1 # -*- coding: utf-8 -*-
3 # Copyright 2018 Whitestack, LLC
4 # Copyright 2018 Telefonica S.A.
6 # Licensed under the Apache License, Version 2.0 (the "License"); you may
7 # not use this file except in compliance with the License. You may obtain
8 # a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15 # License for the specific language governing permissions and limitations
18 # For those usages not covered by the Apache License, Version 2.0 please
19 # contact: esousa@whitestack.com or alfonso.tiernosepulveda@telefonica.com
24 Authenticator is responsible for authenticating the users,
25 create the tokens unscoped and scoped, retrieve the role
26 list inside the projects that they are inserted
29 __author__
= "Eduardo Sousa <esousa@whitestack.com>; Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30 __date__
= "$27-jul-2018 23:59:59$"
35 from base64
import standard_b64decode
36 from copy
import deepcopy
37 # from functools import reduce
38 from http
import HTTPStatus
42 from osm_nbi
.authconn
import AuthException
, AuthExceptionUnauthorized
43 from osm_nbi
.authconn_keystone
import AuthconnKeystone
44 from osm_nbi
.authconn_internal
import AuthconnInternal
# Comment out for testing&debugging, uncomment when ready
45 from osm_common
import dbmongo
46 from osm_common
import dbmemory
47 from osm_common
.dbbase
import DbException
48 from itertools
import chain
50 from uuid
import uuid4
55 This class should hold all the mechanisms for User Authentication and
56 Authorization. Initially it should support Openstack Keystone as a
57 backend through a plugin model where more backends can be added and a
58 RBAC model to manage permissions on operations.
59 This class must be threading safe
62 periodin_db_pruning
= 60 * 30 # for the internal backend only. every 30 minutes expired tokens will be pruned
64 def __init__(self
, valid_methods
, valid_query_string
):
66 Authenticator initializer. Setup the initial state of the object,
67 while it waits for the config dictionary and database initialization.
72 self
.tokens_cache
= dict()
73 self
.next_db_prune_time
= 0 # time when next cleaning of expired tokens must be done
74 self
.roles_to_operations_file
= None
75 # self.roles_to_operations_table = None
76 self
.resources_to_operations_mapping
= {}
77 self
.operation_to_allowed_roles
= {}
78 self
.logger
= logging
.getLogger("nbi.authenticator")
79 self
.role_permissions
= []
80 self
.valid_methods
= valid_methods
81 self
.valid_query_string
= valid_query_string
83 def start(self
, config
):
85 Method to configure the Authenticator object. This method should be called
86 after object creation. It is responsible by initializing the selected backend,
87 as well as the initialization of the database connection.
89 :param config: dictionary containing the relevant parameters for this object.
95 if config
["database"]["driver"] == "mongo":
96 self
.db
= dbmongo
.DbMongo()
97 self
.db
.db_connect(config
["database"])
98 elif config
["database"]["driver"] == "memory":
99 self
.db
= dbmemory
.DbMemory()
100 self
.db
.db_connect(config
["database"])
102 raise AuthException("Invalid configuration param '{}' at '[database]':'driver'"
103 .format(config
["database"]["driver"]))
105 if config
["authentication"]["backend"] == "keystone":
106 self
.backend
= AuthconnKeystone(self
.config
["authentication"], self
.db
, self
.tokens_cache
)
107 elif config
["authentication"]["backend"] == "internal":
108 self
.backend
= AuthconnInternal(self
.config
["authentication"], self
.db
, self
.tokens_cache
)
109 self
._internal
_tokens
_prune
()
111 raise AuthException("Unknown authentication backend: {}"
112 .format(config
["authentication"]["backend"]))
114 if not self
.roles_to_operations_file
:
115 if "roles_to_operations" in config
["rbac"]:
116 self
.roles_to_operations_file
= config
["rbac"]["roles_to_operations"]
119 __file__
[:__file__
.rfind("auth.py")] + "roles_to_operations.yml",
120 "./roles_to_operations.yml"
122 for config_file
in possible_paths
:
123 if path
.isfile(config_file
):
124 self
.roles_to_operations_file
= config_file
126 if not self
.roles_to_operations_file
:
127 raise AuthException("Invalid permission configuration: roles_to_operations file missing")
129 # load role_permissions
130 def load_role_permissions(method_dict
):
131 for k
in method_dict
:
132 if k
== "ROLE_PERMISSION":
133 for method
in chain(method_dict
.get("METHODS", ()), method_dict
.get("TODO", ())):
134 permission
= method_dict
["ROLE_PERMISSION"] + method
.lower()
135 if permission
not in self
.role_permissions
:
136 self
.role_permissions
.append(permission
)
137 elif k
in ("TODO", "METHODS"):
140 load_role_permissions(method_dict
[k
])
142 load_role_permissions(self
.valid_methods
)
143 for query_string
in self
.valid_query_string
:
144 for method
in ("get", "put", "patch", "post", "delete"):
145 permission
= query_string
.lower() + ":" + method
146 if permission
not in self
.role_permissions
:
147 self
.role_permissions
.append(permission
)
149 except Exception as e
:
150 raise AuthException(str(e
))
155 self
.db
.db_disconnect()
156 except DbException
as e
:
157 raise AuthException(str(e
), http_code
=e
.http_code
)
159 def create_admin_project(self
):
161 Creates a new project 'admin' into database if it doesn't exist. Useful for initialization.
162 :return: _id identity of the 'admin' project
165 # projects = self.db.get_one("projects", fail_on_empty=False, fail_on_more=False)
166 project_desc
= {"name": "admin"}
167 projects
= self
.backend
.get_project_list(project_desc
)
169 return projects
[0]["_id"]
171 project_desc
["_id"] = str(uuid4())
172 project_desc
["_admin"] = {"created": now
, "modified": now
}
173 pid
= self
.backend
.create_project(project_desc
)
174 self
.logger
.info("Project '{}' created at database".format(project_desc
["name"]))
177 def create_admin_user(self
, project_id
):
179 Creates a new user admin/admin into database if database is empty. Useful for initialization
180 :return: _id identity of the inserted data, or None
182 # users = self.db.get_one("users", fail_on_empty=False, fail_on_more=False)
183 users
= self
.backend
.get_user_list()
186 # user_desc = {"username": "admin", "password": "admin", "projects": [project_id]}
188 user_desc
= {"username": "admin", "password": "admin", "_admin": {"created": now
, "modified": now
}}
192 # proj = self.db.get_one("projects", {"name": "admin"}, fail_on_empty=False, fail_on_more=False)
193 proj
= self
.backend
.get_project_list({"name": "admin"})
194 pid
= proj
[0]["_id"] if proj
else None
195 # role = self.db.get_one("roles", {"name": "system_admin"}, fail_on_empty=False, fail_on_more=False)
196 roles
= self
.backend
.get_role_list({"name": "system_admin"})
198 user_desc
["project_role_mappings"] = [{"project": pid
, "role": roles
[0]["_id"]}]
199 uid
= self
.backend
.create_user(user_desc
)
200 self
.logger
.info("User '{}' created at database".format(user_desc
["username"]))
203 def init_db(self
, target_version
='1.0'):
205 Check if the database has been initialized, with at least one user. If not, create the required tables
206 and insert the predefined mappings between roles and permissions.
208 :param target_version: schema version that should be present in the database.
209 :return: None if OK, exception if error or version is different.
212 records
= self
.backend
.get_role_list()
214 # Loading permissions to MongoDB if there is not any permission.
215 if not records
or (len(records
) == 1 and records
[0]["name"] == "admin"):
216 with
open(self
.roles_to_operations_file
, "r") as stream
:
217 roles_to_operations_yaml
= yaml
.load(stream
)
220 for role_with_operations
in roles_to_operations_yaml
["roles"]:
221 # Verifying if role already exists. If it does, raise exception
222 if role_with_operations
["name"] not in role_names
:
223 role_names
.append(role_with_operations
["name"])
225 raise AuthException("Duplicated role name '{}' at file '{}''"
226 .format(role_with_operations
["name"], self
.roles_to_operations_file
))
228 if not role_with_operations
["permissions"]:
231 for permission
, is_allowed
in role_with_operations
["permissions"].items():
232 if not isinstance(is_allowed
, bool):
233 raise AuthException("Invalid value for permission '{}' at role '{}'; at file '{}'"
234 .format(permission
, role_with_operations
["name"],
235 self
.roles_to_operations_file
))
237 # TODO chek permission is ok
238 if permission
[-1] == ":":
239 raise AuthException("Invalid permission '{}' terminated in ':' for role '{}'; at file {}"
240 .format(permission
, role_with_operations
["name"],
241 self
.roles_to_operations_file
))
243 if "default" not in role_with_operations
["permissions"]:
244 role_with_operations
["permissions"]["default"] = False
245 if "admin" not in role_with_operations
["permissions"]:
246 role_with_operations
["permissions"]["admin"] = False
249 role_with_operations
["_admin"] = {
254 # self.db.create(self.roles_to_operations_table, role_with_operations)
255 self
.backend
.create_role(role_with_operations
)
256 self
.logger
.info("Role '{}' created at database".format(role_with_operations
["name"]))
258 # Create admin project&user if required
259 pid
= self
.create_admin_project()
260 user_id
= self
.create_admin_user(pid
)
262 # try to assign system_admin role to user admin if not any user has this role
265 users
= self
.backend
.get_user_list()
266 roles
= self
.backend
.get_role_list({"name": "system_admin"})
267 role_id
= roles
[0]["_id"]
268 user_with_system_admin
= False
271 if not user_admin_id
:
272 user_admin_id
= user
["_id"]
273 if user
["username"] == "admin":
274 user_admin_id
= user
["_id"]
275 for prm
in user
.get("project_role_mappings", ()):
276 if prm
["role"] == role_id
:
277 user_with_system_admin
= True
279 if user_with_system_admin
:
281 if not user_with_system_admin
:
282 self
.backend
.update_user({"_id": user_admin_id
,
283 "add_project_role_mappings": [{"project": pid
, "role": role_id
}]})
284 self
.logger
.info("Added role system admin to user='{}' project=admin".format(user_admin_id
))
288 self
.load_operation_to_allowed_roles()
290 def load_operation_to_allowed_roles(self
):
292 Fills the internal self.operation_to_allowed_roles based on database role content and self.role_permissions
293 It works in a shadow copy and replace at the end to allow other threads working with the old copy
297 permissions
= {oper
: [] for oper
in self
.role_permissions
}
298 # records = self.db.get_list(self.roles_to_operations_table)
299 records
= self
.backend
.get_role_list()
301 ignore_fields
= ["_id", "_admin", "name", "default"]
302 for record
in records
:
303 if not record
.get("permissions"):
305 record_permissions
= {oper
: record
["permissions"].get("default", False) for oper
in self
.role_permissions
}
306 operations_joined
= [(oper
, value
) for oper
, value
in record
["permissions"].items()
307 if oper
not in ignore_fields
]
308 operations_joined
.sort(key
=lambda x
: x
[0].count(":"))
310 for oper
in operations_joined
:
311 match
= list(filter(lambda x
: x
.find(oper
[0]) == 0, record_permissions
.keys()))
314 record_permissions
[m
] = oper
[1]
316 allowed_operations
= [k
for k
, v
in record_permissions
.items() if v
is True]
318 for allowed_op
in allowed_operations
:
319 permissions
[allowed_op
].append(record
["name"])
321 self
.operation_to_allowed_roles
= permissions
323 def authorize(self
, role_permission
=None, query_string_operations
=None):
327 # 1. Get token Authorization bearer
328 auth
= cherrypy
.request
.headers
.get("Authorization")
330 auth_list
= auth
.split(" ")
331 if auth_list
[0].lower() == "bearer":
332 token
= auth_list
[-1]
333 elif auth_list
[0].lower() == "basic":
334 user_passwd64
= auth_list
[-1]
336 if cherrypy
.session
.get("Authorization"):
337 # 2. Try using session before request a new token. If not, basic authentication will generate
338 token
= cherrypy
.session
.get("Authorization")
339 if token
== "logout":
340 token
= None # force Unauthorized response to insert user password again
341 elif user_passwd64
and cherrypy
.request
.config
.get("auth.allow_basic_authentication"):
342 # 3. Get new token from user password
346 user_passwd
= standard_b64decode(user_passwd64
).decode()
347 user
, _
, passwd
= user_passwd
.partition(":")
350 outdata
= self
.new_token(None, {"username": user
, "password": passwd
})
351 token
= outdata
["_id"]
352 cherrypy
.session
['Authorization'] = token
355 raise AuthException("Needed a token or Authorization http header",
356 http_code
=HTTPStatus
.UNAUTHORIZED
)
357 token_info
= self
.backend
.validate_token(token
)
358 # TODO add to token info remote host, port
361 self
.check_permissions(token_info
, cherrypy
.request
.method
, role_permission
,
362 query_string_operations
)
364 except AuthException
as e
:
365 if not isinstance(e
, AuthExceptionUnauthorized
):
366 if cherrypy
.session
.get('Authorization'):
367 del cherrypy
.session
['Authorization']
368 cherrypy
.response
.headers
["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e
)
369 elif self
.config
.get("user_not_authorized"):
370 # TODO provide user_id, roles id (not name), project_id
371 return {"id": "fake-token-id-for-test",
372 "project_id": self
.config
.get("project_not_authorized", "admin"),
373 "username": self
.config
["user_not_authorized"],
374 "roles": ["system_admin"]}
377 def new_token(self
, token_info
, indata
, remote
):
378 new_token_info
= self
.backend
.authenticate(
379 user
=indata
.get("username"),
380 password
=indata
.get("password"),
381 token_info
=token_info
,
382 project
=indata
.get("project_id")
385 new_token_info
["remote_port"] = remote
.port
386 if not new_token_info
.get("expires"):
387 new_token_info
["expires"] = time() + 3600
388 if not new_token_info
.get("admin"):
389 new_token_info
["admin"] = True if new_token_info
.get("project_name") == "admin" else False
390 # TODO put admin in RBAC
393 new_token_info
["remote_host"] = remote
.name
395 new_token_info
["remote_host"] = remote
.ip
397 self
.tokens_cache
[new_token_info
["_id"]] = new_token_info
399 # TODO call self._internal_tokens_prune(now) ?
400 return deepcopy(new_token_info
)
402 def get_token_list(self
, token_info
):
403 if self
.config
["authentication"]["backend"] == "internal":
404 return self
._internal
_get
_token
_list
(token_info
)
406 # TODO: check if this can be avoided. Backend may provide enough information
407 return [deepcopy(token
) for token
in self
.tokens_cache
.values()
408 if token
["username"] == token_info
["username"]]
410 def get_token(self
, token_info
, token
):
411 if self
.config
["authentication"]["backend"] == "internal":
412 return self
._internal
_get
_token
(token_info
, token
)
414 # TODO: check if this can be avoided. Backend may provide enough information
415 token_value
= self
.tokens_cache
.get(token
)
417 raise AuthException("token not found", http_code
=HTTPStatus
.NOT_FOUND
)
418 if token_value
["username"] != token_info
["username"] and not token_info
["admin"]:
419 raise AuthException("needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
)
422 def del_token(self
, token
):
424 self
.backend
.revoke_token(token
)
425 self
.tokens_cache
.pop(token
, None)
426 return "token '{}' deleted".format(token
)
428 raise AuthException("Token '{}' not found".format(token
), http_code
=HTTPStatus
.NOT_FOUND
)
430 def check_permissions(self
, token_info
, method
, role_permission
=None, query_string_operations
=None):
432 Checks that operation has permissions to be done, base on the assigned roles to this user project
433 :param token_info: Dictionary that contains "roles" with a list of assigned roles.
434 This method fills the token_info["admin"] with True or False based on assigned tokens, if any allows admin
435 This will be used among others to hide or not the _admin content of topics
436 :param method: GET,PUT, POST, ...
437 :param role_permission: role permission name of the operation required
438 :param query_string_operations: list of possible admin query strings provided by user. It is checked that the
439 assigned role allows this query string for this method
440 :return: None if granted, exception if not allowed
443 roles_required
= self
.operation_to_allowed_roles
[role_permission
]
444 roles_allowed
= [role
["name"] for role
in token_info
["roles"]]
446 # fills token_info["admin"] if some roles allows it
447 token_info
["admin"] = False
448 for role
in roles_allowed
:
449 if role
in self
.operation_to_allowed_roles
["admin:" + method
.lower()]:
450 token_info
["admin"] = True
453 if "anonymous" in roles_required
:
455 operation_allowed
= False
456 for role
in roles_allowed
:
457 if role
in roles_required
:
458 operation_allowed
= True
459 # if query_string operations, check if this role allows it
460 if not query_string_operations
:
462 for query_string_operation
in query_string_operations
:
463 if role
not in self
.operation_to_allowed_roles
[query_string_operation
]:
468 if not operation_allowed
:
469 raise AuthExceptionUnauthorized("Access denied: lack of permissions.")
471 raise AuthExceptionUnauthorized("Access denied: You have not permissions to use these admin query string")
473 def get_user_list(self
):
474 return self
.backend
.get_user_list()
476 def _normalize_url(self
, url
, method
):
478 # Removing query strings
479 normalized_url
= url
if '?' not in url
else url
[:url
.find("?")]
480 normalized_url_splitted
= normalized_url
.split("/")
483 filtered_keys
= [key
for key
in self
.resources_to_operations_mapping
.keys()
484 if method
in key
.split()[0]]
486 for idx
, path_part
in enumerate(normalized_url_splitted
):
488 for tmp_key
in filtered_keys
:
489 splitted
= tmp_key
.split()[1].split("/")
490 if idx
>= len(splitted
):
492 elif "<" in splitted
[idx
] and ">" in splitted
[idx
]:
493 if splitted
[idx
] == "<artifactPath>":
494 tmp_keys
.append(tmp_key
)
496 elif idx
== len(normalized_url_splitted
) - 1 and \
497 len(normalized_url_splitted
) != len(splitted
):
500 tmp_keys
.append(tmp_key
)
501 elif splitted
[idx
] == path_part
:
502 if idx
== len(normalized_url_splitted
) - 1 and \
503 len(normalized_url_splitted
) != len(splitted
):
506 tmp_keys
.append(tmp_key
)
507 filtered_keys
= tmp_keys
508 if len(filtered_keys
) == 1 and \
509 filtered_keys
[0].split("/")[-1] == "<artifactPath>":
512 if len(filtered_keys
) == 0:
513 raise AuthException("Cannot make an authorization decision. URL not found. URL: {0}".format(url
))
514 elif len(filtered_keys
) > 1:
515 raise AuthException("Cannot make an authorization decision. Multiple URLs found. URL: {0}".format(url
))
517 filtered_key
= filtered_keys
[0]
519 for idx
, path_part
in enumerate(filtered_key
.split()[1].split("/")):
520 if "<" in path_part
and ">" in path_part
:
521 if path_part
== "<artifactPath>":
522 parameters
[path_part
[1:-1]] = "/".join(normalized_url_splitted
[idx
:])
524 parameters
[path_part
[1:-1]] = normalized_url_splitted
[idx
]
526 return filtered_key
, parameters
528 def _internal_get_token_list(self
, token_info
):
530 token_list
= self
.db
.get_list("tokens", {"username": token_info
["username"], "expires.gt": now
})
533 def _internal_get_token(self
, token_info
, token_id
):
534 token_value
= self
.db
.get_one("tokens", {"_id": token_id
}, fail_on_empty
=False)
536 raise AuthException("token not found", http_code
=HTTPStatus
.NOT_FOUND
)
537 if token_value
["username"] != token_info
["username"] and not token_info
["admin"]:
538 raise AuthException("needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
)
541 def _internal_tokens_prune(self
, now
=None):
543 if not self
.next_db_prune_time
or self
.next_db_prune_time
>= now
:
544 self
.db
.del_list("tokens", {"expires.lt": now
})
545 self
.next_db_prune_time
= self
.periodin_db_pruning
+ now
546 self
.tokens_cache
.clear() # force to reload tokens from database