From 9c0243f37a33e137ec327ec3fb98a0bc37cefec9 Mon Sep 17 00:00:00 2001
From: Ignacio Heredia
Date: Mon, 23 Sep 2024 11:57:26 +0200
Subject: [PATCH] fix: avoid checking for vo membership in `get_user_info`
---
ai4papi/auth.py | 38 +++++++-------------------------------
1 file changed, 7 insertions(+), 31 deletions(-)
diff --git a/ai4papi/auth.py b/ai4papi/auth.py
index 24562e3..44bc09e 100644
--- a/ai4papi/auth.py
+++ b/ai4papi/auth.py
@@ -51,41 +51,17 @@ def get_user_info(token):
 detail="Invalid token",
 )

- # Check scopes
- # Scope can appear if non existent if user doesn't belong to any VO,
- # even if scope was requested in token.
- # VO do not need to be one of the project's (this is next check), but we can still
- # add the project VOs in the project detail.
- if user_infos.get('eduperson_entitlement') is None:
- raise HTTPException(
- status_code=401,
- detail="Check that (1) you enabled the `eduperson_entitlement` scope for" \
- "your token, and (2) you belong to at least one Virtual " \
- f"Organization supported by the project: {MAIN_CONF['auth']['VO']}",
- )
-
- # Parse Virtual Organizations manually from URNs
- # If more complexity is need in the future, check https://github.com/oarepo/urnparse
+ # Retrieve VOs the user belongs to
+ # VOs can be empty if the user does not belong to any VO, or the
+ # 'eduperson_entitlement wasn't correctly retrieved from the token
 vos = []
- for i in user_infos.get('eduperson_entitlement'):
+ for i in user_infos.get('eduperson_entitlement', []):
+ # Parse Virtual Organizations manually from URNs
+ # If more complexity is need in the future, check https://github.com/oarepo/urnparse
 ent_i = re.search(r"group:(.+?):", i)
 if ent_i: # your entitlement has indeed a group `tag`
 vos.append(ent_i.group(1))

- # Filter VOs to keep only the ones relevant to us
- vos = set(vos).intersection(
- set(MAIN_CONF['auth']['VO'])
- )
- vos = sorted(vos)
-
- # Check if VOs is empty after filtering
- if not vos:
- raise HTTPException(
- status_code=401,
- detail="You should belong to at least one of the Virtual Organizations " \
- f"supported by the project: {MAIN_CONF['auth']['VO']}.",
- )
-
 # Generate user info dict
 for k in ['sub', 'iss', 'name', 'email']:
 if user_infos.get(k) is None:
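Review bot: With both VO checks removed, `get_user_info` now succeeds for any token that validates, so project-VO authorization rests entirely on each caller running `check_vo_membership`; the callers are outside this patch, so every route that uses `get_user_info` alone should be confirmed not to need a VO gate. The collected `vos` is also no longer intersected with `MAIN_CONF['auth']['VO']`, deduplicated or sorted, so it can carry VOs foreign to the project and repeated entries; `vos = sorted(set(vos))` after the loop would at least keep the output deterministic. In the new loop header, `.get('eduperson_entitlement', [])` only covers a missing key: a claim that is present with a null value would still raise `TypeError` and surface as a 500, which `for i in user_infos.get('eduperson_entitlement') or []:` avoids. The body of `get_user_info` starts and ends outside the hunk.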
@@ -114,5 +90,5 @@ def check_vo_membership(
 if requested_vo not in user_vos:
 raise HTTPException(
 status_code=401,
- detail=f"The provided Virtual Organization does not match with any of your available VOs: {user_vos}."
+ detail=f"The requested Virtual Organization ({requested_vo}) does not match with any of your available VOs: {user_vos}."
 )
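Review bot: As far as this hunk shows, `check_vo_membership` only tests `requested_vo not in user_vos`, and after the first hunk `user_vos` is no longer restricted to the project's VOs, so a VO the user holds but the project does not support would pass unless `requested_vo` is validated elsewhere (the function starts outside the hunk). If it is not, a guard such as `if requested_vo not in MAIN_CONF['auth']['VO']:` raising the same `HTTPException` before this comparison would restore the old restriction. The caller at this point is authenticated but not authorised, so `status_code=403` would describe the failure better than 401 and keeps clients from treating it as an expired token. The new message also echoes `requested_vo` verbatim, which is fine in a JSON body but should be escaped by any client that renders the detail as HTML.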