def create(actor,
alias_key=None,
alias_id=None,
user_id=None,
user_key=None,
user=None,
group_id=None,
group_key=None,
group=None,
**kwargs):
permission_verify(actor, "alias", "create")
user_key = user_key or build_user_key(user or user_id)
group_key = group_key or build_group_key(group or group_id)
if not user_key and not group_key:
raise IllegalError("Aliases must specify either a user or a group")
if user_key and group_key:
raise IllegalError("Aliases must specify either a user or a group")
alias_key = alias_key or key(alias_id)
alias = Alias(key=alias_key)
alias.alias = users.User(alias_key.id())
alias.user = user_key
alias.group = group_key
alias.created_by = build_user_key(actor)
alias.put()
return alias
def permission_revoke(viewer, type, action, target=None, user=None, group=None):
permission_verify(viewer, "permissions", "revoke")
key = permission_get(type, action, target, user, [group] if group else None)
if key:
key.delete()
log.debug("Permission Revoked: %s - %s.%s (%s)" % (build_user_key(user) or build_group_key(group), type, action, target))
if user:
memcache.delete(build_user_key(user).id())
else:
memcache.flush_all()
else:
log.debug("Permission wasn't granted")
def members_add(actor, group_id=None, group_key=None, group=None, user_id=None, user_key=None, user=None):
permission_verify(actor, "member", "update")
user_key = user_key or build_user_key( user_id ) or user.key
group_key = group_key or build_group_key(group_id) or group.key
user = user or user_key.get()
group = group or group_key.get()
if not group.users:
group.users = [ user_key ]
else:
users = set(group.users)
users.add(user_key)
group.users = users
group.put()
if user:
if not user.groups:
user.groups = [ group.key ]
else:
groups = set(user.groups)
groups.add(group.key)
user.groups = groups
user.put()
def members_add(actor,
group_id=None,
group_key=None,
group=None,
user_id=None,
user_key=None,
user=None):
permission_verify(actor, "member", "update")
user_key = user_key or build_user_key(user_id) or user.key
group_key = group_key or build_group_key(group_id) or group.key
user = user or user_key.get()
group = group or group_key.get()
if not group.users:
group.users = [user_key]
else:
users = set(group.users)
users.add(user_key)
group.users = users
group.put()
if user:
if not user.groups:
user.groups = [group.key]
else:
groups = set(user.groups)
groups.add(group.key)
user.groups = groups
user.put()
def permission_lookup(user, type, action, target=None, keys_only=True):
if not isinstance(user, ndb.Model):
user = build_user_key(user).get()
if not user:
return None
return permission_get(type, action, target, user, user.groups, keys_only=keys_only)
def create(actor, group_id=None, group_key=None, active=True, **kwargs):
permission_verify(actor, "group", "create")
group_key = group_key or key(group_id)
group = Group(key=group_key)
group.group = users.User(group_key.id())
group.created_by = build_user_key(actor)
return set(actor, group, active=True, **kwargs)
def permission_is_root(user):
if build_user_key(user).id() == "cron":
return True
if users.is_current_user_admin():
return True
if permission_lookup(user, "root", "root"):
return True
else:
return False
def permission_is_root(user):
if build_user_key(user).id() == "cron":
return True
if users.is_current_user_admin():
return True
if permission_lookup(user, "root", "root"):
return True
else:
return False
def create(actor, group_id=None, group_key=None, active=True, **kwargs):
permission_verify(actor, "group", "create")
group_key = group_key or key(group_id)
group = Group(key=group_key)
group.group = users.User(group_key.id())
group.created_by = build_user_key(actor)
return set(actor, group, active=True, **kwargs)
def permission_get(type, action, target, user, groups, keys_only=True):
if user and groups:
return Permission.query().filter( \
ndb.AND(Permission.type == type,
Permission.action == action,
Permission.target == target,
ndb.OR(Permission.user == build_user_key(user),
Permission.group.IN([build_group_key(group) for group in groups])))).get(keys_only=keys_only)
elif user:
return Permission.query(ancestor=build_user_key(user)).filter( \
ndb.AND(Permission.type == type,
Permission.action == action,
Permission.target == target)).get(keys_only=keys_only)
elif groups:
return Permission.query().filter( \
ndb.AND(Permission.type == type,
Permission.action == action,
Permission.target == target,
Permission.group.IN([build_group_key(group) for group in groups]))).get(keys_only=keys_only)
def permission_get(type, action, target, user, groups, keys_only=True):
if user and groups:
