No auth for metrics (#1757)

* config scope * no auth for metrics * Update spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --------- Co-authored-by: burnettk <burnettk@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: jasquat <jasquat@users.noreply.github.com>
2024-06-18 18:23:26 +00:00 · 2024-06-18 18:23:26 +00:00 · 0bccdb7cba
parent 538fbf261c
commit 0bccdb7cba
2 changed files with 30 additions and 23 deletions
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@ -244,3 +244,5 @@ config_from_env("SPIFFWORKFLOW_BACKEND_USE_WERKZEUG_MIDDLEWARE_PROXY_FIX", defau
 config_from_env("SPIFFWORKFLOW_BACKEND_USE_THREADS_FOR_TASK_EXECUTION", default=True)

 config_from_env("SPIFFWORKFLOW_BACKEND_OPENID_SCOPE", default="openid profile email")
+
+config_from_env("SPIFFWORKFLOW_BACKEND_USE_AUTH_FOR_METRICS", default=False)
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@ -80,28 +80,6 @@ PATH_SEGMENTS_FOR_PERMISSION_ALL = [
    {"path": "/task-data", "relevant_permissions": ["read", "update"]},
 ]

-AUTHENTICATION_EXCLUSION_LIST = [
-    "spiffworkflow_backend.routes.authentication_controller.authentication_options",
-    "spiffworkflow_backend.routes.authentication_controller.login",
-    "spiffworkflow_backend.routes.authentication_controller.login_api_return",
-    "spiffworkflow_backend.routes.authentication_controller.login_return",
-    "spiffworkflow_backend.routes.authentication_controller.login_with_access_token",
-    "spiffworkflow_backend.routes.authentication_controller.logout",
-    "spiffworkflow_backend.routes.authentication_controller.logout_return",
-    "spiffworkflow_backend.routes.debug_controller.test_raise_error",
-    "spiffworkflow_backend.routes.debug_controller.url_info",
-    "spiffworkflow_backend.routes.health_controller.status",
-    "spiffworkflow_backend.routes.service_tasks_controller.authentication_begin",
-    "spiffworkflow_backend.routes.service_tasks_controller.authentication_callback",
-    "spiffworkflow_backend.routes.tasks_controller.task_allows_guest",
-    "spiffworkflow_backend.routes.webhooks_controller.github_webhook_receive",
-    "spiffworkflow_backend.routes.webhooks_controller.webhook",
-    # swagger api calls
-    "connexion.apis.flask_api.console_ui_home",
-    "connexion.apis.flask_api.console_ui_static_files",
-    "connexion.apis.flask_api.get_json_spec",
-]
-
 # these are api calls that are allowed to generate a public jwt when called
 PUBLIC_AUTHENTICATION_EXCLUSION_LIST = [
    "spiffworkflow_backend.routes.public_controller.form_show",
@ -305,6 +283,33 @@ class AuthorizationService:
            function_full_path = f"{controller_name}.{api_function_name}"
        return (function_full_path, module)

+    @classmethod
+    def authentication_exclusion_list(cls) -> list:
+        authentication_exclusion_list = [
+            "spiffworkflow_backend.routes.authentication_controller.authentication_options",
+            "spiffworkflow_backend.routes.authentication_controller.login",
+            "spiffworkflow_backend.routes.authentication_controller.login_api_return",
+            "spiffworkflow_backend.routes.authentication_controller.login_return",
+            "spiffworkflow_backend.routes.authentication_controller.login_with_access_token",
+            "spiffworkflow_backend.routes.authentication_controller.logout",
+            "spiffworkflow_backend.routes.authentication_controller.logout_return",
+            "spiffworkflow_backend.routes.debug_controller.test_raise_error",
+            "spiffworkflow_backend.routes.debug_controller.url_info",
+            "spiffworkflow_backend.routes.health_controller.status",
+            "spiffworkflow_backend.routes.service_tasks_controller.authentication_begin",
+            "spiffworkflow_backend.routes.service_tasks_controller.authentication_callback",
+            "spiffworkflow_backend.routes.tasks_controller.task_allows_guest",
+            "spiffworkflow_backend.routes.webhooks_controller.github_webhook_receive",
+            "spiffworkflow_backend.routes.webhooks_controller.webhook",
+            # swagger api calls
+            "connexion.apis.flask_api.console_ui_home",
+            "connexion.apis.flask_api.console_ui_static_files",
+            "connexion.apis.flask_api.get_json_spec",
+        ]
+        if not current_app.config["SPIFFWORKFLOW_BACKEND_USE_AUTH_FOR_METRICS"]:
+            authentication_exclusion_list.append("prometheus_flask_exporter.prometheus_metrics")
+        return authentication_exclusion_list
+
    @classmethod
    def should_disable_auth_for_request(cls) -> bool:
        if request.method == "OPTIONS":
@ -320,7 +325,7 @@ class AuthorizationService:
        api_function_full_path, module = cls.get_fully_qualified_api_function_from_request()
        if (
            api_function_full_path
-            and (api_function_full_path in AUTHENTICATION_EXCLUSION_LIST)
+            and (api_function_full_path in cls.authentication_exclusion_list())
            or (module == openid_blueprint or module == scaffold)  # don't check permissions for static assets
        ):
            return True