def get_user_authorizations_for_entity(token_info: Dict, business_identifier: str, expanded: bool = False): """Get User authorizations for the entity.""" auth_response = {} auth = None token_roles = token_info.get('realm_access').get('roles') if Role.STAFF.value in token_roles: if expanded: # Query Authorization view by business identifier auth = AuthorizationView.find_user_authorization_by_business_number(business_identifier) auth_response = Authorization(auth).as_dict(expanded) auth_response['roles'] = token_roles elif Role.SYSTEM.value in token_roles: # a service account in keycloak should have product_code claim setup. keycloak_product_code = token_info.get('product_code', None) if keycloak_product_code: auth = AuthorizationView.find_user_authorization_by_business_number_and_product(business_identifier, keycloak_product_code) if auth: auth_response = Authorization(auth).as_dict(expanded) permissions = PermissionsService.get_permissions_for_membership(auth.status_code, 'SYSTEM') auth_response['roles'] = permissions else: keycloak_guid = token_info.get('sub', None) if business_identifier and keycloak_guid: auth = AuthorizationView.find_user_authorization_by_business_number(business_identifier, keycloak_guid) if auth: permissions = PermissionsService.get_permissions_for_membership(auth.status_code, auth.org_membership) auth_response = Authorization(auth).as_dict(expanded) auth_response['roles'] = permissions return auth_response
def get_user_authorizations_for_entity(token_info: Dict, business_identifier: str, expanded: bool = False): """Get User authorizations for the entity.""" auth_response = {} if 'staff' in token_info.get('realm_access').get('roles'): auth_response = {'roles': ['edit', 'view']} elif Role.SYSTEM.value in token_info.get('realm_access').get('roles'): # a service account in keycloak should have corp_type claim setup. keycloak_corp_type = token_info.get('corp_type', None) if keycloak_corp_type: auth = AuthorizationView.find_user_authorization_by_business_number_and_corp_type( business_identifier, keycloak_corp_type) if auth: auth_response = Authorization(auth).as_dict(expanded) auth_response['roles'] = ['edit', 'view'] else: keycloak_guid = token_info.get('sub', None) auth = AuthorizationView.find_user_authorization_by_business_number( keycloak_guid, business_identifier) if auth: auth_response = Authorization(auth).as_dict(expanded) auth_response['roles'] = ['edit', 'view'] return auth_response
def get_user_authorizations_for_entity(token_info: Dict, business_identifier: str): """Get User authorizations for the entity.""" auth_response = {} if token_info.get('loginSource', None) == 'PASSCODE': if token_info.get('username', None).upper() == business_identifier.upper(): auth_response = { 'orgMembership': OWNER, 'roles': ['edit', 'view'] } elif 'staff' in token_info.get('realm_access').get('roles'): auth_response = {'roles': ['edit', 'view']} elif Role.SYSTEM.value in token_info.get('realm_access').get('roles'): # a service account in keycloak should have corp_type claim setup. keycloak_corp_type = token_info.get('corp_type', None) if keycloak_corp_type: auth = AuthorizationView.find_user_authorization_by_business_number_and_corp_type( business_identifier, keycloak_corp_type) if auth: auth_response = Authorization(auth).as_dict( exclude=['business_identifier']) auth_response['roles'] = ['edit', 'view'] else: keycloak_guid = token_info.get('sub', None) auth = AuthorizationView.find_user_authorization_by_business_number( keycloak_guid, business_identifier) if auth: auth_response = Authorization(auth).as_dict( exclude=['business_identifier']) auth_response['roles'] = ['edit', 'view'] return auth_response
def get_account_authorizations_for_org(token_info: Dict, account_id: str, corp_type_code: Optional[str], expanded: bool = False): """Get User authorizations for the org.""" auth_response = {} auth = None token_roles = token_info.get('realm_access').get('roles') # todo the service account level access has not been defined if Role.STAFF.value in token_roles: if expanded: # Query Authorization view by business identifier auth = AuthorizationView.find_authorization_for_staff_by_org_id(account_id) auth_response = Authorization(auth).as_dict(expanded) auth_response['roles'] = token_roles else: keycloak_guid = token_info.get('sub', None) # check product based auth auth org based auth check_product_based_auth = Authorization._is_product_based_auth(corp_type_code) if check_product_based_auth: auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user( keycloak_guid, account_id, corp_type_code) else: if account_id and keycloak_guid: auth = AuthorizationView.find_user_authorization_by_org_id(keycloak_guid, account_id) auth_response['roles'] = [] if auth: permissions = PermissionsService.get_permissions_for_membership(auth.status_code, auth.org_membership) auth_response = Authorization(auth).as_dict(expanded) auth_response['roles'] = permissions return auth_response
