From dee42dd14dc7786b1ccf9465bb28dfe74024166c Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 9 Mar 2023 04:39:37 +0300
Subject: auth: introspection: Protect introspection endpoint

The introspection endpoint could contain privileged information, thus requires that the endpoint be protected. This commit ensures that a user has authenticated to the system and that the client they are using be one of the allowed clients.
---
 gn3/auth/authentication/oauth2/views.py | 19 +++++++++++++++----
 gn3/auth/authorisation/errors.py | 4 ++++
 gn3/settings.py | 15 +++++++++++++--
 3 files changed, 32 insertions(+), 6 deletions(-)

(limited to 'gn3')

diff --git a/gn3/auth/authentication/oauth2/views.py b/gn3/auth/authentication/oauth2/views.py
index e440c6e..3a14a48 100644
--- a/gn3/auth/authentication/oauth2/views.py
+++ b/gn3/auth/authentication/oauth2/views.py
@@ -1,8 +1,11 @@
 """Endpoints for the oauth2 server"""
 import uuid
-from flask import Blueprint, current_app as app
+from flask import Response, Blueprint, current_app as app
+from gn3.auth.authorisation.errors import ForbiddenAccess
+
+from .resource_server import require_oauth
 from .endpoints.revocation import RevocationEndpoint
 from .endpoints.introspection import IntrospectionEndpoint
@@ -36,7 +39,15 @@ def revoke_token():
 RevocationEndpoint.ENDPOINT_NAME)
 @auth.route("/introspect", methods=["POST"])
-def introspect_token():
+@require_oauth("introspect")
+def introspect_token() -> Response:
 """Provide introspection information for the token."""
- return app.config["OAUTH2_SERVER"].create_endpoint_response(
- IntrospectionEndpoint.ENDPOINT_NAME)
+ # This is dangerous to provide publicly
+ authorised_clients = app.config.get(
+ "OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE", [])
+ with require_oauth.acquire("introspect") as the_token:
+ if the_token.client.client_id in authorised_clients:
+ return app.config["OAUTH2_SERVER"].create_endpoint_response(
+ IntrospectionEndpoint.ENDPOINT_NAME)
+
+ raise ForbiddenAccess("You cannot access this endpoint")
diff --git a/gn3/auth/authorisation/errors.py b/gn3/auth/authorisation/errors.py
index ff28cd4..3bc7a04 100644
--- a/gn3/auth/authorisation/errors.py
+++ b/gn3/auth/authorisation/errors.py
@@ -8,6 +8,10 @@ class AuthorisationError(Exception):
 """
 error_code: int = 400
+class ForbiddenAccess(AuthorisationError):
+ """Raised for forbidden access."""
+ error_code: int = 403
+
 class UserRegistrationError(AuthorisationError):
 """Raised whenever a user registration fails"""
diff --git a/gn3/settings.py b/gn3/settings.py
index 1de4d27..1b4a105 100644
--- a/gn3/settings.py
+++ b/gn3/settings.py
@@ -1,7 +1,7 @@
 """Configuration settings for this project"""
-
-import tempfile
 import os
+import uuid
+import tempfile
 BCRYPT_SALT = "$2b$12$mxLvu9XRLlIaaSeDxt8Sle" # Change this!
 DATA_DIR = ""
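Review bot: The allow-list check `if the_token.client.client_id in authorised_clients:` compares the token's client id against `OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE`, which settings.py in this same commit builds as a tuple of `uuid.UUID` values; if `client_id` is stored as a string (its type is not visible here), the membership test never matches and every client is refused with the 403, so normalise one side, e.g. `if uuid.UUID(str(the_token.client.client_id)) in authorised_clients:` (`uuid` is already imported in this module). The `@require_oauth("introspect")` decorator and the `require_oauth.acquire("introspect")` context manager appear to validate the same bearer token and scope twice; keeping only the `acquire` block, which is needed anyway to reach the token object, is enough. The `[]` default in `app.config.get(...)` is the right fail-closed choice, though `()` would match the type the settings module produces. introspect_token is complete within this hunk.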
@@ -70,3 +70,14 @@ MULTIPROCESSOR_PROCS = 6 # Number of processes to spawn
 AUTH_MIGRATIONS = "migrations/auth"
 AUTH_DB = os.environ.get(
 "AUTH_DB", f"{os.environ.get('HOME')}/genenetwork/gn3_files/db/auth.db")
+
+try:
+ # *** SECURITY CONCERN ***
+ # Clients with access to this privileges create a security concern.
+ # Be careful when adding to this configuration
+ OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE = tuple(
+ uuid.UUID(client_id) for client_id in
+ os.environ.get(
+ "OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE", "").split(","))
+except ValueError as _valerr:
+ OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE = tuple()
--
cgit v1.2.3
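Review bot: The `except ValueError as _valerr:` fallback makes any single malformed entry in `OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE` silently collapse the whole allow-list to `tuple()`, which then surfaces only as 403s from the introspection view; the unset case lands in the same branch, because `"".split(",")` yields `[""]` and `uuid.UUID("")` raises. Failing closed is right, but a typo in one id should be visible at startup, so skip blank entries explicitly and let a genuine ValueError propagate (or log it before falling back); `_valerr` is otherwise unused. The comment `# Clients with access to this privileges create a security concern.` reads better as `# Clients granted this privilege are a security concern.`
```python
# *** SECURITY CONCERN ***
# Clients granted this privilege are a security concern.
# Be careful when adding to this configuration.
# Blank entries (e.g. an unset variable) are skipped; a non-UUID entry
# raises ValueError at import time instead of silently emptying the list.
OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE = tuple(
    uuid.UUID(client_id.strip()) for client_id in
    os.environ.get(
        "OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE", "").split(",")
    if client_id.strip())
```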