PXP-10358 Support client tokens in list endpoint (#48)

uc-cdis · Oct 17, 2022 · a5078fa · a5078fa
1 parent 1aa2762
commit a5078fa
Show file tree

Hide file tree

Showing 9 changed files with 450 additions and 202 deletions.
diff --git a/gen3authz-2.0.0.tar.gz b/gen3authz-2.0.0.tar.gz
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -16,7 +16,7 @@ alembic = "^1.4.2"
 authutils = "^6.2.1"
 cdislogging = "^1.0.0"
 fastapi = "^0.65.0"
-gen3authz = "^2.0.0"
+gen3authz = { path = "./gen3authz-2.0.0.tar.gz"}
 gen3config = "^1.0.0"
 httpx = ">=0.20.0,<1.0.0"
 jsonschema = "^4.6.0"

diff --git a/src/requestor/routes/query.py b/src/requestor/routes/query.py
@@ -5,6 +5,7 @@
 from starlette.status import (
     HTTP_200_OK,
     HTTP_400_BAD_REQUEST,
+    HTTP_401_UNAUTHORIZED,
     HTTP_403_FORBIDDEN,
     HTTP_404_NOT_FOUND,
 )
@@ -106,10 +107,19 @@ async def list_requests(
 
     # get the resources the current user has access to see
     token_claims = await auth.get_token_claims()
-    # TODO update this endpoint to accept client tokens. We need to get the
-    # auth mapping for the client instead of the user
-    username = token_claims["context"]["user"]["name"]
-    authz_mapping = await api_request.app.arborist_client.auth_mapping(username)
+    username = token_claims.get("context", {}).get("user", {}).get("name")
+    if username:
+        authz_mapping = await api_request.app.arborist_client.auth_mapping(username)
+    else:
+        client_id = token_claims.get("azp")
+        if not client_id:
+            raise HTTPException(
+                HTTP_401_UNAUTHORIZED,
+                "The provided token does not include a username or a client ID",
+            )
+        authz_mapping = await api_request.app.arborist_client.client_auth_mapping(
+            client_id
+        )
     authorized_resource_paths = [
         resource_path
         for resource_path, access in authz_mapping.items()

diff --git a/tests/test_actions.py b/tests/test_actions.py
@@ -227,7 +227,7 @@ def test_backoff_retry(client):
         assert mock_requests.post.call_count == config["DEFAULT_MAX_RETRIES"]
 
 
-def test_create_request_failure_revert(client, access_token_user_only_patcher):
+def test_create_request_failure_revert(client):
     """
     If something goes wrong during an external call, access should not be
     granted, the request should not be created and we should get a 500.

diff --git a/tests/test_manage.py b/tests/test_manage.py
@@ -111,9 +111,7 @@ def test_create_duplicate_request(client):
     assert res.status_code == 201, res.text
 
 
-def test_create_request_without_access(
-    client, mock_arborist_requests, access_token_user_only_patcher
-):
+def test_create_request_without_access(client, mock_arborist_requests):
     fake_jwt = "1.2.3"
     mock_arborist_requests(authorized=False)
 

diff --git a/tests/test_manage_resource_path.py b/tests/test_manage_resource_path.py
@@ -317,7 +317,6 @@ def test_create_request_without_access(
     client,
     mock_arborist_requests,
     list_roles_patcher,
-    access_token_user_only_patcher,
 ):
     fake_jwt = "1.2.3"
     mock_arborist_requests(authorized=False)

diff --git a/tests/test_query.py b/tests/test_query.py
@@ -39,7 +39,7 @@ def test_create_and_get_request(client):
     assert res.json() == request_data
 
 
-def test_create_and_list_request(client, access_token_user_only_patcher):
+def test_create_and_list_request(client):
     fake_jwt = "1.2.3"
 
     # list requests: empty
@@ -123,8 +123,7 @@ def test_get_request_without_access(client, mock_arborist_requests):
     assert not_found_err == unauthorized_err
 
 
-def test_get_filtered_requests(client, access_token_user_only_patcher):
-
+def test_get_filtered_requests(client):
     fake_jwt = "1.2.3"
     filtered_requests = []
 
@@ -368,13 +367,14 @@ def test_get_filtered_user_requests(client, access_token_user_only_patcher):
     assert res.status_code == 400, res.text
 
 
-def test_list_requests_with_access(client, access_token_user_only_patcher):
+def test_list_requests_with_access(client):
     fake_jwt = "1.2.3"
 
     # create requests
     request_data = {}
     for policy_id in ["test-policy", "test-policy-i-cant-access"]:
         data = {
+            "username": "requestor_user",
             "policy_id": policy_id,
             "resource_id": "uniqid",
             "resource_display_name": "My Resource",
@@ -447,6 +447,7 @@ def test_check_user_resource_paths_prefixes(
 
     # create request
     data = {
+        "username": "requestor_user",
         "policy_id": test_data["policy_id"],
         "resource_id": "uniqid",
         "resource_display_name": "My Resource",

diff --git a/tests/test_query_resource_path.py b/tests/test_query_resource_path.py
@@ -10,7 +10,7 @@
 from requestor.config import config
 
 
-def test_create_get_and_list_request(client, access_token_user_only_patcher):
+def test_create_get_and_list_request(client):
     fake_jwt = "1.2.3"
 
     # list requests: empty
@@ -132,13 +132,14 @@ def test_get_user_requests(client, access_token_user_only_patcher):
     assert res.status_code == 401, res.text
 
 
-def test_list_requests_with_access(client, access_token_user_only_patcher):
+def test_list_requests_with_access(client):
     fake_jwt = "1.2.3"
 
     # create requests
     request_data = {}
     for resource_path in ["/my/resource", "something-i-cant-access"]:
         data = {
+            "username": "requestor_user",
             "resource_path": resource_path,
             "resource_id": "uniqid",
             "resource_display_name": "My Resource",