示例#1
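def requires_admin_auth():
    """Authenticate an admin-client request from the JWT carried on it.

    The token's issuer must equal ``ADMIN_CLIENT_USER_NAME`` and the token
    must verify against one of the secrets in ``API_INTERNAL_SECRETS``.  On
    success ``g.service_id`` is set to the admin client name and the function
    returns ``None``.

    Raises:
        AuthError: 401 when the issuer is not the admin client or when no
            configured secret verifies the token; 403 when the token has
            expired.
    """
    request_helper.check_proxy_header_before_request()

    auth_token = get_auth_token(request)
    client = __get_token_issuer(auth_token)

    admin_client_name = current_app.config.get('ADMIN_CLIENT_USER_NAME')
    if client != admin_client_name:
        raise AuthError('Unauthorized: admin authentication token required',
                        401)

    g.service_id = admin_client_name

    # An unset/None setting previously raised TypeError (a 500) when iterated;
    # treat it as "no secrets configured" so the caller gets the 401 below.
    secrets = current_app.config.get('API_INTERNAL_SECRETS') or ()
    for secret in secrets:
        try:
            decode_jwt_token(auth_token, secret)
        except TokenExpiredError:
            # Listed before TokenDecodeError so that an expired token is
            # reported rather than silently skipped, should the two classes
            # turn out to be related.
            raise AuthError(
                "Invalid token: expired, check that your system clock is accurate",
                403)
        except TokenDecodeError:
            # Not signed with this secret; try the next one.
            # TODO: Change this so it doesn't also catch `TokenIssuerError` or `TokenIssuedAtError` exceptions
            # (which are children of `TokenDecodeError`) as these should cause an auth error immediately rather
            # than continue on to check the next admin client secret
            continue
        # Signature verified against this secret: the request is authenticated.
        return

    # Either there are no admin client secrets or the token matched none of them.
    raise AuthError("Unauthorized: admin authentication token not found",
                    401)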
示例#2
def requires_auth():
    """Authenticate a service request from the JWT carried on it.

    The token's ``iss`` claim names the service; each of that service's API
    keys is then tried as the signing secret.  On success ``g.service_id``
    and the request context's ``authenticated_service`` / ``api_user`` are
    set and the function returns ``None``.

    Raises:
        AuthError: 403 for an unknown, archived or key-less service, for an
            expired, wrongly signed or otherwise unverifiable token, and for
            a token signed with a revoked key.
    """
    request_helper.check_proxy_header_before_request()

    auth_token = get_auth_token(request)
    # The `iss` claim, expected to carry a service ID.
    issuer = __get_token_issuer(auth_token)

    try:
        with AUTH_DB_CONNECTION_DURATION_SECONDS.time():
            service = SerialisedService.from_id(issuer)
    except DataError:
        raise AuthError("Invalid token: service id is not the right data type", 403)
    except NoResultFound:
        raise AuthError("Invalid token: service not found", 403)

    service_id = service.id

    if not service.api_keys:
        raise AuthError("Invalid token: service has no API keys", 403, service_id=service_id)

    if not service.active:
        raise AuthError("Invalid token: service is archived", 403, service_id=service_id)

    for api_key in service.api_keys:
        key_id = api_key.id
        try:
            decode_jwt_token(auth_token, api_key.secret)
        except TokenExpiredError:
            raise AuthError(
                "Error: Your system clock must be accurate to within 30 seconds",
                403, service_id=service_id, api_key_id=key_id)
        except TokenAlgorithmError:
            raise AuthError(
                "Invalid token: algorithm used is not HS256",
                403, service_id=service_id, api_key_id=key_id)
        except TokenDecodeError:
            # Validation failed, i.e. the token was not signed with this key:
            # move on to the next one.
            # TODO: Change this so it doesn't also catch `TokenIssuerError` or `TokenIssuedAtError` exceptions (which
            # are children of `TokenDecodeError`) as these should cause an auth error immediately rather than
            # continue on to check the next API key
            continue
        except TokenError:
            # Any other failure while decoding/validating the token.
            raise AuthError(GENERAL_TOKEN_ERROR_MESSAGE, 403, service_id=service_id, api_key_id=key_id)

        # Only reached once the signature verified against *this* key, so a
        # caller who does not hold the key learns nothing about its revocation.
        if api_key.expiry_date:
            raise AuthError("Invalid token: API key revoked", 403, service_id=service_id, api_key_id=key_id)

        g.service_id = service_id
        ctx = _request_ctx_stack.top
        ctx.authenticated_service = service
        ctx.api_user = api_key

        # NOTE(review): the placeholder labelled "issuer" is filled with the
        # User-Agent header, not the JWT `iss` claim — confirm that is intended.
        current_app.logger.info(
            f'API authorised for service {service_id} with api key {key_id}, '
            f'using issuer {request.headers.get("User-Agent")} for URL: {request.base_url}'
        )
        return

    # The service has API keys, but none of them signed the presented token.
    raise AuthError("Invalid token: API key not found", 403, service_id=service_id)
示例#3
文件: auth.py 项目: trodjr/notify
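def requires_auth():
    """Authenticate a service request from the JWT carried on it.

    The token's issuer names the service; each of that service's API keys is
    then tried as the signing secret.  On success ``g.service_id`` and the
    request context's ``authenticated_service`` / ``api_user`` are set and
    the function returns ``None``.

    Raises:
        AuthError: 403 for an unknown, archived or key-less service, for an
            expired or wrongly signed token, and for a token signed with a
            revoked key.
    """
    request_helper.check_proxy_header_before_request()

    auth_token = get_auth_token(request)
    client = __get_token_issuer(auth_token)

    try:
        service = dao_fetch_service_by_id_with_api_keys(client)
    except DataError:
        raise AuthError("Invalid token: service id is not the right data type",
                        403)
    except NoResultFound:
        raise AuthError("Invalid token: service not found", 403)

    if not service.api_keys:
        raise AuthError("Invalid token: service has no API keys",
                        403,
                        service_id=service.id)

    if not service.active:
        raise AuthError("Invalid token: service is archived",
                        403,
                        service_id=service.id)

    for api_key in service.api_keys:
        try:
            decode_jwt_token(auth_token, api_key.secret)
        except TokenExpiredError:
            # Checked before TokenDecodeError so that an expired token is
            # reported rather than silently skipped, should the two classes
            # turn out to be related.
            err_msg = (
                "Error: Your system clock must be accurate to within 30 seconds"
            )
            raise AuthError(err_msg,
                            403,
                            service_id=service.id,
                            api_key_id=api_key.id)
        except TokenDecodeError:
            # Not signed with this key; try the next one.
            continue

        # Only reached once the signature verified against *this* key, so a
        # caller who does not hold the key learns nothing about its revocation.
        if api_key.expiry_date:
            raise AuthError("Invalid token: API key revoked",
                            403,
                            service_id=service.id,
                            api_key_id=api_key.id)

        g.service_id = api_key.service_id
        _request_ctx_stack.top.authenticated_service = service
        _request_ctx_stack.top.api_user = api_key
        current_app.logger.info(
            'API authorised for service {} with api key {}, using client {}'.
            format(service.id, api_key.id, request.headers.get('User-Agent')))
        return

    # The service has API keys, but none of them signed the presented token.
    raise AuthError("Invalid token: signature, api token not found",
                    403,
                    service_id=service.id)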
示例#4
def requires_admin_auth():
    """Authenticate an admin-client request from the JWT carried on it.

    The token's issuer must equal ``ADMIN_CLIENT_USER_NAME``; the token is
    then verified by ``handle_admin_key`` against ``ADMIN_CLIENT_SECRET``.
    ``g.service_id`` is set to the admin client name before that check.

    Returns:
        Whatever ``handle_admin_key`` returns.

    Raises:
        AuthError: 401 when the issuer is not the admin client.
    """
    request_helper.check_proxy_header_before_request()

    auth_token = get_auth_token(request)
    issuer = __get_token_issuer(auth_token)

    config = current_app.config
    admin_name = config.get('ADMIN_CLIENT_USER_NAME')
    if issuer != admin_name:
        raise AuthError('Unauthorized, admin authentication token required', 401)

    g.service_id = admin_name
    return handle_admin_key(auth_token, config.get('ADMIN_CLIENT_SECRET'))
示例#5
def requires_admin_auth():
    """Authenticate an admin-client request from the JWT carried on it.

    Only the JWT scheme is accepted for admin calls; the token's issuer must
    equal ``ADMIN_CLIENT_USER_NAME``, after which ``handle_admin_key``
    verifies the token against ``ADMIN_CLIENT_SECRET``.  ``g.service_id`` is
    set to the admin client name before that check.

    Returns:
        Whatever ``handle_admin_key`` returns.

    Raises:
        AuthError: 401 for a non-JWT scheme or an issuer other than the
            admin client.
    """
    request_helper.check_proxy_header_before_request()

    auth_type, auth_token = get_auth_token(request)
    # Reject any other credential scheme before the token is even parsed.
    if auth_type != JWT_AUTH_TYPE:
        raise AuthError("Invalid scheme: can only use JWT for admin authentication", 401)

    issuer = __get_token_issuer(auth_token)

    config = current_app.config
    admin_name = config.get("ADMIN_CLIENT_USER_NAME")
    if issuer != admin_name:
        raise AuthError("Unauthorized, admin authentication token required", 401)

    g.service_id = admin_name
    return handle_admin_key(auth_token, config.get("ADMIN_CLIENT_SECRET"))
示例#6
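def requires_auth():
    """Authenticate a service request from its credential.

    A v1 API-key credential is delegated to ``_auth_by_api_key``.  A JWT is
    resolved via its issuer to a service, and each of that service's API
    keys is tried as the signing secret; the matching key is handed to
    ``_auth_with_api_key``.  Returns ``None`` on success.

    Raises:
        AuthError: 403 for an unknown, archived or key-less service and for
            an expired or wrongly signed token.
    """
    request_helper.check_proxy_header_before_request()

    auth_type, auth_token = get_auth_token(request)
    if auth_type == API_KEY_V1_AUTH_TYPE:
        _auth_by_api_key(auth_token)
        return

    client = __get_token_issuer(auth_token)

    try:
        service = dao_fetch_service_by_id_with_api_keys(client)
    except DataError:
        raise AuthError("Invalid token: service id is not the right data type",
                        403)
    except NoResultFound:
        raise AuthError("Invalid token: service not found", 403)

    if not service.api_keys:
        raise AuthError("Invalid token: service has no API keys",
                        403,
                        service_id=service.id)

    if not service.active:
        raise AuthError("Invalid token: service is archived",
                        403,
                        service_id=service.id)

    for api_key in service.api_keys:
        try:
            decode_jwt_token(auth_token, api_key.secret)
        except TokenExpiredError:
            # Checked before TokenDecodeError so that an expired token is
            # reported rather than silently skipped, should the two classes
            # turn out to be related.
            err_msg = (
                "Error: Your system clock must be accurate to within 30 seconds"
            )
            raise AuthError(err_msg,
                            403,
                            service_id=service.id,
                            api_key_id=api_key.id)
        except TokenDecodeError:
            # Not signed with this key; try the next one.
            continue

        # Signature verified against this key: finish authentication with it.
        _auth_with_api_key(api_key, service)
        return

    # The service has API keys, but none of them signed the presented token.
    raise AuthError("Invalid token: signature, api token not found",
                    403,
                    service_id=service.id)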