a few more changes ; added logs ;created constant (#2088)

met-api/src/met_api/services/authorization.py

@@ -4,6 +4,7 @@
 """
 from http import HTTPStatus
 
+from flask import current_app
 from flask_restx import abort
 
 from met_api.constants.membership_type import MembershipType
@@ -44,6 +45,10 @@ def _validate_tenant(eng_id, tenant_id):
         return
     engagement_tenant_id = EngagementModel.find_tenant_id_by_id(eng_id)
     if engagement_tenant_id and tenant_id != engagement_tenant_id:
+        current_app.logger.debug(f'Aborting . Tenant Id on Engagement and user context Mismatch'
+                                 f'engagement_tenant_id:{engagement_tenant_id} '
+                                 f'tenant_id: {tenant_id}')
+
         abort(HTTPStatus.FORBIDDEN)
 
 
@@ -65,6 +70,9 @@ def _has_team_membership(kwargs, user_from_context, team_permitted_roles) -> boo
 
     # check tenant matching
     if membership.tenant_id and membership.tenant_id != user_from_context.tenant_id:
+        current_app.logger.debug(f'Aborting . Tenant Id on membership and user context Mismatch'
+                                 f'membership.tenant_id:{membership.tenant_id} '
+                                 f'user_from_context.tenant_id: {user_from_context.tenant_id}')
         abort(HTTPStatus.FORBIDDEN)
 
     return membership.type.name in team_permitted_roles

met-api/src/met_api/utils/constants.py

@@ -36,3 +36,5 @@ def get_name_by_value(value):
 TENANT_ID_HEADER = 'tenant-id'
 
 GROUP_NAME_MAPPING = {group.name: group.value for group in Groups}
+
+TENANT_ID_JWT_CLAIM = 'tenant_id'

met-api/src/met_api/utils/tenant_validator.py

@@ -20,9 +20,10 @@
 from http import HTTPStatus
 from typing import Dict
 
-from flask import abort, g
+from flask import abort, current_app, g
 
 from met_api.auth import jwt as _jwt
+from met_api.utils.constants import TENANT_ID_JWT_CLAIM
 
 
 def require_role(role):
@@ -34,8 +35,10 @@ def decorator(func):
         def wrapper(*args, **kwargs):
             # Get the tenant information from the JWT payload or any global context
             token_info: Dict = _get_token_info() or {}
-            tenant_id = token_info.get('tenant_id', None)
-            if str(g.tenant_id) == str(tenant_id):
+            tenant_id = token_info.get(TENANT_ID_JWT_CLAIM, None)
+            current_app.logger.debug(f'Tenant Id From JWT Claim {tenant_id}')
+            current_app.logger.debug(f'Tenant Id From g {g.tenant_id}')
+            if g.tenant_id and str(g.tenant_id) == str(tenant_id):
                 return func(*args, **kwargs)
             else:
                 abort(HTTPStatus.FORBIDDEN,

met-api/src/met_api/utils/user_context.py

@@ -18,6 +18,7 @@
 
 from flask import g, request
 
+from met_api.utils.constants import TENANT_ID_JWT_CLAIM
 from met_api.utils.roles import Role
 
 
@@ -36,7 +37,7 @@ def __init__(self):
         self._user_name: str = token_info.get('username', token_info.get('preferred_username', None))
         self._first_name: str = token_info.get('firstname', None)
         self._last_name: str = token_info.get('lastname', None)
-        self._tenant_id: str = token_info.get('tenant_id', None)
+        self._tenant_id: str = token_info.get(TENANT_ID_JWT_CLAIM, None)
         self._bearer_token: str = _get_token()
         self._roles: list = token_info.get('realm_access', None).get('roles', []) if 'realm_access' in token_info \
             else []