1 # -*- coding: utf-8 -*-
3 # Copyright 2018 Whitestack, LLC
4 # Copyright 2018 Telefonica S.A.
6 # Licensed under the Apache License, Version 2.0 (the "License"); you may
7 # not use this file except in compliance with the License. You may obtain
8 # a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15 # License for the specific language governing permissions and limitations
18 # For those usages not covered by the Apache License, Version 2.0 please
19 # contact: esousa@whitestack.com or alfonso.tiernosepulveda@telefonica.com
24 Authenticator is responsible for authenticating the users,
25 create the tokens unscoped and scoped, retrieve the role
26 list inside the projects that they are inserted
29 __author__
= "Eduardo Sousa <esousa@whitestack.com>; Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30 __date__
= "$27-jul-2018 23:59:59$"
35 from base64
import standard_b64decode
36 from copy
import deepcopy
38 # from functools import reduce
39 from http
import HTTPStatus
43 from osm_nbi
.authconn
import AuthException
, AuthconnException
, AuthExceptionUnauthorized
44 from osm_nbi
.authconn_keystone
import AuthconnKeystone
45 from osm_nbi
.authconn_internal
import AuthconnInternal
46 from osm_nbi
.authconn_tacacs
import AuthconnTacacs
47 from osm_common
import dbmemory
, dbmongo
, msglocal
, msgkafka
48 from osm_common
.dbbase
import DbException
49 from osm_nbi
.validation
import is_valid_uuid
50 from itertools
import chain
51 from uuid
import uuid4
56 This class should hold all the mechanisms for User Authentication and
57 Authorization. Initially it should support Openstack Keystone as a
58 backend through a plugin model where more backends can be added and a
59 RBAC model to manage permissions on operations.
60 This class must be threading safe
63 periodin_db_pruning
= (
65 ) # for the internal backend only. every 30 minutes expired tokens will be pruned
66 token_limit
= 500 # when reached, the token cache will be cleared
68 def __init__(self
, valid_methods
, valid_query_string
):
70 Authenticator initializer. Setup the initial state of the object,
71 while it waits for the config dictionary and database initialization.
77 self
.tokens_cache
= dict()
78 self
.next_db_prune_time
= (
79 0 # time when next cleaning of expired tokens must be done
81 self
.roles_to_operations_file
= None
82 # self.roles_to_operations_table = None
83 self
.resources_to_operations_mapping
= {}
84 self
.operation_to_allowed_roles
= {}
85 self
.logger
= logging
.getLogger("nbi.authenticator")
86 self
.role_permissions
= []
87 self
.valid_methods
= valid_methods
88 self
.valid_query_string
= valid_query_string
89 self
.system_admin_role_id
= None # system_role id
90 self
.test_project_id
= None # test_project_id
92 def start(self
, config
):
94 Method to configure the Authenticator object. This method should be called
95 after object creation. It is responsible by initializing the selected backend,
96 as well as the initialization of the database connection.
98 :param config: dictionary containing the relevant parameters for this object.
