def test_service_in_account(mocker):
    """
    service_in_account accepts anything while no account scope is configured,
    and only an exact match against the patched ``confidant.authnz.g.account``
    once a scope is in place.
    """
    # Nothing scoped yet: the check must be a pass-through.
    assert authnz.service_in_account(None) is True

    patched_g = mocker.patch('confidant.authnz.g')
    patched_g.account = 'confidant-unitttest'
    # Scoped: a mismatch is rejected, the exact account name is accepted.
    for candidate, expected in (
        ('bad-service', False),
        ('confidant-unitttest', True),
    ):
        assert authnz.service_in_account(candidate) is expected
def get_service(id):
    '''
    Get service metadata and all credentials for this service. This
    endpoint allows basic authentication.

    Responds 401 when the caller is authenticated as a service other than
    ``id`` or the record is outside the scoped account, 404 when the record
    is missing or is not a service/archive-service, and 500 when fetching
    the credentials raises KeyError.
    '''
    unauthorized = {'error': 'Authenticated user is not authorized.'}

    # A caller authenticated as a service may only read its own record.
    if authnz.user_is_user_type('service'):
        if not authnz.user_is_service(id):
            logging.warning('Authz failed for service {0}.'.format(id))
            return jsonify(unauthorized), 401

    try:
        service = Service.get(id)
        # The record must also live in the account this instance is scoped to.
        if not authnz.service_in_account(service.account):
            logging.warning(
                'Authz failed for service {0} (wrong account).'.format(id)
            )
            # NOTE(review): answering 401 here but 404 below tells a caller in
            # another account that the id exists; use 404 for both if that
            # distinction matters.
            return jsonify(unauthorized), 401
    except DoesNotExist:
        return jsonify({}), 404

    # Only service-shaped records are served from this endpoint.
    if service.data_type not in ('service', 'archive-service'):
        return jsonify({}), 404
    logging.debug('Authz succeeded for service {0}.'.format(id))

    try:
        credentials = _get_credentials(service.credentials)
    except KeyError:
        # A KeyError from the credential fetch is reported as a decryption
        # failure; the traceback goes to the log, not to the caller.
        logging.exception('KeyError occurred in getting credentials')
        return jsonify({'error': 'Decryption error.'}), 500
    blind_credentials = _get_blind_credentials(service.blind_credentials)

    body = {
        'id': service.id,
        'account': service.account,
        'credentials': credentials,
        'blind_credentials': blind_credentials,
        'enabled': service.enabled,
        'revision': service.revision,
        'modified_date': service.modified_date,
        'modified_by': service.modified_by,
    }
    return jsonify(body)
def get_service(id):
    '''
    Get service metadata and all credentials for this service. This
    endpoint allows basic authentication.

    Responds 401 when the caller is authenticated as a service other than
    ``id`` or the record is outside the scoped account, 404 when the record
    is missing or is not a service/archive-service, and 500 when fetching
    the credentials raises KeyError.
    '''
    def deny(reason):
        # Warn about the failed authz decision and answer with a generic 401
        # body that does not echo the reason back to the caller.
        logging.warning(reason)
        return jsonify({'error': 'Authenticated user is not authorized.'}), 401

    # A service principal may only read its own record.
    if (authnz.user_is_user_type('service')
            and not authnz.user_is_service(id)):
        return deny('Authz failed for service {0}.'.format(id))

    try:
        service = Service.get(id)
        # ... and the record has to sit in the account this instance serves.
        if not authnz.service_in_account(service.account):
            # NOTE(review): 401 here versus 404 below lets a caller in another
            # account learn that the id exists; consider 404 for both.
            return deny(
                'Authz failed for service {0} (wrong account).'.format(id)
            )
    except DoesNotExist:
        return jsonify({}), 404

    accepted_types = ('service', 'archive-service')
    if service.data_type not in accepted_types:
        return jsonify({}), 404
    logging.debug('Authz succeeded for service {0}.'.format(id))

    try:
        credentials = _get_credentials(service.credentials)
    except KeyError:
        # Logged with traceback; the caller only sees a generic 500.
        logging.exception('KeyError occurred in getting credentials')
        return jsonify({'error': 'Decryption error.'}), 500
    blind_credentials = _get_blind_credentials(service.blind_credentials)

    return jsonify({
        'id': service.id,
        'account': service.account,
        'credentials': credentials,
        'blind_credentials': blind_credentials,
        'enabled': service.enabled,
        'revision': service.revision,
        'modified_date': service.modified_date,
        'modified_by': service.modified_by,
    })
def get_service(id):
    '''
    Get service metadata and all credentials for this service. This
    endpoint allows basic authentication.

    Responds 401 when the caller is authenticated as a service other than
    ``id`` or the record is outside the scoped account, 404 when the record
    is missing or is not a service/archive-service, and 500 when fetching
    the credentials raises KeyError.
    '''
    unauthorized_msg = 'Authenticated user is not authorized.'

    def not_found():
        # Empty body with 404: unknown id, or a record of the wrong data_type.
        return jsonify({}), 404

    if authnz.user_is_user_type('service'):
        # Service callers are limited to their own record.
        if not authnz.user_is_service(id):
            logging.warning('Authz failed for service {0}.'.format(id))
            return jsonify({'error': unauthorized_msg}), 401

    try:
        service = Service.get(id)
        if not authnz.service_in_account(service.account):
            # NOTE(review): 401 here versus 404 for a missing record reveals
            # that the id exists in another account; consider 404 for both.
            logging.warning(
                'Authz failed for service {0} (wrong account).'.format(id)
            )
            return jsonify({'error': unauthorized_msg}), 401
    except Service.DoesNotExist:
        return not_found()

    if service.data_type not in ('service', 'archive-service'):
        return not_found()
    logging.debug('Authz succeeded for service {0}.'.format(id))

    try:
        credentials = _get_credentials(service.credentials)
    except KeyError:
        # NOTE(review): this path leaves no log entry; the 500 body is the
        # only trace of the failure. Consider logging.exception here.
        return jsonify({'error': 'Decryption error.'}), 500
    blind_credentials = _get_blind_credentials(service.blind_credentials)

    payload = {
        'id': service.id,
        'account': service.account,
        'credentials': credentials,
        'blind_credentials': blind_credentials,
        'enabled': service.enabled,
        'revision': service.revision,
        'modified_date': service.modified_date,
        'modified_by': service.modified_by,
    }
    return jsonify(payload)
def get_service(id):
    '''
    Get a service object from the provided service ID.

    .. :quickref: Service; Get a service object from the provided service ID.

    **Example request**:

    .. sourcecode:: http

       GET /v1/services/example-development

    :param id: The service ID to get.
    :type id: str
    :query boolean metadata_only: If true, only fetch metadata for this
      service, and do not respond with decrypted credential pairs in the
      credential responses.

    **Example response**:

    .. sourcecode:: http

       HTTP/1.1 200 OK
       Content-Type: application/json

       {
         "id": "example-development",
         "revision": 1,
         "enabled": true,
         "modified_date": "2019-12-16T23:16:11.413299+00:00",
         "modified_by": "*****@*****.**",
         "account": null,
         "credentials": [
           {
             "id": "abcd12345bf4f1cafe8e722d3860404",
             "name": "Example Credential",
             "credential_keys": ["test_key"],
             "credential_pairs": {
               "test_key": "test_value"
             },
             "metadata": {
               "example_metadata_key": "example_value"
             },
             "revision": 1,
             "enabled": true,
             "documentation": "Example documentation",
             "modified_date": "2019-12-16T23:16:11.413299+00:00",
             "modified_by": "*****@*****.**",
             "permissions": {}
           },
           ...
         ],
         "blind_credentials": [],
         "permissions": {
           "metadata": true,
           "get": true,
           "update": true
         }
       }

    :resheader Content-Type: application/json
    :statuscode 200: Success
    :statuscode 401: The service exists but is outside the account this
      instance is scoped to.
    :statuscode 403: Client does not have permissions to get the service ID
      provided.
    :statuscode 404: No such service, or the record is not a
      service/archive-service.
    :statuscode 500: Fetching the credentials raised KeyError
      (reported as a decryption error).
    '''
    metadata_only = misc.get_boolean(request.args.get('metadata_only'))
    logged_in_user = authnz.get_logged_in_user()
    # A metadata-only read is authorised by the 'metadata' ACL action rather
    # than 'get'; both are evaluated because both are echoed back as hints.
    action = 'metadata' if metadata_only else 'get'

    permissions = {
        'metadata': acl_module_check(
            resource_type='service',
            action='metadata',
            resource_id=id,
        ),
        'get': acl_module_check(
            resource_type='service',
            action='get',
            resource_id=id,
        ),
        'update': False,
    }
    if not permissions[action]:
        msg = "{} does not have access to get service {}".format(
            logged_in_user, id
        )
        return jsonify({'error': msg, 'reference': id}), 403

    logger.info(
        'get_service called on id={} by user={} metadata_only={}'.format(
            id, logged_in_user, metadata_only,
        )
    )

    try:
        service = Service.get(id)
        if not authnz.service_in_account(service.account):
            # NOTE(review): 401 here versus 404 below reveals that the id
            # exists in another account; consider 404 for both.
            logger.warning(
                'Authz failed for service {0} (wrong account).'.format(id)
            )
            return jsonify(
                {'error': 'Authenticated user is not authorized.'}
            ), 401
    except DoesNotExist:
        return jsonify({}), 404

    if service.data_type not in ('service', 'archive-service'):
        return jsonify({}), 404
    logger.debug('Authz succeeded for service {0}.'.format(id))

    try:
        credentials = credentialmanager.get_credentials(service.credentials)
    except KeyError:
        logger.exception('KeyError occurred in getting credentials')
        return jsonify({'error': 'Decryption error.'}), 500
    blind_credentials = credentialmanager.get_blind_credentials(
        service.blind_credentials,
    )
    # NOTE(review): credentials are fetched here even when metadata_only is
    # set; from_service_expanded is presumably what withholds the pairs from
    # the response — confirm.

    # TODO: this check can be expensive, so we're gating only to user auth.
    # We should probably add an argument that opts in for permission hints,
    # rather than always checking them.
    if authnz.user_is_user_type('user'):
        combined_cred_ids = list(service.credentials)
        combined_cred_ids.extend(service.blind_credentials)
        permissions['update'] = acl_module_check(
            resource_type='service',
            action='update',
            resource_id=id,
            kwargs={'credential_ids': combined_cred_ids},
        )

    service_response = ServiceResponse.from_service_expanded(
        service,
        credentials=credentials,
        blind_credentials=blind_credentials,
        metadata_only=metadata_only,
    )
    service_response.permissions = permissions
    return service_expanded_response_schema.dumps(service_response)
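def _parse_bool_arg(value):
    '''
    Interpret a query-string flag the way a caller expects.

    ``request.args.get(..., type=bool)`` hands the raw string to ``bool()``,
    so ``?metadata_only=false`` would come back True. Here only the usual
    truthy spellings count, and a missing value is False.

    :param value: the raw query-string value, or None when absent.
    :returns: True for 'true', '1', 'yes' or 'on' (case-insensitive, with
      surrounding whitespace ignored), else False.
    '''
    if value is None:
        return False
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ('true', '1', 'yes', 'on')


def get_service(id):
    '''
    Get service metadata and all credentials for this service. This
    endpoint allows basic authentication.

    :param id: The service ID to get.
    :query boolean metadata_only: If true, only fetch metadata for this
      service and do not respond with decrypted credential pairs.

    :statuscode 200: Success
    :statuscode 401: The service exists but is outside the account this
      instance is scoped to.
    :statuscode 403: Client does not have permissions to get the service ID
      provided.
    :statuscode 404: No such service, or the record is not a
      service/archive-service.
    :statuscode 500: Fetching the credentials raised KeyError
      (reported as a decryption error).
    '''
    # Fix: ``type=bool`` evaluated bool('false') == True, so any non-empty
    # value selected the metadata-only path; parse the flag explicitly.
    metadata_only = _parse_bool_arg(request.args.get('metadata_only'))
    logged_in_user = authnz.get_logged_in_user()
    # A metadata-only read is authorised by the 'metadata' ACL action rather
    # than 'get'; both are evaluated because both are echoed back as hints.
    action = 'metadata' if metadata_only else 'get'

    permissions = {
        'metadata': acl_module_check(
            resource_type='service',
            action='metadata',
            resource_id=id,
        ),
        'get': acl_module_check(
            resource_type='service',
            action='get',
            resource_id=id,
        ),
        'update': False,
    }
    if not permissions[action]:
        msg = "{} does not have access to get service {}".format(
            logged_in_user, id)
        return jsonify({'error': msg, 'reference': id}), 403

    logging.info(
        'get_service called on id={} by user={} metadata_only={}'.format(
            id, logged_in_user, metadata_only,
        ))

    try:
        service = Service.get(id)
        if not authnz.service_in_account(service.account):
            # NOTE(review): 401 here versus 404 below reveals that the id
            # exists in another account; consider 404 for both.
            logging.warning(
                'Authz failed for service {0} (wrong account).'.format(id))
            return jsonify(
                {'error': 'Authenticated user is not authorized.'}
            ), 401
    except DoesNotExist:
        return jsonify({}), 404

    if service.data_type not in ('service', 'archive-service'):
        return jsonify({}), 404
    logging.debug('Authz succeeded for service {0}.'.format(id))

    try:
        credentials = credentialmanager.get_credentials(service.credentials)
    except KeyError:
        logging.exception('KeyError occurred in getting credentials')
        return jsonify({'error': 'Decryption error.'}), 500
    blind_credentials = credentialmanager.get_blind_credentials(
        service.blind_credentials,
    )
    # NOTE(review): credentials are fetched here even when metadata_only is
    # set; from_service_expanded is presumably what withholds the pairs from
    # the response — confirm.

    # TODO: this check can be expensive, so we're gating only to user auth.
    # We should probably add an argument that opts in for permission hints,
    # rather than always checking them.
    if authnz.user_is_user_type('user'):
        combined_cred_ids = list(service.credentials)
        combined_cred_ids.extend(service.blind_credentials)
        permissions['update'] = acl_module_check(
            resource_type='service',
            action='update',
            resource_id=id,
            kwargs={'credential_ids': combined_cred_ids},
        )

    service_response = ServiceResponse.from_service_expanded(
        service,
        credentials=credentials,
        blind_credentials=blind_credentials,
        metadata_only=metadata_only,
    )
    service_response.permissions = permissions
    return service_expanded_response_schema.dumps(service_response)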