def test_find_invalid_user_authorization_by_business_number(session): # pylint:disable=unused-argument """Test with invalid user id and assert that auth is None.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.find_user_authorization_by_business_number(str(uuid.uuid4()), entity.business_identifier) assert authorization is None # Test with invalid business identifier authorization = Authorization.find_user_authorization_by_business_number(str(uuid.uuid4()), '') assert authorization is None
def check_auth(**kwargs): """Check if user is authorized to perform action on the service.""" user_from_context: UserContext = kwargs['user_context'] if user_from_context.is_staff(): _check_for_roles(STAFF, kwargs) elif user_from_context.is_system(): business_identifier = kwargs.get('business_identifier', None) org_identifier = kwargs.get('org_id', None) product_code_in_jwt = user_from_context.token_info.get('product_code', None) if product_code_in_jwt is None: # product code must be present in jwt abort(403) if business_identifier: auth = Authorization.get_user_authorizations_for_entity(business_identifier) elif org_identifier: auth = Authorization.get_account_authorizations_for_product(org_identifier, product_code_in_jwt) if auth is None: abort(403) return else: business_identifier = kwargs.get('business_identifier', None) org_identifier = kwargs.get('org_id', None) or user_from_context.account_id if business_identifier: auth = Authorization.get_user_authorizations_for_entity(business_identifier) elif org_identifier: auth_record = AuthorizationView.find_user_authorization_by_org_id(user_from_context.sub, org_identifier) auth = Authorization(auth_record).as_dict() if auth_record else None _check_for_roles(auth.get('orgMembership', None) if auth else None, kwargs)
def check_auth(token_info: Dict, **kwargs): """Check if user is authorized to perform action on the service.""" if Role.STAFF.value in token_info.get('realm_access').get('roles'): _check_for_roles(STAFF, kwargs) elif Role.SYSTEM.value in token_info.get('realm_access').get('roles'): business_identifier = kwargs.get('business_identifier', None) org_identifier = kwargs.get('org_id', None) product_code_in_jwt = token_info.get('product_code', None) if product_code_in_jwt is None: # product code must be present in jwt abort(403) if business_identifier: auth = Authorization.get_user_authorizations_for_entity(token_info, business_identifier) elif org_identifier: auth = Authorization.get_account_authorizations_for_product(token_info.get('sub', None), org_identifier, product_code_in_jwt) if auth is None: abort(403) return else: business_identifier = kwargs.get('business_identifier', None) org_identifier = kwargs.get('org_id', None) if business_identifier: auth = Authorization.get_user_authorizations_for_entity(token_info, business_identifier) elif org_identifier: auth_record = AuthorizationView.find_user_authorization_by_org_id(token_info.get('sub', None), org_identifier) auth = Authorization(auth_record).as_dict() if auth_record else None _check_for_roles(auth.get('orgMembership', None) if auth else None, kwargs)
def get_account_authorizations_for_org(account_id: str, corp_type_code: Optional[str], expanded: bool = False, **kwargs): """Get User authorizations for the org.""" user_from_context: UserContext = kwargs['user_context'] auth_response = {} auth = None token_roles = user_from_context.roles # todo the service account level access has not been defined if Role.STAFF.value in token_roles: if expanded: # Query Authorization view by business identifier auth = AuthorizationView.find_authorization_for_admin_by_org_id( account_id) auth_response = Authorization(auth).as_dict(expanded) auth_response['roles'] = token_roles else: keycloak_guid = user_from_context.sub account_id_claim = user_from_context.account_id_claim # check product based auth auth org based auth check_product_based_auth = Authorization._is_product_based_auth( corp_type_code) if check_product_based_auth: if account_id_claim: auth = AuthorizationView.find_account_authorization_by_org_id_and_product( account_id_claim, corp_type_code) else: auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user( keycloak_guid, account_id, corp_type_code) else: if account_id_claim and account_id == int(account_id_claim): auth = AuthorizationView.find_authorization_for_admin_by_org_id( account_id_claim) elif account_id and keycloak_guid: auth = AuthorizationView.find_user_authorization_by_org_id( keycloak_guid, account_id) auth_response['roles'] = [] if auth: permissions = PermissionsService.get_permissions_for_membership( auth.status_code, auth.org_membership) auth_response = Authorization(auth).as_dict(expanded) auth_response['roles'] = permissions return auth_response
def check_auth(token_info: Dict, **kwargs): """Check if user is authorized to perform action on the service.""" if 'staff_admin' in token_info.get('realm_access').get('roles'): # Staff admin should get all access as of Staff if STAFF in kwargs.get('one_of_roles', []) and STAFF_ADMIN not in kwargs.get( 'one_of_roles', None): kwargs.get('one_of_roles').append(STAFF_ADMIN) if kwargs.get('equals_role', None) == STAFF: kwargs.pop('equals_role', None) kwargs['one_of_roles'] = (STAFF, STAFF_ADMIN) _check_for_roles(STAFF_ADMIN, kwargs) elif 'staff' in token_info.get('realm_access').get('roles'): _check_for_roles(STAFF, kwargs) elif Role.SYSTEM.value in token_info.get('realm_access').get('roles') \ and not token_info.get('loginSource', None) == 'PASSCODE': corp_type_in_jwt = token_info.get('corp_type', None) if corp_type_in_jwt is None: # corp type must be present in jwt abort(403) business_identifier = kwargs.get('business_identifier', None) org_identifier = kwargs.get('org_id', None) auth = None if business_identifier: auth = Authorization.get_user_authorizations_for_entity( token_info, business_identifier) elif org_identifier: auth_record = AuthorizationView.find_user_authorization_by_org_id_and_corp_type( org_identifier, corp_type_in_jwt) auth = Authorization( auth_record).as_dict() if auth_record else None if auth is None: abort(403) else: business_identifier = kwargs.get('business_identifier', None) org_identifier = kwargs.get('org_id', None) if business_identifier: auth = Authorization.get_user_authorizations_for_entity( token_info, business_identifier) elif org_identifier: auth_record = AuthorizationView.find_user_authorization_by_org_id( token_info.get('sub', None), org_identifier) auth = Authorization( auth_record).as_dict() if auth_record else None _check_for_roles( auth.get('orgMembership', None) if auth else None, kwargs)
def check_auth(**kwargs): """Check if user is authorized to perform action on the service.""" user_from_context: UserContext = kwargs['user_context'] if user_from_context.is_staff(): _check_for_roles(STAFF, kwargs) elif user_from_context.is_system(): business_identifier = kwargs.get('business_identifier', None) org_identifier = kwargs.get('org_id', None) product_code_in_jwt = user_from_context.token_info.get( 'product_code', None) if product_code_in_jwt is None: # product code must be present in jwt abort(403) if product_code_in_jwt == 'ALL': # Product code for super admin service account (sbc-auth-admin) return if business_identifier: auth = Authorization.get_user_authorizations_for_entity( business_identifier) elif org_identifier: auth = Authorization.get_account_authorizations_for_product( org_identifier, product_code_in_jwt) if auth is None: abort(403) return else: business_identifier = kwargs.get('business_identifier', None) org_identifier = kwargs.get('org_id', None) or user_from_context.account_id if business_identifier: auth = Authorization.get_user_authorizations_for_entity( business_identifier) elif org_identifier: # If the account id is part of claim (api gw users), then no need to lookup using keycloak guid. if user_from_context.account_id_claim and \ int(user_from_context.account_id_claim) == kwargs.get('org_id', None): auth_record = AuthorizationView.find_authorization_for_admin_by_org_id( user_from_context.account_id) else: auth_record = AuthorizationView.find_user_authorization_by_org_id( user_from_context.sub, org_identifier) auth = Authorization( auth_record).as_dict() if auth_record else None _check_for_roles( auth.get('orgMembership', None) if auth else None, kwargs)
def test_find_user_authorization_by_org_id_and_invalid_corp_type_no_affliation( session): # pylint:disable=unused-argument # noqa: E501 """Assert that authorization view is returning correct result for an unclaimed/unaffiliated organization.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'invalid_corp_type') assert authorization is not None
