
741 permissions refactoring #1114

15 changes: 7 additions & 8 deletions backend/api_handler.py
Expand Up @@ -16,10 +16,9 @@
from dataall.base.aws.sqs import SqsQueue
from dataall.base.aws.parameter_store import ParameterStoreManager
from dataall.base.context import set_context, dispose_context, RequestContext
from dataall.core.permissions.db import save_permissions_with_tenant
from dataall.core.permissions.db.tenant_policy_repositories import TenantPolicy
from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
from dataall.base.db import get_engine
from dataall.core.permissions import permissions
from dataall.core.permissions.services.tenant_permissions import TENANT_ALL
from dataall.base.loader import load_modules, ImportMode

logger = logging.getLogger()
Expand All @@ -38,7 +37,7 @@
ENGINE = get_engine(envname=ENVNAME)
Worker.queue = SqsQueue.send

save_permissions_with_tenant(ENGINE)
TenantPolicyService.save_permissions_with_tenant(ENGINE)


def resolver_adapter(resolver):
Expand Down Expand Up @@ -143,14 +142,14 @@ def handler(event, context):
log.debug('groups are %s', ','.join(groups))
with ENGINE.scoped_session() as session:
for group in groups:
policy = TenantPolicy.find_tenant_policy(session, group, 'dataall')
policy = TenantPolicyService.find_tenant_policy(session, group, TenantPolicyService.TENANT_NAME)
if not policy:
print(f'No policy found for Team {group}. Attaching TENANT_ALL permissions')
TenantPolicy.attach_group_tenant_policy(
TenantPolicyService.attach_group_tenant_policy(
session=session,
group=group,
permissions=permissions.TENANT_ALL,
tenant_name='dataall',
permissions=TENANT_ALL,
tenant_name=TenantPolicyService.TENANT_NAME,
)

except Exception as e:
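Review bot: The fallback under `if not policy:` still attaches TENANT_ALL to every group in the request that has no tenant policy yet, and reports that grant with `print` while the surrounding block uses `log.debug`; consider `log.warning('No policy found for Team %s. Attaching TENANT_ALL permissions', group)` so these implicit grants land in the handler's log stream where they can be audited. Whether a first-seen group should receive the full tenant permission set by default is a policy decision the refactor leaves unchanged; it is worth confirming that this is intended rather than a bootstrap convenience that survived. Replacing the literal `'dataall'` with `TenantPolicyService.TENANT_NAME` in both calls is a good change. handler's enclosing try block starts before the hunk and the `except Exception as e:` handler continues past it.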
49 changes: 29 additions & 20 deletions backend/dataall/core/environment/api/resolvers.py
Expand Up @@ -16,19 +16,28 @@
from dataall.core.environment.services.environment_resource_manager import EnvironmentResourceManager
from dataall.core.environment.services.environment_service import EnvironmentService
from dataall.core.environment.api.enums import EnvironmentPermission
from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
from dataall.core.stacks.api import stack_helper
from dataall.core.stacks.aws.cloudformation import CloudFormation
from dataall.core.stacks.db.stack_repositories import Stack
from dataall.core.vpc.services.vpc_service import VpcService
from dataall.base.aws.ec2_client import EC2
from dataall.core.permissions import permissions
from dataall.base.feature_toggle_checker import is_feature_enabled
from dataall.base.utils.naming_convention import (
NamingConventionService,
NamingConventionPattern,
)

from dataall.core.organizations.api.resolvers import Context, exceptions, get_organization_simplified
from dataall.core.permissions.services.environment_permissions import (
CREDENTIALS_ENVIRONMENT,
ENABLE_ENVIRONMENT_SUBSCRIPTIONS,
)
from dataall.core.permissions.services.organization_permissions import (
GET_ORGANIZATION,
LINK_ENVIRONMENT,
)


log = logging.getLogger()

Expand Down Expand Up @@ -92,7 +101,7 @@ def check_environment(context: Context, source, account_id, region, data):
def create_environment(context: Context, source, input={}):
if input.get('SamlGroupName') and input.get('SamlGroupName') not in context.groups:
raise exceptions.UnauthorizedOperation(
action=permissions.LINK_ENVIRONMENT,
action=LINK_ENVIRONMENT,
message=f'User: {context.username} is not a member of the group {input["SamlGroupName"]}',
)

Expand Down Expand Up @@ -122,7 +131,7 @@ def create_environment(context: Context, source, input={}):
def update_environment(context: Context, source, environmentUri: str = None, input: dict = None):
if input.get('SamlGroupName') and input.get('SamlGroupName') not in context.groups:
raise exceptions.UnauthorizedOperation(
action=permissions.LINK_ENVIRONMENT,
action=LINK_ENVIRONMENT,
message=f'User: {context.username} is not part of the group {input["SamlGroupName"]}',
)

Expand Down Expand Up @@ -442,12 +451,12 @@ def get_environment_assume_role_url(
groupUri: str = None,
):
with context.engine.scoped_session() as session:
ResourcePolicy.check_user_resource_permission(
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=environmentUri,
permission_name=permissions.CREDENTIALS_ENVIRONMENT,
permission_name=CREDENTIALS_ENVIRONMENT,
)
environment = EnvironmentService.get_environment_by_uri(session, environmentUri)
url = SessionHelper.get_console_access_url(
Expand All @@ -466,12 +475,12 @@ def get_environment_assume_role_url(
@is_feature_enabled('core.features.env_aws_actions')
def generate_environment_access_token(context, source, environmentUri: str = None, groupUri: str = None):
with context.engine.scoped_session() as session:
ResourcePolicy.check_user_resource_permission(
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=environmentUri,
permission_name=permissions.CREDENTIALS_ENVIRONMENT,
permission_name=CREDENTIALS_ENVIRONMENT,
)
environment = EnvironmentService.get_environment_by_uri(session, environmentUri)
c = _get_environment_group_aws_session(
Expand Down Expand Up @@ -514,12 +523,12 @@ def delete_environment(context: Context, source, environmentUri: str = None, del

def enable_subscriptions(context: Context, source, environmentUri: str = None, input: dict = None):
with context.engine.scoped_session() as session:
ResourcePolicy.check_user_resource_permission(
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=environmentUri,
permission_name=permissions.ENABLE_ENVIRONMENT_SUBSCRIPTIONS,
permission_name=ENABLE_ENVIRONMENT_SUBSCRIPTIONS,
)
environment = EnvironmentService.get_environment_by_uri(session, environmentUri)
if input.get('producersTopicArn'):
Expand Down Expand Up @@ -549,12 +558,12 @@ def enable_subscriptions(context: Context, source, environmentUri: str = None, i

def disable_subscriptions(context: Context, source, environmentUri: str = None):
with context.engine.scoped_session() as session:
ResourcePolicy.check_user_resource_permission(
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=environmentUri,
permission_name=permissions.ENABLE_ENVIRONMENT_SUBSCRIPTIONS,
permission_name=ENABLE_ENVIRONMENT_SUBSCRIPTIONS,
)
environment = EnvironmentService.get_environment_by_uri(session, environmentUri)

Expand All @@ -572,12 +581,12 @@ def get_pivot_role_template(context: Context, source, organizationUri=None):
from dataall.base.utils import Parameter

with context.engine.scoped_session() as session:
ResourcePolicy.check_user_resource_permission(
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=organizationUri,
permission_name=permissions.GET_ORGANIZATION,
permission_name=GET_ORGANIZATION,
)
pivot_role_bucket = Parameter().get_parameter(
env=os.getenv('envname', 'local'), path='s3/resources_bucket_name'
Expand Down Expand Up @@ -612,12 +621,12 @@ def get_pivot_role_template(context: Context, source, organizationUri=None):

def get_cdk_exec_policy_template(context: Context, source, organizationUri=None):
with context.engine.scoped_session() as session:
ResourcePolicy.check_user_resource_permission(
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=organizationUri,
permission_name=permissions.GET_ORGANIZATION,
permission_name=GET_ORGANIZATION,
)
cdk_exec_policy_bucket = Parameter().get_parameter(
env=os.getenv('envname', 'local'), path='s3/resources_bucket_name'
Expand Down Expand Up @@ -652,12 +661,12 @@ def get_cdk_exec_policy_template(context: Context, source, organizationUri=None)

def get_external_id(context: Context, source, organizationUri=None):
with context.engine.scoped_session() as session:
ResourcePolicy.check_user_resource_permission(
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=organizationUri,
permission_name=permissions.GET_ORGANIZATION,
permission_name=GET_ORGANIZATION,
)
external_id = SessionHelper.get_external_id_secret()
if not external_id:
Expand All @@ -670,12 +679,12 @@ def get_external_id(context: Context, source, organizationUri=None):

def get_pivot_role_name(context: Context, source, organizationUri=None):
with context.engine.scoped_session() as session:
ResourcePolicy.check_user_resource_permission(
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=organizationUri,
permission_name=permissions.GET_ORGANIZATION,
permission_name=GET_ORGANIZATION,
)
pivot_role_name = SessionHelper.get_delegation_role_name()
if not pivot_role_name:
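Review bot: The authorization preamble `ResourcePolicyService.check_user_resource_permission(session=session, username=context.username, groups=context.groups, resource_uri=..., permission_name=...)` is rewritten verbatim in eight resolvers of this file, from get_environment_assume_role_url down to get_pivot_role_name; since the refactor already touches every occurrence, a module-level helper taking (context, session, resource_uri, permission_name) would leave one place to maintain the check and make a missing or mis-keyed check easier to spot in review. The create_environment and update_environment hunks only swap `permissions.LINK_ENVIRONMENT` for `LINK_ENVIRONMENT` as the action label on the UnauthorizedOperation raised for a group-membership mismatch; presumably the resource-level LINK_ENVIRONMENT check happens later in those functions, which continue outside their hunks. Every rewritten function in this section starts or ends outside the hunk that touches it.
```python
def _check_resource_permission(context: Context, session, resource_uri, permission_name):
    """Delegate the caller's resource-permission check to ResourcePolicyService."""
    ResourcePolicyService.check_user_resource_permission(
        session=session,
        username=context.username,
        groups=context.groups,
        resource_uri=resource_uri,
        permission_name=permission_name,
    )


def get_external_id(context: Context, source, organizationUri=None):
    with context.engine.scoped_session() as session:
        _check_resource_permission(context, session, organizationUri, GET_ORGANIZATION)
        # … unchanged: external id lookup …
```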
4 changes: 2 additions & 2 deletions backend/dataall/core/environment/env_permission_checker.py
@@ -1,11 +1,11 @@
from dataall.base.context import get_context, RequestContext
from dataall.core.permissions.db.group_policy_repositories import GroupPolicy
from dataall.base.utils.decorator_utls import process_func
from dataall.core.permissions.services.group_policy_service import GroupPolicyService


def _check_group_environment_permission(session, permission, uri, admin_group):
context: RequestContext = get_context()
GroupPolicy.check_group_environment_permission(
GroupPolicyService.check_group_environment_permission(
session=session,
username=context.username,
groups=context.groups,