From fad6dd14ad8138bab926fc28dad0714040549041 Mon Sep 17 00:00:00 2001 From: Ric Evans <19216225+ric-evans@users.noreply.github.com> Date: Fri, 1 Sep 2023 16:26:46 -0500 Subject: [PATCH] REST Server Role Auth [patch] (#74) --- rest_server/config.py | 3 +-- rest_server/routes.py | 36 ++++++++++++++++++------------------ 2 files changed, 19 insertions(+), 20 deletions(-) diff --git a/rest_server/config.py b/rest_server/config.py index da8e3ca1..c20b219a 100644 --- a/rest_server/config.py +++ b/rest_server/config.py @@ -30,8 +30,7 @@ class EnvConfig: ENV = from_environment_as_dataclass(EnvConfig) - -AUTH_PREFIX = "mou" +AUTH_SERVICE_ACCOUNT = "mou-service-account" EXCLUDE_DBS = [ "system.indexes", diff --git a/rest_server/routes.py b/rest_server/routes.py index be0dbbc8..36826156 100644 --- a/rest_server/routes.py +++ b/rest_server/routes.py @@ -11,7 +11,7 @@ from motor.motor_tornado import MotorClient # type: ignore from rest_tools import server -from .config import AUTH_PREFIX, is_testing +from .config import AUTH_SERVICE_ACCOUNT, is_testing from .data_sources import mou_db, table_config_cache, todays_institutions, wbs from .utils import utils @@ -24,9 +24,9 @@ if is_testing(): - def scope_role_auth(**kwargs): # type: ignore - def make_wrapper(method): # type: ignore[no-untyped-def] - async def wrapper(self, *args, **kwargs): # type: ignore[no-untyped-def] + def keycloak_role_auth(**kwargs): # type: ignore + def make_wrapper(method): + async def wrapper(self, *args, **kwargs): logging.warning("TESTING: auth disabled") return await method(self, *args, **kwargs) @@ -35,7 +35,7 @@ async def wrapper(self, *args, **kwargs): # type: ignore[no-untyped-def] return make_wrapper else: - scope_role_auth = server.scope_role_auth + keycloak_role_auth = server.keycloak_role_auth # ----------------------------------------------------------------------------- 
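Review bot: In the `is_testing()` branch of routes.py, `keycloak_role_auth(**kwargs)` never reads `kwargs`, so the `roles=[...]` each handler declares is discarded and `wrapper` calls the method unconditionally; the test suite therefore cannot detect a handler that declares the wrong role or none at all. A stub that keeps the declared roles, e.g. `wrapper.required_roles = kwargs.get("roles", [])` inside `make_wrapper`, would let tests assert the role each endpoint requires without turning real authentication on. Dropping the `# type: ignore[no-untyped-def]` comments from `make_wrapper` and `wrapper` is only safe if mypy is not run with `disallow_untyped_defs`; if it is, those two lines will now fail the type check (the project's mypy configuration is not visible here). In config.py, `AUTH_SERVICE_ACCOUNT` replaces a scope prefix with a literal role name, which is a change in meaning rather than a rename, so a comment such as `# Keycloak role required by every MOU REST endpoint` above the constant would record that.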
@@ -122,7 +122,7 @@ async def _get_clientbound_snapshot_info( "current_snapshot": dc.asdict(curr_snap_info), } - @scope_role_auth(prefix=AUTH_PREFIX, roles=["read", "write", "admin"]) # type: ignore + @keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT]) # type: ignore async def get(self, wbs_l1: str) -> None: """Handle GET.""" is_admin = self.get_argument( @@ -191,7 +191,7 @@ async def get(self, wbs_l1: str) -> None: self.write(clientbound_snapshot_info | {"table": table}) - @scope_role_auth(prefix=AUTH_PREFIX, roles=["admin"]) # type: ignore + @keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT]) # type: ignore async def post(self, wbs_l1: str) -> None: """Handle POST.""" base64_file = self.get_argument( @@ -236,7 +236,7 @@ class RecordHandler(BaseMOUHandler): # pylint: disable=W0223 ROUTE = rf"/record/(?P{_WBS_L1_REGEX_VALUES})$" - @scope_role_auth(prefix=AUTH_PREFIX, roles=["write", "admin"]) # type: ignore + @keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT]) # type: ignore async def post(self, wbs_l1: str) -> None: """Handle POST.""" record: uut.DBRecord = self.get_argument( @@ -258,7 +258,7 @@ async def post(self, wbs_l1: str) -> None: resp["institution_values"] = dc.asdict(instvals) self.write(resp) - @scope_role_auth(prefix=AUTH_PREFIX, roles=["write", "admin"]) # type: ignore + @keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT]) # type: ignore async def delete(self, wbs_l1: str) -> None: """Handle DELETE.""" record_id = self.get_argument( @@ -288,7 +288,7 @@ class TableConfigHandler(BaseMOUHandler): # pylint: disable=W0223 ROUTE = r"/table/config$" - @scope_role_auth(prefix=AUTH_PREFIX, roles=["read", "write", "admin"]) # type: ignore + @keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT]) # type: ignore async def get(self) -> None: """Handle GET.""" await self.tc_cache.refresh() 
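Review bot: Every decorator in this file now reads `@keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT])`, which removes the read/write/admin tiers the replaced `scope_role_auth` decorators enforced: the `post` at `@@ -191` was admin-only and the `post`/`delete` in `RecordHandler` were write-gated, but after this change any token carrying the `mou-service-account` role reaches them, the same role that suffices for the read-only `get` at `@@ -122`. The same collapse applies to the hunks at `@@ -329`, `@@ -358`, `@@ -389`, `@@ -412`, `@@ -451`, `@@ -470` and `@@ -538`; the hunk at `@@ -389` is notable because `retouchstone` mutates state yet now shares its role with its own read-only `get`. If the intent is that a single trusted service account is the only caller and per-user authorization now happens upstream (the constant's name suggests this, but nothing in the diff states it), a module-level comment in routes.py saying so would document the decision; otherwise keep at least a separate role constant for the admin-only and write handlers so the server itself still distinguishes the tiers. The `get` and `post` methods in these hunks begin at the decorator and continue past the hunk boundary.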
@@ -329,7 +329,7 @@ class SnapshotsHandler(BaseMOUHandler): # pylint: disable=W0223 ROUTE = rf"/snapshots/list/(?P{_WBS_L1_REGEX_VALUES})$" - @scope_role_auth(prefix=AUTH_PREFIX, roles=["read", "write", "admin"]) # type: ignore + @keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT]) # type: ignore async def get(self, wbs_l1: str) -> None: """Handle GET.""" is_admin = self.get_argument( @@ -358,7 +358,7 @@ class MakeSnapshotHandler(BaseMOUHandler): # pylint: disable=W0223 ROUTE = rf"/snapshots/make/(?P{_WBS_L1_REGEX_VALUES})$" - @scope_role_auth(prefix=AUTH_PREFIX, roles=["write", "admin"]) # type: ignore + @keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT]) # type: ignore async def post(self, wbs_l1: str) -> None: """Handle POST.""" name = self.get_argument( @@ -389,14 +389,14 @@ class InstitutionValuesConfirmationTouchstoneHandler( ROUTE = rf"/institution/values/confirmation/touchstone/(?P{_WBS_L1_REGEX_VALUES})$" - @scope_role_auth(prefix=AUTH_PREFIX, roles=["admin"]) # type: ignore + @keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT]) # type: ignore async def post(self, wbs_l1: str) -> None: """Handle POST.""" timestamp = await self.mou_db_client.retouchstone(wbs_l1) self.write({"touchstone_timestamp": timestamp}) - @scope_role_auth(prefix=AUTH_PREFIX, roles=["admin"]) # type: ignore + @keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT]) # type: ignore async def get(self, wbs_l1: str) -> None: """Handle POST.""" timestamp = await self.mou_db_client.get_touchstone(wbs_l1) @@ -412,7 +412,7 @@ class InstitutionValuesConfirmationHandler(BaseMOUHandler): # pylint: disable=W ROUTE = rf"/institution/values/confirmation/(?P{_WBS_L1_REGEX_VALUES})$" - @scope_role_auth(prefix=AUTH_PREFIX, roles=["write", "admin"]) # type: ignore + @keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT]) # type: ignore async def post(self, wbs_l1: str) -> None: """Handle POST.""" institution = self.get_argument( 
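Review bot: In the `@@ -389` hunk the touchstone `get` method's docstring reads `"""Handle POST."""` even though it is the GET handler that follows the `post` above it; while this commit changes the decorator line directly above it, the docstring is left wrong. Change it to `"""Handle GET."""` so the two methods are not confused when reading the authorization decorators. The `get` body continues past the end of the hunk.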
@@ -451,7 +451,7 @@ class InstitutionValuesHandler(BaseMOUHandler): # pylint: disable=W0223 ROUTE = rf"/institution/values/(?P{_WBS_L1_REGEX_VALUES})$" - @scope_role_auth(prefix=AUTH_PREFIX, roles=["write", "admin"]) # type: ignore + @keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT]) # type: ignore async def get(self, wbs_l1: str) -> None: """Handle GET.""" institution = self.get_argument( @@ -470,7 +470,7 @@ async def get(self, wbs_l1: str) -> None: self.write(dc.asdict(vals)) - @scope_role_auth(prefix=AUTH_PREFIX, roles=["write", "admin"]) # type: ignore + @keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT]) # type: ignore async def post(self, wbs_l1: str) -> None: """Handle POST.""" institution = self.get_argument( @@ -538,7 +538,7 @@ class InstitutionStaticHandler(BaseMOUHandler): # pylint: disable=W0223 ROUTE = r"/institution/today$" - @scope_role_auth(prefix=AUTH_PREFIX, roles=["read", "write", "admin"]) # type: ignore + @keycloak_role_auth(roles=[AUTH_SERVICE_ACCOUNT]) # type: ignore async def get(self) -> None: """Handle GET.""" institutions = await todays_institutions.request_krs_institutions()