diff options
| author | Frederick Muriuki Muriithi | 2023-03-09 04:39:37 +0300 |
|---|---|---|
| committer | Frederick Muriuki Muriithi | 2023-03-09 04:39:37 +0300 |
| commit | dee42dd14dc7786b1ccf9465bb28dfe74024166c (patch) | |
| tree | 31af463e825d03776ac46cd859e65610dfcc5457 /gn3/auth | |
| parent | a35d16f9a191afbb31e2c185e87e5eec5e23122f (diff) | |
| download | genenetwork3-dee42dd14dc7786b1ccf9465bb28dfe74024166c.tar.gz | |
auth: introspection: Protect introspection endpoint
The introspection endpoint could contain privileged information, thus requires
that the endpoint be protected. This commit ensures that a user has
authenticated to the system and that the client they are using be one of the
allowed clients.
Diffstat (limited to 'gn3/auth')
| -rw-r--r-- | gn3/auth/authentication/oauth2/views.py | 19 | ||||
| -rw-r--r-- | gn3/auth/authorisation/errors.py | 4 |
2 files changed, 19 insertions, 4 deletions
diff --git a/gn3/auth/authentication/oauth2/views.py b/gn3/auth/authentication/oauth2/views.py index e440c6e..3a14a48 100644 --- a/gn3/auth/authentication/oauth2/views.py +++ b/gn3/auth/authentication/oauth2/views.py @@ -1,8 +1,11 @@ """Endpoints for the oauth2 server""" import uuid -from flask import Blueprint, current_app as app +from flask import Response, Blueprint, current_app as app +from gn3.auth.authorisation.errors import ForbiddenAccess + +from .resource_server import require_oauth from .endpoints.revocation import RevocationEndpoint from .endpoints.introspection import IntrospectionEndpoint @@ -36,7 +39,15 @@ def revoke_token(): RevocationEndpoint.ENDPOINT_NAME) @auth.route("/introspect", methods=["POST"]) -def introspect_token(): +@require_oauth("introspect") +def introspect_token() -> Response: """Provide introspection information for the token.""" - return app.config["OAUTH2_SERVER"].create_endpoint_response( - IntrospectionEndpoint.ENDPOINT_NAME) + # This is dangerous to provide publicly + authorised_clients = app.config.get( + "OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE", []) + with require_oauth.acquire("introspect") as the_token: + if the_token.client.client_id in authorised_clients: + return app.config["OAUTH2_SERVER"].create_endpoint_response( + IntrospectionEndpoint.ENDPOINT_NAME) + + raise ForbiddenAccess("You cannot access this endpoint") diff --git a/gn3/auth/authorisation/errors.py b/gn3/auth/authorisation/errors.py index ff28cd4..3bc7a04 100644 --- a/gn3/auth/authorisation/errors.py +++ b/gn3/auth/authorisation/errors.py @@ -8,6 +8,10 @@ class AuthorisationError(Exception): """ error_code: int = 400 +class ForbiddenAccess(AuthorisationError): + """Raised for forbidden access.""" + error_code: int = 403 + class UserRegistrationError(AuthorisationError): """Raised whenever a user registration fails""" |