Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Custom auth types in security_map #1940

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 17 additions & 2 deletions connexion/security.py
Original file line number Diff line number Diff line change
Expand Up @@ -493,11 +493,26 @@ def parse_security_scheme(
security_handler = self.security_handlers["apiKey"]
return security_handler().get_fn(security_scheme, required_scopes)

# Custom security handler
elif (scheme := security_scheme["scheme"].lower()) in self.security_handlers:
elif security_type == "openIdConnect":
if security_type in self.security_handlers:
security_handler = self.security_handlers[security_type]
return security_handler().get_fn(security_scheme, required_scopes)
logger.warning("... No default implementation for openIdConnect")
return None

# Custom security scheme handler
elif (
"scheme" in security_scheme
and (scheme := security_scheme["scheme"].lower()) in self.security_handlers
):
security_handler = self.security_handlers[scheme]
return security_handler().get_fn(security_scheme, required_scopes)

# Custom security type handler
elif security_type in self.security_handlers:
security_handler = self.security_handlers[security_type]
return security_handler().get_fn(security_scheme, required_scopes)

else:
logger.warning(
"... Unsupported security scheme type %s",
Expand Down
87 changes: 87 additions & 0 deletions tests/api/test_secure_api.py
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@
from connexion.exceptions import OAuthProblem
from connexion.security import NO_VALUE, BasicSecurityHandler, OAuthSecurityHandler

from tests.conftest import OPENAPI3_SPEC


class FakeResponse:
def __init__(self, status_code, text):
Expand Down Expand Up @@ -288,3 +290,88 @@ def wrapper(request):
headers={"Authorization": "my_basic dGVzdDp0ZXN0"},
)
assert res.status_code == 200


def test_security_map_custom_type(secure_api_spec_dir):
def generate_token(scopes):
token_segments = [
json.dumps({"alg": "none", "typ": "JWT"}),
json.dumps({"sub": "1234567890", "name": "John Doe", "scopes": scopes}),
"",
]
token = ".".join(
base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")
for s in token_segments
)
return token

class FakeOIDCSecurityHandler(OAuthSecurityHandler):
"""
Uses openIdConnect (not currently directly implemented) as auth type to test custom/unimplemented auth types.
Doesn't attempt to actually implement OIDC
"""

def _get_verify_func(
self, token_info_func, scope_validate_func, required_scopes
):
check_oauth_func = self.check_oauth_func(
token_info_func, scope_validate_func
)

def wrapper(request):
auth_type, token = self.get_auth_header_value(request)
if auth_type != "bearer":
return NO_VALUE

return check_oauth_func(request, token, required_scopes=required_scopes)

return wrapper

def get_tokeninfo_func(self, security_definition: dict):
def wrapper(token):
segments = token.split(".")
body = segments[1]
body += "=" * (-len(body) % 4)
return json.loads(base64.urlsafe_b64decode(body))

return wrapper

security_map = {
"openIdConnect": FakeOIDCSecurityHandler,
}
# api level
app = App(__name__, specification_dir=secure_api_spec_dir)
app.add_api(OPENAPI3_SPEC, security_map=security_map)
app_client = app.test_client()
invalid_token = generate_token(["invalidscope"])
res = app_client.post(
"/v1.0/greeting_oidc",
headers={"Authorization": f"bearer {invalid_token}"},
)
assert res.status_code == 403

valid_token = generate_token(["mytestscope"])
res = app_client.post(
"/v1.0/greeting_oidc",
headers={"Authorization": f"bearer {valid_token}"},
)
assert res.status_code == 200

# app level
app = App(
__name__, specification_dir=secure_api_spec_dir, security_map=security_map
)
app.add_api(OPENAPI3_SPEC)
app_client = app.test_client()

res = app_client.post(
"/v1.0/greeting_oidc",
headers={"Authorization": f"bearer {invalid_token}"},
)
assert res.status_code == 403

res = app_client.post(
"/v1.0/greeting_oidc",
headers={"Authorization": f"bearer {valid_token}"},
)
assert res.status_code == 200
5 changes: 5 additions & 0 deletions tests/fakeapi/hello/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,11 @@ def post_greeting_basic():
return data


def post_greeting_oidc():
data = {"greeting": "Hello oidc"}
return data


def post_greeting3(body, **kwargs):
data = {"greeting": "Hello {name}".format(name=body["name"])}
return data
Expand Down
20 changes: 20 additions & 0 deletions tests/fixtures/secure_api/openapi.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,21 @@ paths:
type: object
security:
- basic: []
'/greeting_oidc':
post:
summary: Generate greeting
description: Generates a greeting message.
operationId: fakeapi.hello.post_greeting_oidc
responses:
'200':
description: greeting response
content:
'*/*':
schema:
type: object
security:
- openIdConnect:
- mytestscope
components:
securitySchemes:
oauth:
Expand All @@ -56,3 +71,8 @@ components:
scheme: basic
description: Basic auth
x-basicInfoFunc: fakeapi.auth.fake_basic_auth

openIdConnect:
type: openIdConnect
description: Fake OIDC auth
openIdConnectUrl: https://oauth.example/.well-known/openid-configuration
Loading