add generic superadmin flag to endpoints (#1038)

* add generic superadmin flag

* complete the logic

* add force_admin flag to endpoints

* fix codegen error

* merge, rename to enable_admin

* fix codegen

* fix codegen

* Added enable_admin to FeedAuthorization.

---------

Co-authored-by: Bing Zhang <[email protected]>
Co-authored-by: Luigi Marini <[email protected]>

Author: 3 people

backend/app/deps/authorization_deps.py

@@ -44,6 +44,7 @@ async def check_public_access(
 async def get_role(
     dataset_id: str,
     current_user=Depends(get_current_username),
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
     admin=Depends(get_admin),
 ) -> RoleType:
@@ -70,6 +71,7 @@ async def get_role(
 async def get_role_by_file(
     file_id: str,
     current_user=Depends(get_current_username),
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
     admin=Depends(get_admin),
 ) -> RoleType:
@@ -107,6 +109,7 @@ async def get_role_by_file(
 async def get_role_by_metadata(
     metadata_id: str,
     current_user=Depends(get_current_username),
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
     admin=Depends(get_admin),
 ) -> RoleType:
@@ -145,6 +148,7 @@ async def get_role_by_metadata(
 async def get_role_by_group(
     group_id: str,
     current_user=Depends(get_current_username),
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
     admin=Depends(get_admin),
 ) -> RoleType:
@@ -209,6 +213,7 @@ async def __call__(
         self,
         dataset_id: str,
         current_user: str = Depends(get_current_username),
+        enable_admin: bool = False,
         admin_mode: bool = Depends(get_admin_mode),
         admin: bool = Depends(get_admin),
         readonly: bool = Depends(get_read_only_user),
@@ -270,6 +275,7 @@ async def __call__(
         self,
         file_id: str,
         current_user: str = Depends(get_current_username),
+        enable_admin: bool = False,
         admin_mode: bool = Depends(get_admin_mode),
         admin: bool = Depends(get_admin),
     ):
@@ -316,6 +322,7 @@ async def __call__(
         self,
         metadata_id: str,
         current_user: str = Depends(get_current_username),
+        enable_admin: bool = False,
         admin_mode: bool = Depends(get_admin_mode),
         admin: bool = Depends(get_admin),
     ):
@@ -385,6 +392,7 @@ async def __call__(
         self,
         group_id: str,
         current_user: str = Depends(get_current_username),
+        enable_admin: bool = False,
         admin_mode: bool = Depends(get_admin_mode),
         admin: bool = Depends(get_admin),
     ):
@@ -422,6 +430,7 @@ async def __call__(
         self,
         listener_id: str,
         current_user: str = Depends(get_current_username),
+        enable_admin: bool = False,
         admin_mode: bool = Depends(get_admin_mode),
         admin: bool = Depends(get_admin),
     ):
@@ -457,6 +466,7 @@ async def __call__(
         self,
         feed_id: str,
         current_user: str = Depends(get_current_username),
+        enable_admin: bool = False,
         admin_mode: bool = Depends(get_admin_mode),
         admin: bool = Depends(get_admin),
     ):
@@ -531,6 +541,7 @@ async def __call__(
 def access(
     user_role: RoleType,
     role_required: RoleType,
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
     admin: bool = Depends(get_admin),
     read_only_user: bool = Depends(get_read_only_user),

backend/app/routers/authentication.py

@@ -1,13 +1,5 @@
 import json
 
-from app.keycloak_auth import (
-    create_user,
-    enable_disable_user,
-    get_current_user,
-    keycloak_openid,
-)
-from app.models.datasets import DatasetDBViewList
-from app.models.users import UserDB, UserIn, UserLogin, UserOut
 from beanie import PydanticObjectId
 from fastapi import APIRouter, Depends, HTTPException
 from keycloak.exceptions import (
@@ -17,6 +9,15 @@
 )
 from passlib.hash import bcrypt
 
+from app.keycloak_auth import (
+    create_user,
+    enable_disable_user,
+    get_current_user,
+    keycloak_openid,
+)
+from app.models.datasets import DatasetDBViewList
+from app.models.users import UserDB, UserIn, UserLogin, UserOut
+
 router = APIRouter()
 
