From f6ef426407d9a6c21bc24e4d068ab3906ffa7b57 Mon Sep 17 00:00:00 2001
From: "C. Weaver"
Date: Fri, 9 Feb 2024 23:13:24 -0500
Subject: [PATCH] Add an authentication pseudo-mechanism for requests within mutli-requests
---
 scimma_admin/hopskotch_auth/api_views.py | 16 ++++++++++++++++
 .../static/hopskotch_auth/api/schema.yml | 6 +++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/scimma_admin/hopskotch_auth/api_views.py b/scimma_admin/hopskotch_auth/api_views.py
index 3f46a2b..8e046b5 100644
--- a/scimma_admin/hopskotch_auth/api_views.py
+++ b/scimma_admin/hopskotch_auth/api_views.py
@@ -158,6 +158,14 @@ def __init__(self, mech, sid, s):
 class ScramAuthentication(BaseAuthentication):
 def authenticate(self, request):
+ # This is a bit tricky, as it doesn't directly have anything to do with SCRAM Auth:
+ # If the request wraps one which is already authenticated, we hoist out that authentication
+ # information and just return it immediately.
+ # This is used by the multi request mechanism to cascade authentication down to sub-requests
+ if hasattr(request._request,"user") and request._request.user.is_authenticated \
+ and hasattr(request._request,"auth"):
+ return (request._request.user, request._request.auth)
+
 auth_header = get_authorization_header(request)
 if not auth_header or len(auth_header)==0:
 return None
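Review bot: The early return added at the top of `ScramAuthentication.authenticate` accepts any request whose underlying `HttpRequest` has an authenticated `user` and any `auth` attribute, and it runs before the `Authorization` header is read, so identity comes from object state rather than from presented credentials. That condition is not specific to sub-requests marked `Inherit`: Django's `AuthenticationMiddleware`, where installed, sets `user` on every request, and DRF's `Request.auth` setter writes `auth` through to `_request`. Whether a sub-request can carry both attributes without asking for them depends on how `sub_request` is constructed, which is outside this hunk. Consider keying on a dedicated marker that only the multi-request code sets, with a name such as `_inherited_auth`: `inherited = getattr(request._request, "_inherited_auth", None)` followed by `if inherited is not None: return inherited`, with the comment stating that this is the only trusted source. The rest of `authenticate` continues outside the hunk.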
@@ -335,6 +343,14 @@ def header_transform(name):
 continue
 sr_headers = { header_transform(k):v for k,v in rdata["headers"].items()}
 sub_request.META.update(sr_headers)
+ # Implement our own auth pseudo-mecahnism, allowing the sub-request to re-use the
+ # parent request's auth. Note that what we replicate is not the authentication data
+ # which was sent, but the end result of the authentication, so that authentication
+ # is not repeated.
+ if "HTTP_AUTHORIZATION" in sub_request.META \
+ and sub_request.META["HTTP_AUTHORIZATION"] == "Inherit":
+ sub_request.user = request.user
+ sub_request.auth = request.auth
 # overwrite headers which should not be inherited
 sub_request.META["REQUEST_METHOD"] = rdata["method"]
 sub_request.META["REQUEST_URI"] = rdata["path"]
diff --git a/scimma_admin/hopskotch_auth/static/hopskotch_auth/api/schema.yml b/scimma_admin/hopskotch_auth/static/hopskotch_auth/api/schema.yml
index 6970bf9..5d0314c 100644
--- a/scimma_admin/hopskotch_auth/static/hopskotch_auth/api/schema.yml
+++ b/scimma_admin/hopskotch_auth/static/hopskotch_auth/api/schema.yml
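Review bot: In the api_views.py hunk at `@@ -335,6 +343,14 @@`, the `Inherit` branch copies `request.user` and `request.auth` without checking that the parent multi-request is authenticated, and it leaves `HTTP_AUTHORIZATION` set to `Inherit` on the sub-request. With an anonymous parent, the hoist in `ScramAuthentication.authenticate` does not fire and the literal `Inherit` reaches that method's header parsing, which is not visible here, so the failure mode for the sub-request is implicit. Guarding the branch with `and request.user.is_authenticated` and rejecting the sub-request explicitly otherwise would make that outcome deliberate. For any other header value it is also worth ensuring `sub_request` carries no `user`/`auth` left over from its construction, for example a comment or an `else` branch stating `# sub-request must authenticate on its own; no identity is carried over`. The enclosing function starts and ends outside the hunk.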
@@ -21,7 +21,11 @@ paths:
 /hopauth/api/v{version}/multi:
 post:
 operationId: multiRequest
- description: 'Submit a request to perform a bundle of sub-requests. Each sub-request is processed independently, including its authentication. The request body is a mapping of user-chosen keys to sub-requests, and the response will be in the form of a mapping with the same keys, so that sub-responses can be matched to the sub-requests the client wanted to make. Each sub-request must include a method (HTTP verb) and path requested. Each may optionally include headers (useful for including authorization tokens), and a request body if applicable. Each sub-response will include a status and response body, and may also include response headers.'
+ description: "Submit a request to perform a bundle of sub-requests. Each sub-request is processed independently, including its authentication. The request body is a mapping of user-chosen keys to sub-requests, and the response will be in the form of a mapping with the same keys, so that sub-responses can be matched to the sub-requests the client wanted to make. Each sub-request must include a method (HTTP verb) and path requested. Each may optionally include headers (useful for including authorization tokens), and a request body if applicable. Each sub-response will include a status and response body, and may also include response headers. Authentication (and authorization)
+is generally checked separately for each sub-request independent of both other sub-requests and the
+original multi-request, so in most cases each sub-request should include its own `Authorization`
+header. Besides using the `Token` scheme, a speical 'pseudo-scheme', `Inherit`, is supported, which
+causes the sub-request to share the parent multi-request's authentication."
 parameters:
 - name: version
 in: path