9 files changed, 243 insertions, 0 deletions
diff --git a/opendc-web/opendc-web-api/opendc/models/__init__.py b/opendc-web/opendc-web-api/opendc/models/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/opendc-web/opendc-web-api/opendc/models/__init__.py
diff --git a/opendc-web/opendc-web-api/opendc/models/model.py b/opendc-web/opendc-web-api/opendc/models/model.py
new file mode 100644
index 00000000..f9dfc9ad
--- /dev/null
+++ b/opendc-web/opendc-web-api/opendc/models/model.py
@@ -0,0 +1,64 @@
+from bson.objectid import ObjectId
+
+from opendc.util.database import DB
+from opendc.util.exceptions import ClientError
+from opendc.util.rest import Response
+
+
+class Model:
+    """Base class for all models."""
+
+    collection_name = '<specified in subclasses>'
+
+    @classmethod
+    def from_id(cls, _id):
+        """Fetches the document with given ID from the collection."""
+        if isinstance(_id, str) and len(_id) == 24:
+            _id = ObjectId(_id)
+        elif not isinstance(_id, ObjectId):
+            return cls(None)
+
+        return cls(DB.fetch_one({'_id': _id}, cls.collection_name))
+
+    @classmethod
+    def get_all(cls):
+        """Fetches all documents from the collection."""
+        return cls(DB.fetch_all({}, cls.collection_name))
+
+    def __init__(self, obj):
+        self.obj = obj
+
+    def get_id(self):
+        """Returns the ID of the enclosed object."""
+        return self.obj['_id']
+
+    def check_exists(self):
+        """Raises an error if the enclosed object does not exist."""
+        if self.obj is None:
+            raise ClientError(Response(404, 'Not found.'))
+
+    def set_property(self, key, value):
+        """Sets the given property on the enclosed object, with support for simple nested access."""
+        if '.' in key:
+            keys = key.split('.')
+            self.obj[keys[0]][keys[1]] = value
+        else:
+            self.obj[key] = value
+
+    def insert(self):
+        """Inserts the enclosed object and generates a UUID for it."""
+        self.obj['_id'] = ObjectId()
+        DB.insert(self.obj, self.collection_name)
+
+    def update(self):
+        """Updates the enclosed object and updates the internal reference to the newly inserted object."""
+        DB.update(self.get_id(), self.obj, self.collection_name)
+
+    def delete(self):
+        """Deletes the enclosed object in the database, if it existed."""
+        if self.obj is None:
+            return None
+
+        old_object = self.obj.copy()
+        DB.delete_one({'_id': self.get_id()}, self.collection_name)
+        return old_object
diff --git a/opendc-web/opendc-web-api/opendc/models/portfolio.py b/opendc-web/opendc-web-api/opendc/models/portfolio.py
new file mode 100644
index 00000000..32961b63
--- /dev/null
+++ b/opendc-web/opendc-web-api/opendc/models/portfolio.py
@@ -0,0 +1,24 @@
+from opendc.models.model import Model
+from opendc.models.user import User
+from opendc.util.exceptions import ClientError
+from opendc.util.rest import Response
+
+
+class Portfolio(Model):
+    """Model representing a Portfolio."""
+
+    collection_name = 'portfolios'
+
+    def check_user_access(self, google_id, edit_access):
+        """Raises an error if the user with given [google_id] has insufficient access.
+
+        Checks access on the parent project.
+
+        :param google_id: The Google ID of the user.
+        :param edit_access: True when edit access should be checked, otherwise view access.
+        """
+        user = User.from_google_id(google_id)
+        authorizations = list(
+            filter(lambda x: str(x['projectId']) == str(self.obj['projectId']), user.obj['authorizations']))
+        if len(authorizations) == 0 or (edit_access and authorizations[0]['authorizationLevel'] == 'VIEW'):
+            raise ClientError(Response(403, 'Forbidden from retrieving/editing portfolio.'))
diff --git a/opendc-web/opendc-web-api/opendc/models/prefab.py b/opendc-web/opendc-web-api/opendc/models/prefab.py
new file mode 100644
index 00000000..edf1d4c4
--- /dev/null
+++ b/opendc-web/opendc-web-api/opendc/models/prefab.py
@@ -0,0 +1,28 @@
+from opendc.models.model import Model
+from opendc.models.user import User
+from opendc.util.exceptions import ClientError
+from opendc.util.rest import Response
+
+
+class Prefab(Model):
+    """Model representing a Project."""
+
+    collection_name = 'prefabs'
+
+    def check_user_access(self, google_id):
+        """Raises an error if the user with given [google_id] has insufficient access to view this prefab.
+
+        :param google_id: The Google ID of the user.
+        """
+        user = User.from_google_id(google_id)
+
+        # TODO(Jacob) add special handling for OpenDC-provided prefabs
+
+        #try:
+
+        print(self.obj)
+        if self.obj['authorId'] != user.get_id() and self.obj['visibility'] == "private":
+            raise ClientError(Response(403, "Forbidden from retrieving prefab."))
+        #except KeyError:
+            # OpenDC-authored objects don't necessarily have an authorId
+        #    return
diff --git a/opendc-web/opendc-web-api/opendc/models/project.py b/opendc-web/opendc-web-api/opendc/models/project.py
new file mode 100644
index 00000000..b57e9f77
--- /dev/null
+++ b/opendc-web/opendc-web-api/opendc/models/project.py
@@ -0,0 +1,31 @@
+from opendc.models.model import Model
+from opendc.models.user import User
+from opendc.util.database import DB
+from opendc.util.exceptions import ClientError
+from opendc.util.rest import Response
+
+
+class Project(Model):
+    """Model representing a Project."""
