def authorized( # pylint: disable=too-many-return-statements identifier: str, jwt: JwtManager, action: List[str]) -> bool: """Assert that the user is authorized to create filings against the business identifier.""" # if they are registry staff, they are always authorized if not action or not identifier or not jwt: return False if jwt.validate_roles([STAFF_ROLE]) \ or jwt.validate_roles([SYSTEM_ROLE]) \ or jwt.validate_roles([COLIN_SVC_ROLE]): return True if jwt.has_one_of_roles([BASIC_USER, PUBLIC_USER]): # if the action is create_comment or courtOrder/registrarsNotation/registrarsOrder filings # disallow - only staff are allowed staff_only_actions = [ 'add_comment', 'court_order', 'registrars_notation', 'registrars_order' ] if any(elem in action for elem in staff_only_actions): return False template_url = current_app.config.get('AUTH_SVC_URL') auth_url = template_url.format(**vars()) token = jwt.get_token_auth_header() headers = {'Authorization': 'Bearer ' + token} try: http = Session() retries = Retry(total=5, backoff_factor=0.1, status_forcelist=[500, 502, 503, 504]) http.mount('http://', HTTPAdapter(max_retries=retries)) rv = http.get(url=auth_url, headers=headers) if rv.status_code != HTTPStatus.OK \ or not rv.json().get('roles'): return False if all(elem.lower() in rv.json().get('roles') for elem in action): return True except ( exceptions.ConnectionError, # pylint: disable=broad-except exceptions.Timeout, ValueError, Exception) as err: current_app.logger.error( f'template_url {template_url}, svc:{auth_url}') current_app.logger.error( f'Authorization connection failure for {identifier}, using svc:{auth_url}', err) return False return False
def authorized_token( # pylint: disable=too-many-return-statements identifier: str, jwt: JwtManager, action: List[str]) -> bool: """Assert that the user is authorized to submit API requests for a particular action.""" if not action or not identifier or not jwt: return False # All users including staff must have the PPR role. if not jwt.validate_roles([PPR_ROLE]): return False if jwt.has_one_of_roles([BASIC_USER, PRO_DATA_USER]): template_url = current_app.config.get('AUTH_SVC_URL') auth_url = template_url.format(**vars()) token = jwt.get_token_auth_header() headers = {'Authorization': 'Bearer ' + token} try: http = Session() retries = Retry(total=5, backoff_factor=0.1, status_forcelist=[500, 502, 503, 504]) http.mount('http://', HTTPAdapter(max_retries=retries)) rv = http.get(url=auth_url, headers=headers) if rv.status_code != HTTPStatus.OK \ or not rv.json().get('roles'): return False if all(elem.lower() in rv.json().get('roles') for elem in action): return True except ( exceptions.ConnectionError, # pylint: disable=broad-except exceptions.Timeout, ValueError, Exception) as err: current_app.logger.error( f'template_url {template_url}, svc:{auth_url}') current_app.logger.error( f'Authorization connection failure for {identifier}, using svc:{auth_url}', err) return False return False