cowbird.permissions_synchronizer
================================

.. py:module:: cowbird.permissions_synchronizer


Attributes
----------

.. autoapisummary::

   cowbird.permissions_synchronizer.TargetResourcePermissions
   cowbird.permissions_synchronizer.PermissionMapping
   cowbird.permissions_synchronizer.LOGGER
   cowbird.permissions_synchronizer.SEGMENT_NAME_REGEX
   cowbird.permissions_synchronizer.RES_NAMETYPE_SEPARATOR
   cowbird.permissions_synchronizer.PERMISSION_DEFAULT_ACCESS
   cowbird.permissions_synchronizer.PERMISSION_DEFAULT_SCOPE


Classes
-------

.. autoapisummary::

   cowbird.permissions_synchronizer.Permission
   cowbird.permissions_synchronizer.SyncPoint
   cowbird.permissions_synchronizer.PermissionSynchronizer


Module Contents
---------------

.. py:data:: TargetResourcePermissions

.. py:data:: PermissionMapping

.. py:data:: LOGGER

.. py:data:: SEGMENT_NAME_REGEX
   :value: '[\\w:-]+'


.. py:data:: RES_NAMETYPE_SEPARATOR
   :value: '::'


.. py:data:: PERMISSION_DEFAULT_ACCESS
   :value: 'allow'


.. py:data:: PERMISSION_DEFAULT_SCOPE
   :value: 'recursive'


.. py:class:: Permission(service_name: str, service_type: str, resource_id: int, resource_full_name: str, name: str, access: str, scope: str, user: str = None, group: str = None, resource_display_name: str = None)

   Define every property required to set a permission in Magpie.


   .. py:attribute:: service_name


   .. py:attribute:: service_type


   .. py:attribute:: resource_id


   .. py:attribute:: resource_full_name


   .. py:attribute:: resource_display_name
      :value: None


   .. py:attribute:: name


   .. py:attribute:: access


   .. py:attribute:: scope


   .. py:attribute:: user
      :value: None


   .. py:attribute:: group
      :value: None


   .. py:method:: __eq__(other: Permission) -> bool


   .. py:method:: get_full_permission_value() -> str

      Returns the full permission value, consisting of the name-access-scope values.


.. py:class:: SyncPoint(services: cowbird.typedefs.SyncPointServicesType, permissions_mapping_list: cowbird.typedefs.SyncPointMappingType)

   A sync point contains services sharing resources via multiple APIs.

   It defines how the same resource is defined in each service and what the mappings between permission accesses
   are.

   Initializes the sync point, which holds the services with their respective resource roots and how accesses are
   mapped between them.

   :param services: Dict containing the resource keys by service type and all the names/types of each segment of
                    those resource keys
   :param permissions_mapping_list: List of strings representing a permission mapping between two resource keys


   .. py:attribute:: services
      :type: cowbird.typedefs.SyncPointServicesType


   .. py:attribute:: resources


   .. py:attribute:: permissions_mapping
      :type: PermissionMapping


   .. py:method:: _get_explicit_permission(permission: str) -> str
      :staticmethod:


      Converts a permission that could use an implicit format ('' or '-match') to an explicit format ('--').


   .. py:method:: _add_mapping(src_key: str, src_permissions: str, target_key: str, target_permissions: str) -> None

      Adds a source/target permission mapping to the object's permissions mapping.


   .. py:method:: _generate_regex_from_segments(res_segments: List[cowbird.typedefs.ConfigSegment]) -> Tuple[str, int]
      :staticmethod:


      Generates a regex for a resource_nametype_path (ex.: /name1::type1/name2::type2) from a list of segments.

      Returns the regex along with the count of segments in the regex that are named. This count excludes
      tokenized segments.


   .. py:method:: _generate_nametype_path_from_segments(res_segments: List[cowbird.typedefs.ConfigSegment], src_resource_tree: cowbird.typedefs.ResourceTree) -> str
      :staticmethod:


      Generate nametype path (ex.: /name1::type1/name2::type2 where name can be a field found in ResourceSegment).

      :param res_segments: list of segments
      :param src_resource_tree: Resource tree associated with the permission to synchronize


   .. py:method:: _remove_type_from_nametype_path(nametype_path: str) -> str
      :staticmethod:


      Removes the type from a nametype path (ex.: /name1::type1/name2::type2 becomes /name1/name2).


   .. py:method:: _find_matching_res(permission: Permission, src_resource_tree: cowbird.typedefs.ResourceTree) -> Tuple[str, Union[Collection[str], Dict[str, str]]]

      Finds a resource key that matches the input resource path, in the sync_permissions config.

      Note that it returns the longest match and only the named segments of the path are included in the length
      value. Any tokenized segment is ignored in the length.

      :param permission: Permission of the service associated with the input resource.
      :param src_resource_tree: Resource tree associated with the permission to synchronize


   .. py:method:: _create_res_data(target_segments: List[cowbird.typedefs.ConfigSegment], input_matched_groups: Union[Collection[str], Dict[str, str]]) -> List[cowbird.typedefs.ResourceSegment]
      :staticmethod:


      Creates resource data, by replacing any tokens found in the segment names with their actual corresponding
      values.

      This data includes the name and type of each segment of a full resource path. In the case where a regex is
      found in the target segment, the data will be formed using the same resource_type for every match in the
      current segment.

      :param target_segments: List containing the name and type info of each segment of the target resource path.
      :param input_matched_groups:


   .. py:method:: _get_resource_full_name_and_type(res_key: str, matched_groups: Union[Collection[str], Dict[str, str]]) -> Tuple[str, List[cowbird.typedefs.ResourceSegment]]

      Finds the resource data from the config by using the resource key.

      Returns the formatted resource data along with the related service name.


   .. py:method:: _get_src_permissions() -> Iterator[Tuple[str, str]]

      Yields all source resource/permissions found in the mappings.


   .. py:method:: _is_in_permissions(target_permission: str, svc_name: str, src_res_data: List[cowbird.typedefs.ResourceSegment], permissions: cowbird.typedefs.JSON) -> bool
      :staticmethod:


      Checks if a target permission is found in a permissions dict.

      The check is done by looking for the target permission's resource path in the permissions dict.


   .. py:method:: _filter_used_targets(target_res_and_permissions: TargetResourcePermissions, input_src_res_key: str, src_matched_groups: Union[Collection[str], Dict[str, str]], input_permission: Permission) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]

      Filters a dictionary of target resource/permissions, keeping only the permissions which should actually be
      removed.

      This is used for the `deleted` webhook event, where not all target permissions should necessarily be synced.
      Any target permission that is also a target permission in another mapping and where the source permission of
      that other mapping still exists should not be synced yet, since it would destroy that other mapping.
      Ex.:

      .. code-block:: text

          A -> C
          B -> C

          or

          [A,B] -> C

      If the `A -> C` mapping was triggered for a `deleted` webhook event, the `C` target permission should only
      be synced if both `A` and `B` permissions don't exist.


   .. py:method:: _get_permission_data(user_targets: Dict[str, List[str]], group_targets: Dict[str, List[str]], src_matched_groups: Union[Collection[str], Dict[str, str]], input_permission: Permission) -> cowbird.typedefs.PermissionData

      Formats permissions data to send to Magpie.

      Output contains, for each target resource key, the resource path (with the name of each segment and its
      corresponding type), and all the permissions to sync, defining for each permission, if it is on a user, a
      group, or both.

      Output dict format:

      .. code-block:: json

          {
              "": {
                  "res_path": [""],
                  "permissions": {
                      "": [{"user": "...", "group": "..."}]
                  }
              }
          }


   .. py:method:: _prepare_permissions_to_remove(target_res_and_permissions: TargetResourcePermissions, input_permission: Permission, input_src_res_key: str, src_matched_groups: Union[Collection[str], Dict[str, str]]) -> cowbird.typedefs.PermissionData

      Removes every source resource found in the mappings that has an existing permission that is synced to one of
      the input target permissions.

      Used in the case of a `deleted` webhook event.


   .. py:method:: _find_permissions_to_sync(src_res_key: str, src_matched_groups: Union[Collection[str], Dict[str, str]], input_permission: Permission, perm_operation: Callable[[List[cowbird.typedefs.PermissionConfigItemType]], None]) -> cowbird.typedefs.PermissionData

      Finds all permissions that should be synchronised with the source resource.


   .. py:method:: sync(perm_operation: Callable[[List[cowbird.typedefs.PermissionConfigItemType]], None], permission: Permission, src_resource_tree: cowbird.typedefs.ResourceTree) -> None

      Create or delete the target permissions that are mapped to the source resource that triggered the event.

      :param perm_operation: Magpie create_permission or delete_permission function
      :param permission: Permission to synchronize with other services
      :param src_resource_tree: Resource tree associated with the permission to synchronize


.. py:class:: PermissionSynchronizer(magpie_inst: cowbird.handlers.impl.magpie.Magpie)

   Bases: :py:obj:`object`


   Keep service-shared resources in sync when permissions are updated for one of them.

   .. todo:: At some point we will need a consistency function that goes through all permissions of all services
             and makes sure that linked services have the same permissions.


   .. py:attribute:: sync_point
      :value: []


   .. py:attribute:: magpie_inst


   .. py:method:: create_permission(permission: Permission) -> None

      Create the same permission on each service sharing the same resource.


   .. py:method:: delete_permission(permission: Permission) -> None

      Delete the same permission on each service sharing the same resource.
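The `deleted`-event rule documented for `_filter_used_targets` (a target permission is dropped only when no other mapped source permission still exists), shown as an added example that is not Cowbird's own code. `PermMapping`, `Grant`, `removable_targets` and the sample resource keys, principals and permission values are hypothetical and constructed for illustration; removing `C` too early would revoke access that is still granted through `B`.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class PermMapping(NamedTuple):  # hypothetical shape of one "source -> target" rule
    src_key: str
    src_perm: str
    target_key: str
    target_perm: str


Grant = Tuple[str, str, str]  # (resource key, name-access-scope value, principal)


def removable_targets(deleted: Grant, mappings: List[PermMapping],
                      existing: Set[Grant]) -> Dict[str, List[str]]:
    """Targets of `deleted` that no other surviving source grant still requires."""
    del_key, del_perm, principal = deleted
    # Index each target permission by every source that can produce it.
    sources_of = defaultdict(set)
    for m in mappings:
        sources_of[(m.target_key, m.target_perm)].add((m.src_key, m.src_perm))

    removable = defaultdict(list)
    for (t_key, t_perm), sources in sources_of.items():
        if (del_key, del_perm) not in sources:
            continue  # this target is not mapped from the deleted permission
        others = sources - {(del_key, del_perm)}
        # Keep the target while another source grant exists for the same principal.
        if any((k, p, principal) in existing for k, p in others):
            continue
        removable[t_key].append(t_perm)
    return {key: sorted(perms) for key, perms in removable.items()}


# Constructed sample: A -> C, B -> C and A -> D.
MAPPINGS = [
    PermMapping("A", "read-allow-recursive", "C", "read-allow-recursive"),
    PermMapping("B", "read-allow-recursive", "C", "read-allow-recursive"),
    PermMapping("A", "read-allow-recursive", "D", "browse-allow-recursive"),
]
EXISTING = {("B", "read-allow-recursive", "user:alice")}  # alice still holds B

if __name__ == "__main__":
    # alice loses A: C survives because of B, only D is removed.
    print(removable_targets(("A", "read-allow-recursive", "user:alice"), MAPPINGS, EXISTING))
    # bob loses A and holds nothing else: both C and D are removed.
    print(removable_targets(("A", "read-allow-recursive", "user:bob"), MAPPINGS, EXISTING))
```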