[FC-0099] feat: add rest api for roles and permissions

[BryanttV]

Description

This PR introduces the REST API for Open edX AuthZ.

How To Test

We create the following endpoints:

• Validate Permissions (POST)
• List Users in Role (GET)
• Add Users to Role (PUT)
• Delete User from Role (DELETE)
• List Roles by Scope (GET)

You can download this open-edx-authz.postman_collection.json or go to {lms_domain}/api-docs/#/authz to test all endpoints.

[openedx-webhooks]

Thanks for the pull request, @BryanttV!

This repository is currently maintained by @openedx/committers-openedx-authz.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[mariajgrimaldi]

Makes total sense for this view to live here. Now, I'm conflicted by this permission class which depends entirely in library definitions and as is, we couldn't reuse this view for other kind of resources like courses. I initially hardcoded ContentLibraryData classes in the users API, but now we abstracted scopes so they can be extended later on with other resources like courses. Do you think we could do something like it here? Maybe not for the MVP, but i'd like for us to add a note that this doesn't belong here long-term.

[mariajgrimaldi]

Maybe we can adopt the configuration setting DRF uses for permission classes: https://www.django-rest-framework.org/api-guide/permissions/#setting-the-permission-policy

[bmtcril]

I think the only thing that makes HasLibraryPermission non-generic is the names of the permissions being checked. A couple of options for this might be adding the equivalent names of those 2 permissions to the registry classes for each type, if we think the logic of "one permission to view, one permission to manage" will be enough. Alternatively we could stipulate that if a permission type needs a management interface it can inherit from this one and add a custom permission class.

I suspect we'll need more flexibility in the way permissions are managed eventually, so even if we went with the first option we would still want a way to disable this view for certain types (maybe both permission names default to None which causes this view to fail auth and return an error?).

[mariajgrimaldi]

I wonder what would be the difference between: manage_library_team on a library scope and manage_course_team on a course scope. Maybe they both could be named manage_team, view_team? Or are those too general?

The registry with the namespace would also be a good option as well.

[BryanttV]

Hi @mariajgrimaldi and @bmtcril, thank you for all your suggestions!

I implemented a new class to dynamically evaluate permissions, highly inspired by the current approach to scope and subject data. What do you think of this approach?

45c238c

[mariajgrimaldi]

Looks good to me!

This could be our way to offer flexibility and dynamism when handling different domains that behave differently depending on the type of namespace, such as scope and subject types, permission enforcement, and other domain-specific behaviors. It'd be nice to centralize all of them, but we can look at this down the road. As Ty mentioned, I imagine these classes will live alongside the content library code and later extend to courses and other areas, keeping the core flexible enough to support them all. :)

[bmtcril]

This is looking great, I think there are 1-2 more thorny issues to work out but it's close.

[bmtcril]

I think the only thing that makes HasLibraryPermission non-generic is the names of the permissions being checked. A couple of options for this might be adding the equivalent names of those 2 permissions to the registry classes for each type, if we think the logic of "one permission to view, one permission to manage" will be enough. Alternatively we could stipulate that if a permission type needs a management interface it can inherit from this one and add a custom permission class.

I suspect we'll need more flexibility in the way permissions are managed eventually, so even if we went with the first option we would still want a way to disable this view for certain types (maybe both permission names default to None which causes this view to fail auth and return an error?).

[bmtcril]

I think we have to if the api doesn't error on it. Otherwise it may be a vector for credential stuffing attacks? Similarly we should make sure that the scope matches whatever we're authenticating for in permission class (ex: we're checking library permissions in the permission class now, but not checking that the scope they're modifying here is a library scope).

[BryanttV]

Yes, I agree with you. I added a validation method in the serializer that checks whether the scope exists. For example, if my scope is a Library ID (lib:OpenedX:CSPROB), it will validate using the exists() method to ensure that this library actually exists in the database. After that, it validates that the role exists within the roles defined in the general scope (namespace). If any of these validations fail, it will return an error. What do you think?

[bmtcril]

Similar comment to above, we should make sure that the scope we're deleting matches the permissions we're checking in the permission class.

[bmtcril]

Can any authenticated user make this call for any scope?

[BryanttV]

I don't think so, I'm just not sure which permission we should validate in this case, considering that it's a general endpoint for all scopes.

cc @mariajgrimaldi

[mariajgrimaldi]

I believe it's this one: https://openedx.atlassian.net/wiki/spaces/OEPM/pages/4840095745/Library+Roles+and+Permissions#Manage-Library-Team (which also considers view). This ties back to our earlier discussion about HasLibraryPermission as well. For now, it's limited to that specific library perm, but once we add support for other scopes, it would apply to the course admin, and so on.

Tagging @MaferMazu since she has been working on the final authz.policy.

[bmtcril]

This is looking really good, I appreciate the changes to add BaseScopePermission! 👍

[BryanttV]

@bmtcril @mariajgrimaldi

I just bumped to version 0.3.0.

For now, the endpoint to get roles and permissions by namespace has been added so that only an admin user can use it. It should be usable by any user with the manage_library_team permission, but since only the namespace is sent, it's challenging to do the evaluation with the enforcer correctly.

If you agree, we can merge the PR, and I will work on a way to fix it in another PR.

[mariajgrimaldi]

@BryanttV: I'll merge this with that note in mind, we can address it in a different PR. Thank you all for all the work!