79 lines
3.1 KiB
Python
79 lines
3.1 KiB
Python
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
""" AuthMiddleware provides header processing that will decorate the
|
|
request context with auth values provided by the identity service.
|
|
"""
|
|
import logging
|
|
|
|
from shipyard_airflow import policy
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
|
|
class AuthMiddleware(object):
|
|
""" Authentication middleware class that handles auth headers
|
|
and adds them to the request context
|
|
"""
|
|
def process_request(self, req, resp):
|
|
ctx = req.context
|
|
ctx.set_policy_engine(policy.policy_engine)
|
|
|
|
auth_status = req.get_header(
|
|
'X-SERVICE-IDENTITY-STATUS') # will be set to Confirmed or Invalid
|
|
service = True
|
|
|
|
if auth_status is None:
|
|
auth_status = req.get_header('X-IDENTITY-STATUS')
|
|
service = False
|
|
|
|
if auth_status == 'Confirmed':
|
|
# Process account and roles
|
|
ctx.authenticated = True
|
|
# User Identity, unique within owning domain
|
|
ctx.user = req.get_header(
|
|
'X-SERVICE-USER-NAME') if service else req.get_header(
|
|
'X-USER-NAME')
|
|
# Identity-service managed unique identifier
|
|
ctx.user_id = req.get_header(
|
|
'X-SERVICE-USER-ID') if service else req.get_header(
|
|
'X-USER-ID')
|
|
# Identity service managed unique identifier of owning domain of
|
|
# user name
|
|
ctx.user_domain_id = req.get_header(
|
|
'X-SERVICE-USER-DOMAIN-ID') if service else req.get_header(
|
|
'X-USER-DOMAIN-ID')
|
|
# Identity service managed unique identifier
|
|
ctx.project_id = req.get_header(
|
|
'X-SERVICE-PROJECT-ID') if service else req.get_header(
|
|
'X-PROJECT-ID')
|
|
# Name of owning domain of project
|
|
ctx.project_domain_id = req.get_header(
|
|
'X-SERVICE-PROJECT-DOMAIN-ID') if service else req.get_header(
|
|
'X-PROJECT-DOMAIN-NAME')
|
|
if service:
|
|
# comma delimieted list of case-sensitive role names
|
|
ctx.add_roles(req.get_header('X-SERVICE-ROLES').split(','))
|
|
else:
|
|
ctx.add_roles(req.get_header('X-ROLES').split(','))
|
|
|
|
if req.get_header('X-IS-ADMIN-PROJECT') == 'True':
|
|
ctx.is_admin_project = True
|
|
else:
|
|
ctx.is_admin_project = False
|
|
|
|
LOG.debug('Request from authenticated user %s with roles %s',
|
|
ctx.user, ','.join(ctx.roles))
|
|
else:
|
|
ctx.authenticated = False
|