Пример #1
0
    def __init__(self, connection=None, loglevel="INFO"):
        #self.connection = connection
        MetaResourceController.__init__(self, connection, loglevel)
        from porper.models.group import Group
        self.group = Group(self.connection, loglevel)
        from porper.models.user import User
        self.user = User(self.connection, loglevel)
        # from porper.controllers.user_group_controller import UserGroupController
        # self.user_group_controller = UserGroupController(self.connection)

        self.permission_name = 'group'
Пример #2
0
    def __init__(self, connection=None, loglevel="INFO"):
        MetaResourceController.__init__(self, connection, loglevel)
        from porper.models.role import Role
        self.role = Role(self.connection, loglevel)
        from porper.models.role_function import RoleFunction
        self.role_function = RoleFunction(self.connection, loglevel)
        # from porper.models.function import Function
        # self.function = Function(self.connection)
        # from porper.controllers.user_group_controller import UserGroupController
        # self.user_group_controller = UserGroupController(self.connection)
        # from porper.controllers.token_controller import TokenController
        # self.token_controller = TokenController(self.connection)
        from porper.models.group import Group
        self.group = Group(self.connection, loglevel)

        self.permission_name = "role"
    def __init__(self, connection=None, loglevel="INFO"):
        MetaResourceController.__init__(self, connection, loglevel)
        from porper.models.permission import Permission
        from porper.models.user_group import UserGroup
        self.permission = Permission(self.connection, loglevel)
        self.user_group = UserGroup(self.connection, loglevel)
        from porper.models.user import User
        from porper.models.group import Group
        self.user = User(self.connection, loglevel)
        self.group = Group(self.connection, loglevel)
        from porper.models.access_token import AccessToken
        self.access_token = AccessToken(self.connection, loglevel)
        # from porper.controllers.token_controller import TokenController
        # self.token_controller = TokenController(self.connection)
        # from porper.controllers.user_group_controller import UserGroupController
        # self.user_group_controller = UserGroupController(self.connection)

        from porper.models.permission import ALL
        self.PERMITTED_TO_ALL = ALL
def lambda_handler(event, context):

    print('Received event:\n{}'.format(event))

    try:
        region = os.environ.get('AWS_DEFAULT_REGION')
        dynamodb = boto3.resource('dynamodb', region_name=region)
        group = Group(dynamodb)

        params = {'id': str(uuid.uuid4()), 'name': 'admin'}
        group.create(params)

        params = {'id': str(uuid.uuid4()), 'name': 'public'}
        group.create(params)

        response = {
            'statusCode': 200
        }
        response['headers'] = {"Access-Control-Allow-Origin": "*"}
        response['body'] = json.dumps("successfully initialized")
        return response
    except Exception as ex:
        traceback.print_exc()
        err_msg = '%s' % ex
        response = {
            'statusCode': 500
        }
        response['headers'] = {"Access-Control-Allow-Origin": "*"}
        response['body'] = json.dumps(err_msg)
        return response
    def __init__(self, connection=None, loglevel="INFO"):

        self.logger = logging.getLogger()
        # loglevel = "INFO"
        logging.basicConfig(level=logging.ERROR)
        aws_lambda_logging.setup(level=loglevel)

        if not connection:
            host = os.environ.get('MYSQL_HOST')
            username = os.environ.get('MYSQL_USER')
            password = os.environ.get('MYSQL_PASSWORD')
            database = os.environ.get('MYSQL_DATABASE')
            self.connection = pymysql.connect(host, user=username, passwd=password, db=database, cursorclass=pymysql.cursors.DictCursor)
            self.logger.debug("@@@@@@@@new connection created")
        else:
            self.connection = connection

        from porper.models.customer import Customer
        self.customer = Customer(self.connection, loglevel)
        from porper.models.group import Group
        self.group = Group(self.connection, loglevel)
        from porper.models.access_token import AccessToken
        self.access_token = AccessToken(self.connection, loglevel)
        from porper.models.permission import Permission
        self.permission = Permission(self.connection, loglevel)
        # from porper.models.user_group import UserGroup
        # self.user_group = UserGroup(self.connection)
        # from porper.controllers.token_controller import TokenController
        # self.token_controller = TokenController(self.connection)

        self.permissions = None
        self.user_id = None
        self.customer_id = None
        self.permission_name = None
        self.is_admin = False
        self.is_customer_admin = False

        self.permission_read = PERMISSION_READ
        self.permission_write = PERMISSION_WRITE
Пример #6
0
    def __init__(self, connection=None, loglevel="INFO"):

        self.logger = logging.getLogger()
        # loglevel = "INFO"
        logging.basicConfig(level=logging.ERROR)
        aws_lambda_logging.setup(level=loglevel)

        if not connection:
            host = os.environ.get('MYSQL_HOST')
            username = os.environ.get('MYSQL_USER')
            password = os.environ.get('MYSQL_PASSWORD')
            database = os.environ.get('MYSQL_DATABASE')
            self.connection = pymysql.connect(
                host,
                user=username,
                passwd=password,
                db=database,
                cursorclass=pymysql.cursors.DictCursor)
            self.logger.debug("@@@@@@@@new connection created")
        else:
            self.connection = connection
        # from porper.controllers.user_controller import UserController
        # self.user_controller = UserController(self.connection)
        # from porper.controllers.invited_user_controller import InvitedUserController
        # self.invited_user_controller = InvitedUserController(self.connection)
        # from porper.controllers.token_controller import TokenController
        # self.token_controller = TokenController(self.connection)
        # from porper.models.access_token import AccessToken
        # self.access_token = AccessToken(self.connection)
        from porper.models.user import User
        self.user = User(self.connection, loglevel)
        from porper.models.user_group import UserGroup
        self.user_group = UserGroup(self.connection, loglevel)
        from porper.models.group import Group
        self.group = Group(self.connection, loglevel)
        from porper.models.invited_user import InvitedUser
        self.invited_user = InvitedUser(self.connection, loglevel)
        from porper.models.access_token import AccessToken
        self.access_token = AccessToken(self.connection, loglevel)
Пример #7
0
    def setup_group(self, team_id, uid):

        is_admin = False

        # create a default group if not exists
        from porper.models.group import Group
        group = Group(self.connection, loglevel)
        group_info = group.find_by_id(team_id)
        if not group_info:
            # if this is the first user in this group, make it as admin
            is_admin = True
            group_info = {"id": team_id, "name": team_id}
            group.create(group_info)

