feat(tools): Phase T.1-T.4 complete - manifest system, registry, implementations, runtime, collaboration, scheduler
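--- /dev/null
+++ b/backend/app/tools/permissions.py
@@ -0,0 +1,103 @@
+"""
+Tool Permissions
+
+Permission control for tool execution.
+"""
+
+from enum import Enum
+from typing import Set, Dict, Optional, List
+
+
+class ToolPermission(str, Enum):
+"""Tool permissions"""
+
+EXECUTE = "tool:execute"
+CONFIGURE = "tool:configure"
+ENABLE = "tool:enable"
+DISABLE = "tool:disable"
+VIEW = "tool:view"
+
+
+class ToolPermissionChecker:
+"""Tool permission checker"""
+
+def __init__(self):
+self._user_permissions: Dict[str, Set[ToolPermission]] = {}
+self._tool_roles: Dict[str, Set[str]] = {} # tool_name -> required_roles
+self._role_permissions: Dict[str, Set[ToolPermission]] = {
+"admin": {
+ToolPermission.EXECUTE,
+ToolPermission.CONFIGURE,
+ToolPermission.ENABLE,
+ToolPermission.DISABLE,
+ToolPermission.VIEW,
+},
+"user": {ToolPermission.EXECUTE, ToolPermission.VIEW},
+"guest": {ToolPermission.VIEW},
+}
+
+def set_user_permissions(
+self,
+user_id: str,
+permissions: Set[ToolPermission],
+) -> None:
+"""Set user permissions directly"""
+self._user_permissions[user_id] = permissions
+
+def set_user_role(self, user_id: str, role: str) -> None:
+"""Set user role"""
+if role in self._role_permissions:
+self._user_permissions[user_id] = self._role_permissions[role].copy()
+
+def set_tool_roles(
+self,
+tool_name: str,
+required_roles: Set[str],
+) -> None:
+"""Set tool required roles"""
+self._tool_roles[tool_name] = required_roles
+
+def can_execute(self, user_id: str, tool_name: str) -> bool:
+"""Check if user can execute tool"""
+if ToolPermission.EXECUTE in self._user_permissions.get(user_id, set()):
+return True
+
+required_roles = self._tool_roles.get(tool_name, set())
+if not required_roles:
+return True
+
+user_perms = self._user_permissions.get(user_id, set())
+for role in required_roles:
+if role in self._role_permissions:
+if self._role_permissions[role] & user_perms:
+return True
+
+return False
+
+def can_configure(self, user_id: str, tool_name: str) -> bool:
+"""Check if user can configure tool"""
+return ToolPermission.CONFIGURE in self._user_permissions.get(user_id, set())
+
+def can_enable(self, user_id: str, tool_name: str) -> bool:
+"""Check if user can enable tool"""
+return ToolPermission.ENABLE in self._user_permissions.get(user_id, set())
+
+def can_disable(self, user_id: str, tool_name: str) -> bool:
+"""Check if user can disable tool"""
+return ToolPermission.DISABLE in self._user_permissions.get(user_id, set())
+
+def can_view(self, user_id: str, tool_name: str) -> bool:
+"""Check if user can view tool"""
+return ToolPermission.VIEW in self._user_permissions.get(user_id, set())
+
+
+# Global permission checker
+_permission_checker: Optional[ToolPermissionChecker] = None
+
+
+def get_permission_checker() -> ToolPermissionChecker:
+"""Get global permission checker"""
+global _permission_checker
+if _permission_checker is None:
+_permission_checker = ToolPermissionChecker()
+return _permission_checker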
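Review bot: `can_execute` fails open in three ways, so a tool's `required_roles` never restricts anyone who holds any permission at all. The early `return True` on `ToolPermission.EXECUTE` skips the role check entirely, a tool with no entry in `_tool_roles` is executable even by an unknown `user_id`, and the intersection test `self._role_permissions[role] & user_perms` passes for a guest on an admin-only tool because both sets contain `VIEW`. The checker also never records which role a user holds: `set_user_role` only copies the permission set, and it silently keeps the previous grants when the role name is unknown, so role membership cannot be tested as written. I would track the assigned role and require both `EXECUTE` and membership in `required_roles`, as sketched below. Whether a tool without configured roles should default to allow is a policy choice worth stating in the docstring.

```python
    def __init__(self):
        # … unchanged: _user_permissions, _tool_roles, _role_permissions …
        self._user_roles: Dict[str, str] = {}  # user_id -> assigned role

    def set_user_role(self, user_id: str, role: str) -> None:
        """Set user role"""
        if role not in self._role_permissions:
            # Reject unknown roles instead of silently keeping the old grants.
            raise ValueError(f"unknown role: {role!r}")
        self._user_roles[user_id] = role
        self._user_permissions[user_id] = self._role_permissions[role].copy()

    def can_execute(self, user_id: str, tool_name: str) -> bool:
        """Check if user can execute tool"""
        # EXECUTE is necessary but not sufficient: role restrictions still apply.
        if ToolPermission.EXECUTE not in self._user_permissions.get(user_id, set()):
            return False
        required_roles = self._tool_roles.get(tool_name, set())
        if not required_roles:
            return True
        # Users with no recorded role fail closed on role-restricted tools.
        return self._user_roles.get(user_id) in required_roles
```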