gateway/modules/shared/rbacHelpers.py

"""
RBAC helper functions for resource access control.
Provides convenient functions for checking permissions in feature modules.
"""
import logging
from typing import Optional
from modules.datamodels.datamodelUam import User, AccessLevel
from modules.datamodels.datamodelRbac import AccessRuleContext
from modules.security.rbac import RbacClass
from modules.connectors.connectorDbPostgre import DatabaseConnector
# Module logger; the helpers below log every failed permission lookup here so
# a denial caused by an RBAC backend error can be traced, not just observed.
logger = logging.getLogger(__name__)
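def checkResourceAccess(
    RbacInstance: RbacClass,
    currentUser: User,
    resourcePath: str
) -> bool:
    """
    Check whether a user may view a resource.

    Args:
        RbacInstance: RbacClass instance used to resolve permissions
        currentUser: Current user object
        resourcePath: Resource path (e.g., "ai.model.anthropic", "ai.action.jira")

    Returns:
        True if the user has view permission for the resource. False when the
        permission is not granted, and also when the permission lookup itself
        raises (fail-closed). The failure case is logged with its traceback so
        that an RBAC backend outage or misconfiguration is not mistaken for an
        ordinary deny.
    """
    try:
        permissions = RbacInstance.getUserPermissions(
            currentUser,
            AccessRuleContext.RESOURCE,
            resourcePath,
        )
        # Kept inside the try: a malformed permissions object must also deny.
        return permissions.view
    except Exception:
        # Deny on any failure; never let a broken lookup grant access.
        # logger.exception keeps the stack trace that logging only str(e) dropped.
        logger.exception("Error checking resource access for %s", resourcePath)
        return False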
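def checkUiAccess(
    RbacInstance: RbacClass,
    currentUser: User,
    uiPath: str
) -> bool:
    """
    Check whether a user may view a UI element.

    Args:
        RbacInstance: RbacClass instance used to resolve permissions
        currentUser: Current user object
        uiPath: UI path (e.g., "playground.voice.settings", "chatbot.search")

    Returns:
        True if the user has view permission for the UI element. False when the
        permission is not granted, and also when the permission lookup itself
        raises (fail-closed). The failure case is logged with its traceback so
        that an RBAC backend error is distinguishable from an ordinary deny.
    """
    try:
        permissions = RbacInstance.getUserPermissions(
            currentUser,
            AccessRuleContext.UI,
            uiPath,
        )
        # Kept inside the try: a malformed permissions object must also deny.
        return permissions.view
    except Exception:
        # Deny on any failure; never let a broken lookup grant access.
        # logger.exception keeps the stack trace that logging only str(e) dropped.
        logger.exception("Error checking UI access for %s", uiPath)
        return False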
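def checkDataAccess(
    RbacInstance: RbacClass,
    currentUser: User,
    tableName: str,
    operation: str = "read"
) -> bool:
    """
    Check whether a user may perform an operation on a data table.

    Args:
        RbacInstance: RbacClass instance used to resolve permissions
        currentUser: Current user object
        tableName: Table name (e.g., "UserInDB", "Mandate")
        operation: Operation to check; one of "read", "create", "update",
            "delete". Any other value is logged and denied.

    Returns:
        True if the user's access level for the operation is anything other
        than AccessLevel.NONE. False when the level is NONE, when the operation
        is not one of the four known names, and when the permission lookup
        itself raises (fail-closed). Lookup failures are logged with their
        traceback so an RBAC backend error is distinguishable from a deny.
    """
    # Closed allow-list of permission attributes. The operation string may come
    # from a caller's request handling, so it is never used to look up an
    # attribute unless it matches one of these names exactly.
    knownOperations = ("read", "create", "update", "delete")
    if operation not in knownOperations:
        logger.warning("Unknown operation: %s", operation)
        return False
    try:
        permissions = RbacInstance.getUserPermissions(
            currentUser,
            AccessRuleContext.DATA,
            tableName,
        )
        # Kept inside the try: a malformed permissions object must also deny.
        return getattr(permissions, operation) != AccessLevel.NONE
    except Exception:
        # Deny on any failure; never let a broken lookup grant access.
        # logger.exception keeps the stack trace that logging only str(e) dropped.
        logger.exception("Error checking data access for %s", tableName)
        return False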
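def getResourcePermissions(
    RbacInstance: RbacClass,
    currentUser: User,
    resourcePath: str
) -> dict:
    """
    Get the permission summary for a resource.

    Args:
        RbacInstance: RbacClass instance used to resolve permissions
        currentUser: Current user object
        resourcePath: Resource path (e.g., "ai.model.anthropic")

    Returns:
        Dictionary with keys "view" and "hasAccess"; both carry the resolved
        view permission. If the permission lookup raises, both are False
        (fail-closed) and the failure is logged with its traceback so an RBAC
        backend error is distinguishable from an ordinary deny.
    """
    try:
        permissions = RbacInstance.getUserPermissions(
            currentUser,
            AccessRuleContext.RESOURCE,
            resourcePath,
        )
        # Evaluated inside the try: a malformed permissions object must also deny.
        canView = permissions.view
    except Exception:
        # Deny on any failure; never let a broken lookup grant access.
        # logger.exception keeps the stack trace that logging only str(e) dropped.
        logger.exception("Error getting resource permissions for %s", resourcePath)
        canView = False
    return {
        "view": canView,
        "hasAccess": canView,
    }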
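def getUiPermissions(
    RbacInstance: RbacClass,
    currentUser: User,
    uiPath: str
) -> dict:
    """
    Get the permission summary for a UI element.

    Args:
        RbacInstance: RbacClass instance used to resolve permissions
        currentUser: Current user object
        uiPath: UI path (e.g., "playground.voice.settings")

    Returns:
        Dictionary with keys "view" and "hasAccess"; both carry the resolved
        view permission. If the permission lookup raises, both are False
        (fail-closed) and the failure is logged with its traceback so an RBAC
        backend error is distinguishable from an ordinary deny.
    """
    try:
        permissions = RbacInstance.getUserPermissions(
            currentUser,
            AccessRuleContext.UI,
            uiPath,
        )
        # Evaluated inside the try: a malformed permissions object must also deny.
        canView = permissions.view
    except Exception:
        # Deny on any failure; never let a broken lookup grant access.
        # logger.exception keeps the stack trace that logging only str(e) dropped.
        logger.exception("Error getting UI permissions for %s", uiPath)
        canView = False
    return {
        "view": canView,
        "hasAccess": canView,
    }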