kinto 23.2.1__py3-none-any.whl

kinto/views/permissions.py

@@ -0,0 +1,235 @@
+import re
+
+import colander
+from pyramid.settings import aslist
+
+from kinto.authorization import PERMISSIONS_INHERITANCE_TREE
+from kinto.core import resource
+from kinto.core import utils as core_utils
+from kinto.core.storage import Sort
+from kinto.core.storage.memory import extract_object_set
+
+
+def allowed_from_settings(settings, principals):
+    """Returns every permissions allowed from settings for the current user.
+    :param settings dict: app settings
+    :param principals list: list of principals of current user
+    :rtype: dict
+
+    Result example::
+
+        {
+            "bucket": {"write", "collection:create"},
+            "collection": {"read"}
+        }
+
+    XXX: This helper will be useful for Kinto/kinto#894
+    """
+    # Select settings about explicit permissions set on resources
+    # bucket_write_principals = ... --> {("bucket", "write"): ["account:admin"]}
+    perms_settings = {
+        tuple(k.split("_", 3)[:2]): aslist(v)
+        for k, v in settings.items()
+        if re.match("(.+)_(create|write|read)_principals", k)
+    }
+
+    from_settings = {}
+    for (resource_name, permission), allowed_principals in perms_settings.items():
+        # Keep the known permissions only.
+        if resource_name not in PERMISSIONS_INHERITANCE_TREE.keys():
+            continue
+        # Keep the permissions of the current user only.
+        if not bool(set(principals) & set(allowed_principals)):
+            continue
+        # ``collection_create_principals`` means ``collection:create`` in bucket.
+        if permission == "create":
+            permission = f"{resource_name}:{permission}"
+            resource_name = {  # resource parents.
+                "collection": "bucket",
+                "group": "bucket",
+                "record": "collection",
+                "bucket": "root",
+                "account": "root",
+            }.get(resource_name, "")
+        # Store them in a convenient way.
+        from_settings.setdefault(resource_name, set()).add(permission)
+    return from_settings
+
+
+class PermissionsModel:
+    id_field = "id"
+    modified_field = "last_modified"
+    deleted_field = "deleted"
+
+    def __init__(self, request):
+        self.request = request
+
+    def timestamp(self, parent_id=None):
+        return 0
+
+    def get_objects(
+        self,
+        filters=None,
+        sorting=None,
+        pagination_rules=None,
+        limit=None,
+        include_deleted=False,
+        parent_id=None,
+    ):
+        objects, _ = self._get_objects(
+            filters=filters,
+            sorting=sorting,
+            pagination_rules=pagination_rules,
+            limit=limit,
+            include_deleted=include_deleted,
+            parent_id=parent_id,
+        )
+        return objects
+
+    def count_objects(self, filters=None, parent_id=None):
+        _, count = self._get_objects(filters=filters, parent_id=parent_id)
+        return count
+
+    def _get_objects(
+        self,
+        filters=None,
+        sorting=None,
+        pagination_rules=None,
+        limit=None,
+        include_deleted=False,
+        parent_id=None,
+    ):
+        # Invert the permissions inheritance tree.
+        perms_descending_tree = {}
+        for on_resource, tree in PERMISSIONS_INHERITANCE_TREE.items():
+            for obtained_perm, obtained_from in tree.items():
+                for from_resource, perms in obtained_from.items():
+                    for perm in perms:
+                        perms_descending_tree.setdefault(from_resource, {}).setdefault(
+                            perm, {}
+                        ).setdefault(on_resource, set()).add(obtained_perm)
+
+        # Obtain current principals.
+        principals = self.request.prefixed_principals
+
+        # Query every possible permission of the current user from backend.
+        backend = self.request.registry.permission
+        perms_by_object_uri = backend.get_accessible_objects(principals)
+
+        # Check settings for every allowed resources.
+        from_settings = allowed_from_settings(self.request.registry.settings, principals)
+
+        # Add additional resources and permissions defined in settings/plugins
+        for root_perm in from_settings.get("root", []):
+            resource_name, _ = root_perm.split(":")
+            perms_by_object_uri.setdefault("/", set()).add(root_perm)
+            perms_descending_tree.setdefault("root", {}).update({root_perm: {"root": {root_perm}}})
+
+        # Expand permissions obtained from backend with the object URIs that
+        # correspond to permissions allowed from settings.
