Add an endpoint for the user to check their own authorization

CanDIG · Dec 18, 2024 · 2110bb1 · 2110bb1
1 parent fa08981
commit 2110bb1
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 0 deletions.
diff --git a/auth.py b/auth.py
@@ -193,6 +193,16 @@ def list_pending_users_in_opa(token):
     return response, status_code
 
 
+def is_self_pending(token):
+    response, status_code = authx.auth.get_service_store_secret("opa", key=f"pending_users")
+    if status_code == 200:
+        user_name = get_user_name(token)
+        response = user_name in response["pending_users"]
+    else:
+        response = False
+    return response, status_code
+
+
 def approve_pending_user_in_opa(user_name, token):
     if not is_site_admin(token):
         return {"error": f"User not authorized to approve pending users"}, 403
@@ -258,6 +268,12 @@ def get_user_in_opa(user_name, token):
     return response, status_code
 
 
+def get_self_in_opa(token):
+    safe_name = urllib.parse.quote_plus(get_user_name(token))
+    response, status_code = authx.auth.get_service_store_secret("opa", key=f"users/{safe_name}")
+    return response, status_code
+
+
 def remove_user_from_opa(user_name, token):
     if not is_site_admin(token):
         return {"error": f"User not authorized to remove users"}, 403

diff --git a/ingest_openapi.yaml b/ingest_openapi.yaml
@@ -317,6 +317,18 @@ paths:
             application/json:
               schema:
                 type: object
+  /user/self_authorize:
+    get:
+      summary: List program authorizations
+      description: List authorizations for programs for the authenticated user
+      operationId: ingest_operations.is_self_authorized
+      responses:
+        200:
+          description: Success
+          content:
+            application/json:
+              schema:
+                type: object
   /user/{user_id}/authorize:
     parameters:
       - in: path

diff --git a/ingest_operations.py b/ingest_operations.py
@@ -362,6 +362,19 @@ def clear_pending_users():
 # DAC authorization for users
 ####
 
+def is_self_authorized():
+    token = connexion.request.headers['Authorization'].split("Bearer ")[1]
+    response, status_code = auth.get_self_in_opa(token)
+    if status_code == 404:
+        # We next check if the user is pending
+        response, status_code = auth.is_self_pending(token)
+        # NB: The results is a string if unauthorized or pending, and a list otherwise
+        return {"results": "Pending" if response else "Unauthorized"}, status_code
+    print(response)
+    # NB: The results is a list if authorized, and a string otherwise
+    return {"results": list(response["programs"].values())}, status_code
+
+
 @app.route('/user/<path:user_id>/authorize')
 def list_programs_for_user(user_id):
     token = connexion.request.headers['Authorization'].split("Bearer ")[1]