diff --git a/Mieter.py b/Mieter.py
index 7803b26..6524c83 100644
--- a/Mieter.py
+++ b/Mieter.py
@@ -1,6 +1,8 @@
 from dbpool import getConnection, getMany, getOne
+from auth import check_scope
-def get_mieters():
+def get_mieters(token_info):
+ check_scope(token_info, [ "mieter/read", "wohnung/read", "objekt/read" ])
 return getMany("""
 SELECT m.id as id,
 o.id as objekt,
@@ -21,7 +23,8 @@ SELECT m.id as id,
 w.id = m.wohnung
 """, [], "Mieter")
-def get_mieter(id=None):
+def get_mieter(id, token_info):
+ check_scope(token_info, [ "mieter/read", "wohnung/read", "objekt/read" ])
 return getOne("""
 SELECT m.id as id,
 o.id as objekt,
diff --git a/Objekte.py b/Objekte.py
index be6ea68..7c779d6 100644
--- a/Objekte.py
+++ b/Objekte.py
@@ -1,8 +1,11 @@
 from dbpool import getConnection, getMany, getOne
+from auth import check_scope
-def get_objekte():
+def get_objekte(token_info):
+ check_scope(token_info, "objekt/read")
 return getMany("SELECT id, shortname, flaeche FROM objekt", [], "Objekt")
-def get_objekt(id=None):
+def get_objekt(id, token_info):
+ check_scope(token_info, "objekt/read")
 return getOne("SELECT id, shortname, flaeche FROM objekt WHERE id = ?", (id,), "Objekt")
diff --git a/Wohnungen.py b/Wohnungen.py
index f4768a8..afd1eb3 100644
--- a/Wohnungen.py
+++ b/Wohnungen.py
@@ -1,6 +1,9 @@
 from dbpool import getConnection, getOne, getMany
+from auth import check_scope
-def get_wohnungen():
+
+def get_wohnungen(token_info):
+ check_scope(token_info, "wohnung/read")
 return getMany("""
 SELECT w.id as id,
 w.objekt as objekt,
@@ -11,7 +14,8 @@ SELECT w.id as id,
 WHERE o.id = w.objekt
 """, [], "Wohnung")
-def get_wohnung(id=None):
+def get_wohnung(id, token_info):
+ check_scope(token_info, [ "wohnung/read", "objekt/read" ])
 return getOne("""
 SELECT w.id as id,
 w.objekt as objekt,
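Review bot: `get_wohnungen` requires only `"wohnung/read"`, while `get_wohnung` in the same file requires `[ "wohnung/read", "objekt/read" ]` for what appears to be the same column set, and the listing's own query joins `objekt` (`WHERE o.id = w.objekt` in the next hunk's context), so a caller lacking `objekt/read` can still read objekt-derived data through the list endpoint. If that is unintended, the check should be `check_scope(token_info, [ "wohnung/read", "objekt/read" ])`; if the narrower scope is deliberate, a one-line comment stating why would stop the next reader from "fixing" it. The same question applies in Mieter.py, where both functions demand three scopes although only `m` and `o` are visible in the SQL shown here — a comment mapping each required scope to the table it protects would make every check auditable without opening the full query. The enclosing functions' query bodies continue outside these hunks.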
@@ -23,7 +27,8 @@ SELECT w.id as id,
 w.id = ?
 """, (id, ), "Wohnung")
-def get_wohnungen_by_objekt(id):
+def get_wohnungen_by_objekt(id, token_info):
+ check_scope(token_info, [ "wohnung/read", "objekt/read" ])
 return getMany("""
 SELECT w.id as id,
 w.objekt as objekt,
diff --git a/ZahlungenForderungen.py b/ZahlungenForderungen.py
index 6660e49..e485e1a 100644
--- a/ZahlungenForderungen.py
+++ b/ZahlungenForderungen.py
@@ -2,8 +2,10 @@ from dbpool import getConnection, getOne, getMany, putOne
 import datetime
 import decimal
 import dateparser
+from auth import check_scope
-def get_zahlungen_by_mieter(mieter_id):
+def get_zahlungen_by_mieter(mieter_id, token_info):
+ check_scope(token_info, "zahlung/read")
 return getMany("""
 SELECT id,
 mieter,
@@ -28,7 +30,8 @@ SELECT id,
 """, [ id ], "Zahlung")
-def get_forderungen_by_mieter(mieter_id):
+def get_forderungen_by_mieter(mieter_id, token_info):
+ check_scope(token_info, "forderung/read")
 return getMany("""
 SELECT id,
 mieter,
@@ -40,7 +43,8 @@ SELECT id,
 WHERE mieter = ?
 """, [ mieter_id ], "Forderung")
-def get_forderung(id):
+def get_forderung(id, token_info):
+ check_scope(token_info, "forderung/read")
 return getOne("""
 SELECT id,
 mieter,
@@ -52,7 +56,8 @@ SELECT id,
 WHERE id = ?
 """, [ id ], "Forderung")
-def get_zahlungforderung_by_mieter_and_year(mieter_id, year):
+def get_zahlungforderung_by_mieter_and_year(mieter_id, year, token_info):
+ check_scope(token_info, [ "forderung/read", "zahlung/read", "mieter/read" ])
 if year == 0:
 year = datetime.datetime.now().year
 start_date = "{}-01-01".format(year)
@@ -72,7 +77,8 @@ WHERE mieter = ? AND datum_soll BETWEEN ? AND ?
 """, [mieter_id, start_date, end_date], "ZahlungForderung")
-def get_saldo_by_mieter_and_year(mieter_id, year):
+def get_saldo_by_mieter_and_year(mieter_id, year, token_info):
+ check_scope(token_info, [ "forderung/read", "zahlung/read", "mieter/read" ])
 if year == 0:
 year = datetime.datetime.now().year
 start_date = "{}-01-01".format(year)
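Review bot: The context line `""", [ id ], "Zahlung")` in the `@@ -28,7 +30,8 @@` hunk closes the `getMany` call of `get_zahlungen_by_mieter(mieter_id, token_info)` (its `def` is in the preceding hunk; the SQL between them is outside the diff), yet it binds `id` rather than `mieter_id` — unless the unseen body assigns `id`, this passes Python's builtin `id` function as the query parameter and the tenant filter never matches as intended. The commit does not touch that line, but since it is now the path a caller with `zahlung/read` reaches, the fix belongs here: `""", [ mieter_id ], "Zahlung")`, matching the sibling `get_forderungen_by_mieter`, which already passes `[ mieter_id ]`. Worth a test that a known `mieter_id` returns its rows, as the current form presumably fails silently with an empty result rather than an error.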
@@ -106,7 +112,8 @@ WHERE mieter = ? AND
 "zahlungen": float(sumZ)
 }
-def put_zahlung(zahlung):
+def put_zahlung(zahlung, token_info):
+ check_scope(token_info, "zahlung/write")
 print("Input of put_zahlung: {} {}".format(type(zahlung), zahlung))
 datum_soll = dateparser.parse(zahlung["datum_soll"], languages=["de"])
 datum_ist = dateparser.parse(zahlung["datum_ist"], languages=["de"])
diff --git a/auth.py b/auth.py
index 7243e77..071b27f 100755
--- a/auth.py
+++ b/auth.py
@@ -1,7 +1,6 @@
 import time
 import connexion
-import six
-from werkzeug.exceptions import Unauthorized
+from werkzeug.exceptions import Unauthorized, Forbidden
 from jose import JWTError, jwt
 import os
@@ -11,10 +10,26 @@ JWT_SECRET = os.environ['JWT_SECRET']
 def decode_token(token):
 try:
- return jwt.decode(token, JWT_SECRET)
+ print("DEBUG decode_token: try to decode")
+ token_info = jwt.decode(token, JWT_SECRET)
+ print("DEBUG decode_token: token_info: {}".format(token_info))
+ return token_info
 except JWTError as e:
- six.raise_from(Unauthorized, e)
+ print("ERROR decode_token: error when decoding token: {}".format(e))
+ raise Unauthorized()
+def check_token(token, key, value):
+ if (key in token) and ((token[key] == value) or (isinstance(token[key], list) and (value in token[key]))):
+ return True
+ print("WARN: check_token: {} -> {} required but not granted".format(key, value))
+ raise Forbidden()
+
+def check_scope(token, value):
+ if isinstance(value, list):
+ for v in value:
+ check_token(token, "x-scope", v)
+ else:
+ check_token(token, "x-scope", value)
 def get_secret(user, token_info) -> str:
 return '''
@@ -23,6 +38,7 @@ def get_secret(user, token_info) -> str:
 '''.format(user=user, token_info=token_info)
+
 def _current_timestamp() -> int:
 return int(time.time())
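Review bot: The context line `print("Input of put_zahlung: {} {}".format(type(zahlung), zahlung))` right after the new scope check still echoes the entire request body to stdout on every write, so tenant payment records end up in process logs with no level to gate them. Since this commit makes `put_zahlung` the first authorization-guarded write path, it is a good moment to replace it with `logging.getLogger(__name__).debug("put_zahlung input: %s", zahlung)` (plus `import logging` at the top of the file), which keeps the diagnostic but lets production run at INFO. The rest of `put_zahlung`'s body continues outside the hunk.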
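Review bot: `print("DEBUG decode_token: token_info: {}".format(token_info))` dumps the full decoded claim set to stdout on every authenticated request with no way to turn it off, so subjects, scopes and any other claims land in the process logs; route it and the new WARN/ERROR prints through `logging.getLogger(__name__)` (`logger.debug("decode_token: token_info: %s", token_info)`, `logger.warning(...)`, `logger.error(...)`) so the level is configurable. `token_info = jwt.decode(token, JWT_SECRET)` is kept without an `algorithms=` argument; as far as I recall python-jose then accepts any algorithm it can verify with the given key, so pinning `algorithms=["HS256"]` (or whichever the issuer actually uses) is the customary hardening and costs one keyword. In `check_token`, `key in token` is evaluated on whatever connexion hands over, so a `None` or non-dict `token_info` raises `TypeError` (a 500) instead of `Unauthorized`/`Forbidden` — a guard such as `if not isinstance(token, dict): raise Unauthorized()` at the top of `check_scope` keeps the failure mode consistent. A docstring on `check_scope` should also state that a list means every listed scope is required (each element goes through `check_token`, which raises on the first miss), since callers in Mieter.py and ZahlungenForderungen.py rely on that AND semantics.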