tking/fastapi-gsap
SHA256
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
fastapi-gsap/gsap_broker/routers/authorize.py
Tyler J King 8196396ce6 feat(drivers): add native Entra identity driver 
Validates Entra JWTs directly via JWKS verification.
Extracts device_id for compliance gating, MFA status,
roles, and constructs DID from Entra tenant + oid.
Adds device_id field to AuthResult dataclass.

Signed-off-by: Tyler King <tking@guildhouse.dev>
2026-04-14 05:19:54 -04:00

110 lines
5.3 KiB
Python
Raw Blame History

"""POST /governance/authorize/ — GSAP §5.2"""
import secrets, uuid
from datetime import datetime, timedelta, UTC
from fastapi import APIRouter, Depends, HTTPException, Request
from sqlmodel.ext.asyncio.session import AsyncSession
from gsap_broker.db import get_session
from gsap_broker.db_models import AuthorizationContextDB
from gsap_broker.drivers.registry import DriverRegistry
from gsap_broker.models import (
AuthorizeRequest, AuthorizeResponse, AuthorizationContext,
Principal, Accord, Operation, IdentityProof)
from gsap_broker.settings import settings
from gsap_broker import chronicle
router = APIRouter()
def _extract_token_data(http_request: Request) -> dict:
"""Extract and decode JWT from Authorization header (unverified — driver validates)."""
auth = http_request.headers.get("authorization", "")
if not auth.startswith("Bearer "):
return {}
token = auth[7:]
try:
import base64, json
payload = token.split(".")[1]
payload += "=" * (4 - len(payload) % 4)
return json.loads(base64.urlsafe_b64decode(payload))
except Exception:
return {}
@router.post("/authorize/", response_model=AuthorizeResponse, summary="Issue AC (GSAP §5.2)")
async def authorize(body: AuthorizeRequest, http_request: Request, db: AsyncSession = Depends(get_session)):
request = body
token_data = _extract_token_data(http_request)
raw_token = ""
auth_header = http_request.headers.get("authorization", "")
if auth_header.startswith("Bearer "):
raw_token = auth_header[7:]
try:
driver = DriverRegistry.get(request.driver_id, config={
"requested_accord": request.accord_template,
"domain": settings.keycloak_domain,
"did_template": settings.keycloak_did_template,
"elevated_suffix": settings.keycloak_elevated_role_suffix,
"_token_data": token_data,
"_raw_token": raw_token,
"entra_tenant_id": settings.entra_tenant_id,
"entra_client_id": settings.entra_client_id,
})
except KeyError as e:
raise HTTPException(status_code=400, detail=str(e))
auth_result = await driver.authenticate()
if auth_result.needs_elevation:
poll_token = secrets.token_urlsafe(32)
ac_db = AuthorizationContextDB(
principal_did="", driver_id=request.driver_id, playbook=request.playbook,
corpus_entry_cid=request.corpus_entry_cid, parameters_cid=request.parameters_cid,
accord_template=request.accord_template, status="pending",
expires_at=datetime.now(UTC) + timedelta(minutes=10), poll_token=poll_token)
db.add(ac_db); await db.commit()
return AuthorizeResponse(
status="pending_elevation", poll_token=poll_token,
elevation_instructions=auth_result.elevation_required.instructions,
activation_url=auth_result.elevation_required.activation_url)
if not auth_result.is_authorized:
raise HTTPException(status_code=403, detail=auth_result.denial_reason)
now = datetime.now(UTC)
expires = now + timedelta(minutes=settings.ac_ttl_minutes)
ctx_id = uuid.uuid4()
# on_behalf_of: trusted caller (Bascule SA) asserts who the AC is for
principal_did = request.on_behalf_of or auth_result.principal_did
display_name = request.on_behalf_of.rsplit("/", 1)[-1] if request.on_behalf_of else auth_result.display_name
ac = AuthorizationContext(
context_id=ctx_id, issued_at=now, expires_at=expires,
principal=Principal(did=principal_did, display_name=display_name, driver_id=request.driver_id),
accord=Accord(template=request.accord_template),
operation=Operation(playbook=request.playbook, corpus_entry_cid=request.corpus_entry_cid, parameters_cid=request.parameters_cid),
identity_proof=IdentityProof(token_jti=auth_result.token_jti, elevation_active=auth_result.elevation_active, mfa_satisfied=auth_result.mfa_satisfied),
broker={"did": settings.broker_did, "name": settings.broker_name})
ac_db = AuthorizationContextDB(
context_id=ctx_id, principal_did=principal_did, driver_id=request.driver_id,
playbook=request.playbook, corpus_entry_cid=request.corpus_entry_cid,
parameters_cid=request.parameters_cid, accord_template=request.accord_template,
token_jti=auth_result.token_jti, elevation_active=auth_result.elevation_active,
mfa_satisfied=auth_result.mfa_satisfied, status="authorized", issued_at=now, expires_at=expires,
session_mode=request.session_mode)
db.add(ac_db)
cid = await chronicle.emit("GSAP_AC_ISSUED", {"event_code": "0x2704", "context_id": str(ctx_id), "principal_did": principal_did, "playbook": request.playbook})
ac_db.chronicle_event_cid = cid
await db.commit()
return AuthorizeResponse(status="authorized", authorization_context=ac)
@router.get("/authorize/{poll_token}/", response_model=AuthorizeResponse, summary="Poll (GSAP §5.3)")
async def authorize_poll(poll_token: str, db: AsyncSession = Depends(get_session)):
from sqlmodel import select
result = await db.exec(select(AuthorizationContextDB).where(AuthorizationContextDB.poll_token == poll_token))
ac_db = result.first()
if not ac_db: raise HTTPException(status_code=404, detail="Not found.")
return AuthorizeResponse(status=ac_db.status, poll_token=poll_token)
Reference in a new issue View git blame Copy permalink