oso.framework.auth namespace

Submodules

oso.framework.auth.common module

Common Authentication Types.

class oso.framework.auth.common.AuthConfig(*, parsers: Sequence[BaseParserConfig] = <factory>)

Bases: AutoLoadConfig, _parsers

Container for parser configs.

parsers

Parser configs, discriminated by type.

Type:

list[BaseParserConfig]

class oso.framework.auth.common.AuthParser(*args, **kwargs)

Bases: Protocol

Required Parser implementation details.

parse(request: Request) → AuthResult

Parse a given request into an AuthResult.

Parameters:

request (flask.Request) – Incoming request.

Returns:

The authentication result.

Return type:

AuthResult

parse_allowlist(allowlist: list[str]) → list[Any]

Parse input allowlist.

Given an allowlist configuration, parse it into a format that RequireAuth() can utilize to raise HTTP 403: Forbidden.

Parameters:

allowlist (list[str]) – Input configuration as a list of strings.

Returns:

A list of allowed users to compare a request’s AuthResult._user to.

Return type:

list[Any]

class oso.framework.auth.common.AuthResult

Bases: TypedDict

Parser’s authentication result.

authorized

Whether an HTTP 401: Unauthorized should be raised.

Type:

bool

errors

A list of errors that may help with debugging.

Type:

list[str]

_user

The authorized user to check against the allowlist, if any.

Type:

Any

class oso.framework.auth.common.BaseParserConfig(*, type: ImportString, allowlist: Annotated[Mapping[str, Sequence[str]], Json])

Bases: ImportableConfig

A parser’s base configuration.

allowlist

A mapping of allowlist keys to allowlist filter values. When loaded from an environment variable, the variable name should be in the format AUTH_name_ALLOWLIST_key and its value should be a JSON object.

Type:

collections.abc.Mapping[str, list[str]]

oso.framework.auth.extension module

Authentication Flask Extension.

class oso.framework.auth.extension.AuthExtension(config: AuthConfig)

Bases: object

Authentication Extension.

An extension to manage authentication states for flask.Flask applications.

NAME

The literal oso-auth.

Type:

str

Parameters:

config (common.AuthConfig) – Configuration with all parsers defined.

init_app(app: Flask) → None

Attach to a flask.Flask application.

Parameters:

app (flask.Flask) – Application.

parse_request_auth() → None

Authenticate a flask.Request with all parsers.

oso.framework.auth.extension.RequireAuth(handler_name: str, allowlist: str, *allowlists: str) → Callable

Mark an endpoint as requiring authentication.

Parameters:
  • handler_name (str) – The AuthParser that is required.

  • *allowlists (list[str]) – The allowlists that are allowed for the endpoint.

Returns:

The wrapped function.

Return type:

typing.Callable

oso.framework.auth.extension.current_auth_ext() → AuthExtension

Get Current Authentication Extension.

Returns:

The current authentication extension registered to the flask.Flask application.

Return type:

AuthExtension

oso.framework.auth.mtls module

mTLS (Mutual Transport Layer Security) Authentication Handler.

oso.framework.auth.mtls.NAME

Constant equal to mtls, the name of this handler.

Type:

str

oso.framework.auth.mtls.HEADER_SSL_VERIFY

Constant equal to the X-SSL-VERIFY header key. This header's value should be set by the TLS terminator; only the value MTLS.SSL_VERIFY_SUCCESS is treated as authorized.

Type:

str

oso.framework.auth.mtls.HEADER_SSL_CERT

Constant equal to the X-SSL-CERT header key. This header's value should be set by the TLS terminator to the URL-encoded client certificate string.

Type:

str

oso.framework.auth.mtls.SSL_VERIFY_SUCCESS

Constant equal to SUCCESS. This is the authorized value.

Type:

str

oso.framework.auth.mtls.SSL_VERIFY_MISSING

Constant equal to FAILED: Header missing from request. This is the value assumed when the header is absent from the request.

Type:

str

oso.framework.auth.mtls.OPENSSH_FINGERPRINT_HEADER

Constant equal to SHA256:, which is the prefix for the OpenSSH fingerprint type.

Type:

str

oso.framework.auth.mtls.MD5_FINGERPRINT_HEADER

Constant equal to MD5:, which is the prefix for the MD5 fingerprint type.

Type:

str

oso.framework.auth.mtls.load_fingerprint(hash: str) → bytes

Load fingerprint.

oso.framework.auth.mtls.parse(request: Request) → dict

Return an AuthResult.

oso.framework.auth.mtls.parse_allowlist(allowlist: list[str]) → list[bytes]

Parse allowlist.

oso.framework.auth.mtls.parse_user_fingerprint(cert: Certificate) → bytes

Calculate the user’s public key fingerprint.

Parameters:

cert (cryptography.x509.Certificate) – The user's public X.509 certificate.

Returns:

The user’s public key fingerprint in OpenSSH format.

Return type:

str

oso.framework.auth.mtls.parse_user_subject(cert: Certificate) → str

Retrieve the certificate's subject line as a string.

Parameters:

cert (cryptography.x509.Certificate) – The user’s public X.509 certificate.

Returns:

The user’s subject line in string format.

Return type:

str
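As an added example (not the oso framework's own code), the following sketches the mtls handler contract documented above end to end: the X-SSL-VERIFY check with SSL_VERIFY_MISSING as the default, allowlist entries in SHA256: and MD5: form normalised to bytes, the OpenSSH-style SHA256 fingerprint, and the 401/403 decision RequireAuth makes from an AuthResult. It assumes the X.509 parsing of X-SSL-CERT has already been done and the certificate's public key is handed over as its SSH key type and raw key bytes; the use of hmac.compare_digest for matching and the function names mtls_parse, openssh_fingerprint and require_auth_status are this example's own.

```python
import base64
import hashlib
import hmac
import struct
from typing import Any, TypedDict

SSL_VERIFY_SUCCESS = "SUCCESS"
SSL_VERIFY_MISSING = "FAILED: Header missing from request"
OPENSSH_FINGERPRINT_HEADER = "SHA256:"
MD5_FINGERPRINT_HEADER = "MD5:"

class AuthResult(TypedDict):
    authorized: bool   # False -> RequireAuth raises HTTP 401
    errors: list[str]
    _user: Any         # compared against the parsed allowlist; no match -> HTTP 403

def load_fingerprint(hash: str) -> bytes:
    """Normalise one allowlist entry to raw digest bytes so both formats compare byte-for-byte."""
    if hash.startswith(OPENSSH_FINGERPRINT_HEADER):
        b64 = hash[len(OPENSSH_FINGERPRINT_HEADER):]
        return base64.b64decode(b64 + "=" * (-len(b64) % 4))  # OpenSSH prints without '=' padding
    if hash.startswith(MD5_FINGERPRINT_HEADER):
        return bytes.fromhex(hash[len(MD5_FINGERPRINT_HEADER):].replace(":", ""))
    raise ValueError(f"unsupported fingerprint format: {hash!r}")

def parse_allowlist(allowlist: list[str]) -> list[bytes]:
    return [load_fingerprint(entry) for entry in allowlist]

def openssh_fingerprint(key_type: str, key_bytes: bytes) -> str:
    """SHA256 over the SSH wire-format public key blob, base64 without padding (as ssh-keygen -l prints)."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", len(key_bytes)) + key_bytes
    return OPENSSH_FINGERPRINT_HEADER + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def mtls_parse(headers: dict[str, str], key_type: str, key_bytes: bytes) -> AuthResult:
    """Decide from the TLS terminator's headers; key_type/key_bytes stand in for the parsed X-SSL-CERT key (assumption)."""
    verify = headers.get("X-SSL-VERIFY", SSL_VERIFY_MISSING)  # an absent header is a failure, never a pass
    if verify != SSL_VERIFY_SUCCESS:
        return {"authorized": False, "errors": [f"X-SSL-VERIFY: {verify}"], "_user": None}
    return {"authorized": True, "errors": [], "_user": load_fingerprint(openssh_fingerprint(key_type, key_bytes))}

def require_auth_status(result: AuthResult, allowed: list[bytes]) -> int:
    """Status RequireAuth would produce: 401 when not authenticated, 403 when not on the allowlist."""
    if not result["authorized"]:
        return 401
    if not any(hmac.compare_digest(result["_user"], fp) for fp in allowed):
        return 403
    return 200
```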