+
+    collection_name = 'projects'
+
+    def check_user_access(self, google_id, edit_access):
+        """Raises an error if the user with given [google_id] has insufficient access.
+
+        :param google_id: The Google ID of the user.
+        :param edit_access: True when edit access should be checked, otherwise view access.
+        """
+        user = User.from_google_id(google_id)
+        authorizations = list(filter(lambda x: str(x['projectId']) == str(self.get_id()),
+                                     user.obj['authorizations']))
+        if len(authorizations) == 0 or (edit_access and authorizations[0]['authorizationLevel'] == 'VIEW'):
+            raise ClientError(Response(403, "Forbidden from retrieving project."))
+
+    def get_all_authorizations(self):
+        """Get all user IDs having access to this project."""
+        return [
+            str(user['_id']) for user in DB.fetch_all({'authorizations': {
+                'projectId': self.obj['_id']
+            }}, User.collection_name)
+        ]
diff --git a/opendc-web/opendc-web-api/opendc/models/scenario.py b/opendc-web/opendc-web-api/opendc/models/scenario.py
new file mode 100644
index 00000000..8d53e408
--- /dev/null
+++ b/opendc-web/opendc-web-api/opendc/models/scenario.py
@@ -0,0 +1,26 @@
+from opendc.models.model import Model
+from opendc.models.portfolio import Portfolio
+from opendc.models.user import User
+from opendc.util.exceptions import ClientError
+from opendc.util.rest import Response
+
+
+class Scenario(Model):
+    """Model representing a Scenario."""
+
+    collection_name = 'scenarios'
+
+    def check_user_access(self, google_id, edit_access):
+        """Raises an error if the user with given [google_id] has insufficient access.
+
+        Checks access on the parent project.
+
+        :param google_id: The Google ID of the user.
+        :param edit_access: True when edit access should be checked, otherwise view access.
+        """
+        portfolio = Portfolio.from_id(self.obj['portfolioId'])
+        user = User.from_google_id(google_id)
+        authorizations = list(
+            filter(lambda x: str(x['projectId']) == str(portfolio.obj['projectId']), user.obj['authorizations']))
+        if len(authorizations) == 0 or (edit_access and authorizations[0]['authorizationLevel'] == 'VIEW'):
+            raise ClientError(Response(403, 'Forbidden from retrieving/editing scenario.'))
diff --git a/opendc-web/opendc-web-api/opendc/models/topology.py b/opendc-web/opendc-web-api/opendc/models/topology.py
new file mode 100644
index 00000000..cb4c4bab
--- /dev/null
+++ b/opendc-web/opendc-web-api/opendc/models/topology.py
@@ -0,0 +1,27 @@
+from opendc.models.model import Model
+from opendc.models.user import User
+from opendc.util.exceptions import ClientError
+from opendc.util.rest import Response
+
+
+class Topology(Model):
+    """Model representing a Project."""
+
+    collection_name = 'topologies'
+
+    def check_user_access(self, google_id, edit_access):
+        """Raises an error if the user with given [google_id] has insufficient access.
+
+        Checks access on the parent project.
+
+        :param google_id: The Google ID of the user.
+        :param edit_access: True when edit access should be checked, otherwise view access.
+        """
+        user = User.from_google_id(google_id)
+        if 'projectId' not in self.obj:
+            raise ClientError(Response(400, 'Missing projectId in topology.'))
+
+        authorizations = list(
+            filter(lambda x: str(x['projectId']) == str(self.obj['projectId']), user.obj['authorizations']))
+        if len(authorizations) == 0 or (edit_access and authorizations[0]['authorizationLevel'] == 'VIEW'):
+            raise ClientError(Response(403, 'Forbidden from retrieving topology.'))
diff --git a/opendc-web/opendc-web-api/opendc/models/trace.py b/opendc-web/opendc-web-api/opendc/models/trace.py
new file mode 100644
index 00000000..2f6e4926
--- /dev/null
+++ b/opendc-web/opendc-web-api/opendc/models/trace.py
@@ -0,0 +1,7 @@
+from opendc.models.model import Model
+
+
+class Trace(Model):
+    """Model representing a Trace."""
+
+    collection_name = 'traces'
diff --git a/opendc-web/opendc-web-api/opendc/models/user.py b/opendc-web/opendc-web-api/opendc/models/user.py
new file mode 100644
index 00000000..8e8ff945
--- /dev/null
+++ b/opendc-web/opendc-web-api/opendc/models/user.py
@@ -0,0 +1,36 @@
+from opendc.models.model import Model
+from opendc.util.database import DB
+from opendc.util.exceptions import ClientError
+from opendc.util.rest import Response
+
+
+class User(Model):
+    """Model representing a User."""
+
+    collection_name = 'users'
+
+    @classmethod
+    def from_email(cls, email):
+        """Fetches the user with given email from the collection."""
+        return User(DB.fetch_one({'email': email}, User.collection_name))
+
+    @classmethod
+    def from_google_id(cls, google_id):
+        """Fetches the user with given Google ID from the collection."""
+        return User(DB.fetch_one({'googleId': google_id}, User.collection_name))
+
+    def check_correct_user(self, request_google_id):
+        """Raises an error if a user tries to modify another user.
+
+        :param request_google_id:
+        """
+        if request_google_id is not None and self.obj['googleId'] != request_google_id:
+            raise ClientError(Response(403, f'Forbidden from editing user with ID {self.obj["_id"]}.'))
+
+    def check_already_exists(self):
+        """Checks if the user already exists in the database."""
+
+        existing_user = DB.fetch_one({'googleId': self.obj['googleId']}, self.collection_name)
+
+        if existing_user is not None:
+            raise ClientError(Response(409, 'User already exists.'))