refact: factor out count-related helpers to authz submodule
1 parent
2508752
commit 01b9b17
Showing
5 changed files
with
95 additions
and
38 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
__all__ = [ | ||
"RESOURCE_EVERYTHING", | ||
"PERMISSION_QUERY_DATA", | ||
"PERMISSION_DELETE_DATA", | ||
"PERMISSION_QUERY_DATASET_LEVEL_COUNTS", | ||
"PERMISSION_QUERY_PROJECT_LEVEL_COUNTS", | ||
] | ||
|
||
# TODO: this should be a shared module in bento_lib | ||
|
||
RESOURCE_EVERYTHING = {"everything": True} | ||
PERMISSION_QUERY_DATA = "query:data" | ||
PERMISSION_DELETE_DATA = "delete:data" | ||
|
||
PERMISSION_QUERY_DATASET_LEVEL_COUNTS = "query:dataset_level_counts" | ||
PERMISSION_QUERY_PROJECT_LEVEL_COUNTS = "query:project_level_counts" |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
from django.http import HttpRequest | ||
|
||
from .constants import ( | ||
PERMISSION_QUERY_DATA, | ||
PERMISSION_QUERY_PROJECT_LEVEL_COUNTS, | ||
PERMISSION_QUERY_DATASET_LEVEL_COUNTS, | ||
) | ||
from .middleware import authz_middleware | ||
from .utils import create_resource | ||
|
||
|
||
__all__ = [ | ||
"get_counts_permission", | ||
"can_see_counts", | ||
"has_counts_permission_for_data_types", | ||
] | ||
|
||
|
||
def get_counts_permission(dataset_level: bool) -> str: | ||
if dataset_level: | ||
return PERMISSION_QUERY_DATASET_LEVEL_COUNTS | ||
return PERMISSION_QUERY_PROJECT_LEVEL_COUNTS # We don't have a node-level counts permission | ||
|
||
|
||
async def can_see_counts(request: HttpRequest, resource: dict) -> bool: | ||
return await authz_middleware.async_authz_post(request, "/policy/evaluate", { | ||
"requested_resource": resource, | ||
"required_permissions": [get_counts_permission(resource.get("dataset") is not None)], | ||
})["result"] or ( | ||
# If we don't have a count permission, we may still have a query:data permission (no cascade) | ||
await authz_middleware.async_authz_post(request, "/policy/evaluate", { | ||
"requested_resource": resource, | ||
"required_permissions": [PERMISSION_QUERY_DATA], | ||
})["result"] | ||
) | ||
|
||
|
||
async def has_counts_permission_for_data_types( | ||
request: HttpRequest, project: str, dataset: str, data_types: list[str] | ||
) -> list[bool]: | ||
has_permission: bool = await can_see_counts(request, create_resource(project, dataset, None)) | ||
|
||
return [ | ||
# Either we have permission for all (saves many calls) or we have for a specific data type | ||
has_permission or (await can_see_counts(request, create_resource(project, dataset, dt_id))) | ||
for dt_id in data_types | ||
] |
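Review bot: In `can_see_counts`, both `await authz_middleware.async_authz_post(...)["result"]` expressions subscript the call's return value before awaiting it, because subscription binds tighter than `await` in Python. If `async_authz_post` is a coroutine function (its definition is not in this section), that raises `TypeError` on every call instead of returning the policy decision; the check fails closed, but every counts request would error out. Parenthesise the await in both places, e.g. `(await authz_middleware.async_authz_post(request, "/policy/evaluate", {...}))["result"]`. A one-line docstring saying that the `query:data` fallback exists because that permission does not cascade to the counts permissions would also help whoever next audits this authorization check.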
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
from .constants import RESOURCE_EVERYTHING | ||
|
||
|
||
__all__ = [ | ||
"create_resource", | ||
] | ||
|
||
|
||
def create_resource(project: str | None, dataset: str | None, data_type: str | None) -> dict: | ||
resource = RESOURCE_EVERYTHING | ||
if project: | ||
resource = {"project": project} | ||
if dataset: | ||
resource["dataset"] = dataset | ||
if data_type: | ||
resource["data_type"] = data_type | ||
return resource |
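Review bot: `create_resource` returns the module-level `RESOURCE_EVERYTHING` dict itself when `project` is falsy, so every caller shares one mutable object that stands for the broadest authorization scope. Any caller that later adds a key to the returned resource would silently change what "everything" means for all subsequent policy checks in the process. The rendered page has lost indentation, so it is not possible to tell whether the `dataset`/`data_type` assignments are nested under `if project:`; if they are not, this function performs that mutation itself. Starting from a copy removes the hazard: `resource = dict(RESOURCE_EVERYTHING)`.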