Merge pull request #416 from TeskaLabs/feature/copy-role

Duplicating roles
TeskaLabs · Sep 5, 2024 · a45bfa6 · a45bfa6
2 parents ac941d5 + aa96b7c
commit a45bfa6
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,16 @@
 # CHANGELOG
 
+## v24.36
+
+### Pre-releases
+- v24.36-alpha1
+
+### Features
+- Duplicating roles (#416, `v24.36-alpha1`)
+
+---
+
+
 ## v24.29
 
 ### Pre-releases

diff --git a/seacatauth/authz/role/handler/role.py b/seacatauth/authz/role/handler/role.py
@@ -138,11 +138,21 @@ async def get(self, request):
 	async def create(self, request, *, tenant, json_data):
 		"""
 		Create a new role
+
+		---
+		parameters:
+		-	name: copy
+			in: query
+			description:
+				Copy resources and description from a specified existing role.
+				Resources non-applicable for the new role will be excluded.
+			schema:
+				type: string
 		"""
 		role_name = request.match_info["role_name"]
 		role_id = "{}/{}".format(tenant, role_name)
 		try:
-			role_id = await self.RoleService.create(role_id, **json_data)
+			role_id = await self.RoleService.create(role_id, from_role=request.query.get("copy"), **json_data)
 		except exceptions.ResourceNotFoundError as e:
 			return asab.web.rest.json_response(request, status=404, data={
 				"result": "ERROR",

diff --git a/seacatauth/authz/role/service.py b/seacatauth/authz/role/service.py
@@ -221,6 +221,7 @@ async def create(
 		description: str = None,
 		resources: typing.Optional[typing.Iterable] = None,
 		propagated: bool = False,
+		from_role: typing.Optional[str] = None,
 		_managed_by_seacat_auth: bool = False,
 	):
 		tenant_id, role_name = self.parse_role_id(role_id)
@@ -241,6 +242,21 @@ async def create(
 		except exceptions.RoleNotFoundError:
 			pass
 
+		if from_role:
+			# Use specified role as a template
+			source_role = await self.get(from_role)
+			if not description:
+				description = source_role.get("description")
+			if not resources:
+				if tenant_id is not None or propagated is True:
+					# Tenant and propagated roles cannot access global-only resources
+					resources = [
+						resource_id for resource_id in source_role.get("resources")
+						if not self.ResourceService.is_global_only_resource(resource_id)
+					]
+				else:
+					resources = source_role.get("resources")
+
 		upsertor = self.StorageService.upsertor(
 			self.RoleCollection,
 			role_id