core/homeassistant/auth/permissions/entities.py

"""Entity permissions."""
from collections import OrderedDict
from typing import Callable, Optional  # noqa: F401

import voluptuous as vol

from .const import SUBCAT_ALL, POLICY_READ, POLICY_CONTROL, POLICY_EDIT
from .models import PermissionLookup
from .types import CategoryType, SubCategoryDict, ValueType

# pylint: disable=unused-import
from .util import SubCatLookupType, lookup_all, compile_policy  # noqa

SINGLE_ENTITY_SCHEMA = vol.Any(
    True,
    vol.Schema(
        {
            vol.Optional(POLICY_READ): True,
            vol.Optional(POLICY_CONTROL): True,
            vol.Optional(POLICY_EDIT): True,
        }
    ),
)

ENTITY_DOMAINS = "domains"
ENTITY_AREAS = "area_ids"
ENTITY_DEVICE_IDS = "device_ids"
ENTITY_ENTITY_IDS = "entity_ids"

ENTITY_VALUES_SCHEMA = vol.Any(True, vol.Schema({str: SINGLE_ENTITY_SCHEMA}))

ENTITY_POLICY_SCHEMA = vol.Any(
    True,
    vol.Schema(
        {
            vol.Optional(SUBCAT_ALL): SINGLE_ENTITY_SCHEMA,
            vol.Optional(ENTITY_AREAS): ENTITY_VALUES_SCHEMA,
            vol.Optional(ENTITY_DEVICE_IDS): ENTITY_VALUES_SCHEMA,
            vol.Optional(ENTITY_DOMAINS): ENTITY_VALUES_SCHEMA,
            vol.Optional(ENTITY_ENTITY_IDS): ENTITY_VALUES_SCHEMA,
        }
    ),
)


def _lookup_domain(
    perm_lookup: PermissionLookup, domains_dict: SubCategoryDict, entity_id: str
) -> Optional[ValueType]:
    """Look up entity permissions by domain."""
    return domains_dict.get(entity_id.split(".", 1)[0])


def _lookup_area(
    perm_lookup: PermissionLookup, area_dict: SubCategoryDict, entity_id: str
) -> Optional[ValueType]:
    """Look up entity permissions by area."""
    entity_entry = perm_lookup.entity_registry.async_get(entity_id)

    if entity_entry is None or entity_entry.device_id is None:
        return None

    device_entry = perm_lookup.device_registry.async_get(entity_entry.device_id)

    if device_entry is None or device_entry.area_id is None:
        return None

    return area_dict.get(device_entry.area_id)


def _lookup_device(
    perm_lookup: PermissionLookup, devices_dict: SubCategoryDict, entity_id: str
) -> Optional[ValueType]:
    """Look up entity permissions by device."""
    entity_entry = perm_lookup.entity_registry.async_get(entity_id)

    if entity_entry is None or entity_entry.device_id is None:
        return None

    return devices_dict.get(entity_entry.device_id)


def _lookup_entity_id(
    perm_lookup: PermissionLookup, entities_dict: SubCategoryDict, entity_id: str
) -> Optional[ValueType]:
    """Look up entity permission by entity id."""
    return entities_dict.get(entity_id)


def compile_entities(
    policy: CategoryType, perm_lookup: PermissionLookup
) -> Callable[[str, str], bool]:
    """Compile policy into a function that tests policy."""
    subcategories = OrderedDict()  # type: SubCatLookupType
    subcategories[ENTITY_ENTITY_IDS] = _lookup_entity_id
    subcategories[ENTITY_DEVICE_IDS] = _lookup_device
    subcategories[ENTITY_AREAS] = _lookup_area
    subcategories[ENTITY_DOMAINS] = _lookup_domain
    subcategories[SUBCAT_ALL] = lookup_all

    return compile_policy(policy, subcategories, perm_lookup)
Permissions improv (#17811) * Break up permissions file. * Granular entity permissions * Add "all" entity permission * Lint * Fix types 2018-10-29 10:28:04 +00:00			`"""Entity permissions."""`
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`from collections import OrderedDict`
			`from typing import Callable, Optional # noqa: F401`
Permissions improv (#17811) * Break up permissions file. * Granular entity permissions * Add "all" entity permission * Lint * Fix types 2018-10-29 10:28:04 +00:00
			`import voluptuous as vol`

