i

firetail/decorators/response.py

@@ -6,6 +6,7 @@
 import functools
 import logging
 
+import ipdb
 from flask import request
 from jsonschema import ValidationError
 
@@ -84,9 +85,8 @@ def validate_response_authz(self, response_definition, data):
                 "No Authz data returned from our app layer - flask must populate IDs to compare " "in Authz"
             )
         # use spec data to get from the request data.from and compare to the data returned.
-        auth_data = request_authz_data[request_data_lookup]
         resp_obj_data = self.extract_item(data, response_data_loookup)
-        if auth_data == resp_obj_data:
+        if request_authz_data == resp_obj_data:
             return True
         raise AuthzFailed()
 

tests/fakeapi/hello/__init__.py

@@ -553,6 +553,20 @@ def get_user():
     return {"user_id": 7, "name": "max"}
 
 
+def get_user_authz():
+    request.firetail_authz = 7
+    return {"user_id": 7, "name": "max"}
+
+
+def get_user_authz_fails():
+    request.firetail_authz = 8
+    return {"user_id": 7, "name": "max"}
+
+
+def get_user_authz_not_set():
+    return {"user_id": 7, "name": "max"}
+
+
 def get_user_with_password():
     return {"user_id": 7, "name": "max", "password": "5678"}
 

tests/fixtures/json_validation/openapi.yaml

@@ -47,6 +47,47 @@ paths:
       responses:
         200:
           description: Success
+  /authzEnd:
+    get:
+      operationId: fakeapi.hello.get_user_authz
+      responses:
+        200:
+          description: Success
+          x-firetail-authz:
+            authenticated-principal-path: "user_id"
+            resource-authorized-principal-path: "user_id"
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/User'
+  /authzEndFails:
+    get:
+      operationId: fakeapi.hello.get_user_authz_fails
+      responses:
+        200:
+          description: Success
+          x-firetail-authz:
+            authenticated-principal-path: "user_id"
+            resource-authorized-principal-path: "user_id"
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/User'
+
+  /authzEndNotSet:
+    get:
+      operationId: fakeapi.hello.get_user_authz_not_set
+      responses:
+        200:
+          description: Success
+          x-firetail-authz:
+            authenticated-principal-path: "user_id"
+            resource-authorized-principal-path: "user_id"
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/User'
+
 
   /user:
     get:

tests/fixtures/json_validation/swagger.yaml

@@ -59,6 +59,39 @@ paths:
           description: User object
           schema:
             $ref: '#/definitions/User'
+  /authzEnd:
+    get:
+      operationId: fakeapi.hello.get_user_authz
+      responses:
+        200:
+          description: User object
+          x-firetail-authz:
+            authenticated-principal-path: "user_id"
+            resource-authorized-principal-path: "user_id"
+          schema:
+            $ref: '#/definitions/User'
+  /authzEndFails:
+    get:
+      operationId: fakeapi.hello.get_user_authz_fails
+      responses:
+        200:
+          description: User object
+          x-firetail-authz:
+            authenticated-principal-path: "user_id"
+            resource-authorized-principal-path: "user_id"
+          schema:
+            $ref: '#/definitions/User'
+  /authzEndNotSet:
+    get:
+      operationId: fakeapi.hello.get_user_authz_not_set
+      responses:
+        200:
+          description: User object
+          x-firetail-authz:
+            authenticated-principal-path: "user_id"
+            resource-authorized-principal-path: "user_id"
+          schema:
+            $ref: '#/definitions/User'
   /user_with_password:
     get:
       operationId: fakeapi.hello.get_user_with_password

tests/test_json_validation.py

@@ -3,11 +3,12 @@
 
 import pytest
 from conftest import build_app_from_fixture
+from jsonschema.validators import _utils, extend
+
 from firetail import App
 from firetail.decorators.validation import RequestBodyValidator
 from firetail.json_schema import Draft4RequestValidator
 from firetail.spec import Specification
-from jsonschema.validators import _utils, extend
 
 SPECS = ["swagger.yaml", "openapi.yaml"]
 
@@ -46,6 +47,36 @@ def __init__(self, *args, **kwargs):
     assert res.status_code == 400
 
 
+@pytest.mark.parametrize("spec", SPECS)
+def test_validator_map_ft_authz_success(json_validation_spec_dir, spec):
+    app = App(__name__, specification_dir=json_validation_spec_dir)
+    app.add_api(spec, validate_responses=True)
+    app_client = app.app.test_client()
+
+    res = app_client.get("/v1.0/authzEnd")  # type: flask.Response
+    assert res.status_code == 200
+
+
+@pytest.mark.parametrize("spec", SPECS)
+def test_validator_map_ft_authz_fail(json_validation_spec_dir, spec):
+    app = App(__name__, specification_dir=json_validation_spec_dir)
+    app.add_api(spec, validate_responses=True)
+    app_client = app.app.test_client()
+
+    res = app_client.get("/v1.0/authzEndFails")  # type: flask.Response
+    assert res.status_code == 401  # unauthorized because of authz
+
+
+@pytest.mark.parametrize("spec", SPECS)
+def test_validator_map_ft_authz_not_set(json_validation_spec_dir, spec):
+    app = App(__name__, specification_dir=json_validation_spec_dir)
+    app.add_api(spec, validate_responses=True)
+    app_client = app.app.test_client()
+
+    res = app_client.get("/v1.0/authzEndFails")  # type: flask.Response
+    assert res.status_code == 401  # unauthorized because of authz
+
+
 @pytest.mark.parametrize("spec", SPECS)
 def test_readonly(json_validation_spec_dir, spec):
     app = build_app_from_fixture(json_validation_spec_dir, spec, validate_responses=True)