U Ef@sUddlZddlZddlZddlZddlmZmZddlmZm Z m Z m Z m Z m Z ddlZddlTddlZddlZddlmZejGdddZejGdd d ZejGd d d Zeaiae eefed <dd ddZedddhZGddde Z!Gdddej"j#j$Z$dS)N) OrderedDict defaultdict)TupleDictOptionalListSetType)*) CmfEntityc@sFeZdZUdZeeed<dZeed<dZeeed<dZ eed<dS)AccessRuleDataNsubjects object_model object_fields access_level) __name__ __module__ __qualname__r rstr__annotations__rrrrr./cmf/models/cmf_access_list.pyr s  r c@szeZdZUdZeed<dZeed<dZeed<dZ eed<dZ eed<e j e dZeeed<e j e dZeeed <dS) AccessListDataNdisabledidcodeinherit_acl_idobject_owner_iddefault_factory custom_rules auto_rules)rrrrboolrrrrrr dataclassesfieldlistr rr r!rrrrrs      rc@seZdZUejedZeee fe d<ejdddZ eee efe d<eje dZeee d<ejedZeeeejjfe d<ejedZeeefe d<d S) AclDataraclcCsttSN)rr%rrrr&zAclData.acl_inherit_by used_fieldsstatic_access_control_modelscacheN)rrrr#r$dictr'rrrrr+rsetr,rr-r cmfmodels BaseModelr.rrrrrr&#s $$r&_acl_cache_granted_tuplesd)defaultreadonlyZprivatefullwritereadc@s eZdZdS)_AclStopN)rrrrrrrr<>sr<cseZdZUdZdZdZeed<dZddZ e dd Z e d d Z e dAe ee ee ee ee ee ee ejje ee ee ed d dZedBddZe dCddZedDddZeddZe ddZe ddZe ddZedd Zeed!d"dEd#d$Ze dFd%d&Z fd'd(Z!ed)d*Z"fd+d,Z#d-d.Z$fd/d0Z%d1d2Z&d3d4Z'd5d6Z(d7d8Z)dGfd9d: Z*d;d<Z+d=d>Z,e dHd?d@Z-Z.S)I CmfAccessListTN _ACL_DATAicCs6dd|jgdddgg}tjj|dD] }|q$dS)N parent_id=sys_typeautofilter)rr2 CmfAccessRuler%delete)selfZ acl_filterZacl_itemrrrclear_auto_aclHszCmfAccessList.clear_auto_aclc Cs4tdtdt}dddddh}|jdd d gd }|D]R}t|j|j|j|j |j d }||j |j<||j |j<|j r>|j |j  |jq>tjjd dddgdddggddddddgd}|D]}|jr|j|krtdtd|d|jd|jd qdd|jD}|jr0dd|jDnd} | rF|j| t||jo\t|j| t|jd} |j |j}|stdtd|d |jd|jd q|jd!kr|j | q|j | qtjj D]} | j!d"kr| |j"| j#<q|t$_%tdtd#t&|d$t&|d%dS)&u TODO: что делаем, если загрузка acl падает??? Всё разрешаем или всё запрещаем? zload_acl_data(pid z): startr9r;r:deny denyWriterrrfields)rrrrrORrANFr@rBrrr rrErMz): skip z due to empty subjects(z) or invalid access_level()cSsh|]}t|jqSr)sysinternr).0subjectrrr nsz.CmfAccessList.load_acl_data..cSsh|]}t|qSr)rQrR)rSZ field_namerrrrUps)r rrrz due to absent access_list(rCZstaticz ): loaded z acl, z rules)'printosgetpidr&slistrrrrrrr'r+appendr2rFr rrr,updater rrQrRgetr@rBr!r r1r3iter_subclassesZacl_typer- class_namer=r?len) clsacl_dataZvalid_access_levelsZ access_listsZ access_listZaccess_list_dataZ access_rulesZ access_ruleZ subjects_dataZobject_fields_dataZaccess_rule_datamodelrrr load_acl_dataMsj   $  $  zCmfAccessList.load_acl_datacCs|j}|o|jS)uНабор полей, по которым существуют правила, чтобы не проверять всё подряд.)r?r,)r`rarrrr,szCmfAccessList.used_fields) initial_acl_keyr object_fieldrr object_idobject_instance object_dictobject_parent_idis_newcs"d1 fdd  f dd fdd}dtkrftt_tjd krd D]}|d qxd d 7<d} }| r| d g| jj| jtj j | dd| tj krtj }|jjnNtj}|r|jj|jnddtjtjs.tjrBdd 7<t}|dkr,ttdr,| sp r, dr,tjs,tjs,d}| r| dr| } r dr }|r,| }tj|d}|dkrtjjdd| ddsti}titj|<n dtj|<n|dkr(n|}|dkr| rd}| rV| drV| }tj| |}|dkrpn|dkrtdh}nti}|dkr| rr| sttdd}|dkrddtj j!ddgdd d!gd"d#gggd$Dt_"tj"}| |krt}|dkrz|}WqWntt#k r}zT|j$d }t%j&'|}|dkr^|tj(krlt)d%|t*+d W5d}~XYnXq|r||krd}|s| rt,d&tj-d'| d(d)|d*d+ d, d-|d.d/otj.d0t/ ||S)2u Проверка/получение прав доступа к объекту или его полю. Возвращает