-
Notifications
You must be signed in to change notification settings - Fork 339
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #2584 from ohcnetwork/develop
- Loading branch information
Showing
34 changed files
with
588 additions
and
27 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,12 +1,15 @@ | ||
from datetime import timedelta | ||
|
||
from celery import shared_task | ||
from django.conf import settings | ||
from django.utils import timezone | ||
|
||
from care.facility.models.notification import Notification | ||
|
||
|
||
@shared_task | ||
def delete_old_notifications(): | ||
ninety_days_ago = timezone.now() - timedelta(days=90) | ||
Notification.objects.filter(created_date__lte=ninety_days_ago).delete() | ||
retention_days = settings.NOTIFICATION_RETENTION_DAYS | ||
|
||
threshold_date = timezone.now() - timedelta(days=retention_days) | ||
Notification.objects.filter(created_date__lte=threshold_date).delete() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
from django.apps import AppConfig | ||
from django.utils.translation import gettext_lazy as _ | ||
|
||
|
||
class SecurityConfig(AppConfig): | ||
name = "care.security" | ||
verbose_name = _("Security Management") | ||
|
||
def ready(self): | ||
# import care.security.signals # noqa F401 | ||
pass |
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
from care.security.permissions.base import PermissionController | ||
|
||
|
||
class PermissionDeniedError(Exception): | ||
pass | ||
|
||
|
||
class AuthorizationHandler: | ||
""" | ||
This is the base class for Authorization Handlers | ||
Authorization handler must define a list of actions that can be performed and define the methods that | ||
actually perform the authorization action. | ||
All Authz methods would be of the signature ( user, obj , **kwargs ) | ||
obj refers to the obj which the user is seeking permission to. obj can also be a string or any datatype as long | ||
as the logic can handle the type. | ||
Queries are actions that return a queryset as the response. | ||
""" | ||
|
||
actions = [] | ||
queries = [] | ||
|
||
def check_permission(self, user, obj): | ||
if not PermissionController.has_permission(user, obj): | ||
raise PermissionDeniedError | ||
|
||
return PermissionController.has_permission(user, obj) | ||
|
||
|
||
class AuthorizationController: | ||
""" | ||
This class abstracts all security related operations in care | ||
This includes Checking if A has access to resource X, | ||
Filtering query-sets for list based operations and so on. | ||
Security Controller implicitly caches all cachable operations and expects it to be invalidated. | ||
SecurityController maintains a list of override Classes, When present, | ||
The override classes are invoked first and then the predefined classes. | ||
The overridden classes can choose to call the next function in the hierarchy if needed. | ||
""" | ||
|
||
override_authz_controllers: list[ | ||
AuthorizationHandler | ||
] = [] # The order is important | ||
# Override Security Controllers will be defined from plugs | ||
internal_authz_controllers: list[AuthorizationHandler] = [] | ||
|
||
cache = {} | ||
|
||
@classmethod | ||
def build_cache(cls): | ||
for controller in ( | ||
cls.internal_authz_controllers + cls.override_authz_controllers | ||
): | ||
for action in controller.actions: | ||
if "actions" not in cls.cache: | ||
cls.cache["actions"] = {} | ||
cls.cache["actions"][action] = [ | ||
*cls.cache["actions"].get(action, []), | ||
controller, | ||
] | ||
|
||
@classmethod | ||
def get_action_controllers(cls, action): | ||
return cls.cache["actions"].get(action, []) | ||
|
||
@classmethod | ||
def check_action_permission(cls, action, user, obj): | ||
""" | ||
TODO: Add Caching and capability to remove cache at both user and obj level | ||
""" | ||
if not cls.cache: | ||
cls.build_cache() | ||
controllers = cls.get_action_controllers(action) | ||
for controller in controllers: | ||
permission_fn = getattr(controller, action) | ||
result, _continue = permission_fn(user, obj) | ||
if not _continue: | ||
return result | ||
if not result: | ||
return result | ||
return True | ||
|
||
@classmethod | ||
def register_internal_controller(cls, controller: AuthorizationHandler): | ||
# TODO : Do some deduplication Logic | ||
cls.internal_authz_controllers.append(controller) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
from care.abdm.utils.api_call import Facility | ||
from care.facility.models import FacilityUser | ||
from care.security.authorization.base import ( | ||
AuthorizationHandler, | ||
PermissionDeniedError, | ||
) | ||
|
||
|
||
class FacilityAccess(AuthorizationHandler): | ||
actions = ["can_read_facility"] | ||
queries = ["allowed_facilities"] | ||
|
||
def can_read_facility(self, user, facility_id): | ||
self.check_permission(user, facility_id) | ||
# Since the old method relied on a facility-user relationship, check that | ||
# This can be removed when the migrations have been completed | ||
if not FacilityUser.objects.filter(facility_id=facility_id, user=user).exists(): | ||
raise PermissionDeniedError | ||
return True, True | ||
|
||
def allowed_facilities(self, user): | ||
return Facility.objects.filter(users__id__exact=user.id) |
Empty file.
