oarepo-runtime 1.5.97__tar.gz → 1.5.100__tar.gz

{oarepo_runtime-1.5.97/oarepo_runtime.egg-info → oarepo_runtime-1.5.100}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: oarepo-runtime
-Version: 1.5.97
+Version: 1.5.100
 Summary: A set of runtime extensions of Invenio repository
 Description-Content-Type: text/markdown
 License-File: LICENSE

{oarepo_runtime-1.5.97 → oarepo_runtime-1.5.100}/oarepo_runtime/cli/__init__.py

@@ -4,6 +4,7 @@ from .check import check
 from .configuration import configuration_command
 from .fixtures import fixtures
 from .index import index
+from .permissions import permissions
 from .validate import validate
 
 __all__ = (
@@ -15,4 +16,5 @@ __all__ = (
     "validate",
     "fixtures",
     "configuration_command",
+    "permissions",
 )

oarepo_runtime-1.5.100/oarepo_runtime/cli/permissions/__init__.py

@@ -0,0 +1,6 @@
+from .base import permissions
+from .evaluate import evaluate_permissions  # noqa
+from .list import list_permissions  # noqa
+from .search import search_permissions  # noqa
+
+__all__ = ["permissions"]

oarepo_runtime-1.5.100/oarepo_runtime/cli/permissions/base.py

@@ -0,0 +1,25 @@
+from flask import current_app
+from flask_principal import Identity, identity_loaded
+from invenio_access.models import User
+
+from ..base import oarepo
+
+
+@oarepo.group()
+def permissions():
+    """Commands for checking and explaining permissions."""
+
+
+def get_user_and_identity(user_id_or_email):
+    try:
+        user_id = int(user_id_or_email)
+        user = User.query.filter_by(id=user_id).one()
+    except ValueError:
+        user = User.query.filter_by(email=user_id_or_email).one()
+
+    identity = Identity(user.id)
+    api_app = current_app.wsgi_app.mounts["/api"]
+    with api_app.app_context():
+        with current_app.test_request_context("/api"):
+            identity_loaded.send(api_app, identity=identity)
+    return user, identity

oarepo_runtime-1.5.100/oarepo_runtime/cli/permissions/evaluate.py

@@ -0,0 +1,63 @@
+import json
+
+import click
+from invenio_records_permissions.policies.records import RecordPermissionPolicy
+from invenio_records_resources.proxies import current_service_registry
+
+from oarepo_runtime.info.permissions.debug import add_debugging
+
+from .base import get_user_and_identity, permissions
+
+
+@permissions.command(name="evaluate")
+@click.argument("user_id_or_email")
+@click.argument("service_name")
+@click.argument("record_id", required=False)
+@click.option("--data", "-d", help="Data to pass to the policy check")
+@click.option("--explain/--no-explain", default=False)
+@click.option("--draft/--published", default=False)
+def evaluate_permissions(
+    user_id_or_email: str,
+    service_name: str,
+    record_id: str | None = None,
+    data: str | None = None,
+    explain: bool = False,
+    draft: bool = False,
+):
+    """Evaluate permissions for a given workflow, community or service."""
+    service = current_service_registry.get(service_name)
+    user, identity = get_user_and_identity(user_id_or_email)
+
+    over = {}
+    if record_id:
+        if draft:
+            over["record"] = service.config.draft_cls.pid.resolve(
+                record_id, registered_only=False
+            )
+        else:
+            over["record"] = service.config.record_cls.pid.resolve(record_id)
+    if data:
+        over["data"] = json.loads(data)
+
+    if explain:
+        over["debug_identity"] = identity
+        add_debugging()
+
+    policy_cls = service.config.permission_policy_cls
+    click.secho(f"Policy: {policy_cls}")
+
+    for action_name in dir(policy_cls):
+        if not action_name.startswith("can_"):
+            continue
+
+        policy: RecordPermissionPolicy = policy_cls(action_name[4:], **over)
+        if explain:
+            click.secho()
+            click.secho(f"## {action_name}")
+        try:
+            if policy.allows(identity):
+                click.secho(f"{action_name}: True", fg="green")
+            else:
+                click.secho(f"{action_name}: False", fg="red")
+        except Exception as e:
+            click.secho(f"{action_name}: {e}", fg="yellow")