+        allowed_resources = {"bucket", "collection", "group"} & set(from_settings.keys())
+        if allowed_resources:
+            storage = self.request.registry.storage
+            every_bucket = storage.list_all(parent_id="", resource_name="bucket")
+            for bucket in every_bucket:
+                bucket_uri = "/buckets/{id}".format_map(bucket)
+                for res in allowed_resources:
+                    resource_perms = from_settings[res]
+                    # Bucket is always fetched.
+                    if res == "bucket":
+                        perms_by_object_uri.setdefault(bucket_uri, set()).update(resource_perms)
+                        continue
+                    # Fetch bucket collections and groups.
+                    # XXX: wrong approach: query in a loop!
+                    every_subobjects = storage.list_all(parent_id=bucket_uri, resource_name=res)
+                    for subobject in every_subobjects:
+                        subobj_uri = bucket_uri + f"/{res}s/{subobject['id']}"
+                        perms_by_object_uri.setdefault(subobj_uri, set()).update(resource_perms)
+
+        entries = []
+        for object_uri, perms in perms_by_object_uri.items():
+            try:
+                # Obtain associated res from object URI
+                resource_name, matchdict = core_utils.view_lookup(self.request, object_uri)
+            except ValueError:
+                # Skip permissions entries that are not linked to an object URI
+                continue
+
+            # For consistency with event payloads, if resource has an id,
+            # prefix it with its resource name
+            if "id" in matchdict:
+                matchdict[resource_name + "_id"] = matchdict["id"]
+
+            # The imaginary "root" resource gets mapped to the hello
+            # view. Handle it explicitly.
+            if resource_name == "hello":
+                resource_name = "root"
+
+            # Expand implicit permissions using descending tree.
+            permissions = set(perms)
+            for perm in perms:
+                obtained = perms_descending_tree[resource_name][perm]
+                # Related to same resource only and not every sub-objects.
+                # (e.g "bucket:write" gives "bucket:read" but not "group:read")
+                permissions |= obtained[resource_name]
+
+            entry = dict(
+                uri=object_uri,
+                resource_name=resource_name,
+                permissions=list(permissions),
+                **matchdict,
+            )
+            entries.append(entry)
+
+        return extract_object_set(
+            entries,
+            filters=filters,
+            sorting=sorting,
+            id_field="uri",
+            pagination_rules=pagination_rules,
+            limit=limit,
+        )
+
+
+class PermissionsSchema(resource.ResourceSchema):
+    uri = colander.SchemaNode(colander.String())
+    resource_name = colander.SchemaNode(colander.String())
+    permissions = colander.Sequence(colander.SchemaNode(colander.String()))
+    bucket_id = colander.SchemaNode(colander.String())
+    collection_id = colander.SchemaNode(colander.String(), missing=colander.drop)
+    group_id = colander.SchemaNode(colander.String(), missing=colander.drop)
+    record_id = colander.SchemaNode(colander.String(), missing=colander.drop)
+
+    class Options:
+        preserve_unknown = False
+
+
+@resource.register(
+    name="permissions",
+    description="List of user permissions",
+    plural_path="/permissions",
+    object_path=None,
+    plural_methods=("HEAD", "GET"),
+)
+class Permissions(resource.Resource):
+    schema = PermissionsSchema
+
+    def __init__(self, request, context=None):
+        super().__init__(request, context)
+        self.model = PermissionsModel(request)
+
+    def _extract_sorting(self, limit):
+        # Permissions entries are not stored with timestamp, so do not
+        # force it.
+        result = super()._extract_sorting(limit)
+        without_last_modified = [s for s in result if s.field != self.model.modified_field]
+        # For pagination, there must be at least one sort criteria.
+        # We use ``uri`` because its values are unique.
