fixes cyclic import

Author: pcrespov

services/web/server/src/simcore_service_webserver/security/_authz_policy.py

@@ -18,19 +18,15 @@
 from simcore_postgres_database.aiopg_errors import DatabaseError as AiopgDatabaseError
 from sqlalchemy.exc import DatabaseError as SQLAlchemyDatabaseError
 
-from ..groups import api as groups_service
+from . import _authz_repository
 from ._authz_access_model import (
     AuthContextDict,
     OptionalContext,
     RoleBasedAccessModel,
     has_access_by_role,
 )
 from ._authz_access_roles import NAMED_GROUP_PERMISSIONS
-from ._authz_repository import (
-    ActiveUserIdAndRole,
-    get_active_user_or_none,
-    is_user_in_product_name,
-)
+from ._authz_repository import ActiveUserIdAndRole
 from ._constants import MSG_AUTH_NOT_AVAILABLE, PERMISSION_PRODUCT_LOGIN_KEY
 from ._identity_web import IdentityStr
 
@@ -82,7 +78,7 @@ async def _get_authorized_user_or_none(
             web.HTTPServiceUnavailable: if database raises an exception
         """
         with _handle_exceptions_as_503():
-            return await get_active_user_or_none(
+            return await _authz_repository.get_active_user_or_none(
                 get_async_engine(self._app), email=email
             )
 
@@ -99,17 +95,36 @@ async def _has_access_to_product(
             web.HTTPServiceUnavailable: if database raises an exception
         """
         with _handle_exceptions_as_503():
-            return await is_user_in_product_name(
+            return await _authz_repository.is_user_in_product_name(
                 get_async_engine(self._app), user_id=user_id, product_name=product_name
             )
 
+    @cached(
+        ttl=_AUTHZ_BURST_CACHE_TTL,
+        namespace=__name__,
+        key_builder=lambda f, *ag, **kw: f"{f.__name__}/{kw['user_id']}/{kw['group_id']}",
+    )
+    async def _is_user_in_group(self, *, user_id: UserID, group_id: int) -> bool:
+        """
+        Raises:
+            web.HTTPServiceUnavailable: if database raises an exception
+        """
+        with _handle_exceptions_as_503():
+            return await _authz_repository.is_user_in_group(
+                get_async_engine(self._app), user_id=user_id, group_id=group_id
+            )
+
     @property
     def access_model(self) -> RoleBasedAccessModel:
         return self._access_model
 
     async def clear_cache(self):
         # pylint: disable=no-member
-        for fun in (self._get_authorized_user_or_none, self._has_access_to_product):
+        for fun in (
+            self._get_authorized_user_or_none,
+            self._has_access_to_product,
+            self._is_user_in_group,
+        ):
             autz_cache: BaseCache = fun.cache
             await autz_cache.clear()
 
@@ -184,19 +199,13 @@ async def permits(
 
         # GROUP-BASED access policy (only if enabled in context and user is above GUEST role)
         product_support_group_id = context.get("product_support_group_id", None)
-        if (
+        group_allowed = (
             product_support_group_id is not None
             and user_role > UserRole.GUEST
             and permission in NAMED_GROUP_PERMISSIONS.get("PRODUCT_SUPPORT_GROUP", [])
-        ):
-            with contextlib.suppress(
-                Exception
-                # If product or group check fails, continue to deny access
-                # NOTE: Logging omitted to avoid exposing internal errors
-            ):
-                if await groups_service.is_user_in_group(
-                    self._app, user_id=user_id, group_id=product_support_group_id
-                ):
-                    return True
-
-        return False
+            and await self._is_user_in_group(
+                user_id=user_id, group_id=product_support_group_id
+            )
+        )
+
+        return group_allowed  # noqa: RET504

services/web/server/src/simcore_service_webserver/security/_authz_repository.py

@@ -3,6 +3,7 @@
 
 import sqlalchemy as sa
 from models_library.basic_types import IdInt
+from models_library.groups import GroupID
 from models_library.products import ProductName
 from models_library.users import UserID
 from pydantic import TypeAdapter
@@ -65,3 +66,18 @@ async def is_user_in_product_name(
             )
             is not None
         )
+
+
+async def is_user_in_group(
+    engine: AsyncEngine,
+    *,
+    user_id: UserID,
+    group_id: GroupID,
+) -> bool:
+    async with engine.connect() as conn:
+        result = await conn.scalar(
+            sa.select(user_to_groups.c.uid).where(
+                (user_to_groups.c.uid == user_id) & (user_to_groups.c.gid == group_id)
+            )
+        )
+        return result is not None