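    def get_account_authorizations_for_org(account_id: str,
                                           corp_type_code: Optional[str],
                                           expanded: bool = False,
                                           **kwargs):
        """Get User authorizations for the org.

        Resolves which authorization record applies to ``account_id`` for the
        caller described by ``kwargs['user_context']`` and returns it as a
        dict carrying a ``roles`` entry.

        Args:
            account_id: Org/account identifier the caller is asking about.
                Annotated ``str``, but the claim comparison in the original
                only ever matched an int, so it is now compared as text to
                work for both.
            corp_type_code: Product/corp type deciding between product based
                and org based lookups; may be None.
            expanded: Passed through to ``Authorization.as_dict``; for staff it
                also decides whether the authorization view is queried at all.
            **kwargs: Must contain ``user_context`` (a ``UserContext``).

        Returns:
            dict: Authorization details plus ``roles``. For staff ``roles`` is
            the token's realm roles; otherwise the membership permissions, or
            ``[]`` when no authorization record matches.

        Raises:
            KeyError: If ``user_context`` is missing from ``kwargs``.
        """
        user_from_context: UserContext = kwargs['user_context']
        auth_response = {}
        auth = None
        token_roles = user_from_context.roles

        # todo the service account level access has not been defined
        if Role.STAFF.value in token_roles:
            if expanded:
                # Query Authorization view by business identifier
                auth = AuthorizationView.find_authorization_for_admin_by_org_id(
                    account_id)
                auth_response = Authorization(auth).as_dict(expanded)
            # Staff privileges come from the token itself, not from a membership row.
            auth_response['roles'] = token_roles
            return auth_response

        keycloak_guid = user_from_context.sub
        account_id_claim = user_from_context.account_id_claim
        # Product based auth (corp_type_code names a product) vs org based auth.
        if Authorization._is_product_based_auth(corp_type_code):
            if account_id_claim:
                auth = AuthorizationView.find_account_authorization_by_org_id_and_product(
                    account_id_claim, corp_type_code)
            else:
                auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user(
                    keycloak_guid, account_id, corp_type_code)
        elif account_id_claim and str(account_id) == str(account_id_claim):
            # The account pinned in the token (API gateway users) must match the
            # account actually requested before the admin-level view is used.
            # Compared as text: ``account_id == int(account_id_claim)`` was always
            # False for a str account_id and raised ValueError on a non-numeric claim.
            auth = AuthorizationView.find_authorization_for_admin_by_org_id(
                account_id_claim)
        elif account_id and keycloak_guid:
            # Otherwise fall back to the caller's own membership in the requested account.
            auth = AuthorizationView.find_user_authorization_by_org_id(
                keycloak_guid, account_id)

        auth_response['roles'] = []
        if auth:
            permissions = PermissionsService.get_permissions_for_membership(
                auth.status_code, auth.org_membership)
            auth_response = Authorization(auth).as_dict(expanded)
            auth_response['roles'] = permissions

        return auth_response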
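    def get_account_authorizations_for_org(token_info: Dict,
                                           account_id: str,
                                           corp_type_code: Optional[str],
                                           expanded: bool = False):
        """Get User authorizations for the org.

        Resolves which authorization record applies to ``account_id`` for the
        caller described by the decoded token ``token_info`` and returns it as
        a dict carrying a ``roles`` entry.

        Args:
            token_info: Decoded JWT claims. Reads ``realm_access.roles``,
                ``sub`` and ``Account-Id``; missing keys are tolerated.
            account_id: Org/account identifier the caller is asking about.
            corp_type_code: Product/corp type deciding between product based
                and org based lookups; may be None.
            expanded: Passed through to ``Authorization.as_dict``; for staff it
                also decides whether the authorization view is queried at all.

        Returns:
            dict: Authorization details plus ``roles``. For staff ``roles`` is
            the token's realm roles; otherwise the membership permissions, or
            ``[]`` when no authorization record matches.
        """
        auth_response = {}
        auth = None
        # A token without realm_access (or without roles) is simply not staff;
        # the original chained .get() calls raised AttributeError/TypeError here.
        token_roles = (token_info.get('realm_access') or {}).get('roles') or []

        # todo the service account level access has not been defined
        if Role.STAFF.value in token_roles:
            if expanded:
                # Query Authorization view by business identifier
                auth = AuthorizationView.find_authorization_for_admin_by_org_id(
                    account_id)
                auth_response = Authorization(auth).as_dict(expanded)
            # Staff privileges come from the token itself, not from a membership row.
            auth_response['roles'] = token_roles
            return auth_response

        keycloak_guid = token_info.get('sub', None)
        account_id_claim = token_info.get('Account-Id', None)
        # Product based auth (corp_type_code names a product) vs org based auth.
        if Authorization._is_product_based_auth(corp_type_code):
            if account_id_claim:
                auth = AuthorizationView.find_account_authorization_by_org_id_and_product(
                    account_id_claim, corp_type_code)
            else:
                auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user(
                    keycloak_guid, account_id, corp_type_code)
        elif account_id_claim and str(account_id) == str(account_id_claim):
            # The account pinned in the token (API gateway users) must match the
            # account actually requested before the admin-level view is used;
            # the original returned the claim account's authorization whatever
            # account_id was asked for.
            auth = AuthorizationView.find_authorization_for_admin_by_org_id(
                account_id_claim)
        elif account_id and keycloak_guid:
            # Otherwise fall back to the caller's own membership in the requested account.
            auth = AuthorizationView.find_user_authorization_by_org_id(
                keycloak_guid, account_id)

        auth_response['roles'] = []
        if auth:
            permissions = PermissionsService.get_permissions_for_membership(
                auth.status_code, auth.org_membership)
            auth_response = Authorization(auth).as_dict(expanded)
            auth_response['roles'] = permissions

        return auth_response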
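def check_auth(**kwargs):
    """Check if user is authorized to perform action on the service.

    Dispatches on the kind of caller found in ``kwargs['user_context']``:
    staff callers are checked against the STAFF role, system (service
    account) callers against the product code carried in their token, and
    regular users against their authorization for the requested business or
    their membership in the requested org.

    Keyword Args:
        user_context (UserContext): Required; the caller's identity.
        business_identifier (str, optional): Entity the action targets.
        org_id (optional): Org the action targets.
        Remaining keys are forwarded unchanged to ``_check_for_roles``.

    Raises:
        KeyError: If ``user_context`` is missing.
        Whatever ``abort(403)`` raises when the caller is not authorized.
    """
    user_from_context: UserContext = kwargs['user_context']
    if user_from_context.is_staff():
        _check_for_roles(STAFF, kwargs)
    elif user_from_context.is_system():
        _check_auth_for_system(user_from_context, kwargs)
    else:
        _check_auth_for_user(user_from_context, kwargs)


def _check_auth_for_system(user_from_context, kwargs):
    """Authorize a service account by the product code in its JWT; abort(403) otherwise."""
    business_identifier = kwargs.get('business_identifier', None)
    org_identifier = kwargs.get('org_id', None)

    product_code_in_jwt = user_from_context.token_info.get(
        'product_code', None)
    if product_code_in_jwt is None:
        # product code must be present in jwt
        abort(403)
    if product_code_in_jwt == 'ALL':  # Product code for super admin service account (sbc-auth-admin)
        return

    # Start from "not authorized": with neither identifier supplied the original
    # left ``auth`` unbound and raised UnboundLocalError (a 500) instead of a 403.
    auth = None
    if business_identifier:
        auth = Authorization.get_user_authorizations_for_entity(
            business_identifier)
    elif org_identifier:
        auth = Authorization.get_account_authorizations_for_product(
            org_identifier, product_code_in_jwt)
    if auth is None:
        abort(403)


def _claim_matches_org(account_id_claim, org_id) -> bool:
    """Return True when the token's account claim names the requested ``org_id``.

    Mirrors the original ``int(claim) == org_id`` test, but a claim that is
    empty or not an integer simply does not match instead of raising.
    """
    if not account_id_claim:
        return False
    try:
        return int(account_id_claim) == org_id
    except (TypeError, ValueError):
        return False


def _check_auth_for_user(user_from_context, kwargs):
    """Authorize a regular user via entity authorization or org membership."""
    business_identifier = kwargs.get('business_identifier', None)
    org_identifier = kwargs.get('org_id',
                                None) or user_from_context.account_id

    # None means "no authorization found"; _check_for_roles decides what to do
    # then. The original left ``auth`` unbound when neither identifier was given.
    auth = None
    if business_identifier:
        auth = Authorization.get_user_authorizations_for_entity(
            business_identifier)
    elif org_identifier:
        # If the account id is part of claim (api gw users), then no need to lookup using keycloak guid.
        if _claim_matches_org(user_from_context.account_id_claim, kwargs.get('org_id', None)):
            auth_record = AuthorizationView.find_authorization_for_admin_by_org_id(
                user_from_context.account_id)
        else:
            auth_record = AuthorizationView.find_user_authorization_by_org_id(
                user_from_context.sub, org_identifier)
        auth = Authorization(
            auth_record).as_dict() if auth_record else None

    _check_for_roles(
        auth.get('orgMembership', None) if auth else None, kwargs)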