feat: basic RBAC support

This commit is contained in:
Timothy J. Baek 2023-11-18 21:41:43 -08:00
parent 921eef03b3
commit 8547b7807d
13 changed files with 266 additions and 44 deletions

View file

@ -8,7 +8,7 @@ import json
from apps.web.models.users import Users
from constants import ERROR_MESSAGES
from utils import extract_token_from_auth_header
from utils.utils import extract_token_from_auth_header
from config import OLLAMA_API_BASE_URL, OLLAMA_WEBUI_AUTH
app = Flask(__name__)
@ -25,24 +25,37 @@ TARGET_SERVER_URL = OLLAMA_API_BASE_URL
def proxy(path):
# Combine the base URL of the target server with the requested path
target_url = f"{TARGET_SERVER_URL}/{path}"
print(target_url)
print(path)
# Get data from the original request
data = request.get_data()
headers = dict(request.headers)
# Basic RBAC support
if OLLAMA_WEBUI_AUTH:
if "Authorization" in headers:
token = extract_token_from_auth_header(headers["Authorization"])
user = Users.get_user_by_token(token)
if user:
print(user)
# Only user and admin roles can access
if user.role in ["user", "admin"]:
if path in ["pull", "delete", "push", "copy", "create"]:
# Only admin role can perform actions above
if user.role == "admin":
pass
else:
return (
jsonify({"detail": ERROR_MESSAGES.ACCESS_PROHIBITED}),
401,
)
else:
pass
else:
return jsonify({"detail": ERROR_MESSAGES.ACCESS_PROHIBITED}), 401
else:
return jsonify({"detail": ERROR_MESSAGES.UNAUTHORIZED}), 401
else:
return jsonify({"detail": ERROR_MESSAGES.UNAUTHORIZED}), 401
else:
pass

View file

@ -5,7 +5,7 @@ import uuid
from apps.web.models.users import UserModel, Users
from utils import (
from utils.utils import (
verify_password,
get_password_hash,
bearer_scheme,
@ -43,6 +43,7 @@ class UserResponse(BaseModel):
email: str
name: str
role: str
profile_image_url: str
class SigninResponse(Token, UserResponse):
@ -66,7 +67,7 @@ class AuthsTable:
self.table = db.auths
def insert_new_auth(
self, email: str, password: str, name: str, role: str = "user"
self, email: str, password: str, name: str, role: str = "pending"
) -> Optional[UserModel]:
print("insert_new_auth")

View file

@ -3,7 +3,9 @@ from typing import List, Union, Optional
from pymongo import ReturnDocument
import time
from utils import decode_token
from utils.utils import decode_token
from utils.misc import get_gravatar_url
from config import DB
####################
@ -15,7 +17,8 @@ class UserModel(BaseModel):
id: str
name: str
email: str
role: str = "user"
role: str = "pending"
profile_image_url: str = "/user.png"
created_at: int # timestamp in epoch
@ -30,7 +33,7 @@ class UsersTable:
self.table = db.users
def insert_new_user(
self, id: str, name: str, email: str, role: str = "user"
self, id: str, name: str, email: str, role: str = "pending"
) -> Optional[UserModel]:
user = UserModel(
**{
@ -38,6 +41,7 @@ class UsersTable:
"name": name,
"email": email,
"role": role,
"profile_image_url": get_gravatar_url(email),
"created_at": int(time.time()),
}
)

View file

@ -9,12 +9,14 @@ import time
import uuid
from constants import ERROR_MESSAGES
from utils import (
from utils.utils import (
get_password_hash,
bearer_scheme,
create_token,
)
from utils.misc import get_gravatar_url
from apps.web.models.auths import (
SigninForm,
SignupForm,
@ -45,10 +47,12 @@ async def get_session_user(cred=Depends(bearer_scheme)):
"email": user.email,
"name": user.name,
"role": user.role,
"profile_image_url": user.profile_image_url,
}
else:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=ERROR_MESSAGES.INVALID_TOKEN,
)
@ -70,9 +74,10 @@ async def signin(form_data: SigninForm):
"email": user.email,
"name": user.name,
"role": user.role,
"profile_image_url": user.profile_image_url,
}
else:
raise HTTPException(400, detail=ERROR_MESSAGES.DEFAULT())
raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
############################
@ -98,6 +103,7 @@ async def signup(form_data: SignupForm):
"email": user.email,
"name": user.name,
"role": user.role,
"profile_image_url": user.profile_image_url,
}
else:
raise HTTPException(500, detail=ERROR_MESSAGES.DEFAULT(err))

