kinto 18.1.0__py3-none-any.whl → 20.4.0__py3-none-any.whl

kinto/core/cornice_swagger/templates/index.html

@@ -0,0 +1,73 @@
+<!-- HTML for static distribution bundle build -->
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Swagger UI</title>
+  <link href="https://fonts.googleapis.com/css?family=Open+Sans:400,700|Source+Code+Pro:300,600|Titillium+Web:400,600,700" rel="stylesheet">
+  <link rel="stylesheet" type="text/css" href="${ui_css_url}" >
+  <style>
+    html
+    {
+      box-sizing: border-box;
+      overflow: -moz-scrollbars-vertical;
+      overflow-y: scroll;
+    }
+    *,
+    *:before,
+    *:after
+    {
+      box-sizing: inherit;
+    }
+
+    body {
+      margin:0;
+      background: #fafafa;
+    }
+  </style>
+</head>
+
+<body>
+
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" style="position:absolute;width:0;height:0">
+  <defs>
+    <symbol viewBox="0 0 20 20" id="unlocked">
+          <path d="M15.8 8H14V5.6C14 2.703 12.665 1 10 1 7.334 1 6 2.703 6 5.6V6h2v-.801C8 3.754 8.797 3 10 3c1.203 0 2 .754 2 2.199V8H4c-.553 0-1 .646-1 1.199V17c0 .549.428 1.139.951 1.307l1.197.387C5.672 18.861 6.55 19 7.1 19h5.8c.549 0 1.428-.139 1.951-.307l1.196-.387c.524-.167.953-.757.953-1.306V9.199C17 8.646 16.352 8 15.8 8z"></path>
+    </symbol>
+
+    <symbol viewBox="0 0 20 20" id="locked">
+      <path d="M15.8 8H14V5.6C14 2.703 12.665 1 10 1 7.334 1 6 2.703 6 5.6V8H4c-.553 0-1 .646-1 1.199V17c0 .549.428 1.139.951 1.307l1.197.387C5.672 18.861 6.55 19 7.1 19h5.8c.549 0 1.428-.139 1.951-.307l1.196-.387c.524-.167.953-.757.953-1.306V9.199C17 8.646 16.352 8 15.8 8zM12 8H8V5.199C8 3.754 8.797 3 10 3c1.203 0 2 .754 2 2.199V8z"/>
+    </symbol>
+
+    <symbol viewBox="0 0 20 20" id="close">
+      <path d="M14.348 14.849c-.469.469-1.229.469-1.697 0L10 11.819l-2.651 3.029c-.469.469-1.229.469-1.697 0-.469-.469-.469-1.229 0-1.697l2.758-3.15-2.759-3.152c-.469-.469-.469-1.228 0-1.697.469-.469 1.228-.469 1.697 0L10 8.183l2.651-3.031c.469-.469 1.228-.469 1.697 0 .469.469.469 1.229 0 1.697l-2.758 3.152 2.758 3.15c.469.469.469 1.229 0 1.698z"/>
+    </symbol>
+
+    <symbol viewBox="0 0 20 20" id="large-arrow">
+      <path d="M13.25 10L6.109 2.58c-.268-.27-.268-.707 0-.979.268-.27.701-.27.969 0l7.83 7.908c.268.271.268.709 0 .979l-7.83 7.908c-.268.271-.701.27-.969 0-.268-.269-.268-.707 0-.979L13.25 10z"/>
+    </symbol>
+
+    <symbol viewBox="0 0 20 20" id="large-arrow-down">
+      <path d="M17.418 6.109c.272-.268.709-.268.979 0s.271.701 0 .969l-7.908 7.83c-.27.268-.707.268-.979 0l-7.908-7.83c-.27-.268-.27-.701 0-.969.271-.268.709-.268.979 0L10 13.25l7.418-7.141z"/>
+    </symbol>
+
+
+    <symbol viewBox="0 0 24 24" id="jump-to">
+      <path d="M19 7v4H5.83l3.58-3.59L8 6l-6 6 6 6 1.41-1.41L5.83 13H21V7z"/>
+    </symbol>
+
+    <symbol viewBox="0 0 24 24" id="expand">
+      <path d="M10 18h4v-2h-4v2zM3 6v2h18V6H3zm3 7h12v-2H6v2z"/>
+    </symbol>
+
+  </defs>
+</svg>
+
+<div id="swagger-ui"></div>
+
+<script src="${ui_js_bundle_url}"> </script>
+<script src="${ui_js_standalone_url}"> </script>
+${swagger_ui_script}
+</body>
+
+</html>