        # now add this user to its default group
        from porper.models.user_group import UserGroup
        user_group = UserGroup(self.connection, loglevel)
        user_group_info = {
            "user_id": uid,
            "group_id": team_id,
            "is_admin": is_admin
        }
        self.logger.debug(ser_group_info)
        user_group.create(user_group_info)
Пример #8
0
class InvitedUserController(MetaResourceController):
    def __init__(self, connection=None, loglevel="INFO"):
        MetaResourceController.__init__(self, connection, loglevel)
        from porper.models.invited_user import InvitedUser
        self.invited_user = InvitedUser(self.connection, loglevel)
        from porper.models.user_group import UserGroup
        self.user_group = UserGroup(self.connection, loglevel)
        from porper.models.group import Group
        self.group = Group(self.connection, loglevel)
        # from porper.controllers.user_group_controller import UserGroupController
        # self.user_group_controller = UserGroupController(self.connection)

        self.permission_name = "invite"

    def create(self, access_token, params):
        """
        possible attributes in params
            - auth_type, email, group_id, [invited_at, invited_by, is_admin]
        """
        self.find_user_level(access_token)

        if not self.is_permitted(self.permission_name, self.permission_write):
            raise Exception("not permitted")

        if not self.is_member(group_id=params['group_id']):
            raise Exception("not permitted")

        search_params = {
            'email': params['email'],
            'auth_type': params['auth_type']
        }
        items = self.invited_user.find(search_params)
        if items:
            if items[0]['state'] == self.invited_user.REGISTERED:
                raise Exception("Already registered")
            if items[0]['state'] == self.invited_user.INVITED:
                self.logger.info("Already invited")
                return True
            # set the status to 'invited'
            self.invited_user.update_state(params['email'],
                                           params['auth_type'],
                                           self.invited_user.INVITED)
            return True

        return self._save(self.user_id, params)

    def _save(self, user_id, params):
        # invited_users = self.invited_user.find(params)
        # if len(invited_users) > 0:
        #     print('already invited')
        #     return True
        customer_id = None
        if 'customer_id' in params:
            customer_id = params['customer_id']
            del params['customer_id']
        if not params.get('invited_by'):
            params['invited_by'] = user_id
        if not params.get('invited_at'):
            params['invited_at'] = str(datetime.utcnow())
        if not params.get('state'):
            params['state'] = self.invited_user.INVITED
        # if not params.get('is_admin'):
        #     params['is_admin'] = False
        # else:
        #     params['is_admin'] = True
        params = self.invited_user.create(params)
        if customer_id:
            params['customer_id'] = customer_id
        return params

    def update(self, access_token, params):
        """
        attributes in params
            - auth_type, email
        """
        self.find_user_level(access_token)

        if not self.is_permitted(self.permission_name, self.permission_write):
            raise Exception("not permitted")

        items = self.invited_user.find_simple({
            'email': params['email'],
            'auth_type': params['auth_type']
        })
        if not items:
            raise Exception("not permitted")

        if items[0]['state'] == self.invited_user.REGISTERED:
            raise Exception("Already registered")

        ret = self.group.find_by_id(items[0]['group_id'])
        if not ret:
            raise Exception("not permitted")

        if self.is_customer_admin:
            if self.customer_id != ret['customer_id']:
                raise Exception("not permitted")
        elif not self.is_admin:
            if not self.is_member(group_id=items[0]['group_id']):
                raise Exception("not permitted")

        params['state'] = self.invited_user.INVITED
        return self.invited_user.update_state(params['email'],
                                              params['auth_type'],
                                              params['state'])

    def find(self, access_token, params):
        """
        possible attributes in params
            - group_id
            - auth_type, email
            - None
        """

        self.find_user_level(access_token)
        if not self.is_permitted(self.permission_name, self.permission_read):
            raise Exception("not permitted")

        # if the current user is admin, return all fetched invited_users
        if self.is_admin:
            return self.invited_user.find(params)
        elif self.is_customer_admin:
            return self.invited_user.find(params, customer_id=self.customer_id)
        else:
            return self.invited_user.find(params, user_id=self.user_id)

    def delete(self, access_token, params):
        """
        attributes in params
            - auth_type, email
        """
        self.find_user_level(access_token)

        if not self.is_permitted(self.permission_name, self.permission_write):
            raise Exception("not permitted")

        items = self.invited_user.find_simple({
            'email': params['email'],
            'auth_type': params['auth_type']
        })
        if not items:
            raise Exception("not permitted")

        if items[0]['state'] == self.invited_user.REGISTERED:
            raise Exception("Already registered")

        ret = self.group.find_by_id(items[0]['group_id'])
        if not ret:
            raise Exception("not permitted")

        if self.is_customer_admin:
            if self.customer_id != ret['customer_id']:
                raise Exception("not permitted")
        elif not self.is_admin:
            if not self.is_member(group_id=items[0]['group_id']):
                raise Exception("not permitted")

        params['state'] = self.invited_user.CANCELLED
        self.invited_user.update_state(params['email'], params['auth_type'],
                                       params['state'])
        return True
import sys
sys.path.append("..")

