Beispiel #1
0
def test_authorization_allows_updates_with_locked_false_claim(
        app_context, api_client, valid_organization, valid_dataset):
    organization_id, organization_node_id = valid_organization
    dataset_id, dataset_node_id = valid_dataset

    api_client.get_dataset_response = api.Dataset(id=dataset_node_id,
                                                  int_id=dataset_id.id,
                                                  name="foo")

    claim = Claim.from_claim_type(
        UserClaim(
            id=DEFAULT_USER_ID,
            node_id=DEFAULT_USER_NODE_ID,
            roles=[
                OrganizationRole(
                    id=organization_id,
                    node_id=organization_node_id,
                    role=RoleType.OWNER,
                ),
                DatasetRole(id=dataset_id, role=RoleType.EDITOR, locked=False),
            ],
        ),
        TOKEN_EXPIRATION_S,
    )

    sample_update_route(
        dataset_id=str(dataset_id.id),
        token_info=claim,
        organization_id=str(organization_id.id),
        body={"k": 1},
    )
Beispiel #2
0
def test_authorization_requires_integer_organization_id(
        app_context, valid_organization, valid_dataset):
    organization_id, organization_node_id = valid_organization
    dataset_id, dataset_node_id = valid_dataset

    claim = Claim.from_claim_type(
        UserClaim(
            id=DEFAULT_USER_ID,
            node_id=DEFAULT_USER_NODE_ID,
            roles=[
                OrganizationRole(
                    id=organization_id,
                    node_id=organization_node_id,
                    role=RoleType.OWNER,
                ),
                DatasetRole(id=dataset_id,
                            node_id=dataset_node_id,
                            role=RoleType.OWNER),
            ],
        ),
        TOKEN_EXPIRATION_S,
    )

    with pytest.raises(OAuthProblem):
        sample_update_route(
            dataset_id=str(dataset_id.id),
            token_info=claim,
            organization_id=str(organization_node_id),
            body={"k": 1},
        )(organization_id.id, dataset_id.id)
Beispiel #3
0
def test_permission_required_to_a_access_specific_dataset(
        app_context, valid_organization, valid_dataset, other_valid_dataset):
    organization_id, organization_node_id = valid_organization
    dataset_id_1, _ = valid_dataset
    dataset_id_2, dataset_node_id_2 = other_valid_dataset

    claim = Claim.from_claim_type(
        UserClaim(
            id=DEFAULT_USER_ID,
            node_id=DEFAULT_USER_NODE_ID,
            roles=[
                OrganizationRole(
                    id=organization_id,
                    node_id=organization_node_id,
                    role=RoleType.OWNER,
                ),
                DatasetRole(id=dataset_id_2,
                            node_id=dataset_node_id_2,
                            role=RoleType.OWNER),
            ],
        ),
        TOKEN_EXPIRATION_S,
    )

    with pytest.raises(Forbidden):
        sample_update_route(
            dataset_id=str(dataset_id_1.id),
            token_info=claim,
            organization_id=str(organization_id.id),
            body={"k": 1},
        )
Beispiel #4
0
def test_permission_required_raises_forbidden_when_dataset_role_is_too_low(
        app_context, valid_organization, valid_dataset):
    organization_id, organization_node_id = valid_organization
    dataset_id, dataset_node_id = valid_dataset

    claim = Claim.from_claim_type(
        UserClaim(
            id=DEFAULT_USER_ID,
            node_id=DEFAULT_USER_NODE_ID,
            roles=[
                OrganizationRole(
                    id=organization_id,
                    node_id=organization_node_id,
                    role=RoleType.OWNER,
                ),
                DatasetRole(id=dataset_id,
                            node_id=dataset_node_id,
                            role=RoleType.VIEWER),
            ],
        ),
        TOKEN_EXPIRATION_S,
    )

