1 # -*- coding: utf-8 -*-
3 # Copyright 2018 Whitestack, LLC
4 # Copyright 2018 Telefonica S.A.
6 # Licensed under the Apache License, Version 2.0 (the "License"); you may
7 # not use this file except in compliance with the License. You may obtain
8 # a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15 # License for the specific language governing permissions and limitations
18 # For those usages not covered by the Apache License, Version 2.0 please
19 # contact: esousa@whitestack.com or alfonso.tiernosepulveda@telefonica.com
24 Authenticator is responsible for authenticating the users,
25 create the tokens unscoped and scoped, retrieve the role
26 list inside the projects that they are inserted
29 __author__
= "Eduardo Sousa <esousa@whitestack.com>; Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30 __date__
= "$27-jul-2018 23:59:59$"
35 from base64
import standard_b64decode
36 from copy
import deepcopy
37 # from functools import reduce
38 from hashlib
import sha256
39 from http
import HTTPStatus
40 from random
import choice
as random_choice
43 from base_topic
import BaseTopic
# To allow project names in project_id
45 from authconn
import AuthException
46 from authconn_keystone
import AuthconnKeystone
47 from osm_common
import dbmongo
48 from osm_common
import dbmemory
49 from osm_common
.dbbase
import DbException
54 This class should hold all the mechanisms for User Authentication and
55 Authorization. Initially it should support Openstack Keystone as a
56 backend through a plugin model where more backends can be added and a
57 RBAC model to manage permissions on operations.
58 This class must be threading safe
61 periodin_db_pruning
= 60 * 30 # for the internal backend only. every 30 minutes expired tokens will be pruned
65 Authenticator initializer. Setup the initial state of the object,
66 while it waits for the config dictionary and database initialization.
71 self
.tokens_cache
= dict()
72 self
.next_db_prune_time
= 0 # time when next cleaning of expired tokens must be done
73 self
.resources_to_operations_file
= None
74 self
.roles_to_operations_file
= None
75 self
.resources_to_operations_mapping
= {}
76 self
.operation_to_allowed_roles
= {}
77 self
.logger
= logging
.getLogger("nbi.authenticator")
79 def start(self
, config
):
81 Method to configure the Authenticator object. This method should be called
82 after object creation. It is responsible by initializing the selected backend,
83 as well as the initialization of the database connection.
85 :param config: dictionary containing the relevant parameters for this object.
91 if config
["database"]["driver"] == "mongo":
92 self
.db
= dbmongo
.DbMongo()
93 self
.db
.db_connect(config
["database"])
94 elif config
["database"]["driver"] == "memory":
95 self
.db
= dbmemory
.DbMemory()
96 self
.db
.db_connect(config
["database"])
98 raise AuthException("Invalid configuration param '{}' at '[database]':'driver'"
99 .format(config
["database"]["driver"]))
101 if config
["authentication"]["backend"] == "keystone":
102 self
.backend
= AuthconnKeystone(self
.config
["authentication"])
103 elif config
["authentication"]["backend"] == "internal":
104 self
._internal
_tokens
_prune
()
106 raise AuthException("Unknown authentication backend: {}"
107 .format(config
["authentication"]["backend"]))
108 if not self
.resources_to_operations_file
:
109 if "resources_to_operations" in config
["rbac"]:
110 self
.resources_to_operations_file
= config
["rbac"]["resources_to_operations"]
113 __file__
[:__file__
.rfind("auth.py")] + "resources_to_operations.yml",
114 "./resources_to_operations.yml"
116 for config_file
in possible_paths
:
117 if path
.isfile(config_file
):
118 self
.resources_to_operations_file
= config_file
120 if not self
.resources_to_operations_file
:
121 raise AuthException("Invalid permission configuration: resources_to_operations file missing")
122 if not self
.roles_to_operations_file
:
123 if "roles_to_operations" in config
["rbac"]:
124 self
.roles_to_operations_file
= config
["rbac"]["roles_to_operations"]
127 __file__
[:__file__
.rfind("auth.py")] + "roles_to_operations.yml",
128 "./roles_to_operations.yml"
130 for config_file
in possible_paths
:
131 if path
.isfile(config_file
):
132 self
.roles_to_operations_file
= config_file
134 if not self
.roles_to_operations_file
:
135 raise AuthException("Invalid permission configuration: roles_to_operations file missing")
136 except Exception as e
:
137 raise AuthException(str(e
))
142 self
.db
.db_disconnect()
143 except DbException
as e
:
144 raise AuthException(str(e
), http_code
=e
.http_code
)
146 def init_db(self
, target_version
='1.0'):
148 Check if the database has been initialized, with at least one user. If not, create the required tables
149 and insert the predefined mappings between roles and permissions.
