uc-cdis · rudyardrichter · May 9, 2019 · Apr 2, 2019 · Apr 2, 2019 · Apr 3, 2019
diff --git a/bin/fence-create b/bin/fence-create
@@ -5,6 +5,8 @@ import os
 import sys
 import logging
 
+from cdislogging import get_logger
+
 from fence.jwt import keys
 from fence.config import config
 from fence.scripting.fence_create import (
@@ -95,9 +97,7 @@ def parse_arguments():
         default=False,
     )
     client_create.add_argument(
-        "--policies",
-        help="which RBAC policies are granted to this client",
-        nargs="*",
+        "--policies", help="which RBAC policies are granted to this client", nargs="*"
     )
 
     client_modify = subparsers.add_parser("client-modify")
@@ -123,7 +123,7 @@ def parse_arguments():
     client_modify.add_argument(
         "--policies",
         help="which RBAC policies are granted to this client; if given, "
-             "previous policies will be revoked",
+        "previous policies will be revoked",
         nargs="*",
     )
 
@@ -354,7 +354,10 @@ def main():
     )
     arborist = None
     if args.arborist:
-        arborist = ArboristClient(arborist_base_url=args.arborist)
+        arborist = ArboristClient(
+            arborist_base_url=args.arborist,
+            logger=get_logger("user_syncer.arborist_client"),
+        )
 
     if args.action == "create":
         yaml_input = args.__dict__["yaml-input"]

diff --git a/fence/__init__.py b/fence/__init__.py
@@ -16,7 +16,9 @@
 from fence.rbac.client import ArboristClient
 from fence.resources.aws.boto_manager import BotoManager
 from fence.resources.openid.google_oauth2 import GoogleOauth2Client as GoogleClient
-from fence.resources.openid.microsoft_oauth2 import MicrosoftOauth2Client as MicrosoftClient
+from fence.resources.openid.microsoft_oauth2 import (
+    MicrosoftOauth2Client as MicrosoftClient
+)
 from fence.resources.openid.orcid_oauth2 import OrcidOauth2Client as ORCIDClient
 from fence.resources.storage import StorageManager
 from fence.resources.user.user_session import UserSessionInterface
@@ -27,7 +29,6 @@
 import fence.blueprints.data
 import fence.blueprints.login
 import fence.blueprints.oauth2
-import fence.blueprints.rbac
 import fence.blueprints.misc
 import fence.blueprints.storage_creds
 import fence.blueprints.user
@@ -102,9 +103,6 @@ def app_register_blueprints(app):
     google_blueprint = fence.blueprints.google.make_google_blueprint()
     app.register_blueprint(google_blueprint, url_prefix="/google")
 
-    if config.get("ARBORIST"):
-        app.register_blueprint(fence.blueprints.rbac.blueprint, url_prefix="/rbac")
-
     fence.blueprints.misc.register_misc(app)
 
     @app.route("/")

diff --git a/fence/auth.py b/fence/auth.py
@@ -22,6 +22,25 @@
 logger = get_logger(__name__)
 
 
+def get_jwt():
+    """
+    Return the user's JWT from authorization header. Requires flask application context.
+
+    Raises:
+        - Unauthorized, if header is missing or not in the correct format
+    """
+    header = flask.request.headers.get("Authorization")
+    if not header:
+        raise Unauthorized("missing authorization header")
+    try:
+        bearer, token = header.split(" ")
+    except ValueError:
+        raise Unauthorized("authorization header not in expected format")
+    if bearer.lower() != "bearer":
+        raise Unauthorized("expected bearer token in auth header")
+    return token
+
+
 def build_redirect_url(hostname, path):
     """
     Compute a redirect given a hostname and next path where

diff --git a/fence/blueprints/data/indexd.py b/fence/blueprints/data/indexd.py
@@ -11,6 +11,8 @@
 import requests
 
 from fence.auth import (
+    get_jwt,
+    has_oauth,
     current_token,
     login_required,
     set_current_token,
@@ -343,6 +345,18 @@ def set_acls(self):
         else:
             raise Unauthorized("This file is not accessible")
 
+    def check_rbac(self, action):
+        if not self.index_document.get("rbac"):
+            raise ValueError("index record missing `rbac`")
+        request = {
+            "user": {"token": get_jwt()},
+            "request": {
+                "resource": self.index_document["rbac"],
+                "action": {"service": "fence", "method": action},
+            },
+        }
+        return flask.current_app.arborist.auth_request(request)
+
     @cached_property
     def metadata(self):
         return self.index_document.get("metadata", {})
@@ -364,6 +378,17 @@ def check_authorization(self, action):
                 username = flask.g.user.username
             return self.index_document.get("uploader") == username
 
+        try:
+            action_to_method = {"upload": "write-storage", "download": "read-storage"}
+            method = action_to_method[action]
+            # action should be upload or download
+            # return bool for authorization
+            return self.check_rbac(method)
+        except ValueError:
+            # this is ok; we'll default to ACL field (previous behavior)
+            # may want to deprecate in future
+            pass
+
         if flask.g.token is None:
             given_acls = set(filter_auth_ids(action, flask.g.user.project_access))
         else:

diff --git a/fence/blueprints/rbac.py b/fence/blueprints/rbac.py