Suppoer service principal in SimpleAccessPolicy.

danielballan · Feb 22, 2024 · dd6457f · dd6457f
1 parent c58f7fb
commit dd6457f
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 1 deletion.
diff --git a/tiled/_tests/test_access_control.py b/tiled/_tests/test_access_control.py
@@ -234,3 +234,65 @@ def test_public_access(context):
     public_client["f"].read()
     with pytest.raises(KeyError):
         public_client["a", "A1"]
+
+
+def test_service_principal_access(tmpdir):
+    "Test that a service principal can work with SimpleAccessPolicy."
+    config = {
+        "authentication": {
+            "secret_keys": ["SECRET"],
+            "providers": [
+                {
+                    "provider": "toy",
+                    "authenticator": "tiled.authenticators:DictionaryAuthenticator",
+                    "args": {
+                        "users_to_passwords": {
+                            "admin": "admin",
+                        }
+                    },
+                }
+            ],
+            "tiled_admins": [{"id": "admin", "provider": "toy"}],
+        },
+        "database": {
+            "uri": f"sqlite+aiosqlite:///{tmpdir}/auth.db",
+            "init_if_not_exists": True,
+        },
+        "trees": [
+            {
+                "tree": "catalog",
+                "args": {
+                    "uri": f"sqlite+aiosqlite:///{tmpdir}/catalog.db",
+                    "writable_storage": f"file://localhost{tmpdir}/data",
+                    "init_if_not_exists": True,
+                },
+                "path": "/",
+                "access_control": {
+                    "access_policy": "tiled.access_policies:SimpleAccessPolicy",
+                    "args": {
+                        "access_lists": {},
+                        "provider": "toy",
+                        "admins": ["admin"],
+                    },
+                },
+            }
+        ],
+    }
+    with Context.from_app(build_app_from_config(config)) as context:
+        with enter_password("admin"):
+            admin_client = from_context(context, username="admin")
+        sp = admin_client.context.admin.create_service_principal("user")
+        key_info = admin_client.context.admin.create_api_key(sp["uuid"])
+        admin_client.write_array([1, 2, 3], key="x")
+        admin_client.write_array([4, 5, 6], key="y")
+        admin_client.logout()
+
+    # Drop the admin, no longer needed.
+    config["authentication"].pop("tiled_admins")
+    # Add the service principal to the access_lists.
+    config["trees"][0]["access_control"]["args"]["access_lists"][sp["uuid"]] = ["x"]
+    with Context.from_app(
+        build_app_from_config(config), api_key=key_info["secret"]
+    ) as context:
+        sp_client = from_context(context)
+        list(sp_client) == ["x"]
diff --git a/tiled/access_policies.py b/tiled/access_policies.py
@@ -65,6 +65,8 @@ def allowed_scopes(self, node, principal):
         # If this is being called, filter_access has let us get this far.
         if principal is SpecialUsers.public:
             allowed = PUBLIC_SCOPES
+        elif principal.type == "service":
+            allowed = self.scopes
         elif self._get_id(principal) in self.admins:
             allowed = ALL_SCOPES
         # The simple policy does not provide for different Principals to
@@ -79,7 +81,11 @@ def filters(self, node, principal, scopes):
         if principal is SpecialUsers.public:
             queries.append(KeysFilter(self.public))
         else:
-            id = self._get_id(principal)
+            # Services have no identities; just use the uuid.
+            if principal.type == "service":
+                id = str(principal.uuid)
+            else:
+                id = self._get_id(principal)
             if id in self.admins:
                 return queries
             if not scopes.issubset(self.scopes):