Files
ss-tools/backend/src/scripts/seed_permissions.py
2026-05-19 18:36:15 +03:00

147 lines
5.4 KiB
Python

# #region SeedPermissionsScript [C:5] [TYPE Module] [SEMANTICS rbac, search, auth]
#
# @BRIEF Populates the auth database with initial system permissions.
# @LAYER: Infrastructure
# @RELATION DEPENDS_ON -> AuthSessionLocal
# @RELATION DEPENDS_ON -> Permission
# @RELATION DEPENDS_ON -> Role
# @RELATION DEPENDS_ON -> AuthRepository
#
# @INVARIANT: Safe to run multiple times (idempotent).
# @SIDE_EFFECT: Writes permissions to database
# @DATA_CONTRACT: CLIArgs -> SeedSummary
import sys
from pathlib import Path
# Add src to path
sys.path.append(str(Path(__file__).parent.parent.parent))
from src.core.auth.repository import AuthRepository
from src.core.cot_logger import seed_trace_id
from src.core.database import AuthSessionLocal
from src.core.logger import belief_scope, logger
from src.models.auth import Permission, Role
# #region INITIAL_PERMISSIONS [C:3] [TYPE Constant]
# @BRIEF Canonical bootstrap permission tuples seeded into auth storage.
# @RELATION DEPENDS_ON -> SeedPermissionsScript
INITIAL_PERMISSIONS = [
# Admin Permissions
{"resource": "admin:users", "action": "READ"},
{"resource": "admin:users", "action": "WRITE"},
{"resource": "admin:roles", "action": "READ"},
{"resource": "admin:roles", "action": "WRITE"},
{"resource": "admin:settings", "action": "READ"},
{"resource": "admin:settings", "action": "WRITE"},
{"resource": "environments", "action": "READ"},
{"resource": "plugins", "action": "READ"},
{"resource": "tasks", "action": "READ"},
{"resource": "tasks", "action": "WRITE"},
# Plugin Permissions
{"resource": "plugin:backup", "action": "EXECUTE"},
{"resource": "plugin:migration", "action": "EXECUTE"},
{"resource": "plugin:mapper", "action": "EXECUTE"},
{"resource": "plugin:search", "action": "EXECUTE"},
{"resource": "plugin:git", "action": "EXECUTE"},
{"resource": "plugin:storage", "action": "EXECUTE"},
{"resource": "plugin:storage", "action": "READ"},
{"resource": "plugin:storage", "action": "WRITE"},
{"resource": "plugin:debug", "action": "EXECUTE"},
{"resource": "git_config", "action": "READ"},
# Dataset Review Permissions
{"resource": "dataset:session", "action": "READ"},
{"resource": "dataset:session", "action": "MANAGE"},
{"resource": "dataset:session", "action": "APPROVE"},
{"resource": "dataset:execution", "action": "PREVIEW"},
{"resource": "dataset:execution", "action": "LAUNCH"},
{"resource": "dataset:execution", "action": "LAUNCH_PROD"},
]
# #endregion INITIAL_PERMISSIONS
# #region seed_permissions [C:3] [TYPE Function]
# @BRIEF Inserts missing permissions into the database.
# @POST: All INITIAL_PERMISSIONS exist in the DB.
# @RELATION DEPENDS_ON -> AuthSessionLocal
# @RELATION DEPENDS_ON -> Permission
# @RELATION DEPENDS_ON -> Role
# @RELATION DEPENDS_ON -> AuthRepository
# @RELATION DEPENDS_ON -> INITIAL_PERMISSIONS
def seed_permissions():
seed_trace_id()
with belief_scope("seed_permissions"):
db = AuthSessionLocal()
try:
logger.info("Seeding permissions...")
count = 0
for perm_data in INITIAL_PERMISSIONS:
exists = (
db.query(Permission)
.filter(
Permission.resource == perm_data["resource"],
Permission.action == perm_data["action"],
)
.first()
)
if not exists:
new_perm = Permission(
resource=perm_data["resource"], action=perm_data["action"]
)
db.add(new_perm)
count += 1
db.commit()
logger.info(f"Seeding completed. Added {count} new permissions.")
# Assign permissions to User role
repo = AuthRepository(db)
user_role = repo.get_role_by_name("User")
if not user_role:
user_role = Role(
name="User", description="Standard user with plugin access"
)
db.add(user_role)
db.flush()
user_permissions = [
("plugin:mapper", "EXECUTE"),
("plugin:migration", "EXECUTE"),
("plugin:backup", "EXECUTE"),
("plugin:git", "EXECUTE"),
("plugin:storage", "READ"),
("plugin:storage", "WRITE"),
("environments", "READ"),
("plugins", "READ"),
("tasks", "READ"),
("tasks", "WRITE"),
("git_config", "READ"),
("dataset:session", "READ"),
("dataset:session", "MANAGE"),
("dataset:execution", "PREVIEW"),
("dataset:execution", "LAUNCH"),
]
for res, act in user_permissions:
perm = repo.get_permission_by_resource_action(res, act)
if perm and perm not in user_role.permissions:
user_role.permissions.append(perm)
db.commit()
logger.info("User role permissions updated.")
except Exception as e:
logger.error(f"Failed to seed permissions: {e}")
db.rollback()
finally:
db.close()
# #endregion seed_permissions
if __name__ == "__main__":
seed_permissions()
# #endregion SeedPermissionsScript