mirror of
https://github.com/enpaul/keyosk.git
synced 2024-11-24 23:47:49 +00:00
Remove account assignment and domain admin models
Meta domain administration really made no sense, so there is no point including it. There is no reason to include explicit account-domain assignment when the ACL table exists.
parent
e475fd4971
commit
a21b8dd194
@ -28,22 +28,18 @@ from keyosk import datatypes
|
|||||||
from keyosk.database._shared import INTERFACE as interface
|
from keyosk.database._shared import INTERFACE as interface
|
||||||
from keyosk.database._shared import KeyoskBaseModel
|
from keyosk.database._shared import KeyoskBaseModel
|
||||||
from keyosk.database.account import Account
|
from keyosk.database.account import Account
|
||||||
from keyosk.database.account import AccountAssignment
|
|
||||||
from keyosk.database.account_acl import AccountACLEntry
|
from keyosk.database.account_acl import AccountACLEntry
|
||||||
from keyosk.database.domain import Domain
|
from keyosk.database.domain import Domain
|
||||||
from keyosk.database.domain import DomainAccessList
|
from keyosk.database.domain import DomainAccessList
|
||||||
from keyosk.database.domain import DomainPermission
|
from keyosk.database.domain import DomainPermission
|
||||||
from keyosk.database.domain_admin import DomainAdmin
|
|
||||||
|
|
||||||
|
|
||||||
MODELS: List[Type[KeyoskBaseModel]] = [
|
MODELS: List[Type[KeyoskBaseModel]] = [
|
||||||
Account,
|
Account,
|
||||||
DomainAccessList,
|
DomainAccessList,
|
||||||
DomainPermission,
|
DomainPermission,
|
||||||
DomainAdmin,
|
|
||||||
Domain,
|
Domain,
|
||||||
AccountACLEntry,
|
AccountACLEntry,
|
||||||
AccountAssignment,
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
@ -90,17 +90,3 @@ class Account(KeyoskBaseModel):
|
|||||||
@staticmethod
|
@staticmethod
|
||||||
def dict_keys() -> List[str]:
|
def dict_keys() -> List[str]:
|
||||||
return ["uuid", "created", "updated", "username", "enabled", "extras"]
|
return ["uuid", "created", "updated", "username", "enabled", "extras"]
|
||||||
|
|
||||||
|
|
||||||
class AccountAssignment(KeyoskBaseModel):
|
|
||||||
"""Many-to-many mapping for assigning accounts to domains
|
|
||||||
|
|
||||||
:attribute account: Account to assign to a domain
|
|
||||||
:attribute domain: Domain to assign an account to
|
|
||||||
"""
|
|
||||||
|
|
||||||
class Meta: # pylint: disable=missing-docstring,too-few-public-methods
|
|
||||||
table_name = "account_assignment"
|
|
||||||
|
|
||||||
account = peewee.ForeignKeyField(Account)
|
|
||||||
domain = peewee.ForeignKeyField(Domain)
|
|
||||||
|
@ -63,11 +63,6 @@ class Domain(KeyoskBaseModel):
|
|||||||
"""Return the list of permission names from the backref"""
|
"""Return the list of permission names from the backref"""
|
||||||
return [item.name for item in self._permissions]
|
return [item.name for item in self._permissions]
|
||||||
|
|
||||||
@property
|
|
||||||
def administration(self):
|
|
||||||
"""Return administration settings container"""
|
|
||||||
return self._administration[0]
|
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def dict_keys() -> List[str]:
|
def dict_keys() -> List[str]:
|
||||||
return [
|
return [
|
||||||
@ -87,13 +82,8 @@ class Domain(KeyoskBaseModel):
|
|||||||
"lifespan_refresh",
|
"lifespan_refresh",
|
||||||
"access_list_names",
|
"access_list_names",
|
||||||
"permission_names",
|
"permission_names",
|
||||||
"administration",
|
|
||||||
]
|
]
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def foreign_ref() -> List[str]:
|
|
||||||
return ["administration"]
|
|
||||||
|
|
||||||
|
|
||||||
class DomainAccessList(KeyoskBaseModel):
|
class DomainAccessList(KeyoskBaseModel):
|
||||||
"""Access list name model definition
|
"""Access list name model definition
|
||||||
|
@ -1,74 +0,0 @@
|
|||||||
"""Authentication domain meta admin settings model definition
|
|
||||||
|
|
||||||
The domain administration settings allow access to be granted to accounts assigned to
|
|
||||||
the domain to manage the domain itself. This allows accounts to manage the parts of
|
|
||||||
Keyosk that they need to without granting permissions to every domain Keyosk knows
|
|
||||||
about.
