Merge pull request #40 from permitio/asaf/per-5996-python-fix-sync-sdk

Fix Sync SDK variant

Author: asafc

permit/api/base.py

@@ -1,28 +1,33 @@
 import functools
-from typing import Optional, Type, TypeVar, Union
+from typing import Callable, Optional, Type, TypeVar, Union
 
 import aiohttp
 from loguru import logger
 from pydantic import BaseModel, Extra, Field, parse_obj_as
 
 from ..config import PermitConfig
 from ..exceptions import PermitContextError, handle_api_error, handle_client_error
-from .context import API_ACCESS_LEVELS, ApiKeyLevel
+from .context import API_ACCESS_LEVELS, ApiContextLevel, ApiKeyAccessLevel
 from .models import APIKeyScopeRead
 
+T = TypeVar("T", bound=Callable)
+TModel = TypeVar("TModel", bound=BaseModel)
+TData = TypeVar("TData", bound=BaseModel)
 
-class ClientConfig(BaseModel):
-    class Config:
-        extra = Extra.allow
 
-    base_url: str = Field(
-        ...,
-        description="base url that will prefix the url fragment sent via the client",
-    )
-    headers: dict = Field(..., description="http headers sent to the API server")
+def required_permissions(access_level: ApiKeyAccessLevel):
+    def decorator(func: T) -> T:
+        @functools.wraps(func)
+        async def wrapped(self: BasePermitApi, *args, **kwargs):
+            await self._ensure_access_level(access_level)
+            return await func(self, *args, **kwargs)
+
+        return wrapped
+
+    return decorator
 
 
-def ensure_context(call_level: ApiKeyLevel):
+def required_context(context: ApiContextLevel):
     """
     a decorator that ensures that an API endpoint is called only after the SDK has initialized
     an API context (authorization level) by inferring it from the API key or manually by the user.
@@ -34,10 +39,10 @@ def ensure_context(call_level: ApiKeyLevel):
         PermitContextError: If the API context does not match the required endpoint context.
     """
 
-    def decorator(func):
+    def decorator(func: T) -> T:
         @functools.wraps(func)
         async def wrapped(self: BasePermitApi, *args, **kwargs):
-            await self.ensure_context(call_level)
+            await self._ensure_context(context)
             return await func(self, *args, **kwargs)
 
         return wrapped
@@ -49,8 +54,15 @@ def pagination_params(page: int, per_page: int) -> dict:
     return {"page": page, "per_page": per_page}
 
 
-TModel = TypeVar("TModel", bound=BaseModel)
-TData = TypeVar("TData", bound=BaseModel)
+class ClientConfig(BaseModel):
+    class Config:
+        extra = Extra.allow
+
+    base_url: str = Field(
+        ...,
+        description="base url that will prefix the url fragment sent via the client",
+    )
+    headers: dict = Field(..., description="http headers sent to the API server")
 
 
 class SimpleHttpClient:
@@ -206,76 +218,110 @@ def _build_http_client(self, endpoint_url: str = "", **kwargs):
 
     async def _set_context_from_api_key(self) -> None:
         """
-        Set the API context based on the API key scope.
+        Set the API context and permitted access level based on the API key scope.
         """
+        logger.debug("Fetching api key scope")
         scope = await self.__api_keys.get("/scope", model=APIKeyScopeRead)
 
         if scope.organization_id is not None:
+            # saves the permitted access level by that api key
+            self.config.api_context._save_api_key_accessible_scope(
+                org=str(scope.organization_id),
+                project=(
+                    str(scope.project_id) if scope.project_id is not None else None
+                ),
+                environment=(
+                    str(scope.environment_id)
+                    if scope.environment_id is not None
+                    else None
+                ),
+            )
+
             if scope.project_id is not None:
                 if scope.environment_id is not None:
                     # Set environment level context
                     self.config.api_context.set_environment_level_context(
-                        scope.organization_id, scope.project_id, scope.environment_id
+                        str(scope.organization_id),
+                        str(scope.project_id),
+                        str(scope.environment_id),
                     )
                     return
 
                 # Set project level context
                 self.config.api_context.set_project_level_context(
-                    scope.organization_id, scope.project_id
+                    str(scope.organization_id), str(scope.project_id)
                 )
                 return
 
             # Set org level context
             self.config.api_context.set_organization_level_context(
-                scope.organization_id
+                str(scope.organization_id)
             )
             return
 
         raise PermitContextError("Could not set API context level")
 
-    async def ensure_context(self, call_level: ApiKeyLevel) -> None:
+    async def _ensure_access_level(
+        self, required_access_level: ApiKeyAccessLevel
+    ) -> None:
         """
-        Ensure that the API context matches the required endpoint context.
+        Ensure that the API Key has the necessary permissions to successfully call the API endpoint.
+
+        Note that this check is not full proof, and the API may still throw 401.
 
