2015-05-31 23:18:10 +02:00
|
|
|
import contextlib
|
2022-01-31 20:52:46 +01:00
|
|
|
import datetime
|
2015-05-31 23:18:10 +02:00
|
|
|
import threading
|
|
|
|
|
2016-06-24 12:58:00 +02:00
|
|
|
from django.contrib.auth import get_user_model
|
2015-05-08 10:04:45 +02:00
|
|
|
from django.contrib.contenttypes.models import ContentType
|
2022-01-31 22:26:19 +01:00
|
|
|
from django.db import connection, models
|
2015-05-08 10:04:45 +02:00
|
|
|
from django.db.models import query
|
2016-06-24 12:58:00 +02:00
|
|
|
from django.db.models.query import Prefetch, Q
|
2022-01-31 22:26:19 +01:00
|
|
|
from django.db.transaction import atomic
|
2015-05-08 10:04:45 +02:00
|
|
|
|
2022-10-06 18:35:23 +02:00
|
|
|
from authentic2.a2_rbac import signals
|
|
|
|
|
|
|
|
from . import utils
|
2015-05-08 10:04:45 +02:00
|
|
|
|
2015-05-31 23:18:10 +02:00
|
|
|
|
2015-05-08 10:04:45 +02:00
|
|
|
class AbstractBaseManager(models.Manager):
|
|
|
|
def get_by_natural_key(self, uuid):
|
|
|
|
return self.get(uuid=uuid)
|
|
|
|
|
2016-06-24 12:58:00 +02:00
|
|
|
|
2015-05-08 10:04:45 +02:00
|
|
|
class OperationManager(models.Manager):
|
|
|
|
def get_by_natural_key(self, slug):
|
|
|
|
return self.get(slug=slug)
|
|
|
|
|
|
|
|
def has_perm(self, user, operation_slug, object_or_model, ou=None):
|
|
|
|
"""Test if an user can do the operation given by operation_slug
|
|
|
|
on the given object_or_model eventually scoped by an organizational
|
|
|
|
unit given by ou.
|
|
|
|
|
|
|
|
Returns True or False.
|
2021-03-30 10:15:50 +02:00
|
|
|
"""
|
2015-05-08 10:04:45 +02:00
|
|
|
ou_query = query.Q(ou__isnull=True)
|
|
|
|
if ou:
|
|
|
|
ou_query |= query.Q(ou=ou.as_scope())
|
|
|
|
ct = ContentType.objects.get_for_model(object_or_model)
|
2016-06-24 12:58:00 +02:00
|
|
|
target_query = query.Q(target_ct=ContentType.objects.get_for_model(ContentType), target_id=ct.pk)
|
2015-05-08 10:04:45 +02:00
|
|
|
if isinstance(object_or_model, models.Model):
|
2016-06-24 12:58:00 +02:00
|
|
|
target_query |= query.Q(target_ct=ct, target_id=object.pk)
|
2015-05-08 10:04:45 +02:00
|
|
|
Permission = utils.get_permission_model()
|
|
|
|
qs = Permission.objects.for_user(user)
|
|
|
|
qs = qs.filter(operation__slug=operation_slug)
|
|
|
|
qs = qs.filter(ou_query & target_query)
|
|
|
|
return qs.exists()
|
|
|
|
|
2016-06-24 11:55:35 +02:00
|
|
|
|
2015-05-08 10:04:45 +02:00
|
|
|
class PermissionManagerBase(models.Manager):
|
2016-06-24 11:55:35 +02:00
|
|
|
def get_by_natural_key(self, operation_slug, ou_nk, target_ct, target_nk):
|
|
|
|
qs = self.filter(operation__slug=operation_slug)
|
2015-05-08 10:04:45 +02:00
|
|
|
if ou_nk:
|
|
|
|
OrganizationalUnit = utils.get_ou_model()
|
|
|
|
try:
|
|
|
|
ou = OrganizationalUnit.objects.get_by_natural_key(*ou_nk)
|
|
|
|
except OrganizationalUnit.DoesNotExist:
|
|
|
|
raise self.model.DoesNotExist
|
|
|
|
qs = qs.filter(ou=ou)
|
2016-06-24 11:55:35 +02:00
|
|
|
else:
|
|
|
|
qs = qs.filter(ou__isnull=True)
|
2015-05-08 10:04:45 +02:00
|
|
|
try:
|
|
|
|
target_ct = ContentType.objects.get_by_natural_key(*target_ct)
|
|
|
|
except ContentType.DoesNotExist:
|
|
|
|
raise self.model.DoesNotExist
|
|
|
|
target_model = target_ct.model_class()
|
|
|
|
try:
|
2016-06-24 11:55:35 +02:00
|
|
|
target = target_model.objects.get_by_natural_key(*target_nk)
|
2015-05-08 10:04:45 +02:00
|
|
|
except target_model.DoesNotExist:
|
|
|
|
raise self.model.DoesNotExist
|
2016-06-24 11:55:35 +02:00
|
|
|
return qs.get(target_ct=ContentType.objects.get_for_model(target), target_id=target.pk)
|
|
|
|
|
2015-05-08 10:04:45 +02:00
|
|
|
|
|
|
|
class PermissionQueryset(query.QuerySet):
|
|
|
|
def by_target_ct(self, target):
|
|
|
|
"""Filter permission whose target content-type matches the content
|
|
|
|
type of the target argument
|
2021-03-30 10:15:50 +02:00
|
|
|
"""
|
2015-05-08 10:04:45 +02:00
|
|
|
target_ct = ContentType.objects.get_for_model(target)
|
|
|
|
return self.filter(target_ct=target_ct)
|
|
|
|
|
|
|
|
def by_target(self, target):
|
|
|
|
'''Filter permission whose target matches target'''
|
|
|
|
return self.by_target_ct(target).filter(target_id=target.pk)
|
|
|
|
|
|
|
|
def for_user(self, user):
|
|
|
|
"""Retrieve all permissions hold by an user through its role and
|
|
|
|
inherited roles.
