[WIP] Access Control Enhancements

.gitignore

@@ -20,6 +20,7 @@ venv1/
 .env*
 .venv/
 .vscode/
+.devcontainer/
 *.code-workspace
 nohup.out
 celerybeat-schedule.db

docker-compose.dev.yml

@@ -16,7 +16,6 @@
 #  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 services:
-
   rabbitmq:
     extends:
       file: docker-compose.base.yml
@@ -43,11 +42,16 @@ services:
     ports:
       - "127.0.0.1:8000:8000"
     volumes:
-      - ./source/app:/iriswebapp/app
+      # - ./source/app:/iriswebapp/app
       - ./ui/dist:/iriswebapp/static
     healthcheck:
       test: curl --head --fail http://localhost:8000 || exit 1
       start_period: 60s
+    develop:
+      watch:
+        - action: sync+restart
+          path: ./source/app
+          target: /iriswebapp/app
 
   worker:
     extends:
@@ -71,7 +75,6 @@ services:
         NGINX_CONF_FILE: nginx.conf
     image: iriswebapp_nginx:develop
 
-
 volumes:
   iris-downloads:
   user_templates:

source/app/__init__.py

@@ -19,6 +19,7 @@
 import json
 import logging as logger
 import os
+import sys
 import urllib.parse
 from flask import Flask
 from flask import session
@@ -111,7 +112,7 @@ def ac_current_user_has_manage_perms():
 lm = LoginManager()  # flask-loginmanager
 lm.init_app(app)  # init the login manager
 
-ma = Marshmallow(app) # Init marshmallow
+ma = Marshmallow(app)  # Init marshmallow
 
 dropzone = Dropzone(app)
 
@@ -139,4 +140,6 @@ def shutdown_session(exception=None):
     db.session.remove()
 
 
-from app import views
+# Only import the remainder of the app if we are actually launching the app
+if ".py" in sys.argv[0]:
+    from app import views

source/app/alembic/env.py

@@ -1,3 +1,5 @@
+from app.configuration import SQLALCHEMY_BASE_ADMIN_URI, PG_DB_
+import os
 from alembic import context
 from logging.config import fileConfig
 from sqlalchemy import engine_from_config
@@ -11,13 +13,12 @@
 # This line sets up loggers basically.
 fileConfig(config.config_file_name)
 
-import os
 os.environ["ALEMBIC"] = "1"
 
-from app.configuration import SQLALCHEMY_BASE_ADMIN_URI, PG_DB_
 
 config.set_main_option('sqlalchemy.url', SQLALCHEMY_BASE_ADMIN_URI + PG_DB_)
 
+
 # add your model's MetaData object here
 # for 'autogenerate' support
 # from myapp import mymodel
@@ -72,7 +73,7 @@ def run_migrations_online():
             connection=connection, target_metadata=target_metadata
         )
 
-        #with context.begin_transaction(): -- Fixes stuck transaction. Need more info on that
+        # with context.begin_transaction(): -- Fixes stuck transaction. Need more info on that
         context.run_migrations()
 
 

source/app/alembic/versions/c7a7606e930c_add_rbac_role_tables.py

@@ -0,0 +1,69 @@
+"""Add RBAC Role tables
+
+Revision ID: c7a7606e930c
+Revises: 11aa5b725b8e
+Create Date: 2024-07-04 12:26:01.299980
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from app.alembic.alembic_utils import _has_table
+
+# revision identifiers, used by Alembic.
+revision = 'c7a7606e930c'
+down_revision = '11aa5b725b8e'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    """Apply this upgrade by creating all the new RBAC tables"""
+
+    bind = op.get_bind()
+
+    # Create `role` table
+    if not _has_table("role"):
+        role_table = sa.Table(
+            'role', sa.MetaData(),
+            sa.Column('role_id', sa.BigInteger, primary_key=True),
+            sa.Column('name', sa.String(64)),
+            sa.Column('description', sa.Text),
+            sa.Column('entitlements', sa.JSON)
+        )
+        role_table.create(bind)
+
+    # Create `organisation_role` table
+    if not _has_table("organisation_role"):
+        organisation_role_table = sa.Table(
+            'organisation_role', sa.MetaData(),
+            sa.Column('role_id', sa.BigInteger, sa.ForeignKey(
+                'role.role_id'), primary_key=True),
+            sa.Column('org_id', sa.BigInteger, sa.ForeignKey(
+                'organisations.org_id'), primary_key=True),
+            sa.UniqueConstraint('role_id', 'org_id')
+        )
+        organisation_role_table.create(bind)
+
+    # Create `case_role` table
+    if not _has_table("case_role"):
+        case_role_table = sa.Table(
+            'case_role', sa.MetaData(),
+            sa.Column('role_id', sa.BigInteger, sa.ForeignKey(
+                'role.role_id'), primary_key=True),
+            sa.Column('case_id', sa.BigInteger, sa.ForeignKey(
+                'cases.case_id'), primary_key=True),
+            sa.UniqueConstraint('role_id', 'case_id')
+        )
+        case_role_table.create(bind)
+
+    bind.commit()
+
+
+def downgrade():
+    """
+    Downgrade this migration by dropping all the newly created tables
+    """
+
+    op.drop_table('role')
+    op.drop_table('organisation_role')
+    op.drop_table('case_role')

source/app/blueprints/authorization/__main__.py

@@ -0,0 +1,5 @@
+class Authorization:
+    """`Authorization` class is responsible for handling permission validation, access checks, and more for blueprints."""
+
+    def __init__(self) -> None:
+        pass

source/app/blueprints/authorization/exceptions.py

@@ -0,0 +1,29 @@
+from typing import Optional
+from flask_login import current_user
+import werkzeug.exceptions
+
+
+class UnauthorizedException(werkzeug.exceptions.Forbidden):
+    """`UnauthorizedException` will be raised when an access control check fails.
+
+    Args:
+        resource (str): The resource type
+        action (str): The type of action performed
+        resource_id (str, optional): The resource ID that was the action attempt was for
+
+    Returns:
+        `UnauthorizedException` with args:
+            0, user_id, optional
+            1, resource
+            2, action
+            3, resource_id, optional
+    """
+
+    def __init__(self, resource, action, resource_id: Optional[str] = None) -> None:
+        # Get current user ID
+        user_id = current_user.id if current_user.is_authenticated else None
+
+        # Set exception args
+        self.args = (user_id, resource, action, resource_id)
+
+        super().__init__()

source/app/blueprints/authorization/resources.schema.json

@@ -0,0 +1,33 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "title": "Resources",
+    "type": "object",
+    "required": [],
+    "additionalProperties": {
+        "type": "object",
+        "$ref": "#/definitions/resource"
+    },
+    "definitions": {
+        "resource": {
+            "type": "object",
+            "properties": {
+                "actions": {
+                    "$comment": "The allowed type of actions to take against a resource, multiple allowed.",
+                    "description": "What actions are allowed to be performed against this resource? Options: create, read, update, delete.",
+                    "type": "array",
+                    "items": {
+                        "type": "string",
+                        "enum": ["create", "read", "update", "delete"]
+                    },
+                    "minItems": 1
+                },
+                "description": {
+                    "$comment": "Friendly description of the resource, used for UI.",
+                    "description": "Describe what this resource is for.",
+                    "type": "string"
+                }
+            },
+            "required": ["actions", "description"]
+        }
+    }
+}