Write new secret manager using existing RSA logic

2025-06-22 17:17:56 +02:00
parent 5985a726e3
commit 82ec7fabb4
34 changed files with 2042 additions and 640 deletions
--- a/packages/sshecret-admin/src/sshecret_admin/api/router.py
+++ b/packages/sshecret-admin/src/sshecret_admin/api/router.py
@ -5,8 +5,9 @@
 import logging
 from typing import Annotated

-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.security import OAuth2PasswordBearer
+from fastapi.security.utils import get_authorization_scheme_param

 from sqlalchemy import select
 from sqlalchemy.orm import Session
@ -57,6 +58,31 @@ def create_router(dependencies: BaseDependencies) -> APIRouter:
            raise credentials_exception
        return user

+    def get_client_origin(request: Request) -> str:
+        """Get client origin."""
+        fallback_origin = "UNKNOWN"
+        if request.client:
+            return request.client.host
+        return fallback_origin
+
+    def get_optional_username(request: Request) -> str | None:
+        """Get username, if available.
+
+        This is purely used for auditing purposes.
+        """
+        authorization = request.headers.get("Authorization")
+        scheme, param = get_authorization_scheme_param(authorization)
+        if not authorization or scheme.lower() != "bearer":
+            return None
+        claims = decode_token(dependencies.settings, param)
+        if not claims:
+            return None
+
+        if claims.provider == LOCAL_ISSUER:
+            return claims.sub
+
+        return f"oidc:{claims.email}"
+
    async def get_current_active_user(
        current_user: Annotated[User, Depends(get_current_user)],
    ) -> User:
@ -66,9 +92,12 @@ def create_router(dependencies: BaseDependencies) -> APIRouter:
        return current_user

    async def get_admin_backend(
+        request: Request,
        session: Annotated[Session, Depends(dependencies.get_db_session)],
    ):
        """Get admin backend API."""
+        username = get_optional_username(request)
+        origin = get_client_origin(request)
        password_db = session.scalars(
            select(PasswordDB).where(PasswordDB.id == 1)
        ).first()
@ -76,7 +105,11 @@ def create_router(dependencies: BaseDependencies) -> APIRouter:
            raise HTTPException(
                500, detail="Error: The password manager has not yet been set up."
            )
-        admin = AdminBackend(dependencies.settings, password_db.encrypted_password)
+        admin = AdminBackend(
+            dependencies.settings,
+            username=username,
+            origin=origin,
+        )
        yield admin

    app = APIRouter(prefix=f"/api/{API_VERSION}")