Add group based access support

2023-08-13 06:36:12 +03:00 · 2023-08-13 06:36:12 +03:00 · 4b79a5e353
commit 4b79a5e353
parent 43776722a1
1 changed files with 19 additions and 9 deletions
--- a/inventory-app/oidc.py
+++ b/inventory-app/oidc.py
@ -13,15 +13,25 @@ db = MongoClient(const.MONGO_URI).get_default_database()
 gw_uri = os.getenv("OIDC_GATEWAY_URI")
 metadata = requests.get(f"{gw_uri}.well-known/openid-configuration").json()

-def login_required(f):
-    @wraps(f)
-    def decorated_function(*args, **kwargs):
-        if not read_user():
-            print("doing login redirect")
-            session["original_url"] = request.full_path
-            return do_login()
-        return f(*args, **kwargs)
-    return decorated_function
+def login_required(_f=None, *, groups=[]):
+    def login_required_inner(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            print(groups)
+            user = read_user()
+            if not user:
+                print("doing login redirect")
+                session["original_url"] = request.full_path
+                return do_login()
+            if groups and not any(g in groups for g in user["groups"]):
+                return "not allowed", 401
+            return f(*args, **kwargs)
+        return decorated_function
+
+    if _f is None:
+        return login_required_inner
+    else:
+        return login_required_inner(_f)

 def do_login():
    url = add_url_params(metadata["authorization_endpoint"], {