Gitiles
Code Review Sign In
osm.etsi.org / osm / NBI / b2e48bdecec7cd57f303becf40c5d469b8fdadff / . / osm_nbi / auth.py
blob: 1b8fa2b0adcef246e817a3f3600f0e4379971907 [file] [log] [blame]
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]1# -*- coding: utf-8 -*-
2
Eduardo Sousad795f872019-02-05 16:05:53 +0000[diff] [blame]3# Copyright 2018 Whitestack, LLC
4# Copyright 2018 Telefonica S.A.
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]5#
Eduardo Sousad795f872019-02-05 16:05:53 +0000[diff] [blame]6# Licensed under the Apache License, Version 2.0 (the "License"); you may
7# not use this file except in compliance with the License. You may obtain
8# a copy of the License at
9#
10# http://www.apache.org/licenses/LICENSE-2.0
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]11#
12# Unless required by applicable law or agreed to in writing, software
Eduardo Sousad795f872019-02-05 16:05:53 +0000[diff] [blame]13# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15# License for the specific language governing permissions and limitations
16# under the License.
17#
18# For those usages not covered by the Apache License, Version 2.0 please
19# contact: esousa@whitestack.com or alfonso.tiernosepulveda@telefonica.com
20##
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]21
22
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]23"""
24Authenticator is responsible for authenticating the users,
25create the tokens unscoped and scoped, retrieve the role
26list inside the projects that they are inserted
27"""
28
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]29__author__ = "Eduardo Sousa <esousa@whitestack.com>; Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]30__date__ = "$27-jul-2018 23:59:59$"
31
Eduardo Sousad1b525d2018-10-04 04:24:18 +0100[diff] [blame]32import cherrypy
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]33import logging
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]34import yaml
Eduardo Sousa2f988212018-07-26 01:04:11 +0100[diff] [blame]35from base64 import standard_b64decode
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]36from copy import deepcopy
tierno38dcfeb2019-06-10 16:44:00 +0000[diff] [blame]37# from functools import reduce
Eduardo Sousa2f988212018-07-26 01:04:11 +0100[diff] [blame]38from http import HTTPStatus
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]39from time import time
Eduardo Sousa5c01e192019-05-08 02:35:47 +0100[diff] [blame]40from os import path
Eduardo Sousa2f988212018-07-26 01:04:11 +0100[diff] [blame]41
tierno9c630112019-08-29 14:21:41 +0000[diff] [blame]42from osm_nbi.authconn import AuthException, AuthExceptionUnauthorized
43from osm_nbi.authconn_keystone import AuthconnKeystone
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]44from osm_nbi.authconn_internal import AuthconnInternal
45from osm_common import dbmemory, dbmongo, msglocal, msgkafka
Eduardo Sousad1b525d2018-10-04 04:24:18 +0100[diff] [blame]46from osm_common.dbbase import DbException
delacruzramo029405d2019-09-26 10:52:56 +0200[diff] [blame]47from osm_nbi.validation import is_valid_uuid
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]48from itertools import chain
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]49from uuid import uuid4
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]50
Eduardo Sousa2f988212018-07-26 01:04:11 +0100[diff] [blame]51
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]52class Authenticator:
53 """
54 This class should hold all the mechanisms for User Authentication and
55 Authorization. Initially it should support Openstack Keystone as a
56 backend through a plugin model where more backends can be added and a
57 RBAC model to manage permissions on operations.
tierno65ca36d2019-02-12 19:27:52 +0100[diff] [blame]58 This class must be threading safe
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]59 """
Eduardo Sousa2f988212018-07-26 01:04:11 +0100[diff] [blame]60
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]61 periodin_db_pruning = 60 * 30 # for the internal backend only. every 30 minutes expired tokens will be pruned
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]62 token_limit = 500 # when reached, the token cache will be cleared
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]63
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]64 def __init__(self, valid_methods, valid_query_string):
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]65 """
66 Authenticator initializer. Setup the initial state of the object,
67 while it waits for the config dictionary and database initialization.
