From f30e2ea73c32a2f5e9d8cd807eaa9a79c7c59f5d Mon Sep 17 00:00:00 2001 From: Mark Waddle Date: Fri, 25 Oct 2024 23:03:00 +0000 Subject: [PATCH] Simplify app-id configuration To a single value and provide docs on how to configure with env var --- workbench-service/.env.example | 3 +++ workbench-service/semantic_workbench_service/config.py | 2 +- workbench-service/semantic_workbench_service/middleware.py | 3 +-- workbench-service/tests/conftest.py | 2 +- workbench-service/tests/test_middleware.py | 2 +- 5 files changed, 7 insertions(+), 5 deletions(-) diff --git a/workbench-service/.env.example b/workbench-service/.env.example index 12bc69a2..16eb77de 100644 --- a/workbench-service/.env.example +++ b/workbench-service/.env.example @@ -21,3 +21,6 @@ # AZURE_SPEECH__RESOURCE_ID= AZURE_SPEECH__REGION= + +# Environment variable to override the default Entra App ID +WORKBENCH__AUTH__ALLOWED_APP_ID= diff --git a/workbench-service/semantic_workbench_service/config.py b/workbench-service/semantic_workbench_service/config.py index dc185783..6f615624 100644 --- a/workbench-service/semantic_workbench_service/config.py +++ b/workbench-service/semantic_workbench_service/config.py @@ -23,7 +23,7 @@ def is_secured(self) -> bool: class AuthSettings(BaseSettings): allowed_jwt_algorithms: set[str] = {"RS256"} - allowed_app_ids: set[str] = {"22cb77c3-ca98-4a26-b4db-ac4dcecba690"} + allowed_app_id: str = "22cb77c3-ca98-4a26-b4db-ac4dcecba690" class WebServiceSettings(BaseSettings): diff --git a/workbench-service/semantic_workbench_service/middleware.py b/workbench-service/semantic_workbench_service/middleware.py index b3263937..5f1ed990 100644 --- a/workbench-service/semantic_workbench_service/middleware.py +++ b/workbench-service/semantic_workbench_service/middleware.py @@ -69,7 +69,6 @@ async def _user_principal_from_request(request: Request) -> auth.UserPrincipal | return None allowed_jwt_algorithms = settings.auth.allowed_jwt_algorithms - allowed_app_ids = settings.auth.allowed_app_ids try: algorithm: str = jwt.get_unverified_header(token).get("alg") or "" @@ -102,7 +101,7 @@ async def _user_principal_from_request(request: Request) -> auth.UserPrincipal | if algorithm not in allowed_jwt_algorithms: raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token algorithm") - if app_id not in allowed_app_ids: + if app_id != settings.auth.allowed_app_id: raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid app") return auth.UserPrincipal(user_id=user_id, name=name) diff --git a/workbench-service/tests/conftest.py b/workbench-service/tests/conftest.py index a929dee6..dfdb5b50 100644 --- a/workbench-service/tests/conftest.py +++ b/workbench-service/tests/conftest.py @@ -35,7 +35,7 @@ def create_test_user(monkeypatch: pytest.MonkeyPatch) -> MockUser: # monkeypatch the allowed_jwt_algorithms and app_ids for tests monkeypatch.setattr(settings.auth, "allowed_jwt_algorithms", {test_user.token_algo}) - monkeypatch.setattr(settings.auth, "allowed_app_ids", {test_user.app_id}) + monkeypatch.setattr(settings.auth, "allowed_app_id", test_user.app_id) return test_user diff --git a/workbench-service/tests/test_middleware.py b/workbench-service/tests/test_middleware.py index e035b9cc..7ce20164 100644 --- a/workbench-service/tests/test_middleware.py +++ b/workbench-service/tests/test_middleware.py @@ -41,7 +41,7 @@ async def test_auth_middleware_rejects_disallowed_algo(monkeypatch: pytest.Monke def test_auth_middleware_rejects_disallowed_app_id(monkeypatch: pytest.MonkeyPatch) -> None: algo = "HS256" - monkeypatch.setattr(settings.auth, "allowed_app_ids", {}) + monkeypatch.setattr(settings.auth, "allowed_app_id", "fake-app-id") monkeypatch.setattr(settings.auth, "allowed_jwt_algorithms", {algo}) token = jwt.encode(