CSCMETAX-393: [ADD] Add permission class ServicePermissions, which reads app_config and controls general read and write access for services per each api

Author: Hannu Kamarainen

src/metax_api/api/rest/base/views/api_error_view.py

@@ -1,4 +1,5 @@
 import logging
+
 from django.http import Http404
 from rest_framework.decorators import list_route
 from rest_framework.response import Response
@@ -23,9 +24,6 @@
 
 class ApiErrorViewSet(CommonViewSet):
 
-    authentication_classes = ()
-    permission_classes = ()
-
     def initial(self, request, *args, **kwargs):
         if request.user.username != 'metax':
             raise Http403

src/metax_api/api/rest/base/views/common_view.py

@@ -3,11 +3,13 @@
 
 from django.http import Http404
 from rest_framework import status
+from rest_framework.exceptions import PermissionDenied, MethodNotAllowed
 from rest_framework.generics import get_object_or_404
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 
 from metax_api.exceptions import Http403
+from metax_api.permissions import ServicePermissions
 from metax_api.services import CommonService as CS, ApiErrorService
 from metax_api.utils import RedisSentinelCache
 
@@ -22,6 +24,9 @@ class CommonViewSet(ModelViewSet):
     which include fields like modified and created timestamps, uuid, active flags etc.
     """
 
+    authentication_classes = ()
+    permission_classes = (ServicePermissions,)
+
     lookup_field_internal = None
     cache = RedisSentinelCache()
 
@@ -49,7 +54,7 @@ def handle_exception(self, exc):
         Store request and response data to disk for later inspection
         """
         response = super(CommonViewSet, self).handle_exception(exc)
-        if type(exc) not in (Http403, Http404):
+        if type(exc) not in (Http403, Http404, PermissionDenied, MethodNotAllowed):
             ApiErrorService.store_error_details(self.request, response, exc)
         return response
 
@@ -225,3 +230,12 @@ def _check_and_store_bulk_error(self, request, response):
         """
         if 'failed' in response.data and len(response.data['failed']):
             ApiErrorService.store_error_details(request, response, other={ 'bulk_request': True })
+
+    def get_api_name(self):
+        """
+        Return api name, example: DatasetViewSet -> datasets.
+        Some views where the below formula does not produce a sensible result
+        (for example, directories-api), will inherit this and return a customized
+        result.
+        """
+        return '%ss' % self.__class__.__name__.split('ViewSet')[0].lower()

src/metax_api/api/rest/base/views/contract_view.py

@@ -1,5 +1,3 @@
-import logging
-
 from rest_framework import status
 from rest_framework.decorators import detail_route
 from rest_framework.response import Response
@@ -9,15 +7,9 @@
 from .common_view import CommonViewSet
 from ..serializers import ContractSerializer, CatalogRecordSerializer
 
-_logger = logging.getLogger(__name__)
-d = logging.getLogger(__name__).debug
-
 
 class ContractViewSet(CommonViewSet):
 
-    authentication_classes = ()
-    permission_classes = ()
-
     serializer_class = ContractSerializer
     object = Contract
 

src/metax_api/api/rest/base/views/data_catalog_view.py

@@ -1,23 +1,14 @@
-import logging
-
 from django.http import Http404
 
 from metax_api.models import DataCatalog
 from .common_view import CommonViewSet
 from ..serializers import DataCatalogSerializer
 
-_logger = logging.getLogger(__name__)
-d = logging.getLogger(__name__).debug
-
 
 class DataCatalogViewSet(CommonViewSet):
 
-    authentication_classes = ()
-    permission_classes = ()
-
     serializer_class = DataCatalogSerializer
     object = DataCatalog
-
     lookup_field = 'pk'
 
     def __init__(self, *args, **kwargs):

src/metax_api/api/rest/base/views/dataset_view.py

@@ -16,14 +16,11 @@
 from ..serializers import CatalogRecordSerializer, FileSerializer
 
