feat: add rest api for roles and permissions

BryanttV · BryanttV · commit 8401052fa994 · 2025-10-01T19:01:25.000-05:00
diff --git a/openedx_authz/api/data.py b/openedx_authz/api/data.py
@@ -36,7 +36,7 @@ class AuthZData:
     Subclasses are automatically registered by their NAMESPACE for factory pattern.
     """
 
-    SEPARATOR: str = "@"
+    SEPARATOR: str = ":"
     NAMESPACE: str = None
 
     # TODO: Implement factory method to return correct subclass based on NAMESPACE prefix.
diff --git a/openedx_authz/api/permissions.py b/openedx_authz/api/permissions.py
@@ -67,4 +67,5 @@ def has_permission(
     Returns:
         bool: True if the subject has the specified permission in the scope, False otherwise.
     """
+    enforcer.load_policy()
     return enforcer.enforce(subject.subject_id, action.action_id, scope.scope_id)
diff --git a/openedx_authz/api/roles.py b/openedx_authz/api/roles.py
@@ -103,6 +103,7 @@ def get_permissions_for_active_roles_in_scope(
         dict[str, list[PermissionData]]: A dictionary mapping the role name to its
         permissions and scopes.
     """
+    enforcer.load_policy()
     filtered_policy = enforcer.get_filtered_grouping_policy(
         GroupingPolicyIndex.SCOPE.value, scope.scope_id
     )
@@ -134,6 +135,7 @@ def get_role_definitions_in_scope(scope: ScopeData) -> list[RoleData]:
     Returns:
         list[Role]: A list of roles.
     """
+    enforcer.load_policy()
     policy_filtered = enforcer.get_filtered_policy(
         PolicyIndex.SCOPE.value, scope.scope_id
     )
@@ -179,6 +181,7 @@ def assign_role_to_subject_in_scope(
         subject: The ID of the subject.
         role: The role to assign.
     """
+    enforcer.load_policy()
     # TODO: we need to make some uppercase/lowercase decisions in the lookups
     # for now, we assume the caller has done the right thing
     # and passed in the correctly namespaced IDs
@@ -210,6 +213,7 @@ def unassign_role_from_subject_in_scope(
         role: The role to unassign.
         scope: The scope from which to unassign the role.
     """
+    enforcer.load_policy()
     enforcer.delete_roles_for_user_in_domain(
         subject.subject_id, role.role_id, scope.scope_id
     )
@@ -271,6 +275,7 @@ def get_subject_role_assignments_in_scope(
     Returns:
         list[RoleAssignment]: A list of role assignments for the subject in the scope.
     """
+    enforcer.load_policy()
     # TODO: we still need to get the remaining data for the role like email, etc
     role_assignments = []
     for role_id in enforcer.get_roles_for_user_in_domain(
@@ -303,9 +308,10 @@ def get_subjects_role_assignments_for_role_in_scope(
     Returns:
         list[RoleAssignment]: A list of subjects assigned to the specified role in the specified scope.
     """
+    enforcer.load_policy()
     role_assignments = []
     for subject in enforcer.get_users_for_role_in_domain(role.role_id, scope.scope_id):
-        if subject.startswith(f"{RoleData.NAMESPACE}@"):
+        if subject.startswith(f"{RoleData.NAMESPACE}{RoleData.SEPARATOR}"):
             # Skip roles that are also subjects
             continue
         role_assignments.append(
diff --git a/openedx_authz/apps.py b/openedx_authz/apps.py
@@ -17,12 +17,12 @@ class OpenedxAuthzConfig(AppConfig):
         "url_config": {
             "lms.djangoapp": {
                 "namespace": "openedx-authz",
-                "regex": r"^openedx-authz/",
+                "regex": r"^api/",
                 "relative_path": "urls",
             },
             "cms.djangoapp": {
                 "namespace": "openedx-authz",
-                "regex": r"^openedx-authz/",
+                "regex": r"^api/",
                 "relative_path": "urls",
             },
         },
diff --git a/openedx_authz/rest_api/urls.py b/openedx_authz/rest_api/urls.py
@@ -0,0 +1,9 @@
+"""Open edX AuthZ API URLs."""
+
+from django.urls import include, path
+
+from openedx_authz.rest_api.v1 import urls as v1_urls
+
+urlpatterns = [
+    path("v1/", include(v1_urls)),
+]
diff --git a/openedx_authz/rest_api/v1/permissions.py b/openedx_authz/rest_api/v1/permissions.py
@@ -0,0 +1 @@
+"""Custom permissions for the Open edX AuthZ REST API."""
diff --git a/openedx_authz/rest_api/v1/serializers.py b/openedx_authz/rest_api/v1/serializers.py
@@ -0,0 +1,45 @@
+"""Serializers for the Open edX AuthZ REST API."""
+
+from rest_framework import serializers
+
+
+class ScopeMixin(serializers.Serializer):  # pylint: disable=abstract-method
+    """Mixin providing scope field functionality."""
+
+    scope = serializers.CharField(max_length=255)
+
+
+class RoleMixin(serializers.Serializer):  # pylint: disable=abstract-method
+    """Mixin providing role field functionality."""
+