104 if config
["database"]["driver"] == "mongo":
105 self
.db
= dbmongo
.DbMongo()
106 self
.db
.db_connect(config
["database"])
107 elif config
["database"]["driver"] == "memory":
108 self
.db
= dbmemory
.DbMemory()
109 self
.db
.db_connect(config
["database"])
112 "Invalid configuration param '{}' at '[database]':'driver'".format(
113 config
["database"]["driver"]
117 if config
["message"]["driver"] == "local":
118 self
.msg
= msglocal
.MsgLocal()
119 self
.msg
.connect(config
["message"])
120 elif config
["message"]["driver"] == "kafka":
121 self
.msg
= msgkafka
.MsgKafka()
122 self
.msg
.connect(config
["message"])
125 "Invalid configuration param '{}' at '[message]':'driver'".format(
126 config
["message"]["driver"]
130 if config
["authentication"]["backend"] == "keystone":
131 self
.backend
= AuthconnKeystone(
132 self
.config
["authentication"], self
.db
, self
.role_permissions
134 elif config
["authentication"]["backend"] == "internal":
135 self
.backend
= AuthconnInternal(
136 self
.config
["authentication"], self
.db
, self
.role_permissions
138 self
._internal
_tokens
_prune
("tokens")
139 elif config
["authentication"]["backend"] == "tacacs":
140 self
.backend
= AuthconnTacacs(
141 self
.config
["authentication"], self
.db
, self
.role_permissions
143 self
._internal
_tokens
_prune
("tokens_tacacs")
146 "Unknown authentication backend: {}".format(
147 config
["authentication"]["backend"]
151 if not self
.roles_to_operations_file
:
152 if "roles_to_operations" in config
["rbac"]:
153 self
.roles_to_operations_file
= config
["rbac"][
154 "roles_to_operations"
158 __file__
[: __file__
.rfind("auth.py")]
159 + "roles_to_operations.yml",
160 "./roles_to_operations.yml",
162 for config_file
in possible_paths
:
163 if path
.isfile(config_file
):
164 self
.roles_to_operations_file
= config_file
166 if not self
.roles_to_operations_file
:
168 "Invalid permission configuration: roles_to_operations file missing"
171 # load role_permissions
172 def load_role_permissions(method_dict
):
173 for k
in method_dict
:
174 if k
== "ROLE_PERMISSION":
176 method_dict
.get("METHODS", ()), method_dict
.get("TODO", ())
178 permission
= method_dict
["ROLE_PERMISSION"] + method
.lower()
179 if permission
not in self
.role_permissions
:
180 self
.role_permissions
.append(permission
)
181 elif k
in ("TODO", "METHODS"):
184 load_role_permissions(method_dict
[k
])
186 load_role_permissions(self
.valid_methods
)
187 for query_string
in self
.valid_query_string
:
188 for method
in ("get", "put", "patch", "post", "delete"):
189 permission
= query_string
.lower() + ":" + method
190 if permission
not in self
.role_permissions
:
191 self
.role_permissions
.append(permission
)
193 # get ids of role system_admin and test project
194 role_system_admin
= self
.db
.get_one(
195 "roles", {"name": "system_admin"}, fail_on_empty
=False
197 if role_system_admin
:
198 self
.system_admin_role_id
= role_system_admin
["_id"]
199 test_project_name
= self
.config
["authentication"].get(
200 "project_not_authorized", "admin"
202 test_project
= self
.db
.get_one(
203 "projects", {"name": test_project_name
}, fail_on_empty
=False
206 self
.test_project_id
= test_project
["_id"]
208 except Exception as e
:
209 raise AuthException(str(e
))
214 self
.db
.db_disconnect()
215 except DbException
as e
:
216 raise AuthException(str(e
), http_code
=e
.http_code
)
218 def create_admin_project(self
):
220 Creates a new project 'admin' into database if it doesn't exist. Useful for initialization.
221 :return: _id identity of the 'admin' project
224 # projects = self.db.get_one("projects", fail_on_empty=False, fail_on_more=False)
225 project_desc
= {"name": "admin"}
226 projects
= self
.backend
.get_project_list(project_desc
)
228 return projects
[0]["_id"]
230 project_desc
["_id"] = str(uuid4())
231 project_desc
["_admin"] = {"created": now
, "modified": now
}
232 pid
= self
.backend
.create_project(project_desc
)
234 "Project '{}' created at database".format(project_desc
["name"])
238 def create_admin_user(self
, project_id
):
240 Creates a new user admin/admin into database if database is empty. Useful for initialization
241 :return: _id identity of the inserted data, or None
243 # users = self.db.get_one("users", fail_on_empty=False, fail_on_more=False)
244 users
= self
.backend
.get_user_list()
247 # user_desc = {"username": "admin", "password": "admin", "projects": [project_id]}
252 "_admin": {"created": now
, "modified": now
},
257 # proj = self.db.get_one("projects", {"name": "admin"}, fail_on_empty=False, fail_on_more=False)
258 proj
= self
.backend
.get_project_list({"name": "admin"})
259 pid
= proj
[0]["_id"] if proj
else None
260 # role = self.db.get_one("roles", {"name": "system_admin"}, fail_on_empty=False, fail_on_more=False)
261 roles
= self
.backend
.get_role_list({"name": "system_admin"})
263 user_desc
["project_role_mappings"] = [
264 {"project": pid
, "role": roles
[0]["_id"]}
266 uid
= self
.backend
.create_user(user_desc
)
267 self
.logger
.info("User '{}' created at database".format(user_desc
["username"]))
270 def init_db(self
, target_version
="1.0"):
272 Check if the database has been initialized, with at least one user. If not, create the required tables
273 and insert the predefined mappings between roles and permissions.
