1 # -*- coding: utf-8 -*-
3 # Copyright 2018 Whitestack, LLC
4 # Copyright 2018 Telefonica S.A.
6 # Licensed under the Apache License, Version 2.0 (the "License"); you may
7 # not use this file except in compliance with the License. You may obtain
8 # a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15 # License for the specific language governing permissions and limitations
18 # For those usages not covered by the Apache License, Version 2.0 please
19 # contact: esousa@whitestack.com or alfonso.tiernosepulveda@telefonica.com
24 Authenticator is responsible for authenticating the users,
25 create the tokens unscoped and scoped, retrieve the role
26 list inside the projects that they are inserted
29 __author__
= "Eduardo Sousa <esousa@whitestack.com>; Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30 __date__
= "$27-jul-2018 23:59:59$"
35 from base64
import standard_b64decode
36 from copy
import deepcopy
37 # from functools import reduce
38 from http
import HTTPStatus
42 from osm_nbi
.authconn
import AuthException
, AuthExceptionUnauthorized
43 from osm_nbi
.authconn_keystone
import AuthconnKeystone
44 from osm_nbi
.authconn_internal
import AuthconnInternal
45 from osm_common
import dbmemory
, dbmongo
, msglocal
, msgkafka
46 from osm_common
.dbbase
import DbException
47 from osm_nbi
.validation
import is_valid_uuid
48 from itertools
import chain
49 from uuid
import uuid4
54 This class should hold all the mechanisms for User Authentication and
55 Authorization. Initially it should support Openstack Keystone as a
56 backend through a plugin model where more backends can be added and a
57 RBAC model to manage permissions on operations.
58 This class must be threading safe
61 periodin_db_pruning
= 60 * 30 # for the internal backend only. every 30 minutes expired tokens will be pruned
62 token_limit
= 500 # when reached, the token cache will be cleared
64 def __init__(self
, valid_methods
, valid_query_string
):
66 Authenticator initializer. Setup the initial state of the object,
67 while it waits for the config dictionary and database initialization.
73 self
.tokens_cache
= dict()
74 self
.next_db_prune_time
= 0 # time when next cleaning of expired tokens must be done
75 self
.roles_to_operations_file
= None
76 # self.roles_to_operations_table = None
77 self
.resources_to_operations_mapping
= {}
78 self
.operation_to_allowed_roles
= {}
79 self
.logger
= logging
.getLogger("nbi.authenticator")
80 self
.role_permissions
= []
81 self
.valid_methods
= valid_methods
82 self
.valid_query_string
= valid_query_string
84 def start(self
, config
):
86 Method to configure the Authenticator object. This method should be called
87 after object creation. It is responsible by initializing the selected backend,
88 as well as the initialization of the database connection.
90 :param config: dictionary containing the relevant parameters for this object.
96 if config
["database"]["driver"] == "mongo":
97 self
.db
= dbmongo
.DbMongo()
98 self
.db
.db_connect(config
["database"])
99 elif config
["database"]["driver"] == "memory":
100 self
.db
= dbmemory
.DbMemory()
101 self
.db
.db_connect(config
["database"])
103 raise AuthException("Invalid configuration param '{}' at '[database]':'driver'"
104 .format(config
["database"]["driver"]))
106 if config
["message"]["driver"] == "local":
107 self
.msg
= msglocal
.MsgLocal()
108 self
.msg
.connect(config
["message"])
109 elif config
["message"]["driver"] == "kafka":
110 self
.msg
= msgkafka
.MsgKafka()
111 self
.msg
.connect(config
["message"])
113 raise AuthException("Invalid configuration param '{}' at '[message]':'driver'"
114 .format(config
["message"]["driver"]))
116 if config
["authentication"]["backend"] == "keystone":
117 self
.backend
= AuthconnKeystone(self
.config
["authentication"], self
.db
)
118 elif config
["authentication"]["backend"] == "internal":
119 self
.backend
= AuthconnInternal(self
.config
["authentication"], self
.db
)
120 self
._internal
_tokens
_prune
()
122 raise AuthException("Unknown authentication backend: {}"
123 .format(config
["authentication"]["backend"]))
125 if not self
.roles_to_operations_file
:
126 if "roles_to_operations" in config
["rbac"]:
127 self
.roles_to_operations_file
= config
["rbac"]["roles_to_operations"]
130 __file__
[:__file__
.rfind("auth.py")] + "roles_to_operations.yml",
131 "./roles_to_operations.yml"
133 for config_file
in possible_paths
:
134 if path
.isfile(config_file
):
135 self
.roles_to_operations_file
= config_file
137 if not self
.roles_to_operations_file
:
138 raise AuthException("Invalid permission configuration: roles_to_operations file missing")
140 # load role_permissions
141 def load_role_permissions(method_dict
):
142 for k
in method_dict
:
143 if k
== "ROLE_PERMISSION":
144 for method
in chain(method_dict
.get("METHODS", ()), method_dict
.get("TODO", ())):
145 permission
= method_dict
["ROLE_PERMISSION"] + method
.lower()
146 if permission
not in self
.role_permissions
:
147 self
.role_permissions
.append(permission
)
148 elif k
in ("TODO", "METHODS"):
151 load_role_permissions(method_dict
[k
])
153 load_role_permissions(self
.valid_methods
)
154 for query_string
in self
.valid_query_string
:
155 for method
in ("get", "put", "patch", "post", "delete"):
156 permission
= query_string
.lower() + ":" + method
157 if permission
not in self
.role_permissions
:
158 self
.role_permissions
.append(permission
)
160 except Exception as e
:
161 raise AuthException(str(e
))
166 self
.db
.db_disconnect()
167 except DbException
as e
:
168 raise AuthException(str(e
), http_code
=e
.http_code
)
170 def create_admin_project(self
):
