def authorized( # pylint: disable=too-many-return-statements
identifier: str, jwt: JwtManager, action: List[str]) -> bool:
"""Assert that the user is authorized to create filings against the business identifier."""
# if they are registry staff, they are always authorized
if not action or not identifier or not jwt:
return False
if jwt.validate_roles([STAFF_ROLE]) \
or jwt.validate_roles([SYSTEM_ROLE]) \
or jwt.validate_roles([COLIN_SVC_ROLE]):
return True
if jwt.has_one_of_roles([BASIC_USER, PUBLIC_USER]):
# if the action is create_comment or courtOrder/registrarsNotation/registrarsOrder filings
# disallow - only staff are allowed
staff_only_actions = [
'add_comment', 'court_order', 'registrars_notation',
'registrars_order'
]
if any(elem in action for elem in staff_only_actions):
return False
template_url = current_app.config.get('AUTH_SVC_URL')
auth_url = template_url.format(**vars())
token = jwt.get_token_auth_header()
headers = {'Authorization': 'Bearer ' + token}
try:
http = Session()
retries = Retry(total=5,
backoff_factor=0.1,
status_forcelist=[500, 502, 503, 504])
http.mount('http://', HTTPAdapter(max_retries=retries))
rv = http.get(url=auth_url, headers=headers)
if rv.status_code != HTTPStatus.OK \
or not rv.json().get('roles'):
return False
if all(elem.lower() in rv.json().get('roles') for elem in action):
return True
except (
exceptions.ConnectionError, # pylint: disable=broad-except
exceptions.Timeout,
ValueError,
Exception) as err:
current_app.logger.error(
f'template_url {template_url}, svc:{auth_url}')
current_app.logger.error(
f'Authorization connection failure for {identifier}, using svc:{auth_url}',
err)
return False
return False
def authorized_token( # pylint: disable=too-many-return-statements
identifier: str, jwt: JwtManager, action: List[str]) -> bool:
"""Assert that the user is authorized to submit API requests for a particular action."""
if not action or not identifier or not jwt:
return False
# All users including staff must have the PPR role.
if not jwt.validate_roles([PPR_ROLE]):
return False
if jwt.has_one_of_roles([BASIC_USER, PRO_DATA_USER]):
template_url = current_app.config.get('AUTH_SVC_URL')
auth_url = template_url.format(**vars())
token = jwt.get_token_auth_header()
headers = {'Authorization': 'Bearer ' + token}
try:
http = Session()
retries = Retry(total=5,
backoff_factor=0.1,
status_forcelist=[500, 502, 503, 504])
http.mount('http://', HTTPAdapter(max_retries=retries))
rv = http.get(url=auth_url, headers=headers)
if rv.status_code != HTTPStatus.OK \
or not rv.json().get('roles'):
return False
if all(elem.lower() in rv.json().get('roles') for elem in action):
return True
except (
exceptions.ConnectionError, # pylint: disable=broad-except
exceptions.Timeout,
ValueError,
Exception) as err:
current_app.logger.error(
f'template_url {template_url}, svc:{auth_url}')
current_app.logger.error(
f'Authorization connection failure for {identifier}, using svc:{auth_url}',
err)
return False
return False