Ensure 403s are thrown if an application is not in the v3_early_adopter waffle_flag. Working for read/search v3 calls, v3 auth/token flows (still need to add to some other auth views)

Author: JamesDemeryNava

apps/dot_ext/views/authorization.py

@@ -4,6 +4,7 @@
 from functools import wraps
 from time import strftime
 
+from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.contrib.auth.views import redirect_to_login
 from django.http import JsonResponse
@@ -15,7 +16,8 @@
 from django.views.decorators.debug import sensitive_post_parameters
 from apps.dot_ext.constants import TOKEN_ENDPOINT_V3_KEY
 from oauth2_provider.exceptions import OAuthToolkitError
-from oauth2_provider.views.base import app_authorized, get_access_token_model
+from oauth2_provider.views.base import app_authorized
+from oauth2_provider.models import get_refresh_token_model, get_access_token_model
 from oauth2_provider.views.base import AuthorizationView as DotAuthorizationView
 from oauth2_provider.views.base import TokenView as DotTokenView
 from oauth2_provider.views.base import RevokeTokenView as DotRevokeTokenView
@@ -30,6 +32,7 @@
 import html
 from apps.dot_ext.scopes import CapabilitiesScopes
 import apps.logging.request_logger as bb2logging
+from apps.versions import Versions
 
 from ..signals import beneficiary_authorized_application
 from ..forms import SimpleAllowForm
@@ -43,6 +46,7 @@
 )
 from ..models import Approval
 from ..utils import (
+    get_api_version_number_from_url,
     remove_application_user_pair_tokens_data_access,
     validate_app_is_active,
     json_response_from_oauth2_error,
@@ -75,8 +79,50 @@ def _wrapped(request, *args, **kwargs):
     return _wrapped
 
 
+def check_v3_endpoint_access(view_func):
+    @wraps(view_func)
+    def _wrapped(request, *args, **kwargs):
+        # 4250-TODO how do we not call this so many times?
+        path_info = request.__dict__.get('path_info')
+        version = get_api_version_number_from_url(path_info)
+        if version != Versions.V3:
+            return view_func(request, *args, **kwargs)
+
+        flag = get_waffle_flag_model().get('v3_early_adopter')
+        req_meta = request.META
+        url_query = parse_qs(req_meta.get('QUERY_STRING'))
+        client_id = url_query.get('client_id', [None])
+        try:
+            if client_id[0]:
+                application = get_application_model().objects.get(client_id=client_id[0])
+            else:
+                url_query = parse_qs(request._body.decode('utf-8'))
+                refresh_token_from_request = url_query.get('refresh_token', [None])
+                refresh_token = get_refresh_token_model().objects.get(token=refresh_token_from_request[0])
+                application = get_application_model().objects.get(id=refresh_token.application_id)
+
+            application_user = get_user_model().objects.get(id=application.user_id)
+
+            if flag.id is not None and flag.is_active_for_user(application_user):
+                return view_func(request, *args, **kwargs)
+            else:
+                return JsonResponse(
+                    {'status_code': 403, 'message': settings.APPLICATION_DOES_NOT_HAVE_V3_ENABLED_YET.format(application.name)},
+                    status=403,
+                )
+        except ObjectDoesNotExist:
+            # 4250-TODO Do we need this?
+            return JsonResponse(
+                {'status_code': 500, 'message': 'Error retrieving data'},
+                status=500,
+            )
+
+    return _wrapped
+
+
 @method_decorator(csrf_exempt, name="dispatch")
 @method_decorator(require_post_state_decorator, name="dispatch")
+@method_decorator(check_v3_endpoint_access, name="dispatch")
 class AuthorizationView(DotAuthorizationView):
     """
     Override the base authorization view from dot to
@@ -407,6 +453,7 @@ def dispatch(self, request, uuid, *args, **kwargs):
 
