1 # -*- coding: utf-8 -*-
3 # Copyright 2018 Whitestack, LLC
4 # Copyright 2018 Telefonica S.A.
6 # Licensed under the Apache License, Version 2.0 (the "License"); you may
7 # not use this file except in compliance with the License. You may obtain
8 # a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15 # License for the specific language governing permissions and limitations
18 # For those usages not covered by the Apache License, Version 2.0 please
19 # contact: esousa@whitestack.com or alfonso.tiernosepulveda@telefonica.com
24 Authenticator is responsible for authenticating the users,
25 create the tokens unscoped and scoped, retrieve the role
26 list inside the projects that they are inserted
29 __author__
= "Eduardo Sousa <esousa@whitestack.com>; Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30 __date__
= "$27-jul-2018 23:59:59$"
35 from base64
import standard_b64decode
36 from copy
import deepcopy
37 # from functools import reduce
38 from http
import HTTPStatus
42 from osm_nbi
.authconn
import AuthException
, AuthExceptionUnauthorized
43 from osm_nbi
.authconn_keystone
import AuthconnKeystone
44 from osm_nbi
.authconn_internal
import AuthconnInternal
45 from osm_common
import dbmemory
, dbmongo
, msglocal
, msgkafka
46 from osm_common
.dbbase
import DbException
47 from osm_nbi
.validation
import is_valid_uuid
48 from itertools
import chain
49 from uuid
import uuid4
54 This class should hold all the mechanisms for User Authentication and
55 Authorization. Initially it should support Openstack Keystone as a
56 backend through a plugin model where more backends can be added and a
57 RBAC model to manage permissions on operations.
58 This class must be threading safe
61 periodin_db_pruning
= 60 * 30 # for the internal backend only. every 30 minutes expired tokens will be pruned
62 token_limit
= 500 # when reached, the token cache will be cleared
64 def __init__(self
, valid_methods
, valid_query_string
):
66 Authenticator initializer. Setup the initial state of the object,
67 while it waits for the config dictionary and database initialization.
73 self
.tokens_cache
= dict()
74 self
.next_db_prune_time
= 0 # time when next cleaning of expired tokens must be done
75 self
.roles_to_operations_file
= None
76 # self.roles_to_operations_table = None
77 self
.resources_to_operations_mapping
= {}
78 self
.operation_to_allowed_roles
= {}
79 self
.logger
= logging
.getLogger("nbi.authenticator")
80 self
.role_permissions
= []
81 self
.valid_methods
= valid_methods
82 self
.valid_query_string
= valid_query_string
83 self
.system_admin_role_id
= None # system_role id
84 self
.test_project_id
= None # test_project_id
86 def start(self
, config
):
88 Method to configure the Authenticator object. This method should be called
89 after object creation. It is responsible by initializing the selected backend,
90 as well as the initialization of the database connection.
92 :param config: dictionary containing the relevant parameters for this object.
98 if config
["database"]["driver"] == "mongo":
99 self
.db
= dbmongo
.DbMongo()
100 self
.db
.db_connect(config
["database"])
101 elif config
["database"]["driver"] == "memory":
102 self
.db
= dbmemory
.DbMemory()
103 self
.db
.db_connect(config
["database"])
105 raise AuthException("Invalid configuration param '{}' at '[database]':'driver'"
106 .format(config
["database"]["driver"]))
108 if config
["message"]["driver"] == "local":
109 self
.msg
= msglocal
.MsgLocal()
110 self
.msg
.connect(config
["message"])
111 elif config
["message"]["driver"] == "kafka":
112 self
.msg
= msgkafka
.MsgKafka()
113 self
.msg
.connect(config
["message"])
115 raise AuthException("Invalid configuration param '{}' at '[message]':'driver'"
116 .format(config
["message"]["driver"]))
118 if config
["authentication"]["backend"] == "keystone":
119 self
.backend
= AuthconnKeystone(self
.config
["authentication"], self
.db
, self
.role_permissions
)
120 elif config
["authentication"]["backend"] == "internal":
121 self
.backend
= AuthconnInternal(self
.config
["authentication"], self
.db
, self
.role_permissions
)
122 self
._internal
_tokens
_prune
()
124 raise AuthException("Unknown authentication backend: {}"
125 .format(config
["authentication"]["backend"]))
127 if not self
.roles_to_operations_file
:
128 if "roles_to_operations" in config
["rbac"]:
129 self
.roles_to_operations_file
= config
["rbac"]["roles_to_operations"]
132 __file__
[:__file__
.rfind("auth.py")] + "roles_to_operations.yml",
133 "./roles_to_operations.yml"
135 for config_file
in possible_paths
:
136 if path
.isfile(config_file
):
137 self
.roles_to_operations_file
= config_file
139 if not self
.roles_to_operations_file
:
140 raise AuthException("Invalid permission configuration: roles_to_operations file missing")
142 # load role_permissions
143 def load_role_permissions(method_dict
):
144 for k
in method_dict
:
145 if k
== "ROLE_PERMISSION":
146 for method
in chain(method_dict
.get("METHODS", ()), method_dict
.get("TODO", ())):
147 permission
= method_dict
["ROLE_PERMISSION"] + method
.lower()
148 if permission
not in self
.role_permissions
:
149 self
.role_permissions
.append(permission
)
150 elif k
in ("TODO", "METHODS"):
153 load_role_permissions(method_dict
[k
])
155 load_role_permissions(self
.valid_methods
)
156 for query_string
in self
.valid_query_string
:
157 for method
in ("get", "put", "patch", "post", "delete"):
158 permission
= query_string
.lower() + ":" + method
159 if permission
not in self
.role_permissions
:
160 self
.role_permissions
.append(permission
)
162 # get ids of role system_admin and test project
163 role_system_admin
= self
.db
.get_one("roles", {"name": "system_admin"}, fail_on_empty
=False)
164 if role_system_admin
:
165 self
.system_admin_role_id
= role_system_admin
["_id"]
166 test_project_name
= self
.config
["authentication"].get("project_not_authorized", "admin")
167 test_project
= self
.db
.get_one("projects", {"name": test_project_name
}, fail_on_empty
=False)
169 self
.test_project_id
= test_project
["_id"]
171 except Exception as e
:
172 raise AuthException(str(e
))
177 self
.db
.db_disconnect()
178 except DbException
as e
:
179 raise AuthException(str(e
), http_code
=e
.http_code
)
181 def create_admin_project(self
):
183 Creates a new project 'admin' into database if it doesn't exist. Useful for initialization.
184 :return: _id identity of the 'admin' project
187 # projects = self.db.get_one("projects", fail_on_empty=False, fail_on_more=False)
188 project_desc
= {"name": "admin"}
189 projects
= self
.backend
.get_project_list(project_desc
)
191 return projects
[0]["_id"]
193 project_desc
["_id"] = str(uuid4())
194 project_desc
["_admin"] = {"created": now
, "modified": now
}
195 pid
= self
.backend
.create_project(project_desc
)
196 self
.logger
.info("Project '{}' created at database".format(project_desc
["name"]))
199 def create_admin_user(self
, project_id
):
201 Creates a new user admin/admin into database if database is empty. Useful for initialization
202 :return: _id identity of the inserted data, or None
204 # users = self.db.get_one("users", fail_on_empty=False, fail_on_more=False)
205 users
= self
.backend
.get_user_list()
208 # user_desc = {"username": "admin", "password": "admin", "projects": [project_id]}
210 user_desc
= {"username": "admin", "password": "admin", "_admin": {"created": now
, "modified": now
}}
214 # proj = self.db.get_one("projects", {"name": "admin"}, fail_on_empty=False, fail_on_more=False)
215 proj
= self
.backend
.get_project_list({"name": "admin"})
216 pid
= proj
[0]["_id"] if proj
else None
217 # role = self.db.get_one("roles", {"name": "system_admin"}, fail_on_empty=False, fail_on_more=False)
218 roles
= self
.backend
.get_role_list({"name": "system_admin"})
220 user_desc
["project_role_mappings"] = [{"project": pid
, "role": roles
[0]["_id"]}]
221 uid
= self
.backend
.create_user(user_desc
)
222 self
.logger
.info("User '{}' created at database".format(user_desc
["username"]))
225 def init_db(self
, target_version
='1.0'):
227 Check if the database has been initialized, with at least one user. If not, create the required tables
228 and insert the predefined mappings between roles and permissions.
