Authorization backend changes

Author: sumesh-aot

forms-flow-api/entrypoint

@@ -1,2 +1,4 @@
-#!/bin/bash
-python manage.py db upgrade && gunicorn -b :5000 'formsflow_api:create_app()' --timeout 120 --worker-class=gthread --workers=5 --threads=10
+echo 'starting application'
+export FLASK_APP=manage.py
+flask db upgrade
+gunicorn -b :5000 'formsflow_api:create_app()' --timeout 120 --worker-class=gthread --workers=5 --threads=10

forms-flow-api/manage.py

@@ -2,21 +2,19 @@
 
 import logging
 
-from flask_migrate import Migrate, MigrateCommand
-from flask_script import Manager
+from flask_migrate import Migrate
 
 # models included so that migrate can build the database migrations
 from formsflow_api import models  # noqa: F401 # pylint: disable=unused-import
 from formsflow_api import create_app
 from formsflow_api.models import db
-
+from flask.cli import FlaskGroup
 
 APP = create_app()
-MIGRATE = Migrate(APP, db)
-MANAGER = Manager(APP)
+cli = FlaskGroup(APP)
 
-MANAGER.add_command('db', MigrateCommand)
+MIGRATE = Migrate(APP, db)
 
 if __name__ == '__main__':
     logging.log(logging.INFO, 'Running the Manager')
-    MANAGER.run()
+    cli()

forms-flow-api/migrations/versions/ddd2ec3a72f2_authorization.py

@@ -0,0 +1,47 @@
+"""authorization
+
+Revision ID: ddd2ec3a72f2
+Revises: 696557aef580
+Create Date: 2022-08-15 11:15:24.929985
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = 'ddd2ec3a72f2'
+down_revision = '696557aef580'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('authorization',
+    sa.Column('created', sa.DateTime(), nullable=False),
+    sa.Column('modified', sa.DateTime(), nullable=True),
+    sa.Column('created_by', sa.String(), nullable=False),
+    sa.Column('modified_by', sa.String(), nullable=True),
+    sa.Column('id', sa.Integer(), nullable=False, comment='Authorization ID'),
+    sa.Column('tenant', sa.String(), nullable=True, comment='Tenant key'),
+    sa.Column('auth_type', postgresql.ENUM('DASHBOARD', 'FORM', 'FILTER', name='authtype'), nullable=False, comment='Auth Type'),
+    sa.Column('resource_id', sa.String(), nullable=False, comment='Resource identifier'),
+    sa.Column('resource_details', sa.JSON(), nullable=True, comment='Resource details'),
+    sa.Column('roles', postgresql.ARRAY(sa.String()), nullable=True, comment='Applicable roles'),
+    sa.Column('user_name', sa.String(), nullable=True, comment='Applicable user'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_authorization_auth_type'), 'authorization', ['auth_type'], unique=False)
+    op.create_index(op.f('ix_authorization_resource_id'), 'authorization', ['resource_id'], unique=False)
+    op.drop_column('application', 'form_url')
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('application', sa.Column('form_url', sa.VARCHAR(length=500), autoincrement=False, nullable=True))
+    op.drop_index(op.f('ix_authorization_resource_id'), table_name='authorization')
+    op.drop_index(op.f('ix_authorization_auth_type'), table_name='authorization')
+    op.drop_table('authorization')
+    # ### end Alembic commands ###

forms-flow-api/requirements.txt

@@ -1,41 +1,43 @@
-Flask-Caching==1.10.1
-Flask-Migrate==2.5.2
+Flask-Caching==2.0.1
+Flask-Migrate==3.1.0
+Flask-Moment==1.0.4
 Flask-SQLAlchemy==2.5.1
-Flask-Script==2.0.6
-Flask==1.1.4
-Jinja2==2.11.3
-Mako==1.1.6
-MarkupSafe==2.0.1
-SQLAlchemy-Utils==0.38.2
-SQLAlchemy==1.4.31
-Werkzeug==1.0.1
-alembic==1.7.6
+Flask==2.1.3
+Jinja2==3.1.2
+Mako==1.2.1
+MarkupSafe==2.1.1
+PyJWT==2.4.0
+SQLAlchemy-Utils==0.38.3
+SQLAlchemy==1.4.40
+Werkzeug==2.1.2
+alembic==1.8.1
 aniso8601==9.0.1
-attrs==21.4.0
-cachelib==0.6.0
-certifi==2021.10.8
-charset-normalizer==2.0.12
-click==7.1.2
-ecdsa==0.17.0
+attrs==22.1.0
+cachelib==0.9.0
+certifi==2022.6.15
+charset-normalizer==2.1.0
+click==8.1.3
+ecdsa==0.18.0
 flask-jwt-oidc==0.3.0
 flask-marshmallow==0.14.0
 flask-restx==0.5.1
 gunicorn==20.1.0
 idna==3.3
-itsdangerous==1.1.0
-jsonschema==4.4.0
-marshmallow-sqlalchemy==0.27.0
-marshmallow==3.14.1
+importlib-metadata==4.12.0
+itsdangerous==2.1.2
+jsonschema==4.9.1
+marshmallow-sqlalchemy==0.28.1
+marshmallow==3.17.0
+packaging==21.3
 psycopg2-binary==2.9.3
 pyasn1==0.4.8
+pyparsing==3.0.9
 pyrsistent==0.18.1
-python-dotenv==0.19.2
+python-dotenv==0.20.0
 python-jose==3.3.0
-pytz==2021.3
-requests==2.27.1
-rsa==4.8
+pytz==2022.2.1
+requests==2.28.1
+rsa==4.9
 six==1.16.0
-urllib3==1.26.8
-PyJWT==2.4.0
-selenium==3.141.0
-selenium-wire==3.0.0
+urllib3==1.26.11
+zipp==3.8.1

