def check_admin(user_lookup: KBaseUserLookup,
token: Optional[str],
perm: AdminPermission,
method: str,
log_fn: Callable[[str], None],
as_user: UserID = None,
skip_check: bool = False) -> bool:
'''
Check whether a user has admin privileges.
The request is logged.
:param user_lookup: the service to use to look up user information.
:param token: the user's token, or None if the user is anonymous. In this case, if skip_check
is false, an UnauthorizedError will be thrown.
:param perm: the required administration permission.
:param method: the method the user is trying to run. This is used in logging and error
messages.
:param logger: a function that logs information when called with a string.
:param as_user: if the admin is impersonating another user, the username of that user.
:param skip_check: Skip the administration permission check and return false.
:returns: true if the user has the required administration permission, false if skip_check
is true.
:raises UnauthorizedError: if the user does not have the permission required.
:raises InvalidUserError: if any of the user names are invalid.
:raises UnauthorizedError: if any of the users names are valid but do not exist in the system.
'''
if skip_check:
return False
if not token:
raise _UnauthorizedError(
'Anonymous users may not act as service administrators.')
_not_falsy(method, 'method')
_not_falsy(log_fn, 'log_fn')
if _not_falsy(perm, 'perm') == AdminPermission.NONE:
raise ValueError(
'what are you doing calling this method with no permission ' +
'requirement? That totally makes no sense. Get a brain moran')
if as_user and perm != AdminPermission.FULL:
raise ValueError('as_user is supplied, but permission is not FULL')
p, user = _not_falsy(user_lookup, 'user_lookup').is_admin(token)
if p < perm:
err = (f'User {user} does not have the necessary administration ' +
f'privileges to run method {method}')
log_fn(err)
raise _UnauthorizedError(err)
if as_user and user_lookup.invalid_users([as_user
]): # returns list of bad users
raise _NoSuchUserError(as_user.id)
log_fn(
f'User {user} is running method {method} with administration permission {p.name}'
+ (f' as user {as_user}' if as_user else ''))
return True
def build_samples(
config: Dict[str, str]) -> Tuple[Samples, KBaseUserLookup, List[str]]:
'''
Build the sample service instance from the SDK server provided parameters.
:param cfg: The SDK generated configuration.
:returns: A samples instance.
'''
if not config:
raise ValueError('config is empty, cannot start service')
arango_url = _check_string_req(config.get('arango-url'),
'config param arango-url')
arango_db = _check_string_req(config.get('arango-db'),
'config param arango-db')
arango_user = _check_string_req(config.get('arango-user'),
'config param arango-user')
arango_pwd = _check_string_req(config.get('arango-pwd'),
'config param arango-pwd')
col_sample = _check_string_req(config.get('sample-collection'),
'config param sample-collection')
col_version = _check_string_req(config.get('version-collection'),
'config param version-collection')
col_ver_edge = _check_string_req(config.get('version-edge-collection'),
'config param version-edge-collection')
col_node = _check_string_req(config.get('node-collection'),
'config param node-collection')
col_node_edge = _check_string_req(config.get('node-edge-collection'),
'config param node-edge-collection')
col_data_link = _check_string_req(config.get('data-link-collection'),
'config param data-link-collection')
col_ws_obj_ver = _check_string_req(
config.get('workspace-object-version-shadow-collection'),
'config param workspace-object-version-shadow-collection')
col_schema = _check_string_req(config.get('schema-collection'),
'config param schema-collection')
auth_root_url = _check_string_req(config.get('auth-root-url'),
'config param auth-root-url')
auth_token = _check_string_req(config.get('auth-token'),
'config param auth-token')
full_roles = split_value(config, 'auth-full-admin-roles')
read_roles = split_value(config, 'auth-read-admin-roles')
read_exempt_roles = split_value(config, 'auth-read-exempt-roles')
ws_url = _check_string_req(config.get('workspace-url'),
'config param workspace-url')
ws_token = _check_string_req(config.get('workspace-read-admin-token'),
'config param workspace-read-admin-token')
kafka_servers = _check_string(config.get('kafka-bootstrap-servers'),
'config param kafka-bootstrap-servers',
optional=True)
kafka_topic = None
if kafka_servers: # have to start the server twice to test no kafka scenario
kafka_topic = _check_string(config.get('kafka-topic'),
'config param kafka-topic')
metaval_url = _check_string(config.get('metadata-validator-config-url'),
'config param metadata-validator-config-url',
optional=True)
# meta params may have info that shouldn't be logged so don't log any for now.
# Add code to deal with this later if needed
print(f'''
Starting server with config:
arango-url: {arango_url}
arango-db: {arango_db}
arango-user: {arango_user}
arango-pwd: [REDACTED FOR YOUR SAFETY AND COMFORT]
sample-collection: {col_sample}
version-collection: {col_version}
version-edge-collection: {col_ver_edge}
node-collection: {col_node}
node-edge-collection: {col_node_edge}
data-link-collection: {col_data_link}
workspace-object-version-shadow-collection: {col_ws_obj_ver}
schema-collection: {col_schema}
auth-root-url: {auth_root_url}
auth-token: [REDACTED FOR YOUR CONVENIENCE AND ENJOYMENT]
auth-full-admin-roles: {', '.join(full_roles)}
auth-read-admin-roles: {', '.join(read_roles)}
auth-read-exempt-roles: {', '.join(read_exempt_roles)}
workspace-url: {ws_url}
workspace-read-admin-token: [REDACTED FOR YOUR ULTIMATE PLEASURE]
kafka-bootstrap-servers: {kafka_servers}
kafka-topic: {kafka_topic}
metadata-validators-config-url: {metaval_url}
''')
# build the validators before trying to connect to arango
metaval = get_validators(
metaval_url) if metaval_url else MetadataValidatorSet()
arangoclient = _arango.ArangoClient(hosts=arango_url)
arango_db = arangoclient.db(arango_db,
username=arango_user,
password=arango_pwd,
verify=True)
storage = _ArangoSampleStorage(
arango_db,
col_sample,
col_version,
col_ver_edge,
col_node,
col_node_edge,
col_ws_obj_ver,
col_data_link,
col_schema,
)
storage.start_consistency_checker()
kafka = _KafkaNotifer(kafka_servers, _cast(
str, kafka_topic)) if kafka_servers else None
user_lookup = KBaseUserLookup(auth_root_url, auth_token, full_roles,
read_roles)
ws = _WS(_Workspace(ws_url, token=ws_token))
return Samples(storage, user_lookup, metaval, ws,
kafka), user_lookup, read_exempt_roles