151 :param target_version: schema version that should be present in the database.
152 :return: None if OK, exception if error or version is different.
154 # Always reads operation to resource mapping from file (this is static, no need to store it in MongoDB)
155 # Operations encoding: "<METHOD> <URL>"
156 # Note: it is faster to rewrite the value than to check if it is already there or not
157 if self
.config
["authentication"]["backend"] == "internal":
161 with
open(self
.resources_to_operations_file
, "r") as stream
:
162 resources_to_operations_yaml
= yaml
.load(stream
)
164 for resource
, operation
in resources_to_operations_yaml
["resources_to_operations"].items():
165 if operation
not in operations
:
166 operations
.append(operation
)
167 self
.resources_to_operations_mapping
[resource
] = operation
169 records
= self
.db
.get_list("roles_operations")
171 # Loading permissions to MongoDB. If there are permissions already in MongoDB, do nothing.
172 if len(records
) == 0:
173 with
open(self
.roles_to_operations_file
, "r") as stream
:
174 roles_to_operations_yaml
= yaml
.load(stream
)
177 for role_with_operations
in roles_to_operations_yaml
["roles_to_operations"]:
178 # Verifying if role already exists. If it does, send warning to log and ignore it.
179 if role_with_operations
["role"] not in roles
:
180 roles
.append(role_with_operations
["role"])
182 self
.logger
.warning("Duplicated role with name: {0}. Role definition is ignored."
183 .format(role_with_operations
["role"]))
189 if not role_with_operations
["operations"]:
192 for operation
, is_allowed
in role_with_operations
["operations"].items():
193 if not isinstance(is_allowed
, bool):
200 if len(operation
) != 1 and operation
[-1] == ":":
201 self
.logger
.warning("Invalid operation {0} terminated in ':'. "
202 "Operation will be discarded"
206 if operation
not in role_ops
.keys():
207 role_ops
[operation
] = is_allowed
209 self
.logger
.info("In role {0}, the operation {1} with the value {2} was discarded due to "
210 "repetition.".format(role_with_operations
["role"], operation
, is_allowed
))
214 self
.logger
.info("Root for role {0} not defined. Default value 'False' applied."
215 .format(role_with_operations
["role"]))
218 operation_to_roles_item
= {
223 "name": role_with_operations
["role"],
227 for operation
, value
in role_ops
.items():
228 operation_to_roles_item
[operation
] = value
230 if self
.config
["authentication"]["backend"] != "internal" and \
231 role_with_operations
["role"] != "anonymous":
232 keystone_id
= [role
for role
in self
.backend
.get_role_list()
233 if role
["name"] == role_with_operations
["role"]]
235 keystone_id
= keystone_id
[0]
237 keystone_id
= self
.backend
.create_role(role_with_operations
["role"])
238 operation_to_roles_item
["_id"] = keystone_id
["_id"]
240 self
.db
.create("roles_operations", operation_to_roles_item
)
242 permissions
= {oper
: [] for oper
in operations
}
243 records
= self
.db
.get_list("roles_operations")
245 ignore_fields
= ["_id", "_admin", "name", "root"]
246 for record
in records
:
247 record_permissions
= {oper
: record
["root"] for oper
in operations
}
248 operations_joined
= [(oper
, value
) for oper
, value
in record
.items() if oper
not in ignore_fields
]
249 operations_joined
.sort(key
=lambda x
: x
[0].count(":"))
251 for oper
in operations_joined
:
252 match
= list(filter(lambda x
: x
.find(oper
[0]) == 0, record_permissions
.keys()))
255 record_permissions
[m
] = oper
[1]
257 allowed_operations
= [k
for k
, v
in record_permissions
.items() if v
is True]
259 for allowed_op
in allowed_operations
:
260 permissions
[allowed_op
].append(record
["name"])
262 for oper
, role_list
in permissions
.items():
263 self
.operation_to_allowed_roles
[oper
] = role_list
265 if self
.config
["authentication"]["backend"] != "internal":
266 self
.backend
.assign_role_to_user("admin", "admin", "system_admin")
272 # 1. Get token Authorization bearer
273 auth
= cherrypy
.request
.headers
.get("Authorization")
275 auth_list
