Commit 77e4edea authored by Christian Boettcher's avatar Christian Boettcher

check access rights of the external user

parent a5077d44
...@@ -128,9 +128,18 @@ async def keycloak_token(request: Request): ...@@ -128,9 +128,18 @@ async def keycloak_token(request: Request):
# store it in the session cookie, return it via a redirect to the user frontend # store it in the session cookie, return it via a redirect to the user frontend
username = user['preferred_username'] username = user['preferred_username']
email = user['email'] email = user['email']
groups = user['groups']
if userdb.get(username) is None: if userdb.get(username) is None:
# add user to db # check if user should be added, and with or without secrets
userdb.add_external_auth_user(username, email) access_group = "datacat_write"
secrets_group = "datacat_secrets"
if access_group not in groups:
raise HTTPException(403, "User is not authorized for write access to the datacatalogue.")
if secrets_group not in groups:
userdb.add_external_auth_user(username, email)
else:
userdb.add_external_auth_user(username, email, True)
datacat_user = userdb.get(username) datacat_user = userdb.get(username)
access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRES_MINUTES) access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRES_MINUTES)
...@@ -142,7 +151,7 @@ async def keycloak_token(request: Request): ...@@ -142,7 +151,7 @@ async def keycloak_token(request: Request):
# set token in cookie, this can then be extractet via the frontend javascript # set token in cookie, this can then be extractet via the frontend javascript
response = RedirectResponse("/login.html?external_auth=True") response = RedirectResponse("/login.html?external_auth=True")
response.set_cookie( response.set_cookie(
key="datacat_auth_token", value=access_token, secure=True, expires=datetime.utcnow()+timedelta(minutes=5) # TODO get domain from settings key="datacat_auth_token", value=access_token, secure=True, expires=datetime.utcnow()+timedelta(minutes=5)
) )
return response return response
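Review bot: The group check added inside `if userdb.get(username) is None:` only runs when the local account is created, so a user whose `datacat_write` or `datacat_secrets` group is later removed in Keycloak keeps logging in with the access snapshotted at first login; the check should run on every call, before the `userdb.get` branch. `user['groups']` also raises KeyError (a 500) when the token carries no groups claim, where a 403 is the intended answer; `user.get('groups', [])` gives that. The two `add_external_auth_user` branches can collapse into one call with the computed flag. If the DB interface has a way to update an existing user, the `has_secrets_access` flag should be refreshed on each login as well — that method is not visible here. keycloak_token's body starts and ends outside the hunk.
```python
    groups = user.get('groups', [])
    access_group = "datacat_write"
    secrets_group = "datacat_secrets"
    # evaluated on every login so that a group removal in Keycloak takes effect
    if access_group not in groups:
        raise HTTPException(403, "User is not authorized for write access to the datacatalogue.")
    has_secrets = secrets_group in groups
    if userdb.get(username) is None:
        userdb.add_external_auth_user(username, email, has_secrets)
    # … unchanged: datacat_user lookup, token creation, redirect response …
```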
...@@ -116,8 +116,8 @@ class JsonDBInterface(AbstractDBInterface): ...@@ -116,8 +116,8 @@ class JsonDBInterface(AbstractDBInterface):
self.__save_all(data) self.__save_all(data)
log.debug("Deleted user %s from userdb.", username) log.debug("Deleted user %s from userdb.", username)
def add_external_auth_user(cls, username: str, email: str): def add_external_auth_user(cls, username: str, email: str, secrets: bool = False):
cls.add(UserInDB(username=username, email=email)) cls.add(UserInDB(username=username, email=email, has_secrets_access=secrets))
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
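Review bot: The new `secrets` parameter of `add_external_auth_user` has no docstring, and the name says nothing about what it grants; a one-liner such as `"""Create a local account for an externally authenticated user; *secrets* sets has_secrets_access on the stored record."""` would make the privilege it confers explicit. Because the caller passes it positionally (`add_external_auth_user(username, email, True)`), a reader of the call site cannot tell what the bare `True` means; declaring it keyword-only, `def add_external_auth_user(cls, username: str, email: str, *, secrets: bool = False):`, and calling it with `secrets=True` would be clearer, at the cost of updating that caller. The first parameter is named `cls` while the neighbouring method uses `self`; if there is no `@classmethod` decorator above the hunk, `self` would be the consistent name. The decorator line, if any, is outside the hunk.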