def __init__(self, connection=None, loglevel="INFO"): #self.connection = connection MetaResourceController.__init__(self, connection, loglevel) from porper.models.group import Group self.group = Group(self.connection, loglevel) from porper.models.user import User self.user = User(self.connection, loglevel) # from porper.controllers.user_group_controller import UserGroupController # self.user_group_controller = UserGroupController(self.connection) self.permission_name = 'group'
def __init__(self, connection=None, loglevel="INFO"): MetaResourceController.__init__(self, connection, loglevel) from porper.models.role import Role self.role = Role(self.connection, loglevel) from porper.models.role_function import RoleFunction self.role_function = RoleFunction(self.connection, loglevel) # from porper.models.function import Function # self.function = Function(self.connection) # from porper.controllers.user_group_controller import UserGroupController # self.user_group_controller = UserGroupController(self.connection) # from porper.controllers.token_controller import TokenController # self.token_controller = TokenController(self.connection) from porper.models.group import Group self.group = Group(self.connection, loglevel) self.permission_name = "role"
def __init__(self, connection=None, loglevel="INFO"): MetaResourceController.__init__(self, connection, loglevel) from porper.models.permission import Permission from porper.models.user_group import UserGroup self.permission = Permission(self.connection, loglevel) self.user_group = UserGroup(self.connection, loglevel) from porper.models.user import User from porper.models.group import Group self.user = User(self.connection, loglevel) self.group = Group(self.connection, loglevel) from porper.models.access_token import AccessToken self.access_token = AccessToken(self.connection, loglevel) # from porper.controllers.token_controller import TokenController # self.token_controller = TokenController(self.connection) # from porper.controllers.user_group_controller import UserGroupController # self.user_group_controller = UserGroupController(self.connection) from porper.models.permission import ALL self.PERMITTED_TO_ALL = ALL
def lambda_handler(event, context): print('Received event:\n{}'.format(event)) try: region = os.environ.get('AWS_DEFAULT_REGION') dynamodb = boto3.resource('dynamodb', region_name=region) group = Group(dynamodb) params = {'id': str(uuid.uuid4()), 'name': 'admin'} group.create(params) params = {'id': str(uuid.uuid4()), 'name': 'public'} group.create(params) response = { 'statusCode': 200 } response['headers'] = {"Access-Control-Allow-Origin": "*"} response['body'] = json.dumps("successfully initialized") return response except Exception as ex: traceback.print_exc() err_msg = '%s' % ex response = { 'statusCode': 500 } response['headers'] = {"Access-Control-Allow-Origin": "*"} response['body'] = json.dumps(err_msg) return response
def __init__(self, connection=None, loglevel="INFO"): self.logger = logging.getLogger() # loglevel = "INFO" logging.basicConfig(level=logging.ERROR) aws_lambda_logging.setup(level=loglevel) if not connection: host = os.environ.get('MYSQL_HOST') username = os.environ.get('MYSQL_USER') password = os.environ.get('MYSQL_PASSWORD') database = os.environ.get('MYSQL_DATABASE') self.connection = pymysql.connect(host, user=username, passwd=password, db=database, cursorclass=pymysql.cursors.DictCursor) self.logger.debug("@@@@@@@@new connection created") else: self.connection = connection from porper.models.customer import Customer self.customer = Customer(self.connection, loglevel) from porper.models.group import Group self.group = Group(self.connection, loglevel) from porper.models.access_token import AccessToken self.access_token = AccessToken(self.connection, loglevel) from porper.models.permission import Permission self.permission = Permission(self.connection, loglevel) # from porper.models.user_group import UserGroup # self.user_group = UserGroup(self.connection) # from porper.controllers.token_controller import TokenController # self.token_controller = TokenController(self.connection) self.permissions = None self.user_id = None self.customer_id = None self.permission_name = None self.is_admin = False self.is_customer_admin = False self.permission_read = PERMISSION_READ self.permission_write = PERMISSION_WRITE
def __init__(self, connection=None, loglevel="INFO"): self.logger = logging.getLogger() # loglevel = "INFO" logging.basicConfig(level=logging.ERROR) aws_lambda_logging.setup(level=loglevel) if not connection: host = os.environ.get('MYSQL_HOST') username = os.environ.get('MYSQL_USER') password = os.environ.get('MYSQL_PASSWORD') database = os.environ.get('MYSQL_DATABASE') self.connection = pymysql.connect( host, user=username, passwd=password, db=database, cursorclass=pymysql.cursors.DictCursor) self.logger.debug("@@@@@@@@new connection created") else: self.connection = connection # from porper.controllers.user_controller import UserController # self.user_controller = UserController(self.connection) # from porper.controllers.invited_user_controller import InvitedUserController # self.invited_user_controller = InvitedUserController(self.connection) # from porper.controllers.token_controller import TokenController # self.token_controller = TokenController(self.connection) # from porper.models.access_token import AccessToken # self.access_token = AccessToken(self.connection) from porper.models.user import User self.user = User(self.connection, loglevel) from porper.models.user_group import UserGroup self.user_group = UserGroup(self.connection, loglevel) from porper.models.group import Group self.group = Group(self.connection, loglevel) from porper.models.invited_user import InvitedUser self.invited_user = InvitedUser(self.connection, loglevel) from porper.models.access_token import AccessToken self.access_token = AccessToken(self.connection, loglevel)
