Compare commits
2 Commits
2025.09.21
...
2025.09.22
| Author | SHA1 | Date | |
|---|---|---|---|
| 86ad953ff1 | |||
| d6b7eb9b30 |
@@ -22,5 +22,11 @@ def add_api(collection: _ServiceCollection):
|
||||
|
||||
dependency_error("cpl-auth", e)
|
||||
|
||||
from cpl.api.registry.policy import PolicyRegistry
|
||||
from cpl.api.registry.route import RouteRegistry
|
||||
|
||||
collection.add_singleton(PolicyRegistry)
|
||||
collection.add_singleton(RouteRegistry)
|
||||
|
||||
|
||||
_ServiceCollection.with_module(add_api, __name__)
|
||||
|
||||
0
src/cpl-api/cpl/api/application/__init__.py
Normal file
0
src/cpl-api/cpl/api/application/__init__.py
Normal file
@@ -1,5 +1,6 @@
|
||||
import os
|
||||
from typing import Mapping, Any, Callable
|
||||
from enum import Enum
|
||||
from typing import Mapping, Any, Callable, Self, Union
|
||||
|
||||
import uvicorn
|
||||
from starlette.applications import Starlette
|
||||
@@ -7,24 +8,31 @@ from starlette.middleware import Middleware
|
||||
from starlette.middleware.cors import CORSMiddleware
|
||||
from starlette.requests import Request
|
||||
from starlette.responses import JSONResponse
|
||||
from starlette.routing import Route
|
||||
from starlette.types import ExceptionHandler
|
||||
|
||||
from cpl import api, auth
|
||||
from cpl.api.api_logger import APILogger
|
||||
from cpl.api.api_settings import ApiSettings
|
||||
from cpl.api.error import APIError
|
||||
from cpl.api.logger import APILogger
|
||||
from cpl.api.middleware.authentication import AuthenticationMiddleware
|
||||
from cpl.api.middleware.authorization import AuthorizationMiddleware
|
||||
from cpl.api.middleware.logging import LoggingMiddleware
|
||||
from cpl.api.middleware.request import RequestMiddleware
|
||||
from cpl.api.model.api_route import ApiRoute
|
||||
from cpl.api.model.policy import Policy
|
||||
from cpl.api.model.validation_match import ValidationMatch
|
||||
from cpl.api.registry.policy import PolicyRegistry
|
||||
from cpl.api.registry.route import RouteRegistry
|
||||
from cpl.api.router import Router
|
||||
from cpl.api.typing import HTTPMethods, PartialMiddleware
|
||||
from cpl.api.settings import ApiSettings
|
||||
from cpl.api.typing import HTTPMethods, PartialMiddleware, PolicyResolver
|
||||
from cpl.application.abc.application_abc import ApplicationABC
|
||||
from cpl.core.configuration import Configuration
|
||||
from cpl.dependency.service_provider_abc import ServiceProviderABC
|
||||
|
||||
_logger = APILogger("API")
|
||||
|
||||
PolicyInput = Union[dict[str, PolicyResolver], Policy]
|
||||
|
||||
|
||||
class WebApp(ApplicationABC):
|
||||
def __init__(self, services: ServiceProviderABC):
|
||||
@@ -32,8 +40,9 @@ class WebApp(ApplicationABC):
|
||||
self._app: Starlette | None = None
|
||||
|
||||
self._api_settings = Configuration.get(ApiSettings)
|
||||
self._policies = services.get_service(PolicyRegistry)
|
||||
self._routes = services.get_service(RouteRegistry)
|
||||
|
||||
self._routes: list[Route] = []
|
||||
self._middleware: list[Middleware] = [
|
||||
Middleware(RequestMiddleware),
|
||||
Middleware(LoggingMiddleware),
|
||||
@@ -66,11 +75,12 @@ class WebApp(ApplicationABC):
|
||||
_logger.debug(f"Allowed origins: {origins}")
|
||||
return origins.split(",")
|
||||
|
||||
def with_database(self):
|
||||
def with_database(self) -> Self:
|
||||
self.with_migrations()
|
||||
self.with_seeders()
|
||||
return self
|
||||
|
||||
def with_app(self, app: Starlette):
|
||||
def with_app(self, app: Starlette) -> Self:
|
||||
assert app is not None, "app must not be None"
|
||||
assert isinstance(app, Starlette), "app must be an instance of Starlette"
|
||||
self._app = app
|
||||
@@ -80,7 +90,7 @@ class WebApp(ApplicationABC):
|
||||
if self._app is not None:
|
||||
raise ValueError("App is already set, cannot add routes or middleware")
|
||||
|
||||
def with_routes_directory(self, directory: str) -> "WebApp":
