From 79518822f7a2a9dc67b6064e02bc7e4dd23dfa90 Mon Sep 17 00:00:00 2001 From: "robin.hruska@teskalabs.com" Date: Mon, 9 Dec 2024 12:58:18 +0100 Subject: [PATCH] rename authorized_resources and make private --- asab/web/auth/authorization.py | 44 ++++++++++++---------------- asab/web/auth/service.py | 2 +- test/test_auth/test_authorization.py | 12 ++++---- 3 files changed, 25 insertions(+), 33 deletions(-) diff --git a/asab/web/auth/authorization.py b/asab/web/auth/authorization.py index 47836358..6cc78c6b 100644 --- a/asab/web/auth/authorization.py +++ b/asab/web/auth/authorization.py @@ -188,32 +188,6 @@ def require_tenant_access(self): raise AccessDeniedError() - def authorized_resources(self) -> typing.Optional[typing.Set[str]]: - """ - DEPRECATED. Return the set of authorized resources. - - Use these methods instead: - - has_resource_access(resource_id) - - has_superuser_access() - - has_tenant_access() - - require_resource_access(resource_id) - - require_superuser_access() - - require_tenant_access() - - Returns: - set: Authorized resources. - """ - self.require_valid() - - resources = _authorized_resources(self._Resources, Tenant.get(None)) - - if self.has_superuser_access(): - # Ensure superuser resource is present no matter the tenant - resources.add(SUPERUSER_RESOURCE_ID) - - return resources - - def user_info(self) -> typing.Dict[str, typing.Any]: """ Return OpenID Connect UserInfo claims (or JWToken claims). 
@@ -242,6 +216,24 @@ def get_claim(self, key: str) -> typing.Any: return self._Claims.get(key) + def _resources(self) -> typing.Optional[typing.Set[str]]: + """ + Return the set of authorized resources. + + Returns: + set: Authorized resources. + """ + self.require_valid() + + resources = _authorized_resources(self._Resources, Tenant.get(None)) + + if self.has_superuser_access(): + # Ensure superuser resource is present no matter the tenant + resources.add(SUPERUSER_RESOURCE_ID) + + return resources + + def is_superuser(resources_claim: typing.Mapping) -> bool: """ Check if the superuser resource is present in the authorized resource list. diff --git a/asab/web/auth/service.py b/asab/web/auth/service.py index 604e3d6d..587a0105 100644 --- a/asab/web/auth/service.py +++ b/asab/web/auth/service.py @@ -649,5 +649,5 @@ def _pass_resources(handler): @functools.wraps(handler) async def wrapper(*args, **kwargs): authz = Authz.get(None) - return await handler(*args, resources=authz.authorized_resources() if authz is not None else None, **kwargs) + return await handler(*args, resources=authz._resources() if authz is not None else None, **kwargs) return wrapper diff --git a/test/test_auth/test_authorization.py b/test/test_auth/test_authorization.py index 6bedb34b..bc461208 100644 --- a/test/test_auth/test_authorization.py +++ b/test/test_auth/test_authorization.py @@ -99,7 +99,7 @@ def test_superuser_access(self): def test_authorized_resources(self): with self.assertRaises(asab.exceptions.NotAuthenticatedError): - self.Authz.authorized_resources() + self.Authz._resources() def test_get_claim(self): with self.assertRaises(asab.exceptions.NotAuthenticatedError): @@ -186,7 +186,7 @@ def test_superuser_access(self): def test_authorized_resources(self): self.assertEqual( - self.Authz.authorized_resources(), + self.Authz._resources(), {RESOURCE_1, RESOURCE_2}, "Entity is authorized to access RESOURCE_1, RESOURCE_2 in TENANT_1.", ) 
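Review bot: The docstring of the new `_resources()` in asab/web/auth/authorization.py drops the pointer to `has_resource_access()` / `require_resource_access()` that the removed method carried, and it does not say the call can raise. `self.require_valid()` runs first, and the tests in this patch expect `NotAuthenticatedError` from an unauthenticated object. I would document that, and add a line such as `Internal helper; access decisions should go through has_resource_access() / require_resource_access().` It is also worth stating that the set is resolved for the current `Tenant.get(None)` context and that a superuser gets `SUPERUSER_RESOURCE_ID` added, because the superuser tests expect only `{RESOURCE_SUPERUSER}` and a plain membership test on the result may therefore disagree with `has_resource_access()`. The annotation `typing.Optional[typing.Set[str]]` looks wider than the body, which returns `resources` on every visible path; if `_authorized_resources` (defined outside this hunk) never returns None, `typing.Set[str]` would be more accurate.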
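Review bot: In asab/web/auth/service.py the wrapper still passes `resources=None` to the handler when no `Authz` is set in the context, and nothing on the changed line says how a handler should read that value. A handler must treat `None` as "no authorization", not as "no restriction"; a comment on the wrapper such as `# resources is None when the request carries no Authz; handlers must deny in that case` would make the contract explicit. The line also calls `authz._resources()`, a method this same patch marks private, from another module, so a comment on `_resources()` naming this decorator as its intended caller would explain the cross-module access. `_pass_resources` begins outside the hunk, so its own documentation is not visible here.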
@@ -259,7 +259,7 @@ def test_superuser_access(self): def test_authorized_resources(self): self.assertEqual( - self.Authz.authorized_resources(), + self.Authz._resources(), set(), "Entity is authorized to access RESOURCE_1, RESOURCE_2 in TENANT_1.", ) @@ -341,7 +341,7 @@ def test_superuser_access(self): def test_authorized_resources(self): self.assertEqual( - self.Authz.authorized_resources(), + self.Authz._resources(), {RESOURCE_1}, "Entity is globally authorized to access RESOURCE_1.", ) @@ -426,7 +426,7 @@ def test_superuser_access(self): def test_authorized_resources(self): self.assertEqual( - self.Authz.authorized_resources(), + self.Authz._resources(), {RESOURCE_SUPERUSER}, ) @@ -510,6 +510,6 @@ def test_superuser_access(self): def test_authorized_resources(self): self.assertEqual( - self.Authz.authorized_resources(), + self.Authz._resources(), {RESOURCE_SUPERUSER}, ) \ No newline at end of file