infrahub-server 1.1.0b2__py3-none-any.whl → 1.1.2__py3-none-any.whl

infrahub/message_bus/operations/requests/generator_definition.py

@@ -2,21 +2,23 @@ from typing import Optional
 
 from infrahub_sdk.uuidt import UUIDT
 from prefect import flow
+from prefect.logging import get_run_logger
 
 from infrahub.core.constants import InfrahubKind, ValidatorConclusion, ValidatorState
 from infrahub.core.timestamp import Timestamp
 from infrahub.message_bus import InfrahubMessage, Meta, messages
 from infrahub.message_bus.types import KVTTL
 from infrahub.services import InfrahubServices
+from infrahub.workflows.utils import add_tags
 
 
-@flow(name="generator-definition-check")
+@flow(
+    name="generator-definition-check",
+    flow_run_name="Validate Generator selection for {message.generator_definition.definition_name}",
+)
 async def check(message: messages.RequestGeneratorDefinitionCheck, service: InfrahubServices) -> None:
-    service.log.info(
-        "Validating Generator selection",
-        generator_definition=message.generator_definition.definition_id,
-        source_branch=message.source_branch,
-    )
+    log = get_run_logger()
+    await add_tags(branches=[message.source_branch], nodes=[message.proposed_change])
     events: list[InfrahubMessage] = []
 
     proposed_change = await service.client.get(kind=InfrahubKind.PROPOSEDCHANGE, id=message.proposed_change)
@@ -87,6 +89,7 @@ async def check(message: messages.RequestGeneratorDefinitionCheck, service: Infr
             check_execution_id = str(UUIDT())
             check_execution_ids.append(check_execution_id)
             requested_instances += 1
+            log.info(f"Trigger execution of {message.generator_definition.definition_name} for {member.display_label}")
             events.append(
                 messages.CheckGeneratorRun(
                     generator_definition=message.generator_definition,
@@ -101,6 +104,7 @@ async def check(message: messages.RequestGeneratorDefinitionCheck, service: Infr
                     target_id=member.id,
                     target_name=member.display_label,
                     validator_id=validator.id,
+                    proposed_change=message.proposed_change,
                     meta=Meta(validator_execution_id=validator_execution_id, check_execution_id=check_execution_id),
                 )
             )

infrahub/message_bus/operations/requests/proposed_change.py

@@ -2,7 +2,8 @@ from __future__ import annotations
 
 from enum import IntFlag
 
-from prefect import flow
+from prefect import flow, task
+from prefect.logging import get_run_logger
 from pydantic import BaseModel
 
 from infrahub import lock
@@ -11,7 +12,6 @@ from infrahub.core.diff.coordinator import DiffCoordinator
 from infrahub.core.registry import registry
 from infrahub.dependencies.registry import get_component_registry
 from infrahub.git.repository import InfrahubRepository
-from infrahub.log import get_logger
 from infrahub.message_bus import InfrahubMessage, messages
 from infrahub.message_bus.types import (
     ProposedChangeArtifactDefinition,
@@ -26,7 +26,7 @@ from infrahub.proposed_change.models import (
     RequestProposedChangeSchemaIntegrity,
     RequestProposedChangeUserTests,
 )
-from infrahub.services import InfrahubServices  # noqa: TCH001
+from infrahub.services import InfrahubServices  # noqa: TC001
 from infrahub.workflows.catalogue import (
     REQUEST_PROPOSED_CHANGE_DATA_INTEGRITY,
     REQUEST_PROPOSED_CHANGE_REPOSITORY_CHECKS,
@@ -34,8 +34,7 @@ from infrahub.workflows.catalogue import (
     REQUEST_PROPOSED_CHANGE_SCHEMA_INTEGRITY,
     REQUEST_PROPOSED_CHANGE_USER_TESTS,
 )
-
-log = get_logger()
+from infrahub.workflows.utils import add_tags
 
 
 class DefinitionSelect(IntFlag):
@@ -64,13 +63,15 @@ class DefinitionSelect(IntFlag):
         return "Doesn't require changes due to no relevant modified kinds or file changes in Git"
 
 
-@flow(name="proposed-changed-pipeline")
+@flow(name="proposed-changed-pipeline", flow_run_name="Execute Pipeline")
 async def pipeline(message: messages.RequestProposedChangePipeline, service: InfrahubServices) -> None:
     events: list[InfrahubMessage] = []
 
     repositories = await _get_proposed_change_repositories(message=message, service=service)
 
-    if message.source_branch_sync_with_git and await _validate_repository_merge_conflicts(repositories=repositories):
+    if message.source_branch_sync_with_git and await _validate_repository_merge_conflicts(
+        repositories=repositories, service=service
+    ):
         for repo in repositories:
             if not repo.read_only and repo.internal_status == RepositoryInternalStatus.ACTIVE.value:
                 events.append(
@@ -86,7 +87,7 @@ async def pipeline(message: messages.RequestProposedChangePipeline, service: Inf
             await service.send(message=event)
         return
 
-    await _gather_repository_repository_diffs(repositories=repositories)
+    await _gather_repository_repository_diffs(repositories=repositories, service=service)
 
     async with service.database.start_transaction() as dbt:
         destination_branch = await registry.get_branch(db=dbt, branch=message.destination_branch)
@@ -187,9 +188,12 @@ async def pipeline(message: messages.RequestProposedChangePipeline, service: Inf
 
 @flow(
     name="proposed-changed-refresh-artifact",
-    flow_run_name="Refreshing artifacts for change_proposal={message.proposed_change}",
+    flow_run_name="Trigger artifacts refresh",
 )
 async def refresh_artifacts(message: messages.RequestProposedChangeRefreshArtifacts, service: InfrahubServices) -> None:
+    await add_tags(branches=[message.source_branch], nodes=[message.proposed_change])
+    log = get_run_logger()
+
     definition_information = await service.client.execute_graphql(
         query=GATHER_ARTIFACT_DEFINITIONS,
         branch_name=message.source_branch,
@@ -227,6 +231,7 @@ async def refresh_artifacts(message: messages.RequestProposedChangeRefreshArtifa
             )
 
         if select:
+            log.info(f"Trigger processing of {artifact_definition.definition_name}")
             msg = messages.RequestArtifactDefinitionCheck(
                 artifact_definition=artifact_definition,
                 branch_diff=message.branch_diff,
@@ -511,26 +516,39 @@ async def _get_proposed_change_repositories(
     return _parse_proposed_change_repositories(message=message, source=source_all, destination=destination_all)
 
 
-async def _validate_repository_merge_conflicts(repositories: list[ProposedChangeRepository]) -> bool:
+@task(name="proposed-change-validate-repository-conflicts", task_run_name="Validate conflicts on repository")
+async def _validate_repository_merge_conflicts(
+    repositories: list[ProposedChangeRepository], service: InfrahubServices
+) -> bool:
+    log = get_run_logger()
     conflicts = False
     for repo in repositories:
         if repo.has_diff and not repo.is_staging:
-            git_repo = await InfrahubRepository.init(id=repo.repository_id, name=repo.repository_name)
+            git_repo = await InfrahubRepository.init(
+                id=repo.repository_id, name=repo.repository_name, client=service.client
+            )
             async with lock.registry.get(name=repo.repository_name, namespace="repository"):
                 repo.conflicts = await git_repo.get_conflicts(
                     source_branch=repo.source_branch, dest_branch=repo.destination_branch
                 )
                 if repo.conflicts:
+                    log.info(f"{len(repo.conflicts)} conflict(s) identified on {repo.repository_name}")
                     conflicts = True
+                else:
+                    log.info(f"no conflict identified for {repo.repository_name}")
 
     return conflicts
 
 
-async def _gather_repository_repository_diffs(repositories: list[ProposedChangeRepository]) -> None:
+async def _gather_repository_repository_diffs(
+    repositories: list[ProposedChangeRepository], service: InfrahubServices
+) -> None:
     for repo in repositories:
         if repo.has_diff and repo.source_commit and repo.destination_commit:
             # TODO we need to find a way to return all files in the repo if the repo is new
-            git_repo = await InfrahubRepository.init(id=repo.repository_id, name=repo.repository_name)
+            git_repo = await InfrahubRepository.init(
+                id=repo.repository_id, name=repo.repository_name, client=service.client
+            )
 
             files_changed: list[str] = []
             files_added: list[str] = []

infrahub/message_bus/operations/requests/repository.py

@@ -1,24 +1,22 @@
-from typing import List
-
 from infrahub_sdk.uuidt import UUIDT
 from prefect import flow
+from prefect.logging import get_run_logger
 
 from infrahub.core.constants import InfrahubKind
 from infrahub.core.timestamp import Timestamp
-from infrahub.log import get_logger
 from infrahub.message_bus import InfrahubMessage, messages
 from infrahub.message_bus.types import KVTTL
 from infrahub.services import InfrahubServices
-
-log = get_logger()
+from infrahub.workflows.utils import add_tags
 