275 :param target_version: schema version that should be present in the database.
276 :return: None if OK, exception if error or version is different.
279 records
= self
.backend
.get_role_list()
281 # Loading permissions to AUTH. At lease system_admin must be present.
282 if not records
or not next(
283 (r
for r
in records
if r
["name"] == "system_admin"), None
285 with
open(self
.roles_to_operations_file
, "r") as stream
:
286 roles_to_operations_yaml
= yaml
.load(stream
, Loader
=yaml
.Loader
)
289 for role_with_operations
in roles_to_operations_yaml
["roles"]:
290 # Verifying if role already exists. If it does, raise exception
291 if role_with_operations
["name"] not in role_names
:
292 role_names
.append(role_with_operations
["name"])
295 "Duplicated role name '{}' at file '{}''".format(
296 role_with_operations
["name"], self
.roles_to_operations_file
300 if not role_with_operations
["permissions"]:
303 for permission
, is_allowed
in role_with_operations
[
306 if not isinstance(is_allowed
, bool):
308 "Invalid value for permission '{}' at role '{}'; at file '{}'".format(
310 role_with_operations
["name"],
311 self
.roles_to_operations_file
,
315 # TODO check permission is ok
316 if permission
[-1] == ":":
318 "Invalid permission '{}' terminated in ':' for role '{}'; at file {}".format(
320 role_with_operations
["name"],
321 self
.roles_to_operations_file
,
325 if "default" not in role_with_operations
["permissions"]:
326 role_with_operations
["permissions"]["default"] = False
327 if "admin" not in role_with_operations
["permissions"]:
328 role_with_operations
["permissions"]["admin"] = False
331 role_with_operations
["_admin"] = {
336 # self.db.create(self.roles_to_operations_table, role_with_operations)
338 self
.backend
.create_role(role_with_operations
)
340 "Role '{}' created".format(role_with_operations
["name"])
342 except (AuthException
, AuthconnException
) as e
:
343 if role_with_operations
["name"] == "system_admin":
346 "Role '{}' cannot be created: {}".format(
347 role_with_operations
["name"], e
351 # Create admin project&user if required
352 pid
= self
.create_admin_project()
353 user_id
= self
.create_admin_user(pid
)
355 # try to assign system_admin role to user admin if not any user has this role
358 users
= self
.backend
.get_user_list()
359 roles
= self
.backend
.get_role_list({"name": "system_admin"})
360 role_id
= roles
[0]["_id"]
361 user_with_system_admin
= False
364 if not user_admin_id
:
365 user_admin_id
= user
["_id"]
366 if user
["username"] == "admin":
367 user_admin_id
= user
["_id"]
368 for prm
in user
.get("project_role_mappings", ()):
369 if prm
["role"] == role_id
:
370 user_with_system_admin
= True
372 if user_with_system_admin
:
374 if not user_with_system_admin
:
375 self
.backend
.update_user(
377 "_id": user_admin_id
,
378 "add_project_role_mappings": [
379 {"project": pid
, "role": role_id
}
384 "Added role system admin to user='{}' project=admin".format(
388 except Exception as e
:
390 "Error in Authorization DataBase initialization: {}: {}".format(
395 self
.load_operation_to_allowed_roles()
397 def load_operation_to_allowed_roles(self
):
399 Fills the internal self.operation_to_allowed_roles based on database role content and self.role_permissions
400 It works in a shadow copy and replace at the end to allow other threads working with the old copy
403 permissions
= {oper
: [] for oper
in self
.role_permissions
}
404 # records = self.db.get_list(self.roles_to_operations_table)
405 records
= self
.backend
.get_role_list()
407 ignore_fields
= ["_id", "_admin", "name", "default"]
408 for record
in records
:
409 if not record
.get("permissions"):
411 record_permissions
= {
412 oper
: record
["permissions"].get("default", False)
