osm_nbi/authconn_tacacs.py - osm/NBI - Gitiles

 # -*- coding: utf-8 -*-

 # Copyright 2020 TATA ELXSI
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
 # a copy of the License at
 #
 #         http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
 #
 # For those usages not covered by the Apache License, Version 2.0 please
 # contact: saikiran.k@tataelxsi.co.in
 ##


 """
 AuthconnTacacs implements implements the connector for TACACS.
 Leverages AuthconnInternal for token lifecycle management and the RBAC model.

 When NBI bootstraps, it tries to create admin user with admin role associated to admin project.
 Hence, the TACACS server should contain admin user.
 """

 __author__ = "K Sai Kiran <saikiran.k@tataelxsi.co.in>"
 __date__ = "$11-Nov-2020 11:04:00$"


 from osm_nbi.authconn import Authconn, AuthException
 from osm_nbi.authconn_internal import AuthconnInternal
 from osm_nbi.base_topic import BaseTopic

 import logging
 from time import time
 from http import HTTPStatus

 # TACACS+ Library
 from tacacs_plus.client import TACACSClient


 class AuthconnTacacs(AuthconnInternal):
     token_time_window = 2
     token_delay = 1

     tacacs_def_port = 49
     tacacs_def_timeout = 10
     users_collection = "users_tacacs"
     roles_collection = "roles_tacacs"
     projects_collection = "projects_tacacs"
     tokens_collection = "tokens_tacacs"

     def __init__(self, config, db, role_permissions):
         """
         Constructor to initialize db and TACACS server attributes to members.
         """
         Authconn.__init__(self, config, db, role_permissions)
         self.logger = logging.getLogger("nbi.authenticator.tacacs")
         self.db = db
         self.tacacs_host = config["tacacs_host"]
         self.tacacs_secret = config["tacacs_secret"]
         self.tacacs_port = config["tacacs_port"] if config.get("tacacs_port") else self.tacacs_def_port
         self.tacacs_timeout = config["tacacs_timeout"] if config.get("tacacs_timeout") else self.tacacs_def_timeout
         self.tacacs_cli = TACACSClient(self.tacacs_host, self.tacacs_port, self.tacacs_secret,
                                        self.tacacs_timeout)

     def validate_user(self, user, password):
         """
         """
         now = time()
         try:
             tacacs_authen = self.tacacs_cli.authenticate(user, password)
         except Exception as e:
             raise AuthException("TACACS server error: {}".format(e), http_code=HTTPStatus.UNAUTHORIZED)
         user_content = None
         user_rows = self.db.get_list(self.users_collection, {BaseTopic.id_field("users", user): user})
         if not tacacs_authen.valid:
             if user_rows:
                 # To remove TACACS stale user from system.
                 self.delete_user(user_rows[0][BaseTopic.id_field("users", user)])
             return user_content
         if user_rows:
             user_content = user_rows[0]
         else:
             new_user = {'username': user,
                         'password': password,
                         '_admin': {
                             'created': now,
                             'modified': now
                         },
                         'project_role_mappings': []
                         }
             user_content = self.create_user(new_user)
         return user_content

     def create_user(self, user_info):
         """
         Validates user credentials in TACACS and add user.

         :param user_info: Full user information in dict.
         :return: returns username and id if credentails are valid. Otherwise, raise exception
         """
         BaseTopic.format_on_new(user_info, make_public=False)
         try:
             authen = self.tacacs_cli.authenticate(user_info["username"], user_info["password"])
             if authen.valid:
                 user_info.pop("password")
                 self.db.create(self.users_collection, user_info)
             else:
                 raise AuthException("TACACS server error: Invalid credentials", http_code=HTTPStatus.FORBIDDEN)
         except Exception as e:
             raise AuthException("TACACS server error: {}".format(e), http_code=HTTPStatus.BAD_REQUEST)
         return {"username": user_info["username"], "_id": user_info["_id"]}

     def update_user(self, user_info):
         """
         Updates user information, in particular for add/remove of project and role mappings.
         Does not allow change of username or password.