def setup_group(self, team_id, uid): is_admin = False # create a default group if not exists from porper.models.group import Group group = Group(self.connection, loglevel) group_info = group.find_by_id(team_id) if not group_info: # if this is the first user in this group, make it as admin is_admin = True group_info = {"id": team_id, "name": team_id} group.create(group_info) # now add this user to its default group from porper.models.user_group import UserGroup user_group = UserGroup(self.connection, loglevel) user_group_info = { "user_id": uid, "group_id": team_id, "is_admin": is_admin } self.logger.debug(ser_group_info) user_group.create(user_group_info)
class InvitedUserController(MetaResourceController): def __init__(self, connection=None, loglevel="INFO"): MetaResourceController.__init__(self, connection, loglevel) from porper.models.invited_user import InvitedUser self.invited_user = InvitedUser(self.connection, loglevel) from porper.models.user_group import UserGroup self.user_group = UserGroup(self.connection, loglevel) from porper.models.group import Group self.group = Group(self.connection, loglevel) # from porper.controllers.user_group_controller import UserGroupController # self.user_group_controller = UserGroupController(self.connection) self.permission_name = "invite" def create(self, access_token, params): """ possible attributes in params - auth_type, email, group_id, [invited_at, invited_by, is_admin] """ self.find_user_level(access_token) if not self.is_permitted(self.permission_name, self.permission_write): raise Exception("not permitted") if not self.is_member(group_id=params['group_id']): raise Exception("not permitted") search_params = { 'email': params['email'], 'auth_type': params['auth_type'] } items = self.invited_user.find(search_params) if items: if items[0]['state'] == self.invited_user.REGISTERED: raise Exception("Already registered") if items[0]['state'] == self.invited_user.INVITED: self.logger.info("Already invited") return True # set the status to 'invited' self.invited_user.update_state(params['email'], params['auth_type'], self.invited_user.INVITED) return True return self._save(self.user_id, params) def _save(self, user_id, params): # invited_users = self.invited_user.find(params) # if len(invited_users) > 0: # print('already invited') # return True customer_id = None if 'customer_id' in params: customer_id = params['customer_id'] del params['customer_id'] if not params.get('invited_by'): params['invited_by'] = user_id if not params.get('invited_at'): params['invited_at'] = str(datetime.utcnow()) if not params.get('state'): params['state'] = self.invited_user.INVITED # if not params.get('is_admin'): # params['is_admin'] = False # else: # params['is_admin'] = True params = self.invited_user.create(params) if customer_id: params['customer_id'] = customer_id return params def update(self, access_token, params): """ attributes in params - auth_type, email """ self.find_user_level(access_token) if not self.is_permitted(self.permission_name, self.permission_write): raise Exception("not permitted") items = self.invited_user.find_simple({ 'email': params['email'], 'auth_type': params['auth_type'] }) if not items: raise Exception("not permitted") if items[0]['state'] == self.invited_user.REGISTERED: raise Exception("Already registered") ret = self.group.find_by_id(items[0]['group_id']) if not ret: raise Exception("not permitted") if self.is_customer_admin: if self.customer_id != ret['customer_id']: raise Exception("not permitted") elif not self.is_admin: if not self.is_member(group_id=items[0]['group_id']): raise Exception("not permitted") params['state'] = self.invited_user.INVITED return self.invited_user.update_state(params['email'], params['auth_type'], params['state']) def find(self, access_token, params): """ possible attributes in params - group_id - auth_type, email - None """ self.find_user_level(access_token) if not self.is_permitted(self.permission_name, self.permission_read): raise Exception("not permitted") # if the current user is admin, return all fetched invited_users if self.is_admin: return self.invited_user.find(params) elif self.is_customer_admin: return self.invited_user.find(params, customer_id=self.customer_id) else: return self.invited_user.find(params, user_id=self.user_id) def delete(self, access_token, params): """ attributes in params - auth_type, email """ self.find_user_level(access_token) if not self.is_permitted(self.permission_name, self.permission_write): raise Exception("not permitted") items = self.invited_user.find_simple({ 'email': params['email'], 'auth_type': params['auth_type'] }) if not items: raise Exception("not permitted") if items[0]['state'] == self.invited_user.REGISTERED: raise Exception("Already registered") ret = self.group.find_by_id(items[0]['group_id']) if not ret: raise Exception("not permitted") if self.is_customer_admin: if self.customer_id != ret['customer_id']: raise Exception("not permitted") elif not self.is_admin: if not self.is_member(group_id=items[0]['group_id']): raise Exception("not permitted") params['state'] = self.invited_user.CANCELLED self.invited_user.update_state(params['email'], params['auth_type'], params['state']) return True
