def get_account_authorizations_for_org(token_info: Dict, account_id: str, corp_type_code: Optional[str],
expanded: bool = False):
"""Get User authorizations for the org."""
auth_response = {}
auth = None
token_roles = token_info.get('realm_access').get('roles')
# todo the service account level access has not been defined
if Role.STAFF.value in token_roles:
if expanded:
# Query Authorization view by business identifier
auth = AuthorizationView.find_authorization_for_staff_by_org_id(account_id)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = token_roles
else:
keycloak_guid = token_info.get('sub', None)
# check product based auth auth org based auth
check_product_based_auth = Authorization._is_product_based_auth(corp_type_code)
if check_product_based_auth:
auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user(
keycloak_guid, account_id, corp_type_code)
else:
if account_id and keycloak_guid:
auth = AuthorizationView.find_user_authorization_by_org_id(keycloak_guid, account_id)
auth_response['roles'] = []
if auth:
permissions = PermissionsService.get_permissions_for_membership(auth.status_code,
auth.org_membership)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = permissions
return auth_response
def check_auth(token_info: Dict, **kwargs):
"""Check if user is authorized to perform action on the service."""
if Role.STAFF.value in token_info.get('realm_access').get('roles'):
_check_for_roles(STAFF, kwargs)
elif Role.SYSTEM.value in token_info.get('realm_access').get('roles'):
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None)
product_code_in_jwt = token_info.get('product_code', None)
if product_code_in_jwt is None:
# product code must be present in jwt
abort(403)
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(token_info, business_identifier)
elif org_identifier:
auth = Authorization.get_account_authorizations_for_product(token_info.get('sub', None),
org_identifier,
product_code_in_jwt)
if auth is None:
abort(403)
return
else:
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None)
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(token_info, business_identifier)
elif org_identifier:
auth_record = AuthorizationView.find_user_authorization_by_org_id(token_info.get('sub', None),
org_identifier)
auth = Authorization(auth_record).as_dict() if auth_record else None
_check_for_roles(auth.get('orgMembership', None) if auth else None, kwargs)
def check_auth(**kwargs):
"""Check if user is authorized to perform action on the service."""
user_from_context: UserContext = kwargs['user_context']
if user_from_context.is_staff():
_check_for_roles(STAFF, kwargs)
elif user_from_context.is_system():
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None)
product_code_in_jwt = user_from_context.token_info.get('product_code', None)
if product_code_in_jwt is None:
# product code must be present in jwt
abort(403)
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(business_identifier)
elif org_identifier:
auth = Authorization.get_account_authorizations_for_product(org_identifier, product_code_in_jwt)
if auth is None:
abort(403)
return
else:
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None) or user_from_context.account_id
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(business_identifier)
elif org_identifier:
auth_record = AuthorizationView.find_user_authorization_by_org_id(user_from_context.sub, org_identifier)
auth = Authorization(auth_record).as_dict() if auth_record else None
_check_for_roles(auth.get('orgMembership', None) if auth else None, kwargs)
def test_find_user_authorization_by_org_id(session): # pylint:disable=unused-argument
"""Assert that authorization view is returning result."""
user = factory_user_model()
org = factory_org_model()
membership = factory_membership_model(user.id, org.id)
entity = factory_entity_model()
factory_affiliation_model(entity.id, org.id)
authorization = Authorization.find_user_authorization_by_org_id(str(user.keycloak_guid),
org.id)
assert authorization is not None
assert authorization.org_membership == membership.membership_type_code
def get_account_authorizations_for_org(account_id: str,
corp_type_code: Optional[str],
expanded: bool = False,
**kwargs):
"""Get User authorizations for the org."""
