Merge pull request #5 from TaskarCenterAtUW/authorizer_implementation

Authorizer Impementation

Author: sujata-m

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Change log
 
+### 0.0.8
+- Authorization methods included
+- Simulated and Hosted Authorizers implemented
+- Examples written for both
+- Readme updated appropriately.
+
+
 ### 0.0.7
 - Fixed configuration issues
 - Fixed all the review comments

README.md

@@ -188,3 +188,85 @@ test_file = container.create_file('text.txt', 'text/plain')
 test_file.upload(file_like_io.read())
 ```
 
+## Authorization
+
+Core offers a simple way of verifying the authorization of a user and their role.
+
+Checking the permission involves three steps
+1. Preparing a permission request object
+2. Getting an authorizer object from core
+3. Requesting if the permission is valid/true
+
+### Preparing the permission request
+
+```python
+from python_ms_core.core.auth.models.permission_request import PermissionRequest
+
+permission_request = PermissionRequest(
+    user_id='<userID>',
+    org_id='<orgID>',
+    should_satisfy_all=False,
+    permissions=['permission1', 'permission2']
+)
+
+```
+
+In the above example, `should_satisfy_all` helps in figuring out if all the permissions are needed or any one of the permission is sufficient.
+
+### Getting the authorizer from core
+
+Core exposes `get_authorizer` method with 2 parameters
+
+1. `request_params` parameter which is instance of `PermissionRequest` class (Mandatory Parameter).
+2. `config` parameter (Optional)
+
+There are two types of `Authorizer` objects in core. 
+1. HostedAuthorizer: checks the permissions against a hosted API
+2. SimulatedAuthorizer: makes a simulated authorizer used for local/non-hosted environment.
+
+The following code demonstrates getting the simulated and hosted authorizer
+```python
+from python_ms_core import Core
+core = Core()
+# HostedAuthorizer 
+
+hosted_authorizer = core.get_authorizer(config={'provider': 'Hosted', 'api_url': '<AUTH_API_URL>'})
+
+simulated_authorizer = core.get_authorizer(config={'provider': 'Simulated'})
+
+```
+In case `api_url` is not provided for `Hosted` auth provider, the core will pick it up from environment variable `AUTHURL`
+
+#### Requesting if certain permission is valid:
+
+Use the method `has_ermission(request_params)` to know if the permission request is valid/not.
+
+```python
+
+# Complete Example
+from python_ms_core import Core
+from python_ms_core.core.auth.models.permission_request import PermissionRequest
+
+core = Core()
+
+
+permission_request = PermissionRequest(
+    user_id='<userID>',
+    org_id='<orgID>',
+    should_satisfy_all=False,
+    permissions=['permission1', 'permission2']
+)
+
+# With Hosted provider
+auth_provider = core.get_authorizer(config={'provider': 'Hosted', 'api_url': '<AUTH_API_URL>'})
+response = auth_provider.has_permission(request_params=permission_request)
+# Response will be boolean
+
+# With Simulated provider
+auth_provider = core.get_authorizer(config={'provider': 'Simulated'})
+response = auth_provider.has_permission(request_params=permission_request)
+# Response will be boolean
+```
+
+#### How does Simulated authentication work?
+With simulated authentication, the method `has_permission` simply returns the value given in `should_satisfy_all` property in the permission request.

freeze_version.py

@@ -11,7 +11,7 @@
 
 build_date = date.today().strftime('%Y-%m-%d')
 
-version = '0.0.7'
+version = '0.0.8'
 
 with open(version_file_path, 'w+') as version_file:
     version_file.write("version = '{}'\n".format(version))

src/example.py

@@ -9,6 +9,7 @@
 
 from python_ms_core import Core
 from python_ms_core.core.queue.models.queue_message import QueueMessage
+from python_ms_core.core.auth.models.permission_request import PermissionRequest
 
 core = Core(config='Local')
 print('Hello')
@@ -74,6 +75,19 @@ def process(message):
 publish_messages(topic)
 time.sleep(2)
 
-# logger = core.get_logger()
-# logger.record_metric(name='test', value='test')
+permission_params = PermissionRequest(
