enhance policies with logging
eray-inuits committed May 17, 2024
1 parent 38b9e8b commit 5cfb028
Showing 2 changed files with 57 additions and 37 deletions.
Expand Up @@ -35,6 +35,9 @@ def build_user_context_for_authenticated_user(
user_context.bag["tenant_defining_entity_id"] = user_context.x_tenant.id
user_context.bag["tenant_relation_type"] = "isIn"
user_context.bag["user_ids"] = self.user["identifiers"]
user_context.bag["http_method"] = request.method
user_context.bag["requested_endpoint"] = request.endpoint
user_context.bag["full_path"] = request.full_path

@abstractmethod
def build_user_context_for_anonymous_user(
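Review bot: `request.full_path` includes the query string (assuming this is the Flask/Werkzeug request object), so `user_context.bag["full_path"]` will carry any token, signature or personal identifier that a client passes as a query parameter. Given the commit title these three keys look intended for log output, although the code that reads the bag is not visible here. Storing `request.path` instead, or redacting sensitive parameters before the value reaches a log sink, would keep the route information without the parameter values. `request.endpoint` is `None` when no route matched, so whatever formats these keys should tolerate that. The enclosing method starts above the hunk.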
91 changes: 54 additions & 37 deletions src/elody/policies/permission_handler.py
Expand Up @@ -44,57 +44,74 @@ def __replace_permission_placeholders(data, placeholder_key, placeholder_value):
def handle_single_item_request(
user_context: UserContext, item, permissions, crud, request_body: dict = {}
):
item_in_storage_format, flat_item, object_lists, restrictions_schema = (
__prepare_item_for_permission_check(item, permissions, crud)
)

is_allowed_to_crud_item = (
__is_allowed_to_crud_item(flat_item, restrictions_schema) if flat_item else None
)
if not is_allowed_to_crud_item:
return is_allowed_to_crud_item
try:
item_in_storage_format, flat_item, object_lists, restrictions_schema = (
__prepare_item_for_permission_check(item, permissions, crud)
)

return __is_allowed_to_crud_item_keys(
user_context,
item_in_storage_format,
flat_item,
restrictions_schema,
crud,
object_lists,
flatten_dict(object_lists, request_body),
)
is_allowed_to_crud_item = (
__is_allowed_to_crud_item(flat_item, restrictions_schema)
if flat_item
else None
)
if not is_allowed_to_crud_item:
return is_allowed_to_crud_item

return __is_allowed_to_crud_item_keys(
user_context,
item_in_storage_format,
flat_item,
restrictions_schema,
crud,
object_lists,
flatten_dict(object_lists, request_body),
)
except Exception as exception:
app.log.debug(
f"{exception.__class__.__name__}: {str(exception)}",
item.get("storage_format", item),
)
if crud != "read":
app.log.debug(f"Request body: {request_body}", {})
raise exception


def mask_protected_content_post_request_hook(user_context: UserContext, permissions):
def __post_request_hook(response):
items = response["results"]
for item in items:
(
item_in_storage_format,
flat_item,
object_lists,
restrictions_schema,
) = __prepare_item_for_permission_check(item, permissions, "read")
if not flat_item:
continue

__is_allowed_to_crud_item_keys(
user_context,
item_in_storage_format,
flat_item,
restrictions_schema,
"read",
object_lists,
)
try:
(
item_in_storage_format,
flat_item,
object_lists,
restrictions_schema,
) = __prepare_item_for_permission_check(item, permissions, "read")
if not flat_item:
continue

__is_allowed_to_crud_item_keys(
user_context,
item_in_storage_format,
flat_item,
restrictions_schema,
"read",
object_lists,
)
except Exception as exception:
app.log.debug(
f"{exception.__class__.__name__}: {str(exception)}",
item.get("storage_format", item),
)
raise exception

return response

return __post_request_hook


def __prepare_item_for_permission_check(item, permissions, crud):
if item.get("storage_format"):
item = item["storage_format"]
item = item.get("storage_format", item)
if item["type"] not in permissions[crud].keys():
return item, None, None, None

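Review bot: Both new `except` blocks pass the whole item (`item.get("storage_format", item)`) to `app.log.debug`, and `handle_single_item_request` also logs the raw `request_body` for non-read operations; in `__post_request_hook` that item is exactly the one whose protected keys failed to be masked, so a deployment with debug logging enabled would write unmasked protected content and client-submitted data to the log. Logging the exception class plus a minimal identifier such as the item's `type` would keep the diagnostic value without copying payloads. The handler also calls `item.get(...)` on an object that may itself be the cause of the failure, so a non-dict `item` raises a second exception inside the `except` and obscures the original; a bare `raise` is the idiomatic re-raise here. Separately, the replacement line `item = item.get("storage_format", item)` in `__prepare_item_for_permission_check` is not equivalent to the truthiness check it appears to replace: a present but empty `storage_format` (`None` or `{}`) is now used as the item and fails at `item["type"]`, which in the post-request hook aborts the whole response.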
