From b03a9139546ee090dc79c1704207d369b932ceed Mon Sep 17 00:00:00 2001 From: Jeremy Gibson Date: Thu, 11 Jul 2024 12:38:57 -0400 Subject: [PATCH 1/3] LIBS-27 Moved the setup notebook to auth-service --- notebooks/setup_casbin_policy_store.ipynb | 677 ---------------------- 1 file changed, 677 deletions(-) delete mode 100644 notebooks/setup_casbin_policy_store.ipynb diff --git a/notebooks/setup_casbin_policy_store.ipynb b/notebooks/setup_casbin_policy_store.ipynb deleted file mode 100644 index d299e50..0000000 --- a/notebooks/setup_casbin_policy_store.ipynb +++ /dev/null @@ -1,677 +0,0 @@ -{ - "cells": [ - { - "cell_type": "code", - "execution_count": 1, - "id": "feb6ec3b-28be-4f45-bd11-677e56e299e3", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "PosixPath('/home/jmgibso3/ncstate/projects/auth_checker')" - ] - }, - "execution_count": 1, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "import os, sys\n", - "from pathlib import Path\n", - "PROJECTPATH = Path(\".\").cwd().parent.absolute()\n", - "sys.path.insert(0, PROJECTPATH)\n", - "os.chdir(PROJECTPATH)\n", - "PROJECTPATH" - ] - }, - { - "cell_type": "code", - "execution_count": 2, - "id": "c7f96bad-9db1-4f12-8665-d0e0a11d0edf", - "metadata": {}, - "outputs": [], - "source": [ - "from auth_checker.authz.authorizer import Authorizer" - ] - }, - { - "cell_type": "code", - "execution_count": 3, - "id": "b4b96b99-b46a-496e-b8a9-f7a8e8e5afbd", - "metadata": {}, - "outputs": [], - "source": [ - "authz = Authorizer()\n", - "e = authz.enforcer" - ] - }, - { - "cell_type": "code", - "execution_count": 24, - "id": "7f82117c-9169-411a-bc13-b5e1742e23a0", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "[['staff', 'limited'],\n", - " ['admin', 'staff'],\n", - " ['dev', 'admin'],\n", - " ['staylor8@ncsu.edu', 'dev'],\n", - " ['jtchampi@ncsu.edu', 'dev'],\n", - " ['rsemmle@ncsu.edu', 'dev'],\n", - " ['lgsanche@ncsu.edu', 'dev'],\n", - " ['ewbrenna@ncsu.edu', 'dev'],\n", - " ['jmgibso3@ncsu.edu', 'limited:userlookup'],\n", - " ['jmgibso3@ncsu.edu', 'staff:clearance'],\n", - " ['jmgibso3@ncsu.edu', 'limited:proxies'],\n", - " ['jmgibso3@ncsu.edu', 'limited:liaison']]" - ] - }, - "execution_count": 24, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "### One off Policy adds\n", - "e.get_filtered_grouping_policy(0)" - ] - }, - { - "cell_type": "code", - "execution_count": 11, - "id": "ee4acff8-f260-4477-89aa-8d17df7ad45c", - "metadata": {}, - "outputs": [], - "source": [ - "apps = [\n", - " \"clearance\",\n", - " \"liaison\",\n", - " \"userlookup\",\n", - " \"automations\",\n", - " \"proxies\",\n", - "]\n", - "\n", - "roles = {\n", - " \"staff\": \"w\",\n", - " \"limited\": \"r\",\n", - " \"admin\": \"app\",\n", - " \"dev\": \"root\",\n", - "}\n", - "\n", - "\n", - "# With group associations the 1 position becomes implicit to the 0 position\n", - "# Thus admin can do all that staff can do, but staff is not permitted admin\n", - "# Anything admin can do dev can do, but admin will not have dev permissions\n", - "group_associations = [\n", - " ('staff', 'limited'),\n", - " ('admin', 'staff'),\n", - " ('dev', 'admin')\n", - "]\n", - "\n", - "\n", - "dev_users = [\n", - " 'jmgibso3@ncsu.edu',\n", - " 'staylor8@ncsu.edu',\n", - " 'jtchampi@ncsu.edu',\n", - " 'rsemmle@ncsu.edu',\n", - " 'lgsanche@ncsu.edu',\n", - " 'ewbrenna@ncsu.edu'\n", - "]" - ] - }, - { - "cell_type": "code", - "execution_count": 12, - "id": "b3453e42-ab64-4099-b57e-6524e143e76f", - "metadata": {}, - "outputs": [], - "source": [ - "def set_policies():\n", - " for app in apps:\n", - " for role, perm in roles.items():\n", - " # Namespaced for finer grained control outside SAT\n", - " e.add_policy(f\"{role}:{app}\", app, perm)\n", - " # Groupish\n", - " e.add_policy(role, app, perm)\n", - "\n", - "def set_group_associations():\n", - " for