Diffstat (limited to 'muck_poc')
-rwxr-xr-x | muck_poc | 18 |
1 files changed, 17 insertions, 1 deletions
@@ -14,6 +14,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
+import copy
 import json
 import logging
 import os
@@ -83,6 +84,7 @@ class MuckAPI:
 r.add_headers(rr.headers)
 if self._ac.request_is_allowed(r, req_method, [req_scope]):
 claims = self._ac.get_claims_from_token(r)
+ claims = self._claims_as_effective_user(r, claims)
 return callback(claims)
 logging.error('Access denied')
 return bottle.HTTPError(401)
@@ -187,7 +189,8 @@ class MuckAPI:
 return ms[rid]
 def _access_is_allowed(self, meta, claims):
- return claims['sub'] == meta['owner']
+ scopes = claims.get('scope', '').split()
+ return claims['sub'] == meta['owner'] or 'super' in scopes
 def _create_response(self, status, operation, meta, res):
 headers = self._meta_headers(meta)
@@ -201,6 +204,19 @@ class MuckAPI:
 'Muck-Owner': meta['owner'],
 }
+ def _claims_as_effective_user(self, r, claims):
+ scopes = claims.get('scope', '').split()
+ if 'super' in scopes:
+ claims = copy.deepcopy(claims)
+ user = r.get_user()
+ if user:
+ claims['sub'] = user
+ logging.info(
+ 'Pretending to be %s (claims: %r)', claims['sub'], claims)
+ else:
+ logging.info('Reuqest by normal user')
+ return claims
+
 with open(sys.argv[1]) as f:
 config = json.load(f) |
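Review bot: The `'super' in scopes` branch added to `_access_is_allowed` still fires after impersonation, because `_claims_as_effective_user` overwrites only `claims['sub']` and leaves the `scope` claim in the copy. A super token acting as another user therefore passes the ownership check for every resource, not only that user's. If impersonation is meant to narrow the caller to the effective user, remove `super` from the copied scope when `sub` is replaced; if blanket access is intended, a comment such as `# super scope bypasses the ownership check for all resources` would make that explicit. `claims.get('scope', '').split()` also assumes the claim is a space-separated string, which is not established by the visible lines.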
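Review bot: The impersonation log line in `_claims_as_effective_user` is written after `claims['sub'] = user`, so the record names only the impersonated user and the super caller's own `sub` is lost from the audit trail. Capture it before the overwrite, e.g. `actor = claims['sub']` and then `logging.info('%s acting as %s', actor, user)`. Dumping the whole claims dict with `%r` at info level may put more token content in the log than is needed there. Where `r.get_user()` takes its value from is outside the hunk; if it is client-supplied, it presumably needs checking against known users before it becomes `sub`. The message `'Reuqest by normal user'` has a typo (`Request`).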