Rename reviewer role to review_aiod_resources, make alias configurable (#487)

PGijsbers · web-flow · commit 05e8855e3d50 · 2025-03-18T10:11:24.000+02:00
diff --git a/.env b/.env
@@ -17,6 +17,7 @@ KEYCLOAK_CLIENT_SECRET="QJiOGn09eCEfnqAmcPP2l4vMU8grlmVQ"
 REDIRECT_URIS=http://${HOSTNAME}/docs/oauth2-redirect
 POST_LOGOUT_REDIRECT_URIS=http://${HOSTNAME}/aiod-auth/realms/aiod/protocol/openid-connect/logout
 AIOD_KEYCLOAK_PORT=8080
+REVIEWER_ROLE_NAME=review_aiod_resources
 
 EGICHECKINALIAS=
 
diff --git a/data/keycloak/data/import/aiod-realm.json b/data/keycloak/data/import/aiod-realm.json
@@ -53,14 +53,6 @@
       "clientRole" : false,
       "containerId" : "3df7e07d-ebbd-41c4-bc0c-1ba0e1a40ac5",
       "attributes" : { }
-    }, {
-      "id" : "ae367056-af48-4b9b-bec9-bfc57f91d218",
-      "name" : "reviewer",
-      "description" : "Allows reviewing of metadata assets",
-      "composite" : false,
-      "clientRole" : false,
-      "containerId" : "3df7e07d-ebbd-41c4-bc0c-1ba0e1a40ac5",
-      "attributes" : { }
     }, {
       "id" : "427c7161-bcf0-4f2d-a6fd-291dbad3db1a",
       "name" : "default-roles-aiod",
@@ -91,6 +83,14 @@
       "clientRole" : false,
       "containerId" : "3df7e07d-ebbd-41c4-bc0c-1ba0e1a40ac5",
       "attributes" : { }
+    }, {
+      "id" : "2acb73ad-574d-4b77-b5dc-0fa9fd2ec8d7",
+      "name" : "${REVIEWER_ROLE_NAME}",
+      "description" : "Can review submitted AIoD resources",
+      "composite" : false,
+      "clientRole" : false,
+      "containerId" : "3df7e07d-ebbd-41c4-bc0c-1ba0e1a40ac5",
+      "attributes" : { }
     } ],
     "client" : {
       "realm-management" : [ {
@@ -1232,7 +1232,7 @@
       "subType" : "authenticated",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper", "saml-role-list-mapper" ]
+        "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-usermodel-property-mapper", "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-address-mapper" ]
       }
     }, {
       "id" : "10f8b9b2-1038-4c98-b7a5-a9ac88fed69e",
@@ -1274,7 +1274,7 @@
       "subType" : "anonymous",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-usermodel-property-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "saml-role-list-mapper", "oidc-address-mapper" ]
+        "allowed-protocol-mapper-types" : [ "oidc-usermodel-property-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper" ]
       }
     }, {
       "id" : "1d21f027-e0ae-4b80-b95e-f21d9426f115",
diff --git a/data/keycloak/data/import/aiod-users-0.json b/data/keycloak/data/import/aiod-users-0.json
@@ -17,7 +17,7 @@
     } ],
     "disableableCredentialTypes" : [ ],
     "requiredActions" : [ ],
-    "realmRoles" : [ "reviewer", "default-roles-aiod" ],
+    "realmRoles" : [ "default-roles-aiod", "review_aiod_resources" ],
     "notBefore" : 0,
     "groups" : [ ]
   }, {
@@ -51,8 +51,8 @@
       "type" : "password",
       "userLabel" : "My password",
       "createdDate" : 1689685345632,
-      "secretData" : "{\"value\":\"VB2FW3ylhoLKfwSDNKgg3UR0RVtEDdilsVNmcmN8uQc=\",\"salt\":\"T/PRFYHhKbI1wyKGcQFwOw==\",\"additionalParameters\":{}}",
-      "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+      "secretData" : "{\"value\":\"fT1UBmMhrRt/Z/0DL5YdyFM/9yAP5YyE4DQOhHsD8DyEp66qo+ZQ5tGiMhCeBMTVFHoG4wOP3LakEXOCvtBADA==\",\"salt\":\"FL4nLEZy2MRRMb5rH8ylHA==\",\"additionalParameters\":{}}",
+      "credentialData" : "{\"hashIterations\":210000,\"algorithm\":\"pbkdf2-sha512\",\"additionalParameters\":{}}"
     } ],
     "disableableCredentialTypes" : [ ],
     "requiredActions" : [ ],
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -9,6 +9,7 @@ services:
       - ./src/config.override.toml:/app/config.override.toml:ro
     environment:
       - KEYCLOAK_CLIENT_SECRET=$KEYCLOAK_CLIENT_SECRET
+      - REVIEWER_ROLE_NAME=$REVIEWER_ROLE_NAME
       - ES_USER=$ES_USER
       - ES_PASSWORD=$ES_PASSWORD
     ports:
@@ -149,6 +150,7 @@ services:
     environment:
       - REDIRECT_URIS=$REDIRECT_URIS
       - POST_LOGOUT_REDIRECT_URIS=$POST_LOGOUT_REDIRECT_URIS
+      - REVIEWER_ROLE_NAME=$REVIEWER_ROLE_NAME
     ports:
       - ${AIOD_KEYCLOAK_PORT}:8080
     volumes:
diff --git a/src/authentication.py b/src/authentication.py
@@ -43,6 +43,7 @@
     realm_name=KEYCLOAK_CONFIG.get("realm"),
     verify=True,
 )
+_REVIEWER_ROLE = os.getenv("REVIEWER_ROLE_NAME")
 
 
 @dataclasses.dataclass
@@ -59,7 +60,8 @@ def has_any_role(self, *roles: str) -> bool:
 
     @property
     def is_reviewer(self):
-        return "reviewer" in self.roles
+        assert _REVIEWER_ROLE is not None, "Must configure role `reviewer` in config.toml file."  # noqa: S101
+        return _REVIEWER_ROLE in self.roles
 
 
 async def _get_user(token) -> KeycloakUser:
diff --git a/src/routers/review_router.py b/src/routers/review_router.py
@@ -143,12 +143,12 @@ def _review_resource(
     if submission is None:
         raise HTTPException(
             status_code=status.HTTP_400_BAD_REQUEST,
-            detail=f"No review with identifier {review.submission_identifier} found.",
+            detail=f"No submission with identifier {review.submission_identifier} found.",
         )
     if not submission.is_pending:
         raise HTTPException(
             status_code=status.HTTP_400_BAD_REQUEST,
-            detail="Review is no longer pending, no new decision may be made.",
+            detail="Submission is no longer pending review, no new decision may be made.",
         )
     register_user(user, session)
 
diff --git a/src/tests/authorization/test_authorization.py b/src/tests/authorization/test_authorization.py
@@ -1,9 +1,11 @@
 import contextlib
 import json
+import os
 from http import HTTPStatus
 from unittest.mock import Mock
 
 import pytest
+from dotenv import load_dotenv
 from starlette.testclient import TestClient
 
 from authentication import keycloak_openid, KeycloakUser
@@ -18,9 +20,13 @@
 from database.model.knowledge_asset.publication import Publication
 from routers.review_router import ListMode
 
+load_dotenv()
+
 ALICE = KeycloakUser("Alice", {"edit_aiod_resources"}, "alice-sub")
 BOB = KeycloakUser("Bob", {"edit_aiod_resources"}, "bob-sub")
-REVIEWER = KeycloakUser("Reviewer", {"reviewer", "edit_aiod_resources"}, "reviewer-sub")
+review_role = os.getenv("REVIEWER_ROLE_NAME")
+assert review_role, "The REVIEWER_ROLE_NAME environment variable must be set"
+REVIEWER = KeycloakUser("Reviewer", {review_role, "edit_aiod_resources"}, "reviewer-sub")
 
 
 def _register_user_in_db(user: KeycloakUser) -> KeycloakUser:

Original file line number	Diff line number	Diff line change
`@@ -143,12 +143,12 @@ def _review_resource(`
`143`	`143`	`if submission is None:`
`144`	`144`	`raise HTTPException(`
`145`	`145`	`status_code=status.HTTP_400_BAD_REQUEST,`
`146`		`- detail=f"No review with identifier {review.submission_identifier} found.",`
	`146`	`+ detail=f"No submission with identifier {review.submission_identifier} found.",`
`147`	`147`	`)`
`148`	`148`	`if not submission.is_pending:`
`149`	`149`	`raise HTTPException(`
`150`	`150`	`status_code=status.HTTP_400_BAD_REQUEST,`
`151`		`- detail="Review is no longer pending, no new decision may be made.",`
	`151`	`+ detail="Submission is no longer pending review, no new decision may be made.",`
`152`	`152`	`)`
`153`	`153`	`register_user(user, session)`
`154`	`154`