diff --git a/fence/auth.py b/fence/auth.py index 113459a5d..e7c1a1fb8 100644 --- a/fence/auth.py +++ b/fence/auth.py @@ -19,6 +19,7 @@ from fence.user import get_current_user from fence.utils import clear_cookies from fence.config import config +from fence.authz.auth import check_arborist_auth logger = get_logger(__name__) @@ -275,25 +276,9 @@ def get_user_from_claims(claims): ) -def admin_required(f): - """ - Require user to be an admin user. - """ - - @wraps(f) - def wrapper(*args, **kwargs): - if not flask.g.user: - raise Unauthorized("Require login") - if flask.g.user.is_admin is not True: - raise Unauthorized("Require admin user") - return f(*args, **kwargs) - - return wrapper - - def admin_login_required(function): - """Compose the login required and admin required decorators.""" - return login_required({"admin"})(admin_required(function)) + """Use the check_arborist_auth decorator checking on admin authorization.""" + return check_arborist_auth(["/services/fence/admin"], "*")(function) def _update_users_email(user, email): diff --git a/tests/admin/test_admin_users_endpoints.py b/tests/admin/test_admin_users_endpoints.py index 5a6d3a746..8416fb9d0 100644 --- a/tests/admin/test_admin_users_endpoints.py +++ b/tests/admin/test_admin_users_endpoints.py @@ -27,7 +27,7 @@ @pytest.fixture(autouse=True) def mock_arborist(mock_arborist_requests): - mock_arborist_requests() + mock_arborist_requests({"arborist/auth/request": {"POST": ({"auth": True}, 200)}}) # TODO: Not yet tested: PUT,DELETE /users//projects @@ -186,6 +186,18 @@ def test_get_user_username( assert r.json["username"] == "test_a" +def test_get_user_username_no_admin_auth( + client, encoded_admin_jwt, mock_arborist_requests +): + """GET /users/: [get_user]: rainy path where arborist authorization check fails""" + mock_arborist_requests({"arborist/auth/request": {"POST": ({"auth": False}, 200)}}) + r = client.get( + "/admin/users/test_a", headers={"Authorization": "Bearer " + encoded_admin_jwt} + ) + assert r.status_code == 403 + assert "user does not have privileges to access this endpoint" in r.text + + def test_get_user_long_username( client, admin_user, encoded_admin_jwt, db_session, test_user_long ):