Gitiles
Code Review Sign In
osm.etsi.org / osm / NBI / 9e87a7fbc49d98dfae5fc6b7f4c17b81729a2af7 / . / osm_nbi / authconn_internal.py
blob: 88b276d73c70d9d09cd52be7f5f45e0430462b23 [file] [log] [blame]
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]1# -*- coding: utf-8 -*-
2
3# Copyright 2018 Telefonica S.A.
4# Copyright 2018 ALTRAN InnovaciĆ³n S.L.
5#
6# Licensed under the Apache License, Version 2.0 (the "License"); you may
7# not use this file except in compliance with the License. You may obtain
8# a copy of the License at
9#
10# http://www.apache.org/licenses/LICENSE-2.0
11#
12# Unless required by applicable law or agreed to in writing, software
13# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15# License for the specific language governing permissions and limitations
16# under the License.
17#
18# For those usages not covered by the Apache License, Version 2.0 please
19# contact: esousa@whitestack.com or glavado@whitestack.com
20##
21
22"""
23AuthconnInternal implements implements the connector for
24OSM Internal Authentication Backend and leverages the RBAC model
25"""
26
tierno23acf402019-08-28 13:36:34 +0000[diff] [blame]27__author__ = "Pedro de la Cruz Ramos <pdelacruzramos@altran.com>, " \
28 "Alfonso Tierno <alfonso.tiernosepulveda@telefoncia.com"
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]29__date__ = "$06-jun-2019 11:16:08$"
30
tierno23acf402019-08-28 13:36:34 +0000[diff] [blame]31from osm_nbi.authconn import Authconn, AuthException # , AuthconnOperationException
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]32from osm_common.dbbase import DbException
tierno23acf402019-08-28 13:36:34 +0000[diff] [blame]33from osm_nbi.base_topic import BaseTopic
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]34
35import logging
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]36import re
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]37from time import time, sleep
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]38from http import HTTPStatus
39from uuid import uuid4
40from hashlib import sha256
41from copy import deepcopy
42from random import choice as random_choice
43
44
45class AuthconnInternal(Authconn):
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]46 token_time_window = 2 # seconds
47 token_delay = 1 # seconds to wait upon second request within time window
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]48
tierno9e87a7f2020-03-23 09:24:10 +0000[diff] [blame^]49 def __init__(self, config, db, role_permissions):
50 Authconn.__init__(self, config, db, role_permissions)
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]51 self.logger = logging.getLogger("nbi.authenticator.internal")
52
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]53 self.db = db
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]54 # self.msg = msg
55 # self.token_cache = token_cache
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]56
57 # To be Confirmed
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]58 self.sess = None
59
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]60 def validate_token(self, token):
61 """
62 Check if the token is valid.
63
64 :param token: token to validate
65 :return: dictionary with information associated with the token:
66 "_id": token id
67 "project_id": project id
68 "project_name": project name
69 "user_id": user id
70 "username": user name
71 "roles": list with dict containing {name, id}
72 "expires": expiration date
73 If the token is not valid an exception is raised.
74 """
75
76 try:
77 if not token:
78 raise AuthException("Needed a token or Authorization HTTP header", http_code=HTTPStatus.UNAUTHORIZED)
79
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]80 now = time()
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]81
82 # get from database if not in cache
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]83 # if not token_info:
84 token_info = self.db.get_one("tokens", {"_id": token})
85 if token_info["expires"] < now:
86 raise AuthException("Expired Token or Authorization HTTP header", http_code=HTTPStatus.UNAUTHORIZED)
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]87
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]88 return token_info
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]89
90 except DbException as e:
91 if e.http_code == HTTPStatus.NOT_FOUND:
92 raise AuthException("Invalid Token or Authorization HTTP header", http_code=HTTPStatus.UNAUTHORIZED)
93 else:
94 raise
95 except AuthException:
tiernoe1eb3b22019-08-26 15:59:24 +0000[diff] [blame]96 raise
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]97 except Exception:
98 self.logger.exception("Error during token validation using internal backend")
99 raise AuthException("Error during token validation using internal backend",
100 http_code=HTTPStatus.UNAUTHORIZED)
101
102 def revoke_token(self, token):
103 """