230 :param target_version: schema version that should be present in the database.
231 :return: None if OK, exception if error or version is different.
234 records
= self
.backend
.get_role_list()
236 # Loading permissions to MongoDB if there is not any permission.
237 if not records
or (len(records
) == 1 and records
[0]["name"] == "admin"):
238 with
open(self
.roles_to_operations_file
, "r") as stream
:
239 roles_to_operations_yaml
= yaml
.load(stream
, Loader
=yaml
.Loader
)
242 for role_with_operations
in roles_to_operations_yaml
["roles"]:
243 # Verifying if role already exists. If it does, raise exception
244 if role_with_operations
["name"] not in role_names
:
245 role_names
.append(role_with_operations
["name"])
247 raise AuthException("Duplicated role name '{}' at file '{}''"
248 .format(role_with_operations
["name"], self
.roles_to_operations_file
))
250 if not role_with_operations
["permissions"]:
253 for permission
, is_allowed
in role_with_operations
["permissions"].items():
254 if not isinstance(is_allowed
, bool):
255 raise AuthException("Invalid value for permission '{}' at role '{}'; at file '{}'"
256 .format(permission
, role_with_operations
["name"],
257 self
.roles_to_operations_file
))
259 # TODO chek permission is ok
260 if permission
[-1] == ":":
261 raise AuthException("Invalid permission '{}' terminated in ':' for role '{}'; at file {}"
262 .format(permission
, role_with_operations
["name"],
263 self
.roles_to_operations_file
))
265 if "default" not in role_with_operations
["permissions"]:
266 role_with_operations
["permissions"]["default"] = False
267 if "admin" not in role_with_operations
["permissions"]:
268 role_with_operations
["permissions"]["admin"] = False
271 role_with_operations
["_admin"] = {
276 # self.db.create(self.roles_to_operations_table, role_with_operations)
277 self
.backend
.create_role(role_with_operations
)
278 self
.logger
.info("Role '{}' created at database".format(role_with_operations
["name"]))
280 # Create admin project&user if required
281 pid
= self
.create_admin_project()
282 user_id
= self
.create_admin_user(pid
)
284 # try to assign system_admin role to user admin if not any user has this role
287 users
= self
.backend
.get_user_list()
288 roles
= self
.backend
.get_role_list({"name": "system_admin"})
289 role_id
= roles
[0]["_id"]
290 user_with_system_admin
= False
293 if not user_admin_id
:
294 user_admin_id
= user
["_id"]
295 if user
["username"] == "admin":
296 user_admin_id
= user
["_id"]
297 for prm
in user
.get("project_role_mappings", ()):
298 if prm
["role"] == role_id
:
299 user_with_system_admin
= True
301 if user_with_system_admin
:
303 if not user_with_system_admin
:
304 self
.backend
.update_user({"_id": user_admin_id
,
305 "add_project_role_mappings": [{"project": pid
, "role": role_id
}]})
306 self
.logger
.info("Added role system admin to user='{}' project=admin".format(user_admin_id
))
307 except Exception as e
:
308 self
.logger
.error("Error in Authorization DataBase initialization: {}: {}".format(type(e
).__name
__, e
))
310 self
.load_operation_to_allowed_roles()
312 def load_operation_to_allowed_roles(self
):
314 Fills the internal self.operation_to_allowed_roles based on database role content and self.role_permissions
315 It works in a shadow copy and replace at the end to allow other threads working with the old copy
319 permissions
= {oper
: [] for oper
in self
.role_permissions
}
320 # records = self.db.get_list(self.roles_to_operations_table)
321 records
= self
.backend
.get_role_list()
323 ignore_fields
= ["_id", "_admin", "name", "default"]
324 for record
in records
:
325 if not record
.get("permissions"):
327 record_permissions
= {oper
: record
["permissions"].get("default", False) for oper
in self