return Permission.query().filter( \
ndb.AND(Permission.type == type,
Permission.action == action,
Permission.target == target,
ndb.OR(Permission.user == build_user_key(user),
Permission.group.IN([build_group_key(group) for group in groups])))).get(keys_only=keys_only)
elif user:
return Permission.query(ancestor=build_user_key(user)).filter( \
ndb.AND(Permission.type == type,
Permission.action == action,
Permission.target == target)).get(keys_only=keys_only)
elif groups:
return Permission.query().filter( \
ndb.AND(Permission.type == type,
Permission.action == action,
Permission.target == target,
Permission.group.IN([build_group_key(group) for group in groups]))).get(keys_only=keys_only)
def permission_grant(viewer, type, action, target=None, user=None, group=None):
permission_verify(viewer, "permissions", "grant")
if not permission_get(type, action, target, user, [group] if group else None):
user = build_user_key(user)
group = build_group_key(group)
permission = Permission(parent=user or group)
permission.user = user
permission.group = group
permission.type = type or target.kind()
permission.action = action
permission.target = target
permission.granted_by = build_user_key(viewer)
permission.put()
log.debug("Permission Granted: %s - %s.%s (%s)" % (user or group, type, action, target))
else:
log.warn("Permission already granted")
def permission_list(viewer, user):
permission_verify(viewer, "permissions", "view")
result = []
for permission in Permission.query(ancestor=build_user_key(user)).fetch():
result.append({ 'user' : permission.user.email(),
'type' : permission.type,
'id' : permission.id,
'action' : permission.action,
'target' : permission.target })
return result
def permission_revoke(viewer,
type,
action,
target=None,
user=None,
group=None):
permission_verify(viewer, "permissions", "revoke")
key = permission_get(type, action, target, user,
[group] if group else None)
if key:
key.delete()
log.debug("Permission Revoked: %s - %s.%s (%s)" %
(build_user_key(user)
or build_group_key(group), type, action, target))
if user:
memcache.delete(build_user_key(user).id())
else:
memcache.flush_all()
else:
log.debug("Permission wasn't granted")
def permission_grant(viewer, type, action, target=None, user=None, group=None):
permission_verify(viewer, "permissions", "grant")
if not permission_get(type, action, target, user,
[group] if group else None):
user = build_user_key(user)
group = build_group_key(group)
permission = Permission(parent=user or group)
permission.user = user
permission.group = group
permission.type = type or target.kind()
permission.action = action
permission.target = target
permission.granted_by = build_user_key(viewer)
permission.put()
log.debug("Permission Granted: %s - %s.%s (%s)" %
(user or group, type, action, target))
else:
log.warn("Permission already granted")
def permission_list(viewer, user):
permission_verify(viewer, "permissions", "view")
result = []
for permission in Permission.query(ancestor=build_user_key(user)).fetch():
result.append({
'user': permission.user.email(),
'type': permission.type,
'id': permission.id,
'action': permission.action,
'target': permission.target
})
return result
def permission_lookup(user, type, action, target=None, keys_only=True):
if not isinstance(user, ndb.Model):
user = build_user_key(user).get()
if not user:
return None
return permission_get(type,
action,
target,
user,
user.groups,
keys_only=keys_only)
def members_remove(actor, group_id=None, group_key=None, group=None, user_id=None, user_key=None, user=None):
permission_verify(actor, "member", "update")
user_key = user_key or build_user_key( user_id ) or user.key
group_key = group_key or build_group_key(group_id) or group.key
user = user or user_key.get()
group = group or group_key.get()
if group.users: group.users.remove(user_key)
if user and user.groups: user.groups.remove(group_key)
group.put()
user.put()
def set(actor, group, name=undefined, active=undefined, notes=undefined, **ignored):
if is_defined(name):
group.name = name
if is_defined(active):
group.active = active
if is_defined(notes):
group.notes = notes
group.updated_by = build_user_key(actor)
group.put()
return group
def permission_verify(user, type, action, target=None, root_ok=True):
original_user = user
user_key = build_user_key(user)
if not isinstance(user, ndb.Model):
user = user_key.get()
tuple = (type, action, target)
cached = memcache.get(user_key.id(), namespace="permissions") or []
if not user:
if str(original_user) != 'cron':
log.warn("User '%s' not recognized", original_user)
else:
if tuple in cached:
log.debug("Permission Allowed (Cache): %s - %s.%s (%s)" %
(user.user.email(), type, action, target))
return
if permission_lookup(user, type, action, target):
log.debug("Permission Allowed: %s - %s.%s (%s)" %
(user.user.email(), type, action, target))
cached.append(tuple)
memcache.set(user_key.id(), cached, namespace="permissions")
return
else:
log.debug("Permission Not Allowed: %s - %s.%s (%s)" %
(user.user.email(), type, action, target))
if target:
if permission_lookup(user, type, action):
log.debug("Permission Allowed: %s - %s.%s (%s)" %
(user.user.email(), type, action, None))
cached.append(tuple)
memcache.set(user_key.id(), cached, namespace="permissions")
return
else:
log.debug("Permission Not Allowed: %s - %s.%s (%s)" %
(user.user.email(), type, action, None))
if root_ok and permission_is_root(original_user):
cached.append(tuple)
memcache.set(user_key.id(), cached, namespace="permissions")
log.debug("Permission Allowed (Root): %s" % user_key.id())
return
log.error("Permission Denied: %s" % user_key.id())
raise NotAllowedError()
def permission_check(user, type, action, key=None):
if not type:
type = key.kind()
user_key = build_user_key(user)
result = permission_lookup(user_key, type, action, key)
key_str = ""
if key: key_str = ":" + key.urlsafe()
if result:
log.debug("Permission: %s %s%s (%s) - Allowed" % (user_key, type, key_str, action))
else:
log.debug("Permission: %s %s%s (%s) - Not Allowed" % (user_key, type, key_str, action))
if key:
return permission_check(user_key, type, action, key.parent())
return result
def set(actor,
group,
name=undefined,
active=undefined,
notes=undefined,
**ignored):
if is_defined(name):
group.name = name
if is_defined(active):
group.active = active
if is_defined(notes):
group.notes = notes
group.updated_by = build_user_key(actor)
group.put()
return group
def permission_verify(user, type, action, target=None, root_ok=True):
original_user = user
user_key = build_user_key(user)
if not isinstance(user, ndb.Model):
user = user_key.get()
tuple = (type, action, target)
cached = memcache.get(user_key.id(), namespace="permissions") or []
if not user:
if str(original_user) != 'cron':
log.warn("User '%s' not recognized", original_user)
else:
if tuple in cached:
log.debug("Permission Allowed (Cache): %s - %s.%s (%s)" % (user.user.email(), type, action, target))
return
if permission_lookup(user, type, action, target):
log.debug("Permission Allowed: %s - %s.%s (%s)" % (user.user.email(), type, action, target))
cached.append(tuple)
memcache.set(user_key.id(), cached, namespace="permissions")
return
else:
log.debug("Permission Not Allowed: %s - %s.%s (%s)" % (user.user.email(), type, action, target))
if target:
if permission_lookup(user, type, action):
log.debug("Permission Allowed: %s - %s.%s (%s)" % (user.user.email(), type, action, None))
cached.append(tuple)
memcache.set(user_key.id(), cached, namespace="permissions")
return
else:
log.debug("Permission Not Allowed: %s - %s.%s (%s)" % (user.user.email(), type, action, None))
if root_ok and permission_is_root(original_user):
cached.append(tuple)
memcache.set(user_key.id(), cached, namespace="permissions")
log.debug("Permission Allowed (Root): %s" % user_key.id())
return
log.error("Permission Denied: %s" % user_key.id())
raise NotAllowedError()
def members_remove(actor,
group_id=None,
group_key=None,
group=None,
user_id=None,
user_key=None,
user=None):
permission_verify(actor, "member", "update")
user_key = user_key or build_user_key(user_id) or user.key
group_key = group_key or build_group_key(group_id) or group.key
user = user or user_key.get()
group = group or group_key.get()
if group.users: group.users.remove(user_key)
if user and user.groups: user.groups.remove(group_key)
group.put()
user.put()
def permission_check(user, type, action, key=None):
if not type:
type = key.kind()
user_key = build_user_key(user)
result = permission_lookup(user_key, type, action, key)
key_str = ""
if key: key_str = ":" + key.urlsafe()
if result:
log.debug("Permission: %s %s%s (%s) - Allowed" %
(user_key, type, key_str, action))
else:
log.debug("Permission: %s %s%s (%s) - Not Allowed" %
(user_key, type, key_str, action))
if key:
return permission_check(user_key, type, action, key.parent())
return result
def members_group_list(actor, user_id=None, user_key=None, user=None):
user = user or (user_key or build_user_key(user_id)).get()
return [key.get() for key in user.users]
def members_group_list(actor, user_id=None, user_key=None, user=None):
user = user or (user_key or build_user_key(user_id)).get()
return [key.get() for key in user.users]