import sys sys.path.append("..") import os import boto3 region = os.environ.get('AWS_DEFAULT_REGION') dynamodb = boto3.resource('dynamodb', region_name=region) ######################################################################################################### # Preparation # Find the access_token of an admin ######################################################################################################### from porper.models.group import Group group = Group(dynamodb) admin_group = group.find({'name': 'admin'})[0] from util import find_token admin_access_token = find_token(admin_group['id']) # find a group from porper.controllers.group_controller import GroupController group_controller = GroupController(dynamodb) groups = group_controller.find(admin_access_token, {}) ### Invite a user from porper.controllers.invited_user_controller import InvitedUserController invited_user_controller = InvitedUserController(dynamodb) email_address = "*****@*****.**" item = { 'email': email_address,
class PermissionController(MetaResourceController): def __init__(self, connection=None, loglevel="INFO"): MetaResourceController.__init__(self, connection, loglevel) from porper.models.permission import Permission from porper.models.user_group import UserGroup self.permission = Permission(self.connection, loglevel) self.user_group = UserGroup(self.connection, loglevel) from porper.models.user import User from porper.models.group import Group self.user = User(self.connection, loglevel) self.group = Group(self.connection, loglevel) from porper.models.access_token import AccessToken self.access_token = AccessToken(self.connection, loglevel) # from porper.controllers.token_controller import TokenController # self.token_controller = TokenController(self.connection) # from porper.controllers.user_group_controller import UserGroupController # self.user_group_controller = UserGroupController(self.connection) from porper.models.permission import ALL self.PERMITTED_TO_ALL = ALL # def is_admin(self, user_id): # return self.user_group_controller.is_admin(user_id) # # def is_group_admin(self, user_id, group_id): # return self.user_group_controller.is_group_admin(user_id, group_id) # # def is_member(self, user_id, group_id): # return self.user_group_controller.is_member(user_id, group_id) # # def is_permitted(self, access_token, params): # """ # possible attributes in params # - None # - [user_id | group_id], action, resource, value # """ # current_user_id = self.token_controller.find_user_id(access_token) # if self.is_admin(current_user_id): return True # # #params['all'] = True # rows = self.find(access_token, params) # print("permitted : {}".format(rows)) # if len(rows) == 0: return False # return True def find_user_id(self, access_token): params = { 'access_token': access_token } return self.access_token.find(params)[0]['user_id'] def add_permissions_to_groups(self, resource_name, resource_id, permissions): #permissions: #[ # {"action": "r"}, # ... #] permission_params = { "resource": resource_name, "value": resource_id } for permission in permissions: permission_params["group_id"] = permission['id'] permission_params["action"] = permission['action'] if permission.get('condition'): permission_params['condition'] = permission['condition'] if permission['state'].lower() == "a": self.permission.create(permission_params) elif permission['state'].lower() == "u": self.permission.update(permission_params) elif permission['state'].lower() == "d": self.permission.delete(permission_params) def add_permissions_to_users(self, resource_name, resource_id, permissions): #permissions: #[ # {"action": "r"}, # ... #] permission_params = { "resource": resource_name, "value": resource_id } for permission in permissions: permission_params["user_id"] = permission['id'] permission_params["action"] = permission['action'] if permission.get('condition'): permission_params['condition'] = permission['condition'] if permission['state'].lower() == "a": self.permission.create(permission_params) elif permission['state'].lower() == "u": self.permission.update(permission_params) elif permission['state'].lower() == "d": self.permission.delete(permission_params) def add_permissions_to_customers(self, resource_name, resource_id, permissions): #permissions: #[ # {"action": "r"}, # ... #] permission_params = { "resource": resource_name, "value": resource_id } for permission in permissions: permission_params["customer_id"] = permission['id'] permission_params["action"] = permission['action'] if permission.get('condition'): permission_params['condition'] = permission['condition'] if permission['state'].lower() == "a": self.permission.create(permission_params) elif permission['state'].lower() == "u": self.permission.update(permission_params) elif permission['state'].lower() == "d": self.permission.delete(permission_params) def create_permissions_to_groups(self, resource_name, resource_id, to_group_ids): #permissions: #[ # {"action": "r"}, # ... #] # current_user_id = self.token_controller.find_user_id(access_token) # # # if the current is admin, allow it # if self.is_admin(current_user_id): # return self.add_permissions_to_group(resource_name, resource_id, permissions, to_group_id) if not self.is_admin: group_ids = [g['id'] for g in