Skip to content

Commit

Permalink
Performance: fix unneeded set->args->set conversions/unpacking
Browse files Browse the repository at this point in the history
Note this introduces a backwards compatibility issue for any project
which directly accessed has_any_scope() / has_all_scopes() (DSO-API).

Nearly all logic would be calling UserScopes.has_field_access(field).
  • Loading branch information
vdboor committed Jul 4, 2024
1 parent eaddb17 commit 434e243
Showing 1 changed file with 14 additions and 11 deletions.
25 changes: 14 additions & 11 deletions src/schematools/permissions/auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -75,21 +75,20 @@ def add_query_params(self, params: list[str]):
self._query_param_names.extend(params)

@methodtools.lru_cache() # type: ignore[misc]
def has_all_scopes(self, *needed_scopes: str) -> bool:
def has_all_scopes(self, needed_scopes: frozenset[str]) -> bool:
"""Check whether the request has all scopes.
This performs an AND check: all scopes should be present.
"""
return self._scopes.issuperset(needed_scopes)

@methodtools.lru_cache() # type: ignore[misc]
def has_any_scope(self, *needed_scopes: str) -> bool:
def has_any_scope(self, needed_scopes: frozenset[str]) -> bool:
"""Check whether the request grants one of the given scopes.
This performs an OR check: having one of the scopes gives access.
"""
needed_scopes = set(needed_scopes)
return any(scope in needed_scopes for scope in self._scopes)
return not self._scopes.isdisjoint(needed_scopes)

def has_dataset_access(self, dataset: DatasetSchema) -> Permission:
"""Tell whether a dataset can be accessed."""
Expand All @@ -106,7 +105,11 @@ def has_table_access(self, table: DatasetTableSchema) -> Permission:

def has_table_fields_access(self, table: DatasetTableSchema) -> bool:
"""Tell whether all fields of a table can be accessed."""
return all(self.has_field_access(field) for field in table.fields)
for field in table.fields:
if not self.has_field_access(field):
return False

return True

def has_field_access(self, field: DatasetFieldSchema) -> Permission:
"""Tell whether a field may be read."""
Expand All @@ -116,14 +119,14 @@ def has_field_access(self, field: DatasetFieldSchema) -> Permission:

def _has_dataset_auth_access(self, dataset: DatasetSchema) -> Permission:
"""Tell whether the 'auth' rules give access to the dataset."""
if self.has_any_scope(*dataset.auth):
if self.has_any_scope(dataset.auth):
return Permission(PermissionLevel.highest, source="dataset.auth")
else:
return Permission.none

def _has_table_auth_access(self, table: DatasetTableSchema) -> Permission:
"""Tell whether the 'auth' rules give access to the table."""
if self.has_any_scope(*table.auth) and self.has_any_scope(*table.dataset.auth):
if self.has_any_scope(table.auth) and self.has_any_scope(table.dataset.auth):
return Permission(
PermissionLevel.highest, source="table.auth" if table.auth else "dataset.auth"
)
Expand All @@ -133,9 +136,9 @@ def _has_table_auth_access(self, table: DatasetTableSchema) -> Permission:
def _has_field_auth_access(self, field: DatasetFieldSchema) -> Permission:
"""Tell whether the 'auth' rules give access to the table."""
if (
self.has_any_scope(*field.auth)
and self.has_any_scope(*field.table.auth)
and self.has_any_scope(*field.table.dataset.auth)
self.has_any_scope(field.auth)
and self.has_any_scope(field.table.auth)
and self.has_any_scope(field.table.dataset.auth)
):
return Permission(
PermissionLevel.highest,
Expand Down Expand Up @@ -253,7 +256,7 @@ def get_active_profile_datasets(self, dataset_id: str) -> list[ProfileDatasetSch
# Profiles are only activated when:
# - ALL scopes are matched
# - dataset is mentioned in the profile
if self.has_all_scopes(*profile.scopes)
if self.has_all_scopes(profile.scopes)
and (profile_dataset := profile.datasets.get(dataset_id)) is not None
]

Expand Down

0 comments on commit 434e243

Please sign in to comment.