feat: implement function to get all role assignments within a scope

Author: mariajgrimaldi

openedx_authz/api/permissions.py

@@ -5,13 +5,7 @@
 are not explicitly defined, but are inferred from the policy rules.
 """
 
-from openedx_authz.api.data import (
-    ActionData,
-    PermissionData,
-    PolicyIndex,
-    ScopeData,
-    SubjectData,
-)
+from openedx_authz.api.data import ActionData, PermissionData, PolicyIndex, ScopeData, SubjectData
 from openedx_authz.engine.enforcer import enforcer
 
 __all__ = [

openedx_authz/api/roles.py

@@ -27,6 +27,7 @@
 __all__ = [
     "get_permissions_for_roles",
     "get_all_roles_names",
+    "get_all_roles_in_scope",
     "get_permissions_for_active_roles_in_scope",
     "get_role_definitions_in_scope",
     "assign_role_to_subject_in_scope",
@@ -35,6 +36,7 @@
     "batch_unassign_role_from_subjects_in_scope",
     "get_subject_role_assignments_in_scope",
     "get_subjects_role_assignments_for_role_in_scope",
+    "get_all_subject_role_assignments_in_scope",
     "get_subject_role_assignments",
 ]
 
@@ -170,6 +172,20 @@ def get_all_roles_names() -> list[str]:
     return enforcer.get_all_subjects()
 
 
+def get_all_roles_in_scope(scope: ScopeData) -> list[list[str]]:
+    """Get all the available roles names in a specific scope.
+
+    Args:
+        scope: The scope to filter roles (e.g., 'lib@*' or '*' for global).
+
+    Returns:
+        list[list[str]]: A list of policies in the specified scope.
+    """
+    return enforcer.get_filtered_grouping_policy(
+        GroupingPolicyIndex.SCOPE.value, scope.scope_id
+    )
+
+
 def assign_role_to_subject_in_scope(
     subject: SubjectData, role: RoleData, scope: ScopeData
 ) -> None:
@@ -321,3 +337,34 @@ def get_subjects_role_assignments_for_role_in_scope(
             )
         )
     return role_assignments
+
+
+def get_all_subject_role_assignments_in_scope(
+    scope: ScopeData,
+) -> list[RoleAssignmentData]:
+    """Get all the subjects assigned to any role in a specific scope.
+
+    Args:
+        scope: The scope to filter subjects (e.g., 'library:123' or '*' for global).
+
+    Returns:
+        list[RoleAssignment]: A list of subjects assigned to roles in the specified scope.
+    """
+    role_assignments = []
+    roles_in_scope = get_all_roles_in_scope(scope)
+
+    for policy in roles_in_scope:
+        subject = SubjectData(subject_id=policy[GroupingPolicyIndex.SUBJECT.value])
+        role = RoleData(role_id=policy[GroupingPolicyIndex.ROLE.value])
+        role.permissions = get_permissions_for_roles(role)[role.name][
+            "permissions"
+        ]  # Index by role name for easy lookup
+
+        role_assignments.append(
+            RoleAssignmentData(
+                subject=subject,
+                role=role,
+                scope=scope,
+            )
+        )
+    return role_assignments

openedx_authz/api/users.py

@@ -9,17 +9,12 @@
 (e.g., 'user@john_doe').
 """
 
-from openedx_authz.api.data import (
-    RoleAssignmentData,
-    RoleData,
-    ScopeData,
-    SubjectData,
-    UserData,
-)
+from openedx_authz.api.data import RoleAssignmentData, RoleData, ScopeData, SubjectData, UserData
 from openedx_authz.api.roles import (
     assign_role_to_subject_in_scope,
     batch_assign_role_to_subjects_in_scope,
     batch_unassign_role_from_subjects_in_scope,
+    get_all_subject_role_assignments_in_scope,
     get_subject_role_assignments,
     get_subject_role_assignments_in_scope,
     get_subjects_role_assignments_for_role_in_scope,
@@ -33,6 +28,8 @@
     "batch_unassign_role_from_users",
     "get_user_role_assignments",
     "get_user_role_assignments_in_scope",
+    "get_user_role_assignments_for_role_in_scope",
+    "get_all_user_role_assignments_in_scope",
 ]
 
 
@@ -142,6 +139,7 @@ def get_user_role_assignments_for_role_in_scope(
     # TODO: this SHOULD definitely be managed in a better way by using class inheritance and factories
     # But for now we'll keep it simple and explicit
     user_role_assignments = []
+
     for role_assignment in get_subjects_role_assignments_for_role_in_scope(
         RoleData(name=role_name), ScopeData(name=scope)
     ):
@@ -154,4 +152,29 @@ def get_user_role_assignments_for_role_in_scope(
                 scope=role_assignment.scope,
             )
         )
+
+    return user_role_assignments
+
+
+def get_all_user_role_assignments_in_scope(scope: str) -> list[RoleAssignmentData]:
+    """Get all user role assignments in a specific scope.
+
+    Args:
+        scope (str): Scope in which to retrieve the user role assignments.
+
+    Returns:
+        list[dict]: A list of user role assignments and all their metadata in the specified scope.
+    """
+    user_role_assignments = []
+    role_assignments = get_all_subject_role_assignments_in_scope(ScopeData(name=scope))
+
+    for role_assignment in role_assignments:
+        user_role_assignments.append(
+            RoleAssignmentData(
+                subject=UserData(subject_id=role_assignment.subject.subject_id),
+                role=role_assignment.role,
+                scope=role_assignment.scope,
+            )
+        )
+
     return user_role_assignments

openedx_authz/tests/api/test_data.py

@@ -3,13 +3,7 @@
 from ddt import data, ddt, unpack
 from django.test import TestCase
 