def test_find_all_user_authorizations_for_empty(session): # pylint:disable=unused-argument """Test with invalid user id and assert that auth is None.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) authorizations = Authorization.find_all_authorizations_for_user(str(user.keycloak_guid)) assert authorizations is not None assert authorizations[0].business_identifier is None
def get_user_authorizations(keycloak_guid: str): """Get all user authorizations.""" authorizations_response: Dict = {'authorizations': []} authorizations = AuthorizationView.find_all_authorizations_for_user(keycloak_guid) if authorizations: for auth in authorizations: authorizations_response['authorizations'].append(Authorization(auth).as_dict()) return authorizations_response
def get_user_authorizations_for_entity(business_identifier: str, expanded: bool = False, **kwargs): """Get User authorizations for the entity.""" user_from_context: UserContext = kwargs['user_context'] auth_response = {} auth = None token_roles = user_from_context.roles current_app.logger.debug(f'check roles=:{token_roles}') if Role.STAFF.value in token_roles: if expanded: # Query Authorization view by business identifier auth = AuthorizationView.find_user_authorization_by_business_number( business_identifier, is_staff=True) auth_response = Authorization(auth).as_dict(expanded) auth_response['roles'] = token_roles elif Role.SYSTEM.value in token_roles: # a service account in keycloak should have product_code claim setup. keycloak_product_code = user_from_context.token_info.get( 'product_code', None) if keycloak_product_code: auth = AuthorizationView.find_user_authorization_by_business_number_and_product( business_identifier, keycloak_product_code) if auth: auth_response = Authorization(auth).as_dict(expanded) permissions = PermissionsService.get_permissions_for_membership( auth.status_code, 'SYSTEM') auth_response['roles'] = permissions else: keycloak_guid = user_from_context.sub if business_identifier and keycloak_guid: auth = AuthorizationView.find_user_authorization_by_business_number( business_identifier=business_identifier, keycloak_guid=keycloak_guid, org_id=user_from_context.account_id) if auth: permissions = PermissionsService.get_permissions_for_membership( auth.status_code, auth.org_membership) auth_response = Authorization(auth).as_dict(expanded) auth_response['roles'] = permissions return auth_response
def get_account_authorizations_for_product(keycloak_guid: str, account_id: str, product_code: str): """Get account authorizations for the product.""" auth_response: Dict = {'roles': []} authorization = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user( keycloak_guid, account_id, product_code) auth_response['roles'] = authorization.roles.split( ',') if authorization and authorization.roles else [] return auth_response
def get_account_authorizations_for_product(account_id: str, product_code: str, expanded: bool = False, **kwargs): """Get account authorizations for the product.""" user_from_context: UserContext = kwargs['user_context'] account_id_claim = user_from_context.account_id if account_id_claim: auth = AuthorizationView.find_account_authorization_by_org_id_and_product( account_id_claim, product_code ) else: auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user( user_from_context.sub, account_id, product_code ) auth_response = Authorization(auth).as_dict(expanded) auth_response['roles'] = [] if auth: permissions = PermissionsService.get_permissions_for_membership(auth.status_code, auth.org_membership) auth_response['roles'] = permissions return auth_response
def test_find_user_authorization_by_org_id_and_invalid_corp_type(session): # pylint:disable=unused-argument """Assert that authorization view is not returning result when invalid corp type is passed.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'invalid_corp_type') assert authorization is None
def test_find_all_user_authorizations(session): # pylint:disable=unused-argument """Test find all user authoirzations.""" user = factory_user_model() org = factory_org_model() membership = factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorizations = Authorization.find_all_authorizations_for_user(str(user.keycloak_guid)) assert authorizations is not None assert authorizations[0].org_membership == membership.membership_type_code assert authorizations[0].business_identifier == entity.business_identifier
