def authorized_service_token(
    config, valid_organization, valid_dataset, other_valid_dataset
):
    """Return an encoded service JWT with OWNER roles on the org and both datasets.

    The organization role comes from ``valid_organization``; the two dataset
    roles come from ``valid_dataset`` and ``other_valid_dataset`` and are both
    created with ``locked=False``.  The claim lives for ``JWT_EXPIRATION_SECS``
    and is signed with ``config.jwt_config``.
    """
    org_id, org_node_id = valid_organization
    first_ds_id, first_ds_node_id = valid_dataset
    second_ds_id, second_ds_node_id = other_valid_dataset

    org_role = OrganizationRole(id=org_id, node_id=org_node_id, role=RoleType.OWNER)
    dataset_roles = [
        DatasetRole(id=ds_id, node_id=ds_node_id, role=RoleType.OWNER, locked=False)
        for ds_id, ds_node_id in (
            (first_ds_id, first_ds_node_id),
            (second_ds_id, second_ds_node_id),
        )
    ]
    payload = ServiceClaim(roles=[org_role, *dataset_roles])
    claim = Claim.from_claim_type(payload, seconds=JWT_EXPIRATION_SECS)
    return to_utf8(claim.encode(config.jwt_config))
def test_authorization_requires_integer_organization_id(
    app_context, valid_organization, valid_dataset
):
    """The update route must reject an ``organization_id`` given as the node id.

    The claim itself is sufficient (OWNER on both the organization and the
    dataset); the only deviation is that ``organization_id`` is passed as the
    string form of the organization *node* id instead of the integer id, and
    the route is expected to raise ``OAuthProblem``.
    """
    org_id, org_node_id = valid_organization
    ds_id, ds_node_id = valid_dataset

    roles = [
        OrganizationRole(id=org_id, node_id=org_node_id, role=RoleType.OWNER),
        DatasetRole(id=ds_id, node_id=ds_node_id, role=RoleType.OWNER),
    ]
    token_info = Claim.from_claim_type(
        UserClaim(id=DEFAULT_USER_ID, node_id=DEFAULT_USER_NODE_ID, roles=roles),
        TOKEN_EXPIRATION_S,
    )

    with pytest.raises(OAuthProblem):
        handler = sample_update_route(
            dataset_id=str(ds_id.id),
            token_info=token_info,
            organization_id=str(org_node_id),  # node id, not the integer id
            body={"k": 1},
        )
        handler(org_id.id, ds_id.id)
def test_authorization_allows_updates_with_locked_false_claim(
    app_context, api_client, valid_organization, valid_dataset
):
    """An EDITOR dataset role with ``locked=False`` must pass the update route's check.

    The dataset role carries no ``node_id``; the stubbed ``api_client`` is
    primed with an ``api.Dataset`` whose ``int_id`` matches the fixture,
    presumably for the lookup that resolves the dataset.  The call is
    expected to complete without raising.
    """
    org_id, org_node_id = valid_organization
    ds_id, ds_node_id = valid_dataset

    api_client.get_dataset_response = api.Dataset(
        id=ds_node_id, int_id=ds_id.id, name="foo"
    )
    editor_claim = UserClaim(
        id=DEFAULT_USER_ID,
        node_id=DEFAULT_USER_NODE_ID,
        roles=[
            OrganizationRole(id=org_id, node_id=org_node_id, role=RoleType.OWNER),
            DatasetRole(id=ds_id, role=RoleType.EDITOR, locked=False),
        ],
    )
    token_info = Claim.from_claim_type(editor_claim, TOKEN_EXPIRATION_S)

    # NOTE(review): unlike the other positive tests in this file, the callable
    # returned by sample_update_route is never invoked here, so only the
    # decorator's authorization step is exercised — confirm that is intended.
    sample_update_route(
        dataset_id=str(ds_id.id),
        token_info=token_info,
        organization_id=str(org_id.id),
        body={"k": 1},
    )
def test_permission_required_raises_forbidden_when_dataset_role_is_too_low(
    app_context, valid_organization, valid_dataset
):
    """A VIEWER dataset role must make the update route raise ``Forbidden``.

    The organization role is OWNER, so the refusal is attributable to the
    dataset role alone.
    """
    org_id, org_node_id = valid_organization
    ds_id, ds_node_id = valid_dataset

    viewer_claim = UserClaim(
        id=DEFAULT_USER_ID,
        node_id=DEFAULT_USER_NODE_ID,
        roles=[
            OrganizationRole(id=org_id, node_id=org_node_id, role=RoleType.OWNER),
            DatasetRole(id=ds_id, node_id=ds_node_id, role=RoleType.VIEWER),
        ],
    )
    token_info = Claim.from_claim_type(viewer_claim, TOKEN_EXPIRATION_S)

    # sample_update_route requires EDITOR on the dataset; VIEWER ranks below
    # EDITOR, so the decorator must refuse the call.
    with pytest.raises(Forbidden):
        sample_update_route(
            dataset_id=str(ds_id.id),
            token_info=token_info,
            organization_id=str(org_id.id),
            body={"k": 1},
        )
def test_permission_required_to_a_access_specific_dataset(
    app_context, valid_organization, valid_dataset, other_valid_dataset
):
    """OWNER on one dataset must not grant access to a different dataset.

    The claim names only ``other_valid_dataset``; the update route is called
    with the id of ``valid_dataset`` and must raise ``Forbidden``.
    """
    org_id, org_node_id = valid_organization
    requested_ds_id, _ = valid_dataset
    granted_ds_id, granted_ds_node_id = other_valid_dataset

    roles = [
        OrganizationRole(id=org_id, node_id=org_node_id, role=RoleType.OWNER),
        # The only dataset the claim covers is the *other* one.
        DatasetRole(id=granted_ds_id, node_id=granted_ds_node_id, role=RoleType.OWNER),
    ]
    token_info = Claim.from_claim_type(
        UserClaim(id=DEFAULT_USER_ID, node_id=DEFAULT_USER_NODE_ID, roles=roles),
        TOKEN_EXPIRATION_S,
    )

    with pytest.raises(Forbidden):
        sample_update_route(
            dataset_id=str(requested_ds_id.id),
            token_info=token_info,
            organization_id=str(org_id.id),
            body={"k": 1},
        )
def test_permission_required_decorator(app_context, valid_organization, valid_dataset):
    """OWNER on both the organization and the dataset must let the update route proceed.

    The callable returned by ``sample_update_route`` is invoked with the
    integer ids, so the call past the authorization step is exercised too.
    """
    org_id, org_node_id = valid_organization
    ds_id, ds_node_id = valid_dataset

    owner_claim = UserClaim(
        id=DEFAULT_USER_ID,
        node_id=DEFAULT_USER_NODE_ID,
        roles=[
            OrganizationRole(id=org_id, node_id=org_node_id, role=RoleType.OWNER),
            DatasetRole(
                id=ds_id, node_id=ds_node_id, role=RoleType.OWNER, locked=False
            ),
        ],
    )
    token_info = Claim.from_claim_type(owner_claim, TOKEN_EXPIRATION_S)

    handler = sample_update_route(
        dataset_id=str(ds_id.id),
        token_info=token_info,
        organization_id=str(org_id.id),
        body={"k": 1},
    )
    handler(org_id.id, ds_id.id)
def test_permission_requires_an_organization_role_specifier(
    app_context, valid_organization, valid_dataset
):
    """A claim holding a dataset role but no organization role must be refused.

    Even though the dataset role is OWNER, the missing ``OrganizationRole``
    must make the update route raise ``Forbidden``.
    """
    org_id, _ = valid_organization
    ds_id, ds_node_id = valid_dataset

    # Deliberately no OrganizationRole: the dataset role is the only entry.
    dataset_only_claim = UserClaim(
        id=DEFAULT_USER_ID,
        node_id=DEFAULT_USER_NODE_ID,
        roles=[DatasetRole(id=ds_id, node_id=ds_node_id, role=RoleType.OWNER)],
    )
    token_info = Claim.from_claim_type(dataset_only_claim, TOKEN_EXPIRATION_S)

    with pytest.raises(Forbidden):
        sample_update_route(
            dataset_id=str(ds_id.id),
            token_info=token_info,
            organization_id=str(org_id.id),
            body={"k": 1},
        )
def test_authorization_resolves_dataset_id_from_api_with_wildcard_claim(
    app_context, api_client, valid_organization, valid_dataset
):
    """A wildcard dataset role must accept a dataset addressed by its node id.

    The dataset role is ``DatasetId("*")`` with EDITOR; the stubbed
    ``api_client`` answers the dataset lookup with an ``api.Dataset`` whose
    ``int_id`` matches the fixture.  The view route is called with the node
    id rather than the integer id and its returned callable is then invoked.
    """
    org_id, org_node_id = valid_organization
    ds_id, ds_node_id = valid_dataset

    api_client.get_dataset_response = api.Dataset(
        id=ds_node_id, int_id=ds_id.id, name="foo"
    )
    wildcard_claim = UserClaim(
        id=DEFAULT_USER_ID,
        node_id=DEFAULT_USER_NODE_ID,
        roles=[
            OrganizationRole(id=org_id, node_id=org_node_id, role=RoleType.OWNER),
            DatasetRole(id=DatasetId("*"), role=RoleType.EDITOR),
        ],
    )
    token_info = Claim.from_claim_type(wildcard_claim, TOKEN_EXPIRATION_S)

    handler = sample_view_route(
        dataset_id=ds_node_id,
        token_info=token_info,
        organization_id=str(org_id.id),
        body={"k": 1},
    )
    handler(org_id.id, ds_id.id)
def test_authorization_rejects_nonexistent_dataset_integer_id(
    valid_organization, valid_dataset
):
    """An integer dataset id not covered by the claim must raise ``Forbidden``.

    The claim grants OWNER on ``valid_dataset`` only; the update route is
    called with the unrelated integer ``9999``.
    """
    org_id, org_node_id = valid_organization
    ds_id, ds_node_id = valid_dataset

    roles = [
        OrganizationRole(id=org_id, node_id=org_node_id, role=RoleType.OWNER),
        DatasetRole(id=ds_id, node_id=ds_node_id, role=RoleType.OWNER),
    ]
    token_info = Claim.from_claim_type(
        UserClaim(id=DEFAULT_USER_ID, node_id=DEFAULT_USER_NODE_ID, roles=roles),
        TOKEN_EXPIRATION_S,
    )

    # NOTE(review): dataset_id is a bare int here while the sibling tests pass
    # str(...), and no app_context fixture is requested — confirm both are
    # intentional.
    with pytest.raises(Forbidden):
        handler = sample_update_route(
            dataset_id=9999,
            token_info=token_info,
            organization_id=str(org_id.id),
            body={"k": 1},
        )
        handler(org_id.id, ds_id.id)
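def service_claim(
    organization_id, dataset_id, jwt_config: JwtConfig, *, seconds: int = 30
) -> str:
    """Encode a service JWT granting OWNER on one organization and one dataset.

    Args:
        organization_id: Raw organization id; wrapped in ``OrganizationId``.
        dataset_id: Raw dataset id; wrapped in ``DatasetId``.
        jwt_config: Signing configuration handed to ``Claim.encode``.
        seconds: Lifetime of the claim in seconds.  Keyword-only; defaults to
            the 30 seconds that used to be hard-coded, so existing callers
            are unaffected.

    Returns:
        The encoded token as a UTF-8 ``str``.
    """
    roles = [
        OrganizationRole(id=OrganizationId(organization_id), role=RoleType.OWNER),
        DatasetRole(id=DatasetId(dataset_id), role=RoleType.OWNER),
    ]
    claim = Claim.from_claim_type(ServiceClaim(roles=roles), seconds=seconds)
    return to_utf8(claim.encode(jwt_config))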
def expired_user_token(jwt_config, valid_organization, valid_dataset):
    """Return an encoded user JWT that is already expired.

    The claim is created with ``Claim.from_claim_type(data, -1)``, i.e. a
    negative lifetime, presumably so that expiry checks reject it.  Roles are
    OWNER on the fixture organization and dataset; the user id is the fixed
    value 12345 and no user ``node_id`` is set.
    """
    org_id, org_node_id = valid_organization
    ds_id, ds_node_id = valid_dataset

    payload = UserClaim(
        id=12345,
        roles=[
            OrganizationRole(id=org_id, node_id=org_node_id, role=RoleType.OWNER),
            DatasetRole(id=ds_id, node_id=ds_node_id, role=RoleType.OWNER),
        ],
    )
    # A lifetime of -1 second places the expiry in the past.
    expired = Claim.from_claim_type(payload, -1)
    return to_utf8(expired.encode(jwt_config))
def unauthorized_user_token(jwt_config, invalid_organization, valid_dataset):
    """Return an encoded user JWT whose organization role names ``invalid_organization``.

    Apart from the organization, the claim mirrors the valid user tokens:
    OWNER on the organization and on ``valid_dataset``, user id 12345 with no
    ``node_id``, and a lifetime of ``JWT_EXPIRATION_SECS``.
    """
    org_id, org_node_id = invalid_organization
    ds_id, ds_node_id = valid_dataset

    payload = UserClaim(
        id=12345,
        roles=[
            OrganizationRole(id=org_id, node_id=org_node_id, role=RoleType.OWNER),
            DatasetRole(id=ds_id, node_id=ds_node_id, role=RoleType.OWNER),
        ],
    )
    signed = Claim.from_claim_type(payload, seconds=JWT_EXPIRATION_SECS)
    return to_utf8(signed.encode(jwt_config))
def test_authorization_rejects_nonexistent_dataset_node_ids_with_wildcard_claim(
    app_context, api_client, valid_organization, valid_dataset
):
    """With a wildcard dataset role, an unknown dataset node id must surface as ``OAuthProblem``.

    The stubbed ``api_client`` is told to raise a 404 ``ExternalRequestError``
    for the lookup; the update route is expected to turn that into an
    ``OAuthProblem`` whose message matches ``"Dataset does not exist"``.
    """
    org_id, org_node_id = valid_organization
    ds_id, _ = valid_dataset

    missing_node_id = "N:dataset:does-not-exist"
    api_client.raise_exception(
        ExternalRequestError(
            status_code=404,
            method="GET",
            url="/datasets/N:dataset:does-not-exist",
            content="Dataset does not exist",
        )
    )

    # NOTE(review): the wildcard is the plain string "*" here, whereas the
    # sibling wildcard test wraps it as DatasetId("*") — confirm both forms
    # are accepted by DatasetRole.
    wildcard_claim = UserClaim(
        id=DEFAULT_USER_ID,
        node_id=DEFAULT_USER_NODE_ID,
        roles=[
            OrganizationRole(id=org_id, node_id=org_node_id, role=RoleType.OWNER),
            DatasetRole(id="*", role=RoleType.EDITOR),
        ],
    )
    token_info = Claim.from_claim_type(wildcard_claim, TOKEN_EXPIRATION_S)

    with pytest.raises(OAuthProblem, match="Dataset does not exist"):
        handler = sample_update_route(
            dataset_id=missing_node_id,
            token_info=token_info,
            organization_id=str(org_id.id),
            body={"k": 1},
        )
        handler(org_id.id, ds_id.id)
"--jwt_key", type=str, default=os.environ.get("JWT_SECRET_KEY", "test-key"), required=False, ) args = parser.parse_args() claim = Claim.from_claim_type( UserClaim( id=args.user_id, node_id=args.user_node_id, roles=[ OrganizationRole( id=OrganizationId(args.organization_id), node_id=args.organization_node_id, role=RoleType.OWNER, ), DatasetRole( id=DatasetId(args.dataset_id), node_id=args.dataset_node_id, role=RoleType.OWNER, ), ], ), 60 * 60, ) token = claim.encode(JwtConfig(args.jwt_key)) print(token)