# [DEF:backend.src.scripts.seed_permissions:Module]
|
|
#
|
|
# @SEMANTICS: setup, database, auth, permissions, seeding
|
|
# @PURPOSE: Populates the auth database with initial system permissions.
|
|
# @LAYER: Scripts
|
|
# @RELATION: USES -> backend.src.core.database.get_auth_db
|
|
# @RELATION: USES -> backend.src.models.auth.Permission
|
|
#
|
|
# @INVARIANT: Safe to run multiple times (idempotent).
|
|
|
|
# [SECTION: IMPORTS]
|
|
import sys
|
|
from pathlib import Path
|
|
|
|
# Add the project root (the parent of src/) to sys.path so the `src.*` imports below resolve when this file is run as a script
|
|
sys.path.append(str(Path(__file__).parent.parent.parent))
|
|
|
|
from src.core.database import AuthSessionLocal
|
|
from src.models.auth import Permission, Role
|
|
from src.core.auth.repository import AuthRepository
|
|
from src.core.logger import logger, belief_scope
|
|
# [/SECTION]
|
|
|
|
# [DEF:INITIAL_PERMISSIONS:Constant]
# @PURPOSE: The catalogue of (resource, action) pairs that must exist in the
#           auth database. Kept as flat pairs for readability and expanded
#           below into the {"resource": ..., "action": ...} dicts that
#           seed_permissions() consumes. Order is preserved.
_PERMISSION_PAIRS = [
    # Admin Permissions
    ("admin:users", "READ"),
    ("admin:users", "WRITE"),
    ("admin:roles", "READ"),
    ("admin:roles", "WRITE"),
    ("admin:settings", "READ"),
    ("admin:settings", "WRITE"),
    ("environments", "READ"),
    ("plugins", "READ"),
    ("tasks", "READ"),
    ("tasks", "WRITE"),
    # Plugin Permissions
    ("plugin:backup", "EXECUTE"),
    ("plugin:migration", "EXECUTE"),
    ("plugin:mapper", "EXECUTE"),
    ("plugin:search", "EXECUTE"),
    ("plugin:git", "EXECUTE"),
    ("plugin:storage", "EXECUTE"),
    ("plugin:storage", "READ"),
    ("plugin:storage", "WRITE"),
    ("plugin:debug", "EXECUTE"),
]

INITIAL_PERMISSIONS = [
    {"resource": resource, "action": action} for resource, action in _PERMISSION_PAIRS
]
# [/DEF:INITIAL_PERMISSIONS:Constant]
|
|
|
|
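# [DEF:_USER_ROLE_PERMISSIONS:Constant]
# @PURPOSE: Baseline grants for the "User" role as (resource, action) pairs.
# Every pair here should also be present in INITIAL_PERMISSIONS; a pair the
# database does not know is logged and skipped, not created.
_USER_ROLE_PERMISSIONS = (
    ("plugin:mapper", "EXECUTE"),
    ("plugin:migration", "EXECUTE"),
    ("plugin:backup", "EXECUTE"),
    ("plugin:git", "EXECUTE"),
    ("plugin:storage", "READ"),
    ("plugin:storage", "WRITE"),
    ("environments", "READ"),
    ("plugins", "READ"),
    ("tasks", "READ"),
    ("tasks", "WRITE"),
)
# [/DEF:_USER_ROLE_PERMISSIONS:Constant]


def _insert_missing_permissions(db) -> int:
    """Add a Permission row for every INITIAL_PERMISSIONS entry that has none.

    Rows are only added to the session; the caller is responsible for
    committing. Existing rows are left untouched.

    Args:
        db: the open auth session to query and add through.

    Returns:
        The number of rows added to the session.
    """
    added = 0
    for perm_data in INITIAL_PERMISSIONS:
        resource, action = perm_data["resource"], perm_data["action"]
        exists = db.query(Permission).filter(
            Permission.resource == resource,
            Permission.action == action,
        ).first()
        if exists:
            continue
        db.add(Permission(resource=resource, action=action))
        added += 1
    return added


def _grant_user_role_permissions(db) -> None:
    """Ensure the "User" role exists and holds every pair in _USER_ROLE_PERMISSIONS.

    The role is created when missing and flushed before any permission is
    attached. This is additive only: grants the role already has are never
    removed, so dropping a pair from _USER_ROLE_PERMISSIONS does not revoke
    it in the database. The caller commits.

    Args:
        db: the open auth session; the repository is built on top of it.
    """
    repo = AuthRepository(db)
    user_role = repo.get_role_by_name("User")
    if not user_role:
        user_role = Role(name="User", description="Standard user with plugin access")
        db.add(user_role)
        db.flush()

    for resource, action in _USER_ROLE_PERMISSIONS:
        perm = repo.get_permission_by_resource_action(resource, action)
        if not perm:
            # Visible in the log rather than silently leaving the role short.
            logger.info(f"Permission {resource}:{action} not found; not granted to User role.")
            continue
        if perm not in user_role.permissions:
            user_role.permissions.append(perm)


# [DEF:seed_permissions:Function]
# @PURPOSE: Inserts missing permissions into the database and grants the
#           baseline permission set to the "User" role.
# @POST: All INITIAL_PERMISSIONS exist in the DB; the "User" role exists and
#        holds every pair in _USER_ROLE_PERMISSIONS that has a Permission row.
# @RAISES: Whatever the database layer raised, after the session has been
#          rolled back and closed.
def seed_permissions() -> None:
    """Seed the auth database with the permission catalogue and the User role.

    Idempotent with respect to what it adds: an existing permission row is
    left alone and a permission already attached to the role is not attached
    twice. Nothing is ever deleted or revoked by this script.

    A failure is logged, the transaction rolled back, and the exception
    re-raised so that a script run exits non-zero instead of reporting
    success with the @POST unmet.

    Raises:
        Exception: re-raised from the database layer after rollback.
    """
    # NOTE(review): idempotence relies on no concurrent seeder; a unique
    # (resource, action) constraint on the permissions table would make the
    # check-then-insert below safe under concurrency — confirm the model has one.
    with belief_scope("seed_permissions"):
        db = AuthSessionLocal()
        try:
            logger.info("Seeding permissions...")
            added = _insert_missing_permissions(db)
            db.commit()
            logger.info(f"Seeding completed. Added {added} new permissions.")

            # Assign permissions to User role
            _grant_user_role_permissions(db)
            db.commit()
            logger.info("User role permissions updated.")
        except Exception as e:
            logger.error(f"Failed to seed permissions: {e}")
            db.rollback()
            # Surface the failure to the caller / process exit code.
            raise
        finally:
            db.close()
# [/DEF:seed_permissions:Function]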
|
|
|
|
# Script entry point: seed the auth database when this file is run directly.
if __name__ == "__main__":
    seed_permissions()
|
|
|
|
# [/DEF:backend.src.scripts.seed_permissions:Module] |