Exemplo n.º 1
0
def resolve_user_group_permissions(resource_permission_list):
    # type: (List[ResolvablePermissionType]) -> Iterable[PermissionSet]
    """
    Reduces overlapping user :term:`Inherited Permissions` for corresponding resources/services amongst the given list.

    User :term:`Direct Permissions` have the top-most priority and are therefore selected first if permissions are
    found for corresponding resource. In such case, only one entry is possible (it is invalid to have more than one
    combination of ``(User, Resource, Permission)``, including modifiers, as per validation during their creation).

    Otherwise, for corresponding :term:`Inherited Permissions`, resolve the prioritized permission across every group.
    Similarly to users, :func:`magpie.groups.group_utils.get_similar_group_resource_permission` validate that only one
    combination of ``(Group, Resource, Permission)`` can exist including permission modifiers. Only, cross-group
    memberships for a given resource must then be computed.

    Priority of combined *group-only* permissions follows 3 conditions:
        1. Permissions inherited from special group :py:data:`MAGPIE_ANONYMOUS_GROUP` have lower priority than any
           other more explicit group membership, regardless of permission modifiers applied on it.
        2. Permissions of same group priority with :attr:`Access.DENY` are prioritized over :attr:`Access.ALLOW`.
        3. Permissions of same group priority with :attr:`Scope.RECURSIVE` are prioritized over :attr:`Access.MATCH` as
           they affect a larger range of resources when :term:`Effective Permissions` are eventually requested.

    .. note::
        Resource tree inherited resolution is not considered here (no recursive :term:`Effective Permissions` computed).
        Only same-level scope of every given resource is processed independently. The intended behaviour here is
        therefore to help illustrate in responses *how deep* is a given permission going to have an impact onto
        lower-level resources, making :attr:`Scope.RECURSIVE` more important than specific instance :attr:`Scope.MATCH`.

    .. seealso::
        - Sorting methods of :class:`magpie.permissions.PermissionSet` that orders the permissions with desired result.
        - :func:`magpie.groups.group_utils.get_similar_group_resource_permission`
        - :func:`magpie.users.user_utils.get_similar_user_resource_permission`
    """
    # convert all first to avoid re-doing it each iteration for comparisons
    res_perm_sets = [PermissionSet(perm) for perm in resource_permission_list]

    # quickly return if there are no conflict to resolve
    res_perms = [(perm.perm_tuple.resource.resource_id, perm.name) for perm in res_perm_sets]
    if len(set(res_perms)) == len(res_perms):
        return res_perm_sets

    # combine overlapping resource/permission
    combo_perms = {}
    for perm in res_perm_sets:
        res_id = perm.perm_tuple.resource.resource_id
        perm_key = (res_id, perm.name)
        prev_perm = combo_perms.get(perm_key)
        if not prev_perm:
            combo_perms[perm_key] = perm
            continue
        combo_perms[perm_key] = PermissionSet.resolve(perm, prev_perm)
    return list(combo_perms.values())
Exemplo n.º 2
0
    def effective_permissions(self,
                              user,
                              resource,
                              permissions=None,
                              allow_match=True):
        # type: (models.User, ServiceOrResourceType, Optional[Collection[Permission]], bool) -> List[PermissionSet]
        """
        Obtains the effective permissions the user has over the specified resource.

        Recursively rewinds the resource tree from the specified resource up to the top-most parent service the resource
        resides under (or directly if the resource is the service) and retrieve permissions along the way that should be
        applied to children when using scoped-resource inheritance. Rewinding of the tree can terminate earlier when
        permissions can be immediately resolved such as when more restrictive conditions enforce denied access.

        Both user and group permission inheritance is resolved simultaneously to tree hierarchy with corresponding
        allow and deny conditions. User :term:`Direct Permissions` have priority over all its groups
        :term:`Inherited Permissions`, and denied permissions have priority over allowed access ones.

        All applicable permissions on the resource (as defined by :meth:`allowed_permissions`) will have their
        resolution (Allow/Deny) provided as output, unless a specific subset of permissions is requested using
        :paramref:`permissions`. Other permissions are ignored in this case to only resolve requested ones.
        For example, this parameter can be used to request only ACL resolution from specific permissions applicable
        for a given request, as obtained by :meth:`permission_requested`.

        Permissions scoped as `match` can be ignored using :paramref:`allow_match`, such as when the targeted resource
        does not exist.