to_group_ids] customer_id = None user_id = None # if self.is_customer_admin: # customer_id = self.customer_id # else: # user_id = self.user_id # allow all users in the same customer customer_id = self.customer_id groups = self.group.find_by_ids(group_ids, customer_id= customer_id, user_id=user_id) if len(groups) != len(group_ids): self.logger.info("len(groups) = {} whereas len(to_group_ids) = {}".format(len(groups), len(group_ids))) raise Exception("not permitted") return self.add_permissions_to_groups(resource_name, resource_id, to_group_ids) """ # if the current user is NOT group admin of the given group, don't allow it if not self.is_group_admin(user_id, to_group_id): raise Exception("not permitted") # if 'create' is NOT in permissions to give # and the current user has 'create' permission in the speicified resource, allow it # if the specified group has a permission to 'create' on the specified resource, allow it if self.PERMISSION_TO_CREATE not in permissions: params = { 'action': 'create', 'resource': resource_name, 'value': resource_id } if self.is_permitted(access_token, params): return self.add_permissions_to_group(resource_name, resource_id, permissions, to_group_id) """ #raise Exception("not permitted") def create_permissions_to_users(self, resource_name, resource_id, to_user_ids): #permissions: #[ # {"action": "r"}, # ... #] if not self.is_admin: user_ids = [u['id'] for u in to_user_ids] customer_id = None user_id = None # if self.is_customer_admin: # customer_id = self.customer_id # else: # user_id = self.user_id # allow all users in the same customer customer_id = self.customer_id users = self.user.find_by_ids(user_ids, customer_id=customer_id, user_id=user_id) # get the unique users users = list(dict.fromkeys([u['id'] for u in users])) if len(users) != len(user_ids): self.logger.info("len(users) = {} whereas len(to_user_ids) = {}".format(len(users), len(user_ids))) raise Exception("not permitted") return self.add_permissions_to_users(resource_name, resource_id, to_user_ids) """ # if 'create' is NOT in permissions to give # and the current user has 'create' permission in the speicified resource, allow it # if the specified group has a permission to 'create' on the specified resource, allow it if self.PERMISSION_TO_CREATE not in permissions: params = { 'action': 'create', 'resource': resource_name, 'value': resource_id } if self.is_permitted(access_token, params): return self.add_permissions_to_group(resource_name, resource_id, permissions, to_group_id) """ #raise Exception("not permitted") def create_permissions_to_customer(self, resource_name, resource_id, to_customer_ids): #permissions: #[ # {"action": "r"}, # ... #] if not self.is_admin: # check if this user is in the same customer with the customer to give access for customer_id in [c['id'] for c in to_customer_ids]: if self.customer_id != customer_id: raise Exception("not permitted") return self.add_permissions_to_customers(resource_name, resource_id, to_customer_ids) def create(self, access_token, params): # { # "owner_id": "35925", "res_name": "meta", "res_id": "d392909c-d15f-43ff-98b4-9fd7e3ca80e9", # "to_user_ids": [{"id": "*****@*****.**", "action": "w", "state": "A"}, # {"id": "*****@*****.**", "action": "r", "state, "state": "A"}], # "to_group_ids": [{"id": "group_id1", "action": "w", "state": "A"}, # {"id": "group_id2", "action": "r", "state": "A"}], # "to_customer_ids": [{"id": "customer_id1", "action": "w", "state": "A"} # {"id": "customer_id1", "action": "r", "state": "A"}] # } owner_id = params.get('owner_id') self.find_user_level(access_token) if self.user_id != owner_id: raise Exception("not permitted") if params.get('to_group_ids'): self.create_permissions_to_groups(params['res_name'], params['res_id'], params['to_group_ids']) if params.get('to_user_ids'): self.create_permissions_to_users(params['res_name'], params['res_id'], params['to_user_ids']) if params.get('to_customer_ids'): self.create_permissions_to_customer(params['res_name'], params['res_id'], params['to_customer_ids']) return True def update(self, access_token, params): user_id = self.find_user_id(access_token) raise Exception("not supported") # This is to remove all permissions of given resource def delete(self, access_token, params): user_id = self.find_user_id(access_token) owner_id = params.get('owner_id') self.find_user_level(access_token) if self.user_id != owner_id: raise Exception("not permitted") if 'res_name' not in params or 'res_id' not in params: raise Exception("resource name and id are not provided") params['value'] = params['res_id'] del params['res_id'] return self.permission.delete(params) # def _filter_conditions(self, user_id, rows): # # filtered = [ row for row in rows if not row.get('condition') ] # if len(filtered) == len(filtered): # # there is no row with a condition # return rows # # permissions = [ row for row in rows if row.get('condition') ] # for permission in permissions: # condition = json.loads(permission['condition']) # # check when the condition is 'is_admin' and it is satisified, add it to the return list if so # if 'is_admin' in condition: # if not user_id \ # or not condition['is_admin'] \ # or ( permission.get('group_id') and self.is_group_admin(user_id, permission['group_id']) ): # filtered.append(permission) # # return filtered def find(self, access_token, params): """ possible attributes in params - None - [user_id | group_id], action, resource, [value] """ search_params = {} if params: if 