auth4

omertuc · omertuc · commit b3989af1931a · 2025-08-19T15:39:54.000+02:00
diff --git a/src/app/endpoints/config.py b/src/app/endpoints/config.py
@@ -5,10 +5,9 @@
 
 from fastapi import APIRouter, Request
 
-from models.config import Configuration
-from configuration import configuration
 from authorization.middleware import authorize
-from models.config import Action
+from configuration import configuration
+from models.config import Action, Configuration
 from utils.endpoints import check_configuration_loaded
 
 logger = logging.getLogger(__name__)
diff --git a/src/app/endpoints/conversations.py b/src/app/endpoints/conversations.py
@@ -9,18 +9,18 @@
 
 from client import AsyncLlamaStackClientHolder
 from configuration import configuration
+from app.database import get_session
+from auth import get_auth_dependency
+from authorization.middleware import authorize
+from models.config import Action
+from models.database.conversations import UserConversation
 from models.responses import (
     ConversationResponse,
     ConversationDeleteResponse,
     ConversationsListResponse,
     ConversationDetails,
 )
-from models.database.conversations import UserConversation
-from auth import get_auth_dependency
-from app.database import get_session
 from utils.endpoints import check_configuration_loaded, validate_conversation_ownership
-from authorization.middleware import authorize
-from models.config import Action
 from utils.suid import check_suid
 
 logger = logging.getLogger("app.endpoints.handlers")
diff --git a/src/app/endpoints/feedback.py b/src/app/endpoints/feedback.py
@@ -10,16 +10,16 @@
 from auth import get_auth_dependency
 from auth.interface import AuthTuple
 from authorization.middleware import authorize
-from models.config import Action
 from configuration import configuration
+from models.config import Action
+from models.requests import FeedbackRequest
 from models.responses import (
     ErrorResponse,
     FeedbackResponse,
     StatusResponse,
     UnauthorizedResponse,
     ForbiddenResponse,
 )
-from models.requests import FeedbackRequest
 from utils.suid import get_suid
 
 logger = logging.getLogger(__name__)
diff --git a/src/app/endpoints/models.py b/src/app/endpoints/models.py
@@ -3,9 +3,9 @@
 import logging
 from typing import Any
 
+from fastapi import APIRouter, HTTPException, Request, status
 from fastapi.params import Depends
 from llama_stack_client import APIConnectionError
-from fastapi import APIRouter, HTTPException, Request, status
 
 from client import AsyncLlamaStackClientHolder
 from configuration import configuration
@@ -67,7 +67,6 @@ async def models_endpoint_handler(
     Returns:
         ModelsResponse: An object containing the list of available models.
     """
-
     # Used only by the middleware
     _ = auth
 
diff --git a/src/app/endpoints/query.py b/src/app/endpoints/query.py
@@ -24,18 +24,18 @@
 from configuration import configuration
 from app.database import get_session
 import metrics
+import constants
+from authorization.middleware import authorize
+from models.config import Action
 from models.database.conversations import UserConversation
-from models.responses import QueryResponse, UnauthorizedResponse, ForbiddenResponse
 from models.requests import QueryRequest, Attachment
-import constants
+from models.responses import QueryResponse, UnauthorizedResponse, ForbiddenResponse
 from utils.endpoints import (
     check_configuration_loaded,
     get_agent,
     get_system_prompt,
     validate_conversation_ownership,
 )
-from authorization.middleware import authorize
-from models.config import Action
 from utils.mcp_headers import mcp_headers_dependency, handle_mcp_headers_with_toolgroups
 from utils.suid import get_suid
 
diff --git a/src/app/endpoints/streaming_query.py b/src/app/endpoints/streaming_query.py
@@ -20,10 +20,10 @@
 from auth import get_auth_dependency
 from auth.interface import AuthTuple
 from authorization.middleware import authorize
-from models.config import Action
 from client import AsyncLlamaStackClientHolder
 from configuration import configuration
 import metrics
+from models.config import Action
 from models.requests import QueryRequest
 from models.database.conversations import UserConversation
 from utils.endpoints import check_configuration_loaded, get_agent, get_system_prompt
diff --git a/src/authorization/engine.py b/src/authorization/engine.py
@@ -28,7 +28,7 @@ class NoopAccessResolver(AccessResolver):  # pylint: disable=too-few-public-meth
     """No-op access resolver that does not perform any access checks."""
 
     async def check_access(self, action: Action, user_roles: UserRoles) -> bool:
-        """Always return True, indicating access is granted."""
+        """Return True always, indicating access is granted."""
         _ = action  # Unused
         _ = user_roles  # Unused
         return True
@@ -68,22 +68,19 @@ def __init__(self, role_rules: list[JwtRoleRule]):
 
     async def resolve_roles(self, auth: AuthTuple) -> UserRoles:
         """Extract roles from JWT claims using configured rules."""
-
         jwt_claims = self._get_claims(auth)
         return frozenset(
             role
             for rule in self.role_rules
-            for role in self._evaluate_role_rules(rule, jwt_claims)
+            for role in self.evaluate_role_rules(rule, jwt_claims)
         )
 
