def test_non_aarc_entitlement(self, actual_group):
required_group = "urn:geant:h-df.de:group:aai-admin"
req_entitlement = Aarc_g002_entitlement(required_group, strict=False)
act_entitlement = Aarc_g002_entitlement(actual_group,
strict=False,
force=False)
assert not req_entitlement.is_contained_in(act_entitlement)
def test_equality(self):
required_group = "urn:geant:h-df.de:group:aai-admin:role = member#unity.helmholtz-data-federation.de"
actual_group = "urn:geant:h-df.de:group:aai-admin:role = member#unity.helmholtz-data-federation.de"
req_entitlement = Aarc_g002_entitlement(required_group)
act_entitlement = Aarc_g002_entitlement(actual_group)
assert act_entitlement == req_entitlement
assert req_entitlement.is_contained_in(act_entitlement)
def test_order_of_subgroups_out_of_bounds_equality(self):
required_group = "urn:geant:h-df.de:group:aai-admin:subgroup1:subgroup2:subgroup3:role=member#unity.helmholtz-data-federation.de"
actual_group = "urn:geant:h-df.de:group:aai-admin:subgroup1:subgroup2:role=member#unity.helmholtz-data-federation.de"
req_entitlement = Aarc_g002_entitlement(required_group)
act_entitlement = Aarc_g002_entitlement(actual_group)
assert act_entitlement != req_entitlement
assert not req_entitlement.is_contained_in(act_entitlement)
def test_subgroup_required(self):
required_group = "urn:geant:h-df.de:group:aai-admin:special-admins#unity.helmholtz-data-federation.de"
actual_group = (
"urn:geant:h-df.de:group:aai-admin#backupserver.used.for.developmt.de"
)
req_entitlement = Aarc_g002_entitlement(required_group)
act_entitlement = Aarc_g002_entitlement(actual_group)
assert not req_entitlement.is_contained_in(act_entitlement)
def e_expander(es):
"""Helper function to catch exceptions in list comprehension"""
try:
return Aarc_g002_entitlement(es, strict=False)
except ValueError:
return None
except Aarc_g002_entitlement_ParseError:
return None
except Aarc_g002_entitlement_Error:
return None
def test_failure_incomplete_invalid_entitlement(self):
required_group = "urn:geant:h-df.de"
with pytest.raises(ValueError):
Aarc_g002_entitlement(required_group)
def test_failure_incomplete_but_valid_entitlement(self, required_group):
Aarc_g002_entitlement(required_group, strict=False)
def test_foreign_entitlement(self, required_group, actual_group):
actual_group = "urn:geant:kit.edu:group:bwUniCluster"
req_entitlement = Aarc_g002_entitlement(required_group, strict=False)
act_entitlement = Aarc_g002_entitlement(actual_group, strict=False)
assert not req_entitlement.is_contained_in(act_entitlement)
def test_user_in_subgroup(self):
required_group = "urn:geant:h-df.de:group:aai-admin"
actual_group = "urn:geant:h-df.de:group:aai-admin:special-admins#backupserver.used.for.developmt.de"
req_entitlement = Aarc_g002_entitlement(required_group, strict=False)
act_entitlement = Aarc_g002_entitlement(actual_group)
assert req_entitlement.is_contained_in(act_entitlement)
def test_role_not_required(self):
required_group = "urn:geant:h-df.de:group:aai-admin#unity.helmholtz-data-federation.de"
actual_group = "urn:geant:h-df.de:group:aai-admin:role=member#backupserver.used.for.developmt.de"
req_entitlement = Aarc_g002_entitlement(required_group)
act_entitlement = Aarc_g002_entitlement(actual_group)
assert req_entitlement.is_contained_in(act_entitlement)
def test_subgroup_required_and_available(self):
required_group = "urn:geant:h-df.de:group:m-team:feudal-developers"
actual_group = "urn:geant:h-df.de:group:m-team:feudal-developers#login.helmholtz.de"
req_entitlement = Aarc_g002_entitlement(required_group, strict=False)
act_entitlement = Aarc_g002_entitlement(actual_group, strict=False)
assert req_entitlement.is_contained_in(act_entitlement)
def test_intentional_authority_mismatch_2(self):
required_group = "urn:geant:h-df.de:group:aai-admin"
actual_group = "urn:geant:h-df.de:group:aai-admin#totally_different_authority"
req_entitlement = Aarc_g002_entitlement(required_group, strict=False)
act_entitlement = Aarc_g002_entitlement(actual_group, strict=False)
assert req_entitlement.is_contained_in(act_entitlement)
def test_failure_incomplete_invalid_entitlement(self):
required_group = "urn:geant:h-df.de"
with pytest.raises(Aarc_g002_entitlement_ParseError):
Aarc_g002_entitlement(required_group, raise_error_if_unparseable=True)
def test_non_aarc_entitlement(self, actual_group):
with pytest.raises(Aarc_g002_entitlement_ParseError):
Aarc_g002_entitlement(actual_group, strict=False, raise_error_if_unparseable=False)
def wrapper(*args, **kwargs):
# get request from wrapped function params
request = kwargs.get("request", None)
if request is None:
self.set_last_error("No request object found.")
