def test_is_user_authorized_exception(mock_geu, users, authorized):
    """A non-employee who appears in the exceptions group is authorized.

    ``mock_geu`` is a patched helper made to return ``users`` (presumably
    the members of the configured exceptions group — verify against the
    fixture); ``authorized`` is the outcome expected for the
    ``jlennon`` / ``Contractor`` case.
    """
    mock_geu.return_value = users
    flask_app = create_app('estuary.config.TestAuthConfig')
    # Pin the exceptions-group DN so the lookup path is exercised under a
    # known, test-only value rather than whatever the config ships with.
    flask_app.config['LDAP_EXCEPTIONS_GROUP_DN'] = 'cn=something,dc=domain,dc=local'
    with flask_app.app_context():
        result = is_user_authorized('jlennon', 'Contractor')
    assert result is authorized
def wrapper(*args, **kwargs):
    """Gate the wrapped view ``f`` behind bearer-token authentication.

    When ``ENABLE_AUTH`` is off in the app config the view runs unchanged.
    Otherwise the request must carry an ``Authorization: Bearer <token>``
    header; the token is checked with ``current_app.oidc.validate_token``
    and the introspected ``username`` / ``employeeType`` must pass
    ``is_user_authorized``. Every failure raises ``Unauthorized`` before
    ``f`` is invoked, so no view code runs for an unauthenticated caller.
    """
    if not current_app.config['ENABLE_AUTH']:
        return f(*args, **kwargs)

    if 'Authorization' not in request.headers:
        raise Unauthorized(
            'An "Authorization" header wasn\'t provided')

    scheme = 'Bearer '
    header_value = request.headers['Authorization'].strip()
    # The scheme match is exact (case-sensitive, single trailing space).
    if not header_value.startswith(scheme):
        raise Unauthorized(
            'The "Authorization" header must start with "{0}"'.format(
                scheme.rstrip()))
    bearer_token = header_value[len(scheme):]

    # Keycloak's introspection endpoint doesn't report scopes, so none are
    # required here; the employee / exceptions checks below stand in for
    # scope-based authorization.
    validity = current_app.oidc.validate_token(bearer_token, [])
    if validity is not True:
        # Anything other than the literal True is treated as a failure and
        # surfaced as the 401 message.
        raise Unauthorized(validity)

    # NOTE(review): _get_token_info is a private helper of the oidc object;
    # its return shape is assumed to be a dict of introspection claims.
    claims = current_app.oidc._get_token_info(bearer_token)
    # NOTE(review): either claim may be missing, in which case None reaches
    # is_user_authorized — confirm it rejects that rather than matching it.
    username = claims.get('username')
    employee_type = claims.get('employeeType')
    if not is_user_authorized(username, employee_type):
        raise Unauthorized(
            'You must be an employee to access this service')

    return f(*args, **kwargs)
def test_is_user_authorized_with_employee(employeeType, authorized):
    """Only employees are authorized.

    ``employeeType`` is the value handed to ``is_user_authorized`` and
    ``authorized`` the outcome expected for it.
    """
    flask_app = create_app('estuary.config.TestAuthConfig')
    with flask_app.app_context():
        result = is_user_authorized('jlennon', employeeType)
    assert result is authorized