Initial rule rework

Mathias BIGAIGNON · Mathias BIGAIGNON · commit a49e412dc509 · 2025-03-03T18:04:37.000+01:00
diff --git a/entitled/client.py b/entitled/client.py
@@ -18,34 +18,34 @@ def __init__(self, base_path: str | None = None):
             self._load_path = pathlib.Path(base_path)
             self.load_policies_from_path(self._load_path)
 
-    def authorize(
+    async def authorize(
         self,
         action: str,
         actor: Any,
         resource: Any,
         context: dict[str, Any] | None = None,
     ) -> bool:
         policy = self._policy_lookup(resource)
-        return policy.authorize(action, actor, resource, context)
+        return await policy.authorize(action, actor, resource, context)
 
-    def allows(
+    async def allows(
         self,
         action: str,
         actor: Any,
         resource: Any,
         context: dict[str, Any] | None = None,
     ) -> bool:
         policy = self._policy_lookup(resource)
-        return policy.allows(action, actor, resource, context)
+        return await policy.allows(action, actor, resource, context)
 
-    def grants(
+    async def grants(
         self,
         actor: Any,
         resource: Any,
         context: dict[str, Any] | None = None,
     ) -> dict[str, bool]:
         policy = self._policy_lookup(resource)
-        return policy.grants(actor, resource, context)
+        return await policy.grants(actor, resource, context)
 
     def register(self, policy: policies.Policy[Any]):
         if hasattr(policy, "__orig_class__"):
diff --git a/entitled/policies.py b/entitled/policies.py
@@ -1,5 +1,7 @@
 """Grouping of authorization rules around a particular resource type"""
 
+import asyncio
+
 from typing import Any, Callable, Generic, TypeVar
 
 from entitled import exceptions
@@ -43,27 +45,27 @@ def __register(self, action: str, *rules: Rule[T]):
         if action not in self._registry:
             self._registry[action] = [*rules]
 
-    def grants(
+    async def grants(
         self, actor: Any, resource: T | type[T], context: dict[str, Any] | None = None
     ) -> dict[str, bool]:
         return {
-            action: self.allows(action, actor, resource, context)
+            action: await self.allows(action, actor, resource, context)
             for action in self._registry
         }
 
-    def allows(
+    async def allows(
         self,
         action: str,
         actor: Any,
         resource: T | type[T],
         context: dict[str, Any] | None = None,
     ) -> bool:
         try:
-            return self.authorize(action, actor, resource, context)
+            return await self.authorize(action, actor, resource, context)
         except exceptions.AuthorizationException:
             return False
 
-    def authorize(
+    async def authorize(
         self,
         action: str,
         actor: Any,
@@ -75,7 +77,13 @@ def authorize(
                 f"Action <{action}> undefined for this policy"
             )
 
-        if not any(rule(actor, resource, context) for rule in self._registry[action]):
+        if not any(
+            (
+                await asyncio.gather(
+                    *(rule(actor, resource, context) for rule in self._registry[action])
+                )
+            )
+        ):
             raise exceptions.AuthorizationException("Unauthorized")
 
         return True
diff --git a/entitled/rules.py b/entitled/rules.py
@@ -7,14 +7,15 @@
 Actors represents any entity that, in an application, can act upon a resource.
 """
 
-from typing import Any, Callable, ClassVar, Generic, Protocol, TypeVar
+import inspect
+from typing import Any, Callable, ClassVar, Generic, Protocol, TypeVar, cast
 
 from entitled import exceptions
 
 Resource = TypeVar("Resource", contravariant=True)
 
 
-class RuleProtocol(Protocol[Resource]):
+class SyncRule(Protocol[Resource]):
     """Defines valid functions for rules"""
 
     def __call__(
@@ -25,6 +26,34 @@ def __call__(
     ) -> bool: ...
 
 
+class AsyncRule(Protocol[Resource]):
+    """Defines valid functions for rules"""
+
+    async def __call__(
+        self,
+        actor: Any,
+        resource: Resource | type[Resource],
+        context: dict[str, Any] | None = None,
+    ) -> bool: ...
+
+
+RuleProtocol = SyncRule[Resource] | AsyncRule[Resource]
+
+
+async def handle_rule(
+    func: AsyncRule[Resource] | SyncRule[Resource],
+    actor: Any,
+    resource: Resource | type[Resource],
+    context: dict[str, Any] | None = None,
+):
+    if inspect.iscoroutinefunction(func):
+        fn = cast(AsyncRule[Resource], func)
+        return await fn(actor, resource, context)
+    else:
+        fn = cast(SyncRule[Resource], func)
+        return fn(actor, resource, context)
+
+
 class Rule(Generic[Resource]):
     """Base class for rules
 