'res_name' in params: search_params['res_name'] = params['res_name'] if 'action' in params: search_params['action'] = params['action'] if 'res_id' in params: search_params['value'] = params['res_id'] self.find_user_level(access_token) owner_id = params.get('owner_id') search_cid = None search_gids = None search_uids = None if not self.is_admin and ('res_id' not in params or owner_id != self.user_id): customer_id = None user_id = None # Allow customer admin to see only its and shared graphs like normal users # if self.is_customer_admin: # customer_id = self.customer_id # else: # user_id = self.user_id user_id = self.user_id groups = self.group.find({}, customer_id= customer_id, user_id=user_id) # do not allow users in the same groups with this user # users = self.user.find({}, customer_id= customer_id, user_id=user_id) search_cid = self.customer_id search_gids = [g['id'] for g in groups] # search_uids = [u['id'] for u in users] search_uids = [user_id] ret = self.permission.find_resource_permissions(search_params, search_cid, search_gids, search_uids) if params.get("value_only"): ret = self.get_values(ret) return ret def get_values(self, permissions): ret = [] for permission in permissions: if permission['value'] not in ret: ret.append(permission['value']) return ret
class GroupController(MetaResourceController): def __init__(self, connection=None, loglevel="INFO"): #self.connection = connection MetaResourceController.__init__(self, connection, loglevel) from porper.models.group import Group self.group = Group(self.connection, loglevel) from porper.models.user import User self.user = User(self.connection, loglevel) # from porper.controllers.user_group_controller import UserGroupController # self.user_group_controller = UserGroupController(self.connection) self.permission_name = 'group' # only the admin can create a group def create(self, access_token, params): """ possible attributes in params - [id], name """ self.logger.info(f"params={params}") self.logger.info(f"access_token={access_token}") # self.logger.info(f"paths={paths}") self.find_user_level(access_token) if not self.is_permitted(self.permission_name, self.permission_write): raise Exception("not permitted") if "customer_id" not in params or not self.is_member( customer_id=params['customer_id']): raise Exception("not permitted") return self.group.create(params) def update(self, access_token, params): """ possible attributes in params - id, name """ self.logger.info(f'group_controller_update-params={params}') self.logger.info( f'group_controller_update-access_token={access_token}') self.find_user_level(access_token) if not self.is_permitted(self.permission_name, self.permission_write): raise Exception("not permitted") item = self.group.find_by_id(params['id']) if not item or not self.is_member(customer_id=item['customer_id']): raise Exception("not permitted") if params.get('customer_id'): raise Exception('You cannot update the group customer') if 'name' in params: ret = self.group.find({'name': params['name']}) if ret and ret[0]['id'] != params['id']: raise Exception("the group name already exists") return self.group.update(params) def delete(self, access_token, params): """ possible attributes in params - id """ self.find_user_level(access_token) if not self.is_permitted(self.permission_name, self.permission_write): raise Exception("not permitted") item = self.group.find_by_id(params['id']) if not item or not self.is_member(customer_id=item['customer_id']): raise Exception("not permitted") # cannot remove it when it has users users = self.user.find({'group_id': params['id']}) if len(users) > 0: raise Exception( "You must remove all users before removing this group") return self.group.delete(params['id']) def find(self, access_token, params): """ possible attributes in params - user_id: find all groups where this given user belongs - id: find a specific group - ids: find specific groups - None: No condition - name """ self.find_user_level(access_token) if 'closed' in params: if not self.is_permitted(self.permission_name, self.permission_read): raise Exception("not permitted") customer_id = None user_id = None if 'closed' in params: # allow users/groups of the groups only this user belongs if self.is_customer_admin: customer_id = self.customer_id elif not self.is_admin: user_id = self.user_id del params['closed'] else: # allow all users/groups of the customer this user belongs if not self.is_admin: customer_id = self.customer_id if 'ids' in params: groups = self.group.find_by_ids(params['ids'], customer_id=customer_id, user_id=user_id) return groups else: groups = self.group.find(params, customer_id=customer_id, user_id=user_id) if groups and 'id' in params: return groups[0] return groups
import sys sys.path.append('..') import os region = os.environ.get('AWS_DEFAULT_REGION') import boto3 dynamodb = boto3.resource('dynamodb', region_name=region) from porper.models.group import Group group = Group(dynamodb) params = {'id': 'ffffffff-ffff-ffff-ffff-ffffffffffff', 'name': 'admin'} group.create(params) params = {'id': '435a6417-6c1f-4d7c-87dd-e8f6c0effc7a', 'name': 'public'} group.create(params)
