refactor access_rights

Author: Andrei Neagu

services/storage/src/simcore_service_storage/modules/db/access_layer.py

@@ -262,19 +262,13 @@ async def get_project_access_rights(
         # determine user's access rights by aggregating AR of all groups
         return _aggregate_access_rights(row.access_rights, user_group_ids)
 
-    async def get_file_access_rights(  # pylint:disable=too-many-return-statements # noqa: PLR0911
+    async def _get_access_from_metadata_entry(
         self,
         *,
-        connection: AsyncConnection | None = None,
+        connection: AsyncConnection | None,
         user_id: UserID,
         file_id: StorageFileID,
-    ) -> AccessRights:
-        """
-        Returns access-rights of user (user_id) over data file resource (file_id)
-
-        raises InvalidFileIdentifier
-        """
-
+    ) -> AccessRights | None:
         #
         # 1. file registered in file_meta_data table
         #
@@ -285,67 +279,100 @@ async def get_file_access_rights(  # pylint:disable=too-many-return-statements #
             result = await conn.execute(stmt)
             row = result.one_or_none()
 
-        if row:
-            if int(row.user_id) == user_id:
-                # is owner
+        if not row:
+            return None
+
+        if int(row.user_id) == user_id:
+            # is owner
+            return AccessRights.all()
+
+        if not row.project_id:
+            # not owner and not shared via project
+            return AccessRights.none()
+
+        # has associated project
+        access_rights = await self.get_project_access_rights(
+            user_id=user_id, project_id=row.project_id
+        )
+        if not access_rights:
+            _logger.warning(
+                "File %s references a project %s that does not exists in db. "
+                " TIP: Audit sync between files_meta_data and projects tables",
+                file_id,
+                row.project_id,
+            )
+            return AccessRights.none()
+
+        return access_rights
+
+    async def _get_access_without_metardata_entry(
+        self,
+        *,
+        user_id: UserID,
+        file_id: StorageFileID,
+    ) -> AccessRights:
+        #
+        # 2. file is NOT registered in meta-data table e.g. it is about to be uploaded or it was deleted
+        #    We rely on the assumption that file_id is formatted either as
+        #
+        #       - project's data: {project_id}/{node_id}/{filename/with/possible/folders}
+        #       - API data:       api/{file_id}/{filename/with/possible/folders}
+        #       - Exporter data:  exporter/{user_id}/{filename/with/possible/folders}
+        #
+
+        try:
+            parent, _, _ = file_id.split("/", maxsplit=2)
+
+            if parent == "api":
+                # ownership still not defined, so we assume it is user_id
                 return AccessRights.all()
 
-            if not row.project_id:
-                # not owner and not shared via project
-                return AccessRights.none()
+            if parent == EXPORTS_S3_PREFIX:
+                # ownership still not defined, so we assume it is user_id
+                # NOTE: all permissions are required for: downloading, uploading and aborting
+                return AccessRights.all()
 
-            # has associated project
+            # otherwise assert 'parent' string corresponds to a valid UUID
             access_rights = await self.get_project_access_rights(
-                user_id=user_id, project_id=row.project_id
+                user_id=user_id, project_id=ProjectID(parent)
             )
             if not access_rights:
                 _logger.warning(
-                    "File %s references a project %s that does not exists in db."
-                    "TIP: Audit sync between files_meta_data and projects tables",
+                    "File %s references a project that does not exists in db",
                     file_id,
-                    row.project_id,
                 )
                 return AccessRights.none()
 
-        else:
-            #
-            # 2. file is NOT registered in meta-data table e.g. it is about to be uploaded or it was deleted
-            #    We rely on the assumption that file_id is formatted either as
-            #
-            #       - project's data: {project_id}/{node_id}/{filename/with/possible/folders}
-            #       - API data:       api/{file_id}/{filename/with/possible/folders}
-            #       - Exporter data:  exporter/{user_id}/{filename/with/possible/folders}
-            #
-            try:
-                parent, _, _ = file_id.split("/", maxsplit=2)
-
-                if parent == "api":
-                    # ownership still not defined, so we assume it is user_id
-                    return AccessRights.all()
-
-                if parent == EXPORTS_S3_PREFIX:
-                    # ownership still not defined, so we assume it is user_id
-                    # NOTE: all permissions are required for: downloading, uploading and aborting
-                    return AccessRights.all()
-
-                # otherwise assert 'parent' string corresponds to a valid UUID
-                access_rights = await self.get_project_access_rights(
-                    user_id=user_id, project_id=ProjectID(parent)
-                )
-                if not access_rights:
-                    _logger.warning(
-                        "File %s references a project that does not exists in db",
-                        file_id,
-                    )
-                    return AccessRights.none()
+            return access_rights
 
-            except (ValueError, AttributeError) as err:
-                raise InvalidFileIdentifierError(
-                    identifier=file_id,
-                    details=str(err),
-                ) from err
+        except (ValueError, AttributeError) as err:
+            raise InvalidFileIdentifierError(
+                identifier=file_id,
+                details=str(err),
+            ) from err
 
-        return access_rights
+    async def get_file_access_rights(
+        self,
+        *,
+        connection: AsyncConnection | None = None,
+        user_id: UserID,
+        file_id: StorageFileID,
+    ) -> AccessRights:
+        """
+        Returns access-rights of user (user_id) over data file resource (file_id)
+
+        Raises InvalidFileIdentifierError
+        """
+        access_rights = await self._get_access_from_metadata_entry(
+            connection=connection, user_id=user_id, file_id=file_id
+        )
+
+        if access_rights is not None:
+            return access_rights
+
+        return await self._get_access_without_metardata_entry(
+            user_id=user_id, file_id=file_id
+        )
 
     async def get_readable_project_ids(
         self, *, connection: AsyncConnection | None = None, user_id: UserID

services/storage/tests/unit/test_async_jobs.py

@@ -2,6 +2,7 @@
 # pylint: disable=unused-argument
 
 from dataclasses import dataclass
+from datetime import timedelta
 from typing import Any
 from uuid import UUID
 
@@ -28,7 +29,7 @@
 from pytest_mock import MockerFixture
 from servicelib.rabbitmq import RabbitMQRPCClient
 from servicelib.rabbitmq.rpc_interfaces.async_jobs import async_jobs
-from simcore_service_storage.modules.celery._task import _wrap_exception
+from simcore_service_storage.modules.celery._task import _error_handling
 from simcore_service_storage.modules.celery.client import TaskUUID
 from simcore_service_storage.modules.celery.models import TaskState, TaskStatus
 
@@ -69,7 +70,9 @@ async def get_task_result(self, *args, **kwargs) -> Any:
         _ = kwargs
         assert self.get_task_result_object is not None
         if isinstance(self.get_task_result_object, Exception):
-            return _wrap_exception(self.get_task_result_object)
+            return _error_handling(1, timedelta(seconds=1), tuple())(
+                self.get_task_result_object
+            )
         return self.get_task_result_object
 
     async def get_task_uuids(self, *args, **kwargs) -> set[TaskUUID]: