Partially completed backend development of permissions management

api/lib/perm/acl/__init__.py

@@ -0,0 +1 @@
+# -*- coding:utf-8 -*-

api/lib/perm/acl/cache.py

@@ -0,0 +1,91 @@
+# -*- coding:utf-8 -*-
+
+from api.extensions import cache
+from api.models.acl import Role
+
+
+class RoleCache(object):
+    PREFIX_ID = "Role::id::{0}"
+    PREFIX_NAME = "Role::app_id::{0}::name::{1}"
+
+    @classmethod
+    def get_by_name(cls, app_id, name):
+        role = cache.get(cls.PREFIX_NAME.format(app_id, name))
+        if role is None:
+            role = Role.get_by(app_id=app_id, name=name, first=True, to_dict=False)
+            if role is not None:
+                cache.set(cls.PREFIX_NAME.format(app_id, name), role)
+
+        return role
+
+    @classmethod
+    def get(cls, rid):
+        role = cache.get(cls.PREFIX_ID.format(rid))
+        if role is None:
+            role = Role.get_by_id(rid)
+            if role is not None:
+                cache.set(cls.PREFIX_ID.format(rid), role)
+
+        return role
+
+    @classmethod
+    def clean(cls, rid):
+        cache.delete(cls.PREFIX_ID.format(rid))
+
+    @classmethod
+    def clean_by_name(cls, app_id, name):
+        cache.delete(cls.PREFIX_NAME.format(app_id, name))
+
+
+class RoleRelationCache(object):
+    PREFIX_PARENT = "RoleRelationParent::id::{0}"
+    PREFIX_CHILDREN = "RoleRelationChildren::id::{0}"
+    PREFIX_RESOURCES = "RoleRelationResources::id::{0}"
+
+    @classmethod
+    def get_parent_ids(cls, rid):
+        parent_ids = cache.get(cls.PREFIX_PARENT.format(rid))
+        if not parent_ids:
+            from api.lib.perm.acl.role import RoleCRUD
+            parent_ids = RoleCRUD.get_parent_ids(rid)
+            cache.set(cls.PREFIX_PARENT.format(rid), parent_ids, timeout=0)
+
+        return parent_ids
+
+    @classmethod
+    def get_child_ids(cls, rid):
+        child_ids = cache.get(cls.PREFIX_CHILDREN.format(rid))
+        if not child_ids:
+            from api.lib.perm.acl.role import RoleCRUD
+            child_ids = RoleCRUD.get_child_ids(rid)
+            cache.set(cls.PREFIX_CHILDREN.format(rid), child_ids, timeout=0)
+
+        return child_ids
+
+    @classmethod
+    def get_resources(cls, rid):
+        """
+        :param rid: 
+        :return: {id2perms: {resource_id: [perm,]}, group2perms: {group_id: [perm, ]}}
+        """
+        resources = cache.get(cls.PREFIX_RESOURCES.format(rid))
+        if not resources:
+            from api.lib.perm.acl.role import RoleCRUD
+            resources = RoleCRUD.get_resources(rid)
+            cache.set(cls.PREFIX_RESOURCES.format(rid), resources, timeout=0)
+
+        return resources or {}
+
+    @classmethod
+    def rebuild(cls, rid):
+        cls.clean(rid)
+
+        cls.get_parent_ids(rid)
+        cls.get_child_ids(rid)
+        cls.get_resources(rid)
+
+    @classmethod
+    def clean(cls, rid):
+        cache.delete(cls.PREFIX_PARENT.format(rid))
+        cache.delete(cls.PREFIX_CHILDREN.format(rid))
+        cache.delete(cls.PREFIX_RESOURCES.format(rid))

api/lib/perm/acl/const.py

@@ -0,0 +1,4 @@
+# -*- coding:utf-8 -*-
+
+
+ACL_QUEUE = "acl_async"

