Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Simplify app-id configuration #176

Merged
merged 1 commit into from
Oct 25, 2024
Merged

Simplify app-id configuration #176

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions workbench-service/.env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,6 @@
#
AZURE_SPEECH__RESOURCE_ID=<YOUR_RESOURCE_ID>
AZURE_SPEECH__REGION=<YOUR_REGION>

# Environment variable to override the default Entra App ID
WORKBENCH__AUTH__ALLOWED_APP_ID=<YOUR_APP_ID>
2 changes: 1 addition & 1 deletion workbench-service/semantic_workbench_service/config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ def is_secured(self) -> bool:

class AuthSettings(BaseSettings):
allowed_jwt_algorithms: set[str] = {"RS256"}
allowed_app_ids: set[str] = {"22cb77c3-ca98-4a26-b4db-ac4dcecba690"}
allowed_app_id: str = "22cb77c3-ca98-4a26-b4db-ac4dcecba690"


class WebServiceSettings(BaseSettings):
Expand Down
3 changes: 1 addition & 2 deletions workbench-service/semantic_workbench_service/middleware.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,6 @@ async def _user_principal_from_request(request: Request) -> auth.UserPrincipal |
return None

allowed_jwt_algorithms = settings.auth.allowed_jwt_algorithms
allowed_app_ids = settings.auth.allowed_app_ids

try:
algorithm: str = jwt.get_unverified_header(token).get("alg") or ""
Expand Down Expand Up @@ -102,7 +101,7 @@ async def _user_principal_from_request(request: Request) -> auth.UserPrincipal |
if algorithm not in allowed_jwt_algorithms:
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token algorithm")

if app_id not in allowed_app_ids:
if app_id != settings.auth.allowed_app_id:
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid app")

return auth.UserPrincipal(user_id=user_id, name=name)
Expand Down
2 changes: 1 addition & 1 deletion workbench-service/tests/conftest.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ def create_test_user(monkeypatch: pytest.MonkeyPatch) -> MockUser:

# monkeypatch the allowed_jwt_algorithms and app_ids for tests
monkeypatch.setattr(settings.auth, "allowed_jwt_algorithms", {test_user.token_algo})
monkeypatch.setattr(settings.auth, "allowed_app_ids", {test_user.app_id})
monkeypatch.setattr(settings.auth, "allowed_app_id", test_user.app_id)

return test_user

Expand Down
2 changes: 1 addition & 1 deletion workbench-service/tests/test_middleware.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ async def test_auth_middleware_rejects_disallowed_algo(monkeypatch: pytest.Monke
def test_auth_middleware_rejects_disallowed_app_id(monkeypatch: pytest.MonkeyPatch) -> None:
algo = "HS256"

monkeypatch.setattr(settings.auth, "allowed_app_ids", {})
monkeypatch.setattr(settings.auth, "allowed_app_id", "fake-app-id")
monkeypatch.setattr(settings.auth, "allowed_jwt_algorithms", {algo})

token = jwt.encode(
Expand Down