def get_user_authorizations_for_entity(token_info: Dict, business_identifier: str, expanded: bool = False):
"""Get User authorizations for the entity."""
auth_response = {}
auth = None
token_roles = token_info.get('realm_access').get('roles')
if Role.STAFF.value in token_roles:
if expanded:
# Query Authorization view by business identifier
auth = AuthorizationView.find_user_authorization_by_business_number(business_identifier)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = token_roles
elif Role.SYSTEM.value in token_roles:
# a service account in keycloak should have product_code claim setup.
keycloak_product_code = token_info.get('product_code', None)
if keycloak_product_code:
auth = AuthorizationView.find_user_authorization_by_business_number_and_product(business_identifier,
keycloak_product_code)
if auth:
auth_response = Authorization(auth).as_dict(expanded)
permissions = PermissionsService.get_permissions_for_membership(auth.status_code, 'SYSTEM')
auth_response['roles'] = permissions
else:
keycloak_guid = token_info.get('sub', None)
if business_identifier and keycloak_guid:
auth = AuthorizationView.find_user_authorization_by_business_number(business_identifier, keycloak_guid)
if auth:
permissions = PermissionsService.get_permissions_for_membership(auth.status_code, auth.org_membership)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = permissions
return auth_response
def get_user_authorizations_for_entity(token_info: Dict,
business_identifier: str,
expanded: bool = False):
"""Get User authorizations for the entity."""
auth_response = {}
if 'staff' in token_info.get('realm_access').get('roles'):
auth_response = {'roles': ['edit', 'view']}
elif Role.SYSTEM.value in token_info.get('realm_access').get('roles'):
# a service account in keycloak should have corp_type claim setup.
keycloak_corp_type = token_info.get('corp_type', None)
if keycloak_corp_type:
auth = AuthorizationView.find_user_authorization_by_business_number_and_corp_type(
business_identifier, keycloak_corp_type)
if auth:
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = ['edit', 'view']
else:
keycloak_guid = token_info.get('sub', None)
auth = AuthorizationView.find_user_authorization_by_business_number(
keycloak_guid, business_identifier)
if auth:
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = ['edit', 'view']
return auth_response
def get_user_authorizations_for_entity(token_info: Dict,
business_identifier: str):
"""Get User authorizations for the entity."""
auth_response = {}
if token_info.get('loginSource', None) == 'PASSCODE':
if token_info.get('username',
None).upper() == business_identifier.upper():
auth_response = {
'orgMembership': OWNER,
'roles': ['edit', 'view']
}
elif 'staff' in token_info.get('realm_access').get('roles'):
auth_response = {'roles': ['edit', 'view']}
elif Role.SYSTEM.value in token_info.get('realm_access').get('roles'):
# a service account in keycloak should have corp_type claim setup.
keycloak_corp_type = token_info.get('corp_type', None)
if keycloak_corp_type:
auth = AuthorizationView.find_user_authorization_by_business_number_and_corp_type(
business_identifier, keycloak_corp_type)
if auth:
auth_response = Authorization(auth).as_dict(
exclude=['business_identifier'])
auth_response['roles'] = ['edit', 'view']
else:
keycloak_guid = token_info.get('sub', None)
auth = AuthorizationView.find_user_authorization_by_business_number(
keycloak_guid, business_identifier)
if auth:
auth_response = Authorization(auth).as_dict(
exclude=['business_identifier'])
auth_response['roles'] = ['edit', 'view']
return auth_response
def get_account_authorizations_for_org(token_info: Dict, account_id: str, corp_type_code: Optional[str],
expanded: bool = False):
"""Get User authorizations for the org."""
auth_response = {}
auth = None
token_roles = token_info.get('realm_access').get('roles')
# todo the service account level access has not been defined
if Role.STAFF.value in token_roles:
if expanded:
# Query Authorization view by business identifier
auth = AuthorizationView.find_authorization_for_staff_by_org_id(account_id)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = token_roles
else:
keycloak_guid = token_info.get('sub', None)
# check product based auth auth org based auth
check_product_based_auth = Authorization._is_product_based_auth(corp_type_code)
if check_product_based_auth:
auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user(
keycloak_guid, account_id, corp_type_code)
else:
if account_id and keycloak_guid:
auth = AuthorizationView.find_user_authorization_by_org_id(keycloak_guid, account_id)
auth_response['roles'] = []
if auth:
permissions = PermissionsService.get_permissions_for_membership(auth.status_code,
auth.org_membership)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = permissions
return auth_response
def test_find_invalid_user_authorization_by_business_number(session): # pylint:disable=unused-argument
"""Test with invalid user id and assert that auth is None."""