.role_permissions
}
328 operations_joined
= [(oper
, value
) for oper
, value
in record
["permissions"].items()
329 if oper
not in ignore_fields
]
330 operations_joined
.sort(key
=lambda x
: x
[0].count(":"))
332 for oper
in operations_joined
:
333 match
= list(filter(lambda x
: x
.find(oper
[0]) == 0, record_permissions
.keys()))
336 record_permissions
[m
] = oper
[1]
338 allowed_operations
= [k
for k
, v
in record_permissions
.items() if v
is True]
340 for allowed_op
in allowed_operations
:
341 permissions
[allowed_op
].append(record
["name"])
343 self
.operation_to_allowed_roles
= permissions
345 def authorize(self
, role_permission
=None, query_string_operations
=None, item_id
=None):
349 # 1. Get token Authorization bearer
350 auth
= cherrypy
.request
.headers
.get("Authorization")
352 auth_list
= auth
.split(" ")
353 if auth_list
[0].lower() == "bearer":
354 token
= auth_list
[-1]
355 elif auth_list
[0].lower() == "basic":
356 user_passwd64
= auth_list
[-1]
358 if cherrypy
.session
.get("Authorization"):
359 # 2. Try using session before request a new token. If not, basic authentication will generate
360 token
= cherrypy
.session
.get("Authorization")
361 if token
== "logout":
362 token
= None # force Unauthorized response to insert user password again
363 elif user_passwd64
and cherrypy
.request
.config
.get("auth.allow_basic_authentication"):
364 # 3. Get new token from user password
368 user_passwd
= standard_b64decode(user_passwd64
).decode()
369 user
, _
, passwd
= user_passwd
.partition(":")
372 outdata
= self
.new_token(None, {"username": user
, "password": passwd
})
373 token
= outdata
["_id"]
374 cherrypy
.session
['Authorization'] = token
377 raise AuthException("Needed a token or Authorization http header",
378 http_code
=HTTPStatus
.UNAUTHORIZED
)
380 # try to get from cache first
382 token_info
= self
.tokens_cache
.get(token
)
383 if token_info
and token_info
["expires"] < now
:
384 # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del
385 self
.tokens_cache
.pop(token
, None)
388 # get from database if not in cache
390 token_info
= self
.backend
.validate_token(token
)
391 # Clear cache if token limit reached
392 if len(self
.tokens_cache
) > self
.token_limit
:
393 self
.tokens_cache
.clear()
394 self
.tokens_cache
[token
] = token_info
395 # TODO add to token info remote host, port
398 RBAC_auth
= self
.check_permissions(token_info
, cherrypy
.request
.method
, role_permission
,
399 query_string_operations
, item_id
)
400 token_info
["allow_show_user_project_role"] = RBAC_auth
403 except AuthException
as e
:
404 if not isinstance(e
, AuthExceptionUnauthorized
):
405 if cherrypy
.session
.get('Authorization'):
406 del cherrypy
.session
['Authorization']
407 cherrypy
.response
.headers
["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e
)
408 if self
.config
["authentication"].get("user_not_authorized"):
409 return {"id": "testing-token", "_id": "testing-token",
410 "project_id": self
.test_project_id
,
411 "username": self
.config
["authentication"]["user_not_authorized"],
412 "roles": [self
.system_admin_role_id
],
413 "admin": True, "allow_show_user_project_role": True}
416 def new_token(self
, token_info
, indata
, remote
):
417 new_token_info
= self
.backend
.authenticate(
419 token_info
=token_info
,
422 new_token_info
["remote_port"] = remote
.port
423 if not new_token_info
.get("expires"):
424 new_token_info
["expires"] = time() + 3600
425 if not new_token_info
.get("admin"):
426 new_token_info
["admin"] = True if new_token_info
.get("project_name") == "admin" else False
427 # TODO put admin in RBAC
430 new_token_info
["remote_host"] = remote
.name
432 new_token_info
["remote_host"] = remote
.ip
434 # TODO call self._internal_tokens_prune(now) ?
