omnibot.authnz package

Submodules

omnibot.authnz.envoy_checks module
omnibot.authnz.envoy_checks.envoy_internal_check(header='x-envoy-internal')

    Perform a check to ensure that the x-envoy-internal header is set to 'true'. By default this check applies to all routes, if enabled. It is possible to disable this check on a per-route basis in the permissions section of the authorization config, by setting internal_only: false in the relevant permissions section:

        authorization:
          permissions:
            slack_api:
              methods:
                - "POST"
              paths:
                - "/api/v1/slack/event"
                - "/api/v1/slack/slash_command"
                - "/api/v1/slack/interactive"
              # Do not require x-envoy-internal check for this set of paths
              internal_only: false
omnibot.authnz.envoy_checks.envoy_permissions_check(header='x-envoy-downstream-service-cluster')

    Perform a check against the defined permissions and bindings in the authorization configuration to ensure the service named in the x-envoy-downstream-service-cluster header is allowed to access the path and method in the current request context. By default, if this check is enabled, all routes are denied access unless a service defined in the bindings has permissions with a matching method and path.

    For example, the following configuration allows POST calls from a service named envoy to a set of endpoints used to accept events from Slack. It also allows a service whose name starts with echobot to post into the testteam workspace as the echobot Slack app:

        authorization:
          permissions:
            slack_api:
              methods:
                - "POST"
              paths:
                - "/api/v1/slack/event"
                - "/api/v1/slack/slash_command"
                - "/api/v1/slack/interactive"
              # Do not require x-envoy-internal check for this set of paths
              # see (envoy_internal_check)
              internal_only: false
            echobot_slack_action:
              methods:
                - "POST"
              paths:
                - "/api/v2/slack/action/testteam/echobot"
          bindings:
            "envoy":
              - "slack_api"
            "echobot.*":
              - "echobot_slack_action"
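The following is an added illustration of how the two checks above evaluate a request against this configuration; it is not omnibot's own code. It assumes binding names and paths are anchored regular expressions (as the "echobot.*" and ".*" path examples suggest) and embeds the YAML above as a constructed Python dict.

```python
import re

# Constructed config mirroring the YAML example above (a dict, so no PyYAML needed).
AUTHORIZATION = {
    "permissions": {
        "slack_api": {
            "methods": ["POST"],
            "paths": ["/api/v1/slack/event", "/api/v1/slack/slash_command",
                      "/api/v1/slack/interactive"],
            "internal_only": False,  # reachable without x-envoy-internal
        },
        "echobot_slack_action": {
            "methods": ["POST"],
            "paths": ["/api/v2/slack/action/testteam/echobot"],
        },
    },
    "bindings": {"envoy": ["slack_api"], "echobot.*": ["echobot_slack_action"]},
}


def _matches(patterns, value):
    # Assumption: binding names and paths are anchored regexes, as the
    # "echobot.*" and "/api/v1/slack/get_team/.*" examples suggest.
    return any(re.fullmatch(p, value) for p in patterns)


def envoy_internal_check(authz, headers, path, header="x-envoy-internal"):
    """Pass if the request arrived on the internal listener, or if a
    permission covering this path opted out with internal_only: false."""
    if headers.get(header) == "true":
        return True
    return any(perm.get("internal_only", True) is False
               and _matches(perm.get("paths", []), path)
               for perm in authz["permissions"].values())


def envoy_permissions_check(authz, headers, method, path,
                            header="x-envoy-downstream-service-cluster"):
    """Deny by default; allow only when a binding matching the downstream
    service names a permission whose method and path both match."""
    service = headers.get(header, "")
    for binding, perm_names in authz.get("bindings", {}).items():
        if not re.fullmatch(binding, service):
            continue
        for name in perm_names:
            perm = authz["permissions"].get(name, {})
            if method in perm.get("methods", []) and _matches(perm.get("paths", []), path):
                return True
    return False
```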
Module contents

Authentication and authorization module for omnibot. This module applies checks defined in the authorization section of the configuration. See the documentation on checks:

    omnibot.authnz:enforce_checks()

Also see the documentation for the built-in checks:

    omnibot.authnz.envoy_checks:envoy_internal_check()
    omnibot.authnz.envoy_checks:envoy_permissions_check()
omnibot.authnz.allowed_paths(paths)

    Perform a check against the paths configured for this function, to ensure we only allow basic access to the paths if they are explicitly defined. For example:

        authorization:
          checks:
            - module: "omnibot.authnz:allowed_paths"
              kwargs:
                paths:
                  - "/api/v1/slack/event"
                  - "/api/v1/slack/slash_command"
                  - "/api/v1/slack/interactive"
                  - "/api/v1/slack/get_team/.*"
omnibot.authnz.enforce_checks(f)

    Enforce a list of checks, defined in the authorization configuration. For example, the following configuration would enforce two checks, one of which passes a kwarg into a check:

        authorization:
          checks:
            - module: "omnibot.authnz.envoy_checks:envoy_internal_check"
              kwargs:
                header: 'x-nginx-internal'
            - module: "omnibot.authnz.envoy_checks:envoy_permissions_check"

    Checks are executed in the order defined by the list. All checks must pass for a request to be accepted.