user = factory_user_model()
org = factory_org_model()
factory_membership_model(user.id, org.id)
entity = factory_entity_model()
factory_affiliation_model(entity.id, org.id)
authorization = Authorization.find_user_authorization_by_business_number(str(uuid.uuid4()),
entity.business_identifier)
assert authorization is None
# Test with invalid business identifier
authorization = Authorization.find_user_authorization_by_business_number(str(uuid.uuid4()), '')
assert authorization is None
def check_auth(**kwargs):
"""Check if user is authorized to perform action on the service."""
user_from_context: UserContext = kwargs['user_context']
if user_from_context.is_staff():
_check_for_roles(STAFF, kwargs)
elif user_from_context.is_system():
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None)
product_code_in_jwt = user_from_context.token_info.get('product_code', None)
if product_code_in_jwt is None:
# product code must be present in jwt
abort(403)
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(business_identifier)
elif org_identifier:
auth = Authorization.get_account_authorizations_for_product(org_identifier, product_code_in_jwt)
if auth is None:
abort(403)
return
else:
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None) or user_from_context.account_id
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(business_identifier)
elif org_identifier:
auth_record = AuthorizationView.find_user_authorization_by_org_id(user_from_context.sub, org_identifier)
auth = Authorization(auth_record).as_dict() if auth_record else None
_check_for_roles(auth.get('orgMembership', None) if auth else None, kwargs)
def check_auth(token_info: Dict, **kwargs):
"""Check if user is authorized to perform action on the service."""
if Role.STAFF.value in token_info.get('realm_access').get('roles'):
_check_for_roles(STAFF, kwargs)
elif Role.SYSTEM.value in token_info.get('realm_access').get('roles'):
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None)
product_code_in_jwt = token_info.get('product_code', None)
if product_code_in_jwt is None:
# product code must be present in jwt
abort(403)
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(token_info, business_identifier)
elif org_identifier:
auth = Authorization.get_account_authorizations_for_product(token_info.get('sub', None),
org_identifier,
product_code_in_jwt)
if auth is None:
abort(403)
return
else:
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None)
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(token_info, business_identifier)
elif org_identifier:
auth_record = AuthorizationView.find_user_authorization_by_org_id(token_info.get('sub', None),
org_identifier)
auth = Authorization(auth_record).as_dict() if auth_record else None
_check_for_roles(auth.get('orgMembership', None) if auth else None, kwargs)
def get_account_authorizations_for_org(account_id: str,
corp_type_code: Optional[str],
expanded: bool = False,
**kwargs):
"""Get User authorizations for the org."""
user_from_context: UserContext = kwargs['user_context']
auth_response = {}
auth = None
token_roles = user_from_context.roles
# todo the service account level access has not been defined
if Role.STAFF.value in token_roles:
if expanded:
# Query Authorization view by business identifier
auth = AuthorizationView.find_authorization_for_admin_by_org_id(
account_id)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = token_roles
else:
keycloak_guid = user_from_context.sub
account_id_claim = user_from_context.account_id_claim
# check product based auth auth org based auth
check_product_based_auth = Authorization._is_product_based_auth(
corp_type_code)
if check_product_based_auth:
if account_id_claim:
auth = AuthorizationView.find_account_authorization_by_org_id_and_product(
account_id_claim, corp_type_code)
else:
auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user(
keycloak_guid, account_id, corp_type_code)
else:
if account_id_claim and account_id == int(account_id_claim):
auth = AuthorizationView.find_authorization_for_admin_by_org_id(
account_id_claim)
elif account_id and keycloak_guid:
auth = AuthorizationView.find_user_authorization_by_org_id(
keycloak_guid, account_id)
auth_response['roles'] = []
if auth:
permissions = PermissionsService.get_permissions_for_membership(
auth.status_code, auth.org_membership)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = permissions
return auth_response
def check_auth(token_info: Dict, **kwargs):
"""Check if user is authorized to perform action on the service."""
