From 44d6eb8570090544620ac6bd174f3f249f47190d Mon Sep 17 00:00:00 2001 From: Terrtia Date: Thu, 11 Jul 2019 13:58:15 +0200 Subject: [PATCH] chg: [rest API] access: check token user role --- var/www/modules/restApi/Flask_restApi.py | 48 +++++++++++++++++------- 1 file changed, 35 insertions(+), 13 deletions(-) diff --git a/var/www/modules/restApi/Flask_restApi.py b/var/www/modules/restApi/Flask_restApi.py index 4535da28..f73434de 100644 --- a/var/www/modules/restApi/Flask_restApi.py +++ b/var/www/modules/restApi/Flask_restApi.py @@ -36,7 +36,7 @@ def check_token_format(strg, search=re.compile(r'[^a-zA-Z0-9_-]').search): return not bool(search(strg)) def verify_token(token): - if len(token) != 55: + if len(token) != 41: return False if not check_token_format(token): @@ -47,23 +47,41 @@ def verify_token(token): else: return False +def verify_user_role(role, token): + user_id = r_serv_db.hget('user:tokens', token) + if user_id: + if is_in_role(user_id, role): + return True + else: + return False + else: + return False + +def is_in_role(user_id, role): + if r_serv_db.sismember('user_role:{}'.format(role), user_id): + return True + else: + return False + # ============ DECORATOR ============ -def token_required(funct): - @wraps(funct) - def api_token(*args, **kwargs): - data = authErrors() - if data: - return Response(json.dumps(data[0], indent=2, sort_keys=True), mimetype='application/json'), data[1] - else: - return funct(*args, **kwargs) - return api_token +def token_required(user_role): + def actual_decorator(funct): + @wraps(funct) + def api_token(*args, **kwargs): + data = authErrors(user_role) + if data: + return Response(json.dumps(data[0], indent=2, sort_keys=True), mimetype='application/json'), data[1] + else: + return funct(*args, **kwargs) + return api_token + return actual_decorator def get_auth_from_header(): token = request.headers.get('Authorization').replace(' ', '') # remove space return token -def authErrors(): +def authErrors(user_role): # Check auth if not request.headers.get('Authorization'): return ({'status': 'error', 'reason': 'Authentication needed'}, 401) @@ -76,6 +94,10 @@ def authErrors(): if verify_token(token): authenticated = True + # check user role + if not verify_user_role(user_role, token): + data = ({'status': 'error', 'reason': 'Access Forbidden'}, 403) + if not authenticated: data = ({'status': 'error', 'reason': 'Authentication failed'}, 401) except Exception as e: @@ -98,8 +120,8 @@ def one(): # def api(): # return 'api doc' -@restApi.route("api/items", methods=['POST']) -@token_required +@restApi.route("api/items", methods=['GET', 'POST']) +@token_required('admin') def items(): item = request.args.get('id')