preapproved list

CanDIG · Jan 17, 2025 · b80c0e3 · b80c0e3
1 parent 8997a58
commit b80c0e3
Show file tree

Hide file tree

Showing 2 changed files with 141 additions and 0 deletions.
diff --git a/ingest_openapi.yaml b/ingest_openapi.yaml
@@ -261,6 +261,70 @@ paths:
       responses:
         200:
           description: Success
+  /user/preapproved:
+            get:
+              summary: List preapproved users
+              description: List preapproved users for authorization
+              operationId: ingest_operations.list_preapproved_users
+              responses:
+                200:
+                  description: Success
+                  content:
+                    application/json:
+                      schema:
+                        type: array
+                        items:
+                          $ref: "#/components/schemas/UserInfo"
+            post:
+              summary: Add preapproved users
+              description: Add bulk preapproved users for CanDIG access
+              operationId: ingest_operations.add_preapproved_users
+              requestBody:
+                $ref: '#/components/requestBodies/AddPreapprovedUserRequest'
+              responses:
+                200:
+                  description: Success
+            delete:
+              summary: Delete preapproved users
+              description: Clear preapproved users for CanDIG access
+              operationId: ingest_operations.clear_preapproved_users
+              responses:
+                200:
+                  description: Success
+  /user/preapproved/{user_id}:
+    parameters:
+      - in: path
+        name: user_id
+        schema:
+          type: string
+        required: true
+    get:
+      summary: Check preapproved list for user
+      description: Check preapproved list for user
+      operationId: ingest_operations.get_preapproved_user
+      responses:
+        200:
+          description: Success
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/UserInfo"
+        404:
+          description: User not found
+    post:
+      summary: Add preapproved user
+      description: Add a preapproved user for CanDIG access
+      operationId: ingest_operations.add_preapproved_user
+      responses:
+        200:
+          description: Success
+    delete:
+      summary: Remove preapproved user
+      description: Remove a preapproved user for CanDIG access
+      operationId: ingest_operations.remove_preapproved_user
+      responses:
+        200:
+          description: Success
   /user/{user_id}:
     parameters:
       - in: path

diff --git a/ingest_operations.py b/ingest_operations.py
@@ -391,6 +391,83 @@ def clear_pending_users():
     return response, status_code
 
 
+####
+# Preapproved users: If a preapproved user requests to be pending, the user will automatically be approved as a CanDIG-authorized user
+####
+
+def list_preapproved_users():
+    token = connexion.request.headers['Authorization'].split("Bearer ")[1]
+    if not auth.is_site_admin(token):
+        return {"error": f"User not authorized to list preapproved users"}, 403
+
+    response, status_code = authx.auth.list_preapproved_users_in_opa()
+    return {"results": response}, status_code
+
+
+async def add_preapproved_users():
+    users = await connexion.request.json()
+    token = connexion.request.headers['Authorization'].split("Bearer ")[1]
+    if not auth.is_site_admin(token):
+        return {"error": f"User not authorized to add preapproved users"}, 403
+
+    rejected = []
+    for user_id in users:
+        response, status_code = authx.auth.add_preapproved_user_in_opa(user_id)
+        if status_code != 200:
+            rejected.append(user_id)
+    if len(rejected) > 0:
+        status_code = 401
+        response = {"message": f"The following requested user IDs could not be added: {rejected}"}
+
+    return response, status_code
+
+
+def clear_preapproved_users():
+    token = connexion.request.headers['Authorization'].split("Bearer ")[1]
+
+    if not auth.is_site_admin(token):
+        return {"error": f"User not authorized to clear preapproved users"}, 403
+
+    response, status_code = authx.auth.clear_preapproved_users_in_opa()
+    return response, status_code
+
+
+@app.route('/user/preapproved/<path:user_id>')
+def get_preapproved_user(user_id):
+    token = connexion.request.headers['Authorization'].split("Bearer ")[1]
+    if not auth.is_site_admin(token):
+        return {"error": f"User not authorized to get preapproved users"}, 403
+
+    user_name = urllib.parse.unquote_plus(user_id)
+
+    response, status_code = authx.auth.get_preapproved_user_in_opa(user_name)
+    return response, status_code
+
+
+@app.route('/user/preapproved/<path:user_id>')
+def add_preapproved_user(user_id):
+    token = connexion.request.headers['Authorization'].split("Bearer ")[1]
+    if not auth.is_site_admin(token):
+        return {"error": f"User not authorized to add preapproved users"}, 403
+
+    user_name = urllib.parse.unquote_plus(user_id)
+
+    response, status_code = authx.auth.add_preapproved_user_in_opa(user_name)
+    return response, status_code
+
+
+@app.route('/user/preapproved/<path:user_id>')
+def remove_preapproved_user(user_id):
+    token = connexion.request.headers['Authorization'].split("Bearer ")[1]
+    if not auth.is_site_admin(token):
+        return {"error": f"User not authorized to remove preapproved users"}, 403
+
+    user_name = urllib.parse.unquote_plus(user_id)
+
+    response, status_code = authx.auth.remove_preapproved_user_in_opa(user_name)
+    return response, status_code
+
+
 ####
 # DAC authorization for users
 ####