def get_account_authorizations_for_product(token_info: Dict, account_id: str, product_code: str, expanded: bool = False): """Get account authorizations for the product.""" account_id_claim = token_info.get('Account-Id', None) if account_id_claim: auth = AuthorizationView.find_account_authorization_by_org_id_and_product( account_id_claim, product_code) else: auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user( token_info.get('sub'), account_id, product_code) auth_response = Authorization(auth).as_dict(expanded) auth_response['roles'] = [] if auth: permissions = PermissionsService.get_permissions_for_membership( auth.status_code, auth.org_membership) auth_response['roles'] = permissions return auth_response
def get_account_authorizations_for_product(keycloak_guid: str, account_id: str, product_code: str, expanded: bool = False): """Get account authorizations for the product.""" authorization = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user( keycloak_guid, account_id, product_code) auth_response = Authorization(authorization).as_dict(expanded) auth_response['roles'] = authorization.roles.split( ',') if authorization and authorization.roles else [] return auth_response
def test_find_user_authorization_by_org_id(session): # pylint:disable=unused-argument """Assert that authorization view is returning result.""" user = factory_user_model() org = factory_org_model() membership = factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.find_user_authorization_by_org_id(str(user.keycloak_guid), org.id) assert authorization is not None assert authorization.org_membership == membership.membership_type_code
def get_account_authorizations_for_product(keycloak_guid: str, account_id: str, product_code: str, expanded: bool = False): """Get account authorizations for the product.""" auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user( keycloak_guid, account_id, product_code ) auth_response = Authorization(auth).as_dict(expanded) auth_response['roles'] = [] if auth: permissions = PermissionsService.get_permissions_for_membership(auth.status_code, auth.org_membership) auth_response['roles'] = permissions return auth_response
def test_find_user_authorization_by_business_number_product(session): # pylint:disable=unused-argument """Assert that authorization view is returning result.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.find_user_authorization_by_business_number_and_product( entity.business_identifier, ProductCode.DIR_SEARCH.value) assert authorization is not None assert authorization.product_code == ProductCode.DIR_SEARCH.value
def test_find_user_authorization_by_org_id_and_corp_type(session): # pylint:disable=unused-argument """Assert that authorization view returns result when fetched using Corp type instead of jwt. Service accounts passes corp type instead of jwt. """ user = factory_user_model() org = factory_org_model() membership = factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'CP') assert authorization is not None assert authorization.org_membership == membership.membership_type_code
def test_find_user_authorization_by_org_id_and_corp_type_multiple_membership(session): # pylint:disable=unused-argument """Assert that authorization view returns result when fetched using Corp type instead of jwt. When multiple membership is present , return the one with Owner access. """ user1 = factory_user_model() user2 = factory_user_model(user_info=TestUserInfo.user2) org = factory_org_model() factory_membership_model(user1.id, org.id, member_type='ADMIN') membership_owner = factory_membership_model(user2.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'CP') assert authorization is not None assert authorization.org_membership == membership_owner.membership_type_code
def get_user_authorizations_for_entity(token_info: Dict, business_identifier: str): """Get User authorizations for the entity.""" auth_response = {} if token_info.get('loginSource', None) == 'PASSCODE': if token_info.get('username', None).upper() == business_identifier.upper(): auth_response = {'role': 'OWNER'} elif 'staff' in token_info.get('realm_access', []).get('roles', []): auth_response = {'role': 'STAFF'} else: keycloak_guid = token_info.get('sub', None) auth = AuthorizationView.find_user_authorization_by_business_number( keycloak_guid, business_identifier) if auth: auth_response = Authorization(auth).as_dict( exclude=['business_identifier']) return auth_response