From 6c7a5dc7f4902423022446dc5bfde99a06fd9f84 Mon Sep 17 00:00:00 2001
From: pieterlukasse
Date: Thu, 17 Oct 2024 15:19:02 +0200
Subject: [PATCH 1/3] feat: udpate admin_login_required decorator

---
 fence/auth.py | 21 +++------------------
 1 file changed, 3 insertions(+), 18 deletions(-)

diff --git a/fence/auth.py b/fence/auth.py
index 113459a5d..e7c1a1fb8 100644
--- a/fence/auth.py
+++ b/fence/auth.py
@@ -19,6 +19,7 @@
 from fence.user import get_current_user
 from fence.utils import clear_cookies
 from fence.config import config
+from fence.authz.auth import check_arborist_auth
 
 logger = get_logger(__name__)
 
@@ -275,25 +276,9 @@ def get_user_from_claims(claims):
     )
 
 
-def admin_required(f):
-    """
-    Require user to be an admin user.
-    """
-
-    @wraps(f)
-    def wrapper(*args, **kwargs):
-        if not flask.g.user:
-            raise Unauthorized("Require login")
-        if flask.g.user.is_admin is not True:
-            raise Unauthorized("Require admin user")
-        return f(*args, **kwargs)
-
-    return wrapper
-
-
 def admin_login_required(function):
-    """Compose the login required and admin required decorators."""
-    return login_required({"admin"})(admin_required(function))
+    """Use the check_arborist_auth decorator checking on admin authorization."""
+    return check_arborist_auth(["/services/fence/admin"], "*")(function)
 
 
 def _update_users_email(user, email):

From db5c0e29eb759b7270f0f2a5bf0970e9dbe3bc81 Mon Sep 17 00:00:00 2001
From: pieterlukasse
Date: Tue, 5 Nov 2024 20:07:47 +0100
Subject: [PATCH 2/3] fix: update /admin/user tests to mock arborist call

---
 tests/admin/test_admin_users_endpoints.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/admin/test_admin_users_endpoints.py b/tests/admin/test_admin_users_endpoints.py
index 5a6d3a746..81f578673 100644
--- a/tests/admin/test_admin_users_endpoints.py
+++ b/tests/admin/test_admin_users_endpoints.py
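Review bot: The new `admin_login_required` drops the `login_required({"admin"})` layer, so the explicit "admin" scope requirement on the presented token is gone and the admission decision now rests entirely on `check_arborist_auth` and the Arborist policy for `/services/fence/admin`; whether `check_arborist_auth` itself rejects a request with no valid token before calling Arborist is not visible in this diff. If the scope check is meant to survive the migration, keep the composition, `return login_required({"admin"})(check_arborist_auth(["/services/fence/admin"], "*")(function))`; if dropping it is intentional, the docstring should say so rather than only naming the decorator used. Either way the docstring should state the contract, e.g. `"""Require Arborist authorization on resource /services/fence/admin for any method ("*"); authentication and scope handling are delegated to check_arborist_auth."""`. With `admin_required` removed, `wraps` and `Unauthorized` may no longer be used in this module — worth checking, since the import block is outside the hunk.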
@@ -27,7 +27,7 @@
 
 @pytest.fixture(autouse=True)
 def mock_arborist(mock_arborist_requests):
-    mock_arborist_requests()
+    mock_arborist_requests({"arborist/auth/request": {"POST": ({"auth": True}, 200)}})
 
 
 # TODO: Not yet tested: PUT,DELETE /users//projects

From b583a70fa5b7caed748f7e4dd9199e11143cb718 Mon Sep 17 00:00:00 2001
From: pieterlukasse
Date: Tue, 5 Nov 2024 22:11:38 +0100
Subject: [PATCH 3/3] feat: add rainy path test for when arborist check fails

---
 tests/admin/test_admin_users_endpoints.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tests/admin/test_admin_users_endpoints.py b/tests/admin/test_admin_users_endpoints.py
index 81f578673..8416fb9d0 100644
--- a/tests/admin/test_admin_users_endpoints.py
+++ b/tests/admin/test_admin_users_endpoints.py
@@ -186,6 +186,18 @@ def test_get_user_username(
     assert r.json["username"] == "test_a"
 
 
+def test_get_user_username_no_admin_auth(
+    client, encoded_admin_jwt, mock_arborist_requests
+):
+    """GET /users/: [get_user]: rainy path where arborist authorization check fails"""
+    mock_arborist_requests({"arborist/auth/request": {"POST": ({"auth": False}, 200)}})
+    r = client.get(
+        "/admin/users/test_a", headers={"Authorization": "Bearer " + encoded_admin_jwt}
+    )
+    assert r.status_code == 403
+    assert "user does not have privileges to access this endpoint" in r.text
+
+
 def test_get_user_long_username(
     client, admin_user, encoded_admin_jwt, db_session, test_user_long
 ):
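Review bot: The autouse `mock_arborist` fixture now answers every `arborist/auth/request` POST with `{"auth": True}` regardless of what resource or method the request carries, so none of the module's sunny-path tests can tell whether `admin_login_required` actually asks Arborist about `/services/fence/admin` or about something else. If the `mock_arborist_requests` helper records the calls it receives (not visible here), at least one positive test should assert that the posted request names the `/services/fence/admin` resource; otherwise a comment on the fixture, `# grants every authz request unconditionally; the resource/method sent is not verified`, would make the limitation explicit to the next reader.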
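Review bot: `test_get_user_username_no_admin_auth` covers only the explicit deny (`{"auth": False}` with a 200), but the other failure mode of an external authorization check — Arborist returning an error or being unreachable — is the one that must fail closed and it has no test. The mock's `(body, status)` pair makes that easy to drive; the exact status code the endpoint returns on an Arborist error depends on `check_arborist_auth`'s handling, which this diff does not show, so the test below only pins that the request is not served. The added test function lies entirely within the hunk.
```python
def test_get_user_username_arborist_error(
    client, encoded_admin_jwt, mock_arborist_requests
):
    """GET /users/: [get_user]: rainy path where the arborist call itself fails"""
    mock_arborist_requests({"arborist/auth/request": {"POST": ({}, 500)}})
    r = client.get(
        "/admin/users/test_a", headers={"Authorization": "Bearer " + encoded_admin_jwt}
    )
    # must fail closed; the exact code depends on check_arborist_auth's error handling
    assert r.status_code >= 400
```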