+    role = serializers.CharField(max_length=255)
+
+
+class ActionMixin(serializers.Serializer):  # pylint: disable=abstract-method
+    """Mixin providing action field functionality."""
+
+    action = serializers.CharField(max_length=255)
+
+
+class PermissionValidationSerializer(ActionMixin, ScopeMixin):  # pylint: disable=abstract-method
+    """Serializer for permission validation request."""
+
+
+class AddUserToRoleWithScopeSerializer(RoleMixin, ScopeMixin):  # pylint: disable=abstract-method
+    """Serializer for adding a user to a role with a scope."""
+
+    users = serializers.ListField(child=serializers.CharField(max_length=255))
+
+
+class RemoveUserFromRoleWithScopeSerializer(RoleMixin, ScopeMixin):  # pylint: disable=abstract-method
+    """Serializer for removing a user from a role with a scope."""
+
+    user = serializers.CharField(max_length=255)
+
+
+class ListUsersInRoleWithScopeSerializer(RoleMixin, ScopeMixin):  # pylint: disable=abstract-method
+    """Serializer for listing users in a role with a scope."""
+
+
+class ListRolesWithScopeSerializer(ScopeMixin):  # pylint: disable=abstract-method
+    """Serializer for listing roles with a scope."""
diff --git a/openedx_authz/rest_api/v1/urls.py b/openedx_authz/rest_api/v1/urls.py
@@ -0,0 +1,11 @@
+"""Open edX AuthZ API v1 URLs."""
+
+from django.urls import path
+
+from openedx_authz.rest_api.v1 import views
+
+urlpatterns = [
+    path("permissions/validate/", views.PermissionValidationView.as_view(), name="permission-validate"),
+    path("roles/", views.RoleListView.as_view(), name="role-list"),
+    path("role/users/", views.RoleUserAPIView.as_view(), name="role-users"),
+]
diff --git a/openedx_authz/rest_api/v1/views.py b/openedx_authz/rest_api/v1/views.py
@@ -0,0 +1,167 @@
+"""Views for the Open edX AuthZ REST API."""
+
+import logging
+
+from common.djangoapps.student.models.user import get_user_by_username_or_email
+from django.contrib.auth import get_user_model
+from rest_framework import status
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from openedx_authz.api.data import ActionData, ScopeData, UserData
+from openedx_authz.api.permissions import has_permission
+from openedx_authz.api.roles import get_role_definitions_in_scope
+from openedx_authz.api.users import (
+    assign_role_to_user_in_scope,
+    get_user_role_assignments_for_role_in_scope,
+    unassign_role_from_user,
+)
+from openedx_authz.rest_api.v1.serializers import (
+    AddUserToRoleWithScopeSerializer,
+    ListRolesWithScopeSerializer,
+    ListUsersInRoleWithScopeSerializer,
+    PermissionValidationSerializer,
+    RemoveUserFromRoleWithScopeSerializer,
+)
+
+logger = logging.getLogger(__name__)
+
+User = get_user_model()
+
+
+class PermissionValidationView(APIView):
+    """
+    Validate permissions for the authenticated user.
+    """
+
+    permission_classes = [IsAuthenticated]
+
+    def post(self, request):
+        """Validate permissions for the authenticated user."""
+        serializer = PermissionValidationSerializer(data=request.data, many=True)
+        serializer.is_valid(raise_exception=True)
+
+        username = request.user.username
+        subject = UserData(username=username)
+
+        for perm in serializer.validated_data:
+            try:
+                action = ActionData(name=perm["action"])
+                scope = ScopeData(name=perm["scope"])
+                allowed = has_permission(subject, action, scope)
+                perm["allowed"] = allowed
+            except Exception as e:  # pylint: disable=broad-exception-caught
+                logger.error(f"Error validating permission for user {username}: {e}")
+
+        return Response(serializer.validated_data, status=status.HTTP_200_OK)
+
+
+class RoleUserAPIView(APIView):
+    """
+    APIView for managing users and their roles.
+    Handles GET (list), PUT (add), and DELETE (remove) operations.
+    """
+
+    permission_classes = [IsAuthenticated]
+
+    def get(self, request):
+        """
+        Get list of users in the role.
+        """
+        serializer = ListUsersInRoleWithScopeSerializer(data=request.query_params)
+        serializer.is_valid(raise_exception=True)
+
+        role_name = serializer.validated_data["role"]
+        scope = serializer.validated_data["scope"]
+
+        response_data = []
+        role_assignments = get_user_role_assignments_for_role_in_scope(role_name, scope)
+        for assignment in role_assignments:
+            # TODO: Should we get all users at once instead of one by one?
+            user = get_user_by_username_or_email(assignment.subject.username)
+            response_data.append(
+                {
+                    "username": assignment.subject.username,
