mirror of
https://github.com/langgenius/dify.git
synced 2026-05-12 15:58:19 +08:00
53 lines
1.8 KiB
Python
53 lines
1.8 KiB
Python
"""`OAUTH_BEARER_PIPELINE` — the auth scheme for openapi `/run` endpoints.
|
|
|
|
Endpoints attach via `@OAUTH_BEARER_PIPELINE.guard(scope=…)`. No alternative
|
|
paths. Read endpoints (`/apps`, `/info`, `/parameters`, `/describe`) skip
|
|
the pipeline and use `validate_bearer + require_scope + require_workspace_member`
|
|
inline — they don't need `AppAuthzCheck`/`CallerMount`.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from controllers.openapi.auth.pipeline import Pipeline
|
|
from controllers.openapi.auth.steps import (
|
|
AppAuthzCheck,
|
|
AppResolver,
|
|
BearerCheck,
|
|
CallerMount,
|
|
ScopeCheck,
|
|
SurfaceCheck,
|
|
WorkspaceMembershipCheck,
|
|
)
|
|
from controllers.openapi.auth.strategies import (
|
|
AccountMounter,
|
|
AclStrategy,
|
|
AppAuthzStrategy,
|
|
EndUserMounter,
|
|
MembershipStrategy,
|
|
)
|
|
from libs.oauth_bearer import SubjectType
|
|
from services.feature_service import FeatureService
|
|
|
|
|
|
def _resolve_app_authz_strategy() -> AppAuthzStrategy:
|
|
if FeatureService.get_system_features().webapp_auth.enabled:
|
|
return AclStrategy()
|
|
return MembershipStrategy()
|
|
|
|
|
|
# Pipeline currently serves only `/openapi/v1/apps/<id>/run` — an account
|
|
# (dfoa_) surface route. SurfaceCheck runs right after BearerCheck so
|
|
# pipeline-guarded routes get the same wrong_surface 403 + audit emit as
|
|
# the inline `@accept_subjects` decorator on read endpoints. When the
|
|
# external-surface run route lands, swap in an external-pipeline builder
|
|
# that constructs SurfaceCheck(accepted=frozenset({USER_EXT_SSO})).
|
|
OAUTH_BEARER_PIPELINE = Pipeline(
|
|
BearerCheck(),
|
|
SurfaceCheck(accepted=frozenset({SubjectType.ACCOUNT})),
|
|
ScopeCheck(),
|
|
AppResolver(),
|
|
WorkspaceMembershipCheck(),
|
|
AppAuthzCheck(_resolve_app_authz_strategy),
|
|
CallerMount(AccountMounter(), EndUserMounter()),
|
|
)
|