示例#1
0
def test_is_user_authorized_exception(mock_geu, users, authorized):
    """A non-employee who is a member of the exceptions group is authorized.

    ``mock_geu`` is patched to return ``users`` as the members of the
    configured ``LDAP_EXCEPTIONS_GROUP_DN``; ``authorized`` is the expected
    outcome for the contractor ``jlennon``.
    """
    mock_geu.return_value = users
    exceptions_group_dn = 'cn=something,dc=domain,dc=local'
    app = create_app('estuary.config.TestAuthConfig')
    app.config.update(LDAP_EXCEPTIONS_GROUP_DN=exceptions_group_dn)
    with app.app_context():
        result = is_user_authorized('jlennon', 'Contractor')
    assert result is authorized
示例#2
0
    def wrapper(*args, **kwargs):
        """Enforce bearer-token authentication before calling the wrapped view.

        When ``ENABLE_AUTH`` is off the view runs directly. Otherwise the
        ``Authorization`` header must carry a ``Bearer`` token that the OIDC
        client accepts, and the user it describes must pass
        ``is_user_authorized``; every failed step raises ``Unauthorized``.
        """
        if not current_app.config['ENABLE_AUTH']:
            return f(*args, **kwargs)

        header = request.headers.get('Authorization')
        if header is None:
            raise Unauthorized('An "Authorization" header wasn\'t provided')

        scheme = 'Bearer '
        raw = header.strip()
        if not raw.startswith(scheme):
            raise Unauthorized(
                'The "Authorization" header must start with "{scheme}"'.format(
                    scheme=scheme.rstrip()))
        token = raw[len(scheme):]

        # Keycloak's introspection endpoint does not report scopes, so none are
        # demanded here; the employee check below is the authorization step.
        validity = current_app.oidc.validate_token(token, [])
        if validity is not True:
            raise Unauthorized(validity)

        token_info = current_app.oidc._get_token_info(token)
        # NOTE(review): both claims fall back to None when missing from the
        # token info; how is_user_authorized treats None is decided elsewhere.
        if not is_user_authorized(token_info.get('username'),
                                  token_info.get('employeeType')):
            raise Unauthorized('You must be an employee to access this service')
        return f(*args, **kwargs)
示例#3
0
def test_is_user_authorized_with_employee(employeeType, authorized):
    """Only users whose ``employeeType`` marks them as employees are authorized.

    ``authorized`` is the expected outcome for ``jlennon`` with the given
    ``employeeType``.
    """
    app = create_app('estuary.config.TestAuthConfig')
    with app.app_context():
        result = is_user_authorized('jlennon', employeeType)
    assert result is authorized