Merge pull request uc-cdis#1122 from uc-cdis/fix/authz-does-not-inclu…

…de-open-access-for-some-users

Pull resources from auth_mapping

.secrets.baseline

@@ -259,14 +259,14 @@
         "filename": "tests/conftest.py",
         "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9",
         "is_verified": false,
-        "line_number": 1556
+        "line_number": 1559
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "tests/conftest.py",
         "hashed_secret": "227dea087477346785aefd575f91dd13ab86c108",
         "is_verified": false,
-        "line_number": 1579
+        "line_number": 1582
       }
     ],
     "tests/credentials/google/test_credentials.py": [
@@ -395,5 +395,5 @@
       }
     ]
   },
-  "generated_at": "2023-10-20T20:37:17Z"
+  "generated_at": "2023-11-16T21:15:57Z"
 }

fence/resources/user/__init__.py

@@ -114,10 +114,8 @@ def get_user_info(current_session, username):
 
     if hasattr(flask.current_app, "arborist"):
         try:
-            resources = flask.current_app.arborist.list_resources_for_user(
-                user.username
-            )
             auth_mapping = flask.current_app.arborist.auth_mapping(user.username)
+            resources = list(auth_mapping.keys())
         except ArboristError as exc:
             logger.error(
                 f"request to arborist for user's resources failed; going to list empty. Error: {exc}"

tests/conftest.py

@@ -391,7 +391,10 @@ def mock_arborist_requests(request):
 
     def do_patch(urls_to_responses=None):
         urls_to_responses = urls_to_responses or {}
-        defaults = {"arborist/health": {"GET": ("", 200)}}
+        defaults = {
+            "arborist/health": {"GET": ("", 200)},
+            "arborist/auth/mapping": {"POST": ({}, "200")},
+        }
         defaults.update(urls_to_responses)
         urls_to_responses = defaults
 

tests/oidc/core/user_info/test_userinfo.py

@@ -2,12 +2,13 @@
 import json
 
 import pytest
+from gen3authz.client.arborist.errors import ArboristError
 
 from fence.models import UserGoogleAccount
 
 
 @pytest.fixture(autouse=True)
-def mock_arborist(mock_arborist_requests):
+def mock_arborist(mock_arborist_requests, encoded_creds_jwt):
     mock_arborist_requests()
 
 
@@ -56,3 +57,29 @@ def test_userinfo_extra_claims_get(
     assert resp.json["name"]
     assert resp.json["linked_google_account"]
     assert resp.status_code == 200
+
+
+def test_userinfo_arborist_authz(
+    client, encoded_creds_jwt, mock_arborist_requests, app
+):
+    """
+    Tests that the userinfo endpoint populates authz and resource based on the /auth/mapping from Arborist
+    """
+    expected_authz = {"/open": [{"service": "peregrine", "method": "read"}]}
+    expected_resources = list(expected_authz.keys())
+    mock_arborist_requests(
+        {
+            f"arborist/auth/mapping": {"POST": (expected_authz, 200)},
+        }
+    )
+
+    resp = client.post(
+        "/user",
+        headers={"Authorization": "Bearer " + encoded_creds_jwt["jwt"]},
+    ).json
+
+    actual_authz = resp.get("authz", {})
+    actual_resources = resp.get("resources", [])
+
+    assert actual_authz == expected_authz
+    assert actual_resources == expected_resources

tests/test_logout.py

@@ -1,11 +1,18 @@
 import mock
 import urllib.request, urllib.parse, urllib.error
 
+import pytest
+
 from fence.auth import build_redirect_url
 from fence.config import config
 from fence.resources.storage.cdis_jwt import create_session_token
 
 
+@pytest.fixture(autouse=True)
+def mock_arborist(mock_arborist_requests):
+    mock_arborist_requests()
+
+
 def test_redirect_url():
     assert build_redirect_url("", "/") == "/"
     assert build_redirect_url("host.domain", "/fred") == "https://host.domain/fred"