コード例 #1
ファイル: jwt.py プロジェクト: arunkollan/bemserver
def _expired_token_callback():
    """Build the 401 response returned when an expired token is presented
    to a protected endpoint.

    The response carries a ``WWW-Authenticate`` challenge assembled from the
    ``JWT_HEADER_TYPE`` and ``AUTH_JWT_REALM`` entries of the app config
    (either may be ``None`` if unset; the value is formatted as-is).
    """
    header_type = current_app.config.get('JWT_HEADER_TYPE')
    realm = current_app.config.get('AUTH_JWT_REALM')
    challenge = '{} realm="{}"'.format(header_type, realm)

    exc = Unauthorized()
    exc.data = {
        'message': 'Access denied, token has expired!',
        'headers': {'WWW-Authenticate': challenge},
    }
    return rest_api.handle_http_exception(exc)
コード例 #2
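        def decorate(*args, **kwargs):
            """Authenticate the request, then call the wrapped view ``f``.

            ``f``, ``self`` and ``app`` are free names taken from the
            enclosing scope (presumably the decorator's ``__call__``;
            confirm there).

            Every failure path raises the same generic 401 ``resp`` so the
            client cannot tell which check failed.  The only detail added is
            ``reauth_endpoint`` for an expired token whose claims name one.
            Malformed claims (non-dict ``sub``, missing ``name``/``scope``)
            also end in that 401 instead of an unhandled 500.
            """
            resp = Unauthorized()
            resp.data = {"message": "Invalid token"}

            # Resolve which audit this call targets from the route kwargs.
            target_audit_uuid = ""
            if "audit_uuid" in kwargs:
                target_audit_uuid = kwargs["audit_uuid"]
            elif "scan_uuid" in kwargs:
                # A scan uuid is mapped onto its audit uuid by keeping the
                # first 24 characters and zero-padding to 32.
                target_audit_uuid = kwargs["scan_uuid"][0:24] + "0" * 8

            # Anonymous access configuration is allowed for non administration APIs only
            if app.config["ALLOW_ANONYMOUS_AUDIT_ACCESS"] is True and self.admin is False:
                identity = {"name": ""}
            else:
                try:
                    # Check if given JWT is valid
                    verify_jwt_in_request()
                    identity = get_jwt_identity()
                # If the token is valid but already expired
                except ExpiredSignatureError:
                    # Best-effort hint: re-read the expired token (allow_expired is
                    # expected to skip only the exp check, with the signature still
                    # verified -- confirm against the jwt library) and offer a
                    # re-authorization endpoint for the target audit.  Any problem
                    # while building the hint must not turn this 401 into a 500.
                    try:
                        encoded_token, _ = _decode_jwt_from_headers()
                        expired_token = decode_token(encoded_token, allow_expired=True)
                        expired_identity = expired_token["sub"]
                        if isinstance(expired_identity, dict) and "auth_endpoint" in expired_identity:
                            url = urlparse(expired_identity["auth_endpoint"])
                            audit_qs = {"audit": target_audit_uuid}
                            new_qs = {**parse_qs(url.query), **audit_qs}
                            auth_endpoint = url._replace(query=urlencode(new_qs, doseq=True)).geturl()
                            resp.data["reauth_endpoint"] = auth_endpoint
                    except Exception:
                        # Deliberate: the hint is optional, the 401 below is not.
                        pass
                    raise resp
                except Exception:
                    # Missing header, bad signature, malformed token, ...: fail closed.
                    raise resp

                # Anonymous token is not allowed when anonymous access configuration is disabled.
                # A non-dict identity (e.g. a plain-string "sub") is rejected outright instead
                # of letting `in` / `len` raise and surface as a 500.
                if not isinstance(identity, dict):
                    raise resp
                name = identity.get("name")
                if not isinstance(name, str) or len(name) == 0:
                    raise resp

                # Check if the token's scope is valid for the specified API's target
                target_scopes = ["*"]
                if self.admin is False and len(target_audit_uuid) > 0:
                    target_scopes.append(target_audit_uuid)
                # A token without a scope claim fails closed (401), not with KeyError (500).
                if identity.get("scope") not in target_scopes:
                    raise resp

            g.identity = identity
            return f(*args, **kwargs)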
コード例 #3
def raise_auth_error(errors):
    """
    Raise a 401 ``Unauthorized`` carrying the given error list.

    Args:
        errors (list): list of errors
    Raises:
        (Unauthorized): always; its ``data`` payload is
            ``{'status': 'error', 'errors': errors}``
    """
    payload = {
        'status': 'error',
        'errors': errors,
    }
    failure = Unauthorized()
    failure.data = payload
    raise failure
コード例 #4
ファイル: jwt.py プロジェクト: arunkollan/bemserver
def _unauthorized_callback(error_string):
    """Build the 401 response returned when a protected endpoint is accessed
    without a valid JWT.

    The message embeds *error_string* verbatim, and a ``WWW-Authenticate``
    challenge is assembled from the ``JWT_HEADER_TYPE`` and
    ``AUTH_JWT_REALM`` entries of the app config (either may be ``None`` if
    unset; the value is formatted as-is).

    :param error_string: String indicating why this request is unauthorized.
    """
    header_type = current_app.config.get('JWT_HEADER_TYPE')
    realm = current_app.config.get('AUTH_JWT_REALM')
    challenge = '{} realm="{}"'.format(header_type, realm)
    message = 'Access denied, authentication required: {}'.format(error_string)

    exc = Unauthorized()
    exc.data = {
        'message': message,
        'headers': {'WWW-Authenticate': challenge},
    }
    return rest_api.handle_http_exception(exc)