# -*- coding: utf-8 -*- # # The MIT License (MIT) # # Copyright (C) 2017 Marcos Pereira # # Permission is hereby granted, free of charge, to any person obtaining a copy of # this software and associated documentation files (the "Software"), to deal in # the Software without restriction, including without limitation the rights to # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of # the Software, and to permit persons to whom the Software is furnished to do so, # subject to the following conditions: # # The above copyright notice and this permission notice shall be included in all # copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. """User-managed access permissions module.""" from keycloak.exceptions import KeycloakPermissionFormatError, PermissionDefinitionError class UMAPermission: """A class to conveniently assemble permissions. The class itself is callable, and will return the assembled permission. Usage example: >>> r = Resource("Users") >>> s = Scope("delete") >>> permission = r(s) >>> print(permission) 'Users#delete' :param permission: Permission :type permission: UMAPermission :param resource: Resource :type resource: str :param scope: Scope :type scope: str """ def __init__(self, permission=None, resource="", scope=""): """Init method. :param permission: Permission :type permission: UMAPermission :param resource: Resource :type resource: str :param scope: Scope :type scope: str :raises PermissionDefinitionError: In case bad permission definition """ self.resource = resource self.scope = scope if permission: if not isinstance(permission, UMAPermission): raise PermissionDefinitionError( "can't determine if '{}' is a resource or scope".format(permission) ) if permission.resource: self.resource = str(permission.resource) if permission.scope: self.scope = str(permission.scope) def __str__(self): """Str method. :returns: String representation :rtype: str """ scope = self.scope if scope: scope = "#" + scope return "{}{}".format(self.resource, scope) def __eq__(self, __o: object) -> bool: """Eq method. :param __o: The other object :type __o: object :returns: Equality boolean :rtype: bool """ return str(self) == str(__o) def __repr__(self) -> str: """Repr method. :returns: The object representation :rtype: str """ return self.__str__() def __hash__(self) -> int: """Hash method. :returns: Hash of the object :rtype: int """ return hash(str(self)) def __call__(self, permission=None, resource="", scope="") -> "UMAPermission": """Call method. :param permission: Permission :type permission: UMAPermission :param resource: Resource :type resource: str :param scope: Scope :type scope: str :returns: The combined UMA permission :rtype: UMAPermission :raises PermissionDefinitionError: In case bad permission definition """ result_resource = self.resource result_scope = self.scope if resource: result_resource = str(resource) if scope: result_scope = str(scope) if permission: if not isinstance(permission, UMAPermission): raise PermissionDefinitionError( "can't determine if '{}' is a resource or scope".format(permission) ) if permission.resource: result_resource = str(permission.resource) if permission.scope: result_scope = str(permission.scope) return UMAPermission(resource=result_resource, scope=result_scope) class Resource(UMAPermission): """A UMAPermission Resource class to conveniently assemble permissions. The class itself is callable, and will return the assembled permission. :param resource: Resource :type resource: str """ def __init__(self, resource): """Init method. :param resource: Resource :type resource: str """ super().__init__(resource=resource) class Scope(UMAPermission): """A UMAPermission Scope class to conveniently assemble permissions. The class itself is callable, and will return the assembled permission. :param scope: Scope :type scope: str """ def __init__(self, scope): """Init method. :param scope: Scope :type scope: str """ super().__init__(scope=scope) class AuthStatus: """A class that represents the authorization/login status of a user associated with a token. This has to evaluate to True if and only if the user is properly authorized for the requested resource. :param is_logged_in: Is logged in indicator :type is_logged_in: bool :param is_authorized: Is authorized indicator :type is_authorized: bool :param missing_permissions: Missing permissions :type missing_permissions: set """ def __init__(self, is_logged_in, is_authorized, missing_permissions): """Init method. :param is_logged_in: Is logged in indicator :type is_logged_in: bool :param is_authorized: Is authorized indicator :type is_authorized: bool :param missing_permissions: Missing permissions :type missing_permissions: set """ self.is_logged_in = is_logged_in self.is_authorized = is_authorized self.missing_permissions = missing_permissions def __bool__(self): """Bool method. :returns: Boolean representation :rtype: bool """ return self.is_authorized def __repr__(self): """Repr method. :returns: The object representation :rtype: str """ return ( f"AuthStatus(" f"is_authorized={self.is_authorized}, " f"is_logged_in={self.is_logged_in}, " f"missing_permissions={self.missing_permissions})" ) def build_permission_param(permissions): """Transform permissions to a set, so they are usable for requests. :param permissions: Permissions :type permissions: str | Iterable[str] | dict[str, str] | dict[str, Iterabble[str]] :returns: Permission parameters :rtype: set :raises KeycloakPermissionFormatError: In case of bad permission format """ if permissions is None or permissions == "": return set() if isinstance(permissions, str): return set((permissions,)) if isinstance(permissions, UMAPermission): return set((str(permissions),)) try: # treat as dictionary of permissions result = set() for resource, scopes in permissions.items(): if scopes is None: result.add(resource) elif isinstance(scopes, str): result.add("{}#{}".format(resource, scopes)) else: try: for scope in scopes: if not isinstance(scope, str): raise KeycloakPermissionFormatError( "misbuilt permission {}".format(permissions) ) result.add("{}#{}".format(resource, scope)) except TypeError: raise KeycloakPermissionFormatError( "misbuilt permission {}".format(permissions) ) return result except AttributeError: pass result = set() for permission in permissions: if not isinstance(permission, (str, UMAPermission)): raise KeycloakPermissionFormatError("misbuilt permission {}".format(permissions)) result.add(str(permission)) return result