oarepo_runtime-1.5.100/oarepo_runtime/cli/permissions/list.py

@@ -0,0 +1,239 @@
+from typing import get_type_hints
+
+import click
+
+from oarepo_runtime.info.permissions.debug import add_debugging
+
+from .base import permissions
+
+
+@permissions.command(name="list")
+@click.option("--workflow", "-w", help="Workflow name")
+@click.option("--community", "-c", help="Community name")
+@click.option("--service", "-s", help="Service name")
+def list_permissions(workflow, community, service):
+    """List all permissions for a given workflow, community or service."""
+    # intentionally import here to enable oarepo-runtime to be used
+    # without oarepo-workflows and oarepo-communities
+    from invenio_communities.communities.records.api import Community
+    from invenio_communities.communities.records.models import CommunityMetadata
+    from oarepo_workflows.proxies import current_oarepo_workflows
+
+    if workflow:
+        wf = current_oarepo_workflows.record_workflows[workflow]
+        permission_policy = wf.permission_policy_cls
+    elif community:
+        community_db = CommunityMetadata.query.filter_by(slug=community).one()
+        community_obj = Community(community_db.data, model=community_db)
+        workflow = community_obj["custom_fields"].get("workflow", "default")
+        wf = current_oarepo_workflows.record_workflows[workflow]
+        permission_policy = wf.permission_policy_cls
+    elif service:
+        from invenio_records_resources.proxies import current_service_registry
+
+        swc = current_service_registry.get(service)
+        permission_policy = swc.config.permission_policy_cls
+    else:
+        raise click.UsageError(
+            "You must specify either --workflow, --community or --service."
+        )
+
+    add_debugging()
+
+    p = permission_policy("read")
+
+    for action_name in dir(permission_policy):
+        if not action_name.startswith("can_"):
+            continue
+        action_permission_generators = getattr(p, action_name)
+        debugs = []
+        for x in action_permission_generators:
+            debugs.append(x.to_debug_dict())
+
+        print("")
+        print(f"## {action_name}")
+        print(get_permission_documentation(permission_policy, action_name))
+        for perm in debugs:
+            print_permission_markdown(perm)
+
+
+def is_simple_dict(d):
+    return all(isinstance(v, (str, int, float, bool)) for v in d.values())
+
+
+def format_simple_dict_values(d):
+    # returns k=v, k=v, ...
+    return ", ".join(f"{k}={v}" for k, v in d.items())
+
+
+def print_permission_markdown(p, level=0):
+    for k, v in p.items():
+        prologue = "  " * level + f"- {k}"
+        if v is None or v == {} or v == []:
+            print(prologue)
+            continue
+        elif isinstance(v, dict):
+            if is_simple_dict(v):
+                print(f"{prologue}: {format_simple_dict_values(v)}")
+            else:
+                print(prologue)
+                print_permission_markdown(v, level + 1)
+        elif isinstance(v, list):
+            print(prologue)
+            for x in v:
+                print_permission_markdown(x, level + 1)
+        else:
+            print("  " * (level + 1) + f"{v}")
+
+
+def get_permission_documentation(policy, permission_can_name):
+    type_hints = get_type_hints(policy, include_extras=True)
+    annotation = type_hints.get(permission_can_name)
+    if annotation:
+        for md in annotation.__metadata__:
+            if isinstance(md, str):
+                return md
+    ret = default_permissions_documentation.get(permission_can_name, "")
+    return "\n".join(x.strip() for x in ret.split("\n"))
+
+
+default_permissions_documentation = {
+    # records
+    "can_create": """
+        Grants users the ability to create new records in the 
+        repository, often assigned to roles like submitters, owners, or curators.
+        The result of this action is typically a draft record.
+    """,
+    "can_read": """
+        Allows users to view or access records, with access 
+        possibly dependent on the record's state (e.g., draft or published) and the 
+        user's role.
+    """,
+    "can_read_deleted": """
+        Permission to view or access records, including soft-deleted ones. This 
+        permission is used to filter search results. It should include an 
+        `IfRecordDeleted` permission generator, which grants access to deleted 
+        records to a subset of users (e.g., owners, curators, etc.). For 
+        `service.read`, this permission is applied when record is deleted and 
+        `include_deleted` is passed; otherwise, a `RecordDeletedException` is raised.
+    """,
+    "can_search": """
+        Grants users the ability to search for records within the 
+        repository, typically available to all users. The search results are
+        filtered based on the can_read_deleted permission for published records (/api/datasets)
+        and the can_read_draft permission for draft records (/api/user/datasets).
+    """,
+    "can_update": """
