Long term fix for scope creep

Author: loganbertram

apps/capabilities/permissions.py

@@ -37,20 +37,15 @@ def has_permission(self, request, view):
                 slug__in=token_scopes
             ).values_list('protected_resources', flat=True).all())
 
-            # this is a shorterm fix to reject all tokens that do not have either
-            # patient/coverage.read or patient/ExplanationOfBenefit.read
-            if ("patient/Coverage.read" in token_scopes) or ("patient/ExplanationOfBenefit.read" in token_scopes):
-                for scope in scopes:
-                    for method, path in json.loads(scope):
-                        if method != request.method:
-                            continue
-                        if path == request.path:
-                            return True
-                        if re.fullmatch(path, request.path) is not None:
-                            return True
-                return False
-            else:
-                return False
+            for scope in scopes:
+                for method, path in json.loads(scope):
+                    if method != request.method:
+                        continue
+                    if path == request.path:
+                        return True
+                    if re.fullmatch(path, request.path) is not None:
+                        return True
+            return False
         else:
             # BB2-237: Replaces ASSERT with exception. We should never reach here.
             mesg = ("TokenHasScope requires the `oauth2_provider.rest_framework.OAuth2Authentication`"

apps/capabilities/tests.py

@@ -1,5 +1,4 @@
 import json
-import unittest
 
 from django.contrib.auth.models import Group
 from django.test import TestCase
@@ -41,7 +40,6 @@ def setUp(self):
             protected_resources=json.dumps([["POST", "/path"]]),
         )
 
-    @unittest.skip("Broke with quick fix")
     def test_request_is_protected(self):
         request = SimpleRequest("scope")
         request.method = "GET"

apps/dot_ext/tests/demographic_scopes_test_cases.py

@@ -181,7 +181,7 @@
         "request_scopes": APPLICATION_SCOPES_FULL,
         # Result:
         "result_has_error": False,
-        "result_token_scopes_granted": APPLICATION_SCOPES_FULL,
+        "result_token_scopes_granted": APPLICATION_SCOPES_NON_DEMOGRAPHIC,
         "result_access_token_count": 1,
         "result_refresh_token_count": 1,
         "result_archived_token_count": 0,
@@ -221,7 +221,7 @@
         "request_scopes": APPLICATION_SCOPES_FULL,
         # Result:
         "result_has_error": False,
-        "result_token_scopes_granted": APPLICATION_SCOPES_FULL,
+        "result_token_scopes_granted": APPLICATION_SCOPES_NON_DEMOGRAPHIC,
         "result_access_token_count": 3,
         "result_refresh_token_count": 3,
         "result_archived_token_count": 1,
@@ -314,7 +314,7 @@
         "request_scopes": SCOPES_JUST_PATIENT_AND_A,
         # Result:
         "result_has_error": False,
-        "result_token_scopes_granted": SCOPES_JUST_PATIENT_AND_A,
+        "result_token_scopes_granted": SCOPES_JUST_A,
         "result_access_token_count": 3,
         "result_refresh_token_count": 3,
         "result_archived_token_count": 8,

apps/dot_ext/tests/test_views.py

@@ -1,6 +1,5 @@
 import json
 import base64
-import unittest
 from datetime import date, timedelta
 
 from django.conf import settings
@@ -163,18 +162,15 @@ def test_post_with_restricted_scopes_issues_token_with_same_scopes(self):
         # and here we test that only the capability-a scope has been issued
         self.assertEqual(content["scope"], "capability-a")
 
-    @unittest.skip("Broke with quick fix")
     def test_post_with_share_demographic_scopes(self):
         # Test with-out new_auth switch
         self.testing_post_with_share_demographic_scopes()
 
-    @unittest.skip("Broke with quick fix")
     @override_switch("new_auth", active=True)
     def test_post_with_share_demographic_scopes_new_auth_switch(self):
         # Test with new_auth switch.
         self.testing_post_with_share_demographic_scopes()
 
-    @unittest.skip("Broke with quick fix")
     @override_switch("require-scopes", active=True)
     def testing_post_with_share_demographic_scopes(self):
         """
@@ -206,6 +202,7 @@ def testing_post_with_share_demographic_scopes(self):
         # Loop through test cases in dictionary
         cases = VIEW_OAUTH2_SCOPES_TEST_CASES
         for case in cases:
+            print(case)
             # Setup request parameters for test case
             request_bene_share_demographic_scopes = cases[case][
                 "request_bene_share_demographic_scopes"

apps/dot_ext/views/authorization.py

@@ -6,6 +6,7 @@
 import waffle
 from waffle import get_waffle_flag_model
 
+from django.conf import settings
 from django.http.response import HttpResponse, HttpResponseBadRequest
 from django.template.response import TemplateResponse
 from django.utils.decorators import method_decorator
@@ -170,8 +171,15 @@ def form_valid(self, form):
         application_available_scopes = CapabilitiesScopes().get_available_scopes(application=application)
 
         # Set scopes to those available to application and beneficiary demographic info choices
-        scopes = ' '.join([s for s in scopes.split(" ")
-                          if s in application_available_scopes])
+        if share_demographic_scopes:
+            scopes = ' '.join(
+                [s for s in scopes.split(" ") if s in application_available_scopes]
+            )
+        else:
+            scopes = ' '.join(
+                [s for s in scopes.split(" ")
+                 if s in application_available_scopes and s not in settings.BENE_PERSONAL_INFO_SCOPES]
+            )
 
         # Init deleted counts
         data_access_grant_delete_cnt = 0