Add Roles' method has_permissions.

jfrancoa · jfrancoa · commit 6cc9c2f0f038 · 2024-11-29T10:48:21.000+01:00
This commit adds a new method has_permissions, which
returns true or false if the permissions passed in
the method's argument are present in the role. Otherwise
it will return false.
diff --git a/integration/test_rbac.py b/integration/test_rbac.py
@@ -1,5 +1,6 @@
+from typing import Generator, List, Callable
 import pytest
-
+import weaviate
 from integration.conftest import ClientFactory
 from weaviate.auth import Auth
 from weaviate.rbac.models import (
@@ -12,8 +13,10 @@
     NodesPermission,
 )
 
-RBAC_PORTS = (8092, 50063)
-RBAC_AUTH_CREDS = Auth.api_key("existing-key")
+# RBAC_PORTS = (8092, 50063)
+# RBAC_AUTH_CREDS = Auth.api_key("existing-key")
+RBAC_PORTS = (8080, 50051)
+RBAC_AUTH_CREDS = Auth.api_key("admin-key")
 
 
 @pytest.mark.parametrize(
@@ -241,3 +244,182 @@ def test_downsert_permissions(client_factory: ClientFactory) -> None:
             assert role is None
         finally:
             client.roles.delete(role_name)
+
+
+@pytest.fixture
+def test_has_permissions_setup(client_factory: ClientFactory) -> Generator[Callable, None, None]:
+    created_roles = set()
+
+    def _setup(role_name: str, permissions: List[RBAC.permissions]) -> weaviate.WeaviateClient:
+        client = client_factory(ports=RBAC_PORTS, auth_credentials=RBAC_AUTH_CREDS).__enter__()
+        if client._connection._weaviate_version.is_lower_than(1, 28, 0):
+            pytest.skip("This test requires Weaviate 1.28.0 or higher")
+        client.roles.create(name=role_name, permissions=permissions)
+        created_roles.add(role_name)
+        return client
+
+    yield _setup
+
+    # Cleanup after all tests
+    client = client_factory(ports=RBAC_PORTS, auth_credentials=RBAC_AUTH_CREDS)
+    try:
+        for role_name in created_roles:
+            try:
+                client.roles.delete(role_name)
+            except Exception as e:
+                print(f"Warning: Failed to cleanup role {role_name}: {str(e)}")
+    finally:
+        client.close()
+
+
+@pytest.mark.parametrize(
+    "role_name,permissions,expected",
+    [
+        # Data permissions test
+        (
+            "data_role",
+            [
+                RBAC.permissions.data.read(collection="TestCollection"),
+                RBAC.permissions.data.update(collection="TestCollection"),
+            ],
+            [
+                (RBAC.permissions.data.read(collection="TestCollection"), True),
+                (RBAC.permissions.data.update(collection="TestCollection"), True),
+                (RBAC.permissions.data.delete(collection="TestCollection"), False),
+                (RBAC.permissions.data.read(collection="OtherCollection"), False),
+            ],
+        ),
+        # Config permissions test
+        (
+            "config_role",
+            [
+                RBAC.permissions.config.update(collection="TestCollection"),
+            ],
+            [
+                (RBAC.permissions.config.update(collection="TestCollection"), True),
+                (RBAC.permissions.config.update(collection="OtherCollection"), False),
+            ],
+        ),
+        # Cluster permissions test
+        (
+            "cluster_role",
+            [
+                RBAC.permissions.cluster.read(),
+            ],
+            [
+                (RBAC.permissions.cluster.read(), True),
+                (RBAC.permissions.config.update(collection="OtherCollection"), False),
+            ],
+        ),
+        # Nodes permissions test
+        (
+            "nodes_role",
+            [
+                RBAC.permissions.nodes.read(collection="TestCollection", verbosity="verbose"),
+            ],
+            [
+                (
+                    RBAC.permissions.nodes.read(collection="TestCollection", verbosity="verbose"),
+                    True,
+                ),
+                (
+                    RBAC.permissions.nodes.read(collection="OtherCollection", verbosity="minimal"),
+                    False,
+                ),
+                (
+                    RBAC.permissions.nodes.read(collection="TestCollection", verbosity="minimal"),
+                    False,
+                ),
+            ],
+        ),
+        # Users permissions test with wildcard
+        (
+            "users_role",
+            [
+                RBAC.permissions.users.manage(user="*"),
+            ],
+            [
+                (RBAC.permissions.users.manage(user="*"), True),
+                (RBAC.permissions.users.manage(user="specific_user"), False),
+            ],
+        ),
+        # Roles permissions test
+        (
+            "roles_role",
+            [
+                RBAC.permissions.roles.manage(role="newrole"),
+            ],
+            [
+                (RBAC.permissions.roles.manage(role="newrole"), True),
+                (RBAC.permissions.roles.manage(role="otherrole"), False),
+            ],
+        ),
+        # Backups permissions test
+        (
+            "backups_role",
+            [
+                RBAC.permissions.backups.manage(collection="testcollection"),
+            ],
+            [
+                (RBAC.permissions.backups.manage(collection="testcollection"), True),
+                (RBAC.permissions.backups.manage(collection="othercollection"), False),
+            ],
+        ),
+        # Multiple permission types test
+        (
+            "mixed_role",
+            [
+                RBAC.permissions.data.read(collection="TestCollection"),
+                RBAC.permissions.config.update(collection="TestCollection"),
+                RBAC.permissions.cluster.read(),
+                RBAC.permissions.nodes.read(collection="TestCollection", verbosity="verbose"),
+            ],
+            [
+                (RBAC.permissions.data.read(collection="TestCollection"), True),
+                (RBAC.permissions.config.update(collection="TestCollection"), True),
+                (RBAC.permissions.cluster.read(), True),
+                (
+                    RBAC.permissions.nodes.read(collection="TestCollection", verbosity="verbose"),
+                    True,
+                ),
+                (RBAC.permissions.nodes.read(verbosity="verbose"), False),
+                (RBAC.permissions.data.update(collection="TestCollection"), False),
+                (
+                    [
+                        RBAC.permissions.data.read(collection="TestCollection"),
+                        RBAC.permissions.config.update(collection="TestCollection"),
+                        RBAC.permissions.cluster.read(),
+                    ],
+                    True,
+                ),
+                (
+                    [
+                        RBAC.permissions.data.read(collection="TestCollection"),
+                        RBAC.permissions.data.delete(collection="TestCollection"),
+                    ],
+                    False,
+                ),
+            ],
+        ),
+    ],
+)
+def test_has_permissions(
+    test_has_permissions_setup: weaviate.WeaviateClient, role_name, permissions, expected
+):
+    """Test has_permissions with different permission combinations.
+
+    Args:
+        client: The Weaviate client
+        role_name: Name of the role to create
+        permissions: List of permissions to assign to the role
+        expected: List of (permission, expected_result) tuples to test
+    """
+    # Create role with permissions
+    client = test_has_permissions_setup(role_name, permissions)
+    # Test each permission combination
+    for permission, expected_result in expected:
+        result = client.roles.has_permissions(
+            permissions=permission,
+            role=role_name,
+        )
+        assert result == expected_result, f"Permission check failed for {permission}"
diff --git a/weaviate/rbac/roles.py b/weaviate/rbac/roles.py
@@ -10,6 +10,13 @@
     User,
     WeaviatePermission,
     WeaviateRole,
+    ClusterAction,
+    UsersAction,
+    ConfigAction,
+    RolesAction,
+    DataAction,
+    BackupsAction,
+    NodesAction,
 )
 