+    user_id='7961d767-a352-464f-95b6-cd1c5189a93c',
+    org_id='5e339544-3b12-40a5-8acd-78c66d1fa981',
+    should_satisfy_all=False,
+    permissions=['poc']
+)
+
+try:
+    auth = core.get_authorizer()
+    resp = auth.has_permission(request_params=permission_params)
+    print(resp)
+except Exception as e:
+    print(f'Request failed with Code: {e.status_code}, Message: {e.message}')
+    print()
+
 os._exit(os.EX_OK)

src/python_ms_core/__init__.py

@@ -5,10 +5,14 @@
 from .core.topic.local_topic import LocalTopic
 from .core.storage.providers.azure.azure_storage_client import AzureStorageClient
 from .core.storage.providers.local.local_storage_client import LocalStorageClient
-from .core.config.config import CoreConfig, LocalConfig
+from .core.auth.provider.hosted.hosted_authorizer import HostedAuthorizer
+from .core.auth.provider.simulated.simulated_authorizer import SimulatedAuthorizer
+from .core.config.config import CoreConfig, LocalConfig, AuthConfig
 
 LOCAL_ENV = 'LOCAL'
 AZURE_ENV = 'AZURE'
+HOSTED_ENV = 'HOSTED'
+SIMULATED_ENV = 'SIMULATED'
 
 
 class Core:
@@ -26,7 +30,7 @@ def get_logger(self):
         elif logger_config.provider.upper() == AZURE_ENV:
             return Logger(config=logger_config)
         else:
-            logging.error(f'Unimplemented initialization for core {logger_config.provider}')
+            logging.error(f'Failed to initialization core.get_logger for provider: {logger_config.provider}')
 
     def get_topic(self, topic_name: str):
         topic_config = self.config.topic()
@@ -35,7 +39,7 @@ def get_topic(self, topic_name: str):
         elif topic_config.provider.upper() == AZURE_ENV:
             return Topic(config=topic_config, topic_name=topic_name)
         else:
-            logging.error(f'Unimplemented initialization for core {topic_config.provider}')
+            logging.error(f'Failed to  initialization core.get_topic for provider: {topic_config.provider}')
 
     def get_storage_client(self):
         storage_config = self.config.storage()
@@ -44,7 +48,21 @@ def get_storage_client(self):
         elif storage_config.provider.upper() == AZURE_ENV:
             return AzureStorageClient(storage_config)
         else:
-            logging.error(f'Unimplemented initialization for core {storage_config.provider}')
+            logging.error(f'Failed to  initialization core.get_storage_client for provider: {storage_config.provider}')
+
+    def get_authorizer(self, config: dict = None):
+        if config is None:
+            auth_config = self.config.auth()
+        else:
+            provider = config.get('provider', None)
+            api_url = config.get('api_url', None)
+            auth_config = AuthConfig(provider=provider, auth_url=api_url)
+        if auth_config.provider.upper() == SIMULATED_ENV:
+            return SimulatedAuthorizer(config=auth_config)
+        elif auth_config.provider.upper() == HOSTED_ENV:
+            return HostedAuthorizer(config=auth_config)
+        else:
+            logging.error(f'Failed to  initialization core.get_authorizer for provider: {auth_config.provider}')
 
     def __check_health(self):
         print('\x1b[32m ------------------------- \x1b[0m')

src/python_ms_core/core/auth/abstracts/authorizer_abstract.py

@@ -0,0 +1,11 @@
+from abc import ABC, abstractmethod
+from ..models.permission_request import PermissionRequest
+
+
+class AuthorizerAbstract(ABC):
+
+    @abstractmethod
+    def __init__(self, config=None): pass
+
+    @abstractmethod
+    def has_permission(self, request_params: PermissionRequest): pass

src/python_ms_core/core/auth/models/permission_request.py

@@ -0,0 +1,60 @@
+from typing import Optional
+from dataclasses import dataclass
+
+
+@dataclass
+class PermissionRequest:
+    user_id: str
+    org_id: str
+    permissions: Optional[str] = None
+    should_satisfy_all: bool = False
+
+    def __init__(self, user_id: str, org_id: str, permissions: Optional[str] = None, should_satisfy_all: bool = False):
+        self._user_id = user_id
+        self._org_id = org_id