435 return deepcopy(new_token_info
)
437 def get_token_list(self
, token_info
):
438 if self
.config
["authentication"]["backend"] == "internal":
439 return self
._internal
_get
_token
_list
(token_info
)
441 # TODO: check if this can be avoided. Backend may provide enough information
442 return [deepcopy(token
) for token
in self
.tokens_cache
.values()
443 if token
["username"] == token_info
["username"]]
445 def get_token(self
, token_info
, token
):
446 if self
.config
["authentication"]["backend"] == "internal":
447 return self
._internal
_get
_token
(token_info
, token
)
449 # TODO: check if this can be avoided. Backend may provide enough information
450 token_value
= self
.tokens_cache
.get(token
)
452 raise AuthException("token not found", http_code
=HTTPStatus
.NOT_FOUND
)
453 if token_value
["username"] != token_info
["username"] and not token_info
["admin"]:
454 raise AuthException("needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
)
457 def del_token(self
, token
):
459 self
.backend
.revoke_token(token
)
460 # self.tokens_cache.pop(token, None)
461 self
.remove_token_from_cache(token
)
462 return "token '{}' deleted".format(token
)
464 raise AuthException("Token '{}' not found".format(token
), http_code
=HTTPStatus
.NOT_FOUND
)
466 def check_permissions(self
, token_info
, method
, role_permission
=None, query_string_operations
=None, item_id
=None):
468 Checks that operation has permissions to be done, base on the assigned roles to this user project
469 :param token_info: Dictionary that contains "roles" with a list of assigned roles.
470 This method fills the token_info["admin"] with True or False based on assigned tokens, if any allows admin
471 This will be used among others to hide or not the _admin content of topics
472 :param method: GET,PUT, POST, ...
473 :param role_permission: role permission name of the operation required
474 :param query_string_operations: list of possible admin query strings provided by user. It is checked that the
475 assigned role allows this query string for this method
476 :param item_id: item identifier if included in the URL, None otherwise
477 :return: True if access granted by permission rules, False if access granted by default rules (Bug 853)
478 :raises: AuthExceptionUnauthorized if access denied
481 roles_required
= self
.operation_to_allowed_roles
[role_permission
]
482 roles_allowed
= [role
["name"] for role
in token_info
["roles"]]
484 # fills token_info["admin"] if some roles allows it
485 token_info
["admin"] = False
486 for role
in roles_allowed
:
487 if role
in self
.operation_to_allowed_roles
["admin:" + method
.lower()]:
488 token_info
["admin"] = True
491 if "anonymous" in roles_required
:
493 operation_allowed
= False
494 for role
in roles_allowed
:
495 if role
in roles_required
:
496 operation_allowed
= True
497 # if query_string operations, check if this role allows it
498 if not query_string_operations
:
500 for query_string_operation
in query_string_operations
:
501 if role
not in self
.operation_to_allowed_roles
[query_string_operation
]:
506 # Bug 853 - Final Solution
507 # User/Project/Role whole listings are filtered elsewhere
508 # uid, pid, rid = ("user_id", "project_id", "id") if is_valid_uuid(id) else ("username", "project_name", "name")
509 uid
= "user_id" if is_valid_uuid(item_id
) else "username"
510 if (role_permission
in ["projects:get", "projects:id:get", "roles:get", "roles:id:get", "users:get"]) \
511 or (role_permission
== "users:id:get" and item_id
== token_info
[uid
]):
512 # or (role_permission == "projects:id:get" and item_id == token_info[pid]) \
513 # or (role_permission == "roles:id:get" and item_id in [role[rid] for role in token_info["roles"]]):
516 if not operation_allowed
:
517 raise AuthExceptionUnauthorized("Access denied: lack of permissions.")
