Commits · 5a404e555dc20ba714196c67b1e4e94aa7435121 · Information Services / DevOps / Django Libraries / API Gateway Auth

Mar 06, 2025
- chore(deps): update pre-commit hook pre-commit/pre-commit-hooks to v5 · 5a404e55
  UIS DevOps Renovate Bot authored 1 week ago
  
  5a404e55
Feb 19, 2025
- Merge branch 'renovate/configure' into 'main' · 3c616c3b
  Dr Rich Wareham authored 3 weeks ago
  
  chore: Configure Renovate See merge request !8
  3c616c3b
Oct 02, 2024
- Add renovate.json · d0527209
  UIS DevOps Renovate Bot authored 5 months ago
  
  d0527209
Mar 05, 2024
- Merge branch 'fix-trailing-slash' into 'main' · 7ca86706
  Robin Goodall authored 1 year ago
  
  Fix trailing slash See merge request !7
  0.0.7
  
  7ca86706
Mar 04, 2024
- fix: dockerfile for local testing · 46c403ca
  Robin Goodall authored 1 year ago
  
  46c403ca
- fix: resolve geddit dependency failure · 4a8b5f5c
  Robin Goodall authored 1 year ago
  
  4a8b5f5c
- chore: version 0.0.7 · 1ecc32b1
  Robin Goodall authored 1 year ago
  
  1ecc32b1
- fix: allow trailing slash or not in expected audiences · bc379fa3
  Robin Goodall authored 1 year ago
  
  bc379fa3
Feb 07, 2024
- Merge branch 'issue-4-validate-gateway-token' into 'main' · 4fa01af1
  Dr Rich Wareham authored 1 year ago
  
  verify incoming id token for API backends Closes #4 See merge request !6
  0.0.6
  
  4fa01af1
Feb 06, 2024

fix(id_token): change spelling of _API_GATEWAY_SERVICE_ACCOUNTS · 7febe88e
Dr Rich Wareham authored 1 year ago
```
Rename the variable to _DEFAULT_EXPECTED_AUTHORISED_PARTIES which better
reflects its actual meaning.
```
7febe88e
fix: make trusted issuers and expected parties settings lists · e431de6e
Dr Rich Wareham authored 1 year ago
```
Rather than having Django settings be strings which are parsed, have
them be actual lists like they should be.
```
e431de6e

fix: change ..._VERIFY_TOKEN setting to _ENFORCE_ID_TOKEN_VERIFICATION · 5259d6f9

Change the enforcement setting's semantics. Now the incoming token is
*always* verified but only a warning is printed to the logs unless
API_GATEWAY_AUTH_ENFORCE_IF_TOKEN_VERIFICATION is True.

5259d6f9

Jan 30, 2024
- Merge branch 'main' into issue-4-validate-gateway-token · a725a00e
  Dr Rich Wareham authored 1 year ago
  
  a725a00e
- hotfix(gitlab-ci): pin poetry and tox requirements for compatibility · e51399c4
  Dr Rich Wareham authored 1 year ago
  
  Pin the poetry and tox version numbers to a know good set. Ensure that we're using the most recent CI pipeline templates. The most recent (as of writing) version of tox conflicts with the most recent poetry.
  0.0.5
  
  e51399c4
- hotfix: bump package version · 3bf26589
  Dr Rich Wareham authored 1 year ago
  
  3bf26589
- Merge branch 'add-user' into 'main' · 0d2a88ce
  Dr Rich Wareham authored 1 year ago
  
  add user when authenticating Closes #2 See merge request !4
  0d2a88ce
Oct 17, 2023

feat(README): add note on local development · f39fa10c
Dr Rich Wareham authored 1 year ago

f39fa10c
feat(README): add note on IsAuthenticated permission · 67501bac
Dr Rich Wareham authored 1 year ago

67501bac

feat: verify API Gateway id token in request · e7255d7c

Dr Rich Wareham authored 1 year ago

Add verification for the Authorization header for incoming requests. The
defaults are to verify that the request is appropriately authenticated
with a Google service account corresponding to the API Gateway.

Expected issuer, authorised parties, issuer certificate URLs, etc can be
customised via settings. This is unlikely to be used in production but
is useful when combined with the API Gateway emulator for local
development.

Verification can be disabled entirely by setting an appropriately
dire-named setting.

Tests have been updated to exercise verification assuming that the
Google verification library works as documented.