|
||||
def with_routes_directory(self, directory: str) -> Self:
|
||||
self._check_for_app()
|
||||
assert directory is not None, "directory must not be None"
|
||||
|
||||
@@ -94,30 +104,67 @@ class WebApp(ApplicationABC):
|
||||
|
||||
return self
|
||||
|
||||
def with_routes(self, routes: list[Route]) -> "WebApp":
|
||||
def with_routes(
|
||||
self,
|
||||
routes: list[ApiRoute],
|
||||
method: HTTPMethods,
|
||||
authentication: bool = False,
|
||||
roles: list[str | Enum] = None,
|
||||
permissions: list[str | Enum] = None,
|
||||
policies: list[str] = None,
|
||||
match: ValidationMatch = None,
|
||||
) -> Self:
|
||||
self._check_for_app()
|
||||
assert self._routes is not None, "routes must not be None"
|
||||
assert all(isinstance(route, Route) for route in routes), "all routes must be of type starlette.routing.Route"
|
||||
self._routes.extend(routes)
|
||||
assert all(isinstance(route, ApiRoute) for route in routes), "all routes must be of type ApiRoute"
|
||||
for route in routes:
|
||||
self.with_route(
|
||||
route.path,
|
||||
route.fn,
|
||||
method,
|
||||
authentication,
|
||||
roles,
|
||||
permissions,
|
||||
policies,
|
||||
match,
|
||||
)
|
||||
return self
|
||||
|
||||
def with_route(self, path: str, fn: Callable[[Request], Any], method: HTTPMethods, **kwargs) -> "WebApp":
|
||||
def with_route(
|
||||
self,
|
||||
path: str,
|
||||
fn: Callable[[Request], Any],
|
||||
method: HTTPMethods,
|
||||
authentication: bool = False,
|
||||
roles: list[str | Enum] = None,
|
||||
permissions: list[str | Enum] = None,
|
||||
policies: list[str] = None,
|
||||
match: ValidationMatch = None,
|
||||
) -> Self:
|
||||
self._check_for_app()
|
||||
assert path is not None, "path must not be None"
|
||||
assert fn is not None, "fn must not be None"
|
||||
assert method in [
|
||||
"GET",
|
||||
"HEAD",
|
||||
"POST",
|
||||
"PUT",
|
||||
"DELETE",
|
||||
"PATCH",
|
||||
"DELETE",
|
||||
"OPTIONS",
|
||||
"HEAD",
|
||||
], "method must be a valid HTTP method"
|
||||
self._routes.append(Route(path, fn, methods=[method], **kwargs))
|
||||
|
||||
Router.route(path, method, registry=self._routes)(fn)
|
||||
|
||||
if authentication:
|
||||
Router.authenticate()(fn)
|
||||
|
||||
if roles or permissions or policies:
|
||||
Router.authorize(roles, permissions, policies, match)(fn)
|
||||
|
||||
return self
|
||||
|
||||
def with_middleware(self, middleware: PartialMiddleware) -> "WebApp":
|
||||
def with_middleware(self, middleware: PartialMiddleware) -> Self:
|
||||
self._check_for_app()
|
||||
|
||||
if isinstance(middleware, Middleware):
|
||||
@@ -129,25 +176,51 @@ class WebApp(ApplicationABC):
|
||||
|
||||
return self
|
||||
|
||||
def with_authentication(self):
|
||||
def with_authentication(self) -> Self:
|
||||
self.with_middleware(AuthenticationMiddleware)
|
||||
return self
|
||||
|
||||
def with_authorization(self):
|
||||
pass
|
||||
def with_authorization(self, *policies: list[PolicyInput] | PolicyInput) -> Self:
|
||||
if policies:
|
||||
_policies = []
|
||||
|
||||
if not isinstance(policies, list):
|
||||
policies = list(policies)
|
||||
|
||||
for i, policy in enumerate(policies):
|
||||
if isinstance(policy, dict):
|
||||
for name, resolver in policy.items():
|
||||
if not isinstance(name, str):
|
||||
_logger.warning(f"Skipping policy at index {i}, name must be a string")
|
||||
continue
|
||||
|
||||
if not callable(resolver):
|
||||
_logger.warning(f"Skipping policy {name}, resolver must be callable")
|
||||
continue
|
||||
|
||||
_policies.append(Policy(name, resolver))
|
||||
continue
|
||||
|
||||
_policies.append(policy)
|
||||
|
||||
self._policies.extend_policies(_policies)
|
||||
|
||||
self.with_middleware(AuthorizationMiddleware)
|
||||
return self
|
||||
|
||||
def _validate_policies(self):
|
||||
for rule in Router.get_authorization_rules():
|
||||
for policy_name in rule["policies"]:
|
||||
policy = self._policies.get(policy_name)