 
-@flow(name="repository-check")
+@flow(name="repository-check", flow_run_name="Running repository checks for repository {message.repository}")
 async def checks(message: messages.RequestRepositoryChecks, service: InfrahubServices) -> None:
     """Request to start validation checks on a specific repository."""
-    log.info("Running repository checks", repository_id=message.repository, proposed_change_id=message.proposed_change)
+    await add_tags(branches=[message.source_branch], nodes=[message.proposed_change])
+    log = get_run_logger()
 
-    events: List[InfrahubMessage] = []
+    events: list[InfrahubMessage] = []
 
     repository = await service.client.get(
         kind=InfrahubKind.GENERICREPOSITORY, id=message.repository, branch=message.source_branch
@@ -26,7 +24,7 @@ async def checks(message: messages.RequestRepositoryChecks, service: InfrahubSer
     proposed_change = await service.client.get(kind=InfrahubKind.PROPOSEDCHANGE, id=message.proposed_change)
 
     validator_execution_id = str(UUIDT())
-    check_execution_ids: List[str] = []
+    check_execution_ids: list[str] = []
     await proposed_change.validations.fetch()
     await repository.checks.fetch()
 
@@ -76,7 +74,7 @@ async def checks(message: messages.RequestRepositoryChecks, service: InfrahubSer
     )
 
     checks_in_execution = ",".join(check_execution_ids)
-    log.info("Checks in execution", checks=checks_in_execution)
+    log.info(f"Checks in execution {checks_in_execution}")
     await service.cache.set(
         key=f"validator_execution_id:{validator_execution_id}:checks",
         value=checks_in_execution,
@@ -98,14 +96,18 @@ async def checks(message: messages.RequestRepositoryChecks, service: InfrahubSer
 
 @flow(
     name="repository-users-check",
-    flow_run_name="Evaluating user-defined checks on repository {message.repository} and proposed change {message.proposed_change}",
+    flow_run_name="Evaluating user-defined checks on repository {message.repository_name}",
 )
 async def user_checks(message: messages.RequestRepositoryUserChecks, service: InfrahubServices) -> None:
     """Request to start validation checks on a specific repository for User-defined checks."""
-    events: List[InfrahubMessage] = []
+
+    await add_tags(branches=[message.source_branch], nodes=[message.proposed_change])
+    log = get_run_logger()
+
+    events: list[InfrahubMessage] = []
 
     repository = await service.client.get(
-        kind=InfrahubKind.GENERICREPOSITORY, id=message.repository, branch=message.source_branch, fragment=True
+        kind=InfrahubKind.GENERICREPOSITORY, id=message.repository_id, branch=message.source_branch, fragment=True
     )
     await repository.checks.fetch()
 

infrahub/message_bus/types.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import re
 from enum import Enum
 
-from infrahub_sdk.diff import NodeDiff  # noqa: TCH002
+from infrahub_sdk.diff import NodeDiff  # noqa: TC002
 from pydantic import BaseModel, Field
 
 from infrahub.core.constants import InfrahubKind, RepositoryInternalStatus

infrahub/permissions/__init__.py

@@ -1,4 +1,13 @@
-from .backend import PermissionBackend
-from .local_backend import LocalPermissionBackend
+from infrahub.permissions.backend import PermissionBackend
+from infrahub.permissions.local_backend import LocalPermissionBackend
+from infrahub.permissions.manager import PermissionManager
+from infrahub.permissions.report import report_schema_permissions
+from infrahub.permissions.types import AssignedPermissions
 
-__all__ = ["LocalPermissionBackend", "PermissionBackend"]
+__all__ = [
+    "AssignedPermissions",
+    "LocalPermissionBackend",
+    "PermissionBackend",
+    "PermissionManager",
+    "report_schema_permissions",
+]

infrahub/permissions/backend.py

@@ -5,28 +5,13 @@ from typing import TYPE_CHECKING
 
 if TYPE_CHECKING:
     from infrahub.auth import AccountSession
-    from infrahub.core.account import GlobalPermission, ObjectPermission
     from infrahub.core.branch import Branch
     from infrahub.database import InfrahubDatabase
-    from infrahub.permissions.constants import AssignedPermissions, PermissionDecisionFlag
+    from infrahub.permissions.types import AssignedPermissions
 
 
 class PermissionBackend(ABC):
     @abstractmethod
     async def load_permissions(
-        self, db: InfrahubDatabase, account_session: AccountSession, branch: Branch
+        self, db: InfrahubDatabase, branch: Branch, account_session: AccountSession
     ) -> AssignedPermissions: ...
-
-    @abstractmethod
-    def report_object_permission(
-        self, permissions: list[ObjectPermission], namespace: str, name: str, action: str
-    ) -> PermissionDecisionFlag: ...
-
-    @abstractmethod
-    async def has_permission(
-        self,
-        db: InfrahubDatabase,
-        account_session: AccountSession,
-        permission: GlobalPermission | ObjectPermission,
-        branch: Branch,
-    ) -> bool: ...

