diff --git a/.secrets.baseline b/.secrets.baseline
index 469ed8bfc..8078c23c4 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -259,14 +259,14 @@
 "filename": "tests/conftest.py",
 "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9",
 "is_verified": false,
- "line_number": 1556
+ "line_number": 1559
 },
 {
 "type": "Base64 High Entropy String",
 "filename": "tests/conftest.py",
 "hashed_secret": "227dea087477346785aefd575f91dd13ab86c108",
 "is_verified": false,
- "line_number": 1579
+ "line_number": 1582
 }
 ],
 "tests/credentials/google/test_credentials.py": [
@@ -395,5 +395,5 @@
 }
 ]
 },
- "generated_at": "2023-10-20T20:37:17Z"
+ "generated_at": "2023-11-16T21:15:57Z"
 }
diff --git a/fence/resources/user/__init__.py b/fence/resources/user/__init__.py
index c4c1647aa..3543f875f 100644
--- a/fence/resources/user/__init__.py
+++ b/fence/resources/user/__init__.py
@@ -114,10 +114,8 @@ def get_user_info(current_session, username):
 if hasattr(flask.current_app, "arborist"):
 try:
- resources = flask.current_app.arborist.list_resources_for_user(
- user.username
- )
 auth_mapping = flask.current_app.arborist.auth_mapping(user.username)
+ resources = list(auth_mapping.keys())
 except ArboristError as exc:
 logger.error(
 f"request to arborist for user's resources failed; going to list empty. Error: {exc}"
diff --git a/tests/conftest.py b/tests/conftest.py
index 4d64df3a8..06edd3d37 100755
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -391,7 +391,10 @@ def mock_arborist_requests(request):
 def do_patch(urls_to_responses=None):
 urls_to_responses = urls_to_responses or {}
- defaults = {"arborist/health": {"GET": ("", 200)}}
+ defaults = {
+ "arborist/health": {"GET": ("", 200)},
+ "arborist/auth/mapping": {"POST": ({}, "200")},
+ }
 defaults.update(urls_to_responses)
 urls_to_responses = defaults
diff --git a/tests/oidc/core/user_info/test_userinfo.py b/tests/oidc/core/user_info/test_userinfo.py
index 3216ce640..f62746670 100644
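Review bot: `resources = list(auth_mapping.keys())` assumes `auth_mapping()` always hands back a dict; if the client ever returns None for a user with no mapping, the resulting AttributeError is not an `ArboristError`, escapes the `except` on the next line, and turns what the log message calls a best-effort lookup ("going to list empty") into a failed request. A defensive form that keeps the same result for dicts is `resources = list(auth_mapping or {})`. Since `resources` is now derived from the mapping rather than from the removed `list_resources_for_user` call, a short comment on the new line would help the next reader: `# resources = every path with at least one permission in the user's auth mapping`; whether the two calls enumerated the same set is not visible here. `get_user_info` starts and ends outside the hunk, so whether the except branch resets both `authz` and `resources` to empty cannot be confirmed from this diff.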
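Review bot: The new default `"arborist/auth/mapping": {"POST": ({}, "200")}` gives the status as the string `"200"`, while the `arborist/health` default on the line above uses the int `200`; unless the response builder further down in `do_patch` (outside this hunk) coerces it, any test that relies on the default mapping gets a non-integer status that may compare unequal to 200 or be treated as a failure. The line should read `"arborist/auth/mapping": {"POST": ({}, 200)},`. `do_patch` continues past the end of the hunk.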
--- a/tests/oidc/core/user_info/test_userinfo.py
+++ b/tests/oidc/core/user_info/test_userinfo.py
@@ -2,12 +2,13 @@
 import json
 import pytest
+from gen3authz.client.arborist.errors import ArboristError
 from fence.models import UserGoogleAccount
 @pytest.fixture(autouse=True)
-def mock_arborist(mock_arborist_requests):
+def mock_arborist(mock_arborist_requests, encoded_creds_jwt):
 mock_arborist_requests()
@@ -56,3 +57,29 @@ def test_userinfo_extra_claims_get(
 assert resp.json["name"]
 assert resp.json["linked_google_account"]
 assert resp.status_code == 200
+
+
+def test_userinfo_arborist_authz(
+ client, encoded_creds_jwt, mock_arborist_requests, app
+):
+ """
+ Tests that the userinfo endpoint populates authz and resource based on the /auth/mapping from Arborist
+ """
+ expected_authz = {"/open": [{"service": "peregrine", "method": "read"}]}
+ expected_resources = list(expected_authz.keys())
+ mock_arborist_requests(
+ {
+ f"arborist/auth/mapping": {"POST": (expected_authz, 200)},
+ }
+ )
+
+ resp = client.post(
+ "/user",
+ headers={"Authorization": "Bearer " + encoded_creds_jwt["jwt"]},
+ ).json
+
+ actual_authz = resp.get("authz", {})
+ actual_resources = resp.get("resources", [])
+
+ assert actual_authz == expected_authz
+ assert actual_resources == expected_resources
diff --git a/tests/test_logout.py b/tests/test_logout.py
index 172c353eb..49df98c6a 100644
--- a/tests/test_logout.py
+++ b/tests/test_logout.py
@@ -1,11 +1,18 @@
 import mock
 import urllib.request, urllib.parse, urllib.error
+import pytest
+
 from fence.auth import build_redirect_url
 from fence.config import config
 from fence.resources.storage.cdis_jwt import create_session_token
+
+
+@pytest.fixture(autouse=True)
+def mock_arborist(mock_arborist_requests):
+ mock_arborist_requests()
+
+
 def test_redirect_url():
 assert build_redirect_url("", "/") == "/"
 assert build_redirect_url("host.domain", "/fred") == "https://host.domain/fred"
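Review bot: `ArboristError` is imported but not referenced in either hunk of this file, and `encoded_creds_jwt` is added to the autouse fixture's parameters without being used in its body. If the extra fixture dependency is there to make the JWT/user setup run before Arborist is stubbed, that intent deserves a comment, e.g. `# depend on encoded_creds_jwt so the test user exists before Arborist is stubbed`; otherwise both additions should be dropped. Only these two hunks are visible, so the import may be used in an unchanged part of the file.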
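Review bot: `test_userinfo_arborist_authz` reads `.json` without checking the response status and then uses `resp.get("authz", {})` / `resp.get("resources", [])`, so an error response that carries neither key surfaces as a value mismatch rather than as the missing field it actually is. Splitting the call as `resp = client.post(...)`, `assert resp.status_code == 200`, `body = resp.json` and indexing `body["authz"]` / `body["resources"]` makes the failure mode explicit and matches the status assertion used by `test_userinfo_extra_claims_get` just above. Two style points: `f"arborist/auth/mapping"` is an f-string with no placeholders and should be a plain string, and the `app` fixture parameter is not used by the test.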
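Review bot: The new autouse `mock_arborist` fixture carries no docstring saying why logout tests now need Arborist stubbed; presumably the logout flow reaches the auth-mapping call that this commit adds to `get_user_info`, but that path is not visible in this diff. A one-line docstring such as `"""Stub Arborist for this module; the logout flow reaches it indirectly."""` would spare the next reader the question, and since an identical fixture is added to tests/oidc/core/user_info/test_userinfo.py in the same commit, a single module-level helper in tests/conftest.py may be preferable to two copies.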