cleanup

Author: pcrespov

api/specs/web-server/_tags_groups.py

@@ -8,7 +8,9 @@
 
 from fastapi import APIRouter, Depends, status
 from models_library.generics import Envelope
+from models_library.rest_error import EnvelopedError
 from simcore_service_webserver._meta import API_VTAG
+from simcore_service_webserver.tags._rest import _TO_HTTP_ERROR_MAP
 from simcore_service_webserver.tags.schemas import (
     TagGet,
     TagGroupCreate,
@@ -23,6 +25,9 @@
         "tags",
         "groups",
     ],
+    responses={
+        i.status_code: {"model": EnvelopedError} for i in _TO_HTTP_ERROR_MAP.values()
+    },
 )
 
 

services/web/server/src/simcore_service_webserver/tags/_rest.py

@@ -8,9 +8,15 @@
     TagNotFoundError,
     TagOperationNotAllowedError,
 )
+from simcore_service_webserver.tags.errors import (
+    InsufficientTagShareAccessError,
+    ShareTagWithEveryoneNotAllowedError,
+    ShareTagWithProductGroupNotAllowedError,
+)
 
 from .._meta import API_VTAG as VTAG
 from ..exception_handling import (
+    ExceptionToHttpErrorMap,
     HttpErrorInfo,
     exception_handling_decorator,
     to_exceptions_handlers_map,
@@ -29,19 +35,32 @@
     TagUpdate,
 )
 
+_TO_HTTP_ERROR_MAP: ExceptionToHttpErrorMap = {
+    TagNotFoundError: HttpErrorInfo(
+        status.HTTP_404_NOT_FOUND,
+        "Tag {tag_id} not found: either no access or does not exists",
+    ),
+    TagOperationNotAllowedError: HttpErrorInfo(
+        status.HTTP_403_FORBIDDEN,
+        "Could not {operation} tag {tag_id}. Not found or insuficient access.",
+    ),
+    ShareTagWithEveryoneNotAllowedError: HttpErrorInfo(
+        status.HTTP_403_FORBIDDEN,
+        "Sharing with everyone is not permitted.",
+    ),
+    ShareTagWithProductGroupNotAllowedError: HttpErrorInfo(
+        status.HTTP_403_FORBIDDEN,
+        "Sharing with all users is only permitted to admin users (e.g. testers, POs, ...).",
+    ),
+    InsufficientTagShareAccessError: HttpErrorInfo(
+        status.HTTP_403_FORBIDDEN,
+        "Insufficient access rightst to share (or unshare) tag {tag_id}.",
+    ),
+}
+
+
 _handle_tags_exceptions = exception_handling_decorator(
-    to_exceptions_handlers_map(
-        {
-            TagNotFoundError: HttpErrorInfo(
-                status.HTTP_404_NOT_FOUND,
-                "Tag {tag_id} not found: either no access or does not exists",
-            ),
-            TagOperationNotAllowedError: HttpErrorInfo(
-                status.HTTP_403_FORBIDDEN,
-                "Could not {operation} tag {tag_id}. Not found or insuficient access.",
-            ),
-        }
-    )
+    to_exceptions_handlers_map(_TO_HTTP_ERROR_MAP)
 )
 
 

services/web/server/src/simcore_service_webserver/tags/_service.py

@@ -3,17 +3,21 @@
 
 from aiohttp import web
 from common_library.groups_dicts import AccessRightsDict
+from common_library.users_enums import UserRole
 from models_library.basic_types import IdInt
-from models_library.groups import GroupID
+from models_library.groups import EVERYONE_GROUP_ID, GroupID
 from models_library.users import UserID
 from servicelib.aiohttp.db_asyncpg_engine import get_async_engine
-from simcore_postgres_database.utils_tags import (
-    TagAccessRightsDict,
-    TagOperationNotAllowedError,
-    TagsRepo,
-)
+from simcore_postgres_database.utils_tags import TagAccessRightsDict, TagsRepo
 from sqlalchemy.ext.asyncio import AsyncEngine
 
+from ..products.api import list_products
+from ..users.api import get_user_role
+from .errors import (
+    InsufficientTagShareAccessError,
+    ShareTagWithEveryoneNotAllowedError,
+    ShareTagWithProductGroupNotAllowedError,
+)
 from .schemas import TagCreate, TagGet, TagUpdate
 
 
@@ -65,6 +69,48 @@ async def delete_tag(app: web.Application, user_id: UserID, tag_id: IdInt):
     await repo.delete(user_id=user_id, tag_id=tag_id)
 
