added the option to return the single resource, or None

Signed-off-by: Daniele Martinoli <86618610+dmartinol@users.noreply.github.com>
dmartinol · Jul 1, 2024 · 73eaecd · 73eaecd
1 parent ac636d4
commit 73eaecd
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 9 deletions.
diff --git a/sdk/python/feast/permissions/enforcer.py b/sdk/python/feast/permissions/enforcer.py
@@ -1,5 +1,5 @@
 import logging
-from typing import Union
+from typing import Optional, Union
 
 from feast.feast_object import FeastObject
 from feast.permissions.decision import DecisionEvaluator
@@ -19,7 +19,7 @@ def enforce_policy(
     resources: Union[list[FeastObject], FeastObject],
     actions: list[AuthzedAction],
     filter_only: bool = False,
-) -> list[FeastObject]:
+) -> Optional[Union[list[FeastObject], FeastObject]]:
     """
     Define the logic to apply the configured permissions when a given action is requested on
     a protected resource.
@@ -34,8 +34,10 @@ def enforce_policy(
         actions: The requested actions to be authorized.
         filter_only: If `True`, it removes unauthorized resources from the returned value, otherwise it raises a `PermissionError` the
         first unauthorized resource. Defaults to `False`.
+
     Returns:
-        list[FeastObject]: A list of the permitted resources (a subset of the input `resources`).
+        Union[list[FeastObject], FeastObject]: A filtered list of the permitted resources or the original `resources`, if permitted
+        (otherwise it's `None`).
 
     Raises:
         PermissionError: If the current user is not authorized to eecute the requested actions on the given resources (and `filter_only` is `False`).
@@ -79,4 +81,10 @@ def enforce_policy(
             _permitted_resources.append(resource)
             message = f"No permissions defined to manage {actions} on {type(resource)}/{resource.name}."
             logger.info(f"**PERMISSION GRANTED**: {message}")
-    return _permitted_resources
+    return (
+        _permitted_resources
+        if isinstance(resources, list)
+        else _permitted_resources[0]
+        if _permitted_resources
+        else None
+    )
diff --git a/sdk/python/feast/permissions/security_manager.py b/sdk/python/feast/permissions/security_manager.py
@@ -61,7 +61,7 @@ def assert_permissions(
         resources: Union[list[FeastObject], FeastObject],
         actions: Union[AuthzedAction, List[AuthzedAction]],
         filter_only: bool = False,
-    ) -> list[FeastObject]:
+    ) -> Optional[Union[list[FeastObject], FeastObject]]:
         """
         Verify if the current user is authorized ro execute the requested actions on the given resources.
 
@@ -73,6 +73,10 @@ def assert_permissions(
             filter_only: If `True`, it removes unauthorized resources from the returned value, otherwise it raises a `PermissionError` the
             first unauthorized resource. Defaults to `False`.
 
+        Returns:
+            Union[list[FeastObject], FeastObject]: A filtered list of the permitted resources or the original `resources`, if permitted
+            (otherwise it's `None`).
+
         Raises:
             PermissionError: If the current user is not authorized to eecute all the requested actions on the given resources.
         """
@@ -90,11 +94,23 @@ def assert_permissions(
     resources: Union[list[FeastObject], FeastObject],
     actions: Union[AuthzedAction, List[AuthzedAction]],
     filter_only: bool = False,
-) -> list[FeastObject]:
+) -> Optional[Union[list[FeastObject], FeastObject]]:
     """
     A utility function to invoke the `assert_permissions` method on the global security manager.
 
     If no global `SecurityManager` is defined, the execution is permitted.
+
+    Args:
+        resources: The resources for which we need to enforce authorized permission.
+        actions: The requested actions to be authorized.
+        filter_only: If `True`, it removes unauthorized resources from the returned value, otherwise it raises a `PermissionError` the
+        first unauthorized resource. Defaults to `False`.
+    Returns:
+        Union[list[FeastObject], FeastObject]: A filtered list of the permitted resources or the original `resources`, if permitted
+        (otherwise it's `None`).
+
+    Raises:
+        PermissionError: If the current user is not authorized to eecute the requested actions on the given resources (and `filter_only` is `False`).
     """
     sm = get_security_manager()
     if sm is None:

diff --git a/sdk/python/tests/unit/permissions/test_security_manager.py b/sdk/python/tests/unit/permissions/test_security_manager.py
@@ -43,7 +43,7 @@ def test_access_SecuredFeatureView_raise_error(
     for i, r in enumerate(resources):
         if allowed_single[i]:
             result = sm.assert_permissions(resources=r, actions=requested_actions)
-            assertpy.assert_that(result).is_equal_to([r])
+            assertpy.assert_that(result).is_equal_to(r)
         else:
             with pytest.raises(PermissionError):
                 sm.assert_permissions(resources=r, actions=requested_actions)
@@ -85,6 +85,6 @@ def test_access_SecuredFeatureView_filter_resources(
             resources=r, actions=requested_actions, filter_only=True
         )
         if allowed_single[i]:
-            assertpy.assert_that(result).is_equal_to([r])
+            assertpy.assert_that(result).is_equal_to(r)
         else:
-            assertpy.assert_that(result).is_equal_to([])
+            assertpy.assert_that(result).is_none()