k-space/doorboy-proxy
11
0
Fork 0
Code Issues 3 Pull Requests 1 Projects Activity

move /cards from inventory-app

Browse Source
This commit is contained in:
rasmus
2025-08-08 01:05:29 +03:00
parent eebfc9efe6
commit d6807e3f01
4 changed files with 47 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
app/doorboy-proxy.py
View File

@@ -1,8 +1,7 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
from datetime import date, datetime from datetime import date, datetime
from sanic import Sanic from typing import List
from sanic.response import text, json
from sanic_prometheus import monitor
from dateutil.parser import parse from dateutil.parser import parse
import httpx import httpx
from functools import wraps from functools import wraps
@@ -10,6 +9,7 @@ from motor.motor_asyncio import AsyncIOMotorClient
from pymongo.errors import PyMongoError from pymongo.errors import PyMongoError
import os import os
from .slack import add_slack_routes from .slack import add_slack_routes
from .users import users_with_group
app = Sanic(__name__) app = Sanic(__name__)
add_slack_routes(app) add_slack_routes(app)
@@ -21,7 +21,6 @@ FLOOR_ACCESS_GROUP = os.environ["FLOOR_ACCESS_GROUP"]
WORKSHOP_ACCESS_GROUP = os.environ["WORKSHOP_ACCESS_GROUP"] WORKSHOP_ACCESS_GROUP = os.environ["WORKSHOP_ACCESS_GROUP"]
MONGO_URI = os.environ["MONGO_URI"] MONGO_URI = os.environ["MONGO_URI"]
INVENTORY_API_KEY = os.environ["INVENTORY_API_KEY"] # asshole forwards to inventory-app, instead of using mongo directly INVENTORY_API_KEY = os.environ["INVENTORY_API_KEY"] # asshole forwards to inventory-app, instead of using mongo directly
CARD_URI = os.environ["CARD_URI"]
assert len(DOORBOY_SECRET_FLOOR) >= 10 assert len(DOORBOY_SECRET_FLOOR) >= 10
assert len(DOORBOY_SECRET_WORKSHOP) >= 10 assert len(DOORBOY_SECRET_WORKSHOP) >= 10
@@ -48,29 +47,29 @@ def authenticate_door(wrapped):
@app.route("/allowed") @app.route("/allowed")
@authenticate_door @authenticate_door
async def view_doorboy_uids(request): async def view_doorboy_uids(request):
users = List[str]
# authorize # authorize
key = request.headers.get("KEY") key = request.headers.get("KEY")
groups = []
if key == DOORBOY_SECRET_FLOOR: if key == DOORBOY_SECRET_FLOOR:
groups.append(FLOOR_ACCESS_GROUP) users = users_with_group(FLOOR_ACCESS_GROUP)
if key == DOORBOY_SECRET_WORKSHOP: elif key == DOORBOY_SECRET_WORKSHOP:
groups.append(WORKSHOP_ACCESS_GROUP) users = users_with_group(WORKSHOP_ACCESS_GROUP)
if not groups: else:
return "fail", 500 print("WARN: unknown door token in /allowed")
async with httpx.AsyncClient() as client: return "unknown doorboy secret token", 403
r = await client.post(CARD_URI, json={
"groups": groups flt = {
}, headers={ "token.uid_hash": {"$exists": True},
"Content-Type": "application/json", "inventory.owner.username": {"$in": users}
"Authorization": f"Basic {INVENTORY_API_KEY}" }
}) prj = {
j = r.json() "token.uid_hash": True
allowed_uids = [] }
for obj in j: tokens = await app.ctx.db.inventory.find(flt, prj)
allowed_uids.append({
"token": obj["token"] print(f"delegating {len(tokens)} doorkey tokens")
}) return json({"allowed_uids": tokens})
return json({"allowed_uids": allowed_uids})
def datetime_to_json_formatting(o): def datetime_to_json_formatting(o):
if isinstance(o, (date, datetime)): if isinstance(o, (date, datetime)):
@@ -153,7 +152,7 @@ async def swipe(request):
if key == DOORBOY_SECRET_WORKSHOP: if key == DOORBOY_SECRET_WORKSHOP:
doors.add("workshopdoor") doors.add("workshopdoor")
if data.get("door") not in doors: if data.get("door") not in doors:
print("Door", repr(data.get("door")), "not in", doors) print("WARN: Door", repr(data.get("door")), "not in", doors)
return text("Not allowed", 403) return text("Not allowed", 403)
timestamp = parse(data["timestamp"]) if data.get("timestamp") else datetime.now(datetime.timezone.utc) timestamp = parse(data["timestamp"]) if data.get("timestamp") else datetime.now(datetime.timezone.utc)

22
app/users.py Normal file
View File

@@ -0,0 +1,22 @@
from typing import List
from kubernetes import client, config
import os
OIDC_USERS_NAMESPACE = os.getenv("OIDC_USERS_NAMESPACE")
def users_with_group(group: str) -> List[str]:
config.load_incluster_config()
api_instance = client.CustomObjectsApi()
users = List[str]
ret = api_instance.list_namespaced_custom_object("codemowers.cloud", "v1beta1", OIDC_USERS_NAMESPACE, "oidcusers")
for item in ret["items"]:
if group not in item.get("status", {}).get("groups", []):
continue
users.append(item['metadata']['name'])
print(f"INFO: {len(users)} users in group {group}")
return users

2
docker-compose.yml
View File

@@ -24,12 +24,10 @@ services:
doorboy_proxy: doorboy_proxy:
network_mode: host network_mode: host
environment: environment:
INVENTORY_API_KEY: "sptWL6XFxl4b8"
DOORBOY_SECRET_FLOOR: "0123456789" DOORBOY_SECRET_FLOOR: "0123456789"
DOORBOY_SECRET_WORKSHOP: "9999999999" DOORBOY_SECRET_WORKSHOP: "9999999999"
FLOOR_ACCESS_GROUP: "k-space:floor" FLOOR_ACCESS_GROUP: "k-space:floor"
WORKSHOP_ACCESS_GROUP: "k-space:workshop" WORKSHOP_ACCESS_GROUP: "k-space:workshop"
CARD_URI: "https://inventory-app-72zn4.codemowers.ee/cards"
SLACK_DOORLOG_CALLBACK: DEV SLACK_DOORLOG_CALLBACK: DEV
env_file: .env env_file: .env
build: build:

1
requirements.txt
View File

@@ -5,3 +5,4 @@ python_dateutil==2.9.0
Requests==2.32.4 Requests==2.32.4
sanic==25.3.0 sanic==25.3.0
sanic_prometheus==0.2.1 sanic_prometheus==0.2.1
kubernetes