 
@@ -256,3 +263,66 @@ async def remove_permissions(self, *, permissions: Permissions, role: str) -> No
         await self._remove_permissions(
             [permission._to_weaviate() for permission in permissions], role
         )
+
+    async def has_permissions(self, *, permissions: Permissions, role: str) -> bool:
+        """Check if a role has specific permissions.
+
+        Args:
+            permissions: The permissions to check for.
+            role: The role to check the permissions of.
+
+        Returns:
+            True if the role has all the specified permissions, False otherwise.
+        """
+        if isinstance(permissions, _Permission):
+            permissions = [permissions]
+
+        role_obj = await self._get_role(role)
+        if role_obj is None:
+            return False
+
+        def normalize_permission(perm: WeaviatePermission) -> dict:
+            """Extract only the relevant fields for comparison based on action type."""
+            action = perm["action"]
+
+            if action in ClusterAction.values():
+                return {"action": action}
+            elif action in UsersAction.values():
+                return {"action": action, "user": perm["user"]}
+            elif action in ConfigAction.values():
+                return {
+                    "action": action,
+                    "collection": perm["collection"],
+                    "tenant": perm.get("tenant", "*"),
+                }
+            elif action in RolesAction.values():
+                return {"action": action, "role": perm["role"]}
+            elif action in DataAction.values():
+                return {"action": action, "collection": perm["collection"]}
+            elif action in BackupsAction.values():
+                return {"action": action, "backup": {"collection": perm["backup"]["collection"]}}
+            elif action in NodesAction.values():
+                return {
+                    "action": action,
+                    "nodes": {
+                        "collection": perm["nodes"].get("collection", "*"),
+                        "verbosity": perm["nodes"]["verbosity"],
+                    },
+                }
+            # Default case: return a dict with all fields from the permission
+            return dict(perm)
+
+        # Convert input permissions to normalized format
+        check_perms = {
+            json.dumps(normalize_permission(perm._to_weaviate()), sort_keys=True)
+            for perm in permissions
+        }
+
+        # Convert role permissions to normalized format
+        role_perms = {
+            json.dumps(normalize_permission(perm), sort_keys=True)
+            for perm in role_obj["permissions"]
+        }
+
+        # Check if all normalized input permissions exist in normalized role permissions
+        return check_perms.issubset(role_perms)
