@@ -28,6 +28,7 @@ def __init__(self, app, adapter, watcher=None):
2828 if watcher :
2929 self .e .set_watcher (watcher )
3030 self ._owner_loader = None
31+ self .user_name_headers = app .config .get ("CASBIN_USER_NAME_HEADERS" , None )
3132
3233 def set_watcher (self , watcher ):
3334 """
@@ -55,6 +56,9 @@ def enforcer(self, func):
5556 def wrapper (* args , ** kwargs ):
5657 if self .e .watcher and self .e .watcher .should_reload ():
5758 self .e .watcher .update_callback ()
59+ # String used to hold the owners user name for audit logging
60+ owner_audit = ""
61+
5862 # Check sub, obj act against Casbin polices
5963 self .app .logger .debug (
6064 "Enforce Headers Config: %s\n Request Headers: %s"
@@ -85,6 +89,9 @@ def wrapper(*args, **kwargs):
8589 "decoding is unsupported by flask-casbin at this time"
8690 )
8791 continue
92+
93+ if self .user_name_headers and header in self .user_name_headers :
94+ owner_audit = owner
8895 if self .e .enforce (owner , uri , request .method ):
8996 return func (* args , ** kwargs )
9097 else :
@@ -97,11 +104,20 @@ def wrapper(*args, **kwargs):
97104 "Enforce against owner: %s header: %s"
98105 % (owner .strip ('"' ), header )
99106 )
107+ if self .user_name_headers and header in self .user_name_headers :
108+ owner_audit = owner
100109 if self .e .enforce (
101110 owner .strip ('"' ), uri , request .method
102111 ):
103112 return func (* args , ** kwargs )
104113 else :
114+ self .app .logger .error (
115+ "Unauthorized attempt: method: %s resource: %s%s" % (
116+ request .method ,
117+ uri ,
118+ "" if not self .user_name_headers and owner_audit != "" else " by user: %s" % owner_audit
119+ )
120+ )
105121 return (jsonify ({"message" : "Unauthorized" }), 401 )
106122
107123 return wrapper
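Review bot: The suffix expression on the new `"" if not self.user_name_headers and owner_audit != "" else " by user: %s" % owner_audit` line can only pick the empty suffix when no user-name headers are configured *and* `owner_audit` is non-empty, which cannot occur because `owner_audit` is assigned only inside the `self.user_name_headers` guard; so the error line appends ` by user: ` even when no name was captured. The intended form reads `" by user: %s" % owner_audit if owner_audit else ""`. Separately, `owner_audit = owner` stores the raw header value while `enforce()` receives `owner.strip('"')`, so the audit entry may differ from the identity actually checked, and because `owner` comes straight from a request header, formatting it with `%r` instead of `%s` keeps embedded newlines from splitting the audit record into forged lines. The same assignment is duplicated in the preceding hunk at new lines 93-94 and could share one helper. `wrapper`'s body begins before this hunk.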