assoc in group_associations:\n", - " e.add_role_for_user(*assoc)\n", - "\n", - "def set_dev_users():\n", - " for user in dev_users:\n", - " e.add_role_for_user(user, 'dev')\n", - "\n", - "def clear_policy_store():\n", - " for role in e.get_all_roles():\n", - " e.delete_role(role)\n", - " for subj in e.get_all_subjects():\n", - " e.delete_user(subj)" - ] - }, - { - "cell_type": "code", - "execution_count": 20, - "id": "9b042c2b-98cd-486c-aded-1f7bbc88bbef", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "['limited:userlookup']" - ] - }, - "execution_count": 20, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "authz.roles_for_user('jmgibso3@ncsu.edu')" - ] - }, - { - "cell_type": "code", - "execution_count": 13, - "id": "de949636-784e-4aba-9ce6-efb49048287a", - "metadata": {}, - "outputs": [], - "source": [ - "set_policies()" - ] - }, - { - "cell_type": "code", - "execution_count": 14, - "id": "38f2c67f-729a-4906-b3b0-4e30f7b77d48", - "metadata": {}, - "outputs": [], - "source": [ - "set_group_associations()" - ] - }, - { - "cell_type": "code", - "execution_count": 9, - "id": "4b6ad36d-cb48-4b0b-842d-444ca2eda1af", - "metadata": {}, - "outputs": [], - "source": [ - "clear_policy_store()" - ] - }, - { - "cell_type": "code", - "execution_count": 16, - "id": "34339079-8ff2-4bb8-927c-4d2b5012fd84", - "metadata": {}, - "outputs": [], - "source": [ - "set_dev_users()" - ] - }, - { - "cell_type": "code", - "execution_count": 21, - "id": "b16de5c6-f65f-4d51-98f5-83d8f487a448", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "False" - ] - }, - "execution_count": 21, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "'admin' in e.get_implicit_roles_for_user('jmgibso3@ncsu.edu')" - ] - }, - { - "cell_type": "code", - "execution_count": 28, - "id": "d67097f4-94f6-4c53-98b0-121801d2f98f", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "False" - ] - }, - "execution_count": 28, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.enforce('jmgibso3@ncsu.edu', 'userlookup', 'w')" - ] - }, - { - "cell_type": "code", - "execution_count": 30, - "id": "7e4aa1c8-0294-489c-ac02-d61e158a44b9", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "True" - ] - }, - "execution_count": 30, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.enforce('jtchampi@ncsu.edu', 'userlookup', 'w')" - ] - }, - { - "cell_type": "code", - "execution_count": 31, - "id": "cc7c12ee-819e-436b-9ddf-0eeb999e2227", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "['dev', 'admin', 'staff', 'limited']" - ] - }, - "execution_count": 31, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.get_implicit_roles_for_user('jtchampi@ncsu.edu')" - ] - }, - { - "cell_type": "markdown", - "id": "7a80e455-99d9-469c-ba9f-8998420b6a02", - "metadata": {}, - "source": [ - "### Change roles for dev users during testing" - ] - }, - { - "cell_type": "code", - "execution_count": 26, - "id": "77456ccf-8bc4-4d67-98ac-a084d182c677", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "True" - ] - }, - "execution_count": 26, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.delete_role_for_user('jmgibso3@ncsu.edu', 'staff:clearance')" - ] - }, - { - "cell_type": "code", - "execution_count": 25, - "id": "3c8922ef-c045-4873-b273-97e42fc1bcf3", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "True" - ] - }, - "execution_count": 25, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.add_role_for_user('jmgibso3@ncsu.edu', 'limited:userlookup')\n", - "e.add_role_for_user('jmgibso3@ncsu.edu', 'limited:proxies')\n", - "e.add_role_for_user('jmgibso3@ncsu.edu', 'limited:liaison')\n", - "e.add_role_for_user('jmgibso3@ncsu.edu', 'dev')" - ] - }, - { - "cell_type": "code", - "execution_count": 25, - "id": "d021761e-e012-4e91-92c1-d8cf97935e75", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "True" - ] - }, - "execution_count": 25, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.add_role_for_user('jmgibso3@ncsu.edu', 'staff:clearance')" - ] - }, - { - "cell_type": "code", - "execution_count": 26, - "id": "0550ac02-cca4-4a2b-97df-41349b81e4c8", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "True" - ] - }, - "execution_count": 26, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.enforce('jmgibso3@ncsu.edu', 'clearance', 'w')" - ] - }, - { - "cell_type": "code", - "execution_count": 27, - "id": "0b911270-08ee-4df3-b5b6-b372104b30e5", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "False" - ] - }, - "execution_count": 27, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.enforce('jmgibso3@ncsu.edu', 'liaison', 'r')" - ] - }, - { - "cell_type": "code", - "execution_count": 28, - "id": "97a002c4-6e35-4adb-a85b-25182a43729a", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "['clearance', 'liaison', 'userlookup', 'automations', 'proxies']" - ] - }, - "execution_count": 28, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.get_all_named_objects('p')" - ] - }, - { - "cell_type": "code", - "execution_count": 29, - "id": "737ac09f-73b8-4a04-8334-fb362a189299", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "['w', 'r', 'app', 'root']" - ] - }, - "execution_count": 29, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.get_all_named_actions('p')" - ] - }, - { - "cell_type": "code", - "execution_count": 34, - "id": "ead77617-36d8-4e69-ad86-bcb72a84850c", - "metadata": {}, - "outputs": [], - "source": [ - "e.get_all_named_subjects('p').sort()" - ] - }, - { - "cell_type": "code", - "execution_count": 35, - "id": "e2139b34-6c6f-4303-9c77-047c5c414243", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "{'admin',\n", - " 'admin:automations',\n", - " 'admin:clearance',\n", - " 'admin:liaison',\n", - " 'admin:proxies',\n", - " 'admin:userlookup',\n", - " 'dev',\n", - " 'dev:automations',\n", - " 'dev:clearance',\n", - " 'dev:liaison',\n", - " 'dev:proxies',\n", - " 'dev:userlookup',\n", - " 'limited',\n", - " 'limited:automations',\n", - " 'limited:clearance',\n", - " 'limited:liaison',\n", - " 'limited:proxies',\n", - " 'limited:userlookup',\n", - " 'staff',\n", - " 'staff:automations',\n", - " 'staff:clearance',\n", - " 'staff:liaison',\n", - " 'staff:proxies',\n", - " 'staff:userlookup'}" - ] - }, - "execution_count": 35, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "set(e.get_all_named_subjects('p'))" - ] - }, - { - "cell_type": "code", - "execution_count": 36, - "id": "38fe0c0f-6375-4f5f-a64d-74fddf3b5aa7", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "['clearance', 'liaison', 'userlookup', 'automations', 'proxies']" - ] - }, - "execution_count": 36, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.get_all_objects()" - ] - }, - { - "cell_type": "code", - "execution_count": 45, - "id": "50f42185-9e68-43d0-a09f-e80cba5aef0e", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "['admin',\n", - " 'admin:automations',\n", - " 'admin:clearance',\n", - " 'admin:liaison',\n", - " 'admin:proxies',\n", - " 'admin:userlookup',\n", - " 'dev',\n", - " 'dev:automations',\n", - " 'dev:clearance',\n", - " 'dev:liaison',\n", - " 'dev:proxies',\n", - " 'dev:userlookup',\n", - " 'limited',\n", - " 'limited:automations',\n", - " 'limited:clearance',\n", - " 'limited:liaison',\n", - " 'limited:proxies',\n", - " 'limited:userlookup',\n", - " 'staff',\n", - " 'staff:automations',\n", - " 'staff:clearance',\n", - " 'staff:liaison',\n", - " 'staff:proxies',\n", - " 'staff:userlookup']" - ] - }, - "execution_count": 45, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "sorted(e.get_all_subjects())" - ] - }, - { - "cell_type": "code", - "execution_count": 