improve rbac

2021-08-17 12:14:26 +03:00 · 2021-08-17 12:14:26 +03:00 · b8b7854c4c
commit b8b7854c4c
parent 9618802c6b
9 changed files with 132 additions and 62 deletions
--- a/auth/authenticate.py
+++ b/auth/authenticate.py
@ -63,6 +63,7 @@ class JWTAuthenticate(AuthenticationBackend):
            return AuthCredentials(scopes=[], error_message=str(exc)), AuthUser(user_id=None)
        scopes = User.get_permission(user_id=payload.user_id)
        print(scopes)
        return AuthCredentials(user_id=payload.user_id, scopes=scopes, logged_in=True), AuthUser(user_id=payload.user_id)
--- a/auth/credentials.py
+++ b/auth/credentials.py
@ -9,7 +9,7 @@ class Permission(BaseModel):
 class AuthCredentials(BaseModel):
    user_id: Optional[int] = None
-    scopes: Optional[set] = {}
+    scopes: Optional[dict] = {}
    logged_in: bool = False
    error_message: str = ""
--- a/create_crt.sh
+++ b/create_crt.sh
--- a/orm/init.py
+++ b/orm/init.py
@ -1,4 +1,4 @@
-from orm.rbac import Operation, Permission, Role
+from orm.rbac import Organization, Operation, Resource, Permission, Role
 from orm.user import User
 from orm.message import Message
 from orm.shout import Shout
@ -7,3 +7,5 @@ from orm.base import Base, engine
 __all__ = ["User", "Role", "Operation", "Permission", "Message", "Shout"]
 Base.metadata.create_all(engine)
 Operation.init_table()
 Resource.init_table()
--- a/orm/rbac.py
+++ b/orm/rbac.py
@ -3,8 +3,9 @@ import warnings
 from typing import Type
 from sqlalchemy import String, Column, ForeignKey, types, UniqueConstraint
 from sqlalchemy.orm import relationship
-from orm.base import Base, REGISTRY, engine
+from orm.base import Base, REGISTRY, engine, local_session
 class ClassType(types.TypeDecorator):
@ -26,22 +27,43 @@ class ClassType(types.TypeDecorator):
 			warnings.warn(f"Can't find class <{value}>,find it yourself 😊", stacklevel=2)
 		return class_
 class Organization(Base):
 	__tablename__ = 'organization'
 	name: str = Column(String, nullable=False, unique=True, comment="Organization Name")
 class Role(Base):
 	__tablename__ = 'role'
 	name: str = Column(String, nullable=False, unique=True, comment="Role Name")
 	org_id: int = Column(ForeignKey("organization.id", ondelete="CASCADE"), nullable=False, comment="Organization")
 	permissions = relationship("Permission")
 class Operation(Base):
 	__tablename__ = 'operation'
 	name: str = Column(String, nullable=False, unique=True, comment="Operation Name")
 	@staticmethod
 	def init_table():
 		with local_session() as session:
 			edit_op = session.query(Operation).filter(Operation.name == "edit").first()
 		if not edit_op:
 			edit_op = Operation.create(name = "edit")
 		Operation.edit_id = edit_op.id
 class Resource(Base):
 	__tablename__ = "resource"
 	resource_class: Type[Base] = Column(ClassType, nullable=False, unique=True, comment="Resource class")
 	name: str = Column(String, nullable=False, unique=True, comment="Resource name")
 	@staticmethod
 	def init_table():
 		with local_session() as session:
 			shout_res = session.query(Resource).filter(Resource.name == "shout").first()
 		if not shout_res:
 			shout_res = Resource.create(name = "shout", resource_class = "shout")
 		Resource.shout_id = shout_res.id
 class Permission(Base):
 	__tablename__ = "permission"
--- a/orm/shout.py
+++ b/orm/shout.py
@ -12,7 +12,7 @@ class Shout(Base):
 	id = None
 	slug: str = Column(String, primary_key=True)
-	org: str = Column(String, nullable=False)
+	org_id: str = Column(ForeignKey("organization.id"), nullable=False)
 	author_id: str = Column(ForeignKey("user.id"), nullable=False, comment="Author")
 	body: str = Column(String, nullable=False, comment="Body")
 	createdAt: str = Column(DateTime, nullable=False, default = datetime.now, comment="Created at")
--- a/orm/user.py
+++ b/orm/user.py
@ -1,11 +1,19 @@
 from typing import List
-from sqlalchemy import Column, Integer, String, ForeignKey #, relationship
+from sqlalchemy import Column, Integer, String, ForeignKey