if 'staff_admin' in token_info.get('realm_access').get('roles'):
# Staff admin should get all access as of Staff
if STAFF in kwargs.get('one_of_roles',
[]) and STAFF_ADMIN not in kwargs.get(
'one_of_roles', None):
kwargs.get('one_of_roles').append(STAFF_ADMIN)
if kwargs.get('equals_role', None) == STAFF:
kwargs.pop('equals_role', None)
kwargs['one_of_roles'] = (STAFF, STAFF_ADMIN)
_check_for_roles(STAFF_ADMIN, kwargs)
elif 'staff' in token_info.get('realm_access').get('roles'):
_check_for_roles(STAFF, kwargs)
elif Role.SYSTEM.value in token_info.get('realm_access').get('roles') \
and not token_info.get('loginSource', None) == 'PASSCODE':
corp_type_in_jwt = token_info.get('corp_type', None)
if corp_type_in_jwt is None:
# corp type must be present in jwt
abort(403)
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None)
auth = None
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(
token_info, business_identifier)
elif org_identifier:
auth_record = AuthorizationView.find_user_authorization_by_org_id_and_corp_type(
org_identifier, corp_type_in_jwt)
auth = Authorization(
auth_record).as_dict() if auth_record else None
if auth is None:
abort(403)
else:
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None)
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(
token_info, business_identifier)
elif org_identifier:
auth_record = AuthorizationView.find_user_authorization_by_org_id(
token_info.get('sub', None), org_identifier)
auth = Authorization(
auth_record).as_dict() if auth_record else None
_check_for_roles(
auth.get('orgMembership', None) if auth else None, kwargs)
def check_auth(**kwargs):
"""Check if user is authorized to perform action on the service."""
user_from_context: UserContext = kwargs['user_context']
if user_from_context.is_staff():
_check_for_roles(STAFF, kwargs)
elif user_from_context.is_system():
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id', None)
product_code_in_jwt = user_from_context.token_info.get(
'product_code', None)
if product_code_in_jwt is None:
# product code must be present in jwt
abort(403)
if product_code_in_jwt == 'ALL': # Product code for super admin service account (sbc-auth-admin)
return
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(
business_identifier)
elif org_identifier:
auth = Authorization.get_account_authorizations_for_product(
org_identifier, product_code_in_jwt)
if auth is None:
abort(403)
return
else:
business_identifier = kwargs.get('business_identifier', None)
org_identifier = kwargs.get('org_id',
None) or user_from_context.account_id
if business_identifier:
auth = Authorization.get_user_authorizations_for_entity(
business_identifier)
elif org_identifier:
# If the account id is part of claim (api gw users), then no need to lookup using keycloak guid.
if user_from_context.account_id_claim and \
int(user_from_context.account_id_claim) == kwargs.get('org_id', None):
auth_record = AuthorizationView.find_authorization_for_admin_by_org_id(
user_from_context.account_id)
else:
auth_record = AuthorizationView.find_user_authorization_by_org_id(
user_from_context.sub, org_identifier)
auth = Authorization(
auth_record).as_dict() if auth_record else None
_check_for_roles(
auth.get('orgMembership', None) if auth else None, kwargs)
def test_find_user_authorization_by_org_id_and_invalid_corp_type_no_affliation(
session): # pylint:disable=unused-argument # noqa: E501
"""Assert that authorization view is returning correct result for an unclaimed/unaffiliated organization."""
user = factory_user_model()
org = factory_org_model()
factory_membership_model(user.id, org.id)
authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'invalid_corp_type')
assert authorization is not None
def test_find_all_user_authorizations_for_empty(session): # pylint:disable=unused-argument
"""Test with invalid user id and assert that auth is None."""
