Reorganize CapabilitySet

breuleux · breuleux · commit f5f572eaf928 · 2025-11-25T16:19:42.000-05:00
diff --git a/README.md b/README.md
@@ -32,8 +32,8 @@ oauth = OAuthManager(
         "prompt": "select_account",
     }
     # Set of capabilities that can be assigned to users
-    capset=CapabilitySet(
-        capabilities={
+    capabilities=CapabilitySet(
+        graph={
             # Basic capability
             "read": [],
             # write, also implies read
@@ -48,9 +48,9 @@ oauth = OAuthManager(
         },
         # Create the "admin" capability that has every other capability
         auto_admin=True,
+        # File where each user's capability is stored
+        user_file="caps.yaml",
     ),
-    # File where each user's capability is stored
-    capability_file="caps.yaml",
 )
 
 app = FastAPI()
@@ -113,15 +113,15 @@ client_secret: "<CLIENT_SECRET>"
 client_kwargs:
   scope: openid email
   prompt: select_account
-capset:
-  capabilities:
+capabilities:
+  graph:
     read: []
     write: [read]
     moderate: [read, write]
     announce: [read, write]
     user_management: []
   auto_admin: true
-capability_file: caps.yaml
+  user_file: caps.yaml
 ```
 
 And instantiated like this:
diff --git a/src/easy_oauth/cap.py b/src/easy_oauth/cap.py
@@ -1,14 +1,16 @@
-from __future__ import annotations
-
 from dataclasses import dataclass, field
+from functools import cached_property
+from pathlib import Path
 
+from serieux import deserialize
+from serieux.features.filebacked import DefaultFactory, FileBacked
 from serieux.features.registered import Registry
 
 
 @dataclass(eq=False)
 class Capability:
     name: str = None
-    implies: set[Capability] = field(default_factory=set)
+    implies: set["Capability"] = field(default_factory=set)
 
     def __contains__(self, cap):
         return cap is self or any(cap in cap2 for cap2 in self.implies)
@@ -20,17 +22,33 @@ def __str__(self):
 
 
 class CapabilitySet:
-    def __init__(self, capabilities: dict[str, list[str]], auto_admin: bool = True):
+    def __init__(
+        self,
+        graph: dict[str, list[str]],
+        auto_admin: bool = True,
+        user_file: Path = None,
+    ):
         self.registry = Registry()
-        for name in capabilities:
+        for name in graph:
             self.registry.register(name, Capability(name))
-        for name, implies in capabilities.items():
+        for name, implies in graph.items():
             self[name].implies.update(self[n] for n in implies)
         if auto_admin:
             self.registry.register(
                 "admin", Capability("admin", set(self.registry.registry.values()))
             )
         self.captype = Capability @ self.registry
+        self.user_file = user_file
 
     def __getitem__(self, item):
         return self.registry.registry[item]
+
+    @cached_property
+    def db(self):
+        return deserialize(
+            FileBacked[dict[str, set[self.captype]] @ DefaultFactory(dict)],
+            self.user_file,
+        )
+
+    def check(self, email, cap):
+        return cap in Capability(implies=self.db.value.get(email, set()))
diff --git a/src/easy_oauth/manager.py b/src/easy_oauth/manager.py
@@ -1,21 +1,18 @@
 import secrets
 from dataclasses import dataclass, field
 from datetime import datetime, timedelta
-from functools import cached_property
-from pathlib import Path
 
 import httpx
 from authlib.integrations.starlette_client import OAuth
 from itsdangerous import URLSafeSerializer
 from serieux import deserialize, serialize
 from serieux.features.encrypt import Secret
-from serieux.features.filebacked import DefaultFactory, FileBacked
 from starlette.exceptions import HTTPException
 from starlette.middleware.sessions import SessionMiddleware
 from starlette.requests import Request
 from starlette.responses import JSONResponse, PlainTextResponse, RedirectResponse
 
-from .cap import Capability, CapabilitySet
+from .cap import CapabilitySet
 from .structs import OpenIDConfiguration, Payload, UserInfo
 
 
@@ -27,8 +24,7 @@ class OAuthManager:
     client_id: Secret[str] = None
     client_secret: Secret[str] = None
     enable: bool = True
-    capability_file: Path = None
-    capset: CapabilitySet = field(default_factory=lambda: CapabilitySet({}))
+    capabilities: CapabilitySet = field(default_factory=lambda: CapabilitySet({}))
 
     # [serieux: ignore]
     server_metadata: OpenIDConfiguration = None
@@ -39,23 +35,12 @@ class OAuthManager:
     def __post_init__(self):
         self.server_metadata = deserialize(OpenIDConfiguration, self.server_metadata_url)
         self.secrets_serializer = URLSafeSerializer(self.secret_key)
-        self.user_management_capability = self.capset.registry.registry.get(
+        self.user_management_capability = self.capabilities.registry.registry.get(
             "user_management", None
         )
 
-    @cached_property
-    def capability_db(self):
-        return deserialize(
-            FileBacked[dict[str, set[self.capset.captype]] @ DefaultFactory(dict)],
-            self.capability_file,
-        )
-
-    def has_capability(self, email, cap):
-        cd = self.capability_db.value
-        return cap in Capability(implies=cd.get(email, set()))
-
     def ensure_user_manager(self, email):
-        if self.user_management_capability is None or not self.has_capability(
+        if self.user_management_capability is None or not self.capabilities.check(
