From 77e4edea828c53bc623e6120901988071718b871 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20B=C3=B6ttcher?= <c.boettcher@fz-juelich.de>
Date: Mon, 28 Nov 2022 12:30:50 +0100
Subject: [PATCH] check access rights of the external user

---
 apiserver/main.py          | 15 ++++++++++++---
 apiserver/security/user.py |  4 ++--
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/apiserver/main.py b/apiserver/main.py
index 5cba6e0..6a9f227 100644
--- a/apiserver/main.py
+++ b/apiserver/main.py
@@ -128,9 +128,18 @@ async def keycloak_token(request: Request):
     # store it in the session cookie, return it via a redirect to the user frontend
     username = user['preferred_username']
     email = user['email']
+    groups = user['groups']
+
     if userdb.get(username) is None:
-        # add user to db
-        userdb.add_external_auth_user(username, email)
+        # check if user should be added, and with or without secrets
+        access_group = "datacat_write"
+        secrets_group = "datacat_secrets"
+        if access_group not in groups:
+            raise HTTPException(403, "User is not authorized for write access to the datacatalogue.")
+        if secrets_group not in groups:
+            userdb.add_external_auth_user(username, email)
+        else:
+            userdb.add_external_auth_user(username, email, True)
     datacat_user = userdb.get(username)
 
     access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRES_MINUTES)
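Review bot: The `datacat_write` group check only runs inside `if userdb.get(username) is None:`, so it is evaluated on a user's first login and never again; a user whose group membership is later revoked in Keycloak still receives a token, and `has_secrets_access` is never updated for an existing account. Move the authorization check above the `userdb.get` branch so it applies to every login: `groups = user.get('groups', [])` followed by `if "datacat_write" not in groups: raise HTTPException(403, "User is not authorized for write access to the datacatalogue.")`, leaving only the add-user logic inside the `is None` block. Using `.get('groups', [])` also avoids a `KeyError` turning into a 500 when the token carries no `groups` claim, though whether that claim is always mapped into the token is not visible here. keycloak_token starts outside the hunk.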
@@ -142,7 +151,7 @@ async def keycloak_token(request: Request):
     # set token in cookie, this can then be extractet via the frontend javascript
     response = RedirectResponse("/login.html?external_auth=True")
     response.set_cookie(
-        key="datacat_auth_token", value=access_token, secure=True, expires=datetime.utcnow()+timedelta(minutes=5) # TODO get domain from settings
+        key="datacat_auth_token", value=access_token, secure=True, expires=datetime.utcnow()+timedelta(minutes=5)
     ) 
 
     return response
diff --git a/apiserver/security/user.py b/apiserver/security/user.py
index 6e95462..2ed2ce0 100644
--- a/apiserver/security/user.py
+++ b/apiserver/security/user.py
@@ -116,8 +116,8 @@ class JsonDBInterface(AbstractDBInterface):
         self.__save_all(data)
         log.debug("Deleted user %s from userdb.", username)
 
-    def add_external_auth_user(cls, username: str, email: str):
-        cls.add(UserInDB(username=username, email=email))
+    def add_external_auth_user(cls, username: str, email: str, secrets: bool = False):
+        cls.add(UserInDB(username=username, email=email, has_secrets_access=secrets))
 
 
 pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
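Review bot: The first parameter of `add_external_auth_user` is named `cls`, but the neighbouring method uses `self.__save_all(data)` and no `@classmethod` decorator is visible, so this reads as an instance method with a misleading receiver name; the new signature should be `def add_external_auth_user(self, username: str, email: str, secrets: bool = False):` with `self.add(...)` in the body. The parameter name `secrets` would also shadow the stdlib `secrets` module if that is imported in this file (not visible here); `has_secrets_access` would match the field it populates. A short docstring would help, e.g. `"""Create a password-less entry for an externally authenticated user; secrets controls the has_secrets_access flag."""`. JsonDBInterface starts outside the hunk.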
-- 
GitLab