#!/usr/bin/python3
import argparse
import getpass
import json
from http import HTTPStatus
from typing import Dict

import requests
from jose import jwt
from requests_oauth2client import OAuth2Client
# Upper bound, in seconds, intended for the HTTP calls made by this script.
HTTP_VERY_LONG_TIMEOUT = 300

# Header set for native-client calls to the identity tenant. Not referenced by
# the functions in this file; kept at module level in case it is imported elsewhere.
identity_headers = dict(
    (
        ('Content-Type', 'application/json'),
        ('X-IDAP-NATIVE-CLIENT', 'true'),
    )
)
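def get_identity_user_attributes(tenant_url: str, token: str, user_id: str) -> Dict:
    """Return the ``users`` table row for *user_id* from the identity tenant.

    Args:
        tenant_url: base URL of the identity tenant; a trailing slash is optional.
        token: bearer token, e.g. the one returned by ``identity_login``.
        user_id: identifier of the user to look up (``main`` passes the token's
            ``sub`` claim).

    Returns:
        The ``Result`` object of the ``ExtData/GetColumns`` response, or ``None``
        when the tenant did not answer 200 OK.
    """
    payload = {'Table': 'users', 'ID': user_id}
    headers = {'Content-Type': 'application/json', 'Authorization': f'Bearer {token}'}
    # Accept tenant_url with or without a trailing slash so the same value works
    # for both this call and identity_login.
    url = f"{tenant_url.rstrip('/')}/ExtData/GetColumns"
    # Always bound the request: without a timeout a stalled tenant hangs the script.
    response = requests.post(url, json=payload, headers=headers, timeout=HTTP_VERY_LONG_TIMEOUT)
    if response.status_code != HTTPStatus.OK:
        # Make the failure visible instead of silently falling off the end.
        print(f'GetColumns failed with HTTP {response.status_code}')
        return None
    return response.json()['Result']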
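def identity_login(identity_url: str, username: str, password: str) -> str:
    """Obtain a platform token for *username* using the client-credentials grant.

    Args:
        identity_url: base URL of the identity tenant; a trailing slash is optional.
        username: account name used as the OAuth2 client id.
        password: account password used as the OAuth2 client secret.

    Returns:
        The access token rendered as a string.

    Raises:
        RuntimeError: when the token request fails; the underlying exception is
            chained as the cause. Callers no longer receive ``None`` and fail
            later with a confusing error.
    """
    try:
        oauth2client = OAuth2Client(
            token_endpoint=f"{identity_url.rstrip('/')}/oauth2/platformtoken",
            auth=(username, password),
        )
        token = oauth2client.client_credentials(scope="", resource="")
    except Exception as ex:
        raise RuntimeError(f'identity login failed: {ex}') from ex
    return str(token)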
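def main():
    """Log in to the identity tenant, inspect the token, then call the protected resource.

    Steps: obtain a token, read its (unverified) claims to find the user id, fetch
    the user's attributes, and POST to ``<gw_url>/protected-resource`` reporting
    whether the gateway's authorizer allowed the call.
    """
    parser = argparse.ArgumentParser(
        description='Demo client for an API Gateway resource protected by a token authorizer.'
    )
    parser.add_argument('-u', '--user', required=True, help='identity username')
    parser.add_argument('-p', '--password',
                        help='identity password; prompted for when omitted')
    parser.add_argument('-i', '--identity_url', required=True, help='identity tenant base URL')
    parser.add_argument('-g', '--gw_url', required=True, help='API Gateway base URL')
    args = parser.parse_args()

    # A password given on the command line shows up in process listings and shell
    # history; prompt for it without echo when it was not supplied.
    password = args.password if args.password is not None else getpass.getpass('password: ')

    # login and get token
    token = identity_login(username=args.user, password=password, identity_url=args.identity_url)
    # NOTE: the token is a live bearer credential; it is printed here only so the
    # demo can be inspected. Treat this output as sensitive.
    print(f'user token: {token}')

    # get user id from claims
    # The claims are read WITHOUT signature verification and are used only to look
    # up and display the user; the access decision is made by the gateway's token
    # authorizer, not by this script.
    claims = jwt.get_unverified_claims(token)
    user_id = claims['sub']
    print(f'user id: {user_id}')
    print(f'user claims are: {claims}')

    # get user attributes
    attributes = get_identity_user_attributes(tenant_url=args.identity_url, token=token, user_id=user_id)
    print(f'user attributes: {attributes}')

    # call api gateway resource, protected by token authorizer and Amazon Verified Permissions as the decision service
    print('invoking the resource rest endpoint...')
    url = f"{args.gw_url.rstrip('/')}/protected-resource"
    headers = {'Authorization': f'Bearer {token}'}
    # Bound the call so a stalled gateway cannot hang the script.
    response = requests.post(url, json={}, headers=headers, timeout=HTTP_VERY_LONG_TIMEOUT)

    # verifying and analyzing the result
    if response.status_code == HTTPStatus.OK:
        print('you are authorized')
    elif response.status_code == HTTPStatus.FORBIDDEN:
        print('you are not authorized')
    else:
        print(f'unexpected error occurred: {response.status_code}')
    print(f'api response is\n{response.text}\n')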
# Run the demo only when executed as a script, not when imported.
if __name__ == "__main__":
    main()