atst/atat/domain/permission_sets.py
2020-03-04 11:51:15 -05:00

242 lines
7.7 KiB
Python

from sqlalchemy.orm.exc import NoResultFound
from atat.database import db
from atat.models.permissions import Permissions
from atat.models.permission_set import PermissionSet
from .exceptions import NotFoundError
class PermissionSets(object):
VIEW_PORTFOLIO = "view_portfolio"
VIEW_PORTFOLIO_APPLICATION_MANAGEMENT = "view_portfolio_application_management"
VIEW_PORTFOLIO_FUNDING = "view_portfolio_funding"
VIEW_PORTFOLIO_REPORTS = "view_portfolio_reports"
VIEW_PORTFOLIO_ADMIN = "view_portfolio_admin"
EDIT_PORTFOLIO_APPLICATION_MANAGEMENT = "edit_portfolio_application_management"
EDIT_PORTFOLIO_FUNDING = "edit_portfolio_funding"
EDIT_PORTFOLIO_REPORTS = "edit_portfolio_reports"
EDIT_PORTFOLIO_ADMIN = "edit_portfolio_admin"
PORTFOLIO_POC = "portfolio_poc"
VIEW_AUDIT_LOG = "view_audit_log"
MANAGE_CCPO_USERS = "manage_ccpo_users"
VIEW_APPLICATION = "view_application"
EDIT_APPLICATION_ENVIRONMENTS = "edit_application_environments"
EDIT_APPLICATION_TEAM = "edit_application_team"
DELETE_APPLICATION_ENVIRONMENTS = "delete_application_environments"
@classmethod
def get(cls, perms_set_name):
try:
role = db.session.query(PermissionSet).filter_by(name=perms_set_name).one()
except NoResultFound:
raise NotFoundError("permission_set")
return role
@classmethod
def get_all(cls):
return db.session.query(PermissionSet).all()
@classmethod
def get_many(cls, perms_set_names):
permission_sets = (
db.session.query(PermissionSet)
.filter(PermissionSet.name.in_(perms_set_names))
.all()
)
if len(permission_sets) != len(perms_set_names):
raise NotFoundError("permission_set")
return permission_sets
ATAT_PERMISSION_SETS = [
{
"name": PermissionSets.VIEW_AUDIT_LOG,
"display_name": "View Audit Log",
"description": "",
"permissions": [Permissions.VIEW_AUDIT_LOG],
},
{
"name": PermissionSets.MANAGE_CCPO_USERS,
"display_name": "View Audit Log",
"description": "",
"permissions": [
Permissions.VIEW_CCPO_USER,
Permissions.CREATE_CCPO_USER,
Permissions.EDIT_CCPO_USER,
Permissions.DELETE_CCPO_USER,
],
},
]
_PORTFOLIO_BASIC_PERMISSION_SETS = [
{
"name": PermissionSets.VIEW_PORTFOLIO,
"description": "View basic portfolio info",
"display_name": "View Portfolio",
"permissions": [Permissions.VIEW_PORTFOLIO],
}
]
_PORTFOLIO_APP_MGMT_PERMISSION_SETS = [
{
"name": PermissionSets.VIEW_PORTFOLIO_APPLICATION_MANAGEMENT,
"description": "View applications and related resources",
"display_name": "Application Management",
"permissions": [
Permissions.VIEW_APPLICATION,
Permissions.VIEW_APPLICATION_MEMBER,
Permissions.VIEW_ENVIRONMENT,
],
},
{
"name": PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT,
"description": "Edit applications and related resources",
"display_name": "Application Management",
"permissions": [
Permissions.EDIT_APPLICATION,
Permissions.CREATE_APPLICATION,
Permissions.DELETE_APPLICATION,
Permissions.EDIT_APPLICATION_MEMBER,
Permissions.DELETE_APPLICATION_MEMBER,
Permissions.CREATE_APPLICATION_MEMBER,
Permissions.EDIT_ENVIRONMENT,
Permissions.CREATE_ENVIRONMENT,
Permissions.DELETE_ENVIRONMENT,
Permissions.ASSIGN_ENVIRONMENT_MEMBER,
],
},
]
_PORTFOLIO_FUNDING_PERMISSION_SETS = [
{
"name": PermissionSets.VIEW_PORTFOLIO_FUNDING,
"description": "View a portfolio's task orders",
"display_name": "Funding",
"permissions": [
