-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add permissions and API for making SQL queries
JIRA: RHELWF-9014, RHELWF-9015
- Loading branch information
Showing
11 changed files
with
484 additions
and
63 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
# SPDX-License-Identifier: GPL-2.0+ | ||
"""Helper function for managing raw SQL queries""" | ||
from typing import Any | ||
|
||
from flask import current_app | ||
from sqlalchemy.exc import ResourceClosedError, SQLAlchemyError | ||
from werkzeug.exceptions import BadRequest | ||
|
||
from product_listings_manager.models import db | ||
|
||
DB_QUERY_PARAM_ERROR = ( | ||
'Parameter must have the following format ("params" is optional): ' | ||
'[{"query": QUERY_STRING, "params": {PARAMETER_NAME: PARAMETER_STRING_VALUE}...]' | ||
) | ||
|
||
|
||
def queries_from_user_input(input: Any) -> list[Any]: | ||
if isinstance(input, dict): | ||
return [input] | ||
|
||
if isinstance(input, str): | ||
return [{"query": input}] | ||
|
||
if isinstance(input, list): | ||
return [q if isinstance(q, dict) else {"query": q} for q in input] | ||
|
||
raise BadRequest(DB_QUERY_PARAM_ERROR) | ||
|
||
|
||
def validate_queries(queries: list[dict[Any, Any]]): | ||
if not queries: | ||
raise BadRequest(DB_QUERY_PARAM_ERROR) | ||
|
||
for query in queries: | ||
query_text = query.get("query") | ||
if not query_text or not isinstance(query_text, str): | ||
raise BadRequest(DB_QUERY_PARAM_ERROR) | ||
|
||
params = query.get("params") | ||
if params is not None and not isinstance(params, dict): | ||
raise BadRequest(DB_QUERY_PARAM_ERROR) | ||
|
||
|
||
def execute_queries(queries: list[dict[str, str]]) -> list[list[Any]]: | ||
with db.session.begin(): | ||
for query in queries: | ||
query_text = query.get("query") | ||
params = query.get("params") | ||
try: | ||
result = db.session.execute(db.text(query_text), params=params) | ||
except SQLAlchemyError as e: | ||
current_app.logger.warning("Failed DB query for user %s", e) | ||
raise BadRequest(f"DB query failed: {e}") | ||
|
||
db.session.commit() | ||
|
||
try: | ||
return [list(row) for row in result] | ||
except ResourceClosedError: | ||
return [] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
# SPDX-License-Identifier: GPL-2.0+ | ||
from fnmatch import fnmatch | ||
from typing import Any | ||
|
||
from product_listings_manager.authorization import LdapConfig, get_user_groups | ||
|
||
|
||
def query_matches(query: str, permission: dict[str, Any]) -> bool: | ||
return any( | ||
fnmatch(query.upper(), pattern.upper()) | ||
for pattern in permission.get("queries", []) | ||
) | ||
|
||
|
||
def has_permission( | ||
user: str, | ||
queries: list[dict[str, str]], | ||
permissions: list[dict[str, Any]], | ||
ldap_config: LdapConfig, | ||
) -> bool: | ||
qs = list(q["query"] for q in queries) | ||
qs = [ | ||
q | ||
for q in qs | ||
if not any( | ||
user in p.get("users", set()) and query_matches(q, p) | ||
for p in permissions | ||
) | ||
] | ||
if not qs: | ||
return True | ||
|
||
# Avoid querying LDAP unnecessarily | ||
if not any(p.get("groups") for p in permissions): | ||
return False | ||
|
||
groups = set(get_user_groups(user, ldap_config)) | ||
qs = [ | ||
q | ||
for q in qs | ||
if not any( | ||
not groups.isdisjoint(p.get("groups", set())) | ||
and query_matches(q, p) | ||
for p in permissions | ||
) | ||
] | ||
return not qs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.