mirror of
https://github.com/langgenius/dify.git
synced 2026-06-03 08:16:37 +08:00
Xiyuan Chen
cad0942f4d
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
106 lines
3.7 KiB
Python
106 lines
3.7 KiB
Python
from __future__ import annotations
|
|
|
|
from flask import request
|
|
from werkzeug.exceptions import Forbidden, NotFound, UnprocessableEntity
|
|
|
|
from controllers.openapi.auth.data import AuthData
|
|
from extensions.ext_database import db
|
|
from libs.oauth_bearer import Scope, TokenType
|
|
from services.account_service import AccountService, TenantService
|
|
from services.enterprise.enterprise_service import EnterpriseService, WebAppAccessMode
|
|
|
|
|
|
def check_scope(data: AuthData) -> None:
|
|
if data.required_scope is None:
|
|
return
|
|
if Scope.FULL in data.scopes or data.required_scope in data.scopes:
|
|
return
|
|
raise Forbidden("insufficient_scope")
|
|
|
|
|
|
def check_workspace_member(data: AuthData) -> None:
|
|
"""Assert the caller belongs to the resolved tenant.
|
|
|
|
`load_workspace_role` stashes the membership role (None when the caller is
|
|
not a member or is inactive). A missing membership surfaces as 404, not
|
|
403, so workspace IDs don't leak across tenants.
|
|
"""
|
|
if data.tenant_role is None:
|
|
raise NotFound("workspace not found")
|
|
|
|
|
|
def check_workspace_mismatch(data: AuthData) -> None:
|
|
if data.tenant is None:
|
|
return
|
|
request_workspace_id = data.path_params.get("workspace_id") or request.args.get("workspace_id")
|
|
if request_workspace_id and request_workspace_id != str(data.tenant.id):
|
|
raise UnprocessableEntity("workspace_id does not match app's workspace")
|
|
|
|
|
|
def check_workspace_role(data: AuthData) -> None:
|
|
if data.allowed_roles is None:
|
|
return
|
|
if data.tenant_role is None:
|
|
raise NotFound("workspace not found")
|
|
if data.tenant_role not in data.allowed_roles:
|
|
raise Forbidden("insufficient workspace role")
|
|
|
|
|
|
def check_app_api_enabled(data: AuthData) -> None:
|
|
if data.app is None:
|
|
return
|
|
if not data.app.enable_api:
|
|
raise Forbidden("service_api_disabled")
|
|
|
|
|
|
def check_app_access(data: AuthData) -> None:
|
|
if data.tenant is None:
|
|
return
|
|
if not TenantService.account_belongs_to_tenant(db.session, data.account_id, data.tenant.id):
|
|
raise Forbidden("subject_no_app_access")
|
|
|
|
|
|
_ALLOWED_MODES_BY_TOKEN_TYPE: dict[TokenType, frozenset[WebAppAccessMode]] = {
|
|
TokenType.OAUTH_ACCOUNT: frozenset(
|
|
{
|
|
WebAppAccessMode.PUBLIC,
|
|
WebAppAccessMode.SSO_VERIFIED,
|
|
WebAppAccessMode.PRIVATE_ALL,
|
|
WebAppAccessMode.PRIVATE,
|
|
}
|
|
),
|
|
TokenType.OAUTH_EXTERNAL_SSO: frozenset(
|
|
{
|
|
WebAppAccessMode.PUBLIC,
|
|
WebAppAccessMode.SSO_VERIFIED,
|
|
}
|
|
),
|
|
}
|
|
|
|
|
|
def check_acl(data: AuthData) -> None:
|
|
if data.app is None or data.app_access_mode is None:
|
|
raise Forbidden("app or access mode not loaded")
|
|
allowed_modes = _ALLOWED_MODES_BY_TOKEN_TYPE.get(data.token_type, frozenset())
|
|
if data.app_access_mode not in allowed_modes:
|
|
raise Forbidden("subject_not_allowed_for_access_mode")
|
|
|
|
|
|
def check_private_app_permission(data: AuthData) -> None:
|
|
if data.app is None:
|
|
raise Forbidden("app not loaded")
|
|
user_id = _resolve_user_id(data)
|
|
if user_id is None:
|
|
raise Forbidden("cannot resolve user for private app check")
|
|
if not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(user_id=user_id, app_id=data.app.id):
|
|
raise Forbidden("user_not_allowed_for_private_app")
|
|
|
|
|
|
def _resolve_user_id(data: AuthData) -> str | None:
|
|
if data.token_type == TokenType.OAUTH_ACCOUNT:
|
|
return str(data.account_id) if data.account_id is not None else None
|
|
if data.external_identity is None:
|
|
return None
|
|
account = AccountService.get_account_by_email(db.session, data.external_identity.email)
|
|
return str(account.id) if account is not None else None
|