From bd4c7451f8a0147ec488b9b1374c800d854440c7 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Oct 03 2017 15:13:21 +0000
Subject: Merge #94 `Do not try accessing g.oidc_scopes when not running with 'openidc' auth_backend.`
---
diff --git a/server/odcs/server/auth.py b/server/odcs/server/auth.py
index c879cd8..9fae62e 100644
--- a/server/odcs/server/auth.py
+++ b/server/odcs/server/auth.py
@@ -142,7 +142,7 @@ def validate_scopes(scope):
 def require_oidc_scope(scope):
 """Check if required scopes is in OIDC scopes within request"""
 full_scope = '{0}{1}'.format(conf.oidc_base_namespace, scope)
- if full_scope not in g.oidc_scopes:
+ if conf.auth_backend == "openidc" and full_scope not in g.oidc_scopes:
 message = 'Request does not have required scope %s' % scope
 log.error(message)
 raise Forbidden(message)
diff --git a/server/tests/test_auth.py b/server/tests/test_auth.py
index 85ee25a..83e6a15 100644
--- a/server/tests/test_auth.py
+++ b/server/tests/test_auth.py
@@ -263,6 +263,7 @@ class TestDecoratorRequireScopes(unittest.TestCase):
 """Test decorator require_scopes"""

 @patch.object(conf, 'oidc_base_namespace', new='http://example.com/')
+ @patch.object(conf, 'auth_backend', new='openidc')
 def test_function_is_called(self):
 with app.test_request_context():
 flask.g.oidc_scopes = ['http://example.com/renew-compose']
@@ -275,6 +276,7 @@ class TestDecoratorRequireScopes(unittest.TestCase):
 mock_func.assert_called_once_with(1, 2, 3)

 @patch.object(conf, 'oidc_base_namespace', new='http://example.com/')
+ @patch.object(conf, 'auth_backend', new='openidc')
 def test_function_is_not_called_if_scope_is_not_present(self):
 with app.test_request_context():
 flask.g.oidc_scopes = ['http://example.com/new-compose',
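Review bot: The new condition in `require_oidc_scope` (server/odcs/server/auth.py) turns the scope check into a silent pass for every `auth_backend` value that is not exactly "openidc", so a misspelled or unexpected backend value disables scope enforcement instead of failing closed. Nothing in the hunk shows what authorizes a caller under the other backends, so that should be stated where the bypass happens: an explicit guard such as `if conf.auth_backend != "openidc": return` with a comment like `# Scopes exist only for OIDC tokens; other backends are authorized by <other check>` makes the skip deliberate and visible. The docstring should also say that the check is a no-op for non-OIDC backends. The function may continue past the last line of the hunk.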
@@ -284,3 +286,16 @@ class TestDecoratorRequireScopes(unittest.TestCase):
 mock_func.__name__ = 'real_function'
 decorated_func = require_scopes('delete-compose')(mock_func)
 self.assertRaises(Forbidden, decorated_func, 1, 2, 3)
+
+ @patch.object(conf, 'oidc_base_namespace', new='http://example.com/')
+ @patch.object(conf, 'auth_backend', new='kerberos')
+ def test_function_is_called_for_non_openidc_backend(self):
+ with app.test_request_context():
+ flask.g.oidc_scopes = ['http://example.com/new-compose',
+ 'http://example.com/renew-compose']
+
+ mock_func = Mock()
+ mock_func.__name__ = 'real_function'
+ decorated_func = require_scopes('delete-compose')(mock_func)
+ decorated_func(1, 2, 3)
+ mock_func.assert_called_once_with(1, 2, 3)
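Review bot: `test_function_is_called_for_non_openidc_backend` still assigns `flask.g.oidc_scopes`, so it never exercises the case named in the commit subject, where that attribute does not exist under a non-OIDC backend. Dropping the two-line `flask.g.oidc_scopes = [...]` assignment would confirm that `g.oidc_scopes` is not read at all for `kerberos`. Because the test pins that a call without the `delete-compose` scope is allowed through, a comment such as `# non-OIDC backends skip scope checks; authorization is enforced by <other check>` would record that this is intended.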