def test_non_aarc_entitlement(self, actual_group): required_group = "urn:geant:h-df.de:group:aai-admin" req_entitlement = Aarc_g002_entitlement(required_group, strict=False) act_entitlement = Aarc_g002_entitlement(actual_group, strict=False, force=False) assert not req_entitlement.is_contained_in(act_entitlement)
def test_equality(self): required_group = "urn:geant:h-df.de:group:aai-admin:role = member#unity.helmholtz-data-federation.de" actual_group = "urn:geant:h-df.de:group:aai-admin:role = member#unity.helmholtz-data-federation.de" req_entitlement = Aarc_g002_entitlement(required_group) act_entitlement = Aarc_g002_entitlement(actual_group) assert act_entitlement == req_entitlement assert req_entitlement.is_contained_in(act_entitlement)
def test_order_of_subgroups_out_of_bounds_equality(self): required_group = "urn:geant:h-df.de:group:aai-admin:subgroup1:subgroup2:subgroup3:role=member#unity.helmholtz-data-federation.de" actual_group = "urn:geant:h-df.de:group:aai-admin:subgroup1:subgroup2:role=member#unity.helmholtz-data-federation.de" req_entitlement = Aarc_g002_entitlement(required_group) act_entitlement = Aarc_g002_entitlement(actual_group) assert act_entitlement != req_entitlement assert not req_entitlement.is_contained_in(act_entitlement)
def test_subgroup_required(self): required_group = "urn:geant:h-df.de:group:aai-admin:special-admins#unity.helmholtz-data-federation.de" actual_group = ( "urn:geant:h-df.de:group:aai-admin#backupserver.used.for.developmt.de" ) req_entitlement = Aarc_g002_entitlement(required_group) act_entitlement = Aarc_g002_entitlement(actual_group) assert not req_entitlement.is_contained_in(act_entitlement)
def e_expander(es): """Helper function to catch exceptions in list comprehension""" try: return Aarc_g002_entitlement(es, strict=False) except ValueError: return None except Aarc_g002_entitlement_ParseError: return None except Aarc_g002_entitlement_Error: return None
def test_failure_incomplete_invalid_entitlement(self): required_group = "urn:geant:h-df.de" with pytest.raises(ValueError): Aarc_g002_entitlement(required_group)
def test_failure_incomplete_but_valid_entitlement(self, required_group): Aarc_g002_entitlement(required_group, strict=False)
def test_foreign_entitlement(self, required_group, actual_group): actual_group = "urn:geant:kit.edu:group:bwUniCluster" req_entitlement = Aarc_g002_entitlement(required_group, strict=False) act_entitlement = Aarc_g002_entitlement(actual_group, strict=False) assert not req_entitlement.is_contained_in(act_entitlement)
def test_user_in_subgroup(self): required_group = "urn:geant:h-df.de:group:aai-admin" actual_group = "urn:geant:h-df.de:group:aai-admin:special-admins#backupserver.used.for.developmt.de" req_entitlement = Aarc_g002_entitlement(required_group, strict=False) act_entitlement = Aarc_g002_entitlement(actual_group) assert req_entitlement.is_contained_in(act_entitlement)
def test_role_not_required(self): required_group = "urn:geant:h-df.de:group:aai-admin#unity.helmholtz-data-federation.de" actual_group = "urn:geant:h-df.de:group:aai-admin:role=member#backupserver.used.for.developmt.de" req_entitlement = Aarc_g002_entitlement(required_group) act_entitlement = Aarc_g002_entitlement(actual_group) assert req_entitlement.is_contained_in(act_entitlement)
def test_subgroup_required_and_available(self): required_group = "urn:geant:h-df.de:group:m-team:feudal-developers" actual_group = "urn:geant:h-df.de:group:m-team:feudal-developers#login.helmholtz.de" req_entitlement = Aarc_g002_entitlement(required_group, strict=False) act_entitlement = Aarc_g002_entitlement(actual_group, strict=False) assert req_entitlement.is_contained_in(act_entitlement)
def test_intentional_authority_mismatch_2(self): required_group = "urn:geant:h-df.de:group:aai-admin" actual_group = "urn:geant:h-df.de:group:aai-admin#totally_different_authority" req_entitlement = Aarc_g002_entitlement(required_group, strict=False) act_entitlement = Aarc_g002_entitlement(actual_group, strict=False) assert req_entitlement.is_contained_in(act_entitlement)
