No auth for metrics (#1757)

* config scope

* no auth for metrics

* Update spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

---------

Co-authored-by: burnettk <burnettk@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: jasquat <jasquat@users.noreply.github.com>
Kevin Burnett 2024-06-18 18:23:26 +00:00 committed by GitHub
parent 538fbf261c
commit 0bccdb7cba
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 30 additions and 23 deletions


@ -244,3 +244,5 @@ config_from_env("SPIFFWORKFLOW_BACKEND_USE_WERKZEUG_MIDDLEWARE_PROXY_FIX", defau
config_from_env("SPIFFWORKFLOW_BACKEND_USE_THREADS_FOR_TASK_EXECUTION", default=True) config_from_env("SPIFFWORKFLOW_BACKEND_USE_THREADS_FOR_TASK_EXECUTION", default=True)
config_from_env("SPIFFWORKFLOW_BACKEND_OPENID_SCOPE", default="openid profile email") config_from_env("SPIFFWORKFLOW_BACKEND_OPENID_SCOPE", default="openid profile email")
config_from_env("SPIFFWORKFLOW_BACKEND_USE_AUTH_FOR_METRICS", default=False)
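Review bot: The new setting defaults to `False`, which (per the authorization_service hunk in this same commit) exempts the Prometheus metrics view from authentication out of the box, and nothing on this line records that consequence for operators. A one-line comment above it would make the exposure explicit: `# when False (the default) the prometheus_flask_exporter metrics view is served without authentication; set True on deployments that must not expose operational metrics unauthenticated`. Whether `config_from_env` parses an env string such as "false" into a real boolean is not visible in this hunk; if it does not, a non-empty env value would be truthy and the flag would behave the opposite of what its name suggests, so that is worth confirming.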


@ -80,28 +80,6 @@ PATH_SEGMENTS_FOR_PERMISSION_ALL = [
{"path": "/task-data", "relevant_permissions": ["read", "update"]}, {"path": "/task-data", "relevant_permissions": ["read", "update"]},
] ]
AUTHENTICATION_EXCLUSION_LIST = [
"spiffworkflow_backend.routes.authentication_controller.authentication_options",
"spiffworkflow_backend.routes.authentication_controller.login",
"spiffworkflow_backend.routes.authentication_controller.login_api_return",
"spiffworkflow_backend.routes.authentication_controller.login_return",
"spiffworkflow_backend.routes.authentication_controller.login_with_access_token",
"spiffworkflow_backend.routes.authentication_controller.logout",
"spiffworkflow_backend.routes.authentication_controller.logout_return",
"spiffworkflow_backend.routes.debug_controller.test_raise_error",
"spiffworkflow_backend.routes.debug_controller.url_info",
"spiffworkflow_backend.routes.health_controller.status",
"spiffworkflow_backend.routes.service_tasks_controller.authentication_begin",
"spiffworkflow_backend.routes.service_tasks_controller.authentication_callback",
"spiffworkflow_backend.routes.tasks_controller.task_allows_guest",
"spiffworkflow_backend.routes.webhooks_controller.github_webhook_receive",
"spiffworkflow_backend.routes.webhooks_controller.webhook",
# swagger api calls
"connexion.apis.flask_api.console_ui_home",
"connexion.apis.flask_api.console_ui_static_files",
"connexion.apis.flask_api.get_json_spec",
]
# these are api calls that are allowed to generate a public jwt when called # these are api calls that are allowed to generate a public jwt when called
PUBLIC_AUTHENTICATION_EXCLUSION_LIST = [ PUBLIC_AUTHENTICATION_EXCLUSION_LIST = [
"spiffworkflow_backend.routes.public_controller.form_show", "spiffworkflow_backend.routes.public_controller.form_show",
@ -305,6 +283,33 @@ class AuthorizationService:
function_full_path = f"{controller_name}.{api_function_name}" function_full_path = f"{controller_name}.{api_function_name}"
return (function_full_path, module) return (function_full_path, module)
@classmethod
def authentication_exclusion_list(cls) -> list:
authentication_exclusion_list = [
"spiffworkflow_backend.routes.authentication_controller.authentication_options",
"spiffworkflow_backend.routes.authentication_controller.login",
"spiffworkflow_backend.routes.authentication_controller.login_api_return",
"spiffworkflow_backend.routes.authentication_controller.login_return",
"spiffworkflow_backend.routes.authentication_controller.login_with_access_token",
"spiffworkflow_backend.routes.authentication_controller.logout",
"spiffworkflow_backend.routes.authentication_controller.logout_return",
"spiffworkflow_backend.routes.debug_controller.test_raise_error",
"spiffworkflow_backend.routes.debug_controller.url_info",
"spiffworkflow_backend.routes.health_controller.status",
"spiffworkflow_backend.routes.service_tasks_controller.authentication_begin",
"spiffworkflow_backend.routes.service_tasks_controller.authentication_callback",
"spiffworkflow_backend.routes.tasks_controller.task_allows_guest",
"spiffworkflow_backend.routes.webhooks_controller.github_webhook_receive",
"spiffworkflow_backend.routes.webhooks_controller.webhook",
# swagger api calls
"connexion.apis.flask_api.console_ui_home",
"connexion.apis.flask_api.console_ui_static_files",
"connexion.apis.flask_api.get_json_spec",
]
if not current_app.config["SPIFFWORKFLOW_BACKEND_USE_AUTH_FOR_METRICS"]:
authentication_exclusion_list.append("prometheus_flask_exporter.prometheus_metrics")
return authentication_exclusion_list
@classmethod @classmethod
def should_disable_auth_for_request(cls) -> bool: def should_disable_auth_for_request(cls) -> bool:
if request.method == "OPTIONS": if request.method == "OPTIONS":
@ -320,7 +325,7 @@ class AuthorizationService:
api_function_full_path, module = cls.get_fully_qualified_api_function_from_request() api_function_full_path, module = cls.get_fully_qualified_api_function_from_request()
if ( if (
api_function_full_path api_function_full_path
and (api_function_full_path in AUTHENTICATION_EXCLUSION_LIST) and (api_function_full_path in cls.authentication_exclusion_list())
or (module == openid_blueprint or module == scaffold) # don't check permissions for static assets or (module == openid_blueprint or module == scaffold) # don't check permissions for static assets
): ):
return True return True
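Review bot: `authentication_exclusion_list` indexes `current_app.config["SPIFFWORKFLOW_BACKEND_USE_AUTH_FOR_METRICS"]` directly, so any app context that does not load the default config (tests, alternate config modules) raises `KeyError` inside `should_disable_auth_for_request`; a fail-closed lookup keeps the request on the authenticated path instead: `if not current_app.config.get("SPIFFWORKFLOW_BACKEND_USE_AUTH_FOR_METRICS", True):`. The method also carries no docstring and is annotated `-> list`; `-> list[str]` matches what it builds, and a short docstring should say that the static entries are the routes callable without a session and that the prometheus entry is appended only when the config flag is false. Whether `"prometheus_flask_exporter.prometheus_metrics"` is the exact value `get_fully_qualified_api_function_from_request` produces for the exporter's view (it builds `f"{controller_name}.{api_function_name}"` on the line just above the new method) is not verifiable from this hunk and deserves a test, since a mismatch would silently leave the endpoint authenticated while the flag claims otherwise. The `should_disable_auth_for_request` body continues outside the hunk.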