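def wrap(request, *args, **kwargs):
    """Admin-only gate around ``view``.

    Checks run cheapest first:
      1. the request must carry an authenticated ``request.user``;
      2. the JWT group claim (``authz.JWT_AUTHZ_GROUPS``) is checked for
         ``dbmi_settings.AUTHZ_ADMIN_GROUP`` without a network round-trip;
      3. otherwise the AuthZ service is asked whether the caller's email holds
         ``dbmi_settings.AUTHZ_ADMIN_PERMISSION`` on ``dbmi_settings.CLIENT``.

    Returns the wrapped view's response when a check passes, the result of
    ``unauthorized_response`` when there is no authenticated user, and raises
    ``PermissionDenied`` when neither check grants access.
    """
    # No authenticated principal at all: unauthorized, not forbidden.
    if not request.user or not request.user.is_authenticated:
        return unauthorized_response(request)

    # NOTE(review): the JWT is decoded with verify=False, so the group claim
    # used below is only trustworthy if whatever set request.user.is_authenticated
    # already verified this same token's signature. If request.user can become
    # authenticated by another mechanism (e.g. a session) while the JWT header
    # is still caller-supplied, the claim is attacker-controlled — confirm upstream.
    payload = authn.get_jwt_payload(request, verify=False)

    # Check claims in the JWT first, as it is least costly.
    if authz.jwt_has_authz(payload, authz.JWT_AUTHZ_GROUPS, dbmi_settings.AUTHZ_ADMIN_GROUP):
        return view(request, *args, **kwargs)

    # Fall back to the AuthZ server, keyed on the caller's email.
    email = authn.get_jwt_email(request, verify=False)
    if authz.has_permission(request, email, dbmi_settings.CLIENT, dbmi_settings.AUTHZ_ADMIN_PERMISSION):
        return view(request, *args, **kwargs)

    # Record the denied attempt. Lazy %-args: the message is only rendered
    # if the record is actually emitted.
    # Possibly store these elsewhere for records
    # TODO: Figure out a better way to flag failed access attempts
    logger.warning(
        "%s Failed %s permission on %s",
        email,
        dbmi_settings.AUTHZ_ADMIN_PERMISSION,
        dbmi_settings.CLIENT,
    )
    raise PermissionDenied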
def test_authz_no_response(self):
    """A 404 from the AuthZ service must be treated as "no permission".

    Mocks the permission lookup endpoint to answer 404 and checks that
    ``authz.has_permission`` both reached the service (at least one recorded
    call) and reported no permission rather than raising.
    """
    request = self.build_request("/some/page/")

    # Simulate the AuthZ server having no record for this lookup.
    not_found_body = {"error": "not found"}
    responses.add(responses.GET, self.authz_url_pattern, json=not_found_body, status=404)

    permitted = authz.has_permission(
        request, self.user.email, "item", "admin", check_parents=True
    )

    call_count = len(responses.calls)
    self.assertGreaterEqual(call_count, 1)
    self.assertFalse(permitted)
def test_authz_no_perm(self):
    """A grant on a different item must not satisfy a check on ``"item"``.

    The mocked AuthZ result matches the caller's email and the requested
    permission ("admin") but names ``"someitem"`` rather than ``"item"``;
    the only mismatch is the item. Expects ``has_permission`` to deny and
    to have made at least one call to the service. Presumably this also
    covers ``check_parents=True`` not treating "someitem" as a parent of
    "item" — verify against the authz client.
    """
    request = self.build_request("/some/page/")

    # One grant that is almost, but not quite, the one being asked about.
    grant = {"item": "someitem", "permission": "admin", "email": self.user.email}
    responses.add(
        responses.GET,
        self.authz_url_pattern,
        json={"results": [grant]},
        status=200,
    )

    permitted = authz.has_permission(
        request, self.user.email, "item", "admin", check_parents=True
    )

    call_count = len(responses.calls)
    self.assertGreaterEqual(call_count, 1)
    self.assertFalse(permitted)
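def wrap(request, *args, **kwargs):
    """Gate ``view`` behind ``permission`` on ``item`` via the AuthZ service.

    ``item`` and ``permission`` are closed over from the enclosing decorator.
    Returns the wrapped view's response when the AuthZ service grants the
    permission, the result of ``unauthorized_response`` when there is no
    authenticated user, and raises ``PermissionDenied`` otherwise.
    """
    # No authenticated principal at all: unauthorized, not forbidden.
    if not request.user or not request.user.is_authenticated:
        return unauthorized_response(request)

    # NOTE(review): the email is read from the JWT with verify=False, so it is
    # only trustworthy if whatever set request.user.is_authenticated already
    # verified this same token's signature — confirm upstream.
    email = authn.get_jwt_email(request, verify=False)

    if authz.has_permission(request, email, item, permission):
        return view(request, *args, **kwargs)

    # Record the denied attempt. The item actually checked is appended after
    # the existing fields so the log line says which resource was denied
    # (previously it only named the client) while earlier fields stay parseable.
    # Lazy %-args: the message is only rendered if the record is emitted.
    # Possibly store these elsewhere for records
    # TODO: Figure out a better way to flag failed access attempts
    logger.warning(
        "%s Failed %s permission on %s for item %s",
        email,
        permission,
        dbmi_settings.CLIENT,
        item,
    )

    # Forbid if nothing else
    raise PermissionDenied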