Adding role permissions to HFI (#1947)

Permissions functional for the following roles
- Role for editing fire starts
- Role for selecting stations
- Role for change fuel type

.github/workflows/deployment.yml

@@ -4,6 +4,7 @@ on:
   pull_request:
     branches:
       - main
+      - roles
 
 jobs:
   prepare-dev-database:

.github/workflows/integration.yml

@@ -4,6 +4,7 @@ on:
   pull_request:
     branches:
       - main
+      - roles
 jobs:
   lint-and-test-api:
     name: Python - Lint, Test with coverage

.github/workflows/pr_description.yml

@@ -4,6 +4,7 @@ on:
   pull_request:
     branches:
       - main
+      - roles
 
 jobs:
   set-description:

CHANGELOG.md

@@ -1,3 +1,9 @@
+## 2022-05-11 HFI Calc [#1869](https://github.com/bcgov/wps/issues/1869),[#1871](https://github.com/bcgov/wps/issues/1871),[#1869](https://github.com/bcgov/wps/issues/1869)
+
+### Features
+
+- **hfi calculator:** Introduce role permission for editing HFI prep fire starts, fuel types and station selection.
+
 ## 2022-05-10 FBA Calculator
 
 ### Bug
@@ -10,10 +16,6 @@
 
 ## 2022-04-28 Fire Behaviour Calc - 422 bug caused by missing station
 
-### Bug
-
-- Fixed [#1964](https://github.com/bcgov/wps/issues/1964): Request failed with status code 422" due to missing station
-
 ## 2022-04-28 HFI Calc - Refactor + Grass Cure Display Bug
 
 ### Bug

api/app/auth.py

@@ -55,3 +55,29 @@ async def authentication_required(token=Depends(authenticate)):
             headers={'WWW-Authenticate': 'Bearer'}
         )
     return token
+
+
+async def check_token_for_role(role: str, token):
+    """ Return token if role exists in roles, 401 exception otherwise """
+    roles = token.get('resource_access', {}).get('wps-web', {}).get('roles', {})
+    if role not in roles:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            headers={'WWW-Authenticate': 'Bearer'}
+        )
+    return token
+
+
+async def auth_with_set_fire_starts_role_required(token=Depends(authentication_required)):
+    """ Only return requests that have set fire starts permission """
+    return await check_token_for_role('hfi_set_fire_starts', token)
+
+
+async def auth_with_select_station_role_required(token=Depends(authentication_required)):
+    """ Only return requests that have set fire starts permission """
+    return await check_token_for_role('hfi_select_station', token)
+
+
+async def auth_with_set_fuel_type_role_required(token=Depends(authentication_required)):
+    """ Only return requests that have set fuel type permission """
+    return await check_token_for_role('hfi_set_fuel_type', token)

api/app/routers/hfi_calc.py

@@ -19,8 +19,12 @@
                                   FireStartRange,
                                   StationInfo,
                                   DateRange, FuelTypesResponse, HFIWeatherStationsResponse)
+from app.auth import (auth_with_select_station_role_required,
+                      auth_with_set_fire_starts_role_required,
+                      auth_with_set_fuel_type_role_required,
+                      authentication_required,
+                      audit)
 from app.schemas.shared import (FuelType)
-from app.auth import authentication_required, audit
 from app.db.crud.hfi_calc import (get_fuel_type_by_id, get_most_recent_updated_hfi_request,
                                   get_most_recent_updated_hfi_request_for_current_date,
                                   store_hfi_request,
@@ -173,7 +177,7 @@ async def set_planning_area_station(
     planning_area_id: int, station_code: int,
     enable: bool,
     response: Response,
-    token=Depends(authentication_required)
+    token=Depends(auth_with_select_station_role_required)
 ):
     """ Enable / disable a station withing a planning area """
     logger.info('/fire_centre/%s/%s/%s/planning_area/%s/station/%s/selected/%s',
@@ -214,7 +218,7 @@ async def set_planning_area_station_fuel_type(
     station_code: int,
     fuel_type_id: int,
     response: Response,
-    token=Depends(authentication_required)  # pylint: disable=unused-argument
+    token=Depends(auth_with_set_fuel_type_role_required)
 ):
     """ Set the fuel type for a station in a planning area. """
     logger.info("/fire_centre/%s/%s/%s/planning_area/%s/station/%s/fuel_type/%s",
@@ -258,7 +262,7 @@ async def set_fire_start_range(fire_centre_id: int,
                                prep_day_date: date,
                                fire_start_range_id: int,
                                response: Response,
-                               token=Depends(authentication_required)):
+                               token=Depends(auth_with_set_fire_starts_role_required)):
     """ Set the fire start range, by id."""
     logger.info("/fire_centre/%s/%s/%s/planning_area/%s"
                 "/fire_starts/%s/fire_start_range/%s",

