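def assert_authorized(user, actions, resources, context_entries=None):
    """Assert that *user* may perform *actions* on *resources*.

    The user's authorization parameters are fetched via ``User(user).get_authz_params()``
    and the ``IAMPolicy`` they contain is evaluated by ``evaluate_policy`` together with
    the caller-supplied context entries and the restricted entries derived from those
    authorization parameters (``restricted_context_entries``).

    :param user: identifier handed to ``User`` and passed through to ``evaluate_policy``.
    :param actions: actions to authorize; passed through unchanged to ``evaluate_policy``.
    :param resources: resources to authorize against; passed through unchanged.
    :param context_entries: optional list of extra context entries for policy evaluation.
        The caller's list is copied, never mutated.
    :return: ``None``; returning normally means the request is authorized.
    :raises FusilladeForbiddenException: when the authorization parameters cannot be
        obtained (``AuthorizationException``) or when the policy evaluation result is false.
    """
    u = User(user)
    # Work on a private copy: the restricted entries appended below must not leak back
    # into a list the caller may reuse for a later request.
    entries = list(context_entries) if context_entries else []
    try:
        authz_params = u.get_authz_params()
    except AuthorizationException as err:
        raise FusilladeForbiddenException(
            detail="User must be enabled to make authenticated requests.") from err
    # Restricted entries are appended after the caller's entries. Whether evaluate_policy
    # lets later entries override earlier ones is not visible here — confirm before
    # relying on callers being unable to shadow a restricted key.
    entries.extend(restricted_context_entries(authz_params))
    decision = evaluate_policy(
        user, actions, resources, authz_params['IAMPolicy'], context_entries=entries)
    if not decision['result']:
        logger.info(dict(message="User not authorized.", user=u._path_name,
                         action=actions, resources=resources))
        raise FusilladeForbiddenException()
    logger.info(dict(message="User authorized.", user=u._path_name,
                     action=actions, resources=resources))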
def test_get_user_policy(self):
    """Check that looking up a ``User`` provisions it with the default policies.

    Three sub-tests share one user name: the first lookup provisions the user on
    demand and its IAM policy documents equal ``default_user_policies``; calling
    ``provision_user`` again for that name raises ``FusilladeHTTPException``; and
    instantiating ``User`` a second time yields the same default policy documents.
    """
    name = "*****@*****.**"

    def policy_documents(subject):
        # Policy documents attached to the subject's IAMPolicy authorization params.
        return [entry['policy_document'] for entry in subject.get_authz_params()['IAMPolicy']]

    subject = User(name)
    with self.subTest(
            "new user is automatically provisioned on demand with default settings when "
            "lookup_policy is called for a new user."):
        self.assertJSONListEqual(policy_documents(subject), self.default_user_policies)
    with self.subTest(
            "error is returned when provision_user is called for an existing user"
    ):
        self.assertRaises(FusilladeHTTPException, subject.provision_user, name)
    with self.subTest(
            "an existing users info is retrieved when instantiating User class for an existing user"
    ):
        subject = User(name)
        self.assertJSONListEqual(policy_documents(subject), self.default_user_policies)