Permission update

CHANGES.rst

@@ -10,11 +10,11 @@ Changes
 * Add optional key ``field`` and ``regex`` to be used in the ``sync_permissions`` section found in the config.
   This allow to sync permission using a field other than ``resource_full_name`` when creating the nametype path
   from the segment ``ex.: /field1::type1/field2::type2``. This adds the support of using ``resource_display_name``.
-* The ``regex`` is used to extract the desired information from the ``nametype_path`` that should be used to do an
+* The ``regex`` is used to extract the desired information from the ``nametype_path``. It should be used to do an
   exact match. This new search overrides the default way of matching each segment with the ``nametype path``. 
   In the case where a ``regex`` is found in the target segment, the data will be formed using the same ``resource_type``
   for every match in the same segment. Similary, as using ``- name: "**"`` in the config to match multiple segment,
-  it is possible to use a ``regex`` to match multiple directory in the same segment with ``regex: '(?<=:).*\/?(?=\/)' ``
+  it is possible to use a ``regex`` to match multiple directory in the same segment with ``regex: '(?<=:).*\/?(?=\/)'``
 
 `2.1.0 <https://github.com/Ouranosinc/cowbird/tree/2.1.0>`_ (2023-09-18)
 ------------------------------------------------------------------------------------

config/config.example.yml

@@ -183,3 +183,58 @@ sync_permissions:
       - "process_job_status : read -> job_status : read"
       # different permission (match), otherwise all jobs/outputs become available.
       - "process_job_status : read -> process_description : read-match"
+stac_permissions:
+    services:
+      api:
+        stac_collection:
+          - name: stac
+            type: service
+          - name: stac
+            type: route
+          - name: collections
+            type: route
+          - type: route
+            field: resource_display_name # Use the resource_display_name for permission mapping.
+            regex: '[\w]+:[\w\/]+' # This will extract the display name (ex: thredds:birdhouse/testdata/xclim/cmip6).
+        stac_item:
+          - name: stac
+            type: service
+          - name: stac
+            type: route
+          - name: collections
+            type: route
+          - name: "{collectionId}"
+            type: route
+          - name: items
+            type: route
+          - type: route
+            field: resource_display_name # Use the resource_display_name for permission mapping.
+            regex: '[\w]+:[\w\/.-]+' # This will extract the display name (ex: thredds:birdhouse/testdata/xclim/cmip6/sic_SImon_CCCma-CanESM5_ssp245_r13i1p2f1_2020.nc)
+
+      thredds: 
+        thredd_collection:
+          - name: thredds
+            type: service            
+          - type: directory
+            regex: '(?<=:)[\w\/]+' # Match everything after ":" but before last "/" (ex: thredds:birdhouse/testdata/xclim/cmip6 will match to : birdhouse/testdata/xclim/cmip6)
+                                   # It would be equivalent as matching any number of directory using "**"
+        thredd_item:
+          - name: thredds
+            type: service
+          - type: directory
+            regex: '(?<=:).*\/?(?=\/)' # Match everything after ":" but before last "/" example thredds:birdhouse/testdata/xclim/cmip6/sic_SImon_CCCma-CanESM5_ssp245_r13i1p2f1_2020.nc
+                                       # will return birdhouse/testdata/xclim/cmip6. This would create recreate the same hierarchy of directories. 
+          - type: file
+            regex: '[^\/]+$' # Match a file in a leaf directory (ex: sic_SImon_CCCma-CanESM5_ssp245_r13i1p2f1_2020.nc).
+
+    permissions_mapping:
+      # Permission mapping relating to the stac collection mapped to a thredd directory.
+      - "stac_collection : read-match -> thredd_collection : browse-match"
+      - "stac_collection : read-allow-recursive -> thredd_collection : browse-allow-recursive"
+      - "stac_collection : read-deny-match -> thredd_collection : browse-deny-match"
+      - "stac_collection : read-deny-recursive -> thredd_collection : browse-deny-recursive"
+      # Permission mapping relating to the stac item mapped to a thredd file.
+      - "stac_item : read-match -> thredd_item : browse-match"
+      - "stac_item : read-allow-recursive -> thredd_item : browse-allow-recursive"
+      - "stac_item : read-deny-match -> thredd_item : browse-deny-match"
+      - "stac_item : read-deny-recursive -> thredd_item : browse-deny-recursive"

