def authorized( # pylint: disable=too-many-return-statements
identifier: str, jwt: JwtManager, action: List[str]) -> bool:
"""Assert that the user is authorized to create filings against the business identifier."""
# if they are registry staff, they are always authorized
if not action or not identifier or not jwt:
return False
if jwt.validate_roles([STAFF_ROLE]) \
or jwt.validate_roles([SYSTEM_ROLE]) \
or jwt.validate_roles([COLIN_SVC_ROLE]):
return True
if jwt.has_one_of_roles([BASIC_USER, PUBLIC_USER]):
# if the action is create_comment or courtOrder/registrarsNotation/registrarsOrder filings
# disallow - only staff are allowed
staff_only_actions = [
'add_comment', 'court_order', 'registrars_notation',
'registrars_order'
]
if any(elem in action for elem in staff_only_actions):
return False
template_url = current_app.config.get('AUTH_SVC_URL')
auth_url = template_url.format(**vars())
token = jwt.get_token_auth_header()
headers = {'Authorization': 'Bearer ' + token}
try:
http = Session()
retries = Retry(total=5,
backoff_factor=0.1,
status_forcelist=[500, 502, 503, 504])
http.mount('http://', HTTPAdapter(max_retries=retries))
rv = http.get(url=auth_url, headers=headers)
if rv.status_code != HTTPStatus.OK \
or not rv.json().get('roles'):
return False
if all(elem.lower() in rv.json().get('roles') for elem in action):
return True
except (
exceptions.ConnectionError, # pylint: disable=broad-except
exceptions.Timeout,
ValueError,
Exception) as err:
current_app.logger.error(
f'template_url {template_url}, svc:{auth_url}')
current_app.logger.error(
f'Authorization connection failure for {identifier}, using svc:{auth_url}',
err)
return False
return False
def authorized(identifier: str, jwt: JwtManager) -> bool: # pylint: disable=too-many-return-statements
"""Verify the user is authorized to submit the request by inspecting the web token.
The gateway has already verified the JWT with the OIDC service.
"""
if not jwt:
return False
# Could call the auth api here to check the token roles (/api/v1/orgs/{account_id}/authorizations),
# but JWTManager.validate_roles does the same thing.
# All users including staff must have the PPR role.
if not jwt.validate_roles([PPR_ROLE]):
return False
# Account ID (idenfifier) is required if not staff.
if identifier and identifier.strip() != '':
return True
# Remove when all staff changes made.
if jwt.validate_roles([STAFF_ROLE]):
return True
# template_url = current_app.config.get('AUTH_SVC_URL')
# auth_url = template_url.format(**vars())
# token = jwt.get_token_auth_header()
# headers = {'Authorization': 'Bearer ' + token}
# try:
# http = Session()
# retries = Retry(total=5,
# backoff_factor=0.1,
# status_forcelist=[500, 502, 503, 504])
# http.mount('http://', HTTPAdapter(max_retries=retries))
# rv = http.get(url=auth_url, headers=headers)
# if rv.status_code != HTTPStatus.OK \
# or not rv.json().get('roles'):
# return False
# if all(elem.lower() in rv.json().get('roles') for elem in action):
# return True
# except (exceptions.ConnectionError, # pylint: disable=broad-except
# exceptions.Timeout,
# ValueError,
# Exception) as err:
# current_app.logger.error(f'template_url {template_url}, svc:{auth_url}')
# current_app.logger.error(f'Authorization connection failure for {identifier}, using svc:{auth_url}', err)
# return False
return False
def authorized(identifier: str, jwt: JwtManager) -> bool:
"""Assert that the user is authorized to create filings against the business identifier."""