172 Creates a new project 'admin' into database if it doesn't exist. Useful for initialization.
173 :return: _id identity of the 'admin' project
176 # projects = self.db.get_one("projects", fail_on_empty=False, fail_on_more=False)
177 project_desc
= {"name": "admin"}
178 projects
= self
.backend
.get_project_list(project_desc
)
180 return projects
[0]["_id"]
182 project_desc
["_id"] = str(uuid4())
183 project_desc
["_admin"] = {"created": now
, "modified": now
}
184 pid
= self
.backend
.create_project(project_desc
)
185 self
.logger
.info("Project '{}' created at database".format(project_desc
["name"]))
188 def create_admin_user(self
, project_id
):
190 Creates a new user admin/admin into database if database is empty. Useful for initialization
191 :return: _id identity of the inserted data, or None
193 # users = self.db.get_one("users", fail_on_empty=False, fail_on_more=False)
194 users
= self
.backend
.get_user_list()
197 # user_desc = {"username": "admin", "password": "admin", "projects": [project_id]}
199 user_desc
= {"username": "admin", "password": "admin", "_admin": {"created": now
, "modified": now
}}
203 # proj = self.db.get_one("projects", {"name": "admin"}, fail_on_empty=False, fail_on_more=False)
204 proj
= self
.backend
.get_project_list({"name": "admin"})
205 pid
= proj
[0]["_id"] if proj
else None
206 # role = self.db.get_one("roles", {"name": "system_admin"}, fail_on_empty=False, fail_on_more=False)
207 roles
= self
.backend
.get_role_list({"name": "system_admin"})
209 user_desc
["project_role_mappings"] = [{"project": pid
, "role": roles
[0]["_id"]}]
210 uid
= self
.backend
.create_user(user_desc
)
211 self
.logger
.info("User '{}' created at database".format(user_desc
["username"]))
214 def init_db(self
, target_version
='1.0'):
216 Check if the database has been initialized, with at least one user. If not, create the required tables
217 and insert the predefined mappings between roles and permissions.
219 :param target_version: schema version that should be present in the database.
220 :return: None if OK, exception if error or version is different.
223 records
= self
.backend
.get_role_list()
225 # Loading permissions to MongoDB if there is not any permission.