        .. seealso::
            - :meth:`ServiceInterface.resource_requested`
        """
        if not permissions:
            permissions = self.allowed_permissions(resource)
        requested_perms = set(permissions)  # type: Set[Permission]
        effective_perms = dict()  # type: Dict[Permission, PermissionSet]

        # immediately return all permissions if user is an admin
        db_session = self.request.db
        admin_group = get_constant("MAGPIE_ADMIN_GROUP", self.request)
        admin_group = GroupService.by_group_name(admin_group,
                                                 db_session=db_session)
        if admin_group in user.groups:  # noqa
            return [
                PermissionSet(perm,
                              access=Access.ALLOW,
                              scope=Scope.MATCH,
                              typ=PermissionType.EFFECTIVE,
                              reason=PERMISSION_REASON_ADMIN)
                for perm in permissions
            ]

        # level at which last permission was found, -1 if not found
        # employed to resolve with *closest* scope and for applicable 'reason' combination on same level
        effective_level = dict()  # type: Dict[Permission, Optional[int]]
        current_level = 1  # one-based to avoid ``if level:`` check failing with zero
        full_break = False
        # current and parent resource(s) recursive-scope
        while resource is not None and not full_break:  # bottom-up until service is reached

            # include both permissions set in database as well as defined directly on resource
            cur_res_perms = ResourceService.perms_for_user(
                resource, user, db_session=db_session)
            cur_res_perms.extend(permission_to_pyramid_acls(resource.__acl__))

            for perm_name in requested_perms:
                if full_break:
                    break
                for perm_tup in cur_res_perms:
                    perm_set = PermissionSet(perm_tup)

                    # if user is owner (directly or via groups), all permissions are set,
                    # but continue processing this resource until end in case user explicit deny reverts it
                    if perm_tup.perm_name == ALL_PERMISSIONS:
                        # FIXME:
                        #   This block needs to be validated if support of ownership rules are added.
                        #   Conditions must be revised according to wanted behaviour...
                        #   General idea for now is that explict user/group deny should be prioritized over resource
                        #   ownership permissions since these can be attributed to *any user* while explicit deny are
                        #   definitely set by an admin-level user.
                        for perm in requested_perms:
                            if perm_set.access == Access.DENY:
                                all_perm = PermissionSet(
                                    perm, perm_set.access, perm.scope,
                                    PermissionType.OWNED)
                                effective_perms[perm] = all_perm
                            else:
                                all_perm = PermissionSet(
                                    perm, perm_set.access, perm.scope,
                                    PermissionType.OWNED)
                                effective_perms.setdefault(perm, all_perm)
                        full_break = True
                        break
                    # skip if the current permission must not be processed (at all or for the moment until next 'name')
                    if perm_set.name not in requested_perms or perm_set.name != perm_name:
                        continue
                    # only first resource can use match (if even enabled with found one), parents are recursive-only
                    if not allow_match and perm_set.scope == Scope.MATCH:
                        continue
                    # pick the first permission if none was found up to this point
                    prev_perm = effective_perms.get(perm_name)
                    scope_level = effective_level.get(perm_name)
                    if not prev_perm:
                        effective_perms[perm_name] = perm_set
                        effective_level[perm_name] = current_level
                        continue

                    # user direct permissions have priority over inherited ones from groups
                    # if inherited permission was found during previous iteration, override it with direct permission
                    if perm_set.type == PermissionType.DIRECT:
                        # - reset resolution scope of previous permission attributed to group as it takes precedence
                        # - since there can't be more than one user permission-name per resource on a given level,
                        #   scope resolution is done after applying this *closest* permission, ignore higher level ones
                        if prev_perm.type == PermissionType.INHERITED or not scope_level:
                            effective_perms[perm_name] = perm_set
                            effective_level[perm_name] = current_level
                        continue  # final decision for this user, skip any group permissions

                    # resolve prioritized permission according to ALLOW/DENY, scope and group priority
                    # (see 'PermissionSet.resolve' method for extensive details)
                    # skip if last permission is not on group to avoid redundant USER > GROUP check processed before
                    if prev_perm.type == PermissionType.INHERITED:
                        # - If new permission to process is done against the previous permission from *same* tree-level,
                        #   there is a possibility to combine equal priority groups. In such case, reason is 'MULTIPLE'.
                        # - If not of equal priority, the appropriate permission is selected and reason is overridden
                        #   accordingly by the new higher priority permission.
                        # - If no permission was defined at all (first occurrence), also set it using current permission
                        if scope_level in [None, current_level]:
                            resolved_perm = PermissionSet.resolve(
                                perm_set,
                                prev_perm,
                                context=PermissionType.EFFECTIVE)
                            effective_perms[perm_name] = resolved_perm
                            effective_level[perm_name] = current_level
                        # - If new permission is at *different* tree-level, it applies only if the group has higher
                        #   priority than the previous one, to respect the *closest* scope to the target resource.
                        #   Same priorities are ignored as they were already resolved by *closest* scope above.
                        # - Reset scope level with new permission such that another permission of same group priority as
                        #   that could be processed in next iteration can be compared against it, to resolve 'access'
                        #   priority between them.
                        elif perm_set.group_priority > prev_perm.group_priority:
                            effective_perms[perm_name] = perm_set
                            effective_level[perm_name] = current_level