 _logger = logging.getLogger(__name__)
-d = logging.getLogger(__name__).debug
+d = _logger.debug
 
 
 class DatasetViewSet(CommonViewSet):
 
-    authentication_classes = ()
-    permission_classes = ()
-
     serializer_class = CatalogRecordSerializer
     object = CatalogRecord
     select_related = ['data_catalog', 'contract']

src/metax_api/api/rest/base/views/directory_view.py

@@ -1,5 +1,4 @@
 from collections import defaultdict
-import logging
 
 from rest_framework.decorators import detail_route, list_route
 from rest_framework.response import Response
@@ -10,21 +9,20 @@
 from metax_api.services import CommonService, FileService
 from .common_view import CommonViewSet
 
-_logger = logging.getLogger(__name__)
-d = logging.getLogger(__name__).debug
-
 
 class DirectoryViewSet(CommonViewSet):
 
-    authentication_classes = ()
-    permission_classes = ()
-
     serializer_class = DirectorySerializer
     object = Directory
     select_related = ['parent_directory']
-
     lookup_field_other = 'identifier'
 
+    def get_api_name(self):
+        """
+        Overrided due to not being able to follow common plural pattern...
+        """
+        return 'directories'
+
     def list(self, request, *args, **kwargs):
         raise Http501()
 

src/metax_api/api/rest/base/views/file_storage_view.py

@@ -10,12 +10,8 @@
 
 class FileStorageViewSet(CommonViewSet):
 
-    authentication_classes = ()
-    permission_classes = ()
-
     serializer_class = FileStorageSerializer
     object = FileStorage
-
     lookup_field = 'pk'
 
     def __init__(self, *args, **kwargs):

src/metax_api/api/rest/base/views/file_view.py

@@ -18,16 +18,12 @@
 from ..serializers import FileSerializer, XmlMetadataSerializer
 
 _logger = logging.getLogger(__name__)
-d = logging.getLogger(__name__).debug
 
 
 # none of the methods in this class use atomic requests by default! see method dispatch()
 @transaction.non_atomic_requests
 class FileViewSet(CommonViewSet):
 
-    authentication_classes = ()
-    permission_classes = ()
-
     serializer_class = FileSerializer
     object = File
     select_related = ['file_storage', 'parent_directory']

src/metax_api/api/rest/base/views/schema_view.py

@@ -1,17 +1,13 @@
-import logging
-
 from rest_framework import viewsets
-from metax_api.services import SchemaService
-
 
-_logger = logging.getLogger(__name__)
-d = logging.getLogger(__name__).debug
+from metax_api.permissions import ServicePermissions
+from metax_api.services import SchemaService
 
 
 class SchemaViewSet(viewsets.ReadOnlyModelViewSet):
 
     authentication_classes = ()
-    permission_classes = ()
+    permission_classes = (ServicePermissions,)
 
     def list(self, request, *args, **kwargs):
         return SchemaService.get_all_schemas()
@@ -21,3 +17,9 @@ def retrieve(self, request, *args, **kwargs):
 
     def get_queryset(self):
         return self.list(None)
+
+    def get_api_name(self):
+        """
+        Does not inherit from common...
+        """
+        return 'schemas'

src/metax_api/middleware/identifyapicaller.py

@@ -128,7 +128,4 @@ def _identify_api_caller(self, request):
 class _IdentifyApiCallerDummy(_IdentifyApiCaller):
 
     def _get_api_users(self):
-        return [
-            django_settings.API_METAX_USER,
-            django_settings.API_TEST_USER,
-        ]
+        return django_settings.API_TEST_USERS

