from . import app
from . import backend
+from .. import users
+
# Fetch Kerberos configuration
KERBEROS_KEYTAB = backend.config.get("krb5", "keytab")
KERBEROS_REALM = backend.config.get("krb5", "realm", fallback="IPFIRE.ORG")
# Class to extract the Bearer token from the request headers
security = fastapi.security.HTTPBearer()
-def get_current_principal(
+async def get_current_principal(
credentials: fastapi.security.HTTPAuthorizationCredentials = fastapi.Depends(security)
-):
+) -> users.User:
"""
This is the main function to check whether a client is authenticated.
It will fetch the Bearer token from the request header and return the
principal.
"""
- return get_principal(credentials.credentials)
+ # Fetch the principal
+ principal = get_principal(credentials.credentials)
+
+ # Do nothing further if we could not fetch any credentials
+ if not principal:
+ return
+
+ # Strip off the realm
+ principal, _, realm = principal.rpartition("@")
+
+ # Fail if the realm does not match
+ if not realm == KERBEROS_REALM:
+ raise fastapi.HTTPException(401)
+
+ # Fetch the user object
+ user = await backend.users.get_by_name(principal)
+
+ # Fail if no user could be found
+ if not user:
+ raise fastapi.HTTPException(401)
+
+ return user
class AuthResponse(pydantic.BaseModel):
# Token Type
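Review bot: The `if not principal: return` branch in `get_current_principal` hands `None` to the route handler instead of rejecting the request, while the realm-mismatch and unknown-user branches just below it both raise 401. The function is annotated `-> users.User`, so a handler that trusts the annotation and skips a `None` check would run without an authenticated user. `get_principal` is not visible in this hunk; unless it already raises on an invalid or expired token, this branch should fail closed with `raise fastapi.HTTPException(401)`. If anonymous access is intended, annotate the return as `users.User | None` and say in the docstring that callers must handle `None`.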