Beispiel #1
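def assert_authorized(user, actions, resources, context_entries=None):
    """
    Asserts a user has permission to perform actions on resources.

    The check fails closed: if the user's authorization parameters cannot be
    loaded, or the policy evaluation result is falsy, a
    FusilladeForbiddenException is raised. Both outcomes of the policy
    evaluation are logged with the user, actions and resources.

    :param user: identifier used to construct ``User`` and passed on to ``evaluate_policy``
    :param actions: actions to evaluate, passed through to ``evaluate_policy``
    :param resources: resources to evaluate, passed through to ``evaluate_policy``
    :param context_entries: optional extra context entries for the evaluation;
        the caller's sequence is copied and never modified
    :return: None when the user is authorized
    :raises FusilladeForbiddenException: when ``get_authz_params`` raises
        AuthorizationException, or when the policy evaluation denies the request
    """
    u = User(user)
    # Copy instead of extending the caller's list in place: a list reused across
    # calls would otherwise accumulate the restricted entries of earlier users
    # and feed them into later policy evaluations.
    context_entries = list(context_entries) if context_entries else []
    try:
        authz_params = u.get_authz_params()
    except AuthorizationException as exc:
        # Chain the cause so the original failure stays visible in tracebacks.
        raise FusilladeForbiddenException(
            detail="User must be enabled to make authenticated requests.") from exc

    # Restricted entries are appended after the caller-supplied ones.
    # NOTE(review): confirm evaluate_policy does not let a caller-supplied entry
    # with the same key take precedence over a restricted one.
    context_entries.extend(restricted_context_entries(authz_params))
    decision = evaluate_policy(
        user,
        actions,
        resources,
        authz_params['IAMPolicy'],
        context_entries=context_entries)
    if not decision['result']:
        logger.info(dict(message="User not authorized.", user=u._path_name, action=actions, resources=resources))
        raise FusilladeForbiddenException()
    logger.info(dict(message="User authorized.", user=u._path_name, action=actions,
                     resources=resources))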
Beispiel #2
 def test_get_user_policy(self):
     """Check the policy documents of a user on first lookup, on duplicate provisioning and on re-lookup."""
     email = "*****@*****.**"
     account = User(email)

     def policy_documents(target):
         # Only the policy documents are compared, not the full IAMPolicy entries.
         return [entry['policy_document'] for entry in target.get_authz_params()['IAMPolicy']]

     first_lookup = ("new user is automatically provisioned on demand with default settings when "
                     "lookup_policy is called for a new user.")
     with self.subTest(first_lookup):
         self.assertJSONListEqual(policy_documents(account), self.default_user_policies)

     # Provisioning the same name a second time must be rejected.
     with self.subTest("error is returned when provision_user is called for an existing user"):
         with self.assertRaises(FusilladeHTTPException):
             account.provision_user(email)

     with self.subTest("an existing users info is retrieved when instantiating User class for an existing user"):
         # A fresh User object for the same name should see the same policies.
         account = User(email)
         self.assertJSONListEqual(policy_documents(account), self.default_user_policies)