Merge pull request #147 from CanDIG/feature/self-authorization

Add an endpoint for userse to see their own authorization status
CanDIG · Dec 19, 2024 · 6a1e878 · 6a1e878
2 parents fa08981 + ab21bca
commit 6a1e878
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 5 deletions.
diff --git a/auth.py b/auth.py
@@ -193,6 +193,16 @@ def list_pending_users_in_opa(token):
     return response, status_code
 
 
+def is_self_pending(token):
+    response, status_code = authx.auth.get_service_store_secret("opa", key=f"pending_users")
+    if status_code == 200:
+        user_name = get_user_name(token)
+        response = user_name in response["pending_users"]
+    else:
+        response = False
+    return response, status_code
+
+
 def approve_pending_user_in_opa(user_name, token):
     if not is_site_admin(token):
         return {"error": f"User not authorized to approve pending users"}, 403
@@ -258,6 +268,12 @@ def get_user_in_opa(user_name, token):
     return response, status_code
 
 
+def get_self_in_opa(token):
+    safe_name = urllib.parse.quote_plus(get_user_name(token))
+    response, status_code = authx.auth.get_service_store_secret("opa", key=f"users/{safe_name}")
+    return response, status_code
+
+
 def remove_user_from_opa(user_name, token):
     if not is_site_admin(token):
         return {"error": f"User not authorized to remove users"}, 403

diff --git a/ingest_openapi.yaml b/ingest_openapi.yaml
@@ -324,6 +324,7 @@ paths:
         schema:
           type: string
         required: true
+        description: The user ID to check. If "me", return information about the requesting user
     get:
       summary: List program authorizations
       description: List authorizations for programs for a user

diff --git a/ingest_operations.py b/ingest_operations.py
@@ -362,15 +362,34 @@ def clear_pending_users():
 # DAC authorization for users
 ####
 
+def list_programs_for_self(token):
+    response, status_code = auth.get_self_in_opa(token)
+    if status_code == 404:
+        # We next check if the user is pending
+        response, status_code = auth.is_self_pending(token)
+        # NB: The results is a string if unauthorized or pending, and a list otherwise
+        return "Pending" if response else "Unauthorized", status_code
+    print(response)
+    # NB: The results is a list if authorized, and a string otherwise
+    return list(response["programs"].values()), status_code
+
+
 @app.route('/user/<path:user_id>/authorize')
 def list_programs_for_user(user_id):
     token = connexion.request.headers['Authorization'].split("Bearer ")[1]
-    user_name = urllib.parse.unquote_plus(user_id)
-    response, status_code = auth.get_user_in_opa(user_name, token)
-    if status_code != 200:
-        return response, status_code
+    response = ""
+    status_code = 0
+    if user_id == "me":
+        # Grab the user's own authorization
+        response, status_code = list_programs_for_self(token)
+    else:
+        user_name = urllib.parse.unquote_plus(user_id)
+        response, status_code = auth.get_user_in_opa(user_name, token)
+        if status_code != 200:
+            return response, status_code
+        response = list(response["programs"].values())
     print(response)
-    return {"results": list(response["programs"].values())}, status_code
+    return {"results": response}, status_code
 
 
 @app.route('/user/<path:user_id>/authorize')