# if they are registry staff, they are always authorized
if jwt.validate_roles([STAFF_ROLE]):
return True
if jwt.validate_roles([COLIN_SVC_ROLE]):
return True
token = g.jwt_oidc_token_info
username = token.get('username', None)
if username and jwt.validate_roles(
[BASIC_USER]) and identifier.upper() == username.upper():
return True
return False
def is_staff(jwt: JwtManager) -> bool: # pylint: disable=too-many-return-statements
"""Return True if the user has the BC Registries staff role."""
if not jwt:
return False
if jwt.validate_roles([STAFF_ROLE]):
return True
return False
def has_roles(jwt: JwtManager, roles: List[str]) -> bool:
"""Assert the users JWT has the required role(s).
Assumes the JWT is already validated.
"""
if jwt.validate_roles(roles):
return True
return False
def _create_invoice(business: Business,
filing: Filing,
filing_types: list,
user_jwt: JwtManager) \
-> Tuple[int, dict, int]:
"""Create the invoice for the filing submission.
Returns: {
int: the paymentToken (id), or None
dict: a dict of errors, or None
int: the HTTPStatus error code, or None
}
"""
payment_svc_url = current_app.config.get('PAYMENT_SVC_URL')
mailing_address = business.mailing_address.one_or_none()
payload = {
'paymentInfo': {'methodOfPayment': 'CC'},
'businessInfo': {
'businessIdentifier': f'{business.identifier}',
'corpType': f'{business.identifier[:-7]}',
'businessName': f'{business.legal_name}',
'contactInfo': {'city': mailing_address.city,
'postalCode': mailing_address.postal_code,
'province': mailing_address.region,
'addressLine1': mailing_address.street,
'country': mailing_address.country}
},
'filingInfo': {
'filingTypes': filing_types
}
}
if user_jwt.validate_roles([STAFF_ROLE]):
routing_slip_number = get_str(filing.filing_json, 'filing/header/routingSlipNumber')
if routing_slip_number:
payload['accountInfo'] = {'routingSlip': routing_slip_number}
try:
token = user_jwt.get_token_auth_header()
headers = {'Authorization': 'Bearer ' + token}
rv = requests.post(url=payment_svc_url,
json=payload,
headers=headers,
timeout=20.0)
except (exceptions.ConnectionError, exceptions.Timeout) as err:
current_app.logger.error(f'Payment connection failure for {business.identifier}: filing:{filing.id}', err)
return {'message': 'unable to create invoice for payment.'}, HTTPStatus.PAYMENT_REQUIRED
if rv.status_code == HTTPStatus.OK or rv.status_code == HTTPStatus.CREATED:
pid = rv.json().get('id')
filing.payment_token = pid
filing.save()
return None, None
return {'message': 'unable to create invoice for payment.'}, HTTPStatus.PAYMENT_REQUIRED
def authorized_token( # pylint: disable=too-many-return-statements
identifier: str, jwt: JwtManager, action: List[str]) -> bool:
"""Assert that the user is authorized to submit API requests for a particular action."""
if not action or not identifier or not jwt:
return False
# All users including staff must have the PPR role.
if not jwt.validate_roles([PPR_ROLE]):
return False
if jwt.has_one_of_roles([BASIC_USER, PRO_DATA_USER]):
template_url = current_app.config.get('AUTH_SVC_URL')
auth_url = template_url.format(**vars())
token = jwt.get_token_auth_header()
headers = {'Authorization': 'Bearer ' + token}
try:
http = Session()
retries = Retry(total=5,
backoff_factor=0.1,
status_forcelist=[500, 502, 503, 504])
http.mount('http://', HTTPAdapter(max_retries=retries))
rv = http.get(url=auth_url, headers=headers)
if rv.status_code != HTTPStatus.OK \
or not rv.json().get('roles'):
return False
if all(elem.lower() in rv.json().get('roles') for elem in action):
return True
except (
exceptions.ConnectionError, # pylint: disable=broad-except
exceptions.Timeout,
ValueError,
Exception) as err:
current_app.logger.error(
f'template_url {template_url}, svc:{auth_url}')
current_app.logger.error(
f'Authorization connection failure for {identifier}, using svc:{auth_url}',
err)
return False
return False
def _create_invoice(business: Business, # pylint: disable=too-many-locals
filing: Filing,
filing_types: list,
user_jwt: JwtManager,
payment_account_id: str = None) \
-> Tuple[int, dict, int]:
"""Create the invoice for the filing submission.