+        if "uri" not in [s.field for s in without_last_modified]:
+            without_last_modified.append(Sort("uri", -1))
+        return without_last_modified
+
+    def _extract_filters(self):
+        result = super()._extract_filters()
+        without_last_modified = [s for s in result if s.field != self.model.modified_field]
+        return without_last_modified

kinto/views/records.py

@@ -0,0 +1,133 @@
+from pyramid.authorization import Authenticated
+from pyramid.settings import asbool
+
+from kinto.core import resource, utils
+from kinto.core.errors import raise_invalid
+from kinto.schema_validation import (
+    RefResolutionError,
+    ValidationError,
+    validate_from_bucket_schema_or_400,
+    validate_schema,
+)
+from kinto.views import object_exists_or_404
+
+
+_parent_path = "/buckets/{{bucket_id}}/collections/{{collection_id}}"
+
+
+@resource.register(
+    name="record",
+    plural_path=_parent_path + "/records",
+    object_path=_parent_path + "/records/{{id}}",
+)
+class Record(resource.Resource):
+    schema_field = "schema"
+
+    def __init__(self, request, **kwargs):
+        # Before all, first check that the parent collection exists.
+        # Check if already fetched before (in batch).
+        collections = request.bound_data.setdefault("collections", {})
+        collection_uri = self.get_parent_id(request)
+        if collection_uri not in collections:
+            # Unknown yet, fetch from storage.
+            bucket_uri = utils.instance_uri(request, "bucket", id=self.bucket_id)
+            collection = object_exists_or_404(
+                request,
+                resource_name="collection",
+                parent_id=bucket_uri,
+                object_id=self.collection_id,
+            )
+            collections[collection_uri] = collection
+        self._collection = collections[collection_uri]
+
+        super().__init__(request, **kwargs)
+
+    def get_parent_id(self, request):
+        self.bucket_id = request.matchdict["bucket_id"]
+        self.collection_id = request.matchdict["collection_id"]
+        return utils.instance_uri(
+            request, "collection", bucket_id=self.bucket_id, id=self.collection_id
+        )
+
+    def process_object(self, new, old=None):
+        """Validate records against collection or bucket schema, if any."""
+        new = super().process_object(new, old)
+
+        # Is schema validation enabled?
+        settings = self.request.registry.settings
+        schema_validation = "experimental_collection_schema_validation"
+        if not asbool(settings.get(schema_validation)):
+            return new
+
+        # Remove internal and auto-assigned fields from schemas and record.
+        ignored_fields = (
+            self.model.modified_field,
+            self.schema_field,
+            self.model.permissions_field,
+        )
+
+        # The schema defined on the collection will be validated first.
+        if "schema" in self._collection:
+            schema = self._collection["schema"]
+            try:
+                validate_schema(
+                    new, schema, ignore_fields=ignored_fields, id_field=self.model.id_field
+                )
+            except ValidationError as e:
+                raise_invalid(self.request, name=e.field, description=e.message)
+            except RefResolutionError as e:
+                raise_invalid(self.request, name="schema", description=str(e))
+
+            # Assign the schema version to the record.
+            schema_timestamp = self._collection[self.model.modified_field]
+            new[self.schema_field] = schema_timestamp
+
+        # Validate also from the record:schema field defined on the bucket.
+        validate_from_bucket_schema_or_400(
+            new,
+            resource_name="record",
+            request=self.request,
+            ignore_fields=ignored_fields,
+            id_field=self.model.id_field,
+        )
+
+        return new
+
+    def plural_get(self):
+        result = super().plural_get()
+        self._handle_cache_expires(self.request.response)
+        return result
+
+    def get(self):
+        result = super().get()
+        self._handle_cache_expires(self.request.response)
+        return result
+
+    def _handle_cache_expires(self, response):
+        """If the parent collection defines a ``cache_expires`` attribute,
+        then cache-control response headers are sent.
+
+        .. note::
+
+            Those headers are also sent if the
+            ``kinto.record_cache_expires_seconds`` setting is defined.
