#207: allowed usage of groups in allowed_users and admin_users

Author: bugy

src/auth/authorization.py

@@ -7,22 +7,16 @@
 
 class Authorizer:
     def __init__(self, app_allowed_users, admin_users, groups_provider):
-        self._app_auth_check = self.init_auth_check(app_allowed_users)
-        self._admin_check = self.init_auth_check(admin_users)
+        self._app_allowed_users = app_allowed_users
+        self._admin_users = admin_users
 
         self._groups_provider = groups_provider
 
-    def init_auth_check(self, users):
-        if ANY_USER in users:
-            return AnyUserAuthorizationCheck()
-        else:
-            return ListBasedAuthorizationCheck(users)
-
     def is_allowed_in_app(self, user_id):
-        return self._app_auth_check.is_allowed(user_id)
+        return self.is_allowed(user_id, self._app_allowed_users)
 
     def is_admin(self, user_id):
-        return self._admin_check.is_allowed(user_id)
+        return self.is_allowed(user_id, self._admin_users)
 
     def is_allowed(self, user_id, allowed_users):
         if not allowed_users:
@@ -45,20 +39,6 @@ def is_allowed(self, user_id, allowed_users):
         return False
 
 
-class ListBasedAuthorizationCheck:
-    def __init__(self, allowed_users) -> None:
-        self.allowed_users = set(allowed_users)
-
-    def is_allowed(self, user_id):
-        return user_id in self.allowed_users
-
-
-class AnyUserAuthorizationCheck:
-    @staticmethod
-    def is_allowed(user_id):
-        return True
-
-
 class EmptyGroupProvider:
 
     def get_groups(self, user):
@@ -127,6 +107,7 @@ def get_groups(self, user):
 
 def create_group_provider(user_groups, authenticator, admin_users):
     if admin_users:
+        admin_users = _exclude_unknown_groups_from_admin_users(admin_users, user_groups)
         if user_groups is None:
             user_groups = {ADMIN_GROUP: admin_users}
         elif ADMIN_GROUP not in user_groups:
@@ -142,3 +123,20 @@ def create_group_provider(user_groups, authenticator, admin_users):
         return preconfigured_groups_provider
 
     return CombinedGroupProvider(preconfigured_groups_provider, authenticator)
+
+
+# in case groups will be loaded from ldap
+def _exclude_unknown_groups_from_admin_users(admin_users, known_groups):
+    if not admin_users or not known_groups:
+        return admin_users
+
+    result = []
+    for user in admin_users:
+        if user.startswith(GROUP_PREFIX):
+            group = user[1:]
+            if group not in known_groups.keys():
+                continue
+
+        result.append(user)
+
+    return result

src/tests/authorization_test.py

@@ -78,8 +78,15 @@ def test_any_user_allowed(self):
     def test_any_user_allowed_when_mixed(self):
         self.assertAllowed('user5', ['user1', ANY_USER, 'user2'], True)
 
-    def assertAllowed(self, user, allowed_users, expected_allowed):
-        authorizer = Authorizer(allowed_users, [], EmptyGroupProvider())
+    def test_allowed_user_when_in_group(self):
+        self.assertAllowed('user5', ['user1', 'user2', '@my_group'], True, groups={'my_group': ['user5']})
+
+    def test_not_allowed_user_when_not_in_group(self):
+        self.assertAllowed('user5', ['user1', 'user2', '@my_group'], False, groups={'my_group': ['user3']})
+
+    def assertAllowed(self, user, allowed_users, expected_allowed, groups=None):
+        group_provider = PreconfiguredGroupProvider(groups) if groups else EmptyGroupProvider()
+        authorizer = Authorizer(allowed_users, [], group_provider)
 
         allowed = authorizer.is_allowed_in_app(user)
         if allowed != expected_allowed:
@@ -103,8 +110,15 @@ def test_any_user_is_admin(self):
     def test_any_admin_when_mixed(self):
         self.assertAdmin('admin5', ['admin1', ANY_USER, 'admin2'], True)
 
-    def assertAdmin(self, user, admin_users, expected_allowed):
-        authorizer = Authorizer([], admin_users, EmptyGroupProvider())
+    def test_is_admin_when_in_group(self):
+        self.assertAdmin('admin5', ['admin1', 'admin2', '@my_group'], True, groups={'my_group': ['admin5']})
+
+    def test_not_admin_admin_when_not_in_group(self):
+        self.assertAdmin('admin5', ['admin1', 'admin2', '@my_group'], False, groups={'my_group': ['admin3']})
+
+    def assertAdmin(self, user, admin_users, expected_allowed, groups=None):
+        group_provider = PreconfiguredGroupProvider(groups) if groups else EmptyGroupProvider()
+        authorizer = Authorizer([], admin_users, group_provider)
 
         allowed = authorizer.is_admin(user)
         if allowed != expected_allowed:
@@ -183,6 +197,16 @@ def test_create_from_group_and_admin_users_when_admin_group_exists(self):
         self.assertCountEqual(provider.get_groups('user1'), ['group1'])
         self.assertCountEqual(provider.get_groups('user2'), ['admin_users'])
 
+    def test_create_from_group_and_admin_users_when_admin_group_has_unknown_group(self):
+        provider = create_group_provider({'group1': ['user1']}, None, ['user2', '@some_group'])
+        self.assertCountEqual(provider.get_groups('user1'), ['group1'])
+        self.assertCountEqual(provider.get_groups('user2'), ['admin_users'])
+
+    def test_create_from_group_including_admin_users_when_admin_group_has_unknown_group(self):
+        provider = create_group_provider({'group1': ['user1', '@admin_users']}, None, ['user2', '@some_group'])
+        self.assertCountEqual(provider.get_groups('user1'), ['group1'])
+        self.assertCountEqual(provider.get_groups('user2'), ['admin_users', 'group1'])
+
     def test_create_from_groups_and_empty_authenticator(self):
         auth = self._create_authenticator({})
         provider = create_group_provider({'group1': ['user1']}, auth, None)