def resolve_user_group_permissions(resource_permission_list): # type: (List[ResolvablePermissionType]) -> Iterable[PermissionSet] """ Reduces overlapping user :term:`Inherited Permissions` for corresponding resources/services amongst the given list. User :term:`Direct Permissions` have the top-most priority and are therefore selected first if permissions are found for corresponding resource. In such case, only one entry is possible (it is invalid to have more than one combination of ``(User, Resource, Permission)``, including modifiers, as per validation during their creation). Otherwise, for corresponding :term:`Inherited Permissions`, resolve the prioritized permission across every group. Similarly to users, :func:`magpie.groups.group_utils.get_similar_group_resource_permission` validate that only one combination of ``(Group, Resource, Permission)`` can exist including permission modifiers. Only, cross-group memberships for a given resource must then be computed. Priority of combined *group-only* permissions follows 3 conditions: 1. Permissions inherited from special group :py:data:`MAGPIE_ANONYMOUS_GROUP` have lower priority than any other more explicit group membership, regardless of permission modifiers applied on it. 2. Permissions of same group priority with :attr:`Access.DENY` are prioritized over :attr:`Access.ALLOW`. 3. Permissions of same group priority with :attr:`Scope.RECURSIVE` are prioritized over :attr:`Access.MATCH` as they affect a larger range of resources when :term:`Effective Permissions` are eventually requested. .. note:: Resource tree inherited resolution is not considered here (no recursive :term:`Effective Permissions` computed). Only same-level scope of every given resource is processed independently. The intended behaviour here is therefore to help illustrate in responses *how deep* is a given permission going to have an impact onto lower-level resources, making :attr:`Scope.RECURSIVE` more important than specific instance :attr:`Scope.MATCH`. .. seealso:: - Sorting methods of :class:`magpie.permissions.PermissionSet` that orders the permissions with desired result. - :func:`magpie.groups.group_utils.get_similar_group_resource_permission` - :func:`magpie.users.user_utils.get_similar_user_resource_permission` """ # convert all first to avoid re-doing it each iteration for comparisons res_perm_sets = [PermissionSet(perm) for perm in resource_permission_list] # quickly return if there are no conflict to resolve res_perms = [(perm.perm_tuple.resource.resource_id, perm.name) for perm in res_perm_sets] if len(set(res_perms)) == len(res_perms): return res_perm_sets # combine overlapping resource/permission combo_perms = {} for perm in res_perm_sets: res_id = perm.perm_tuple.resource.resource_id perm_key = (res_id, perm.name) prev_perm = combo_perms.get(perm_key) if not prev_perm: combo_perms[perm_key] = perm continue combo_perms[perm_key] = PermissionSet.resolve(perm, prev_perm) return list(combo_perms.values())
def effective_permissions(self, user, resource, permissions=None, allow_match=True): # type: (models.User, ServiceOrResourceType, Optional[Collection[Permission]], bool) -> List[PermissionSet] """ Obtains the effective permissions the user has over the specified resource. Recursively rewinds the resource tree from the specified resource up to the top-most parent service the resource resides under (or directly if the resource is the service) and retrieve permissions along the way that should be applied to children when using scoped-resource inheritance. Rewinding of the tree can terminate earlier when permissions can be immediately resolved such as when more restrictive conditions enforce denied access. Both user and group permission inheritance is resolved simultaneously to tree hierarchy with corresponding allow and deny conditions. User :term:`Direct Permissions` have priority over all its groups :term:`Inherited Permissions`, and denied permissions have priority over allowed access ones. All applicable permissions on the resource (as defined by :meth:`allowed_permissions`) will have their resolution (Allow/Deny) provided as output, unless a specific subset of permissions is requested using :paramref:`permissions`. Other permissions are ignored in this case to only resolve requested ones. For example, this parameter can be used to request only ACL resolution from specific permissions applicable for a given request, as obtained by :meth:`permission_requested`. Permissions scoped as `match` can be ignored using :paramref:`allow_match`, such as when the targeted resource does not exist. .. seealso:: - :meth:`ServiceInterface.resource_requested` """ if not permissions: permissions = self.allowed_permissions(resource) requested_perms = set(permissions) # type: Set[Permission] effective_perms = dict() # type: Dict[Permission, PermissionSet] # immediately return all permissions if user is an admin db_session = self.request.db admin_group = get_constant("MAGPIE_ADMIN_GROUP", self.request) admin_group = GroupService.by_group_name(admin_group, db_session=db_session) if admin_group in user.groups: # noqa return [ PermissionSet(perm, access=Access.ALLOW, scope=Scope.MATCH, typ=PermissionType.EFFECTIVE, reason=PERMISSION_REASON_ADMIN) for perm in permissions ] # level at which last permission was found, -1 if not found # employed to resolve with *closest* scope and for applicable 'reason' combination on same level effective_level = dict() # type: Dict[Permission, Optional[int]] current_level = 1 # one-based to avoid ``if level:`` check failing with zero full_break = False # current and parent resource(s) recursive-scope while resource is not None and not full_break: # bottom-up until service is reached # include both permissions set in database as well as defined directly on resource cur_res_perms = ResourceService.perms_for_user( resource, user, db_session=db_session) cur_res_perms.extend(permission_to_pyramid_acls(resource.__acl__)) for perm_name in requested_perms: if full_break: break for perm_tup in cur_res_perms: perm_set = PermissionSet(perm_tup) # if user is owner (directly or via groups), all permissions are set, # but continue processing this resource until end in case user explicit deny reverts it if perm_tup.perm_name == ALL_PERMISSIONS: # FIXME: # This block needs to be validated if support of ownership rules are added. # Conditions must be revised according to wanted behaviour... # General idea for now is that explict user/group deny should be prioritized over resource # ownership permissions since these can be attributed to *any user* while explicit deny are # definitely set by an admin-level user. for perm in requested_perms: if perm_set.access == Access.DENY: all_perm = PermissionSet( perm, perm_set.access, perm.scope, PermissionType.OWNED) effective_perms[perm] = all_perm else: all_perm = PermissionSet( perm, perm_set.access, perm.scope, PermissionType.OWNED) effective_perms.setdefault(perm, all_perm) full_break = True break # skip if the current permission must not be processed (at all or for the moment until next 'name') if perm_set.name not in requested_perms or perm_set.name != perm_name: continue # only first resource can use match (if even enabled with found one), parents are recursive-only if not allow_match and perm_set.scope == Scope.MATCH: continue # pick the first permission if none was found up to this point prev_perm = effective_perms.get(perm_name) scope_level = effective_level.get(perm_name) if not prev_perm: effective_perms[perm_name] = perm_set effective_level[perm_name] = current_level continue # user direct permissions have priority over inherited ones from groups # if inherited permission was found during previous iteration, override it with direct permission if perm_set.type == PermissionType.DIRECT: # - reset resolution scope of previous permission attributed to group as it takes precedence # - since there can't be more than one user permission-name per resource on a given level, # scope resolution is done after applying this *closest* permission, ignore higher level ones if prev_perm.type == PermissionType.INHERITED or not scope_level: effective_perms[perm_name] = perm_set effective_level[perm_name] = current_level continue # final decision for this user, skip any group permissions # resolve prioritized permission according to ALLOW/DENY, scope and group priority # (see 'PermissionSet.resolve' method for extensive details) # skip if last permission is not on group to avoid redundant USER > GROUP check processed before if prev_perm.type == PermissionType.INHERITED: # - If new permission to process is done against the previous permission from *same* tree-level, # there is a possibility to combine equal priority groups. In such case, reason is 'MULTIPLE'. # - If not of equal priority, the appropriate permission is selected and reason is overridden # accordingly by the new higher priority permission. # - If no permission was defined at all (first occurrence), also set it using current permission if scope_level in [None, current_level]: resolved_perm = PermissionSet.resolve( perm_set, prev_perm, context=PermissionType.EFFECTIVE) effective_perms[perm_name] = resolved_perm effective_level[perm_name] = current_level # - If new permission is at *different* tree-level, it applies only if