 
 @method_decorator(csrf_exempt, name="dispatch")
+@method_decorator(check_v3_endpoint_access, name="dispatch")
 class TokenView(DotTokenView):
 
     def validate_token_endpoint_request_body(self, request):

apps/fhir/bluebutton/permissions.py

@@ -2,8 +2,11 @@
 
 from django.conf import settings
 from django.contrib.auth import get_user_model
+from oauth2_provider.views.base import get_access_token_model
+from oauth2_provider.models import get_application_model
 from rest_framework import permissions, exceptions
-from rest_framework.exceptions import AuthenticationFailed
+from rest_framework.exceptions import AuthenticationFailed, PermissionDenied
+from waffle import get_waffle_flag_model
 from .constants import ALLOWED_RESOURCE_TYPES
 from apps.versions import Versions, VersionNotMatched
 
@@ -106,3 +109,25 @@ def has_permission(self, request, view):
             )
 
         return True
+
+
+class V3EarlyAdopterPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        print("IN HAS_PERMISSION OF V3EarlyAdopterPermission")
+        print("V3EarlyAdopterPermission request: ", request.__dict__)
+        print("V3EarlyAdopterPermission view: ", view.__dict__)
+        # if it is not version 3, we do not need to check the waffle switch or flag
+        if view.version < Versions.V3:
+            return True
+
+        token = get_access_token_model().objects.get(token=request._auth)
+        application = get_application_model().objects.get(id=token.application_id)
+        application_user = get_user_model().objects.get(id=application.user_id)
+        flag = get_waffle_flag_model().get('v3_early_adopter')
+
+        if flag.id is not None and flag.is_active_for_user(application_user):
+            return True
+        else:
+            raise PermissionDenied(
+                settings.APPLICATION_DOES_NOT_HAVE_V3_ENABLED_YET.format(application.name)
+            )

apps/fhir/bluebutton/views/read.py

@@ -2,7 +2,12 @@
 
 from apps.authorization.permissions import DataAccessGrantPermission
 from apps.capabilities.permissions import TokenHasProtectedCapability
-from ..permissions import (ReadCrosswalkPermission, ResourcePermission, ApplicationActivePermission)
+from ..permissions import (
+    ReadCrosswalkPermission,
+    ResourcePermission,
+    ApplicationActivePermission,
+    V3EarlyAdopterPermission
+)
 from apps.fhir.bluebutton.views.generic import FhirDataView
 
 
@@ -21,6 +26,7 @@ class ReadView(FhirDataView):
         ReadCrosswalkPermission,
         DataAccessGrantPermission,
         TokenHasProtectedCapability,
+        V3EarlyAdopterPermission,
     ]
 
     def __init__(self, version=1):

apps/fhir/bluebutton/views/search.py

@@ -16,7 +16,12 @@
 from apps.fhir.bluebutton.views.generic import FhirDataView
 from apps.authorization.permissions import DataAccessGrantPermission
 from apps.capabilities.permissions import TokenHasProtectedCapability
-from ..permissions import (SearchCrosswalkPermission, ResourcePermission, ApplicationActivePermission)
+from ..permissions import (
+    SearchCrosswalkPermission,
+    ResourcePermission,
+    ApplicationActivePermission,
+    V3EarlyAdopterPermission
+)
 
 
 class HasSearchScope(permissions.BasePermission):
@@ -42,7 +47,8 @@ class SearchView(FhirDataView):
         SearchCrosswalkPermission,
         DataAccessGrantPermission,
         TokenHasProtectedCapability,
-        HasSearchScope
+        HasSearchScope,
+        V3EarlyAdopterPermission,
     ]
 
     # Regex to match a valid _lastUpdated value that can begin with lt, le, gt and ge operators

hhs_oauth_server/settings/base.py

@@ -610,6 +610,13 @@
     'and consent to share their data.'
 )
 
+APPLICATION_DOES_NOT_HAVE_V3_ENABLED_YET = (
+    'This application, {}, does not yet have access to v3 endpoints.'
+    ' If you are the app maintainer, please contact the Blue Button API team.'
+    ' If you are a Medicare Beneficiary and need assistance, please contact'
+    ' the support team for the application you are trying to access.'
+)
+
 FHIR_CLIENT_CERTSTORE = env(
     "DJANGO_FHIR_CERTSTORE",
     os.path.join(BASE_DIR, os.environ.get("DJANGO_FHIR_CERTSTORE_REL", "../certstore")),