uc-cdis · rudyardrichter · May 14, 2019 · May 14, 2019 · May 14, 2019 · May 14, 2019
diff --git a/fence/rbac/client.py b/fence/rbac/client.py
@@ -466,6 +466,27 @@ def create_group(
             self.logger.info("group {} has policies: {}".format(name, list(policies)))
         return data
 
+    @_arborist_retry()
+    def grant_group_policy(self, group_name, policy_id):
+        url = self._group_url + "/{}/policy".format(group_name)
+        request = {"policy": policy_id}
+        response = requests.post(url, json=request)
+        data = _request_get_json(response)
+        if response.status_code != 204:
+            msg = data.get("error", "unhelpful response from arborist")
+            if isinstance(data, dict) and "error" in data:
+                msg = data["error"].get("message", msg)
+            self.logger.error(
+                "could not grant policy `{}` to group `{}`: {}".format(
+                    policy_id, group_name, msg
+                )
+            )
+            return None
+        self.logger.info(
+            "granted policy `{}` to group `{}`".format(policy_id, group_name)
+        )
+        return data
+
     @_arborist_retry()
     def create_user_if_not_exist(self, username):
         self.logger.info("making sure user exists: `{}`".format(username))

diff --git a/fence/resources/user/__init__.py b/fence/resources/user/__init__.py
@@ -92,7 +92,9 @@ def get_user_info(current_session, username):
 
     if hasattr(flask.current_app, "arborist"):
         try:
-            resources = flask.current_app.arborist.list_resources_for_user(user.username)
+            resources = flask.current_app.arborist.list_resources_for_user(
+                user.username
+            )
         except ArboristError:
             logger.error(
                 "request to arborist for user's resources failed; going to list empty"

diff --git a/fence/sync/sync_users.py b/fence/sync/sync_users.py
@@ -1114,4 +1114,12 @@ def _update_arborist(self, session, user_yaml):
             except ArboristError as e:
                 self.logger.info("couldn't create group: {}".format(str(e)))
 
+        # add policies for `anonymous` and `logged-in` groups
+
+        for policy in user_yaml.rbac.get("anonymous_policies", []):
+            self.arborist_client.grant_group_policy("anonymous", policy)
+
+        for policy in user_yaml.rbac.get("all_users_policies", []):
+            self.arborist_client.grant_group_policy("logged-in", policy)
+
         return True
diff --git a/tests/data/test_data.py b/tests/data/test_data.py
@@ -607,8 +607,9 @@ def test_rbac(
     assert response.status_code == 403
 
 
-def test_initialize_multipart_upload(app, client, auth_client, encoded_creds_jwt, user_client):
-
+def test_initialize_multipart_upload(
+    app, client, auth_client, encoded_creds_jwt, user_client
+):
     class MockResponse(object):
         def __init__(self, data, status_code=200):
             self.data = data