+                    "full_name": user.profile.name,
+                    "email": user.email,
+                }
+            )
+
+        return Response(response_data, status=status.HTTP_200_OK)
+
+    def put(self, request):
+        """
+        Add users to the role.
+        """
+        serializer = AddUserToRoleWithScopeSerializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+
+        completed, errors = [], []
+        role_name = serializer.validated_data["role"]
+        scope = serializer.validated_data["scope"]
+
+        for user_identifier in serializer.validated_data["users"]:
+            try:
+                user = get_user_by_username_or_email(user_identifier)
+                assign_role_to_user_in_scope(user.username, role_name, scope)
+                completed.append({"user": user_identifier, "status": "role_added"})
+            except User.DoesNotExist:
+                errors.append({"user": user_identifier, "error": "user_not_found"})
+            except Exception as e:  # pylint: disable=broad-exception-caught
+                logger.error(f"Error assigning role to user {user_identifier}: {e}")
+                errors.append({"user": user_identifier, "error": "assignment_failed"})
+
+        response_data = {"completed": completed, "errors": errors}
+        return Response(response_data, status=status.HTTP_207_MULTI_STATUS)
+
+    def delete(self, request):
+        """
+        Remove user role from the role.
+        """
+        serializer = RemoveUserFromRoleWithScopeSerializer(data=request.query_params)
+        serializer.is_valid(raise_exception=True)
+
+        user_identifier = serializer.validated_data["user"]
+        role_name = serializer.validated_data["role"]
+        scope = serializer.validated_data["scope"]
+
+        try:
+            user = get_user_by_username_or_email(user_identifier)
+            unassign_role_from_user(user.username, role_name, scope)
+            return Response({"message": "Role successfully removed from user"}, status=status.HTTP_200_OK)
+        except User.DoesNotExist:
+            return Response({"error": "User not found"}, status=status.HTTP_404_NOT_FOUND)
+        except Exception as e:  # pylint: disable=broad-exception-caught
+            logger.error(f"Error removing role from user {user_identifier}: {e}")
+            return Response({"error": "Internal server error"}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+
+
+class RoleListView(APIView):
+    """
+    Get list of roles with their permissions for a scope.
+    """
+
+    permission_classes = [IsAuthenticated]
+
+    def get(self, request):
+        """Get list of roles with their permissions for a library."""
+        serializer = ListRolesWithScopeSerializer(data=request.query_params)
+        serializer.is_valid(raise_exception=True)
+
+        scope = ScopeData(name=serializer.validated_data["scope"])
+
+        response_data = []
+        roles = get_role_definitions_in_scope(scope)
+
+        for role in roles:
+            response_data.append(
+                {
+                    "role": role.name,
+                    "permissions": [perm.action.name for perm in role.permissions] if role.permissions else [],
+                    # TODO: Get user count using a api function
+                    "user_count": 0,
+                }
+            )
+
+        return Response(response_data, status=status.HTTP_200_OK)
diff --git a/openedx_authz/settings/common.py b/openedx_authz/settings/common.py
@@ -22,9 +22,7 @@ def plugin_settings(settings):
         settings.INSTALLED_APPS.append(casbin_adapter_app)
 
     # Add Casbin configuration
-    settings.CASBIN_MODEL = os.path.join(
-        ROOT_DIRECTORY, "engine", "config", "model.conf"
-    )
+    settings.CASBIN_MODEL = os.path.join(ROOT_DIRECTORY, "engine", "config", "model.conf")
     settings.CASBIN_WATCHER_ENABLED = True
     # TODO: Replace with a more dynamic configuration
     # Redis host and port are temporarily loaded here for the MVP
diff --git a/openedx_authz/urls.py b/openedx_authz/urls.py
@@ -1,11 +1,11 @@
-"""
-URLs for openedx_authz.
-"""
+"""Open edX AuthZ API URLs."""
 
-from django.urls import re_path  # pylint: disable=unused-import
-from django.views.generic import TemplateView  # pylint: disable=unused-import
+from django.urls import include, path
+
+from openedx_authz.rest_api import urls
+
+app_name = "openedx_authz"
 
 urlpatterns = [
-    # TODO: Fill in URL patterns and views here.
-    # re_path(r'', TemplateView.as_view(template_name="openedx_authz/base.html")),
+    path("authz/", include(urls)),
 ]

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+"""Custom permissions for the Open edX AuthZ REST API."""`