From ee516ab3dd60de0ad5d11fca9837f0ab25efd684 Mon Sep 17 00:00:00 2001
From: Matt Odden
Date: Thu, 9 Sep 2021 17:41:46 +0000
Subject: [PATCH] Apply fixes from integration testing
---
 example.py | 6 +++---
 ibmcloud_iam/pdp.py | 6 +++---
 ibmcloud_iam/token.py | 12 ++++++++----
 setup.py | 2 +-
 4 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/example.py b/example.py
index 2170805..16debd8 100644
--- a/example.py
+++ b/example.py
@@ -16,7 +16,7 @@ import os
 from ibmcloud_iam import pdp as pdpapi
-from ibmcloud_iam.token import TokenManager
+import ibmcloud_iam.token
 def main():
@@ -26,8 +26,8 @@ def main():
     # this gets a user token for our example to be complete,
     # normally 'user_token' is sent by a client to your service
     # inside the client requests (HTTP Authorization Header)
-    tm = TokenManager(api_key, iam_endpoint=endpoint)
 api_key = os.environ.get("IBMCLOUD_API_KEY")
+    tm = ibmcloud_iam.token.TokenManager(api_key, iam_endpoint=endpoint)
 user_token = tm.get_token()
 # validate the user token, it also returns the validated claims
@@ -73,7 +73,7 @@ def main():
     # print the full body response from PDP
     # the "permitted" field on the response is a boolean indicating
     # if the request is authorized or not
-    print(json.dumps(resp), indent=4, sort_keys=True)
+    print(json.dumps(resp, indent=4, sort_keys=True))
 if __name__ == "__main__":
diff --git a/ibmcloud_iam/pdp.py b/ibmcloud_iam/pdp.py
index fd10678..a651700 100644
--- a/ibmcloud_iam/pdp.py
+++ b/ibmcloud_iam/pdp.py
@@ -83,10 +83,10 @@ def is_authorized(self, subject, action, resource):
         """
         resp = self._is_authorized(subject, action, resource)
         resp.raise_for_status()
-        return resp.json()
+        return resp.json()["responses"][0]["authorizationDecision"]
 def subject_as_attributes(self, token: str):
-        claims = tapi.validate_token(token, self._endpoint + "/identity/keys")
+        claims = tapi.validate_token(token, self._endpoint)
 if "iam_id" not in claims:
 raise ValueError("Token missing 'iam_id' claim.")
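Review bot: The reordered `api_key = os.environ.get("IBMCLOUD_API_KEY")` still lets an unset variable flow into TokenManager as None, so a missing environment fails later inside the token request with an error that does not name the actual cause. A one-line guard before the manager is constructed keeps the example honest about its prerequisite: `if not api_key: raise SystemExit("IBMCLOUD_API_KEY is not set")`. main() starts and ends outside this hunk.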
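Review bot: The comment `# print the full body response from PDP` kept above the corrected print call no longer matches what this same patch makes `is_authorized()` return, which is only `responses[0]["authorizationDecision"]` rather than the full body; whether `resp` here is that return value is inferred, since its assignment sits outside the hunk. If it is, `# print the authorization decision returned by PDP` describes the output, and the following sentence about the "permitted" field should be checked against the decision object's actual keys. main() continues outside this hunk.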
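Review bot: The new `return resp.json()["responses"][0]["authorizationDecision"]` indexes into the PDP body without checking its shape, so an empty `responses` list, a missing key or a non-JSON body surfaces to callers of an authorization check as a bare IndexError, KeyError or ValueError. Failing closed is the right outcome, but the error should name the cause, and the docstring whose closing `"""` opens the hunk (its body is outside the hunk) still needs to say the method now returns only the decision object, not the full body. The same endpoint-argument change in subject_as_attributes is fine as long as it matches the new validate_token signature in token.py.
```python
        # … unchanged: docstring close and _is_authorized call …
        resp.raise_for_status()
        try:
            return resp.json()["responses"][0]["authorizationDecision"]
        except (ValueError, KeyError, IndexError) as err:
            # fail closed with a descriptive error instead of a bare lookup failure
            raise ValueError("Unexpected PDP response shape") from err
        # … unchanged: subject_as_attributes …
```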
@@ -98,6 +98,6 @@ def subject_as_attributes(self, token: str):
 def subject_as_token_body(self, token: str):
 # this method is simpler but doesn't match up with the responses that we are caching
-        _ = tapi.validate_token(token, self._endpoint + "/identity/keys")
+        _ = tapi.validate_token(token, self._endpoint)
 _, body, _ = token.split(".")
 return {"accessTokenBody": body}
diff --git a/ibmcloud_iam/token.py b/ibmcloud_iam/token.py
index 77f6089..0856488 100644
--- a/ibmcloud_iam/token.py
+++ b/ibmcloud_iam/token.py
@@ -20,13 +20,17 @@ from redstone.auth import TokenManager # noqa: F401
-DEFAULT_IAM_KEY_URL = "https://iam.cloud.ibm.com/identity/keys"
+DEFAULT_IAM_ENDPOINT = "https://iam.cloud.ibm.com"
 EXPIRE_LEEWAY = 5 # seconds
-def validate_token(token: str, iam_key_url: Optional[str] = None) -> Dict:
- if iam_key_url is None:
- iam_key_url = DEFAULT_IAM_KEY_URL
+def validate_token(token: str, iam_endpoint: Optional[str] = None) -> Dict:
+ _key_path = "/identity/keys"
+
+ if iam_endpoint is None:
+ iam_endpoint = DEFAULT_IAM_ENDPOINT
+
+ iam_key_url = iam_endpoint + _key_path
 kc = jwt.PyJWKClient(iam_key_url)
diff --git a/setup.py b/setup.py
index 1fa1aaf..ef7cde4 100644
--- a/setup.py
+++ b/setup.py
@@ -19,7 +19,7 @@ setup(
 name="ibmcloud-iam",
- version="0.1.1",
+ version="0.1.2",
 author="Mathew Odden",
 author_email="mrodden@us.ibm.com",
 url="https://github.com/mrodden/ibmcloud-iam-python-client",
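Review bot: Renaming the second parameter of validate_token from `iam_key_url` to `iam_endpoint` breaks any caller that passed it by keyword (`validate_token(tok, iam_key_url=...)` now raises TypeError), while setup.py moves only 0.1.1 to 0.1.2, which does not signal that; either keep `iam_key_url` as a deprecated alias or bump beyond the patch level. The join `iam_key_url = iam_endpoint + _key_path` also produces `//identity/keys` when a caller passes an endpoint with a trailing slash; `iam_key_url = iam_endpoint.rstrip("/") + _key_path` avoids it. Because this URL is where the signing keys every token is checked against are fetched from, it is worth rejecting a non-https endpoint here rather than letting `jwt.PyJWKClient` retrieve keys over plaintext. validate_token's body continues past the end of the hunk.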