104 Invalidate a token.
105
106 :param token: token to be revoked
107 """
108 try:
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]109 # self.token_cache.pop(token, None)
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]110 self.db.del_one("tokens", {"_id": token})
111 return True
112 except DbException as e:
113 if e.http_code == HTTPStatus.NOT_FOUND:
114 raise AuthException("Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND)
115 else:
116 # raise
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]117 exmsg = "Error during token revocation using internal backend"
118 self.logger.exception(exmsg)
119 raise AuthException(exmsg, http_code=HTTPStatus.UNAUTHORIZED)
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]120
tierno6486f742020-02-13 16:30:14 +0000[diff] [blame]121 def authenticate(self, credentials, token_info=None):
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]122 """
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]123 Authenticate a user using username/password or previous token_info plus project; its creates a new token
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]124
tierno6486f742020-02-13 16:30:14 +0000[diff] [blame]125 :param credentials: dictionary that contains:
126 username: name, id or None
127 password: password or None
128 project_id: name, id, or None. If None first found project will be used to get an scope token
129 other items are allowed and ignored
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]130 :param token_info: previous token_info to obtain authorization
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]131 :return: the scoped token info or raises an exception. The token is a dictionary with:
132 _id: token string id,
133 username: username,
134 project_id: scoped_token project_id,
135 project_name: scoped_token project_name,
136 expires: epoch time when it expires,
137 """
138
139 now = time()
140 user_content = None
tierno6486f742020-02-13 16:30:14 +0000[diff] [blame]141 user = credentials.get("username")
142 password = credentials.get("password")
143 project = credentials.get("project_id")
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]144
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]145 # Try using username/password
146 if user:
147 user_rows = self.db.get_list("users", {BaseTopic.id_field("users", user): user})
148 if user_rows:
149 user_content = user_rows[0]
150 salt = user_content["_admin"]["salt"]
151 shadow_password = sha256(password.encode('utf-8') + salt.encode('utf-8')).hexdigest()
152 if shadow_password != user_content["password"]:
153 user_content = None
154 if not user_content:
155 raise AuthException("Invalid username/password", http_code=HTTPStatus.UNAUTHORIZED)
156 elif token_info:
157 user_rows = self.db.get_list("users", {"username": token_info["username"]})
158 if user_rows:
159 user_content = user_rows[0]
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]160 else:
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]161 raise AuthException("Invalid token", http_code=HTTPStatus.UNAUTHORIZED)
162 else:
163 raise AuthException("Provide credentials: username/password or Authorization Bearer token",
164 http_code=HTTPStatus.UNAUTHORIZED)
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]165
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]166 # Delay upon second request within time window
167 if now - user_content["_admin"].get("last_token_time", 0) < self.token_time_window:
168 sleep(self.token_delay)
169 # user_content["_admin"]["last_token_time"] = now
170 # self.db.replace("users", user_content["_id"], user_content) # might cause race conditions
171 self.db.set_one("users", {"_id": user_content["_id"]}, {"_admin.last_token_time": now})
172
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]173 token_id = ''.join(random_choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
174 for _ in range(0, 32))
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]175
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]176 # projects = user_content.get("projects", [])
177 prm_list = user_content.get("project_role_mappings", [])
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]178
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]179 if not project:
180 project = prm_list[0]["project"] if prm_list else None
181 if not project:
182 raise AuthException("can't find a default project for this user", http_code=HTTPStatus.UNAUTHORIZED)
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]183
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]184 projects = [prm["project"] for prm in prm_list]
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]185
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]186 proj = self.db.get_one("projects", {BaseTopic.id_field("projects", project): project})
187 project_name = proj["name"]
188 project_id = proj["_id"]
189 if project_name not in projects and project_id not in projects:
190 raise AuthException("project {} not allowed for this user".format(project),
191 http_code=HTTPStatus.UNAUTHORIZED)
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]192
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]193 # TODO remove admin, this vill be used by roles RBAC
194 if project_name == "admin":
195 token_admin = True
196 else:
197 token_admin = proj.get("admin", False)
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]198
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]199 # add token roles
200 roles = []
201 roles_list = []
202 for prm in prm_list:
203 if prm["project"] in [project_id, project_name]:
204 role = self.db.get_one("roles", {BaseTopic.id_field("roles", prm["role"]): prm["role"]})
205 rid = role["_id"]
206 if rid not in roles:
207 rnm = role["name"]
208 roles.append(rid)
209 roles_list.append({"name": rnm, "id": rid})
210 if not roles_list:
211 rid = self.db.get_one("roles", {"name": "project_admin"})["_id"]
212 roles_list = [{"name": "project_admin", "id": rid}]
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]213
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]214 new_token = {"issued_at": now,
215 "expires": now + 3600,
216 "_id": token_id,
217 "id": token_id,
218 "project_id": proj["_id"],
219 "project_name": proj["name"],
220 "username": user_content["username"],
221 "user_id": user_content["_id"],
222 "admin": token_admin,
223 "roles": roles_list,
224 }
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]225
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]226 self.db.create("tokens", new_token)
227 return deepcopy(new_token)
228
229 def get_role_list(self, filter_q={}):
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]230 """
