From df5105c6b71a2cec8050f94a797de51838b6631e Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 15 May 2026 08:27:14 +0000
Subject: [PATCH] feat: add authz dependency injection

---
 src/blueapi/service/authentication.py | 9 +++++++++
 src/blueapi/service/main.py           | 12 ++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/src/blueapi/service/authentication.py b/src/blueapi/service/authentication.py
index b107f7b2b..33201c9f2 100644
--- a/src/blueapi/service/authentication.py
+++ b/src/blueapi/service/authentication.py
@@ -272,3 +272,12 @@ def get_access_token(self):
     def sync_auth_flow(self, request):
         request.headers["Authorization"] = f"Bearer {self.get_access_token()}"
         yield request
+
+
+class OPAClient:  # placeholder until https://jira.diamond.ac.uk/browse/ACQP-550 is done
+    def do_some_checks(self, task_request) -> bool:
+        return True
+
+
+def get_opa_client() -> OPAClient:  # placeholder
+    return OPAClient()
diff --git a/src/blueapi/service/main.py b/src/blueapi/service/main.py
index a53c46885..75325236e 100644
--- a/src/blueapi/service/main.py
+++ b/src/blueapi/service/main.py
@@ -37,6 +37,7 @@ from blueapi import __version__
 from blueapi.config import ApplicationConfig, OIDCConfig, Tag
 from blueapi.service import interface
+from blueapi.service.authentication import OPAClient, get_opa_client
 from blueapi.worker import TrackableTask, WorkerState
 from blueapi.worker.event import TaskStatusEnum
 
 
@@ -278,6 +279,16 @@ def get_device_by_name(
     )
 
 
+def submission_check(
+    opa: Annotated[OPAClient, Depends(get_opa_client)],
+    task_request: TaskRequest,
+):
+    allowed = opa.do_some_checks(task_request)
+
+    if not allowed:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
+
+
 @secure_router_v1.post("/tasks", status_code=status.HTTP_201_CREATED, tags=[Tag.TASK])
 @secure_router.post("/tasks", status_code=status.HTTP_201_CREATED, tags=[Tag.TASK])
 @start_as_current_span(
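Review bot: `OPAClient.do_some_checks` in the authentication.py hunk returns `True` unconditionally, so until ACQP-550 replaces it the authorisation dependency is fail-open and every submission that reaches it is permitted. That is acceptable for a stub, but the only marker is the trailing comment on the class line; a docstring on the method states the contract where callers and test overrides will see it, e.g. `"""Placeholder: permits every request. Must be replaced by a real policy check (ACQP-550) before authorisation is relied on."""`. The `task_request` parameter is unannotated while `submission_check` passes it a `TaskRequest`; annotating it as `task_request: TaskRequest` would tie the two to one contract, though I cannot see whether this module already imports that type. `get_opa_client` constructs a fresh `OPAClient` on every call, which is fine for the stub but presumably not once the real client carries policy-server configuration, so a note on that function when it is filled in would help.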
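Review bot: `submission_check` declares `task_request: TaskRequest` as a bare body parameter while `submit_task` (next hunk) declares the same name as `Annotated[TaskRequest, Body(..., examples=[example_task_request])]`; FastAPI collects body parameters across the whole dependency tree, and I cannot rule out from here that the second declaration changes the generated schema or how the body is parsed, so this should be checked against the OpenAPI output and an end-to-end POST test. Using the identical annotation in the dependency, or having `submission_check` return the validated `TaskRequest` and letting `submit_task` take it through `Depends(submission_check)`, keeps a single source of truth for the body. A denied request raises `HTTPException(status_code=status.HTTP_403_FORBIDDEN)` and leaves no trace; if main.py has a logger, recording the denial with the task name gives an audit trail for the authorisation decision. The function also has no docstring or return annotation; `def submission_check(...) -> None:` with `"""Raise 403 unless the OPA client allows the submitted task."""` would document the contract.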
@@ -291,6 +302,7 @@ def submit_task(
     request: Request,
     response: Response,
     task_request: Annotated[TaskRequest, Body(..., examples=[example_task_request])],
+    authz_check: Annotated[None, Depends(submission_check)],
     runner: Annotated[WorkerDispatcher, Depends(_runner)],
 ) -> TaskResponse:
     """Submit a task to the worker."""
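Review bot: `authz_check` is an unread parameter whose only purpose is to run `submission_check` as a side effect; that works, but `submit_task`'s docstring still reads as if submission always succeeds and should say `"""Submit a task to the worker. Responds 403 when submission_check rejects the task."""`. FastAPI's decorator-level `dependencies=[Depends(submission_check)]` is the usual idiom for a dependency that yields no value, though with two route decorators on this function keeping it as a parameter enforces the check once for both routes, so the choice is defensible. Because the dependency is declared after `task_request`, a malformed body presumably fails validation with 422 before the authorisation check runs; confirm that ordering is intended. `submit_task` begins and ends outside this hunk.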