= auth
.split(" ")
276 if auth_list
[0].lower() == "bearer":
277 token
= auth_list
[-1]
278 elif auth_list
[0].lower() == "basic":
279 user_passwd64
= auth_list
[-1]
281 if cherrypy
.session
.get("Authorization"):
282 # 2. Try using session before request a new token. If not, basic authentication will generate
283 token
= cherrypy
.session
.get("Authorization")
284 if token
== "logout":
285 token
= None # force Unauthorized response to insert user password again
286 elif user_passwd64
and cherrypy
.request
.config
.get("auth.allow_basic_authentication"):
287 # 3. Get new token from user password
291 user_passwd
= standard_b64decode(user_passwd64
).decode()
292 user
, _
, passwd
= user_passwd
.partition(":")
295 outdata
= self
.new_token(None, {"username": user
, "password": passwd
})
296 token
= outdata
["id"]
297 cherrypy
.session
['Authorization'] = token
298 if self
.config
["authentication"]["backend"] == "internal":
299 return self
._internal
_authorize
(token
)
302 raise AuthException("Needed a token or Authorization http header",
303 http_code
=HTTPStatus
.UNAUTHORIZED
)
305 self
.backend
.validate_token(token
)
306 self
.check_permissions(self
.tokens_cache
[token
], cherrypy
.request
.path_info
,
307 cherrypy
.request
.method
)
308 # TODO: check if this can be avoided. Backend may provide enough information
309 return deepcopy(self
.tokens_cache
[token
])
310 except AuthException
:
311 self
.del_token(token
)
313 except AuthException
as e
:
314 if cherrypy
.session
.get('Authorization'):
315 del cherrypy
.session
['Authorization']
316 cherrypy
.response
.headers
["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e
)
317 raise AuthException(str(e
))
319 def new_token(self
, session
, indata
, remote
):
320 if self
.config
["authentication"]["backend"] == "internal":
321 return self
._internal
_new
_token
(session
, indata
, remote
)
325 current_token
= session
.get("token")
326 token_info
= self
.backend
.authenticate(
327 user
=indata
.get("username"),
328 password
=indata
.get("username"),
330 project
=indata
.get("project_id")
333 # if indata.get("username"):
334 # token, projects = self.backend.authenticate_with_user_password(
335 # indata.get("username"), indata.get("password"))
337 # token, projects = self.backend.authenticate_with_token(
338 # session.get("id"), indata.get("project_id"))
340 # raise AuthException("Provide credentials: username/password or Authorization Bearer token",
341 # http_code=HTTPStatus.UNAUTHORIZED)
343 # if indata.get("project_id"):
344 # project_id = indata.get("project_id")
345 # if project_id not in projects:
346 # raise AuthException("Project {} not allowed for this user".format(project_id),
347 # http_code=HTTPStatus.UNAUTHORIZED)
349 # project_id = projects[0]
352 # token, projects = self.backend.authenticate_with_token(token, project_id)
354 # if project_id == "admin":
355 # session_admin = True
357 # session_admin = reduce(lambda x, y: x or (True if y == "admin" else False),
362 "_id": token_info
["_id"],
363 "id": token_info
["_id"],
365 "expires": token_info
.get("expires", now
+ 3600),
366 "project_id": token_info
["project_id"],
367 "username": token_info
.get("username") or session
.get("username"),
368 "remote_port": remote
.port
,
369 "admin": True if token_info
.get("project_name") == "admin" else False # TODO put admin in RBAC
373 new_session
["remote_host"] = remote
.name
375 new_session
["remote_host"] = remote
.ip
377 # TODO: check if this can be avoided. Backend may provide enough information
378 self
.tokens_cache
[token_info
["_id"]] = new_session
380 return deepcopy(new_session
)
382 def get_token_list(self
, session
):
383 if self
.config
["authentication"]["backend"] == "internal":
384 return self
._internal
_get
_token
_list
(session
)
386 # TODO: check if this can be avoided. Backend may provide enough information
387 return [deepcopy(token
) for token
in self
.tokens_cache
.values()
388 if token
["username"] == session
["username"]]
390 def get_token(self
, session