Empty file.
65 changes: 65 additions & 0 deletions
65
care/security/management/commands/sync_permissions_roles.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
from django.core.management import BaseCommand | ||
from django.db import transaction | ||
|
||
from care.security.models import PermissionModel, RoleModel, RolePermission | ||
from care.security.permissions.base import PermissionController | ||
from care.security.roles.role import RoleController | ||
from care.utils.lock import Lock | ||
|
||
|
||
class Command(BaseCommand): | ||
""" | ||
This command syncs roles, permissions and role-permission mapping to the database. | ||
This command should be run after all deployments and plug changes. | ||
This command is idempotent, multiple instances running the same command is automatically blocked with redis. | ||
""" | ||
|
||
help = "Syncs permissions and roles to database" | ||
|
||
def handle(self, *args, **options): | ||
permissions = PermissionController.get_permissions() | ||
roles = RoleController.get_roles() | ||
with transaction.atomic(), Lock("sync_permissions_roles", 900): | ||
# Create, update permissions and delete old permissions | ||
PermissionModel.objects.all().update(temp_deleted=True) | ||
for permission, metadata in permissions.items(): | ||
permission_obj = PermissionModel.objects.filter(slug=permission).first() | ||
if not permission_obj: | ||
permission_obj = PermissionModel(slug=permission) | ||
permission_obj.name = metadata.name | ||
permission_obj.description = metadata.description | ||
permission_obj.context = metadata.context.value | ||
permission_obj.temp_deleted = False | ||
permission_obj.save() | ||
PermissionModel.objects.filter(temp_deleted=True).delete() | ||
# Create, update roles and delete old roles | ||
RoleModel.objects.all().update(temp_deleted=True) | ||
for role in roles: | ||
role_obj = RoleModel.objects.filter( | ||
name=role.name, context=role.context.value | ||
).first() | ||
if not role_obj: | ||
role_obj = RoleModel(name=role.name, context=role.context.value) | ||
role_obj.description = role.description | ||
role_obj.is_system = True | ||
role_obj.temp_deleted = False | ||
role_obj.save() | ||
RoleModel.objects.filter(temp_deleted=True).delete() | ||
# Sync permissions to role | ||
RolePermission.objects.all().update(temp_deleted=True) | ||
role_cache = {} | ||
for permission, metadata in permissions.items(): | ||
permission_obj = PermissionModel.objects.filter(slug=permission).first() | ||
for role in metadata.roles: | ||
if role.name not in role_cache: | ||
role_cache[role.name] = RoleModel.objects.get(name=role.name) | ||
obj = RolePermission.objects.filter( | ||
role=role_cache[role.name], permission=permission_obj | ||
).first() | ||
if not obj: | ||
obj = RolePermission( | ||
role=role_cache[role.name], permission=permission_obj | ||
) | ||
obj.temp_deleted = False | ||
obj.save() | ||
RolePermission.objects.filter(temp_deleted=True).delete() |
Oops, something went wrong.