feat: allow restricting a list of available repos

DataShades · Nov 25, 2024 · 5209077 · 5209077
1 parent aaf412d
commit 5209077
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 21 deletions.
diff --git a/ckanext/event_audit/config.py b/ckanext/event_audit/config.py
@@ -6,6 +6,7 @@
 
 CONF_ACTIVE_REPO = "ckanext.event_audit.active_repo"
 DEF_ACTIVE_REPO = "redis"
+CONF_RESTRICT_AVAILABLE_REPOS = "ckanext.event_audit.restrict_available_repos"
 
 CONF_CLOUDWATCH_KEY = "ckanext.event_audit.cloudwatch.access_key"
 CONF_CLOUDWATCH_SECRET = "ckanext.event_audit.cloudwatch.secret_key"
@@ -32,6 +33,10 @@ def active_repo() -> str:
     return tk.config.get(CONF_ACTIVE_REPO, DEF_ACTIVE_REPO)
 
 
+def get_list_of_available_repos() -> list[str]:
+    return tk.config[CONF_RESTRICT_AVAILABLE_REPOS]
+
+
 def get_cloudwatch_credentials() -> types.AWSCredentials:
     return types.AWSCredentials(
         aws_access_key_id=tk.config[CONF_CLOUDWATCH_KEY],

diff --git a/ckanext/event_audit/config_declaration.yaml b/ckanext/event_audit/config_declaration.yaml
@@ -8,6 +8,11 @@ groups:
         validators: audit_repo_exists
         editable: true
 
+      - key: ckanext.event_audit.restrict_available_repos
+        description: The available repositories to store the audit logs
+        type: list
+        editable: false
+
       - key: ckanext.event_audit.cloudwatch.access_key
         description: The access key for the AWS account
         default: ''

diff --git a/ckanext/event_audit/tests/test_config.py b/ckanext/event_audit/tests/test_config.py
@@ -4,7 +4,7 @@
 
 from ckan.tests.helpers import call_action
 
-from ckanext.event_audit import config, const, types
+from ckanext.event_audit import config, const, types, utils
 
 
 @pytest.mark.usefixtures("with_plugins")
@@ -68,3 +68,24 @@ def test_ignore_model(self, repo, user):
         events = repo.filter_events(types.Filters())
 
         assert len(events) == 0
+
+
+@pytest.mark.usefixtures("with_plugins")
+class TestRestrictAvailableRepos:
+    def test_not_restricted_by_default(self):
+        assert config.get_list_of_available_repos() == []
+        assert len(utils.get_available_repos()) == 3
+
+    @pytest.mark.ckan_config(config.CONF_RESTRICT_AVAILABLE_REPOS, "cloudwatch")
+    @pytest.mark.ckan_config(config.CONF_ACTIVE_REPO, "cloudwatch")
+    def test_restrict_to_cloudwatch(self):
+        assert config.get_list_of_available_repos() == ["cloudwatch"]
+
+        repos = utils.get_available_repos()
+
+        assert len(repos) == 1
+        assert "cloudwatch" in repos
+        assert utils.get_repo("cloudwatch").get_name() == "cloudwatch"
+
+        with pytest.raises(ValueError, match="Repository redis not found"):
+            utils.get_repo("redis")
diff --git a/ckanext/event_audit/utils.py b/ckanext/event_audit/utils.py
@@ -26,7 +26,16 @@ def get_available_repos() -> dict[str, type[repos.AbstractRepository]]:
     for plugin in reversed(list(p.PluginImplementations(IEventAudit))):
         plugin_repos.update(plugin.register_repository())
 
-    return plugin_repos
+    restrict_repos = config.get_list_of_available_repos()
+
+    if not restrict_repos:
+        return plugin_repos
+
+    return {
+        name: repo
+        for name, repo in plugin_repos.items()
+        if name in config.get_list_of_available_repos()
+    }
 
 
 def get_active_repo() -> repos.AbstractRepository:

diff --git a/docs/configure/active_repo.md b/docs/configure/active_repo.md
diff --git a/docs/configure/repository.md b/docs/configure/repository.md
@@ -0,0 +1,33 @@
+The event audit logs are stored in a configurable storages, we call them repositories. To use an extension, you have to choose one of the available repositories.
+
+The following repositories are available:
+
+1. `redis` - the default repository, stores logs in Redis.
+2. `postgres` - stores logs in a PostgreSQL database.
+3. `cloudwatch` - stores logs in AWS CloudWatch.
+
+???+ note
+    If the `cloudwatch` repository is used, the extension will automatically create a log group in CloudWatch. Also, check the [CloudWatch repository documentation](cloudwatch.md) for additional configuration options.
+
+## Active repository
+
+The default repository is `redis`, but it can be changed to a different one. To do this, we have to set the following configuration options in the CKAN configuration file:
+
+```ini
+ckanext.event_audit.active_repo = postgres
+```
+
+## List of available repositories
+
+You can restrict a list of available repositories by setting the following configuration option in the CKAN configuration file:
+
+```ini
+ckanext.event_audit.active_repo = cloudwatch
+ckanext.event_audit.restrict_available_repos = cloudwatch
+```
+
+???+ note
+    By default, we're not restricting the list of available repositories. It means that all registered repositories are available for use.
+
+This could be useful if you want to limit the available repositories to a specific set of options due to some security concerns.
+This config option won't be available in the admin interface and can't be changed in real time.
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -90,9 +90,9 @@ nav:
   - cli.md
 
   - Configuration:
-    - configure/admin_panel.md
-    - configure/active_repo.md
+    - configure/repository.md
     - configure/cloudwatch.md
+    - configure/admin_panel.md
     - configure/ignore.md
     - configure/tracking.md
     - configure/async.md