kinto/core/cornice_swagger/templates/index_script_template.html

@@ -0,0 +1,21 @@
+<script>
+    window.onload = function() {
+
+        // Build a system
+        const ui = SwaggerUIBundle({
+            url: "${swagger_spec_url}",
+            dom_id: '#swagger-ui',
+            deepLinking: true,
+            presets: [
+                SwaggerUIBundle.presets.apis,
+                SwaggerUIStandalonePreset
+            ],
+            plugins: [
+                SwaggerUIBundle.plugins.DownloadUrl
+            ],
+            layout: "StandaloneLayout"
+        })
+
+        window.ui = ui
+    }
+</script>

kinto/core/cornice_swagger/util.py

@@ -0,0 +1,42 @@
+import colander
+
+from kinto.core.cornice.validators import colander_body_validator
+
+
+def trim(docstring):
+    """
+    Remove the tabs to spaces, and remove the extra spaces / tabs that are in
+    front of the text in docstrings.
+
+    Implementation taken from http://www.python.org/dev/peps/pep-0257/
+    """
+    if not docstring:
+        return ""
+    # Convert tabs to spaces (following the normal Python rules)
+    # and split into a list of lines:
+    lines = docstring.expandtabs().splitlines()
+    lines = [line.strip() for line in lines]
+    res = "\n".join(lines)
+    return res
+
+
+def body_schema_transformer(schema, args):
+    validators = args.get("validators", [])
+    if colander_body_validator in validators:
+        body_schema = schema
+        schema = colander.MappingSchema()
+        schema["body"] = body_schema
+    return schema
+
+
+def merge_dicts(base, changes):
+    """Merge b into a recursively, without overwriting values.
+
+    :param base: the dict that will be altered.
+    :param changes: changes to update base.
+    """
+    for k, v in changes.items():
+        if isinstance(v, dict):
+            merge_dicts(base.setdefault(k, {}), v)
+        else:
+            base.setdefault(k, v)

kinto/core/cornice_swagger/views.py

@@ -0,0 +1,78 @@
+import importlib
+from string import Template
+
+import cornice
+import cornice_swagger
+import pkg_resources
+from pyramid.response import Response
+
+
+# hardcode for now since that will work for vast majority of users
+# maybe later add minified resources for behind firewall support?
+ui_css_url = "https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.23.11/swagger-ui.css"
+ui_js_bundle_url = "https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.23.11/swagger-ui-bundle.js"
+ui_js_standalone_url = (
+    "https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.23.11/swagger-ui-standalone-preset.js"
+)
+
+
+def swagger_ui_template_view(request):
+    """
+    Serves Swagger UI page, default Swagger UI config is used but you can
+    override the callable that generates the `<script>` tag by setting
+    `cornice_swagger.swagger_ui_script_generator` in pyramid config, it defaults
+    to 'cornice_swagger.views:swagger_ui_script_template'
+
+    :param request:
+    :return:
+    """
+    script_generator = request.registry.settings.get(
+        "cornice_swagger.swagger_ui_script_generator",
+        "cornice_swagger.views:swagger_ui_script_template",
+    )
+    package, callable = script_generator.split(":")
+    imported_package = importlib.import_module(package)
+    script_callable = getattr(imported_package, callable)
+    template = pkg_resources.resource_string("cornice_swagger", "templates/index.html").decode(
+        "utf8"
+    )
+
+    html = Template(template).safe_substitute(
+        ui_css_url=ui_css_url,
+        ui_js_bundle_url=ui_js_bundle_url,
+        ui_js_standalone_url=ui_js_standalone_url,
+        swagger_ui_script=script_callable(request),
+    )
+    return Response(html)
+
+
+def open_api_json_view(request):
+    """
+    :param request:
+    :return:
+
+    Generates JSON representation of Swagger spec
+    """
+    doc = cornice_swagger.CorniceSwagger(
+        cornice.service.get_services(), pyramid_registry=request.registry
+    )
+    kwargs = request.registry.settings["cornice_swagger.spec_kwargs"]
+    my_spec = doc.generate(**kwargs)
+    return my_spec
+
+
+def swagger_ui_script_template(request, **kwargs):
+    """
+    :param request:
+    :return:
+
+    Generates the <script> code that bootstraps Swagger UI, it will be injected
+    into index template
+    """
+    swagger_spec_url = request.route_url("cornice_swagger.open_api_path")
+    template = pkg_resources.resource_string(
+        "cornice_swagger", "templates/index_script_template.html"
+    ).decode("utf8")
+    return Template(template).safe_substitute(
+        swagger_spec_url=swagger_spec_url,
+    )