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]68 """
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]69 self.backend = None
70 self.config = None
71 self.db = None
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]72 self.msg = None
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]73 self.tokens_cache = dict()
74 self.next_db_prune_time = 0 # time when next cleaning of expired tokens must be done
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]75 self.roles_to_operations_file = None
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]76 # self.roles_to_operations_table = None
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]77 self.resources_to_operations_mapping = {}
78 self.operation_to_allowed_roles = {}
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]79 self.logger = logging.getLogger("nbi.authenticator")
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]80 self.role_permissions = []
81 self.valid_methods = valid_methods
82 self.valid_query_string = valid_query_string
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]83
84 def start(self, config):
85 """
86 Method to configure the Authenticator object. This method should be called
87 after object creation. It is responsible by initializing the selected backend,
88 as well as the initialization of the database connection.
89
90 :param config: dictionary containing the relevant parameters for this object.
91 """
92 self.config = config
93
94 try:
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]95 if not self.db:
Eduardo Sousad1b525d2018-10-04 04:24:18 +0100[diff] [blame]96 if config["database"]["driver"] == "mongo":
97 self.db = dbmongo.DbMongo()
98 self.db.db_connect(config["database"])
99 elif config["database"]["driver"] == "memory":
100 self.db = dbmemory.DbMemory()
101 self.db.db_connect(config["database"])
102 else:
103 raise AuthException("Invalid configuration param '{}' at '[database]':'driver'"
104 .format(config["database"]["driver"]))
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]105 if not self.msg:
106 if config["message"]["driver"] == "local":
107 self.msg = msglocal.MsgLocal()
108 self.msg.connect(config["message"])
109 elif config["message"]["driver"] == "kafka":
110 self.msg = msgkafka.MsgKafka()
111 self.msg.connect(config["message"])
112 else:
113 raise AuthException("Invalid configuration param '{}' at '[message]':'driver'"
114 .format(config["message"]["driver"]))
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]115 if not self.backend:
116 if config["authentication"]["backend"] == "keystone":
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]117 self.backend = AuthconnKeystone(self.config["authentication"], self.db)
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]118 elif config["authentication"]["backend"] == "internal":
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]119 self.backend = AuthconnInternal(self.config["authentication"], self.db)
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]120 self._internal_tokens_prune()
121 else:
122 raise AuthException("Unknown authentication backend: {}"
123 .format(config["authentication"]["backend"]))
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]124
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]125 if not self.roles_to_operations_file:
126 if "roles_to_operations" in config["rbac"]:
127 self.roles_to_operations_file = config["rbac"]["roles_to_operations"]
128 else:
Eduardo Sousa5c01e192019-05-08 02:35:47 +0100[diff] [blame]129 possible_paths = (
130 __file__[:__file__.rfind("auth.py")] + "roles_to_operations.yml",
131 "./roles_to_operations.yml"
132 )
133 for config_file in possible_paths:
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]134 if path.isfile(config_file):
135 self.roles_to_operations_file = config_file
136 break
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]137 if not self.roles_to_operations_file:
138 raise AuthException("Invalid permission configuration: roles_to_operations file missing")
139
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]140 # load role_permissions
141 def load_role_permissions(method_dict):
142 for k in method_dict:
143 if k == "ROLE_PERMISSION":
144 for method in chain(method_dict.get("METHODS", ()), method_dict.get("TODO", ())):
145 permission = method_dict["ROLE_PERMISSION"] + method.lower()
146 if permission not in self.role_permissions:
147 self.role_permissions.append(permission)
148 elif k in ("TODO", "METHODS"):
149 continue
150 else:
151 load_role_permissions(method_dict[k])
152
153 load_role_permissions(self.valid_methods)
154 for query_string in self.valid_query_string:
155 for method in ("get", "put", "patch", "post", "delete"):
156 permission = query_string.lower() + ":" + method
157 if permission not in self.role_permissions:
158 self.role_permissions.append(permission)
159
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]160 except Exception as e:
161 raise AuthException(str(e))
162
Eduardo Sousad1b525d2018-10-04 04:24:18 +0100[diff] [blame]163 def stop(self):
164 try:
165 if self.db:
166 self.db.db_disconnect()
167 except DbException as e:
168 raise AuthException(str(e), http_code=e.http_code)
169
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]170 def create_admin_project(self):
171 """
