diff --git a/src/fides/api/api/v1/endpoints/user_endpoints.py b/src/fides/api/api/v1/endpoints/user_endpoints.py
index 78dc45b5273..35143795b00 100644
--- a/src/fides/api/api/v1/endpoints/user_endpoints.py
+++ b/src/fides/api/api/v1/endpoints/user_endpoints.py
@@ -116,7 +116,7 @@ def _validate_current_user(user_id: str, user_from_token: FidesUser) -> None:
 status_code=HTTP_200_OK,
 response_model=UserResponse,
 )
-async def update_user(
+def update_user(
 *,
 db: Session = Depends(deps.get_db),
 authorization: str = Security(oauth2_scheme),
@@ -136,7 +136,7 @@ async def update_user(
 is_this_user = user.id == current_user.id
 if not is_this_user:
-await verify_oauth_client(
+verify_oauth_client(
 security_scopes=Security(verify_oauth_client, scopes=[USER_UPDATE]),
 authorization=authorization,
 db=db,
@@ -317,7 +317,7 @@ def update_managed_systems(
 urls.SYSTEM_MANAGER,
 response_model=List[SystemSchema],
 )
-async def get_managed_systems(
+def get_managed_systems(
 *,
 db: Session = Depends(deps.get_db),
 authorization: str = Security(oauth2_scheme),
@@ -337,7 +337,7 @@ async def get_managed_systems(
 # User must have a specific scope to be able to read another user's systems
 user = validate_user_id(db, user_id)
-await verify_oauth_client(
+verify_oauth_client(
 security_scopes=Security(verify_oauth_client, scopes=[SYSTEM_MANAGER_READ]),
 authorization=authorization,
 db=db,
@@ -350,7 +350,7 @@ async def get_managed_systems(
 urls.SYSTEM_MANAGER_DETAIL,
 response_model=SystemSchema,
 )
-async def get_managed_system_details(
+def get_managed_system_details(
 *,
 authorization: str = Security(oauth2_scheme),
 db: Session = Depends(deps.get_db),
@@ -366,7 +366,7 @@ async def get_managed_system_details(
 if current_user and current_user.id == user_id:
 user = current_user
 else:
-await verify_oauth_client(
+verify_oauth_client(
 security_scopes=Security(verify_oauth_client, scopes=[SYSTEM_MANAGER_READ]),
 authorization=authorization,
 db=db,
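Review bot: In the `@@ -136` hunk the direct call passes `security_scopes=Security(verify_oauth_client, scopes=[USER_UPDATE])`, a FastAPI dependency marker, to a parameter that `verify_oauth_client` declares as `security_scopes: SecurityScopes` (visible in the `oauth/utils.py` hunk further down); the `@@ -337` and `@@ -366` hunks do the same with `SYSTEM_MANAGER_READ`. This presumably works only because both objects happen to expose a `.scopes` list, and it is inconsistent with `user_permission_endpoints.py`, which passes `SecurityScopes([...])` to the same function. I would change each call to `security_scopes=SecurityScopes([USER_UPDATE]),` (resp. `SecurityScopes([SYSTEM_MANAGER_READ])`), importing `SecurityScopes` if the module lacks it. `update_user`, `get_managed_systems` and `get_managed_system_details` all continue outside their hunks.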
diff --git a/src/fides/api/api/v1/endpoints/user_permission_endpoints.py b/src/fides/api/api/v1/endpoints/user_permission_endpoints.py
index 4a039c4f130..7d091159814 100644
--- a/src/fides/api/api/v1/endpoints/user_permission_endpoints.py
+++ b/src/fides/api/api/v1/endpoints/user_permission_endpoints.py
@@ -41,14 +41,14 @@ def validate_user_id(db: Session, user_id: str) -> FidesUser:
 return user
-async def owner_role_permission_check(
+def owner_role_permission_check(
 db: Session, roles: List[RoleRegistryEnum], authorization: str
 ) -> None:
 """Extra permissions check to assert that the token possesses the USER_PERMISSION_ASSIGN_OWNERS scope if attempting to make another user an owner.
 """
 if OWNER in roles:
-await verify_oauth_client(
+verify_oauth_client(
 security_scopes=SecurityScopes([USER_PERMISSION_ASSIGN_OWNERS]),
 authorization=authorization,
 db=db,
@@ -61,7 +61,7 @@ async def owner_role_permission_check(
 status_code=HTTP_201_CREATED,
 response_model=UserPermissionsResponse,
 )
-async def create_user_permissions(
+def create_user_permissions(
 *,
 db: Session = Depends(deps.get_db),
 user_id: str,
@@ -76,7 +76,7 @@ async def create_user_permissions(
 detail="This user already has permissions set.",
 )
-await owner_role_permission_check(db, permissions.roles, authorization)
+owner_role_permission_check(db, permissions.roles, authorization)
 if user.client:
 # Just in case - this shouldn't happen in practice.
 user.client.update(db=db, data=permissions.model_dump(mode="json"))
@@ -91,7 +91,7 @@ async def create_user_permissions(
 dependencies=[Security(verify_oauth_client, scopes=[USER_PERMISSION_UPDATE])],
 response_model=UserPermissionsResponse,
 )
-async def update_user_permissions(
+def update_user_permissions(
 *,
 db: Session = Depends(deps.get_db),
 user_id: str,
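Review bot: `owner_role_permission_check` in the `@@ -41` hunk returns `None` and, now that it is synchronous, reports a failed check only by whatever `verify_oauth_client` raises, so callers such as `create_user_permissions` in the `@@ -76` hunk invoke it purely for that side effect; the docstring does not say so. I would add to it: `Raises AuthorizationError (propagated from verify_oauth_client) when OWNER is among roles and the token lacks USER_PERMISSION_ASSIGN_OWNERS.` — the exception type is the one `tests/lib/test_oauth_util.py` below expects from `verify_oauth_client`, so confirm it is not translated on the way up. The closing of the `verify_oauth_client(...)` call lies outside the hunk.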
@@ -106,7 +106,7 @@ async def update_user_permissions(
 user = validate_user_id(db, user_id)
 logger.info("Updated FidesUserPermission record")
-await owner_role_permission_check(db, permissions.roles, authorization)
+owner_role_permission_check(db, permissions.roles, authorization)
 if user.client:
 user.client.update(db=db, data={"roles": permissions.roles})
@@ -132,7 +132,7 @@ async def update_user_permissions(
 urls.USER_PERMISSIONS,
 response_model=UserPermissionsResponse,
 )
-async def get_user_permissions(
+def get_user_permissions(
 *,
 db: Session = Depends(deps.get_db),
 authorization: str = Security(oauth2_scheme),
@@ -156,7 +156,7 @@ async def get_user_permissions(
 # To look up the permissions of another user, that user must exist and the current user must
 # have permission to read users.
 validate_user_id(db, user_id)
-await verify_oauth_client(
+verify_oauth_client(
 security_scopes=SecurityScopes([USER_PERMISSION_READ]),
 authorization=authorization,
 db=db,
diff --git a/src/fides/api/oauth/system_manager_oauth_util.py b/src/fides/api/oauth/system_manager_oauth_util.py
index 63912aded6a..9f50dcc9d32 100644
--- a/src/fides/api/oauth/system_manager_oauth_util.py
+++ b/src/fides/api/oauth/system_manager_oauth_util.py
@@ -73,7 +73,7 @@ def _get_system_from_fides_key(
 return resp
-async def verify_oauth_client_for_system_from_request_body(
+def verify_oauth_client_for_system_from_request_body(
 security_scopes: SecurityScopes,
 authorization: str = Security(oauth2_scheme),
 db: Session = Depends(get_db),
diff --git a/src/fides/api/oauth/utils.py b/src/fides/api/oauth/utils.py
index b9c937138a6..551d3c4d5bf 100644
--- a/src/fides/api/oauth/utils.py
+++ b/src/fides/api/oauth/utils.py
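Review bot: In the `@@ -106` hunk `logger.info("Updated FidesUserPermission record")` runs before `owner_role_permission_check(db, permissions.roles, authorization)` can reject the request and before `user.client.update(...)` writes anything, so the log claims a role change that may never have happened; for a record of permission changes that ordering is misleading. I would move the log below the check, i.e. `owner_role_permission_check(db, permissions.roles, authorization)` followed by `logger.info("Updated FidesUserPermission record")`, or better still after the actual update that follows. `update_user_permissions` starts and ends outside this hunk.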
@@ -73,13 +73,13 @@ def copy_func(source_function: Callable) -> Callable:
 return updated_target_function
-async def get_current_user(
+def get_current_user(
 security_scopes: SecurityScopes,
 authorization: str = Security(oauth2_scheme),
 db: Session = Depends(get_db),
 ) -> FidesUser:
 """A wrapper around verify_oauth_client that returns that client's user if one exists."""
-client = await verify_oauth_client(
+client = verify_oauth_client(
 security_scopes=security_scopes,
 authorization=authorization,
 db=db,
@@ -253,7 +253,7 @@ async def get_root_client(
 return client
-async def verify_oauth_client(
+def verify_oauth_client(
 security_scopes: SecurityScopes,
 authorization: str = Security(oauth2_scheme),
 db: Session = Depends(get_db),
diff --git a/tests/lib/test_oauth_util.py b/tests/lib/test_oauth_util.py
index 212be17919a..01dd0c93096 100644
--- a/tests/lib/test_oauth_util.py
+++ b/tests/lib/test_oauth_util.py
@@ -70,16 +70,16 @@ def test_is_token_expired(issued_at, token_duration_min, expected):
 assert is_token_expired(issued_at, token_duration_min) is expected
-async def test_verify_oauth_malformed_oauth_client(db):
+def test_verify_oauth_malformed_oauth_client(db):
 with pytest.raises(AuthorizationError):
-await verify_oauth_client(
+verify_oauth_client(
 SecurityScopes([USER_READ]),
 authorization="invalid",
 db=db,
 )
-async def test_verify_oauth_client_no_issued_at(db, config, user):
+def test_verify_oauth_client_no_issued_at(db, config, user):
 payload = {
 JWE_PAYLOAD_SCOPES: [USER_READ],
 JWE_PAYLOAD_CLIENT_ID: user.client.id,
@@ -91,14 +91,14 @@ async def test_verify_oauth_client_no_issued_at(db, config, user):
 config.security.app_encryption_key,
 )
 with pytest.raises(AuthorizationError):
-await verify_oauth_client(
+verify_oauth_client(
 SecurityScopes([USER_READ]),
 token,
 db=db,
 )
-async def test_verify_oauth_client_expired(db, config, user):
+def test_verify_oauth_client_expired(db, config, user):
 scope = [USER_READ]
 payload = {
 JWE_PAYLOAD_SCOPES: scope,
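Review bot: The `@@ -253` hunk header shows `get_root_client` is still `async def` while `verify_oauth_client` directly beneath it becomes synchronous; if `get_root_client` (its body is outside the hunk) still awaits `verify_oauth_client`, that now raises `TypeError` at request time — it fails closed, but it should be confirmed, and no test in this diff covers it. Since the check now signals failure only by raising on the caller's thread, I would also state that in the docstring of `verify_oauth_client`: `Raises AuthorizationError if the token is malformed, expired, carries no client id, or its scopes/roles do not cover security_scopes` — the cases `tests/lib/test_oauth_util.py` below exercises. The signature of `verify_oauth_client` continues outside the hunk.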
@@ -111,14 +111,14 @@ async def test_verify_oauth_client_expired(db, config, user):
 config.security.app_encryption_key,
 )
 with pytest.raises(AuthorizationError):
-await verify_oauth_client(
+verify_oauth_client(
 SecurityScopes(scope),
 token,
 db=db,
 )
-async def test_verify_oauth_client_no_client_id(db, config):
+def test_verify_oauth_client_no_client_id(db, config):
 scope = [USER_READ]
 payload = {
 JWE_PAYLOAD_SCOPES: scope,
@@ -131,14 +131,14 @@ async def test_verify_oauth_client_no_client_id(db, config):
 config.security.app_encryption_key,
 )
 with pytest.raises(AuthorizationError):
-await verify_oauth_client(
+verify_oauth_client(
 SecurityScopes(scope),
 token,
 db=db,
 )
-async def test_verify_oauth_client_no_client(db, config, user):
+def test_verify_oauth_client_no_client(db, config, user):
 scopes = [USER_READ]
 payload = {
 JWE_PAYLOAD_SCOPES: scopes,
@@ -153,14 +153,14 @@ async def test_verify_oauth_client_no_client(db, config, user):
 user.client.delete(db)
 assert user.client is None
 with pytest.raises(AuthorizationError):
-await verify_oauth_client(
+verify_oauth_client(
 SecurityScopes(scopes),
 token,
 db=db,
 )
-async def test_verify_oauth_client_wrong_security_scope(db, config, user):
+def test_verify_oauth_client_wrong_security_scope(db, config, user):
 payload = {
 JWE_PAYLOAD_SCOPES: [USER_DELETE],
 JWE_PAYLOAD_CLIENT_ID: user.client.id,
@@ -172,14 +172,14 @@ async def test_verify_oauth_client_wrong_security_scope(db, config, user):
 config.security.app_encryption_key,
 )
 with pytest.raises(AuthorizationError):
-await verify_oauth_client(
+verify_oauth_client(
 SecurityScopes([USER_READ]),
 token,
 db=db,
 )
-async def test_verify_oauth_client_wrong_client_scope(db, config, user):
+def test_verify_oauth_client_wrong_client_scope(db, config, user):
 scopes = [USER_READ]
 payload = {
 JWE_PAYLOAD_SCOPES: scopes,
@@ -193,7 +193,7 @@ async def test_verify_oauth_client_wrong_client_scope(db, config, user):
 )
 user.client.scopes = [USER_DELETE]
 with pytest.raises(AuthorizationError):
-await verify_oauth_client(
+verify_oauth_client(
 SecurityScopes(scopes),
 token,
 db=db,
@@ -201,7 +201,7 @@ async def test_verify_oauth_client_wrong_client_scope(db, config, user):
 class TestVerifyOauthClientRoles:
-async def test_token_does_not_have_roles(self, db, config):
+def test_token_does_not_have_roles(self, db, config):
 """Test that roles aren't required to be on the token - scopes can still be assigned directly"""
 client, _ = ClientDetail.create_client_and_secret(
 db,
@@ -220,14 +220,14 @@ async def test_token_does_not_have_roles(self, db, config):
 json.dumps(payload),
 config.security.app_encryption_key,
 )
-verified_client = await verify_oauth_client(
+verified_client = verify_oauth_client(
 SecurityScopes([PRIVACY_REQUEST_REVIEW]),
 token,
 db=db,
 )
 assert client == verified_client
-async def test_verify_oauth_client_roles(self, db, config, owner_user):
+def test_verify_oauth_client_roles(self, db, config, owner_user):
 """Test token has a valid role and the client also has the matching role Scopes aren't directly assigned but the user inherits the USER_READ scope via the OWNER role.
@@ -241,14 +241,14 @@ async def test_verify_oauth_client_roles(self, db, config, owner_user):
 json.dumps(payload),
 config.security.app_encryption_key,
 )
-client = await verify_oauth_client(
+client = verify_oauth_client(
 SecurityScopes([PRIVACY_REQUEST_REVIEW]),
 token,
 db=db,
 )
 assert client == owner_user.client
-async def test_no_roles_on_client(self, db, config, user):
+def test_no_roles_on_client(self, db, config, user):
 """Test token has a role with the correct scopes but that role is not on the client"""
 payload = {
 JWE_PAYLOAD_ROLES: [OWNER],
@@ -260,13 +260,13 @@ async def test_no_roles_on_client(self, db, config, user):
 config.security.app_encryption_key,
 )
 with pytest.raises(AuthorizationError):
-await verify_oauth_client(
+verify_oauth_client(
 SecurityScopes([PRIVACY_REQUEST_REVIEW]),
 token,
 db=db,
 )
-async def test_no_roles_on_client_but_has_scopes_coverage(self, db, config, user):
+def test_no_roles_on_client_but_has_scopes_coverage(self, db, config, user):
 """Test roles on token are outdated but token still has scopes coverage"""
 user.client.scopes = [PRIVACY_REQUEST_REVIEW]
 user.client.save(db)
@@ -280,16 +280,14 @@ async def test_no_roles_on_client_but_has_scopes_coverage(self, db, config, user
 json.dumps(payload),
 config.security.app_encryption_key,
 )
-client = await verify_oauth_client(
+client = verify_oauth_client(
 SecurityScopes([PRIVACY_REQUEST_REVIEW]),
 token,
 db=db,
 )
 assert client == user.client
-async def test_token_does_not_have_role_with_coverage(
-self, db, config, viewer_user
-):
+def test_token_does_not_have_role_with_coverage(self, db, config, viewer_user):
 """Test token only has a viewer role, which is not enough to view the particular endpoint as it is missing DATASET_CREATE_OR_UPDATE scopes
 """
@@ -305,7 +303,7 @@ async def test_token_does_not_have_role_with_coverage(
 )
 with pytest.raises(AuthorizationError):
-await verify_oauth_client(
+verify_oauth_client(
 SecurityScopes([DATASET_CREATE_OR_UPDATE]),
 token,
 db=db,
diff --git a/tests/lib/test_system_oauth_util.py b/tests/lib/test_system_oauth_util.py
index db741769a8b..34c94b4b074 100644
--- a/tests/lib/test_system_oauth_util.py
+++ b/tests/lib/test_system_oauth_util.py
@@ -36,7 +36,7 @@ class TestHasSystemPermissions:
 as well. As long as you have the right scope, you can work with the given resource.
 """
-async def test_owner_role_can_always_update_system(self, owner_user, db, system):
+def test_owner_role_can_always_update_system(self, owner_user, db, system):
 payload = {
 JWE_PAYLOAD_ROLES: [OWNER],
 JWE_PAYLOAD_CLIENT_ID: owner_user.client.id,
@@ -47,7 +47,7 @@ async def test_owner_role_can_always_update_system(self, owner_user, db, system)
 CONFIG.security.app_encryption_key,
 )
 # Note token doesn't have system on it, but the user is an owner
-response = await verify_oauth_client_for_system_from_request_body(
+response = verify_oauth_client_for_system_from_request_body(
 security_scopes=SecurityScopes(scopes=[SYSTEM_UPDATE]),
 authorization=token,
 db=db,
@@ -58,9 +58,7 @@ async def test_owner_role_can_always_update_system(self, owner_user, db, system)
 assert response == system.fides_key
-async def test_viewer_role_alone_cannot_update_system(
-self, viewer_user, db, system
-):
+def test_viewer_role_alone_cannot_update_system(self, viewer_user, db, system):
 payload = {
 JWE_PAYLOAD_ROLES: [VIEWER],
 JWE_PAYLOAD_CLIENT_ID: viewer_user.client.id,
@@ -72,7 +70,7 @@ async def test_viewer_role_alone_cannot_update_system(
 )
 # Note token doesn't have system on it, and user is only a viewer
 with pytest.raises(AuthorizationError):
-await verify_oauth_client_for_system_from_request_body(
+verify_oauth_client_for_system_from_request_body(
 security_scopes=SecurityScopes(scopes=[SYSTEM_UPDATE]),
 authorization=token,
 db=db,
@@ -81,7 +79,7 @@ async def test_viewer_role_alone_cannot_update_system(
 ),
 )
-async def test_viewer_is_also_system_manager(self, system_manager, db, system):
+def test_viewer_is_also_system_manager(self, system_manager, db, system):
 payload = {
 JWE_PAYLOAD_ROLES: [VIEWER],
 JWE_PAYLOAD_CLIENT_ID: system_manager.client.id,
@@ -93,7 +91,7 @@ async def test_viewer_is_also_system_manager(self, system_manager, db, system):
 CONFIG.security.app_encryption_key,
 )
-await verify_oauth_client_for_system_from_request_body(
+verify_oauth_client_for_system_from_request_body(
 security_scopes=SecurityScopes(scopes=[SYSTEM_UPDATE]),
 authorization=token,
 db=db,
@@ -104,7 +102,7 @@ async def test_viewer_is_also_system_manager(self, system_manager, db, system):
 assert True
-async def test_system_manager_no_system_found(self, system_manager, db, system):
+def test_system_manager_no_system_found(self, system_manager, db, system):
 payload = {
 JWE_PAYLOAD_ROLES: [VIEWER],
 JWE_PAYLOAD_CLIENT_ID: system_manager.client.id,
@@ -117,7 +115,7 @@ async def test_system_manager_no_system_found(self, system_manager, db, system):
 )
 with pytest.raises(AuthorizationError):
-await verify_oauth_client_for_system_from_request_body(
+verify_oauth_client_for_system_from_request_body(
 security_scopes=SecurityScopes(scopes=[SYSTEM_UPDATE]),
 authorization=token,
 db=db,
@@ -126,9 +124,7 @@ async def test_system_manager_no_system_found(self, system_manager, db, system):
 ),
 )
-async def test_system_manager_systems_not_on_token(
-self, system_manager, db, system
-):
+def test_system_manager_systems_not_on_token(self, system_manager, db, system):
 payload = {
 JWE_PAYLOAD_ROLES: [VIEWER],
 JWE_PAYLOAD_CLIENT_ID: system_manager.client.id,
@@ -141,7 +137,7 @@ async def test_system_manager_systems_not_on_token(
 )
 with pytest.raises(AuthorizationError):
-await verify_oauth_client_for_system_from_request_body(
+verify_oauth_client_for_system_from_request_body(
 security_scopes=SecurityScopes(scopes=[SYSTEM_UPDATE]),
 authorization=token,
 db=db,
@@ -150,7 +146,7 @@ async def test_system_manager_systems_not_on_token(
 ),
 )
-async def test_system_manager_client_cannot_issue_systems(
+def test_system_manager_client_cannot_issue_systems(
 self, system_manager, db, system
 ):
 system_manager.client.systems = []
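Review bot: The call in the `@@ -93` hunk discards the return value of `verify_oauth_client_for_system_from_request_body`, and the test then ends with `assert True` (the first context line of the following `@@ -104` hunk), so a regression in which the check passes but resolves the wrong system would go unnoticed; `test_owner_role_can_always_update_system` above checks `assert response == system.fides_key`, and the system-manager path presumably returns the same value. I would capture the result, `response = verify_oauth_client_for_system_from_request_body(`, and replace `assert True` with `assert response == system.fides_key`. `test_viewer_is_also_system_manager` starts and ends outside this hunk.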
@@ -168,7 +164,7 @@ async def test_system_manager_client_cannot_issue_systems(
 )
 with pytest.raises(AuthorizationError):
-await verify_oauth_client_for_system_from_request_body(
+verify_oauth_client_for_system_from_request_body(
 security_scopes=SecurityScopes(scopes=[SYSTEM_UPDATE]),
 authorization=token,
 db=db,
@@ -177,7 +173,7 @@ async def test_system_manager_client_cannot_issue_systems(
 ),
 )
-async def test_system_manager_does_not_have_proper_scope_for_given_endpoint(
+def test_system_manager_does_not_have_proper_scope_for_given_endpoint(
 self, system_manager, db, system
 ):
 payload = {
@@ -192,7 +188,7 @@ async def test_system_manager_does_not_have_proper_scope_for_given_endpoint(
 )
 with pytest.raises(AuthorizationError):
-await verify_oauth_client_for_system_from_request_body(
+verify_oauth_client_for_system_from_request_body(
 security_scopes=SecurityScopes(scopes=[POLICY_CREATE_OR_UPDATE]),
 authorization=token,
 db=db,