Incorporated OIDC for authenticating towards Azure in GH Action

hvalfangst · hvalfangst · commit e9d9327f47e7 · 2024-12-26T14:07:34.000+01:00
diff --git a/hvalfangst_function/function_app.py b/hvalfangst_function/function_app.py
@@ -1,8 +1,11 @@
-import logging
 import json
-import pandas as pd
-import azure.functions as func
+import logging
+import os
 from io import StringIO
+
+import azure.functions as func
+import jwt
+import pandas as pd
 from sklearn.preprocessing import LabelEncoder
 
 # Decree and declare our project as an Azure Function App subsidiary
@@ -60,10 +63,25 @@ def blob_trigger(inbound: func.InputStream, outbound: func.Out[str]):
         return f"Error: {str(e)}"
 
 
+def validate_jwt(token: str, audience: str) -> bool:
+    try:
+        decoded = jwt.decode(token, audience=audience, options={"verify_signature": False})
+        # Optionally check claims like roles or scopes
+        return True
+    except Exception as e:
+        logging.error(f"JWT validation failed: {e}")
+        return False
+
+
 @app.route(route="upload_csv", auth_level=func.AuthLevel.ANONYMOUS)
-@app.blob_output(arg_name="outbound", path="hvalfangstcontainer/in/input.csv", connection="") # AzureWebJobsStorage
+@app.blob_output(arg_name="outbound", path="hvalfangstcontainer/in/input.csv", connection="AzureWebJobsStorage")
 def upload_csv(req: func.HttpRequest, outbound: func.Out[str]) -> str:
     try:
+
+        token = req.headers.get("Authorization").split(" ")[1]  # Extract Bearer token
+        if not validate_jwt(token, audience=os.environ.get("FUNCTION_APP_CLIENT_ID")):
+            return func.HttpResponse("Unauthorized", status_code=401)
+
         logging.info("Received HTTP request to upload CSV")
 
         # Parse raw bytes derived from request body to string