infrahub/permissions/constants.py

@@ -1,15 +1,8 @@
 from __future__ import annotations
 
 from enum import IntFlag, StrEnum, auto
-from typing import TYPE_CHECKING, TypedDict
 
-if TYPE_CHECKING:
-    from infrahub.core.account import GlobalPermission, ObjectPermission
-
-
-class AssignedPermissions(TypedDict):
-    global_permissions: list[GlobalPermission]
-    object_permissions: list[ObjectPermission]
+from infrahub.core.constants import GlobalPermissions
 
 
 class PermissionDecisionFlag(IntFlag):
@@ -26,3 +19,14 @@ class BranchRelativePermissionDecision(StrEnum):
     ALLOW = auto()
     ALLOW_DEFAULT = auto()
     ALLOW_OTHER = auto()
+
+
+GLOBAL_PERMISSION_DENIAL_MESSAGE = {
+    GlobalPermissions.EDIT_DEFAULT_BRANCH.value: "You are not allowed to change data in the default branch",
+    GlobalPermissions.MERGE_BRANCH.value: "You are not allowed to merge a branch",
+    GlobalPermissions.MERGE_PROPOSED_CHANGE.value: "You are not allowed to merge proposed changes",
+    GlobalPermissions.MANAGE_SCHEMA.value: "You are not allowed to manage the schema",
+    GlobalPermissions.MANAGE_ACCOUNTS.value: "You are not allowed to manage user accounts, groups or roles",
+    GlobalPermissions.MANAGE_PERMISSIONS.value: "You are not allowed to manage permissions",
+    GlobalPermissions.MANAGE_REPOSITORIES.value: "You are not allowed to manage repositories",
+}

infrahub/permissions/local_backend.py

@@ -3,11 +3,9 @@ from __future__ import annotations
 from typing import TYPE_CHECKING
 
 from infrahub import config
-from infrahub.core.account import GlobalPermission, ObjectPermission, fetch_permissions, fetch_role_permissions
-from infrahub.core.constants import GlobalPermissions, PermissionDecision
+from infrahub.core.account import fetch_permissions, fetch_role_permissions
 from infrahub.core.manager import NodeManager
 from infrahub.core.protocols import CoreAccountRole
-from infrahub.permissions.constants import PermissionDecisionFlag
 
 from .backend import PermissionBackend
 
@@ -15,79 +13,14 @@ if TYPE_CHECKING:
     from infrahub.auth import AccountSession
     from infrahub.core.branch import Branch
     from infrahub.database import InfrahubDatabase
-    from infrahub.permissions.constants import AssignedPermissions
+    from infrahub.permissions.types import AssignedPermissions
 
+__all__ = ["LocalPermissionBackend"]
 
