core/homeassistant/auth/permissions/entities.py

"""Entity permissions."""
from collections import OrderedDict
from typing import Callable, Optional  # noqa: F401

import voluptuous as vol

from .const import SUBCAT_ALL, POLICY_READ, POLICY_CONTROL, POLICY_EDIT
from .models import PermissionLookup
from .types import CategoryType, SubCategoryDict, ValueType
# pylint: disable=unused-import
from .util import SubCatLookupType, lookup_all, compile_policy  # noqa

SINGLE_ENTITY_SCHEMA = vol.Any(True, vol.Schema({
    vol.Optional(POLICY_READ): True,
    vol.Optional(POLICY_CONTROL): True,
    vol.Optional(POLICY_EDIT): True,
}))

ENTITY_DOMAINS = 'domains'
ENTITY_AREAS = 'area_ids'
ENTITY_DEVICE_IDS = 'device_ids'
ENTITY_ENTITY_IDS = 'entity_ids'

ENTITY_VALUES_SCHEMA = vol.Any(True, vol.Schema({
    str: SINGLE_ENTITY_SCHEMA
}))

ENTITY_POLICY_SCHEMA = vol.Any(True, vol.Schema({
    vol.Optional(SUBCAT_ALL): SINGLE_ENTITY_SCHEMA,
    vol.Optional(ENTITY_AREAS): ENTITY_VALUES_SCHEMA,
    vol.Optional(ENTITY_DEVICE_IDS): ENTITY_VALUES_SCHEMA,
    vol.Optional(ENTITY_DOMAINS): ENTITY_VALUES_SCHEMA,
    vol.Optional(ENTITY_ENTITY_IDS): ENTITY_VALUES_SCHEMA,
}))


def _lookup_domain(perm_lookup: PermissionLookup,
                   domains_dict: SubCategoryDict,
                   entity_id: str) -> Optional[ValueType]:
    """Look up entity permissions by domain."""
    return domains_dict.get(entity_id.split(".", 1)[0])


def _lookup_area(perm_lookup: PermissionLookup, area_dict: SubCategoryDict,
                 entity_id: str) -> Optional[ValueType]:
    """Look up entity permissions by area."""
    entity_entry = perm_lookup.entity_registry.async_get(entity_id)

    if entity_entry is None or entity_entry.device_id is None:
        return None

    device_entry = perm_lookup.device_registry.async_get(
        entity_entry.device_id
    )

    if device_entry is None or device_entry.area_id is None:
        return None

    return area_dict.get(device_entry.area_id)


def _lookup_device(perm_lookup: PermissionLookup,
                   devices_dict: SubCategoryDict,
                   entity_id: str) -> Optional[ValueType]:
    """Look up entity permissions by device."""
    entity_entry = perm_lookup.entity_registry.async_get(entity_id)

    if entity_entry is None or entity_entry.device_id is None:
        return None

    return devices_dict.get(entity_entry.device_id)


def _lookup_entity_id(perm_lookup: PermissionLookup,
                      entities_dict: SubCategoryDict,
                      entity_id: str) -> Optional[ValueType]:
    """Look up entity permission by entity id."""
    return entities_dict.get(entity_id)


def compile_entities(policy: CategoryType, perm_lookup: PermissionLookup) \
        -> Callable[[str, str], bool]:
    """Compile policy into a function that tests policy."""
    subcategories = OrderedDict()  # type: SubCatLookupType
    subcategories[ENTITY_ENTITY_IDS] = _lookup_entity_id
    subcategories[ENTITY_DEVICE_IDS] = _lookup_device
    subcategories[ENTITY_AREAS] = _lookup_area
    subcategories[ENTITY_DOMAINS] = _lookup_domain
    subcategories[SUBCAT_ALL] = lookup_all

    return compile_policy(policy, subcategories, perm_lookup)
Permissions improv (#17811) * Break up permissions file. * Granular entity permissions * Add "all" entity permission * Lint * Fix types 2018-10-29 10:28:04 +00:00			`"""Entity permissions."""`
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`from collections import OrderedDict`
			`from typing import Callable, Optional # noqa: F401`
Permissions improv (#17811) * Break up permissions file. * Granular entity permissions * Add "all" entity permission * Lint * Fix types 2018-10-29 10:28:04 +00:00
			`import voluptuous as vol`

System groups (#18303) * Add read only and admin policies * Migrate to 2 system groups * Add system groups * Add system groups admin & read only * Dont' mutate parameters * Fix types 2018-11-08 11:57:00 +00:00			`from .const import SUBCAT_ALL, POLICY_READ, POLICY_CONTROL, POLICY_EDIT`
Allow checking entity permissions based on devices (#19007) * Allow checking entity permissions based on devices * Fix tests 2018-12-05 10:41:00 +00:00			`from .models import PermissionLookup`
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`from .types import CategoryType, SubCategoryDict, ValueType`
			`# pylint: disable=unused-import`
			`from .util import SubCatLookupType, lookup_all, compile_policy # noqa`
Permissions improv (#17811) * Break up permissions file. * Granular entity permissions * Add "all" entity permission * Lint * Fix types 2018-10-29 10:28:04 +00:00
			`SINGLE_ENTITY_SCHEMA = vol.Any(True, vol.Schema({`
			`vol.Optional(POLICY_READ): True,`
			`vol.Optional(POLICY_CONTROL): True,`
			`vol.Optional(POLICY_EDIT): True,`
			`}))`