|
2021-03-30 10:15:50 +02:00
|
|
|
"""
|
2015-05-08 10:04:45 +02:00
|
|
|
Role = utils.get_role_model()
|
|
|
|
roles = Role.objects.for_user(user=user)
|
2018-07-27 15:37:45 +02:00
|
|
|
return self.filter(roles__in=roles)
|
2015-05-08 10:04:45 +02:00
|
|
|
|
2016-06-24 12:58:55 +02:00
|
|
|
def cleanup(self):
|
|
|
|
count = 0
|
|
|
|
for p in self:
|
|
|
|
if not p.target and (p.target_ct_id or p.target_id):
|
|
|
|
p.delete()
|
|
|
|
count += 1
|
|
|
|
return count
|
|
|
|
|
2021-03-30 10:15:50 +02:00
|
|
|
|
2015-05-08 10:04:45 +02:00
|
|
|
PermissionManager = PermissionManagerBase.from_queryset(PermissionQueryset)
|
|
|
|
|
2016-06-24 12:58:00 +02:00
|
|
|
|
2017-08-11 15:15:50 +02:00
|
|
|
class IntCast(models.Func):
|
|
|
|
function = 'int'
|
|
|
|
template = 'CAST((%(expressions)s) AS %(function)s)'
|
|
|
|
|
|
|
|
|
2015-05-08 10:04:45 +02:00
|
|
|
class RoleQuerySet(query.QuerySet):
|
|
|
|
def for_user(self, user):
|
2022-07-07 14:34:45 +02:00
|
|
|
if hasattr(user, 'apiclient_roles'):
|
|
|
|
queryset = self.filter(apiclients=user)
|
|
|
|
else:
|
|
|
|
queryset = self.filter(members=user)
|
|
|
|
return queryset.parents().distinct()
|
2015-05-08 10:04:45 +02:00
|
|
|
|
2022-05-09 16:00:46 +02:00
|
|
|
def parents(self, include_self=True, annotate=False, direct=None):
|
|
|
|
assert annotate is False or direct is not True, 'annotate=True cannot be used with direct=True'
|
|
|
|
if direct is None:
|
|
|
|
qs = self.model.objects.filter(
|
|
|
|
child_relation__deleted__isnull=True,
|
|
|
|
child_relation__child__in=self,
|
|
|
|
)
|
|
|
|
else:
|
|
|
|
qs = self.model.objects.filter(
|
|
|
|
child_relation__deleted__isnull=True,
|
|
|
|
child_relation__child__in=self,
|
|
|
|
child_relation__direct=direct,
|
|
|
|
)
|
2015-05-08 10:04:45 +02:00
|
|
|
if include_self:
|
|
|
|
qs = self | qs
|
|
|
|
qs = qs.distinct()
|
|
|
|
if annotate:
|
2017-08-11 15:15:50 +02:00
|
|
|
qs = qs.annotate(direct=models.Max(IntCast('child_relation__direct')))
|
2015-05-08 10:04:45 +02:00
|
|
|
return qs
|
|
|
|
|
2022-05-09 16:00:46 +02:00
|
|
|
def children(self, include_self=True, annotate=False, direct=None):
|
|
|
|
assert annotate is False or direct is not True, 'annotate=True cannot be used with direct=True'
|
|
|
|
if direct is None:
|
|
|
|
qs = self.model.objects.filter(
|
|
|
|
parent_relation__deleted__isnull=True,
|
|
|
|
parent_relation__parent__in=self,
|
|
|
|
)
|
|
|
|
else:
|
|
|
|
qs = self.model.objects.filter(
|
|
|
|
parent_relation__deleted__isnull=True,
|
|
|
|
parent_relation__parent__in=self,
|
|
|
|
parent_relation__direct=direct,
|
|
|
|
)
|
2015-05-08 10:04:45 +02:00
|
|
|
if include_self:
|
|
|
|
qs = self | qs
|
|
|
|
qs = qs.distinct()
|
|
|
|
if annotate:
|
2017-08-11 15:15:50 +02:00
|
|
|
qs = qs.annotate(direct=models.Max(IntCast('parent_relation__direct')))
|
2015-05-08 10:04:45 +02:00
|
|
|
return qs
|
|
|
|
|
2016-06-24 12:58:00 +02:00
|
|
|
def all_members(self):
|
2015-05-08 10:04:45 +02:00
|
|
|
User = get_user_model()
