author | Lars Wirzenius <liw@liw.fi> | 2018-11-16 21:36:04 +0200 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2018-11-16 21:36:04 +0200 |
commit | 6d621d3a51ba68f0a436d5c5b27ace6cb2825f50 (patch) | |
tree | 6817d537d5475ccd3b8d888e20cdc51bd357f33e /muck_poc | |
parent | d30c7d5dac5891ad86a3491e198cb384e466932e (diff) | |
download | muck-poc-6d621d3a51ba68f0a436d5c5b27ace6cb2825f50.tar.gz |
Change: allow super users to impersonate other users
Diffstat (limited to 'muck_poc')
-rwxr-xr-x | muck_poc | 18 |
1 files changed, 17 insertions, 1 deletions
@@ -14,6 +14,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
+import copy
 import json
 import logging
 import os
@@ -83,6 +84,7 @@ class MuckAPI:
 r.add_headers(rr.headers)
 if self._ac.request_is_allowed(r, req_method, [req_scope]):
 claims = self._ac.get_claims_from_token(r)
+ claims = self._claims_as_effective_user(r, claims)
 return callback(claims)
 logging.error('Access denied')
 return bottle.HTTPError(401)
@@ -187,7 +189,8 @@ class MuckAPI:
 return ms[rid]
 def _access_is_allowed(self, meta, claims):
- return claims['sub'] == meta['owner']
+ scopes = claims.get('scope', '').split()
+ return claims['sub'] == meta['owner'] or 'super' in scopes
 def _create_response(self, status, operation, meta, res):
 headers = self._meta_headers(meta)
@@ -201,6 +204,19 @@ class MuckAPI:
 'Muck-Owner': meta['owner'],
 }
+ def _claims_as_effective_user(self, r, claims):
+ scopes = claims.get('scope', '').split()
+ if 'super' in scopes:
+ claims = copy.deepcopy(claims)
+ user = r.get_user()
+ if user:
+ claims['sub'] = user
+ logging.info(
+ 'Pretending to be %s (claims: %r)', claims['sub'], claims)
+ else:
+ logging.info('Reuqest by normal user')
+ return claims
+
 with open(sys.argv[1]) as f:
 config = json.load(f) |
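Review bot: In the `_access_is_allowed` hunk, `'super' in scopes` makes the owner check irrelevant for any super-scoped token, and because `_claims_as_effective_user` deep-copies the claims and only rewrites `sub`, the effective claims still carry `super` in `scope`; a super user impersonating another user therefore still bypasses `meta['owner']` instead of being confined to that user's resources. If impersonation is meant to act *as* the target user, the copied claims should have `super` removed from `scope`, or ownership should be decided on the effective `sub` alone; if the blanket bypass is intended, a comment on `_access_is_allowed` saying so would stop the next reader from assuming impersonation is a restriction. The expression `claims.get('scope', '').split()` is duplicated in both methods; a one-line `_scopes(claims)` helper would keep them in step (and is the single place to handle a non-string `scope`, whose format is not visible here). The enclosing class continues outside the hunk.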
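Review bot: The audit line in `_claims_as_effective_user` never records who is impersonating: `logging.info('Pretending to be %s (claims: %r)', claims['sub'], claims)` runs after `claims['sub']` has been overwritten, so both the `%s` and the `%r` show the target and the real super user's identity is lost from the log. Capture it before the copy, e.g. `actor = claims['sub']` above `claims = copy.deepcopy(claims)`, and log `'User %s acting as %s', actor, user`. The `else` is attached to `if user:`, so `'Reuqest by normal user'` (typo aside) fires for a super user who sent no impersonation target, while a request without the `super` scope logs nothing at all; that message belongs on the outer `if`. `r.get_user()` is also used as the new `sub` without any check visible here — whether the request class validates that value (well-formed, existing user) should be confirmed, since it becomes the identity every later owner check trusts.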