 
+def _is_product_group(app: web.Application, group_id: GroupID):
+    products = list_products(app)
+    return any(group_id == p.group_id for p in products)
+
+
+async def _validate_tag_sharing_permissions(
+    app: web.Application,
+    repo: TagsRepo,
+    *,
+    caller_user_id: UserID,
+    tag_id: IdInt,
+    group_id: GroupID,
+) -> None:
+    """
+    Raises:
+        ShareTagWithEveryoneNotAllowedError
+        ShareTagWithProductGroupNotAllowedError
+        InsufficientWriteAccessTagError
+    """
+    if group_id == EVERYONE_GROUP_ID:
+        raise ShareTagWithEveryoneNotAllowedError(
+            user_id=caller_user_id, tag_id=tag_id, group_id=group_id
+        )
+
+    if _is_product_group(app, group_id=group_id):
+        user_role: UserRole = await get_user_role(app, user_id=caller_user_id)
+        if user_role < UserRole.TESTER:
+            raise ShareTagWithProductGroupNotAllowedError(
+                user_id=caller_user_id,
+                tag_id=tag_id,
+                group_id=group_id,
+                user_role=user_role,
+            )
+
+    if not await repo.has_access_rights(
+        user_id=caller_user_id, tag_id=tag_id, write=True
+    ):
+        raise InsufficientTagShareAccessError(
+            user_id=caller_user_id, tag_id=tag_id, group_id=group_id
+        )
+
+
 async def share_tag_with_group(
     app: web.Application,
     *,
@@ -75,16 +121,17 @@ async def share_tag_with_group(
 ) -> TagAccessRightsDict:
     """
     Raises:
+        ShareTagWithEveryoneNotAllowedError
+        ShareTagWithProductGroupNotAllowedError
+        InsufficientWriteAccessTagError
         TagOperationNotAllowedError
+        TagsValueError
     """
     repo = TagsRepo(get_async_engine(app))
 
-    if not await repo.has_access_rights(
-        caller_id=caller_user_id, tag_id=tag_id, write=True
-    ):
-        raise TagOperationNotAllowedError(
-            operation="share or update", user_id=caller_user_id, tag_id=tag_id
-        )
+    await _validate_tag_sharing_permissions(
+        app, repo, caller_user_id=caller_user_id, tag_id=tag_id, group_id=group_id
+    )
 
     return await repo.create_or_update_access_rights(
         tag_id=tag_id,
@@ -109,12 +156,9 @@ async def unshare_tag_with_group(
     """
     repo = TagsRepo(get_async_engine(app))
 
-    if not await repo.has_access_rights(
-        caller_id=caller_user_id, tag_id=tag_id, delete=True
-    ):
-        raise TagOperationNotAllowedError(
-            operation="share.delete", user_id=caller_user_id, tag_id=tag_id
-        )
+    await _validate_tag_sharing_permissions(
+        app, repo, caller_user_id=caller_user_id, tag_id=tag_id, group_id=group_id
+    )
 
     deleted: bool = await repo.delete_access_rights(tag_id=tag_id, group_id=group_id)
     return deleted
@@ -130,7 +174,7 @@ async def list_tag_groups(
     repo = TagsRepo(get_async_engine(app))
 
     if not await repo.has_access_rights(
-        caller_id=caller_user_id, tag_id=tag_id, read=True
+        user_id=caller_user_id, tag_id=tag_id, read=True
     ):
         return []
 

services/web/server/src/simcore_service_webserver/tags/errors.py

@@ -0,0 +1,25 @@
+from ..errors import WebServerBaseError
+
+
+class TagsPermissionError(WebServerBaseError, PermissionError):
+    ...
+
+
+class ShareTagWithEveryoneNotAllowedError(TagsPermissionError):
+    msg_template = (
+        "User {user_id} is not allowed to share (or unshare) tag {tag_id} with everyone"
+    )
+
+
+class ShareTagWithProductGroupNotAllowedError(TagsPermissionError):
+    msg_template = (
+        "User {user_id} is not allowed to share  (or unshare) tag {tag_id} with group {group_id}. "
+        "Only {user_role}>=TESTER users are allowed."
+    )
+
+
+class InsufficientTagShareAccessError(TagsPermissionError):
+    msg_template = (
+        "User {user_id} does not have sufficient access rights to share"
+        " (or unshare) or unshare tag {tag_id}."
+    )

services/web/server/tests/unit/with_dbs/03/tags/test_tags.py

@@ -11,7 +11,9 @@
 import sqlalchemy as sa
 from aiohttp.test_utils import TestClient
 from faker import Faker
+from models_library.basic_types import IdInt
 from models_library.groups import EVERYONE_GROUP_ID
+from models_library.products import ProductName
 from models_library.projects_state import (
     ProjectLocked,
     ProjectRunningState,
@@ -28,6 +30,7 @@
 from simcore_postgres_database.models.tags import tags
 from simcore_service_webserver.db.models import UserRole
 from simcore_service_webserver.db.plugin import get_database_engine
+from simcore_service_webserver.products._api import get_product
 from simcore_service_webserver.projects.models import ProjectDict
 