user = factory_user_model()
org = factory_org_model()
factory_membership_model(user.id, org.id)
authorizations = Authorization.find_all_authorizations_for_user(str(user.keycloak_guid))
assert authorizations is not None
assert authorizations[0].business_identifier is None
def get_user_authorizations(keycloak_guid: str):
"""Get all user authorizations."""
authorizations_response: Dict = {'authorizations': []}
authorizations = AuthorizationView.find_all_authorizations_for_user(keycloak_guid)
if authorizations:
for auth in authorizations:
authorizations_response['authorizations'].append(Authorization(auth).as_dict())
return authorizations_response
def get_user_authorizations_for_entity(business_identifier: str,
expanded: bool = False,
**kwargs):
"""Get User authorizations for the entity."""
user_from_context: UserContext = kwargs['user_context']
auth_response = {}
auth = None
token_roles = user_from_context.roles
current_app.logger.debug(f'check roles=:{token_roles}')
if Role.STAFF.value in token_roles:
if expanded:
# Query Authorization view by business identifier
auth = AuthorizationView.find_user_authorization_by_business_number(
business_identifier, is_staff=True)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = token_roles
elif Role.SYSTEM.value in token_roles:
# a service account in keycloak should have product_code claim setup.
keycloak_product_code = user_from_context.token_info.get(
'product_code', None)
if keycloak_product_code:
auth = AuthorizationView.find_user_authorization_by_business_number_and_product(
business_identifier, keycloak_product_code)
if auth:
auth_response = Authorization(auth).as_dict(expanded)
permissions = PermissionsService.get_permissions_for_membership(
auth.status_code, 'SYSTEM')
auth_response['roles'] = permissions
else:
keycloak_guid = user_from_context.sub
if business_identifier and keycloak_guid:
auth = AuthorizationView.find_user_authorization_by_business_number(
business_identifier=business_identifier,
keycloak_guid=keycloak_guid,
org_id=user_from_context.account_id)
if auth:
permissions = PermissionsService.get_permissions_for_membership(
auth.status_code, auth.org_membership)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = permissions
return auth_response
def get_account_authorizations_for_product(keycloak_guid: str,
account_id: str,
product_code: str):
"""Get account authorizations for the product."""
auth_response: Dict = {'roles': []}
authorization = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user(
keycloak_guid, account_id, product_code)
auth_response['roles'] = authorization.roles.split(
',') if authorization and authorization.roles else []
return auth_response
def get_account_authorizations_for_product(account_id: str, product_code: str, expanded: bool = False, **kwargs):
"""Get account authorizations for the product."""
user_from_context: UserContext = kwargs['user_context']
account_id_claim = user_from_context.account_id
if account_id_claim:
auth = AuthorizationView.find_account_authorization_by_org_id_and_product(
account_id_claim, product_code
)
else:
auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user(
user_from_context.sub, account_id, product_code
)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = []
if auth:
permissions = PermissionsService.get_permissions_for_membership(auth.status_code, auth.org_membership)
auth_response['roles'] = permissions
return auth_response
def test_find_user_authorization_by_org_id_and_invalid_corp_type(session): # pylint:disable=unused-argument
"""Assert that authorization view is not returning result when invalid corp type is passed."""
user = factory_user_model()
org = factory_org_model()
factory_membership_model(user.id, org.id)
entity = factory_entity_model()
factory_affiliation_model(entity.id, org.id)
authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'invalid_corp_type')
assert authorization is None
def test_find_all_user_authorizations(session): # pylint:disable=unused-argument
"""Test find all user authoirzations."""
user = factory_user_model()
org = factory_org_model()
membership = factory_membership_model(user.id, org.id)
entity = factory_entity_model()
factory_affiliation_model(entity.id, org.id)
authorizations = Authorization.find_all_authorizations_for_user(str(user.keycloak_guid))
assert authorizations is not None
assert authorizations[0].org_membership == membership.membership_type_code
assert authorizations[0].business_identifier == entity.business_identifier
def get_account_authorizations_for_product(token_info: Dict,
account_id: str,
product_code: str,
expanded: bool = False):
"""Get account authorizations for the product."""
