api(self) -> CatalogDeclarativeWorkspacePermissions:
+        """
+        Constructs the GoodData SDK CatalogDeclarativeWorkspacePermissions
+        object from the WSPermissionDeclaration instance.
+        """
+        permission_declarations: list[
+            CatalogDeclarativeSingleWorkspacePermission
+        ] = []
+
+        for user_id, permissions in self.users.items():
+            assignee = CatalogAssigneeIdentifier(
+                id=user_id, type=PermissionType.user.value
+            )
+            for declaration in self._permissions_for_target(
+                permissions, assignee
+            ):
+                permission_declarations.append(declaration)
+
+        for ug_id, permissions in self.user_groups.items():
+            assignee = CatalogAssigneeIdentifier(
+                id=ug_id, type=PermissionType.user_group.value
+            )
+            for declaration in self._permissions_for_target(
+                permissions, assignee
+            ):
+                permission_declarations.append(declaration)
+
+        return CatalogDeclarativeWorkspacePermissions(
+            permissions=permission_declarations
+        )
+
+    def add_permission(self, permission: PermissionIncrementalLoad) -> None:
+        """
+        Adds WSPermission object into respective field within the instance.
+        Handles duplicate permissions and different combinations of input
+        and upstream is_active permission states.
+        """
+        target_dict = (
+            self.users
+            if permission.type == PermissionType.user
+            else self.user_groups
+        )
+
+        if permission.id not in target_dict:
+            target_dict[permission.id] = {}
+
+        is_active = permission.is_active
+        target_permissions = target_dict[permission.id]
+        permission_value = permission.permission
+
+        if permission_value not in target_permissions:
+            target_permissions[permission_value] = is_active
+        elif not is_active and target_permissions[permission_value] is True:
+            print(
+                "isActive=False provided after True has been specificed for the "
+                + f"same input. Skipping '{permission}'"
+            )
+        elif is_active and target_permissions[permission_value] is False:
+            print(
+                "isActive=True provided after False has been specified for the "
+                + f"same input. Overwriting '{permission}'"
+            )
+            target_permissions[permission_value] = is_active
+
+    def upsert(self, other: "PermissionDeclaration") -> None:
+        """
+        Modifies the owner object by merging with the other.
+        Keeps the unmodified users/userGroups untouched.
+        If some user/userGroup is modified, it gets overwritten with permissions
+        defined in the input.
+        """
+        for user_id, permissions in other.users.items():
+            self.users[user_id] = permissions
+
+        for ug_id, permissions in other.user_groups.items():
+            self.user_groups[ug_id] = permissions
+
+
+WSPermissionsDeclarations: TypeAlias = dict[str, PermissionDeclaration]

gooddata_pipelines/provisioning/entities/users/models/user_groups.py

@@ -0,0 +1,64 @@
+# (C) 2025 GoodData Corporation
+
+from typing import Any
+
+from pydantic import BaseModel
+
+from gooddata_pipelines.provisioning.utils.utils import SplitMixin
+
+
+class BaseUserGroup(BaseModel, SplitMixin):
+    user_group_id: str
+    user_group_name: str
+    parent_user_groups: list[str]
+
+    @classmethod
+    def _create_from_dict_data(
+        cls, user_group_data: dict[str, Any], delimiter: str = ","
+    ) -> dict[str, Any]:
+        """Helper method to extract common data from dict."""
+        parent_user_groups = cls.split(
+            user_group_data["parent_user_groups"], delimiter=delimiter
+        )
+        user_group_name = user_group_data["user_group_name"]
+        if not user_group_name:
+            user_group_name = user_group_data["user_group_id"]
+
+        return {
+            "user_group_id": user_group_data["user_group_id"],
+            "user_group_name": user_group_name,
+            "parent_user_groups": parent_user_groups,
+        }
+
+
+class UserGroupIncrementalLoad(BaseUserGroup):
+    is_active: bool
+
+    @classmethod
+    def from_list_of_dicts(
+        cls, data: list[dict[str, Any]], delimiter: str = ","
+    ) -> list["UserGroupIncrementalLoad"]:
+        """Creates a list of User objects from list of dicts."""
+        user_groups = []
+        for user_group in data:
+            base_data = cls._create_from_dict_data(user_group, delimiter)
+            base_data["is_active"] = user_group["is_active"]
+
+            user_groups.append(UserGroupIncrementalLoad(**base_data))
+
+        return user_groups
+
+
+class UserGroupFullLoad(BaseUserGroup):
+    @classmethod
+    def from_list_of_dicts(
+        cls, data: list[dict[str, Any]], delimiter: str = ","
+    ) -> list["UserGroupFullLoad"]:
+        """Creates a list of User objects from list of dicts."""
+        user_groups = []
+        for user_group in data:
+            base_data = cls._create_from_dict_data(user_group, delimiter)
+
+            user_groups.append(UserGroupFullLoad(**base_data))
+
+        return user_groups