|
||||
if not policy:
|
||||
_logger.fatal(f"Authorization policy '{policy_name}' not found")
|
||||
|
||||
async def main(self):
|
||||
_logger.debug(f"Preparing API")
|
||||
self._validate_policies()
|
||||
|
||||
if self._app is None:
|
||||
routes = [
|
||||
Route(
|
||||
path=route.path,
|
||||
endpoint=self._services.inject(route.endpoint),
|
||||
methods=route.methods,
|
||||
name=route.name,
|
||||
)
|
||||
for route in self._routes + Router.get_routes()
|
||||
]
|
||||
routes = [route.to_starlette(self._services.inject) for route in self._routes.all()]
|
||||
|
||||
app = Starlette(
|
||||
routes=routes,
|
||||
@@ -166,13 +239,6 @@ class WebApp(ApplicationABC):
|
||||
app = self._app
|
||||
|
||||
_logger.info(f"Start API on {self._api_settings.host}:{self._api_settings.port}")
|
||||
# uvicorn.run(
|
||||
# app,
|
||||
# host=self._api_settings.host,
|
||||
# port=self._api_settings.port,
|
||||
# log_config=None,
|
||||
# loop="asyncio"
|
||||
# )
|
||||
|
||||
config = uvicorn.Config(
|
||||
app, host=self._api_settings.host, port=self._api_settings.port, log_config=None, loop="asyncio"
|
||||
@@ -7,14 +7,23 @@ from starlette.types import Scope, Receive, Send
|
||||
class APIError(HTTPException):
|
||||
status_code = 500
|
||||
|
||||
@classmethod
|
||||
async def asgi_response(cls, scope: Scope, receive: Receive, send: Send):
|
||||
r = JSONResponse({"error": cls.__name__}, status_code=cls.status_code)
|
||||
def __init__(self, message: str = ""):
|
||||
super().__init__(self.status_code, message)
|
||||
self._message = message
|
||||
|
||||
@property
|
||||
def error_message(self) -> str:
|
||||
if self._message:
|
||||
return f"{type(self).__name__}: {self._message}"
|
||||
|
||||
return f"{type(self).__name__}"
|
||||
|
||||
async def asgi_response(self, scope: Scope, receive: Receive, send: Send):
|
||||
r = JSONResponse({"error": self.error_message}, status_code=self.status_code)
|
||||
return await r(scope, receive, send)
|
||||
|
||||
@classmethod
|
||||
def response(cls):
|
||||
return JSONResponse({"error": cls.__name__}, status_code=cls.status_code)
|
||||
def response(self):
|
||||
return JSONResponse({"error": self.error_message}, status_code=self.status_code)
|
||||
|
||||
|
||||
class Unauthorized(APIError):
|
||||
|
||||
@@ -2,12 +2,13 @@ from keycloak import KeycloakAuthenticationError
|
||||
from starlette.types import Scope, Receive, Send
|
||||
|
||||
from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
|
||||
from cpl.api.api_logger import APILogger
|
||||
from cpl.api.logger import APILogger
|
||||
from cpl.api.error import Unauthorized
|
||||
from cpl.api.middleware.request import get_request
|
||||
from cpl.api.router import Router
|
||||
from cpl.auth.keycloak import KeycloakClient
|
||||
from cpl.auth.schema import AuthUserDao, AuthUser
|
||||
from cpl.core.ctx import set_user
|
||||
from cpl.dependency import ServiceProviderABC
|
||||
|
||||
_logger = APILogger(__name__)
|
||||
@@ -53,6 +54,9 @@ class AuthenticationMiddleware(ASGIMiddleware):
|
||||
_logger.debug(f"Unauthorized access to {url}, user is deleted")
|
||||
return await Unauthorized("User is deleted").asgi_response(scope, receive, send)
|
||||
|
||||
request.state.user = user
|
||||
set_user(user)
|
||||
|
||||
return await self._call_next(scope, receive, send)
|
||||
|
||||
async def _get_or_crate_user(self, keycloak_id: str) -> AuthUser:
|
||||
|
||||
73
src/cpl-api/cpl/api/middleware/authorization.py
Normal file
73
src/cpl-api/cpl/api/middleware/authorization.py
Normal file
@@ -0,0 +1,73 @@
|
||||
from starlette.types import Scope, Receive, Send
|
||||
|
||||
from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
|
||||
from cpl.api.error import Unauthorized, Forbidden
|
||||
from cpl.api.logger import APILogger
|
||||
from cpl.api.middleware.request import get_request
|
||||
from cpl.api.model.validation_match import ValidationMatch
