authorLars Wirzenius <liw@liw.fi>2018-11-16 21:36:04 +0200
committerLars Wirzenius <liw@liw.fi>2018-11-16 21:36:04 +0200
commit6d621d3a51ba68f0a436d5c5b27ace6cb2825f50 (patch)
tree6817d537d5475ccd3b8d888e20cdc51bd357f33e /muck_poc
parentd30c7d5dac5891ad86a3491e198cb384e466932e (diff)
downloadmuck-poc-6d621d3a51ba68f0a436d5c5b27ace6cb2825f50.tar.gz
Change: allow super users to impersonate other users
Diffstat (limited to 'muck_poc')
-rwxr-xr-xmuck_poc18
1 files changed, 17 insertions, 1 deletions
diff --git a/muck_poc b/muck_poc
index 036389b..bb93832 100755
--- a/muck_poc
+++ b/muck_poc
@@ -14,6 +14,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import copy
import json
import logging
import os
@@ -83,6 +84,7 @@ class MuckAPI:
r.add_headers(rr.headers)
if self._ac.request_is_allowed(r, req_method, [req_scope]):
claims = self._ac.get_claims_from_token(r)
+ claims = self._claims_as_effective_user(r, claims)
return callback(claims)
logging.error('Access denied')
return bottle.HTTPError(401)
@@ -187,7 +189,8 @@ class MuckAPI:
return ms[rid]
def _access_is_allowed(self, meta, claims):
- return claims['sub'] == meta['owner']
+ scopes = claims.get('scope', '').split()
+ return claims['sub'] == meta['owner'] or 'super' in scopes
def _create_response(self, status, operation, meta, res):
headers = self._meta_headers(meta)
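Review bot: With the added `or 'super' in scopes` branch, a super user who impersonates another user (see `_claims_as_effective_user` in the later hunk) still passes the owner check for every resource, because the scopes are read from the same copied claims whose `sub` was rewritten; if impersonation is meant to act with the impersonated user's rights, the effective claims should drop `super` from `scope` (or this check should consult the acting user's scopes explicitly), otherwise a comment should state that it is a pure identity swap with full super rights retained. The `claims.get('scope', '').split()` expression is now duplicated here and at the top of `_claims_as_effective_user`; a small helper such as `def _is_super(self, claims): return 'super' in claims.get('scope', '').split()` would keep the two in step. What `r.get_user()` returns is not visible in this diff, so the first point is inferred from the two hunks as shown.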
@@ -201,6 +204,19 @@ class MuckAPI:
'Muck-Owner': meta['owner'],
}
+ def _claims_as_effective_user(self, r, claims):
+ scopes = claims.get('scope', '').split()
+ if 'super' in scopes:
+ claims = copy.deepcopy(claims)
+ user = r.get_user()
+ if user:
+ claims['sub'] = user
+ logging.info(
+ 'Pretending to be %s (claims: %r)', claims['sub'], claims)
+ else:
+ logging.info('Reuqest by normal user')
+ return claims
+
with open(sys.argv[1]) as f:
config = json.load(f)
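Review bot: The INFO line at the `'Pretending to be %s (claims: %r)'` call writes the entire effective claims dict to the log on every impersonated request, so anything the token carries beyond `sub` and `scope` ends up in the log; logging only the acting and effective subjects is enough for an audit trail. The acting super user's identity is otherwise lost once `sub` is overwritten, so I would keep it in the claims as well, e.g. `claims['act'] = claims['sub']` before `claims['sub'] = user` and then `logging.info('%s acting as %s', claims['act'], user)` (the `act` claim is the RFC 8693 convention for an actor). `r.get_user()` is not visible here; whatever it reads presumably comes from the request and should be checked against the known users before it becomes the effective subject. The message `'Reuqest by normal user'` has a typo and is emitted for every non-super request at INFO, so `logging.debug('Request by normal user')` would be both correct and less noisy.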