Some comments, prevent v3/userinfo from returning successfully if the flag is not enabled for that app

Author: JamesDemeryNava

apps/accounts/views/oauth2_profile.py

@@ -1,8 +1,12 @@
 from collections import OrderedDict
+from django.conf import settings
+from django.contrib.auth import get_user_model
 from django.http import JsonResponse
 from oauth2_provider.contrib.rest_framework import OAuth2Authentication
 from oauth2_provider.decorators import protected_resource
+from oauth2_provider.models import get_access_token_model, get_application_model
 from rest_framework.decorators import api_view, permission_classes, authentication_classes
+from waffle import get_waffle_flag_model
 
 from apps.authorization.permissions import DataAccessGrantPermission
 from apps.capabilities.permissions import TokenHasProtectedCapability
@@ -45,6 +49,19 @@ def _get_userinfo(user, version=Versions.NOT_AN_API_VERSION):
 @protected_resource()  # Django OAuth Toolkit -> resource_owner = AccessToken
 def _openidconnect_userinfo(request, version=Versions.NOT_AN_API_VERSION):
     # NOTE: The **kwargs are not used anywhere down the callchain, and are being ignored.
+    # 4250: Handling to ensure this only returns successfully if the flag is enabled for the application
+    # associated with the user making the call
+    if version == Versions.V3:
+        user = get_user_model().objects.get(username=request.resource_owner)
+        access_token = get_access_token_model().objects.get(user_id=user.id)
+        application = get_application_model().objects.get(id=access_token.application_id)
+        application_user = get_user_model().objects.get(id=application.user_id)
+        flag = get_waffle_flag_model().get('v3_early_adopter')
+        if flag.id is None or not flag.is_active_for_user(application_user):
+            return JsonResponse(
+                {'status_code': 403, 'message': settings.APPLICATION_DOES_NOT_HAVE_V3_ENABLED_YET.format(application.name)},
+                status=403,
+            )
 
     return JsonResponse(_get_userinfo(request.resource_owner, version))
 
@@ -58,6 +75,8 @@ def openidconnect_userinfo_v2(request):
 
 
 def openidconnect_userinfo_v3(request):
+    print("openidconnect_userinfo_v3 request: ", request.__dict__)
+    print("openidconnect_userinfo_v3 user: ", request.user.__dict__)
     return _openidconnect_userinfo(request, version=Versions.V3)
 
 

apps/dot_ext/views/authorization.py

@@ -150,19 +150,6 @@ def _has_param(self, request, key):
     def _check_for_required_params(self, request):
         missing_params = []
         v3 = True if request.path.startswith('/v3/o/authorize') else False
-        flag = get_waffle_flag_model().get("v3_early_adopter")
-        req_meta = request.META
-        url_query = parse_qs(req_meta.get('QUERY_STRING'))
-        client_id = url_query.get('client_id', [None])
-        try:
-            app = get_application_model().objects.get(client_id=client_id[0])
-            application_user = get_user_model().objects.get(id=app.user_id)
-            if flag.id is not None and flag.is_active_for_user(application_user):
-                print("flag is active for this user")
-            else:
-                print("flag is not active for this user")
-        except ObjectDoesNotExist:
-            print("object not found")
 
         if switch_is_active('require_pkce'):
             if not request.GET.get('code_challenge', None):
@@ -177,6 +164,8 @@ def _check_for_required_params(self, request):
                 error_message = "State parameter should have a minimum of 16 characters"
                 return JsonResponse({"status_code": 400, "message": error_message}, status=400)
 
+        # BB2-4250: This code will not execute if the application is not in the v3_early_adopter flag
+        # so it will not be modified as part of BB2-4250
         if switch_is_active('v3_endpoints') and v3:
             if 'scope' not in request.GET:
                 missing_params.append("scope")
@@ -452,8 +441,8 @@ def dispatch(self, request, uuid, *args, **kwargs):
         return result
 
 
+# @method_decorator(check_v3_endpoint_access, name="dispatch")
 @method_decorator(csrf_exempt, name="dispatch")
-@method_decorator(check_v3_endpoint_access, name="dispatch")
 class TokenView(DotTokenView):
 
     def validate_token_endpoint_request_body(self, request):

apps/fhir/bluebutton/views/search.py

@@ -186,6 +186,8 @@ def filter_parameters(self, request):
 
         query_schema = getattr(self, "QUERY_SCHEMA", {})
 
+        # BB2-4250: Does not seem that this code will execute given the new permission class
+        # so leaving it as is
         if waffle.switch_is_active('v3_endpoints'):
             query_schema['_tag'] = self.validate_tag()
             # _tag if presents, is a string value