|
||||
from cpl.api.registry.policy import PolicyRegistry
|
||||
from cpl.api.router import Router
|
||||
from cpl.auth.schema._administration.auth_user_dao import AuthUserDao
|
||||
from cpl.core.ctx.user_context import get_user
|
||||
from cpl.dependency.service_provider_abc import ServiceProviderABC
|
||||
|
||||
_logger = APILogger(__name__)
|
||||
|
||||
|
||||
class AuthorizationMiddleware(ASGIMiddleware):
|
||||
|
||||
@ServiceProviderABC.inject
|
||||
def __init__(self, app, policies: PolicyRegistry, user_dao: AuthUserDao):
|
||||
ASGIMiddleware.__init__(self, app)
|
||||
|
||||
self._policies = policies
|
||||
self._user_dao = user_dao
|
||||
|
||||
async def __call__(self, scope: Scope, receive: Receive, send: Send):
|
||||
request = get_request()
|
||||
url = request.url.path
|
||||
|
||||
if url not in Router.get_authorization_rules_paths():
|
||||
_logger.trace(f"No authorization required for {url}")
|
||||
return await self._app(scope, receive, send)
|
||||
|
||||
user = get_user()
|
||||
if not user:
|
||||
return await Unauthorized(f"Unknown user").asgi_response(scope, receive, send)
|
||||
|
||||
roles = await user.roles
|
||||
request.state.roles = roles
|
||||
role_names = [r.name for r in roles]
|
||||
|
||||
perms = await user.permissions
|
||||
request.state.permissions = perms
|
||||
perm_names = [p.name for p in perms]
|
||||
|
||||
for rule in Router.get_authorization_rules():
|
||||
match = rule["match"]
|
||||
if rule["roles"]:
|
||||
if match == ValidationMatch.all and not all(r in role_names for r in rule["roles"]):
|
||||
return await Forbidden(f"missing roles: {rule["roles"]}").asgi_response(scope, receive, send)
|
||||
if match == ValidationMatch.any and not any(r in role_names for r in rule["roles"]):
|
||||
return await Forbidden(f"missing roles: {rule["roles"]}").asgi_response(scope, receive, send)
|
||||
|
||||
if rule["permissions"]:
|
||||
if match == ValidationMatch.all and not all(p in perm_names for p in rule["permissions"]):
|
||||
return await Forbidden(f"missing permissions: {rule["permissions"]}").asgi_response(
|
||||
scope, receive, send
|
||||
)
|
||||
if match == ValidationMatch.any and not any(p in perm_names for p in rule["permissions"]):
|
||||
return await Forbidden(f"missing permissions: {rule["permissions"]}").asgi_response(
|
||||
scope, receive, send
|
||||
)
|
||||
|
||||
for policy_name in rule["policies"]:
|
||||
policy = self._policies.get(policy_name)
|
||||
if not policy:
|
||||
_logger.warning(f"Authorization policy '{policy_name}' not found")
|
||||
continue
|
||||
|
||||
if not await policy.resolve(user):
|
||||
return await Forbidden(f"policy {policy.name} failed").asgi_response(scope, receive, send)
|
||||
|
||||
return await self._call_next(scope, receive, send)
|
||||
@@ -4,7 +4,7 @@ from starlette.requests import Request
|
||||
from starlette.types import Receive, Scope, Send
|
||||
|
||||
from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
|
||||
from cpl.api.api_logger import APILogger
|
||||
from cpl.api.logger import APILogger
|
||||
from cpl.api.middleware.request import get_request
|
||||
|
||||
_logger = APILogger(__name__)
|
||||
|
||||
@@ -5,10 +5,9 @@ from uuid import uuid4
|
||||
|
||||
from starlette.requests import Request
|
||||
from starlette.types import Scope, Receive, Send
|
||||
from starlette.websockets import WebSocket
|
||||
|
||||
from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
|
||||
from cpl.api.api_logger import APILogger
|
||||
from cpl.api.logger import APILogger
|
||||
from cpl.api.typing import TRequest
|
||||
|
||||
_request_context: ContextVar[Union[TRequest, None]] = ContextVar("request", default=None)
|
||||
@@ -50,5 +49,5 @@ class RequestMiddleware(ASGIMiddleware):
|
||||
_request_context.reset(self._ctx_token)
|
||||
|
||||
|
||||
def get_request() -> Optional[Union[TRequest, WebSocket]]:
|
||||
def get_request() -> Optional[TRequest]:
