Add JWT based authentication support (PR #7570)

Pull request opened by the merge tool on behalf of #7570

Author: bartv

changelogs/unreleased/auth-improvements.yml

@@ -0,0 +1,5 @@
+description: Add JWT based authentication support
+change-type: minor
+destination-branches: [master, iso7]
+sections:
+  minor-improvement: Update auth to be able to authenticate against a provided JWT

src/inmanta/data/model.py

@@ -729,6 +729,12 @@ class User(BaseModel):
     auth_method: AuthMethod
 
 
+class CurrentUser(BaseModel):
+    """Information about the current logged in user"""
+
+    username: str
+
+
 class LoginReturn(BaseModel):
     """
     Login information

src/inmanta/protocol/auth.py

@@ -162,7 +162,7 @@ def encode_token(
     return jwt.encode(payload=payload, key=cfg.key, algorithm=cfg.algo)
 
 
-def decode_token(token: str) -> claim_type:
+def decode_token(token: str) -> tuple[claim_type, "AuthJWTConfig"]:
     try:
         # First decode the token without verification
         header = jwt.get_unverified_header(token)
@@ -200,6 +200,7 @@ def decode_token(token: str) -> claim_type:
     try:
         # copy the payload and make sure the type is claim_type
         decoded_payload: MutableMapping[str, str | Sequence[str]] = {}
+        unsupported = []
         for k, v in jwt.decode(token, key, audience=cfg.audience, algorithms=[cfg.algo]).items():
             match v:
                 case str():
@@ -213,19 +214,23 @@ def decode_token(token: str) -> claim_type:
                             )
                     decoded_payload[k] = v
                 case _:
-                    logging.getLogger(__name__).info(
-                        "Only claims of type string or list of strings are supported. %s is filtered out.", k
-                    )
+                    unsupported.append(k)
+
+        if unsupported:
+            logging.getLogger(__name__).debug(
+                "Only claims of type string or list of strings are supported. %s are filtered out.", ", ".join(unsupported)
+            )
 
         ct_key = const.INMANTA_URN + "ct"
-        decoded_payload[ct_key] = [x.strip() for x in str(payload[ct_key]).split(",")]
+        ct_value = str(payload.get(ct_key, "api"))
+        decoded_payload[ct_key] = [x.strip() for x in ct_value.split(",")]
     except Exception as e:
         raise exceptions.Forbidden(*e.args)
 
     if not check_custom_claims(claims=decoded_payload, claim_constraints=cfg.claims):
         raise exceptions.Forbidden("The configured claims constraints did not match. See logs for details.")
 
-    return decoded_payload
+    return decoded_payload, cfg
 
 
 #############################
@@ -325,6 +330,13 @@ def __init__(self, name: str, section: str, config: configparser.SectionProxy) -
         self.keys: dict[str, bytes] = {}
         self._config: configparser.SectionProxy = config
         self.claims: list[ClaimMatch] = []
+
+        self.jwt_username_claim: str = "sub"
+        self.expire: int = 0
+        self.sign: bool = False
+        self.issuer: str = "https://localhost:8888/"
+        self.audience: str
+
         if "algorithm" not in config:
             raise ValueError("algorithm is required in %s section" % self.section)
 
@@ -344,8 +356,6 @@ def validate_generic(self) -> None:
         """
         if "sign" in self._config:
             self.sign = config.is_bool(self._config["sign"])
-        else:
-            self.sign = False
 
         if "client_types" not in self._config:
             raise ValueError("client_types is a required options for %s" % self.section)
@@ -357,13 +367,9 @@ def validate_generic(self) -> None:
 
         if "expire" in self._config:
             self.expire = config.is_int(self._config["expire"])
-        else:
-            self.expire = 0
 
         if "issuer" in self._config:
             self.issuer = config.is_str(self._config["issuer"])
-        else:
-            self.issuer = "https://localhost:8888/"
 
         if "audience" in self._config:
             self.audience = config.is_str(self._config["audience"])
@@ -373,6 +379,11 @@ def validate_generic(self) -> None:
         if "claims" in self._config:
             self.parse_claim_matching(self._config["claims"])
 
+        if "jwt-username-claim" in self._config:
+            if self.sign:
+                raise ValueError(f"auth config {self.section} used for signing cannot use a custom claim.")
+            self.jwt_username_claim = self._config.get("jwt-username-claim")
+
     def parse_claim_matching(self, claim_conf: str) -> None:
         """Parse claim matching expressions"""
         items = re.findall(AUTH_JWT_CLAIM_RE, claim_conf, re.MULTILINE)

src/inmanta/protocol/common.py

@@ -44,6 +44,7 @@
 
 from inmanta import const, execute, types, util
 from inmanta.data.model import BaseModel, DateTimeNormalizerModel
+from inmanta.protocol import auth
 from inmanta.protocol.exceptions import BadRequest, BaseHttpException
 from inmanta.protocol.openapi import model as openapi_model
 from inmanta.stable_api import stable_api
@@ -66,6 +67,21 @@
 HTML_CONTENT_WITH_UTF8_CHARSET = f"{HTML_CONTENT}; {UTF8_CHARSET}"
 
 
+class CallContext:
+    """A context variable that provides more information about the current call context"""
+
+    request_headers: dict[str, str]
+    auth_token: Optional[auth.claim_type]
+    auth_username: Optional[str]
+
+    def __init__(
+        self, request_headers: dict[str, str], auth_token: Optional[auth.claim_type], auth_username: Optional[str]
+    ) -> None:
+        self.request_headers = request_headers
+        self.auth_token = auth_token
+        self.auth_username = auth_username
+
+
 class ArgOption:
     """
     Argument options to transform arguments before dispatch
@@ -574,7 +590,6 @@ def _validate_type_arg(
         :param allow_none_type: If true, allow `None` as the type for this argument
         :param in_url: This argument is passed in the URL
         """
-
         if typing_inspect.is_new_type(arg_type):
             return self._validate_type_arg(
                 arg,
@@ -656,6 +671,8 @@ def _validate_type_arg(
         elif allow_none_type and types.issubclass(arg_type, type(None)):
             # A check for optional arguments
             pass
+        elif issubclass(arg_type, CallContext):
+            raise InvalidMethodDefinition("CallContext should only be defined in the handler, not the method.")
         else:
             valid_types = ", ".join([x.__name__ for x in VALID_SIMPLE_ARG_TYPES])
             raise InvalidMethodDefinition(

src/inmanta/protocol/endpoints.py

@@ -288,7 +288,9 @@ async def dispatch_method(self, transport: client.RESTClient, method_call: commo
             else:
                 body[key] = [v.decode("latin-1") for v in value]
 
-        response: common.Response = await transport._execute_call(kwargs, method_call.method, config, body, method_call.headers)
+        body.update(kwargs)
+
+        response: common.Response = await transport._execute_call(config, body, method_call.headers)
 
         if response.status_code == 500:
             msg = ""

src/inmanta/protocol/methods_v2.py

@@ -1489,6 +1489,14 @@ def list_users() -> list[model.User]:
     :return: A list of all users"""
 
 
+@typedmethod(path="/current_user", operation="GET", client_types=[ClientType.api], api_version=2)
+def get_current_user() -> model.CurrentUser:
+    """Get the current logged in user (based on the provided JWT) and server auth settings
+
+    :raises NotFound: Raised when server authentication is not enabled
+    """
+
+
 @typedmethod(path="/user/<username>", operation="DELETE", client_types=[ClientType.api], api_version=2)
 def delete_user(username: str) -> None:
     """Delete a user from the system with given username.