 from sqlalchemy.orm import relationship
 from orm import Permission
 from orm.base import Base, local_session
 class UserRole(Base):
 	__tablename__ = 'user_role'
 	id = None
 	user_id: int = Column(ForeignKey("user.id"), primary_key = True)
 	role_id: int = Column(ForeignKey("role.id"), primary_key = True)
 class User(Base):
 	__tablename__ = 'user'
@ -13,16 +21,19 @@ class User(Base):
 	username: str = Column(String, nullable=False, comment="Name")
 	password: str = Column(String, nullable=True, comment="Password")
 	role_id: list = Column(ForeignKey("role.id"), nullable=True, comment="Role")
 	# roles = relationship("Role") TODO: one to many, see schema.graphql
 	oauth_id: str = Column(String, nullable=True)
 	roles = relationship("Role", secondary=UserRole.__table__)
 	@classmethod
 	def get_permission(cls, user_id):
 		scope = {}
 		with local_session() as session:
-			perms: List[Permission] = session.query(Permission).join(User, User.role_id == Permission.role_id).filter(
+			user = session.query(User).filter(User.id == user_id).first()
-				User.id == user_id).all()
+			for role in user.roles:
-		return {f"{p.operation_id}-{p.resource_id}" for p in perms}
+				for p in role.permissions:
 					scope[p.resource_id] = p.operation_id
 		return scope
 if __name__ == '__main__':
--- a/resolvers/zine.py
+++ b/resolvers/zine.py
@ -1,4 +1,4 @@
-from orm import Shout, User
+from orm import Shout, User, Organization
 from orm.base import local_session
 from resolvers.base import mutation, query
@ -15,10 +15,10 @@ class GitTask:
 	queue = asyncio.Queue()
-	def __init__(self, input, username, user_email, comment):
+	def __init__(self, input, org, username, user_email, comment):
 		self.slug = input["slug"];
 		self.org = input["org"];
 		self.shout_body = input["body"];
 		self.org = org;
 		self.username = username;
 		self.user_email = user_email;
 		self.comment = comment;
@ -84,12 +84,19 @@ async def create_shout(_, info, input):
 	auth = info.context["request"].auth
 	user_id = auth.user_id
 	org_id = org = input["org_id"]
 	with local_session() as session:
 		user = session.query(User).filter(User.id == user_id).first()
 		org = session.query(Organization).filter(Organization.id == org_id).first()
 	if not org:
 		return {
 			"error" : "invalid organization"
 		}
 	new_shout = Shout.create(
 		slug = input["slug"],
-		org = input["org"],
+		org_id = org_id,
 		author_id = user_id,
 		body = input["body"],
 		replyTo = input.get("replyTo"),
@ -100,6 +107,7 @@ async def create_shout(_, info, input):
 	task = GitTask(
 		input,
 		org.name,
 		user.username,
 		user.email,
 		"new shout %s" % (new_shout.slug)
@ -109,5 +117,30 @@ async def create_shout(_, info, input):
 		"shout" : new_shout
 	}
@mutation.field("updateShout")
@login_required
 async def update_shout(_, info, shout_id, input):
 	auth = info.context["request"].auth
 	user_id = auth.user_id
 	with local_session() as session:
 		user = session.query(User).filter(User.id == user_id).first()
 		shout = session.query(Shout).filter(Shout.id == shout_id).first()
 	if not shout:
 		return {
 			"error" : "shout not found"
 		}
 	if shout.author_id != user_id:
 		scope = info.context["request"].scope
 		if not Resource.shout_id in scope:
 			return {
 				"error" : "access denied"
 			}
 	return {
 		"shout" : shout
 	}
 # TODO: paginate, get, update, delete
--- a/schema.graphql
+++ b/schema.graphql
@ -23,7 +23,7 @@ type MessageResult {
 }
 input ShoutInput {
-	org: String!
+	org_id: Int!
 	slug: String!
 	body: String!
 	replyTo: String # another shout
@ -65,6 +65,7 @@ type Mutation {
  # shout
 	createShout(input: ShoutInput!): ShoutResult!
 	updateShout(input: ShoutInput!): ShoutResult!
 	deleteShout(slug: String!): Result!
 	rateShout(slug: String!, value: Int!): Result!
@ -151,7 +152,7 @@ type Message {
 # is publication
 type Shout {
-  org: String!
+  org_id: Int!
  slug: String!
  author: Int!
  body: String!