
Commit 41ef2ad

committed
Create SingleGroupResourceAccessControl
This resource access control returns the first user group set for the current user on the APIAccess policy
1 parent 5215bf9 commit 41ef2ad


2 files changed

+60
-9
lines changed


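--- a/bluesky_httpserver/authorization/resource_access.py
+++ b/bluesky_httpserver/authorization/resource_access.py
@@ -61,7 +61,7 @@ def __init__(self, *, default_group=None):
 default_group = default_group or _DEFAULT_RESOURCE_ACCESS_GROUP
 self._default_group = default_group
 
-def get_resource_group(self, username):
+def get_resource_group(self, username, group):
 """
 Returns the name of the user group based on the user name.
 
@@ -76,3 +76,54 @@ def get_resource_group(self, username):
 Name of the user group.
 """
 return self._default_group
+
+
+class SingleGroupResourceAccessControl(DefaultResourceAccessControl):
+"""
+Single group resource access policy.
+The resource access policy associates users with its correspondent first user group. The groups
+define the resources, such as plans and devices users can access. The
+single group policy assumes that one user belong to a single group or if they are unauthenticated or
+have authenticated with a single-user API key, it uses the default user group.
+The arguments of the class constructor are the same as the one specified in the DefaultResourceAccessControl configuration
+file as shown in the example below.
+
+Parameters
+----------
+default_group: str
+The name of the group returned by the access manager by default.
+
+Examples
+--------
+Configure ``SingleGroupResourceAccessControl`` policy. The default group name is ``test_user``.
+
+.. code-block::
+
+resource_access:
+policy: bluesky_httpserver.authorization:SingleGroupResourceAccessControl
+args:
+default_group: test_user
+"""
+
+def get_resource_group(self, username, group):
+"""
+Returns the name of the user group based on the user name.
+
+Parameters
+----------
+username: str
+User name.
+
+Returns
+-------
+str
+Name of the user group.
+"""
+if isinstance(group, list):
+if group[0] in ['unauthenticated_public', 'unauthenticated_single_user']:
+return self.get_resource_group(username, group)
+return group[0]
+return group
+
+
+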
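Review bot: `return self.get_resource_group(username, group)` on the unauthenticated branch of SingleGroupResourceAccessControl.get_resource_group calls the override itself with the same arguments, so any request whose first role is `unauthenticated_public` or `unauthenticated_single_user` recurses until RecursionError instead of falling back to the default group; it should read `return super().get_resource_group(username, group)`. The same branch indexes `group[0]` before checking that the list is non-empty, so an empty role list raises IndexError — `if not group or group[0] in ['unauthenticated_public', 'unauthenticated_single_user']:` sends both cases down the fallback path. When `group` is not a list it is returned verbatim, None included, and callers then use that value as the authorization group, so consider routing the non-list case through the base class as well. Both new signatures (the base-class hunk at old line 64 and this one) take `group`, but their docstrings still list only `username`; add a `group: str or list[str]` entry stating that only the first element is consulted.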

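--- a/bluesky_httpserver/routers/core_api.py
+++ b/bluesky_httpserver/routers/core_api.py
@@ -199,7 +199,7 @@ async def queue_item_add_handler(
 principal=principal, settings=settings, api_access_manager=api_access_manager
 )[0]
 displayed_name = api_access_manager.get_displayed_user_name(username)
-user_group = resource_access_manager.get_resource_group(username)
+user_group = resource_access_manager.get_resource_group(username, principal.roles)
 payload.update({"user": displayed_name, "user_group": user_group})
 
 if "item" not in payload:
@@ -228,7 +228,7 @@ async def queue_item_execute_handler(
 principal=principal, settings=settings, api_access_manager=api_access_manager
 )[0]
 displayed_name = api_access_manager.get_displayed_user_name(username)
-user_group = resource_access_manager.get_resource_group(username)
+user_group = resource_access_manager.get_resource_group(username, principal.roles)
 payload.update({"user": displayed_name, "user_group": user_group})
 
 if "item" not in payload:
@@ -257,7 +257,7 @@ async def queue_item_add_batch_handler(
 principal=principal, settings=settings, api_access_manager=api_access_manager
 )[0]
 displayed_name = api_access_manager.get_displayed_user_name(username)
-user_group = resource_access_manager.get_resource_group(username)
+user_group = resource_access_manager.get_resource_group(username, principal.roles)
 payload.update({"user": displayed_name, "user_group": user_group})
 
 if "items" not in payload:
@@ -330,7 +330,7 @@ async def queue_upload_spreadsheet(
 principal=principal, settings=settings, api_access_manager=api_access_manager
 )[0]
 displayed_name = api_access_manager.get_displayed_user_name(username)
-user_group = resource_access_manager.get_resource_group(username)
+user_group = resource_access_manager.get_resource_group(username, principal.roles)
 
 if custom_module:
 logger.info("Processing spreadsheet using function from external module ...")
@@ -399,7 +399,7 @@ async def queue_item_update_handler(
 principal=principal, settings=settings, api_access_manager=api_access_manager
 )[0]
 displayed_name = api_access_manager.get_displayed_user_name(username)
-user_group = resource_access_manager.get_resource_group(username)
+user_group = resource_access_manager.get_resource_group(username, principal.roles)
 payload.update({"user": displayed_name, "user_group": user_group})
 
 msg = await SR.RM.item_update(**payload)
@@ -719,7 +719,7 @@ async def plans_allowed_handler(
 username = get_current_username(
 principal=principal, settings=settings, api_access_manager=api_access_manager
 )[0]
-user_group = resource_access_manager.get_resource_group(username)
+user_group = resource_access_manager.get_resource_group(username, principal.roles)
 
 if "reduced" in payload:
 reduced = payload["reduced"]
@@ -751,7 +751,7 @@ async def devices_allowed_handler(
 username = get_current_username(
 principal=principal, settings=settings, api_access_manager=api_access_manager
 )[0]
-user_group = resource_access_manager.get_resource_group(username)
+user_group = resource_access_manager.get_resource_group(username, principal.roles)
 
 payload.update({"user_group": user_group})
 
@@ -866,7 +866,7 @@ async def function_execute_handler(
 principal=principal, settings=settings, api_access_manager=api_access_manager
 )[0]
 displayed_name = api_access_manager.get_displayed_user_name(username)
-user_group = resource_access_manager.get_resource_group(username)
+user_group = resource_access_manager.get_resource_group(username, principal.roles)
 payload.update({"user": displayed_name, "user_group": user_group})
 
 if "item" not in payload: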
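Review bot: `principal.roles` is dereferenced unconditionally in all eight handlers (first in the queue_item_add_handler hunk at new line 202), while the new policy's own docstring says unauthenticated requests are expected; if `principal` can be None on that path — it is handed to get_current_username, whose handling of that case is outside these hunks — the attribute access raises AttributeError before the policy is consulted, so confirm that or guard it. Handing the raw role list to the policy also means the resource group used for plan and device authorization is whichever role happens to come first, so the authorization outcome depends on role ordering, which is worth a comment at the call site or an explicit selection before the call. The same two-line pattern is now repeated eight times; a small helper such as `user_group = _resource_group_for(username, principal)` shared by every call site would keep that decision in one place and easier to audit. The enclosing handler bodies start and end outside the hunks.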