+        self._permissions = permissions
+        self._should_satisfy_all = should_satisfy_all
+
+    @property
+    def user_id(self):
+        return self._user_id
+
+    @user_id.setter
+    def user_id(self, value):
+        self._user_id = value
+
+    @property
+    def org_id(self):
+        return self._org_id
+
+    @org_id.setter
+    def org_id(self, value):
+        self._org_id = value
+
+    @property
+    def permissions(self):
+        return self._permissions
+
+    @permissions.setter
+    def permissions(self, value):
+        self._permissions = value
+
+    @property
+    def should_satisfy_all(self):
+        return self._should_satisfy_all
+
+    @should_satisfy_all.setter
+    def should_satisfy_all(self, value):
+        self._should_satisfy_all = value
+
+    def get_search_params(self):
+        affirmative = 'true' if self._should_satisfy_all else 'false'
+        params = {
+            'userId': self._user_id,
+            'agencyId': self._org_id,
+            'affirmative': affirmative
+        }
+        if self._permissions and len(self._permissions) > 0:
+            params['roles'] = self._permissions
+        return params
+

src/python_ms_core/core/auth/provider/hosted/hosted_authorizer.py

@@ -0,0 +1,24 @@
+import requests
+from requests.models import PreparedRequest
+from ...abstracts.authorizer_abstract import AuthorizerAbstract
+from ...models.permission_request import PermissionRequest
+from ....resource_errors import ExceptionHandler
+
+
+class HostedAuthorizer(AuthorizerAbstract):
+    def __init__(self, config=None):
+        self.config = config
+
+    @ExceptionHandler.decorated
+    def has_permission(self, request_params: PermissionRequest):
+        if request_params.permissions and len(request_params.permissions) > 0:
+            url = self.config.auth_url or None
+            if url:
+                req = PreparedRequest()
+                req.prepare_url(url, request_params.get_search_params())
+                response = requests.get(req.url)
+                return response.json()
+            else:
+                raise ValueError('No API url provided')
+        else:
+            raise ValueError('No roles provided')

src/python_ms_core/core/auth/provider/simulated/simulated_authorizer.py

@@ -0,0 +1,12 @@
+from ...abstracts.authorizer_abstract import AuthorizerAbstract
+from ...models.permission_request import PermissionRequest
+from ....resource_errors import ExceptionHandler
+
+
+class SimulatedAuthorizer(AuthorizerAbstract):
+    def __init__(self, config=None):
+        self.config = config
+
+    @ExceptionHandler.decorated
+    def has_permission(self, request_params: PermissionRequest):
+        return request_params.should_satisfy_all

src/python_ms_core/core/config/config.py

@@ -30,13 +30,20 @@ def __init__(self, provider: str, con_string: str):
         self.connection_string = con_string
 
 
+class AuthConfig:
+    def __init__(self, provider: str, auth_url: str = None):
+        self.provider = provider
+        self.auth_url = auth_url
+
+
 class CoreConfig:
     def __init__(self):
         self.provider = os.environ.get('PROVIDER', 'Azure')
         self.queue_connection = os.environ.get('QUEUECONNECTION', None)
         self.queue_name = os.environ.get('LOGGERQUEUE', 'tdei-ms-log')
         self.topic_connection = os.environ.get('QUEUECONNECTION', None)
         self.storage_connection = os.environ.get('STORAGECONNECTION', None)
+        self.auth_url = os.environ.get('AUTHURL', None)
 
     def logger(self):
         return LogerConfig(
@@ -64,6 +71,12 @@ def storage(self):
             con_string=self.storage_connection
         )
 
+    def auth(self):
+        return AuthConfig(
+            provider='Hosted',
+            auth_url=self.auth_url
+        )
+
 
 class LocalConfig:
     def __init__(self):
@@ -98,3 +111,8 @@ def storage(self):
             provider=self.provider,
             con_string=self.storage_connection
         )
+
+    def auth(self):
+        return AuthConfig(
+            provider='Simulated'
+        )