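 def wrapper(*args, **kwargs):
     """Enforce Casbin policy for the wrapped view, then call it.

     The subject is derived from the first configured owner header
     (``CASBIN_OWNER_HEADERS``) that is present on the request: an
     ``Authorization`` header is run through ``authorization_decoder``;
     any other configured header is treated as a comma-separated list of
     owners/groups via ``self.sanitize_group_headers``. The first subject
     that ``self.e.enforce`` accepts for ``request.url_rule`` and
     ``request.method`` wins; if none does, a 401 JSON response is returned.

     NOTE(review): non-Authorization owner headers are used exactly as the
     client sent them, so the subject they name is only as trustworthy as
     whatever sets or strips those headers in front of this app (a trusted
     proxy, for example) — confirm that for the deployment.

     Returns:
         The wrapped view's return value on success, otherwise
         ``(jsonify({"message": "Unauthorized"}), 401)``.
     """
     if self.e.watcher and self.e.watcher.should_reload():
         self.e.watcher.update_callback()
     # Check sub, obj, act against Casbin policies.
     # ``or ()`` turns a missing CASBIN_OWNER_HEADERS setting into a plain
     # 401 instead of a TypeError from iterating None.
     owner_headers = self.app.config.get("CASBIN_OWNER_HEADERS") or ()
     self.app.logger.debug(
         "Enforce Headers Config: %s\nRequest Headers: %s" %
         (self.app.config.get("CASBIN_OWNER_HEADERS"), request.headers))
     resource = str(request.url_rule)
     for header in owner_headers:
         if header not in request.headers:
             continue
         # Compare the header name case-insensitively so a config entry
         # spelled "authorization" still reaches the decoder instead of
         # being comma-split like a group header.
         if header.lower() == "authorization":
             # Get Auth Value then decode and parse for owner
             try:
                 owner = authorization_decoder(request.headers.get(header))
             except UnSupportedAuthType:
                 # Continue if catch unsupported type in the event of
                 # other headers needing to be checked
                 self.app.logger.info(
                     "Authorization header type requested for "
                     "decoding is unsupported by flask-casbin at this time"
                 )
                 continue
             if self.e.enforce(owner, resource, request.method):
                 return func(*args, **kwargs)
         else:
             # Split header by ',' in case of groups when groups are
             # sent "group1,group2,group3,..." in the header
             for owner in self.sanitize_group_headers(
                     request.headers.get(header)):
                 subject = owner.strip('"')
                 self.app.logger.debug(
                     "Enforce against owner: %s header: %s" %
                     (subject, header))
                 if self.e.enforce(subject, resource, request.method):
                     return func(*args, **kwargs)
     # No configured header produced an authorized subject: deny.
     return (jsonify({"message": "Unauthorized"}), 401)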
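        def wrapper(*args, **kwargs):
            """Enforce Casbin policy for the wrapped view, then call it.

            Subjects are tried in this order against ``request.path`` and
            ``request.method``: every owner yielded by ``self._owner_loader``
            (if one is registered), then, per configured owner header
            (``CASBIN_OWNER_HEADERS``, compared lower-cased), either the
            owner decoded from ``Authorization`` or each comma-separated
            owner/group from any other header. The first subject that
            ``self.e.enforce`` accepts wins; otherwise a 401 JSON response is
            returned.

            When ``self.user_name_headers`` names the header the subject came
            from, that subject is recorded as ``owner_audit`` and appended to
            the grant/deny log line.

            NOTE(review): ``owner_audit`` is a raw header value chosen by the
            client and is written verbatim into the log line — confirm the
            logging sink tolerates arbitrary text (including newlines) there.
            The same applies to non-Authorization owner headers as subjects:
            they are trusted exactly as sent unless something in front of the
            app sets or strips them.

            Returns:
                The wrapped view's return value on success, otherwise
                ``(jsonify({"message": "Unauthorized"}), 401)``.
            """
            if self.e.watcher and self.e.watcher.should_reload():
                self.e.watcher.update_callback()
            # String used to hold the owners user name for audit logging
            owner_audit = ""

            def audit_suffix(fmt):
                # Only name a user when audit headers are configured AND one
                # was actually captured. The previous condition
                # (`not A and B`) emitted " to user: " with an empty name
                # whenever both were unset, and dropped the name whenever
                # headers were configured.
                if self.user_name_headers and owner_audit != "":
                    return fmt % owner_audit
                return ""

            def is_audit_header(name):
                # ``user_name_headers`` may be None/empty; compare lower-cased
                # like the owner-header loop does.
                return bool(self.user_name_headers) and name in map(
                    str.lower, self.user_name_headers)

            # Check sub, obj, act against Casbin policies.
            self.app.logger.debug(
                "Enforce Headers Config: %s\nRequest Headers: %s" %
                (self.app.config.get("CASBIN_OWNER_HEADERS"), request.headers))
            # Set resource URI from request
            uri = str(request.path)
            # Get owner from owner_loader
            if self._owner_loader:
                self.app.logger.info("Get owner from owner_loader")
                for owner in self._owner_loader():
                    if self.e.enforce(owner.strip('"'), uri, request.method):
                        return func(*args, **kwargs)
            # ``or ()`` turns a missing CASBIN_OWNER_HEADERS setting into a
            # plain 401 instead of a TypeError from mapping over None.
            owner_headers = self.app.config.get("CASBIN_OWNER_HEADERS") or ()
            for header in map(str.lower, owner_headers):
                if header not in request.headers:
                    continue
                # Make Authorization Header Parser standard
                if header == "authorization":
                    # Get Auth Value then decode and parse for owner
                    try:
                        owner = authorization_decoder(
                            request.headers.get(header))
                    except UnSupportedAuthType:
                        # Continue if catch unsupported type in the event of
                        # other headers needing to be checked
                        self.app.logger.info(
                            "Authorization header type requested for "
                            "decoding is unsupported by flask-casbin at this time"
                        )
                        continue

                    if is_audit_header(header):
                        owner_audit = owner
                    if self.e.enforce(owner, uri, request.method):
                        self.app.logger.info(
                            "access granted: method: %s resource: %s%s" %
                            (request.method, uri,
                             audit_suffix(" to user: %s")))
                        return func(*args, **kwargs)
                else:
                    # Split header by ',' in case of groups when groups are
                    # sent "group1,group2,group3,..." in the header
                    for owner in self.sanitize_group_headers(
                            request.headers.get(header)):
                        subject = owner.strip('"')
                        self.app.logger.debug(
                            "Enforce against owner: %s header: %s" %
                            (subject, header))
                        if is_audit_header(header):
                            # Recorded unstripped, as before.
                            owner_audit = owner
                        if self.e.enforce(subject, uri, request.method):
                            self.app.logger.info(
                                "access granted: method: %s resource: %s%s"
                                % (request.method, uri,
                                   audit_suffix(" to user: %s")))
                            return func(*args, **kwargs)
            # No subject was authorized: log the attempt and deny.
            self.app.logger.error(
                "Unauthorized attempt: method: %s resource: %s%s" %
                (request.method, uri, audit_suffix(" by user: %s")))
            return (jsonify({"message": "Unauthorized"}), 401)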
def test_auth_docode(auth_str, result):
    """A supported Authorization value decodes to the owner ``"bob"``.

    ``auth_str`` and ``result`` are presumably injected by a fixture or
    parametrize decorator outside this excerpt. ``result`` is not consulted
    by the assertion; the expected owner is pinned to ``"bob"`` here.
    """
    decoded_owner = authorization_decoder(auth_str)
    assert decoded_owner == "bob"
def test_auth_docode_exceptions(auth_str):
    """An Authorization value of an unsupported scheme is rejected.

    ``auth_str`` is presumably injected by a fixture or parametrize
    decorator outside this excerpt; the decoder must raise
    ``UnSupportedAuthType`` rather than return an owner for it.
    """
    with pytest.raises(UnSupportedAuthType) as exc_info:
        authorization_decoder(auth_str)
    assert isinstance(exc_info.value, UnSupportedAuthType)
def test_auth_docode(app_fixture, auth_str, result):
    """A supported Authorization value decodes to the owner ``"bob"``.

    The decoder is given ``app_fixture.config`` alongside the header value.
    ``auth_str`` and ``result`` are presumably injected by a fixture or
    parametrize decorator outside this excerpt; ``result`` is not consulted
    by the assertion, which pins the expected owner to ``"bob"``.
    """
    config = app_fixture.config
    decoded_owner = authorization_decoder(config, auth_str)
    assert decoded_owner == "bob"
def test_auth_docode_exceptions(app_fixture, auth_str):
    """An expired token is rejected instead of being decoded to an owner.

    ``auth_str`` is presumably injected by a fixture or parametrize
    decorator outside this excerpt and is assumed to carry an expired JWT;
    the decoder must surface ``jwt.ExpiredSignatureError`` for it.
    """
    config = app_fixture.config
    with pytest.raises(jwt.ExpiredSignatureError) as exc_info:
        authorization_decoder(config, auth_str)
    assert isinstance(exc_info.value, jwt.ExpiredSignatureError)
def test_auth_docode_exceptions(app_fixture, auth_str):
    """An Authorization value of an unsupported scheme is rejected.

    The decoder is given ``app_fixture.config`` alongside the header value.
    ``auth_str`` is presumably injected by a fixture or parametrize
    decorator outside this excerpt; the decoder must raise
    ``UnSupportedAuthType`` rather than return an owner for it.
    """
    config = app_fixture.config
    with pytest.raises(UnSupportedAuthType) as exc_info:
        authorization_decoder(config, auth_str)
    assert isinstance(exc_info.value, UnSupportedAuthType)