Posted to commits@superset.apache.org by li...@apache.org on 2022/02/10 00:30:40 UTC

[superset] branch embedded-guest-token-aud-claim created (now c6225e5)

This is an automated email from the ASF dual-hosted git repository.

lilykuang pushed a change to branch embedded-guest-token-aud-claim
in repository https://gitbox.apache.org/repos/asf/superset.git.


      at c6225e5  add aud claim and type for guest token

This branch includes the following new commits:

     new c6225e5  add aud claim and type for guest token

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[superset] 01/01: add aud claim and type for guest token

Posted by li...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lilykuang pushed a commit to branch embedded-guest-token-aud-claim
in repository https://gitbox.apache.org/repos/asf/superset.git

commit c6225e5eae0705c31f5252d1a3cab6665df5a0f3
Author: Lily Kuang <li...@preset.io>
AuthorDate: Wed Feb 9 14:58:39 2022 -0800

    add aud claim and type for guest token
---
 superset/security/manager.py              | 11 ++++++++++-
 tests/integration_tests/security_tests.py |  5 ++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/superset/security/manager.py b/superset/security/manager.py
index 0bed447..eebb333 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -74,6 +74,7 @@ from superset.security.guest_token import (
     GuestUser,
 )
 from superset.utils.core import DatasourceName, RowLevelSecurityFilterType
+from superset.utils.urls import get_url_host
 
 if TYPE_CHECKING:
     from superset.common.query_context import QueryContext
@@ -1319,6 +1320,8 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
             # standard jwt claims:
             "iat": now,  # issued at
             "exp": exp,  # expiration time
+            "aud": get_url_host(),
+            "type": "guest",
         }
         token = jwt.encode(claims, secret, algorithm=algo)
         return token
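Review bot: The two new claims at `"aud": get_url_host(),` and `"type": "guest",` are the only entries in this dict without a trailing comment, while the neighbouring standard claims carry `# issued at` and `# expiration time`; a reader cannot tell from here why the audience is the URL host rather than a configured value, or what `type` is meant to distinguish. Suggest `"aud": get_url_host(),  # audience: the host this instance is served from; checked again on parse` and `"type": "guest",  # lets the parser reject non-guest JWTs signed with the same secret`, hedging the first if get_url_host() does something other than its name suggests. The enclosing function and the start of the `claims` dict are outside this hunk.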
@@ -1344,6 +1347,12 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
                 raise ValueError("Guest token does not contain a resources claim")
             if token.get("rls_rules") is None:
                 raise ValueError("Guest token does not contain an rls_rules claim")
+            if token.get("aud") is None:
+                raise ValueError("Guest token does not contain an aud claim")
+            if token.get("aud") != get_url_host():
+                raise ValueError("Guest token does not match the aud claim")
+            if token.get("type") != "guest":
+                raise ValueError("This is not a guest token.")
         except Exception:  # pylint: disable=broad-except
             # The login manager will handle sending 401s.
             # We don't need to send a special error message.
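Review bot: The two `aud` checks at `if token.get("aud") is None` and `if token.get("aud") != get_url_host()` appear to duplicate what the later hunk already enforces, since `jwt.decode(..., audience=get_url_host())` raises when the claim is missing or does not match, assuming the `token` dict here comes from that decode path (the `try:` and the assignment are outside the hunk). If they are kept as defence in depth, a one-line comment such as `# belt and braces: jwt.decode already enforces aud, repeat it so a future decode change cannot silently drop the check` would stop the next maintainer from treating them as dead code; note also that strict `!=` rejects a list-valued `aud` that the library check would accept, which is fine for self-issued tokens but worth stating. Minor style: `"This is not a guest token."` ends with a period while the sibling messages in this block do not. All of these ValueErrors are swallowed by the pre-existing `except Exception` below, so the distinct messages are never surfaced to a caller; consider logging them at debug level there if they are meant to aid diagnosis.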
@@ -1366,7 +1375,7 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
         """
         secret = current_app.config["GUEST_TOKEN_JWT_SECRET"]
         algo = current_app.config["GUEST_TOKEN_JWT_ALGO"]
-        return jwt.decode(raw_token, secret, algorithms=[algo])
+        return jwt.decode(raw_token, secret, algorithms=[algo], audience=get_url_host())
 
     @staticmethod
     def is_guest_user(user: Optional[Any] = None) -> bool:
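Review bot: Passing `audience=get_url_host()` to `jwt.decode` makes PyJWT reject any token that lacks an `aud` claim, so guest tokens issued before this change is deployed will stop decoding until they expire; the function's docstring, which closes at the `"""` at the top of the hunk and otherwise starts outside it, should say so with a line like `Tokens issued without an ``aud`` claim (pre-aud deployments) are rejected.` The rewritten `return jwt.decode(raw_token, secret, algorithms=[algo], audience=get_url_host())` is also noticeably longer than the surrounding lines and likely exceeds the project's line-length limit; the test file in this commit wraps the same call one keyword argument per line, and the same layout here would keep the two consistent.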
diff --git a/tests/integration_tests/security_tests.py b/tests/integration_tests/security_tests.py
index 46ca679..6651227 100644
--- a/tests/integration_tests/security_tests.py
+++ b/tests/integration_tests/security_tests.py
@@ -44,6 +44,7 @@ from superset.utils.core import (
     get_example_default_schema,
 )
 from superset.utils.database import get_example_database
+from superset.utils.urls import get_url_host
 from superset.views.access_requests import AccessRequestsModelView
 
 from .base_tests import SupersetTestCase
@@ -1177,17 +1178,19 @@ class TestGuestTokens(SupersetTestCase):
         resources = [{"some": "resource"}]
         rls = [{"dataset": 1, "clause": "access = 1"}]
         token = security_manager.create_guest_access_token(user, resources, rls)
-
+        aud = get_url_host()
         # unfortunately we cannot mock time in the jwt lib
         decoded_token = jwt.decode(
             token,
             self.app.config["GUEST_TOKEN_JWT_SECRET"],
             algorithms=[self.app.config["GUEST_TOKEN_JWT_ALGO"]],
+            audience=aud,
         )
 
         self.assertEqual(user, decoded_token["user"])
         self.assertEqual(resources, decoded_token["resources"])
         self.assertEqual(now, decoded_token["iat"])
+        self.assertEqual(aud, decoded_token["aud"])
         self.assertEqual(
             now + (self.app.config["GUEST_TOKEN_JWT_EXP_SECONDS"] * 1000),
             decoded_token["exp"],