Use common base type for all access policy types

tpoliaw · danielballan · commit ceaa08bb2834 · 2025-10-07T16:00:35.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,12 +4,16 @@ Write the date in place of the "Unreleased" in the case a new version is release
 # Changelog
 
 
-## Unreleased
+## v0.2.0 (Unreleased)
 
 ### Fixed
 
 - Column names in `TableStructure` are explicitly converted to strings.
 
+### Refactored
+
+- Use common base type for all access policy types
+
 
 ## v0.1.6 (2025-09-29)
 
diff --git a/tiled/access_control/access_policies.py b/tiled/access_control/access_policies.py
@@ -3,6 +3,7 @@
 
 from ..queries import AccessBlobFilter
 from ..utils import Sentinel, import_object
+from .protocols import AccessPolicy
 from .scopes import ALL_SCOPES, PUBLIC_SCOPES
 
 ALL_ACCESS = Sentinel("ALL_ACCESS")
@@ -20,7 +21,7 @@
     logger.setLevel(log_level.upper())
 
 
-class DummyAccessPolicy:
+class DummyAccessPolicy(AccessPolicy):
     "Impose no access restrictions."
 
     async def allowed_scopes(self, node, principal, authn_access_tags, authn_scopes):
@@ -30,7 +31,7 @@ async def filters(self, node, principal, authn_access_tags, authn_scopes, scopes
         return []
 
 
-class TagBasedAccessPolicy:
+class TagBasedAccessPolicy(AccessPolicy):
     def __init__(
         self,
         *,
diff --git a/tiled/access_control/protocols.py b/tiled/access_control/protocols.py
@@ -0,0 +1,38 @@
+from abc import ABC, abstractmethod
+from typing import Any, Optional, Set
+
+from ..adapters.protocols import BaseAdapter
+from ..server.schemas import Principal
+from ..type_aliases import Filters, Scopes
+
+
+class AccessPolicy(ABC):
+    @abstractmethod
+    async def allowed_scopes(
+        self,
+        node: BaseAdapter,
+        principal: Principal,
+        authn_access_tags: Optional[Set[str]],
+        authn_scopes: Scopes,
+    ) -> Scopes:
+        pass
+
+    @abstractmethod
+    async def filters(
+        self,
+        node: BaseAdapter,
+        principal: Principal,
+        authn_access_tags: Optional[Set[str]],
+        authn_scopes: Scopes,
+        scopes: Scopes,
+    ) -> Filters:
+        pass
+
+    async def modify_node(
+        self,
+        node: BaseAdapter,
+        principal: Principal,
+        authn_scopes: Scopes,
+        access_blob: Optional[dict[str, Any]],
+    ) -> tuple[bool, Optional[dict[str, Any]]]:
+        return (False, access_blob)
diff --git a/tiled/adapters/protocols.py b/tiled/adapters/protocols.py
@@ -8,14 +8,13 @@
 from numpy.typing import NDArray
 
 from ..ndslice import NDSlice
-from ..server.schemas import Principal
 from ..storage import Storage
 from ..structures.array import ArrayStructure
 from ..structures.awkward import AwkwardStructure
 from ..structures.core import Spec, StructureFamily
 from ..structures.sparse import SparseStructure
 from ..structures.table import TableStructure
-from ..type_aliases import JSON, Filters, Scopes
+from ..type_aliases import JSON
 from .awkward_directory_container import DirectoryContainer
 
 
@@ -130,26 +129,3 @@ def __getitem__(self, key: str) -> ArrayAdapter:
 AnyAdapter = Union[
     ArrayAdapter, AwkwardAdapter, ContainerAdapter, SparseAdapter, TableAdapter
 ]
-
-
-class AccessPolicy(Protocol):
-    @abstractmethod
-    async def allowed_scopes(
-        self,
-        node: BaseAdapter,
-        principal: Principal,
-        authn_access_tags: Optional[Set[str]],
-        authn_scopes: Scopes,
-    ) -> Scopes:
-        pass
-
-    @abstractmethod
-    async def filters(
-        self,
-        node: BaseAdapter,
-        principal: Principal,
-        authn_access_tags: Optional[Set[str]],
-        authn_scopes: Scopes,
-        scopes: Scopes,
-    ) -> Filters:
-        pass
diff --git a/tiled/server/app.py b/tiled/server/app.py
@@ -36,10 +36,7 @@
     HTTP_500_INTERNAL_SERVER_ERROR,
 )
 
