From bfe891000c2d6bb2c73bdc635d22640a3e89e729 Mon Sep 17 00:00:00 2001 From: Ernst Widerberg Date: Thu, 13 Jan 2022 18:10:22 +0100 Subject: Add read/write permissions to JWTs based on YAML - Uses Linus's YAML code, except with password stuff removed since auth-server-poc uses htpasswd. - The collector checks JWT on API endpoints get, get/{key}, and delete/{key}, but not on add. --- src/main.py | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 55 insertions(+), 8 deletions(-) (limited to 'src/main.py') diff --git a/src/main.py b/src/main.py index f95a09c..9beace0 100755 --- a/src/main.py +++ b/src/main.py @@ -116,13 +116,16 @@ async def get(key=None, limit=25, skip=0, ip=None, port=None, data = [] raw_jwt = Authorize.get_raw_jwt() - if 'domains' not in raw_jwt: - return JSONResponse(content={"status": "error", - "message": "Could not find domains" + - "claim in JWT token"}, - status_code=400) + if "read" not in raw_jwt: + return JSONResponse( + content={ + "status": "error", + "message": "Could not find read claim in JWT token", + }, + status_code=400, + ) else: - domains = raw_jwt['domains'] + domains = raw_jwt["read"] for domain in domains: data.extend(get_data(key, limit, skip, ip, port, asn, domain)) @@ -135,10 +138,30 @@ async def get_key(key=None, Authorize: AuthJWT = Depends()): Authorize.jwt_required() - # TODO: Use JWT authz and check e.g. domain here + raw_jwt = Authorize.get_raw_jwt() + + if "read" not in raw_jwt: + return JSONResponse( + content={ + "status": "error", + "message": "Could not find read claim in JWT token", + }, + status_code=400, + ) + else: + allowed_domains = raw_jwt["read"] data = get_data(key) + if data["domain"] not in allowed_domains: + return JSONResponse( + content={ + "status": "error", + "message": "User not authorized to view this object", + }, + status_code=400, + ) + return JSONResponse(content={"status": "success", "docs": data}) 
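Review bot: In `get`, the value of the new `read` claim is assigned to `domains` and iterated straight away, with no check that the auth server actually put a list there; a token carrying a string would be iterated character by character with each character handed to `get_data` as a domain, and a non-iterable claim would raise a TypeError out of the handler. Since this claim now originates in the YAML-driven auth server rather than in this service, a shape check after the lookup is cheap: `domains = raw_jwt["read"]` followed by `if not isinstance(domains, list): return JSONResponse(content={"status": "error", "message": "Malformed read claim in JWT token"}, status_code=400)`. A valid token that merely lacks the claim is an authorization failure rather than a malformed request, so 403 would describe it better than the 400 used here. `get` continues past the end of this hunk.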
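Review bot: In `get_key`, `data["domain"]` is evaluated right after `data = get_data(key)` with no test that a document was found, so an unknown key presented with a valid token subscripts whatever `get_data` returns for a miss — if that is `None`, the handler ends in an unhandled TypeError instead of an error response. A guard before the domain test, `if not data: return JSONResponse(content={"status": "error", "message": "Document not found"}, status_code=404)`, closes that, and giving the not-authorized branch the same 404 body rather than a distinct 400 message avoids confirming to a caller that a key exists in a domain it cannot read. The `allowed_domains` membership test inherits the unchecked shape of the claim: against a string claim, `in` becomes substring matching rather than list membership. The hunk appears to end at the function's final `return`, but I cannot see past it.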
@@ -161,12 +184,36 @@ async def delete(key, Authorize: AuthJWT = Depends()): Authorize.jwt_required() + raw_jwt = Authorize.get_raw_jwt() + + if "write" not in raw_jwt: + return JSONResponse( + content={ + "status": "error", + "message": "Could not find write claim in JWT token", + }, + status_code=400, + ) + else: + allowed_domains = raw_jwt["write"] + + data = get_data(key) + + if data["domain"] not in allowed_domains: + return JSONResponse( + content={ + "status": "error", + "message": "User not authorized to delete this object", + }, + status_code=400, + ) + if db.delete(key) is None: return JSONResponse(content={"status": "error", "message": "Document not found"}, status_code=400) - return JSONResponse(content={"status": "success", "docs": {}}) + return JSONResponse(content={"status": "success", "docs": data}) def main(standalone=False): -- cgit v1.1 From 18e3990340a5015e118b52aabc530a3536b843a7 Mon Sep 17 00:00:00 2001 From: Ernst Widerberg Date: Fri, 14 Jan 2022 08:40:25 +0100 Subject: Printing bugfix --- src/main.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/main.py') diff --git a/src/main.py b/src/main.py index 9beace0..3a7a3c8 100755 --- a/src/main.py +++ b/src/main.py @@ -37,8 +37,8 @@ for i in range(10): try: db = DictDB() except requests.exceptions.ConnectionError: - print(f'Database not responding, will try again soon.' + - 'Attempt {i + 1} of 10.') + print('Database not responding, will try again soon.' + + f'Attempt {i + 1} of 10.') else: break time.sleep(10) -- cgit v1.1 From 0b55f7ff7cdd3b78bd9992063208476c1c080a02 Mon Sep 17 00:00:00 2001 From: Ernst Widerberg Date: Fri, 14 Jan 2022 11:52:04 +0100 Subject: Revert "Only retry the database connection if we get an ConnectionError exception." This reverts commit a3b5cde94981b9a98d367004b4c513c81e5870e4. --- src/main.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'src/main.py') 
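Review bot: The two error branches in `delete` are distinguishable — `User not authorized to delete this object` when the document belongs to another domain, `Document not found` when it is absent — so any holder of a write token can probe which keys exist in domains outside its `write` claim. Collapsing them into one response removes that oracle: `if data is None or data["domain"] not in allowed_domains:` returning the same not-found body with a 404 for both cases. As written, the subscription `data["domain"]` also runs before the `db.delete(key) is None` check, so for a missing key it operates on whatever `get_data` returns for a miss; if that is `None`, the existing not-found branch is unreachable and the request fails with a TypeError. The fetch and the delete are two separate database calls, so the `data` echoed in the success body is a pre-delete snapshot rather than what was actually removed.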
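Review bot: The corrected `print` still joins the two fragments without a separator, so the message reads `...will try again soon.Attempt 1 of 10.`; a single f-string avoids the split entirely: `print(f'Database not responding, will try again soon. Attempt {i + 1} of 10.')`. The third commit on this page reflows the text that way, so this only matters if this commit is considered on its own. The retry loop is at module level and runs past the end of the hunk.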
diff --git a/src/main.py b/src/main.py index 3a7a3c8..c3e5ad9 100755 --- a/src/main.py +++ b/src/main.py @@ -11,7 +11,6 @@ from pydantic import BaseModel from index import CouchIindex import time from db import DictDB -import requests app = FastAPI() @@ -36,9 +35,9 @@ async def mock_x_total_count_header(request: Request, call_next): for i in range(10): try: db = DictDB() - except requests.exceptions.ConnectionError: - print('Database not responding, will try again soon.' + - f'Attempt {i + 1} of 10.') + except Exception: + print( + f'Database not responding, will try again soon. Attempt {i + 1} of 10.') else: break time.sleep(10) -- cgit v1.1
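Review bot: `except Exception:` turns every failure inside `DictDB()` into "Database not responding", including ones no retry can fix — wrong credentials, a bad URL, a programming error in `DictDB` — and then blocks the process for up to ten 10-second waits without ever surfacing what went wrong. If the broad catch is intentional (the commit only says it reverts the narrow one), at least keep the diagnostic: `except Exception as exc:` and `print(f'Database not responding ({type(exc).__name__}), will try again soon. Attempt {i + 1} of 10.')`. Printing the exception type rather than its full repr is deliberate: connection errors from HTTP clients commonly embed the server URL, and if that URL carries the CouchDB credentials they would land in the log. What happens after the tenth failed attempt — `db` would still be unbound — is outside the hunk.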