pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #75 from dod-ccpo/authz-permissions

Browse Source 
Authz permissions
This commit is contained in:
dandds 2018-07-18 09:44:46 -04:00 committed by GitHub
commit 7d3cd04bdd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 89 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
atst/app.py
View File

@ -26,7 +26,7 @@ def make_app(config, deps, **kwargs):
url(
r"/login-redirect",
LoginRedirect,
{"sessions": deps["sessions"], "authnid_client": deps["authnid_client"]},
{"sessions": deps["sessions"], "authnid_client": deps["authnid_client"], "authz_client": deps["authz_client"]},
name="login_redirect",
),
url(r"/home", Main, {"page": "home"}, name="home"),
@ -88,7 +88,7 @@ def make_app(config, deps, **kwargs):
url(
r"/login-dev",
Dev,
{"action": "login", "sessions": deps["sessions"]},
{"action": "login", "sessions": deps["sessions"], "authz_client": deps["authz_client"]},
name="dev-login",
)
]

13
atst/handler.py
View File

@ -6,16 +6,26 @@ helpers = {"assets": environment}
class BaseHandler(tornado.web.RequestHandler):
def get_template_namespace(self):
ns = super(BaseHandler, self).get_template_namespace()
helpers["config"] = self.application.config
ns.update(helpers)
return ns
@tornado.gen.coroutine
def login(self, user):
user["atat_permissions"] = yield self._get_user_permissions(user["id"])
session_id = self.sessions.start_session(user)
self.set_secure_cookie("atat", session_id)
self.redirect("/home")
return self.redirect("/home")
@tornado.gen.coroutine
def _get_user_permissions(self, user_id):
response = yield self.authz_client.post(
"/users", json={"id": user_id, "atat_role": "ccpo"}
)
return response.json["atat_permissions"]
def get_current_user(self):
cookie = self.get_secure_cookie("atat")
@ -25,6 +35,7 @@ class BaseHandler(tornado.web.RequestHandler):
except SessionNotFoundError:
self.clear_cookie("atat")
return None
else:
return None

10
atst/handlers/dev.py
View File

@ -1,15 +1,19 @@
import tornado.gen
from atst.handler import BaseHandler
class Dev(BaseHandler):
def initialize(self, action, sessions):
def initialize(self, action, sessions, authz_client):
self.action = action
self.sessions = sessions
self.authz_client = authz_client
@tornado.gen.coroutine
def get(self):
user = {
"id": "164497f6-c1ea-4f42-a5ef-101da278c012",
"first_name": "Test",
"last_name": "User"
"last_name": "User",
}
self.login(user)
yield self.login(user)

5
atst/handlers/login_redirect.py
View File

@ -3,9 +3,10 @@ from atst.handler import BaseHandler
class LoginRedirect(BaseHandler):
def initialize(self, authnid_client, sessions):
def initialize(self, authnid_client, sessions, authz_client):
self.authnid_client = authnid_client
self.sessions = sessions
self.authz_client = authz_client
@tornado.gen.coroutine
def get(self):
@ -13,7 +14,7 @@ class LoginRedirect(BaseHandler):
if token:
user = yield self._fetch_user_info(token)
if user:
self.login(user)
yield self.login(user)
else:
self.write_error(401)

16
atst/handlers/request.py
View File

@ -27,9 +27,17 @@ class Request(BaseHandler):
@tornado.gen.coroutine
def get(self):
user = self.get_current_user()
response = yield self.requests_client.get(
"/users/{}/requests".format(user["id"])
)
requests = response.json["requests"]
requests = yield self.fetch_requests(user)
mapped_requests = [map_request(user, request) for request in requests]
self.render("requests.html.to", page=self.page, requests=mapped_requests)
@tornado.gen.coroutine
def fetch_requests(self, user):
if "review_and_approve_jedi_workspace_request" in user["atat_permissions"]:
response = yield self.requests_client.get("/requests")
else:
response = yield self.requests_client.get(
"/requests?creator_id={}".format(user["id"])
)
return response.json["requests"]

12
atst/handlers/request_new.py
View File

@ -53,9 +53,7 @@ class RequestNew(BaseHandler):
if request_id:
response = yield self.requests_client.get(
"/users/{}/requests/{}".format(
self.get_current_user()["id"], request_id
),
"/requests/{}".format(request_id),
raise_error=False,
)
if response.ok:
@ -77,14 +75,6 @@ class RequestNew(BaseHandler):
can_submit=jedi_flow.can_submit
)
@tornado.gen.coroutine
def get_request(self, request_id):
request = yield self.requests_client.get(
"/users/{}/requests/{}".format(self.get_current_user()["id"], request_id),
raise_error=False,
)
return request
class JEDIRequestFlow(object):
def __init__(

2
config/base.ini
View File

@ -2,7 +2,7 @@
PORT=8000
ENVIRONMENT = dev
DEBUG = true
AUTHZ_BASE_URL = http://localhost
AUTHZ_BASE_URL = http://localhost:8002
AUTHNID_BASE_URL= https://localhost:8001
COOKIE_SECRET = some-secret-please-replace
SECRET = change_me_into_something_secret

4
tests/conftest.py
View File

@ -1,14 +1,14 @@
import pytest
from atst.app import make_app, make_deps, make_config
from tests.mocks import MockApiClient, MockRequestsClient
from tests.mocks import MockApiClient, MockRequestsClient, MockAuthzClient
from atst.sessions import DictSessions
@pytest.fixture
def app():
TEST_DEPS = {
"authz_client": MockApiClient("authz"),
"authz_client": MockAuthzClient("authz"),
"requests_client": MockRequestsClient("requests"),
"authnid_client": MockApiClient("authnid"),
"sessions": DictSessions(),

46
tests/mocks.py
View File

@ -49,7 +49,7 @@ class MockRequestsClient(MockApiClient):
"id": "66b8ef71-86d3-48ef-abc2-51bfa1732b6b",
"creator": "49903ae7-da4a-49bf-a6dc-9dff5d004238",
"body": {},
"status": "incomplete"
"status": "incomplete",
}
return self._get_response("GET", path, 200, json=json)
@ -61,3 +61,47 @@ class MockRequestsClient(MockApiClient):
"body": {},
}
return self._get_response("POST", path, 202, json=json)
class MockAuthzClient(MockApiClient):
@tornado.gen.coroutine
def post(self, path, **kwargs):
json = {
"atat_permissions": [
"view_original_jedi_request",
"review_and_approve_jedi_workspace_request",
"modify_atat_role_permissions",
"create_csp_role",
"delete_csp_role",
"deactivate_csp_role",
"modify_csp_role_permissions",
"view_usage_report",
"view_usage_dollars",
"add_and_assign_csp_roles",
"remove_csp_roles",
"request_new_csp_role",
"assign_and_unassign_atat_role",
"view_assigned_atat_role_configurations",
"view_assigned_csp_role_configurations",
"deactivate_workspace",
"view_atat_permissions",
"transfer_ownership_of_workspace",
"add_application_in_workspace",
"delete_application_in_workspace",
"deactivate_application_in_workspace",
"view_application_in_workspace",
"rename_application_in_workspace",
"add_environment_in_application",
"delete_environment_in_application",
"deactivate_environment_in_application",
"view_environment_in_application",
"rename_environment_in_application",
"add_tag_to_workspace",
"remove_tag_from_workspace",
],
"atat_role": "ccpo",
"id": "164497f6-c1ea-4f42-a5ef-101da278c012",
"username": None,
"workspace_roles": [],
}
return self._get_response("POST", path, 200, json=json)

5
tests/test_auth.py
View File

@ -3,7 +3,7 @@ import pytest
import tornado.web
import tornado.gen
MOCK_USER = {"user": {"id": "438567dd-25fa-4d83-a8cc-8aa8366cb24a"}}
MOCK_USER = {"id": "438567dd-25fa-4d83-a8cc-8aa8366cb24a"}
@tornado.gen.coroutine
def _fetch_user_info(c, t):
return MOCK_USER
@ -76,3 +76,6 @@ def test_valid_login_creates_session(app, monkeypatch, http_client, base_url):
raise_error=False,
)
assert len(app.sessions.sessions) == 1
session = list(app.sessions.sessions.values())[0]
assert "atat_permissions" in session["user"]
assert isinstance(session["user"]["atat_permissions"], list)