account_id_claim = token_info.get('Account-Id', None)
if account_id_claim:
auth = AuthorizationView.find_account_authorization_by_org_id_and_product(
account_id_claim, product_code)
else:
auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user(
token_info.get('sub'), account_id, product_code)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = []
if auth:
permissions = PermissionsService.get_permissions_for_membership(
auth.status_code, auth.org_membership)
auth_response['roles'] = permissions
return auth_response
def get_account_authorizations_for_product(keycloak_guid: str,
account_id: str,
product_code: str,
expanded: bool = False):
"""Get account authorizations for the product."""
authorization = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user(
keycloak_guid, account_id, product_code)
auth_response = Authorization(authorization).as_dict(expanded)
auth_response['roles'] = authorization.roles.split(
',') if authorization and authorization.roles else []
return auth_response
def test_find_user_authorization_by_org_id(session): # pylint:disable=unused-argument
"""Assert that authorization view is returning result."""
user = factory_user_model()
org = factory_org_model()
membership = factory_membership_model(user.id, org.id)
entity = factory_entity_model()
factory_affiliation_model(entity.id, org.id)
authorization = Authorization.find_user_authorization_by_org_id(str(user.keycloak_guid),
org.id)
assert authorization is not None
assert authorization.org_membership == membership.membership_type_code
def get_account_authorizations_for_product(keycloak_guid: str, account_id: str, product_code: str,
expanded: bool = False):
"""Get account authorizations for the product."""
auth = AuthorizationView.find_account_authorization_by_org_id_and_product_for_user(
keycloak_guid, account_id, product_code
)
auth_response = Authorization(auth).as_dict(expanded)
auth_response['roles'] = []
if auth:
permissions = PermissionsService.get_permissions_for_membership(auth.status_code, auth.org_membership)
auth_response['roles'] = permissions
return auth_response
def test_find_user_authorization_by_business_number_product(session): # pylint:disable=unused-argument
"""Assert that authorization view is returning result."""
user = factory_user_model()
org = factory_org_model()
factory_membership_model(user.id, org.id)
factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value)
entity = factory_entity_model()
factory_affiliation_model(entity.id, org.id)
authorization = Authorization.find_user_authorization_by_business_number_and_product(
entity.business_identifier, ProductCode.DIR_SEARCH.value)
assert authorization is not None
assert authorization.product_code == ProductCode.DIR_SEARCH.value
def test_find_user_authorization_by_org_id_and_corp_type(session): # pylint:disable=unused-argument
"""Assert that authorization view returns result when fetched using Corp type instead of jwt.
Service accounts passes corp type instead of jwt.
"""
user = factory_user_model()
org = factory_org_model()
membership = factory_membership_model(user.id, org.id)
entity = factory_entity_model()
factory_affiliation_model(entity.id, org.id)
authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'CP')
assert authorization is not None
assert authorization.org_membership == membership.membership_type_code
def test_find_user_authorization_by_org_id_and_corp_type_multiple_membership(session): # pylint:disable=unused-argument
"""Assert that authorization view returns result when fetched using Corp type instead of jwt.
When multiple membership is present , return the one with Owner access.
"""
user1 = factory_user_model()
user2 = factory_user_model(user_info=TestUserInfo.user2)
org = factory_org_model()
factory_membership_model(user1.id, org.id, member_type='ADMIN')
membership_owner = factory_membership_model(user2.id, org.id)
entity = factory_entity_model()
factory_affiliation_model(entity.id, org.id)
authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'CP')
assert authorization is not None
assert authorization.org_membership == membership_owner.membership_type_code
def get_user_authorizations_for_entity(token_info: Dict,
business_identifier: str):
"""Get User authorizations for the entity."""
auth_response = {}
if token_info.get('loginSource', None) == 'PASSCODE':
if token_info.get('username',
None).upper() == business_identifier.upper():
auth_response = {'role': 'OWNER'}
elif 'staff' in token_info.get('realm_access', []).get('roles', []):
auth_response = {'role': 'STAFF'}
else:
keycloak_guid = token_info.get('sub', None)
auth = AuthorizationView.find_user_authorization_by_business_number(
keycloak_guid, business_identifier)
if auth:
auth_response = Authorization(auth).as_dict(
exclude=['business_identifier'])
return auth_response
