feat: validate if scope and role exist

Author: BryanttV

openedx_authz/api/data.py

@@ -1,13 +1,19 @@
 """Data classes and enums for representing roles, permissions, and policies."""
 
 import re
+from abc import abstractmethod
 from enum import Enum
 from typing import ClassVar, Literal, Type
 
 from attrs import define
 from opaque_keys import InvalidKeyError
 from opaque_keys.edx.locator import LibraryLocatorV2
 
+try:
+    from openedx.core.djangoapps.content_libraries.models import ContentLibrary
+except ImportError:
+    ContentLibrary = None
+
 __all__ = [
     "UserData",
     "PermissionData",
@@ -302,6 +308,15 @@ def validate_external_key(cls, _: str) -> bool:
         """
         return True
 
+    @abstractmethod
+    def exists(self) -> bool:
+        """Check if the scope exists.
+
+        Returns:
+            bool: True if the scope exists, False otherwise.
+        """
+        raise NotImplementedError("Subclasses must implement exists method.")
+
 
 @define
 class ContentLibraryData(ScopeData):
@@ -356,6 +371,19 @@ def validate_external_key(cls, external_key: str) -> bool:
         except InvalidKeyError:
             return False
 
+    def exists(self) -> bool:
+        """Check if the content library exists.
+
+        Returns:
+            bool: True if the content library exists, False otherwise.
+        """
+        try:
+            library_key = LibraryLocatorV2.from_string(self.library_id)
+            ContentLibrary.objects.get_by_key(library_key=library_key)
+            return True
+        except ContentLibrary.DoesNotExist:
+            return False
+
     def __str__(self):
         """Human readable string representation of the content library."""
         return self.library_id
@@ -365,6 +393,32 @@ def __repr__(self):
         return self.namespaced_key
 
 
+class CourseData(ScopeData):
+    """A course scope for authorization in the Open edX platform.
+
+    This class represents a course scope for authorization in the Open edX platform.
+    """
+
+    NAMESPACE: ClassVar[str] = "course-v1"
+
+    @classmethod
+    def validate_external_key(cls, _: str) -> bool:
+        """Validate the external_key format for CourseData.
+
+        Args:
+            external_key: The external key to validate.
+        """
+        return True
+
+    def exists(self) -> bool:
+        """Check if the course exists.
+
+        Returns:
+            bool: True if the course exists, False otherwise.
+        """
+        return True
+
+
 class SubjectMeta(type):
     """Metaclass for SubjectData to handle dynamic subclass instantiation based on namespace."""
 
@@ -581,7 +635,7 @@ def __repr__(self):
         return f"{self.action.namespaced_key} => {self.effect}"
 
 
-@define
+@define(eq=False)
 class RoleData(AuthZData):
     """A role is a named collection of permissions that can be assigned to subjects.
 
@@ -610,6 +664,12 @@ class RoleData(AuthZData):
     NAMESPACE: ClassVar[str] = "role"
     permissions: list[PermissionData] = []
 
+    def __eq__(self, other):
+        """Compare roles based on their namespaced_key."""
+        if not isinstance(other, RoleData):
+            return False
+        return self.namespaced_key == other.namespaced_key
+
     @property
     def name(self) -> str:
         """The human-readable name of the role (e.g., 'Library Admin', 'Course Instructor').

openedx_authz/rest_api/v1/serializers.py

@@ -3,7 +3,7 @@
 from django.contrib.auth import get_user_model
 from rest_framework import serializers
 
-from openedx_authz.api.data import RoleAssignmentData
+from openedx_authz import api
 from openedx_authz.rest_api.enums import SortField, SortOrder
 from openedx_authz.rest_api.v1.fields import CommaSeparatedListField, LowercaseCharField
 
@@ -38,13 +38,48 @@ class PermissionValidationResponseSerializer(PermissionValidationSerializer):  #
     allowed = serializers.BooleanField()
 
 
-class AddUsersToRoleWithScopeSerializer(RoleMixin, ScopeMixin):  # pylint: disable=abstract-method
+class RoleScopeValidationMixin(serializers.Serializer):  # pylint: disable=abstract-method
+    """Mixin providing role and scope validation logic."""
+
+    def validate(self, attrs):
+        """Validate that role exists in scope."""
+        validated_data = super().validate(attrs)
+        scope_value = validated_data["scope"]
+        role_value = validated_data["role"]
+
+        try:
+            scope = api.ScopeData(external_key=scope_value)
+        except ValueError as exc:
+            raise serializers.ValidationError(exc) from exc
+
+        if not scope.exists():
+            raise serializers.ValidationError(f"Scope '{scope_value}' does not exist")
+
+        role = api.RoleData(external_key=role_value)
+        general_scope = api.ScopeData(namespaced_key=f"{scope.NAMESPACE}{scope.SEPARATOR}*")
+        role_definitions = api.get_role_definitions_in_scope(general_scope)
+
+        if role not in role_definitions:
+            raise serializers.ValidationError(f"Role '{role_value}' does not exist in scope '{scope_value}'")
+
+        return validated_data
+
+
+class AddUsersToRoleWithScopeSerializer(
+    RoleScopeValidationMixin,
+    RoleMixin,
+    ScopeMixin,
+):  # pylint: disable=abstract-method
     """Serializer for adding users to a role with a scope."""
 
     users = serializers.ListField(child=serializers.CharField(max_length=255), allow_empty=False)
 
 
-class RemoveUsersFromRoleWithScopeSerializer(RoleMixin, ScopeMixin):  # pylint: disable=abstract-method
+class RemoveUsersFromRoleWithScopeSerializer(
+    RoleScopeValidationMixin,
+    RoleMixin,
+    ScopeMixin,
+):  # pylint: disable=abstract-method
     """Serializer for removing users from a role with a scope."""
 
     users = CommaSeparatedListField(allow_blank=False)
@@ -100,7 +135,7 @@ def _get_user(self, obj) -> User | None:
         user_map = self.context.get("user_map", {})
         return user_map.get(obj.subject.username)
 
-    def get_username(self, obj: RoleAssignmentData) -> str:
+    def get_username(self, obj: api.RoleAssignmentData) -> str:
         """Get the username for the given role assignment."""
         return obj.subject.username
 
@@ -114,6 +149,6 @@ def get_email(self, obj) -> str:
         user = self._get_user(obj)
         return getattr(user, "email", "") if user else ""
 
-    def get_roles(self, obj: RoleAssignmentData) -> list[str]:
+    def get_roles(self, obj: api.RoleAssignmentData) -> list[str]:
         """Get the roles for the given role assignment."""
         return [role.external_key for role in obj.roles]

openedx_authz/rest_api/v1/views.py

@@ -225,7 +225,6 @@ def put(self, request: HttpRequest) -> Response:
         serializer = AddUsersToRoleWithScopeSerializer(data=request.data)
         serializer.is_valid(raise_exception=True)
 
-        # TODO: Should we validate that the role or scope exists?
         role_name = serializer.validated_data["role"]
         scope = serializer.validated_data["scope"]