Fixed permissions and referrers
82
app/lib.py
82
app/lib.py
@ -2,7 +2,7 @@ import os
|
||||
import functools
|
||||
|
||||
from flask import request, abort, current_app
|
||||
from flask import session as flask_session
|
||||
from flask import session as flask_session, jsonify
|
||||
from flask_pyoidc import OIDCAuthentication as _OIDCAuth
|
||||
from flask_pyoidc.user_session import UserSession
|
||||
from flask_pyoidc.provider_configuration import ProviderConfiguration, ClientMetadata
|
||||
@ -21,19 +21,6 @@ def remote_ip() -> str:
|
||||
return str(request.environ.get('REMOTE_ADDR'))
|
||||
|
||||
|
||||
def username() -> str:
|
||||
userinfo = flask_session['userinfo']
|
||||
return userinfo['email'].split('@')[0]
|
||||
|
||||
|
||||
def login_name() -> str:
|
||||
userinfo = flask_session['userinfo']
|
||||
if 'preferred_username' in userinfo:
|
||||
return userinfo['preferred_username']
|
||||
else:
|
||||
return username()
|
||||
|
||||
|
||||
def webMode() -> bool:
|
||||
is_gunicorn = "gunicorn" in os.environ.get('SERVER_SOFTWARE', '')
|
||||
is_werkzeug = os.environ.get('WERKZEUG_RUN_MAIN', False) == "true"
|
||||
@ -64,6 +51,53 @@ class OIDCAuthentication(_OIDCAuth):
|
||||
super().init_app(app)
|
||||
app.auth = self
|
||||
|
||||
@property
|
||||
def username(self) -> str:
|
||||
userinfo = flask_session['userinfo']
|
||||
return userinfo['email'].split('@')[0]
|
||||
|
||||
@property
|
||||
def login_name(self) -> str:
|
||||
userinfo = flask_session['userinfo']
|
||||
return userinfo.get('preferred_username', self.username)
|
||||
|
||||
@property
|
||||
def isAdmin(self) -> bool:
|
||||
userinfo = flask_session['userinfo']
|
||||
user_groups = userinfo.get('groups', [])
|
||||
with current_app.app_context():
|
||||
admin_groups = current_app.config.get('ADMIN_GROUPS', [])
|
||||
admin_users = current_app.config.get('ADMIN_USERS', [])
|
||||
|
||||
authorized_groups = set(admin_groups).intersection(user_groups)
|
||||
|
||||
if len(authorized_groups):
|
||||
log.debug(f"'{self.username}' is a member of {
|
||||
authorized_groups}")
|
||||
return True
|
||||
|
||||
if self.username in admin_users:
|
||||
log.debug(f"'{self.username}' is an admin user")
|
||||
return True
|
||||
return False
|
||||
|
||||
@property
|
||||
def unathorized(self):
|
||||
response = jsonify(
|
||||
{'message': f"not authorized",
|
||||
'comment': 'nice try, info logged',
|
||||
'logged': f"'{self.username}@{remote_ip()}",
|
||||
'result': 'GO AWAY!'})
|
||||
log.warning(
|
||||
f"user '{self.username}' attempted denied operation from {remote_ip()}")
|
||||
return response, 403
|
||||
|
||||
def userOrAdmin(self, username: str):
|
||||
"""
|
||||
Check is the current user is an admin OR the username passed as argument
|
||||
"""
|
||||
return self.isAdmin or self.username == username
|
||||
|
||||
def authorize(self, provider_name: str, authz_fn: Callable, **kwargs):
|
||||
if provider_name not in self._provider_configurations:
|
||||
raise ValueError(
|
||||
@ -76,7 +110,7 @@ class OIDCAuthentication(_OIDCAuth):
|
||||
|
||||
# Decorator
|
||||
def oidc_decorator(view_func):
|
||||
@ functools.wraps(view_func)
|
||||
@functools.wraps(view_func)
|
||||
def wrapper(*args, **kwargs):
|
||||
# Retrieve session and client
|
||||
session = UserSession(flask_session, provider_name)
|
||||
@ -165,23 +199,7 @@ class OIDCAuthentication(_OIDCAuth):
|
||||
"""
|
||||
|
||||
def _authz_fn(session) -> bool:
|
||||
user_groups = session.userinfo.get('groups', [])
|
||||
username = session.userinfo.get('preferred_username', "")
|
||||
with current_app.app_context():
|
||||
admin_groups = current_app.config.get('ADMIN_GROUPS', [])
|
||||
admin_users = current_app.config.get('ADMIN_USERS', [])
|
||||
|
||||
authorized_groups = set(admin_groups).intersection(user_groups)
|
||||
|
||||
if len(authorized_groups):
|
||||
log.debug(f"'{username}' is a member of {
|
||||
authorized_groups}")
|
||||
return True
|
||||
|
||||
if username in admin_users:
|
||||
log.debug(f"'{username}' is an admin user")
|
||||
return True
|
||||
return False
|
||||
return self.isAdmin
|
||||
|
||||
return self.authorize(provider_name,
|
||||
authz_fn=_authz_fn)
|
||||
|
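Review bot: The identity that `isAdmin` and `userOrAdmin` compare against ADMIN_USERS is `self.username`, which is only the local part of `userinfo['email']`, so two accounts at different domains with the same local part (`alice@corp.example` and `alice@other.example`) are indistinguishable to the authorization check; unless the provider is known to issue addresses from a single trusted domain, any account whose local part matches an admin entry passes. Compare the full, case-folded address (or the stable `sub` claim) instead, e.g. `if userinfo.get('email', '').casefold() in {u.casefold() for u in admin_users}:`, with ADMIN_USERS holding complete addresses, and consider refusing tokens whose `email_verified` claim is not true. Note also that `_authz_fn` no longer uses its `session` argument and instead reads the global `flask_session` through `isAdmin`; if that is intended, a one-line comment such as `# authz is evaluated from the Flask session, not the UserSession passed in` would avoid future confusion. The enclosing `OIDCAuthentication` class begins outside these hunks.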