def wrapper(*args, **kwargs):
get_claims()
if len(settings.LEEK_API_WHITELISTED_ORGS
) and g.org_name not in settings.LEEK_API_WHITELISTED_ORGS:
raise JWTError(
f'Only {settings.LEEK_API_WHITELISTED_ORGS} are whitelisted to use this app'
)
if allowed_org_names:
if g.org_name not in allowed_org_names:
raise JWTError(
f'Only {allowed_org_names} org can access this endpoint'
)
if only_app_owner:
try:
app_name = request.headers["x-leek-app-name"]
except KeyError as e:
return responses.missing_headers
try:
app = get_app(f"{g.org_name}-{app_name}")
if g.email != app.get("owner"):
return responses.insufficient_permission
except es_exceptions.NotFoundError:
return responses.application_not_found
except es_exceptions.ConnectionError:
return responses.cache_backend_unavailable
return route(*args, **kwargs)
def wrapper(*args, **kwargs):
g.app_name = request.headers.get("x-leek-app-name")
g.app_env = request.headers.get("x-leek-app-env")
if settings.LEEK_API_ENABLE_AUTH:
get_claims()
if len(
settings.LEEK_API_WHITELISTED_ORGS
) and g.org_name not in settings.LEEK_API_WHITELISTED_ORGS:
raise JWTError(
f'Only {settings.LEEK_API_WHITELISTED_ORGS} are whitelisted to use this app'
)
if allowed_org_names:
if g.org_name not in allowed_org_names:
raise JWTError(
f'Only {allowed_org_names} org can access this endpoint'
)
if only_app_owner:
if not g.app_name:
return responses.missing_headers
try:
app = get_app(f"{g.org_name}-{g.app_name}")
if g.email != app.get("owner"):
return responses.insufficient_permission
except es_exceptions.NotFoundError:
return responses.application_not_found
except es_exceptions.ConnectionError:
return responses.search_backend_unavailable
else:
g.org_name = "mono"
g.index_alias = f"{g.org_name}-{g.app_name}"
return route(*args, **kwargs)
def decode(token, verify_expiration=True, authorized_audiences=None):
# since we passed the verification, we can now safely
# use the unverified claims
claims = jwt.get_unverified_claims(token)
# additionally we can verify the token expiration
if verify_expiration:
if time.time() > claims['exp']:
raise JWTError('Token is expired')
# and the Audience
if authorized_audiences:
# OID TOKEN (aud), OAUTH ACCESS TOKEN (client_id)
aud = claims.get('aud', claims.get('client_id'))
if not aud:
raise JWTError('Token does not have aud nor client_id attribute')
if aud not in authorized_audiences:
raise JWTError('Token was not issued for this audience')
# now we can use the claims
return claims
def search_for_key(token, keys):
# get the kid from the headers prior to verification
headers = jwt.get_unverified_headers(token)
kid = headers["kid"]
# search for the kid in the downloaded public keys
for key in keys:
if kid == key["kid"]:
return key
raise JWTError(f"Public key not found in provided keys")
def get_jwt_value(self, request):
auth = get_authorization_header(request).split()
header_prefix = "Bearer"
if not auth:
return None
if smart_text(auth[0].lower()) != header_prefix.lower():
raise JWTError("No Bearer Authorization header")
if len(auth) == 1:
msg = "Invalid Authorization header. No credentials provided"
raise JWTError(msg)
elif len(auth) > 2:
msg = ("Invalid Authorization header. Credentials string should "
"not contain spaces.")
raise JWTError(msg)
return auth[1]
def valid_signature(token, key):
if isinstance(key, dict):
# verify the signature, exception should be thrown if verification failed
jws.verify(token, key['pem'], [key['alg']], verify=True)
else:
# get the last two sections of the token,
# message and signature (encoded in base64)
message, encoded_signature = str(token).rsplit('.', 1)
# decode the signature
decoded_signature = base64url_decode(encoded_signature.encode('utf-8'))
# verify the signature
if not key.verify(message.encode("utf8"), decoded_signature):
raise JWTError('Signature verification failed')
return True
def get_claims():
"""
Validates the auth token and build context
"""
# Get and Validate Header
id_token_header = request.headers.get("Authorization")
if not id_token_header:
raise JWTError("The endpoint requires a bearer id token")
if id_token_header.startswith("Bearer"):
g.id_token = id_token_header.split()[1]
else:
g.id_token = id_token_header
# Authorize
g.claims = decode_jwt_token(g.id_token)
build_context()
def test_decode_jwt_error(api_request):
with patch('controlpanel.jwt.jwt') as jwt:
jwt.decode.side_effect = JWTError("test_decode_jwt_error")
assert api_request(
HTTP_AUTHORIZATION=f'Bearer {token()}').status_code == 403