Expose resource access explanation API
This commit is contained in:
@@ -486,6 +486,15 @@ class AccessScopeExplanationItem(BaseModel):
|
|||||||
sources: list[AccessRoleSourceItem] = Field(default_factory=list)
|
sources: list[AccessRoleSourceItem] = Field(default_factory=list)
|
||||||
|
|
||||||
|
|
||||||
|
class AccessDecisionProvenanceItem(BaseModel):
|
||||||
|
kind: str
|
||||||
|
id: str | None = None
|
||||||
|
label: str | None = None
|
||||||
|
tenant_id: str | None = None
|
||||||
|
source: str | None = None
|
||||||
|
details: dict[str, object] = Field(default_factory=dict)
|
||||||
|
|
||||||
|
|
||||||
class FunctionFactExplanationItem(BaseModel):
|
class FunctionFactExplanationItem(BaseModel):
|
||||||
source_module: str
|
source_module: str
|
||||||
assignment_id: str
|
assignment_id: str
|
||||||
@@ -512,6 +521,14 @@ class UserAccessExplanationResponse(BaseModel):
|
|||||||
function_facts: list[FunctionFactExplanationItem] = Field(default_factory=list)
|
function_facts: list[FunctionFactExplanationItem] = Field(default_factory=list)
|
||||||
|
|
||||||
|
|
||||||
|
class ResourceAccessExplanationResponse(BaseModel):
|
||||||
|
user: UserAdminItem
|
||||||
|
resource_type: str
|
||||||
|
resource_id: str
|
||||||
|
action: str
|
||||||
|
provenance: list[AccessDecisionProvenanceItem] = Field(default_factory=list)
|
||||||
|
|
||||||
|
|
||||||
class UserListResponse(BaseModel):
|
class UserListResponse(BaseModel):
|
||||||
users: list[UserAdminItem]
|
users: list[UserAdminItem]
|
||||||
|
|
||||||
|
|||||||
@@ -110,6 +110,7 @@ from govoplan_access.backend.api.v1.admin_schemas import (
|
|||||||
RoleListResponse,
|
RoleListResponse,
|
||||||
RoleSummary,
|
RoleSummary,
|
||||||
RoleUpdateRequest,
|
RoleUpdateRequest,
|
||||||
|
ResourceAccessExplanationResponse,
|
||||||
SystemAccountCreateRequest,
|
SystemAccountCreateRequest,
|
||||||
SystemAccountCreateResponse,
|
SystemAccountCreateResponse,
|
||||||
SystemAccountItem,
|
SystemAccountItem,
|
||||||
@@ -154,6 +155,7 @@ from govoplan_core.core.configuration_control import (
|
|||||||
record_configuration_change_applied,
|
record_configuration_change_applied,
|
||||||
)
|
)
|
||||||
from govoplan_core.core.configuration_safety import configuration_safety_catalog, plan_configuration_change
|
from govoplan_core.core.configuration_safety import configuration_safety_catalog, plan_configuration_change
|
||||||
|
from govoplan_core.core.access import CAPABILITY_ACCESS_EXPLANATION, AccessExplanationService, AccessDecisionProvenance, PrincipalRef
|
||||||
from govoplan_core.core.idm import CAPABILITY_IDM_DIRECTORY, IdmDirectory, OrganizationFunctionAssignmentRef
|
from govoplan_core.core.idm import CAPABILITY_IDM_DIRECTORY, IdmDirectory, OrganizationFunctionAssignmentRef
|
||||||
from govoplan_core.core.organizations import CAPABILITY_ORGANIZATION_DIRECTORY, ORGANIZATIONS_MODULE_ID, OrganizationDirectory
|
from govoplan_core.core.organizations import CAPABILITY_ORGANIZATION_DIRECTORY, ORGANIZATIONS_MODULE_ID, OrganizationDirectory
|
||||||
from govoplan_core.api.v1.schemas import DeltaDeletedItem
|
from govoplan_core.api.v1.schemas import DeltaDeletedItem
|
||||||
@@ -185,7 +187,8 @@ from govoplan_access.backend.db.models import (
|
|||||||
UserGroupMembership,
|
UserGroupMembership,
|
||||||
UserRoleAssignment,
|
UserRoleAssignment,
|
||||||
)
|
)
|
||||||
from govoplan_access.backend.semantic import identity_id_for_account
|
from govoplan_access.backend.semantic import collect_external_function_roles, collect_function_assignment_ids, collect_function_delegation_ids, identity_id_for_account
|
||||||
|
