Protect ASAB API

asab/api/log.py

@@ -6,12 +6,13 @@
 
 from ..web.rest.json import json_response
 from ..log import LOG_NOTICE
-from ..web.auth import noauth
+from ..web.auth import require
 from ..web.tenant import allow_no_tenant
 
 ##
 
 L = logging.getLogger(__name__)
+LOG_ACCESS_RESOURCE_ID = "asab:service:access"
 
 ##
 
@@ -86,7 +87,7 @@ def emit(self, record):
 			asyncio.ensure_future(self._send_ws(log_entry))
 
 
-	@noauth
+	@require(LOG_ACCESS_RESOURCE_ID)
 	@allow_no_tenant
 	async def get_logs(self, request):
 		"""
@@ -137,7 +138,7 @@ async def get_logs(self, request):
 		return json_response(request, self.Buffer)
 
 
-	@noauth
+	@require(LOG_ACCESS_RESOURCE_ID)
 	@allow_no_tenant
 	async def ws(self, request):
 		'''

asab/api/web_handler.py

@@ -4,7 +4,7 @@
 
 from .. import Config
 from ..web.rest import json_response
-from ..web.auth import noauth
+from ..web.auth import noauth, require_superuser
 from ..web.tenant import allow_no_tenant
 
 
@@ -15,8 +15,8 @@ def __init__(self, api_svc, webapp, log_handler):
 		self.ApiService = api_svc
 
 		# Add routes
-		webapp.router.add_get("/asab/v1/environ", self.environ)
-		webapp.router.add_get("/asab/v1/config", self.config)
+		# webapp.router.add_get("/asab/v1/environ", self.environ)  # Disabled for security reasons
+		# webapp.router.add_get("/asab/v1/config", self.config)  # Disabled for security reasons
 
 		webapp.router.add_get("/asab/v1/logs", log_handler.get_logs)
 		webapp.router.add_get("/asab/v1/logws", log_handler.ws)
@@ -78,7 +78,7 @@ async def manifest(self, request):
 		return json_response(request, self.ApiService.Manifest)
 
 
-	@noauth
+	@require_superuser
 	@allow_no_tenant
 	async def environ(self, request):
 		"""
@@ -110,7 +110,7 @@ async def environ(self, request):
 		return json_response(request, dict(os.environ))
 
 
-	@noauth
+	@require_superuser
 	@allow_no_tenant
 	async def config(self, request):
 		"""

asab/metrics/web_handler.py

@@ -16,6 +16,7 @@ def __init__(self, metrics_svc, webapp):
 		self.App = self.MetricsService.App
 
 		# Add routes
+		# TODO: Add access control (asab:service:access). Test with Prometheus first.
 		webapp.router.add_get("/asab/v1/metrics", self.metrics)
 		webapp.router.add_get("/asab/v1/watch_metrics", self.watch)
 		webapp.router.add_get("/asab/v1/metrics.json", self.metrics_json)

asab/web/auth/__init__.py

@@ -1,10 +1,11 @@
-from .decorator import require, noauth
+from .decorator import require, require_superuser, noauth
 from .service import AuthService
 from .authorization import Authorization
 
 __all__ = (
 	"AuthService",
 	"Authorization",
 	"require",
+	"require_superuser",
 	"noauth",
 )

asab/web/auth/decorator.py

@@ -46,6 +46,33 @@ async def _require_resource_access_wrapper(*args, **kwargs):
 	return _require_resource_access_decorator
 
 
+def require_superuser(handler):
+	"""
+	Require that the request have authorized access to the superuser resource.
+	Requests without superuser access result in AccessDeniedError and consequently in an HTTP 403 response.
+
+	Examples:
+
+	```python
+	@asab.web.auth.require_superuser
+	async def get_confidential_info(self, request):
+		data = await self.service.get_confidential_info()
+		return asab.web.rest.json_response(request, data)
+	```
+	"""
+	@functools.wraps(handler)
+	async def _require_superuser_access_wrapper(*args, **kwargs):
+		authz = Authz.get()
+		if authz is None:
+			raise AccessDeniedError()
+
+		authz.require_superuser_access()
+
+		return await handler(*args, **kwargs)
+
+	return _require_superuser_access_wrapper
+
+
 def noauth(handler):
 	"""
 	Exempt the decorated handler from authentication and authorization.