+        """
+        is_anonymous = Authenticated not in self.request.effective_principals
+        if not is_anonymous:
+            return
+
+        cache_expires = self._collection.get("cache_expires")
+        if cache_expires is None:
+            by_collection = f"{self.bucket_id}.{self.collection_id}.record_cache_expires_seconds"
+            by_bucket = f"{self.bucket_id}.record_cache_expires_seconds"
+            by_collection_legacy = (
+                f"{self.bucket_id}_{self.collection_id}_record_cache_expires_seconds"
+            )
+            by_bucket_legacy = f"{self.bucket_id}_record_cache_expires_seconds"
+            settings = self.request.registry.settings
+            for s in (by_collection, by_bucket, by_collection_legacy, by_bucket_legacy):
+                cache_expires = settings.get(s)
+                if cache_expires is not None:
+                    break
+        if cache_expires is not None:
+            response.cache_expires(seconds=int(cache_expires))

kinto-23.2.1.dist-info/METADATA

@@ -0,0 +1,232 @@
+Metadata-Version: 2.4
+Name: kinto
+Version: 23.2.1
+Summary: Kinto Web Service - Store, Sync, Share, and Self-Host.
+Author-email: Mozilla Services <developers@kinto-storage.org>
+License: Copyright 2012 - Mozilla Foundation
+        
+        Licensed under the Apache License, Version 2.0 (the "License");
+        you may not use this file except in compliance with the License.
+        You may obtain a copy of the License at
+        
+            http://www.apache.org/licenses/LICENSE-2.0
+        
+        Unless required by applicable law or agreed to in writing, software
+        distributed under the License is distributed on an "AS IS" BASIS,
+        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+        See the License for the specific language governing permissions and
+        limitations under the License.
+        
+Project-URL: Repository, https://github.com/Kinto/kinto
+Keywords: web,sync,json,storage,services
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: Implementation :: CPython
+Classifier: Topic :: Internet :: WWW/HTTP
+Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
+Classifier: License :: OSI Approved :: Apache Software License
+Description-Content-Type: text/x-rst
+License-File: LICENSE
+Requires-Dist: bcrypt
+Requires-Dist: colander
+Requires-Dist: dockerflow
+Requires-Dist: jsonschema
+Requires-Dist: jsonpatch
+Requires-Dist: logging-color-formatter
+Requires-Dist: python-dateutil
+Requires-Dist: pyramid
+Requires-Dist: pyramid_multiauth
+Requires-Dist: transaction
+Requires-Dist: pyramid_tm
+Requires-Dist: requests
+Requires-Dist: waitress
+Requires-Dist: python-rapidjson
+Provides-Extra: redis
+Requires-Dist: kinto_redis; extra == "redis"
+Provides-Extra: memcached
+Requires-Dist: python-memcached; extra == "memcached"
+Provides-Extra: postgresql
+Requires-Dist: SQLAlchemy<3; extra == "postgresql"
+Requires-Dist: psycopg2-binary; extra == "postgresql"
+Requires-Dist: zope.sqlalchemy; extra == "postgresql"
+Provides-Extra: monitoring
+Requires-Dist: newrelic; extra == "monitoring"
+Requires-Dist: sentry-sdk[sqlalchemy]; extra == "monitoring"
+Requires-Dist: statsd; extra == "monitoring"
+Requires-Dist: werkzeug; extra == "monitoring"
+Requires-Dist: prometheus-client; extra == "monitoring"
+Provides-Extra: test
+Requires-Dist: bravado; extra == "test"
+Requires-Dist: pytest; extra == "test"
+Requires-Dist: pytest-cache; extra == "test"
+Requires-Dist: pytest-cov; extra == "test"
+Requires-Dist: playwright; extra == "test"
+Requires-Dist: webtest; extra == "test"
+Provides-Extra: dev
+Requires-Dist: build; extra == "dev"
+Requires-Dist: ruff; extra == "dev"
+Requires-Dist: twine; extra == "dev"
+Requires-Dist: uwsgi; extra == "dev"
+Dynamic: license-file
+
+Kinto
+=====
+
+|coc| |gitter| |readthedocs| |pypi| |ci| |main-coverage|
+
+.. |coc| image:: https://img.shields.io/badge/%E2%9D%A4-code%20of%20conduct-blue.svg
+    :target: https://github.com/Kinto/kinto/blob/main/.github/CODE_OF_CONDUCT.md
+    :alt: Code of conduct
+
+.. |gitter| image:: https://badges.gitter.im/Kinto/kinto.svg
+    :target: https://gitter.im/Kinto/kinto
+
+.. |ci| image:: https://github.com/Kinto/kinto/actions/workflows/test.yml/badge.svg
+    :target: https://github.com/Kinto/kinto/actions
+
+.. |readthedocs| image:: https://readthedocs.org/projects/kinto/badge/?version=latest
+    :target: https://kinto.readthedocs.io/en/latest/
+    :alt: Documentation Status
+
+.. |main-coverage| image::
+    https://coveralls.io/repos/Kinto/kinto/badge.svg?branch=main
+    :alt: Coverage
+    :target: https://coveralls.io/r/Kinto/kinto
+
+.. |pypi| image:: https://img.shields.io/pypi/v/kinto.svg
+    :target: https://pypi.python.org/pypi/kinto
+
+
+Kinto is a minimalist JSON storage service with synchronisation and sharing abilities.
