refactor product-support logic to product and group plugins

Author: pcrespov

services/web/server/src/simcore_service_webserver/groups/_groups_repository.py

@@ -731,6 +731,22 @@ async def is_user_by_email_in_group(
         return user_id is not None
 
 
+async def is_user_in_group(
+    app: web.Application,
+    connection: AsyncConnection | None = None,
+    *,
+    user_id: UserID,
+    group_id: GroupID,
+) -> bool:
+    async with pass_or_acquire_connection(get_asyncpg_engine(app), connection) as conn:
+        result = await conn.scalar(
+            sa.select(user_to_groups.c.uid).where(
+                (user_to_groups.c.uid == user_id) & (user_to_groups.c.gid == group_id)
+            )
+        )
+        return result is not None
+
+
 async def add_new_user_in_group(
     app: web.Application,
     connection: AsyncConnection | None = None,

services/web/server/src/simcore_service_webserver/groups/_groups_service.py

@@ -261,6 +261,14 @@ async def is_user_by_email_in_group(
     )
 
 
+async def is_user_in_group(
+    app: web.Application, *, user_id: UserID, group_id: GroupID
+) -> bool:
+    return await _groups_repository.is_user_in_group(
+        app, user_id=user_id, group_id=group_id
+    )
+
+
 async def auto_add_user_to_groups(app: web.Application, user_id: UserID) -> None:
     user: dict = await users_service.get_user(app, user_id)
     return await _groups_repository.auto_add_user_to_groups(app, user=user)

services/web/server/src/simcore_service_webserver/groups/api.py

@@ -9,6 +9,7 @@
     get_product_group_for_user,
     get_user_profile_groups,
     is_user_by_email_in_group,
+    is_user_in_group,
     list_all_user_groups_ids,
     list_group_members,
     list_user_groups_ids_with_read_access,
@@ -23,6 +24,7 @@
     "get_product_group_for_user",
     "get_user_profile_groups",
     "is_user_by_email_in_group",
+    "is_user_in_group",
     "list_all_user_groups_ids",
     "list_group_members",
     "list_user_groups_ids_with_read_access",

services/web/server/src/simcore_service_webserver/products/_web_helpers.py

@@ -4,10 +4,12 @@
 import aiofiles
 from aiohttp import web
 from models_library.products import ProductName
+from models_library.users import UserID
 from simcore_postgres_database.utils_products_prices import ProductPriceInfo
 
 from .._resources import webserver_resources
 from ..constants import RQ_PRODUCT_KEY
+from ..groups import api as groups_service
 from . import _service
 from ._web_events import APP_PRODUCTS_TEMPLATES_DIR_KEY
 from .errors import (
@@ -38,6 +40,22 @@ def get_current_product(request: web.Request) -> Product:
     return current_product
 
 
+async def is_user_in_product_support_group(
+    request: web.Request, *, user_id: UserID
+) -> bool:
+    """Checks if the user belongs to the support group of the given product.
+    If the product does not have a support group, returns False.
+    """
+    product = get_current_product(request)
+    if product.support_standard_group_id is None:
+        return False
+    return await groups_service.is_user_in_group(
+        app=request.app,
+        user_id=user_id,
+        group_id=product.support_standard_group_id,
+    )
+
+
 def _get_current_product_or_none(request: web.Request) -> Product | None:
     with contextlib.suppress(ProductNotFoundError, UnknownProductError):
         product: Product = get_current_product(request)

services/web/server/src/simcore_service_webserver/products/products_web.py

@@ -3,12 +3,14 @@
     get_current_product_credit_price_info,
     get_product_name,
     get_product_template_path,
+    is_user_in_product_support_group,
 )
 
 __all__: tuple[str, ...] = (
     "get_current_product",
     "get_current_product_credit_price_info",
     "get_product_name",
     "get_product_template_path",
+    "is_user_in_product_support_group",
 )
 # nopycln: file

services/web/server/src/simcore_service_webserver/security/_authz_repository.py

@@ -3,7 +3,6 @@
 
 import sqlalchemy as sa
 from models_library.basic_types import IdInt
-from models_library.groups import GroupID
 from models_library.products import ProductName
 from models_library.users import UserID
 from pydantic import TypeAdapter
@@ -66,19 +65,3 @@ async def is_user_in_product_name(
             )
             is not None
         )
-
-
-async def is_user_in_group(
-    engine: AsyncEngine, *, user_id: UserID, group_id: GroupID
-) -> bool:
-    async with engine.connect() as conn:
-        return (
-            await conn.scalar(
-                sa.select(users.c.id)
-                .select_from(
-                    users.join(user_to_groups, user_to_groups.c.uid == users.c.id)
-                )
-                .where((users.c.id == user_id) & (user_to_groups.c.gid == group_id))
-            )
-            is not None
-        )

services/web/server/src/simcore_service_webserver/security/_authz_service.py

@@ -4,11 +4,7 @@
 import aiohttp_security.api  # type: ignore[import-untyped]
 import passlib.hash
 from aiohttp import web
-from models_library.users import UserID
-from simcore_service_webserver.products._models import Product
 
-from ..db.plugin import get_asyncpg_engine
-from . import _authz_repository
 from ._authz_access_model import RoleBasedAccessModel
 from ._authz_policy import AuthorizationPolicy
 from ._constants import PERMISSION_PRODUCT_LOGIN_KEY
@@ -26,21 +22,6 @@ async def clean_auth_policy_cache(app: web.Application) -> None:
     await autz_policy.clear_cache()
 
 
-async def is_user_in_product_support_group(
-    app: web.Application, *, product: Product, user_id: UserID
-) -> bool:
-    """Checks if the user belongs to the support group of the given product.
-    If the product does not have a support group, returns False.
-    """
-    if product.support_standard_group_id is None:
-        return False
-    return await _authz_repository.is_user_in_group(
-        get_asyncpg_engine(app),
-        user_id=user_id,
-        group_id=product.support_standard_group_id,
-    )
-
-
 #
 # utils (i.e. independent from setup)
 #

services/web/server/src/simcore_service_webserver/security/decorators.py

@@ -4,9 +4,6 @@
 import aiohttp_security.api  # type: ignore[import-untyped]
 from aiohttp import web
 from servicelib.aiohttp.typing_extension import Handler
-from simcore_service_webserver.security._authz_service import (
-    is_user_in_product_support_group,
-)
 
 from ..products import products_web
 from ._authz_access_model import AuthContextDict
@@ -67,9 +64,8 @@ async def _wrapped(request: web.Request):
             ):
                 if permission in NAMED_GROUP_PERMISSIONS.get(
                     "PRODUCT_SUPPORT_GROUP", []
-                ) and await is_user_in_product_support_group(
-                    request.app,
-                    product=products_web.get_current_product(request),
+                ) and await products_web.is_user_in_product_support_group(
+                    request,
                     user_id=user_id,
                 ):
                     return await handler(request)