Technical Articles

Tia Xu

August 10, 2020 4 minute read

[SAP Cloud Platform on Alibaba Cloud series] Develop Python App with Authentication and Authorization in Cloud Foundry – Part 3

This topic Develop Python App with Authentication and Authorization in Cloud Foundry will guide you through creating a Python application, setting up authentication checks and authorization checks in Cloud Foundry (for ease of reading “CF).

Since this is a large topic, in order to give you a better reading experience, I would like to divide it into 3 parts:

Part 1: Create and Deploy a Python Application

Part 2: Authentication Checks in Python Application

Part 3: Authorization Checks in Python Application

This blog post is Part 3.

Authorization in the Cloud Foundry environment is provided by the XSUAA service. In the last blog post, the @sap/approuter package was added to provide a central entry point for the business application and enable authentication. Now to extend our sample app, authorization will be added. The authorization concept includes elements such as Roles, Scopes, and Attributes provided in the security descriptor file xs-security.json of XSUAA, more details can be found here: What Is Authorization and Trust Management.

Step 1: Add and Vendor Dependencies

In order to consume the service from the application, you need to enable application to read the service settings and credentials from the application. To do that, we can use the Python module cfenv.

Besides, you need to set restrictions on the content you serve as well. The sap_xssec security library can do this.

Thus, let’s add these two dependencies to the requirements.txt file as below (you can specify the version number or not):

Flask==1.1.0
cfenv==0.5.3
sap_xssec

To get sap_xssec and other SAP developed Python modules:

go to https://support.sap.com/en/my-support/software-downloads.html,
select Access downloads located under Support Packages and Patches,
in the search bar type XS PYTHON,
select the XS PYTHON 1.0 component.

From there you can download the XS_PYTHON archive and extract it in a local directory, for example: sap_dependencies

Then vendor sap_xssec by executing the following command from the root of the application:

pip download -d vendor -r requirements.txt --find-links ./sap_dependencies

Step 2: Define Scope and Role Template

Modify the xs-security.json file in the python-with-xsuaa directory with scopes and role-templates section as below:

{
   "xsappname":"myapp",
   "tenant-mode":"dedicated",
   "scopes":[
      {
         "name":"$XSAPPNAME.Display",
         "description":"display"
      }
   ],
   "role-templates":[
      {
         "name":"Viewer",
         "description":"View Hello World",
         "scope-references":[
            "$XSAPPNAME.Display"
         ]
      }
   ],
   "oauth2-configuration":{
      "redirect-uris":[
         "https://*.<custom-domain>/**"
      ]
   }
}

Update the XSUAA instance myuaa via the following command:

cf update-service myuaa -c xs-security.json

Step 3: Add Role Scope Check

Modify the xs-app.json file in the approuter directory with scope as below:

{
  "routes": [
    {
      "source": "^/myapp/(.*)$",
      "target": "$1",
      "destination": "myapp",
      "scope": "$XSAPPNAME.Display"
    }
  ]
}

Push your app again via:

cf push

Try to access the approuter application and click into the myapp link, you should see 403 Forbidden since you haven’t assigned the role you defined to yourself yet.

Step 4: Create Role Collection

Open Cockpit, navigate to your subaccount, under Security, click on Role Collections , create a new Role Collection named Myapp Administrator by clicking on the New Role Collection button:

Go into the Myapp Administrator Role Collection, add roles you defined by clicking on the Add Role button:

Step 5: Assign Role Collection

Go back to your subaccount, click on the Trust Configuration under Security, then click on sap.default:

Enter your email in the E-Mail Address field, and click on the Show Assignment button.

Then you can assign the new Role Collection you just defined to yourself by clicking on the Assign Role Collection button:

Now, you can try to access the approuter application and click into the myapp link again. You will find you got the access permission to myapp finally.

Step 6: Add Authorization Checks

Until now, you can still access the myapp application directly without approuter, which doesn’t make sense:

We should modify server.py to use the security library and make authorization check as below:

import os
from flask import Flask
from flask import request
from flask import abort
from cfenv import AppEnv
from sap import xssec

app = Flask(__name__)
env = AppEnv()

port = int(os.environ.get('PORT', 3000))
uaa_service = env.get_service(name='myuaa').credentials

@app.route('/')
def hello():
    if 'authorization' not in request.headers:
        abort(403)
    access_token = request.headers.get('authorization')[7:]
    security_context = xssec.create_security_context(access_token, uaa_service)
    isAuthorized = security_context.check_scope('openid')
    if not isAuthorized:
        abort(403)

    return "Hello World"
    
if __name__ == '__main__':
    app.run(host='0.0.0.0',port=port)

Push your app again via:

cf push

Access the myapp application directly again, you should see 403 Forbidden error:

Of course, if you, however, access the application through the application router, you should see the Hello World.

Conclusion

This blog post shared how to leverage XSUAA service in SAP Cloud Platform to:

define scopes and add the scope checks to your services
define roles and assign them to users

Moreover, this blog post shared how to protect backend services from outside.

Until now, all the parts on the topic Develop Python App with Authentication and Authorization in Cloud Foundry have been shared.

If you would like to get more step-by-step hands-ons on SAP Cloud Platform Alibaba Cloud, please follow me!

Be the first to leave a comment

You must be Logged on to comment or reply to a post.