-class LocalPermissionBackend(PermissionBackend):
-    wildcard_values = ["*"]
-    wildcard_actions = ["any"]
-
-    def _compute_specificity(self, permission: ObjectPermission) -> int:
-        specificity = 0
-        if permission.namespace not in self.wildcard_values:
-            specificity += 1
-        if permission.name not in self.wildcard_values:
-            specificity += 1
-        if permission.action not in self.wildcard_actions:
-            specificity += 1
-        if not permission.decision & PermissionDecisionFlag.ALLOW_ALL:
-            specificity += 1
-        return specificity
-
-    def report_object_permission(
-        self, permissions: list[ObjectPermission], namespace: str, name: str, action: str
-    ) -> PermissionDecisionFlag:
-        """Given a set of permissions, return the permission decision for a given kind and action."""
-        highest_specificity: int = -1
-        combined_decision = PermissionDecisionFlag.DENY
-
-        for permission in permissions:
-            if (
-                permission.namespace in [namespace, *self.wildcard_values]
-                and permission.name in [name, *self.wildcard_values]
-                and permission.action in [action, *self.wildcard_actions]
-            ):
-                permission_decision = PermissionDecisionFlag(value=permission.decision)
-                # Compute the specifity of a permission to keep the decision of the most specific if two or more permissions overlap
-                specificity = self._compute_specificity(permission=permission)
-                if specificity > highest_specificity:
-                    combined_decision = permission_decision
-                    highest_specificity = specificity
-                elif specificity == highest_specificity and permission_decision != PermissionDecisionFlag.DENY:
-                    combined_decision |= permission_decision
-
-        return combined_decision
-
-    def resolve_object_permission(
-        self, permissions: list[ObjectPermission], permission_to_check: ObjectPermission
-    ) -> bool:
-        """Compute the permissions and check if the one provided is allowed."""
-        required_decision = PermissionDecisionFlag(value=permission_to_check.decision)
-        combined_decision = self.report_object_permission(
-            permissions=permissions,
-            namespace=permission_to_check.namespace,
-            name=permission_to_check.name,
-            action=permission_to_check.action,
-        )
-
-        return combined_decision & required_decision == required_decision
-
-    def resolve_global_permission(
-        self, permissions: list[GlobalPermission], permission_to_check: GlobalPermission
-    ) -> bool:
-        grant_permission = False
-
-        for permission in permissions:
-            if permission.action == permission_to_check.action:
-                # Early exit on deny as deny preempt allow
-                if permission.decision == PermissionDecisionFlag.DENY:
-                    return False
-                grant_permission = True
-
-        return grant_permission
 
+class LocalPermissionBackend(PermissionBackend):
     async def load_permissions(
-        self, db: InfrahubDatabase, account_session: AccountSession, branch: Branch
+        self, db: InfrahubDatabase, branch: Branch, account_session: AccountSession
     ) -> AssignedPermissions:
         if not account_session.authenticated:
             anonymous_permissions: AssignedPermissions = {"global_permissions": [], "object_permissions": []}
@@ -103,33 +36,3 @@ class LocalPermissionBackend(PermissionBackend):
             return anonymous_permissions
 
         return await fetch_permissions(db=db, account_id=account_session.account_id, branch=branch)
-
-    async def has_permission(
-        self,
-        db: InfrahubDatabase,
-        account_session: AccountSession,
-        permission: GlobalPermission | ObjectPermission,
-        branch: Branch,
-    ) -> bool:
-        granted_permissions = await self.load_permissions(db=db, account_session=account_session, branch=branch)
-        is_super_admin = self.resolve_global_permission(
-            permissions=granted_permissions["global_permissions"],
-            permission_to_check=GlobalPermission(
-                action=GlobalPermissions.SUPER_ADMIN, decision=PermissionDecision.ALLOW_ALL
-            ),
-        )
-
-        if isinstance(permission, GlobalPermission):
-            return (
-                self.resolve_global_permission(
-                    permissions=granted_permissions["global_permissions"], permission_to_check=permission
-                )
-                or is_super_admin
-            )
-
-        return (
-            self.resolve_object_permission(
-                permissions=granted_permissions["object_permissions"], permission_to_check=permission
-            )
-            or is_super_admin
-        )

