Source code for twitcher.owssecurity
from pyramid.settings import asbool
from twitcher.interface import OWSSecurityInterface
from twitcher.owsrequest import OWSRequest
from twitcher.utils import get_settings
[docs]class OWSSecurity(OWSSecurityInterface):
[docs] def verify_request(self, request):
"""Verify that the service request is allowed.
This method verifies that the provided credentials are valid.
Depending on the authentication configuration this could be
a client X509 certificate or an OAuth2 token.
"""
ows_request = OWSRequest(request)
if ows_request.service_allowed() is False:
return False
try:
service_name = request.matchdict.get('service_name')
service = request.owsregistry.get_service_by_name(service_name)
except Exception:
return False
if service.get('public', False) is True:
return True
if ows_request.public_access() is True:
return True
if service.get('auth', '') == 'cert':
# Check the verification result of the client certificate.
# Verification is done by nginx.
return request.headers.get('X-Ssl-Client-Verify', '') == 'SUCCESS'
else:
# verify the oauth token for compute scope.
return request.verify_request(scopes=["compute"])
def includeme(config):
from twitcher.adapter import get_adapter_factory
settings = get_settings(config)
security_enabled = asbool(settings.get('twitcher.ows_security', True))
def is_verified(request):
if not security_enabled:
return True
adapter = get_adapter_factory(request)
return adapter.owssecurity_factory().verify_request(request)
config.add_request_method(is_verified, reify=True)