From 158a33137f087321db07f668e8fe3ee857609ffc Mon Sep 17 00:00:00 2001
From: Adeel Ahmad <adeel.ahmad@geant.org>
Date: Wed, 12 Mar 2025 16:51:04 +0000
Subject: [PATCH] Add optional token based authentication
---
.gitignore | 1 +
docs/source/configuration.rst | 2 +-
inventory_provider/__init__.py | 8 ++++++++
inventory_provider/auth.py | 17 +++++++++++++++++
inventory_provider/config.py | 19 +++++++++++++++++++
requirements.txt | 1 +
6 files changed, 47 insertions(+), 1 deletion(-)
create mode 100644 inventory_provider/auth.py
diff --git a/.gitignore b/.gitignore
index e8bf92ea..33b68146 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,5 +10,6 @@ coverage.xml
htmlcov
dist
venv
+.venv
.vscode
docs/build
diff --git a/docs/source/configuration.rst b/docs/source/configuration.rst
index 3502d074..28b30adf 100644
--- a/docs/source/configuration.rst
+++ b/docs/source/configuration.rst
@@ -54,7 +54,7 @@ This module has been tested in the following execution environments:
.. code-block:: bash
$ export FLASK_APP=app.py
- $ export SETTINGS_FILENAME=settings.cfg
+ $ export FLASK_SETTINGS_FILENAME=settings.cfg
$ flask run
* As an Apache/`mod_wsgi` service.
diff --git a/inventory_provider/__init__.py b/inventory_provider/__init__.py
index 09574fb6..590610d4 100644
--- a/inventory_provider/__init__.py
+++ b/inventory_provider/__init__.py
@@ -7,6 +7,7 @@ from flask import Flask
from flask_cors import CORS
from inventory_provider import environment
+from inventory_provider.auth import auth
def create_app(setup_logging=True):
@@ -48,6 +49,13 @@ def create_app(setup_logging=True):
app.config['INVENTORY_PROVIDER_CONFIG'] = inventory_provider_config
+ # Apply authentication globally to all routes
+ @app.before_request
+ @auth.login_required
+ def secure_before_request():
+ """Enforces authentication for all routes"""
+ pass
+
# IMS based routes
from inventory_provider.routes import lg
diff --git a/inventory_provider/auth.py b/inventory_provider/auth.py
new file mode 100644
index 00000000..1f995033
--- /dev/null
+++ b/inventory_provider/auth.py
@@ -0,0 +1,17 @@
+from flask import Blueprint, current_app
+from flask_httpauth import HTTPTokenAuth
+
+auth = HTTPTokenAuth(scheme="ApiKey")
+
+@auth.verify_token
+def verify_api_key(api_key):
+ config = current_app.config["INVENTORY_PROVIDER_CONFIG"]
+ # This is to enable anonymous access for testing.
+ if not api_key:
+ return "test"
+
+ for service, details in config['api-keys'].items():
+ if details.get('api-key') == api_key:
+ return service
+ return None
+
diff --git a/inventory_provider/config.py b/inventory_provider/config.py
index 3fa03b9d..0df04129 100644
--- a/inventory_provider/config.py
+++ b/inventory_provider/config.py
@@ -10,6 +10,24 @@ CONFIG_SCHEMA = {
'maximum': 60, # sanity
'exclusiveMinimum': 0
},
+ "api-keys-credentials": {
+ "type": "object",
+ "patternProperties": {
+ "^[a-zA-Z0-9-_]+$": {
+ "type": "object",
+ "properties": {
+ "api-key": {
+ "type": "string",
+ # "minLength": 32,
+ # "description": "API key (Base64, UUID, or Hexadecimal format)"
+ }
+ },
+ "required": ["api-key"],
+ "additionalProperties": False
+ }
+ },
+ "additionalProperties": False
+ },
'ssh-credentials': {
'type': 'object',
'properties': {
@@ -235,6 +253,7 @@ CONFIG_SCHEMA = {
'type': 'object',
'properties': {
+ 'api-keys': {'$ref': '#/definitions/api-keys-credentials'},
'ssh': {'$ref': '#/definitions/ssh-credentials'},
'nokia-ssh': {'$ref': '#/definitions/nokia-ssh-credentials'},
'redis': {'$ref': '#/definitions/redis-credentials'},
diff --git a/requirements.txt b/requirements.txt
index 0d226651..9095eb74 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -16,6 +16,7 @@ lxml==4.9.4
requests
netifaces
tree-format
+Flask-HTTPAuth
pytest
pytest-mock
--
GitLab