231 Get role list.
232
233 :return: returns the list of roles.
234 """
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]235 return self.db.get_list("roles", filter_q)
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]236
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]237 def create_role(self, role_info):
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]238 """
239 Create a role.
240
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]241 :param role_info: full role info.
242 :return: returns the role id.
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]243 :raises AuthconnOperationException: if role creation failed.
244 """
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]245 # TODO: Check that role name does not exist ?
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]246 rid = str(uuid4())
247 role_info["_id"] = rid
248 rid = self.db.create("roles", role_info)
249 return rid
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]250
251 def delete_role(self, role_id):
252 """
253 Delete a role.
254
255 :param role_id: role identifier.
256 :raises AuthconnOperationException: if role deletion failed.
257 """
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]258 rc = self.db.del_one("roles", {"_id": role_id})
259 self.db.del_list("tokens", {"roles.id": role_id})
260 return rc
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]261
262 def update_role(self, role_info):
263 """
264 Update a role.
265
266 :param role_info: full role info.
267 :return: returns the role name and id.
268 :raises AuthconnOperationException: if user creation failed.
269 """
270 rid = role_info["_id"]
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]271 self.db.set_one("roles", {"_id": rid}, role_info)
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]272 return {"_id": rid, "name": role_info["name"]}
273
274 def create_user(self, user_info):
275 """
276 Create a user.
277
278 :param user_info: full user info.
279 :return: returns the username and id of the user.
280 """
281 BaseTopic.format_on_new(user_info, make_public=False)
282 salt = uuid4().hex
283 user_info["_admin"]["salt"] = salt
284 if "password" in user_info:
285 user_info["password"] = sha256(user_info["password"].encode('utf-8') + salt.encode('utf-8')).hexdigest()
286 # "projects" are not stored any more
287 if "projects" in user_info:
288 del user_info["projects"]
289 self.db.create("users", user_info)
290 return {"username": user_info["username"], "_id": user_info["_id"]}
291
292 def update_user(self, user_info):
293 """
294 Change the user name and/or password.
295
296 :param user_info: user info modifications
297 """
298 uid = user_info["_id"]
299 user_data = self.db.get_one("users", {BaseTopic.id_field("users", uid): uid})
300 BaseTopic.format_on_edit(user_data, user_info)
301 # User Name
302 usnm = user_info.get("username")
303 if usnm:
304 user_data["username"] = usnm
305 # If password is given and is not already encripted
306 pswd = user_info.get("password")
307 if pswd and (len(pswd) != 64 or not re.match('[a-fA-F0-9]*', pswd)): # TODO: Improve check?
308 salt = uuid4().hex
309 if "_admin" not in user_data:
310 user_data["_admin"] = {}
311 user_data["_admin"]["salt"] = salt
312 user_data["password"] = sha256(pswd.encode('utf-8') + salt.encode('utf-8')).hexdigest()
313 # Project-Role Mappings
314 # TODO: Check that user_info NEVER includes "project_role_mappings"
315 if "project_role_mappings" not in user_data:
316 user_data["project_role_mappings"] = []
317 for prm in user_info.get("add_project_role_mappings", []):
318 user_data["project_role_mappings"].append(prm)
319 for prm in user_info.get("remove_project_role_mappings", []):
320 for pidf in ["project", "project_name"]:
321 for ridf in ["role", "role_name"]:
322 try:
323 user_data["project_role_mappings"].remove({"role": prm[ridf], "project": prm[pidf]})
324 except KeyError:
325 pass
326 except ValueError:
327 pass
delacruzramo3d6881c2019-12-04 13:42:26 +0100[diff] [blame]328 idf = BaseTopic.id_field("users", uid)
329 self.db.set_one("users", {idf: uid}, user_data)
330 if user_info.get("remove_project_role_mappings"):
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]331 idf = "user_id" if idf == "_id" else idf
332 self.db.del_list("tokens", {idf: uid})
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]333
334 def delete_user(self, user_id):
335 """
336 Delete user.
337
338 :param user_id: user identifier.