|
||||
return _request_context.get()
|
||||
|
||||
0
src/cpl-api/cpl/api/model/__init__.py
Normal file
0
src/cpl-api/cpl/api/model/__init__.py
Normal file
43
src/cpl-api/cpl/api/model/api_route.py
Normal file
43
src/cpl-api/cpl/api/model/api_route.py
Normal file
@@ -0,0 +1,43 @@
|
||||
from typing import Callable
|
||||
|
||||
from starlette.routing import Route
|
||||
|
||||
from cpl.api.typing import HTTPMethods
|
||||
|
||||
|
||||
class ApiRoute:
|
||||
|
||||
def __init__(self, path: str, fn: Callable, method: HTTPMethods, **kwargs):
|
||||
self._path = path
|
||||
self._fn = fn
|
||||
self._method = method
|
||||
|
||||
self._kwargs = kwargs
|
||||
|
||||
@property
|
||||
def name(self) -> str:
|
||||
return self._fn.__name__
|
||||
|
||||
@property
|
||||
def fn(self) -> Callable:
|
||||
return self._fn
|
||||
|
||||
@property
|
||||
def path(self) -> str:
|
||||
return self._path
|
||||
|
||||
@property
|
||||
def method(self) -> HTTPMethods:
|
||||
return self._method
|
||||
|
||||
@property
|
||||
def kwargs(self) -> dict:
|
||||
return self._kwargs
|
||||
|
||||
def to_starlette(self, wrap_endpoint: Callable = None) -> Route:
|
||||
return Route(
|
||||
self._path,
|
||||
self._fn if not wrap_endpoint else wrap_endpoint(self._fn),
|
||||
methods=[self._method],
|
||||
**self._kwargs,
|
||||
)
|
||||
34
src/cpl-api/cpl/api/model/policy.py
Normal file
34
src/cpl-api/cpl/api/model/policy.py
Normal file
@@ -0,0 +1,34 @@
|
||||
from asyncio import iscoroutinefunction
|
||||
from typing import Optional, Any, Coroutine, Awaitable
|
||||
|
||||
from cpl.api.typing import PolicyResolver
|
||||
from cpl.core.ctx import get_user
|
||||
|
||||
|
||||
class Policy:
|
||||
def __init__(
|
||||
self,
|
||||
name: str,
|
||||
resolver: PolicyResolver = None,
|
||||
):
|
||||
self._name = name
|
||||
self._resolver: Optional[PolicyResolver] = resolver
|
||||
|
||||
@property
|
||||
def name(self) -> str:
|
||||
return self._name
|
||||
|
||||
@property
|
||||
def resolvers(self) -> PolicyResolver:
|
||||
return self._resolver
|
||||
|
||||
async def resolve(self, *args, **kwargs) -> bool:
|
||||
if not self._resolver:
|
||||
return True
|
||||
|
||||
if callable(self._resolver):
|
||||
if iscoroutinefunction(self._resolver):
|
||||
return await self._resolver(get_user())
|
||||
|
||||
return self._resolver(get_user())
|
||||
return False
|
||||
6
src/cpl-api/cpl/api/model/validation_match.py
Normal file
6
src/cpl-api/cpl/api/model/validation_match.py
Normal file
@@ -0,0 +1,6 @@
|
||||
from enum import Enum
|
||||
|
||||
|
||||
class ValidationMatch(Enum):
|
||||
any = "any"
|
||||
all = "all"
|
||||
0
src/cpl-api/cpl/api/registry/__init__.py
Normal file
0
src/cpl-api/cpl/api/registry/__init__.py
Normal file
28
src/cpl-api/cpl/api/registry/policy.py
Normal file
28
src/cpl-api/cpl/api/registry/policy.py
Normal file
@@ -0,0 +1,28 @@
|
||||
from typing import Optional
|
||||
|
||||
from cpl.api.model.policy import Policy
|
||||
from cpl.core.abc.registry_abc import RegistryABC
|
||||
|
||||
|
||||
class PolicyRegistry(RegistryABC):
|
||||
|
||||
def __init__(self):
|
||||
RegistryABC.__init__(self)
|
||||
|
||||
def extend(self, items: list[Policy]):
|
||||
for policy in items:
|
||||
self.add(policy)
|
||||
|
||||
def add(self, item: Policy):
|
||||
assert isinstance(item, Policy), "policy must be an instance of Policy"
|
||||
|
||||
if item.name in self._items:
|
||||
raise ValueError(f"Policy {item.name} is already registered")
|
||||
|
||||
self._items[item.name] = item
|
||||
|
||||
def get(self, key: str) -> Optional[Policy]:
|
||||
return self._items.get(key)
|
||||
|
||||
def all(self) -> list[Policy]:
|
||||
return list(self._items.values())
|
||||
33
src/cpl-api/cpl/api/registry/route.py
Normal file
33
src/cpl-api/cpl/api/registry/route.py
Normal file
@@ -0,0 +1,33 @@
|
||||
from typing import Optional
|
||||
|
||||
from cpl.api.model.policy import Policy
