using token for auth on paths

wmo-im · Sep 12, 2023 · 641eaae · 641eaae
1 parent f42e767
commit 641eaae
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 9 deletions.
diff --git a/docs/source/reference/auth.rst b/docs/source/reference/auth.rst
@@ -7,8 +7,23 @@ wis2box provides built in access control for the WAF and API on a topic hierarch
 using the wis2box command line utility. Authentication tokens are only required for topics that have access control
 configured.
 
-Adding Access Control
----------------------
+In addition, wis2box restricts access to the execution of wis2box processes and PUT/POST/DELETE requests to the stations collection.
+
+Access control on paths
+-----------------------
+
+To add a token to the execution of a wis2box process, use the following command:
+
+.. code-block:: bash
+
+    wis2box auth add-token --path processes/wis2box myexecutiontoken
+
+To add a token to PUT/POST/DELETE requests to the stations collection, use the following command:
+
+    wis2box auth add-token --path collections/stations mystationupdatetoken
+
+Adding Access Control on topics
+-------------------------------
 
 All topic hierarchies in wis2box are open by default. A topic becomes closed, with access control applied, the
 first time a token is generated for a topic hierarchy.
@@ -33,8 +48,8 @@ Token credentials can be validated using the wis2box command line utility.
 .. code-block:: bash
 
     wis2box auth show
-    wis2box auth has-access --topic-hierarchy mwi.mwi_met_centre.data.core.weather.surface-based-observations.synop mytoken
-    wis2box auth has-access --topic-hierarchy mwi.mwi_met_centre.data.core.weather.surface-based-observations.synop notmytoken
+    wis2box auth has-access-topic --topic-hierarchy mwi.mwi_met_centre.data.core.weather.surface-based-observations.synop mytoken
+    wis2box auth has-access-topic --topic-hierarchy mwi.mwi_met_centre.data.core.weather.surface-based-observations.synop notmytoken
 
 
 Once a token has been generated, access to any data of that topic in the WAF or API requires token authentication.

diff --git a/wis2box-management/docker/entrypoint.sh b/wis2box-management/docker/entrypoint.sh
@@ -40,10 +40,32 @@ curl https://wmo-im.github.io/wis2-topic-hierarchy/all.json.zip --output /tmp/al
 cd ~/.pywcmp/wis2-topic-hierarchy && unzip -j /tmp/all.json.zip
 
 # wis2box commands
+# TODO: avoid re-creating environment if it already exists
+# TODO: catch errors and avoid bounce in conjuction with restart: always
 wis2box environment create
-wis2box environment show
+wis2box environment show | grep -v "password" | grep -v "PASSWORD"  # avoid printing passwords in logs
 wis2box api setup
 wis2box metadata discovery setup
 wis2box metadata station publish-collection
+
+# Check if the path is restricted and capture the output
+is_restricted=$(wis2box auth is-restricted-path --path processes/wis2box)
+if [ "$is_restricted" = "True" ]; then
+    echo "processes/wis2box execution is restricted"
+else
+    echo "restricting processes/wis2box"
+    # Add the token
+    wis2box auth add-token --path processes/wis2box -y
+fi
+# repeat for collections/stations
+is_restricted=$(wis2box auth is-restricted-path --path collections/stations)
+if [ "$is_restricted" = "True" ]; then
+    echo "collections/stations execution is restricted"
+else
+    echo "restricting collections/stations"
+    # Add the token
+    wis2box auth add-token --path collections/stations -y
+fi
+
 echo "END /entrypoint.sh"
 exec "$@"
diff --git a/wis2box-management/wis2box/auth.py b/wis2box-management/wis2box/auth.py
@@ -112,21 +112,34 @@ def auth():
 @click.command()
 @click.pass_context
 @cli_helpers.OPTION_TOPIC_HIERARCHY
-def is_restricted(ctx, topic_hierarchy):
+def is_restricted_topic(ctx, topic_hierarchy):
     """Check if topic has access control"""
     th, _ = validate_and_load(topic_hierarchy)
     click.echo(not is_resource_open(th.dotpath))
 
+@click.command()
+@click.pass_context
+@click.option('--path', '-p')
+def is_restricted_path(ctx, path):
+    """Check if path has access control"""
+    click.echo(not is_resource_open(path))
 
 @click.command()
 @click.pass_context
 @cli_helpers.OPTION_TOPIC_HIERARCHY
 @click.argument('token')
-def has_access(ctx, topic_hierarchy, token):
+def has_access_topic(ctx, topic_hierarchy, token):
     """Check if a token has access to a topic"""
     th, _ = validate_and_load(topic_hierarchy)
     click.echo(is_token_authorized(th.dotpath, token))
 
+@click.command()
+@click.pass_context
+@click.option('--path', '-p')
+@click.argument('token')
+def has_access_path(ctx, path, token):
+    """Check if a token has access to a path"""
+    click.echo(is_token_authorized(path, token))
 
 @click.command()
 @click.pass_context
@@ -177,5 +190,7 @@ def remove_token(ctx, topic_hierarchy, path, token):
 
 auth.add_command(add_token)
 auth.add_command(remove_token)
-auth.add_command(has_access)
-auth.add_command(is_restricted)
+auth.add_command(has_access_topic)
+auth.add_command(has_access_path)
+auth.add_command(is_restricted_topic)
+auth.add_command(is_restricted_path)