Authorization fails with Flask Blueprints

[msdcanderson]

Hi,

Am I using flask-authz correctly?

My casbinmodel.conf:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)

My security policy:

p, 1, /forms, POST
p, 1, /forms/1, GET
p, 1, /forms/2, GET

It looks like I have connected flask-authz up OK, when I do a POST request it works correctly, but when I do a GET (with a correctly logged in user) for '/forms/1', I get a fail:

2020-08-12 14:51:37,068 - INFO - Request: 1, /forms/<int:_id>, GET ---> False

It looks like the flask 'request.url_rule' is picking up forms/int:_id rather than /forms/1

My get resource:

@bp.route("/<int:_id>", methods=["GET"])
@jwt_required
@casbin_enforcer.enforcer
def get_form(_id):
    form = FormModel.find_by_id(_id)
    if not form:
        return {"message": gettext("FORM_NOT_FOUND")}, 404
    return form_schema.dump(form), 200

Thanks for any ideas :-)

[hsluoyz]

@techoner @Xhy-5000

[msdcanderson]

In casbin_enforcer.py, something like this might work:

base_url = request.base_url
host_url = request.host_url
if not base_url.startswith(host_url):
    end_url = str(base_url)
else:
    end_url = str(base_url.replace(host_url, "/"))
if self.e.enforce(owner, end_url, request.method):
    return func(*args, **kwargs)

I don't know whether the if/else statement is needed or it could just have: end_url = str(base_url.replace(host_url, "/"))

This code would probably have to go higher up, probably before for header in self.app.config.get("CASBIN_OWNER_HEADERS"): so that it can be used by both authorization types.

[Xhy-5000]

Sorry that I'm unfamiliar with flask-authz... @techoner may know more about that...

[jessecooper]

@msdcanderson That sounds like a good fix for this. The issue comes from the use of request.url_rule on line 66 and 79.

I never hit this because I use wild cards in my rules and that could be a workaround for you:

p, 1, /forms, POST
p, 1, /forms/*, GET

That should work but if you would like to create a PR for this it would be appreciated.

[Xhy-5000]

Here is some information copy from https://forum.casbin.com/t/21.
flask-authz only implements authorization verification. After the user logs in, the user information can be passed to the authorization verification middleware through request.header.
@[app.route ('/',](https://forum.casbin.com/member/app.route ('/', ) methods=['GET']) @[casbin_enforcer.enforcer ](https://forum.casbin.com/member/casbin_enforcer.enforcer ) def get_root (): return jsonify ({'message': 'If you see this you have access'})
In the middleware: https://github.com/pycasbin/flask-authz/blob/master/flask_authz/casbin_enforcer.py#L66
// get user log in info，https://github.com/pycasbin/flask-authz/blob/master/flask_authz/casbin_enforcer.py#L57 owner = authorization_decoder (request.headers.get (header)) //..... // authorization verification if self.e.enforce (owner, str (request.url_rule), request.method): return func (*args, **kwargs)

[hsluoyz]

@jessecooper @dfresh613 I think we should feed the actual URL path value like /forms/1, /forms/2 than the routing pattern /forms/<int:_id> into the Casbin. Can we change the authz middleware code to do this?

@msdcanderson can you also try to make a PR?

[jessecooper]

@hsluoyz I am not sure I understand what that would be used for given each request comes in one at a time to a given route and is handled as such. I think the best way is to pass in the intended URI and let the enforcer evaluate it based on the rules it is it has. That was the original intention but it seems I made an error in the request object property that I am passing in.

@msdcanderson It looks like request.url_rule can just be changed with request.path to get the requested URI

[hsluoyz]

@jessecooper can anyone provide a fix?