From d7ba6a4a47e51fabfd0b5d4df400f49aab0b5439 Mon Sep 17 00:00:00 2001
From: Tim Pillinger <26465611+wxtim@users.noreply.github.com>
Date: Thu, 1 Oct 2020 13:39:43 +0100
Subject: [PATCH] remove Priv object

---
 cylc/flow/cfgspec/globalcfg.py     | 32 -----------------
 cylc/flow/network/authorisation.py | 56 +-----------------------------
 cylc/flow/network/server.py        | 12 +++----
 3 files changed, 7 insertions(+), 93 deletions(-)

diff --git a/cylc/flow/cfgspec/globalcfg.py b/cylc/flow/cfgspec/globalcfg.py
index 01b21bf915e..74fde0e4002 100644
--- a/cylc/flow/cfgspec/globalcfg.py
+++ b/cylc/flow/cfgspec/globalcfg.py
@@ -21,7 +21,6 @@
 from cylc.flow import LOG
 from cylc.flow import __version__ as CYLC_VERSION
 from cylc.flow.hostuserutil import get_user_home
-from cylc.flow.network.authorisation import Priv
 from cylc.flow.parsec.config import ParsecConfig, ConfigNode as Conf
 from cylc.flow.parsec.exceptions import ParsecError
 from cylc.flow.parsec.upgrade import upgrader
@@ -597,37 +596,6 @@
             host if you have to use the *hardwired* self-identification method.
         ''')
 
-    # suite
-    with Conf('authentication', desc='''
-        Authentication of client programs with suite server programs can be
-        configured here, and overridden in suites if necessary with
-        :cylc:conf:`flow.cylc[cylc][authentication]`.
-
-        The suite-specific passphrase must be installed on a user's account to
-        authorize full control privileges (see
-        :ref:`ConnectionAuthentication`). In the future we plan to move to a
-        more traditional user account model so that each authorized user can
-        have their own password.
-    '''):
-        # Allow owners to grant public shutdown rights at the most, not full
-        # control.
-        Conf(
-            'public',
-            VDR.V_STRING,
-            default=Priv.STATE_TOTALS.name.lower().replace('_', '-'),
-            options=[
-                level.name.lower().replace('_', '-')
-                for level in [
-                    Priv.IDENTITY, Priv.DESCRIPTION,
-                    Priv.STATE_TOTALS, Priv.READ, Priv.SHUTDOWN
-                ]
-            ],
-            desc='''
-                This sets the client privilege level for public access - i.e.
-                no suite passphrase required.
-            '''
-        )
-
     # suite
     with Conf('suite servers', desc='''
         Configure allowed suite hosts and ports for starting up (running or
diff --git a/cylc/flow/network/authorisation.py b/cylc/flow/network/authorisation.py
index ac3917dd20d..7369eb8e2ba 100644
--- a/cylc/flow/network/authorisation.py
+++ b/cylc/flow/network/authorisation.py
@@ -15,60 +15,17 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """Network authorisation layer."""
 
-from enum import IntEnum
 from functools import wraps
 
 from cylc.flow import LOG
 
 
-class Priv(IntEnum):
-    """Cylc privilege levels.
-
-    In Cylc configurations use the lower-case form of each privilege level
-    e.g. ``control`` for ``Priv.CONTROL``.
-
-    These levels are ordered (by the integer associated with each) from 0.
-    Each privilege level grants access to the levels below it.
-
-    """
-
-    CONTROL = 6
-    """Provides full control of a suite."""
-
-    SHUTDOWN = 5  # (Not used yet - for the post-passphrase era.)
-    """Allows issuing of the shutdown command."""
-
-    READ = 4
-    """Permits read access to the suite's state."""
-
-    STATE_TOTALS = 3
-    """Provides access to the count of tasks in each state."""
-
-    DESCRIPTION = 2
-    """Permits reading of suite metadata."""
-
-    IDENTITY = 1
-    """Provides read access to the suite name, owner and Cylc version."""
-
-    NONE = 0
-    """No access."""
-
-    @classmethod
-    def parse(cls, key):
-        """Obtain a privilege enumeration from a string."""
-        return cls.__members__[key.upper().replace('-', '_')]
-
-
-def authorise(req_priv_level):
+def authorise():
     """Add authorisation to an endpoint.
 
