indigo-dc / flaat

FLAsk with Access Tokens - FLAAT
MIT License

Exception during entitlement checking with non-conforming entitlements #63

Closed dianagudu closed 1 year ago

dianagudu commented 2 years ago

Improper exception handling when I have an entitlement that does not conform with the AARC G069 guideline.

My userinfo contains the following entitlements:

    "eduperson_entitlement": [
        "urn:geant:helmholtz.de:group:KIT#login-dev.helmholtz.de",
        ...
        "urn:mace:dir:entitlement:common-lib-terms"
    ]

The "urn:mace:dir:entitlement:common-lib-terms" entitlement does not contain any group authority, so parsing it using the aarc_entitlement lib fails, as expected:

    import aarc_entitlement
    norm_ent = aarc_entitlement.G069("urn:mace:dir:entitlement:common-lib-terms")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "python/3.10.5/lib/python3.10/site-packages/aarc_entitlement/__init__.py", line 417, in __init__
        super().__init__(entitlement)
      File "python/3.10.5/lib/python3.10/site-packages/aarc_entitlement/__init__.py", line 204, in __init__
        self._parse(self._preprocess(entitlement))
      File "python/3.10.5/lib/python3.10/site-packages/aarc_entitlement/__init__.py", line 141, in _parse
        raise ParseError(
    aarc_entitlement.ParseError: Entitlement does not conform to specification (need_group_authority=False): urn:mace:dir:entitlement:common-lib-terms

Flaat does catch this exception: https://github.com/indigo-dc/flaat/blob/44b4c7c0cdc077014ae8c4741d600aa6a3b84039/flaat/requirements.py#L315-L317 but raises another exception due to not checking for a None parse result:

    ...
      File "/usr/lib/motley-cue/lib/python3.9/site-packages/flaat/__init__.py", line 526, in async_wrapper
        ((args, kwargs), error_response) = self._run_work_flow_safe(*args, **kwargs)
      File "/usr/lib/motley-cue/lib/python3.9/site-packages/flaat/__init__.py", line 507, in _run_work_flow_safe
        return (self._run_work_flow(*args, **kwargs), None)
      File "/usr/lib/motley-cue/lib/python3.9/site-packages/flaat/__init__.py", line 495, in _run_work_flow
        self.check_user_authorization(user_infos)
      File "/usr/lib/motley-cue/lib/python3.9/site-packages/flaat/__init__.py", line 406, in check_user_authorization
        check_result = req.is_satisfied_by(user_infos)
      File "/usr/lib/motley-cue/lib/python3.9/site-packages/motley_cue/mapper/authorisation.py", line 54, in is_satisfied_by
        return op_authz.get_user_requirement().is_satisfied_by(user_infos)
      File "/usr/lib/motley-cue/lib/python3.9/site-packages/flaat/requirements.py", line 135, in is_satisfied_by
        check_result = req.is_satisfied_by(user_infos)
      File "/usr/lib/motley-cue/lib/python3.9/site-packages/flaat/requirements.py", line 163, in is_satisfied_by
        check_result = req.is_satisfied_by(user_infos)
      File "/usr/lib/motley-cue/lib/python3.9/site-packages/flaat/requirements.py", line 135, in is_satisfied_by
        check_result = req.is_satisfied_by(user_infos)
      File "/usr/lib/motley-cue/lib/python3.9/site-packages/flaat/requirements.py", line 249, in is_satisfied_by
        if self.matches(self.value, self.parse(val)):
      File "/usr/lib/motley-cue/lib/python3.9/site-packages/flaat/requirements.py", line 284, in matches
        return self._matches(required, available)
      File "/usr/lib/motley-cue/lib/python3.9/site-packages/flaat/requirements.py", line 322, in _matches
        return available.satisfies(required)
    AttributeError: 'NoneType' object has no attribute 'satisfies'

For reference, I use get_vo_requirement with the following list of required VOs:

    [
        "urn:geant:h-df.de:group:test-vo#login-dev.helmholtz.de",
        "urn:geant:helmholtz.de:group:Helmholtz-member#login-dev.helmholtz.de",
    ]
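The failure mode reported above, as an added example that is not flaat's or aarc_entitlement's code: an entitlement check that fails closed when a value cannot be parsed, so a non-conforming entitlement neither raises nor satisfies a requirement. The regex is a simplified stand-in for a G069 parser, and `Entitlement`, `parse_entitlement`, `matches` and `user_in_any_vo` are hypothetical names.

```python
import re
from typing import List, Optional

# Simplified stand-in for an AARC-G069 parser (assumption; NOT aarc_entitlement's grammar):
# <namespace>:group:<group>[:<subgroup>...][:role=<role>]#<authority>
_G069 = re.compile(
    r"^(?P<ns>urn:[^#]+?):group:(?P<group>[^:#]+)"
    r"(?P<subs>(?::(?!role=)[^:#]+)*)"
    r"(?::role=(?P<role>[^#]+))?#(?P<authority>.+)$"
)

class Entitlement:
    def __init__(self, m: "re.Match[str]") -> None:
        self.ns, self.group = m["ns"], m["group"]
        self.subs = [s for s in m["subs"].split(":") if s]
        self.role, self.authority = m["role"], m["authority"]

    def satisfies(self, required: "Entitlement") -> bool:
        # Same namespace/group/authority; required subgroups are a prefix of ours;
        # a role is compared only when the requirement names one.
        return (
            (self.ns, self.group, self.authority)
            == (required.ns, required.group, required.authority)
            and self.subs[: len(required.subs)] == required.subs
            and (required.role is None or self.role == required.role)
        )

def parse_entitlement(raw: str) -> Optional[Entitlement]:
    """Return None for a non-conforming value instead of raising."""
    m = _G069.match(raw)
    return Entitlement(m) if m else None

def matches(required: Optional[Entitlement], available: Optional[Entitlement]) -> bool:
    # Fail closed: an unparsable value never satisfies a requirement and never raises.
    if required is None or available is None:
        return False
    return available.satisfies(required)

def user_in_any_vo(required_vos: List[str], user_entitlements: List[str]) -> bool:
    required = [parse_entitlement(r) for r in required_vos]
    available = [parse_entitlement(e) for e in user_entitlements]
    return any(matches(r, a) for r in required for a in available)

# Values quoted in the issue (the elided "..." entries are left out).
REQUIRED_VOS = ["urn:geant:h-df.de:group:test-vo#login-dev.helmholtz.de",
                "urn:geant:helmholtz.de:group:Helmholtz-member#login-dev.helmholtz.de"]
USER_ENTITLEMENTS = ["urn:geant:helmholtz.de:group:KIT#login-dev.helmholtz.de",
                     "urn:mace:dir:entitlement:common-lib-terms"]
```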