api/lib/perm/acl/resource.py

@@ -0,0 +1,158 @@
+# -*- coding:utf-8 -*-
+
+
+from flask import abort
+
+from api.extensions import db
+from api.models.acl import Permission
+from api.models.acl import Resource
+from api.models.acl import ResourceGroup
+from api.models.acl import ResourceGroupItems
+from api.models.acl import ResourceType
+
+
+class ResourceTypeCRUD(object):
+    @staticmethod
+    def search(q, app_id, page=1, page_size=None):
+        query = db.session.query(ResourceType).filter(
+            ResourceType.deleted.is_(False)).filter(ResourceType.app_id == app_id)
+        if q:
+            query = query.filter(ResourceType.name.ilike('%{0}%'.format(q)))
+
+        numfound = query.count()
+
+        return numfound, query.offset((page - 1) * page_size).limit(page_size)
+
+    @classmethod
+    def add(cls, app_id, name, perms):
+        ResourceType.get_by(name=name, app_id=app_id) and abort(
+            400, "ResourceType <{0}> is already existed".format(name))
+
+        rt = ResourceType.create(name=name, app_id=app_id)
+
+        cls.update_perms(rt.id, perms, app_id)
+
+        return rt
+
+    @classmethod
+    def update(cls, rt_id, **kwargs):
+        rt = ResourceType.get_by_id(rt_id) or abort(404, "ResourceType <{0}> is not found".format(rt_id))
+        if 'name' in kwargs:
+            other = ResourceType.get_by(name=kwargs['name'], app_id=rt.app_id, to_dict=False, first=True)
+            if other.id != rt_id:
+                return abort(400, "ResourceType <{0}> is duplicated".format(kwargs['name']))
+
+        if 'perms' in kwargs:
+            cls.update_perms(rt_id, kwargs['perms'], rt.app_id)
+
+        return rt.update(**kwargs)
+
+    @classmethod
+    def delete(cls, rt_id):
+        rt = ResourceType.get_by_id(rt_id) or abort(404, "ResourceType <{0}> is not found".format(rt_id))
+
+        cls.update_perms(rt_id, [], rt.app_id)
+
+        rt.soft_delete()
+
+    @classmethod
+    def update_perms(cls, rt_id, perms, app_id):
+        existed = Permission.get_by(resource_type_id=rt_id, to_dict=False)
+        existed_names = [i.name for i in existed]
+
+        for i in existed:
+            if i.name not in perms:
+                i.soft_delete()
+
+        for i in perms:
+            if i not in existed_names:
+                Permission.create(resource_type_id=rt_id,
+                                  name=i,
+                                  app_id=app_id)
+
+
+class ResourceGroupCRUD(object):
+    @staticmethod
+    def search(q, app_id, page=1, page_size=None):
+        query = db.session.query(ResourceGroup).filter(
+            ResourceGroup.deleted.is_(False)).filter(ResourceGroup.app_id == app_id)
+
+        if q:
+            query = query.filter(ResourceGroup.name.ilike("%{0}%".format(q)))
+
+        numfound = query.count()
+
+        return numfound, query.offset((page - 1) * page_size).limit(page_size)
+
+    @staticmethod
+    def get_items(rg_id):
+        items = ResourceGroupItems.get_by(group_id=rg_id, to_dict=False)
+
+        return [i.resource.to_dict() for i in items]
+
+    @staticmethod
+    def add(name, type_id, app_id):
+        ResourceGroup.get(name=name, resource_type_id=type_id, app_id=app_id) and abort(
+            400, "ResourceGroup <{0}> is already existed".format(name))
+
+        return ResourceGroup.create(name=name, resource_type_id=type_id, app_id=app_id)
+
+    @staticmethod
+    def update(rg_id, items):
+        existed = ResourceGroupItems.get_by(group_id=rg_id, to_dict=False)
+        existed_ids = [i.resource_id for i in existed]
+
+        for i in existed:
+            if i.resource_id not in items:
+                i.soft_delete()
+
+        for _id in items:
+            if _id not in existed_ids:
+                ResourceGroupItems.create(group_id=rg_id, resource_id=_id)
+
+    @staticmethod
+    def delete(rg_id):
+        rg = ResourceGroup.get_by_id(rg_id) or abort(404, "ResourceGroup <{0}> is not found".format(rg_id))
+
+        rg.soft_delete()
+
+        items = ResourceGroupItems.get_by(group_id=rg_id, to_dict=False)
+        for item in items:
+            item.soft_delete()
+
+
+class ResourceCRUD(object):
+    @staticmethod
+    def search(q, app_id, page=1, page_size=None):
+        query = db.session.query(Resource).filter(
+            Resource.deleted.is_(False)).filter(Resource.app_id == app_id)
+
+        if q:
+            query = query.filter(Resource.name.ilike("%{0}%".format(q)))
+
+        numfound = query.count()
+
+        return numfound, query.offset((page - 1) * page_size).limit(page_size)
+
+    @staticmethod
+    def add(name, type_id, app_id):
+        Resource.get(name=name, resource_type_id=type_id, app_id=app_id) and abort(
+            400, "Resource <{0}> is already existed".format(name))
+
+        return Resource.create(name=name, resource_type_id=type_id, app_id=app_id)
+
+    @staticmethod
+    def update(_id, name):
+        resource = Resource.get_by_id(_id) or abort(404, "Resource <{0}> is not found".format(_id))
+
+        other = Resource.get_by(name=name, resource_type_id=resource.resource_type_id, to_dict=False, first=True)
+        if other.id != _id:
+            return abort(400, "Resource <{0}> is duplicated".format(name))
+
+        return resource.update(name=name)
+
+    @staticmethod
+    def delete(_id):
+        resource = Resource.get_by_id(_id) or abort(404, "Resource <{0}> is not found".format(_id))
+
+        resource.soft_delete()