339 :raises AuthconnOperationException: if user deletion failed.
340 """
341 self.db.del_one("users", {"_id": user_id})
delacruzramo3d6881c2019-12-04 13:42:26 +0100[diff] [blame]342 self.db.del_list("tokens", {"user_id": user_id})
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]343 return True
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]344
345 def get_user_list(self, filter_q=None):
346 """
347 Get user list.
348
349 :param filter_q: dictionary to filter user list by name (username is also admited) and/or _id
350 :return: returns a list of users.
351 """
352 filt = filter_q or {}
353 if "name" in filt:
354 filt["username"] = filt["name"]
355 del filt["name"]
356 users = self.db.get_list("users", filt)
tierno1546f2a2019-08-20 15:38:11 +0000[diff] [blame]357 project_id_name = {}
358 role_id_name = {}
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]359 for user in users:
tierno1546f2a2019-08-20 15:38:11 +0000[diff] [blame]360 prms = user.get("project_role_mappings")
361 projects = user.get("projects")
362 if prms:
363 projects = []
364 # add project_name and role_name. Generate projects for backward compatibility
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]365 for prm in prms:
tierno1546f2a2019-08-20 15:38:11 +0000[diff] [blame]366 project_id = prm["project"]
367 if project_id not in project_id_name:
368 pr = self.db.get_one("projects", {BaseTopic.id_field("projects", project_id): project_id},
369 fail_on_empty=False)
370 project_id_name[project_id] = pr["name"] if pr else None
371 prm["project_name"] = project_id_name[project_id]
372 if prm["project_name"] not in projects:
373 projects.append(prm["project_name"])
374
375 role_id = prm["role"]
376 if role_id not in role_id_name:
377 role = self.db.get_one("roles", {BaseTopic.id_field("roles", role_id): role_id},
378 fail_on_empty=False)
379 role_id_name[role_id] = role["name"] if role else None
380 prm["role_name"] = role_id_name[role_id]
381 user["projects"] = projects # for backward compatibility
382 elif projects:
383 # user created with an old version. Create a project_role mapping with role project_admin
384 user["project_role_mappings"] = []
385 role = self.db.get_one("roles", {BaseTopic.id_field("roles", "project_admin"): "project_admin"})
386 for p_id_name in projects:
387 pr = self.db.get_one("projects", {BaseTopic.id_field("projects", p_id_name): p_id_name})
388 prm = {"project": pr["_id"],
389 "project_name": pr["name"],
390 "role_name": "project_admin",
391 "role": role["_id"]
392 }
393 user["project_role_mappings"].append(prm)
394 else:
395 user["projects"] = []
396 user["project_role_mappings"] = []
397
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]398 return users
399
400 def get_project_list(self, filter_q={}):
401 """
402 Get role list.
403
404 :return: returns the list of projects.
405 """
406 return self.db.get_list("projects", filter_q)
407
408 def create_project(self, project_info):
409 """
410 Create a project.
411
412 :param project: full project info.
413 :return: the internal id of the created project
414 :raises AuthconnOperationException: if project creation failed.
415 """
416 pid = self.db.create("projects", project_info)
417 return pid
418
419 def delete_project(self, project_id):
420 """
421 Delete a project.
422
423 :param project_id: project identifier.
424 :raises AuthconnOperationException: if project deletion failed.
425 """
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]426 idf = BaseTopic.id_field("projects", project_id)
427 r = self.db.del_one("projects", {idf: project_id})
428 idf = "project_id" if idf == "_id" else "project_name"
429 self.db.del_list("tokens", {idf: project_id})
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]430 return r
431
432 def update_project(self, project_id, project_info):
433 """
434 Change the name of a project
435
436 :param project_id: project to be changed
437 :param project_info: full project info
438 :return: None
439 :raises AuthconnOperationException: if project update failed.
440 """
441 self.db.set_one("projects", {BaseTopic.id_field("projects", project_id): project_id}, project_info)