feat: add app check for state

Signed-off-by: Youngjin Jo <[email protected]>
cloudforet-io · Apr 9, 2024 · a1a7332 · a1a7332
1 parent 05c813f
commit a1a7332
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 3 deletions.
diff --git a/src/cloudforet/console_api_v2/manager/cloudforet_manager.py b/src/cloudforet/console_api_v2/manager/cloudforet_manager.py
@@ -8,19 +8,18 @@
 
 
 class CloudforetManager(BaseManager):
-
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
     def dispatch_api(self, grpc_method: str, params: dict, token: str = None):
         service, resource, verb = self._parse_grpc_method(grpc_method)
         space_connector = SpaceConnector(service=service, token=token)
-        return space_connector.dispatch(f'{resource}.{verb}', params)
+        return space_connector.dispatch(f"{resource}.{verb}", params)
 
     @staticmethod
     def _parse_grpc_method(grpc_method):
         try:
-            service, resource, verb = grpc_method.split('.')
+            service, resource, verb = grpc_method.split(".")
             return service, resource, verb
         except Exception as e:
             raise ERROR_PARSE_GRPC_METHOD(grpc_method=grpc_method, reason=e)
diff --git a/src/cloudforet/console_api_v2/service/auth_service.py b/src/cloudforet/console_api_v2/service/auth_service.py
@@ -1,6 +1,7 @@
 import json
 import logging
 
+from spaceone.core import cache
 from spaceone.core import config
 from spaceone.core.auth.jwt import JWTAuthenticator, JWTUtil
 from spaceone.core.error import ERROR_AUTHENTICATE_FAILURE
@@ -35,7 +36,9 @@ def basic(self, params: dict) -> None:
         token = params["password"]
 
         decoded_token_info = self.decode_token(token)
+
         domain_id = self.extract_domain_id(decoded_token_info)
+        client_id = decoded_token_info.get("jti")
         decoded_service_account_id = decoded_token_info["injected_params"][
             "service_account_id"
         ]
@@ -45,6 +48,7 @@ def basic(self, params: dict) -> None:
                 message=f"Given service account id {service_account_id} is not matched with {decoded_service_account_id}."
             )
 
+        self._check_app(client_id, domain_id)
         self._authenticate(token, domain_id)
 
     def _authenticate(self, token: str, domain_id: str) -> dict:
@@ -79,3 +83,20 @@ def decode_token(token: str) -> dict:
             raise ERROR_AUTHENTICATE_FAILURE(message="failed to decode token.")
 
         return decoded
+
+    @staticmethod
+    @cache.cacheable(
+        key="console-api-v2:auth:check-app:{domain_id}:client_id:{client_id}",
+        alias="local",
+    )
+    def _check_app(client_id: str, domain_id: str):
+        system_token = config.get_global("TOKEN")
+
+        _LOGGER.debug(f"[_check_app] check app from identity service: {client_id}")
+
+        cloudforet_mgr = CloudforetManager()
+        cloudforet_mgr.dispatch_api(
+            "identity.App.check",
+            {"client_id": client_id, "domain_id": domain_id},
+            token=system_token,
+        )