+        Grants users the ability to update or modify published records.
+        In NRP repositories, this is normally disabled as updates are performed
+        on draft records, which are then published.
+    """,
+    "can_delete": """
+        Grants users the ability to delete records, often restricted 
+        to owners, curators, or specific roles, and dependent on the record's 
+        state (e.g., draft). For published records, the deletion is performed
+        via a specialized request, not directly.
+    """,
+    "can_new_version": """
+        Allows users to create a new version of a record. In NRP,
+        this is not used directly but always via a request, which is mostly
+        auto-approved.
+    """,
+    "can_edit": """
+        Grants users the ability to modify the metadata of a record. In NRP, this
+        is not used directly but always via a request, which is mostly auto-approved.
+    """,
+    "can_manage": """
+        Grants users the ability to manage records. Currently it is used just
+        for reindexing records with latest version first (reindex_latest_first)
+        service call, not mapped to REST API.
+    """,
+    "can_manage_record_access": """
+        Grants users the ability to manage record access.
+    """,
+    # draft records
+    "can_read_draft": """
+        Enables users to view or access draft records, typically equivalent to 
+        the general 'can_read' permission but specific to drafts.
+    """,
+    "can_delete_draft": """
+        Allows users to delete draft records, typically equivalent to the general 
+        'can_delete' permission but specific to drafts.
+    """,
+    "can_update_draft": """
+        Allows users to update draft records. It is typically granted to record
+        owner, but can be restricted by the record status (such as records submitted
+        to review being locked).
+    """,
+    "can_publish": """
+        Grants users the ability to publish records, making them publicly 
+        available or finalizing their state. In NRP repositories, this is
+        not used directly but always via a request.
+    """,
+    # files
+    "can_read_files": """
+        Grants users the ability to view or access file metadata associated with records, 
+        with access dependent on the record's state and the user's role.
+    """,
+    "can_create_files": """
+        Enables users to create new files within published records in the repository.
+        Normally disabled as files are created in draft records and then published.
+    """,
+    "can_delete_files": """
+        Enables users to delete files associated with published records in the repository.
+        Normally disabled as files can not be deleted from published records.
+    """,
+    "can_update_files": """
+        Enables users to update or modify files within published records in the repository.
+        Normally disabled as files are updated in draft records and then published.
+    """,
+    "can_commit_files": """
+        Allows users to finalize file upload to published records in the repository.
+        Normally disabled as files are uploaded to draft records and then published.
+    """,
+    "can_get_content_files": """
+        Allows users to access or retrieve the content of files on records published 
+        in the repository, with access depending on the record's state and the user's role.
+    """,
+    "can_manage_files": """
+        Grants users the ability to manage files (that is, change if the files are
+        required on the record or not).
+    """,
+    "can_read_deleted_files": """
+        Allows users to view or access files associated with deleted records, 
+        often restricted to specific conditions.
+    """,
+    "can_set_content_files": """
+        Enables users to upload files to published records. Normally disabled as files
+        are uploaded to draft records and then published.
+    """,
+    # draft files
+    "can_draft_read_files": """
+        Allows users to view or access file metadata associated with draft records,
+        typically equivalent to the general 'can_read_files' permission but specific
+        to drafts.
+    """,
+    "can_draft_create_files": """
+        Allows users to create files specifically for draft records.
+    """,
+    "can_draft_get_content_files": """
+        Allows users to access or retrieve the content of files on draft records.
+    """,
+    "can_draft_set_content_files": """
+        Allows users to upload files to draft records.
+    """,
+    "can_draft_commit_files": """
+        Allows users to finalize file upload to draft records.
+    """,
+    "can_draft_update_files": """
+        Allows users to update or modify files within draft records.
+    """,
+    "can_draft_delete_files": """
+        Allows users to delete files associated with draft records.
+    """,
+    # misc
+    "can_create_or_update_many": """
+        Allows bulk creation or updating of multiple records or files.
+        Not used at the moment.
+    """,
+}