gooddata_pipelines/provisioning/entities/users/models/users.py

@@ -0,0 +1,114 @@
+# (C) 2025 GoodData Corporation
+
+from typing import Any
+
+from gooddata_sdk.catalog.user.entity_model.user import CatalogUser
+from pydantic import BaseModel
+
+from gooddata_pipelines.provisioning.utils.utils import SplitMixin
+
+
+class BaseUser(BaseModel, SplitMixin):
+    """Base class containing shared user fields and functionality."""
+
+    user_id: str
+    firstname: str | None
+    lastname: str | None
+    email: str | None
+    auth_id: str | None
+    user_groups: list[str]
+
+    @classmethod
+    def _create_from_dict_data(
+        cls, user_data: dict[str, Any], delimiter: str = ","
+    ) -> dict[str, Any]:
+        """Helper method to extract common data from dict."""
+        user_groups = cls.split(user_data["user_groups"], delimiter=delimiter)
+        return {
+            "user_id": user_data["user_id"],
+            "firstname": user_data["firstname"],
+            "lastname": user_data["lastname"],
+            "email": user_data["email"],
+            "auth_id": user_data["auth_id"],
+            "user_groups": user_groups,
+        }
+
+    @classmethod
+    def _create_from_sdk_data(cls, obj: CatalogUser) -> dict[str, Any]:
+        """Helper method to extract common data from SDK object."""
+        if obj.attributes:
+            firstname = obj.attributes.firstname
+            lastname = obj.attributes.lastname
+            email = obj.attributes.email
+            auth_id = obj.attributes.authentication_id
+        else:
+            firstname = None
+            lastname = None
+            email = None
+            auth_id = None
+
+        return {
+            "user_id": obj.id,
+            "firstname": firstname,
+            "lastname": lastname,
+            "email": email,
+            "auth_id": auth_id,
+            "user_groups": [ug.id for ug in obj.user_groups],
+        }
+
+    def to_sdk_obj(self) -> CatalogUser:
+        """Converts to CatalogUser SDK object."""
+        return CatalogUser.init(
+            user_id=self.user_id,
+            firstname=self.firstname,
+            lastname=self.lastname,
+            email=self.email,
+            authentication_id=self.auth_id,
+            user_group_ids=self.user_groups,
+        )
+
+
+class UserIncrementalLoad(BaseUser):
+    """User model for incremental load operations with active status tracking."""
+
+    is_active: bool
+
+    @classmethod
+    def from_list_of_dicts(
+        cls, data: list[dict[str, Any]], delimiter: str = ","
+    ) -> list["UserIncrementalLoad"]:
+        """Creates a list of User objects from list of dicts."""
+        converted_users = []
+        for user in data:
+            base_data = cls._create_from_dict_data(user, delimiter)
+            base_data["is_active"] = user["is_active"]
+            converted_users.append(cls(**base_data))
+        return converted_users
+
+    @classmethod
+    def from_sdk_obj(cls, obj: CatalogUser) -> "UserIncrementalLoad":
+        """Creates GDUserTarget from CatalogUser SDK object."""
+        base_data = cls._create_from_sdk_data(obj)
+        base_data["is_active"] = True
+        return cls(**base_data)
+
+
+class UserFullLoad(BaseUser):
+    """User model for full load operations."""
+
+    @classmethod
+    def from_list_of_dicts(
+        cls, data: list[dict[str, Any]], delimiter: str = ","
+    ) -> list["UserFullLoad"]:
+        """Creates a list of User objects from list of dicts."""
+        converted_users = []
+        for user in data:
+            base_data = cls._create_from_dict_data(user, delimiter)
+            converted_users.append(cls(**base_data))
+        return converted_users
+
+    @classmethod
+    def from_sdk_obj(cls, obj: CatalogUser) -> "UserFullLoad":
+        """Creates GDUserTarget from CatalogUser SDK object."""
+        base_data = cls._create_from_sdk_data(obj)
+        return cls(**base_data)

