fix: minor backend improvement part2

server/backend/api/app/integration/idim_proxy.py

@@ -1,8 +1,7 @@
 import logging
 
 import requests
-from api.app.requester import Requester
-from api.app.schemas import IdimProxySearchParamIdir
+from api.app.schemas import IdimProxySearchParamIdir, Requester
 from api.config import config
 
 LOGGER = logging.getLogger(__name__)

server/backend/api/app/jwt_validation.py

@@ -2,24 +2,18 @@
 import logging
 from urllib.request import urlopen
 
-from api.app.crud import crud_application
-from fastapi import Depends, HTTPException
-from fastapi.security import OAuth2AuthorizationCodeBearer
-from jose import jwt
-
 from api.app.constants import COGNITO_USERNAME_KEY
-
 # think that just importing config then access through its namespace makes code
 # easier to understand, ie:
 # import config
 # then
 # config.get_aws_region()
-from api.config.config import (
-    get_aws_region,
-    get_user_pool_domain_name,
-    get_user_pool_id,
-    get_oidc_client_id,
-)
+from api.config.config import (get_aws_region, get_oidc_client_id,
+                               get_user_pool_domain_name, get_user_pool_id)
+from fastapi import Depends, HTTPException
+from fastapi.security import OAuth2AuthorizationCodeBearer
+from jose import jwt
+from sqlalchemy.orm import Session
 
 JWT_GROUPS_KEY = "cognito:groups"
 JWT_CLIENT_ID_KEY = "client_id"
@@ -36,7 +30,6 @@
 ERROR_VALIDATION = "validation_failed"
 ERROR_GROUPS_REQUIRED = "authorization_groups_required"
 ERROR_PERMISSION_REQUIRED = "permission_required_for_operation"
-ERROR_INVALID_APPLICATION_ID = "invalid_application_id"
 
 aws_region = get_aws_region()
 user_pool_id = get_user_pool_id()
@@ -52,7 +45,6 @@
 
 _jwks = None
 
-
 def init_jwks():
     global _jwks
 
@@ -207,32 +199,6 @@ def authorize(claims: dict = Depends(validate_token)) -> dict:
     return claims
 
 
-def authorize_by_app_id(application_id, db, claims):
-    application = crud_application.get_application(application_id=application_id, db=db)
-    if not application:
-        raise HTTPException(
-            status_code=403,
-            detail={
-                "code": ERROR_INVALID_APPLICATION_ID,
-                "description": f"Application ID {application_id} not found",
-            },
-            headers={"WWW-Authenticate": "Bearer"},
-        )
-
-    required_role = f"{application.application_name.upper()}_ACCESS_ADMIN"
-    access_roles = get_access_roles(claims)
-
-    if required_role not in access_roles:
-        raise HTTPException(
-            status_code=403,
-            detail={
-                "code": ERROR_PERMISSION_REQUIRED,
-                "description": f"Operation requires role {required_role}",
-            },
-            headers={"WWW-Authenticate": "Bearer"},
-        )
-
-
 def get_access_roles(claims: dict = Depends(authorize)):
     groups = claims[JWT_GROUPS_KEY]
     return groups

server/backend/api/app/routers/router_application.py

@@ -1,11 +1,12 @@
 import logging
-
 from typing import List
+
 from api.app.crud import crud_application
+from api.app.routers.router_guards import authorize_by_app_id
 from fastapi import APIRouter, Depends, Response
 from sqlalchemy.orm import Session
-from .. import database, schemas, jwt_validation
 
+from .. import database, jwt_validation, schemas
 
 LOGGER = logging.getLogger(__name__)
 
@@ -40,21 +41,17 @@ def get_applications(
     "/{application_id}/fam_roles",
     response_model=List[schemas.FamApplicationRole],
     status_code=200,
+    dependencies=[Depends(authorize_by_app_id)] # Enforce application-level security
 )
 def get_fam_application_roles(
     application_id: int,
     db: Session = Depends(database.get_db),
-    token_claims: dict = Depends(jwt_validation.authorize)
 ):
     """gets the roles associated with an application
 
     :param application_id: application id
     :param db: database session, defaults to Depends(database.get_db)
     """
-
-    # Enforce application-level security
-    jwt_validation.authorize_by_app_id(application_id, db, token_claims)
-
     LOGGER.debug(f"Recieved application id: {application_id}")
     app_roles = crud_application.get_application_roles(
         application_id=application_id, db=db
@@ -66,21 +63,17 @@ def get_fam_application_roles(
     "/{application_id}/user_role_assignment",
     response_model=List[schemas.FamApplicationUserRoleAssignmentGet],
     status_code=200,
+    dependencies=[Depends(authorize_by_app_id)] # Enforce application-level security
 )
 def get_fam_application_user_role_assignment(
     application_id: int,
     db: Session = Depends(database.get_db),
-    token_claims: dict = Depends(jwt_validation.authorize)
 ):
     """gets the roles associated with an application
 
     :param application_id: application id
     :param db: database session, defaults to Depends(database.get_db)
     """
-
-    # Enforce application-level security
-    jwt_validation.authorize_by_app_id(application_id, db, token_claims)
-
     LOGGER.debug(f"Loading application role assigments for application_id: {application_id}")
     app_user_role_assignment = crud_application.get_application_role_assignments(
         db=db, application_id=application_id