172 Creates a new project 'admin' into database if it doesn't exist. Useful for initialization.
173 :return: _id identity of the 'admin' project
174 """
175
176 # projects = self.db.get_one("projects", fail_on_empty=False, fail_on_more=False)
177 project_desc = {"name": "admin"}
178 projects = self.backend.get_project_list(project_desc)
179 if projects:
180 return projects[0]["_id"]
181 now = time()
182 project_desc["_id"] = str(uuid4())
183 project_desc["_admin"] = {"created": now, "modified": now}
184 pid = self.backend.create_project(project_desc)
185 self.logger.info("Project '{}' created at database".format(project_desc["name"]))
186 return pid
187
188 def create_admin_user(self, project_id):
189 """
190 Creates a new user admin/admin into database if database is empty. Useful for initialization
191 :return: _id identity of the inserted data, or None
192 """
193 # users = self.db.get_one("users", fail_on_empty=False, fail_on_more=False)
194 users = self.backend.get_user_list()
195 if users:
196 return None
197 # user_desc = {"username": "admin", "password": "admin", "projects": [project_id]}
198 now = time()
199 user_desc = {"username": "admin", "password": "admin", "_admin": {"created": now, "modified": now}}
200 if project_id:
201 pid = project_id
202 else:
203 # proj = self.db.get_one("projects", {"name": "admin"}, fail_on_empty=False, fail_on_more=False)
204 proj = self.backend.get_project_list({"name": "admin"})
205 pid = proj[0]["_id"] if proj else None
206 # role = self.db.get_one("roles", {"name": "system_admin"}, fail_on_empty=False, fail_on_more=False)
207 roles = self.backend.get_role_list({"name": "system_admin"})
208 if pid and roles:
209 user_desc["project_role_mappings"] = [{"project": pid, "role": roles[0]["_id"]}]
210 uid = self.backend.create_user(user_desc)
211 self.logger.info("User '{}' created at database".format(user_desc["username"]))
212 return uid
213
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]214 def init_db(self, target_version='1.0'):
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]215 """
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]216 Check if the database has been initialized, with at least one user. If not, create the required tables
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]217 and insert the predefined mappings between roles and permissions.
218
219 :param target_version: schema version that should be present in the database.
220 :return: None if OK, exception if error or version is different.
221 """
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]222
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]223 records = self.backend.get_role_list()
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]224
tierno1f029d82019-06-13 22:37:04 +0000[diff] [blame]225 # Loading permissions to MongoDB if there is not any permission.
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]226 if not records or (len(records) == 1 and records[0]["name"] == "admin"):
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]227 with open(self.roles_to_operations_file, "r") as stream:
delacruzramob19cadc2019-10-08 10:18:02 +0200[diff] [blame]228 roles_to_operations_yaml = yaml.load(stream, Loader=yaml.Loader)
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]229
tierno1f029d82019-06-13 22:37:04 +0000[diff] [blame]230 role_names = []
231 for role_with_operations in roles_to_operations_yaml["roles"]:
232 # Verifying if role already exists. If it does, raise exception
233 if role_with_operations["name"] not in role_names:
234 role_names.append(role_with_operations["name"])
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]235 else:
tierno1f029d82019-06-13 22:37:04 +0000[diff] [blame]236 raise AuthException("Duplicated role name '{}' at file '{}''"
237 .format(role_with_operations["name"], self.roles_to_operations_file))
238
239 if not role_with_operations["permissions"]:
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]240 continue
241
tierno1f029d82019-06-13 22:37:04 +0000[diff] [blame]242 for permission, is_allowed in role_with_operations["permissions"].items():
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]243 if not isinstance(is_allowed, bool):
tierno1f029d82019-06-13 22:37:04 +0000[diff] [blame]244 raise AuthException("Invalid value for permission '{}' at role '{}'; at file '{}'"
245 .format(permission, role_with_operations["name"],
246 self.roles_to_operations_file))
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]247
tierno1f029d82019-06-13 22:37:04 +0000[diff] [blame]248 # TODO chek permission is ok
249 if permission[-1] == ":":
250 raise AuthException("Invalid permission '{}' terminated in ':' for role '{}'; at file {}"
251 .format(permission, role_with_operations["name"],
252 self.roles_to_operations_file))
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]253
tierno1f029d82019-06-13 22:37:04 +0000[diff] [blame]254 if "default" not in role_with_operations["permissions"]:
255 role_with_operations["permissions"]["default"] = False
256 if "admin" not in role_with_operations["permissions"]:
257 role_with_operations["permissions"]["admin"] = False
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]258
259 now = time()
tierno1f029d82019-06-13 22:37:04 +0000[diff] [blame]260 role_with_operations["_admin"] = {
261 "created": now,
262 "modified": now,
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]263 }
264
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]265 # self.db.create(self.roles_to_operations_table, role_with_operations)
266 self.backend.create_role(role_with_operations)
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]267 self.logger.info("Role '{}' created at database".format(role_with_operations["name"]))
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]268
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]269 # Create admin project&user if required
270 pid = self.create_admin_project()
tierno9ebbf852019-09-03 14:58:09 +0000[diff] [blame]271 user_id = self.create_admin_user(pid)
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]272
tierno9ebbf852019-09-03 14:58:09 +0000[diff] [blame]273 # try to assign system_admin role to user admin if not any user has this role
274 if not user_id:
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]275 try:
tierno9ebbf852019-09-03 14:58:09 +0000[diff] [blame]276 users = self.backend.get_user_list()
277 roles = self.backend.get_role_list({"name": "system_admin"})
278 role_id = roles[0]["_id"]
279 user_with_system_admin = False
280 user_admin_id = None
281 for user in users:
282 if not user_admin_id:
283 user_admin_id = user["_id"]
284 if user["username"] == "admin":
285 user_admin_id = user["_id"]
286 for prm in user.get("project_role_mappings", ()):
287 if prm["role"] == role_id:
288 user_with_system_admin = True
289 break
290 if user_with_system_admin:
291 break
292 if not user_with_system_admin:
293 self.backend.update_user({"_id": user_admin_id,
294 "add_project_role_mappings": [{"project": pid, "role": role_id}]})
295 self.logger.info("Added role system admin to user='{}' project=admin".format(user_admin_id))
delacruzramo15ec7062019-12-26 10:09:04 +0000[diff] [blame]296 except Exception as e:
297 self.logger.error("Error in Authorization DataBase initialization: {}: {}".format(type(e).__name__, e))
tierno1f029d82019-06-13 22:37:04 +0000[diff] [blame]298
299 self.load_operation_to_allowed_roles()
300
301 def load_operation_to_allowed_roles(self):
302 """
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]303 Fills the internal self.operation_to_allowed_roles based on database role content and self.role_permissions
tiernoa6bb45d2019-06-14 09:45:39 +0000[diff] [blame]304 It works in a shadow copy and replace at the end to allow other threads working with the old copy
tierno1f029d82019-06-13 22:37:04 +0000[diff] [blame]305 :return: None
306 """
307
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]308 permissions = {oper: [] for oper in self.role_permissions}
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]309 # records = self.db.get_list(self.roles_to_operations_table)
310 records = self.backend.get_role_list()
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]311
tiernoa6bb45d2019-06-14 09:45:39 +0000[diff] [blame]312 ignore_fields = ["_id", "_admin", "name", "default"]
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]313 for record in records:
delacruzramo01b15d32019-07-02 14:37:47 +0200[diff] [blame]314 if not record.get("permissions"):
315 continue
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]316 record_permissions = {oper: record["permissions"].get("default", False) for oper in self.role_permissions}
tierno1f029d82019-06-13 22:37:04 +0000[diff] [blame]317 operations_joined = [(oper, value) for oper, value in record["permissions"].items()
318 if oper not in ignore_fields]
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]319 operations_joined.sort(key=lambda x: x[0].count(":"))
320
321 for oper in operations_joined:
322 match = list(filter(lambda x: x.find(oper[0]) == 0, record_permissions.keys()))
323
324 for m in match:
325 record_permissions[m] = oper[1]
326
327 allowed_operations = [k for k, v in record_permissions.items() if v is True]
328
329 for allowed_op in allowed_operations:
Eduardo Sousa5c01e192019-05-08 02:35:47 +0100[diff] [blame]330 permissions[allowed_op].append(record["name"])
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]331
tiernoa6bb45d2019-06-14 09:45:39 +0000[diff] [blame]332 self.operation_to_allowed_roles = permissions
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]333
delacruzramo029405d2019-09-26 10:52:56 +0200[diff] [blame]334 def authorize(self, role_permission=None, query_string_operations=None, item_id=None):
Eduardo Sousa2f988212018-07-26 01:04:11 +0100[diff] [blame]335 token = None
336 user_passwd64 = None
337 try:
338 # 1. Get token Authorization bearer