         Args:
-            call_level: The required API key level for the endpoint.
+            required_access_level: The required API Key Access level for the endpoint.
 
         Raises:
-            PermitContextError: If the API context does not match the required endpoint context.
+            PermitContextError: If the currently set API key access level does not match the required access level.
         """
-        if self.config.api_context.level == ApiKeyLevel.WAIT_FOR_INIT:
+        # should only happen once in the lifetime of the sdk
+        if (
+            self.config.api_context.level == ApiContextLevel.WAIT_FOR_INIT
+            or self.config.api_context.permitted_access_level
+            == ApiKeyAccessLevel.WAIT_FOR_INIT
+        ):
             await self._set_context_from_api_key()
 
-        if call_level != self.config.api_context.level:
-            if API_ACCESS_LEVELS.index(call_level) < API_ACCESS_LEVELS.index(
-                self.config.api_context.level
+        if required_access_level != self.config.api_context.permitted_access_level:
+            if API_ACCESS_LEVELS.index(required_access_level) < API_ACCESS_LEVELS.index(
+                self.config.api_context.permitted_access_level
             ):
                 raise PermitContextError(
-                    f"You're trying to use an SDK method that requires an API Key with level: {call_level}, "
-                    + f"however the SDK is running with an API key with level {self.config.api_context.level}."
+                    f"You're trying to use an SDK method that requires an API Key with access level: {required_access_level}, "
+                    + f"however the SDK is running with an API key with level {self.config.api_context.permitted_access_level}."
                 )
             return
 
         if (
-            call_level == ApiKeyLevel.PROJECT_LEVEL_API_KEY
-            and self.config.api_context.project is None
+            self.config.api_context.permitted_access_level.value
+            < required_access_level.value
         ):
             raise PermitContextError(
-                "You're trying to use an SDK method that's specific to a project, "
-                + "but you haven't set the current project in your client's context yet, "
-                + "or you are using an organization level API key. "
-                + "Please set the context to a specific "
-                + "project using `permit.set_context()` method."
+                f"You're trying to use an SDK method that requires an api context of {required_context.name}, "
+                + f"however the SDK is running in a less specific context level: {self.config.api_context.level}."
             )
 
-        if call_level == ApiKeyLevel.ENVIRONMENT_LEVEL_API_KEY and (
-            self.config.api_context.project is None
-            or self.config.api_context.environment is None
+    async def _ensure_context(self, required_context: ApiContextLevel) -> None:
+        """
+        Ensure that the API context matches the required endpoint context.
+
+        Args:
+            context: The required API context level for the endpoint.
+
+        Raises:
+            PermitContextError: If the currently set API context level does not match the required context level.
+        """
+        # should only happen once in the lifetime of the sdk
+        if (
+            self.config.api_context.level == ApiContextLevel.WAIT_FOR_INIT
+            or self.config.api_context.permitted_access_level
+            == ApiKeyAccessLevel.WAIT_FOR_INIT
         ):
+            await self._set_context_from_api_key()
+
+        if self.config.api_context.level.value < required_context.value:
             raise PermitContextError(
-                "You're trying to use an SDK method that's specific to an environment, "
-                + "but you haven't set the current environment in your client's context yet, "
-                + "or you are using an organization/project level API key. "
-                + "Please set the context to a specific "
-                + "environment using `permit.set_context()` method."
+                f"You're trying to use an SDK method that requires an api context of {required_context.name}, "
+                + f"however the SDK is running in a less specific context level: {self.config.api_context.level}."
             )

permit/api/condition_set_rules.py

@@ -2,8 +2,14 @@
 
 from pydantic import validate_arguments
 
-from .base import BasePermitApi, SimpleHttpClient, ensure_context, pagination_params
-from .context import ApiKeyLevel
+from .base import (
+    BasePermitApi,
+    SimpleHttpClient,
+    pagination_params,
+    required_context,
+    required_permissions,
+)
+from .context import ApiContextLevel, ApiKeyAccessLevel
 from .models import ConditionSetRuleCreate, ConditionSetRuleRead, ConditionSetRuleRemove
 
 
@@ -17,7 +23,8 @@ def __condition_set_rules(self) -> SimpleHttpClient:
             )
         )
 
-    @ensure_context(ApiKeyLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_permissions(ApiKeyAccessLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_context(ApiContextLevel.ENVIRONMENT)
     @validate_arguments
     async def list(
         self,
@@ -58,7 +65,8 @@ async def list(
             params=params,
         )
 
-    @ensure_context(ApiKeyLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_permissions(ApiKeyAccessLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_context(ApiContextLevel.ENVIRONMENT)
     @validate_arguments
     async def create(self, rule: ConditionSetRuleCreate) -> List[ConditionSetRuleRead]:
         """
@@ -78,7 +86,8 @@ async def create(self, rule: ConditionSetRuleCreate) -> List[ConditionSetRuleRea
             "", model=List[ConditionSetRuleRead], json=rule
         )
 