kinto/core/errors.py

@@ -140,14 +140,16 @@ def json_error_handler(request):
     """
     errors = request.errors
     sorted_errors = sorted(errors, key=lambda x: str(x["name"]))
+    for error in sorted_errors:
+        # Decode in place.
+        if isinstance(error["description"], bytes):
+            error["description"] = error["description"].decode("utf-8")
+
     # In Cornice, we call error handler if at least one error was set.
     error = sorted_errors[0]
     name = error["name"]
     description = error["description"]
 
-    if isinstance(description, bytes):
-        description = error["description"].decode("utf-8")
-
     if name is not None:
         if str(name) in description:
             message = description
@@ -162,7 +164,7 @@ def json_error_handler(request):
         errno=ERRORS.INVALID_PARAMETERS.value,
         error="Invalid parameters",
         message=message,
-        details=errors,
+        details=sorted_errors,
     )
     response.status = errors.status
     response = reapply_cors(request, response)

kinto/core/initialization.py

@@ -1,11 +1,12 @@
 import logging
 import random
 import re
+import urllib.parse
 import warnings
 from datetime import datetime
-from secrets import token_hex
 
 from dateutil import parser as dateparser
+from dockerflow.logging import get_or_generate_request_id, request_id_context
 from pyramid.events import ApplicationCreated, NewRequest, NewResponse
 from pyramid.exceptions import ConfigurationError
 from pyramid.httpexceptions import (
@@ -21,7 +22,7 @@ from pyramid.security import NO_PERMISSION_REQUIRED
 from pyramid.settings import asbool, aslist
 from pyramid_multiauth import MultiAuthenticationPolicy, MultiAuthPolicySelected
 
-from kinto.core import cache, errors, permission, storage, utils
+from kinto.core import cache, errors, metrics, permission, storage, utils
 from kinto.core.events import ACTIONS, ResourceChanged, ResourceRead
 
 
@@ -212,7 +213,7 @@ def setup_deprecation(config):
 
 def _end_of_life_tween_factory(handler, registry):
     """Pyramid tween to handle service end of life."""
-    deprecation_msg = "The service you are trying to connect no longer exists" " at this location."
+    deprecation_msg = "The service you are trying to connect no longer exists at this location."
 
     def eos_tween(request):
         eos_date = registry.settings["eos"]
@@ -333,54 +334,6 @@ def setup_sentry(config):
         config.add_subscriber(on_app_created, ApplicationCreated)
 
 
-def setup_statsd(config):
-    settings = config.get_settings()
-    config.registry.statsd = None
-
-    if settings["statsd_url"]:
-        statsd_mod = settings["statsd_backend"]
-        statsd_mod = config.maybe_dotted(statsd_mod)
-        client = statsd_mod.load_from_config(config)
-
-        config.registry.statsd = client
-
-        client.watch_execution_time(config.registry.cache, prefix="backend")
-        client.watch_execution_time(config.registry.storage, prefix="backend")
-        client.watch_execution_time(config.registry.permission, prefix="backend")
-
-        # Commit so that configured policy can be queried.
-        config.commit()
-        policy = config.registry.queryUtility(IAuthenticationPolicy)
-        if isinstance(policy, MultiAuthenticationPolicy):
-            for name, subpolicy in policy.get_policies():
-                client.watch_execution_time(subpolicy, prefix="authentication", classname=name)
-        else:
-            client.watch_execution_time(policy, prefix="authentication")
-
-        def on_new_response(event):
-            request = event.request
-
-            # Count unique users.
-            user_id = request.prefixed_userid
-            if user_id:
-                # Get rid of colons in metric packet (see #1282).
-                user_id = user_id.replace(":", ".")
-                client.count("users", unique=user_id)
-
-            # Count authentication verifications.
-            if hasattr(request, "authn_type"):
-                client.count(f"authn_type.{request.authn_type}")
-
-            # Count view calls.
-            service = request.current_service
-            if service:
-                client.count(f"view.{service.name}.{request.method}")
-
-        config.add_subscriber(on_new_response, NewResponse)
-
-        return client
-
-
 def install_middlewares(app, settings):
     "Install a set of middlewares defined in the ini file on the given app."
     # Setup new-relic.
@@ -421,12 +374,15 @@ def setup_logging(config):
                 message="Invalid URL path.",
             )
 
