author | Ernst Widerberg <ernst@sunet.se> | 2022-01-13 18:10:22 +0100 |
committer | Ernst Widerberg <ernst@sunet.se> | 2022-01-13 18:10:22 +0100 |
commit | bfe891000c2d6bb2c73bdc635d22640a3e89e729 (patch) | |
tree | 7d56b8af24102823f4976319641d8a977ffdc8ff /auth-server-poc/src/app.py | |
parent | 386f3bd73383368facd9807f737e26478b0302f3 (diff) |
Add read/write permissions to JWTs based on YAML
- Uses Linus's YAML code, except with the password handling removed, since
auth-server-poc uses htpasswd.
- The collector checks JWT on API endpoints get, get/{key}, and
delete/{key}, but not on add.
Diffstat (limited to 'auth-server-poc/src/app.py')
-rw-r--r-- | auth-server-poc/src/app.py | 39 |
1 files changed, 25 insertions, 14 deletions
diff --git a/auth-server-poc/src/app.py b/auth-server-poc/src/app.py
index 443eded..c7ba0d1 100644
--- a/auth-server-poc/src/app.py
+++ b/auth-server-poc/src/app.py
@@ -3,40 +3,51 @@ from flask_restful import Api, Resource
 from flask_jwt_extended import create_access_token, JWTManager
 from flask_cors import CORS
+import authn
+
 app = Flask(__name__)
 cors = CORS(
 app,
 resources={r"/api/*": {"origins": "*"}},
 expose_headers=["Content-Type", "Authorization", "X-Total-Count"],
 )
-api = Api(app, prefix='/api/v1.0')
+api = Api(app, prefix="/api/v1.0")
 jwt = JWTManager(app)
-PEM_PRIVATE = '/opt/auth-server-poc/cert/private.pem'
-PEM_PUBLIC = '/opt/auth-server-poc/cert/public.pem'
+PEM_PRIVATE = "/opt/auth-server-poc/cert/private.pem"
+PEM_PUBLIC = "/opt/auth-server-poc/cert/public.pem"
-app.config['JWT_PRIVATE_KEY'] = open(PEM_PRIVATE).read()
-app.config['JWT_PUBLIC_KEY'] = open(PEM_PUBLIC).read()
-app.config['JWT_ALGORITHM'] = 'ES256'
-app.config['JWT_IDENTITY_CLAIM'] = 'sub'
-app.config['JWT_ACCESS_TOKEN_EXPIRES'] = False
+app.config["JWT_PRIVATE_KEY"] = open(PEM_PRIVATE).read()
+app.config["JWT_PUBLIC_KEY"] = open(PEM_PUBLIC).read()
+app.config["JWT_ALGORITHM"] = "ES256"
+app.config["JWT_IDENTITY_CLAIM"] = "sub"
+app.config["JWT_ACCESS_TOKEN_EXPIRES"] = False
 class AuthApi(Resource):
 def post(self):
- additional_claims = {"type": "access", "domains": ["sunet.se"]}
+
+ identity = request.environ.get("REMOTE_USER")
+ db = authn.UserDB("userdb.yaml")
+ additional_claims = {
+ "type": "access",
+ "read": db.read_perms(identity),
+ "write": db.write_perms(identity),
+ }
+
 access_token = create_access_token(
- identity=request.environ.get('REMOTE_USER'),
+ identity=identity,
 additional_claims=additional_claims,
 )
- return {'access_token': access_token}, 200
+
+ return {"access_token": access_token}, 200
-@app.route('/')
+@app.route("/")
 def index():
 return "<p>Username: {}</p><p>Auth type: {}</p>".format(
- request.environ.get('REMOTE_USER'), request.environ.get('AUTH_TYPE')
+ request.environ.get("REMOTE_USER"), request.environ.get("AUTH_TYPE")
 )
-api.add_resource(AuthApi, '/auth')
+api.add_resource(AuthApi, "/auth")
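Review bot: `AuthApi.post` still mints a token when `REMOTE_USER` is absent — `identity` is then `None`, it is handed straight to `db.read_perms`/`db.write_perms` and becomes the `sub` claim, so if the app is reached without the htpasswd layer in front (a misconfigured vhost, for instance) a signed token is issued for nobody in particular. Add a guard before the lookup, `if not identity: return {"msg": "unauthenticated"}, 401`. Separately, `authn.UserDB("userdb.yaml")` is a CWD-relative path reopened and parsed on every request, unlike the absolute `PEM_PRIVATE`/`PEM_PUBLIC` constants above; a module-level constant such as `USERDB_PATH = "<absolute path to userdb.yaml>"` (placeholder) used here would make the deployment location explicit and fail at startup rather than per request if the file is missing. Because `JWT_ACCESS_TOKEN_EXPIRES` is `False` and the `read`/`write` lists are embedded in the token, editing the YAML cannot revoke or narrow permissions already issued; if that is intended, say so in a comment next to the `additional_claims` dict, e.g. `# permissions are frozen into the (non-expiring) token at issue time`.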