View file

@ -7,7 +7,12 @@ class MESSAGES(str, Enum):
class ERROR_MESSAGES(str, Enum):
DEFAULT = lambda err="": f"Something went wrong :/\n{err if err else ''}"
INVALID_TOKEN = (
"Your session has expired or the token is invalid. Please sign in again."
)
INVALID_CRED = "The email or password provided is incorrect. Please check for typos and try logging in again."
UNAUTHORIZED = "401 Unauthorized"
ACCESS_PROHIBITED = "You do not have permission to access this resource. Please contact your administrator for assistance."
NOT_FOUND = "We could not find what you're looking for :/"
USER_NOT_FOUND = "We could not find what you're looking for :/"
MALICIOUS = "Unusual activities detected, please try again in a few minutes."

15
backend/utils/misc.py Normal file
View file

@ -0,0 +1,15 @@
import hashlib
def get_gravatar_url(email):
# Trim leading and trailing whitespace from
# an email address and force all characters
# to lower case
address = str(email).strip().lower()
# Create a SHA256 hash of the final string
hash_object = hashlib.sha256(address.encode())
hash_hex = hash_object.hexdigest()
# Grab the actual image URL
return f"https://www.gravatar.com/avatar/{hash_hex}"

View file

@ -149,6 +149,10 @@
if (data.error) {
throw data.error;
}
if (data.detail) {
throw data.detail;
}
if (data.status) {
if (!data.status.includes('downloading')) {
toast.success(data.status);
@ -206,6 +210,10 @@
if (data.error) {
throw data.error;
}
if (data.detail) {
throw data.detail;
}
if (data.status) {
}
} else {

View file

@ -388,17 +388,17 @@
{#if $user !== undefined}
<button
class=" flex rounded-md py-3 px-3.5 w-full hover:bg-gray-900 transition"
on:focus={() => {
showDropdown = true;
on:click={() => {
showDropdown = !showDropdown;
}}
on:focusout={() => {
setTimeout(() => {
showDropdown = false;
}, 100);
}, 150);
}}
>
<div class=" self-center mr-3">
<img src="/user.png" class=" max-w-[30px] object-cover rounded-full" />
<img src={$user.profile_image_url} class=" max-w-[30px] object-cover rounded-full" />
</div>
<div class=" self-center font-semibold">{$user.name}</div>
</button>
@ -406,7 +406,7 @@
{#if showDropdown}
<div
id="dropdownDots"
class="absolute z-10 bottom-[4.5rem] rounded-lg shadow w-[240px] bg-gray-900"
class="absolute z-10 bottom-[70px] 4.5rem rounded-lg shadow w-[240px] bg-gray-900"
>
<div class="py-2 w-full">
<button
@ -440,14 +440,14 @@
</button>
</div>
<hr class=" dark:border-gray-700 m-0 p-0" />
<hr class=" border-gray-700 m-0 p-0" />
<div class="py-2 w-full">
<button
class="flex py-2.5 px-3.5 w-full hover:bg-gray-800 transition"
on:click={() => {
localStorage.removeItem('token');
location.href = '/';
location.href = '/auth';
}}
>
<div class=" self-center mr-3">

View file

@ -1,12 +1,19 @@
<script>
import { config, user } from '$lib/stores';
import { goto } from '$app/navigation';
import { onMount, tick } from 'svelte';
let loaded = false;
onMount(async () => {
if ($config && $config.auth && $user === undefined) {
goto('/auth');
await goto('/auth');
}
await tick();
loaded = true;
});
</script>
{#if $config !== undefined}
{#if loaded}
<slot />
{/if}