cowbird/api/webhooks/views.py

@@ -108,13 +108,13 @@ def post_permission_webhook_view(request: Request) -> AnyResponseType:
                     msg_on_fail=s.PermissionWebhook_POST_BadRequestResponseSchema.description)
     # Use raw value for service name, to avoid errors with `None` values
     # when the permission is not applied to a `service` type resource.
-    resource_display_name = ar.get_multiformat_body(request, "resource_display_name", check_type=(str, type(None)))
     service_name = ar.get_multiformat_body(request, "service_name", check_type=(str, type(None)))
     service_type = ar.get_multiformat_body(request, "service_type")
     resource_id = ar.get_multiformat_body(request, "resource_id", check_type=int)
     param_regex_with_slashes = r"^/?[A-Za-z0-9]+(?:[\s_\-\./:][A-Za-z0-9]+)*$"
     resource_full_name = ar.get_multiformat_body(request, "resource_full_name",
                                                  pattern=param_regex_with_slashes)
+    resource_display_name = ar.get_multiformat_body(request, "resource_display_name", check_type=(str, type(None)))
     name = ar.get_multiformat_body(request, "name")
     access = ar.get_multiformat_body(request, "access")
     scope = ar.get_multiformat_body(request, "scope")

cowbird/config.py

@@ -4,7 +4,7 @@
 from typing import Any, Dict, List, Literal, Tuple, Union, cast, overload
 
 import yaml
-from schema import And, Optional, Regex, Schema
+from schema import And, Optional, Or, Regex, Schema
 
 from cowbird.typedefs import (
     ConfigDict,
@@ -191,7 +191,7 @@ def validate_sync_perm_config_schema(sync_cfg: SyncPointConfig) -> None:
             "services": {
                 str: {  # Service type, must correspond to an actual Magpie service type
                     str: [  # Resource key, used to identify the resource here and in the permissions_mapping
-                        {"name": str, "type": str, Optional("field"): str, Optional("regex"): str}
+                        {Or("name", "regex", only_one=True): str, "type": str, Optional("field"): str}
                     ]
                 }
             },
@@ -213,21 +213,23 @@ def validate_and_get_resource_info(res_key: str, segments: List[ConfigSegment])
     named_tokens = set()
     has_multi_token = False
     for seg in segments:
-        if seg["name"] == MULTI_TOKEN:
-            if has_multi_token:
-                raise ConfigErrorInvalidTokens(f"Invalid config value for resource key {res_key}. Only one "
-                                               f"`{MULTI_TOKEN}` token is permitted per resource.")
-            has_multi_token = True
-        else:
-            matched_groups = re.match(NAMED_TOKEN_REGEX, seg["name"])
-            if matched_groups:
-                # Save the first group as a named token, since there's only 1 matching group in the regex.
-                if matched_groups.groups()[0] in named_tokens:
-                    raise ConfigErrorInvalidTokens(f"Invalid config value for resource key {res_key}. Named token "
-                                                   f"{matched_groups.groups()[0]} was found in multiple segments of "
-                                                   "the resource path. Each named token should only be used once in a "
-                                                   "resource path.")
-                named_tokens.add(matched_groups.groups()[0])
+        if "name" in seg:
+            if seg["name"] == MULTI_TOKEN:
+                if has_multi_token:
+                    raise ConfigErrorInvalidTokens(f"Invalid config value for resource key {res_key}. Only one "
+                                                   f"`{MULTI_TOKEN}` token is permitted per resource.")
+                has_multi_token = True
+            else:
+                matched_groups = re.match(NAMED_TOKEN_REGEX, seg["name"])
+                if matched_groups:
+                    # Save the first group as a named token, since there's only 1 matching group in the regex.
+                    if matched_groups.groups()[0] in named_tokens:
+                        raise ConfigErrorInvalidTokens(
+                            f"Invalid config value for resource key {res_key}. Named token "
+                            f"{matched_groups.groups()[0]} was found in multiple segments of "
+                            "the resource path. Each named token should only be used once in a "
+                            "resource path.")
+                    named_tokens.add(matched_groups.groups()[0])
 
     return {"has_multi_token": has_multi_token, "named_tokens": named_tokens}
 

cowbird/handlers/impl/magpie.py

@@ -431,13 +431,14 @@ def delete_permission(self, permissions_data: List[Dict[str, str]]) -> None:
         else:
             LOGGER.warning("Empty permission data, no permissions to remove.")
 
-    def create_resource(self, resource_name: str, resource_type: str, parent_id: Optional[int]) -> int:
+    def create_resource(self, resource_name: str, resource_type: str, parent_id: Optional[int],
+                        resource_display_name: Optional[str] = None) -> int:
         """
         Creates the specified resource in Magpie and returns the created resource id if successful.
         """
         resource_data = {
             "resource_name": resource_name,
-            "resource_display_name": resource_name,
+            "resource_display_name": resource_display_name,
             "resource_type": resource_type,
             "parent_id": parent_id
         }