|
2016-06-24 12:58:00 +02:00
|
|
|
prefetch = Prefetch('roles', queryset=self, to_attr='direct')
|
2018-08-01 15:37:28 +02:00
|
|
|
return (
|
2022-01-31 20:52:46 +01:00
|
|
|
User.objects.filter(
|
|
|
|
Q(roles__in=self)
|
|
|
|
| Q(roles__parent_relation__parent__in=self, roles__parent_relation__deleted__isnull=True)
|
|
|
|
)
|
2016-06-24 12:58:00 +02:00
|
|
|
.distinct()
|
|
|
|
.prefetch_related(prefetch)
|
2021-03-30 10:15:50 +02:00
|
|
|
)
|
2015-05-08 10:04:45 +02:00
|
|
|
|
|
|
|
def by_admin_scope_ct(self, admin_scope):
|
|
|
|
admin_scope_ct = ContentType.objects.get_for_model(admin_scope)
|
|
|
|
return self.filter(admin_scope_ct=admin_scope_ct)
|
|
|
|
|
2016-06-24 12:58:55 +02:00
|
|
|
def cleanup(self):
|
|
|
|
count = 0
|
|
|
|
for r in self.filter(Q(admin_scope_ct_id__isnull=False) | Q(admin_scope_id__isnull=False)):
|
|
|
|
if not r.admin_scope:
|
|
|
|
r.delete()
|
|
|
|
count += 1
|
|
|
|
return count
|
|
|
|
|
2015-05-08 10:04:45 +02:00
|
|
|
|
|
|
|
RoleManager = AbstractBaseManager.from_queryset(RoleQuerySet)
|
|
|
|
|
2016-06-24 12:58:00 +02:00
|
|
|
|
2015-05-08 10:04:45 +02:00
|
|
|
class RoleParentingManager(models.Manager):
|
2015-05-31 23:18:10 +02:00
|
|
|
class Local(threading.local):
|
|
|
|
DO_UPDATE_CLOSURE = True
|
|
|
|
CLOSURE_UPDATED = False
|
|
|
|
|
|
|
|
tls = Local()
|
|
|
|
|
2015-05-08 10:04:45 +02:00
|
|
|
def get_by_natural_key(self, parent_nk, child_nk, direct):
|
|
|
|
Role = utils.get_role_model()
|
|
|
|
try:
|
|
|
|
parent = Role.objects.get_by_natural_key(*parent_nk)
|
|
|
|
except Role.DoesNotExist:
|
|
|
|
raise self.model.DoesNotExist
|
|
|
|
try:
|
|
|
|
child = Role.objects.get_by_natural_key(*child_nk)
|
|
|
|
except Role.DoesNotExist:
|
|
|
|
raise self.model.DoesNotExist
|
|
|
|
return self.get(parent=parent, child=child, direct=direct)
|
|
|
|
|
2022-01-31 20:52:46 +01:00
|
|
|
def soft_create(self, parent, child):
|
|
|
|
with atomic(savepoint=False):
|
|
|
|
rp, created = self.get_or_create(parent=parent, child=child, direct=True)
|
|
|
|
new = created or rp.deleted
|
|
|
|
if not created and rp.deleted:
|
|
|
|
rp.created = datetime.datetime.now()
|
|
|
|
rp.deleted = None
|
|
|
|
rp.save(update_fields=['created', 'deleted'])
|
|
|
|
if new:
|
|
|
|
signals.post_soft_create.send(sender=self.model, instance=rp)
|
|
|
|
|
|
|
|
def soft_delete(self, parent, child):
|
|
|
|
qs = self.filter(parent=parent, child=child, deleted__isnull=True, direct=True)
|
|
|
|
with atomic(savepoint=False):
|
|
|
|
rp = qs.first()
|
|
|
|
if rp:
|
|
|
|
count = qs.update(deleted=datetime.datetime.now())
|
|
|
|
# read-commited, view of tables can change during transaction
|
|
|
|
if count:
|
|
|
|
signals.post_soft_delete.send(sender=self.model, instance=rp)
|
|
|
|
|
2015-05-08 10:04:45 +02:00
|
|
|
def update_transitive_closure(self):
|
|
|
|
"""Recompute the transitive closure of the inheritance relation
|
|
|
|
from scratch. Add missing indirect relations and delete
|
|
|
|
obsolete indirect relations.