View file

@ -16,7 +16,7 @@
import Navbar from '$lib/components/layout/Navbar.svelte';
import SettingsModal from '$lib/components/chat/SettingsModal.svelte';
import Suggestions from '$lib/components/chat/Suggestions.svelte';
import { user } from '$lib/stores';
import { config, user } from '$lib/stores';
let API_BASE_URL = BUILD_TIME_API_BASE_URL;
let db;
@ -1224,14 +1224,27 @@
<div class="flex justify-between px-5 mb-3 max-w-3xl mx-auto rounded-lg group">
<div class=" flex w-full">
<div class=" mr-4">
{#if message.role === 'user'}
{#if $config === null}
<img
src="{message.role == 'user'
? settings.gravatarUrl
? settings.gravatarUrl
: '/user'
: '/favicon'}.png"
src="{settings.gravatarUrl ? settings.gravatarUrl : '/user'}.png"
class=" max-w-[28px] object-cover rounded-full"
alt="User profile"
/>
{:else}
<img
src={$user.profile_image_url}
class=" max-w-[28px] object-cover rounded-full"
alt="User profile"
/>
{/if}
{:else}
<img
src="/favicon.png"
class=" max-w-[28px] object-cover rounded-full"
alt="Ollama profile"
/>
{/if}
</div>
<div class="w-full">

View file

@ -11,7 +11,7 @@
let loaded = false;
onMount(async () => {
const webBackendStatus = await fetch(`${WEBUI_API_BASE_URL}/`, {
const resBackend = await fetch(`${WEBUI_API_BASE_URL}/`, {
method: 'GET',
headers: {
'Content-Type': 'application/json'
@ -26,11 +26,11 @@
return null;
});
console.log(webBackendStatus);
await config.set(webBackendStatus);
console.log(resBackend);
await config.set(resBackend);
if (webBackendStatus) {
if (webBackendStatus.auth) {
if ($config) {
if ($config.auth) {
if (localStorage.token) {
const res = await fetch(`${WEBUI_API_BASE_URL}/auths`, {
method: 'GET',
@ -49,9 +49,14 @@
return null;
});
if (res) {
await user.set(res);
} else {
goto('/auth');
localStorage.removeItem('token');
await goto('/auth');
}
} else {
await goto('/auth');
}
}
}

