openedx
diff --git a/‎openedx_authz/api/__init__.py‎
Lines changed: 4 additions & 5 deletions b/‎openedx_authz/api/__init__.py‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎openedx_authz/api/data.py‎
Lines changed: 86 additions & 0 deletions b/‎openedx_authz/api/data.py‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎openedx_authz/api/permissions.py‎
Lines changed: 32 additions & 6 deletions b/‎openedx_authz/api/permissions.py‎
Lines changed: 32 additions & 6 deletions
diff --git a/‎openedx_authz/api/policy.py‎
Lines changed: 0 additions & 42 deletions b/‎openedx_authz/api/policy.py‎
Lines changed: 0 additions & 42 deletions
@@ -5,8 +5,7 @@
 provide a simpler interface for other services in the Open edX ecosystem.
 """
 
-# from openedx_authz.api.roles import create_role
-# from openedx_authz.api.permissions import create_permission
-# from openedx_authz.api.policy import create_policy
-
-# __all__ = ["create_role", "create_permission", "create_policy"]
+from openedx_authz.api.data import *
+from openedx_authz.api.permissions import *
+from openedx_authz.api.roles import *
+from openedx_authz.api.users import *
@@ -0,0 +1,86 @@
+"""Data classes and enums for representing roles, permissions, and policies."""
+
+from enum import Enum
+from typing import Literal
+
+from attrs import define
+
+
+class GroupingPolicyIndex(Enum):
+    """Index of fields in a grouping policy."""
+
+    SUBJECT = 0
+    ROLE = 1
+    SCOPE = 2
+    # The rest of the fields are optional and can be ignored for now
+
+
+class PolicyIndex(Enum):
+    """Index of fields in a policy."""
+
+    ROLE = 0
+    ACT = 1
+    SCOPE = 2
+    EFFECT = 3
+    # The rest of the fields are optional and can be ignored for now
+
+
+@define
+class Permission:  # TODO: change to policy?
+    """A permission is an action that can be performed under certain conditions.
+
+    Attributes:
+        name: The name of the permission.
+    """
+
+    # TODO: what other attributes should a permission have?
+    name: str
+    effect: Literal["allow", "deny"] = "allow"
+
+
+@define
+class RoleMetadata:
+    """Metadata for a role.
+
+    Attributes:
+        description: A description of the role.
+        created_at: The date and time the role was created.
+        created_by: The ID of the subject who created the role.
+    """
+
+    description: str = None
+    created_at: str = None
+    created_by: str = None
+
+
+@define
+class Role:
+    """A role is a named group of permissions.
+
+    Attributes:
+        name: The name of the role.
+        permissions: A list of permissions assigned to the role.
+        scopes: A list of scopes assigned to the role.
+        metadata: A dictionary of metadata assigned to the role. This can include
+            information such as the description of the role, creation date, etc.
+    """
+
+    name: str
+    scopes: list[str]
+    permissions: list[Permission] = None
+    metadata: RoleMetadata = None
+
+
+@define
+class RoleAssignment:
+    """A role assignment is the assignment of a role to a subject in a specific scope.
+
+    Attributes:
+        subject: The ID of the user namespaced (e.g., 'user:john_doe').
+        email: The email of the user.
+        role_name: The name of the role.
+        scope: The scope in which the role is assigned.
+    """
+
+    subject: str  # TODO: I think here it makes sense to sanitize the subject so it's the username?
+    role: Role
@@ -5,13 +5,39 @@
 are not explicitly defined, but are inferred from the policy rules.
 """
 
+from typing import Literal
 
-def has_permission(user: str, resource: str, action: str, scope: str = None) -> bool:
-    """Check if a user has a specific permission.
+from openedx_authz.api.data import Permission, PolicyIndex
+from openedx_authz.engine.enforcer import enforcer
+
+__all__ = ["get_permission_from_policy", "get_all_permissions_in_scope"]
+
+
+def get_permission_from_policy(policy: list[str]) -> Permission:
+    """Convert a Casbin policy list to a Permission object.
 
     Args:
-        user: The user to check.
-        resource: The resource to check.
-        action: The action to check.
-        scope: The scope to check (optional).
+        policy: A list representing a Casbin policy.
+
+    Returns:
+        Permission: The corresponding Permission object or an empty Permission if the policy is invalid.
+    """
+    if len(policy) < 4:  # Do not count ptype
+        return Permission(name="", effect="")
+
+    return Permission(
+        name=policy[PolicyIndex.ACT.value], effect=policy[PolicyIndex.EFFECT.value]
+    )
+
+
+def get_all_permissions_in_scope(scope: str) -> list[Permission]:
+    """Retrieve all permissions associated with a specific scope.
+
+    Args:
+        scope: The scope to filter permissions by.
+
+    Returns:
+        list of Permission: A list of Permission objects associated with the given scope.
     """
+    actions = enforcer.get_filtered_policy(PolicyIndex.SCOPE.value, scope)
+    return [get_permission_from_policy(action) for action in actions]