import os
import boto3
region = os.environ.get('AWS_DEFAULT_REGION')
dynamodb = boto3.resource('dynamodb', region_name=region)

#########################################################################################################
# Preparation
# Find the access_token of an admin
#########################################################################################################
from porper.models.group import Group
group = Group(dynamodb)
admin_group = group.find({'name': 'admin'})[0]

from util import find_token
admin_access_token = find_token(admin_group['id'])

# find a group
from porper.controllers.group_controller import GroupController
group_controller = GroupController(dynamodb)
groups = group_controller.find(admin_access_token, {})

### Invite a user
from porper.controllers.invited_user_controller import InvitedUserController
invited_user_controller = InvitedUserController(dynamodb)

email_address = "*****@*****.**"
item = {
    'email': email_address,
class PermissionController(MetaResourceController):

    def __init__(self, connection=None, loglevel="INFO"):
        MetaResourceController.__init__(self, connection, loglevel)
        from porper.models.permission import Permission
        from porper.models.user_group import UserGroup
        self.permission = Permission(self.connection, loglevel)
        self.user_group = UserGroup(self.connection, loglevel)
        from porper.models.user import User
        from porper.models.group import Group
        self.user = User(self.connection, loglevel)
        self.group = Group(self.connection, loglevel)
        from porper.models.access_token import AccessToken
        self.access_token = AccessToken(self.connection, loglevel)
        # from porper.controllers.token_controller import TokenController
        # self.token_controller = TokenController(self.connection)
        # from porper.controllers.user_group_controller import UserGroupController
        # self.user_group_controller = UserGroupController(self.connection)

        from porper.models.permission import ALL
        self.PERMITTED_TO_ALL = ALL



    # def is_admin(self, user_id):
    #     return self.user_group_controller.is_admin(user_id)
    #
    # def is_group_admin(self, user_id, group_id):
    #     return self.user_group_controller.is_group_admin(user_id, group_id)
    #
    # def is_member(self, user_id, group_id):
    #     return self.user_group_controller.is_member(user_id, group_id)
    #
    # def is_permitted(self, access_token, params):
    #     """
    #     possible attributes in params
    #         - None
    #         - [user_id | group_id], action, resource, value
    #     """
    #     current_user_id = self.token_controller.find_user_id(access_token)
    #     if self.is_admin(current_user_id):    return True
    #
    #     #params['all'] = True
    #     rows = self.find(access_token, params)
    #     print("permitted : {}".format(rows))
    #     if len(rows) == 0:  return False
    #     return True

    def find_user_id(self, access_token):
        params = {
            'access_token': access_token
        }
        return self.access_token.find(params)[0]['user_id']


    def add_permissions_to_groups(self, resource_name, resource_id, permissions):
        #permissions:
        #[
        #    {"action": "r"},
        #    ...
        #]

        permission_params = {
            "resource": resource_name,
            "value": resource_id
        }
        for permission in permissions:
            permission_params["group_id"] = permission['id']
            permission_params["action"] = permission['action']
            if permission.get('condition'):
                permission_params['condition'] = permission['condition']
            if permission['state'].lower() == "a":
                self.permission.create(permission_params)
            elif permission['state'].lower() == "u":
                self.permission.update(permission_params)
            elif permission['state'].lower() == "d":
                self.permission.delete(permission_params)


    def add_permissions_to_users(self, resource_name, resource_id, permissions):
        #permissions:
        #[
        #    {"action": "r"},
        #    ...
        #]

        permission_params = {
            "resource": resource_name,
            "value": resource_id
        }
        for permission in permissions:
            permission_params["user_id"] = permission['id']
            permission_params["action"] = permission['action']
            if permission.get('condition'):
                permission_params['condition'] = permission['condition']
            if permission['state'].lower() == "a":
                self.permission.create(permission_params)
            elif permission['state'].lower() == "u":
                self.permission.update(permission_params)
            elif permission['state'].lower() == "d":
                self.permission.delete(permission_params)


    def add_permissions_to_customers(self, resource_name, resource_id, permissions):
        #permissions:
        #[
        #    {"action": "r"},
        #    ...
        #]

        permission_params = {
            "resource": resource_name,
            "value": resource_id
        }
        for permission in permissions:
            permission_params["customer_id"] = permission['id']
            permission_params["action"] = permission['action']
            if permission.get('condition'):
                permission_params['condition'] = permission['condition']
            if permission['state'].lower() == "a":
                self.permission.create(permission_params)
            elif permission['state'].lower() == "u":
                self.permission.update(permission_params)
            elif permission['state'].lower() == "d":
                self.permission.delete(permission_params)


    def create_permissions_to_groups(self, resource_name, resource_id, to_group_ids):
       #permissions:
        #[
        #    {"action": "r"},
        #    ...
        #]

        # current_user_id = self.token_controller.find_user_id(access_token)
        #
        # # if the current is admin, allow it
        # if self.is_admin(current_user_id):
        #     return self.add_permissions_to_group(resource_name, resource_id, permissions, to_group_id)

        if not self.is_admin:
            group_ids = [g['id'] for g in to_group_ids]
            customer_id = None
            user_id = None
            # if self.is_customer_admin:
            #     customer_id = self.customer_id
            # else:
            #     user_id = self.user_id
            # allow all users in the same customer
            customer_id = self.customer_id
            groups = self.group.find_by_ids(group_ids, customer_id= customer_id, user_id=user_id)
            if len(groups) != len(group_ids):
                self.logger.info("len(groups) = {} whereas len(to_group_ids) = {}".format(len(groups), len(group_ids)))
                raise Exception("not permitted")

        return self.add_permissions_to_groups(resource_name, resource_id, to_group_ids)