api/lib/perm/acl/role.py

@@ -0,0 +1,168 @@
+# -*- coding:utf-8 -*-
+
+
+from flask import abort
+
+from api.extensions import db
+from api.lib.perm.acl.cache import RoleCache
+from api.lib.perm.acl.cache import RoleRelationCache
+from api.lib.perm.acl.const import ACL_QUEUE
+from api.models.acl import Resource
+from api.models.acl import ResourceGroupItems
+from api.models.acl import Role
+from api.models.acl import RolePermission
+from api.models.acl import RoleRelation
+from api.tasks.acl import role_rebuild
+
+
+class RoleRelationCRUD(object):
+    pass
+
+
+class RoleCRUD(object):
+    @staticmethod
+    def search(q, app_id, page=1, page_size=None):
+        query = db.session.query(Role).filter(Role.deleted.is_(False)).filter(
+            Role.app_id == app_id).filter(Role.uid.is_(None))
+        if q:
+            query = query.filter(Role.name.ilike('%{0}%'.format(q)))
+
+        numfound = query.count()
+
+        return numfound, query.offset((page - 1) * page_size).limit(page_size)
+
+    @staticmethod
+    def add_role(name, app_id, is_app_admin=False, uid=None):
+        Role.get_by(name=name, app_id=app_id) and abort(400, "Role <{0}> is already existed".format(name))
+
+        return Role.create(name=name,
+                           app_id=app_id,
+                           is_app_admin=is_app_admin,
+                           uid=uid)
+
+    @staticmethod
+    def update_role(rid, **kwargs):
+        role = Role.get_by_id(rid) or abort(404, "Role <{0}> does not exist".format(rid))
+
+        RoleCache.clean(rid)
+
+        return role.update(**kwargs)
+
+    @classmethod
+    def delete_role(cls, rid):
+        role = Role.get_by_id(rid) or abort(404, "Role <{0}> does not exist".format(rid))
+
+        parent_ids = cls.get_parent_ids(rid)
+        child_ids = cls.get_child_ids(rid)
+
+        for i in RoleRelation.get_by(parent_id=rid, to_dict=False):
+            i.soft_delete()
+        for i in RoleRelation.get_by(child_id=rid, to_dict=False):
+            i.soft_delete()
+
+        for i in RolePermission.get_by(rid=rid, to_dict=False):
+            i.soft_delete()
+
+        role_rebuild.apply_async(args=(parent_ids + child_ids,), queue=ACL_QUEUE)
+
+        RoleCache.clean(rid)
+        RoleRelationCache.clean(rid)
+
+        role.soft_delete()
+
+    @staticmethod
+    def get_resources(rid):
+        res = RolePermission.get_by(rid=rid, to_dict=False)
+        id2perms = dict(id2perms={}, group2perms={})
+        for i in res:
+            if i.resource_id:
+                id2perms['id2perms'].setdefault(i.resource_id, []).append(i.perm.name)
+            elif i.group_id:
+                id2perms['group2perms'].setdefault(i.group_id, []).append(i.perm.name)
+
