1 # Copyright 2011-2012 GRNET S.A. All rights reserved.
2
3 # Redistribution and use in source and binary forms, with or
4 # without modification, are permitted provided that the following
5 # conditions are met:
6
7 #   1. Redistributions of source code must retain the above
8 #      copyright notice, this list of conditions and the following
9 #      disclaimer.
10
11 #   2. Redistributions in binary form must reproduce the above
12 #      copyright notice, this list of conditions and the following
13 #      disclaimer in the documentation and/or other materials
14 #      provided with the distribution.
15
16 # THIS SOFTWARE IS PROVIDED BY GRNET S.A. ``AS IS'' AND ANY EXPRESS
17 # OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18 # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
19 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GRNET S.A OR
20 # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
21 # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
22 # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
23 # USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
24 # AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 # POSSIBILITY OF SUCH DAMAGE.
28
29 # The views and conclusions contained in the software and
30 # documentation are those of the authors and should not be
31 # interpreted as representing official policies, either expressed
32 # or implied, of GRNET S.A.
33
34 from sqlalchemy.sql import select, literal
35 from sqlalchemy.sql.expression import join, union
36
37 from xfeatures import XFeatures
38 from groups import Groups
39 from public import Public
40
41
# Access-type keys: Permissions passes these as the ``access`` argument to
# the feature_* helpers and maps them to the 'read' / 'write' dict keys.
READ, WRITE = 0, 1
44
45
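class Permissions(XFeatures, Groups, Public):
    """Per-path access control built on XFeatures, Groups and Public.

    Read and write member lists are stored against a path's feature under
    the READ and WRITE keys. A stored member is either a plain member
    name, the wildcard '*' (all), or a group reference 'owner:group'.
    """

    def __init__(self, **params):
        # Each base is initialised explicitly with the same keyword
        # arguments rather than through super().
        XFeatures.__init__(self, **params)
        Groups.__init__(self, **params)
        Public.__init__(self, **params)

    def access_grant(self, path, access, members=()):
        """Grant members with access to path.

        Members can also be '*' (all), or some group specified as
        'owner:group'. An empty members sequence is a no-op: no feature
        is created for the path.
        """
        if not members:
            return
        feature = self.xfeature_create(path)
        self.feature_setmany(feature, access, members)

    def access_set(self, path, permissions):
        """Replace the permissions for path.

        The permissions dict maps 'read', 'write' keys to member lists.
        When both lists are empty or missing, the path's feature is
        destroyed; otherwise the existing READ and WRITE entries are
        cleared and the supplied lists are stored.
        """
        readers = permissions.get('read', [])
        writers = permissions.get('write', [])
        if not readers and not writers:
            self.xfeature_destroy(path)
            return
        feature = self.xfeature_create(path)
        # NOTE(review): clear-then-set spans several statements; presumably
        # the caller runs them in one transaction so that a failure cannot
        # leave the path with partially applied permissions -- confirm.
        self.feature_clear(feature, READ)
        self.feature_clear(feature, WRITE)
        if readers:
            self.feature_setmany(feature, READ, readers)
        if writers:
            self.feature_setmany(feature, WRITE, writers)

    def access_get(self, path):
        """Get permissions for path.

        Returns {} when the path has no feature. Otherwise returns the
        feature's dict with the READ / WRITE keys renamed to 'read' /
        'write'; any other keys are passed through unchanged.
        """
        feature = self.xfeature_get(path)
        if not feature:
            return {}
        permissions = self.feature_dict(feature)
        for key, name in ((READ, 'read'), (WRITE, 'write')):
            if key in permissions:
                permissions[name] = permissions[key]
                del permissions[key]
        return permissions

    def access_members(self, path):
        """Return the members holding read or write access to path.

        Entries of the form 'owner:group' are replaced by the result of
        group_members(owner, group). Entries without a ':' (including
        '*', if stored) are returned as they are. Returns [] when the
        path has no feature.
        """
        feature = self.xfeature_get(path)
        if not feature:
            return []
        permissions = self.feature_dict(feature)
        members = set(permissions.get(READ, []))
        members.update(permissions.get(WRITE, []))
        # Iterate over a snapshot: the set is modified inside the loop.
        # NOTE(review): every entry containing ':' is treated as a group
        # reference; presumably plain member names can never contain
        # ':' -- confirm where names are validated.
        for entry in list(members):
            parts = entry.split(':', 1)
            if len(parts) != 2:
                continue
            owner, group = parts
            members.remove(entry)
            members.update(self.group_members(owner, group))
        return list(members)

    def access_clear(self, path):
        """Revoke access to path (both permissions and public)."""
        self.xfeature_destroy(path)
        self.public_unset(path)

    def access_clear_bulk(self, paths):
        """Revoke access to all paths (both permissions and public)."""
        self.xfeature_destroy_bulk(paths)
        self.public_unset_bulk(paths)

    def access_check(self, path, access, member):
        """Return true if the member has this access to the path.

        Access is granted when the member list stored for this access
        type contains the member itself, the wildcard '*', or
        'owner:group' for any (owner, group) pair yielded by
        group_parents(member). A path without a feature denies access.
        """
        feature = self.xfeature_get(path)
        if not feature:
            return False
        members = self.feature_get(feature, access)
        # NOTE(review): the comparison is on raw strings, so a member
        # value equal to '*' or to an 'owner:group' string would match
        # the corresponding stored entry directly; presumably callers
        # only pass authenticated member names -- confirm.
        if member in members or '*' in members:
            return True
        return any(owner + ':' + group in members
                   for owner, group in self.group_parents(member))

    def access_inherit(self, path):
        """Return the paths influencing the access for path.

        Candidates are the prefixes of path made of its first two or
        more '/'-separated components, each with and without a trailing
        '/' (the trailing-'/' form is skipped when the prefix equals
        path itself). Only candidates for which xfeature_get() returns
        a feature are returned, shortest prefix first.
        """
        # Only keep path components.
        parts = path.rstrip('/').split('/')
        valid = []
        # Start at 1: the first component on its own is never a candidate.
        for i in range(1, len(parts)):
            subp = '/'.join(parts[:i + 1])
            valid.append(subp)
            if subp != path:
                valid.append(subp + '/')
        return [x for x in valid if self.xfeature_get(x)]

    def access_list_paths(self, member, prefix=None):
        """Return the list of paths granted to member.

        A path matches when one of its stored values equals the member
        itself, '*', or 'owner:name' for a groups row whose member
        column equals member. The query built here does not restrict
        the access type. When prefix is given, only paths starting with
        it are returned.
        """
        xfeatures_xfeaturevals = self.xfeatures.join(self.xfeaturevals)

        selectable = (self.groups.c.owner + ':' + self.groups.c.name)
        member_groups = select([selectable.label('value')],
                               self.groups.c.member == member)

        # member and '*' go through literal(), i.e. as bound values
        # rather than text spliced into the statement.
        members = select([literal(member).label('value')])
        everyone = select([literal('*').label('value')])

        u = union(member_groups, members, everyone).alias()
        inner_join = join(xfeatures_xfeaturevals, u,
                          self.xfeaturevals.c.value == u.c.value)
        s = select([self.xfeatures.c.path], from_obj=[inner_join]).distinct()
        if prefix:
            # The prefix passes through escape_like() before '%' is
            # appended; presumably that escapes LIKE wildcards in the
            # caller-supplied prefix -- confirm in escape_like().
            s = s.where(self.xfeatures.c.path.like(
                self.escape_like(prefix) + '%', escape='\\'))
        r = self.conn.execute(s)
        try:
            return [row[0] for row in r.fetchall()]
        finally:
            # Close the result even if fetching raises.
            r.close()

    def access_list_shared(self, prefix=''):
        """Return the list of shared paths.

        Selects every xfeatures path that starts with prefix, in
        ascending path order. With the default empty prefix the LIKE
        pattern is just '%'.
        """
        pattern = self.escape_like(prefix) + '%'
        s = select([self.xfeatures.c.path],
                   self.xfeatures.c.path.like(pattern, escape='\\'))
        s = s.order_by(self.xfeatures.c.path.asc())
        r = self.conn.execute(s)
        try:
            return [row[0] for row in r.fetchall()]
        finally:
            # Close the result even if fetching raises.
            r.close()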