# common.py
import extra_streamlit_components as stx
import streamlit as st
import logging
import os

from time import time
from requests_oauthlib import OAuth2Session
from streamlit import runtime
from streamlit.runtime.scriptrunner import get_script_run_ctx
import ipaddress

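# Module-import side effect: configures the root logger at INFO (only if no
# handler is installed yet), so `logger.debug(...)` below is normally suppressed.
logging.basicConfig(level=logging.INFO)
# Bug fix: the original passed the *string* "__name__", which created a logger
# literally named "__name__" rather than one named after this module.
logger = logging.getLogger(__name__)
# Debug-level probe message ("investigation log"); not emitted at INFO.
logger.debug("調査用ログ")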

# Source-IP restriction: raw allow-list string read from the environment.
# NOTE(review): no separator format is fixed here; how this string is matched
# against the client address is decided in is_allow_ip_address() below.
ALLOW_IP_ADDRESS: str = os.environ["ALLOW_IP_ADDRESS"]

# Azure AD app registration details.
# os.environ[...] (not .get) is deliberate: a missing value raises KeyError at
# import time, so a misconfigured deployment fails fast instead of running
# with an empty client/tenant.
CLIENT_ID: str = os.environ["CLIENT_ID"]
TENANT_ID: str = os.environ["TENANT_ID"]

# Azure API endpoints (the /oauth2/v2.0 path is the v2.0 authorize endpoint).
AUTHORITY: str = f"https://login.microsoftonline.com/{TENANT_ID}"
# Passed to OAuth2Session as redirect_uri in authorization_request(); despite
# the name it presumably has to be the full redirect URI registered for the
# app — TODO confirm against the app registration.
REDIRECT_PATH: str = os.environ["REDIRECT_PATH"]
AUTHORIZATION_URL: str = f"{AUTHORITY}/oauth2/v2.0/authorize"
# Scopes requested at login: OIDC identity claims plus User.Read
# (presumably the Microsoft Graph profile-read permission).
SCOPES: list[str] = ["openid", "profile", "User.Read"]

# 認証用URL取得
def authorization_request() -> tuple[str, str]:
    """Build the Azure AD authorization URL used for the login link.

    Returns:
        ``(authorization_url, state)`` — the URL the user is sent to and the
        ``state`` value generated by ``OAuth2Session``. The caller is expected
        to persist ``state`` (check_login stores it in session state) so the
        callback handler, not shown in this file, can compare it.
    """
    session = OAuth2Session(CLIENT_ID, redirect_uri=REDIRECT_PATH, scope=SCOPES)
    url, state = session.authorization_url(AUTHORIZATION_URL)
    return url, state

# 接続元IP取得
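def get_remote_ip() -> str:
    """Return the peer IP address of the current Streamlit session.

    Looks up the client of the running script via the Streamlit runtime and
    reads the address of the underlying HTTP request.

    Raises:
        RuntimeError: when called outside a running Streamlit script (no
            script-run context) or when the runtime has no client for the
            session. Previously both cases surfaced as an ``AttributeError``
            on ``None``; the explicit error keeps the failure closed but
            makes the cause obvious.

    NOTE(review): ``request.remote_ip`` is the TCP peer address. Behind a
    reverse proxy or load balancer this is the proxy's address, not the end
    user's, so any IP-based access decision built on it must account for the
    deployment topology.
    """
    ctx = get_script_run_ctx()
    if ctx is None:
        raise RuntimeError("get_remote_ip() called outside a Streamlit script run")
    client = runtime.get_instance().get_client(ctx.session_id)
    if client is None:
        raise RuntimeError(f"no Streamlit client for session {ctx.session_id}")
    return client.request.remote_ip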

# 接続元IP許可判定
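def is_allow_ip_address() -> bool:
    """Decide whether the current client's source IP may use the app.

    Allowed, in order of checking:
      1. IPv6 loopback ``::1`` (local development);
      2. any address ``ipaddress`` classifies as private (this also covers
         IPv4 loopback 127.0.0.0/8);
      3. an address contained in ``ALLOW_IP_ADDRESS``.

    ``ALLOW_IP_ADDRESS`` is read as a comma- and/or whitespace-separated list
    of single IP addresses or CIDR networks (a bare address acts as a /32 or
    /128). Entries that do not parse are logged and ignored.

    Fixes versus the previous version:
      * the allow-list test was ``remote_ip in ALLOW_IP_ADDRESS`` — a
        substring match on the raw string, so ``1.2.3.4`` was accepted when
        the list contained ``11.2.3.45``; entries are now parsed and matched
        as addresses/networks;
      * a non-loopback IPv6 client raised ``AddressValueError`` from
        ``IPv4Address``; unparseable addresses now fail closed (``False``).

    NOTE(review): the address comes from ``get_remote_ip()``, i.e. the TCP
    peer. Behind a reverse proxy that is the proxy's (often private) address,
    which rule 2 would accept for every user — confirm the deployment
    topology before relying on this check.

    Returns:
        ``True`` if the client may proceed, ``False`` otherwise.
    """
    remote_ip = get_remote_ip()
    logger.info("remote_ip %s", remote_ip)

    # localhost
    if remote_ip == "::1":
        return True

    try:
        ipaddr = ipaddress.ip_address(remote_ip)
    except ValueError:
        # Unknown/unparseable source: deny rather than crash.
        logger.warning("unparseable remote_ip %r; denying", remote_ip)
        return False

    # Dual-stack listeners may report IPv4 clients as IPv4-mapped IPv6
    # (::ffff:a.b.c.d). Unmap before classifying: some Python versions treat
    # every mapped address as private, which would pass any IPv4 client.
    mapped = getattr(ipaddr, "ipv4_mapped", None)
    if mapped is not None:
        ipaddr = mapped
    logger.info("ipaddr %s", ipaddr)

    # Private address space as classified by the ipaddress module.
    if ipaddr.is_private:
        return True

    # Explicit allow list: parsed entries, not substring matching.
    for entry in ALLOW_IP_ADDRESS.replace(",", " ").split():
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            logger.warning("ignoring invalid ALLOW_IP_ADDRESS entry %r", entry)
            continue
        # `in` is False across IP versions, so no mixed-version false matches.
        if ipaddr in network:
            return True
    return False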

#ログインの確認
def check_login():
    # 接続元IP許可判定
    if not is_allow_ip_address():
        st.title("HTTP 403 Forbidden")
        return

    if "token" not in st.session_state or st.session_state["token"] is None or float(st.session_state["token_expires"]) <= time():
        # 認証用リンク表示
        authorization_url, st.session_state["authorization_state"] = authorization_request()
        st.markdown(f'[Click here to log in]({authorization_url})', unsafe_allow_html=True)
        st.stop()