+        rid = get_or_generate_request_id(headers=request.headers)
+        request_id_context.set(rid)
+
         request.log_context(
             agent=request.headers.get("User-Agent"),
             path=request_path,
             method=request.method,
             lang=request.headers.get("Accept-Language"),
-            rid=request.headers.get("X-Request-Id", token_hex(16)),
+            rid=rid,
             errno=0,
         )
         qs = dict(errors.request_GET(request))
@@ -466,6 +422,122 @@ def setup_logging(config):
     config.add_subscriber(on_new_response, NewResponse)
 
 
+def setup_metrics(config):
+    settings = config.get_settings()
+
+    # Register a no-op metrics service by default.
+    config.registry.registerUtility(metrics.NoOpMetricsService(), metrics.IMetricsService)
+
+    # This does not fully respect the Pyramid/ZCA patterns, but the rest of Kinto uses
+    # `registry.storage`, `registry.cache`, etc. Consistency seems more important.
+    config.registry.__class__.metrics = property(
+        lambda reg: reg.queryUtility(metrics.IMetricsService)
+    )
+
+    def deprecated_registry(self):
+        warnings.warn(
+            "``config.registry.statsd`` is now deprecated. Use ``config.registry.metrics`` instead.",
+            DeprecationWarning,
+        )
+        return self.metrics
+
+    config.registry.__class__.statsd = property(deprecated_registry)
+
+    def on_app_created(event):
+        config = event.app
+        metrics_service = config.registry.metrics
+
+        metrics.watch_execution_time(metrics_service, config.registry.cache, prefix="backend")
+        metrics.watch_execution_time(metrics_service, config.registry.storage, prefix="backend")
+        metrics.watch_execution_time(metrics_service, config.registry.permission, prefix="backend")
+
+        policy = config.registry.queryUtility(IAuthenticationPolicy)
+        if isinstance(policy, MultiAuthenticationPolicy):
+            for name, subpolicy in policy.get_policies():
+                metrics.watch_execution_time(
+                    metrics_service, subpolicy, prefix="authentication", classname=name
+                )
+        else:
+            metrics.watch_execution_time(metrics_service, policy, prefix="authentication")
+
+    config.add_subscriber(on_app_created, ApplicationCreated)
+
+    def on_new_response(event):
+        request = event.request
+        metrics_service = config.registry.metrics
+
+        try:
+            endpoint = utils.strip_uri_prefix(request.path)
+            endpoint = urllib.parse.quote_plus(endpoint, safe="/?&=-_")
+        except UnicodeDecodeError as e:
+            # This `on_new_response` callback is also called when a HTTP 400
+            # is returned because of an invalid UTF-8 path. We still want metrics.
+            endpoint = str(e)
+
+        # Count unique users.
+        user_id = request.prefixed_userid
+        if user_id:
+            # Get rid of colons in metric packet (see #1282).
+            auth, user_id = user_id.split(":")
+            metrics_service.count("users", unique=[("auth", auth), ("userid", user_id)])
+
+        # Add extra labels to metrics, based on fields extracted from the request matchdict.
+        metrics_matchdict_fields = aslist(settings["metrics_matchdict_fields"])
+        # Turn the `id` field of object endpoints into `{resource}_id` (eg. `mushroom_id`, `bucket_id`)
+        enhanced_matchdict = dict(request.matchdict or {})
+        try:
+            enhanced_matchdict[request.current_resource_name + "_id"] = enhanced_matchdict.get(
+                "id", ""
+            )
+        except AttributeError:
+            # Not on a resource.
+            pass
+        metrics_matchdict_labels = [
+            (field, enhanced_matchdict.get(field, "")) for field in metrics_matchdict_fields
+        ]
+
+        # Count served requests.
+        metrics_service.count(
+            "request_summary",
+            unique=[
+                ("method", request.method.lower()),
+                ("endpoint", endpoint),
+                ("status", str(event.response.status_code)),
+            ]
+            + metrics_matchdict_labels,
+        )
+
+        try:
+            current = utils.msec_time()
+            duration = current - request._received_at
+            metrics_service.observe(
+                "request_duration",
+                duration,
+                labels=[("endpoint", endpoint)] + metrics_matchdict_labels,
+            )
+        except AttributeError:  # pragma: no cover
+            # Logging was not setup in this Kinto app (unlikely but possible)
+            pass
+
+        # Observe response size.
+        metrics_service.observe(
+            "request_size",
+            len(event.response.body or b""),
+            labels=[("endpoint", endpoint)] + metrics_matchdict_labels,
+        )
+
+        # Count authentication verifications.
+        if hasattr(request, "authn_type"):
+            metrics_service.count(f"authn_type.{request.authn_type}")
+
+        # Count view calls.
+        service = request.current_service
+        if service:
+            metrics_service.count(f"view.{service.name}.{request.method}")
+
+    config.add_subscriber(on_new_response, NewResponse)
+
+
 class EventActionFilter:
     def __init__(self, actions, config):
         actions = ACTIONS.from_string_list(actions)
@@ -518,11 +590,9 @@ def setup_listeners(config):
             listener_mod = config.maybe_dotted(module_value)
             listener = listener_mod.load_from_config(config, prefix)
 