            # don't bother moving to parent if everything is resolved already
            #   can only assume nothing left to resolve if all permissions are direct on user (highest priority)
            #   if any found permission is group inherited, higher level user permission could still override it
            if (len(effective_perms) == len(requested_perms)
                    and all(perm.type == PermissionType.DIRECT
                            for perm in effective_perms.values())):
                break
            # otherwise, move to parent if any available, since we are not done rewinding the resource tree
            allow_match = False  # reset match not applicable anymore for following parent resources
            current_level += 1
            if resource.parent_id:
                resource = ResourceService.by_resource_id(
                    resource.parent_id, db_session=db_session)
            else:
                resource = None

        # set deny for all still unresolved permissions from requested ones
        resolved_perms = set(effective_perms)
        missing_perms = set(permissions) - resolved_perms
        final_perms = set(effective_perms.values())  # type: Set[PermissionSet]
        for perm_name in missing_perms:
            perm = PermissionSet(perm_name,
                                 access=Access.DENY,
                                 scope=Scope.MATCH,
                                 typ=PermissionType.EFFECTIVE,
                                 reason=PERMISSION_REASON_DEFAULT)
            final_perms.add(perm)
        # enforce type and scope (use MATCH to make it explicit that it applies specifically for this resource)
        for perm in final_perms:
            perm.type = PermissionType.EFFECTIVE
            perm.scope = Scope.MATCH
        return list(final_perms)
Exemplo n.º 3
0
    def test_permission_resolve_raised_invalid(self):
        """
        Ensure that resolution with completely invalid/impossible cases are raised instead of failing silently.
        """
        perm_r = PermissionSet(Permission.READ, Access.ALLOW, Scope.RECURSIVE,
                               PermissionType.DIRECT)
        res1 = MockObject(resource_name="mock-resource1", resource_id=987)
        res2 = MockObject(resource_name="mock-resource2", resource_id=101)
        usr = MockObject(user_name="mock-user", user_id=123)
        grp = MockObject(group_name="mock-group", user_id=456)
        usr_tup = PermissionTuple(usr, perm_r.explicit_permission, "user",
                                  None, res1, False, True)
        usr_perm = PermissionSet(usr_tup)

        # two same user permissions of identical name cannot exist
        utils.check_raises(
            lambda: PermissionSet.resolve(usr_perm, usr_perm),
            ValueError,
            msg=
            "Should raise permissions corresponding by name and user, cannot exist simultaneously."
        )

        # various values that are valid to create 'PermissionSet', but insufficient for resolution
        valid_only_for_repr = [
            Permission.READ.value,
            Permission.READ.value + "-" + Scope.MATCH.value,
            Permission.READ.value + "-" + Access.ALLOW.value + "-" +
            Scope.MATCH.value,
            {
                "name": Permission.READ,
                "access": Access.DENY,
                "scope": Scope.MATCH
            },
            PermissionSet(Permission.READ.value, Access.ALLOW.value,
                          Scope.MATCH.value)  # missing 'perm_tuple'
        ]
        for perm1, perm2 in itertools.permutations(valid_only_for_repr, 2):
            utils.check_raises(
                lambda: PermissionSet.resolve(perm1, perm2),
                ValueError,
                msg=
                "Permission that do not provide comparison elements for resolution must be raised, "
                "although they are normally valid for simple permission representation."
            )

        # valid user and group tuples (both provide tuples, point to same resource, and don't refer to same user-perm)
        # but mismatching permission names
        perm_w = PermissionSet(Permission.WRITE, Access.ALLOW, Scope.RECURSIVE,
                               PermissionType.DIRECT)
        grp_tup = PermissionTuple(usr, perm_w.explicit_permission, "group",
                                  grp, res1, False, True)
        grp_perm = PermissionSet(grp_tup)
        utils.check_raises(
            lambda: PermissionSet.resolve(usr_perm, grp_perm),
            ValueError,
            msg=
            "Mismatching permission names should be raised as they cannot be resolved together."
        )

        # same perm name (read), both tuple provided, not both user-perms, but not referring to same resource
        grp_tup = PermissionTuple(usr, perm_r.explicit_permission, "group",
                                  grp, res2, False, True)
        grp_perm = PermissionSet(grp_tup)
        utils.check_raises(
            lambda: PermissionSet.resolve(usr_perm, grp_perm),
            ValueError,
            msg=
            "Mismatching resources should be raised as they cannot be resolved together."
        )
        utils.check_no_raise(
            lambda: PermissionSet.resolve(
                usr_perm, grp_perm, context=PermissionType.EFFECTIVE),
            msg=
            "Mismatching resources should resolved when requested explicitly (effective)."
        )