oarepo_runtime-1.5.100/oarepo_runtime/cli/permissions/search.py

@@ -0,0 +1,121 @@
+import json
+import sys
+
+import click
+import yaml
+from invenio_records_resources.proxies import current_service_registry
+
+from oarepo_runtime.info.permissions.debug import add_debugging, merge_communities
+
+from .base import get_user_and_identity, permissions
+
+
+@permissions.command(name="search")
+@click.argument("user_id_or_email")
+@click.argument("service_name")
+@click.option("--explain/--no-explain", default=False)
+@click.option("--user/--published", "user_call", default=False)
+@click.option("--full-query/--query-filters", default=False)
+@click.option("--merge-communities", "do_merge_communities", is_flag=True)
+@click.option("--json/--yaml", "as_json", default=False)
+def search_permissions(
+    user_id_or_email,
+    service_name,
+    explain,
+    user_call,
+    full_query,
+    do_merge_communities,
+    as_json,
+):
+    """Get search parameters for a given service."""
+    try:
+        service = current_service_registry.get(service_name)
+    except KeyError:
+        raise click.UsageError(
+            f"Service {service_name} not found in {current_service_registry._services.keys()}"
+        )
+    user, identity = get_user_and_identity(user_id_or_email)
+
+    permission_policy = service.config.permission_policy_cls
+
+    add_debugging(print_search=explain, print_needs=False, print_excludes=False)
+
+    if full_query:
+        previous_search = service._search
+
+        class NoExecute:
+            def __init__(self, query):
+                self.query = query
+
+            def execute(self):
+                return self.query
+
+        def _patched_search(*args, **kwargs):
+            ret = previous_search(*args, **kwargs)
+            return NoExecute(ret)
+
+        def _patched_result_list(self, identity, results, params, **kwargs):
+            return results
+
+        service._search = _patched_search
+        service.result_list = _patched_result_list
+
+        if user_call:
+            ret = service.search_drafts(identity)
+        else:
+            ret = service.search(identity)
+        ret = ret.to_dict()
+        if do_merge_communities:
+            ret = merge_communities(ret)
+        ret = {
+            "query": ret["query"],
+        }
+        dump_dict(ret, as_json)
+    else:
+
+        over = {}
+        if explain:
+            over["debug_identity"] = identity
+            print("## Explaining search:")
+
+        if user_call:
+            p = permission_policy("read_draft", identity=identity, **over)
+        else:
+            p = permission_policy("read_deleted", identity=identity, **over)
+        query_filters = p.query_filters
+
+        print()
+        print("## Query filters:")
+        for qf in query_filters:
+            dict_qf = qf.to_dict()
+            if explain:
+                dict_qf = merge_communities(dict_qf)
+            dump_dict(dict_qf, as_json)
+            print(json.dumps(dict_qf, indent=2))
+
+
+def merge_name(d):
+    if isinstance(d, list):
+        return [merge_name(x) for x in d]
+    if isinstance(d, dict):
+        ret = {}
+        for k, v in d.items():
+            v = merge_name(v)
+            if isinstance(v, dict) and "_name" in v:
+                _name = v.pop("_name")
+                _name = _name.split("@")[0].strip()
+                k = f"{k}[{_name}]"
+            ret[k] = v
+        return ret
+    return d
+
+
+def dump_dict(d, as_json=False):
+    if as_json:
+        print(json.dumps(d, indent=2))
+    else:
+        yaml.safe_dump(
+            merge_name(json.loads(json.dumps(d))),
+            sys.stdout,
+            default_flow_style=False,
+        )

