147 lines
5.4 KiB
Python
147 lines
5.4 KiB
Python
# #region SeedPermissionsScript [C:5] [TYPE Module] [SEMANTICS rbac, search, auth]
|
|
#
|
|
# @BRIEF Populates the auth database with initial system permissions.
|
|
# @LAYER: Infrastructure
|
|
# @RELATION DEPENDS_ON -> AuthSessionLocal
|
|
# @RELATION DEPENDS_ON -> Permission
|
|
# @RELATION DEPENDS_ON -> Role
|
|
# @RELATION DEPENDS_ON -> AuthRepository
|
|
#
|
|
# @INVARIANT: Safe to run multiple times (idempotent).
|
|
# @SIDE_EFFECT: Writes permissions to database
|
|
# @DATA_CONTRACT: CLIArgs -> SeedSummary
|
|
|
|
import sys
|
|
from pathlib import Path
|
|
|
|
# Add src to path
|
|
sys.path.append(str(Path(__file__).parent.parent.parent))
|
|
|
|
from src.core.auth.repository import AuthRepository
|
|
from src.core.cot_logger import seed_trace_id
|
|
from src.core.database import AuthSessionLocal
|
|
from src.core.logger import belief_scope, logger
|
|
from src.models.auth import Permission, Role
|
|
|
|
# #region INITIAL_PERMISSIONS [C:3] [TYPE Constant]
|
|
# @BRIEF Canonical bootstrap permission tuples seeded into auth storage.
|
|
# @RELATION DEPENDS_ON -> SeedPermissionsScript
|
|
INITIAL_PERMISSIONS = [
|
|
# Admin Permissions
|
|
{"resource": "admin:users", "action": "READ"},
|
|
{"resource": "admin:users", "action": "WRITE"},
|
|
{"resource": "admin:roles", "action": "READ"},
|
|
{"resource": "admin:roles", "action": "WRITE"},
|
|
{"resource": "admin:settings", "action": "READ"},
|
|
{"resource": "admin:settings", "action": "WRITE"},
|
|
{"resource": "environments", "action": "READ"},
|
|
{"resource": "plugins", "action": "READ"},
|
|
{"resource": "tasks", "action": "READ"},
|
|
{"resource": "tasks", "action": "WRITE"},
|
|
# Plugin Permissions
|
|
{"resource": "plugin:backup", "action": "EXECUTE"},
|
|
{"resource": "plugin:migration", "action": "EXECUTE"},
|
|
{"resource": "plugin:mapper", "action": "EXECUTE"},
|
|
{"resource": "plugin:search", "action": "EXECUTE"},
|
|
{"resource": "plugin:git", "action": "EXECUTE"},
|
|
{"resource": "plugin:storage", "action": "EXECUTE"},
|
|
{"resource": "plugin:storage", "action": "READ"},
|
|
{"resource": "plugin:storage", "action": "WRITE"},
|
|
{"resource": "plugin:debug", "action": "EXECUTE"},
|
|
{"resource": "git_config", "action": "READ"},
|
|
# Dataset Review Permissions
|
|
{"resource": "dataset:session", "action": "READ"},
|
|
{"resource": "dataset:session", "action": "MANAGE"},
|
|
{"resource": "dataset:session", "action": "APPROVE"},
|
|
{"resource": "dataset:execution", "action": "PREVIEW"},
|
|
{"resource": "dataset:execution", "action": "LAUNCH"},
|
|
{"resource": "dataset:execution", "action": "LAUNCH_PROD"},
|
|
]
|
|
# #endregion INITIAL_PERMISSIONS
|
|
|
|
|
|
# #region seed_permissions [C:3] [TYPE Function]
|
|
# @BRIEF Inserts missing permissions into the database.
|
|
# @POST: All INITIAL_PERMISSIONS exist in the DB.
|
|
# @RELATION DEPENDS_ON -> AuthSessionLocal
|
|
# @RELATION DEPENDS_ON -> Permission
|
|
# @RELATION DEPENDS_ON -> Role
|
|
# @RELATION DEPENDS_ON -> AuthRepository
|
|
# @RELATION DEPENDS_ON -> INITIAL_PERMISSIONS
|
|
def seed_permissions():
|
|
seed_trace_id()
|
|
with belief_scope("seed_permissions"):
|
|
db = AuthSessionLocal()
|
|
try:
|
|
logger.info("Seeding permissions...")
|
|
count = 0
|
|
for perm_data in INITIAL_PERMISSIONS:
|
|
exists = (
|
|
db.query(Permission)
|
|
.filter(
|
|
Permission.resource == perm_data["resource"],
|
|
Permission.action == perm_data["action"],
|
|
)
|
|
.first()
|
|
)
|
|
|
|
if not exists:
|
|
new_perm = Permission(
|
|
resource=perm_data["resource"], action=perm_data["action"]
|
|
)
|
|
db.add(new_perm)
|
|
count += 1
|
|
|
|
db.commit()
|
|
logger.info(f"Seeding completed. Added {count} new permissions.")
|
|
|
|
# Assign permissions to User role
|
|
repo = AuthRepository(db)
|
|
user_role = repo.get_role_by_name("User")
|
|
if not user_role:
|
|
user_role = Role(
|
|
name="User", description="Standard user with plugin access"
|
|
)
|
|
db.add(user_role)
|
|
db.flush()
|
|
|
|
user_permissions = [
|
|
("plugin:mapper", "EXECUTE"),
|
|
("plugin:migration", "EXECUTE"),
|
|
("plugin:backup", "EXECUTE"),
|
|
("plugin:git", "EXECUTE"),
|
|
("plugin:storage", "READ"),
|
|
("plugin:storage", "WRITE"),
|
|
("environments", "READ"),
|
|
("plugins", "READ"),
|
|
("tasks", "READ"),
|
|
("tasks", "WRITE"),
|
|
("git_config", "READ"),
|
|
("dataset:session", "READ"),
|
|
("dataset:session", "MANAGE"),
|
|
("dataset:execution", "PREVIEW"),
|
|
("dataset:execution", "LAUNCH"),
|
|
]
|
|
|
|
for res, act in user_permissions:
|
|
perm = repo.get_permission_by_resource_action(res, act)
|
|
if perm and perm not in user_role.permissions:
|
|
user_role.permissions.append(perm)
|
|
|
|
db.commit()
|
|
logger.info("User role permissions updated.")
|
|
|
|
except Exception as e:
|
|
logger.error(f"Failed to seed permissions: {e}")
|
|
db.rollback()
|
|
finally:
|
|
db.close()
|
|
|
|
|
|
# #endregion seed_permissions
|
|
|
|
if __name__ == "__main__":
|
|
seed_permissions()
|
|
|
|
# #endregion SeedPermissionsScript
|