usso 0.28.24__py3-none-any.whl → 0.28.26__py3-none-any.whl

usso/authorization.py

@@ -84,6 +84,7 @@ def is_path_match(
         ("files", "files/transactions", False),
         ("files", "media/files/transactions", False),
         ("media/files", "media/files/transactions", False),
+        ("finance/*/*", "wallet", False),
     ]
     """
     if isinstance(user_path, str):
@@ -100,10 +101,14 @@ def is_path_match(
     else:
         raise ValueError(f"Invalid path type: {type(requested_path)}")
 
+    wildcard_found = False
     # Match resource name (rightmost)
     if not fnmatch.fnmatch(req_parts[-1], user_parts[-1]):
         return False
 
+    if "*" in user_parts[-1]:
+        wildcard_found = True
+
     # Match rest of the path from right to left
     user_path_parts = user_parts[:-1]
     req_path_parts = req_parts[:-1]
@@ -115,6 +120,14 @@ def is_path_match(
     ):
         if r and u and r != "*" and not fnmatch.fnmatch(r, u):
             return False
+        if "*" in u:
+            wildcard_found = True
+
+    offset = len(user_path_parts) - len(req_path_parts)
+    if offset > 0 and wildcard_found:
+        for u in user_path_parts[-offset:]:
+            if u != "*":
+                return False
 
     return True
 
@@ -129,6 +142,73 @@ def is_filter_match(user_filters: dict, requested_filters: dict) -> bool:
     return True
 
 
+def get_scope_filters(
+    action: str,
+    resource: str,
+    user_scopes: list[str],
+) -> list[dict]:
+    """
+    Return filters extracted from user scopes that:
+
+    - Have equal or higher privilege level than the requested action.
+    - Match the requested resource path.
+    """
+    matched_filters: list[dict] = []
+    action_level = PRIVILEGE_LEVELS.get(action, 0)
+    requested_parts = resource.split("/")
+
+    for scope in user_scopes:
+        scope_action, scope_path, scope_filters = parse_scope(scope)
+
+        scope_level = PRIVILEGE_LEVELS.get(scope_action, 0)
+        if scope_level < action_level:
+            continue
+
+        if not is_path_match(scope_path, requested_parts):
+            continue
+
+        matched_filters.append(scope_filters)
+
+    return matched_filters
+
+
+def broadest_scope_filter(filters: list[dict]) -> dict:
+    """
+    Return the broadest scope filter. It is used to select the most
+    restrictive filter from the list of filters. by assigning a score
+    to each filter based on the restriction bits. the filter with the
+    lowest score is the most restrictive.
+
+    filters = [
+        {"tenant_id": "t1"},                           # score = 1
+        {"workspace_id": "w1"},                        # score = 2
+        {"user_id": "u1"},                             # score = 4
+        {"uid": "abc"},                                # score = 8
+        {"tenant_id": "t1", "user_id": "u1"},          # score = 1 + 4 = 5
+        {"workspace_id": "w1", "uid": "abc"},          # score = 2 + 8 = 10
+        {},                                            # score = 0
+    ]
+    """
+    RESTRICTION_BITS = {
+        "tenant_id": 1 << 0,  # 1
+        "workspace_id": 1 << 1,  # 2
+        "user_id": 1 << 2,  # 4
+        "uid": 1 << 3,  # 8
+    }
+
+    DEFAULT_BIT = 1 << 4
+
+    if not filters:
+        return {}
+
+    def restriction_score(f: dict) -> int:
+        if not f:
+            return 0
+        return sum(RESTRICTION_BITS.get(k, DEFAULT_BIT) for k in f)
+
+    return min(filters, key=restriction_score)
+
+
 def is_authorized(
     user_scope: str,
     requested_path: str,

{usso-0.28.24.dist-info → usso-0.28.26.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: usso
-Version: 0.28.24
+Version: 0.28.26
 Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
 Author-email: Mahdi Kiani <mahdikiany@gmail.com>
 Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>

{usso-0.28.24.dist-info → usso-0.28.26.dist-info}/RECORD

@@ -1,6 +1,6 @@
 usso/__init__.py,sha256=ot4Q5ouLGe505DGFAxQP4p4yZLLaBLqbHmCF1OvHG1M,585
 usso/api_key.py,sha256=tL5aqrmNHs9GKhCQ5NdbSchvR0qCjdZYZdkHwNONwno,1236
-usso/authorization.py,sha256=a71VKLfjAZXXGGx1x5eAhNKVdeKQxd-bvOgL-wocgPY,6970
+usso/authorization.py,sha256=c2zAR6UBkDtFQBvxUb7OJxV72WF6win4Nx8kDwYec58,9400
 usso/client.py,sha256=9YTyvro3oz24Pr3i1Dit2R2dpIPsGsuIOol66-8VEyI,2636
 usso/config.py,sha256=7GDAh-yHGYppfkhvrwJykhwJp4HH8P_qPAoGcK8_PZQ,3741
 usso/exceptions.py,sha256=ggYczQ2eGUH9nBxRYVmOk-6IRSwY8NgEKjMPcE0E5YM,1385
@@ -16,9 +16,9 @@ usso/session/base_session.py,sha256=O3tEltMhlwkEz1GGbjE4iXPwSlLaUW2juUt9RDSLrHI,
 usso/session/session.py,sha256=briCgDMoF-b59H6Aie_Lmjy4qnPBBSmKnVhAwef34F0,1637
 usso/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 usso/utils/string_utils.py,sha256=7tziAa2Cwa7xhwM_NF4DSY3BHoqVaWgJ21VuV8LvhrY,253
-usso-0.28.24.dist-info/licenses/LICENSE.txt,sha256=ceC9ZJOV9H6CtQDcYmHOS46NA3dHJ_WD4J9blH513pc,1081
-usso-0.28.24.dist-info/METADATA,sha256=R4DKjgFPdkAEjw7tIu5kCrboOw5B21xBu1WVrMLd9Jg,5061
-usso-0.28.24.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-usso-0.28.24.dist-info/entry_points.txt,sha256=4Zgpm5ELaAWPf0jPGJFz1_X69H7un8ycT3WdGoJ0Vvk,35
-usso-0.28.24.dist-info/top_level.txt,sha256=g9Jf6h1Oyidh0vPiFni7UHInTJjSvu6cUalpLTIvthg,5
-usso-0.28.24.dist-info/RECORD,,
+usso-0.28.26.dist-info/licenses/LICENSE.txt,sha256=ceC9ZJOV9H6CtQDcYmHOS46NA3dHJ_WD4J9blH513pc,1081
+usso-0.28.26.dist-info/METADATA,sha256=K-9Uda3H6dzs1rieU6Idy3tcGJnYVtJsi1zyTDRnT2M,5061
+usso-0.28.26.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+usso-0.28.26.dist-info/entry_points.txt,sha256=4Zgpm5ELaAWPf0jPGJFz1_X69H7un8ycT3WdGoJ0Vvk,35
+usso-0.28.26.dist-info/top_level.txt,sha256=g9Jf6h1Oyidh0vPiFni7UHInTJjSvu6cUalpLTIvthg,5
+usso-0.28.26.dist-info/RECORD,,