From 0bccdb7cbae967dce96ee39bec54efceee303f47 Mon Sep 17 00:00:00 2001 From: Kevin Burnett <18027+burnettk@users.noreply.github.com> Date: Tue, 18 Jun 2024 18:23:26 +0000 Subject: [PATCH] No auth for metrics (#1757) * config scope * no auth for metrics * Update spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --------- Co-authored-by: burnettk Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: jasquat --- .../spiffworkflow_backend/config/default.py | 2 + .../services/authorization_service.py | 51 ++++++++++--------- 2 files changed, 30 insertions(+), 23 deletions(-) diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py index 1f2306e1d..133071870 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py @@ -244,3 +244,5 @@ config_from_env("SPIFFWORKFLOW_BACKEND_USE_WERKZEUG_MIDDLEWARE_PROXY_FIX", defau config_from_env("SPIFFWORKFLOW_BACKEND_USE_THREADS_FOR_TASK_EXECUTION", default=True) config_from_env("SPIFFWORKFLOW_BACKEND_OPENID_SCOPE", default="openid profile email") + +config_from_env("SPIFFWORKFLOW_BACKEND_USE_AUTH_FOR_METRICS", default=False) diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py index 17390ded8..308d37314 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py @@ -80,28 +80,6 @@ PATH_SEGMENTS_FOR_PERMISSION_ALL = [ {"path": "/task-data", "relevant_permissions": ["read", "update"]}, ] -AUTHENTICATION_EXCLUSION_LIST = [ - "spiffworkflow_backend.routes.authentication_controller.authentication_options", - "spiffworkflow_backend.routes.authentication_controller.login", - "spiffworkflow_backend.routes.authentication_controller.login_api_return", - "spiffworkflow_backend.routes.authentication_controller.login_return", - "spiffworkflow_backend.routes.authentication_controller.login_with_access_token", - "spiffworkflow_backend.routes.authentication_controller.logout", - "spiffworkflow_backend.routes.authentication_controller.logout_return", - "spiffworkflow_backend.routes.debug_controller.test_raise_error", - "spiffworkflow_backend.routes.debug_controller.url_info", - "spiffworkflow_backend.routes.health_controller.status", - "spiffworkflow_backend.routes.service_tasks_controller.authentication_begin", - "spiffworkflow_backend.routes.service_tasks_controller.authentication_callback", - "spiffworkflow_backend.routes.tasks_controller.task_allows_guest", - "spiffworkflow_backend.routes.webhooks_controller.github_webhook_receive", - "spiffworkflow_backend.routes.webhooks_controller.webhook", - # swagger api calls - "connexion.apis.flask_api.console_ui_home", - "connexion.apis.flask_api.console_ui_static_files", - "connexion.apis.flask_api.get_json_spec", -] - # these are api calls that are allowed to generate a public jwt when called PUBLIC_AUTHENTICATION_EXCLUSION_LIST = [ "spiffworkflow_backend.routes.public_controller.form_show", @@ -305,6 +283,33 @@ class AuthorizationService: function_full_path = f"{controller_name}.{api_function_name}" return (function_full_path, module) + @classmethod + def authentication_exclusion_list(cls) -> list: + authentication_exclusion_list = [ + "spiffworkflow_backend.routes.authentication_controller.authentication_options", + "spiffworkflow_backend.routes.authentication_controller.login", + "spiffworkflow_backend.routes.authentication_controller.login_api_return", + "spiffworkflow_backend.routes.authentication_controller.login_return", + "spiffworkflow_backend.routes.authentication_controller.login_with_access_token", + "spiffworkflow_backend.routes.authentication_controller.logout", + "spiffworkflow_backend.routes.authentication_controller.logout_return", + "spiffworkflow_backend.routes.debug_controller.test_raise_error", + "spiffworkflow_backend.routes.debug_controller.url_info", + "spiffworkflow_backend.routes.health_controller.status", + "spiffworkflow_backend.routes.service_tasks_controller.authentication_begin", + "spiffworkflow_backend.routes.service_tasks_controller.authentication_callback", + "spiffworkflow_backend.routes.tasks_controller.task_allows_guest", + "spiffworkflow_backend.routes.webhooks_controller.github_webhook_receive", + "spiffworkflow_backend.routes.webhooks_controller.webhook", + # swagger api calls + "connexion.apis.flask_api.console_ui_home", + "connexion.apis.flask_api.console_ui_static_files", + "connexion.apis.flask_api.get_json_spec", + ] + if not current_app.config["SPIFFWORKFLOW_BACKEND_USE_AUTH_FOR_METRICS"]: + authentication_exclusion_list.append("prometheus_flask_exporter.prometheus_metrics") + return authentication_exclusion_list + @classmethod def should_disable_auth_for_request(cls) -> bool: if request.method == "OPTIONS": @@ -320,7 +325,7 @@ class AuthorizationService: api_function_full_path, module = cls.get_fully_qualified_api_function_from_request() if ( api_function_full_path - and (api_function_full_path in AUTHENTICATION_EXCLUSION_LIST) + and (api_function_full_path in cls.authentication_exclusion_list()) or (module == openid_blueprint or module == scaffold) # don't check permissions for static assets ): return True