class MetaResourceController: def __init__(self, connection=None, loglevel="INFO"): self.logger = logging.getLogger() # loglevel = "INFO" logging.basicConfig(level=logging.ERROR) aws_lambda_logging.setup(level=loglevel) if not connection: host = os.environ.get('MYSQL_HOST') username = os.environ.get('MYSQL_USER') password = os.environ.get('MYSQL_PASSWORD') database = os.environ.get('MYSQL_DATABASE') self.connection = pymysql.connect(host, user=username, passwd=password, db=database, cursorclass=pymysql.cursors.DictCursor) self.logger.debug("@@@@@@@@new connection created") else: self.connection = connection from porper.models.customer import Customer self.customer = Customer(self.connection, loglevel) from porper.models.group import Group self.group = Group(self.connection, loglevel) from porper.models.access_token import AccessToken self.access_token = AccessToken(self.connection, loglevel) from porper.models.permission import Permission self.permission = Permission(self.connection, loglevel) # from porper.models.user_group import UserGroup # self.user_group = UserGroup(self.connection) # from porper.controllers.token_controller import TokenController # self.token_controller = TokenController(self.connection) self.permissions = None self.user_id = None self.customer_id = None self.permission_name = None self.is_admin = False self.is_customer_admin = False self.permission_read = PERMISSION_READ self.permission_write = PERMISSION_WRITE # self.USER_LEVEL_ADMIN = 'admin' # self.USER_LEVEL_CUSTOMER_ADMIN = 'customer_admin' # # self.USER_LEVEL_GROUP_ADMIN = 'group_admin' # self.USER_LEVEL_USER = '******' @property def model_name(self): return self.model.__class__.__name__ # def find_permissions(self, user_id): # sql = """ # select p.res_name name, p.action action, p.value value # from User u # inner join Group_User gu on gu.user_id = u.id # inner join `Group` g on g.id = gu.group_id # inner join Role r on g.role_id = r.id # inner join Role_Function rf on rf.role_id = r.id # inner join Function f on rf.function_id = f.id # inner join Function_Permission fp on fp.function_id = f.id # inner join Permission p on fp.permission_id = p.id # where p.group_id is null and p.user_id is null and u.id = '{}' # """ # return self.find_by_sql(sql.format(user_id)) # def find_permissions(self, user_id, name, action, value=None): # # sql = """ # select f.id function_id, f.name function_name, p.id permission_id, # p.res_name resource_name, p.action action, p.value resource_id # from User u # inner join Group_User gu on gu.user_id = u.id # inner join `Group` g on g.id = gu.group_id # inner join Role r on g.role_id = r.id # inner join Role_Function rf on rf.role_id = r.id # inner join Function f on rf.function_id = f.id # inner join Function_Permission fp on fp.function_id = f.id # inner join Permission p on fp.permission_id = p.id # where u.id = '{}' and p.res_name = '{}' and p.action = '{}' # """ # if value: # sql += " and p.value = '{}'".format(value) # # return self.find_by_sql(sql.format(user_id)) # # if rows: # # return (True, rows[0]['resource_id']) # # return (False, None) def find_current_user(self, access_token): return self.access_token.find_user(access_token) # def is_admin(self, user_id): # rows = self.find_permissions(user_id, ADMIN_PERMISSION, PERMISSION_WRITE) # if rows: # return True # return False # # # def is_customer_admin(self, user_id, customer_id=None, group_id=None): # # if customer_id is None and group_id: # # find the customer_id of this given group # row = self.group.find_by_id(group_id) # if row: # customer_id = row['customer_id'] # # rows = self.find_permissions(user_id, CUSTOMER_ADMIN_PERMISSION, PERMISSION_WRITE, customer_id) # if rows: # return rows[0]['customer_id'] # return None # # # # def is_group_admin(self, user_id, group_id): # # rows = self.user_group.find({'user_id': user_id, 'group_id': group_id}) # # if len(rows) > 0 and rows[0]['is_admin']: return True # # else: return False def find_user_level(self, access_token): self.user_id = self.find_current_user(access_token)['id'] self.permissions = self.permission.find({'user_id': self.user_id}) self.customer_id = self.customer.find({'user_id': self.user_id})[0]['id'] if [p for p in self.permissions if p['name'] == ADMIN_PERMISSION]: self.is_admin = True elif [p for p in self.permissions if p['name'] == CUSTOMER_ADMIN_PERMISSION]: self.is_customer_admin = True # def is_admin(self): # return self.level == USER_LEVEL_ADMIN # # # def is_customer_admin(self): # return self.level == USER_LEVEL_CUSTOMER_ADMIN # # # def is_user(self): # return self.level == USER_LEVEL_USER # def find_user_val(self, access_token): # #This is used only for the invite block # user_id = self.token_controller.find_user_id(access_token) # return {"id": user_id} def is_permitted(self, name, action, value=None): # if self.is_admin(): # return True # if self.is_customer_admin(): # if name in ADMIN_PERMISSIONS and action == PERMISSION_WRITE: # return False # else: # return True permitted = [p['value'] for p in self.permissions if p['name'] == name and p['action'] == action] if not permitted: return False if value and value not in permitted: return False return True def is_member(self, customer_id=None, group_id=None): if self.is_admin: return True if customer_id: return self.customer_id == customer_id else: if self.is_customer_admin: if self.group.find({'group_id': group_id}, self.customer_id): return True else: if self.group.find({'group_id': group_id}, self.user_id): return True return False def commit(self): self.connection.commit() def rollback(self): self.connection.rollback()
