From 60b85e6ad576de010cb54f3e17f6c3caf07b6d05 Mon Sep 17 00:00:00 2001 From: Unix Date: Wed, 31 Mar 2021 13:54:25 +0200 Subject: [PATCH] global: repo cleanup --- .github/workflows/tests.yml | 47 ++++++++++++++++--- invenio_config_tugraz/base_permissions.py | 54 ++++++++++----------- invenio_config_tugraz/config.py | 13 ++---- invenio_config_tugraz/generators.py | 21 +-------- invenio_config_tugraz/rdm_permissions.py | 57 +++++++---------------- setup.py | 28 +++++++---- tests/test_generators.py | 13 +----- 7 files changed, 110 insertions(+), 123 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index dc2eccb..16586e9 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -20,9 +20,42 @@ jobs: runs-on: ubuntu-20.04 strategy: matrix: - python-version: [3.6, 3.7, 3.8] + python-version: [3.6, 3.7, 3.8, 3.9] requirements-level: [min, pypi] + db-service: [postgresql12] + search-service: [elasticsearch7] + exclude: + - python-version: 3.6 + requirements-level: pypi + - python-version: 3.7 + requirements-level: min + + - python-version: 3.8 + requirements-level: min + + - python-version: 3.9 + requirements-level: min + + - db-service: postgresql12 + requirements-level: min + + - search-service: elasticsearch7 + requirements-level: min + + include: + + - db-service: postgresql12 + DB_EXTRAS: "postgresql" + + + - search-service: elasticsearch7 + SEARCH_EXTRAS: "elasticsearch7" + + env: + DB: ${{ matrix.db-service }} + SEARCH: ${{ matrix.search-service }} + EXTRAS: all,${{ matrix.DB_EXTRAS }},${{ matrix.SEARCH_EXTRAS }} steps: - name: Checkout uses: actions/checkout@v2 
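Review bot: The last two `exclude` entries (`db-service: postgresql12` with `requirements-level: min`, and `search-service: elasticsearch7` with `requirements-level: min`) match every `min` job, because each of those axes has only that one value and an exclude entry needs only a partial match. Together with the `python-version: 3.6` / `requirements-level: pypi` entry this leaves no job for Python 3.6 and no job at the `min` level, so the lower bounds declared in setup.py are never installed or tested. If 3.6 is meant to carry the `min` run, drop those two entries and keep only the 3.7–3.9 `min` excludes. Otherwise remove `3.6` and `min` from the matrix so the file states what actually runs.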
@@ -35,8 +68,7 @@ jobs: - name: Generate dependencies run: | python -m pip install --upgrade pip setuptools py wheel requirements-builder - requirements-builder -e all --level=${{ matrix.requirements-level }} setup.py > .${{ matrix.requirements-level }}-${{ matrix.python-version }}-requirements.txt - + requirements-builder -e "$EXTRAS" --level=${{ matrix.requirements-level }} setup.py > .${{ matrix.requirements-level }}-${{ matrix.python-version }}-requirements.txt - name: Cache pip uses: actions/cache@v2 with: @@ -45,10 +77,11 @@ jobs: - name: Install dependencies run: | - pip install -r .${{matrix.requirements-level}}-${{ matrix.python-version }}-requirements.txt - pip install .[all] + pip install -r .${{ matrix.requirements-level }}-${{ matrix.python-version }}-requirements.txt + pip install ".[$EXTRAS]" pip freeze - + docker --version + docker-compose --version - name: Run tests run: | - ./run-tests.sh \ No newline at end of file + ./run-tests.sh diff --git a/invenio_config_tugraz/base_permissions.py b/invenio_config_tugraz/base_permissions.py index c16bea2..9511c41 100644 --- a/invenio_config_tugraz/base_permissions.py +++ b/invenio_config_tugraz/base_permissions.py @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- # -# Copyright (C) 2020 Graz University of Technology. +# Copyright (C) 2020-2021 Graz University of Technology. # # invenio-config-tugraz is free software; you can redistribute it and/or # modify it under the terms of the MIT License; see LICENSE file for more 
@@ -49,40 +49,40 @@ Using Custom Generator for a policy: Permissions for Invenio records. """ -from invenio_records_permissions.generators import ( - Admin, - AnyUser, - AnyUserIfPublic, - RecordOwners, -) -from invenio_records_permissions.policies.base import BasePermissionPolicy +# from invenio_records_permissions.generators import ( +# Admin, +# AnyUser, +# AnyUserIfPublic, +# RecordOwners, +# ) +# from invenio_records_permissions.policies.base import BasePermissionPolicy -from .generators import RecordIp +# from .generators import RecordIp -class TUGRAZPermissionPolicy(BasePermissionPolicy): - """Access control configuration for records. +# class TUGRAZPermissionPolicy(BasePermissionPolicy): +# """Access control configuration for records. - This overrides the /api/records endpoint. +# This overrides the /api/records endpoint. - """ +# """ - # Read access to API given to everyone. - can_search = [AnyUser(), RecordIp()] +# # Read access to API given to everyone. +# can_search = [AnyUser(), RecordIp()] - # Read access given to everyone if public record/files and owners always. - can_read = [AnyUserIfPublic(), RecordOwners(), RecordIp()] +# # Read access given to everyone if public record/files and owners always. +# can_read = [AnyUserIfPublic(), RecordOwners(), RecordIp()] - # Create action given to no one (Not even superusers) bc Deposits should - # be used. - can_create = [AnyUser()] +# # Create action given to no one (Not even superusers) bc Deposits should +# # be used. +# can_create = [AnyUser()] - # Update access given to record owners. - can_update = [RecordOwners()] +# # Update access given to record owners. +# can_update = [RecordOwners()] - # Delete access given to admins only. - can_delete = [Admin()] +# # Delete access given to admins only. 
+# can_delete = [Admin()] - # Associated files permissions (which are really bucket permissions) - can_read_files = [AnyUserIfPublic(), RecordOwners()] - can_update_files = [RecordOwners()] +# # Associated files permissions (which are really bucket permissions) +# can_read_files = [AnyUserIfPublic(), RecordOwners()] +# can_update_files = [RecordOwners()] diff --git a/invenio_config_tugraz/config.py b/invenio_config_tugraz/config.py index e2ad456..da192a0 100644 --- a/invenio_config_tugraz/config.py +++ b/invenio_config_tugraz/config.py @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- # -# Copyright (C) 2020 Graz University of Technology. +# Copyright (C) 2020-2021 Graz University of Technology. # # invenio-config-tugraz is free software; you can redistribute it and/or # modify it under the terms of the MIT License; see LICENSE file for more @@ -198,16 +198,9 @@ RECAPTCHA_PRIVATE_KEY = None # ======= # See: # https://invenio-records-permissions.readthedocs.io/en/latest/configuration.html -# -# Uncomment these to enable overriding Base permissions - (NOT RECOMMANDED) -# RECORDS_PERMISSIONS_RECORD_POLICY = ( -# 'invenio_config_tugraz.base_permissions.TUGRAZPermissionPolicy' -# ) -# # Uncomment these to enable overriding RDM permissions -# RDM_RECORDS_BIBLIOGRAPHIC_SERVICE_CONFIG = ( -# 'invenio_config_tugraz.rdm_permissions.TUGRAZBibliographicRecordServiceConfig' -# ) +# from .rdm_permissions import TUGRAZRDMRecordServiceConfig +# RDM_RECORDS_BIBLIOGRAPHIC_SERVICE_CONFIG = TUGRAZRDMRecordServiceConfig """Access control configuration for records.""" # invenio-rdm-records diff --git a/invenio_config_tugraz/generators.py b/invenio_config_tugraz/generators.py index 39eef42..2faec0b 100644 --- a/invenio_config_tugraz/generators.py +++ b/invenio_config_tugraz/generators.py 
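Review bot: The policy class and its imports in base_permissions.py are commented out line by line instead of being deleted, so the module keeps a block of dead access-control rules that can be brought back by uncommenting, without the scrutiny a new policy would get. Inside that block the comment `Create action given to no one` sits directly above `can_create = [AnyUser()]`, which grants the opposite of what it says. I would delete the block outright (version control keeps the history) and leave only the module docstring. The module docstring's usage examples start outside this hunk and may need the same treatment.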
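Review bot: Uncommenting the new example in config.py would not switch on the TU Graz policy, as far as this diff shows, because in the same commit `TUGRAZRDMRecordServiceConfig` (rdm_permissions.py) loses its `permission_policy_cls = TUGRAZPermissionPolicy` line and is left with a docstring only. The heading kept above the example still says it overrides RDM permissions, so an operator following it would run with the upstream policy while believing the local one is active. Either keep `permission_policy_cls = TUGRAZPermissionPolicy` on the class or reword the heading. It is also not visible here whether the pinned invenio-rdm-records release still reads `RDM_RECORDS_BIBLIOGRAPHIC_SERVICE_CONFIG` after the base class was renamed to `RDMRecordServiceConfig`; that should be confirmed before the example is documented.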
@@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- # -# Copyright (C) 2020 Mojib Wali. +# Copyright (C) 2020-2021 Graz University of Technology. # # invenio-config-tugraz is free software; you can redistribute it and/or # modify it under the terms of the MIT License; see LICENSE file for more @@ -153,7 +153,7 @@ The succinct encoding of the permissions for your instance gives you from elasticsearch_dsl.query import Q from flask import current_app, request -from invenio_access.permissions import any_user, authenticated_user, superuser_access +from invenio_access.permissions import any_user, superuser_access from invenio_records_permissions.generators import Generator @@ -221,20 +221,3 @@ class RecordIp(Generator): if user_ip in current_app.config["INVENIO_CONFIG_TUGRAZ_SINGLE_IP"]: return True return False - - -class AuthenticatedUser(Generator): - """Allows authenticated users.""" - - def __init__(self): - """Constructor.""" - super(AuthenticatedUser, self).__init__() - - def needs(self, **kwargs): - """Enabling Needs.""" - return [authenticated_user] - - def query_filter(self, **kwargs): - """Filters for current identity as super user.""" - # TODO: Implement with new permissions metadata - return [] diff --git a/invenio_config_tugraz/rdm_permissions.py b/invenio_config_tugraz/rdm_permissions.py index 34e3f1d..d15e2cb 100644 --- a/invenio_config_tugraz/rdm_permissions.py +++ b/invenio_config_tugraz/rdm_permissions.py @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- # -# Copyright (C) 2020 Graz University of Technology. +# Copyright (C) 2020-2021 Graz University of Technology. # # invenio-config-tugraz is free software; you can redistribute it and/or # modify it under the terms of the MIT License; see LICENSE file for more 
@@ -53,59 +53,34 @@ Using Custom Generator for a policy: Permissions for Invenio (RDM) Records. """ -from invenio_rdm_records.services import ( - BibliographicRecordServiceConfig, - RDMRecordPermissionPolicy, -) +from invenio_rdm_records.services import RDMRecordPermissionPolicy +from invenio_rdm_records.services.config import RDMRecordServiceConfig +from invenio_rdm_records.services.generators import IfDraft, IfRestricted, RecordOwners from invenio_records_permissions.generators import ( Admin, AnyUser, - RecordOwners, + AuthenticatedUser, + Disable, SuperUser, + SystemProcess, ) -from .generators import AuthenticatedUser, RecordIp - class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy): """Access control configuration for rdm records. This overrides the origin: https://github.com/inveniosoftware/invenio-rdm-records/blob/master/invenio_rdm_records/services/permissions.py. - + Access control configuration for records. + Note that even if the array is empty, the invenio_access Permission class + always adds the ``superuser-access``, so admins will always be allowed. + - Create action given to everyone for now. + - Read access given to everyone if public record and given to owners + always. (inherited) + - Update access given to record owners. (inherited) + - Delete access given to admins only. (inherited) """ - # Read access given to: - # TODO: - # AnyUserIfPublic : grant access if record is public - # RecordIp: grant access for single_ip - # RecordOwners: owner of records, enable once the deposit is allowed only for loged-in users. - # CURRENT: - # RecordIp: grant access for single_ip - can_read = [RecordIp()] # RecordOwners() - # Search access given to: - # AnyUser : grant access anyUser - # RecordIp: grant access for single_ip - can_search = [AnyUser(), RecordIp()] - - # Update access given to record owners. - can_update = [RecordOwners()] - - # Delete access given to admins only. 
- can_delete = [Admin()] - - # Create action given to AuthenticatedUser - # UI - if user is loged in - # API - if user has Access token (Bearer API-TOKEN) - can_create = [AuthenticatedUser()] - - # Associated files permissions (which are really bucket permissions) - # can_read_files = [AnyUserIfPublic(), RecordOwners()] - # can_update_files = [RecordOwners()] - - -class TUGRAZBibliographicRecordServiceConfig(BibliographicRecordServiceConfig): +class TUGRAZRDMRecordServiceConfig(RDMRecordServiceConfig): """Overriding BibliographicRecordServiceConfig.""" - - permission_policy_cls = TUGRAZPermissionPolicy diff --git a/setup.py b/setup.py index dcc2121..a075d1a 100644 --- a/setup.py +++ b/setup.py @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- # -# Copyright (C) 2020 Mojib Wali. +# Copyright (C) 2020-2021 Graz University of Technology. # # invenio-config-tugraz is free software; you can redistribute it and/or # modify it under the terms of the MIT License; see LICENSE file for more @@ -17,13 +17,18 @@ history = open("CHANGES.rst").read() tests_require = [ "pytest-invenio>=1.4.0", - "SQLAlchemy-Utils>=0.33.1,<0.36", - "invenio-rdm-records~=0.20.8", - "invenio-search[elasticsearch7]>=1.4.0", - "psycopg2-binary>=2.8.6", + "invenio-app>=1.3.0,<2.0.0", ] +# Should follow invenio-app-rdm +invenio_search_version = ">=1.4.0,<1.5.0" +invenio_db_version = ">=1.0.9,<1.1.0" + extras_require = { + "elasticsearch7": [f"invenio-search[elasticsearch7]{invenio_search_version}"], + "mysql": [f"invenio-db[mysql,versioning]{invenio_db_version}"], + "postgresql": [f"invenio-db[postgresql,versioning]{invenio_db_version}"], + "sqlite": [f"invenio-db[versioning]{invenio_db_version}"], "docs": [ "Sphinx>=3", ], 
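Review bot: Every explicit rule on `TUGRAZPermissionPolicy` is removed in this hunk (`can_read = [RecordIp()]`, `can_search`, `can_update`, `can_delete`, `can_create = [AuthenticatedUser()]`), so the class now inherits whatever `RDMRecordPermissionPolicy` defines and the single-IP restriction from `RecordIp` is no longer applied by this policy. That is an access-control change rather than a cleanup, and the commit message does not mention it. The new docstring says "Create action given to everyone for now", which is wider than the removed rule; if that widening is not intended, keep `can_create = [AuthenticatedUser()]` explicitly, which the new import block already supports. The added generator imports (`IfDraft`, `IfRestricted`, `Disable`, `SystemProcess` and the rest) are unused on the new side, and the docstring `Overriding BibliographicRecordServiceConfig.` is stale after the rename.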
@@ -31,7 +36,14 @@ extras_require = { } extras_require["all"] = [] -for reqs in extras_require.values(): +for name, reqs in extras_require.items(): + if name[0] == ":" or name in ( + "elasticsearch7", + "mysql", + "postgresql", + "sqlite", + ): + continue extras_require["all"].extend(reqs) setup_requires = [ @@ -41,8 +53,8 @@ setup_requires = [ install_requires = [ "Flask-BabelEx>=0.9.4", - "elasticsearch_dsl>=7.2.1", - "sqlalchemy-continuum>=1.3.11", + # keep this in sync with invenioRDM release + "invenio_rdm_records>=0.28.0,<0.29.0", ] packages = find_packages() diff --git a/tests/test_generators.py b/tests/test_generators.py index 4eb4dcd..6060075 100644 --- a/tests/test_generators.py +++ b/tests/test_generators.py @@ -8,9 +8,9 @@ """Test Generators.""" -from invenio_access.permissions import any_user, authenticated_user +from invenio_access.permissions import any_user -from invenio_config_tugraz.generators import AuthenticatedUser, RecordIp +from invenio_config_tugraz.generators import RecordIp def test_recordip(create_app, open_record, singleip_record): @@ -27,12 +27,3 @@ def test_recordip(create_app, open_record, singleip_record): assert generator.excludes(record=open_record) == [] assert generator.query_filter().to_dict() == {'bool': {'must_not': [{'match': {'access.access_right': 'singleip'}}]}} - - -def test_authenticateduser(): - """Test Generator AuthenticatedUser.""" - generator = AuthenticatedUser() - - assert generator.needs() == [authenticated_user] - assert generator.excludes() == [] - assert generator.query_filter() == []
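Review bot: `install_requires` in setup.py drops `elasticsearch_dsl>=7.2.1`, but generators.py still has `from elasticsearch_dsl.query import Q` (a context line in that file's hunk), so the package now gets it only transitively through `invenio_rdm_records`. A module that is imported directly should be declared directly; otherwise a change in the upstream dependency set can break import of the permission generators without any change in this repository. I would keep `"elasticsearch_dsl>=7.2.1",` next to the new pin, or extend the comment to `# keep this in sync with invenioRDM release; elasticsearch_dsl is provided by it` if the transitive dependency is deliberate.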