        """
        # if the current user is NOT group admin of the given group, don't allow it
        if not self.is_group_admin(user_id, to_group_id):
            raise Exception("not permitted")
        # if 'create' is NOT in permissions to give
        # and the current user has 'create' permission in the speicified resource, allow it
        # if the specified group has a permission to 'create' on the specified resource, allow it
        if self.PERMISSION_TO_CREATE not in permissions:
            params = {
                'action': 'create',
                'resource': resource_name,
                'value': resource_id
            }
            if self.is_permitted(access_token, params):
                return self.add_permissions_to_group(resource_name, resource_id, permissions, to_group_id)
        """

        #raise Exception("not permitted")


    def create_permissions_to_users(self, resource_name, resource_id, to_user_ids):
        #permissions:
        #[
        #    {"action": "r"},
        #    ...
        #]

        if not self.is_admin:
            user_ids = [u['id'] for u in to_user_ids]
            customer_id = None
            user_id = None
            # if self.is_customer_admin:
            #     customer_id = self.customer_id
            # else:
            #     user_id = self.user_id
            # allow all users in the same customer
            customer_id = self.customer_id
            users = self.user.find_by_ids(user_ids, customer_id=customer_id, user_id=user_id)
            # get the unique users
            users = list(dict.fromkeys([u['id'] for u in users]))
            if len(users) != len(user_ids):
                self.logger.info("len(users) = {} whereas len(to_user_ids) = {}".format(len(users), len(user_ids)))
                raise Exception("not permitted")

        return self.add_permissions_to_users(resource_name, resource_id, to_user_ids)

        """
        # if 'create' is NOT in permissions to give
        # and the current user has 'create' permission in the speicified resource, allow it
        # if the specified group has a permission to 'create' on the specified resource, allow it
        if self.PERMISSION_TO_CREATE not in permissions:
            params = {
                'action': 'create',
                'resource': resource_name,
                'value': resource_id
            }
            if self.is_permitted(access_token, params):
                return self.add_permissions_to_group(resource_name, resource_id, permissions, to_group_id)
        """

        #raise Exception("not permitted")


    def create_permissions_to_customer(self, resource_name, resource_id, to_customer_ids):
        #permissions:
        #[
        #    {"action": "r"},
        #    ...
        #]

        if not self.is_admin:
            # check if this user is in the same customer with the customer to give access
            for customer_id in [c['id'] for c in to_customer_ids]:
                if self.customer_id != customer_id:
                    raise Exception("not permitted")

        return self.add_permissions_to_customers(resource_name, resource_id, to_customer_ids)


    def create(self, access_token, params):
        # {
        #     "owner_id": "35925", "res_name": "meta", "res_id": "d392909c-d15f-43ff-98b4-9fd7e3ca80e9",
        #     "to_user_ids": [{"id": "*****@*****.**", "action": "w", "state": "A"},
        #                     {"id": "*****@*****.**", "action": "r", "state, "state": "A"}],
        #     "to_group_ids": [{"id": "group_id1", "action": "w", "state": "A"},
        #                     {"id": "group_id2", "action": "r", "state": "A"}],
        #     "to_customer_ids": [{"id": "customer_id1", "action": "w", "state": "A"}
        #                     {"id": "customer_id1", "action": "r", "state": "A"}]
        # }

        owner_id = params.get('owner_id')

        self.find_user_level(access_token)
        if self.user_id != owner_id:
            raise Exception("not permitted")

        if params.get('to_group_ids'):
            self.create_permissions_to_groups(params['res_name'], params['res_id'], params['to_group_ids'])
        if params.get('to_user_ids'):
            self.create_permissions_to_users(params['res_name'], params['res_id'], params['to_user_ids'])
        if params.get('to_customer_ids'):
            self.create_permissions_to_customer(params['res_name'], params['res_id'], params['to_customer_ids'])

        return True


    def update(self, access_token, params):
        user_id = self.find_user_id(access_token)
        raise Exception("not supported")


    # This is to remove all permissions of given resource
    def delete(self, access_token, params):
        user_id = self.find_user_id(access_token)

        owner_id = params.get('owner_id')

        self.find_user_level(access_token)
        if self.user_id != owner_id:
            raise Exception("not permitted")

        if 'res_name' not in params or 'res_id' not in params:
            raise Exception("resource name and id are not provided")

        params['value'] = params['res_id']
        del params['res_id']
        return self.permission.delete(params)


    # def _filter_conditions(self, user_id, rows):
    #
    #     filtered = [ row for row in rows if not row.get('condition') ]
    #     if len(filtered) == len(filtered):
    #         # there is no row with a condition
    #         return rows
    #
    #     permissions = [ row for row in rows if row.get('condition') ]
    #     for permission in permissions:
    #         condition = json.loads(permission['condition'])
    #         # check when the condition is 'is_admin' and it is satisified, add it to the return list if so
    #         if 'is_admin' in condition:
    #             if not user_id \
    #             or not condition['is_admin'] \
    #             or ( permission.get('group_id') and self.is_group_admin(user_id, permission['group_id']) ):
    #                 filtered.append(permission)
    #
    #     return filtered


    def find(self, access_token, params):
        """
        possible attributes in params
            - None
            - [user_id | group_id], action, resource, [value]
        """

        search_params = {}
        if params:
            if 'res_name' in params:
                search_params['res_name'] = params['res_name']
            if 'action' in params:
                search_params['action'] = params['action']
            if 'res_id' in params:
                search_params['value'] = params['res_id']

        self.find_user_level(access_token)
        owner_id = params.get('owner_id')

