
from base64 import b32encode
from random import randbytes

from pydantic import BaseModel, Field, JsonValue

from .roles import Role


def _random_trace(nbytes=5) -> str:
    """Return a short lowercase base32 string used to correlate log entries.

    Args:
        nbytes: Number of random bytes to encode. The default of 5 bytes
            (40 bits) encodes to exactly 8 base32 characters with no ``=``
            padding.

    Returns:
        The base32 encoding of ``nbytes`` random bytes, lower-cased. The bytes
        come from the non-cryptographic ``random`` module, so the value is a
        correlation id only and is not suitable as a secret or token.
    """
    raw = randbytes(nbytes)
    encoded = b32encode(raw)
    return str(encoded, "ascii").lower()


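class AuthContext(BaseModel, extra="forbid", frozen=True):
    """Validated, read-only description of the caller behind one request.

    The identity, group, scope and role information is derived from the
    request's access token (see ``token_claims``); application code reads
    these fields to make authorization decisions. ``extra="forbid"`` rejects
    unknown keys at construction time and ``frozen=True`` blocks attribute
    reassignment afterwards.

    ``access_token`` holds the raw bearer credential, so serialising or
    logging a whole instance exposes it; the field is excluded from ``repr``
    for that reason.
    """

    user_id: str = Field(
        description=(
            "An opaque (UUID) account identifier associated with a request. "
            "This value is stable for one account and can be used as a database key. "
            "This may represent a human user or an automated app-user."
        )
    )
    # Union of account and group IDs; the usual input to authorization checks.
    principals: frozenset[str] = Field(
        description=(
            "A set of security principals associated with this request. "
            "This set includes one or more account IDs and zero or "
            "more group IDs. Use this field to help make authorization judgements."
        )
    )
    groups: frozenset[str] = Field(
        description=(
            "An opaque set of group UUIDs of which the user is a member. "
            "Typically you would use `principals` unless you are "
            "specifically interested in group membership."
        )
    )
    scopes: frozenset[str] = Field(
        description=(
            "A set of OAuth2 scopes associated with the request, showing the user "
            "has granted these permissions to this client. "
            "Use this field to help make authorization judgements."
        )
    )
    roles: frozenset[Role] = Field(
        description=(
            "A set of Roles granted to this user account by the system administrators. "
            "Use this field to help make authorization judgements."
        )
    )
    # NOTE(review): the description promises the value is always 'us', but nothing
    # in this model enforces it; the consumer must compare it against its own
    # identifier as the description says.
    audience: str = Field(
        description=(
            "Identifier by which the authorization server knows this service. "
            "Consumers should check this to verify this request has been sent to "
            "the right place. This should always be 'us'."
        )
    )
    # NOTE(review): frozen=True prevents reassigning this attribute but does not
    # freeze the dict's contents.
    token_claims: dict[str, JsonValue] = Field(
        description="All the claims provided in the access token by the Authorisation Provider."
    )
    # Raw credential: kept out of repr so that logging the context does not leak it.
    access_token: str = Field(
        description=(
            "The original access token as sent by the client. "
            "May be used to revalidate for extra assurance."
        ),
        repr=False,
    )
    # Correlation id only; generated with the non-cryptographic random module,
    # so it must not be treated as a secret.
    trace: str = Field(
        description=("Used to reconcile together log entries spanning a single user action."),
        default_factory=_random_trace,
    )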