airflow/www/extensions/init_security.py - airflow - Git at Google

 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 from __future__ import annotations

 import logging
 from importlib import import_module

 from flask import redirect, request

 from airflow.configuration import conf
 from airflow.exceptions import AirflowConfigException, AirflowException
 from airflow.www.extensions.init_auth_manager import get_auth_manager

 log = logging.getLogger(__name__)


 def init_xframe_protection(app):
     """
     Add X-Frame-Options header.

     Use it to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

     See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
     """
     x_frame_enabled = conf.getboolean("webserver", "X_FRAME_ENABLED", fallback=True)
     if x_frame_enabled:
         return

     def apply_caching(response):
         response.headers["X-Frame-Options"] = "DENY"
         return response

     app.after_request(apply_caching)


 def init_api_experimental_auth(app):
     """Load authentication backends."""
     auth_backends = "airflow.api.auth.backend.default"
     try:
         auth_backends = conf.get("api", "auth_backends")
     except AirflowConfigException:
         pass

     app.api_auth = []
     try:
         for backend in auth_backends.split(","):
             auth = import_module(backend.strip())
             auth.init_app(app)
             app.api_auth.append(auth)
     except ImportError as err:
         log.critical("Cannot import %s for API authentication due to: %s", backend, err)
         raise AirflowException(err)


 def init_cache_control(app):
     def apply_cache_control(response):
         if "Cache-Control" not in response.headers:
             response.headers["Cache-Control"] = "no-store"
         return response

     app.after_request(apply_cache_control)


 def init_check_user_active(app):
     @app.before_request
     def check_user_active():
         url_logout = get_auth_manager().get_url_logout()
         if request.path == url_logout:
             return
         if get_auth_manager().is_logged_in() and not get_auth_manager().get_user().is_active:
             return redirect(url_logout)
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	from __future__ import annotations

	import logging
	from importlib import import_module

	from flask import redirect, request

	from airflow.configuration import conf
	from airflow.exceptions import AirflowConfigException, AirflowException
	from airflow.www.extensions.init_auth_manager import get_auth_manager

	log = logging.getLogger(__name__)


	def init_xframe_protection(app):
	"""
	Add X-Frame-Options header.

	Use it to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

	See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
	"""
	x_frame_enabled = conf.getboolean("webserver", "X_FRAME_ENABLED", fallback=True)
	if x_frame_enabled:
	return

	def apply_caching(response):
	response.headers["X-Frame-Options"] = "DENY"
	return response

	app.after_request(apply_caching)


	def init_api_experimental_auth(app):
	"""Load authentication backends."""
	auth_backends = "airflow.api.auth.backend.default"
	try:
	auth_backends = conf.get("api", "auth_backends")
	except AirflowConfigException:
	pass

	app.api_auth = []
	try:
	for backend in auth_backends.split(","):
	auth = import_module(backend.strip())
	auth.init_app(app)
	app.api_auth.append(auth)
	except ImportError as err:
	log.critical("Cannot import %s for API authentication due to: %s", backend, err)
	raise AirflowException(err)


	def init_cache_control(app):
	def apply_cache_control(response):
	if "Cache-Control" not in response.headers:
	response.headers["Cache-Control"] = "no-store"
	return response

	app.after_request(apply_cache_control)


	def init_check_user_active(app):
	@app.before_request
	def check_user_active():
	url_logout = get_auth_manager().get_url_logout()
	if request.path == url_logout:
	return
	if get_auth_manager().is_logged_in() and not get_auth_manager().get_user().is_active:
	return redirect(url_logout)