api/app/tests/common.py

@@ -21,7 +21,7 @@ def __getitem__(self, key):
 
     def get(self, key, _):
         "Returns the mock decoded token"
-        return self.decoded_token[key]
+        return self.decoded_token.get(key, {})
 
     def decode(self):
         "Returns the mock decoded token"

api/app/tests/hfi/test_hfi_endpoint_request.feature

@@ -1,33 +1,67 @@
 Feature: /hfi/
 
-    Scenario: HFI - request
+    Scenario: HFI - GET request
         Given I have a stored request <stored_request_json>
         And I spy on store_hfi_request
-        And I received a hfi-calc <url> with <verb>
+        And I received a GET request for hfi-calc <url>
         Then the response status code is <status_code>
         And the response is <response_json>
         And the response isn't cached
         And request == saved = <request_saved>
 
         Examples:
-            | url                                                                                                         | verb | status_code | response_json                                            | request_saved | stored_request_json                   |
-            | /api/hfi-calc/fire_centre/1                                                                                 | get  | 200         | hfi/test_hfi_endpoint_load_response.json                 | False         | None                                  |
-            | /api/hfi-calc/fire_centre/1                                                                                 | get  | 200         | hfi/test_hfi_endpoint_load_response.json                 | False         | test_hfi_endpoint_stored_request.json |
-            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25                                                           | get  | 200         | hfi/test_hfi_endpoint_load_response.json                 | False         | None                                  |
-            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25                                                           | get  | 200         | hfi/test_hfi_endpoint_load_response.json                 | False         | test_hfi_endpoint_stored_request.json |
-            # Test set fire start range
-            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/fire_starts/2020-05-21/fire_start_range/2 | post | 200         | hfi/test_hfi_endpoint_response_set_fire_start_range.json | True          | None                                  |
-            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/fire_starts/2020-05-21/fire_start_range/2 | post | 200         | hfi/test_hfi_endpoint_response_set_fire_start_range.json | True          | test_hfi_endpoint_stored_request.json |
-            # Test the station selection.
-            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/false                | post | 200         | hfi/test_hfi_endpoint_response_deselect_station.json     | True          | None                                  |
-            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/false                | post | 200         | hfi/test_hfi_endpoint_response_deselect_station.json     | True          | test_hfi_endpoint_stored_request.json |
-            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/true                 | post | 200         | hfi/test_hfi_endpoint_response_select_station.json       | True          | None                                  |
-            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/true                 | post | 200         | hfi/test_hfi_endpoint_response_select_station.json       | True          | test_hfi_endpoint_stored_request.json |
-            # Test set the station fuel type.
-            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/fuel_type/2                   | post | 200         | hfi/test_hfi_endpoint_response_set_fuel_type.json        | True          | None                                  |
-            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/fuel_type/2                   | post | 200         | hfi/test_hfi_endpoint_response_set_fuel_type.json        | True          | test_hfi_endpoint_stored_request.json |
-            # Invalid fuel type should return 500 error, and not be saved.
-            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/fuel_type/-1                  | post | 500         | None                                                     | False         | None                                  |
+            | url                                               | status_code | response_json                            | request_saved | stored_request_json                   |
+            | /api/hfi-calc/fire_centre/1                       | 200         | hfi/test_hfi_endpoint_load_response.json | False         | None                                  |
+            | /api/hfi-calc/fire_centre/1                       | 200         | hfi/test_hfi_endpoint_load_response.json | False         | test_hfi_endpoint_stored_request.json |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25 | 200         | hfi/test_hfi_endpoint_load_response.json | False         | None                                  |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25 | 200         | hfi/test_hfi_endpoint_load_response.json | False         | test_hfi_endpoint_stored_request.json |
+
+
             # pdf
-            | api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/pdf                                                        | get  | 200         | None                                                     | False         | None                                  |
-            | api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/pdf                                                        | get  | 200         | None                                                     | False         | test_hfi_endpoint_stored_request.json |
+            | api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/pdf | 200 | None | False | None                                  |
+            | api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/pdf | 200 | None | False | test_hfi_endpoint_stored_request.json |
+
+
+    Scenario: HFI - POST request
+        Given I have a stored request <stored_request_json>
+        And I spy on store_hfi_request
+        And I received a POST request for hfi-calc <url> with <role>
+        Then the response status code is <status_code>