413 for oper
in self
.role_permissions
415 operations_joined
= [
417 for oper
, value
in record
["permissions"].items()
418 if oper
not in ignore_fields
420 operations_joined
.sort(key
=lambda x
: x
[0].count(":"))
422 for oper
in operations_joined
:
424 filter(lambda x
: x
.find(oper
[0]) == 0, record_permissions
.keys())
428 record_permissions
[m
] = oper
[1]
430 allowed_operations
= [k
for k
, v
in record_permissions
.items() if v
is True]
432 for allowed_op
in allowed_operations
:
433 permissions
[allowed_op
].append(record
["name"])
435 self
.operation_to_allowed_roles
= permissions
438 self
, role_permission
=None, query_string_operations
=None, item_id
=None
443 # 1. Get token Authorization bearer
444 auth
= cherrypy
.request
.headers
.get("Authorization")
446 auth_list
= auth
.split(" ")
447 if auth_list
[0].lower() == "bearer":
448 token
= auth_list
[-1]
449 elif auth_list
[0].lower() == "basic":
450 user_passwd64
= auth_list
[-1]
452 if cherrypy
.session
.get("Authorization"):
453 # 2. Try using session before request a new token. If not, basic authentication will generate
454 token
= cherrypy
.session
.get("Authorization")
455 if token
== "logout":
456 token
= None # force Unauthorized response to insert user password again
457 elif user_passwd64
and cherrypy
.request
.config
.get(
458 "auth.allow_basic_authentication"
460 # 3. Get new token from user password
464 user_passwd
= standard_b64decode(user_passwd64
).decode()
465 user
, _
, passwd
= user_passwd
.partition(":")
468 outdata
= self
.new_token(
469 None, {"username": user
, "password": passwd
}
471 token
= outdata
["_id"]
472 cherrypy
.session
["Authorization"] = token
476 "Needed a token or Authorization http header",
477 http_code
=HTTPStatus
.UNAUTHORIZED
,
480 # try to get from cache first
482 token_info
= self
.tokens_cache
.get(token
)
483 if token_info
and token_info
["expires"] < now
:
484 # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del
485 self
.tokens_cache
.pop(token
, None)
488 # get from database if not in cache
490 token_info
= self
.backend
.validate_token(token
)
491 # Clear cache if token limit reached
492 if len(self
.tokens_cache
) > self
.token_limit
:
493 self
.tokens_cache
.clear()
494 self
.tokens_cache
[token
] = token_info
495 # TODO add to token info remote host, port
498 RBAC_auth
= self
.check_permissions(
500 cherrypy
.request
.method
,
502 query_string_operations
,
505 self
.logger
.info("RBAC_auth: {}".format(RBAC_auth
))
506 token_info
["allow_show_user_project_role"] = RBAC_auth
509 except AuthException
as e
:
510 if not isinstance(e
, AuthExceptionUnauthorized
):
511 if cherrypy
.session
.get("Authorization"):
512 del cherrypy
.session
["Authorization"]
513 cherrypy
.response
.headers
[
515 ] = 'Bearer realm="{}"'.format(e
)
516 if self
.config
["authentication"].get("user_not_authorized"):
518 "id": "testing-token",
519 "_id": "testing-token",
520 "project_id": self
.test_project_id
,
521 "username": self
.config
["authentication"]["user_not_authorized"],
522 "roles": [self
.system_admin_role_id
],
524 "allow_show_user_project_role": True,
528 def new_token(self
, token_info
, indata
, remote
):
529 new_token_info
= self
.backend
.authenticate(
531 token_info
=token_info
,
534 new_token_info
["remote_port"] = remote
.port
535 if not new_token_info
.get("expires"):
536 new_token_info
["expires"] = time() + 3600
537 if not new_token_info
.get("admin"):
538 new_token_info
["admin"] = (
539 True if new_token_info
.get("project_name") == "admin" else False
541 # TODO put admin in RBAC
544 new_token_info
["remote_host"] = remote
.name
546 new_token_info
["remote_host"] = remote
.ip
548 # TODO call self._internal_tokens_prune(now) ?