|
2021-03-30 10:15:50 +02:00
|
|
|
"""
|
2015-05-31 23:18:10 +02:00
|
|
|
if not self.tls.DO_UPDATE_CLOSURE:
|
|
|
|
self.tls.CLOSURE_UPDATED = True
|
|
|
|
return
|
|
|
|
|
2022-01-31 22:26:19 +01:00
|
|
|
with atomic(savepoint=False):
|
|
|
|
# existing direct paths
|
2022-01-31 20:52:46 +01:00
|
|
|
direct = set(self.filter(direct=True, deleted__isnull=True).values_list('parent_id', 'child_id'))
|
|
|
|
old_indirects = set(
|
|
|
|
self.filter(direct=False, deleted__isnull=True).values_list('parent_id', 'child_id')
|
|
|
|
)
|
2022-01-31 22:26:19 +01:00
|
|
|
indirects = set(direct)
|
|
|
|
|
|
|
|
while True:
|
|
|
|
changed = False
|
|
|
|
for (i, j) in list(indirects):
|
|
|
|
for (k, l) in direct:
|
|
|
|
if j == k and i != l and (i, l) not in indirects:
|
|
|
|
indirects.add((i, l))
|
|
|
|
changed = True
|
|
|
|
if not changed:
|
|
|
|
break
|
|
|
|
|
|
|
|
with connection.cursor() as cur:
|
|
|
|
# Delete old ones
|
|
|
|
obsolete = old_indirects - indirects - direct
|
|
|
|
if obsolete:
|
2022-01-31 20:52:46 +01:00
|
|
|
sql = '''UPDATE "%s" AS relation \
|
|
|
|
SET deleted = now()\
|
|
|
|
FROM (VALUES %s) AS dead(parent_id, child_id) \
|
2022-01-31 22:26:19 +01:00
|
|
|
WHERE relation.direct = 'false' AND relation.parent_id = dead.parent_id \
|
2022-01-31 20:52:46 +01:00
|
|
|
AND relation.child_id = dead.child_id AND deleted IS NULL''' % (
|
2022-01-31 22:26:19 +01:00
|
|
|
self.model._meta.db_table,
|
2022-01-31 20:52:46 +01:00
|
|
|
', '.join('(%s, %s)' % (a, b) for a, b in obsolete),
|
2022-01-31 22:26:19 +01:00
|
|
|
)
|
|
|
|
cur.execute(sql)
|
|
|
|
# Create new indirect relations
|
|
|
|
new = indirects - old_indirects - direct
|
|
|
|
if new:
|
|
|
|
new_values = ', '.join(
|
2022-01-31 20:52:46 +01:00
|
|
|
(
|
|
|
|
"(%s, %s, 'false', now(), NULL)" % (parent_id, child_id)
|
|
|
|
for parent_id, child_id in new
|
|
|
|
)
|
2022-01-31 22:26:19 +01:00
|
|
|
)
|
2022-01-31 20:52:46 +01:00
|
|
|
sql = '''INSERT INTO "%s" (parent_id, child_id, direct, created, deleted) VALUES %s \
|
|
|
|
ON CONFLICT (parent_id, child_id, direct) DO UPDATE SET created = EXCLUDED.created, deleted = NULL''' % (
|
2022-01-31 22:26:19 +01:00
|
|
|
self.model._meta.db_table,
|
|
|
|
new_values,
|
|
|
|
)
|
|
|
|
cur.execute(sql)
|
2015-05-31 23:18:10 +02:00
|
|
|
|
2016-06-24 12:58:00 +02:00
|
|
|
|
2015-05-31 23:18:10 +02:00
|
|
|
@contextlib.contextmanager
|
|
|
|
def defer_update_transitive_closure():
|
|
|
|
from . import utils
|
|
|
|
|
|
|
|
RoleParentingManager.tls.DO_UPDATE_CLOSURE = False
|
|
|
|
try:
|
|
|
|
yield
|
|
|
|
if RoleParentingManager.tls.CLOSURE_UPDATED:
|
|
|
|
utils.get_role_parenting_model().objects.update_transitive_closure()
|
|
|
|
finally:
|
|
|
|
RoleParentingManager.tls.DO_UPDATE_CLOSURE = True
|
|
|
|
RoleParentingManager.tls.CLOSURE_UPDATED = False
|