+        And the response is <response_json>
+        And the response isn't cached
+        And request == saved = <request_saved>
+
+        Examples:
+            | url                                                                                                         | role                | status_code | response_json                                            | request_saved | stored_request_json                   |
+            # Test set fire start range with correct role
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/fire_starts/2020-05-21/fire_start_range/2 | hfi_set_fire_starts | 200         | hfi/test_hfi_endpoint_response_set_fire_start_range.json | True          | None                                  |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/fire_starts/2020-05-21/fire_start_range/2 | hfi_set_fire_starts | 200         | hfi/test_hfi_endpoint_response_set_fire_start_range.json | True          | test_hfi_endpoint_stored_request.json |
+            # Test set fire start range without roles
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/fire_starts/2020-05-21/fire_start_range/2 | None                | 401         | None                                                     | False         | None                                  |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/fire_starts/2020-05-21/fire_start_range/2 | None                | 401         | None                                                     | False         | test_hfi_endpoint_stored_request.json |
+            # Test set fire start range without correct role
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/fire_starts/2020-05-21/fire_start_range/2 | hfi_select_station  | 401         | None                                                     | False         | None                                  |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/fire_starts/2020-05-21/fire_start_range/2 | hfi_select_station  | 401         | None                                                     | False         | test_hfi_endpoint_stored_request.json |
+            # Test the station selection with correct role
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/false                | hfi_select_station  | 200         | hfi/test_hfi_endpoint_response_deselect_station.json     | True          | None                                  |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/false                | hfi_select_station  | 200         | hfi/test_hfi_endpoint_response_deselect_station.json     | True          | test_hfi_endpoint_stored_request.json |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/true                 | hfi_select_station  | 200         | hfi/test_hfi_endpoint_response_select_station.json       | True          | None                                  |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/true                 | hfi_select_station  | 200         | hfi/test_hfi_endpoint_response_select_station.json       | True          | test_hfi_endpoint_stored_request.json |
+            # Test the station selection without roles
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/false                | None                | 401         | None                                                     | False         | None                                  |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/false                | None                | 401         | None                                                     | False         | test_hfi_endpoint_stored_request.json |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/true                 | None                | 401         | None                                                     | False         | None                                  |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/true                 | None                | 401         | None                                                     | False         | test_hfi_endpoint_stored_request.json |
+            # Test the station selection without correct role
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/false                | hfi_set_fire_starts | 401         | None                                                     | False         | None                                  |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/false                | hfi_set_fire_starts | 401         | None                                                     | False         | test_hfi_endpoint_stored_request.json |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/true                 | hfi_set_fire_starts | 401         | None                                                     | False         | None                                  |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/selected/true                 | hfi_set_fire_starts | 401         | None                                                     | False         | test_hfi_endpoint_stored_request.json |
+            # Test set the station fuel type with correct role
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/fuel_type/2                   | hfi_set_fuel_type   | 200         | hfi/test_hfi_endpoint_response_set_fuel_type.json        | True          | None                                  |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/fuel_type/2                   | hfi_set_fuel_type   | 200         | hfi/test_hfi_endpoint_response_set_fuel_type.json        | True          | test_hfi_endpoint_stored_request.json |
+            # Test set the station fuel type without correct role
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/fuel_type/2                   | None                | 401         | None                                                     | False         | None                                  |
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/fuel_type/2                   | None                | 401         | None                                                     | False         | test_hfi_endpoint_stored_request.json |
+            # Invalid fuel type should return 500 error, and not be saved.
+            | /api/hfi-calc/fire_centre/1/2020-05-21/2020-05-25/planning_area/1/station/230/fuel_type/-1                  | hfi_set_fuel_type   | 500         | None                                                     | False         | None                                  |