список доступных прав. Если raise_error == True, то генерирует стандартную ошибку о недостаточности прав доступа. Если текущий пользователь админ, или владелец объекта, или проверка прав отключена, то выдаём полные права. :param object_parent_id: TODO: object_instance может быть без филдов при sget и is_web_public :param object_instance: :param is_new: :param object_id: :param object_dict: :param initial_acl_key: id/code - списка доступа, по которому начинанать поиск. :param object_model: имя модели объекта, если пременимо :param object_field: поле объекта, если применимо :param access_level: если указан, то проверяется наличие конкретного уровня доступа. :param object_owner_id: владелец объекта, параметр для удобства, если указан и совпадает с текущим пользователем, то получаем полные права. :param raise_error: определяет: return False или raise CmfPermissionError :param checking_person - если указан, проверяются его права, а не сессионный g.current_person :param perm_security_level_allowed_ids - ? :param checked_policy - объект проверен бизнес логикой и нужно использовать указанную политику :return: Set[str]/False/raise CmfPermissionError Ncs^fdd fddfddttg z rV d|r|dkrd d d n&|d krd n|d krn td |t r rtt }|j}|dkrn:|dkrd tn$|d krtntd d|d r,d d d Wntk rDYnXt}t ||}|S)Ncs|kr|dSr()add)Z access_level_)deniedgrantedrr add_grantszBCmfAccessList.check_access..calc_access..add_grantcs|jr|jkr|jr |jkr|j@r|jdkrRdddtn^|jdkrbtnN|jdkrddn.|jdkrddn|jdkrddS)Nr9r:r;rJrK)rrr rr<rk)rule)rnrlrerr rr check_rules2        zCCmfAccessList.check_access..calc_access..check_rulecsj|}|s>td|ddttd|||jkrltd|jdtd||jt |j |j D] }|q|j r|j SdS)Nz. !!! CmfAccessList.check_access: acl_key z not found, processed z, pid=uНе загружен ACL z0 !!! CmfAccessList.check_access: recursion z in u+!!! Кольцевые ссылки у ACL )r'r\rVrWrXCmfACLNotFoundErrorrCmfErrorrZ itertoolschainr r!r)Zacl_keyr'ro)ra check_aclrpprocessed_aclsrrrus    zBCmfAccessList.check_access..calc_access..check_aclglobal)r9r:r9r:r;rJz@Invalid policy value checked_policy, allowed: read, write, fulllr7r8zInvalid model acl policy z.acl_default_user_policy(z!), valid: default, readonly, deny) r0 ValueErrorr<getattrr2Zacl_default_user_policyrrtupler4 setdefault)rachecked_policyreZ model_clsZ model_policyZ granted_tuple)current_person__member_ofrd is_local_userr) rarnrurprlrmrervr r calc_accesss^      z/CmfAccessList.check_access..calc_accesscsd}r|jrd}nkr2|jr2|jkr2d}nrkrP|jrP|jkrPd}nTrj|jrj|jkrjd}n:r|tjkrrddrrrjsnjjsd}t |rdddhndh}t ||S)NFT user_localr9r:r;) Zacl_allow_createZacl_static_owner_write_fieldsZacl_static_self_write_fieldsZacl_static_user_write_fieldsr2 CmfPersonr\roldrzr4r{)static_acl_modelZ allow_writeresult_) r}current_person_idr~rjrhrerfrgrrr calc_static.sF   z/CmfAccessList.check_access..calc_staticcs"d}j}|std|j }|rt o:t  oFt  oRt o^tf}|j|}|dk r dd7<n dd7<|}|dkrʈ rʈ krʈ dd7<t}|dkr}|jkrd}}|srd}n rt dd}to*t o8t |oFt||oTt|f}|j|}|dk r dd7<n dd7<|||d }||j|<t |jj krt |jt |jt |}t d t |jd |d d ddt|jj dD|_|S)Nu8Система ACL не инициализированаacl_check_cache_staticacl_check_calc_staticacl_check_owner_skipZ _acl_policyacl_check_cacheacl_check_calc)r|rez!CmfAccessList: shrink cache, len z, size