oarepo_runtime-1.5.100/oarepo_runtime/info/permissions/debug.py

@@ -0,0 +1,191 @@
+"""Instrumentors for debugging permissions."""
+
+import contextvars
+import inspect
+import json
+import sys
+
+from invenio_records_permissions.generators import ConditionalGenerator, Generator
+
+
+def generator_to_debug_dict(self: Generator):
+    ret = {
+        "name": self.__class__.__name__,
+    }
+    ret = {}
+    for fld in self.__dict__:
+        if fld.startswith("__"):
+            continue
+        if fld in ("then_", "else_"):
+            continue
+        value = self.__dict__[fld]
+        if not isinstance(value, (str, int, float, bool)):
+            value = str(value)
+        ret[fld] = value
+
+    return {self.__class__.__name__: ret}
+
+
+def conditional_generator_to_debug_dict(self: ConditionalGenerator):
+    ret = generator_to_debug_dict(self)
+    r = ret[self.__class__.__name__]
+    if self.then_:
+        r["then"] = [x.to_debug_dict() for x in self.then_]
+    if self.else_:
+        r["else"] = [x.to_debug_dict() for x in self.else_]
+    return ret
+
+
+def get_all_generators():
+    generator_classes = set()
+    queue = [Generator]
+    while queue:
+        gen = queue.pop()
+        generator_classes.add(gen)
+        for cls in gen.__subclasses__():
+            if cls in generator_classes:
+                continue
+            queue.append(cls)
+    return generator_classes
+
+
+debugging_level = contextvars.ContextVar("debugging_level", default=0)
+
+
+def debug_needs_output(clz, method_name):
+    method = getattr(clz, method_name)
+
+    def wrapper(self, *args, **kwargs):
+        dd = json.dumps(self.to_debug_dict())
+        print(f"{'  ' * debugging_level.get()}{dd}.{method_name} ->", file=sys.stderr)
+        reset = debugging_level.set(debugging_level.get() + 1)
+        ret = method(self, *args, **kwargs)
+        debugging_level.reset(reset)
+        if "debug_identity" in kwargs:
+            matched_needs = set(ret) & set(kwargs["debug_identity"].provides)
+            print(
+                f"{'  ' * debugging_level.get()}  -> match: {matched_needs}",
+                file=sys.stderr,
+            )
+        else:
+            print(f"{'  ' * debugging_level.get()}  -> {ret}", file=sys.stderr)
+        return ret
+
+    return wrapper
+
+
+def debug_search_output(clz, method_name, print_search):
+    method = getattr(clz, method_name)
+
+    def wrapper(self, *args, **kwargs):
+        dd = json.dumps(self.to_debug_dict())
+        if print_search:
+            print(f"{'  ' * debugging_level.get()}{dd}.{method_name}:", file=sys.stderr)
+        reset = debugging_level.set(debugging_level.get() + 2)
+        ret = method(self, *args, **kwargs)
+        debugging_level.reset(reset)
+        if isinstance(ret, list):
+            r = merge_communities([x.to_dict() for x in ret])
+        elif ret:
+            r = merge_communities(ret.to_dict())
+        else:
+            r = None
+        if print_search:
+            print(
+                f"{'  ' * debugging_level.get()}{dd}.{method_name} -> {r}",
+                file=sys.stderr,
+            )
+        return ret
+
+    wrapper.__module__ = clz.__module__
+    wrapper.__qualname__ = f"{clz.__qualname__}.{method_name}"
+    wrapper.__name__ = method_name
+    return wrapper
+
+
+def merge_communities(x):
+    if isinstance(x, list):
+        return [merge_communities(y) for y in x]
+    if isinstance(x, dict):