        search_cid = None
        search_gids = None
        search_uids = None
        if not self.is_admin and ('res_id' not in params or owner_id != self.user_id):
            customer_id = None
            user_id = None
            # Allow customer admin to see only its and shared graphs like normal users
            # if self.is_customer_admin:
            #     customer_id = self.customer_id
            # else:
            #     user_id = self.user_id
            user_id = self.user_id
            groups = self.group.find({}, customer_id= customer_id, user_id=user_id)
            # do not allow users in the same groups with this user
            # users = self.user.find({}, customer_id= customer_id, user_id=user_id)

            search_cid = self.customer_id
            search_gids = [g['id'] for g in groups]
            # search_uids = [u['id'] for u in users]
            search_uids = [user_id]

        ret = self.permission.find_resource_permissions(search_params, search_cid, search_gids, search_uids)
        if params.get("value_only"):
            ret = self.get_values(ret)

        return ret


    def get_values(self, permissions):
        ret = []
        for permission in permissions:
            if permission['value'] not in ret:
                ret.append(permission['value'])
        return ret
Пример #11
0
class GroupController(MetaResourceController):
    def __init__(self, connection=None, loglevel="INFO"):
        #self.connection = connection
        MetaResourceController.__init__(self, connection, loglevel)
        from porper.models.group import Group
        self.group = Group(self.connection, loglevel)
        from porper.models.user import User
        self.user = User(self.connection, loglevel)
        # from porper.controllers.user_group_controller import UserGroupController
        # self.user_group_controller = UserGroupController(self.connection)

        self.permission_name = 'group'

    # only the admin can create a group
    def create(self, access_token, params):
        """
        possible attributes in params
            - [id], name
        """
        self.logger.info(f"params={params}")
        self.logger.info(f"access_token={access_token}")
        # self.logger.info(f"paths={paths}")

        self.find_user_level(access_token)
        if not self.is_permitted(self.permission_name, self.permission_write):
            raise Exception("not permitted")

        if "customer_id" not in params or not self.is_member(
                customer_id=params['customer_id']):
            raise Exception("not permitted")

        return self.group.create(params)

    def update(self, access_token, params):
        """
        possible attributes in params
            - id, name
        """
        self.logger.info(f'group_controller_update-params={params}')
        self.logger.info(
            f'group_controller_update-access_token={access_token}')

        self.find_user_level(access_token)
        if not self.is_permitted(self.permission_name, self.permission_write):
            raise Exception("not permitted")

        item = self.group.find_by_id(params['id'])
        if not item or not self.is_member(customer_id=item['customer_id']):
            raise Exception("not permitted")

        if params.get('customer_id'):
            raise Exception('You cannot update the group customer')

        if 'name' in params:
            ret = self.group.find({'name': params['name']})
            if ret and ret[0]['id'] != params['id']:
                raise Exception("the group name already exists")

        return self.group.update(params)

    def delete(self, access_token, params):
        """
        possible attributes in params
            - id
        """

        self.find_user_level(access_token)
        if not self.is_permitted(self.permission_name, self.permission_write):
            raise Exception("not permitted")

        item = self.group.find_by_id(params['id'])
        if not item or not self.is_member(customer_id=item['customer_id']):
            raise Exception("not permitted")

        # cannot remove it when it has users
        users = self.user.find({'group_id': params['id']})
        if len(users) > 0:
            raise Exception(
                "You must remove all users before removing this group")

        return self.group.delete(params['id'])

    def find(self, access_token, params):
        """
        possible attributes in params
            - user_id: find all groups where this given user belongs
            - id: find a specific group
            - ids: find specific groups
            - None: No condition
            - name
        """

        self.find_user_level(access_token)

        if 'closed' in params:
            if not self.is_permitted(self.permission_name,
                                     self.permission_read):
                raise Exception("not permitted")

        customer_id = None
        user_id = None
        if 'closed' in params:
            # allow users/groups of the groups only this user belongs
            if self.is_customer_admin:
                customer_id = self.customer_id
            elif not self.is_admin:
                user_id = self.user_id
            del params['closed']
        else:
            # allow all users/groups of the customer this user belongs
            if not self.is_admin:
                customer_id = self.customer_id

        if 'ids' in params:
            groups = self.group.find_by_ids(params['ids'],
                                            customer_id=customer_id,
                                            user_id=user_id)
            return groups

        else:
            groups = self.group.find(params,
                                     customer_id=customer_id,
                                     user_id=user_id)
            if groups and 'id' in params:
                return groups[0]
            return groups
Пример #12
0
import sys

sys.path.append('..')

import os

region = os.environ.get('AWS_DEFAULT_REGION')

import boto3

dynamodb = boto3.resource('dynamodb', region_name=region)

from porper.models.group import Group

group = Group(dynamodb)

params = {'id': 'ffffffff-ffff-ffff-ffff-ffffffffffff', 'name': 'admin'}
group.create(params)

params = {'id': '435a6417-6c1f-4d7c-87dd-e8f6c0effc7a', 'name': 'public'}
group.create(params)
class MetaResourceController:

    def __init__(self, connection=None, loglevel="INFO"):

        self.logger = logging.getLogger()
        # loglevel = "INFO"
        logging.basicConfig(level=logging.ERROR)
        aws_lambda_logging.setup(level=loglevel)

        if not connection:
            host = os.environ.get('MYSQL_HOST')
            username = os.environ.get('MYSQL_USER')
            password = os.environ.get('MYSQL_PASSWORD')
            database = os.environ.get('MYSQL_DATABASE')
            self.connection = pymysql.connect(host, user=username, passwd=password, db=database, cursorclass=pymysql.cursors.DictCursor)
            self.logger.debug("@@@@@@@@new connection created")
        else:
            self.connection = connection

        from porper.models.customer import Customer
        self.customer = Customer(self.connection, loglevel)
        from porper.models.group import Group
        self.group = Group(self.connection, loglevel)
        from porper.models.access_token import AccessToken
        self.access_token = AccessToken(self.connection, loglevel)
        from porper.models.permission import Permission
        self.permission = Permission(self.connection, loglevel)
        # from porper.models.user_group import UserGroup
        # self.user_group = UserGroup(self.connection)
        # from porper.controllers.token_controller import TokenController
        # self.token_controller = TokenController(self.connection)

        self.permissions = None
        self.user_id = None
        self.customer_id = None
        self.permission_name = None
        self.is_admin = False
        self.is_customer_admin = False

        self.permission_read = PERMISSION_READ
        self.permission_write = PERMISSION_WRITE

        # self.USER_LEVEL_ADMIN = 'admin'
        # self.USER_LEVEL_CUSTOMER_ADMIN = 'customer_admin'
        # # self.USER_LEVEL_GROUP_ADMIN = 'group_admin'
        # self.USER_LEVEL_USER = '******'


    @property
    def model_name(self):
        return self.model.__class__.__name__


    # def find_permissions(self, user_id):
    #     sql = """
    #         select p.res_name name, p.action action, p.value value
    #         from User u
    #         inner join Group_User gu on gu.user_id = u.id
    #         inner join `Group` g on g.id = gu.group_id
    #         inner join Role r on g.role_id = r.id
    #         inner join Role_Function rf on rf.role_id = r.id
    #         inner join Function f on rf.function_id = f.id
    #         inner join Function_Permission fp on fp.function_id = f.id
    #         inner join Permission p on fp.permission_id = p.id
    #         where p.group_id is null and p.user_id is null and u.id = '{}'
    #     """
    #     return self.find_by_sql(sql.format(user_id))


    # def find_permissions(self, user_id, name, action, value=None):
    #
    #     sql = """
    #         select f.id function_id, f.name function_name, p.id permission_id,
    #         p.res_name resource_name, p.action action, p.value resource_id
    #         from User u
    #         inner join Group_User gu on gu.user_id = u.id
    #         inner join `Group` g on g.id = gu.group_id
    #         inner join Role r on g.role_id = r.id
    #         inner join Role_Function rf on rf.role_id = r.id
    #         inner join Function f on rf.function_id = f.id
    #         inner join Function_Permission fp on fp.function_id = f.id
    #         inner join Permission p on fp.permission_id = p.id
    #         where u.id = '{}' and p.res_name = '{}' and p.action = '{}'
    #     """
    #     if value:
    #         sql += " and p.value = '{}'".format(value)
    #
    #     return self.find_by_sql(sql.format(user_id))
    #     # if rows:
    #     #     return (True, rows[0]['resource_id'])
    #     # return (False, None)


    def find_current_user(self, access_token):
        return self.access_token.find_user(access_token)


    # def is_admin(self, user_id):
    #     rows = self.find_permissions(user_id, ADMIN_PERMISSION, PERMISSION_WRITE)
    #     if rows:
    #         return True
    #     return False
    #
    #
    # def is_customer_admin(self, user_id, customer_id=None, group_id=None):
    #
    #     if customer_id is None and group_id:
    #         # find the customer_id of this given group
    #         row = self.group.find_by_id(group_id)
    #         if row:
    #             customer_id = row['customer_id']
    #
    #     rows = self.find_permissions(user_id, CUSTOMER_ADMIN_PERMISSION, PERMISSION_WRITE, customer_id)
    #     if rows:
    #         return rows[0]['customer_id']
    #     return None
    #
    #
    # # def is_group_admin(self, user_id, group_id):
    # #     rows = self.user_group.find({'user_id': user_id, 'group_id': group_id})
    # #     if len(rows) > 0 and rows[0]['is_admin']:  return True
    # #     else: return False


    def find_user_level(self, access_token):
        self.user_id = self.find_current_user(access_token)['id']
        self.permissions = self.permission.find({'user_id': self.user_id})
        self.customer_id = self.customer.find({'user_id': self.user_id})[0]['id']

        if [p for p in self.permissions if p['name'] == ADMIN_PERMISSION]:
            self.is_admin = True
        elif [p for p in self.permissions if p['name'] == CUSTOMER_ADMIN_PERMISSION]:
            self.is_customer_admin = True

        # def is_admin(self):
        #     return self.level == USER_LEVEL_ADMIN
        #
        #
        # def is_customer_admin(self):
        #     return self.level == USER_LEVEL_CUSTOMER_ADMIN
        #
        #
        # def is_user(self):
        #     return self.level == USER_LEVEL_USER



    # def find_user_val(self, access_token):
    #     #This is used only for the invite block
    #     user_id = self.token_controller.find_user_id(access_token)
    #     return {"id": user_id}


    def is_permitted(self, name, action, value=None):
        # if self.is_admin():
        #     return True
        # if self.is_customer_admin():
        #     if name in ADMIN_PERMISSIONS and action == PERMISSION_WRITE:
        #         return False
        #     else:
        #         return True
        permitted = [p['value'] for p in self.permissions if p['name'] == name and p['action'] == action]
        if not permitted:
            return False
        if value and value not in permitted:
            return False
        return True


    def is_member(self, customer_id=None, group_id=None):
        if self.is_admin:
            return True
        if customer_id:
            return self.customer_id == customer_id
        else:
            if self.is_customer_admin:
                if self.group.find({'group_id': group_id}, self.customer_id):
                    return True
            else:
                if self.group.find({'group_id': group_id}, self.user_id):
                    return True
        return False


    def commit(self):
        self.connection.commit()


    def rollback(self):
        self.connection.rollback()
Пример #14
0
sys.path.append("..")