+
+* `Online documentation <https://kinto.readthedocs.io/en/latest/>`_
+* `Tutorial <https://kinto.readthedocs.io/en/latest/tutorials/first-steps.html>`_
+* `Issue tracker <https://github.com/Kinto/kinto/issues>`_
+* `Contributing <https://kinto.readthedocs.io/en/latest/community.html#how-to-contribute>`_
+* `Docker Hub <https://hub.docker.com/r/kinto/kinto-server>`_
+
+Requirements
+------------
+
+* **Python**: 3.9+
+* **Backends**: In-memory (development), PostgreSQL 9.5+ (production)
+
+Contributors
+============
+
+* Aaron Egaas <me@aaronegaas.com>
+* Adam Chainz <adam@adamj.eu>
+* Aditya Bhasin <conlini@gmail.com>
+* Aiman Parvaiz <aimanparvaiz@gmail.com>
+* Ajey B. Kulkarni <bkajey@gmail.com>
+* Anh <anh.trinhtrung@gmail.com>
+* Alexander Ryabkov <alexryabkov@gmail.com>
+* Alexis Metaireau <alexis@mozilla.com>
+* Alex Cottner <acottner@mozilla.com>
+* Andy McKay <amckay@mozilla.com>
+* Anthony Garuccio <garuccio124@gmail.com>
+* Aymeric Faivre <miho@miho-stories.com>
+* Ayush Sharma <ayush.aceit@gmail.com>
+* Balthazar Rouberol <br@imap.cc>
+* Boris Feld <lothiraldan@gmail.com>
+* Brady Dufresne <dufresnebrady@gmail.com>
+* Can Berk Güder <cbguder@mozilla.com>
+* Castro
+* Chirag B. Jadwani <chirag.jadwani@gmail.com>
+* Christophe Gragnic <cgragnic@protonmail.com>
+* Clément Villain <choclatefr@gmail.com>
+* Dan Phrawzty <phrawzty+github@gmail.com>
+* David Larlet <david@larlet.fr>
+* Emamurho Ugherughe <emamurho@gmail.com>
+* Enguerran Colson <enguerran@ticabri.com>
+* Eric Bréhault <ebrehault@gmail.com>
+* Eric Le Lay <elelay@macports.org>
+* Éric Lemoine <eric.lemoine@gmail.com>
+* Ethan Glasser-Camp <ethan@betacantrips.com>
+* Étienne <@Étienne>
+* Eugene Kulak <kulak.eugene@gmail.com>
+* Fil <fil@rezo.net>
+* FooBarQuaxx
+* Francisco J. Piedrahita <@fpiedrah>
+* Frank Bertsch <frank@mozilla.com>
+* Greeshma <greeshmabalabadra@gmail.com>
+* Gabriela Surita <gabsurita@gmail.com>
+* George Smith <h3rmit@protonmail.com>
+* Graham Beckley <gbeckley@mozilla.com>
+* Greg Guthe <gguthe@mozilla.com>
+* Haseeb Majid <hmajid2301@gmail.com>
+* Heron Rossi <heron.rossi@hotmail.com>
+* Hiromipaw <silvia@nopressure.co.uk>
+* Indranil Dutta <duttaindranil497@gmail.com>
+* Itai Steinherz <itaisteinherz@gmail.com>
+* Jelmer van der Ploeg <jelmer@woovar.com>
+* Joël Marty <@joelmarty>
+* John Giannelos <johngiannelos@gmail.com>
+* Joshua Bird <joshua.thomas.bird@gmail.com>
+* Julien Bouquillon <contact@revolunet.com>