System groups (#18303) * Add read only and admin policies * Migrate to 2 system groups * Add system groups * Add system groups admin & read only * Dont' mutate parameters * Fix types 2018-11-08 11:57:00 +00:00			`from .const import SUBCAT_ALL, POLICY_READ, POLICY_CONTROL, POLICY_EDIT`
Allow checking entity permissions based on devices (#19007) * Allow checking entity permissions based on devices * Fix tests 2018-12-05 10:41:00 +00:00			`from .models import PermissionLookup`
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`from .types import CategoryType, SubCategoryDict, ValueType`
Black 2019-07-31 19:25:30 +00:00
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`# pylint: disable=unused-import`
			`from .util import SubCatLookupType, lookup_all, compile_policy # noqa`
Permissions improv (#17811) * Break up permissions file. * Granular entity permissions * Add "all" entity permission * Lint * Fix types 2018-10-29 10:28:04 +00:00
Black 2019-07-31 19:25:30 +00:00			`SINGLE_ENTITY_SCHEMA = vol.Any(`
			`True,`
			`vol.Schema(`
			`{`
			`vol.Optional(POLICY_READ): True,`
			`vol.Optional(POLICY_CONTROL): True,`
			`vol.Optional(POLICY_EDIT): True,`
			`}`
			`),`
			`)`

			`ENTITY_DOMAINS = "domains"`
			`ENTITY_AREAS = "area_ids"`
			`ENTITY_DEVICE_IDS = "device_ids"`
			`ENTITY_ENTITY_IDS = "entity_ids"`

			`ENTITY_VALUES_SCHEMA = vol.Any(True, vol.Schema({str: SINGLE_ENTITY_SCHEMA}))`

			`ENTITY_POLICY_SCHEMA = vol.Any(`
			`True,`
			`vol.Schema(`
			`{`
			`vol.Optional(SUBCAT_ALL): SINGLE_ENTITY_SCHEMA,`
			`vol.Optional(ENTITY_AREAS): ENTITY_VALUES_SCHEMA,`
			`vol.Optional(ENTITY_DEVICE_IDS): ENTITY_VALUES_SCHEMA,`
			`vol.Optional(ENTITY_DOMAINS): ENTITY_VALUES_SCHEMA,`
			`vol.Optional(ENTITY_ENTITY_IDS): ENTITY_VALUES_SCHEMA,`
			`}`
			`),`
			`)`


			`def _lookup_domain(`
			`perm_lookup: PermissionLookup, domains_dict: SubCategoryDict, entity_id: str`
			`) -> Optional[ValueType]:`
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`"""Look up entity permissions by domain."""`
			`return domains_dict.get(entity_id.split(".", 1)[0])`


Black 2019-07-31 19:25:30 +00:00			`def _lookup_area(`
			`perm_lookup: PermissionLookup, area_dict: SubCategoryDict, entity_id: str`
			`) -> Optional[ValueType]:`
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`"""Look up entity permissions by area."""`
			`entity_entry = perm_lookup.entity_registry.async_get(entity_id)`

			`if entity_entry is None or entity_entry.device_id is None:`
			`return None`

Black 2019-07-31 19:25:30 +00:00			`device_entry = perm_lookup.device_registry.async_get(entity_entry.device_id)`
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00
			`if device_entry is None or device_entry.area_id is None:`
			`return None`

			`return area_dict.get(device_entry.area_id)`


Black 2019-07-31 19:25:30 +00:00			`def _lookup_device(`
			`perm_lookup: PermissionLookup, devices_dict: SubCategoryDict, entity_id: str`
			`) -> Optional[ValueType]:`
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`"""Look up entity permissions by device."""`
			`entity_entry = perm_lookup.entity_registry.async_get(entity_id)`

			`if entity_entry is None or entity_entry.device_id is None:`
			`return None`

			`return devices_dict.get(entity_entry.device_id)`


Black 2019-07-31 19:25:30 +00:00			`def _lookup_entity_id(`
			`perm_lookup: PermissionLookup, entities_dict: SubCategoryDict, entity_id: str`
			`) -> Optional[ValueType]:`
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`"""Look up entity permission by entity id."""`
			`return entities_dict.get(entity_id)`
Permissions improv (#17811) * Break up permissions file. * Granular entity permissions * Add "all" entity permission * Lint * Fix types 2018-10-29 10:28:04 +00:00

Black 2019-07-31 19:25:30 +00:00			`def compile_entities(`
			`policy: CategoryType, perm_lookup: PermissionLookup`
			`) -> Callable[[str, str], bool]:`
Permissions improv (#17811) * Break up permissions file. * Granular entity permissions * Add "all" entity permission * Lint * Fix types 2018-10-29 10:28:04 +00:00			`"""Compile policy into a function that tests policy."""`
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`subcategories = OrderedDict() # type: SubCatLookupType`
			`subcategories[ENTITY_ENTITY_IDS] = _lookup_entity_id`
			`subcategories[ENTITY_DEVICE_IDS] = _lookup_device`
			`subcategories[ENTITY_AREAS] = _lookup_area`
			`subcategories[ENTITY_DOMAINS] = _lookup_domain`
			`subcategories[SUBCAT_ALL] = lookup_all`

			`return compile_policy(policy, subcategories, perm_lookup)`