sr2/cloud-api
6
0
Fork 1
Code Issues 8 Pull requests 2 Projects Releases Packages Wiki Activity Actions

feat: improved caor request model
All checks were successful
ci / lint_and_test (push) Successful in 14s
Details

Browse source 
Issue: #23
This commit is contained in:
Chris Milne 2026-06-10 09:32:02 +01:00
parent 768a3881ef
commit 939abaefe9
4 changed files with 44 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/iam/router.py
View file

@ -24,7 +24,6 @@ from src.organisation.exceptions import OrgNotFoundException
from src.service.exceptions import ServiceNotFoundException
from src.exceptions import ConflictException
from src.database import db_dependency
from src.schemas import ResourceName
from src.auth.exceptions import UnauthorizedException
from src.auth.service import claims_dependency
from src.auth.dependencies import (
@ -55,10 +54,11 @@ from src.iam.dependencies import (
perm_model_query_dependency,
)
from src.iam.schemas import (
GroupSchema,
IAMCAoRRequest,
IAMGetGroupPermissionsResponse,
IAMGetGroupUsersResponse,
IAMPostGroupRequest,
GroupSchema,
IAMPostGroupResponse,
IAMPutGroupPermissionRequest,
IAMPutGroupPermissionResponse,
@ -87,10 +87,11 @@ async def can_act_on_resource(
valid_key: service_key_dependency,
db: db_dependency,
user_claims: claims_dependency,
rn: ResourceName,
action: str,
request_model: IAMCAoRRequest,
) -> bool:
try:
rn = request_model.rn
action = request_model.action
user_id = user_claims["db_id"]
rn_org = rn.organisation
rn_service = rn.service

6
src/iam/schemas.py
View file

@ -12,6 +12,7 @@ from pydantic import EmailStr, ConfigDict, Field
from src.schemas import (
CustomBaseModel,
ResourceName,
ServiceIDMixin,
OrgIDMixin,
UserIDMixin,
@ -43,6 +44,11 @@ class GroupSchema(CustomBaseModel):
name: str
class IAMCAoRRequest(CustomBaseModel):
action: str
rn: ResourceName
class IAMGetGroupPermissionsResponse(CustomBaseModel):
permissions: list[PermissionSchema]

7
src/iam/service.py
View file

@ -8,9 +8,9 @@ Exports:
from typing import Annotated
from datetime import datetime, timedelta, timezone
from src.iam.schemas import IAMCAoRRequest
from src.service.models import Service
from src.database import db_dependency
from src.schemas import ResourceName
from src.auth.exceptions import UnauthorizedException
from src.utils import send_email, generate_jwt
@ -18,7 +18,10 @@ from src.utils import send_email, generate_jwt
from fastapi import Request, Depends
def valid_service_key(db: db_dependency, request: Request, rn: ResourceName) -> bool:
def valid_service_key(
db: db_dependency, request: Request, request_model: IAMCAoRRequest
) -> bool:
rn = request_model.rn
api_key = request.headers.get("X-API-Key", None)
if not api_key:
raise UnauthorizedException("Missing API key")

39
test/test_iam.py
View file

@ -18,16 +18,20 @@ pytestmark = [
@pytest.mark.anyio
async def test_post_act_on_resource_endpoint_success(default_client: AsyncClient):
body = {
"service": "Test Service",
"organisation": "Test Org",
"resource": "test_resource",
"rn": {
"service": "Test Service",
"organisation": "Test Org",
"resource": "test_resource",
"instance": None,
},
"action": "read",
}
headers = {
"Authorization": "Bearer not_checked_when_auth_is_disabled",
"X-API-Key": "123456789",
}
resp = await default_client.post(
"/iam/can_act_on_resource?action=read", json=body, headers=headers
"/iam/can_act_on_resource", json=body, headers=headers
)
data = resp.json()
@ -43,13 +47,20 @@ async def test_post_act_on_resource_endpoint_success(default_client: AsyncClient
async def test_act_on_resource_wrong_key(
default_client: AsyncClient, db_session, service: str, api_key: str
):
body = {"service": service, "organisation": "Test Org", "resource": "test_resource"}
body = {
"rn": {
"service": service,
"organisation": "Test Org",
"resource": "test_resource",
},
"action": "read",
}
headers = {
"Authorization": "Bearer not_checked_when_auth_is_disabled",
"X-API-Key": api_key,
}
resp = await default_client.post(
"/iam/can_act_on_resource?action=read", json=body, headers=headers
"/iam/can_act_on_resource", json=body, headers=headers
)
data = resp.json()
@ -60,9 +71,12 @@ async def test_act_on_resource_wrong_key(
@pytest.mark.anyio
async def test_act_on_resource_missing_key(default_client: AsyncClient):
body = {
"service": "Test Service",
"organisation": "Test Org",
"resource": "test_resource",
"rn": {
"service": "Test Service",
"organisation": "Test Org",
"resource": "test_resource",
},
"action": "read",
}
headers = {"Authorization": "Bearer not_checked_when_auth_is_disabled"}
resp = await default_client.post(
@ -120,13 +134,16 @@ async def test_act_on_resource_logic(
action,
expected_response: bool,
):
body = {"service": service, "organisation": org, "resource": resource}
body = {
"rn": {"service": service, "organisation": org, "resource": resource},
"action": action,
}
headers = {
"Authorization": "Bearer not_checked_when_auth_is_disabled",
"X-API-Key": "123456789",
}
resp = await default_client.post(
f"/iam/can_act_on_resource?action={action}", json=body, headers=headers
"/iam/can_act_on_resource", json=body, headers=headers
)
data = resp.json()