Blame - osm_nbi/auth.py - osm/NBI

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

1

# -*- coding: utf-8 -*-

2

3

"""

4

Authenticator is responsible for authenticating the users,

5

create the tokens unscoped and scoped, retrieve the role

6

list inside the projects that they are inserted

7

"""

8

9

__author__ = "Eduardo Sousa <esousa@whitestack.com>"

10

__date__ = "$27-jul-2018 23:59:59$"

11

12

import logging

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

13

from base64 import standard_b64decode

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

14

from copy import deepcopy

15

from functools import reduce

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

16

from http import HTTPStatus

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

17

from time import time

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

18

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

19

import cherrypy

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

20

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

21

from authconn import AuthException

22

from authconn_keystone import AuthconnKeystone

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

23

from engine import EngineException

24

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

25

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

26

class Authenticator:

27

"""

28

This class should hold all the mechanisms for User Authentication and

29

Authorization. Initially it should support Openstack Keystone as a

30

backend through a plugin model where more backends can be added and a

31

RBAC model to manage permissions on operations.

32

"""

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

33

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

34

def __init__(self, engine):

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

35

"""

36

Authenticator initializer. Setup the initial state of the object,

37

while it waits for the config dictionary and database initialization.

38

39

Note: engine is only here until all the calls can to it can be replaced.

40

41

:param engine: reference to engine object used.

42

"""

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

super().__init__()

self.engine = engine

Eduardo Sousa

2018-07-31 01:20:02 +0100

[diff] [blame^]

self.backend = None

self.config = None

self.db = None

self.tokens = dict()

self.logger = logging.getLogger("nbi.authenticator")

52

53

def start(self, config):

54

"""

55

Method to configure the Authenticator object. This method should be called

56

after object creation. It is responsible by initializing the selected backend,

57

as well as the initialization of the database connection.

58

59

:param config: dictionary containing the relevant parameters for this object.

"""

self.config = config

try:

if not self.backend:

if config["authentication"]["backend"] == "keystone":

66

self.backend = AuthconnKeystone(self.config["authentication"])

67

elif config["authentication"]["backend"] == "internal":

68

pass

69

else:

70

raise Exception("No authentication backend defined")

71

if not self.db:

72

pass

73

# TODO: Implement database initialization

74

# NOTE: Database needed to store the mappings

75

except Exception as e:

76

raise AuthException(str(e))

77

78

def init_db(self, target_version='1.0'):

79

"""

80

Check if the database has been initialized. If not, create the required tables

81

and insert the predefined mappings between roles and permissions.

82

83

:param target_version: schema version that should be present in the database.

84

:return: None if OK, exception if error or version is different.

"""

pass

Eduardo Sousa

2018-07-26 01:04:11 +0100

[diff] [blame]

def authorize(self):

token = None

user_passwd64 = None

try:

# 1. Get token Authorization bearer

93

auth = cherrypy.request.headers.get("Authorization")

94

if auth:

95

auth_list = auth.split(" ")

96

if auth_list[0].lower() == "bearer":

97

token = auth_list[-1]

98

elif auth_list[0].lower() == "basic":

99

user_passwd64 = auth_list[-1]

100

if not token:

101

if cherrypy.session.get("Authorization"):

102

# 2. Try using session before request a new token. If not, basic authentication will generate

103

token = cherrypy.session.get("Authorization")

104

if token == "logout":

105

token = None # force Unauthorized response to insert user pasword again

106

elif user_passwd64 and cherrypy.request.config.get("auth.allow_basic_authentication"):

107

# 3. Get new token from user password

user = None

passwd = None

try:

user_passwd = standard_b64decode(user_passwd64).decode()

112

user, _, passwd = user_passwd.partition(":")

113

except Exception:

114

pass

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

115

outdata = self.new_token(None, {"username": user, "password": passwd})

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

116

token = outdata["id"]

117

cherrypy.session['Authorization'] = token

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

118

if self.config["authentication"]["backend"] == "internal":

119

return self.engine.authorize(token)

120

else:

121

try:

122

self.backend.validate_token(token)

123

return self.tokens[token]

124

except AuthException:

125

self.del_token(token)

126

raise

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

127

except EngineException as e:

128

if cherrypy.session.get('Authorization'):

129

del cherrypy.session['Authorization']

130

cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e)

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

131

raise AuthException(str(e))

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

132

133

def new_token(self, session, indata, remote):

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

134

if self.config["authentication"]["backend"] == "internal":

135

return self.engine.new_token(session, indata, remote)

136

else:

137

if indata.get("username"):

138

token, projects = self.backend.authenticate_with_user_password(

139

indata.get("username"), indata.get("password"))

140

elif session:

141

token, projects = self.backend.authenticate_with_token(

142

session.get("id"), indata.get("project_id"))

143

else:

144

raise AuthException("Provide credentials: username/password or Authorization Bearer token",

145

http_code=HTTPStatus.UNAUTHORIZED)

146

147

if indata.get("project_id"):

148

project_id = indata.get("project_id")

149

if project_id not in projects:

150

raise AuthException("Project {} not allowed for this user".format(project_id),

151

http_code=HTTPStatus.UNAUTHORIZED)

152

else:

153

project_id = projects[0]

154

155

if project_id == "admin":

156

session_admin = True

157

else:

158

session_admin = reduce(lambda x, y: x or (True if y == "admin" else False),

projects, False)

now = time()

new_session = {

"_id": token,

"id": token,

"issued_at": now,

"expires": now+3600,

"project_id": project_id,

168

"username": indata.get("username") if not session else session.get("username"),

169

"remote_port": remote.port,

170

"admin": session_admin

}

if remote.name:

new_session["remote_host"] = remote.name

175

elif remote.ip:

176

new_session["remote_host"] = remote.ip

177

178

self.tokens[token] = new_session

179

180

return deepcopy(new_session)

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

181

182

def get_token_list(self, session):

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

183

if self.config["authentication"]["backend"] == "internal":

184

return self.engine.get_token_list(session)

185

else:

186

return [deepcopy(token) for token in self.tokens.values()

187

if token["username"] == session["username"]]

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

188

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

189

def get_token(self, session, token):

190

if self.config["authentication"]["backend"] == "internal":

191

return self.engine.get_token(session, token)

192

else:

193

token_value = self.tokens.get(token)

194

if not token_value:

195

raise EngineException("token not found", http_code=HTTPStatus.NOT_FOUND)

196

if token_value["username"] != session["username"] and not session["admin"]:

197

raise EngineException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)

198

return token_value

Eduardo Sousa

2f98821

2018-07-26 01:04:11 +0100

[diff] [blame]

199

Eduardo Sousa

819d34c

2018-07-31 01:20:02 +0100

[diff] [blame^]

200

def del_token(self, token):

201

if self.config["authentication"]["backend"] == "internal":

202

return self.engine.del_token(token)

203

else:

204

try:

205

self.backend.revoke_token(token)

206

del self.tokens[token]

207

return "token '{}' deleted".format(token)

208

except KeyError:

209

raise EngineException("Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND)