def check_admin(user_lookup: KBaseUserLookup, token: Optional[str], perm: AdminPermission, method: str, log_fn: Callable[[str], None], as_user: UserID = None, skip_check: bool = False) -> bool: ''' Check whether a user has admin privileges. The request is logged. :param user_lookup: the service to use to look up user information. :param token: the user's token, or None if the user is anonymous. In this case, if skip_check is false, an UnauthorizedError will be thrown. :param perm: the required administration permission. :param method: the method the user is trying to run. This is used in logging and error messages. :param logger: a function that logs information when called with a string. :param as_user: if the admin is impersonating another user, the username of that user. :param skip_check: Skip the administration permission check and return false. :returns: true if the user has the required administration permission, false if skip_check is true. :raises UnauthorizedError: if the user does not have the permission required. :raises InvalidUserError: if any of the user names are invalid. :raises UnauthorizedError: if any of the users names are valid but do not exist in the system. ''' if skip_check: return False if not token: raise _UnauthorizedError( 'Anonymous users may not act as service administrators.') _not_falsy(method, 'method') _not_falsy(log_fn, 'log_fn') if _not_falsy(perm, 'perm') == AdminPermission.NONE: raise ValueError( 'what are you doing calling this method with no permission ' + 'requirement? That totally makes no sense. Get a brain moran') if as_user and perm != AdminPermission.FULL: raise ValueError('as_user is supplied, but permission is not FULL') p, user = _not_falsy(user_lookup, 'user_lookup').is_admin(token) if p < perm: err = (f'User {user} does not have the necessary administration ' + f'privileges to run method {method}') log_fn(err) raise _UnauthorizedError(err) if as_user and user_lookup.invalid_users([as_user ]): # returns list of bad users raise _NoSuchUserError(as_user.id) log_fn( f'User {user} is running method {method} with administration permission {p.name}' + (f' as user {as_user}' if as_user else '')) return True
def build_samples( config: Dict[str, str]) -> Tuple[Samples, KBaseUserLookup, List[str]]: ''' Build the sample service instance from the SDK server provided parameters. :param cfg: The SDK generated configuration. :returns: A samples instance. ''' if not config: raise ValueError('config is empty, cannot start service') arango_url = _check_string_req(config.get('arango-url'), 'config param arango-url') arango_db = _check_string_req(config.get('arango-db'), 'config param arango-db') arango_user = _check_string_req(config.get('arango-user'), 'config param arango-user') arango_pwd = _check_string_req(config.get('arango-pwd'), 'config param arango-pwd') col_sample = _check_string_req(config.get('sample-collection'), 'config param sample-collection') col_version = _check_string_req(config.get('version-collection'), 'config param version-collection') col_ver_edge = _check_string_req(config.get('version-edge-collection'), 'config param version-edge-collection') col_node = _check_string_req(config.get('node-collection'), 'config param node-collection') col_node_edge = _check_string_req(config.get('node-edge-collection'), 'config param node-edge-collection') col_data_link = _check_string_req(config.get('data-link-collection'), 'config param data-link-collection') col_ws_obj_ver = _check_string_req( config.get('workspace-object-version-shadow-collection'), 'config param workspace-object-version-shadow-collection') col_schema = _check_string_req(config.get('schema-collection'), 'config param schema-collection') auth_root_url = _check_string_req(config.get('auth-root-url'), 'config param auth-root-url') auth_token = _check_string_req(config.get('auth-token'), 'config param auth-token') full_roles = split_value(config, 'auth-full-admin-roles') read_roles = split_value(config, 'auth-read-admin-roles') read_exempt_roles = split_value(config, 'auth-read-exempt-roles') ws_url = _check_string_req(config.get('workspace-url'), 'config param workspace-url') ws_token = _check_string_req(config.get('workspace-read-admin-token'), 'config param workspace-read-admin-token') kafka_servers = _check_string(config.get('kafka-bootstrap-servers'), 'config param kafka-bootstrap-servers', optional=True) kafka_topic = None if kafka_servers: # have to start the server twice to test no kafka scenario kafka_topic = _check_string(config.get('kafka-topic'), 'config param kafka-topic') metaval_url = _check_string(config.get('metadata-validator-config-url'), 'config param metadata-validator-config-url', optional=True) # meta params may have info that shouldn't be logged so don't log any for now. # Add code to deal with this later if needed print(f''' Starting server with config: arango-url: {arango_url} arango-db: {arango_db} arango-user: {arango_user} arango-pwd: [REDACTED FOR YOUR SAFETY AND COMFORT] sample-collection: {col_sample} version-collection: {col_version} version-edge-collection: {col_ver_edge} node-collection: {col_node} node-edge-collection: {col_node_edge} data-link-collection: {col_data_link} workspace-object-version-shadow-collection: {col_ws_obj_ver} schema-collection: {col_schema} auth-root-url: {auth_root_url} auth-token: [REDACTED FOR YOUR CONVENIENCE AND ENJOYMENT] auth-full-admin-roles: {', '.join(full_roles)} auth-read-admin-roles: {', '.join(read_roles)} auth-read-exempt-roles: {', '.join(read_exempt_roles)} workspace-url: {ws_url} workspace-read-admin-token: [REDACTED FOR YOUR ULTIMATE PLEASURE] kafka-bootstrap-servers: {kafka_servers} kafka-topic: {kafka_topic} metadata-validators-config-url: {metaval_url} ''') # build the validators before trying to connect to arango metaval = get_validators( metaval_url) if metaval_url else MetadataValidatorSet() arangoclient = _arango.ArangoClient(hosts=arango_url) arango_db = arangoclient.db(arango_db, username=arango_user, password=arango_pwd, verify=True) storage = _ArangoSampleStorage( arango_db, col_sample, col_version, col_ver_edge, col_node, col_node_edge, col_ws_obj_ver, col_data_link, col_schema, ) storage.start_consistency_checker() kafka = _KafkaNotifer(kafka_servers, _cast( str, kafka_topic)) if kafka_servers else None user_lookup = KBaseUserLookup(auth_root_url, auth_token, full_roles, read_roles) ws = _WS(_Workspace(ws_url, token=ws_token)) return Samples(storage, user_lookup, metaval, ws, kafka), user_lookup, read_exempt_roles