, token
):
391 if self
.config
["authentication"]["backend"] == "internal":
392 return self
._internal
_get
_token
(session
, token
)
394 # TODO: check if this can be avoided. Backend may provide enough information
395 token_value
= self
.tokens_cache
.get(token
)
397 raise AuthException("token not found", http_code
=HTTPStatus
.NOT_FOUND
)
398 if token_value
["username"] != session
["username"] and not session
["admin"]:
399 raise AuthException("needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
)
402 def del_token(self
, token
):
403 if self
.config
["authentication"]["backend"] == "internal":
404 return self
._internal
_del
_token
(token
)
407 self
.backend
.revoke_token(token
)
408 del self
.tokens_cache
[token
]
409 return "token '{}' deleted".format(token
)
411 raise AuthException("Token '{}' not found".format(token
), http_code
=HTTPStatus
.NOT_FOUND
)
413 def check_permissions(self
, session
, url
, method
):
414 self
.logger
.info("Session: {}".format(session
))
415 self
.logger
.info("URL: {}".format(url
))
416 self
.logger
.info("Method: {}".format(method
))
418 key
, parameters
= self
._normalize
_url
(url
, method
)
420 # TODO: Check if parameters might be useful for the decision
422 operation
= self
.resources_to_operations_mapping
[key
]
423 roles_required
= self
.operation_to_allowed_roles
[operation
]
424 roles_allowed
= self
.backend
.get_user_role_list(session
["id"])
426 if "anonymous" in roles_required
:
429 for role
in roles_allowed
:
430 if role
in roles_required
:
433 raise AuthException("Access denied: lack of permissions.")
435 def get_user_list(self
):
436 return self
.backend
.get_user_list()
438 def _normalize_url(self
, url
, method
):
439 # Removing query strings
440 normalized_url
= url
if '?' not in url
else url
[:url
.find("?")]
441 normalized_url_splitted
= normalized_url
.split("/")
444 filtered_keys
= [key
for key
in self
.resources_to_operations_mapping
.keys()
445 if method
in key
.split()[0]]
447 for idx
, path_part
in enumerate(normalized_url_splitted
):
449 for tmp_key
in filtered_keys
:
450 splitted
= tmp_key
.split()[1].split("/")
451 if idx
>= len(splitted
):
453 elif "<" in splitted
[idx
] and ">" in splitted
[idx
]:
454 if splitted
[idx
] == "<artifactPath>":
455 tmp_keys
.append(tmp_key
)
457 elif idx
== len(normalized_url_splitted
) - 1 and \
458 len(normalized_url_splitted
) != len(splitted
):
461 tmp_keys
.append(tmp_key
)
462 elif splitted
[idx
] == path_part
:
463 if idx
== len(normalized_url_splitted
) - 1 and \
464 len(normalized_url_splitted
) != len(splitted
):
467 tmp_keys
.append(tmp_key
)
468 filtered_keys
= tmp_keys
469 if len(filtered_keys
) == 1 and \
470 filtered_keys
[0].split("/")[-1] == "<artifactPath>":
473 if len(filtered_keys
) == 0:
474 raise AuthException("Cannot make an authorization decision. URL not found. URL: {0}".format(url
))
475 elif len(filtered_keys
) > 1:
476 raise AuthException("Cannot make an authorization decision. Multiple URLs found. URL: {0}".format(url
))
478 filtered_key
= filtered_keys
[0]
480 for idx
, path_part
in enumerate(filtered_key
.split()[1].split("/")):
481 if "<" in path_part
and ">" in path_part
:
482 if path_part
== "<artifactPath>":
483 parameters
[path_part
[1:-1]] = "/".join(normalized_url_splitted
[idx
:])
485 parameters
[path_part
[1:-1]] = normalized_url_splitted
[idx
]
487 return filtered_key
, parameters
489 def _internal_authorize(self
, token_id
):
492 raise AuthException("Needed a token or Authorization http header", http_code
=HTTPStatus
.UNAUTHORIZED
)
493 # try to get from cache first
495 session
= self
.tokens_cache
.get(token_id
)
496 if session
and session
["expires"] < now
:
497 # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del
498 self
.tokens_cache
.pop(token_id
, None)
503 # get from database if not in cache
504 session
= self
.db
.get_one("tokens", {"_id": token_id
})
505 if session
["expires"] < now
:
506 raise AuthException("Expired Token or Authorization http header", http_code
=HTTPStatus
