diff --git a/keyosk/database/__init__.py b/keyosk/database/__init__.py
index 92dd6ed..117e8b5 100644
--- a/keyosk/database/__init__.py
+++ b/keyosk/database/__init__.py
@@ -28,10 +28,10 @@ from keyosk import datatypes
 from keyosk.database._shared import INTERFACE as interface
 from keyosk.database._shared import KeyoskBaseModel
 from keyosk.database.account import KeyoskAccount
-from keyosk.database.account import KeyoskAccountScope
 from keyosk.database.domain import KeyoskDomain
-from keyosk.database.domain import KeyoskDomainAccessList
-from keyosk.database.domain import KeyoskDomainPermission
+from keyosk.database.domain_access_list import KeyoskDomainAccessList
+from keyosk.database.domain_permission import KeyoskDomainPermission
+from keyosk.database.scope import KeyoskAccountScope
 from keyosk.database.token import Token
diff --git a/keyosk/database/account.py b/keyosk/database/account.py
index 3f2999e..3d949e5 100644
--- a/keyosk/database/account.py
+++ b/keyosk/database/account.py
@@ -5,8 +5,6 @@ import json
 import peewee
 from keyosk.database._shared import KeyoskBaseModel
-from keyosk.database.domain import KeyoskDomainAccessList
-from keyosk.database.domain import KeyoskDomainPermission
 from keyosk.datatypes import Extras
@@ -48,42 +46,3 @@ class KeyoskAccount(KeyoskBaseModel):
     def __str__(self) -> str:
         return f"Account '{self.username}' ({self.uuid})"
-
-
-class KeyoskAccountScope(KeyoskBaseModel):
-    """Access control list entry model definition
-
-    :attribute account: Account the ACL entry applies to
-    :attribute access_list: The access list the entry is for
-    :attribute permission: The permission the entry is for
-    :attribute with_server_secret: Whether the permission should be applied when the
-                                   account authenticates with the account's
-                                   server-set-secret
-    :attribute with_client_secret: Whether the permission should be applied when the
-                                   account authenticates with the account's
-                                   client-set-secret
-
-    .. note:: Since permissions are by definition boolean, there is no need to store a
-              value parameter with an ACL entry: if an entry exists for a given account
-              for a given access list with a given permission, then that permission is
-              granted on that access list to that account; similarly, if one does not
-              exist then it is not granted.
-    """
-
-    class Meta: # pylint: disable=missing-docstring,too-few-public-methods
-        table_name = "account_scope"
-
-    account = peewee.ForeignKeyField(
-        KeyoskAccount, null=False, on_delete="CASCADE", backref="scopes"
-    )
-    access_list = peewee.ForeignKeyField(
-        KeyoskDomainAccessList, null=False, on_delete="CASCADE"
-    )
-    permission = peewee.ForeignKeyField(
-        KeyoskDomainPermission, null=False, on_delete="CASCADE"
-    )
-    with_server_secret = peewee.BooleanField(null=False)
-    with_client_secret = peewee.BooleanField(null=False)
-
-    def __str__(self):
-        return f"ACL {self.permission.name}@{self.access_list.name} (scope:{'+'.join([item for item in ['server' if self.with_server_secret else '', 'client' if self.with_client_secret else ''] if item])})"
diff --git a/keyosk/database/domain.py b/keyosk/database/domain.py
index 2937649..5ef86e3 100644
--- a/keyosk/database/domain.py
+++ b/keyosk/database/domain.py
@@ -74,23 +74,3 @@ class KeyoskDomain(KeyoskBaseModel):
     def __str__(self) -> str:
         return f"Domain '{self.name}' ({self.uuid})"
-
-
-class KeyoskDomainAccessList(KeyoskBaseModel):
-    class Meta: # pylint: disable=too-few-public-methods,missing-docstring
-        table_name = "domain_access_list"
-
-    domain = peewee.ForeignKeyField(
-        KeyoskDomain, null=False, on_delete="CASCADE", backref="access_lists"
-    )
-    name = peewee.CharField(null=False)
-
-
-class KeyoskDomainPermission(KeyoskBaseModel):
-    class Meta: # pylint: disable=too-few-public-methods,missing-docstring
-        table_name = "domain_permission"
-
-    domain = peewee.ForeignKeyField(
-        KeyoskDomain, null=False, on_delete="CASCADE", backref="permissions"
-    )
-    name = peewee.CharField(null=False)
diff --git a/keyosk/database/domain_access_list.py b/keyosk/database/domain_access_list.py
new file mode 100644
index 0000000..34d757a
--- /dev/null
+++ b/keyosk/database/domain_access_list.py
@@ -0,0 +1,14 @@
+import peewee
+
+from keyosk.database._shared import KeyoskBaseModel
+from keyosk.database.domain import KeyoskDomain
+
+
+class KeyoskDomainAccessList(KeyoskBaseModel):
+    class Meta: # pylint: disable=too-few-public-methods,missing-docstring
+        table_name = "domain_access_list"
+
+    domain = peewee.ForeignKeyField(
+        KeyoskDomain, null=False, on_delete="CASCADE", backref="access_lists"
+    )
+    name = peewee.CharField(null=False)
diff --git a/keyosk/database/domain_permission.py b/keyosk/database/domain_permission.py
new file mode 100644
index 0000000..ede7c61
--- /dev/null
+++ b/keyosk/database/domain_permission.py
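Review bot: `name = peewee.CharField(null=False)` on KeyoskDomainAccessList carries no uniqueness constraint within its domain, so two access lists with the same name can coexist under one KeyoskDomain and any lookup by name (the `access_list.name` that KeyoskAccountScope prints, for instance) becomes ambiguous. The same applies to `name` on KeyoskDomainPermission in the domain_permission.py hunk. If a name is meant to identify an entry within its domain, declare that on the model rather than in every caller: `indexes = ((("domain", "name"), True),)` inside `Meta`. Neither new module has a module or class docstring; a one-line class docstring such as `"""A named access list belonging to exactly one domain."""` would match the documented KeyoskAccountScope model.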
@@ -0,0 +1,14 @@
+import peewee
+
+from keyosk.database._shared import KeyoskBaseModel
+from keyosk.database.domain import KeyoskDomain
+
+
+class KeyoskDomainPermission(KeyoskBaseModel):
+    class Meta: # pylint: disable=too-few-public-methods,missing-docstring
+        table_name = "domain_permission"
+
+    domain = peewee.ForeignKeyField(
+        KeyoskDomain, null=False, on_delete="CASCADE", backref="permissions"
+    )
+    name = peewee.CharField(null=False)
diff --git a/keyosk/database/scope.py b/keyosk/database/scope.py
new file mode 100644
index 0000000..2028f3b
--- /dev/null
+++ b/keyosk/database/scope.py
@@ -0,0 +1,45 @@
+import peewee
+
+from keyosk.database._shared import KeyoskBaseModel
+from keyosk.database.account import KeyoskAccount
+from keyosk.database.domain_access_list import KeyoskDomainAccessList
+from keyosk.database.domain_permission import KeyoskDomainPermission
+
+
+class KeyoskAccountScope(KeyoskBaseModel):
+    """Access control list entry model definition
+
+    :attribute account: Account the ACL entry applies to
+    :attribute access_list: The access list the entry is for
+    :attribute permission: The permission the entry is for
+    :attribute with_server_secret: Whether the permission should be applied when the
+                                   account authenticates with the account's
+                                   server-set-secret
+    :attribute with_client_secret: Whether the permission should be applied when the
+                                   account authenticates with the account's
+                                   client-set-secret
+
+    .. note:: Since permissions are by definition boolean, there is no need to store a
+              value parameter with an ACL entry: if an entry exists for a given account
+              for a given access list with a given permission, then that permission is
+              granted on that access list to that account; similarly, if one does not
+              exist then it is not granted.
+    """
+
+    class Meta: # pylint: disable=missing-docstring,too-few-public-methods
+        table_name = "account_scope"
+
+    account = peewee.ForeignKeyField(
+        KeyoskAccount, null=False, on_delete="CASCADE", backref="scopes"
+    )
+    access_list = peewee.ForeignKeyField(
+        KeyoskDomainAccessList, null=False, on_delete="CASCADE"
+    )
+    permission = peewee.ForeignKeyField(
+        KeyoskDomainPermission, null=False, on_delete="CASCADE"
+    )
+    with_server_secret = peewee.BooleanField(null=False)
+    with_client_secret = peewee.BooleanField(null=False)
+
+    def __str__(self):
+        return f"ACL {self.permission.name}@{self.access_list.name} (scope:{'+'.join([item for item in ['server' if self.with_server_secret else '', 'client' if self.with_client_secret else ''] if item])})"
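Review bot: Nothing in KeyoskAccountScope keeps `access_list` and `permission` in the same domain, and nothing prevents the same (account, access_list, permission) triple from being stored twice; both foreign-key targets carry their own `domain` key (see the two new model files), so a row can bind a permission defined in one domain to an access list belonging to another. The docstring's note makes the existence of a row the grant itself, which is exactly why duplicate rows and cross-domain rows are worth rejecting in the model rather than trusting every caller. A unique composite index in `Meta` plus a domain check before `save` closes both; `__str__` also lacks the `-> str` annotation the sibling models use and is easier to read once the secret labels are built outside the f-string. Whether KeyoskBaseModel already overrides `save` is not visible here; the override below defers to it via `super()`.
```python
class KeyoskAccountScope(KeyoskBaseModel):
    # … unchanged: docstring …

    class Meta: # pylint: disable=missing-docstring,too-few-public-methods
        table_name = "account_scope"
        # One row per (account, access list, permission): a row *is* the grant,
        # so a duplicate has no meaning and must be rejected by the database.
        indexes = ((("account", "access_list", "permission"), True),)

    # … unchanged: account / access_list / permission / with_*_secret fields …

    def save(self, *args, **kwargs):
        """Persist the entry, refusing an access list and permission from different domains.

        :raises ValueError: if ``access_list.domain`` and ``permission.domain`` differ
        """
        if self.access_list.domain_id != self.permission.domain_id:
            raise ValueError(
                "access_list and permission must belong to the same domain"
            )
        return super().save(*args, **kwargs)

    def __str__(self) -> str:
        secrets = [
            label
            for label, enabled in (
                ("server", self.with_server_secret),
                ("client", self.with_client_secret),
            )
            if enabled
        ]
        return f"ACL {self.permission.name}@{self.access_list.name} (scope:{'+'.join(secrets)})"
```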