Use polymorphic principals #10
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
It seems like this failed to build because the patch depends upon Python 3.8's "/" as a positional-only parameter feature from PEP 457. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implements polymorphic principals using dataclasses instead of colon-delimited strings, resolving #6. This offers the advantage of more clear semantic separation between the method and value of a principal, whilst still permitting the user to define their own principals.
The implementation is mostly backwards-compatible, except where outlined. A version number bump will be required on the subsequent release if this PR is merged.
Introduces a new
Principalbase class, from which the new default principals ofUserPrincipal,RolePrincipal, andActionPrincipalare defined. These denote the semantics of "is the user x", "has the role x", and "can do action x" respectively.Slightly changes the behaviour of
list_permissions: instead of having a reserved magic string (permissions:*) to denote the default value in the returned dict, it instead returns aPermissionSet. ThePermissionSetis a subclass of dict, which exposes adefaultattribute to specify what the default permission is, for the given user and resource. Any logic that previously depended on thepermissions:*string will need to be rewritten to check the value of thedefaultattribute instead, making this a (slightly) breaking change.Since the principals are no longer strings, the example app's
show_itemsroute (/items/) will return json objects containing the "method" and "value" fields for permissionsslightly, instead of the previous string representation. This is due to pydantic's clever handling of dataclasses. Note in particular that thepermissions:*magic string will not be returned, and so additional logic would need to be implemented for anyone who depends upon this string being returned.Also adds some additional tests for the subtle case in which a "deny all" entry in the ACL precedes an "allow all".