 
@@ -120,13 +121,20 @@ async def get_admin(
 
 
 @router.get("/users/me/admin_mode")
-async def get_admin_mode(current_username=Depends(get_current_user)) -> bool:
+async def get_admin_mode(
+    enable_admin: bool = False, current_username=Depends(get_current_user)
+) -> bool:
     """Get Admin mode from User Object."""
     if (
         current_user := await UserDB.find_one(UserDB.email == current_username.email)
     ) is not None:
-        if current_user.admin_mode is not None:
-            return current_user.admin_mode
+        if current_user.admin:
+            if enable_admin:
+                return True
+            elif current_user.admin_mode is not None:
+                return current_user.admin_mode
+            else:
+                return False
         else:
             return False
     else:

backend/app/routers/authorization.py

@@ -71,6 +71,7 @@ async def save_authorization(
 async def get_dataset_role(
     dataset_id: str,
     current_user=Depends(get_current_username),
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
     admin=Depends(get_admin),
 ):

backend/app/routers/datasets.py

@@ -224,6 +224,7 @@ async def get_datasets(
     limit: int = 10,
     mine: bool = False,
     admin=Depends(get_admin),
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
 ):
     query = [DatasetDBViewList.frozen == False]  # noqa: E712
@@ -308,6 +309,7 @@ async def get_dataset_files(
     skip: int = 0,
     limit: int = 10,
     admin=Depends(get_admin),
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
     allow: bool = Depends(Authorization("viewer")),
 ):
@@ -753,6 +755,7 @@ async def get_dataset_folders_and_files(
     skip: int = 0,
     limit: int = 10,
     admin=Depends(get_admin),
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
     allow: bool = Depends(Authorization("viewer")),
 ):

backend/app/routers/elasticsearch.py

@@ -52,6 +52,7 @@ async def search(
     query: str,
     username=Depends(get_current_username),
     admin=Depends(get_admin),
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
 ):
     es = await connect_elasticsearch()
@@ -64,6 +65,7 @@ async def msearch(
     request: Request,
     username=Depends(get_current_username),
     admin=Depends(get_admin),
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
 ):
     es = await connect_elasticsearch()

backend/app/routers/feeds.py

@@ -186,6 +186,7 @@ async def associate_listener(
     listener: FeedListener,
     user=Depends(get_current_user),
     admin=Depends(get_admin),
+    enable_admin: bool = False,
     admin_mode=Depends(get_admin_mode),
     allow: bool = Depends(FeedAuthorization()),
 ):

backend/app/routers/groups.py

@@ -1,6 +1,10 @@
 from datetime import datetime
 from typing import Optional
 
+from beanie import PydanticObjectId
+from beanie.operators import Or, Push, RegEx
+from bson.objectid import ObjectId
+from fastapi import APIRouter, Depends, HTTPException
 from app import dependencies
 from app.deps.authorization_deps import AuthorizationDB, GroupAuthorization
 from app.keycloak_auth import get_current_user, get_user
@@ -10,6 +14,7 @@
 from app.models.pages import Paged, _construct_page_metadata, _get_page_query
 from app.models.users import UserDB, UserOut
 from app.routers.authentication import get_admin, get_admin_mode
+
 from app.search.index import index_dataset, index_dataset_files
 from beanie import PydanticObjectId
 from beanie.operators import Or, Push, RegEx
@@ -37,6 +42,7 @@ async def get_groups(
     user_id=Depends(get_user),
     skip: int = 0,
     limit: int = 10,
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
     admin=Depends(get_admin),
 ):
@@ -82,6 +88,7 @@ async def search_group(
     user_id=Depends(get_user),
     skip: int = 0,
     limit: int = 10,
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
     admin=Depends(get_admin),
 ):

backend/app/routers/licenses.py

@@ -65,6 +65,7 @@ async def edit_license(
     license_info: LicenseBase,
     user_id=Depends(get_user),
     admin=Depends(get_admin),
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
 ):
     if (license := await LicenseDB.get(PydanticObjectId(license_id))) is not None:
@@ -105,6 +106,7 @@ async def delete_license(
     license_id: str,
     user_id=Depends(get_user),
     admin=Depends(get_admin),
+    enable_admin: bool = False,
     admin_mode: bool = Depends(get_admin_mode),
 ):
     if (license := await LicenseDB.get(PydanticObjectId(license_id))) is not None:

backend/app/routers/listeners.py

@@ -201,6 +201,7 @@ async def search_listeners(
     user=Depends(get_current_username),
     process: Optional[str] = None,
     admin=Depends(get_admin),
+    enable_admin: bool = False,
     admin_mode=Depends(get_admin_mode),
 ):
     """Search all Event Listeners in the db based on text.
@@ -306,6 +307,7 @@ async def get_listeners(
     process: Optional[str] = None,
     all: Optional[bool] = False,
     admin=Depends(get_admin),
+    enable_admin: bool = False,
     admin_mode=Depends(get_admin_mode),
 ):
     """Get a list of all Event Listeners in the db.