logging.getLogger(__name__).error(f"{self.get_last_error()}")
return self._return_formatter_wf(f"{self.get_last_error()}",
400)
# get OP from request
op_url = self.get_iss_from_request(request)
if op_url is None:
logging.getLogger(__name__).error(self.get_last_error())
return self._return_formatter_wf(
f"No issuer found in AT: {self.get_last_error()}", 401)
# get authorisation info for this OP
op_authz = self.__authorisation.get(canonical_url(op_url), None)
# if OP not supported:
if op_authz is None:
msg = f"The token issuer is not supported on this service: {op_url}"
logging.getLogger(__name__).info(msg)
return self._return_formatter_wf(msg, 403)
# if all users from this OP are authorised,
# it is sufficient to require login, which validates the token
# at the userinfo endpoint
if to_bool(op_authz.get('authorise_all', 'False')):
logging.getLogger(__name__).warning(
f"Authorising all users from {op_url}."
"We recommend setting the authorised_vos field in motley_cue.conf."
)
@self.login_required()
async def tmp(*args, **kwargs):
return await func(*args, **kwargs)
return tmp(*args, **kwargs)
# if this user is specifically authorised,
# it is sufficient to require login, which validates the token
# at the userinfo endpoint
authorised_users = to_list(op_authz.get('authorised_users', '[]'))
sub = self.get_sub_from_request(request)
if len(authorised_users) > 0:
if sub is None:
logging.getLogger(__name__).error(self.get_last_error())
return self._return_formatter_wf(
f"No sub found in AT: {self.get_last_error()}", 401)
if sub in authorised_users:
logging.getLogger(__name__).debug(
f"User {sub} is individually authorised by sub.")
@self.login_required()
async def tmp(*args, **kwargs):
return await func(*args, **kwargs)
return tmp(*args, **kwargs)
logging.getLogger(__name__).debug(
f"User {sub} is not individually authorised by sub.")
else:
logging.getLogger(__name__).debug(
"No individual users authorised by sub.")
# if authorised VOs are specified, try to authorise based on VOs
# this depends on the type of VO: AARC-G002 compatible or not
# HACKY: if at least on of the provided groups is not compatible with AARC-G002,
# treat them all as normal groups
# possible FIX: flaat should deal with it and provide a uniform interface to check
# VO membership for mixed lists of VOs
authorised_vos = to_list(op_authz.get('authorised_vos', '[]'))
if len(authorised_vos) > 0:
try:
logging.getLogger(__name__).debug(
f"Trying VO-based authorisation for user {sub}; list of authorised VOs: {authorised_vos}."
)
_ = [
Aarc_g002_entitlement(vo, strict=False)
for vo in authorised_vos
]
@self.aarc_g002_entitlement_required(
entitlement=authorised_vos,
claim=op_authz['vo_claim'],
match=op_authz['vo_match'])
async def tmp(*args, **kwargs):
return await func(*args, **kwargs)
return tmp(*args, **kwargs)
except Aarc_g002_entitlement_Error:
logging.getLogger(__name__).warning(
"The provided VOs are not compatible with AARC G002.")
@self.group_required(group=authorised_vos,
claim=op_authz['vo_claim'],
match=op_authz['vo_match'])
async def tmp(*args, **kwargs):
return await func(*args, **kwargs)
return tmp(*args, **kwargs)
else:
logging.getLogger(__name__).debug(
"No authorised VOs specified.")
# user not authorised
logging.getLogger(__name__).info(
f"User {sub} from {op_url} was not authorised to access the service."
)
return self._return_formatter_wf(
"Forbidden: you are not authorised to access this service",
403)
