-rw-r--r--gn3/auth/authentication/oauth2/views.py19
-rw-r--r--gn3/auth/authorisation/errors.py4
-rw-r--r--gn3/settings.py15
3 files changed, 32 insertions, 6 deletions
diff --git a/gn3/auth/authentication/oauth2/views.py b/gn3/auth/authentication/oauth2/views.py
index e440c6e..3a14a48 100644
--- a/gn3/auth/authentication/oauth2/views.py
+++ b/gn3/auth/authentication/oauth2/views.py
@@ -1,8 +1,11 @@
"""Endpoints for the oauth2 server"""
import uuid
-from flask import Blueprint, current_app as app
+from flask import Response, Blueprint, current_app as app
+from gn3.auth.authorisation.errors import ForbiddenAccess
+
+from .resource_server import require_oauth
from .endpoints.revocation import RevocationEndpoint
from .endpoints.introspection import IntrospectionEndpoint
@@ -36,7 +39,15 @@ def revoke_token():
RevocationEndpoint.ENDPOINT_NAME)
@auth.route("/introspect", methods=["POST"])
-def introspect_token():
+@require_oauth("introspect")
+def introspect_token() -> Response:
"""Provide introspection information for the token."""
- return app.config["OAUTH2_SERVER"].create_endpoint_response(
- IntrospectionEndpoint.ENDPOINT_NAME)
+ # This is dangerous to provide publicly
+ authorised_clients = app.config.get(
+ "OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE", [])
+ with require_oauth.acquire("introspect") as the_token:
+ if the_token.client.client_id in authorised_clients:
+ return app.config["OAUTH2_SERVER"].create_endpoint_response(
+ IntrospectionEndpoint.ENDPOINT_NAME)
+
+ raise ForbiddenAccess("You cannot access this endpoint")
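Review bot: The membership test `the_token.client.client_id in authorised_clients` compares against a value that settings.py builds as a tuple of `uuid.UUID` objects, so if the client model stores `client_id` as a string (not visible in this hunk) the check can never succeed and every caller is refused with 403; normalise one side before comparing, e.g. `if uuid.UUID(str(the_token.client.client_id)) in authorised_clients:` (`uuid` is already imported at the top of this module), and add a short comment saying which type the configured list holds. The new `@require_oauth("introspect")` decorator and the `with require_oauth.acquire("introspect")` block appear to both validate the bearer token, so one of them is redundant; since the `with` form is what yields the token for the client check, the decorator can be dropped. The `# This is dangerous to provide publicly` comment would be more useful stating why, e.g. `# Introspection reveals the token's owner, scopes and expiry, so only clients listed in OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE may call it`. The preceding `revoke_token` function is cut off at the top of the hunk.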
diff --git a/gn3/auth/authorisation/errors.py b/gn3/auth/authorisation/errors.py
index ff28cd4..3bc7a04 100644
--- a/gn3/auth/authorisation/errors.py
+++ b/gn3/auth/authorisation/errors.py
@@ -8,6 +8,10 @@ class AuthorisationError(Exception):
"""
error_code: int = 400
+class ForbiddenAccess(AuthorisationError):
+ """Raised for forbidden access."""
+ error_code: int = 403
+
class UserRegistrationError(AuthorisationError):
"""Raised whenever a user registration fails"""
diff --git a/gn3/settings.py b/gn3/settings.py
index 1de4d27..1b4a105 100644
--- a/gn3/settings.py
+++ b/gn3/settings.py
@@ -1,7 +1,7 @@
"""Configuration settings for this project"""
-
-import tempfile
import os
+import uuid
+import tempfile
BCRYPT_SALT = "$2b$12$mxLvu9XRLlIaaSeDxt8Sle" # Change this!
DATA_DIR = ""
@@ -70,3 +70,14 @@ MULTIPROCESSOR_PROCS = 6 # Number of processes to spawn
AUTH_MIGRATIONS = "migrations/auth"
AUTH_DB = os.environ.get(
"AUTH_DB", f"{os.environ.get('HOME')}/genenetwork/gn3_files/db/auth.db")
+
+try:
+ # *** SECURITY CONCERN ***
+ # Clients with access to this privileges create a security concern.
+ # Be careful when adding to this configuration
+ OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE = tuple(
+ uuid.UUID(client_id) for client_id in
+ os.environ.get(
+ "OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE", "").split(","))
+except ValueError as _valerr:
+ OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE = tuple()
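Review bot: When the environment variable is unset, `"".split(",")` yields `[""]` and `uuid.UUID("")` raises `ValueError`, so the empty-tuple default is reached only through the exception path; the same path also silently discards every legitimate entry when a single one is malformed or carries a stray space after the comma, with no indication to the operator that introspection has been disabled for all clients. Filtering blank entries after stripping whitespace makes the unset case explicit, and the fail-closed fallback should at least be surfaced (the `_valerr` binding is currently unused; a `warnings.warn` would need `warnings` imported at the top of the file).

```python
try:
    # *** SECURITY CONCERN ***
    # Clients with access to this privileges create a security concern.
    # Be careful when adding to this configuration
    OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE = tuple(
        uuid.UUID(client_id.strip()) for client_id in
        os.environ.get(
            "OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE", "").split(",")
        if client_id.strip())
except ValueError as _valerr:
    # Fail closed: a malformed list disables introspection for every client.
    warnings.warn(
        f"Ignoring OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE: {_valerr}")
    OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE = tuple()
```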