from govoplan_access.backend.security.sessions import collect_user_groups, collect_user_roles, collect_user_scopes
|
||||||
from govoplan_core.db.session import get_session
|
from govoplan_core.db.session import get_session
|
||||||
from govoplan_access.backend.permissions.catalog import (
|
from govoplan_access.backend.permissions.catalog import (
|
||||||
normalize_email,
|
normalize_email,
|
||||||
@@ -514,6 +517,21 @@ def _optional_idm_directory() -> IdmDirectory | None:
|
|||||||
return capability
|
return capability
|
||||||
|
|
||||||
|
|
||||||
|
def _access_explanation_service_or_error() -> AccessExplanationService:
|
||||||
|
registry = get_registry()
|
||||||
|
if registry is not None and registry.has_capability(CAPABILITY_ACCESS_EXPLANATION):
|
||||||
|
capability = registry.require_capability(CAPABILITY_ACCESS_EXPLANATION)
|
||||||
|
if not isinstance(capability, AccessExplanationService):
|
||||||
|
raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Invalid capability: {CAPABILITY_ACCESS_EXPLANATION}")
|
||||||
|
return capability
|
||||||
|
from govoplan_access.backend.explanation import SqlAccessExplanationService
|
||||||
|
|
||||||
|
return SqlAccessExplanationService(
|
||||||
|
idm_directory=_optional_idm_directory(),
|
||||||
|
organization_directory=_optional_organization_directory(),
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def _idm_assignments_for_user(
|
def _idm_assignments_for_user(
|
||||||
idm_directory: IdmDirectory | None,
|
idm_directory: IdmDirectory | None,
|
||||||
user: User,
|
user: User,
|
||||||
@@ -523,6 +541,39 @@ def _idm_assignments_for_user(
|
|||||||
return tuple(idm_directory.organization_function_assignments_for_account(user.account_id, tenant_id=user.tenant_id))
|
return tuple(idm_directory.organization_function_assignments_for_account(user.account_id, tenant_id=user.tenant_id))
|
||||||
|
|
||||||
|
|
||||||
|
def _principal_ref_for_user(session: Session, user: User, *, idm_directory: IdmDirectory | None = None) -> PrincipalRef:
|
||||||
|
account = session.get(Account, user.account_id)
|
||||||
|
if account is None:
|
||||||
|
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Account not found")
|
||||||
|
idm_assignments = _idm_assignments_for_user(idm_directory, user)
|
||||||
|
idm_roles = tuple(collect_external_function_roles(session, user, idm_assignments))
|
||||||
|
scopes = set(collect_user_scopes(session, user, include_system=True))
|
||||||
|
for role in idm_roles:
|
||||||
|
scopes.update(role.permissions or [])
|
||||||
|
role_ids = [role.id for role in collect_user_roles(session, user)]
|
||||||
|
role_ids.extend(role.id for role in idm_roles)
|
||||||
|
function_assignment_ids = list(collect_function_assignment_ids(session, user))
|
||||||
|
function_assignment_ids.extend(item.id for item in idm_assignments)
|
||||||
|
return PrincipalRef(
|
||||||
|
account_id=account.id,
|
||||||
|
membership_id=user.id,
|
||||||
|
tenant_id=user.tenant_id,
|
||||||
|
identity_id=identity_id_for_account(session, account.id),
|
||||||
|
scopes=frozenset(sorted(scopes)),
|
||||||
|
group_ids=frozenset(group.id for group in collect_user_groups(session, user)),
|
||||||
|
role_ids=frozenset(sorted(dict.fromkeys(role_ids))),
|
||||||
|
function_assignment_ids=frozenset(sorted(dict.fromkeys(function_assignment_ids))),
|
||||||
|
delegation_ids=frozenset(collect_function_delegation_ids(session, user)),
|
||||||
|
auth_method="session",
|
||||||
|
email=account.email,
|
||||||
|
display_name=account.display_name or user.display_name,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def _provenance_payload(items: Iterable[AccessDecisionProvenance]) -> list[dict[str, object]]:
|
||||||
|
return [item.to_dict() for item in items]