+        return id2perms
+
+    @staticmethod
+    def get_group_ids(resource_id):
+        return [i.group_id for i in ResourceGroupItems.get_by(resource_id, to_dict=False)]
+
+    @staticmethod
+    def get_parent_ids(rid):
+        res = RoleRelation.get_by(child_id=rid, to_dict=False)
+
+        return [i.parent_id for i in res]
+
+    @staticmethod
+    def get_child_ids(rid):
+        res = RoleRelation.get_by(child_id=rid, to_dict=False)
+
+        return [i.parent_id for i in res]
+
+    @classmethod
+    def recursive_parent_ids(cls, rid):
+        all_parent_ids = set()
+
+        def _get_parent(_id):
+            all_parent_ids.add(_id)
+            parent_ids = RoleRelationCache.get_parent_ids(_id)
+            for parent_id in parent_ids:
+                _get_parent(parent_id)
+
+        _get_parent(rid)
+
+        return all_parent_ids
+
+    @classmethod
+    def recursive_child_ids(cls, rid):
+        all_child_ids = set()
+
+        def _get_children(_id):
+            all_child_ids.add(_id)
+            child_ids = RoleRelationCache.get_child_ids(_id)
+            for child_id in child_ids:
+                _get_children(child_id)
+
+        _get_children(rid)
+
+        return all_child_ids
+
+    @classmethod
+    def has_permission(cls, rid, resource_name, perm):
+        resource = Resource.get_by(name=resource_name, first=True, to_dict=False)
+        resource = resource or abort(403, "Resource <{0}> is not in ACL".format(resource_name))
+
+        parent_ids = cls.recursive_parent_ids(rid)
+
+        group_ids = cls.get_group_ids(resource.id)
+
+        for parent_id in parent_ids:
+            id2perms = RoleRelationCache.get_resources(parent_id)
+
+            perms = id2perms['id2perms'].get(resource.id, [])
+            if perms and {perm}.issubset(set(perms)):
+                return True
+
+            for group_id in group_ids:
+                perms = id2perms['group2perms'].get(group_id, [])
+                if perms and {perm}.issubset(set(perms)):
+                    return True
+
+        return False
+
+    @classmethod
+    def get_permissions(cls, rid, resource_name):
+        resource = Resource.get_by(name=resource_name, first=True, to_dict=False)
+        resource = resource or abort(403, "Resource <{0}> is not in ACL".format(resource_name))
+
+        parent_ids = cls.recursive_parent_ids(rid)
+        group_ids = cls.get_group_ids(resource.id)
+
+        perms = []
+        for parent_id in parent_ids:
+            id2perms = RoleRelationCache.get_resources(parent_id)
+            perms += id2perms['id2perms'].get(parent_id, [])
+
+            for group_id in group_ids:
+                perms += id2perms['group2perms'].get(group_id, [])
+
+        return set(perms)