Closes #4

e7255d7c

Oct 02, 2023
- Merge branch 'main' into add-user · 57409a46
  Dr Rich Wareham authored 1 year ago
  
  57409a46
- Merge branch 'issue-3-port-to-poetry' into 'main' · 85213b38
  Dr Rich Wareham authored 1 year ago
  
  Move over to using poetry for packaging and pre-commit for code checking Closes #3 See merge request !5
  0.0.4
  
  85213b38
Sep 21, 2023

feat: update README and CHANGELOG to note new poetry-based packaging · 8cd9ce7f
Dr Rich Wareham authored 1 year ago

8cd9ce7f

feat: add pre-commit checks · ee3b982a

Dr Rich Wareham authored 1 year ago

This commit changes no functionality but add pre-commit checks based on
our usual template and fixes up the code to match. Note that this found
a real bug in the type annotation for the override_permissions_spec
decorator.

ee3b982a

feat: port packaging over to poetry · 107f7042

Dr Rich Wareham authored 1 year ago

Port packaging to poetry. This does not make any changes to the existing
test matrix or requirements.

107f7042

Jun 29, 2023

chore:setup.py: bump version and changelog · c5e5ce1a
Dr Rich Wareham authored 1 year ago

c5e5ce1a

feat: add user when authenticating · 9c53abab

Dr Rich Wareham authored 1 year ago

When authenticating a principal add a synthetic "APIGatewayUser" object
as the request user. This object is not backed by a database object but
does have an id meaning that DRF templates used to render the API views
will correctly identify the authenticated user.

This unpacked somewhat because of a slight break with Django convention
exhibited by this app.

One needs to be _very_ careful with what is imported as a side-effect of
importing the top-level application module. That is because that module
is imported at application configure time as part of configuring the
application. It follows that applications in general are not yet
configured when the top-level application module is imported.

The top-level module here then directly imports some of the
implementation. So now our implementation must not rely on applications
having been configured at import time.

We got away with this due to the simplicity of the application but
attempting to derive from AnonymousUser triggered the problem: trying to
import anything from django.contrib.auth.models threw an exception about
applications not being configured.

The convention for DRF authentication classes is for them to sit in a
submodule named "authentication" within the top-level application. This
is for good reason; trying to have them in the top-level leads to this
sort of pain.

Unfortunately we have users in the wild using
"apigatewayauth.APIGatewayAuthentication" in their settings and so we
need to support that until users are fixed up to use
"apigatewayauth.authentication.APIGatewayAuthentication".

In the meantime, do some nasty hackery to support what was required by
the original issue.

Closes #2

9c53abab

Merge branch 'support-later-djangos' into 'main' · 97b8a448
Dr Rich Wareham authored 1 year ago
```
Support later Django versions

Closes #1

See merge request !3
```
0.0.3

97b8a448
chore:setup.py: bump version number · d548a18b
Dr Rich Wareham authored 1 year ago
```
Update (or, more correctly, create) the changelog in the process.
```
d548a18b

feat: move to using common Python CI templates · e7a88daf

Dr Rich Wareham authored 1 year ago

We now have common Python project CI templates which, while continuing
to support PyPI publication, also allow for parallel matrix testing with
tox.

The GitLab CI configuration in this repo dates from a time before this
feature was in GitLab (as noted in the comments) and so had to work
around it by creating a lot of templated jobs.

Simplify the CI configuration by making use of the common template.

e7a88daf

feat: support later Djangos · fe9ff8b2
Dr Rich Wareham authored 1 year ago

fe9ff8b2

Mar 25, 2022
- Merge branch 'up-version-identitylib-requirement' into 'main' · d6e14f5b
  Robin Goodall authored 2 years ago
  
  Downgrade required version of ucam-identitylib and be more permissive about required versions See merge request !2
  d6e14f5b
- Update for 0.0.2 release · 3d909bad
  Monty Dawson authored 2 years ago
  
  3d909bad
- Update package version for 0.0.2-rc1 release · 8bc68ae0
  Monty Dawson authored 2 years ago
  
  8bc68ae0
- Downgrade required version of ucam-identitylib and be more permissive about required versions · 42488095
  Monty Dawson authored 2 years ago
  
  This is not ideal, but given that we only need the identifiers from identitylib the downgrade in version and more permission version allows us to use this library with libraries which are making use of different versions of identitylib without needing to upgrade identitylib and refactor.
  42488095
Mar 23, 2022
- Merge branch 'initial-implementation' into 'main' · 4dcc4726
  Robin Goodall authored 2 years ago
  
  Initial implementation See merge request !1
  4dcc4726
- Improve test coverage of permissions handlers · a7aa04a9
  Monty Dawson authored 2 years ago
  
  a7aa04a9
- Fix documentation of get_principals_with_permission · c061c8c2
  Robin Goodall authored 2 years ago and Monty Dawson committed 2 years ago
  
  c061c8c2
- Ensure we don't cache ibis error responses · e41f931b
  Monty Dawson authored 2 years ago
  
  e41f931b
- Remove references to the Card API · c754887a
  Monty Dawson authored 2 years ago
  
  c754887a
Mar 18, 2022
- Update readme and up-version for 0.0.1 release · b3d564b3
  Monty Dawson authored 3 years ago
  
  b3d564b3

Admin message