Feat/arborist #138

paulineribeyre · 2019-09-11T23:17:29Z

Use Arborist + gen3authz for auth requests
- Use arborist's auth/mapping endpoint to get all the resources the user has access to, and parse the result to get the programs and projects the user has "peregrine read" access to
- Patch run.py so that gen3authz requests are mocked when we run peregrine locally
Unit tests:
- Bump sheepdog to 2.0.0
- Remove project_access from the test user tokens
- Remove the random_user fixture (only keep submitter and admin) since authorization doesn't depend on project access in the token anymore
- Delete unused file tests/auth_mock.py

Breaking Changes

Use Arborist + gen3authz for auth requests

Dependency updates

Add gen3authz dependency for auth requests

Deployment changes

Optional configuration variable ARBORIST (arborist base URL)
Requires Arborist to be deployed

vpsx

🎉 some minor comments + pending integration tests

vpsx · 2019-09-16T19:38:24Z

tests/conftest.py

+    """
+    This fixture returns a function which you call to mock the call to
+    arborist client's methods.
+    Parameter "mapping" lets us specify the response for a call to


auth_mapping

vpsx · 2019-09-16T19:40:52Z

tests/conftest.py

+                mocked_response = MagicMock(requests.Response)
+
+                if function_name == "auth_mapping":
+                    def mocked_items(*args, **kwargs):


unnecessary

vpsx · 2019-09-16T19:43:38Z

tests/conftest.py

+                if function_name == "create_resource":
+                    def mocked_get(*args, **kwargs):
+                        return None
+                    mocked_response.get = mocked_get


mocked_response.get = lambda *args, **kwargs: None ? :D :D

vpsx · 2019-09-16T19:53:43Z

peregrine/auth/__init__.py

+
+def resource_path_to_project_ids(resource_path):
+    parts = resource_path.strip('/').split('/')
+    if resource_path == "/" or (parts and parts[0] == "programs"):


Can we instead make this if not blah: early return, so that the rest of the fn need not be indented --> control flow is easier to read?

Also: I don't think parts will ever be empty, since (1) the separator is specified and (2) resource_path is not None (otherwise previous line will fail). But not a big deal either way

So maybe

if not (parts[0] == "programs" or resource_path == "/"): log bad resource path? return []

yes thank you!!
except it's not a bad resource path, it's just ignored by peregrine (eg /data_upload or /consent/xxx)

paulineribeyre added 2 commits September 11, 2019 17:27

feat(arborist): use arborist auth mapping for authz

2e16f07

feat(arborist): fix unit tests

03b14ca