-
Notifications
You must be signed in to change notification settings - Fork 302
/
permission.py
71 lines (60 loc) · 2.6 KB
/
permission.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# Copyright European Organization for Nuclear Research (CERN) since 2012
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from copy import deepcopy
from typing import TYPE_CHECKING
from rucio.common.exception import RSENotFound
from rucio.common.types import InternalAccount, InternalScope
from rucio.core import permission
from rucio.core.rse import get_rse_id
from rucio.db.sqla.session import read_session
if TYPE_CHECKING:
from sqlalchemy.orm import Session
@read_session
def has_permission(issuer, action, kwargs, vo='def', *, session: "Session"):
"""
Checks if an account has the specified permission to
execute an action with parameters.
:param issuer: The Account issuer.
:param vo: The VO to check against.
:param action: The action (API call) called by the account.
:param session: The db session to use
:param kwargs: List of arguments for the action.
:returns: True if account is allowed to call the API call, otherwise False
"""
kwargs = deepcopy(kwargs)
if 'rse' in kwargs and 'rse_id' not in kwargs:
try:
rse_id = get_rse_id(rse=kwargs.get('rse'), vo=vo, session=session)
except RSENotFound:
rse_id = None
kwargs.update({'rse_id': rse_id})
if 'scope' in kwargs:
kwargs['scope'] = InternalScope(kwargs['scope'], vo=vo)
if 'attachments' in kwargs:
for a in kwargs['attachments']:
a['scope'] = InternalScope(a['scope'], vo=vo)
if 'account' in kwargs:
kwargs['account'] = InternalAccount(kwargs['account'], vo=vo)
if 'accounts' in kwargs:
kwargs['accounts'] = [InternalAccount(a, vo=vo) for a in kwargs['accounts']]
if 'rules' in kwargs:
for r in kwargs['rules']:
r['account'] = InternalAccount(r['account'], vo=vo)
if 'dids' in kwargs:
for d in kwargs['dids']:
if 'rules' in d:
for r in d['rules']:
r['account'] = InternalAccount(r['account'], vo=vo)
issuer = InternalAccount(issuer, vo=vo)
return permission.has_permission(issuer=issuer, action=action, kwargs=kwargs, session=session)