-from openedx_authz.api.data import (
-    ActionData,
-    ContentLibraryData,
-    RoleData,
-    ScopeData,
-    UserData,
-)
+from openedx_authz.api.data import ActionData, ContentLibraryData, RoleData, ScopeData, UserData
 
 
 @ddt

openedx_authz/tests/api/test_roles.py

@@ -11,13 +11,7 @@
 from django.test import TestCase
 
 from openedx_authz.api import *
-from openedx_authz.api.data import (
-    ActionData,
-    PermissionData,
-    RoleData,
-    ScopeData,
-    SubjectData,
-)
+from openedx_authz.api.data import ActionData, PermissionData, RoleData, ScopeData, SubjectData
 from openedx_authz.engine.enforcer import enforcer as global_enforcer
 from openedx_authz.engine.utils import migrate_policy_from_file_to_db
 
@@ -117,6 +111,11 @@ def setUpClass(cls):
                 "role_name": "library_collaborator",
                 "scope_name": "math_advanced",
             },
+            {
+                "subject_name": "Heidi",
+                "role_name": "library_collaborator",
+                "scope_name": "math_advanced",
+            },
             # Hierarchical scope_id assignments - different specificity levels
             {
                 "subject_name": "Ivy",
@@ -971,3 +970,173 @@ def test_unassign_role_from_subject_in_scope(
             )
             role_names = {assignment.role.name for assignment in user_roles}
             self.assertNotIn(role, role_names)
+
+    @ddt_data(
+        (
+            "math_101",
+            [
+                RoleAssignmentData(
+                    subject=SubjectData(name="alice"),
+                    role=RoleData(
+                        name="library_admin",
+                        permissions=[
+                            PermissionData(
+                                action=ActionData(name="delete_library"), effect="allow"
+                            ),
+                            PermissionData(
+                                action=ActionData(name="publish_library"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="manage_library_team"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="manage_library_tags"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="delete_library_content"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="publish_library_content"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="delete_library_collection"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="create_library"), effect="allow"
+                            ),
+                            PermissionData(
+                                action=ActionData(name="create_library_collection"),
+                                effect="allow",
+                            ),
+                        ],
+                    ),
+                    scope=ScopeData(name="math_101"),
+                )
+            ],
+        ),
+        (
+            "history_201",
+            [
+                RoleAssignmentData(
+                    subject=SubjectData(name="bob"),
+                    role=RoleData(
+                        name="library_author",
+                        permissions=[
+                            PermissionData(
+                                action=ActionData(name="delete_library_content"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="publish_library_content"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="edit_library"), effect="allow"
+                            ),
+                            PermissionData(
+                                action=ActionData(name="manage_library_tags"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="create_library_collection"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="edit_library_collection"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="delete_library_collection"),
+                                effect="allow",
+                            ),
+                        ],
+                    ),
+                    scope=ScopeData(name="history_201"),
+                )
+            ],
+        ),
+        (
+            "science_301",
+            [
+                RoleAssignmentData(
+                    subject=SubjectData(name="carol"),
+                    role=RoleData(
+                        name="library_collaborator",
+                        permissions=[
+                            PermissionData(
+                                action=ActionData(name="edit_library"), effect="allow"
+                            ),
+                            PermissionData(
+                                action=ActionData(name="delete_library_content"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="manage_library_tags"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="create_library_collection"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="edit_library_collection"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="delete_library_collection"),
+                                effect="allow",
+                            ),
+                        ],
+                    ),
+                    scope=ScopeData(name="science_301"),
+                )
+            ],
+        ),
+        (
+            "english_101",
+            [
+                RoleAssignmentData(
+                    subject=SubjectData(name="dave"),
+                    role=RoleData(
+                        name="library_user",
+                        permissions=[
+                            PermissionData(
+                                action=ActionData(name="view_library"), effect="allow"
+                            ),
+                            PermissionData(
+                                action=ActionData(name="view_library_team"),
+                                effect="allow",
+                            ),
+                            PermissionData(
+                                action=ActionData(name="reuse_library_content"),
+                                effect="allow",
+                            ),
+                        ],
+                    ),
+                    scope=ScopeData(name="english_101"),
+                )
+            ],
+        ),
+        ("non_existent_scope", []),
+    )
+    @unpack
+    def test_get_all_role_assignments_in_scope(self, scope_name, expected_assignments):
+        """Test retrieving all role assignments in a specific scope.
+
+        Expected result:
+            - All role assignments in the specified scope are correctly retrieved.
+            - Each assignment includes the subject, role, and scope information with permissions.
+        """
+        role_assignments = get_all_subject_role_assignments_in_scope(
+            ScopeData(name=scope_name)
+        )
+
+        self.assertEqual(len(role_assignments), len(expected_assignments))
+        for assignment in role_assignments:
+            self.assertIn(assignment, expected_assignments)