Permissions.VIEW_PORTFOLIO_FUNDING,
Permissions.VIEW_TASK_ORDER_DETAILS,
],
},
{
"name": PermissionSets.EDIT_PORTFOLIO_FUNDING,
"description": "Edit a portfolio's task orders and add new ones",
"display_name": "Funding",
"permissions": [
Permissions.CREATE_TASK_ORDER,
Permissions.EDIT_TASK_ORDER_DETAILS,
],
},
]
_PORTFOLIO_REPORTS_PERMISSION_SETS = [
{
"name": PermissionSets.VIEW_PORTFOLIO_REPORTS,
"description": "View a portfolio's reports",
"display_name": "Reporting",
"permissions": [Permissions.VIEW_PORTFOLIO_REPORTS],
},
{
"name": PermissionSets.EDIT_PORTFOLIO_REPORTS,
"description": "Edit a portfolio's reports (no-op)",
"display_name": "Reporting",
"permissions": [],
},
]
_PORTFOLIO_ADMIN_PERMISSION_SETS = [
{
"name": PermissionSets.VIEW_PORTFOLIO_ADMIN,
"description": "View a portfolio's admin options",
"display_name": "Portfolio Administration",
"permissions": [
Permissions.VIEW_PORTFOLIO_ADMIN,
Permissions.VIEW_PORTFOLIO_NAME,
Permissions.VIEW_PORTFOLIO_USERS,
Permissions.VIEW_PORTFOLIO_ACTIVITY_LOG,
Permissions.VIEW_PORTFOLIO_POC,
],
},
{
"name": PermissionSets.EDIT_PORTFOLIO_ADMIN,
"description": "Edit a portfolio's admin options",
"display_name": "Portfolio Administration",
"permissions": [
Permissions.EDIT_PORTFOLIO_NAME,
Permissions.EDIT_PORTFOLIO_USERS,
Permissions.CREATE_PORTFOLIO_USERS,
],
},
]
_PORTFOLIO_POC_PERMISSION_SETS = [
{
"name": "portfolio_poc",
"description": "Permissions belonging to the Portfolio POC",
"display_name": "Portfolio Point of Contact",
"permissions": [Permissions.EDIT_PORTFOLIO_POC, Permissions.ARCHIVE_PORTFOLIO],
}
]
PORTFOLIO_PERMISSION_SETS = (
_PORTFOLIO_BASIC_PERMISSION_SETS
+ _PORTFOLIO_APP_MGMT_PERMISSION_SETS
+ _PORTFOLIO_FUNDING_PERMISSION_SETS
+ _PORTFOLIO_REPORTS_PERMISSION_SETS
+ _PORTFOLIO_ADMIN_PERMISSION_SETS
+ _PORTFOLIO_POC_PERMISSION_SETS
)
_APPLICATION_BASIC_PERMISSION_SET = {
"name": PermissionSets.VIEW_APPLICATION,
"description": "View application data",
"display_name": "View applications",
"permissions": [
Permissions.VIEW_APPLICATION,
Permissions.VIEW_APPLICATION_MEMBER,
Permissions.VIEW_ENVIRONMENT,
],
}
# need perm to assign and unassign users to environments
_APPLICATION_ENVIRONMENTS_PERMISSION_SET = {
"name": PermissionSets.EDIT_APPLICATION_ENVIRONMENTS,
"description": "Manage environments for an application",
"display_name": "Manage environments",
"permissions": [
Permissions.EDIT_ENVIRONMENT,
Permissions.CREATE_ENVIRONMENT,
Permissions.ASSIGN_ENVIRONMENT_MEMBER,
],
}
_APPLICATION_TEAM_PERMISSION_SET = {
"name": PermissionSets.EDIT_APPLICATION_TEAM,
"description": "Manage team members for an application",
"display_name": "Manage team",
"permissions": [
Permissions.EDIT_APPLICATION_MEMBER,
Permissions.DELETE_APPLICATION_MEMBER,
Permissions.CREATE_APPLICATION_MEMBER,
Permissions.ASSIGN_ENVIRONMENT_MEMBER,
Permissions.VIEW_APPLICATION_ACTIVITY_LOG,
],
}
_APPLICATION_ENVIRONMENT_DELETE_PERMISSION_SET = {
"name": PermissionSets.DELETE_APPLICATION_ENVIRONMENTS,
"description": "Delete environments within an application",
"display_name": "Delete environments",
"permissions": [Permissions.DELETE_ENVIRONMENT],
}
APPLICATION_PERMISSION_SETS = [
_APPLICATION_BASIC_PERMISSION_SET,
_APPLICATION_TEAM_PERMISSION_SET,
_APPLICATION_ENVIRONMENTS_PERMISSION_SET,
_APPLICATION_ENVIRONMENT_DELETE_PERMISSION_SET,
]