fix: Add access-control for admin-specific route

app/__init__.py

@@ -2,6 +2,7 @@
 import logging
 import os.path
 from envparse import env
+
 import sys
 from flask import Flask, json, make_response
 from app.settings import get_settings, get_setts
@@ -13,7 +14,7 @@
 from flask_cors import CORS
 from flask_rest_jsonapi.errors import jsonapi_errors
 from flask_rest_jsonapi.exceptions import JsonApiException
-from healthcheck import HealthCheck, EnvironmentDump
+from healthcheck import HealthCheck
 from apscheduler.schedulers.background import BackgroundScheduler
 from elasticsearch_dsl.connections import connections
 from pytz import utc
@@ -46,7 +47,6 @@
 static_dir = os.path.dirname(os.path.dirname(__file__)) + "/static"
 template_dir = os.path.dirname(__file__) + "/templates"
 app = Flask(__name__, static_folder=static_dir, template_folder=template_dir)
-
 env.read_envfile()
 
 
@@ -127,7 +127,7 @@ def create_app():
         from app.api.users import user_misc_routes
         from app.api.orders import order_misc_routes
         from app.api.role_invites import role_invites_misc_routes
-        from app.api.auth import ticket_blueprint
+        from app.api.auth import ticket_blueprint, authorised_blueprint
         from app.api.admin_translations import admin_blueprint
 
         app.register_blueprint(api_v1)
@@ -143,6 +143,7 @@ def create_app():
         app.register_blueprint(order_misc_routes)
         app.register_blueprint(role_invites_misc_routes)
         app.register_blueprint(ticket_blueprint)
+        app.register_blueprint(authorised_blueprint)
         app.register_blueprint(admin_blueprint)
 
     sa.orm.configure_mappers()
@@ -205,7 +206,6 @@ def __call__(self, *args, **kwargs):
 
 # Health-check
 health = HealthCheck(current_app, "/health-check")
-envdump = EnvironmentDump(current_app, "/environment", include_config=False)
 health.add_check(health_check_celery)
 health.add_check(health_check_db)
 with current_app.app_context():

app/api/auth.py

@@ -4,6 +4,8 @@
 import string
 
 import requests
+from healthcheck import EnvironmentDump
+from functools import wraps
 from flask import request, jsonify, make_response, Blueprint, send_file, url_for, redirect
 from flask_jwt import current_identity as current_user, jwt_required
 from sqlalchemy.orm.exc import NoResultFound
@@ -28,6 +30,7 @@
 from app.api.helpers.storage import UPLOAD_PATHS
 
 
+authorised_blueprint = Blueprint('authorised_blueprint', __name__, url_prefix='/')
 ticket_blueprint = Blueprint('ticket_blueprint', __name__, url_prefix='/v1')
 auth_routes = Blueprint('auth', __name__, url_prefix='/v1/auth')
 
@@ -328,3 +331,36 @@ def order_invoices(order_identifier):
             return ForbiddenError({'source': ''}, 'Unauthorized Access').respond()
     else:
         return ForbiddenError({'source': ''}, 'Authentication Required to access Invoice').respond()
+
+
+# Access for Environment details & Basic Auth Support
+def check_auth_admin(username, password):
+    """
+    This function is called to check for proper authentication & admin rights
+    """
+    if username and password:
+        user = User.query.filter_by(_email=username).first()
+        if user:
+            if user.is_correct_password(password):
+                if user.is_admin:
+                    return True
+    return False
+
+
+def requires_basic_auth(f):
+    @wraps(f)
+    def decorated(*args, **kwargs):
+        auth = request.authorization
+        if not auth or not check_auth_admin(auth.username, auth.password):
+            return make_response('Could not verify your access level for that URL.\n'
+                                 'You have to login with proper credentials', 401,
+                                 {'WWW-Authenticate': 'Basic realm="Login Required"'})
+        return f(*args, **kwargs)
+    return decorated
+
+
+@authorised_blueprint.route('/environment')
+@requires_basic_auth
+def environment_details():
+    envdump = EnvironmentDump(include_config=False)
+    return envdump.dump_environment()