226 if not records
or (len(records
) == 1 and records
[0]["name"] == "admin"):
227 with
open(self
.roles_to_operations_file
, "r") as stream
:
228 roles_to_operations_yaml
= yaml
.load(stream
, Loader
=yaml
.Loader
)
231 for role_with_operations
in roles_to_operations_yaml
["roles"]:
232 # Verifying if role already exists. If it does, raise exception
233 if role_with_operations
["name"] not in role_names
:
234 role_names
.append(role_with_operations
["name"])
236 raise AuthException("Duplicated role name '{}' at file '{}''"
237 .format(role_with_operations
["name"], self
.roles_to_operations_file
))
239 if not role_with_operations
["permissions"]:
242 for permission
, is_allowed
in role_with_operations
["permissions"].items():
243 if not isinstance(is_allowed
, bool):
244 raise AuthException("Invalid value for permission '{}' at role '{}'; at file '{}'"
245 .format(permission
, role_with_operations
["name"],
246 self
.roles_to_operations_file
))
248 # TODO chek permission is ok
249 if permission
[-1] == ":":
250 raise AuthException("Invalid permission '{}' terminated in ':' for role '{}'; at file {}"
251 .format(permission
, role_with_operations
["name"],
252 self
.roles_to_operations_file
))
254 if "default" not in role_with_operations
["permissions"]:
255 role_with_operations
["permissions"]["default"] = False
256 if "admin" not in role_with_operations
["permissions"]:
257 role_with_operations
["permissions"]["admin"] = False
260 role_with_operations
["_admin"] = {
265 # self.db.create(self.roles_to_operations_table, role_with_operations)
266 self
.backend
.create_role(role_with_operations
)
267 self
.logger
.info("Role '{}' created at database".format(role_with_operations
["name"]))
269 # Create admin project&user if required
270 pid
= self
.create_admin_project()
271 user_id
= self
.create_admin_user(pid
)
273 # try to assign system_admin role to user admin if not any user has this role
276 users
= self
.backend
.get_user_list()
277 roles
= self
.backend
.get_role_list({"name": "system_admin"})
278 role_id
= roles
[0]["_id"]
279 user_with_system_admin
= False
282 if not user_admin_id
:
283 user_admin_id
= user
["_id"]
284 if user
["username"] == "admin":
285 user_admin_id
= user
["_id"]
286 for prm
in user
.get("project_role_mappings", ()):
287 if prm
["role"] == role_id
:
288 user_with_system_admin
= True
290 if user_with_system_admin
:
292 if not user_with_system_admin
:
293 self
.backend
.update_user({"_id": user_admin_id
,
294 "add_project_role_mappings": [{"project": pid
, "role": role_id
}]})
295 self
.logger
.info("Added role system admin to user='{}' project=admin".format(user_admin_id
))
296 except Exception as e
:
297 self
.logger
.error("Error in Authorization DataBase initialization: {}: {}".format(type(e
).__name
__, e
))
299 self
.load_operation_to_allowed_roles()
301 def load_operation_to_allowed_roles(self
):
303 Fills the internal self.operation_to_allowed_roles based on database role content and self.role_permissions
304 It works in a shadow copy and replace at the end to allow other threads working with the old copy
308 permissions
= {oper
: [] for oper
in self
.role_permissions
}
309 # records = self.db.get_list(self.roles_to_operations_table)
310 records
= self
.backend
.get_role_list()
312 ignore_fields
= ["_id", "_admin", "name", "default"]
313 for record
in records
:
314 if not record
.get("permissions"):
316 record_permissions
= {oper
: record
["permissions"].get("default", False) for oper
in self
.role_permissions
}
317 operations_joined
= [(oper
, value
) for oper
, value
in record
["permissions"].items()
318 if oper
not in ignore_fields
]
319 operations_joined
.sort(key
=lambda x
: x
[0].count(":"))
321 for oper
in operations_joined
:
322 match
= list(filter(lambda x
: x
.find(oper
[0]) == 0, record_permissions
.keys()))
325 record_permissions
[m
] = oper
[1]
327 allowed_operations
= [k
for k
, v
in record_permissions
.items() if v
is True]
329 for allowed_op
in allowed_operations
:
330 permissions
[allowed_op
].append(record
["name"])
332 self
.operation_to_allowed_roles
= permissions
334 def authorize(self
, role_permission
=None, query_string_operations
=None, item_id
=None):
338 # 1. Get token Authorization bearer
339 auth
= cherrypy
.request
.headers
.get("Authorization")
341 auth_list
= auth
.split(" ")
342 if auth_list
[0].lower() == "bearer":
343 token
= auth_list
[-1]
344 elif auth_list
[0].lower() == "basic":
345 user_passwd64
= auth_list
[-1]
347 if cherrypy
.session
.get("Authorization"):
348 # 2. Try using session before request a new token. If not, basic authentication will generate