infrahub/permissions/manager.py

@@ -0,0 +1,135 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, Sequence
+
+from infrahub.core import registry
+from infrahub.core.account import GlobalPermission
+from infrahub.core.constants import GlobalPermissions, PermissionDecision
+from infrahub.exceptions import PermissionDeniedError
+from infrahub.permissions.constants import GLOBAL_PERMISSION_DENIAL_MESSAGE, PermissionDecisionFlag
+
+if TYPE_CHECKING:
+    from infrahub.auth import AccountSession
+    from infrahub.core.account import ObjectPermission
+    from infrahub.core.branch import Branch
+    from infrahub.database import InfrahubDatabase
+    from infrahub.permissions.types import AssignedPermissions
+
+__all__ = ["PermissionManager"]
+
+
+class PermissionManager:
+    wildcard_values = ["*"]
+    wildcard_actions = ["any"]
+
+    def __init__(self, account_session: AccountSession) -> None:
+        self.account_session = account_session
+        self.permissions: AssignedPermissions = {"global_permissions": [], "object_permissions": []}
+
+    async def load_permissions(self, db: InfrahubDatabase, branch: Branch) -> None:
+        """Load permissions from the configured backends into memory."""
+        for permission_backend in registry.permission_backends:
+            backend_permissions = await permission_backend.load_permissions(
+                db=db, branch=branch, account_session=self.account_session
+            )
+            self.permissions["global_permissions"].extend(backend_permissions["global_permissions"])
+            self.permissions["object_permissions"].extend(backend_permissions["object_permissions"])
+
+    def _compute_specificity(self, permission: ObjectPermission) -> int:
+        """Return how specific a permission is."""
+        specificity = 0
+        if permission.namespace not in self.wildcard_values:
+            specificity += 1
+        if permission.name not in self.wildcard_values:
+            specificity += 1
+        if permission.action not in self.wildcard_actions:
+            specificity += 1
+        if not permission.decision & PermissionDecisionFlag.ALLOW_ALL:
+            specificity += 1
+        return specificity
+
+    def report_object_permission(self, namespace: str, name: str, action: str) -> PermissionDecisionFlag:
+        """Given a set of permissions, return the permission decision for a given kind and action."""
+        highest_specificity: int = -1
+        combined_decision = PermissionDecisionFlag.DENY
+
+        for permission in self.permissions["object_permissions"]:
+            if (
+                permission.namespace in [namespace, *self.wildcard_values]
+                and permission.name in [name, *self.wildcard_values]
+                and permission.action in [action, *self.wildcard_actions]
+            ):
+                permission_decision = PermissionDecisionFlag(value=permission.decision)
+                # Compute the specifity of a permission to keep the decision of the most specific if two or more permissions overlap
+                specificity = self._compute_specificity(permission=permission)
+                if specificity > highest_specificity:
+                    combined_decision = permission_decision
+                    highest_specificity = specificity
+                elif specificity == highest_specificity and permission_decision != PermissionDecisionFlag.DENY:
+                    combined_decision |= permission_decision
+
+        return combined_decision
+
+    def resolve_object_permission(self, permission_to_check: ObjectPermission) -> bool:
+        """Compute the permissions and check if the one provided is granted."""
+        required_decision = PermissionDecisionFlag(value=permission_to_check.decision)
+        combined_decision = self.report_object_permission(
+            namespace=permission_to_check.namespace, name=permission_to_check.name, action=permission_to_check.action
+        )
+
+        return combined_decision & required_decision == required_decision
+
+    def resolve_global_permission(self, permission_to_check: GlobalPermission) -> bool:
+        """Tell if a global permission is granted."""
+        grant_permission = False
+
+        for permission in self.permissions["global_permissions"]:
+            if permission.action == permission_to_check.action:
+                # Early exit on deny as deny preempt allow
+                if permission.decision == PermissionDecisionFlag.DENY:
+                    return False
+                grant_permission = True
+
+        return grant_permission
+
+    def has_permission(self, permission: GlobalPermission | ObjectPermission) -> bool:
+        """Tell if a permission is granted given the permissions loaded in memory."""
+        is_super_admin = self.resolve_global_permission(
+            permission_to_check=GlobalPermission(
+                action=GlobalPermissions.SUPER_ADMIN, decision=PermissionDecision.ALLOW_ALL
+            ),
+        )
+
+        if isinstance(permission, GlobalPermission):
+            return self.resolve_global_permission(permission_to_check=permission) or is_super_admin
+
+        return self.resolve_object_permission(permission_to_check=permission) or is_super_admin
+
+    def has_permissions(self, permissions: Sequence[GlobalPermission | ObjectPermission]) -> bool:
+        """Same as `has_permission` but for multiple permissions, return `True` only if all permissions are granted."""
+        return all(self.has_permission(permission=permission) for permission in permissions)
+
+    def raise_for_permission(self, permission: GlobalPermission | ObjectPermission, message: str = "") -> None:
+        """Same as `has_permission` but raise a `PermissionDeniedError` if the permission is not granted."""
+        if self.has_permission(permission=permission):
+            return
+
+        if not message:
+            if isinstance(permission, GlobalPermission) and permission.action in GLOBAL_PERMISSION_DENIAL_MESSAGE:
+                message = GLOBAL_PERMISSION_DENIAL_MESSAGE[permission.action]
+            else:
+                message = f"You do not have the following permission: {permission!s}"
+
+        raise PermissionDeniedError(message=message)
+
+    def raise_for_permissions(
+        self, permissions: Sequence[GlobalPermission | ObjectPermission], message: str = ""
+    ) -> None:
+        """Same as `has_permissions` but raise a `PermissionDeniedError` if any of the permissions is not granted."""
+        if self.has_permissions(permissions=permissions):
+            return
+
+        if not message:
+            message = f"You do not have one of the following permissions: {' | '.join([str(p) for p in permissions])}"
+
+        raise PermissionDeniedError(message=message)