    # sample_route requires EDITOR permissions, which are higher than VIEWER:
    with pytest.raises(Forbidden):
        sample_update_route(
            dataset_id=str(dataset_id.id),
            token_info=claim,
            organization_id=str(organization_id.id),
            body={"k": 1},
        )
Beispiel #5
0
def test_authorization_rejects_nonexistent_dataset_integer_id(
        valid_organization, valid_dataset):
    organization_id, organization_node_id = valid_organization
    dataset_id, dataset_node_id = valid_dataset

    claim = Claim.from_claim_type(
        UserClaim(
            id=DEFAULT_USER_ID,
            node_id=DEFAULT_USER_NODE_ID,
            roles=[
                OrganizationRole(
                    id=organization_id,
                    node_id=organization_node_id,
                    role=RoleType.OWNER,
                ),
                DatasetRole(id=dataset_id,
                            node_id=dataset_node_id,
                            role=RoleType.OWNER),
            ],
        ),
        TOKEN_EXPIRATION_S,
    )

    with pytest.raises(Forbidden):
        sample_update_route(
            dataset_id=9999,
            token_info=claim,
            organization_id=str(organization_id.id),
            body={"k": 1},
        )(organization_id.id, dataset_id.id)
Beispiel #6
0
def test_permission_required_decorator(app_context, valid_organization,
                                       valid_dataset):
    organization_id, organization_node_id = valid_organization
    dataset_id, dataset_node_id = valid_dataset

    claim = Claim.from_claim_type(
        UserClaim(
            id=DEFAULT_USER_ID,
            node_id=DEFAULT_USER_NODE_ID,
            roles=[
                OrganizationRole(
                    id=organization_id,
                    node_id=organization_node_id,
                    role=RoleType.OWNER,
                ),
                DatasetRole(
                    id=dataset_id,
                    node_id=dataset_node_id,
                    role=RoleType.OWNER,
                    locked=False,
                ),
            ],
        ),
        TOKEN_EXPIRATION_S,
    )

    sample_update_route(
        dataset_id=str(dataset_id.id),
        token_info=claim,
        organization_id=str(organization_id.id),
        body={"k": 1},
    )(organization_id.id, dataset_id.id)
Beispiel #7
0
def test_authorization_resolves_dataset_id_from_api_with_wildcard_claim(
        app_context, api_client, valid_organization, valid_dataset):
    organization_id, organization_node_id = valid_organization
    dataset_id, dataset_node_id = valid_dataset

    api_client.get_dataset_response = api.Dataset(id=dataset_node_id,
                                                  int_id=dataset_id.id,
                                                  name="foo")

    claim = Claim.from_claim_type(
        UserClaim(
            id=DEFAULT_USER_ID,
            node_id=DEFAULT_USER_NODE_ID,
            roles=[
                OrganizationRole(
                    id=organization_id,
                    node_id=organization_node_id,
                    role=RoleType.OWNER,
                ),
                DatasetRole(id=DatasetId("*"), role=RoleType.EDITOR),
            ],
        ),
        TOKEN_EXPIRATION_S,
    )

    sample_view_route(
        dataset_id=dataset_node_id,
        token_info=claim,
        organization_id=str(organization_id.id),
        body={"k": 1},
    )(organization_id.id, dataset_id.id)
Beispiel #8
0
def authorized_service_token(
    config, valid_organization, valid_dataset, other_valid_dataset
):
    organization_id, organization_node_id = valid_organization
    dataset_id_1, dataset_node_id_1 = valid_dataset
    dataset_id_2, dataset_node_id_2 = other_valid_dataset

    data = ServiceClaim(
        roles=[
            OrganizationRole(
                id=organization_id, node_id=organization_node_id, role=RoleType.OWNER
            ),
            DatasetRole(
                id=dataset_id_1,
                node_id=dataset_node_id_1,
                role=RoleType.OWNER,
                locked=False,
            ),
            DatasetRole(
                id=dataset_id_2,
                node_id=dataset_node_id_2,
                role=RoleType.OWNER,
                locked=False,
            ),
        ]
    )

