Remove account assignment and domain admin models

Meta domain administration really made no sense, no point including it
No reason to include explicit account-domain assignment when the ACL table exists
Ethan Paul 2020-02-23 01:46:17 -05:00
parent e475fd4971
commit a21b8dd194
4 changed files with 0 additions and 102 deletions


@ -28,22 +28,18 @@ from keyosk import datatypes
from keyosk.database._shared import INTERFACE as interface
from keyosk.database._shared import KeyoskBaseModel
from keyosk.database.account import Account
from keyosk.database.account import AccountAssignment
from keyosk.database.account_acl import AccountACLEntry
from keyosk.database.domain import Domain
from keyosk.database.domain import DomainAccessList
from keyosk.database.domain import DomainPermission
from keyosk.database.domain_admin import DomainAdmin
MODELS: List[Type[KeyoskBaseModel]] = [
Account,
DomainAccessList,
DomainPermission,
DomainAdmin,
Domain,
AccountACLEntry,
AccountAssignment,
]


@ -90,17 +90,3 @@ class Account(KeyoskBaseModel):
@staticmethod
def dict_keys() -> List[str]:
return ["uuid", "created", "updated", "username", "enabled", "extras"]
class AccountAssignment(KeyoskBaseModel):
"""Many-to-many mapping for assigning accounts to domains
:attribute account: Account to assign to a domain
:attribute domain: Domain to assign an account to
"""
class Meta: # pylint: disable=missing-docstring,too-few-public-methods
table_name = "account_assignment"
account = peewee.ForeignKeyField(Account)
domain = peewee.ForeignKeyField(Domain)


@ -63,11 +63,6 @@ class Domain(KeyoskBaseModel):
"""Return the list of permission names from the backref"""
return [item.name for item in self._permissions]
@property
def administration(self):
"""Return administration settings container"""
return self._administration[0]
@staticmethod
def dict_keys() -> List[str]:
return [
@ -87,13 +82,8 @@ class Domain(KeyoskBaseModel):
"lifespan_refresh",
"access_list_names",
"permission_names",
"administration",
]
@staticmethod
def foreign_ref() -> List[str]:
return ["administration"]
class DomainAccessList(KeyoskBaseModel):
"""Access list name model definition


@ -1,74 +0,0 @@
"""Authentication domain meta admin settings model definition
The domain administration settings allow access to be granted to accounts assigned to
the domain to manage the domain itself. This allows accounts to manage the parts of
Keyosk that they need to without granting permissions to every domain Keyosk knows
about.
However, to avoid circular foreign key references, the admin settings need their own
relation tabel. If these settings were part of the main :class:`Domain` model then there
would be circular references between it and the :class:`DomainAccessList` and
:class:`DomainPermission` models.
"""
from typing import Generator
from typing import Tuple
import peewee
from keyosk.database._shared import KeyoskBaseModel
from keyosk.database.domain import Domain
from keyosk.database.domain import DomainAccessList
from keyosk.database.domain import DomainPermission
class DomainAdmin(KeyoskBaseModel):
"""Authentication domain meta administration storage model
:attribute access_list: The ACL that an account must have permissions for to manage
the domain settings
:attribute domain_read: Permission granted by the ACL entry that gives the assigned
account read access to the domain settings
:attribute domain_update: Permission granted by the ACL entry that gives the
assigned account update access to the domain settings
:attribute account_create: Permission granted by the ACL entry that gives the
assigned account access to create new accounts assigned
to the domain
:attribute account_read: Permission granted by the ACL entry that gives the
assigned account read access to the accounts assigned to
the domain
:attribute account_delete: Permission granted by the ACL entry that gives the
assigned account access to unassign an account from the
domain
There are two permissions not available via this model that may make sense to
implement in the future: ``account_update`` and ``domain_delete``. The first is not
implemented due to the potential conflicts it causes: an account can be assigned to
multiple domains, so granting permissions on one domain to modify an account may
implicitly grant that same permission on one or more accounts assigned to another
domain; this seemed ill advised. The second is not implemented for no real good
reason, other than it seemed out of the inteneded usage of "domain management".
.. note:: Both the permissions denoted above, as well as other permissions not
enumerated here, are available through the primary Keyosk authentication
domain.
"""
class Meta: # pylint: disable=missing-docstring,too-few-public-methods
table_name = "domain_admin"
domain = peewee.ForeignKeyField(
Domain, unique=True, null=False, backref="_administration"
)
access_list = peewee.ForeignKeyField(DomainAccessList, null=True)
domain_read = peewee.ForeignKeyField(DomainPermission, null=True)
domain_update = peewee.ForeignKeyField(DomainPermission, null=True)
account_create = peewee.ForeignKeyField(DomainPermission, null=True)
account_read = peewee.ForeignKeyField(DomainPermission, null=True)
account_delete = peewee.ForeignKeyField(DomainPermission, null=True)
def __iter__(self) -> Generator[Tuple[str, str], None, None]:
yield "access_list", self.access_list.name
yield "domain_read", self.domain_read.name
yield "account_create", self.account_create.name
yield "account_read", self.account_read.name
yield "account_delete", self.account_delete.name