src/metax_api/permissions/__init__.py

@@ -0,0 +1 @@
+from .permissions import *

src/metax_api/permissions/permissions.py

@@ -0,0 +1,74 @@
+import logging
+
+from django.conf import settings
+from rest_framework.exceptions import MethodNotAllowed
+from rest_framework.permissions import BasePermission
+
+
+_logger = logging.getLogger(__name__)
+READ_METHODS = ('GET', 'HEAD', 'OPTIONS')
+WRITE_METHODS = ('POST', 'PUT', 'PATCH', 'DELETE')
+
+
+class ServicePermissions(BasePermission):
+
+    """
+    Permission-object to control api-resource-wide read and write access for each
+    service, such as /datasets or /files. If access to individual view method (url)
+    needs to be restricted, add additional checks directly inside that view method.
+
+    The source of service permissions is the app_config file.
+    """
+
+    perms = {}
+
+    def __init__(self, *args, **kwargs):
+        self.set_perms()
+
+    def set_perms(self):
+        """
+        self.perms dict looks like:
+        {
+            'datasets': {
+                'read': ['service1', 'service2'],
+                'write': ['service1', 'service3']
+            }
+            'files': {
+                ...
+            },
+            ...
+        }
+        """
+        self.perms = settings.API_ACCESS
+
+    def has_permission(self, request, view):
+        """
+        Return `True` if permission is granted, `False` otherwise.
+        """
+        api_name = view.get_api_name()
+
+        if api_name not in self.perms: # pragma: no cover
+            _logger.info(
+                'api_name %s not specified in self.perms - forbidding. this probably should not happen' % api_name
+            )
+            return False
+
+        elif request.method in READ_METHODS:
+            if 'all' in self.perms[api_name]['read']:
+                return True
+            return request.user.username in self.perms[api_name]['read']
+
+        elif request.method in WRITE_METHODS:
+            return request.user.username in self.perms[api_name]['write']
+
+        else:
+            raise MethodNotAllowed
+
+        return False
+
+    def has_object_permission(self, request, view, obj):
+        """
+        Return `True` if permission is granted, `False` otherwise.
+        """
+        # default
+        return True

src/metax_api/settings.py

@@ -26,7 +26,6 @@
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
-
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/1.11/howto/deployment/checklist/
 
@@ -46,13 +45,36 @@
         'username': 'metax',
         'password': 'metaxpassword'
     }
+    API_AUTH_TEST_USER = {
+        'username': 'api_auth_user',
+        'password': 'assword'
+    }
 
+    API_TEST_USERS = [
+        API_TEST_USER,
+        API_METAX_USER,
+        API_AUTH_TEST_USER,
+    ]
+
+    API_ACCESS = {
+        "apierrors":    { "read":  ["testuser", "metax"], "write": ["testuser", "metax"] },
+        "contracts":    { "read":  ["testuser", "metax"], "write": ["testuser", "metax"] },
+        "datacatalogs": { "read":  ["all"], "write": ["testuser", "metax"] },
+        "datasets":     { "read":  ["all"], "write": ["testuser", "metax", "api_auth_user"] },
+        "directories":  { "read":  ["testuser", "metax"], "write": ["testuser", "metax"] },
+        "files":        { "read":  ["testuser", "metax", "api_auth_user"], "write": ["testuser", "metax"] },
+        "filestorages": { "read":  ["testuser", "metax"], "write": ["testuser", "metax"] },
+        "schemas":      { "read":  ["all"], "write": ["testuser", "metax"] }
+    }
+else:
+    API_ACCESS = app_config_dict['API_ACCESS']
+
+if executing_test_case() or executing_in_travis:
     ERROR_FILES_PATH = '/tmp/metax-api-tests/errors'
 else:
     # location to store information about exceptions occurred during api requests
     ERROR_FILES_PATH = '/var/log/metax-api/errors'
 
-
 # Consider enabling these
 #CSRF_COOKIE_SECURE = True
 #SECURE_SSL_REDIRECT = True

src/metax_api/tests/api/rest/base/views/common/__init__.py

@@ -1,2 +1,3 @@
+from .auth import *
 from .read import *
 from .write import *