|
||||
from cpl.api.model.api_route import ApiRoute
|
||||
from cpl.core.abc.registry_abc import RegistryABC
|
||||
|
||||
|
||||
class RouteRegistry(RegistryABC):
|
||||
|
||||
def __init__(self):
|
||||
RegistryABC.__init__(self)
|
||||
|
||||
def extend(self, items: list[ApiRoute]):
|
||||
for policy in items:
|
||||
self.add(policy)
|
||||
|
||||
def add(self, item: ApiRoute):
|
||||
assert isinstance(item, ApiRoute), "route must be an instance of ApiRoute"
|
||||
|
||||
if item.path in self._items:
|
||||
raise ValueError(f"ApiRoute {item.path} is already registered")
|
||||
|
||||
self._items[item.path] = item
|
||||
|
||||
def set(self, item: ApiRoute):
|
||||
assert isinstance(item, ApiRoute), "route must be an instance of ApiRoute"
|
||||
self._items[item.path] = item
|
||||
|
||||
def get(self, key: str) -> Optional[ApiRoute]:
|
||||
return self._items.get(key)
|
||||
|
||||
def all(self) -> list[ApiRoute]:
|
||||
return list(self._items.values())
|
||||
@@ -1,18 +1,26 @@
|
||||
from starlette.routing import Route
|
||||
from enum import Enum
|
||||
|
||||
from cpl.api.model.validation_match import ValidationMatch
|
||||
from cpl.api.registry.route import RouteRegistry
|
||||
from cpl.api.typing import HTTPMethods
|
||||
|
||||
|
||||
class Router:
|
||||
_registered_routes: list[Route] = []
|
||||
_auth_required: list[str] = []
|
||||
|
||||
@classmethod
|
||||
def get_routes(cls) -> list[Route]:
|
||||
return cls._registered_routes
|
||||
_authorization_rules: dict[str, dict] = {}
|
||||
|
||||
@classmethod
|
||||
def get_auth_required_routes(cls) -> list[str]:
|
||||
return cls._auth_required
|
||||
|
||||
@classmethod
|
||||
def get_authorization_rules_paths(cls) -> list[str]:
|
||||
return list(cls._authorization_rules.keys())
|
||||
|
||||
@classmethod
|
||||
def get_authorization_rules(cls) -> list[dict]:
|
||||
return list(cls._authorization_rules.values())
|
||||
|
||||
@classmethod
|
||||
def authenticate(cls):
|
||||
"""
|
||||
@@ -33,33 +41,95 @@ class Router:
|
||||
return inner
|
||||
|
||||
@classmethod
|
||||
def route(cls, path=None, **kwargs):
|
||||
def authorize(
|
||||
cls,
|
||||
roles: list[str | Enum] = None,
|
||||
permissions: list[str | Enum] = None,
|
||||
policies: list[str] = None,
|
||||
match: ValidationMatch = None,
|
||||
):
|
||||
"""
|
||||
Decorator to mark a route as requiring authorization.
|
||||
Usage:
|
||||
@Route.authorize()
|
||||
@Route.get("/example")
|
||||
async def example_endpoint(request: TRequest):
|
||||
...
|
||||
"""
|
||||
assert roles is None or isinstance(roles, list), "roles must be a list of strings"
|
||||
assert permissions is None or isinstance(permissions, list), "permissions must be a list of strings"
|
||||
assert policies is None or isinstance(policies, list), "policies must be a list of strings"
|
||||
assert match is None or isinstance(match, ValidationMatch), "match must be an instance of ValidationMatch"
|
||||
|
||||
if roles is not None:
|
||||
for role in roles:
|
||||
if isinstance(role, Enum):
|
||||
roles[roles.index(role)] = role.value
|
||||
|
||||
if permissions is not None:
|
||||
for perm in permissions:
|
||||
if isinstance(perm, Enum):
|
||||
permissions[permissions.index(perm)] = perm.value
|
||||
|
||||
def inner(fn):
|
||||
cls._registered_routes.append(Route(path, fn, **kwargs))
|
||||
path = getattr(fn, "_route_path", None)
|
||||
if not path:
|
||||
return fn
|
||||
|
||||
if path in cls._authorization_rules:
|
||||
raise ValueError(f"Route {path} is already registered for authorization")
|
||||
|
||||
cls._authorization_rules[path] = {
|
||||
"roles": roles or [],
|
||||
"permissions": permissions or [],
|
||||
"policies": policies or [],
|
||||
"match": match or ValidationMatch.all,
|
||||
}
|
||||
|
||||
return fn
|
||||
|
||||
return inner
|
||||
|
||||
@classmethod
|
||||
def route(cls, path: str, method: HTTPMethods, registry: RouteRegistry = None, **kwargs):
|
||||
if not registry:
|
||||
from cpl.api.model.api_route import ApiRoute
|
||||
from cpl.dependency.service_provider_abc import ServiceProviderABC
|
||||
|
||||
routes = ServiceProviderABC.get_global_service(RouteRegistry)
|
||||
else:
|
||||
routes = registry
|
||||
|
||||
def inner(fn):
|
||||
routes.add(ApiRoute(path, fn, method, **kwargs))
|
||||
setattr(fn, "_route_path", path)
|
||||
return fn
|
||||
|
||||
return inner
|
||||
|
||||
@classmethod
|
||||
def get(cls, path=None, **kwargs):
|
||||
return cls.route(path, methods=["GET"], **kwargs)
|
||||
def get(cls, path: str, **kwargs):
|
||||
return cls.route(path, "GET", **kwargs)
|
||||
|
||||
@classmethod
|
||||
def post(cls, path=None, **kwargs):
|
||||
return cls.route(path, methods=["POST"], **kwargs)
|
||||
def head(cls, path: str, **kwargs):
|
||||
return cls.route(path, "HEAD", **kwargs)
|
||||
|
||||
@classmethod
|
||||
def head(cls, path=None, **kwargs):
|
||||
return cls.route(path, methods=["HEAD"], **kwargs)
|
||||
def post(cls, path: str, **kwargs):
|
||||
return cls.route(path, "POST", **kwargs)
|
||||
|
||||
@classmethod
|
||||
def put(cls, path=None, **kwargs):
|
||||
return cls.route(path, methods=["PUT"], **kwargs)
|
||||
def put(cls, path: str, **kwargs):
|
||||
return cls.route(path, "PUT", **kwargs)
|
||||
|
||||
@classmethod
|
||||
def delete(cls, path=None, **kwargs):
|
||||
return cls.route(path, methods=["DELETE"], **kwargs)
|
||||
def patch(cls, path: str, **kwargs):
|
||||
return cls.route(path, "PATCH", **kwargs)
|
||||
|
||||
@classmethod
|
||||
def delete(cls, path: str, **kwargs):
|
||||
return cls.route(path, "DELETE", **kwargs)
|
||||
|
||||
@classmethod
|
||||
def override(cls):
|
||||
@@ -72,13 +142,22 @@ class Router:
|
||||
...
|
||||
"""
|
||||
|
||||
from cpl.api.model.api_route import ApiRoute
|
||||
from cpl.dependency.service_provider_abc import ServiceProviderABC
|
||||
|
||||
routes = ServiceProviderABC.get_global_service(RouteRegistry)
|
||||
|
||||
def inner(fn):
|
||||
route_path = getattr(fn, "_route_path", None)
|
||||
path = getattr(fn, "_route_path", None)
|
||||
if path is None:
|
||||
raise ValueError("Cannot override a route that has not been registered yet")
|
||||
|
||||
routes = list(filter(lambda x: x.path == route_path, cls._registered_routes))
|
||||
for route in routes[:-1]:
|
||||
cls._registered_routes.remove(route)
|
||||
route = routes.get(path)
|
||||
if route is None:
|
||||
raise ValueError(f"Cannot override a route that does not exist: {path}")
|
||||
|
||||
routes.add(ApiRoute(path, fn, route.method, **route.kwargs))
|
||||
setattr(fn, "_route_path", path)
|
||||
return fn
|
||||
|
||||
return inner
|
||||
|
||||
@@ -1,13 +1,19 @@
|
||||
from typing import Union, Literal, Callable
|
||||
from typing import Union, Literal, Callable, Type, Awaitable
|
||||
from urllib.request import Request
|
||||
|
||||
from starlette.middleware import Middleware
|
||||
from starlette.types import ASGIApp
|
||||
from starlette.websockets import WebSocket
|
||||
|
||||
from cpl.api.abc.asgi_middleware_abc import ASGIMiddleware
|
||||
from cpl.auth.schema import AuthUser
|
||||
|
||||
TRequest = Union[Request, WebSocket]
|
||||
HTTPMethods = Literal["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
|
||||
HTTPMethods = Literal["GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
|
||||
PartialMiddleware = Union[
|
||||
ASGIMiddleware,
|
||||
Type[ASGIMiddleware],
|
||||
Middleware,
|
||||
Callable[[ASGIApp], ASGIApp],
|
||||
]
|
||||
PolicyResolver = Callable[[AuthUser], bool | Awaitable[bool]]
|
||||
|
||||
@@ -43,9 +43,9 @@ class AuthUserDao(DbModelDaoABC[AuthUser]):
|
||||
p = await permission_dao.get_by_name(permission if isinstance(permission, str) else permission.value)
|
||||
result = await self._db.select_map(
|
||||
f"""
|
||||
SELECT COUNT(*)
|
||||
FROM permission.role_users ru
|
||||