View file

@ -2,8 +2,10 @@
import { goto } from '$app/navigation';
import { WEBUI_API_BASE_URL } from '$lib/constants';
import { config, user } from '$lib/stores';
import { onMount } from 'svelte';
import toast from 'svelte-french-toast';
let loaded = false;
let mode = 'signin';
let name = '';
@ -33,7 +35,7 @@
if (res) {
console.log(res);
toast.success(`You're now logged in. Redirecting you to the main page."`);
toast.success(`You're now logged in. Redirecting you to the main page.`);
localStorage.token = res.token;
await user.set(res);
goto('/');
@ -71,12 +73,15 @@
}
};
onMount(async () => {
if ($config === null || !$config.auth || ($config.auth && $user !== undefined)) {
goto('/');
await goto('/');
}
loaded = true;
});
</script>
{#if $config && $config.auth}
{#if loaded && $config && $config.auth}
<div class="fixed m-10 z-50">
<div class="flex space-x-2">
<div class=" self-center">
@ -1065,6 +1070,146 @@
</div>
</div>
<div class=" my-auto pb-36 w-full px-4">
<div class=" text-center flex flex-col justify-center">
<div class=" text-xl md:text-2xl font-bold">Get Started</div>
<div
class=" mt-4 flex flex-col md:flex-row space-y-2 md:space-y-0 md:space-x-1 px-3 justify-center"
>
<button class=" flex-1 px-4 py-3.5 bg-blue-700 text-white font-medium rounded-lg">
Log in
</button>
<button class=" flex-1 px-4 py-3.5 bg-blue-700 text-white font-medium rounded-lg">
Sign up
</button>
</div>
</div>
</div>
</div> -->
<!-- <div class=" bg-white min-h-screen w-full flex flex-col">
<div class=" mt-6 mx-6">
<div class="flex space-x-2">
<div class=" self-center text-2xl font-semibold">Ollama</div>
<div class=" self-center">
<img src="/ollama.png" class=" w-5" />
</div>
</div>
</div>
<div class=" my-auto pb-36 w-full px-4">
<div class=" text-center flex flex-col justify-center">
<div class=" text-xl md:text-2xl font-bold">Get Started</div>
<div
class=" mt-4 flex flex-col md:flex-row space-y-2 md:space-y-0 md:space-x-1 px-3 justify-center"
>
<button class=" flex-1 px-4 py-3.5 bg-blue-700 text-white font-medium rounded-lg">
Log in
</button>
<button class=" flex-1 px-4 py-3.5 bg-blue-700 text-white font-medium rounded-lg">
Sign up
</button>
</div>
</div>
</div>
</div> -->
<!-- <div class=" bg-white min-h-screen w-full flex flex-col">
<div class=" mt-6 mx-6">
<div class="flex space-x-2">
<div class=" self-center text-2xl font-semibold">Ollama</div>
<div class=" self-center">
<img src="/ollama.png" class=" w-5" />
</div>
</div>
</div>
<div class=" my-auto pb-36 w-full px-4">
<div class=" text-center flex flex-col justify-center">
<div class=" text-xl md:text-2xl font-bold">Get Started</div>
<div
class=" mt-4 flex flex-col md:flex-row space-y-2 md:space-y-0 md:space-x-1 px-3 justify-center"
>
<button class=" flex-1 px-4 py-3.5 bg-blue-700 text-white font-medium rounded-lg">
Log in
</button>
<button class=" flex-1 px-4 py-3.5 bg-blue-700 text-white font-medium rounded-lg">
Sign up
</button>
</div>
</div>
</div>
</div> -->
<!-- <div class=" bg-white min-h-screen w-full flex flex-col">
<div class=" mt-6 mx-6">
<div class="flex space-x-2">
<div class=" self-center text-2xl font-semibold">Ollama</div>
<div class=" self-center">
<img src="/ollama.png" class=" w-5" />
</div>
</div>
</div>
<div class=" my-auto pb-36 w-full px-4">
<div class=" text-center flex flex-col justify-center">
<div class=" text-xl md:text-2xl font-bold">Get Started</div>
<div
class=" mt-4 flex flex-col md:flex-row space-y-2 md:space-y-0 md:space-x-1 px-3 justify-center"
>
<button class=" flex-1 px-4 py-3.5 bg-blue-700 text-white font-medium rounded-lg">
Log in
</button>
<button class=" flex-1 px-4 py-3.5 bg-blue-700 text-white font-medium rounded-lg">
Sign up
</button>
</div>
</div>
</div>
</div> -->
<!-- <div class=" bg-white min-h-screen w-full flex flex-col">
<div class=" mt-6 mx-6">
<div class="flex space-x-2">
<div class=" self-center text-2xl font-semibold">Ollama</div>
<div class=" self-center">
<img src="/ollama.png" class=" w-5" />
</div>
</div>
</div>
<div class=" my-auto pb-36 w-full px-4">
<div class=" text-center flex flex-col justify-center">
<div class=" text-xl md:text-2xl font-bold">Get Started</div>
<div
class=" mt-4 flex flex-col md:flex-row space-y-2 md:space-y-0 md:space-x-1 px-3 justify-center"
>
<button class=" flex-1 px-4 py-3.5 bg-blue-700 text-white font-medium rounded-lg">
Log in
</button>
<button class=" flex-1 px-4 py-3.5 bg-blue-700 text-white font-medium rounded-lg">
Sign up
</button>
</div>
</div>
</div>
</div> -->
<!-- <div class=" bg-white min-h-screen w-full flex flex-col">
<div class=" mt-6 mx-6">
<div class="flex space-x-2">
<div class=" self-center text-2xl font-semibold">Ollama</div>
<div class=" self-center">
<img src="/ollama.png" class=" w-5" />
</div>
</div>
</div>
<div class=" my-auto pb-36 w-full px-4">
<div class=" text-center flex flex-col justify-center">
<div class=" text-xl md:text-2xl font-bold">Get Started</div>