|
||||||
|
|
||||||
|
|
||||||
def _validate_external_function_source(*, tenant_id: str, source_module: str, function_id: str) -> None:
|
def _validate_external_function_source(*, tenant_id: str, source_module: str, function_id: str) -> None:
|
||||||
if source_module != ORGANIZATIONS_MODULE_ID:
|
if source_module != ORGANIZATIONS_MODULE_ID:
|
||||||
raise HTTPException(
|
raise HTTPException(
|
||||||
@@ -1988,6 +2039,37 @@ def get_user_access_explanation(
|
|||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@router.get("/access/resource-explanation", response_model=ResourceAccessExplanationResponse)
|
||||||
|
def get_resource_access_explanation(
|
||||||
|
user_id: str = Query(...),
|
||||||
|
resource_type: str = Query(..., min_length=1, max_length=100),
|
||||||
|
resource_id: str = Query(..., min_length=1, max_length=2048),
|
||||||
|
action: str = Query(..., min_length=1, max_length=255),
|
||||||
|
tenant_id: str | None = Query(default=None),
|
||||||
|
session: Session = Depends(get_session),
|
||||||
|
principal: ApiPrincipal = Depends(require_any_scope("admin:users:read", "admin:roles:read", "access:membership:read", "access:role:read")),
|
||||||
|
):
|
||||||
|
tenant = _resolve_tenant(session, principal, tenant_id)
|
||||||
|
user = session.query(User).filter(User.id == user_id, User.tenant_id == tenant.id).one_or_none()
|
||||||
|
if user is None:
|
||||||
|
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
|
||||||
|
idm_directory = _optional_idm_directory()
|
||||||
|
target_principal = _principal_ref_for_user(session, user, idm_directory=idm_directory)
|
||||||
|
provenance = _access_explanation_service_or_error().explain_resource_provenance(
|
||||||
|
target_principal,
|
||||||
|
resource_type=resource_type,
|
||||||
|
resource_id=resource_id,
|
||||||
|
action=action,
|
||||||
|
)
|
||||||
|
return ResourceAccessExplanationResponse(
|
||||||
|
user=_user_item_for_response(session, user, idm_directory=idm_directory),
|
||||||
|
resource_type=resource_type,
|
||||||
|
resource_id=resource_id,
|
||||||
|
action=action,
|
||||||
|
provenance=_provenance_payload(provenance),
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
@router.post("/users", response_model=UserCreateResponse, status_code=status.HTTP_201_CREATED)
|
@router.post("/users", response_model=UserCreateResponse, status_code=status.HTTP_201_CREATED)
|
||||||
def create_user(
|
def create_user(
|
||||||
payload: UserCreateRequest,
|
payload: UserCreateRequest,
|
||||||
|
|||||||
@@ -26,7 +26,7 @@ from govoplan_access.backend.semantic import (
|
|||||||
active_function_delegations_for_account,
|
active_function_delegations_for_account,
|
||||||
identity_id_for_account,
|
identity_id_for_account,
|
||||||
)
|
)
|
||||||
from govoplan_core.core.access import AccessDecisionProvenance, AccessExplanationService, PrincipalRef
|
from govoplan_core.core.access import AccessDecisionProvenance, AccessExplanationService, PrincipalRef, ResourceAccessExplanationProvider
|
||||||
from govoplan_core.core.idm import IdmDirectory, OrganizationFunctionAssignmentRef
|
from govoplan_core.core.idm import IdmDirectory, OrganizationFunctionAssignmentRef
|
||||||
from govoplan_core.core.organizations import OrganizationDirectory
|
from govoplan_core.core.organizations import OrganizationDirectory
|
||||||
from govoplan_core.db.session import get_database
|
from govoplan_core.db.session import get_database
|
||||||
@@ -161,9 +161,11 @@ class SqlAccessExplanationService(AccessExplanationService):
|
|||||||
*,
|
*,
|
||||||
idm_directory: IdmDirectory | None = None,
|
idm_directory: IdmDirectory | None = None,
|
||||||