the group has higher # priority than the previous one, to respect the *closest* scope to the target resource. # Same priorities are ignored as they were already resolved by *closest* scope above. # - Reset scope level with new permission such that another permission of same group priority as # that could be processed in next iteration can be compared against it, to resolve 'access' # priority between them. elif perm_set.group_priority > prev_perm.group_priority: effective_perms[perm_name] = perm_set effective_level[perm_name] = current_level # don't bother moving to parent if everything is resolved already # can only assume nothing left to resolve if all permissions are direct on user (highest priority) # if any found permission is group inherited, higher level user permission could still override it if (len(effective_perms) == len(requested_perms) and all(perm.type == PermissionType.DIRECT for perm in effective_perms.values())): break # otherwise, move to parent if any available, since we are not done rewinding the resource tree allow_match = False # reset match not applicable anymore for following parent resources current_level += 1 if resource.parent_id: resource = ResourceService.by_resource_id( resource.parent_id, db_session=db_session) else: resource = None # set deny for all still unresolved permissions from requested ones resolved_perms = set(effective_perms) missing_perms = set(permissions) - resolved_perms final_perms = set(effective_perms.values()) # type: Set[PermissionSet] for perm_name in missing_perms: perm = PermissionSet(perm_name, access=Access.DENY, scope=Scope.MATCH, typ=PermissionType.EFFECTIVE, reason=PERMISSION_REASON_DEFAULT) final_perms.add(perm) # enforce type and scope (use MATCH to make it explicit that it applies specifically for this resource) for perm in final_perms: perm.type = PermissionType.EFFECTIVE perm.scope = Scope.MATCH return list(final_perms)
def test_permission_resolve_raised_invalid(self): """ Ensure that resolution with completely invalid/impossible cases are raised instead of failing silently. """ perm_r = PermissionSet(Permission.READ, Access.ALLOW, Scope.RECURSIVE, PermissionType.DIRECT) res1 = MockObject(resource_name="mock-resource1", resource_id=987) res2 = MockObject(resource_name="mock-resource2", resource_id=101) usr = MockObject(user_name="mock-user", user_id=123) grp = MockObject(group_name="mock-group", user_id=456) usr_tup = PermissionTuple(usr, perm_r.explicit_permission, "user", None, res1, False, True) usr_perm = PermissionSet(usr_tup) # two same user permissions of identical name cannot exist utils.check_raises( lambda: PermissionSet.resolve(usr_perm, usr_perm), ValueError, msg= "Should raise permissions corresponding by name and user, cannot exist simultaneously." ) # various values that are valid to create 'PermissionSet', but insufficient for resolution valid_only_for_repr = [ Permission.READ.value, Permission.READ.value + "-" + Scope.MATCH.value, Permission.READ.value + "-" + Access.ALLOW.value + "-" + Scope.MATCH.value, { "name": Permission.READ, "access": Access.DENY, "scope": Scope.MATCH }, PermissionSet(Permission.READ.value, Access.ALLOW.value, Scope.MATCH.value) # missing 'perm_tuple' ] for perm1, perm2 in itertools.permutations(valid_only_for_repr, 2): utils.check_raises( lambda: PermissionSet.resolve(perm1, perm2), ValueError, msg= "Permission that do not provide comparison elements for resolution must be raised, " "although they are normally valid for simple permission representation." ) # valid user and group tuples (both provide tuples, point to same resource, and don't refer to same user-perm) # but mismatching permission names perm_w = PermissionSet(Permission.WRITE, Access.ALLOW, Scope.RECURSIVE, PermissionType.DIRECT) grp_tup = PermissionTuple(usr, perm_w.explicit_permission, "group", grp, res1, False, True) grp_perm = PermissionSet(grp_tup) utils.check_raises( lambda: PermissionSet.resolve(usr_perm, grp_perm), ValueError, msg= "Mismatching permission names should be raised as they cannot be resolved together." ) # same perm name (read), both tuple provided, not both user-perms, but not referring to same resource grp_tup = PermissionTuple(usr, perm_r.explicit_permission, "group", grp, res2, False, True) grp_perm = PermissionSet(grp_tup) utils.check_raises( lambda: PermissionSet.resolve(usr_perm, grp_perm), ValueError, msg= "Mismatching resources should be raised as they cannot be resolved together." ) utils.check_no_raise( lambda: PermissionSet.resolve( usr_perm, grp_perm, context=PermissionType.EFFECTIVE), msg= "Mismatching resources should resolved when requested explicitly (effective)." )