# Developing ACL AuthZ method using pyCasbin

1. Register 3 Users
  - Owner: manages organization
  - Member: manages datasets, software, and computations
  - Guest: has no access granted
  
2. Create Organization, as the Owner persona

3. Owner Persona adds the Member to the Organization

4. Member creates a Project

5. Member then creates one of each digital Object

6. Owner validates they can access each of the digital objects

7. Guest tries to access the following and is rejected

- List Operations
    - GET /organization/...
    - GET /projects/....
    - GET /
- Detail View
- Download Datasets
- Download Software
- 


In [98]:
import json
import requests
import base64
import casbin
import pymongo

root_url = "http://localhost:8000/"

In [99]:
def pprint(passed_json):
    print(json.dumps(passed_json, indent=4))

In [100]:
from mds.database.mongo import GetConfig

In [101]:
# create users
user1_data = {
	"@id": "ark:99999/test-user1",
	"name": "Test User1",
	"type": "Person",
	"email": "testuser1@example.org",
	"password": "test1",
	"organizations": [],
	"projects": [],
	"datasets": [],
	"software": [],
	"computations": [],
	"evidencegraphs": []
	}
user2_data = {
	"@id": "ark:99999/test-user2",
	"name": "Test User2",
	"type": "Person",
	"email": "testuser2@example.org",
	"password": "test2",
	"organizations": [],
	"projects": [],
	"datasets": [],
	"software": [],
	"computations": [],
	"evidencegraphs": []
	}
user3_data = {
	"@id": "ark:99999/test-user3",
	"name": "Test User3",
	"type": "Person",
	"email": "testuser3@example.org",
	"password": "test3",
	"organizations": [],
	"projects": [],
	"datasets": [],
	"software": [],
	"computations": [],
	"evidencegraphs": []
	}

# create user1
create_user1 = requests.post(root_url + "user", data=json.dumps(user1_data))
print(json.dumps(create_user1.json(), indent=4) + "\n")

# create user2
create_user2 = requests.post(root_url + "user", data=json.dumps(user2_data))
print(json.dumps(create_user2.json(), indent=4) + "\n")

# create user2
create_user3 = requests.post(root_url + "user", data=json.dumps(user3_data))
print(json.dumps(create_user3.json(), indent=4) + "\n")

{
    "created": {
        "@id": "ark:99999/test-user1",
        "@type": "Person",
        "name": "Test User1"
    }
}

{
    "created": {
        "@id": "ark:99999/test-user2",
        "@type": "Person",
        "name": "Test User2"
    }
}

{
    "created": {
        "@id": "ark:99999/test-user3",
        "@type": "Person",
        "name": "Test User3"
    }
}



### Creating Organization with AuthZ

- Basic Auth is Passed through

In [102]:
# user creates organization
cama_organization = {
  "@id": "ark:99999/CAMA",
  "@type": "Organization",
  "name": "Center for Advanced Medical Analytics",
  "@context": {
    "@vocab": "https://schema.org/",
    "evi": "https://w3id.org/EVI#"
  }
}

In [103]:
encoded_credentials = base64.b64encode(
    bytes(f"{user1_data.get('email')}:{user1_data.get('password')}", "utf-8"))

owner_headers = {"Authorization" : f"Basic {str(encoded_credentials, 'utf-8')}" }

create_org = requests.post(
    root_url + "organization", 
    data=json.dumps(cama_organization), 
    headers=owner_headers
    )

pprint(create_org.json())

## Reading Organization as Owner

In [107]:
read_org_owner = requests.get(
    root_url + "organization/" + cama_organization.get("@id"),
    headers=owner_headers
    )

pprint(read_org_owner.json())

{
    "@id": "ark:99999/CAMA",
    "@type": "Organization",
    "owner": {
        "@id": "ark:99999/test-user1",
        "@type": "Person",
        "name": "Test User1",
        "email": "testuser1@example.org"
    },
    "members": null,
    "projects": null,
    "@context": {
        "@vocab": "https://schema.org/",
        "evi": "https://w3id.org/EVI#"
    },
    "name": "Center for Advanced Medical Analytics"
}


## Reading Organization as Guest

In [110]:
guest_encoded_credentials = base64.b64encode(
    bytes(f"{user3_data.get('email')}:{user3_data.get('password')}", "utf-8"))

guest_headers = {"Authorization" : f"Basic {str(guest_encoded_credentials, 'utf-8')}" }

read_org_guest = requests.get(
    root_url + "organization/" + cama_organization.get("@id"),
    headers=guest_headers
    )

pprint(read_org_guest.json())

{
    "@id": "ark:99999/CAMA",
    "error": "access not granted for read organization"
}


### Parse Authorization Header

In [39]:
# parse the basic authentication
authz_header = owner_headers.get("Authorization").strip("Basic ")
email, password = str(base64.b64decode(authz_header), 'utf-8').split(":")

dGVzdHVzZXIxQGV4YW1wbGUub3JnOnRlc3Qx


In [57]:
print(f"email: {email}\tpassword: {password}")

email: testuser1@example.org	password: test1


In [62]:
# get mongo collection
mongo_client = GetConfig()
mongo_db = mongo_client["test"]
mongo_collection = mongo_db["testcol"]

In [65]:
auth_user = mongo_collection.find_one({
    "@type": "Person", 
    "email": email,
    "password": password
    })

if auth_user == None:
    # return 401 error
    pass

In [71]:
from mds.models.compact.user import UserCompactView

In [72]:

owner = UserCompactView(**auth_user)

UserCompactView(id='ark:99999/test-user1', type='Person', name='Test User1', email='testuser1@example.org')

In [None]:
# use passed user to add to metadata for group


In [96]:
create_org = requests.post(
    root_url + "organization", 
    data=json.dumps(cama_organization), 
    headers=owner_headers
    )

In [97]:
pprint(create_org.json())

{
    "created": {
        "@id": "ark:99999/CAMA",
        "@type": "Organization"
    }
}


In [79]:
import casbin
enforcer = casbin.Enforcer("./tests/model.conf", "./tests/policy.csv")
enforcer.load_policy()

In [86]:
import casbin_pymongo_adapter
import casbin
from urllib.parse import quote_plus



In [87]:

adapter = casbin_pymongo_adapter.Adapter(
    f"mongodb://{quote_plus('root')}:{quote_plus('example')}@localhost:27017/", "test")
e = casbin.Enforcer('./tests/model.conf', adapter)

In [88]:
e.load_policy()

In [None]:
added_policy = e.add_policy()