add support for service parameter in authz payload

Author: piax93

paasta_tools/api/tweens/auth.py

@@ -16,6 +16,7 @@
 import logging
 import os
 from typing import NamedTuple
+from typing import Optional
 
 import cachetools.func
 import pyramid
@@ -53,7 +54,12 @@ def __call__(self, request: Request) -> Response:
         """
         token = request.headers.get("Authorization", "").strip()
         token = token.split()[-1] if token else ""  # removes "Bearer" prefix
-        auth_outcome = self.is_request_authorized(request.path, token, request.method)
+        auth_outcome = self.is_request_authorized(
+            request.path,
+            token,
+            request.method,
+            request.swagger_data.get("service", None),
+        )
         if self.enforce and not auth_outcome.authorized:
             return HTTPForbidden(
                 body=json.dumps({"reason": auth_outcome.reason}),
@@ -65,7 +71,11 @@ def __call__(self, request: Request) -> Response:
 
     @cachetools.func.ttl_cache(maxsize=AUTH_CACHE_SIZE, ttl=AUTH_CACHE_TTL)
     def is_request_authorized(
-        self, path: str, token: str, method: str
+        self,
+        path: str,
+        token: str,
+        method: str,
+        service: Optional[str],
     ) -> AuthorizationOutcome:
         """Check if API request is authorized
 
@@ -83,6 +93,7 @@ def is_request_authorized(
                         "backend": "paasta",
                         "token": token,
                         "method": method,
+                        "service": service,
                     },
                 },
                 timeout=2,

tests/api/tweens/test_auth.py

@@ -39,11 +39,14 @@ def test_call(mock_auth_tween):
         path="/something",
         method="post",
         headers={"Authorization": "Bearer aaa.bbb.ccc"},
+        swagger_data={"service": "foobar"},
     )
     with patch.object(mock_auth_tween, "is_request_authorized") as mock_is_authorized:
         mock_is_authorized.return_value = auth.AuthorizationOutcome(True, "Ok")
         mock_auth_tween(mock_request)
-        mock_is_authorized.assert_called_once_with("/something", "aaa.bbb.ccc", "post")
+        mock_is_authorized.assert_called_once_with(
+            "/something", "aaa.bbb.ccc", "post", "foobar"
+        )
         mock_auth_tween.handler.assert_called_once_with(mock_request)
 
 
@@ -52,6 +55,7 @@ def test_call_deny(mock_auth_tween):
         path="/something",
         method="post",
         headers={"Authorization": "Bearer aaa.bbb.ccc"},
+        swagger_data={},
     )
     with patch.object(mock_auth_tween, "is_request_authorized") as mock_is_authorized:
         mock_is_authorized.return_value = auth.AuthorizationOutcome(False, "Denied")
@@ -65,7 +69,7 @@ def test_is_request_authorized(mock_auth_tween):
         "result": {"allowed": True, "reason": "User allowed"}
     }
     assert mock_auth_tween.is_request_authorized(
-        "/allowed", "aaa.bbb.ccc", "get"
+        "/allowed", "aaa.bbb.ccc", "get", "foobar"
     ) == auth.AuthorizationOutcome(True, "User allowed")
     mock_auth_tween.session.post.assert_called_once_with(
         url="http://localhost:31337",
@@ -75,6 +79,7 @@ def test_is_request_authorized(mock_auth_tween):
                 "backend": "paasta",
                 "token": "aaa.bbb.ccc",
                 "method": "get",
+                "service": "foobar",
             }
         },
         timeout=2,
@@ -84,12 +89,18 @@ def test_is_request_authorized(mock_auth_tween):
 def test_is_request_authorized_fail(mock_auth_tween):
     mock_auth_tween.session.post.side_effect = Exception
     assert mock_auth_tween.is_request_authorized(
-        "/allowed", "eee.ddd.fff", "get"
+        "/allowed",
+        "eee.ddd.fff",
+        "get",
+        "foobar",
     ) == auth.AuthorizationOutcome(False, "Auth backend error")
 
 
 def test_is_request_authorized_malformed(mock_auth_tween):
     mock_auth_tween.session.post.return_value.json.return_value = {"foo": "bar"}
     assert mock_auth_tween.is_request_authorized(
-        "/allowed", "eee.ddd.fff", "post"
+        "/allowed",
+        "eee.ddd.fff",
+        "post",
+        "foobar",
     ) == auth.AuthorizationOutcome(False, "Malformed auth response")