summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorErnst Widerberg <ernst@sunet.se>2022-01-13 18:10:22 +0100
committerErnst Widerberg <ernst@sunet.se>2022-01-13 18:10:22 +0100
commitbfe891000c2d6bb2c73bdc635d22640a3e89e729 (patch)
tree7d56b8af24102823f4976319641d8a977ffdc8ff /src
parent386f3bd73383368facd9807f737e26478b0302f3 (diff)
Add read/write permissions to JWTs based on YAML
- Uses Linus's YAML code, except with password stuff removed since auth-server-poc uses htpasswd. - The collector checks JWT on API endpoints get, get/{key}, and delete/{key}, but not on add.
Diffstat (limited to 'src')
-rwxr-xr-xsrc/authn.py112
-rwxr-xr-xsrc/main.py63
2 files changed, 55 insertions, 120 deletions
diff --git a/src/authn.py b/src/authn.py
deleted file mode 100755
index e90118a..0000000
--- a/src/authn.py
+++ /dev/null
@@ -1,112 +0,0 @@
-#! /usr/bin/env python3
-
-import yaml
-
-
-class Authz:
- def __init__(self, org, perms):
- self._org = org
- self._perms = perms
-
- def dump(self):
- return "{}: {}".format(self._org, self._perms)
-
- def read_p(self):
- return 'r' in self._perms
-
- def write_p(self):
- return 'w' in self._perms
-
-
-class User:
- def __init__(self, username, pw, authz):
- self._username = username
- self._password = pw
- self._authz = {}
- for org, perms in authz.items():
- self._authz[org] = Authz(org, perms)
-
- def dump(self):
- return ["{}/{}: {}".format(self._username, self._password, auth.dump())
- for auth in self._authz.values()]
-
- def authn_p(self, pw):
- return pw == self._password
-
- def orgnames(self):
- return [x for x in self._authz.keys()]
-
- def read_perms(self):
- acc = []
- for k, v in self._authz.items():
- if v.read_p():
- acc.append(k)
- return acc
-
- def write_perms(self):
- acc = []
- for k, v in self._authz.items():
- if v.write_p():
- acc.append(k)
- return acc
-
-
-class UserDB:
- def __init__(self, yamlfile):
- self._users = {}
- for u, d in yaml.safe_load(open(yamlfile)).items():
- self._users[u] = User(u, d['pw'], d['authz'])
-
- def dump(self):
- return [u.dump() for u in self._users.values()]
-
- def user_authn_p(self, username, password):
- user = self._users.get(username)
- if not user:
- return False
- return user.authn_p(password)
-
- def orgs_for_user(self, username):
- return self._users.get(username).orgnames()
-
- def read_perms(self, username, password):
- user = self._users.get(username)
- if not user:
- return None
- if not user.authn_p(password):
- return None
- return user.read_perms()
-
- def write_perms(self, username, password):
- user = self._users.get(username)
- if not user:
- return None
- if not user.authn_p(password):
- return None
- return user.write_perms()
-
-
-def self_test():
- db = UserDB('userdb.yaml')
- print(db.dump())
-
- orgs = db.orgs_for_user('user3')
- assert('sunet.se' in orgs)
- assert('su.se' in orgs)
- assert(len(orgs) == 2)
-
- assert(db.user_authn_p('user3', 'pw3') == True)
- assert(db.user_authn_p('user3', 'wrongpw') == False)
-
- rp = db.read_perms('user3', 'pw3')
- assert(len(rp) == 2)
- assert('sunet.se' in rp)
- assert('su.se' in rp)
-
- wp = db.write_perms('user3', 'pw3')
- assert(len(wp) == 1)
- assert('sunet.se' in wp)
-
-
-if __name__ == '__main__':
- self_test()
diff --git a/src/main.py b/src/main.py
index f95a09c..9beace0 100755
--- a/src/main.py
+++ b/src/main.py
@@ -116,13 +116,16 @@ async def get(key=None, limit=25, skip=0, ip=None, port=None,
data = []
raw_jwt = Authorize.get_raw_jwt()
- if 'domains' not in raw_jwt:
- return JSONResponse(content={"status": "error",
- "message": "Could not find domains" +
- "claim in JWT token"},
- status_code=400)
+ if "read" not in raw_jwt:
+ return JSONResponse(
+ content={
+ "status": "error",
+ "message": "Could not find read claim in JWT token",
+ },
+ status_code=400,
+ )
else:
- domains = raw_jwt['domains']
+ domains = raw_jwt["read"]
for domain in domains:
data.extend(get_data(key, limit, skip, ip, port, asn, domain))
@@ -135,10 +138,30 @@ async def get_key(key=None, Authorize: AuthJWT = Depends()):
Authorize.jwt_required()
- # TODO: Use JWT authz and check e.g. domain here
+ raw_jwt = Authorize.get_raw_jwt()
+
+ if "read" not in raw_jwt:
+ return JSONResponse(
+ content={
+ "status": "error",
+ "message": "Could not find read claim in JWT token",
+ },
+ status_code=400,
+ )
+ else:
+ allowed_domains = raw_jwt["read"]
data = get_data(key)
+ if data["domain"] not in allowed_domains:
+ return JSONResponse(
+ content={
+ "status": "error",
+ "message": "User not authorized to view this object",
+ },
+ status_code=400,
+ )
+
return JSONResponse(content={"status": "success", "docs": data})
@@ -161,12 +184,36 @@ async def delete(key, Authorize: AuthJWT = Depends()):
Authorize.jwt_required()
+ raw_jwt = Authorize.get_raw_jwt()
+
+ if "write" not in raw_jwt:
+ return JSONResponse(
+ content={
+ "status": "error",
+ "message": "Could not find write claim in JWT token",
+ },
+ status_code=400,
+ )
+ else:
+ allowed_domains = raw_jwt["write"]
+
+ data = get_data(key)
+
+ if data["domain"] not in allowed_domains:
+ return JSONResponse(
+ content={
+ "status": "error",
+ "message": "User not authorized to delete this object",
+ },
+ status_code=400,
+ )
+
if db.delete(key) is None:
return JSONResponse(content={"status": "error",
"message": "Document not found"},
status_code=400)
- return JSONResponse(content={"status": "success", "docs": {}})
+ return JSONResponse(content={"status": "success", "docs": data})
def main(standalone=False):
generated by cgit v1.1 at 2025-05-20 07:27:41 +0000