diff --git a/inventory-app/oidc.py b/inventory-app/oidc.py
index 266b21a..4161cbb 100644
--- a/inventory-app/oidc.py
+++ b/inventory-app/oidc.py
@@ -13,15 +13,25 @@ db = MongoClient(const.MONGO_URI).get_default_database()
 gw_uri = os.getenv("OIDC_GATEWAY_URI")
 metadata = requests.get(f"{gw_uri}.well-known/openid-configuration").json()
 
-def login_required(f):
-    @wraps(f)
-    def decorated_function(*args, **kwargs):
-        if not read_user():
-            print("doing login redirect")
-            session["original_url"] = request.full_path
-            return do_login()
-        return f(*args, **kwargs)
-    return decorated_function
+def login_required(_f=None, *, groups=[]):
+    def login_required_inner(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            print(groups)
+            user = read_user()
+            if not user:
+                print("doing login redirect")
+                session["original_url"] = request.full_path
+                return do_login()
+            if groups and not any(g in groups for g in user["groups"]):
+                return "not allowed", 401
+            return f(*args, **kwargs)
+        return decorated_function
+
+    if _f is None:
+        return login_required_inner
+    else:
+        return login_required_inner(_f)
 
 def do_login():
     url = add_url_params(metadata["authorization_endpoint"], {
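Review bot: The group check in `decorated_function` rejects an already-authenticated user with 401, but 401 means "not authenticated" and would prompt clients to re-authenticate; the right status for a signed-in user who lacks a required group is 403, and `user["groups"]` should not raise KeyError for a user record without that key, so `if groups and not any(g in groups for g in user.get("groups", [])): return "not allowed", 403`. The denial is also a security-relevant event worth logging (which user, which route, which groups were required) rather than only the `print(groups)` debug line, which should be dropped before merge. `groups=[]` is a mutable default; it is never mutated here, but `groups=()` avoids the footgun and reads as the immutable constant it is. Where `user["groups"]` comes from is not visible in this hunk (presumably the ID-token claims via `read_user()`); a short docstring on `login_required` stating that `groups` is an any-of list of group names checked against the authenticated user's group claim would make the contract explicit.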