Diffstat (limited to 'auth-server-poc/src')
-rw-r--r--auth-server-poc/src/app.py39
-rwxr-xr-xauth-server-poc/src/authn.py97
-rw-r--r--auth-server-poc/src/userdb.yaml23
3 files changed, 145 insertions, 14 deletions
diff --git a/auth-server-poc/src/app.py b/auth-server-poc/src/app.py
index 443eded..c7ba0d1 100644
--- a/auth-server-poc/src/app.py
+++ b/auth-server-poc/src/app.py
@@ -3,40 +3,51 @@ from flask_restful import Api, Resource
from flask_jwt_extended import create_access_token, JWTManager
from flask_cors import CORS
+import authn
+
app = Flask(__name__)
cors = CORS(
app,
resources={r"/api/*": {"origins": "*"}},
expose_headers=["Content-Type", "Authorization", "X-Total-Count"],
)
-api = Api(app, prefix='/api/v1.0')
+api = Api(app, prefix="/api/v1.0")
jwt = JWTManager(app)
-PEM_PRIVATE = '/opt/auth-server-poc/cert/private.pem'
-PEM_PUBLIC = '/opt/auth-server-poc/cert/public.pem'
+PEM_PRIVATE = "/opt/auth-server-poc/cert/private.pem"
+PEM_PUBLIC = "/opt/auth-server-poc/cert/public.pem"
-app.config['JWT_PRIVATE_KEY'] = open(PEM_PRIVATE).read()
-app.config['JWT_PUBLIC_KEY'] = open(PEM_PUBLIC).read()
-app.config['JWT_ALGORITHM'] = 'ES256'
-app.config['JWT_IDENTITY_CLAIM'] = 'sub'
-app.config['JWT_ACCESS_TOKEN_EXPIRES'] = False
+app.config["JWT_PRIVATE_KEY"] = open(PEM_PRIVATE).read()
+app.config["JWT_PUBLIC_KEY"] = open(PEM_PUBLIC).read()
+app.config["JWT_ALGORITHM"] = "ES256"
+app.config["JWT_IDENTITY_CLAIM"] = "sub"
+app.config["JWT_ACCESS_TOKEN_EXPIRES"] = False
class AuthApi(Resource):
def post(self):
- additional_claims = {"type": "access", "domains": ["sunet.se"]}
+
+ identity = request.environ.get("REMOTE_USER")
+ db = authn.UserDB("userdb.yaml")
+ additional_claims = {
+ "type": "access",
+ "read": db.read_perms(identity),
+ "write": db.write_perms(identity),
+ }
+
access_token = create_access_token(
- identity=request.environ.get('REMOTE_USER'),
+ identity=identity,
additional_claims=additional_claims,
)
- return {'access_token': access_token}, 200
+
+ return {"access_token": access_token}, 200
-@app.route('/')
+@app.route("/")
def index():
return "<p>Username: {}</p><p>Auth type: {}</p>".format(
- request.environ.get('REMOTE_USER'), request.environ.get('AUTH_TYPE')
+ request.environ.get("REMOTE_USER"), request.environ.get("AUTH_TYPE")
)
-api.add_resource(AuthApi, '/auth')
+api.add_resource(AuthApi, "/auth")
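Review bot: AuthApi.post builds and signs a token without checking that `identity` is set: if the front-end ever forwards a request to /auth without REMOTE_USER, `identity` is None, `db.read_perms(None)` and `db.write_perms(None)` both return None (per UserDB in authn.py), and create_access_token is still called with `identity=None`, so the caller receives a signed token with a null subject and null permission lists. Reject that case before the claims are assembled, e.g. `if not identity: return {"error": "unauthenticated"}, 401`, and treat a None result from read_perms/write_perms the same way, since it means the principal is not present in userdb.yaml. Also, `authn.UserDB("userdb.yaml")` re-parses the file on every request and resolves the path against the process working directory rather than an absolute location like the PEM constants above; loading the database once at import time from an absolute path would avoid both.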
diff --git a/auth-server-poc/src/authn.py b/auth-server-poc/src/authn.py
new file mode 100755
index 0000000..8b32cdc
--- /dev/null
+++ b/auth-server-poc/src/authn.py
@@ -0,0 +1,97 @@
+#! /usr/bin/env python3
+
+import yaml
+
+
+class Authz:
+ def __init__(self, org, perms):
+ self._org = org
+ self._perms = perms
+
+ def dump(self):
+ return "{}: {}".format(self._org, self._perms)
+
+ def read_p(self):
+ return "r" in self._perms
+
+ def write_p(self):
+ return "w" in self._perms
+
+
+class User:
+ def __init__(self, username, authz):
+ self._username = username
+ self._authz = {}
+ for org, perms in authz.items():
+ self._authz[org] = Authz(org, perms)
+
+ def dump(self):
+ return [
+ "{}: {}".format(self._username, auth.dump())
+ for auth in self._authz.values()
+ ]
+
+ def orgnames(self):
+ return [x for x in self._authz.keys()]
+
+ def read_perms(self):
+ acc = []
+ for k, v in self._authz.items():
+ if v.read_p():
+ acc.append(k)
+ return acc
+
+ def write_perms(self):
+ acc = []
+ for k, v in self._authz.items():
+ if v.write_p():
+ acc.append(k)
+ return acc
+
+
+class UserDB:
+ def __init__(self, yamlfile):
+ self._users = {}
+ for u, d in yaml.safe_load(open(yamlfile)).items():
+ self._users[u] = User(u, d["authz"])
+
+ def dump(self):
+ return [u.dump() for u in self._users.values()]
+
+ def orgs_for_user(self, username):
+ return self._users.get(username).orgnames()
+
+ def read_perms(self, username):
+ user = self._users.get(username)
+ if not user:
+ return None
+ return user.read_perms()
+
+ def write_perms(self, username):
+ user = self._users.get(username)
+ if not user:
+ return None
+ return user.write_perms()
+
+
+def self_test():
+ db = UserDB("userdb.yaml")
+ print(db.dump())
+
+ orgs = db.orgs_for_user("user3")
+ assert "sunet.se" in orgs
+ assert "su.se" in orgs
+ assert len(orgs) == 2
+
+ rp = db.read_perms("user3", "pw3")
+ assert len(rp) == 2
+ assert "sunet.se" in rp
+ assert "su.se" in rp
+
+ wp = db.write_perms("user3", "pw3")
+ assert len(wp) == 1
+ assert "sunet.se" in wp
+
+
+if __name__ == "__main__":
+ self_test()
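Review bot: self_test does not match the API it exercises: UserDB.read_perms and UserDB.write_perms take only `username`, but the test calls `db.read_perms("user3", "pw3")` and `db.write_perms("user3", "pw3")`, which raises TypeError before any assertion runs. The assertions also disagree with the userdb.yaml hunk below, where user3 has rw on sunet.se, su.se and kth.se, so `len(orgs) == 2` and `len(wp) == 1` would fail even once the calls are fixed. Separately, `UserDB.__init__` never closes the handle from `open(yamlfile)`, and `orgs_for_user` dereferences `self._users.get(username)` without the None guard that read_perms/write_perms have; `with open(yamlfile) as fh: data = yaml.safe_load(fh)` and a consistent unknown-user result (return None, or raise KeyError) across all three lookups would make the class predictable for app.py.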
diff --git a/auth-server-poc/src/userdb.yaml b/auth-server-poc/src/userdb.yaml
new file mode 100644
index 0000000..c55773b
--- /dev/null
+++ b/auth-server-poc/src/userdb.yaml
@@ -0,0 +1,23 @@
+user1:
+ authz:
+ sunet.se: r
+ su.se: r
+ kth.se: r
+
+user2:
+ authz:
+ sunet.se: w
+ su.se: w
+ kth.se: w
+
+user3:
+ authz:
+ sunet.se: rw
+ su.se: rw
+ kth.se: rw
+
+user4:
+ authz:
+ sunet.se: rw
+ su.se: r
+ kth.se: w