 
@@ -259,11 +262,12 @@ async def test_create_tags_with_order_index(
     assert got == expected_tags[::-1]
 
     # (3) new tag without priority should get last (because is last created)
+    url = client.app.router["create_tag"].url_for()
     resp = await client.post(
         f"{url}",
         json={"name": "New", "color": "#f00", "description": "w/o priority"},
     )
-    last_created, _ = await assert_status(resp, status.HTTP_200_OK)
+    last_created, _ = await assert_status(resp, status.HTTP_201_CREATED)
 
     url = client.app.router["list_tags"].url_for()
     resp = await client.get(f"{url}")
@@ -358,30 +362,36 @@ async def test_share_tags_by_creating_associated_groups(
         )
         await assert_status(resp, status.HTTP_204_NO_CONTENT)
 
-        # test can do nothing
+
+@pytest.fixture
+async def user_tag_id(client: TestClient) -> IdInt:
+    assert client.app
+
+    url = client.app.router["create_tag"].url_for()
+    resp = await client.post(
+        f"{url}",
+        json={"name": "shared", "color": "#fff"},
+    )
+    tag, _ = await assert_status(resp, status.HTTP_201_CREATED)
+    return tag["id"]
 
 
-@pytest.mark.xfail(reason="Under dev")
+@pytest.mark.parametrize(
+    "user_role", [role for role in UserRole if role >= UserRole.USER]
+)
 async def test_cannot_share_tag_with_everyone(
     client: TestClient,
     logged_user: UserInfoDict,
     user_role: UserRole,
+    user_tag_id: IdInt,
     _clean_tags_table: None,
 ):
     assert client.app
     assert UserRole(logged_user["role"]) == user_role
 
-    url = client.app.router["create_tag"].url_for()
-    resp = await client.post(
-        f"{url}",
-        json={"name": "shared", "color": "#fff"},
-    )
-    tag, _ = await assert_status(resp, status.HTTP_201_CREATED)
-    tag_id: int = tag["id"]
-
     # cannot SHARE with everyone group
     url = client.app.router["create_tag_group"].url_for(
-        tag_id=f"{tag_id}", group_id=f"{EVERYONE_GROUP_ID}"
+        tag_id=f"{user_tag_id}", group_id=f"{EVERYONE_GROUP_ID}"
     )
     resp = await client.post(
         f"{url}",
@@ -392,7 +402,7 @@ async def test_cannot_share_tag_with_everyone(
 
     # cannot REPLACE with everyone group
     url = client.app.router["replace_tag_group"].url_for(
-        tag_id=f"{tag_id}", group_id=f"{EVERYONE_GROUP_ID}"
+        tag_id=f"{user_tag_id}", group_id=f"{EVERYONE_GROUP_ID}"
     )
     resp = await client.put(
         f"{url}",
@@ -403,11 +413,52 @@ async def test_cannot_share_tag_with_everyone(
 
     # cannot DELETE with everyone group
     url = client.app.router["delete_tag_group"].url_for(
-        tag_id=f"{tag_id}", group_id=f"{EVERYONE_GROUP_ID}"
+        tag_id=f"{user_tag_id}", group_id=f"{EVERYONE_GROUP_ID}"
     )
     resp = await client.delete(
         f"{url}",
         json={"read": True, "write": True, "delete": True},
     )
     _, error = await assert_status(resp, status.HTTP_403_FORBIDDEN)
     assert error
+
+
+@pytest.fixture
+def product_name() -> str:
+    return "osparc"
+
+
+@pytest.mark.parametrize(
+    "user_role,expected_status",
+    [
+        (
+            role,
+            status.HTTP_403_FORBIDDEN if role < UserRole.TESTER else status.HTTP_200_OK,
+        )
+        for role in UserRole
+        if role >= UserRole.USER
+    ],
+)
+async def test_can_share_tag_with_product_group_if_granted_by_role(
+    client: TestClient,
+    logged_user: UserInfoDict,
+    user_role: UserRole,
+    user_tag_id: IdInt,
+    expected_status: int,
+    _clean_tags_table: None,
+    product_name: ProductName,
+):
+    assert client.app
+    assert UserRole(logged_user["role"]) == user_role
+
+    product_group_id = get_product(client.app, product_name=product_name).group_id
+
+    # cannot SHARE with everyone group
+    url = client.app.router["create_tag_group"].url_for(
+        tag_id=f"{user_tag_id}", group_id=f"{product_group_id}"
+    )
+    resp = await client.post(
+        f"{url}",
+        json={"read": True, "write": True, "delete": True},
+    )
+    await assert_status(resp, expected_status)