         :param user_info: Full user information in dict.
         :return: returns None for successful add/remove of project and role map.
         """
         if(user_info.get("username")):
             raise AuthException("Can not update username of this user", http_code=HTTPStatus.FORBIDDEN)
         if(user_info.get("password")):
             raise AuthException("Can not update password of this user", http_code=HTTPStatus.FORBIDDEN)
         super(AuthconnTacacs, self).update_user(user_info)
	# -- coding: utf-8 --

	# Copyright 2020 TATA ELXSI
	#
	# Licensed under the Apache License, Version 2.0 (the "License"); you may
	# not use this file except in compliance with the License. You may obtain
	# a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
	# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
	# License for the specific language governing permissions and limitations
	# under the License.
	#
	# For those usages not covered by the Apache License, Version 2.0 please
	# contact: saikiran.k@tataelxsi.co.in
	##


	"""
	AuthconnTacacs implements implements the connector for TACACS.
	Leverages AuthconnInternal for token lifecycle management and the RBAC model.

	When NBI bootstraps, it tries to create admin user with admin role associated to admin project.
	Hence, the TACACS server should contain admin user.
	"""

	__author__ = "K Sai Kiran <saikiran.k@tataelxsi.co.in>"
	__date__ = "$11-Nov-2020 11:04:00$"


	from osm_nbi.authconn import Authconn, AuthException
	from osm_nbi.authconn_internal import AuthconnInternal
	from osm_nbi.base_topic import BaseTopic

	import logging
	from time import time
	from http import HTTPStatus

	# TACACS+ Library
	from tacacs_plus.client import TACACSClient


	class AuthconnTacacs(AuthconnInternal):
	token_time_window = 2
	token_delay = 1

	tacacs_def_port = 49
	tacacs_def_timeout = 10
	users_collection = "users_tacacs"
	roles_collection = "roles_tacacs"
	projects_collection = "projects_tacacs"
	tokens_collection = "tokens_tacacs"

	def __init__(self, config, db, role_permissions):
	"""
	Constructor to initialize db and TACACS server attributes to members.
	"""
	Authconn.__init__(self, config, db, role_permissions)
	self.logger = logging.getLogger("nbi.authenticator.tacacs")
	self.db = db
	self.tacacs_host = config["tacacs_host"]
	self.tacacs_secret = config["tacacs_secret"]
	self.tacacs_port = config["tacacs_port"] if config.get("tacacs_port") else self.tacacs_def_port
	self.tacacs_timeout = config["tacacs_timeout"] if config.get("tacacs_timeout") else self.tacacs_def_timeout
	self.tacacs_cli = TACACSClient(self.tacacs_host, self.tacacs_port, self.tacacs_secret,
	self.tacacs_timeout)

	def validate_user(self, user, password):
	"""
	"""
	now = time()
	try:
	tacacs_authen = self.tacacs_cli.authenticate(user, password)
	except Exception as e:
	raise AuthException("TACACS server error: {}".format(e), http_code=HTTPStatus.UNAUTHORIZED)
	user_content = None
	user_rows = self.db.get_list(self.users_collection, {BaseTopic.id_field("users", user): user})
	if not tacacs_authen.valid:
	if user_rows:
	# To remove TACACS stale user from system.
	self.delete_user(user_rows[0][BaseTopic.id_field("users", user)])
	return user_content
	if user_rows:
	user_content = user_rows[0]
	else:
	new_user = {'username': user,
	'password': password,
	'_admin': {
	'created': now,
	'modified': now
	},
	'project_role_mappings': []
	}
	user_content = self.create_user(new_user)
	return user_content

	def create_user(self, user_info):
	"""
	Validates user credentials in TACACS and add user.

	:param user_info: Full user information in dict.
	:return: returns username and id if credentails are valid. Otherwise, raise exception
	"""
	BaseTopic.format_on_new(user_info, make_public=False)
	try:
	authen = self.tacacs_cli.authenticate(user_info["username"], user_info["password"])
	if authen.valid:
	user_info.pop("password")
	self.db.create(self.users_collection, user_info)
	else:
	raise AuthException("TACACS server error: Invalid credentials", http_code=HTTPStatus.FORBIDDEN)
	except Exception as e:
	raise AuthException("TACACS server error: {}".format(e), http_code=HTTPStatus.BAD_REQUEST)
	return {"username": user_info["username"], "_id": user_info["_id"]}

	def update_user(self, user_info):
	"""
	Updates user information, in particular for add/remove of project and role mappings.
	Does not allow change of username or password.

	:param user_info: Full user information in dict.
	:return: returns None for successful add/remove of project and role map.
	"""
	if(user_info.get("username")):
	raise AuthException("Can not update username of this user", http_code=HTTPStatus.FORBIDDEN)
	if(user_info.get("password")):
	raise AuthException("Can not update password of this user", http_code=HTTPStatus.FORBIDDEN)
	super(AuthconnTacacs, self).update_user(user_info)