using CloudOperationsClient API
phillipskevin committed Oct 1, 2024
1 parent d38c972 commit 524e430
Showing 3 changed files with 34 additions and 44 deletions.
68 changes: 29 additions & 39 deletions encryption_jwt/codec_server.py
Expand Up @@ -2,20 +2,22 @@
import os
import ssl

import grpc
import jwt
import requests
from aiohttp import hdrs, web
from google.protobuf import json_format
from jwt.algorithms import RSAAlgorithm
from temporalio.api.cloud.cloudservice.v1 import request_response_pb2, service_pb2_grpc
from temporalio.api.common.v1 import Payload, Payloads
from temporalio.api.cloud.cloudservice.v1 import GetUsersRequest
from temporalio.api.common.v1 import Payloads
from temporalio.client import CloudOperationsClient

from encryption_jwt.codec import EncryptionCodec

AUTHORIZED_ACCOUNT_ACCESS_ROLES = ["owner", "admin"]
AUTHORIZED_NAMESPACE_ACCESS_ROLES = ["read", "write", "admin"]

TEMPORAL_CLIENT_CLOUD_API_VERSION = "2024-05-13-00"

temporal_ops_address = "saas-api.tmprl.cloud:443"
if os.environ.get("TEMPORAL_OPS_ADDRESS"):
temporal_ops_address = os.environ.get("TEMPORAL_OPS_ADDRESS")
Expand Down Expand Up @@ -45,44 +47,32 @@ async def cors_options(req: web.Request) -> web.Response:

return resp

def decryption_authorized(email: str, namespace: str) -> bool:
credentials = grpc.composite_channel_credentials(
grpc.ssl_channel_credentials(),
grpc.access_token_call_credentials(os.environ.get("TEMPORAL_API_KEY")),
async def decryption_authorized(email: str, namespace: str) -> bool:
client = await CloudOperationsClient.connect(
api_key=os.environ.get("TEMPORAL_API_KEY"),
version=TEMPORAL_CLIENT_CLOUD_API_VERSION,
)

with grpc.secure_channel(temporal_ops_address, credentials) as channel:
client = service_pb2_grpc.CloudServiceStub(channel)
request = request_response_pb2.GetUsersRequest()

response = client.GetUsers(
request,
metadata=(
(
"temporal-cloud-api-version",
os.environ.get("TEMPORAL_OPS_API_VERSION"),
),
),
)
response = await client.cloud_service.get_users(
GetUsersRequest(namespace=namespace)
)

for user in response.users:
if user.spec.email.lower() == email.lower():
if (
user.spec.access.account_access.role
in AUTHORIZED_ACCOUNT_ACCESS_ROLES
):
return True
else:
if namespace in user.spec.access.namespace_accesses:
if (
user.spec.access.namespace_accesses[
namespace
].permission
in AUTHORIZED_NAMESPACE_ACCESS_ROLES
):
return True

return False
for user in response.users:
if user.spec.email.lower() == email.lower():
if (
user.spec.access.account_access.role
in AUTHORIZED_ACCOUNT_ACCESS_ROLES
):
return True
else:
if namespace in user.spec.access.namespace_accesses:
if (
user.spec.access.namespace_accesses[namespace].permission
in AUTHORIZED_NAMESPACE_ACCESS_ROLES
):
return True

return False

def make_handler(fn: str):
async def handler(req: web.Request):
Expand Down Expand Up @@ -122,7 +112,7 @@ async def handler(req: web.Request):
)

# Use the email to determine if the user is authorized to decrypt the payload
authorized = decryption_authorized(
authorized = await decryption_authorized(
decoded["https://saas-api.tmprl.cloud/user/email"], namespace
)

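Review bot: The `CloudOperationsClient.connect(...)` call in the new `decryption_authorized` does not pass the operations endpoint, so the `temporal_ops_address` value that the first hunk still derives from `TEMPORAL_OPS_ADDRESS` is now dead and that override silently stops taking effect; if `connect` accepts a target host argument (it appears to be `target_host`), add `target_host=temporal_ops_address,` to the call, otherwise drop the unused lines so the environment variable is not documented as honoured. A new client is also connected on every authorization check and never closed; creating it once at startup and reusing it would avoid a connection per request, and the function would benefit from a docstring stating that it grants decryption when the caller's e-mail has an account-level role in `AUTHORIZED_ACCOUNT_ACCESS_ROLES` or a namespace permission in `AUTHORIZED_NAMESPACE_ACCESS_ROLES` for `namespace`. The caller in the second hunk (`handler`) begins outside the hunk.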
8 changes: 4 additions & 4 deletions poetry.lock


2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -45,7 +45,7 @@ dependencies = { cryptography = "^38.0.1", aiohttp = "^3.8.1" }

[tool.poetry.group.encryption_jwt]
optional = true
dependencies = { cryptography = "^38.0.1", aiohttp = "^3.8.1", pyjwt = "^2.9.0", grpcio = "^1.66.1", aioboto3 = "^13.1.1", "requests" = "^2.32.3" }
dependencies = { cryptography = "^38.0.1", aiohttp = "^3.8.1", pyjwt = "^2.9.0", aioboto3 = "^13.1.1", "requests" = "^2.32.3" }

[tool.poetry.group.gevent]
optional = true