@@ -55,33 +84,33 @@ def __register(self) -> None:
 
         Rule._registry[self.name] = self
 
-    def __call__(
+    async def __call__(
         self,
         actor: Any,
         resource: Resource | type[Resource],
         context: dict[str, Any] | None = None,
     ) -> bool:
         if not context:
             context = {}
-        return self.rule(actor, resource, context)
+        return await handle_rule(self.rule, actor, resource, context)
 
-    def authorize(
+    async def authorize(
         self,
         actor: Any,
         resource: Resource | type[Resource],
         context: dict[str, Any] | None = None,
     ) -> bool:
-        if not self(actor, resource, context):
+        if not await self(actor, resource, context):
             raise exceptions.AuthorizationException("Unauthorized")
         return True
 
-    def allows(
+    async def allows(
         self,
         actor: Any,
         resource: Resource | type[Resource],
         context: dict[str, Any] | None = None,
     ) -> bool:
-        return self(actor, resource, context)
+        return await self(actor, resource, context)
 
 
 def rule(name: str) -> Callable[[RuleProtocol[Resource]], RuleProtocol[Resource]]:
diff --git a/entitled/rulesv1.py b/entitled/rulesv1.py
@@ -0,0 +1,64 @@
+from typing import Any, ClassVar, Protocol, TypeVar
+
+
+Actor = TypeVar("Actor", contravariant=True)
+
+
+class RuleProto(Protocol[Actor]):
+    async def __call__(self, actor: Actor, *args: Any, **kwargs: Any) -> bool: ...
+
+
+class Rule[Actor]:
+    _registry: ClassVar[dict[str, RuleProto[Any]]] = {}
+    _before_callback: RuleProto[Any] | None = None
+
+    @classmethod
+    def define(cls, name: str, closure: RuleProto[Actor]) -> None:
+        cls._registry[name] = closure
+
+    @classmethod
+    def before(cls, rule: RuleProto[Actor] | None):
+        cls._before_callback = rule
+
+    @classmethod
+    async def allows(
+        cls,
+        name: str,
+        actor: Actor,
+        *args: Any,
+        **kwargs: Any,
+    ) -> bool:
+        if name in cls._registry:
+            return await cls._registry[name](actor, args, kwargs)
+
+        return False
+
+    @classmethod
+    async def denies(
+        cls,
+        name: str,
+        actor: Actor,
+        *args: Any,
+        **kwargs: Any,
+    ) -> bool:
+        return not await cls.allows(name, actor)
+
+    @classmethod
+    async def any(
+        cls,
+        names: list[str],
+        actor: Actor,
+        *args: Any,
+        **kwargs: Any,
+    ) -> bool:
+        return any([await cls.allows(name, actor, args, kwargs) for name in names])
+
+    @classmethod
+    async def none(
+        cls,
+        names: list[str],
+        actor: Actor,
+        *args: Any,
+        **kwargs: Any,
+    ) -> bool:
+        return not await cls.any(names, actor, args, kwargs)
diff --git a/tests/fixtures/policies.py b/tests/fixtures/policies.py
@@ -1,27 +1,44 @@
+from typing import Any
 from entitled.policies import Policy
 from tests.fixtures.models import Resource, Tenant, User
 
 tenant_policy = Policy[Tenant]("tenant")
 
 
 @tenant_policy.rule("member")
-def is_member(actor: User, resource: Tenant, context: dict | None = None) -> bool:
+def is_member(
+    actor: User,
+    resource: Tenant | type[Tenant],
+    context: dict[str, Any] | None = None,
+) -> bool:
     return actor.tenant == resource
 
 
 @tenant_policy.rule("admin_role")
-def has_admin_role(actor: User, resource: Tenant, context: dict | None = None) -> bool:
+def has_admin_role(
+    actor: User,
+    resource: Tenant | type[Tenant],
+    context: dict[str, Any] | None = None,
+) -> bool:
     return is_member(actor, resource) and "admin" in actor.roles
 
 
 resource_policy = Policy[Resource]("node")
 
 
 @resource_policy.rule("edit")
-def can_edit(actor: User, resource: Resource, context: dict | None = None) -> bool:
-    return resource.owner == actor or has_admin_role(actor, resource.tenant)
+def can_edit(
+    actor: User,
+    resource: Resource | type[Resource],
+    context: dict[str, Any] | None = None,
+) -> bool:
+    return has_admin_role(actor, resource.tenant) or resource.owner == actor
 
 
 @resource_policy.rule("view")
-def can_view(actor: User, resource: Resource, context: dict | None = None) -> bool:
+def can_view(
+    actor: User,
+    resource: Resource | type[Resource],
+    context: dict[str, Any] | None = None,
+) -> bool:
     return is_member(actor, resource.tenant)