-from tiled.query_registration import QueryRegistry, default_query_registry
-from tiled.server.protocols import ExternalAuthenticator, InternalAuthenticator
-from tiled.type_aliases import AppTask, TaskMap
-
+from ..access_control.protocols import AccessPolicy
 from ..catalog.adapter import WouldDeleteData
 from ..config import (
     Authentication,
@@ -60,8 +57,11 @@
 from ..validation_registration import ValidationRegistry, default_validation_registry
 from .authentication import move_api_key
 from .compression import CompressionMiddleware
+from .query_registration import QueryRegistry, default_query_registry
 from .router import get_metrics_router, get_router
+from .server.protocols import ExternalAuthenticator, InternalAuthenticator
 from .settings import Settings, get_settings
+from .type_aliases import AppTask, TaskMap
 from .utils import API_KEY_COOKIE_NAME, CSRF_COOKIE_NAME, get_root_url, record_timing
 from .zarr import get_zarr_router_v2, get_zarr_router_v3
 
@@ -124,7 +124,7 @@ def build_app(
     validation_registry: Optional[ValidationRegistry] = None,
     tasks: Optional[dict[str, list[AppTask]]] = None,
     scalable=False,
-    access_policy=None,
+    access_policy: Optional[AccessPolicy] = None,
 ):
     """
     Serve a Tree
@@ -136,7 +136,7 @@ def build_app(
         Dict of authentication configuration.
     server_settings: dict, optional
         Dict of other server configuration.
-    access_policy:
+    access_policy: AccessPolicy, optional
         AccessPolicy object encoding rules for which users can see which entries.
     """
     authentication = authentication or Authentication()
diff --git a/tiled/server/dependencies.py b/tiled/server/dependencies.py
@@ -4,13 +4,13 @@
 from fastapi import HTTPException, Query, Request
 from starlette.status import HTTP_403_FORBIDDEN, HTTP_404_NOT_FOUND, HTTP_410_GONE
 
-from tiled.adapters.protocols import AnyAdapter
-from tiled.server.schemas import Principal
-from tiled.structures.core import StructureFamily
-
+from ..access_control.protocols import AccessPolicy
+from ..adapters.protocols import AnyAdapter
+from ..structures.core import StructureFamily
 from ..type_aliases import Scopes
 from ..utils import BrokenLink
 from .core import NoEntry
+from .schemas import Principal
 from .utils import filter_for_access, record_timing
 
 
@@ -28,7 +28,7 @@ async def get_entry(
     session_state: dict,
     metrics: dict,
     structure_families: Optional[set[StructureFamily]] = None,
-    access_policy=None,
+    access_policy: Optional[AccessPolicy] = None,
 ) -> AnyAdapter:
     """
     Obtain a node in the tree from its path.
@@ -40,7 +40,6 @@ async def get_entry(
     """
     path_parts = [segment for segment in path.split("/") if segment]
     entry = root_tree
-    # access_policy = getattr(request.app.state, "access_policy", None)
     # If the entry/adapter can take a session state, pass it in.
     # The entry/adapter may return itself or a different object.
     if hasattr(entry, "with_session_state") and session_state:
diff --git a/tiled/server/router.py b/tiled/server/router.py
@@ -2021,14 +2021,11 @@ async def patch_metadata(
             settings=settings,
         )
 
-        if request.app.state.access_policy is not None and hasattr(
+        if policy := request.app.state.access_policy and hasattr(
             request.app.state.access_policy, "modify_node"
         ):
             try:
-                (
-                    access_blob_modified,
-                    access_blob,
-                ) = await request.app.state.access_policy.modify_node(
+                (access_blob_modified, access_blob) = await policy.modify_node(
                     entry, principal, authn_access_tags, authn_scopes, access_blob
                 )
             except ValueError as e:
@@ -2100,14 +2097,11 @@ async def put_metadata(
             settings=settings,
         )
 
-        if request.app.state.access_policy is not None and hasattr(
+        if policy := request.app.state.access_policy and hasattr(
             request.app.state.access_policy, "modify_node"
         ):
             try:
-                (
-                    access_blob_modified,
-                    access_blob,
-                ) = await request.app.state.access_policy.modify_node(
+                (access_blob_modified, access_blob) = await policy.modify_node(
                     entry, principal, authn_access_tags, authn_scopes, access_blob
                 )
             except ValueError as e:
diff --git a/tiled/server/utils.py b/tiled/server/utils.py
@@ -1,14 +1,14 @@
 import contextlib
 import time
 from collections.abc import Generator
-from typing import Any, Literal, Mapping, Optional, Sequence
+from typing import Any, Literal, Mapping, Optional, Sequence, Set
 
 from fastapi import Request, WebSocket
 from starlette.types import Scope
 
 from ..access_control.access_policies import NO_ACCESS
+from ..access_control.protocols import AccessPolicy
 from ..adapters.mapping import MapAdapter
-from ..adapters.protocols import AccessPolicy
 from ..server.schemas import Principal
 from ..type_aliases import Scopes
 
@@ -89,7 +89,7 @@ async def filter_for_access(
     entry,
     access_policy: Optional[AccessPolicy],
     principal: Principal,
-    authn_access_tags,
+    authn_access_tags: Optional[Set[str]],
     authn_scopes: Scopes,
     scopes: Sequence[str],
     metrics: dict[str, Any],