user_from_context: UserContext = kwargs['user_context']
auth_response = {}
auth = None
token_roles = user_from_context.roles
# todo the service account level access has not been defined
if Role.STAFF.value in token_roles:
if expanded:
# Query Authorization view by business identifier
auth = AuthorizationView.find_authorization_for_admin_by_org_id(
account_id)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = token_roles
else:
keycloak_guid = user_from_context.sub
account_id_claim = user_from_context.account_id_claim
# check product based auth auth org based auth
check_product_based_auth = Authorization._is_product_based_auth(
corp_type_code)
if check_product_based_auth:
if account_id_claim:
auth = AuthorizationView.find_account_authorization_by_org_id_and_product(
account_id_claim, corp_type_code)
else:
auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user(
keycloak_guid, account_id, corp_type_code)
else:
if account_id_claim and account_id == int(account_id_claim):
auth = AuthorizationView.find_authorization_for_admin_by_org_id(
account_id_claim)
elif account_id and keycloak_guid:
auth = AuthorizationView.find_user_authorization_by_org_id(
keycloak_guid, account_id)
auth_response['roles'] = []
if auth:
permissions = PermissionsService.get_permissions_for_membership(
auth.status_code, auth.org_membership)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = permissions
return auth_response
def check_auth(**kwargs):
"""Check if user is authorized to perform action on the service."""
user_from_context: UserContext = kwargs['user_context']
if user_from_context.is_staff():
_check_for_roles(STAFF, kwargs)
elif user_from_context.is_system():
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None)
product_code_in_jwt = user_from_context.token_info.get(
'product_code', None)
if product_code_in_jwt is None:
# product code must be present in jwt
abort(403)
if product_code_in_jwt == 'ALL': # Product code for super admin service account (sbc-auth-admin)
return
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(
business_identifier)
elif org_identifier:
auth = Authorization.get_account_authorizations_for_product(
org_identifier, product_code_in_jwt)
if auth is None:
abort(403)
return
else:
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id',
None) or user_from_context.account_id
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(
business_identifier)
elif org_identifier:
# If the account id is part of claim (api gw users), then no need to lookup using keycloak guid.
if user_from_context.account_id_claim and \
int(user_from_context.account_id_claim) == kwargs.get('org_id', None):
auth_record = AuthorizationView.find_authorization_for_admin_by_org_id(
user_from_context.account_id)
else:
auth_record = AuthorizationView.find_user_authorization_by_org_id(
user_from_context.sub, org_identifier)
auth = Authorization(
auth_record).as_dict() if auth_record else None
_check_for_roles(
auth.get('orgMembership', None) if auth else None, kwargs)
def check_auth(token_info: Dict, **kwargs):
"""Check if user is authorized to perform action on the service."""
if 'staff_admin' in token_info.get('realm_access').get('roles'):
# Staff admin should get all access as of Staff
if STAFF in kwargs.get('one_of_roles',
[]) and STAFF_ADMIN not in kwargs.get(
'one_of_roles', None):
kwargs.get('one_of_roles').append(STAFF_ADMIN)
if kwargs.get('equals_role', None) == STAFF:
kwargs.pop('equals_role', None)
kwargs['one_of_roles'] = (STAFF, STAFF_ADMIN)
_check_for_roles(STAFF_ADMIN, kwargs)
elif 'staff' in token_info.get('realm_access').get('roles'):
_check_for_roles(STAFF, kwargs)
elif Role.SYSTEM.value in token_info.get('realm_access').get('roles') \
and not token_info.get('loginSource', None) == 'PASSCODE':
corp_type_in_jwt = token_info.get('corp_type', None)
if corp_type_in_jwt is None:
# corp type must be present in jwt
abort(403)
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None)
auth = None
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(
token_info, business_identifier)
elif org_identifier:
auth_record = AuthorizationView.find_user_authorization_by_org_id_and_corp_type(
org_identifier, corp_type_in_jwt)
auth = Authorization(
auth_record).as_dict() if auth_record else None
if auth is None:
abort(403)
else:
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None)
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(
token_info, business_identifier)
elif org_identifier:
auth_record = AuthorizationView.find_user_authorization_by_org_id(
token_info.get('sub', None), org_identifier)
auth = Authorization(
auth_record).as_dict() if auth_record else None
_check_for_roles(
auth.get('orgMembership', None) if auth else None, kwargs)