def filter_meta_by_allow_priority()

in modular_api/web_service/iam.py [0:0]


def filter_meta_by_allow_priority(policy: list, all_meta: dict) -> dict:
    """
    Return a pruned deep copy of ``all_meta`` holding only what "Allow"
    rules in ``policy`` permit. ``all_meta`` itself is never modified.

    Evaluation order, outermost container first:
    1. Module: allowed as a whole, or allowed to be entered
    2. Commands directly inside the module
    3. Group: allowed as a whole, or allowed to be entered
    4. Commands directly inside the group
    5. Subgroup: allowed as a whole, or allowed to be entered
    6. Commands inside the subgroup

    Points worth knowing when reasoning about access control here:
    - An ``entire_module`` / ``entire_group`` / ``entire_subgroup`` grant
      keeps the whole subtree and nothing below it is evaluated by this
      function. NOTE(review): whether an explicit deny on a nested item
      can still win depends on ``check_permission`` - confirm there.
    - Every other entry is dropped unless ``check_permission`` returns a
      truthy value for it, so a missing grant removes the entry.
    - An entry counts as a group only when its ``'type'`` equals
      ``'group'``; anything else is checked as a command.
    - Only two levels of grouping are walked. Everything inside a subgroup
      is checked with ``atype='subgroup_command'``, whatever its type.
    - A container that was entered stays in the result even when all of
      its commands were pruned.
    - Assumes every module and group dict carries a ``'body'`` mapping;
      a missing key raises ``KeyError``.
    - NOTE(review): this only shapes the metadata handed back to the
      caller; verify that command execution is authorized separately.

    :param policy: policy statements, passed through to check_permission
    :param all_meta: full command metadata keyed by module name
    :return: deep copy of ``all_meta`` with non-permitted entries removed
    """
    body_key = 'body'
    permitted = copy.deepcopy(all_meta)

    def is_allowed(atype, **scope):
        # Single call site for the policy check. Keyword order stays
        # policy, <scope...>, atype, exactly as the checks are spelled out
        # in the evaluation order above.
        return check_permission(policy=policy, **scope, atype=atype)

    def prune(*path):
        # Remove the entry addressed by ``path`` from the copy, resolving
        # the path from the root of ``permitted`` on every call.
        *parents, leaf = path
        node = permitted
        for key in parents:
            node = node[key]
        del node[leaf]

    for module, module_content in all_meta.items():
        # A whole-module grant keeps the subtree as is.
        if is_allowed('entire_module', module=module):
            continue
        if not is_allowed('module', module=module):
            prune(module)
            continue

        for item, item_content in module_content[body_key].items():
            item_is_group = item_content.get('type') == 'group'
            if not item_is_group:
                # Command sitting directly under the module.
                if not is_allowed('root_command', module=module,
                                  command=item):
                    prune(module, body_key, item)
                continue

            group = item
            if is_allowed('entire_group', module=module, group=group):
                continue
            if not is_allowed('group', module=module, group=group):
                prune(module, body_key, group)
                continue

            for group_item, group_content in item_content[body_key].items():
                nested_is_group = group_content.get('type') == 'group'
                if not nested_is_group:
                    # Command sitting directly under the group.
                    if not is_allowed('group_command', module=module,
                                      group=group, command=group_item):
                        prune(module, body_key, group, body_key, group_item)
                    continue

                subgroup = group_item
                if is_allowed('entire_subgroup', module=module,
                              group=group, subgroup=subgroup):
                    continue
                if not is_allowed('subgroup', module=module,
                                  group=group, subgroup=subgroup):
                    prune(module, body_key, group, body_key, subgroup)
                    continue

                # No type check at this depth: every entry of the subgroup
                # body is evaluated as a command.
                for cmd, _ in group_content[body_key].items():
                    if not is_allowed('subgroup_command', module=module,
                                      group=group, subgroup=subgroup,
                                      command=cmd):
                        prune(module, body_key, group, body_key,
                              subgroup, body_key, cmd)

    return permitted