Use common base type for all access policy types

Author: tpoliaw

CHANGELOG.md

@@ -19,6 +19,7 @@ Write the date in place of the "Unreleased" in the case a new version is release
   of Closure Table to track ancestors and descendands of the nodes.
 - Shorter string representation of chunks in `ArrayClient`.
 - Refactored internal Zarr version detection
+- Use common base type for all access policy types
 
 ### Fixed
 

tiled/access_policies.py

@@ -4,6 +4,8 @@
 from contextlib import closing
 from functools import partial
 
+from tiled.adapters.protocols import AccessPolicy
+
 from .queries import AccessBlobFilter, In, KeysFilter
 from .scopes import ALL_SCOPES, PUBLIC_SCOPES
 from .utils import Sentinel, SpecialUsers, import_object
@@ -23,7 +25,7 @@
     logger.setLevel(log_level.upper())
 
 
-class DummyAccessPolicy:
+class DummyAccessPolicy(AccessPolicy):
     "Impose no access restrictions."
 
     async def allowed_scopes(self, node, principal, authn_scopes):
@@ -33,7 +35,7 @@ async def filters(self, node, principal, authn_scopes, scopes):
         return []
 
 
-class SimpleAccessPolicy:
+class SimpleAccessPolicy(AccessPolicy):
     """
     A mapping of user names to lists of entries they have access to.
 
@@ -180,7 +182,7 @@ def get_tags_from_scope(self, scope, username):
         return user_scope_tags
 
 
-class TagBasedAccessPolicy:
+class TagBasedAccessPolicy(AccessPolicy):
     def __init__(
         self,
         *,

tiled/adapters/protocols.py

@@ -1,4 +1,4 @@
-from abc import abstractmethod
+from abc import ABC, abstractmethod
 from collections.abc import Mapping
 from typing import Any, Dict, List, Literal, Optional, Protocol, Set, Tuple, Union
 
@@ -132,7 +132,7 @@ def __getitem__(self, key: str) -> ArrayAdapter:
 ]
 
 
-class AccessPolicy(Protocol):
+class AccessPolicy(ABC):
     @abstractmethod
     async def allowed_scopes(
         self,
@@ -151,3 +151,12 @@ async def filters(
         scopes: Scopes,
     ) -> Filters:
         pass
+
+    async def modify_node(
+        self,
+        node: BaseAdapter,
+        principal: Principal,
+        authn_scopes: Scopes,
+        access_blob: Optional[dict[str, Any]],
+    ) -> tuple[bool, Optional[dict[str, Any]]]:
+        return (False, access_blob)

tiled/server/app.py

@@ -36,6 +36,7 @@
     HTTP_500_INTERNAL_SERVER_ERROR,
 )
 
+from tiled.adapters.protocols import AccessPolicy
 from tiled.query_registration import QueryRegistry, default_query_registry
 from tiled.server.authentication import move_api_key
 from tiled.server.protocols import ExternalAuthenticator, InternalAuthenticator
@@ -120,7 +121,7 @@ def build_app(
     validation_registry: Optional[ValidationRegistry] = None,
     tasks: Optional[dict[str, list[AppTask]]] = None,
     scalable=False,
-    access_policy=None,
+    access_policy: Optional[AccessPolicy] = None,
 ):
     """
     Serve a Tree
@@ -134,7 +135,7 @@ def build_app(
         List of authenticator classes (one per support identity provider)
     server_settings: dict, optional
         Dict of other server configuration.
-    access_policy:
+    access_policy: AccessPolicy, optional
         AccessPolicy object encoding rules for which users can see which entries.
     """
     authentication = authentication or {}

tiled/server/dependencies.py

@@ -4,7 +4,7 @@
 from fastapi import HTTPException, Query, Request
 from starlette.status import HTTP_403_FORBIDDEN, HTTP_404_NOT_FOUND, HTTP_410_GONE
 
-from tiled.adapters.protocols import AnyAdapter
+from tiled.adapters.protocols import AccessPolicy, AnyAdapter
 from tiled.server.schemas import Principal
 from tiled.structures.core import StructureFamily
 from tiled.utils import SpecialUsers
@@ -28,7 +28,7 @@ async def get_entry(
     session_state: dict,
     metrics: dict,
     structure_families: Optional[set[StructureFamily]] = None,
-    access_policy=None,
+    access_policy: Optional[AccessPolicy] = None,
 ) -> AnyAdapter:
     """
     Obtain a node in the tree from its path.
@@ -40,7 +40,6 @@ async def get_entry(
     """
     path_parts = [segment for segment in path.split("/") if segment]
     entry = root_tree
-    # access_policy = getattr(request.app.state, "access_policy", None)
     # If the entry/adapter can take a session state, pass it in.
     # The entry/adapter may return itself or a different object.
     if hasattr(entry, "with_session_state") and session_state:

tiled/server/router.py

@@ -1898,14 +1898,9 @@ async def patch_metadata(
             settings=settings,
         )
 
-        if request.app.state.access_policy is not None and hasattr(
-            request.app.state.access_policy, "modify_node"
-        ):
+        if policy := request.app.state.access_policy:
             try:
-                (
-                    access_blob_modified,
-                    access_blob,
-                ) = await request.app.state.access_policy.modify_node(
+                (access_blob_modified, access_blob) = await policy.modify_node(
                     entry, principal, authn_scopes, access_blob
                 )
             except ValueError as e:
@@ -1978,14 +1973,9 @@ async def put_metadata(
             settings=settings,
         )
 
-        if request.app.state.access_policy is not None and hasattr(
-            request.app.state.access_policy, "modify_node"
-        ):
+        if policy := request.app.state.access_policy:
             try:
-                (
-                    access_blob_modified,
-                    access_blob,
-                ) = await request.app.state.access_policy.modify_node(
+                (access_blob_modified, access_blob) = await policy.modify_node(
                     entry, principal, authn_scopes, access_blob
                 )
             except ValueError as e:

tiled/server/utils.py

@@ -1,11 +1,13 @@
 import contextlib
 import time
 from collections.abc import Generator
-from typing import Any, Literal, Mapping
+from typing import Any, Literal, Mapping, Optional
 
 from fastapi import Request
 from starlette.types import Scope
 
+from tiled.adapters.protocols import AccessPolicy
+
 from ..access_policies import NO_ACCESS
 from ..adapters.mapping import MapAdapter
 
@@ -75,7 +77,12 @@ def get_root_url_low_level(request_headers: Mapping[str, str], scope: Scope) ->
 
 
 async def filter_for_access(
-    entry, access_policy, principal, authn_scopes, scopes, metrics
+    entry,
+    access_policy: Optional[AccessPolicy],
+    principal,
+    authn_scopes,
+    scopes,
+    metrics,
 ):
     if access_policy is not None and hasattr(entry, "search"):
         with record_timing(metrics, "acl"):