refactor get_user_perms

2023-08-15 10:38:39 +02:00 · 2023-08-15 10:38:39 +02:00 · f5f8e6c6a2
commit f5f8e6c6a2
parent e1ea85f184
6 changed files with 85 additions and 58 deletions
--- a/kojihub/auth.py
+++ b/kojihub/auth.py
@ -782,29 +782,61 @@ def get_user_groups(user_id):
    return groups


-def get_user_perms(user_id, with_groups=True):
+def get_user_perms(user_id, with_groups=True, inheritance_data=False):
+    """
+    :param int user_id: User ID
+    :param bool with_groups: Add also permissions from all groups and their inheritance chain
+    :param bool inheritance_data: Return extended data about permissions sources
+    :returns list[str]: in case of inheritance_data=False
+    :returns dict[str, list[str]]: in case of inheritance_data=True - keys are permissions' names,
+                                   values list of groups which are in inheritance and provides
+                                   given permission.
+    """
+    if inheritance_data and not with_groups:
+        raise koji.ParameterError("inheritance option implies with_groups")
+
    # individual permissions
+    perms = {}
    query = QueryProcessor(tables=['user_perms'], columns=['name'],
                           clauses=['active IS TRUE', 'user_id=%(user_id)s'],
                           joins=['permissions ON perm_id = permissions.id'],
                           values={'user_id': user_id})
-    result = query.execute()
-    perms = {r['name'] for r in result}
+    for perm in query.execute():
+        perms[perm['name']] = [None]

-    # inherited group permissions
    if with_groups:
-        query = QueryProcessor(tables=['user_groups'], columns=['name'],
+        columns = ['permissions.name']
+        aliases = ['name']
+        joins = [
+            'user_perms ON user_perms.user_id = user_groups.group_id',
+            'permissions ON perm_id = permissions.id',
+        ]
+        if inheritance_data:
+            # inheritance data adds one more join and as function
+            # can be called relatively often (e.g. in hub policy tests)
+            # it is a bit faster to ignore this join for "default" code path
+            columns.append('users.name')
+            aliases.append('group')
+            joins.append('users ON user_groups.group_id = users.id')
+        query = QueryProcessor(tables=['user_groups'],
+                               columns=columns,
+                               aliases=aliases,
                               clauses=[
                                   'user_groups.active IS TRUE',
                                   'user_perms.active IS TRUE',
                                   'user_groups.user_id=%(user_id)s'],
-                               joins=[
-                                   'user_perms ON user_perms.user_id = user_groups.group_id',
-                                   'permissions ON perm_id = permissions.id'],
+                               joins=joins,
                               values={'user_id': user_id})
-        result = query.execute()
-        perms |= {r['name'] for r in result}
-    return list(perms)
+        for row in query.execute():
+            if inheritance_data:
+                perms.setdefault(row['name'], []).append(row['group'])
+            else:
+                # group name wouldn't be used in this case
+                perms.setdefault(row['name'], [])
+    if inheritance_data:
+        return perms
+    else:
+        return list(perms.keys())


 def get_user_data(user_id):