    claim = Claim.from_claim_type(data, seconds=JWT_EXPIRATION_SECS)
    return to_utf8(claim.encode(config.jwt_config))
Beispiel #9
0
def service_claim(organization_id, dataset_id, jwt_config: JwtConfig) -> str:
    data = ServiceClaim(roles=[
        OrganizationRole(id=OrganizationId(organization_id),
                         role=RoleType.OWNER),
        DatasetRole(id=DatasetId(dataset_id), role=RoleType.OWNER),
    ])
    claim = Claim.from_claim_type(data, seconds=30)
    return to_utf8(claim.encode(jwt_config))
Beispiel #10
0
def expired_user_token(jwt_config, valid_organization, valid_dataset):
    organization_id, organization_node_id = valid_organization
    dataset_id, dataset_node_id = valid_dataset
    data = UserClaim(
        id=12345,
        roles=[
            OrganizationRole(
                id=organization_id, node_id=organization_node_id, role=RoleType.OWNER
            ),
            DatasetRole(id=dataset_id, node_id=dataset_node_id, role=RoleType.OWNER),
        ],
    )
    claim = Claim.from_claim_type(data, -1)
    return to_utf8(claim.encode(jwt_config))
Beispiel #11
0
def unauthorized_user_token(jwt_config, invalid_organization, valid_dataset):
    organization_id, organization_node_id = invalid_organization
    dataset_id, dataset_node_id = valid_dataset
    data = UserClaim(
        id=12345,
        roles=[
            OrganizationRole(
                id=organization_id, node_id=organization_node_id, role=RoleType.OWNER
            ),
            DatasetRole(id=dataset_id, node_id=dataset_node_id, role=RoleType.OWNER),
        ],
    )
    claim = Claim.from_claim_type(data, seconds=JWT_EXPIRATION_SECS)
    return to_utf8(claim.encode(jwt_config))
Beispiel #12
0
def organization_token(config, valid_organization, other_valid_dataset, valid_user):
    organization_id, organization_node_id = valid_organization
    user_id, user_node_id = valid_user

    data = UserClaim(
        id=user_id,
        node_id=user_node_id,
        roles=[
            OrganizationRole(
                id=organization_id, node_id=organization_node_id, role=RoleType.OWNER
            )
        ],
    )
    claim = Claim.from_claim_type(data, seconds=JWT_EXPIRATION_SECS)
    return to_utf8(claim.encode(config.jwt_config))
Beispiel #13
0
def test_authorization_rejects_nonexistent_dataset_node_ids_with_wildcard_claim(
        app_context, api_client, valid_organization, valid_dataset):
    organization_id, organization_node_id = valid_organization
    dataset_id, dataset_node_id = valid_dataset

    api_client.raise_exception(
        ExternalRequestError(
            status_code=404,
            method="GET",
            url="/datasets/N:dataset:does-not-exist",
            content="Dataset does not exist",
        ))

    claim = Claim.from_claim_type(
        UserClaim(
            id=DEFAULT_USER_ID,
            node_id=DEFAULT_USER_NODE_ID,
            roles=[
                OrganizationRole(
                    id=organization_id,
                    node_id=organization_node_id,
                    role=RoleType.OWNER,
                ),
                DatasetRole(id="*", role=RoleType.EDITOR),
            ],
        ),
        TOKEN_EXPIRATION_S,
    )

    with pytest.raises(OAuthProblem, match="Dataset does not exist"):
        sample_update_route(
            dataset_id="N:dataset:does-not-exist",
            token_info=claim,
            organization_id=str(organization_id.id),
            body={"k": 1},
        )(organization_id.id, dataset_id.id)
Beispiel #14
0
        "--jwt_key",
        type=str,
        default=os.environ.get("JWT_SECRET_KEY", "test-key"),
        required=False,
    )

    args = parser.parse_args()

    claim = Claim.from_claim_type(
        UserClaim(
            id=args.user_id,
            node_id=args.user_node_id,
            roles=[
                OrganizationRole(
                    id=OrganizationId(args.organization_id),
                    node_id=args.organization_node_id,
                    role=RoleType.OWNER,
                ),
                DatasetRole(
                    id=DatasetId(args.dataset_id),
                    node_id=args.dataset_node_id,
                    role=RoleType.OWNER,
                ),
            ],
        ),
        60 * 60,
    )
    token = claim.encode(JwtConfig(args.jwt_key))

    print(token)