code.grnet.gr Git - pithos/blob - snf-pithos-backend/pithos/backends/lib/sqlalchemy/permissions.py

   1 # Copyright 2011-2012 GRNET S.A. All rights reserved.
   2 #
   3 # Redistribution and use in source and binary forms, with or
   4 # without modification, are permitted provided that the following
   5 # conditions are met:
   6 #
   7 #   1. Redistributions of source code must retain the above
   8 #      copyright notice, this list of conditions and the following
   9 #      disclaimer.
  10 #
  11 #   2. Redistributions in binary form must reproduce the above
  12 #      copyright notice, this list of conditions and the following
  13 #      disclaimer in the documentation and/or other materials
  14 #      provided with the distribution.
  15 #
  16 # THIS SOFTWARE IS PROVIDED BY GRNET S.A. ``AS IS'' AND ANY EXPRESS
  17 # OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  18 # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  19 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GRNET S.A OR
  20 # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  21 # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  22 # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
  23 # USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
  24 # AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  25 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
  26 # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  27 # POSSIBILITY OF SUCH DAMAGE.
  28 #
  29 # The views and conclusions contained in the software and
  30 # documentation are those of the authors and should not be
  31 # interpreted as representing official policies, either expressed
  32 # or implied, of GRNET S.A.
  33
  34 from sqlalchemy.sql import select, literal
  35 from sqlalchemy.sql.expression import join, union
  36
  37 from xfeatures import XFeatures
  38 from groups import Groups
  39 from public import Public
  40
  41
  42 READ = 0
  43 WRITE = 1
  44
  45
  46 class Permissions(XFeatures, Groups, Public):
  47
  48     def __init__(self, **params):
  49         XFeatures.__init__(self, **params)
  50         Groups.__init__(self, **params)
  51         Public.__init__(self, **params)
  52
  53     def access_grant(self, path, access, members=()):
  54         """Grant members with access to path.
  55            Members can also be '*' (all),
  56            or some group specified as 'owner:group'."""
  57
  58         if not members:
  59             return
  60         feature = self.xfeature_create(path)
  61         self.feature_setmany(feature, access, members)
  62
  63     def access_set(self, path, permissions):
  64         """Set permissions for path. The permissions dict
  65            maps 'read', 'write' keys to member lists."""
  66
  67         r = permissions.get('read', [])
  68         w = permissions.get('write', [])
  69         if not r and not w:
  70             self.xfeature_destroy(path)
  71             return
  72         feature = self.xfeature_create(path)
  73         if r:
  74             self.feature_clear(feature, READ)
  75             self.feature_setmany(feature, READ, r)
  76         if w:
  77             self.feature_clear(feature, WRITE)
  78             self.feature_setmany(feature, WRITE, w)
  79
  80     def access_get(self, path):
  81         """Get permissions for path."""
  82
  83         feature = self.xfeature_get(path)
  84         if not feature:
  85             return {}
  86         permissions = self.feature_dict(feature)
  87         if READ in permissions:
  88             permissions['read'] = permissions[READ]
  89             del(permissions[READ])
  90         if WRITE in permissions:
  91             permissions['write'] = permissions[WRITE]
  92             del(permissions[WRITE])
  93         return permissions
  94
  95     def access_members(self, path):
  96         feature = self.xfeature_get(path)
  97         if not feature:
  98             return []
  99         permissions = self.feature_dict(feature)
 100         members = set()
 101         members.update(permissions.get(READ, []))
 102         members.update(permissions.get(WRITE, []))
 103         for m in set(members):
 104             parts = m.split(':', 1)
 105             if len(parts) != 2:
 106                 continue
 107             user, group = parts
 108             members.remove(m)
 109             members.update(self.group_members(user, group))
 110         return list(members)
 111
 112     def access_clear(self, path):
 113         """Revoke access to path (both permissions and public)."""
 114
 115         self.xfeature_destroy(path)
 116         self.public_unset(path)
 117
 118     def access_check(self, path, access, member):
 119         """Return true if the member has this access to the path."""
 120
 121         feature = self.xfeature_get(path)
 122         if not feature:
 123             return False
 124         members = self.feature_get(feature, access)
 125         if member in members or '*' in members:
 126             return True
 127         for owner, group in self.group_parents(member):
 128             if owner + ':' + group in members:
 129                 return True
 130         return False
 131
 132     def access_inherit(self, path):
 133         """Return the paths influencing the access for path."""
 134
 135 #         r = self.xfeature_inherit(path)
 136 #         if not r:
 137 #             return []
 138 #         # Compute valid.
 139 #         return [x[0] for x in r if x[0] in valid]
 140
 141         # Only keep path components.
 142         parts = path.rstrip('/').split('/')
 143         valid = []
 144         for i in range(1, len(parts)):
 145             subp = '/'.join(parts[:i + 1])
 146             valid.append(subp)
 147             if subp != path:
 148                 valid.append(subp + '/')
 149         return [x for x in valid if self.xfeature_get(x)]
 150
 151     def access_list_paths(self, member, prefix=None):
 152         """Return the list of paths granted to member."""
 153
 154         xfeatures_xfeaturevals =  self.xfeatures.join(self.xfeaturevals)
 155
 156         selectable = (self.groups.c.owner + ':' + self.groups.c.name)
 157         member_groups = select([selectable.label('value')],
 158             self.groups.c.member == member)
 159
 160         members = select([literal(member).label('value')])
 161         any = select([literal('*').label('value')])
 162
 163         u = union(member_groups, members, any).alias()
 164         inner_join = join(xfeatures_xfeaturevals, u,
 165                     self.xfeaturevals.c.value == u.c.value)
 166         s = select([self.xfeatures.c.path], from_obj=[inner_join]).distinct()
 167         if prefix:
 168             s = s.where(self.xfeatures.c.path.like(self.escape_like(prefix) + '%', escape='\\'))
 169         r = self.conn.execute(s)
 170         l = [row[0] for row in r.fetchall()]
 171         r.close()
 172         return l
 173
 174     def access_list_shared(self, prefix=''):
 175         """Return the list of shared paths."""
 176
 177         s = select([self.xfeatures.c.path],
 178             self.xfeatures.c.path.like(self.escape_like(prefix) + '%', escape='\\')).order_by(self.xfeatures.c.path.asc())
 179         r = self.conn.execute(s)
 180         l = [row[0] for row in r.fetchall()]
 181         r.close()
 182         return l