Interim; testing an idea.

Author: jadudm

apps/authorization/permissions.py

@@ -9,6 +9,7 @@ class DataAccessGrantPermission(permissions.BasePermission):
     """
     Permission check for a Grant related to the token used.
     """
+
     def has_permission(self, request, view) -> bool:  # type: ignore
         dag = None
         try:

apps/capabilities/permissions.py

@@ -8,6 +8,10 @@
 
 from .models import ProtectedCapability
 
+import apps.logging.request_logger as logging
+
+logger = logging.getLogger(logging.DEBUG_GENERAL)
+
 
 class BBCapabilitiesPermissionTokenScopeMissingException(APIException):
     # BB2-237 custom exception
@@ -17,6 +21,7 @@ class BBCapabilitiesPermissionTokenScopeMissingException(APIException):
 class TokenHasProtectedCapability(permissions.BasePermission):
 
     def has_permission(self, request, view) -> bool:  # type: ignore
+        logger.warning({"has_permission": "start"})
         token = request.auth
         access_token_query_param = request.GET.get("access_token", None)
 
@@ -27,9 +32,11 @@ def has_permission(self, request, view) -> bool:  # type: ignore
             )
 
         if not token:
+            logger.warning("has_permission: not token")
             return False
 
         if not switch_is_active("require-scopes"):
+            logger.warning("has_permission: switch_is_active('require-scopes')")
             return True
 
         if hasattr(token, "scope"):  # OAuth 2
@@ -43,17 +50,33 @@ def has_permission(self, request, view) -> bool:  # type: ignore
                 slug__in=token_scopes
             ).values_list('protected_resources', flat=True).all())
 
+            logger.warning({"token_scopes": token_scopes, "scopes": scopes})
+
             for scope in scopes:
                 for method, path in json.loads(scope):
+                    logger.warning({"scope in scopes": scope,
+                                    "method": method,
+                                    "path": path,
+                                    "request.method": request.method,
+                                    "request.path": request.path})
                     if method != request.method:
+                        logger.warning({"A": 1})
+                        logger.warning({"request_method": request.method})
                         continue
                     if path == request.path:
+                        logger.warning({"A": 2})
+                        logger.warning({"path == request.path": (path == request.path)})
                         return True
                     if re.fullmatch(path, request.path) is not None:
+                        logger.warning({"A": 3})
                         return True
+                    logger.warning({"end-of-scope-in-scopes loop": "here"})
+
+            logger.warning("has_permission: scope not matched/found")
             return False
         else:
             # BB2-237: Replaces ASSERT with exception. We should never reach here.
             mesg = ("TokenHasScope requires the `oauth2_provider.rest_framework.OAuth2Authentication`"
                     " authentication class to be used.")
+            logger.warning("has_permission: end of line scope missing exception")
             raise BBCapabilitiesPermissionTokenScopeMissingException(mesg)

apps/fhir/bluebutton/views/insurancecard.py

@@ -3,11 +3,14 @@
                                               ResourcePermission,
                                               ApplicationActivePermission)
 from apps.authorization.permissions import DataAccessGrantPermission
-from apps.capabilities.permissions import TokenHasProtectedCapability
+# FIXME: removed for local testing
+# from apps.capabilities.permissions import TokenHasProtectedCapability
 from django.http import JsonResponse
 
 from rest_framework import permissions  # pyright: ignore[reportMissingImports]
 
+from apps.versions import noisy_has_permission
+
 
 def _is_not_empty(s: set) -> bool:
     if len(s) > 0:
@@ -56,12 +59,12 @@ class DigitalInsuranceCardView(FhirDataView):
 
     permission_classes = [
         permissions.IsAuthenticated,
-        ApplicationActivePermission,
-        ResourcePermission,
-        SearchCrosswalkPermission,
-        DataAccessGrantPermission,
-        TokenHasProtectedCapability,
-        HasDigitalInsuranceCardScope,
+        noisy_has_permission(ApplicationActivePermission),
+        noisy_has_permission(ResourcePermission),
+        noisy_has_permission(SearchCrosswalkPermission),
+        noisy_has_permission(DataAccessGrantPermission),
+        # noisy_has_permission(TokenHasProtectedCapability),
+        noisy_has_permission(HasDigitalInsuranceCardScope),
     ]
 
     # FIXME: Are these required here? Or, can I put them in the permission class?
@@ -103,11 +106,13 @@ def has_permission(self, request, view):
         # if required_scopes is None:
         #     return False
         # return request.user.is_authenticated and hasattr(request.user, 'crosswalk')
+        print("HAS_PERMISSION IN DIGITALINSURANCECARD")
         return True
 
     def build_parameters(self, request):
+        print("BUILD_PARAMETERS IN DIGITALINSURANCECARD")
         return {
-            '_format': 'application/json'
+            '_format': 'application/fhir+json'
         }
 
     def build_url(self, fhir_settings, resource_type, resource_id=None, *args, **kwargs):

apps/logging/request_logger.py

@@ -28,6 +28,7 @@
 AUDIT_CREDS_REQUEST_LOGGER = "audit.creds.request"
 AUDIT_APPLICATION_TYPE_CHANGE = "audit.application.type.change"
 PERFORMANCE_LOGGER = 'performance'
+DEBUG_GENERAL = "debug.general_logger"
 
 LOGGER_NAMES = [
     AUDIT_BASIC_LOGGER,

apps/versions.py

@@ -2,6 +2,18 @@
 # we should use this class as opposed to interned strings.
 # e.g. A use of 'v1' should become Versions.V1.
 
+def noisy_has_permission(original_class):
+    orig_has_perm = original_class.has_permission
+
+    def has_permission(self, request, view):
+        class_obj = self.__class__
+        class_name = class_obj.__name__
+        print(f" --> has_permission: {class_name} <--")
+        return orig_has_perm(self, request, view)
+
+    original_class.has_permission = has_permission
+    return original_class
+
 
 class VersionNotMatched(Exception):
     """