Returns: {
int: the paymentToken (id), or None
dict: a dict of errors, or None
int: the HTTPStatus error code, or None
}
"""
payment_svc_url = current_app.config.get('PAYMENT_SVC_URL')
if filing.filing_type == Filing.FILINGS[
'incorporationApplication'].get('name'):
mailing_address = Address.create_address(
filing.json['filing']['incorporationApplication']['offices']
['registeredOffice']['mailingAddress'])
corp_type = filing.json['filing']['business'].get(
'legalType', Business.LegalTypes.BCOMP.value)
try:
business.legal_name = filing.json['filing'][
'incorporationApplication']['nameRequest']['legalName']
except KeyError:
business.legal_name = business.identifier
else:
mailing_address = business.mailing_address.one_or_none()
corp_type = business.legal_type if business.legal_type else \
filing.json['filing']['business'].get('legalType')
payload = {
'businessInfo': {
'businessIdentifier': f'{business.identifier}',
'corpType': f'{corp_type}',
'businessName': f'{business.legal_name}',
'contactInfo': {
'city': mailing_address.city,
'postalCode': mailing_address.postal_code,
'province': mailing_address.region,
'addressLine1': mailing_address.street,
'country': mailing_address.country
}
},
'filingInfo': {
'filingTypes': filing_types
}
}
folio_number = filing.json['filing']['header'].get('folioNumber', None)
if folio_number:
payload['filingInfo']['folioNumber'] = folio_number
if user_jwt.validate_roles([STAFF_ROLE]) or \
user_jwt.validate_roles([SYSTEM_ROLE]):
account_info = {}
routing_slip_number = get_str(filing.filing_json,
'filing/header/routingSlipNumber')
if routing_slip_number:
account_info['routingSlip'] = routing_slip_number
bcol_account_number = get_str(filing.filing_json,
'filing/header/bcolAccountNumber')
if bcol_account_number:
account_info['bcolAccountNumber'] = bcol_account_number
dat_number = get_str(filing.filing_json, 'filing/header/datNumber')
if dat_number:
account_info['datNumber'] = dat_number
if account_info:
payload['accountInfo'] = account_info
try:
token = user_jwt.get_token_auth_header()
headers = {
'Authorization': 'Bearer ' + token,
'Content-Type': 'application/json'
}
rv = requests.post(url=payment_svc_url,
json=payload,
headers=headers,
timeout=20.0)
except (exceptions.ConnectionError, exceptions.Timeout) as err:
current_app.logger.error(
f'Payment connection failure for {business.identifier}: filing:{filing.id}',
err)
return {
'message': 'unable to create invoice for payment.'
}, HTTPStatus.PAYMENT_REQUIRED
if rv.status_code in (HTTPStatus.OK, HTTPStatus.CREATED):
pid = rv.json().get('id')
filing.payment_token = pid
filing.payment_status_code = rv.json().get('statusCode', '')
filing.payment_account = payment_account_id
filing.save()
return {
'isPaymentActionRequired':
rv.json().get('isPaymentActionRequired', False)
}, HTTPStatus.CREATED
if rv.status_code == HTTPStatus.BAD_REQUEST:
# Set payment error type used to retrieve error messages from pay-api
error_type = rv.json().get('type')
filing.payment_status_code = error_type
filing.save()
return {
'payment_error_type': error_type,
'message': rv.json().get('detail')
}, HTTPStatus.PAYMENT_REQUIRED
return {
'message': 'unable to create invoice for payment.'
}, HTTPStatus.PAYMENT_REQUIRED