forms-flow-api/requirements/dev.txt

@@ -1,11 +1,11 @@
 -r prod.txt
 autopep8
-black==21.12b0
+black
 flake8
 flake8-blind-except
 flake8-debugger
 flake8-docstrings
-flake8-isort==4.1.1
+flake8-isort
 flake8-polyfill
 flake8-quotes
 lovely-pytest-docker

forms-flow-api/requirements/prod.txt

@@ -1,8 +1,8 @@
 gunicorn
-Flask<2
+Flask
 Flask-Caching
-Flask-Migrate==2.5.2
-Flask-Script<3
+Flask-Migrate
+Flask-Moment
 Flask-SQLAlchemy
 flask-restx
 flask-marshmallow
@@ -11,7 +11,7 @@ python-dotenv
 psycopg2-binary
 marshmallow-sqlalchemy
 requests
-Werkzeug
+Werkzeug==2.1.2 # Watch out updates on https://github.com/python-restx/flask-restx/issues/460
 sqlalchemy_utils
-markupsafe==2.0.1
-PyJWT==2.4.0
+markupsafe
+PyJWT

forms-flow-api/src/formsflow_api/models/__init__.py

@@ -2,6 +2,7 @@
 
 from .application import Application
 from .application_history import ApplicationHistory
+from .authorization import Authorization, AuthType
 from .base_model import BaseModel
 from .db import db, ma
 from .draft import Draft
@@ -15,4 +16,6 @@
     "BaseModel",
     "FormProcessMapper",
     "Draft",
+    "AuthType",
+    "Authorization",
 ]

forms-flow-api/src/formsflow_api/models/authorization.py

@@ -0,0 +1,120 @@
+"""This manages Authorization Data."""
+
+from __future__ import annotations
+
+from enum import Enum, unique
+from typing import List, Optional
+
+from sqlalchemy import JSON, or_
+from sqlalchemy.dialects.postgresql import ARRAY, ENUM
+
+from .audit_mixin import AuditDateTimeMixin, AuditUserMixin
+from .base_model import BaseModel
+from .db import db
+
+
+@unique
+class AuthType(Enum):
+    """Admin type enum."""
+
+    DASHBOARD = "DASHBOARD"
+    FORM = "FORM"
+    FILTER = "FILTER"
+
+    def __str__(self):
+        """To string value."""
+        return self.value
+
+
+class Authorization(AuditDateTimeMixin, AuditUserMixin, BaseModel, db.Model):
+    """This class manages authorization."""
+
+    id = db.Column(db.Integer, primary_key=True, comment="Authorization ID")
+    tenant = db.Column(db.String, nullable=True, comment="Tenant key")
+    auth_type = db.Column(
+        ENUM(AuthType), nullable=False, index=True, comment="Auth Type"
+    )
+    resource_id = db.Column(
+        db.String, nullable=False, index=True, comment="Resource identifier"
+    )
+    resource_details = db.Column(JSON, nullable=True, comment="Resource details")
+    roles = db.Column(ARRAY(db.String), nullable=True, comment="Applicable roles")
+    user_name = db.Column(db.String, nullable=True, comment="Applicable user")
+
+    @classmethod
+    def find_user_authorizations(
+        cls,
+        auth_type: AuthType,
+        roles: List[str] = None,
+        user_name: str = None,
+        tenant: str = None,
+    ) -> List[Authorization]:
+        """Find authorizations."""
+        query = cls._auth_query(auth_type, roles, tenant, user_name)
+        return query.all()
+
+    @classmethod
+    def find_all_authorizations(
+        cls, auth_type: AuthType, tenant: str = None
+    ) -> List[Authorization]:
+        """Find authorizations."""
+        query = cls.query.filter(Authorization.auth_type == auth_type)
+
+        if tenant:
+            query = query.filter(Authorization.tenant == tenant)
+        return query.all()
+
+    @classmethod
+    def _auth_query(cls, auth_type, roles, tenant, user_name):
+        role_condition = [Authorization.roles.contains([role]) for role in roles]
+        query = (
+            cls.query.filter(Authorization.auth_type == auth_type)
+            .filter(or_(*role_condition))
+            .filter(
+                or_(
+                    Authorization.user_name.is_(None),
+                    Authorization.user_name == user_name,
+                )
+            )
+        )
+
+        if tenant:
+            query = query.filter(Authorization.tenant == tenant)
+        return query
+
+    @classmethod
+    def find_resource_authorization(  # pylint: disable=too-many-arguments
+        cls,
+        auth_type: AuthType,
+        resource_id: str,
+        roles: List[str] = None,
+        user_name: str = None,
+        tenant: str = None,
+    ) -> List[Authorization]:
+        """Find resource authorization."""
+        query = cls._auth_query(auth_type, roles, tenant, user_name)
+        query = query.filter(Authorization.resource_id == str(resource_id))
+        return query.all()
+
+    @classmethod
+    def find_resource_by_id(
+        cls,
+        auth_type: AuthType,
+        resource_id: str,
+        user_name: str = None,
+        tenant: str = None,
+    ) -> Optional[Authorization]:
+        """Find resource authorization by id."""
+        query = (
+            cls.query.filter(Authorization.resource_id == str(resource_id))
+            .filter(Authorization.auth_type == auth_type)
+            .filter(
+                or_(
+                    Authorization.user_name.is_(None),
+                    Authorization.user_name == user_name,
+                )
+            )
+        )
+        if tenant:
+            query = query.filter(Authorization.tenant == tenant)
+        return query.one_or_none()