-        # If StatsD is enabled, monitor execution time of listeners.
-        if getattr(config.registry, "statsd", None):
-            statsd_client = config.registry.statsd
-            key = f"listeners.{name}"
-            listener = statsd_client.timer(key)(listener.__call__)
+        wrapped_listener = metrics.listener_with_timer(
+            config, f"listeners.{name}", listener.__call__
+        )
 
         # Optional filter by event action.
         actions_setting = prefix + "actions"
@@ -548,11 +618,11 @@ def setup_listeners(config):
         options = dict(for_actions=actions, for_resources=resource_names)
 
         if ACTIONS.READ in actions:
-            config.add_subscriber(listener, ResourceRead, **options)
+            config.add_subscriber(wrapped_listener, ResourceRead, **options)
             actions = [a for a in actions if a != ACTIONS.READ]
 
         if len(actions) > 0:
-            config.add_subscriber(listener, ResourceChanged, **options)
+            config.add_subscriber(wrapped_listener, ResourceChanged, **options)
 
 
 def load_default_settings(config, default_settings):

kinto/core/metrics.py

@@ -0,0 +1,93 @@
+import types
+
+from zope.interface import Interface, implementer
+
+from kinto.core import utils
+
+
+class IMetricsService(Interface):
+    """
+    An interface that defines the metrics service contract.
+    Any class implementing this must provide all its methods.
+    """
+
+    def timer(key):
+        """
+        Watch execution time.
+        """
+
+    def observe(self, key, value, labels=[]):
+        """
+        Observe a give `value` for the specified `key`.
+        """
+
+    def count(key, count=1, unique=None):
+        """
+        Count occurrences. If `unique` is set, overwrites the counter value
+        on each call.
+
+        `unique` should be of type ``list[tuple[str,str]]``.
+        """
+
+
+class NoOpTimer:
+    def __call__(self, f):
+        @utils.safe_wraps(f)
+        def _wrapped(*args, **kwargs):
+            return f(*args, **kwargs)
+
+        return _wrapped
+
+    def __enter__(self):
+        pass
+
+    def __exit__(self, *args, **kwargs):
+        pass
+
+
+@implementer(IMetricsService)
+class NoOpMetricsService:
+    def timer(self, key):
+        return NoOpTimer()
+
+    def observe(self, key, value, labels=[]):
+        pass
+
+    def count(self, key, count=1, unique=None):
+        pass
+
+
+def watch_execution_time(metrics_service, obj, prefix="", classname=None):
+    """
+    Decorate all methods of an object in order to watch their execution time.
+    Metrics will be named `{prefix}.{classname}.{method}`.
+    """
+    classname = classname or utils.classname(obj)
+    members = dir(obj)
+    for name in members:
+        value = getattr(obj, name)
+        is_method = isinstance(value, types.MethodType)
+        if not name.startswith("_") and is_method:
+            statsd_key = f"{prefix}.{classname}.{name}"
+            decorated_method = metrics_service.timer(statsd_key)(value)
+            setattr(obj, name, decorated_method)
+
+
+def listener_with_timer(config, key, func):
+    """
+    Add a timer with the specified `key` on the specified `func`.
+    This is used to avoid evaluating `config.registry.metrics` during setup time
+    to avoid having to deal with initialization order and configuration committing.
+    """
+
+    def wrapped(*args, **kwargs):
+        metrics_service = config.registry.metrics
+        if not metrics_service:
+            # This only happens if `kinto.core.initialization.setup_metrics` is
+            # not listed in the `initialization_sequence` setting.
+            return func(*args, **kwargs)
+        # If metrics are enabled, monitor execution time of listeners.
+        with metrics_service.timer(key):
+            return func(*args, **kwargs)
+
+    return wrapped

