Exemplo n.º 1
0
    def wrap(request, *args, **kwargs):

        # Check for current user
        if not request.user or not request.user.is_authenticated:
            return unauthorized_response(request)

        # Get the payload
        payload = authn.get_jwt_payload(request, verify=False)

        # Check claims in the JWT first, as it is least costly.
        if authz.jwt_has_authz(payload, authz.JWT_AUTHZ_GROUPS,
                               dbmi_settings.AUTHZ_ADMIN_GROUP):
            return view(request, *args, **kwargs)

        # Get their email address
        email = authn.get_jwt_email(request, verify=False)

        # Now consult the AuthZ server
        if authz.has_permission(request, email, dbmi_settings.CLIENT,
                                dbmi_settings.AUTHZ_ADMIN_PERMISSION):
            return view(request, *args, **kwargs)

        # Possibly store these elsewhere for records
        # TODO: Figure out a better way to flag failed access attempts
        logger.warning("{} Failed {} permission on {}".format(
            email, dbmi_settings.AUTHZ_ADMIN_PERMISSION, dbmi_settings.CLIENT))

        raise PermissionDenied
Exemplo n.º 2
0
    def test_authz_no_response(self):

        # Build the request
        request = self.build_request("/some/page/")

        # Build the response handler
        responses.add(responses.GET, self.authz_url_pattern, json={"error": "not found"}, status=404)

        # Build the call
        has_authz = authz.has_permission(request, self.user.email, "item", "admin", check_parents=True)

        # Check it
        self.assertGreaterEqual(len(responses.calls), 1)
        self.assertFalse(has_authz)
Exemplo n.º 3
0
    def test_authz_no_perm(self):

        # Build the request
        request = self.build_request("/some/page/")

        # Build the response handler
        responses.add(
            responses.GET,
            self.authz_url_pattern,
            json={"results": [{"item": "someitem", "permission": "admin", "email": self.user.email}]},
            status=200,
        )

        # Build the call
        has_authz = authz.has_permission(request, self.user.email, "item", "admin", check_parents=True)

        # Check it
        self.assertGreaterEqual(len(responses.calls), 1)
        self.assertFalse(has_authz)
Exemplo n.º 4
0
        def wrap(request, *args, **kwargs):

            # Check for current user
            if not request.user or not request.user.is_authenticated:
                return unauthorized_response(request)

            # Get their email address
            email = authn.get_jwt_email(request, verify=False)

            # Check permission
            if authz.has_permission(request, email, item, permission):
                return view(request, *args, **kwargs)

            # Possibly store these elsewhere for records
            # TODO: Figure out a better way to flag failed access attempts
            logger.warning("{} Failed {} permission on {}".format(
                email, permission, dbmi_settings.CLIENT))

            # Forbid if nothing else
            raise PermissionDenied