+        ret = {k: merge_communities(v) for k, v in x.items()}
+        if "parent.communities.default" in ret:
+            ret["parent.communities.default"] = "#communities#"
+        if "parent.communities.ids" in ret:
+            ret["parent.communities.ids"] = "#communities#"
+        return ret
+    return x
+
+
+def get_opensearch_caller():
+    # Get the current call stack
+    stack = inspect.stack()
+    # Extract function names from the stack frames
+    function_names = []
+    state = "skipping_to_opensearch"
+    for frame in stack:
+        module_name = frame.frame.f_globals["__name__"]
+        if state == "skipping_to_opensearch":
+            if module_name.startswith("opensearch_dsl.") or module_name.startswith(
+                "oarepo_runtime.info"
+            ):
+                state = "found_opensearch"
+        if state == "found_opensearch":
+            if not module_name.startswith(
+                "opensearch_dsl."
+            ) and not module_name.startswith("oarepo_runtime.info"):
+                state = "outside_opensearch"
+        if state == "outside_opensearch":
+            if frame.function == "<lambda>":
+                continue
+            if "self" in frame.frame.f_locals:
+                self_instance = frame.frame.f_locals["self"]
+                class_name = self_instance.__class__.__name__
+                function_names.append(
+                    f"{class_name}.{frame.function} @ {frame.filename}:{frame.lineno}"
+                )
+            else:
+                function_names.append(
+                    f"{frame.function} @ {frame.filename}:{frame.lineno}"
+                )
+        del frame
+
+    return function_names
+
+
+def add_debugging(print_needs=True, print_excludes=True, print_search=True):
+    for generator in get_all_generators():
+        if issubclass(generator, ConditionalGenerator):
+            generator.to_debug_dict = conditional_generator_to_debug_dict
+        else:
+            generator.to_debug_dict = generator_to_debug_dict
+        if print_needs and not hasattr(generator.needs, "__is_debug_instrumented__"):
+            generator.needs = debug_needs_output(generator, "needs")
+            generator.needs.__is_debug_instrumented__ = True
+        if print_excludes and not hasattr(
+            generator.excludes, "__is_debug_instrumented__"
+        ):
+            generator.excludes = debug_needs_output(generator, "excludes")
+            generator.excludes.__is_debug_instrumented__ = True
+
+        if hasattr(generator, "query_filters"):
+            if not hasattr(generator.query_filters, "__is_debug_instrumented__"):
+                generator.query_filters = debug_search_output(
+                    generator, "query_filters", print_search
+                )
+                generator.query_filters.__is_debug_instrumented__ = True
+        if hasattr(generator, "query_filter"):
+            if not hasattr(generator.query_filter, "__is_debug_instrumented__"):
+                generator.query_filter = debug_search_output(
+                    generator, "query_filter", print_search
+                )
+                generator.query_filter.__is_debug_instrumented__ = True
+    # try to add _name to queries
+    from opensearch_dsl.query import Query
+
+    previous_init = Query.__init__
+
+    def new_init(self, *args, **kwargs):
+        previous_init(self, *args, **kwargs)
+        self._params["_name"] = get_opensearch_caller()[0]
+
+    Query.__init__ = new_init