JOIN permission.role_permissions rp ON ru.roleId = rp.roleId
|
||||
SELECT COUNT(*) as count
|
||||
FROM {TableManager.get("role_users")} ru
|
||||
JOIN {TableManager.get("role_permissions")} rp ON ru.roleId = rp.roleId
|
||||
WHERE ru.userId = {user_id}
|
||||
AND rp.permissionId = {p.id}
|
||||
AND ru.deleted = FALSE
|
||||
@@ -61,9 +61,9 @@ class AuthUserDao(DbModelDaoABC[AuthUser]):
|
||||
result = await self._db.select_map(
|
||||
f"""
|
||||
SELECT p.*
|
||||
FROM permission.permissions p
|
||||
JOIN permission.role_permissions rp ON p.id = rp.permissionId
|
||||
JOIN permission.role_users ru ON rp.roleId = ru.roleId
|
||||
FROM {TableManager.get("permissions")} p
|
||||
JOIN {TableManager.get("role_permissions")} rp ON p.id = rp.permissionId
|
||||
JOIN {TableManager.get("role_users")} ru ON rp.roleId = ru.roleId
|
||||
WHERE ru.userId = {user_id}
|
||||
AND rp.deleted = FALSE
|
||||
AND ru.deleted = FALSE;
|
||||
|
||||
0
src/cpl-core/cpl/core/abc/__init__.py
Normal file
0
src/cpl-core/cpl/core/abc/__init__.py
Normal file
23
src/cpl-core/cpl/core/abc/registry_abc.py
Normal file
23
src/cpl-core/cpl/core/abc/registry_abc.py
Normal file
@@ -0,0 +1,23 @@
|
||||
from abc import abstractmethod, ABC
|
||||
from typing import Generic
|
||||
|
||||
from cpl.core.typing import T
|
||||
|
||||
|
||||
class RegistryABC(ABC, Generic[T]):
|
||||
|
||||
@abstractmethod
|
||||
def __init__(self):
|
||||
self._items: dict[str, T] = {}
|
||||
|
||||
@abstractmethod
|
||||
def extend(self, items: list[T]) -> None: ...
|
||||
|
||||
@abstractmethod
|
||||
def add(self, item: T) -> None: ...
|
||||
|
||||
@abstractmethod
|
||||
def get(self, key: str) -> T | None: ...
|
||||
|
||||
@abstractmethod
|
||||
def all(self) -> list[T]: ...
|
||||
@@ -487,7 +487,7 @@ class DataAccessObjectABC(ABC, Generic[T_DBM]):
|
||||
builder.with_temp_table(self._external_fields[temp])
|
||||
|
||||
if for_count:
|
||||
builder.with_attribute("COUNT(*)", ignore_table_name=True)
|
||||
builder.with_attribute("COUNT(*) as count", ignore_table_name=True)
|
||||
else:
|
||||
builder.with_attribute("*")
|
||||
|
||||
|
||||
@@ -33,7 +33,7 @@ class TableManager:
|
||||
},
|
||||
"role_users": {
|
||||
ServerTypes.POSTGRES: "permission.role_users",
|
||||
ServerTypes.MYSQL: "permission_role_users",
|
||||
ServerTypes.MYSQL: "permission_role_auth_users",
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
from starlette.responses import JSONResponse
|
||||
|
||||
from cpl import api
|
||||
from cpl.api.web_app import WebApp
|
||||
from cpl.api.application.web_app import WebApp
|
||||
from cpl.application import ApplicationBuilder
|
||||
from cpl.auth.permission.permissions import Permissions
|
||||
from cpl.core.configuration import Configuration
|
||||
from cpl.core.environment import Environment
|
||||
from service import PingService
|
||||
@@ -24,7 +25,9 @@ def main():
|
||||
app.with_database()
|
||||
|
||||
app.with_authentication()
|
||||
app.with_route(path="/route1", fn=lambda r: JSONResponse("route1"), method="GET")
|
||||
app.with_authorization()
|
||||
|
||||
app.with_route(path="/route1", fn=lambda r: JSONResponse("route1"), method="GET", authentication=True, permissions=[Permissions.administrator])
|
||||
app.with_routes_directory("routes")
|
||||
|
||||
app.run()
|
||||
|
||||
@@ -3,11 +3,14 @@ from urllib.request import Request
|
||||
from starlette.responses import JSONResponse
|
||||
|
||||
from cpl.api.router import Router
|
||||
from cpl.auth.permission.permissions import Permissions
|
||||
from cpl.core.log import Logger
|
||||
from service import PingService
|
||||
|
||||
|
||||
@Router.authenticate()
|
||||
@Router.authorize(permissions=[Permissions.administrator])
|
||||
# @Router.authorize(policies=["test"])
|
||||
@Router.get(f"/ping")
|
||||
async def ping(r: Request, ping: PingService, logger: Logger):
|
||||
logger.info(f"Ping: {ping}")
|
||||
|
||||
Reference in New Issue
Block a user