349 token
= cherrypy
.session
.get("Authorization")
350 if token
== "logout":
351 token
= None # force Unauthorized response to insert user password again
352 elif user_passwd64
and cherrypy
.request
.config
.get("auth.allow_basic_authentication"):
353 # 3. Get new token from user password
357 user_passwd
= standard_b64decode(user_passwd64
).decode()
358 user
, _
, passwd
= user_passwd
.partition(":")
361 outdata
= self
.new_token(None, {"username": user
, "password": passwd
})
362 token
= outdata
["_id"]
363 cherrypy
.session
['Authorization'] = token
366 raise AuthException("Needed a token or Authorization http header",
367 http_code
=HTTPStatus
.UNAUTHORIZED
)
369 # try to get from cache first
371 token_info
= self
.tokens_cache
.get(token
)
372 if token_info
and token_info
["expires"] < now
:
373 # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del
374 self
.tokens_cache
.pop(token
, None)
377 # get from database if not in cache
379 token_info
= self
.backend
.validate_token(token
)
380 # Clear cache if token limit reached
381 if len(self
.tokens_cache
) > self
.token_limit
:
382 self
.tokens_cache
.clear()
383 self
.tokens_cache
[token
] = token_info
384 # TODO add to token info remote host, port
387 RBAC_auth
= self
.check_permissions(token_info
, cherrypy
.request
.method
, role_permission
,
388 query_string_operations
, item_id
)
389 token_info
["allow_show_user_project_role"] = RBAC_auth
392 except AuthException
as e
:
393 if not isinstance(e
, AuthExceptionUnauthorized
):
394 if cherrypy
.session
.get('Authorization'):
395 del cherrypy
.session
['Authorization']
396 cherrypy
.response
.headers
["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e
)
397 elif self
.config
.get("user_not_authorized"):
398 # TODO provide user_id, roles id (not name), project_id
399 return {"id": "fake-token-id-for-test",
400 "project_id": self
.config
.get("project_not_authorized", "admin"),
401 "username": self
.config
["user_not_authorized"],
402 "roles": ["system_admin"]}
405 def new_token(self
, token_info
, indata
, remote
):
406 new_token_info
= self
.backend
.authenticate(
407 user
=indata
.get("username"),
408 password
=indata
.get("password"),
409 token_info
=token_info
,
410 project
=indata
.get("project_id")
413 new_token_info
["remote_port"] = remote
.port
414 if not new_token_info
.get("expires"):
415 new_token_info
["expires"] = time() + 3600
416 if not new_token_info
.get("admin"):
417 new_token_info
["admin"] = True if new_token_info
.get("project_name") == "admin" else False
418 # TODO put admin in RBAC
421 new_token_info
["remote_host"] = remote
.name
423 new_token_info
["remote_host"] = remote
.ip
425 # TODO call self._internal_tokens_prune(now) ?
426 return deepcopy(new_token_info
)
428 def get_token_list(self
, token_info
):
429 if self
.config
["authentication"]["backend"] == "internal":
430 return self
._internal
_get
_token
_list
(token_info
)
432 # TODO: check if this can be avoided. Backend may provide enough information
433 return [deepcopy(token
) for token
in self
.tokens_cache
.values()
434 if token
["username"] == token_info
["username"]]
436 def get_token(self
, token_info
, token
):
437 if self
.config
["authentication"]["backend"] == "internal":
438 return self
._internal
_get
_token
(token_info
, token
)
440 # TODO: check if this can be avoided. Backend may provide enough information
441 token_value
= self
.tokens_cache
.get(token
)
443 raise AuthException("token not found", http_code
=HTTPStatus
.NOT_FOUND
)
444 if token_value
["username"] != token_info
["username"] and not token_info
["admin"]:
445 raise AuthException("needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
)
448 def del_token(self
, token
):
450 self
.backend
.revoke_token(token
)
451 # self.tokens_cache.pop(token, None)
452 self
.remove_token_from_cache(token
)
453 return "token '{}' deleted".format(token
)
455 raise AuthException("Token '{}' not found".format(token
), http_code
=HTTPStatus
.NOT_FOUND
)
457 def check_permissions(self
, token_info
, method
, role_permission
=None, query_string_operations
=None, item_id
=None):
459 Checks that operation has permissions to be done, base on the assigned roles to this user project
460 :param token_info: Dictionary that contains "roles" with a list of assigned roles.
461 This method fills the token_info["admin"] with True or False based on assigned tokens, if any allows admin
462 This will be used among others to hide or not the _admin content of topics
463 :param method: GET,PUT, POST, ...