			`ENTITY_DOMAINS = 'domains'`
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`ENTITY_AREAS = 'area_ids'`
Allow checking entity permissions based on devices (#19007) * Allow checking entity permissions based on devices * Fix tests 2018-12-05 10:41:00 +00:00			`ENTITY_DEVICE_IDS = 'device_ids'`
Permissions improv (#17811) * Break up permissions file. * Granular entity permissions * Add "all" entity permission * Lint * Fix types 2018-10-29 10:28:04 +00:00			`ENTITY_ENTITY_IDS = 'entity_ids'`

			`ENTITY_VALUES_SCHEMA = vol.Any(True, vol.Schema({`
			`str: SINGLE_ENTITY_SCHEMA`
			`}))`

			`ENTITY_POLICY_SCHEMA = vol.Any(True, vol.Schema({`
			`vol.Optional(SUBCAT_ALL): SINGLE_ENTITY_SCHEMA,`
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`vol.Optional(ENTITY_AREAS): ENTITY_VALUES_SCHEMA,`
Allow checking entity permissions based on devices (#19007) * Allow checking entity permissions based on devices * Fix tests 2018-12-05 10:41:00 +00:00			`vol.Optional(ENTITY_DEVICE_IDS): ENTITY_VALUES_SCHEMA,`
Permissions improv (#17811) * Break up permissions file. * Granular entity permissions * Add "all" entity permission * Lint * Fix types 2018-10-29 10:28:04 +00:00			`vol.Optional(ENTITY_DOMAINS): ENTITY_VALUES_SCHEMA,`
			`vol.Optional(ENTITY_ENTITY_IDS): ENTITY_VALUES_SCHEMA,`
			`}))`


Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`def _lookup_domain(perm_lookup: PermissionLookup,`
			`domains_dict: SubCategoryDict,`
			`entity_id: str) -> Optional[ValueType]:`
			`"""Look up entity permissions by domain."""`
			`return domains_dict.get(entity_id.split(".", 1)[0])`


			`def _lookup_area(perm_lookup: PermissionLookup, area_dict: SubCategoryDict,`
			`entity_id: str) -> Optional[ValueType]:`
			`"""Look up entity permissions by area."""`
			`entity_entry = perm_lookup.entity_registry.async_get(entity_id)`

			`if entity_entry is None or entity_entry.device_id is None:`
			`return None`

			`device_entry = perm_lookup.device_registry.async_get(`
			`entity_entry.device_id`
			`)`

			`if device_entry is None or device_entry.area_id is None:`
			`return None`

			`return area_dict.get(device_entry.area_id)`


			`def _lookup_device(perm_lookup: PermissionLookup,`
			`devices_dict: SubCategoryDict,`
			`entity_id: str) -> Optional[ValueType]:`
			`"""Look up entity permissions by device."""`
			`entity_entry = perm_lookup.entity_registry.async_get(entity_id)`

			`if entity_entry is None or entity_entry.device_id is None:`
			`return None`

			`return devices_dict.get(entity_entry.device_id)`


			`def _lookup_entity_id(perm_lookup: PermissionLookup,`
			`entities_dict: SubCategoryDict,`
			`entity_id: str) -> Optional[ValueType]:`
			`"""Look up entity permission by entity id."""`
			`return entities_dict.get(entity_id)`
Permissions improv (#17811) * Break up permissions file. * Granular entity permissions * Add "all" entity permission * Lint * Fix types 2018-10-29 10:28:04 +00:00

Allow checking entity permissions based on devices (#19007) * Allow checking entity permissions based on devices * Fix tests 2018-12-05 10:41:00 +00:00			`def compile_entities(policy: CategoryType, perm_lookup: PermissionLookup) \`
Add permission checks to Rest API (#18639) * Add permission checks to Rest API * Clean up unnecessary method * Remove all the tuple stuff from entity check * Simplify perms * Correct param name for owner permission * Hass.io make/update user to be admin * Types 2018-11-25 17:04:48 +00:00			`-> Callable[[str, str], bool]:`
Permissions improv (#17811) * Break up permissions file. * Granular entity permissions * Add "all" entity permission * Lint * Fix types 2018-10-29 10:28:04 +00:00			`"""Compile policy into a function that tests policy."""`
Add area permission check (#21835) 2019-03-11 18:02:37 +00:00			`subcategories = OrderedDict() # type: SubCatLookupType`
			`subcategories[ENTITY_ENTITY_IDS] = _lookup_entity_id`
			`subcategories[ENTITY_DEVICE_IDS] = _lookup_device`
			`subcategories[ENTITY_AREAS] = _lookup_area`
			`subcategories[ENTITY_DOMAINS] = _lookup_domain`
			`subcategories[SUBCAT_ALL] = lookup_all`

			`return compile_policy(policy, subcategories, perm_lookup)`