sys.path.append("..") import os import boto3 region = os.environ.get('AWS_DEFAULT_REGION') dynamodb = boto3.resource('dynamodb', region_name=region) ######################################################################################################### # Preparation ######################################################################################################### ###### Find non-admin groups # find all groups from porper.models.group import Group group = Group(dynamodb) groups = group.find({}) group_ids = [g['id'] for g in groups] role_ids = list(set([g['role_id'] for g in groups if 'role_id' in g])) # find all roles from porper.models.role import Role role = Role(dynamodb) roles = role.find_by_ids(role_ids) # find non admin roles ADMIN_FUNCTION_IDS = [ "883b3842-35bb-4070-917f-a501e87bd695", "85af95c8-a6f5-4e14-9cf9-11bbced53255" ] for r in roles:
class AuthController(): def __init__(self, connection=None, loglevel="INFO"): self.logger = logging.getLogger() # loglevel = "INFO" logging.basicConfig(level=logging.ERROR) aws_lambda_logging.setup(level=loglevel) if not connection: host = os.environ.get('MYSQL_HOST') username = os.environ.get('MYSQL_USER') password = os.environ.get('MYSQL_PASSWORD') database = os.environ.get('MYSQL_DATABASE') self.connection = pymysql.connect( host, user=username, passwd=password, db=database, cursorclass=pymysql.cursors.DictCursor) self.logger.debug("@@@@@@@@new connection created") else: self.connection = connection # from porper.controllers.user_controller import UserController # self.user_controller = UserController(self.connection) # from porper.controllers.invited_user_controller import InvitedUserController # self.invited_user_controller = InvitedUserController(self.connection) # from porper.controllers.token_controller import TokenController # self.token_controller = TokenController(self.connection) # from porper.models.access_token import AccessToken # self.access_token = AccessToken(self.connection) from porper.models.user import User self.user = User(self.connection, loglevel) from porper.models.user_group import UserGroup self.user_group = UserGroup(self.connection, loglevel) from porper.models.group import Group self.group = Group(self.connection, loglevel) from porper.models.invited_user import InvitedUser self.invited_user = InvitedUser(self.connection, loglevel) from porper.models.access_token import AccessToken self.access_token = AccessToken(self.connection, loglevel) def authenticate(self, params): user_id = params['user_id'] email = params.get('email') family_name = params.get('family_name') given_name = params.get('given_name') name = params.get('name') customer_id = params.get('customer_id') auth_type = params['auth_type'] access_token = params['access_token'] refresh_token = params['refresh_token'] # print("Before invite") # items = self.invited_user.find({'email': params['email'], 'auth_type': params['auth_type']}) # if items and auth_type == "sso": # customer_id=items[0]['customer_id'] # print(customer_id) #if not invited_user: # print("Invited user not found") #else: # print("Printing invited user") # print(invited_user) user = self.user.find_by_id(user_id) if not user: # create this user params = {'id': user_id, 'auth_type': auth_type} if name: params['name'] = name if family_name: params['family_name'] = family_name if given_name: params['given_name'] = given_name if customer_id: params['customer_id'] = customer_id if email: params['email'] = email.lower() # # find admin user's access_token to replace this user's access_token to create a user # users = self.user.find({}) # if not users: # # this is the first user, so no need to set access_token # admin_access_token = None # else: # admin_access_token = self.access_token.find_admin_token() # user_id = self.user_controller.create(admin_access_token, params) user_id = self.add_user(params) # now save the tokens # return self.token_controller.save(access_token, refresh_token, user_id) params = { "access_token": access_token, "refresh_token": refresh_token, "user_id": user_id } self.access_token.create(params) user_info = self.user.find_by_id(user_id) user_info['user_id'] = user_info['id'] user_info['access_token'] = access_token user_info['groups'] = self.group.find({"user_id": user_id}) user_info['customer_id'] = user_info['groups'][0]['customer_id'] return user_info def add_user(self, params): # if this is the first user, save it as an admin users = self.user.find({}) if len(users) == 0: # set this user to the admin self.user.create(params) admin_groups = self.group.find_admin_groups() if not admin_groups: raise Exception("No admin group found") self.user_group.create({ 'user_id': params['id'], 'group_id': admin_groups[0]['id'] }) return params['id'] # # add the given user to the specified group # if params.get("group_id"): # return self.user_group.create( # { # "user_id": params['id'], # "group_id": params["group_id"] # } # ) # # # find if the given user already exists # rows = self.user.find({"email": params['email'], "auth_type": params['auth_type']}) # if len(rows) > 0: # print('already exists') # return rows[0]['id'] # find if the given user is already invited invited_users = self.invited_user.find({ 'email': params['email'], 'auth_type': params['auth_type'] }) if len(invited_users) == 0: raise Exception("Please invite this user first") # add user_group_rel first to check the permission # if the current user is not admin and group admin, it will fail # check if the current user is the admin of the invited user's group #if current_user['level'] != self.USER_LEVEL_ADMIN and not self.is_group_admin(current_user['user_id'], invited_users[0]['group_id']): # raise