datasette/datasette/default_permissions.py

from datasette import hookimpl
from datasette.utils import actor_matches_allow
import click
import itsdangerous
import json
import time


@hookimpl(tryfirst=True, specname="permission_allowed")
def permission_allowed_default(datasette, actor, action, resource):
    async def inner():
        if action in (
            "permissions-debug",
            "debug-menu",
            "insert-row",
            "create-table",
            "drop-table",
            "delete-row",
            "update-row",
        ):
            if actor and actor.get("id") == "root":
                return True
        elif action == "view-instance":
            allow = datasette.metadata("allow")
            if allow is not None:
                return actor_matches_allow(actor, allow)
        elif action == "view-database":
            if resource == "_internal" and (actor is None or actor.get("id") != "root"):
                return False
            database_allow = datasette.metadata("allow", database=resource)
            if database_allow is None:
                return None
            return actor_matches_allow(actor, database_allow)
        elif action == "view-table":
            database, table = resource
            tables = datasette.metadata("tables", database=database) or {}
            table_allow = (tables.get(table) or {}).get("allow")
            if table_allow is None:
                return None
            return actor_matches_allow(actor, table_allow)
        elif action == "view-query":
            # Check if this query has a "allow" block in metadata
            database, query_name = resource
            query = await datasette.get_canned_query(database, query_name, actor)
            assert query is not None
            allow = query.get("allow")
            if allow is None:
                return None
            return actor_matches_allow(actor, allow)
        elif action == "execute-sql":
            # Use allow_sql block from database block, or from top-level
            database_allow_sql = datasette.metadata("allow_sql", database=resource)
            if database_allow_sql is None:
                database_allow_sql = datasette.metadata("allow_sql")
            if database_allow_sql is None:
                return None
            return actor_matches_allow(actor, database_allow_sql)

    return inner


@hookimpl(specname="permission_allowed")
def permission_allowed_actor_restrictions(actor, action, resource):
    if actor is None:
        return None
    if "_r" not in actor:
        # No restrictions, so we have no opinion
        return None
    _r = actor.get("_r")
    action_initials = "".join([word[0] for word in action.split("-")])
    # If _r is defined then we use those to further restrict the actor
    # Crucially, we only use this to say NO (return False) - we never
    # use it to return YES (True) because that might over-ride other
    # restrictions placed on this actor
    all_allowed = _r.get("a")
    if all_allowed is not None:
        assert isinstance(all_allowed, list)
        if action_initials in all_allowed:
            return None
    # How about for the current database?
    if action in ("view-database", "view-database-download", "execute-sql"):
        database_allowed = _r.get("d", {}).get(resource)
        if database_allowed is not None:
            assert isinstance(database_allowed, list)
            if action_initials in database_allowed:
                return None
    # Or the current table? That's any time the resource is (database, table)
    if resource is not None and not isinstance(resource, str) and len(resource) == 2:
        database, table = resource
        table_allowed = _r.get("t", {}).get(database, {}).get(table)
        # TODO: What should this do for canned queries?
        if table_allowed is not None:
            assert isinstance(table_allowed, list)
            if action_initials in table_allowed:
                return None
    # This action is not specifically allowed, so reject it
    return False


@hookimpl
def actor_from_request(datasette, request):
    prefix = "dstok_"
    if not datasette.setting("allow_signed_tokens"):
        return None
    max_signed_tokens_ttl = datasette.setting("max_signed_tokens_ttl")
    authorization = request.headers.get("authorization")
    if not authorization:
        return None
    if not authorization.startswith("Bearer "):
        return None
    token = authorization[len("Bearer ") :]
    if not token.startswith(prefix):
        return None
    token = token[len(prefix) :]
    try:
        decoded = datasette.unsign(token, namespace="token")
    except itsdangerous.BadSignature:
        return None
    if "t" not in decoded:
        # Missing timestamp
        return None
    created = decoded["t"]
    if not isinstance(created, int):
        # Invalid timestamp
        return None
    duration = decoded.get("d")
    if duration is not None and not isinstance(duration, int):
        # Invalid duration
        return None
    if (duration is None and max_signed_tokens_ttl) or (
        duration is not None
        and max_signed_tokens_ttl
        and duration > max_signed_tokens_ttl
    ):
        duration = max_signed_tokens_ttl
    if duration:
        if time.time() - created > duration:
            # Expired
            return None
    actor = {"id": decoded["a"], "token": "dstok"}
    if "_r" in decoded:
        actor["_r"] = decoded["_r"]
    if duration:
        actor["token_expires"] = created + duration
    return actor


@hookimpl
def register_commands(cli):
    from datasette.app import Datasette

    @cli.command()
    @click.argument("id")
    @click.option(
        "--secret",
        help="Secret used for signing the API tokens",
        envvar="DATASETTE_SECRET",
        required=True,
    )
    @click.option(
        "-e",
        "--expires-after",
        help="Token should expire after this many seconds",
        type=int,
    )
    @click.option(
        "--debug",
        help="Show decoded token",
        is_flag=True,
    )
    def create_token(id, secret, expires_after, debug):
        "Create a signed API token for the specified actor ID"
        ds = Datasette(secret=secret)
        bits = {"a": id, "token": "dstok", "t": int(time.time())}
        if expires_after:
            bits["d"] = expires_after
        token = ds.sign(bits, namespace="token")
        click.echo("dstok_{}".format(token))
        if debug:
            click.echo("\nDecoded:\n")
            click.echo(json.dumps(ds.unsign(token, namespace="token"), indent=2))


@hookimpl
def skip_csrf(scope):
    # Skip CSRF check for requests with content-type: application/json
    if scope["type"] == "http":
        headers = scope.get("headers") or {}
        if dict(headers).get(b"content-type") == b"application/json":
            return True
Added /-/permissions debug tool, closes #788 Also started the authentication.rst docs page, refs #786. Part of authentication work, refs #699. 2020-06-01 05:00:36 +00:00			`from datasette import hookimpl`
Test + default impl for view-query permission, refs #811 2020-06-07 21:23:16 +00:00			`from datasette.utils import actor_matches_allow`
datasette create-token command, refs #1859 2022-10-26 04:26:12 +00:00			`import click`
actor_from_request for dstok_ tokens, refs #1852 2022-10-26 02:18:41 +00:00			`import itsdangerous`
datasette create-token command, refs #1859 2022-10-26 04:26:12 +00:00			`import json`
actor_from_request for dstok_ tokens, refs #1852 2022-10-26 02:18:41 +00:00			`import time`
Added /-/permissions debug tool, closes #788 Also started the authentication.rst docs page, refs #786. Part of authentication work, refs #699. 2020-06-01 05:00:36 +00:00

Implementation and tests for _r field on actor, refs #1855 New mechanism for restricting permissions further for a given actor. This still needs documentation. It will eventually be used by the mechanism to issue signed API tokens that are only able to perform a subset of actions. This also adds tests that exercise the POST /-/permissions tool, refs #1881 2022-11-04 00:12:23 +00:00			`@hookimpl(tryfirst=True, specname="permission_allowed")`
			`def permission_allowed_default(datasette, actor, action, resource):`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`async def inner():`
Initial attempt at /db/table/row/-/delete, refs #1864 2022-10-30 23:16:00 +00:00			`if action in (`
			`"permissions-debug",`
			`"debug-menu",`
			`"insert-row",`
/db/-/create API endpoint, closes #1882 2022-11-15 05:57:28 +00:00			`"create-table",`
Initial attempt at /db/table/row/-/delete, refs #1864 2022-10-30 23:16:00 +00:00			`"drop-table",`
			`"delete-row",`
/db/table/pk/-/update endpoint, closes #1863 2022-11-29 18:06:19 +00:00			`"update-row",`
Initial attempt at /db/table/row/-/delete, refs #1864 2022-10-30 23:16:00 +00:00			`):`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`if actor and actor.get("id") == "root":`
			`return True`
			`elif action == "view-instance":`
			`allow = datasette.metadata("allow")`
			`if allow is not None:`
			`return actor_matches_allow(actor, allow)`
			`elif action == "view-database":`
Rename _schemas to _internal, closes #1156 2020-12-21 19:48:06 +00:00			`if resource == "_internal" and (actor is None or actor.get("id") != "root"):`
In-memory _schemas database tracking schemas of attached tables, closes #1150 2020-12-18 22:34:05 +00:00			`return False`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`database_allow = datasette.metadata("allow", database=resource)`
			`if database_allow is None:`
Express no opinion if allow block is missing Default permission policy was returning True by default for permission checks - which means that if allow was not defined for a level it would be treated as a passing check. This is better: we now return None of the allow block is not defined, which means 'I have no opinion on this' and allows other code to make its own decisions. Added while working on #832 2020-06-30 22:49:06 +00:00			`return None`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`return actor_matches_allow(actor, database_allow)`
			`elif action == "view-table":`
			`database, table = resource`
			`tables = datasette.metadata("tables", database=database) or {}`
			`table_allow = (tables.get(table) or {}).get("allow")`
			`if table_allow is None:`
Express no opinion if allow block is missing Default permission policy was returning True by default for permission checks - which means that if allow was not defined for a level it would be treated as a passing check. This is better: we now return None of the allow block is not defined, which means 'I have no opinion on this' and allows other code to make its own decisions. Added while working on #832 2020-06-30 22:49:06 +00:00			`return None`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`return actor_matches_allow(actor, table_allow)`
			`elif action == "view-query":`
			`# Check if this query has a "allow" block in metadata`
			`database, query_name = resource`
			`query = await datasette.get_canned_query(database, query_name, actor)`
			`assert query is not None`
			`allow = query.get("allow")`
			`if allow is None:`
Express no opinion if allow block is missing Default permission policy was returning True by default for permission checks - which means that if allow was not defined for a level it would be treated as a passing check. This is better: we now return None of the allow block is not defined, which means 'I have no opinion on this' and allows other code to make its own decisions. Added while working on #832 2020-06-30 22:49:06 +00:00			`return None`
Implemented view-instance permission, refs #811 2020-06-07 21:30:39 +00:00			`return actor_matches_allow(actor, allow)`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`elif action == "execute-sql":`
			`# Use allow_sql block from database block, or from top-level`
			`database_allow_sql = datasette.metadata("allow_sql", database=resource)`
			`if database_allow_sql is None:`
			`database_allow_sql = datasette.metadata("allow_sql")`
			`if database_allow_sql is None:`
Express no opinion if allow block is missing Default permission policy was returning True by default for permission checks - which means that if allow was not defined for a level it would be treated as a passing check. This is better: we now return None of the allow block is not defined, which means 'I have no opinion on this' and allows other code to make its own decisions. Added while working on #832 2020-06-30 22:49:06 +00:00			`return None`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`return actor_matches_allow(actor, database_allow_sql)`

			`return inner`
actor_from_request for dstok_ tokens, refs #1852 2022-10-26 02:18:41 +00:00

Implementation and tests for _r field on actor, refs #1855 New mechanism for restricting permissions further for a given actor. This still needs documentation. It will eventually be used by the mechanism to issue signed API tokens that are only able to perform a subset of actions. This also adds tests that exercise the POST /-/permissions tool, refs #1881 2022-11-04 00:12:23 +00:00			`@hookimpl(specname="permission_allowed")`
			`def permission_allowed_actor_restrictions(actor, action, resource):`
			`if actor is None:`
			`return None`
			`if "_r" not in actor:`
			`# No restrictions, so we have no opinion`
			`return None`
			`_r = actor.get("_r")`
			`action_initials = "".join([word[0] for word in action.split("-")])`
			`# If _r is defined then we use those to further restrict the actor`
			`# Crucially, we only use this to say NO (return False) - we never`
			`# use it to return YES (True) because that might over-ride other`
			`# restrictions placed on this actor`
			`all_allowed = _r.get("a")`
			`if all_allowed is not None:`
			`assert isinstance(all_allowed, list)`
			`if action_initials in all_allowed:`
			`return None`
			`# How about for the current database?`
			`if action in ("view-database", "view-database-download", "execute-sql"):`
			`database_allowed = _r.get("d", {}).get(resource)`
			`if database_allowed is not None:`
			`assert isinstance(database_allowed, list)`
			`if action_initials in database_allowed:`
			`return None`
			`# Or the current table? That's any time the resource is (database, table)`
/db/table/-/upsert API Close #1878 Also made a few tweaks to how _r works in tokens and actors, refs #1855 - I needed that mechanism for the tests. 2022-12-08 01:12:15 +00:00			`if resource is not None and not isinstance(resource, str) and len(resource) == 2:`
Implementation and tests for _r field on actor, refs #1855 New mechanism for restricting permissions further for a given actor. This still needs documentation. It will eventually be used by the mechanism to issue signed API tokens that are only able to perform a subset of actions. This also adds tests that exercise the POST /-/permissions tool, refs #1881 2022-11-04 00:12:23 +00:00			`database, table = resource`
			`table_allowed = _r.get("t", {}).get(database, {}).get(table)`
			`# TODO: What should this do for canned queries?`
			`if table_allowed is not None:`
			`assert isinstance(table_allowed, list)`
			`if action_initials in table_allowed:`
			`return None`
			`# This action is not specifically allowed, so reject it`
			`return False`


actor_from_request for dstok_ tokens, refs #1852 2022-10-26 02:18:41 +00:00			`@hookimpl`
			`def actor_from_request(datasette, request):`
			`prefix = "dstok_"`
allow_signed_tokens setting, closes #1856 2022-10-26 02:55:47 +00:00			`if not datasette.setting("allow_signed_tokens"):`
			`return None`
max_signed_tokens_ttl setting, closes #1858 Also redesigned token format to include creation time and optional duration. 2022-10-26 21:13:31 +00:00			`max_signed_tokens_ttl = datasette.setting("max_signed_tokens_ttl")`
actor_from_request for dstok_ tokens, refs #1852 2022-10-26 02:18:41 +00:00			`authorization = request.headers.get("authorization")`
			`if not authorization:`
			`return None`
			`if not authorization.startswith("Bearer "):`
			`return None`
			`token = authorization[len("Bearer ") :]`
			`if not token.startswith(prefix):`
			`return None`
			`token = token[len(prefix) :]`
			`try:`
			`decoded = datasette.unsign(token, namespace="token")`
			`except itsdangerous.BadSignature:`
			`return None`
max_signed_tokens_ttl setting, closes #1858 Also redesigned token format to include creation time and optional duration. 2022-10-26 21:13:31 +00:00			`if "t" not in decoded:`
			`# Missing timestamp`
			`return None`
			`created = decoded["t"]`
			`if not isinstance(created, int):`
			`# Invalid timestamp`
			`return None`
			`duration = decoded.get("d")`
			`if duration is not None and not isinstance(duration, int):`
			`# Invalid duration`
			`return None`
			`if (duration is None and max_signed_tokens_ttl) or (`
			`duration is not None`
			`and max_signed_tokens_ttl`
			`and duration > max_signed_tokens_ttl`
			`):`
			`duration = max_signed_tokens_ttl`
			`if duration:`
			`if time.time() - created > duration:`
			`# Expired`
actor_from_request for dstok_ tokens, refs #1852 2022-10-26 02:18:41 +00:00			`return None`
max_signed_tokens_ttl setting, closes #1858 Also redesigned token format to include creation time and optional duration. 2022-10-26 21:13:31 +00:00			`actor = {"id": decoded["a"], "token": "dstok"}`
/db/table/-/upsert API Close #1878 Also made a few tweaks to how _r works in tokens and actors, refs #1855 - I needed that mechanism for the tests. 2022-12-08 01:12:15 +00:00			`if "_r" in decoded:`
			`actor["_r"] = decoded["_r"]`
max_signed_tokens_ttl setting, closes #1858 Also redesigned token format to include creation time and optional duration. 2022-10-26 21:13:31 +00:00			`if duration:`
			`actor["token_expires"] = created + duration`
			`return actor`
datasette create-token command, refs #1859 2022-10-26 04:26:12 +00:00

			`@hookimpl`
			`def register_commands(cli):`
			`from datasette.app import Datasette`

			`@cli.command()`
			`@click.argument("id")`
			`@click.option(`
			`"--secret",`
			`help="Secret used for signing the API tokens",`
			`envvar="DATASETTE_SECRET",`
			`required=True,`
			`)`
			`@click.option(`
			`"-e",`
			`"--expires-after",`
			`help="Token should expire after this many seconds",`
			`type=int,`
			`)`
			`@click.option(`
			`"--debug",`
			`help="Show decoded token",`
			`is_flag=True,`
			`)`
			`def create_token(id, secret, expires_after, debug):`
			`"Create a signed API token for the specified actor ID"`
			`ds = Datasette(secret=secret)`
max_signed_tokens_ttl setting, closes #1858 Also redesigned token format to include creation time and optional duration. 2022-10-26 21:13:31 +00:00			`bits = {"a": id, "token": "dstok", "t": int(time.time())}`
datasette create-token command, refs #1859 2022-10-26 04:26:12 +00:00			`if expires_after:`
max_signed_tokens_ttl setting, closes #1858 Also redesigned token format to include creation time and optional duration. 2022-10-26 21:13:31 +00:00			`bits["d"] = expires_after`
datasette create-token command, refs #1859 2022-10-26 04:26:12 +00:00			`token = ds.sign(bits, namespace="token")`
			`click.echo("dstok_{}".format(token))`
			`if debug:`
			`click.echo("\nDecoded:\n")`
			`click.echo(json.dumps(ds.unsign(token, namespace="token"), indent=2))`
Drop API token requirement from API explorer, refs #1871 2022-10-30 20:09:55 +00:00

			`@hookimpl`
			`def skip_csrf(scope):`
			`# Skip CSRF check for requests with content-type: application/json`
			`if scope["type"] == "http":`
			`headers = scope.get("headers") or {}`
			`if dict(headers).get(b"content-type") == b"application/json":`
			`return True`