|
|
||||||
|
|
||||||
However, to avoid circular foreign key references, the admin settings need their own
|
|
||||||
relation tabel. If these settings were part of the main :class:`Domain` model then there
|
|
||||||
would be circular references between it and the :class:`DomainAccessList` and
|
|
||||||
:class:`DomainPermission` models.
|
|
||||||
"""
|
|
||||||
from typing import Generator
|
|
||||||
from typing import Tuple
|
|
||||||
|
|
||||||
import peewee
|
|
||||||
|
|
||||||
from keyosk.database._shared import KeyoskBaseModel
|
|
||||||
from keyosk.database.domain import Domain
|
|
||||||
from keyosk.database.domain import DomainAccessList
|
|
||||||
from keyosk.database.domain import DomainPermission
|
|
||||||
|
|
||||||
|
|
||||||
class DomainAdmin(KeyoskBaseModel):
|
|
||||||
"""Authentication domain meta administration storage model
|
|
||||||
|
|
||||||
:attribute access_list: The ACL that an account must have permissions for to manage
|
|
||||||
the domain settings
|
|
||||||
:attribute domain_read: Permission granted by the ACL entry that gives the assigned
|
|
||||||
account read access to the domain settings
|
|
||||||
:attribute domain_update: Permission granted by the ACL entry that gives the
|
|
||||||
assigned account update access to the domain settings
|
|
||||||
:attribute account_create: Permission granted by the ACL entry that gives the
|
|
||||||
assigned account access to create new accounts assigned
|
|
||||||
to the domain
|
|
||||||
:attribute account_read: Permission granted by the ACL entry that gives the
|
|
||||||
assigned account read access to the accounts assigned to
|
|
||||||
the domain
|
|
||||||
:attribute account_delete: Permission granted by the ACL entry that gives the
|
|
||||||
assigned account access to unassign an account from the
|
|
||||||
domain
|
|
||||||
|
|
||||||
There are two permissions not available via this model that may make sense to
|
|
||||||
implement in the future: ``account_update`` and ``domain_delete``. The first is not
|
|
||||||
implemented due to the potential conflicts it causes: an account can be assigned to
|
|
||||||
multiple domains, so granting permissions on one domain to modify an account may
|
|
||||||
implicitly grant that same permission on one or more accounts assigned to another
|
|
||||||
domain; this seemed ill advised. The second is not implemented for no real good
|
|
||||||
reason, other than it seemed out of the inteneded usage of "domain management".
|
|
||||||
|
|
||||||
.. note:: Both the permissions denoted above, as well as other permissions not
|
|
||||||
enumerated here, are available through the primary Keyosk authentication
|
|
||||||
domain.
|
|
||||||
"""
|
|
||||||
|
|
||||||
class Meta: # pylint: disable=missing-docstring,too-few-public-methods
|
|
||||||
table_name = "domain_admin"
|
|
||||||
|
|
||||||
domain = peewee.ForeignKeyField(
|
|
||||||
Domain, unique=True, null=False, backref="_administration"
|
|
||||||
)
|
|
||||||
access_list = peewee.ForeignKeyField(DomainAccessList, null=True)
|
|
||||||
domain_read = peewee.ForeignKeyField(DomainPermission, null=True)
|
|
||||||
domain_update = peewee.ForeignKeyField(DomainPermission, null=True)
|
|
||||||
account_create = peewee.ForeignKeyField(DomainPermission, null=True)
|
|
||||||
account_read = peewee.ForeignKeyField(DomainPermission, null=True)
|
|
||||||
account_delete = peewee.ForeignKeyField(DomainPermission, null=True)
|
|
||||||
|
|
||||||
def __iter__(self) -> Generator[Tuple[str, str], None, None]:
|
|
||||||
yield "access_list", self.access_list.name
|
|
||||||
yield "domain_read", self.domain_read.name
|
|
||||||
yield "account_create", self.account_create.name
|
|
||||||
yield "account_read", self.account_read.name
|
|
||||||
yield "account_delete", self.account_delete.name
|
|