Exception("Not permitted") # create a user and add it to the specified group self.user.create({ 'id': params['id'], 'email': params['email'], 'auth_type': params['auth_type'], 'name': params['name'], 'family_name': params['family_name'], 'given_name': params['given_name'], #'customer_id': params['customer_id'] }) self.user_group.create({ 'user_id': params['id'], 'group_id': invited_users[0]['group_id'] }) self.invited_user.update_state(params['email'], params['auth_type'], self.invited_user.REGISTERED) self.commit() return params['id'] # def find_groups(self, user_id): # from porper.models.user_group import UserGroup # user_group = UserGroup(self.connection) # user_groups = user_group.find({'user_id': user_id}) # return user_groups def commit(self): self.connection.commit() def rollback(self): self.connection.rollback()
class RoleController(MetaResourceController): def __init__(self, connection=None, loglevel="INFO"): MetaResourceController.__init__(self, connection, loglevel) from porper.models.role import Role self.role = Role(self.connection, loglevel) from porper.models.role_function import RoleFunction self.role_function = RoleFunction(self.connection, loglevel) # from porper.models.function import Function # self.function = Function(self.connection) # from porper.controllers.user_group_controller import UserGroupController # self.user_group_controller = UserGroupController(self.connection) # from porper.controllers.token_controller import TokenController # self.token_controller = TokenController(self.connection) from porper.models.group import Group self.group = Group(self.connection, loglevel) self.permission_name = "role" def create(self, access_token, params): """ possible attributes in params - name, list of functions {"name": "Role name", "functions": [id1, id2, id3.....]} """ self.find_user_level(access_token) if not self.is_permitted(self.permission_name, self.permission_write): raise Exception("not permitted") # find if the given role already exists rows = self.role.find({"name": params['name']}) if len(rows) > 0: self.logger.info('already exists') return rows[0]['id'] # create a role role_params = {'name': params['name']} if 'id' in params: role_params['id'] = params['id'] ret = self.role.create(role_params) if 'functions' in params: for function in params['functions']: self.role_function.create({ 'role_id': ret['id'], 'function_id': function }) return ret def delete(self, access_token, params): """ possible attributes in params - id """ self.find_user_level(access_token) if not self.is_permitted(self.permission_name, self.permission_write): raise Exception("not permitted") if not params.get('id'): raise Exception("id must be provided") # check if there is any group with this role ret = self.group.find_simple({'role_id': params['id']}) if len(ret): raise Exception( "You cannot remove this role because it is used in group(s)") self.role_function.delete(role_id=params['id']) # remove this role return self.role.delete(params['id']) def update(self, access_token, params): """ possible attributes in params - id, name, function list {"id": "Role id", "name": "Role name", "functions": [id1, id2, id3.....]} """ self.find_user_level(access_token) if not self.is_permitted(self.permission_name, self.permission_write): raise Exception("not permitted") if not params.get('id'): raise Exception("id must be provided") functions = [ rf['function_id'] for rf in self.role_function.find_simple({'role_id': params['id']}) ] for nf in params['functions']: if nf not in functions: self.role_function.create({ "role_id": params['id'], 'function_id': nf }) for of in functions: if of not in params['functions']: self.role_function.delete(role_id=params['id'], function_id=of) # update this role self.role.update({'id': params['id'], 'name': params['name']}) return params def find(self, access_token, params): """ possible attributes in params - id: find a specific role - None: No condition """ self.find_user_level(access_token) if not self.is_permitted(self.permission_name, self.permission_read): raise Exception("not permitted") if self.is_admin: ret = self.role.find(params) elif self.is_customer_admin: ret = self.role.find(params, customer_id=self.customer_id) else: ret = self.role.find(params, user_id=self.user_id) # build permissions by function f_permission = {} for r in ret: function_id = r['function_id'] if function_id: if function_id not in f_permission: f_permission[function_id] = [{ 'resource': r['resource_name'], 'action': r['action'] }] else: found = False for p in f_permission[function_id]: if p['resource'] == r['resource_name'] and p[ 'action'] == r['action']: found = True break if not found: f_permission[function_id].append({ 'resource': r['resource_name'], 'action': r['action'] }) # now build functions by role role = {} for r in ret: role_id = r['role_id'] function_id = r['function_id'] if role_id not in role: role[role_id] = {'id': role_id, 'name': r['role_name']} if function_id: role[role_id]['functions'] = [{ 'id': function_id, 'name': r['function_name'], 'permissions': f_permission.get(function_id) }] else: role[role_id]['functions'] = [] else: if function_id: found = False for f in role[role_id]['functions']: if f['id'] == function_id: found = True break if not found: role[role_id]['functions'].append({ 'id': function_id, 'name': r['function_name'], 'permissions': f_permission.get(function_id) }) ret = list(role.values()) if ret and 'id' in params: return ret[0] return ret