464 :param role_permission: role permission name of the operation required
465 :param query_string_operations: list of possible admin query strings provided by user. It is checked that the
466 assigned role allows this query string for this method
467 :param item_id: item identifier if included in the URL, None otherwise
468 :return: True if access granted by permission rules, False if access granted by default rules (Bug 853)
469 :raises: AuthExceptionUnauthorized if access denied
472 roles_required
= self
.operation_to_allowed_roles
[role_permission
]
473 roles_allowed
= [role
["name"] for role
in token_info
["roles"]]
475 # fills token_info["admin"] if some roles allows it
476 token_info
["admin"] = False
477 for role
in roles_allowed
:
478 if role
in self
.operation_to_allowed_roles
["admin:" + method
.lower()]:
479 token_info
["admin"] = True
482 if "anonymous" in roles_required
:
484 operation_allowed
= False
485 for role
in roles_allowed
:
486 if role
in roles_required
:
487 operation_allowed
= True
488 # if query_string operations, check if this role allows it
489 if not query_string_operations
:
491 for query_string_operation
in query_string_operations
:
492 if role
not in self
.operation_to_allowed_roles
[query_string_operation
]:
497 # Bug 853 - Final Solution
498 # User/Project/Role whole listings are filtered elsewhere
499 # uid, pid, rid = ("user_id", "project_id", "id") if is_valid_uuid(id) else ("username", "project_name", "name")
500 uid
= "user_id" if is_valid_uuid(item_id
) else "username"
501 if (role_permission
in ["projects:get", "projects:id:get", "roles:get", "roles:id:get", "users:get"]) \
502 or (role_permission
== "users:id:get" and item_id
== token_info
[uid
]):
503 # or (role_permission == "projects:id:get" and item_id == token_info[pid]) \
504 # or (role_permission == "roles:id:get" and item_id in [role[rid] for role in token_info["roles"]]):
507 if not operation_allowed
:
508 raise AuthExceptionUnauthorized("Access denied: lack of permissions.")
510 raise AuthExceptionUnauthorized("Access denied: You have not permissions to use these admin query string")
512 def get_user_list(self
):
513 return self
.backend
.get_user_list()
515 def _normalize_url(self
, url
, method
):
517 # Removing query strings
518 normalized_url
= url
if '?' not in url
else url
[:url
.find("?")]
519 normalized_url_splitted
= normalized_url
.split("/")
522 filtered_keys
= [key
for key
in self
.resources_to_operations_mapping
.keys()
523 if method
in key
.split()[0]]
525 for idx
, path_part
in enumerate(normalized_url_splitted
):
527 for tmp_key
in filtered_keys
:
528 splitted
= tmp_key
.split()[1].split("/")
529 if idx
>= len(splitted
):
531 elif "<" in splitted
[idx
] and ">" in splitted
[idx
]:
532 if splitted
[idx
] == "<artifactPath>":
533 tmp_keys
.append(tmp_key
)
535 elif idx
== len(normalized_url_splitted
) - 1 and \
536 len(normalized_url_splitted
) != len(splitted
):
539 tmp_keys
.append(tmp_key
)
540 elif splitted
[idx
] == path_part
:
541 if idx
== len(normalized_url_splitted
) - 1 and \
542 len(normalized_url_splitted
) != len(splitted
):
545 tmp_keys
.append(tmp_key
)
546 filtered_keys
= tmp_keys
547 if len(filtered_keys
) == 1 and \
548 filtered_keys
[0].split("/")[-1] == "<artifactPath>":
551 if len(filtered_keys
) == 0:
552 raise AuthException("Cannot make an authorization decision. URL not found. URL: {0}".format(url
))
553 elif len(filtered_keys
) > 1:
554 raise AuthException("Cannot make an authorization decision. Multiple URLs found. URL: {0}".format(url
))
556 filtered_key
= filtered_keys
[0]
558 for idx
, path_part
in enumerate(filtered_key
.split()[1].split("/")):
559 if "<" in path_part
and ">" in path_part
:
560 if path_part
== "<artifactPath>":
561 parameters
[path_part
[1:-1]] = "/".join(normalized_url_splitted
[idx
:])
563 parameters
[path_part
[1:-1]] = normalized_url_splitted
[idx
]
565 return filtered_key
, parameters
567 def _internal_get_token_list(self
, token_info
):
569 token_list
= self
.db
.get_list("tokens", {"username": token_info
["username"], "expires.gt": now
})
572 def _internal_get_token(self
, token_info
, token_id
):
573 token_value
= self
.db
.get_one("tokens", {"_id": token_id
}, fail_on_empty
=False)
575 raise AuthException("token not found", http_code
=HTTPStatus
.NOT_FOUND
)
576 if token_value
["username"] != token_info
["username"] and not token_info
["admin"]:
577 raise AuthException("needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
)
580 def _internal_tokens_prune(self
, now
=None):
582 if not self
.next_db_prune_time
or self
.next_db_prune_time
>= now
:
583 self
.db
.del_list("tokens", {"expires.lt": now
})
584 self
.next_db_prune_time
= self
.periodin_db_pruning
+ now
585 # self.tokens_cache.clear() # not required any more
587 def remove_token_from_cache(self
, token
=None):
589 self
.tokens_cache
.pop(token
, None)
591 self
.tokens_cache
.clear()
592 self
.msg
.write("admin", "revoke_token", {"_id": token
} if token
else None)