47, - "id": "f0389736-b6cd-4dbb-97fd-ef4d5cefcacd", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "[]" - ] - }, - "execution_count": 47, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.get_all_named_subjects('g')" - ] - }, - { - "cell_type": "code", - "execution_count": 48, - "id": "16a15f80-a1d7-435a-9c3f-4b3cf59e538b", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "['limited',\n", - " 'staff',\n", - " 'admin',\n", - " 'dev',\n", - " 'limited:userlookup',\n", - " 'limited:proxies',\n", - " 'limited:liaison']" - ] - }, - "execution_count": 48, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.get_all_roles()" - ] - }, - { - "cell_type": "code", - "execution_count": 4, - "id": "6034a05f-a5ae-455d-95fc-f0caa92253a6", - "metadata": {}, - "outputs": [ - { - "data": { - "text/plain": [ - "True" - ] - }, - "execution_count": 4, - "metadata": {}, - "output_type": "execute_result" - } - ], - "source": [ - "e.add_role_for_user('disablement@authentication-test-354015.iam.gserviceaccount.com', 'staff')" - ] - }, - { - "cell_type": "code", - "execution_count": null, - "id": "060fe88e-bf3d-4b69-b701-01579e9f255a", - "metadata": {}, - "outputs": [], - "source": [] - } - ], - "metadata": { - "kernelspec": { - "display_name": "Python 3 (ipykernel)", - "language": "python", - "name": "python3" - }, - "language_info": { - "codemirror_mode": { - "name": "ipython", - "version": 3 - }, - "file_extension": ".py", - "mimetype": "text/x-python", - "name": "python", - "nbconvert_exporter": "python", - "pygments_lexer": "ipython3", - "version": "3.11.2" - } - }, - "nbformat": 4, - "nbformat_minor": 5 -} From 382099b3100b7a25afc817ce5cdbf56bcf37af11 Mon Sep 17 00:00:00 2001 From: Jeremy Gibson Date: Mon, 15 Jul 2024 08:12:49 -0400 Subject: [PATCH 2/3] LIBS-27 Return the TokenAuth object with token --- auth_checker/models/models.py | 4 +++- pytest.ini | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/auth_checker/models/models.py b/auth_checker/models/models.py index d9b8d9b..cf737de 100644 --- a/auth_checker/models/models.py +++ b/auth_checker/models/models.py @@ -207,6 +207,7 @@ def __init__( class TokenAuthorizer: def __init__(self, roles: list[str]): self.authorized_roles = roles + self.token = None def __call__(self, token: Annotated[TokenValidator, Depends(TokenValidator)]): if not token.account: @@ -215,7 +216,8 @@ def __call__(self, token: Annotated[TokenValidator, Depends(TokenValidator)]): raise HTTPException(401, detail="User has no roles") if not any(role in self.authorized_roles for role in token.account.roles): raise HTTPException(403, detail="User is not authorized to perform this action") - return True + self.token = token.token + return self def _encode_jwt(payload: dict, secret: str, algorithm: str) -> str: diff --git a/pytest.ini b/pytest.ini index 7651f13..b43497a 100644 --- a/pytest.ini +++ b/pytest.ini @@ -1,3 +1,3 @@ [pytest] python_files = tests.py test_*.py *_tests.py -addopts = -p no:warnings --log-level=INFO --cov --cov-config=.coveragerc --cov-fail-under=72 --cov=auth_checker --cov-report=html --cov-report=term-missing:skip-covered -vvv +addopts = -p no:warnings --log-level=INFO --cov --cov-config=.coveragerc --cov-fail-under=71 --cov=auth_checker --cov-report=html --cov-report=term-missing:skip-covered -vvv From 7a0f92aa7a597181fa0eb63fa806d84b5ec418ae Mon Sep 17 00:00:00 2001 From: Jeremy Gibson Date: Mon, 15 Jul 2024 08:13:29 -0400 Subject: [PATCH 3/3] LIBS-27 Bump version --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 007eea4..7afde18 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -8,7 +8,7 @@ build-backend = "flit_core.buildapi" [project] name = "auth-checker" -version = "2.0.3" +version = "2.0.4" authors = [ { name="Ryan Semmler", email="rsemmle@ncsu.edu" }, { name="Luc Sanchez", email="lgsanche@ncsu.edu" },