+* Julien Lebunetel <julien@lebunetel.com>
+* Kaloneh <kaloneh@gmail.com>
+* Kulshekhar Kabra <@kulshekhar>
+* Lavish Aggarwal <lucky.lavish@gmail.com>
+* Maksym Shalenyi <supamaxy@gmail.com>
+* Manas Mangaonkar <@Pac23>
+* Mansimar Kaur <mansimarkaur.mks@gmail.com>
+* Masataka Takeuchi <masataka.takeuchi@l-is-b.com>
+* Mathieu Agopian <mathieu@agopian.info>
+* Mathieu Leplatre <mathieu@mozilla.com>
+* Matt Boris <mboris@mozilla.com>
+* Maxime Warnier <marmax@gmail.com>
+* Michael Charlton <m.charlton@mac.com>
+* Michiel de Jong <michiel@unhosted.org>
+* Mo Valipour <valipour@gmail.com>
+* Mozillazg
+* Nicolas Hoizey <nicolas@hoizey.com>
+* Nicolas Perriault <nperriault@mozilla.com>
+* Niraj <https://github.com/niraj8>
+* Oron Gola <oron.golar@gmail.com>
+* Palash Nigam <npalash25@gmail.com>
+* Pascal Roessner <roessner.pascal@gmail.com>
+* PeriGK <per.gkolias@gmail.com>
+* Peter Bengtsson <mail@peterbe.com>
+* Peter Rassias <ubcpeter@hotmail.com>
+* realsumit <sumitsarinofficial@gmail.com>
+* Rektide <rektide@voodoowarez.com>
+* Rémy Hubscher <rhubscher@mozilla.com>
+* Renisha Nellums <r.nellums@gmail.com>
+* Ricardo <@rkleine>
+* Rodolphe Quiédeville <rodolphe@quiedeville.org>
+* Sahil Dua <sahildua2305@gmail.com>
+* Sebastian Rodriguez <srodrigu85@gmail.com>
+* Sergey Maranchuk <https://github.com/slav0nic/>
+* Stanisław Wasiutyński <https://github.com/stanley>
+* Stephen Daves <contact@stephendaves.com>
+* Stephen Donner <stephen.donner@gmail.com>
+* Stephen Martin <lockwood@opperline.com>
+* Shweta Oak <oakshweta11@gmail.com>
+* Sofia Utsch <sofia.utsch@gmail.com>
+* Sumit Sarin <sumitsarinofficial@gmail.com>
+* Sunakshi Tejwani <sunakshitejwani@gmail.com>
+* Surya Prashanth <prashantsurya@ymail.com>
+* SwhGo_oN <@swhgoon>
+* Tarek Ziade <tarek@mozilla.com>
+* Taus Brock-Nannestad <taus@semmle.com>
+* Taylor Zane Glaeser <tzglaeser@gmail.com>
+* Thomas Dressler <Thomas.Dressler1@gmail.com>
+* Tiberiu Ichim <@tiberiuichim>
+* Vamsi Sangam <vamsisangam@live.com>
+* Varna Suresh <varna96@gmail.com>
+* Vincent Fretin <@vincentfretin>
+* Vitor Falcao <vitor.falcaor@gmail.com>
+* Wil Clouser <wclouser@mozilla.com>
+* Yann Klis <yann.klis@gmail.com>
+* Jeff Schobelock <jswhatnot15@gmail.com>
+* Shivasheesh Yadav <shivasheeshyadav@gmail.com>
+* Fabian Chong <@feiming>
+* Dan Milgram <danm@intervivo.com>
+* Dex Devlon <@bxff>
+* Varun Koranne <@varun-dhruv>
+* Robin Sharma <robinrythm123@gmail.com>