confidant.authnz package¶

Submodules¶

confidant.authnz.errors module¶

exception confidant.authnz.errors.AuthenticationError¶: Bases: Exception

exception confidant.authnz.errors.NotAuthorized¶: Bases: Exception

exception confidant.authnz.errors.TokenVersionError¶: Bases: Exception

exception confidant.authnz.errors.UserUnknownError¶: Bases: Exception

confidant.authnz.rbac module¶

confidant.authnz.rbac.default_acl(*args, **kwargs)¶

Default ACLs for confidant: Allow access to all resource types and actions for users, except for certificate resource_type. Deny access to all resource types and actions for services, except:

resource_type: service actions: metadata, get resource_id: must match logged-in user’s username
resource_type: certificate actions: get resource_id: must match against ACM_PRIVATE_CA_DOMAIN_REGEX setting

for the CA for the CN in the CSR, and for all SAN values in the CSR, and the server_name named group in the regex must match the logged in user’s username.

kwargs (ca): CA used for this get kwargs (san): A list of subject alternative names in the CSR

confidant.authnz.rbac.no_acl(*args, **kwargs)¶: Stub function that always returns true This function is set by settings.py by the variable ACL_MODULE When you’d like to integrate a custom RBAC module, the ACL_MODULE should be repointed from this function to the function that will perform the ACL checks.

confidant.authnz.userauth module¶

class confidant.authnz.userauth.AbstractUserAuthenticator¶

Bases: object

property allowed_email_suffix¶

A whitelisted suffix for email addresses. Loaded from config[‘USER_EMAIL_SUFFIX’].

Returns either a string or None.

property allowed_email_whitelist¶: A whitelist of authorized email addresses or None. Loaded from config[‘USERS_FILE’] as YAML.

abstract property auth_type¶: A string describing the type of authentication used

check_authorization()¶

check_csrf_token()¶

clear_session()¶

current_email()¶

current_first_name()¶

current_last_name()¶

current_user()¶

get_csrf_token()¶

is_authenticated()¶

is_expired()¶

abstract log_in()¶

Perform steps needed to start the SSO login process.

This method must return a Flask response.

Initially this method will probably return a redirect to an external login page for SSO.

This handler MAY also be used to handle login callbacks from the SSO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call set_current_user() to set user data on the session, then redirect to the desired post-login page (e.g. with redirect_to_index()).

On failure, this method should likely return abort(403).

log_out()¶

Perform steps needed to start the SLO (SingleLogOut) process.

This method must return a Flask response.

This handler MAY also be used to handle logout callbacks from the SSO/SLO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call clear_session(), then redirect to the desired post-logout page (e.g. with redirect_to_goodbye()).

passes_email_suffix(email)¶

passes_email_whitelist(email)¶

redirect_to_goodbye()¶

redirect_to_index()¶

set_csrf_token(resp)¶

set_current_user(email, first_name=None, last_name=None)¶

set_expiration()¶

class confidant.authnz.userauth.GoogleOauthAuthenticator¶

Bases: confidant.authnz.userauth.AbstractUserAuthenticator

User authenticator class implementing Google OAuth.

property auth_type¶: A string describing the type of authentication used

log_in()¶

Perform steps needed to start the SSO login process.

This method must return a Flask response.

Initially this method will probably return a redirect to an external login page for SSO.

This handler MAY also be used to handle login callbacks from the SSO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call set_current_user() to set user data on the session, then redirect to the desired post-login page (e.g. with redirect_to_index()).

On failure, this method should likely return abort(403).

class confidant.authnz.userauth.HeaderAuthenticator¶

Bases: confidant.authnz.userauth.AbstractUserAuthenticator

User authenticator that pulls user information from HTTP headers. Note that this assumes we’re running behind some form of load-balancer or reverse proxy that performs the authentication, and that simply being able to make requests to this service implies that the user is authenticated.

assert_headers()¶: Asserts that the current request contains the appropriate headers.

property auth_type¶: A string describing the type of authentication used

check_authorization()¶: Header users are always authorized

current_user()¶

is_authenticated()¶: Any user that is able to make requests is authenticated

is_expired()¶: Sessions are not managed here and do not expire

log_in()¶

Perform steps needed to start the SSO login process.

This method must return a Flask response.

Initially this method will probably return a redirect to an external login page for SSO.

This handler MAY also be used to handle login callbacks from the SSO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call set_current_user() to set user data on the session, then redirect to the desired post-login page (e.g. with redirect_to_index()).

On failure, this method should likely return abort(403).

class confidant.authnz.userauth.NullUserAuthenticator¶

Bases: confidant.authnz.userauth.AbstractUserAuthenticator

Fake user authenticator class that performs no authentication.

property auth_type¶: A string describing the type of authentication used

check_authorization()¶: Null users are always authorized

current_user()¶

is_authenticated()¶: Null users are always authenticated

is_expired()¶: Null users are never expired

log_in()¶

Perform steps needed to start the SSO login process.

This method must return a Flask response.

Initially this method will probably return a redirect to an external login page for SSO.

This handler MAY also be used to handle login callbacks from the SSO provider, or you can define a separate route for this. Regardless, the code that implements the callback should call set_current_user() to set user data on the session, then redirect to the desired post-login page (e.g. with redirect_to_index()).

On failure, this method should likely return abort(403).

class confidant.authnz.userauth.SamlAuthenticator¶

Bases: confidant.authnz.userauth.AbstractUserAuthenticator

User authenticator class implementing SAML.

property auth_type¶: A string describing the type of authentication used

consume_saml_assertion()¶: This method is called in routes implementing a SAML attribute consumer service, which receives POST callbacks from the IdP after the user has authenticated.

generate_metadata()¶: Generate SAML metadata XML describing the service endpoints.

log_in()¶

SAML log-in redirect.

This method initiates the SAML authentication process by directing the browser to forward along an AuthNRequest to the IdP.

A separate method handles the post-authentication callback, which will hit /v1/saml/consume, processed by consume_saml_assertion().

log_out()¶: Initiate SAML SLO redirect.

log_out_callback(clear_session_on_errors=True)¶

Callback for SAML logout requests.

Request must have a SAMLResponse GET parameter.

On failure, renders error JSON. On success, redirects to /goodbye.

login_redirect_url(return_to='/', auth=None)¶

confidant.authnz.userauth.init_user_auth_class(*args, **kwargs)¶

Module contents¶

confidant.authnz.account_for_key_alias(key_alias)¶

confidant.authnz.get_logged_in_user()¶: Retrieve logged-in user’s email that is stored in cache

confidant.authnz.log_in()¶

confidant.authnz.redirect_to_logout_if_no_auth(f)¶: Decorator for redirecting users to the logout page when they are not authenticated.

confidant.authnz.require_auth(f)¶

confidant.authnz.require_csrf_token(f)¶

confidant.authnz.require_logout_for_goodbye(f)¶

confidant.authnz.service_in_account(account)¶

confidant.authnz.user_is_service(service)¶

confidant.authnz.user_is_user_type(user_type)¶