     @staticmethod
-    def _evaluate_role_rules(
-        rule: JwtRoleRule, jwt_claims: dict[str, Any]
-    ) -> UserRoles:
-        """Get roles from a JWT role rule if it matches the claims"""
+    def evaluate_role_rules(rule: JwtRoleRule, jwt_claims: dict[str, Any]) -> UserRoles:
+        """Get roles from a JWT role rule if it matches the claims."""
         return (
             frozenset(rule.roles)
-            if __class__._evaluate_operator(
+            if JwtRolesResolver._evaluate_operator(
                 rule.negate,
                 [match.value for match in parse(rule.jsonpath).find(jwt_claims)],
                 rule.operator,
@@ -147,6 +144,7 @@ def __init__(self, access_rules: list[AccessRule]):
             self._access_lookup[rule.role].update(rule.actions)
 
     async def check_access(self, action: Action, user_roles: UserRoles) -> bool:
+        """Check if the user has access to the specified action based on their roles."""
         if action != Action.ADMIN and self.check_access(action.ADMIN, user_roles):
             # Recurse to check if the roles allow the user to perform the admin action,
             # if they do, then we allow any action
diff --git a/src/authorization/middleware.py b/src/authorization/middleware.py
@@ -83,11 +83,11 @@ async def _perform_authorization_check(action: Action, kwargs: dict[str, Any]) -
 
 
 def authorize(action: Action) -> Callable:
-    """Decorator to check authorization for an endpoint (async version)."""
+    """Check authorization for an endpoint (async version)."""
 
     def decorator(func: Callable) -> Callable:
         @wraps(func)
-        async def wrapper(*args, **kwargs):
+        async def wrapper(*args: Any, **kwargs: Any) -> Any:
             await _perform_authorization_check(action, kwargs)
             return await func(*args, **kwargs)
 
diff --git a/src/authorization/models.py b/src/authorization/models.py
@@ -0,0 +1 @@
+"""Authorization models and data structures."""
diff --git a/src/models/config.py b/src/models/config.py
@@ -215,9 +215,7 @@ class JwtRoleRule(BaseModel):
 
     @model_validator(mode="after")
     def check_jsonpath(self) -> Self:
-        """
-        Verify that the JSONPath expression is valid.
-        """
+        """Verify that the JSONPath expression is valid."""
         try:
             jsonpath_ng.parse(self.jsonpath)
             return self
@@ -228,9 +226,7 @@ def check_jsonpath(self) -> Self:
 
     @model_validator(mode="after")
     def check_roles(self) -> Self:
-        """
-        Ensure that at least one role is specified.
-        """
+        """Ensure that at least one role is specified."""
         if not self.roles:
             raise ValueError("At least one role must be specified in the rule")
 
diff --git a/tests/unit/app/endpoints/test_health.py b/tests/unit/app/endpoints/test_health.py
@@ -26,10 +26,11 @@ async def test_readiness_probe_fails_due_to_unhealthy_providers(mocker):
         )
     ]
 
-    # Mock the Response object
+    # Mock the Response object and auth
     mock_response = Mock()
+    auth = ("test_user", "token", {})
 
-    response = await readiness_probe_get_method(mock_response)
+    response = await readiness_probe_get_method(auth=auth, response=mock_response)
 
     assert response.ready is False
     assert "test_provider" in response.reason
@@ -56,10 +57,11 @@ async def test_readiness_probe_success_when_all_providers_healthy(mocker):
         ),
     ]
 
-    # Mock the Response object
+    # Mock the Response object and auth
     mock_response = Mock()
+    auth = ("test_user", "token", {})
 
-    response = await readiness_probe_get_method(mock_response)
+    response = await readiness_probe_get_method(auth=auth, response=mock_response)
     assert response is not None
     assert isinstance(response, ReadinessResponse)
     assert response.ready is True
@@ -70,7 +72,8 @@ async def test_readiness_probe_success_when_all_providers_healthy(mocker):
 
 def test_liveness_probe():
     """Test the liveness endpoint handler."""
-    response = liveness_probe_get_method()
+    auth = ("test_user", "token", {})
+    response = liveness_probe_get_method(auth=auth)
     assert response is not None
     assert response.alive is True
 
diff --git a/tests/unit/app/endpoints/test_info.py b/tests/unit/app/endpoints/test_info.py
@@ -35,7 +35,8 @@ def test_info_endpoint():
             "type": "http",
         }
     )
-    response = info_endpoint_handler(request)
+    auth = ("test_user", "token", {})
+    response = info_endpoint_handler(auth, request)
     assert response is not None
     assert response.name is not None
     assert response.version is not None
diff --git a/tests/unit/app/endpoints/test_root.py b/tests/unit/app/endpoints/test_root.py
@@ -7,10 +7,11 @@
 
 def test_root_endpoint():
     """Test the root endpoint handler."""
+    auth = ("test_user", "token", {})
     request = Request(
         scope={
             "type": "http",
         }
     )
-    response = root_endpoint_handler(request)
+    response = root_endpoint_handler(auth, request)
     assert response is not None
diff --git a/tests/unit/authorization/test_engine.py b/tests/unit/authorization/test_engine.py

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+"""Authorization models and data structures."""`