gooddata_pipelines/provisioning/entities/users/permissions.py

@@ -0,0 +1,153 @@
+# (C) 2025 GoodData Corporation
+
+"""Module for provisioning user permissions in GoodData workspaces."""
+
+from gooddata_pipelines.api.exceptions import GoodDataApiException
+from gooddata_pipelines.provisioning.entities.users.models.permissions import (
+    PermissionDeclaration,
+    PermissionFullLoad,
+    PermissionIncrementalLoad,
+    PermissionType,
+    TargetsPermissionDict,
+    WSPermissionsDeclarations,
+)
+from gooddata_pipelines.provisioning.provisioning import Provisioning
+from gooddata_pipelines.provisioning.utils.exceptions import BaseUserException
+
+
+class PermissionProvisioner(
+    Provisioning[PermissionFullLoad, PermissionIncrementalLoad]
+):
+    """Provisioning class for user permissions in GoodData workspaces.
+
+    This class handles the provisioning of user permissions based on the provided
+    source data.
+    """
+
+    source_group_incremental: list[PermissionIncrementalLoad]
+    source_group_full: list[PermissionFullLoad]
+
+    def _get_ws_declaration(self, ws_id: str) -> PermissionDeclaration:
+        users: TargetsPermissionDict = {}
+        user_groups: TargetsPermissionDict = {}
+
+        upstream_declaration = self._api.get_declarative_permissions(ws_id)
+
+        for permission in upstream_declaration.permissions:
+            permission_type, id = (
+                permission.assignee.type,
+                permission.assignee.id,
+            )
+            target_dict = (
+                users
+                if permission_type == PermissionType.user.value
+                else user_groups
+            )
+
+            id_permissions = target_dict.get(id)
+            if not id_permissions:
+                target_dict[id] = dict()
+
+            target_dict[id][permission.name] = True
+
+        return PermissionDeclaration(users, user_groups)
+
+    def _get_upstream_declaration(
+        self, ws_id: str
+    ) -> PermissionDeclaration | None:
+        """Retrieves upstream permission declaration for a workspace."""
+        declaration = self._api.get_declarative_permissions(ws_id)
+        return PermissionDeclaration.from_sdk_api(declaration)
+
+    def _get_upstream_declarations(
+        self, input_ws_ids: list[str]
+    ) -> WSPermissionsDeclarations:
+        """Retrieves upstream permission declarations for a list of workspaces."""
+        ws_dict: WSPermissionsDeclarations = {}
+        for ws_id in input_ws_ids:
+            declaration = self._get_upstream_declaration(ws_id)
+            if declaration:
+                ws_dict[ws_id] = declaration
+        return ws_dict
+
+    @staticmethod
+    def _construct_declarations(
+        permissions: list[PermissionIncrementalLoad],
+    ) -> WSPermissionsDeclarations:
+        """Constructs workspace permission declarations from the input permissions."""
+        ws_dict: WSPermissionsDeclarations = {}
+        for permission in permissions:
+            ws_id = permission.workspace_id
+
+            if ws_id not in ws_dict:
+                ws_dict[ws_id] = PermissionDeclaration({}, {})
+
+            ws_dict[ws_id].add_permission(permission)
+        return ws_dict
+
+    def _check_user_group_exists(self, ug_id: str) -> None:
+        """Checks if user group with provided ID exists."""
+        self._api._sdk.catalog_user.get_user_group(ug_id)
+
+    def _validate_permission(
+        self, permission: PermissionIncrementalLoad
+    ) -> None:
+        """Validates if the permission is correctly defined."""
+        if permission.type == PermissionType.user:
+            self._api.get_user(permission.id, error_message="User not found")
+        else:
+            self._api.get_user_group(
+                permission.id, error_message="User group not found"
+            )
+
+        self._api.get_workspace(
+            permission.workspace_id, error_message="Workspace not found"
+        )
+
+    def _filter_invalid_permissions(
+        self, permissions: list[PermissionIncrementalLoad]
+    ) -> list[PermissionIncrementalLoad]:
+        """Filters out invalid permissions from the input list."""
+        valid_permissions: list[PermissionIncrementalLoad] = []
+        for permission in permissions:
+            try:
+                self._validate_permission(permission)
+            except (BaseUserException, GoodDataApiException) as e:
+                self.logger.error(
+                    f"Skipping {permission}. Error: {e.error_message} "
+                    + f"Context: {permission.__dict__}"
+                )
+                continue
+            valid_permissions.append(permission)
+        return valid_permissions
+
+    def _manage_permissions(
+        self, permissions: list[PermissionIncrementalLoad]
+    ) -> None:
+        """Manages permissions for a list of workspaces.
+        Modify upstream workspace declarations for each input workspace and skip non-existent ws_ids
+        """
+        valid_permissions = self._filter_invalid_permissions(permissions)
+
+        input_declarations = self._construct_declarations(valid_permissions)
+
+        input_ws_ids = list(input_declarations.keys())
+        upstream_declarations = self._get_upstream_declarations(input_ws_ids)
+
+        for ws_id, declaration in input_declarations.items():
+            if ws_id not in upstream_declarations:
+                continue
+
+            upstream_declarations[ws_id].upsert(declaration)
+
+            ws_permissions = upstream_declarations[ws_id].to_sdk_api()
+
+            self._api.put_declarative_permissions(ws_id, ws_permissions)
+            self.logger.info(f"Updated permissions for workspace {ws_id}")
+
+    def _provision_incremental_load(self) -> None:
+        """Provision permissions based on the source group."""
+        self._manage_permissions(self.source_group_incremental)
+
+    def _provision_full_load(self) -> None:
+        raise NotImplementedError("Not implemented yet.")