339 auth = cherrypy.request.headers.get("Authorization")
340 if auth:
341 auth_list = auth.split(" ")
342 if auth_list[0].lower() == "bearer":
343 token = auth_list[-1]
344 elif auth_list[0].lower() == "basic":
345 user_passwd64 = auth_list[-1]
346 if not token:
347 if cherrypy.session.get("Authorization"):
348 # 2. Try using session before request a new token. If not, basic authentication will generate
349 token = cherrypy.session.get("Authorization")
350 if token == "logout":
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]351 token = None # force Unauthorized response to insert user password again
Eduardo Sousa2f988212018-07-26 01:04:11 +0100[diff] [blame]352 elif user_passwd64 and cherrypy.request.config.get("auth.allow_basic_authentication"):
353 # 3. Get new token from user password
354 user = None
355 passwd = None
356 try:
357 user_passwd = standard_b64decode(user_passwd64).decode()
358 user, _, passwd = user_passwd.partition(":")
359 except Exception:
360 pass
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]361 outdata = self.new_token(None, {"username": user, "password": passwd})
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]362 token = outdata["_id"]
Eduardo Sousa2f988212018-07-26 01:04:11 +0100[diff] [blame]363 cherrypy.session['Authorization'] = token
tiernoa6bb45d2019-06-14 09:45:39 +0000[diff] [blame]364
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]365 if not token:
366 raise AuthException("Needed a token or Authorization http header",
367 http_code=HTTPStatus.UNAUTHORIZED)
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]368
369 # try to get from cache first
370 now = time()
371 token_info = self.tokens_cache.get(token)
372 if token_info and token_info["expires"] < now:
373 # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del
374 self.tokens_cache.pop(token, None)
375 token_info = None
376
377 # get from database if not in cache
378 if not token_info:
379 token_info = self.backend.validate_token(token)
380 # Clear cache if token limit reached
381 if len(self.tokens_cache) > self.token_limit:
382 self.tokens_cache.clear()
383 self.tokens_cache[token] = token_info
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]384 # TODO add to token info remote host, port
385
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]386 if role_permission:
delacruzramo029405d2019-09-26 10:52:56 +0200[diff] [blame]387 RBAC_auth = self.check_permissions(token_info, cherrypy.request.method, role_permission,
388 query_string_operations, item_id)
389 token_info["allow_show_user_project_role"] = RBAC_auth
390
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]391 return token_info
Eduardo Sousad1b525d2018-10-04 04:24:18 +0100[diff] [blame]392 except AuthException as e:
tiernoc8445362019-06-14 12:07:15 +0000[diff] [blame]393 if not isinstance(e, AuthExceptionUnauthorized):
394 if cherrypy.session.get('Authorization'):
395 del cherrypy.session['Authorization']
396 cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e)
tiernoe1eb3b22019-08-26 15:59:24 +0000[diff] [blame]397 elif self.config.get("user_not_authorized"):
398 # TODO provide user_id, roles id (not name), project_id
399 return {"id": "fake-token-id-for-test",
400 "project_id": self.config.get("project_not_authorized", "admin"),
401 "username": self.config["user_not_authorized"],
402 "roles": ["system_admin"]}
tiernoc8445362019-06-14 12:07:15 +0000[diff] [blame]403 raise
Eduardo Sousa2f988212018-07-26 01:04:11 +0100[diff] [blame]404
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]405 def new_token(self, token_info, indata, remote):
406 new_token_info = self.backend.authenticate(
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]407 user=indata.get("username"),
408 password=indata.get("password"),
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]409 token_info=token_info,
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]410 project=indata.get("project_id")
411 )
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]412
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]413 new_token_info["remote_port"] = remote.port
414 if not new_token_info.get("expires"):
415 new_token_info["expires"] = time() + 3600
416 if not new_token_info.get("admin"):
417 new_token_info["admin"] = True if new_token_info.get("project_name") == "admin" else False
418 # TODO put admin in RBAC
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]419
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]420 if remote.name:
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]421 new_token_info["remote_host"] = remote.name
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]422 elif remote.ip:
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]423 new_token_info["remote_host"] = remote.ip
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]424
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]425 # TODO call self._internal_tokens_prune(now) ?
