From 7ed16628456d3c9946e4288bacda7a4195b61730 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sat, 27 Oct 2018 10:34:43 +0300
Subject: Change: check for required scopes
---
 muck/authz.py | 23 ++++++++++++++++++++---
 muck/authz_tests.py | 27 +++++++++++++++++++++------
 2 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/muck/authz.py b/muck/authz.py
index e9336b8..c48294c 100644
--- a/muck/authz.py
+++ b/muck/authz.py
@@ -13,10 +13,27 @@
 # along with this program. If not, see .
-# import muck
+import muck
 class AuthorizationChecker:
-    def request_is_allowed(self, r):
-        return False and r
+    def __init__(self, signing_key_text):
+        self._tc = muck.TokenChecker(signing_key_text.strip().encode('ascii'))
+
+    def request_is_allowed(self, r, required_scopes):
+        token = self._get_token(r)
+        if token is None:
+            return False
+
+        scope = token.get('scope', '')
+        scopes = set(scope.split())
+        required_scopes = set(required_scopes)
+        return scopes.intersection(required_scopes) == required_scopes
+
+    def _get_token(self, r):
+        authz = r.get_authorization()
+        try:
+            return self._tc.parse_header(authz)
+        except muck.Error:
+            return None
diff --git a/muck/authz_tests.py b/muck/authz_tests.py
index 7e16cbe..0128c6b 100644
--- a/muck/authz_tests.py
+++ b/muck/authz_tests.py
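Review bot: In request_is_allowed the 'scope' claim is assumed to be a string: `token.get('scope', '')` followed by `scope.split()` raises AttributeError instead of denying when an issuer encodes scope as a list or as JSON null, so the check does not fail closed on an unexpected claim shape. Guarding the type keeps the decision on the boolean path, e.g. `if not isinstance(scope, str): return False`. The final comparison is a subset test and reads more directly as `return set(required_scopes) <= scopes`, which also avoids rebinding the required_scopes parameter. _get_token only turns muck.Error into a denial; whether a request without an Authorization header reaches parse_header as None and is reported as muck.Error rather than some other exception is not visible here, though the new test for that case in authz_tests.py suggests it is. A docstring such as `"""Return True iff r carries a token the signing key verifies and whose 'scope' claim contains every scope in required_scopes."""` would state the all-of semantics the tests rely on.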
@@ -20,16 +20,31 @@ import muck
 class AuthorizationCheckerTests(unittest.TestCase):
-    def test_denies_if_token_parsing_fails(self):
+    def setUp(self):
+        self.ac = muck.AuthorizationChecker(muck.test_key_text)
+
+    def create_token(self, scopes):
         claims = {
-            'foo': 'bar',
+            'scope': ' '.join(scopes),
         }
-        token = muck.create_token(claims, muck.test_key_text)
+        return muck.create_token(claims, muck.test_key_text)
+    def create_request(self, scopes):
+        token = self.create_token(scopes)
         r = muck.Request(method='GET')
         r.add_headers({
-            'Authorization': 'Bearer {}'.format(token)
+            'Authorization': 'Bearer {}'.format(token),
         })
+        return r
+
+    def test_denies_if_token_parsing_fails(self):
+        r = muck.Request(method='GET')
+        self.assertFalse(self.ac.request_is_allowed(r, []))
+
+    def test_denies_if_token_lacks_required_scope(self):
+        r = self.create_request([])
+        self.assertFalse(self.ac.request_is_allowed(r, ['foo']))
-        ac = muck.AuthorizationChecker()
-        self.assertFalse(ac.request_is_allowed(r))
+    def test_allows_for_acceptable_request(self):
+        r = self.create_request(['foo'])
+        self.assertTrue(self.ac.request_is_allowed(r, ['foo']))
-- cgit v1.2.1
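Review bot: test_denies_if_token_parsing_fails now exercises only a request with no Authorization header, so nothing in the suite checks that a token whose signature does not verify is rejected, which is the property the signing key passed to AuthorizationChecker in setUp exists to enforce; a test that builds a token with a key other than muck.test_key_text, or alters the token string before sending it, and asserts denial would pin that. The scope tests cover an empty scope claim and an exact single match only; adding `self.assertFalse(self.ac.request_is_allowed(self.create_request(['foo']), ['foo', 'bar']))` and `self.assertTrue(self.ac.request_is_allowed(self.create_request(['foo', 'bar']), ['foo']))` would document that every required scope must be present while extra scopes are accepted. A request whose token carries scope 'foobar' checked against ['foo'] would also confirm whole-token rather than substring matching.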