def wrapper(*args, **kwargs): if self.e.watcher and self.e.watcher.should_reload(): self.e.watcher.update_callback() # Check sub, obj act against Casbin polices self.app.logger.debug( "Enforce Headers Config: %s\nRequest Headers: %s" % (self.app.config.get("CASBIN_OWNER_HEADERS"), request.headers)) for header in self.app.config.get("CASBIN_OWNER_HEADERS"): if header in request.headers: # Make Authorization Header Parser standard if header == "Authorization": # Get Auth Value then decode and parse for owner try: owner = authorization_decoder( request.headers.get(header)) except UnSupportedAuthType: # Continue if catch unsupported type in the event of # Other headers needing to be checked self.app.logger.info( "Authorization header type requested for " "decoding is unsupported by flask-casbin at this time" ) continue if self.e.enforce(owner, str(request.url_rule), request.method): return func(*args, **kwargs) else: # Split header by ',' in case of groups when groups are # sent "group1,group2,group3,..." in the header for owner in self.sanitize_group_headers( request.headers.get(header)): self.app.logger.debug( "Enforce against owner: %s header: %s" % (owner.strip('"'), header)) if self.e.enforce(owner.strip('"'), str(request.url_rule), request.method): return func(*args, **kwargs) else: return (jsonify({"message": "Unauthorized"}), 401)
def wrapper(*args, **kwargs): if self.e.watcher and self.e.watcher.should_reload(): self.e.watcher.update_callback() # String used to hold the owners user name for audit logging owner_audit = "" # Check sub, obj act against Casbin polices self.app.logger.debug( "Enforce Headers Config: %s\nRequest Headers: %s" % (self.app.config.get("CASBIN_OWNER_HEADERS"), request.headers)) # Set resource URI from request uri = str(request.path) # Get owner from owner_loader if self._owner_loader: self.app.logger.info("Get owner from owner_loader") for owner in self._owner_loader(): if self.e.enforce(owner.strip('"'), uri, request.method): return func(*args, **kwargs) for header in map(str.lower, self.app.config.get("CASBIN_OWNER_HEADERS")): if header in request.headers: # Make Authorization Header Parser standard if header == "authorization": # Get Auth Value then decode and parse for owner try: owner = authorization_decoder( request.headers.get(header)) except UnSupportedAuthType: # Continue if catch unsupported type in the event of # Other headers needing to be checked self.app.logger.info( "Authorization header type requested for " "decoding is unsupported by flask-casbin at this time" ) continue if self.user_name_headers and header in map( str.lower, self.user_name_headers): owner_audit = owner if self.e.enforce(owner, uri, request.method): self.app.logger.info( "access granted: method: %s resource: %s%s" % (request.method, uri, "" if not self.user_name_headers and owner_audit != "" else " to user: %s" % owner_audit)) return func(*args, **kwargs) else: # Split header by ',' in case of groups when groups are # sent "group1,group2,group3,..." in the header for owner in self.sanitize_group_headers( request.headers.get(header)): self.app.logger.debug( "Enforce against owner: %s header: %s" % (owner.strip('"'), header)) if self.user_name_headers and header in map( str.lower, self.user_name_headers): owner_audit = owner if self.e.enforce(owner.strip('"'), uri, request.method): self.app.logger.info( "access granted: method: %s resource: %s%s" % (request.method, uri, "" if not self.user_name_headers and owner_audit != "" else " to user: %s" % owner_audit)) return func(*args, **kwargs) else: self.app.logger.error( "Unauthorized attempt: method: %s resource: %s%s" % (request.method, uri, "" if not self.user_name_headers and owner_audit != "" else " by user: %s" % owner_audit)) return (jsonify({"message": "Unauthorized"}), 401)
def test_auth_docode(auth_str, result): assert authorization_decoder(auth_str) == "bob"
def test_auth_docode_exceptions(auth_str): with pytest.raises(UnSupportedAuthType): authorization_decoder(auth_str)
def test_auth_docode(app_fixture, auth_str, result): assert authorization_decoder(app_fixture.config, auth_str) == "bob"
def test_auth_docode_exceptions(app_fixture, auth_str): with pytest.raises(jwt.ExpiredSignatureError): authorization_decoder(app_fixture.config, auth_str)
def test_auth_docode_exceptions(app_fixture, auth_str): with pytest.raises(UnSupportedAuthType): authorization_decoder(app_fixture.config, auth_str)