forms-flow-api/src/formsflow_api/models/draft.py

@@ -16,6 +16,7 @@
 )
 from formsflow_api.utils.enums import DraftStatus
 from formsflow_api.utils.user_context import UserContext, user_context
+
 from .application import Application
 from .audit_mixin import AuditDateTimeMixin
 from .base_model import BaseModel

forms-flow-api/src/formsflow_api/resources/__init__.py

@@ -12,6 +12,7 @@
 from formsflow_api.resources.application_history import (
     API as APPLICATION_HISTORY_API,
 )
+from formsflow_api.resources.authorization import API as AUTHORIZATION_API
 from formsflow_api.resources.checkpoint import API as CHECKPOINT_API
 from formsflow_api.resources.dashboards import API as DASHBOARDS_API
 from formsflow_api.resources.draft import API as DRAFT_API
@@ -73,3 +74,4 @@ def handle_auth_error(error: AuthError):
 API.add_namespace(KEYCLOAK_USER_API, path="/user")
 API.add_namespace(DRAFT_API, path="/draft")
 API.add_namespace(FORMIO_API, path="/formio")
+API.add_namespace(AUTHORIZATION_API, path="/authorizations")

forms-flow-api/src/formsflow_api/resources/authorization.py

@@ -0,0 +1,50 @@
+"""Resource to get Dashboard APIs from redash."""
+from http import HTTPStatus
+
+from flask import request
+from flask_restx import Namespace, Resource
+
+from formsflow_api.services import AuthorizationService
+from formsflow_api.utils import auth, cors_preflight, profiletime
+
+API = Namespace("authorization", description="Authorization APIs")
+auth_service = AuthorizationService()
+
+
+@cors_preflight("GET, POST, OPTIONS")
+@API.route("/<string:auth_type>", methods=["GET", "POST", "OPTIONS"])
+class AuthorizationList(Resource):
+    """Resource to fetch Authorization List and cerate authorization."""
+
+    @staticmethod
+    @API.doc("list_authorization")
+    @auth.require
+    @profiletime
+    def get(auth_type: str):
+        """List all authorization."""
+        return auth_service.get_authorizations(auth_type.upper()), HTTPStatus.OK
+
+    @staticmethod
+    @API.doc("list_authorization")
+    @auth.require
+    @profiletime
+    def post(auth_type: str):
+        """Create authorization."""
+        return (
+            auth_service.create_authorization(auth_type.upper(), request.get_json()),
+            HTTPStatus.OK,
+        )
+
+
+@cors_preflight("GET, POST, OPTIONS")
+@API.route("/users/<string:auth_type>", methods=["GET", "POST", "OPTIONS"])
+class UserAuthorizationList(Resource):
+    """Resource to fetch Authorization List for the current user."""
+
+    @staticmethod
+    @API.doc("list_authorization")
+    @auth.require
+    @profiletime
+    def get(auth_type: str):
+        """List all authorization for the current user."""
+        return auth_service.get_user_authorizations(auth_type.upper()), HTTPStatus.OK