datasette/datasette/default_permissions.py

from datasette import hookimpl
from datasette.utils import actor_matches_allow
import click
import itsdangerous
import json
import time


@hookimpl(tryfirst=True)
def permission_allowed(datasette, actor, action, resource):
    async def inner():
        if action in ("permissions-debug", "debug-menu", "insert-row"):
            if actor and actor.get("id") == "root":
                return True
        elif action == "view-instance":
            allow = datasette.metadata("allow")
            if allow is not None:
                return actor_matches_allow(actor, allow)
        elif action == "view-database":
            if resource == "_internal" and (actor is None or actor.get("id") != "root"):
                return False
            database_allow = datasette.metadata("allow", database=resource)
            if database_allow is None:
                return None
            return actor_matches_allow(actor, database_allow)
        elif action == "view-table":
            database, table = resource
            tables = datasette.metadata("tables", database=database) or {}
            table_allow = (tables.get(table) or {}).get("allow")
            if table_allow is None:
                return None
            return actor_matches_allow(actor, table_allow)
        elif action == "view-query":
            # Check if this query has a "allow" block in metadata
            database, query_name = resource
            query = await datasette.get_canned_query(database, query_name, actor)
            assert query is not None
            allow = query.get("allow")
            if allow is None:
                return None
            return actor_matches_allow(actor, allow)
        elif action == "execute-sql":
            # Use allow_sql block from database block, or from top-level
            database_allow_sql = datasette.metadata("allow_sql", database=resource)
            if database_allow_sql is None:
                database_allow_sql = datasette.metadata("allow_sql")
            if database_allow_sql is None:
                return None
            return actor_matches_allow(actor, database_allow_sql)

    return inner


@hookimpl
def actor_from_request(datasette, request):
    prefix = "dstok_"
    if not datasette.setting("allow_signed_tokens"):
        return None
    max_signed_tokens_ttl = datasette.setting("max_signed_tokens_ttl")
    authorization = request.headers.get("authorization")
    if not authorization:
        return None
    if not authorization.startswith("Bearer "):
        return None
    token = authorization[len("Bearer ") :]
    if not token.startswith(prefix):
        return None
    token = token[len(prefix) :]
    try:
        decoded = datasette.unsign(token, namespace="token")
    except itsdangerous.BadSignature:
        return None
    if "t" not in decoded:
        # Missing timestamp
        return None
    created = decoded["t"]
    if not isinstance(created, int):
        # Invalid timestamp
        return None
    duration = decoded.get("d")
    if duration is not None and not isinstance(duration, int):
        # Invalid duration
        return None
    if (duration is None and max_signed_tokens_ttl) or (
        duration is not None
        and max_signed_tokens_ttl
        and duration > max_signed_tokens_ttl
    ):
        duration = max_signed_tokens_ttl
    if duration:
        if time.time() - created > duration:
            # Expired
            return None
    actor = {"id": decoded["a"], "token": "dstok"}
    if duration:
        actor["token_expires"] = created + duration
    return actor


@hookimpl
def register_commands(cli):
    from datasette.app import Datasette

    @cli.command()
    @click.argument("id")
    @click.option(
        "--secret",
        help="Secret used for signing the API tokens",
        envvar="DATASETTE_SECRET",
        required=True,
    )
    @click.option(
        "-e",
        "--expires-after",
        help="Token should expire after this many seconds",
        type=int,
    )
    @click.option(
        "--debug",
        help="Show decoded token",
        is_flag=True,
    )
    def create_token(id, secret, expires_after, debug):
        "Create a signed API token for the specified actor ID"
        ds = Datasette(secret=secret)
        bits = {"a": id, "token": "dstok", "t": int(time.time())}
        if expires_after:
            bits["d"] = expires_after
        token = ds.sign(bits, namespace="token")
        click.echo("dstok_{}".format(token))
        if debug:
            click.echo("\nDecoded:\n")
            click.echo(json.dumps(ds.unsign(token, namespace="token"), indent=2))
Added /-/permissions debug tool, closes #788 Also started the authentication.rst docs page, refs #786. Part of authentication work, refs #699. 2020-06-01 05:00:36 +00:00			`from datasette import hookimpl`
Test + default impl for view-query permission, refs #811 2020-06-07 21:23:16 +00:00			`from datasette.utils import actor_matches_allow`
datasette create-token command, refs #1859 2022-10-26 04:26:12 +00:00			`import click`
actor_from_request for dstok_ tokens, refs #1852 2022-10-26 02:18:41 +00:00			`import itsdangerous`
datasette create-token command, refs #1859 2022-10-26 04:26:12 +00:00			`import json`
actor_from_request for dstok_ tokens, refs #1852 2022-10-26 02:18:41 +00:00			`import time`
Added /-/permissions debug tool, closes #788 Also started the authentication.rst docs page, refs #786. Part of authentication work, refs #699. 2020-06-01 05:00:36 +00:00