549 return deepcopy(new_token_info
)
551 def get_token_list(self
, token_info
):
552 if self
.config
["authentication"]["backend"] == "internal":
553 return self
._internal
_get
_token
_list
(token_info
)
555 # TODO: check if this can be avoided. Backend may provide enough information
558 for token
in self
.tokens_cache
.values()
559 if token
["username"] == token_info
["username"]
562 def get_token(self
, token_info
, token
):
563 if self
.config
["authentication"]["backend"] == "internal":
564 return self
._internal
_get
_token
(token_info
, token
)
566 # TODO: check if this can be avoided. Backend may provide enough information
567 token_value
= self
.tokens_cache
.get(token
)
569 raise AuthException("token not found", http_code
=HTTPStatus
.NOT_FOUND
)
571 token_value
["username"] != token_info
["username"]
572 and not token_info
["admin"]
575 "needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
579 def del_token(self
, token
):
581 self
.backend
.revoke_token(token
)
582 # self.tokens_cache.pop(token, None)
583 self
.remove_token_from_cache(token
)
584 return "token '{}' deleted".format(token
)
587 "Token '{}' not found".format(token
), http_code
=HTTPStatus
.NOT_FOUND
590 def check_permissions(
594 role_permission
=None,
595 query_string_operations
=None,
599 Checks that operation has permissions to be done, base on the assigned roles to this user project
600 :param token_info: Dictionary that contains "roles" with a list of assigned roles.
601 This method fills the token_info["admin"] with True or False based on assigned tokens, if any allows admin
602 This will be used among others to hide or not the _admin content of topics
603 :param method: GET,PUT, POST, ...
604 :param role_permission: role permission name of the operation required
605 :param query_string_operations: list of possible admin query strings provided by user. It is checked that the
606 assigned role allows this query string for this method
607 :param item_id: item identifier if included in the URL, None otherwise
608 :return: True if access granted by permission rules, False if access granted by default rules (Bug 853)
609 :raises: AuthExceptionUnauthorized if access denied
611 self
.load_operation_to_allowed_roles()
613 roles_required
= self
.operation_to_allowed_roles
[role_permission
]
614 roles_allowed
= [role
["name"] for role
in token_info
["roles"]]
616 # fills token_info["admin"] if some roles allows it
617 token_info
["admin"] = False
618 for role
in roles_allowed
:
619 if role
in self
.operation_to_allowed_roles
["admin:" + method
.lower()]:
620 token_info
["admin"] = True
623 if "anonymous" in roles_required
:
625 operation_allowed
= False
626 for role
in roles_allowed
:
627 if role
in roles_required
:
628 operation_allowed
= True
629 # if query_string operations, check if this role allows it
630 if not query_string_operations
:
632 for query_string_operation
in query_string_operations
:
635 not in self
.operation_to_allowed_roles
[query_string_operation
]
641 # Bug 853 - Final Solution
642 # User/Project/Role whole listings are filtered elsewhere
643 # uid, pid, rid = ("user_id", "project_id", "id") if is_valid_uuid(id) else ("username", "project_name", "name")
644 uid
= "user_id" if is_valid_uuid(item_id
) else "username"
654 ) or (role_permission
== "users:id:get" and item_id
== token_info
[uid
]):
655 # or (role_permission == "projects:id:get" and item_id == token_info[pid]) \
656 # or (role_permission == "roles:id:get" and item_id in [role[rid] for role in token_info["roles"]]):
659 if not operation_allowed
:
660 raise AuthExceptionUnauthorized("Access denied: lack of permissions.")
662 raise AuthExceptionUnauthorized(
663 "Access denied: You have not permissions to use these admin query string"
666 def get_user_list(self
):
667 return self
.backend
.get_user_list()
669 def _normalize_url(self
, url
, method
):
671 # Removing query strings
672 normalized_url
= url
if "?" not in url
else url
[: url
.find("?")]
673 normalized_url_splitted
= normalized_url
.split("/")
678 for key
in self
.resources_to_operations_mapping
.keys()
679 if method
in key
.split()[0]
682 for idx
, path_part
in enumerate(normalized_url_splitted
):
684 for tmp_key
in filtered_keys
:
685 splitted
= tmp_key
.split()[1].split("/")
686 if idx
>= len(splitted
):
688 elif "<" in splitted
[idx
] and ">" in splitted
[idx
]:
689 if splitted
[idx
] == "<artifactPath>":
690 tmp_keys
.append(tmp_key
)
692 elif idx
== len(normalized_url_splitted
) - 1 and len(
693 normalized_url_splitted
697 tmp_keys
.append(tmp_key
)
698 elif splitted
[idx
] == path_part
:
699 if idx
== len(normalized_url_splitted
) - 1 and len(
700 normalized_url_splitted
704 tmp_keys
.append(tmp_key
)
705 filtered_keys
= tmp_keys
707 len(filtered_keys
) == 1
708 and filtered_keys
[0].split("/")[-1] == "<artifactPath>"
712 if len(filtered_keys
) == 0:
714 "Cannot make an authorization decision. URL not found. URL: {0}".format(
718 elif len(filtered_keys
) > 1:
720 "Cannot make an authorization decision. Multiple URLs found. URL: {0}".format(
725 filtered_key
= filtered_keys
[0]
727 for idx
, path_part
in enumerate(filtered_key
.split()[1].split("/")):
728 if "<" in path_part
and ">" in path_part
:
729 if path_part
== "<artifactPath>":
730 parameters
[path_part
[1:-1]] = "/".join(
731 normalized_url_splitted
[idx
:]
734 parameters
[path_part
[1:-1]] = normalized_url_splitted
[idx
]
736 return filtered_key
, parameters
738 def _internal_get_token_list(self
, token_info
):
740 token_list
= self
.db
.get_list(
741 "tokens", {"username": token_info
["username"], "expires.gt": now
}
745 def _internal_get_token(self
, token_info
, token_id
):
746 token_value
= self
.db
.get_one("tokens", {"_id": token_id
}, fail_on_empty
=False)
748 raise AuthException("token not found", http_code
=HTTPStatus
.NOT_FOUND
)
750 token_value
["username"] != token_info
["username"]
751 and not token_info
["admin"]
754 "needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
758 def _internal_tokens_prune(self
, token_collection
, now
=None):
760 if not self
.next_db_prune_time
or self
.next_db_prune_time
>= now
:
761 self
.db
.del_list(token_collection
, {"expires.lt": now
})
762 self
.next_db_prune_time
= self
.periodin_db_pruning
+ now
763 # self.tokens_cache.clear() # not required any more
765 def remove_token_from_cache(self
, token
=None):
767 self
.tokens_cache
.pop(token
, None)
769 self
.tokens_cache
.clear()
770 self
.msg
.write("admin", "revoke_token", {"_id": token
} if token
else None)
772 def check_password_expiry(self
, outdata
):
774 This method will check for password expiry of the user
775 :param outdata: user token information
779 present_time
= time()
780 user
= outdata
["username"]
781 if self
.config
["authentication"].get("pwd_expiry_check"):
782 user_content
= self
.db
.get_list("users", {"username": user
})[0]
783 if not user_content
.get("username") == "admin":
784 user_content
["_admin"]["modified_time"] = present_time
785 if user_content
.get("_admin").get("expire_time"):
786 expire_time
= user_content
["_admin"]["expire_time"]
788 expire_time
= present_time
789 uid
= user_content
["_id"]
790 self
.db
.set_one("users", {"_id": uid
}, user_content
)
791 if not present_time
< expire_time
: