feat: BI-6808 add always_deny auth method (#1470)

ovsds · web-flow · commit 222707fe3d16 · 2026-01-26T13:07:53.000+01:00
diff --git a/lib/dl_app_api_base/dl_app_api_base/__init__.py b/lib/dl_app_api_base/dl_app_api_base/__init__.py
@@ -8,8 +8,9 @@
     HttpServerSettings,
 )
 from .auth import (
-    NoAuthChecker,
-    NoAuthResult,
+    AlwaysAllowAuthChecker,
+    AlwaysAllowAuthResult,
+    AlwaysDenyAuthChecker,
     OAuthChecker,
     OAuthCheckerSettings,
     OAuthResult,
@@ -85,8 +86,9 @@
     "RequestAuthCheckerProtocol",
     "OAuthChecker",
     "OAuthResult",
-    "NoAuthChecker",
-    "NoAuthResult",
+    "AlwaysAllowAuthChecker",
+    "AlwaysAllowAuthResult",
+    "AlwaysDenyAuthChecker",
     "RouteMatcher",
     "OAuthCheckerSettings",
 ]
diff --git a/lib/dl_app_api_base/dl_app_api_base/app.py b/lib/dl_app_api_base/dl_app_api_base/app.py
@@ -117,7 +117,7 @@ async def _get_request_auth_checkers(
         self,
     ) -> list[auth.RequestAuthCheckerProtocol]:
         return [
-            auth.NoAuthChecker(
+            auth.AlwaysAllowAuthChecker(
                 route_matchers=[
                     auth.RouteMatcher(
                         path_regex=re.compile(r"^/api/v1/health/.*$"),
diff --git a/lib/dl_app_api_base/dl_app_api_base/auth/__init__.py b/lib/dl_app_api_base/dl_app_api_base/auth/__init__.py
@@ -1,8 +1,9 @@
 from .checkers import (
+    AlwaysAllowAuthChecker,
+    AlwaysAllowAuthResult,
+    AlwaysDenyAuthChecker,
     BaseRequestAuthChecker,
     BaseRequestAuthResult,
-    NoAuthChecker,
-    NoAuthResult,
     OAuthChecker,
     OAuthCheckerSettings,
     OAuthResult,
@@ -25,8 +26,9 @@
     "BaseRequestAuthChecker",
     "RequestAuthCheckerProtocol",
     "BaseRequestAuthResult",
-    "NoAuthChecker",
-    "NoAuthResult",
+    "AlwaysAllowAuthChecker",
+    "AlwaysAllowAuthResult",
+    "AlwaysDenyAuthChecker",
     "OAuthChecker",
     "OAuthCheckerSettings",
     "OAuthResult",
diff --git a/lib/dl_app_api_base/dl_app_api_base/auth/checkers/__init__.py b/lib/dl_app_api_base/dl_app_api_base/auth/checkers/__init__.py
@@ -1,12 +1,13 @@
+from .always_allow import (
+    AlwaysAllowAuthChecker,
+    AlwaysAllowAuthResult,
+)
+from .always_deny import AlwaysDenyAuthChecker
 from .base import (
     BaseRequestAuthChecker,
     BaseRequestAuthResult,
     RequestAuthCheckerProtocol,
 )
-from .no_auth import (
-    NoAuthChecker,
-    NoAuthResult,
-)
 from .oauth import (
     OAuthChecker,
     OAuthCheckerSettings,
@@ -18,9 +19,10 @@
     "BaseRequestAuthChecker",
     "RequestAuthCheckerProtocol",
     "BaseRequestAuthResult",
-    "NoAuthChecker",
-    "NoAuthResult",
+    "AlwaysAllowAuthChecker",
+    "AlwaysAllowAuthResult",
     "OAuthChecker",
     "OAuthCheckerSettings",
     "OAuthResult",
+    "AlwaysDenyAuthChecker",
 ]
diff --git a/lib/dl_app_api_base/dl_app_api_base/auth/checkers/always_allow.py b/lib/dl_app_api_base/dl_app_api_base/auth/checkers/always_allow.py
@@ -0,0 +1,14 @@
+import aiohttp.web
+import attr
+
+import dl_app_api_base.auth.checkers.base as auth_checkers_base
+
+
+class AlwaysAllowAuthResult(auth_checkers_base.BaseRequestAuthResult):
+    ...
+
+
+@attr.define(frozen=True, kw_only=True)
+class AlwaysAllowAuthChecker(auth_checkers_base.BaseRequestAuthChecker):
+    async def check(self, request: aiohttp.web.Request) -> AlwaysAllowAuthResult:
+        return AlwaysAllowAuthResult()
diff --git a/lib/dl_app_api_base/dl_app_api_base/auth/checkers/always_deny.py b/lib/dl_app_api_base/dl_app_api_base/auth/checkers/always_deny.py
@@ -0,0 +1,13 @@
+from typing import NoReturn
+
+import aiohttp.web
+import attr
+
+import dl_app_api_base.auth.checkers.base as auth_checkers_base
+import dl_app_api_base.auth.exc as auth_exc
+
+
+@attr.define(frozen=True, kw_only=True)
+class AlwaysDenyAuthChecker(auth_checkers_base.BaseRequestAuthChecker):
+    async def check(self, request: aiohttp.web.Request) -> NoReturn:
+        raise auth_exc.AuthFailureError("Always deny auth")
diff --git a/lib/dl_app_api_base/dl_app_api_base/auth/checkers/no_auth.py b/lib/dl_app_api_base/dl_app_api_base/auth/checkers/no_auth.py
diff --git a/lib/dl_app_api_base/dl_app_api_base_tests/unit/auth/middleware/test_always_allow.py b/lib/dl_app_api_base/dl_app_api_base_tests/unit/auth/middleware/test_always_allow.py
@@ -9,6 +9,6 @@ async def test_default(
     app_client: aiohttp.ClientSession,
 ) -> None:
     response = await app_client.get(
-        "/api/v1/no_auth/ping",
+        "/api/v1/always_allow/ping",
     )
     assert response.status == http.HTTPStatus.OK
diff --git a/lib/dl_app_api_base/dl_app_api_base_tests/unit/auth/middleware/test_always_deny.py b/lib/dl_app_api_base/dl_app_api_base_tests/unit/auth/middleware/test_always_deny.py
@@ -0,0 +1,14 @@
+import http
+
+import aiohttp
+import pytest
+
+
+@pytest.mark.asyncio
+async def test_default(
+    app_client: aiohttp.ClientSession,
+) -> None:
+    response = await app_client.get(
+        "/api/v1/always_deny/ping",
+    )
+    assert response.status == http.HTTPStatus.UNAUTHORIZED
diff --git a/lib/dl_app_api_base/dl_app_api_base_tests/unit/conftest.py b/lib/dl_app_api_base/dl_app_api_base_tests/unit/conftest.py
@@ -175,7 +175,7 @@ async def _get_request_auth_checkers(
         base_checkers = await super()._get_request_auth_checkers()
 
