chore: set up authz middleware

bento-platform · Oct 16, 2023 · 8ed9d26 · 8ed9d26
1 parent e6db026
commit 8ed9d26
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 8 deletions.
diff --git a/chord_metadata_service/metadata/authz.py b/chord_metadata_service/metadata/authz.py
@@ -0,0 +1,17 @@
+from bento_lib.auth.middleware.django import DjangoAuthMiddleware
+from django.conf import settings
+
+from ..logger import logger
+
+__all__ = [
+    "authz_middleware",
+]
+
+authz_middleware = DjangoAuthMiddleware(
+    bento_authz_service_url=settings.BENTO_AUTHZ_SERVICE_URL,
+    debug_mode=settings.DEBUG,
+    enabled=settings.BENTO_AUTHZ_ENABLED,
+    logger=logger,
+)
+
+AuthzMiddleware = authz_middleware.make_django_middleware()
diff --git a/chord_metadata_service/metadata/settings.py b/chord_metadata_service/metadata/settings.py
@@ -45,13 +45,18 @@
 LOG_LEVEL = os.environ.get("KATSU_LOG_LEVEL", "DEBUG" if DEBUG else "INFO").upper()
 
 
-# CHORD-specific settings
+# Bento-specific settings
 
-CHORD_URL = os.environ.get("CHORD_URL")  # Leave None if not specified, for running in other contexts
-
-# SECURITY WARNING: Don't run with CHORD_PERMISSIONS turned off in production,
+# SECURITY WARNING: Don't run with AUTHZ_ENABLED turned off in production,
 # unless an alternative permissions system is in place.
-CHORD_PERMISSIONS = os.environ.get("CHORD_PERMISSIONS", str(not DEBUG)).lower() == "true"
+#  - This needs to be here to avoid a circular import with settings.py
+BENTO_AUTHZ_ENABLED: bool = os.environ.get("BENTO_AUTHZ_ENABLED", "true").strip().lower() == "true"
+
+BENTO_AUTHZ_SERVICE_URL: str = (
+    os.environ.get("BENTO_AUTHZ_SERVICE_URL").strip().rstrip("/") if BENTO_AUTHZ_ENABLED else ""
+)
+
+CHORD_URL = os.environ.get("CHORD_URL")  # Leave None if not specified, for running in other contexts
 
 CHORD_SERVICE_ARTIFACT = "metadata"
 # NOTE: LEAVE CHORD UNLESS YOU WANT A BUNCH OF BROKEN TABLES... vvv
@@ -65,9 +70,6 @@
 CHORD_SERVICE_ID = os.environ.get("SERVICE_ID", CHORD_SERVICE_TYPE_NO_VER)
 BENTO_SERVICE_KIND = "metadata"
 
-# SECURITY WARNING: don't run with AUTH_OVERRIDE turned on in production!
-AUTH_OVERRIDE = not CHORD_PERMISSIONS
-
 # When Katsu is hosted on a subpath (e.g. http://myportal.com/api/katsu), this
 # parameter is used by Django to compute correct URLs in templates (for example
 # in DRF API discovery pages, or swagger UI)
@@ -145,6 +147,9 @@
     'rest_framework',
     'adrf',
     'drf_spectacular',
+
+    # Keep authz middleware last!
+    'chord_metadata_service.metadata.authz.AuthzMiddleware'
 ]
 
 MIDDLEWARE = [