kinto/core/openapi.py

@@ -1,6 +1,5 @@
-from cornice_swagger import CorniceSwagger
-from cornice_swagger.converters.schema import TypeConverter
-
+from kinto.core.cornice_swagger import CorniceSwagger
+from kinto.core.cornice_swagger.converters.schema import TypeConverter
 from kinto.core.schema import Any
 
 

kinto/core/permission/memory.py

@@ -98,8 +98,9 @@ class Permission(PermissionBase):
         candidates = []
         if bound_permissions is None:
             for key, value in self._store.items():
-                _, object_id, permission = key.split(":", 2)
-                candidates.append((object_id, permission, value))
+                if key.startswith("permission:"):
+                    _, object_id, permission = key.split(":", 2)
+                    candidates.append((object_id, permission, value))
         else:
             for pattern, perm in bound_permissions:
                 id_match = ".*" if with_children else "[^/]+"

kinto/core/permission/postgresql/__init__.py

@@ -246,7 +246,7 @@ class Permission(PermissionBase, MigratorMixin):
 
         query = f"""
         WITH required_perms AS (
-          VALUES {','.join(perm_values)}
+          VALUES {",".join(perm_values)}
         )
         SELECT principal
           FROM required_perms JOIN access_control_entries
@@ -292,14 +292,14 @@ class Permission(PermissionBase, MigratorMixin):
                 object_id_condition = "object_id LIKE pattern"
             else:
                 object_id_condition = (
-                    "object_id LIKE pattern " "AND object_id NOT LIKE pattern || '/%'"
+                    "object_id LIKE pattern AND object_id NOT LIKE pattern || '/%'"
                 )
             query = f"""
             WITH required_perms AS (
-              VALUES {','.join(perm_values)}
+              VALUES {",".join(perm_values)}
             ),
             user_principals AS (
-              VALUES {','.join(principals_values)}
+              VALUES {",".join(principals_values)}
             ),
             potential_objects AS (
               SELECT object_id, permission, required_perms.column1 AS pattern
@@ -341,7 +341,7 @@ class Permission(PermissionBase, MigratorMixin):
 
         query = f"""
         WITH required_perms AS (
-          VALUES {','.join(perms_values)}
+          VALUES {",".join(perms_values)}
         ),
         allowed_principals AS (
           SELECT principal
@@ -349,7 +349,7 @@ class Permission(PermissionBase, MigratorMixin):
               ON (object_id = column1 AND permission = column2)
         ),
         required_principals AS (
-          VALUES {','.join(principals_values)}
+          VALUES {",".join(principals_values)}
         )
         SELECT COUNT(*) AS matched
           FROM required_principals JOIN allowed_principals
@@ -412,7 +412,7 @@ class Permission(PermissionBase, MigratorMixin):
         if not new_aces:
             query = f"""
             WITH specified_perms AS (
-              VALUES {','.join(specified_perms)}
+              VALUES {",".join(specified_perms)}
             )
             DELETE FROM access_control_entries
              USING specified_perms
@@ -422,7 +422,7 @@ class Permission(PermissionBase, MigratorMixin):
         else:
             query = f"""
             WITH specified_perms AS (
-              VALUES {','.join(specified_perms)}
+              VALUES {",".join(specified_perms)}
             ),
             delete_specified AS (
               DELETE FROM access_control_entries
@@ -435,7 +435,7 @@ class Permission(PermissionBase, MigratorMixin):
               UNION SELECT :object_id
             ),
             new_aces AS (
-              VALUES {','.join(new_aces)}
+              VALUES {",".join(new_aces)}
             )
             INSERT INTO access_control_entries(object_id, permission, principal)
               SELECT DISTINCT d.object_id, n.column1, n.column2