def test_failure_incomplete_invalid_entitlement(self): required_group = "urn:geant:h-df.de" with pytest.raises(Aarc_g002_entitlement_ParseError): Aarc_g002_entitlement(required_group, raise_error_if_unparseable=True)
def test_non_aarc_entitlement(self, actual_group): with pytest.raises(Aarc_g002_entitlement_ParseError): Aarc_g002_entitlement(actual_group, strict=False, raise_error_if_unparseable=False)
def wrapper(*args, **kwargs): # get request from wrapped function params request = kwargs.get("request", None) if request is None: self.set_last_error("No request object found.") logging.getLogger(__name__).error(f"{self.get_last_error()}") return self._return_formatter_wf(f"{self.get_last_error()}", 400) # get OP from request op_url = self.get_iss_from_request(request) if op_url is None: logging.getLogger(__name__).error(self.get_last_error()) return self._return_formatter_wf( f"No issuer found in AT: {self.get_last_error()}", 401) # get authorisation info for this OP op_authz = self.__authorisation.get(canonical_url(op_url), None) # if OP not supported: if op_authz is None: msg = f"The token issuer is not supported on this service: {op_url}" logging.getLogger(__name__).info(msg) return self._return_formatter_wf(msg, 403) # if all users from this OP are authorised, # it is sufficient to require login, which validates the token # at the userinfo endpoint if to_bool(op_authz.get('authorise_all', 'False')): logging.getLogger(__name__).warning( f"Authorising all users from {op_url}." "We recommend setting the authorised_vos field in motley_cue.conf." ) @self.login_required() async def tmp(*args, **kwargs): return await func(*args, **kwargs) return tmp(*args, **kwargs) # if this user is specifically authorised, # it is sufficient to require login, which validates the token # at the userinfo endpoint authorised_users = to_list(op_authz.get('authorised_users', '[]')) sub = self.get_sub_from_request(request) if len(authorised_users) > 0: if sub is None: logging.getLogger(__name__).error(self.get_last_error()) return self._return_formatter_wf( f"No sub found in AT: {self.get_last_error()}", 401) if sub in authorised_users: logging.getLogger(__name__).debug( f"User {sub} is individually authorised by sub.") @self.login_required() async def tmp(*args, **kwargs): return await func(*args, **kwargs) return tmp(*args, **kwargs) logging.getLogger(__name__).debug( f"User {sub} is not individually authorised by sub.") else: logging.getLogger(__name__).debug( "No individual users authorised by sub.") # if authorised VOs are specified, try to authorise based on VOs # this depends on the type of VO: AARC-G002 compatible or not # HACKY: if at least on of the provided groups is not compatible with AARC-G002, # treat them all as normal groups # possible FIX: flaat should deal with it and provide a uniform interface to check # VO membership for mixed lists of VOs authorised_vos = to_list(op_authz.get('authorised_vos', '[]')) if len(authorised_vos) > 0: try: logging.getLogger(__name__).debug( f"Trying VO-based authorisation for user {sub}; list of authorised VOs: {authorised_vos}." ) _ = [ Aarc_g002_entitlement(vo, strict=False) for vo in authorised_vos ] @self.aarc_g002_entitlement_required( entitlement=authorised_vos, claim=op_authz['vo_claim'], match=op_authz['vo_match']) async def tmp(*args, **kwargs): return await func(*args, **kwargs) return tmp(*args, **kwargs) except Aarc_g002_entitlement_Error: logging.getLogger(__name__).warning( "The provided VOs are not compatible with AARC G002.") @self.group_required(group=authorised_vos, claim=op_authz['vo_claim'], match=op_authz['vo_match']) async def tmp(*args, **kwargs): return await func(*args, **kwargs) return tmp(*args, **kwargs) else: logging.getLogger(__name__).debug( "No authorised VOs specified.") # user not authorised logging.getLogger(__name__).info( f"User {sub} from {op_url} was not authorised to access the service." ) return self._return_formatter_wf( "Forbidden: you are not authorised to access this service", 403)