From 77e4edea828c53bc623e6120901988071718b871 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20B=C3=B6ttcher?= <c.boettcher@fz-juelich.de>
Date: Mon, 28 Nov 2022 12:30:50 +0100
Subject: [PATCH] check access rights of the external user

---
 apiserver/main.py          | 15 ++++++++++++---
 apiserver/security/user.py |  4 ++--
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/apiserver/main.py b/apiserver/main.py
index 5cba6e0..6a9f227 100644
--- a/apiserver/main.py
+++ b/apiserver/main.py
@@ -128,9 +128,18 @@ async def keycloak_token(request: Request):
     # store it in the session cookie, return it via a redirect to the user frontend
     username = user['preferred_username']
     email = user['email']
+    groups = user['groups']
+
     if userdb.get(username) is None:
-        # add user to db
-        userdb.add_external_auth_user(username, email)
+        # check if user should be added, and with or without secrets
+        access_group = "datacat_write"
+        secrets_group = "datacat_secrets"
+        if access_group not in groups:
+            raise HTTPException(403, "User is not authorized for write access to the datacatalogue.")
+        if secrets_group not in groups:
+            userdb.add_external_auth_user(username, email)
+        else:
+            userdb.add_external_auth_user(username, email, True)
     datacat_user = userdb.get(username)
 
     access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRES_MINUTES)
@@ -142,7 +151,7 @@ async def keycloak_token(request: Request):
     # set token in cookie, this can then be extractet via the frontend javascript
     response = RedirectResponse("/login.html?external_auth=True")
     response.set_cookie(
-        key="datacat_auth_token", value=access_token, secure=True, expires=datetime.utcnow()+timedelta(minutes=5) # TODO get domain from settings
+        key="datacat_auth_token", value=access_token, secure=True, expires=datetime.utcnow()+timedelta(minutes=5)
     )
     return response
 
diff --git a/apiserver/security/user.py b/apiserver/security/user.py
index 6e95462..2ed2ce0 100644
--- a/apiserver/security/user.py
+++ b/apiserver/security/user.py
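Review bot: The group check only runs inside `if userdb.get(username) is None:`, so an external user who held `datacat_write` at first login keeps write access on every later login even after the group is removed in Keycloak, and `has_secrets_access` is likewise fixed at creation time. The membership test should run on every pass through this handler, before the `userdb.get(username)` lookup, so that revoking the group in the identity provider actually denies access; refreshing the secrets flag for an already-known user would need an update method on `userdb` that is not visible in this patch. `user['groups']` also raises `KeyError` (surfacing as a 500) when the token carries no groups claim, whereas `user.get('groups', [])` turns that case into the intended 403, and the two `add_external_auth_user` branches collapse into one call with `secrets_group in groups`. The enclosing keycloak_token body begins before this hunk and continues past it.
```python
    groups = user.get('groups', [])
    access_group = "datacat_write"
    secrets_group = "datacat_secrets"
    # evaluate membership on every login so removal from the group in the IdP revokes access
    if access_group not in groups:
        raise HTTPException(403, "User is not authorized for write access to the datacatalogue.")
    if userdb.get(username) is None:
        userdb.add_external_auth_user(username, email, secrets_group in groups)
    datacat_user = userdb.get(username)
    # … unchanged: token creation and redirect …
```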
@@ -116,8 +116,8 @@ class JsonDBInterface(AbstractDBInterface):
         self.__save_all(data)
         log.debug("Deleted user %s from userdb.", username)
 
-    def add_external_auth_user(cls, username: str, email: str):
-        cls.add(UserInDB(username=username, email=email))
+    def add_external_auth_user(cls, username: str, email: str, secrets: bool = False):
+        cls.add(UserInDB(username=username, email=email, has_secrets_access=secrets))
 
 
 pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
-- 
GitLab
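Review bot: The new `secrets` flag is a positional boolean, so the call site in main.py reads `add_external_auth_user(username, email, True)` with nothing to tell a reader that the third argument sets `has_secrets_access`; since the parameter is introduced by this commit it can be made keyword-only, `def add_external_auth_user(self, username: str, email: str, *, secrets: bool = False):`, so callers must write `secrets=True`. The first parameter is named `cls` while the preceding method's body uses `self.__save_all`, and no `@classmethod` decorator appears in the hunk's leading context, so this looks like an instance method and the body should read `self.add(UserInDB(username=username, email=email, has_secrets_access=secrets))`. A docstring such as `"""Create the local record for an externally authenticated user; ``secrets`` sets ``has_secrets_access``."""` would document the flag.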