-    @ensure_context(ApiKeyLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_permissions(ApiKeyAccessLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_context(ApiContextLevel.ENVIRONMENT)
     @validate_arguments
     async def delete(self, rule: ConditionSetRuleRemove) -> None:
         """

permit/api/condition_sets.py

@@ -2,8 +2,14 @@
 
 from pydantic import validate_arguments
 
-from .base import BasePermitApi, SimpleHttpClient, ensure_context, pagination_params
-from .context import ApiKeyLevel
+from .base import (
+    BasePermitApi,
+    SimpleHttpClient,
+    pagination_params,
+    required_context,
+    required_permissions,
+)
+from .context import ApiContextLevel, ApiKeyAccessLevel
 from .models import ConditionSetCreate, ConditionSetRead, ConditionSetUpdate
 
 
@@ -17,7 +23,8 @@ def __condition_sets(self) -> SimpleHttpClient:
             )
         )
 
-    @ensure_context(ApiKeyLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_permissions(ApiKeyAccessLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_context(ApiContextLevel.ENVIRONMENT)
     @validate_arguments
     async def list(self, page: int = 1, per_page: int = 100) -> List[ConditionSetRead]:
         """
@@ -38,7 +45,13 @@ async def list(self, page: int = 1, per_page: int = 100) -> List[ConditionSetRea
             "", model=List[ConditionSetRead], params=pagination_params(page, per_page)
         )
 
-    @ensure_context(ApiKeyLevel.ENVIRONMENT_LEVEL_API_KEY)
+    async def _get(self, condition_set_key: str) -> ConditionSetRead:
+        return await self.__condition_sets.get(
+            f"/{condition_set_key}", model=ConditionSetRead
+        )
+
+    @required_permissions(ApiKeyAccessLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_context(ApiContextLevel.ENVIRONMENT)
     @validate_arguments
     async def get(self, condition_set_key: str) -> ConditionSetRead:
         """
@@ -54,11 +67,10 @@ async def get(self, condition_set_key: str) -> ConditionSetRead:
             PermitApiError: If the API returns an error HTTP status code.
             PermitContextError: If the configured ApiContext does not match the required endpoint context.
         """
-        return await self.__condition_sets.get(
-            f"/{condition_set_key}", model=ConditionSetRead
-        )
+        return await self._get(condition_set_key)
 
-    @ensure_context(ApiKeyLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_permissions(ApiKeyAccessLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_context(ApiContextLevel.ENVIRONMENT)
     @validate_arguments
     async def get_by_key(self, condition_set_key: str) -> ConditionSetRead:
         """
@@ -75,9 +87,10 @@ async def get_by_key(self, condition_set_key: str) -> ConditionSetRead:
             PermitApiError: If the API returns an error HTTP status code.
             PermitContextError: If the configured ApiContext does not match the required endpoint context.
         """
-        return await self.get(condition_set_key)
+        return await self._get(condition_set_key)
 
-    @ensure_context(ApiKeyLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_permissions(ApiKeyAccessLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_context(ApiContextLevel.ENVIRONMENT)
     @validate_arguments
     async def get_by_id(self, condition_set_id: str) -> ConditionSetRead:
         """
@@ -94,9 +107,10 @@ async def get_by_id(self, condition_set_id: str) -> ConditionSetRead:
             PermitApiError: If the API returns an error HTTP status code.
             PermitContextError: If the configured ApiContext does not match the required endpoint context.
         """
-        return await self.get(condition_set_id)
+        return await self._get(condition_set_id)
 
-    @ensure_context(ApiKeyLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_permissions(ApiKeyAccessLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_context(ApiContextLevel.ENVIRONMENT)
     @validate_arguments
     async def create(self, condition_set_data: ConditionSetCreate) -> ConditionSetRead:
         """
@@ -116,7 +130,8 @@ async def create(self, condition_set_data: ConditionSetCreate) -> ConditionSetRe
             "", model=ConditionSetRead, json=condition_set_data
         )
 
-    @ensure_context(ApiKeyLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_permissions(ApiKeyAccessLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_context(ApiContextLevel.ENVIRONMENT)
     @validate_arguments
     async def update(
         self, condition_set_key: str, condition_set_data: ConditionSetUpdate
@@ -141,7 +156,8 @@ async def update(
             json=condition_set_data,
         )
 
-    @ensure_context(ApiKeyLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_permissions(ApiKeyAccessLevel.ENVIRONMENT_LEVEL_API_KEY)
+    @required_context(ApiContextLevel.ENVIRONMENT)
     @validate_arguments
     async def delete(self, condition_set_key: str) -> None:
         """