gateway/modules/security/rbacHelpers.py

# Copyright (c) 2025 Patrick Motsch
# All rights reserved.
"""
RBAC helper functions for resource access control.
Provides convenient functions for checking permissions in feature modules.
"""

import logging
from typing import Optional
from modules.datamodels.datamodelUam import User, AccessLevel
from modules.datamodels.datamodelRbac import AccessRuleContext
from modules.security.rbac import RbacClass

logger = logging.getLogger(__name__)


def checkResourceAccess(
    RbacInstance: RbacClass,
    currentUser: User,
    resourcePath: str
) -> bool:
    """
    Check if user has access to a resource.
    
    Args:
        RbacInstance: RbacClass instance
        currentUser: Current user object
        resourcePath: Resource path (e.g., "ai.model.anthropic", "ai.action.jira")
        
    Returns:
        True if user has view permission for the resource, False otherwise
    """
    try:
        permissions = RbacInstance.getUserPermissions(
            currentUser,
            AccessRuleContext.RESOURCE,
            resourcePath
        )
        return permissions.view
    except Exception as e:
        logger.error(f"Error checking resource access for {resourcePath}: {e}")
        return False


def checkUiAccess(
    RbacInstance: RbacClass,
    currentUser: User,
    uiPath: str
) -> bool:
    """
    Check if user has access to a UI element.
    
    Args:
        RbacInstance: RbacClass instance
        currentUser: Current user object
        uiPath: UI path (e.g., "playground.voice.settings", "chatbot.search")
        
    Returns:
        True if user has view permission for the UI element, False otherwise
    """
    try:
        permissions = RbacInstance.getUserPermissions(
            currentUser,
            AccessRuleContext.UI,
            uiPath
        )
        return permissions.view
    except Exception as e:
        logger.error(f"Error checking UI access for {uiPath}: {e}")
        return False


def checkDataAccess(
    RbacInstance: RbacClass,
    currentUser: User,
    tableName: str,
    operation: str = "read"
) -> bool:
    """
    Check if user has access to a data table for a specific operation.
    
    Args:
        RbacInstance: RbacClass instance
        currentUser: Current user object
        tableName: Table name (e.g., "UserInDB", "Mandate")
        operation: Operation to check ("read", "create", "update", "delete")
        
    Returns:
        True if user has permission for the operation, False otherwise
    """
    try:
        permissions = RbacInstance.getUserPermissions(
            currentUser,
            AccessRuleContext.DATA,
            tableName
        )
        
        if operation == "read":
            return permissions.read != AccessLevel.NONE
        elif operation == "create":
            return permissions.create != AccessLevel.NONE
        elif operation == "update":
            return permissions.update != AccessLevel.NONE
        elif operation == "delete":
            return permissions.delete != AccessLevel.NONE
        else:
            logger.warning(f"Unknown operation: {operation}")
            return False
    except Exception as e:
        logger.error(f"Error checking data access for {tableName}: {e}")
        return False


def getResourcePermissions(
    RbacInstance: RbacClass,
    currentUser: User,
    resourcePath: str
) -> dict:
    """
    Get full permissions for a resource.
    
    Args:
        RbacInstance: RbacClass instance
        currentUser: Current user object
        resourcePath: Resource path (e.g., "ai.model.anthropic")
        
    Returns:
        Dictionary with permission information
    """
    try:
        permissions = RbacInstance.getUserPermissions(
            currentUser,
            AccessRuleContext.RESOURCE,
            resourcePath
        )
        return {
            "view": permissions.view,
            "hasAccess": permissions.view
        }
    except Exception as e:
        logger.error(f"Error getting resource permissions for {resourcePath}: {e}")
        return {
            "view": False,
            "hasAccess": False
        }


def getUiPermissions(
    RbacInstance: RbacClass,
    currentUser: User,
    uiPath: str
) -> dict:
    """
    Get full permissions for a UI element.
    
    Args:
        RbacInstance: RbacClass instance
        currentUser: Current user object
        uiPath: UI path (e.g., "playground.voice.settings")
        
    Returns:
        Dictionary with permission information
    """
    try:
        permissions = RbacInstance.getUserPermissions(
            currentUser,
            AccessRuleContext.UI,
            uiPath
        )
        return {
            "view": permissions.view,
            "hasAccess": permissions.view
        }
    except Exception as e:
        logger.error(f"Error getting UI permissions for {uiPath}: {e}")
        return {
            "view": False,
            "hasAccess": False
        }