use any/all to clarify, allow lists of regexps and add more test

Author: leifj

src/satosa/micro_services/attribute_authorization.py

@@ -16,18 +16,14 @@ def __init__(self, config, *args, **kwargs):
         self.attribute_deny = config.get("attribute_deny", {})
 
     def _check_authz(self, context, attributes, requester, provider):
-        for attribute_name, attribute_filter in _filters(self.attribute_allow, requester, provider):
-            regex = re.compile(attribute_filter)
+        for attribute_name, attribute_filters in _filters(self.attribute_allow, requester, provider):
             if attribute_name in attributes:
-                print(repr(regex))
-                print(list(filter(regex.search, attributes[attribute_name])))
-                if not list(filter(regex.search, attributes[attribute_name])):
+                if not any([any(filter(re.compile(af).search, attributes[attribute_name])) for af in attribute_filters]):
                     raise SATOSAAuthenticationError(context.state, "Permission denied")
 
-        for attribute_name, attribute_filter in _filters(self.attribute_deny, requester, provider):
-            regex = re.compile(attribute_filter)
+        for attribute_name, attribute_filters in _filters(self.attribute_deny, requester, provider):
             if attribute_name in attributes:
-                if len(list(filter(regex.search, attributes[attribute_name]))) != len(attributes[attribute_name]):
+                if any([any(filter(re.compile(af).search, attributes[attribute_name])) for af in attribute_filters]):
                     raise SATOSAAuthenticationError(context.state, "Permission denied")
 
     def process(self, context, data):

tests/satosa/micro_services/test_attribute_authorization.py

@@ -10,9 +10,9 @@ def create_authz_service(self, attribute_allow, attribute_deny):
         authz_service.next = lambda ctx, data: data
         return authz_service
 
-    def test_authz_allow(self):
+    def test_authz_allow_success(self):
         attribute_allow = {
-           "": { "default": {"a0": '.+@.+'} }
+           "": { "default": {"a0": ['.+@.+']} }
         }
         attribute_deny = {}
         authz_service = self.create_authz_service(attribute_allow, attribute_deny)
@@ -27,9 +27,9 @@ def test_authz_allow(self):
         except SATOSAAuthenticationError as ex:
            assert False
 
-    def test_authz_not_allow(self):
+    def test_authz_allow_fail(self):
         attribute_allow = {
-           "": { "default": {"a0": 'foo'} }
+           "": { "default": {"a0": ['foo1','foo2']} }
         }
         attribute_deny = {}
         authz_service = self.create_authz_service(attribute_allow, attribute_deny)
@@ -41,5 +41,58 @@ def test_authz_not_allow(self):
            ctx = Context()
            ctx.state = dict()
            authz_service.process(ctx, resp)
+           assert False
+        except SATOSAAuthenticationError as ex:
+           assert True
+
+    def test_authz_allow_second(self):
+        attribute_allow = {
+           "": { "default": {"a0": ['foo1','foo2']} }
+        }
+        attribute_deny = {}
+        authz_service = self.create_authz_service(attribute_allow, attribute_deny)
+        resp = InternalResponse(AuthenticationInformation(None, None, None))
+        resp.attributes = {
+            "a0": ["foo2","kaka"],
+        }
+        try:
+           ctx = Context()
+           ctx.state = dict()
+           authz_service.process(ctx, resp)
+        except SATOSAAuthenticationError as ex:
+           assert False
+
+    def test_authz_deny_success(self):
+        attribute_deny = {
+           "": { "default": {"a0": ['foo1','foo2']} }
+        }
+        attribute_allow = {}
+        authz_service = self.create_authz_service(attribute_allow, attribute_deny)
+        resp = InternalResponse(AuthenticationInformation(None, None, None))
+        resp.attributes = {
+            "a0": ["foo2"],
+        }
+        try:
+           ctx = Context()
+           ctx.state = dict()
+           authz_service.process(ctx, resp)
+           assert False
         except SATOSAAuthenticationError as ex:
            assert True
+
+    def test_authz_deny_fail(self):
+        attribute_deny = {
+           "": { "default": {"a0": ['foo1','foo2']} }
+        }
+        attribute_allow = {}
+        authz_service = self.create_authz_service(attribute_allow, attribute_deny)
+        resp = InternalResponse(AuthenticationInformation(None, None, None))
+        resp.attributes = {
+            "a0": ["foo3"],
+        }
+        try:
+           ctx = Context()
+           ctx.state = dict()
+           authz_service.process(ctx, resp)
+        except SATOSAAuthenticationError as ex:
+           assert False