organization_directory: OrganizationDirectory | None = None,
|
organization_directory: OrganizationDirectory | None = None,
|
||||||
|
resource_explanation_providers: Iterable[ResourceAccessExplanationProvider] = (),
|
||||||
) -> None:
|
) -> None:
|
||||||
self._idm_directory = idm_directory
|
self._idm_directory = idm_directory
|
||||||
self._organization_directory = organization_directory
|
self._organization_directory = organization_directory
|
||||||
|
self._resource_explanation_providers = tuple(resource_explanation_providers)
|
||||||
|
|
||||||
def explain_scope_provenance(
|
def explain_scope_provenance(
|
||||||
self,
|
self,
|
||||||
@@ -189,8 +191,28 @@ class SqlAccessExplanationService(AccessExplanationService):
|
|||||||
resource_id: str,
|
resource_id: str,
|
||||||
action: str,
|
action: str,
|
||||||
) -> tuple[AccessDecisionProvenance, ...]:
|
) -> tuple[AccessDecisionProvenance, ...]:
|
||||||
del resource_type, resource_id
|
with get_database().session() as session:
|
||||||
return self.explain_scope_provenance(principal, action)
|
items = _scope_provenance(
|
||||||
|
session,
|
||||||
|
principal,
|
||||||
|
action,
|
||||||
|
idm_directory=self._idm_directory,
|
||||||
|
organization_directory=self._organization_directory,
|
||||||
|
)
|
||||||
|
for provider in self._resource_explanation_providers:
|
||||||
|
provider_items = tuple(
|
||||||
|
provider.explain_resource_provenance(
|
||||||
|
session,
|
||||||
|
principal,
|
||||||
|
resource_type=resource_type,
|
||||||
|
resource_id=resource_id,
|
||||||
|
action=action,
|
||||||
|
)
|
||||||
|
)
|
||||||
|
if provider_items:
|
||||||
|
items.extend(provider_items)
|
||||||
|
break
|
||||||
|
return tuple(_dedupe_provenance(items))
|
||||||
|
|
||||||
|
|
||||||
def build_user_access_explanation(
|
def build_user_access_explanation(
|
||||||
|
|||||||
@@ -17,7 +17,10 @@ from govoplan_core.core.access import (
|
|||||||
CAPABILITY_AUTH_PERMISSION_EVALUATOR,
|
CAPABILITY_AUTH_PERMISSION_EVALUATOR,
|
||||||
CAPABILITY_AUTH_PRINCIPAL_RESOLVER,
|
CAPABILITY_AUTH_PRINCIPAL_RESOLVER,
|
||||||
CAPABILITY_AUTH_TENANT_CONTEXT_SWITCHER,
|
CAPABILITY_AUTH_TENANT_CONTEXT_SWITCHER,
|
||||||
|
ResourceAccessExplanationProvider,
|
||||||
)
|
)
|
||||||
|
from govoplan_core.core.campaigns import CAPABILITY_CAMPAIGNS_ACCESS
|
||||||
|
from govoplan_core.core.files import CAPABILITY_FILES_ACCESS
|
||||||
from govoplan_core.core.idm import CAPABILITY_IDM_DIRECTORY, IdmDirectory
|
from govoplan_core.core.idm import CAPABILITY_IDM_DIRECTORY, IdmDirectory
|
||||||
from govoplan_core.core.organizations import CAPABILITY_ORGANIZATION_DIRECTORY, OrganizationDirectory
|
from govoplan_core.core.organizations import CAPABILITY_ORGANIZATION_DIRECTORY, OrganizationDirectory
|
||||||
from govoplan_core.core.module_guards import persistent_table_uninstall_guard
|
from govoplan_core.core.module_guards import persistent_table_uninstall_guard
|
||||||
@@ -507,12 +510,24 @@ def _optional_organization_directory(context: ModuleContext) -> OrganizationDire
|
|||||||
return capability
|
return capability
|
||||||
|
|
||||||
|
|
||||||
|
def _resource_explanation_providers(context: ModuleContext) -> tuple[ResourceAccessExplanationProvider, ...]:
|
||||||
|
providers: list[ResourceAccessExplanationProvider] = []
|
||||||
|
for capability_name in (CAPABILITY_FILES_ACCESS, CAPABILITY_CAMPAIGNS_ACCESS):
|
||||||
|
if not context.registry.has_capability(capability_name):
|
||||||
|
continue
|
||||||
|
capability = context.registry.require_capability(capability_name)
|
||||||
|
if isinstance(capability, ResourceAccessExplanationProvider):
|
||||||
|
providers.append(capability)
|
||||||
|
return tuple(providers)
|
||||||
|
|
||||||
|
|
||||||
def _access_explanation_service(context: ModuleContext) -> object:
|
def _access_explanation_service(context: ModuleContext) -> object:
|
||||||
from govoplan_access.backend.explanation import SqlAccessExplanationService
|
from govoplan_access.backend.explanation import SqlAccessExplanationService
|
||||||
|
|
||||||
return SqlAccessExplanationService(
|
return SqlAccessExplanationService(
|
||||||
idm_directory=_optional_idm_directory(context),
|
idm_directory=_optional_idm_directory(context),
|
||||||
organization_directory=_optional_organization_directory(context),
|
organization_directory=_optional_organization_directory(context),
|
||||||
|
resource_explanation_providers=_resource_explanation_providers(context),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -132,6 +132,15 @@ export type AccessScopeExplanationItem = {
|
|||||||
sources: AccessRoleSourceItem[];
|
sources: AccessRoleSourceItem[];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
export type AccessDecisionProvenanceItem = {
|
||||||
|
kind: string;
|
||||||
|
id?: string | null;
|
||||||
|
label?: string | null;
|
||||||
|
tenant_id?: string | null;
|
||||||
|
source?: string | null;
|
||||||
|
details: Record<string, unknown>;
|
||||||
|
};
|
||||||
|
|
||||||
export type FunctionFactExplanationItem = {
|
export type FunctionFactExplanationItem = {
|
||||||
source_module: string;
|
source_module: string;
|
||||||
assignment_id: string;
|
assignment_id: string;
|
||||||
@@ -158,6 +167,14 @@ export type UserAccessExplanationResponse = {
|
|||||||
function_facts: FunctionFactExplanationItem[];
|
function_facts: FunctionFactExplanationItem[];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
export type ResourceAccessExplanationResponse = {
|
||||||
|
user: UserAdminItem;
|
||||||
|
resource_type: string;
|
||||||
|
resource_id: string;
|
||||||
|
action: string;
|
||||||
|
provenance: AccessDecisionProvenanceItem[];
|
||||||
|
};
|
||||||
|
|
||||||
export type SystemAccountItem = {
|
export type SystemAccountItem = {
|
||||||
account_id: string;
|
account_id: string;
|
||||||
email: string;
|
email: string;
|
||||||
@@ -463,6 +480,20 @@ export function fetchUserAccessExplanation(settings: ApiSettings, userId: string
|
|||||||
return apiFetch(settings, `/api/v1/admin/users/${userId}/access-explanation`);
|
return apiFetch(settings, `/api/v1/admin/users/${userId}/access-explanation`);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
export function fetchResourceAccessExplanation(
|
||||||
|
settings: ApiSettings,
|
||||||
|
options: { userId: string; resourceType: string; resourceId: string; action: string; tenantId?: string | null }
|
||||||
|
): Promise<ResourceAccessExplanationResponse> {
|
||||||
|
const params = new URLSearchParams({
|
||||||
|
user_id: options.userId,
|
||||||
|
resource_type: options.resourceType,
|
||||||
|
resource_id: options.resourceId,
|
||||||
|
action: options.action
|
||||||
|
});
|
||||||
|
if (options.tenantId) params.set("tenant_id", options.tenantId);
|
||||||
|
return apiFetch(settings, `/api/v1/admin/access/resource-explanation?${params.toString()}`);
|
||||||
|
}
|
||||||
|
|
||||||
export async function fetchGroups(settings: ApiSettings): Promise<GroupSummary[]> {
|
export async function fetchGroups(settings: ApiSettings): Promise<GroupSummary[]> {
|
||||||
const response = await apiFetch<{ groups: GroupSummary[] }>(settings, "/api/v1/admin/groups");
|
const response = await apiFetch<{ groups: GroupSummary[] }>(settings, "/api/v1/admin/groups");
|
||||||
return response.groups;
|
return response.groups;
|
||||||
|
|||||||
Reference in New Issue
Block a user