iz KbcSsi|]\}}||qSrr)rSkvrrr szKCmfAccessList.check_access..check_with_acl_data..)r?ZCmfACLNotInitializedErrorr-r\rQrRr. _full_accessr,ryr__CACHE_MAX_SIZE getsizeofrVrsisliceitems)rrarZ cache_keyZ object_field_Zchecked_policy_Z cache_size)rrr|r`rrdrjrhrerfrgrrstatrrcheck_with_acl_dataGsj               z7CmfAccessList.check_access..check_with_acl_data profiler_data acl_check)racl_check_skiprrrrrrrrTid_onlyFrCmfProjectPermSchemez CmfProject:.z PPP-PR-BROWSE)Zproject_id_simplecheckZobj_dict_simplecheckobj raise_errorr9r8r;acl_owned_projectscSsh|] }|jqSrr)rSZprojectrrrrUsz-CmfAccessList.check_access..--rrN cmf_owner_idrAZcmf_owner_assistantsINrMrEz2CmfAccessList.check_access(): waiting for loading z !!! ACL access denied for z(or z)(z ), request z , to acl=z, model=z, field=z (requsted z), object_owner_id=(rP)NN)0grrr{Z load_fieldsrvaluerr2r=subject_full_group_listZsharelink_anonymous_userCmfPersonGroupsharelink_grouprkZ current_userr}disable_permissionsacl_admin_moderhasattr startswithZcurrent_user_is_anonymousZ#current_user_is_sharelink_anonymousZproject_perm_browse_cacher\rZcheck_project_role_accessrzZCmfSecurityLevelZcheck_perm_security_levelryZ CmfProjectrYrrqargsREDIS_DBredis _new_acl_key request_iddebugtimesleeprVcurrent_personrCmfPermissionError)r`rdrrerrrfrgrhrirjrZchecking_personZperm_security_level_allowed_idsr|rZstat_keyresultZrequested_object_fieldr_userZ project_idZ ppp_cache_keyZppp_resZsec_resZ_acl_owned_projectseacl_idrr)rrr|r`r}rrdr~rjrhrerfrgrrrr check_accesss)n&I                        P zCmfAccessList.check_accessFc sz|s|r|jj}tjjj}dd|gdd|gg}ddtjj|dgdD}|t ||rb|Sfd d|D}|S) NZchild_idrAZ parent_modelrcSsh|]}|jrt|jqSr)r@rQrR)rSZrelationrrrrU5sz8CmfAccessList.subject_full_group_list..r@rOcs"h|]}tj|drqS)rL)cmfutilZ get_obj_by_id)rSZgroup_idrMrrrrU=s) rrr2rFr Z RelationCacherYrkrQrR)rT subject_idrrM_kwargsZgroup_model_namesZrelation_filterrrrrr.s z%CmfAccessList.subject_full_group_listc Ks\|j||dd}tjjdgddt|gd}|s4g}|dddd |Dgg}|j|||d S) NT)rTrrr@r rrrcSsg|] }|jqSr)r@)rSrorrr Gsz2CmfAccessList.subject_list_acl..)rMrEorder_by)rr2rFrYr%) r`rTrrMrErrZ member_ofZ related_rulesrrrsubject_list_acl@s zCmfAccessList.subject_list_aclcheck_admin_modecCs tjs tjrdS|rt|dS)NTF)rrrr)messagerrrrrJs  zCmfAccessList.check_admin_modecCs:tjjtjjjddkr*tjs*t ddt_ dt_ dS)NTractivate_admin_mode) r2rZ admin_grouprrrZ rg_member_ofZ all_parentsZ is_supportrrrrrrrrSs z!CmfAccessList.activate_admin_modecCsdt_dt_dt_dS)uПервоначальная инициализация контекста, чтобы работали g.current_person, в т.ч. создание пользователей.TN)rrr}r)r`rrr init_context[szCmfAccessList.init_contextcCsttddt_tjr*tjs*dt_tt_n"tjtjkt_t j j tjddt_tjrXdt_tj r~tj r~t j}tj|jjdS)u\Сейчас уже должны быть рабочие g.current_person и g.system_personrNTr)ryZAPPrrZ system_personrr0r}rr2r=rZsharelink_access_requestZsharelink_access_grantedrrrkrr)r`rrrr setup_contextbs    zCmfAccessList.setup_contextcCst}t}|D]}||jt|ddq|j}|s.process_acl_listz8process_changed_acl(): acl_id is None, drop_all_cache!!!rwz(process_changed_acl(): drop_all_cache!!!z#process_changed_acl(): changed_acl=z, affected_acl=cSs t|tSr() issubclassr )mrrrr)r*z4CmfAccessList.proccess_chanded_acl..cSsh|] }|jqSrr)rSrrrrrUsz5CmfAccessList.proccess_chanded_acl..rrperm_effective_acl_idrre)rMrEslicez3acl::proccess_chanded_acl run invalidate_ids model=z len=r5z>acl::proccess_chanded_acl too many, flush all cache for model=zacl::proccess_chanded_acl end)rrr2r=rcrrr0rrWrXr?r'r\rrZ iter_modelsZ CMF_CACHEZinvalidate_idsr^rYr%r_)ZidsZdrop_all_cacherr'rbZobj_idsrrrproccess_chanded_aclsJ        z"CmfAccessList.proccess_chanded_aclCmfAccessList:changed)ZchannelcKshdd}td|rPd|kr,t|dqZd|krDt|dqZtdn tdt|dS)Nc SsXtdtdtrLtdt}tatjtj |W5QRXntddS)Nzacl::reload handler spawnedzacl::reload handler do reloadzacl::reload handler skip) rVrr_acl_changed_idsr0r1ZappZ cmf_contextr2r=r)Z changed_aclrrrhandlers  z,CmfAccessList.on_acl_change..handlerzacl::reload spawn handlerraccess_list_id)rVrr[rkgeventZspawn)datarrrrr on_acl_changes   zCmfAccessList.on_acl_changecCsNtd|dk r(tdddd|Di|r@tddt|in tdddS)Nzacl::reload triggerrrcSsg|] }t|qSr)r)rSrrrrrsz0CmfAccessList.trigger_reload..r)rVZcmf_emit_server_eventr)r`rrrrrrszCmfAccessList.trigger_reloadcstdddgS)NrZpolicyparent)supersave_preload_fieldsrH __class__rrrsz!CmfAccessList.save_preload_fieldscCs d|S)NzCmfAccessList::created:r)rrrrrszCmfAccessList._new_acl_keyc s<||j|jr.tjj||jtjddt j f|S)N )ex) rrrjrrr0rrrrsave)rHkwargsrrrrs zCmfAccessList.savec Ksg}tjjD]F}||jdddddddgddd |jgdd |jgdd |jggd q||jddddddgd d |jgd |S) NrrrnamerZperm_inherit_acl_idZ perm_acl_idrNrArr)r1r2r r]extendrYr)rHrrrbrrrfind_acl_usage s     zCmfAccessList.find_acl_usagec sL|}|r2td|dt|d|dd||jtjf|S)Nu)Не возможно удалить acl u,, т.к. на него существует u ссылок, r)rZCmfOrmIntegrityErrorr_rrrrG)rHrusagerrrrGs  zCmfAccessList.deletecCsdSr(rrrrr_calc_perm_parent%szCmfAccessList._calc_perm_parentcCsdSr(rrrrr_calc_perm_has_acl(sz CmfAccessList._calc_perm_has_aclcKsdSr(r)rHrrrr_calc_perm_acl+szCmfAccessList._calc_perm_aclcCsdSr(rrrrr_calc_perm_effective_acl.sz&CmfAccessList._calc_perm_effective_aclcs|s tjg}tj|dS)N) spread_models)r2rFr_acl_spread_inheritance)rHrrrrr1sz%CmfAccessList._acl_spread_inheritancecCs2||jr d|_|jddtj|jdS)NFTZ only_data) save_preparerrr2r=rr)rHZ_rulerrrsave_rule_hook6s  zCmfAccessList.save_rule_hookcCsR||js@tjjdd|gdd|jggds@d|_|jddtj|jdS)NrrArz!=rDTr) rrr2rFrYrrr=r)rHrorrrdelete_rule_hook=s  zCmfAccessList.delete_rule_hookcCs|jddrdSdd|jddD}|s.dStj }|sBtd|r`|jr`tj|_tj|_dS|rp|t |8}|j j tjj kr|r|t |8}|j tj kr|r|t |8}|sdS|jd|d |d d S) z)deprecated method, due not API integratedF)rTcSsh|]}|js|jqSr)Zno_aclr^)rSr$rrrrUNsz:CmfAccessList.subject_model_check_write..)Z is_changedzAccess Prohibitedztry change fields z on )rN)rrrZ public_accessrrjrZ cmf_ownerZ cmf_authorr0rrrr})r`rTZ allow_createZallow_user_fieldsZallow_owner_fieldsZallow_self_fieldsZchanged_fieldsZis_userrrrsubject_model_check_writeFs.      z'CmfAccessList.subject_model_check_write)NNNNNNNNNNTNNN)NNFN)NNNNN)rT)N)NN)N)FNNN)/rrr__doc__ZTEXKOM_no_cacher?r&rrrI classmethodrcr,rrr1r2r3r/r"r staticmethodrrrrrrrrZon_server_eventrrrrrrrGrrrrrrrr __classcell__rrrrr=Bs   C          @     r=)%r#rsrQr collectionsrrtypingrrrrrr rZ cmf.includeZcmf.appr1Zcmf.fields.cmf_access_listZ cmf.modelsr Z dataclassr rr&r0rr4rZ_policy_prioritiesrzr Exceptionr<rMZcmf_access_listr=rrrrs4