Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
GÉANT Service Orchestrator
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Jira
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Package registry
Container registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
GÉANT Orchestration and Automation Team
GAP
GÉANT Service Orchestrator
Commits
a101cfe9
Commit
a101cfe9
authored
1 year ago
by
Mohammad Torkashvand
Committed by
Neda Moeini
1 year ago
Browse files
Options
Downloads
Patches
Plain Diff
fix linter
parent
ddcff9cb
Branches
Branches containing commit
Tags
Tags containing commit
1 merge request
!198
add client_id to the user_info sent to opa
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
gso/auth/oidc_policy_helper.py
+17
-18
17 additions, 18 deletions
gso/auth/oidc_policy_helper.py
with
17 additions
and
18 deletions
gso/auth/oidc_policy_helper.py
+
17
−
18
View file @
a101cfe9
...
@@ -11,7 +11,6 @@ FastAPI to ensure secure API development.
...
@@ -11,7 +11,6 @@ FastAPI to ensure secure API development.
import
re
import
re
import
ssl
import
ssl
from
collections.abc
import
AsyncGenerator
,
Awaitable
,
Callable
,
Mapping
from
collections.abc
import
AsyncGenerator
,
Awaitable
,
Callable
,
Mapping
from
enum
import
StrEnum
from
http
import
HTTPStatus
from
http
import
HTTPStatus
from
json
import
JSONDecodeError
from
json
import
JSONDecodeError
from
typing
import
Any
,
ClassVar
,
cast
from
typing
import
Any
,
ClassVar
,
cast
...
@@ -188,13 +187,13 @@ class OIDCUser(HTTPBearer):
...
@@ -188,13 +187,13 @@ class OIDCUser(HTTPBearer):
resource_server_secret
:
str
resource_server_secret
:
str
def
__init__
(
def
__init__
(
self
,
self
,
openid_url
:
str
,
openid_url
:
str
,
resource_server_id
:
str
,
resource_server_id
:
str
,
resource_server_secret
:
str
,
resource_server_secret
:
str
,
*
,
*
,
auto_error
:
bool
=
True
,
auto_error
:
bool
=
True
,
scheme_name
:
str
|
None
=
None
,
scheme_name
:
str
|
None
=
None
,
):
):
"""
Set up OIDCUser with specified OpenID Connect configurations and credentials.
"""
"""
Set up OIDCUser with specified OpenID Connect configurations and credentials.
"""
super
().
__init__
(
auto_error
=
auto_error
)
super
().
__init__
(
auto_error
=
auto_error
)
...
@@ -204,7 +203,7 @@ class OIDCUser(HTTPBearer):
...
@@ -204,7 +203,7 @@ class OIDCUser(HTTPBearer):
self
.
scheme_name
=
scheme_name
or
self
.
__class__
.
__name__
self
.
scheme_name
=
scheme_name
or
self
.
__class__
.
__name__
async
def
__call__
(
# type: ignore[override]
async
def
__call__
(
# type: ignore[override]
self
,
request
:
Request
,
token
:
str
|
None
=
None
self
,
request
:
Request
,
token
:
str
|
None
=
None
)
->
OIDCUserModel
|
None
:
)
->
OIDCUserModel
|
None
:
"""
Return the OIDC user from OIDC introspect endpoint.
"""
Return the OIDC user from OIDC introspect endpoint.
...
@@ -242,7 +241,7 @@ class OIDCUser(HTTPBearer):
...
@@ -242,7 +241,7 @@ class OIDCUser(HTTPBearer):
user_info
=
await
self
.
userinfo
(
async_request
,
token
)
user_info
=
await
self
.
userinfo
(
async_request
,
token
)
user_info
[
'
client_id
'
]
=
intercepted_token
.
get
(
"
client_id
"
)
user_info
[
"
client_id
"
]
=
intercepted_token
.
get
(
"
client_id
"
)
logger
.
debug
(
"
OIDCUserModel object.
"
,
intercepted_token
=
intercepted_token
)
logger
.
debug
(
"
OIDCUserModel object.
"
,
intercepted_token
=
intercepted_token
)
return
user_info
return
user_info
...
@@ -367,11 +366,11 @@ def _evaluate_decision(decision: OPAResult, *, auto_error: bool, **context: dict
...
@@ -367,11 +366,11 @@ def _evaluate_decision(decision: OPAResult, *, auto_error: bool, **context: dict
def
opa_decision
(
def
opa_decision
(
opa_url
:
str
,
opa_url
:
str
,
oidc_security
:
OIDCUser
,
oidc_security
:
OIDCUser
,
*
,
*
,
auto_error
:
bool
=
True
,
auto_error
:
bool
=
True
,
opa_kwargs
:
Mapping
[
str
,
str
]
|
None
=
None
,
opa_kwargs
:
Mapping
[
str
,
str
]
|
None
=
None
,
)
->
Callable
[[
Request
,
OIDCUserModel
,
AsyncClient
],
Awaitable
[
bool
|
None
]]:
)
->
Callable
[[
Request
,
OIDCUserModel
,
AsyncClient
],
Awaitable
[
bool
|
None
]]:
"""
Create a decision function for Open Policy Agent (OPA) authorization checks.
"""
Create a decision function for Open Policy Agent (OPA) authorization checks.
...
@@ -388,9 +387,9 @@ def opa_decision(
...
@@ -388,9 +387,9 @@ def opa_decision(
"""
"""
async
def
_opa_decision
(
async
def
_opa_decision
(
request
:
Request
,
request
:
Request
,
user_info
:
OIDCUserModel
=
Depends
(
oidc_security
),
# noqa: B008
user_info
:
OIDCUserModel
=
Depends
(
oidc_security
),
# noqa: B008
async_request
:
AsyncClient
=
Depends
(
_make_async_client
),
# noqa: B008
async_request
:
AsyncClient
=
Depends
(
_make_async_client
),
# noqa: B008
)
->
bool
|
None
:
)
->
bool
|
None
:
"""
Check OIDCUserModel against the OPA policy.
"""
Check OIDCUserModel against the OPA policy.
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