.UNAUTHORIZED
)
507 self
.tokens_cache
[token_id
] = session
509 except DbException
as e
:
510 if e
.http_code
== HTTPStatus
.NOT_FOUND
:
511 raise AuthException("Invalid Token or Authorization http header", http_code
=HTTPStatus
.UNAUTHORIZED
)
515 except AuthException
:
516 if self
.config
["global"].get("test.user_not_authorized"):
517 return {"id": "fake-token-id-for-test",
518 "project_id": self
.config
["global"].get("test.project_not_authorized", "admin"),
519 "username": self
.config
["global"]["test.user_not_authorized"], "admin": True}
523 def _internal_new_token(self
, session
, indata
, remote
):
527 # Try using username/password
528 if indata
.get("username"):
529 user_rows
= self
.db
.get_list("users", {"username": indata
.get("username")})
531 user_content
= user_rows
[0]
532 salt
= user_content
["_admin"]["salt"]
533 shadow_password
= sha256(indata
.get("password", "").encode('utf-8') + salt
.encode('utf-8')).hexdigest()
534 if shadow_password
!= user_content
["password"]:
537 raise AuthException("Invalid username/password", http_code
=HTTPStatus
.UNAUTHORIZED
)
539 user_rows
= self
.db
.get_list("users", {"username": session
["username"]})
541 user_content
= user_rows
[0]
543 raise AuthException("Invalid token", http_code
=HTTPStatus
.UNAUTHORIZED
)
545 raise AuthException("Provide credentials: username/password or Authorization Bearer token",
546 http_code
=HTTPStatus
.UNAUTHORIZED
)
548 token_id
= ''.join(random_choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
549 for _
in range(0, 32))
550 project_id
= indata
.get("project_id")
552 if project_id
!= "admin":
553 # To allow project names in project_id
554 proj
= self
.db
.get_one("projects", {BaseTopic
.id_field("projects", project_id
): project_id
})
555 if proj
["_id"] not in user_content
["projects"] and proj
["name"] not in user_content
["projects"]:
556 raise AuthException("project {} not allowed for this user"
557 .format(project_id
), http_code
=HTTPStatus
.UNAUTHORIZED
)
559 project_id
= user_content
["projects"][0]
560 if project_id
== "admin":
563 # To allow project names in project_id
564 project
= self
.db
.get_one("projects", {BaseTopic
.id_field("projects", project_id
): project_id
})
565 session_admin
= project
.get("admin", False)
566 new_session
= {"issued_at": now
, "expires": now
+ 3600,
567 "_id": token_id
, "id": token_id
, "project_id": project_id
, "username": user_content
["username"],
568 "remote_port": remote
.port
, "admin": session_admin
}
570 new_session
["remote_host"] = remote
.name
572 new_session
["remote_host"] = remote
.ip
574 self
.tokens_cache
[token_id
] = new_session
575 self
.db
.create("tokens", new_session
)
576 # check if database must be prune
577 self
._internal
_tokens
_prune
(now
)
578 return deepcopy(new_session
)
580 def _internal_get_token_list(self
, session
):
582 token_list
= self
.db
.get_list("tokens", {"username": session
["username"], "expires.gt": now
})
585 def _internal_get_token(self
, session
, token_id
):
586 token_value
= self
.db
.get_one("tokens", {"_id": token_id
}, fail_on_empty
=False)
588 raise AuthException("token not found", http_code
=HTTPStatus
.NOT_FOUND
)
589 if token_value
["username"] != session
["username"] and not session
["admin"]:
590 raise AuthException("needed admin privileges", http_code
=HTTPStatus
.UNAUTHORIZED
)
593 def _internal_del_token(self
, token_id
):
595 self
.tokens_cache
.pop(token_id
, None)
596 self
.db
.del_one("tokens", {"_id": token_id
})
597 return "token '{}' deleted".format(token_id
)
598 except DbException
as e
:
599 if e
.http_code
== HTTPStatus
.NOT_FOUND
:
600 raise AuthException("Token '{}' not found".format(token_id
), http_code
=HTTPStatus
.NOT_FOUND
)
604 def _internal_tokens_prune(self
, now
=None):
606 if not self
.next_db_prune_time
or self
.next_db_prune_time
>= now
:
607 self
.db
.del_list("tokens", {"expires.lt": now
})
608 self
.next_db_prune_time
= self
.periodin_db_pruning
+ now
609 self
.tokens_cache
.clear() # force to reload tokens from database