omnibot.authnz package

Submodules

omnibot.authnz.envoy_checks module

omnibot.authnz.envoy_checks.envoy_internal_check(header='x-envoy-internal')

Perform a check to ensure that the header named by header (x-envoy-internal by default) is set to ‘true’. If enabled, this check applies to all routes by default. It can be disabled on a per-route basis in the permissions section of the authorization config by setting internal_only: false on the permission entry that covers the route:

authorization:
  permissions:
    slack_api:
      methods:
        - "POST"
      paths:
        - "/api/v1/slack/event"
        - "/api/v1/slack/slash_command"
        - "/api/v1/slack/interactive"
      # Do not require x-envoy-internal check for this set of paths
      internal_only: false
omnibot.authnz.envoy_checks.envoy_permissions_check(header='x-envoy-downstream-service-cluster')

Perform a check against the permissions and bindings defined in the authorization configuration to ensure that the service named in the x-envoy-downstream-service-cluster header is allowed to access the path and method of the current request. If this check is enabled, every route is denied by default: a request is accepted only when a binding for the calling service grants a permission whose methods and paths match the request.

For example, the following configuration allows POST calls from a service named envoy to the set of endpoints used to accept events from Slack. It also allows any service whose name begins with echobot (the binding key echobot.* is a pattern, not a literal name) to post into the testteam workspace as the echobot Slack app:

authorization:
  permissions:
    slack_api:
      methods:
        - "POST"
      paths:
        - "/api/v1/slack/event"
        - "/api/v1/slack/slash_command"
        - "/api/v1/slack/interactive"
      # Do not require x-envoy-internal check for this set of paths
      # see (envoy_internal_check)
      internal_only: false
    echobot_slack_action:
      methods:
        - "POST"
      paths:
        - "/api/v2/slack/action/testteam/echobot"
  bindings:
    "envoy":
      - "slack_api"
    "echobot.*":
      - "echobot_slack_action"
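
The two Envoy checks above, evaluated against the example configuration. This is an added illustration written for this page, not omnibot's own implementation. It assumes that binding keys and paths are regular expressions matched over the whole string, that the calling service is read from the x-envoy-downstream-service-cluster header, and that a route is opted out of the internal check when a permission covering its method and path sets internal_only: false.

```python
import re

# The authorization section from the example above, as a Python dict so this
# runs without a YAML parser (constructed for this example).
AUTHZ_CONFIG = {
    "permissions": {
        "slack_api": {
            "methods": ["POST"],
            "paths": [
                "/api/v1/slack/event",
                "/api/v1/slack/slash_command",
                "/api/v1/slack/interactive",
            ],
            "internal_only": False,
        },
        "echobot_slack_action": {
            "methods": ["POST"],
            "paths": ["/api/v2/slack/action/testteam/echobot"],
        },
    },
    "bindings": {
        "envoy": ["slack_api"],
        "echobot.*": ["echobot_slack_action"],
    },
}


def _matches(pattern, value):
    # Assumption: binding keys and paths are regular expressions. fullmatch
    # anchors both ends, so "/api/v1/slack/event" does not also admit
    # "/api/v1/slack/eventual", and "echobot.*" does not admit "notechobot".
    return re.fullmatch(pattern, value) is not None


def _header(headers, name):
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}.get(name.lower(), "")


def matching_permissions(config, method, path):
    """Names of the permissions whose methods and paths cover this request."""
    names = []
    for name, perm in config.get("permissions", {}).items():
        if method.upper() not in {m.upper() for m in perm.get("methods", [])}:
            continue
        if any(_matches(p, path) for p in perm.get("paths", [])):
            names.append(name)
    return names


def permissions_check(config, headers, method, path,
                      header="x-envoy-downstream-service-cluster"):
    """Deny by default; allow only if a binding matching the calling service
    grants a permission that covers the request's method and path."""
    service = _header(headers, header)
    if not service:
        return False
    granted = set()
    for pattern, perms in config.get("bindings", {}).items():
        if _matches(pattern, service):
            granted.update(perms)
    return any(name in granted for name in matching_permissions(config, method, path))


def internal_check(config, headers, method, path, header="x-envoy-internal"):
    """Require the header to be "true" unless a permission covering this route
    sets internal_only: false (assumed to be how the per-route opt-out resolves)."""
    for name in matching_permissions(config, method, path):
        if config["permissions"][name].get("internal_only", True) is False:
            return True
    return _header(headers, header).lower() == "true"
```

Both checks are only as trustworthy as the headers they read. Envoy sets x-envoy-internal and x-envoy-downstream-service-cluster on the requests it proxies; if the application port is reachable without passing through Envoy, a caller can supply those headers itself and satisfy both checks, so the network path to the service has to be restricted as well.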

Module contents

Authentication and authorization module for omnibot. This module applies checks defined in the authorization section of the configuration. See the documentation on checks:

  • omnibot.authnz:enforce_checks()

Also see the documentation for the built-in checks:

  • omnibot.authnz.envoy_checks:envoy_internal_check()

  • omnibot.authnz.envoy_checks:envoy_permissions_check()

omnibot.authnz.allowed_paths(paths)

Perform a check against the paths configured for this check via its kwargs, so that a request is allowed only if its path matches one of the explicitly listed paths (entries such as /api/v1/slack/get_team/.* are patterns rather than literal paths). For example:

authorization:
  checks:
    - module: "omnibot.authnz:allowed_paths"
      kwargs:
        paths:
          - "/api/v1/slack/event"
          - "/api/v1/slack/slash_command"
          - "/api/v1/slack/interactive"
          - "/api/v1/slack/get_team/.*"
omnibot.authnz.enforce_checks(f)

Enforce a list of checks, defined in the authorization configuration.

For example, the following configuration would enforce two checks, one of which passes a kwarg into a check:

authorization:
  checks:
    - module: "omnibot.authnz.envoy_checks:envoy_internal_check"
      kwargs:
        header: 'x-nginx-internal'
    - module: "omnibot.authnz.envoy_checks:envoy_permissions_check"

Checks will be executed in the order defined by the list. All checks must pass for a request to be accepted.
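
To show how enforce_checks and the allowed_paths check above fit together, the following is an added example, not code from omnibot: a loader that resolves "module:function" specs with importlib, runs the checks in the configured order and stops at the first failure. The two checks it loads are stand-ins defined in the same file, so their specs point at this module rather than at omnibot.authnz, and the assumption that a check receives a request dict plus the configured kwargs and returns True to pass is this example's, not the project's.

```python
import importlib
import re

# Two stand-in checks defined in this module so the loader below can resolve
# them by "module:function" spec; they are not omnibot's own code.
# Assumption: a check takes the request context (here a plain dict with
# "headers" and "path") plus the configured kwargs and returns True to pass.

def envoy_internal_check(request, header="x-envoy-internal"):
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    return headers.get(header.lower(), "").lower() == "true"


def allowed_paths(request, paths):
    # Anchored regex match: "/api/v1/slack/get_team/.*" covers its subtree,
    # while "/api/v1/slack/event" does not also admit "/api/v1/slack/eventual".
    return any(re.fullmatch(p, request.get("path", "")) for p in paths)


def load_check(spec):
    """Resolve "package.module:function" to a callable; raise if it cannot be found."""
    module_name, sep, func_name = spec.partition(":")
    if not sep or not module_name or not func_name:
        raise ValueError(f"check spec must look like 'module:function', got {spec!r}")
    if module_name == __name__:
        func = globals().get(func_name)  # this file, whether imported or run directly
    else:
        func = getattr(importlib.import_module(module_name), func_name, None)
    if not callable(func):
        raise ValueError(f"{spec!r} does not name a callable")
    return func


def enforce_checks(checks_config, request):
    """Run the configured checks in list order and stop at the first failure.

    Returns (allowed, failed_spec). Fails closed: no checks configured, an
    unresolvable spec, or a check that raises all deny the request. That is a
    choice made for this example, not a statement about omnibot's behaviour.
    """
    if not checks_config:
        return False, "<no checks configured>"
    for entry in checks_config:
        spec = entry.get("module", "")
        try:
            check = load_check(spec)
            passed = bool(check(request, **entry.get("kwargs", {})))
        except Exception:
            # A typo in a module spec or a crashing check must deny, never fall through.
            passed = False
        if not passed:
            return False, spec
    return True, None


# The checks list from the example above, pointing at this module instead of
# omnibot.authnz.envoy_checks so it resolves when run stand-alone.
EXAMPLE_CHECKS = [
    {"module": f"{__name__}:envoy_internal_check",
     "kwargs": {"header": "x-nginx-internal"}},
    {"module": f"{__name__}:allowed_paths",
     "kwargs": {"paths": ["/api/v1/slack/event", "/api/v1/slack/get_team/.*"]}},
]
```

Order matters in two ways: a failing first check means later checks never run, so the cheapest and most discriminating check belongs first, and the spec returned on failure tells an operator which entry in the list rejected the request.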