     This decorator extracts the `user` field from the incoming message to
     determine the client's privilege level.
 
-    Args:
-        req_priv_level (cylc.flow.network.Priv): A privilege level for the
-            method.
-
     Wrapped function args:
         user
             The authenticated user (determined server side)
@@ -88,20 +45,9 @@ def _authorise(self, *args, user='?', meta=None, **kwargs):
 
             # Hardcoded, for new - but much of this functionality can be
             # removed more swingingly.
-            usr_priv_level = Priv.CONTROL
-            if usr_priv_level < req_priv_level:
-                LOG.warn(
-                    "[client-connect] DENIED (privilege '%s' < '%s') %s@%s:%s",
-                    usr_priv_level, req_priv_level, user, host, prog)
-                raise Exception('Authorisation failure')
             LOG.info(
                 '[client-command] %s %s@%s:%s', fcn.__name__, user, host, prog)
             return fcn(self, *args, **kwargs)
 
-        # add authorisation level to docstring
-        _authorise.__doc__ += (
-            f'Authentication:\n{" " * 12}'
-            f':py:obj:`{__loader__.name}.{str(req_priv_level)}`\n'
-        )
         return _authorise
     return wrapper
diff --git a/cylc/flow/network/server.py b/cylc/flow/network/server.py
index 01318d14a61..e446bd4a51a 100644
--- a/cylc/flow/network/server.py
+++ b/cylc/flow/network/server.py
@@ -25,7 +25,7 @@
 
 from cylc.flow import LOG
 from cylc.flow.network import encode_, decode_, ZMQSocketBase
-from cylc.flow.network.authorisation import Priv, authorise
+from cylc.flow.network.authorisation import authorise
 from cylc.flow.network.graphql import (
     CylcGraphQLBackend, IgnoreFieldMiddleware, instantiate_middleware
 )
@@ -259,7 +259,7 @@ def register_endpoints(self):
                           for name, obj in self.__class__.__dict__.items()
                           if hasattr(obj, 'exposed')}
 
-    @authorise(Priv.IDENTITY)
+    @authorise()
     @expose
     def api(self, endpoint=None):
         """Return information about this API.
@@ -292,7 +292,7 @@ def api(self, endpoint=None):
             return '%s\n%s' % (head, tail)
         return 'No method by name "%s"' % endpoint
 
-    @authorise(Priv.READ)
+    @authorise()
     @expose
     def graphql(self, request_string=None, variables=None):
         """Return the GraphQL scheme execution result.
@@ -335,7 +335,7 @@ def graphql(self, request_string=None, variables=None):
             return errors
         return executed.data
 
-    @authorise(Priv.READ)
+    @authorise()
     @expose
     def get_graph_raw(self, start_point_string, stop_point_string,
                       group_nodes=None, ungroup_nodes=None,
@@ -400,7 +400,7 @@ def get_graph_raw(self, start_point_string, stop_point_string,
             ungroup_all=ungroup_all)
 
     # UIServer Data Commands
-    @authorise(Priv.READ)
+    @authorise()
     @expose
     def pb_entire_workflow(self):
         """Send the entire data-store in a single Protobuf message.
@@ -413,7 +413,7 @@ def pb_entire_workflow(self):
         pb_msg = self.schd.data_store_mgr.get_entire_workflow()
         return pb_msg.SerializeToString()
 
-    @authorise(Priv.READ)
+    @authorise()
     @expose
     def pb_data_elements(self, element_type):
         """Send the specified data elements in delta form.