             email, self.user_management_capability
         ):
             raise HTTPException(
@@ -94,7 +79,7 @@ async def ensure_email(self, request: Request):
 
     def get_email_capability(self, cap=None, redirect=False):
         if isinstance(cap, str):
-            cap = deserialize(self.capset.captype, cap)
+            cap = deserialize(self.capabilities.captype, cap)
 
         async def get(request: Request):
             if redirect:
@@ -103,7 +88,7 @@ async def get(request: Request):
                 email = await self.get_email(request)
             if email is None:
                 raise HTTPException(status_code=401, detail="Authentication required")
-            elif cap is None or self.has_capability(email, cap):
+            elif cap is None or self.capabilities.check(email, cap):
                 yield email
             else:
                 raise HTTPException(status_code=403, detail=f"{cap} capability required")
@@ -145,6 +130,10 @@ async def assimilate_payload(self, request):
             request.session["access_token"] = payload.access_token
             request.session["refresh_token"] = payload.refresh_token
 
+    ##########
+    # Routes #
+    ##########
+
     async def route_login(self, request):
         red = request.session.get("redirect_after_login", "/")
         request.session.clear()
@@ -183,13 +172,19 @@ async def route_logout(self, request):
         request.session.clear()
         return RedirectResponse(url="/")
 
+    ##########################
+    # User management routes #
+    ##########################
+
     def _manage_cap_response(self, email):
-        db = self.capability_db
+        db = self.capabilities.db
         return JSONResponse(
             {
                 "status": "ok",
                 "email": email,
-                "capabilities": serialize(set[self.capset.captype], db.value.get(email, set())),
+                "capabilities": serialize(
+                    set[self.capabilities.captype], db.value.get(email, set())
+                ),
             }
         )
 
@@ -199,7 +194,7 @@ async def _manage_generic(self, request, reqcls):
 
         req = deserialize(reqcls, await request.json())
 
-        db = self.capability_db
+        db = self.capabilities.db
         req.apply(db.value)
         db.save()
 
@@ -209,7 +204,7 @@ async def route_manage_capabilities_add(self, request):
         @dataclass
         class AddRequest:
             email: str
-            capability: self.capset.captype
+            capability: self.capabilities.captype
 
             def apply(self, caps):
                 caps.setdefault(self.email, set()).add(self.capability)
@@ -220,7 +215,7 @@ async def route_manage_capabilities_remove(self, request):
         @dataclass
         class RemoveRequest:
             email: str
-            capability: self.capset.captype
+            capability: self.capabilities.captype
 
             def apply(self, caps):
                 caps.setdefault(self.email, set()).discard(self.capability)
@@ -231,7 +226,7 @@ async def route_manage_capabilities_set(self, request):
         @dataclass
         class SetRequest:
             email: str
-            capabilities: set[self.capset.captype]
+            capabilities: set[self.capabilities.captype]
 
             def apply(self, caps):
                 caps[self.email] = self.capabilities
@@ -252,6 +247,10 @@ class ListRequest:
 
         return self._manage_cap_response(req.email)
 
+    ##################
+    # Install to app #
+    ##################
+
     def install(self, app):
         if not self.enable:  # pragma: no cover
             return
diff --git a/tests/app.py b/tests/app.py
@@ -3,7 +3,7 @@
 
 from fastapi import Depends, FastAPI
 from fastapi.responses import JSONResponse, PlainTextResponse
-from serieux import Sources, deserialize
+from serieux import deserialize
 from starlette.requests import Request
 
 from easy_oauth.manager import OAuthManager
@@ -14,28 +14,12 @@
 def make_app(tmpdir: Path = None):
     app = FastAPI()
 
-    capgraph = {
-        "user_management": [],
-        "villager": [],
-        "mafia": ["villager"],
-        "police": ["villager"],
-        "mayor": ["villager", "police"],
-        "baker": ["villager"],
-    }
-
-    oauth = deserialize(
-        OAuthManager,
-        Sources(
-            Path(here / "appconfig.yaml"),
-            {
-                "capset": {"capabilities": capgraph},
-            },
-        ),
-    )
+    oauth = deserialize(OAuthManager, Path(here / "appconfig.yaml"))
+
     if tmpdir is not None:
-        dest_cap_file = Path(tmpdir) / oauth.capability_file.name
-        shutil.copy(oauth.capability_file, dest_cap_file)
-        oauth.capability_file = dest_cap_file
+        dest_cap_file = Path(tmpdir) / oauth.capabilities.user_file.name
+        shutil.copy(oauth.capabilities.user_file, dest_cap_file)
+        oauth.capabilities.user_file = dest_cap_file
 
     oauth.install(app)
 
diff --git a/tests/appconfig.yaml b/tests/appconfig.yaml
@@ -5,4 +5,18 @@ client_secret: "dHPf4JQhK9VutnlJlcln"
 client_kwargs:
   scope: openid email
   prompt: select_account
-capability_file: caps.yaml
+capabilities:
+  auto_admin: true
+  user_file: caps.yaml
+  graph:
+    user_management: []
+    villager: []
+    mafia:
+      - villager
+    police:
+      - villager
+    mayor:
+      - villager
+      - police
+    baker:
+      - villager
