Don't return tenant/roles but allow client to query it separately.

educates · Aug 25, 2024 · 4a541d5 · 4a541d5
1 parent 0d8ec41
commit 4a541d5
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 10 deletions.
diff --git a/lookup-service/service/routes/authnz.py b/lookup-service/service/routes/authnz.py
@@ -35,8 +35,6 @@ def generate_login_response(client: ClientConfig) -> dict:
         "access_token": jwt_token,
         "token_type": "Bearer",
         "expires_at": expires_at,
-        "roles": client.roles,
-        "tenants": client.tenants,
     }
 
 

diff --git a/lookup-service/service/routes/clients.py b/lookup-service/service/routes/clients.py
@@ -24,19 +24,18 @@ async def api_get_v1_clients(request: web.Request) -> web.Response:
 
 
 @login_required
-@roles_accepted("admin")
+@roles_accepted("admin", "tenant")
 async def api_get_v1_clients_details(request: web.Request) -> web.Response:
     """Returns details for the specified client."""
 
-    client_name = request.match_info["client"]
-
-    service_state = request.app["service_state"]
-    client_database = service_state.client_database
+    client = request["remote_client"]
+    client_roles = request["client_roles"]
 
-    client = client_database.get_client(client_name)
+    client_name = request.match_info["client"]
 
-    if not client:
-        return web.Response(text="Client not available", status=404)
+    if "tenant" in client_roles:
+        if client.name != client_name:
+            return web.Response(text="Client access not permitted", status=403)
 
     details = {
         "name": client.name,