426 return deepcopy(new_token_info)
Eduardo Sousa2f988212018-07-26 01:04:11 +0100[diff] [blame]427
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]428 def get_token_list(self, token_info):
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]429 if self.config["authentication"]["backend"] == "internal":
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]430 return self._internal_get_token_list(token_info)
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]431 else:
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]432 # TODO: check if this can be avoided. Backend may provide enough information
433 return [deepcopy(token) for token in self.tokens_cache.values()
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]434 if token["username"] == token_info["username"]]
Eduardo Sousa2f988212018-07-26 01:04:11 +0100[diff] [blame]435
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]436 def get_token(self, token_info, token):
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]437 if self.config["authentication"]["backend"] == "internal":
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]438 return self._internal_get_token(token_info, token)
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]439 else:
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]440 # TODO: check if this can be avoided. Backend may provide enough information
441 token_value = self.tokens_cache.get(token)
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]442 if not token_value:
Eduardo Sousad1b525d2018-10-04 04:24:18 +0100[diff] [blame]443 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]444 if token_value["username"] != token_info["username"] and not token_info["admin"]:
Eduardo Sousad1b525d2018-10-04 04:24:18 +0100[diff] [blame]445 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]446 return token_value
Eduardo Sousa2f988212018-07-26 01:04:11 +0100[diff] [blame]447
Eduardo Sousa819d34c2018-07-31 01:20:02 +0100[diff] [blame]448 def del_token(self, token):
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]449 try:
450 self.backend.revoke_token(token)
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]451 # self.tokens_cache.pop(token, None)
452 self.remove_token_from_cache(token)
delacruzramoceb8baf2019-06-21 14:25:38 +0200[diff] [blame]453 return "token '{}' deleted".format(token)
454 except KeyError:
455 raise AuthException("Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND)
Eduardo Sousad1b525d2018-10-04 04:24:18 +0100[diff] [blame]456
delacruzramo029405d2019-09-26 10:52:56 +0200[diff] [blame]457 def check_permissions(self, token_info, method, role_permission=None, query_string_operations=None, item_id=None):
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]458 """
459 Checks that operation has permissions to be done, base on the assigned roles to this user project
460 :param token_info: Dictionary that contains "roles" with a list of assigned roles.
461 This method fills the token_info["admin"] with True or False based on assigned tokens, if any allows admin
462 This will be used among others to hide or not the _admin content of topics
463 :param method: GET,PUT, POST, ...
464 :param role_permission: role permission name of the operation required
465 :param query_string_operations: list of possible admin query strings provided by user. It is checked that the
466 assigned role allows this query string for this method
delacruzramo029405d2019-09-26 10:52:56 +0200[diff] [blame]467 :param item_id: item identifier if included in the URL, None otherwise
468 :return: True if access granted by permission rules, False if access granted by default rules (Bug 853)
469 :raises: AuthExceptionUnauthorized if access denied
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]470 """
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]471
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]472 roles_required = self.operation_to_allowed_roles[role_permission]
473 roles_allowed = [role["name"] for role in token_info["roles"]]
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]474
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]475 # fills token_info["admin"] if some roles allows it
476 token_info["admin"] = False
tiernoa6bb45d2019-06-14 09:45:39 +0000[diff] [blame]477 for role in roles_allowed:
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]478 if role in self.operation_to_allowed_roles["admin:" + method.lower()]:
479 token_info["admin"] = True
tiernoa6bb45d2019-06-14 09:45:39 +0000[diff] [blame]480 break
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]481
482 if "anonymous" in roles_required:
delacruzramo029405d2019-09-26 10:52:56 +0200[diff] [blame]483 return True
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]484 operation_allowed = False
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]485 for role in roles_allowed:
486 if role in roles_required:
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]487 operation_allowed = True
488 # if query_string operations, check if this role allows it
489 if not query_string_operations:
delacruzramo029405d2019-09-26 10:52:56 +0200[diff] [blame]490 return True
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]491 for query_string_operation in query_string_operations:
492 if role not in self.operation_to_allowed_roles[query_string_operation]:
493 break
494 else:
delacruzramo029405d2019-09-26 10:52:56 +0200[diff] [blame]495 return True
496
497 # Bug 853 - Final Solution
498 # User/Project/Role whole listings are filtered elsewhere
499 # uid, pid, rid = ("user_id", "project_id", "id") if is_valid_uuid(id) else ("username", "project_name", "name")
500 uid = "user_id" if is_valid_uuid(item_id) else "username"
501 if (role_permission in ["projects:get", "projects:id:get", "roles:get", "roles:id:get", "users:get"]) \
502 or (role_permission == "users:id:get" and item_id == token_info[uid]):
503 # or (role_permission == "projects:id:get" and item_id == token_info[pid]) \
504 # or (role_permission == "roles:id:get" and item_id in [role[rid] for role in token_info["roles"]]):
505 return False
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]506
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]507 if not operation_allowed:
508 raise AuthExceptionUnauthorized("Access denied: lack of permissions.")