519 raise AuthExceptionUnauthorized("Access denied: You have not permissions to use these admin query string")
521 def get_user_list(self
):
522 return self
.backend
.get_user_list()
524 def _normalize_url(self
, url
, method
):
526 # Removing query strings
527 normalized_url
= url
if '?' not in url
else url
[:url
.find("?")]
528 normalized_url_splitted
= normalized_url
.split("/")
531 filtered_keys
= [key
for key
in self
.resources_to_operations_mapping
.keys()
532 if method
in key
.split()[0]]
534 for idx
, path_part
in enumerate(normalized_url_splitted
):
536 for tmp_key
in filtered_keys
:
537 splitted
= tmp_key
.split()[1].split("/")
538 if idx
>= len(splitted
):
540 elif "<" in splitted
[idx
] and ">" in splitted
[idx
]:
541 if splitted
[idx
] == "<artifactPath>":
542 tmp_keys
.append(tmp_key
)
544 elif idx
== len(normalized_url_splitted
) - 1 and \
545 len(normalized_url_splitted
) != len(splitted
):
548 tmp_keys
.append(tmp_key
)
549 elif splitted
[idx
] == path_part
:
550 if idx
== len(normalized_url_splitted
) - 1 and \
551 len(normalized_url_splitted
) != len(splitted
):
554 tmp_keys
.append(tmp_key
)
555 filtered_keys
= tmp_keys
556 if len(filtered_keys
) == 1 and \
557 filtered_keys
[0].split("/")[-1] == "<artifactPath>":
560 if len(filtered_keys
) == 0:
561 raise AuthException("Cannot make an authorization decision. URL not found. URL: {0}".format(url
))
562 elif len(filtered_keys
) > 1:
563 raise AuthException("Cannot make an authorization decision. Multiple URLs found. URL: {0}".format(url
))
565 filtered_key
= filtered_keys
[0]
567 for idx
, path_part
in enumerate(filtered_key
.split()[1].split("/")):
568 if "<" in path_part
and ">" in path_part
:
569 if path_part
== "<artifactPath>":
570 parameters
[path_part
[1:-1]] = "/".join(normalized_url_splitted
[idx
:])
572 parameters
[path_part
[1:-1]] = normalized_url_splitted
[idx
]
574 return filtered_key
, parameters
576 def _internal_get_token_list(self
, token_info
):
578 token_list
= self
.db
.get_list("tokens", {"username": token_info
["username"], "expires.gt": now
})
581 def _internal_get_token(self
, token_info
, token_id
):
582 token_value
= self
.db
.get_one("tokens", {"_id": token_id
}, fail_on_empty
=False)
584 raise AuthException("token not found", http_code
=HTTPStatus
.NOT_FOUND
)
585 if token_value
["username"] != token_info
["username"] and not token_info
["admin"]:
586 raise AuthException("needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
)
589 def _internal_tokens_prune(self
, now
=None):
591 if not self
.next_db_prune_time
or self
.next_db_prune_time
>= now
:
592 self
.db
.del_list("tokens", {"expires.lt": now
})
593 self
.next_db_prune_time
= self
.periodin_db_pruning
+ now
594 # self.tokens_cache.clear() # not required any more
596 def remove_token_from_cache(self
, token
=None):
598 self
.tokens_cache
.pop(token
, None)
600 self
.tokens_cache
.clear()
601 self
.msg
.write("admin", "revoke_token", {"_id": token
} if token
else None)