Better example plugin for permission_allowed Also fixed it so default permission checks run after plugin permission checks, refs #818 2020-06-08 22:09:57 +00:00			`@hookimpl(tryfirst=True)`
Renamed resource_identifier to resource, refs #817 2020-06-08 18:59:11 +00:00			`def permission_allowed(datasette, actor, action, resource):`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`async def inner():`
First draft of insert row write API, refs #1851 2022-10-27 03:57:02 +00:00			`if action in ("permissions-debug", "debug-menu", "insert-row"):`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`if actor and actor.get("id") == "root":`
			`return True`
			`elif action == "view-instance":`
			`allow = datasette.metadata("allow")`
			`if allow is not None:`
			`return actor_matches_allow(actor, allow)`
			`elif action == "view-database":`
Rename _schemas to _internal, closes #1156 2020-12-21 19:48:06 +00:00			`if resource == "_internal" and (actor is None or actor.get("id") != "root"):`
In-memory _schemas database tracking schemas of attached tables, closes #1150 2020-12-18 22:34:05 +00:00			`return False`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`database_allow = datasette.metadata("allow", database=resource)`
			`if database_allow is None:`
Express no opinion if allow block is missing Default permission policy was returning True by default for permission checks - which means that if allow was not defined for a level it would be treated as a passing check. This is better: we now return None of the allow block is not defined, which means 'I have no opinion on this' and allows other code to make its own decisions. Added while working on #832 2020-06-30 22:49:06 +00:00			`return None`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`return actor_matches_allow(actor, database_allow)`
			`elif action == "view-table":`
			`database, table = resource`
			`tables = datasette.metadata("tables", database=database) or {}`
			`table_allow = (tables.get(table) or {}).get("allow")`
			`if table_allow is None:`
Express no opinion if allow block is missing Default permission policy was returning True by default for permission checks - which means that if allow was not defined for a level it would be treated as a passing check. This is better: we now return None of the allow block is not defined, which means 'I have no opinion on this' and allows other code to make its own decisions. Added while working on #832 2020-06-30 22:49:06 +00:00			`return None`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`return actor_matches_allow(actor, table_allow)`
			`elif action == "view-query":`
			`# Check if this query has a "allow" block in metadata`
			`database, query_name = resource`
			`query = await datasette.get_canned_query(database, query_name, actor)`
			`assert query is not None`
			`allow = query.get("allow")`
			`if allow is None:`
Express no opinion if allow block is missing Default permission policy was returning True by default for permission checks - which means that if allow was not defined for a level it would be treated as a passing check. This is better: we now return None of the allow block is not defined, which means 'I have no opinion on this' and allows other code to make its own decisions. Added while working on #832 2020-06-30 22:49:06 +00:00			`return None`
Implemented view-instance permission, refs #811 2020-06-07 21:30:39 +00:00			`return actor_matches_allow(actor, allow)`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`elif action == "execute-sql":`
			`# Use allow_sql block from database block, or from top-level`
			`database_allow_sql = datasette.metadata("allow_sql", database=resource)`
			`if database_allow_sql is None:`
			`database_allow_sql = datasette.metadata("allow_sql")`
			`if database_allow_sql is None:`
Express no opinion if allow block is missing Default permission policy was returning True by default for permission checks - which means that if allow was not defined for a level it would be treated as a passing check. This is better: we now return None of the allow block is not defined, which means 'I have no opinion on this' and allows other code to make its own decisions. Added while working on #832 2020-06-30 22:49:06 +00:00			`return None`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`return actor_matches_allow(actor, database_allow_sql)`

			`return inner`
actor_from_request for dstok_ tokens, refs #1852 2022-10-26 02:18:41 +00:00

			`@hookimpl`
			`def actor_from_request(datasette, request):`
			`prefix = "dstok_"`
allow_signed_tokens setting, closes #1856 2022-10-26 02:55:47 +00:00			`if not datasette.setting("allow_signed_tokens"):`
			`return None`
max_signed_tokens_ttl setting, closes #1858 Also redesigned token format to include creation time and optional duration. 2022-10-26 21:13:31 +00:00			`max_signed_tokens_ttl = datasette.setting("max_signed_tokens_ttl")`
actor_from_request for dstok_ tokens, refs #1852 2022-10-26 02:18:41 +00:00			`authorization = request.headers.get("authorization")`
			`if not authorization:`
			`return None`
			`if not authorization.startswith("Bearer "):`
			`return None`
			`token = authorization[len("Bearer ") :]`
			`if not token.startswith(prefix):`
			`return None`
			`token = token[len(prefix) :]`
			`try:`
			`decoded = datasette.unsign(token, namespace="token")`
			`except itsdangerous.BadSignature:`
			`return None`
max_signed_tokens_ttl setting, closes #1858 Also redesigned token format to include creation time and optional duration. 2022-10-26 21:13:31 +00:00			`if "t" not in decoded:`
			`# Missing timestamp`
			`return None`
			`created = decoded["t"]`
			`if not isinstance(created, int):`
			`# Invalid timestamp`
			`return None`
			`duration = decoded.get("d")`
			`if duration is not None and not isinstance(duration, int):`
			`# Invalid duration`
			`return None`
			`if (duration is None and max_signed_tokens_ttl) or (`
			`duration is not None`
			`and max_signed_tokens_ttl`
			`and duration > max_signed_tokens_ttl`
			`):`
			`duration = max_signed_tokens_ttl`
			`if duration:`
			`if time.time() - created > duration:`
			`# Expired`
actor_from_request for dstok_ tokens, refs #1852 2022-10-26 02:18:41 +00:00			`return None`
max_signed_tokens_ttl setting, closes #1858 Also redesigned token format to include creation time and optional duration. 2022-10-26 21:13:31 +00:00			`actor = {"id": decoded["a"], "token": "dstok"}`
			`if duration:`
			`actor["token_expires"] = created + duration`
			`return actor`
datasette create-token command, refs #1859 2022-10-26 04:26:12 +00:00

			`@hookimpl`
			`def register_commands(cli):`
			`from datasette.app import Datasette`

			`@cli.command()`
			`@click.argument("id")`
			`@click.option(`
			`"--secret",`
			`help="Secret used for signing the API tokens",`
			`envvar="DATASETTE_SECRET",`
			`required=True,`
			`)`
			`@click.option(`
			`"-e",`
			`"--expires-after",`
			`help="Token should expire after this many seconds",`
			`type=int,`
			`)`
			`@click.option(`
			`"--debug",`
			`help="Show decoded token",`
			`is_flag=True,`
			`)`
			`def create_token(id, secret, expires_after, debug):`
			`"Create a signed API token for the specified actor ID"`
			`ds = Datasette(secret=secret)`
max_signed_tokens_ttl setting, closes #1858 Also redesigned token format to include creation time and optional duration. 2022-10-26 21:13:31 +00:00			`bits = {"a": id, "token": "dstok", "t": int(time.time())}`
datasette create-token command, refs #1859 2022-10-26 04:26:12 +00:00			`if expires_after:`
max_signed_tokens_ttl setting, closes #1858 Also redesigned token format to include creation time and optional duration. 2022-10-26 21:13:31 +00:00			`bits["d"] = expires_after`
datasette create-token command, refs #1859 2022-10-26 04:26:12 +00:00			`token = ds.sign(bits, namespace="token")`
			`click.echo("dstok_{}".format(token))`
			`if debug:`
			`click.echo("\nDecoded:\n")`
			`click.echo(json.dumps(ds.unsign(token, namespace="token"), indent=2))`