509 else:
510 raise AuthExceptionUnauthorized("Access denied: You have not permissions to use these admin query string")
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]511
Eduardo Sousa5c01e192019-05-08 02:35:47 +0100[diff] [blame]512 def get_user_list(self):
513 return self.backend.get_user_list()
514
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]515 def _normalize_url(self, url, method):
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]516 # DEPRECATED !!!
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]517 # Removing query strings
518 normalized_url = url if '?' not in url else url[:url.find("?")]
519 normalized_url_splitted = normalized_url.split("/")
520 parameters = {}
521
522 filtered_keys = [key for key in self.resources_to_operations_mapping.keys()
523 if method in key.split()[0]]
524
525 for idx, path_part in enumerate(normalized_url_splitted):
526 tmp_keys = []
527 for tmp_key in filtered_keys:
528 splitted = tmp_key.split()[1].split("/")
Eduardo Sousacc02e9a2019-03-20 17:32:36 +0000[diff] [blame]529 if idx >= len(splitted):
530 continue
531 elif "<" in splitted[idx] and ">" in splitted[idx]:
Eduardo Sousa29933fc2018-11-14 06:36:35 +0000[diff] [blame]532 if splitted[idx] == "<artifactPath>":
533 tmp_keys.append(tmp_key)
534 continue
535 elif idx == len(normalized_url_splitted) - 1 and \
536 len(normalized_url_splitted) != len(splitted):
537 continue
538 else:
539 tmp_keys.append(tmp_key)
540 elif splitted[idx] == path_part:
541 if idx == len(normalized_url_splitted) - 1 and \
542 len(normalized_url_splitted) != len(splitted):
543 continue
544 else:
545 tmp_keys.append(tmp_key)
546 filtered_keys = tmp_keys
547 if len(filtered_keys) == 1 and \
548 filtered_keys[0].split("/")[-1] == "<artifactPath>":
549 break
550
551 if len(filtered_keys) == 0:
552 raise AuthException("Cannot make an authorization decision. URL not found. URL: {0}".format(url))
553 elif len(filtered_keys) > 1:
554 raise AuthException("Cannot make an authorization decision. Multiple URLs found. URL: {0}".format(url))
555
556 filtered_key = filtered_keys[0]
557
558 for idx, path_part in enumerate(filtered_key.split()[1].split("/")):
559 if "<" in path_part and ">" in path_part:
560 if path_part == "<artifactPath>":
561 parameters[path_part[1:-1]] = "/".join(normalized_url_splitted[idx:])
562 else:
563 parameters[path_part[1:-1]] = normalized_url_splitted[idx]
564
565 return filtered_key, parameters
566
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]567 def _internal_get_token_list(self, token_info):
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]568 now = time()
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]569 token_list = self.db.get_list("tokens", {"username": token_info["username"], "expires.gt": now})
Eduardo Sousad1b525d2018-10-04 04:24:18 +0100[diff] [blame]570 return token_list
571
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]572 def _internal_get_token(self, token_info, token_id):
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]573 token_value = self.db.get_one("tokens", {"_id": token_id}, fail_on_empty=False)
Eduardo Sousad1b525d2018-10-04 04:24:18 +0100[diff] [blame]574 if not token_value:
575 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
tierno701018c2019-06-25 11:13:14 +0000[diff] [blame]576 if token_value["username"] != token_info["username"] and not token_info["admin"]:
Eduardo Sousad1b525d2018-10-04 04:24:18 +0100[diff] [blame]577 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
578 return token_value
579
tierno0ea204e2019-01-25 14:16:24 +0000[diff] [blame]580 def _internal_tokens_prune(self, now=None):
581 now = now or time()
582 if not self.next_db_prune_time or self.next_db_prune_time >= now:
583 self.db.del_list("tokens", {"expires.lt": now})
584 self.next_db_prune_time = self.periodin_db_pruning + now
delacruzramoad682a52019-12-10 16:26:34 +0100[diff] [blame]585 # self.tokens_cache.clear() # not required any more
586
587 def remove_token_from_cache(self, token=None):
588 if token:
589 self.tokens_cache.pop(token, None)
590 else:
591 self.tokens_cache.clear()
592 self.msg.write("admin", "revoke_token", {"_id": token} if token else None)