import os
import boto3
region = os.environ.get('AWS_DEFAULT_REGION')
dynamodb = boto3.resource('dynamodb', region_name=region)

#########################################################################################################
# Preparation
#########################################################################################################

###### Find non-admin groups

# find all groups
from porper.models.group import Group
group = Group(dynamodb)
groups = group.find({})
group_ids = [g['id'] for g in groups]
role_ids = list(set([g['role_id'] for g in groups if 'role_id' in g]))

# find all roles
from porper.models.role import Role
role = Role(dynamodb)
roles = role.find_by_ids(role_ids)

# find non admin roles
ADMIN_FUNCTION_IDS = [
    "883b3842-35bb-4070-917f-a501e87bd695",
    "85af95c8-a6f5-4e14-9cf9-11bbced53255"
]
for r in roles:
Пример #15
0
class AuthController():
    def __init__(self, connection=None, loglevel="INFO"):

        self.logger = logging.getLogger()
        # loglevel = "INFO"
        logging.basicConfig(level=logging.ERROR)
        aws_lambda_logging.setup(level=loglevel)

        if not connection:
            host = os.environ.get('MYSQL_HOST')
            username = os.environ.get('MYSQL_USER')
            password = os.environ.get('MYSQL_PASSWORD')
            database = os.environ.get('MYSQL_DATABASE')
            self.connection = pymysql.connect(
                host,
                user=username,
                passwd=password,
                db=database,
                cursorclass=pymysql.cursors.DictCursor)
            self.logger.debug("@@@@@@@@new connection created")
        else:
            self.connection = connection
        # from porper.controllers.user_controller import UserController
        # self.user_controller = UserController(self.connection)
        # from porper.controllers.invited_user_controller import InvitedUserController
        # self.invited_user_controller = InvitedUserController(self.connection)
        # from porper.controllers.token_controller import TokenController
        # self.token_controller = TokenController(self.connection)
        # from porper.models.access_token import AccessToken
        # self.access_token = AccessToken(self.connection)
        from porper.models.user import User
        self.user = User(self.connection, loglevel)
        from porper.models.user_group import UserGroup
        self.user_group = UserGroup(self.connection, loglevel)
        from porper.models.group import Group
        self.group = Group(self.connection, loglevel)
        from porper.models.invited_user import InvitedUser
        self.invited_user = InvitedUser(self.connection, loglevel)
        from porper.models.access_token import AccessToken
        self.access_token = AccessToken(self.connection, loglevel)

    def authenticate(self, params):

        user_id = params['user_id']
        email = params.get('email')
        family_name = params.get('family_name')
        given_name = params.get('given_name')
        name = params.get('name')
        customer_id = params.get('customer_id')
        auth_type = params['auth_type']
        access_token = params['access_token']
        refresh_token = params['refresh_token']
        # print("Before invite")
        # items = self.invited_user.find({'email': params['email'], 'auth_type': params['auth_type']})
        # if items and auth_type == "sso":
        #    customer_id=items[0]['customer_id']
        #    print(customer_id)
        #if not invited_user:
        #   print("Invited user not found")
        #else:
        #   print("Printing invited user")
        #   print(invited_user)
        user = self.user.find_by_id(user_id)
        if not user:
            # create this user
            params = {'id': user_id, 'auth_type': auth_type}
            if name:
                params['name'] = name
            if family_name:
                params['family_name'] = family_name
            if given_name:
                params['given_name'] = given_name
            if customer_id:
                params['customer_id'] = customer_id
            if email:
                params['email'] = email.lower()

            # # find admin user's access_token to replace this user's access_token to create a user
            # users = self.user.find({})
            # if not users:
            #     # this is the first user, so no need to set access_token
            #     admin_access_token = None
            # else:
            #     admin_access_token = self.access_token.find_admin_token()
            # user_id = self.user_controller.create(admin_access_token, params)
            user_id = self.add_user(params)

        # now save the tokens
        # return self.token_controller.save(access_token, refresh_token, user_id)
        params = {
            "access_token": access_token,
            "refresh_token": refresh_token,
            "user_id": user_id
        }
        self.access_token.create(params)

        user_info = self.user.find_by_id(user_id)
        user_info['user_id'] = user_info['id']
        user_info['access_token'] = access_token
        user_info['groups'] = self.group.find({"user_id": user_id})
        user_info['customer_id'] = user_info['groups'][0]['customer_id']

        return user_info

    def add_user(self, params):

        # if this is the first user, save it as an admin
        users = self.user.find({})
        if len(users) == 0:
            # set this user to the admin
            self.user.create(params)
            admin_groups = self.group.find_admin_groups()
            if not admin_groups:
                raise Exception("No admin group found")
            self.user_group.create({
                'user_id': params['id'],
                'group_id': admin_groups[0]['id']
            })
            return params['id']

        # # add the given user to the specified group
        # if params.get("group_id"):
        #     return self.user_group.create(
        #         {
        #             "user_id": params['id'],
        #             "group_id": params["group_id"]
        #         }
        #     )
        #
        # # find if the given user already exists
        # rows = self.user.find({"email": params['email'], "auth_type": params['auth_type']})
        # if len(rows) > 0:
        #     print('already exists')
        #     return rows[0]['id']

        # find if the given user is already invited
        invited_users = self.invited_user.find({
            'email': params['email'],
            'auth_type': params['auth_type']
        })
        if len(invited_users) == 0:
            raise Exception("Please invite this user first")

        # add user_group_rel first to check the permission
        # if the current user is not admin and group admin, it will fail

        # check if the current user is the admin of the invited user's group
        #if current_user['level'] != self.USER_LEVEL_ADMIN and not self.is_group_admin(current_user['user_id'], invited_users[0]['group_id']):
        #    raise Exception("Not permitted")

        # create a user and add it to the specified group
        self.user.create({
            'id': params['id'],
            'email': params['email'],
            'auth_type': params['auth_type'],
            'name': params['name'],
            'family_name': params['family_name'],
            'given_name': params['given_name'],
            #'customer_id': params['customer_id']
        })
        self.user_group.create({
            'user_id': params['id'],
            'group_id': invited_users[0]['group_id']
        })
        self.invited_user.update_state(params['email'], params['auth_type'],
                                       self.invited_user.REGISTERED)

        self.commit()

        return params['id']

    # def find_groups(self, user_id):
    #     from porper.models.user_group import UserGroup
    #     user_group = UserGroup(self.connection)
    #     user_groups = user_group.find({'user_id': user_id})
    #     return user_groups

    def commit(self):
        self.connection.commit()

    def rollback(self):
        self.connection.rollback()
Пример #16
0
class RoleController(MetaResourceController):
    def __init__(self, connection=None, loglevel="INFO"):
        MetaResourceController.__init__(self, connection, loglevel)
        from porper.models.role import Role
        self.role = Role(self.connection, loglevel)
        from porper.models.role_function import RoleFunction
        self.role_function = RoleFunction(self.connection, loglevel)
        # from porper.models.function import Function
        # self.function = Function(self.connection)
        # from porper.controllers.user_group_controller import UserGroupController
        # self.user_group_controller = UserGroupController(self.connection)
        # from porper.controllers.token_controller import TokenController
        # self.token_controller = TokenController(self.connection)
        from porper.models.group import Group
        self.group = Group(self.connection, loglevel)

        self.permission_name = "role"

    def create(self, access_token, params):
        """
        possible attributes in params
            - name, list of functions
            {"name": "Role name", "functions": [id1, id2, id3.....]}
        """

        self.find_user_level(access_token)
        if not self.is_permitted(self.permission_name, self.permission_write):
            raise Exception("not permitted")

        # find if the given role already exists
        rows = self.role.find({"name": params['name']})
        if len(rows) > 0:
            self.logger.info('already exists')
            return rows[0]['id']

        # create a role
        role_params = {'name': params['name']}
        if 'id' in params:
            role_params['id'] = params['id']
        ret = self.role.create(role_params)

        if 'functions' in params:
            for function in params['functions']:
                self.role_function.create({
                    'role_id': ret['id'],
                    'function_id': function
                })

        return ret

    def delete(self, access_token, params):
        """
        possible attributes in params
            - id
        """

        self.find_user_level(access_token)
        if not self.is_permitted(self.permission_name, self.permission_write):
            raise Exception("not permitted")

        if not params.get('id'):
            raise Exception("id must be provided")

        # check if there is any group with this role
        ret = self.group.find_simple({'role_id': params['id']})
        if len(ret):
            raise Exception(
                "You cannot remove this role because it is used in group(s)")

        self.role_function.delete(role_id=params['id'])

        # remove this role
        return self.role.delete(params['id'])

    def update(self, access_token, params):
        """
        possible attributes in params
            - id, name, function list
            {"id": "Role id", "name": "Role name", "functions": [id1, id2, id3.....]}
        """

        self.find_user_level(access_token)
        if not self.is_permitted(self.permission_name, self.permission_write):
            raise Exception("not permitted")

        if not params.get('id'):
            raise Exception("id must be provided")

        functions = [
            rf['function_id']
            for rf in self.role_function.find_simple({'role_id': params['id']})
        ]
        for nf in params['functions']:
            if nf not in functions:
                self.role_function.create({
                    "role_id": params['id'],
                    'function_id': nf
                })
        for of in functions:
            if of not in params['functions']:
                self.role_function.delete(role_id=params['id'], function_id=of)

        # update this role
        self.role.update({'id': params['id'], 'name': params['name']})

        return params

    def find(self, access_token, params):
        """
        possible attributes in params
            - id: find a specific role
            - None: No condition
        """

        self.find_user_level(access_token)
        if not self.is_permitted(self.permission_name, self.permission_read):
            raise Exception("not permitted")

        if self.is_admin:
            ret = self.role.find(params)
        elif self.is_customer_admin:
            ret = self.role.find(params, customer_id=self.customer_id)
        else:
            ret = self.role.find(params, user_id=self.user_id)

        # build permissions by function
        f_permission = {}
        for r in ret:
            function_id = r['function_id']
            if function_id:
                if function_id not in f_permission:
                    f_permission[function_id] = [{
                        'resource': r['resource_name'],
                        'action': r['action']
                    }]
                else:
                    found = False
                    for p in f_permission[function_id]:
                        if p['resource'] == r['resource_name'] and p[
                                'action'] == r['action']:
                            found = True
                            break
                    if not found:
                        f_permission[function_id].append({
                            'resource':
                            r['resource_name'],
                            'action':
                            r['action']
                        })

        # now build functions by role
        role = {}
        for r in ret:
            role_id = r['role_id']
            function_id = r['function_id']
            if role_id not in role:
                role[role_id] = {'id': role_id, 'name': r['role_name']}
                if function_id:
                    role[role_id]['functions'] = [{
                        'id':
                        function_id,
                        'name':
                        r['function_name'],
                        'permissions':
                        f_permission.get(function_id)
                    }]
                else:
                    role[role_id]['functions'] = []
            else:
                if function_id:
                    found = False
                    for f in role[role_id]['functions']:
                        if f['id'] == function_id:
                            found = True
                            break
                    if not found:
                        role[role_id]['functions'].append({
                            'id':
                            function_id,
                            'name':
                            r['function_name'],
                            'permissions':
                            f_permission.get(function_id)
                        })

        ret = list(role.values())

        if ret and 'id' in params:
            return ret[0]

        return ret