pillar/pillar/application/utils/authorization.py

import logging
import functools

from bson import ObjectId
from flask import g
from flask import abort
from flask import current_app
from werkzeug.exceptions import Forbidden

CHECK_PERMISSIONS_IMPLEMENTED_FOR = {'projects', 'nodes'}

log = logging.getLogger(__name__)


def check_permissions(collection_name, resource, method, append_allowed_methods=False,
                      check_node_type=None):
    """Check user permissions to access a node. We look up node permissions from
    world to groups to users and match them with the computed user permissions.
    If there is not match, we raise 403.

    :param collection_name: name of the collection the resource comes from.
    :param resource: resource from MongoDB
    :type resource: dict
    :param method: name of the requested HTTP method
    :param append_allowed_methods: whether to return the list of allowed methods
        in the resource. Only valid when method='GET'.
    :param check_node_type: node type to check. Only valid when collection_name='projects'.
    :type check_node_type: str
    """

    if not has_permissions(collection_name, resource, method, append_allowed_methods,
                           check_node_type):
        abort(403)


def has_permissions(collection_name, resource, method, append_allowed_methods=False,
                      check_node_type=None):
    """Check user permissions to access a node. We look up node permissions from
    world to groups to users and match them with the computed user permissions.

    :param collection_name: name of the collection the resource comes from.
    :param resource: resource from MongoDB
    :type resource: dict
    :param method: name of the requested HTTP method
    :param append_allowed_methods: whether to return the list of allowed methods
        in the resource. Only valid when method='GET'.
    :param check_node_type: node type to check. Only valid when collection_name='projects'.
    :type check_node_type: str
    :returns: True if the user has access, False otherwise.
    :rtype: bool
    """

    # Check some input values.
    if collection_name not in CHECK_PERMISSIONS_IMPLEMENTED_FOR:
        raise ValueError('check_permission only implemented for %s, not for %s',
                         CHECK_PERMISSIONS_IMPLEMENTED_FOR, collection_name)

    if append_allowed_methods and method != 'GET':
        raise ValueError("append_allowed_methods only allowed with 'GET' method")

    if check_node_type is not None and collection_name != 'projects':
        raise ValueError('check_node_type parameter is only valid for checking projects.')

    computed_permissions = compute_aggr_permissions(collection_name, resource, check_node_type)

    if not computed_permissions:
        log.info('No permissions available to compute for %s on resource %r',
                 method, resource.get('node_type', resource))
        return False

    # Accumulate allowed methods from the user, group and world level.
    allowed_methods = set()

    current_user = g.current_user
    if current_user:
        # If the user is authenticated, proceed to compare the group permissions
        for permission in computed_permissions.get('groups', ()):
            if permission['group'] in current_user['groups']:
                allowed_methods.update(permission['methods'])

        for permission in computed_permissions.get('users', ()):
            if current_user['user_id'] == permission['user']:
                allowed_methods.update(permission['methods'])

    # Check if the node is public or private. This must be set for non logged
    # in users to see the content. For most BI projects this is on by default,
    # while for private project this will not be set at all.
    if 'world' in computed_permissions:
        allowed_methods.update(computed_permissions['world'])

    permission_granted = method in allowed_methods
    if permission_granted:
        if append_allowed_methods:
            # TODO: rename this field _allowed_methods
            if check_node_type:
                node_type = next((node_type for node_type in resource['node_types']
                                  if node_type['name'] == check_node_type))
                assign_to = node_type
            else:
                assign_to = resource
            assign_to['allowed_methods'] = list(set(allowed_methods))
        return True

    return False


def compute_aggr_permissions(collection_name, resource, check_node_type):
    """Returns a permissions dict."""

    projects_collection = current_app.data.driver.db['projects']

    # We always need the know the project.
    if collection_name == 'projects':
        project = resource
        if check_node_type is None:
            return project['permissions']
        node_type_name = check_node_type
    else:
        # Not a project, so it's a node.
        assert 'project' in resource
        assert 'node_type' in resource

        node_type_name = resource['node_type']

        if isinstance(resource['project'], dict):
            # embedded project
            project = resource['project']
        else:
            project = projects_collection.find_one(
                ObjectId(resource['project']),
                {'permissions': 1,
                 'node_types': {'$elemMatch': {'name': node_type_name}},
                 'node_types.name': 1,
                 'node_types.permissions': 1})

    # Every node should have a project.
    if project is None:
        log.warning('Resource %s from "%s" refers to a project that does not exist.',
                    resource['_id'], collection_name)
        raise Forbidden()

    project_permissions = project['permissions']

    # Find the node type from the project.
    node_type = next((node_type for node_type in project['node_types']
                      if node_type['name'] == node_type_name), None)
    if node_type is None:  # This node type is not known, so doesn't give permissions.
        node_type_permissions = {}
    else:
        node_type_permissions = node_type.get('permissions', {})

    # For projects or specific node types in projects, we're done now.
    if collection_name == 'projects':
        return merge_permissions(project_permissions, node_type_permissions)

    node_permissions = resource.get('permissions', {})
    return merge_permissions(project_permissions, node_type_permissions, node_permissions)


def merge_permissions(*args):
    """Merges all given permissions.

    :param args: list of {'user': ..., 'group': ..., 'world': ...} dicts.
    :returns: combined list of permissions.
    """

    if not args:
        return {}

    if len(args) == 1:
        return args[0]

    effective = {}

    # When testing we want stable results, and not be dependent on PYTHONHASH values etc.
    if current_app.config['TESTING']:
        maybe_sorted = sorted
    else:
        def maybe_sorted(arg):
            return arg

    def merge(field_name):
        plural_name = field_name + 's'

        from0 = args[0].get(plural_name, [])
        from1 = args[1].get(plural_name, [])

        asdict0 = {permission[field_name]: permission['methods'] for permission in from0}
        asdict1 = {permission[field_name]: permission['methods'] for permission in from1}

        keys = set(asdict0.keys() + asdict1.keys())
        for key in maybe_sorted(keys):
            methods0 = asdict0.get(key, [])
            methods1 = asdict1.get(key, [])
            methods = maybe_sorted(set(methods0).union(set(methods1)))
            effective.setdefault(plural_name, []).append({field_name: key, u'methods': methods})

    merge(u'user')
    merge(u'group')

    # Gather permissions for world
    world0 = args[0].get('world', [])
    world1 = args[1].get('world', [])
    world_methods = set(world0).union(set(world1))
    if world_methods:
        effective[u'world'] = maybe_sorted(world_methods)

    # Recurse for longer merges
    if len(args) > 2:
        return merge_permissions(effective, *args[2:])

    return effective


def require_login(require_roles=set()):
    """Decorator that enforces users to authenticate.

    Optionally only allows access to users with a certain role./
    """

    if not isinstance(require_roles, set):
        raise TypeError('require_roles param should be a set, but is a %r' % type(require_roles))

    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            current_user = g.get('current_user')

            if current_user is None:
                log.warning('Unauthenticated acces to %s attempted.', func)
                abort(403)

            if require_roles and not require_roles.intersection(set(current_user['roles'])):
                log.warning('User %s is authenticated, but does not have any required role %s to '
                            'access %s', current_user['user_id'], require_roles, func)
                abort(403)

            return func(*args, **kwargs)

        return wrapper

    return decorator


def user_has_role(role, user=None):
    """Returns True iff the user is logged in and has the given role."""

    if user is None:
        user = g.get('current_user')

    if user is None:
        return False

    return role in user['roles']


def is_admin(user):
    """Returns True iff the given user has the admin role."""

    return user_has_role(u'admin', user)