         return [
-            dl_app_api_base.NoAuthChecker(
+            dl_app_api_base.AlwaysAllowAuthChecker(
                 route_matchers=[
                     dl_app_api_base.RouteMatcher(
                         path_regex=re.compile(r"^/api/v1/counter"),
@@ -192,10 +192,18 @@ async def _get_request_auth_checkers(
                     )
                 ],
             ),
-            dl_app_api_base.NoAuthChecker(
+            dl_app_api_base.AlwaysAllowAuthChecker(
                 route_matchers=[
                     dl_app_api_base.RouteMatcher(
-                        path_regex=re.compile(r"^/api/v1/no_auth/.*"),
+                        path_regex=re.compile(r"^/api/v1/always_allow/.*"),
+                        methods=frozenset(["GET"]),
+                    ),
+                ],
+            ),
+            dl_app_api_base.AlwaysDenyAuthChecker(
+                route_matchers=[
+                    dl_app_api_base.RouteMatcher(
+                        path_regex=re.compile(r"^/api/v1/always_deny/.*"),
                         methods=frozenset(["GET"]),
                     ),
                 ],
@@ -237,7 +245,12 @@ async def _get_aiohttp_app_routes(
                 ),
                 dl_app_api_base.Route(
                     method="GET",
-                    path="/api/v1/no_auth/ping",
+                    path="/api/v1/always_allow/ping",
+                    handler=PingHandler(),
+                ),
+                dl_app_api_base.Route(
+                    method="GET",
+                    path="/api/v1/always_deny/ping",
                     handler=PingHandler(),
                 ),
             ]
diff --git a/lib/dl_app_api_base/dl_app_api_base_tests/unit/handlers/docs/expected_spec.json b/lib/dl_app_api_base/dl_app_api_base_tests/unit/handlers/docs/expected_spec.json
@@ -253,7 +253,57 @@
         }
       }
     },
-    "/api/v1/no_auth/ping": {
+    "/api/v1/always_allow/ping": {
+      "get": {
+        "tags": [],
+        "summary": "",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "properties": {
+                    "message": {
+                      "title": "Message",
+                      "type": "string"
+                    }
+                  },
+                  "required": [
+                    "message"
+                  ],
+                  "title": "ResponseSchema",
+                  "type": "object"
+                }
+              }
+            }
+          },
+          "400": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "properties": {
+                    "message": {
+                      "default": "Bad request",
+                      "title": "Message",
+                      "type": "string"
+                    },
+                    "code": {
+                      "default": "ERR.API.BAD_REQUEST",
+                      "title": "Code",
+                      "type": "string"
+                    }
+                  },
+                  "title": "BadRequestResponseSchema",
+                  "type": "object"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/always_deny/ping": {
       "get": {
         "tags": [],
         "summary": "",

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,6 @@ async def test_default(`
`9`	`9`	`app_client: aiohttp.ClientSession,`
`10`	`10`	`) -> None:`
`11`	`11`	`response = await app_client.get(`
`12`		`- "/api/v1/no_auth/ping",`
	`12`	`+ "/api/v1/always_allow/ping",`
`13`	`13`	`)`
`14`	`14`	`assert response.status == http.HTTPStatus.OK`