Added support for multiple entitlements granting site access

2025-03-04 13:53:56 +01:00 · 2025-03-04 13:53:56 +01:00 · f43aa53ca8
commit f43aa53ca8
parent ee83905291
2 changed files with 28 additions and 18 deletions
--- a/api/init.py
+++ b/api/init.py
@ -26,10 +26,21 @@ config.read('./config.ini')
 app = Flask(__name__)
 oauth = Oauth(config['oauth'])
 app.wg = WireGuard(config['wireguard'])
-required_entitlement = config.get('security',
-                                  'required_entitlement',
-                                  fallback=None)

+required_entitlement_list = []
+if 'required_entitlement' in config['security']:
+    entitlement_conf = config.get('security', 'required_entitlement')
+    required_entitlement_list = [e.strip() for e
+                                 in entitlement_conf.split(',')]
+
+
+def check_access(user_entitlements):
+    if not required_entitlement_list:
+        return True
+    for e in required_entitlement_list:
+        if e in user_entitlements:
+            return True
+    return False

 def fail(message: str) -> Response:
    response = jsonify({'result': 'failed',
@ -37,6 +48,7 @@ def fail(message: str) -> Response:
    response.status = 400
    return response

+
@app.before_request
 def setup() -> None:
    if request.path in public_paths:
@ -47,19 +59,16 @@ def setup() -> None:
    if not user_info:
        return Response(status=403)

-    if required_entitlement is None \
-       or required_entitlement in user_info['entitlements']:
-        remote_user = user_info['sub']
-        app.wg.set_user(remote_user)
-        return
-
-    response = Response(status=403)
-    response.set_cookie(access_cookie,
-                        'denied',
-                        secure=True,
-                        samesite='Strict')
-    return response
+    if not check_access(user_info['entitlements']):
+        response = Response(status=403)
+        response.set_cookie(access_cookie,
+                            'denied',
+                            secure=True,
+                            samesite='Strict')
+        return response

+    remote_user = user_info['sub']
+    app.wg.set_user(remote_user)

@app.after_request
 def reload(response: Response) -> Response:
--- a/config.ini.example
+++ b/config.ini.example
@ -34,10 +34,11 @@ user_client_limit = 3


 [security]
-# The user entitlement (as read from the oauth token) to require
-# for users who are to be able to use the service.
+# A comma-separated list of entitlements (as read from oauth) that should
+# be required to access the site. Access is granted if the user has any of
+# the listed entitlements.
 # Optional.
-required_entitlement = urn:mace:some:entitilement
+required_entitlement = urn:mace:some:entitlement


 [oauth]