Merge pull request #2 from Zxilly/master

feat: early implement of fastapi-authz

Author: hsluoyz

.gitignore

@@ -127,3 +127,7 @@ dmypy.json
 
 # Pyre type checker
 .pyre/
+
+.idea/
+
+test/

dev-requirements.in

@@ -0,0 +1,11 @@
+fastapi
+casbin
+pytest
+pip-tools
+pytest-cov
+coverage
+pypi-publisher
+bumpversion
+uvicorn
+starlette-auth-toolkit
+requests

dev-requirements.txt

@@ -0,0 +1,85 @@
+#
+# This file is autogenerated by pip-compile
+# To update, run:
+#
+#    pip-compile dev-requirements.in
+#
+--index-url https://mirrors.aliyun.com/pypi/simple/
+
+atomicwrites==1.4.0
+    # via pytest
+attrs==20.3.0
+    # via pytest
+bump2version==1.0.1
+    # via bumpversion
+bumpversion==0.6.0
+    # via -r dev-requirements.in
+casbin==0.18.1
+    # via -r dev-requirements.in
+certifi==2020.12.5
+    # via requests
+chardet==4.0.0
+    # via requests
+click==7.1.2
+    # via
+    #   pip-tools
+    #   uvicorn
+colorama==0.4.4
+    # via pytest
+coverage==5.4
+    # via
+    #   -r dev-requirements.in
+    #   pytest-cov
+fastapi==0.63.0
+    # via -r dev-requirements.in
+gitdb==4.0.5
+    # via gitpython
+gitpython==0.3.6
+    # via pypi-publisher
+h11==0.12.0
+    # via uvicorn
+idna==2.10
+    # via requests
+iniconfig==1.1.1
+    # via pytest
+packaging==20.9
+    # via pytest
+pip-tools==5.5.0
+    # via -r dev-requirements.in
+pluggy==0.13.1
+    # via pytest
+py==1.10.0
+    # via pytest
+pydantic==1.7.3
+    # via fastapi
+pyparsing==2.4.7
+    # via packaging
+pypi-publisher==0.0.4
+    # via -r dev-requirements.in
+pytest-cov==2.11.1
+    # via -r dev-requirements.in
+pytest==6.2.2
+    # via
+    #   -r dev-requirements.in
+    #   pytest-cov
+requests==2.25.1
+    # via -r dev-requirements.in
+simpleeval==0.9.10
+    # via casbin
+smmap==3.0.5
+    # via gitdb
+starlette-auth-toolkit==0.5.0
+    # via -r dev-requirements.in
+starlette==0.13.6
+    # via
+    #   fastapi
+    #   starlette-auth-toolkit
+toml==0.10.2
+    # via pytest
+urllib3==1.26.3
+    # via requests
+uvicorn==0.13.4
+    # via -r dev-requirements.in
+
+# The following packages are considered to be unsafe in a requirements file:
+# pip

examples/rbac_model.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = (p.sub == "*" || g(r.sub, p.sub)) && (r.obj == p.obj || keyMatch(r.obj, p.obj)) && (p.act == "*" || r.act == p.act)

examples/rbac_policy.csv

@@ -0,0 +1,11 @@
+p, alice, /dataset1/*, GET
+p, alice, /dataset1/resource1, POST
+p, bob, /dataset2/resource1, *
+p, bob, /dataset2/resource2, GET
+p, bob, /dataset2/folder1/*, POST
+p, dataset1_admin, /dataset1/*, *
+p, *, /login, *
+
+p, anonymous, /, GET
+
+g, cathy, dataset1_admin

fastapi_authz/__init__.py

@@ -0,0 +1 @@
+from .middleware import CasbinMiddleware

fastapi_authz/middleware.py

@@ -0,0 +1,67 @@
+from casbin.enforcer import Enforcer
+from starlette.authentication import BaseUser
+from starlette.requests import Request
+from starlette.responses import JSONResponse
+from starlette.status import HTTP_403_FORBIDDEN
+from starlette.types import ASGIApp, Receive, Scope, Send
+
+
+class CasbinMiddleware:
+    """
+    Middleware for Casbin
+    """
+
+    def __init__(
+            self,
+            app: ASGIApp,
+            enforcer: Enforcer,
+    ) -> None:
+        """
+        Configure Casbin Middleware
+
+        :param app:Retain for ASGI.
+        :param enforcer:Casbin Enforcer, must be initialized before FastAPI start.
+        """
+        self.app = app
+        self.enforcer = enforcer
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
+        if scope["type"] not in ("http", "websocket"):
+            await self.app(scope, receive, send)
+            return
+
+        if self._enforce(scope, receive):
+            await self.app(scope, receive, send)
+            return
+        else:
+            response = JSONResponse(
+                status_code=HTTP_403_FORBIDDEN,
+                content="Forbidden"
+            )
+
+            await response(scope, receive, send)
+            return
+
+    def _enforce(self, scope: Scope, receive: Receive) -> bool:
+        """
+        Enforce a request
+
+        :param user: user will be sent to enforcer
+        :param request: ASGI Request
+        :return: Enforce Result
+        """
+
+        request = Request(scope, receive)
+
+        path = request.url.path
+        method = request.method
+        if 'user' not in scope:
+            raise RuntimeError("Casbin Middleware must work with an Authentication Middleware")
+
+        assert isinstance(request.user, BaseUser)
+
+        user = request.user.display_name if request.user.is_authenticated else 'anonymous'
+
+        print(user, path, method)
+
+        return self.enforcer.enforce(user, path, method)

requirements.in

@@ -0,0 +1,2 @@
+fastapi
+casbin

requirements.txt

@@ -0,0 +1,17 @@
+#
+# This file is autogenerated by pip-compile
+# To update, run:
+#
+#    pip-compile requirements.in
+#
+
+casbin==0.18.1
+    # via -r requirements.in
+fastapi==0.63.0
+    # via -r requirements.in
+pydantic==1.7.3
+    # via fastapi
+simpleeval==0.9.10
+    # via casbin
+starlette==0.13.6
+    # via fastapi

setup.cfg

@@ -0,0 +1,5 @@
+[bdist_wheel]
+universal=1
+
+[metadata]
+description-file=README.md