X-Git-Url: https://osm.etsi.org/gitweb/?a=blobdiff_plain;ds=inline;f=osm_nbi%2Fauth.py;h=ec33b1c9ac8a534b952e379c0cf360ee264754f8;hb=5f3111606f278c4b21c9f0d37b7c5c9af92cfe43;hp=a99cea7e556067acf9562af6f4a884005af487c0;hpb=a9a1fc8427db17f47ea7ff782e35d24be4094f95;p=osm%2FNBI.git
diff --git a/osm_nbi/auth.py b/osm_nbi/auth.py
index a99cea7..ec33b1c 100644
--- a/osm_nbi/auth.py
+++ b/osm_nbi/auth.py
@@ -44,6 +44,7 @@ from osm_nbi.authconn import AuthException, AuthconnException, AuthExceptionUnau
 from osm_nbi.authconn_keystone import AuthconnKeystone
 from osm_nbi.authconn_internal import AuthconnInternal
 from osm_nbi.authconn_tacacs import AuthconnTacacs
+from osm_nbi.utils import cef_event, cef_event_builder
 from osm_common import dbmemory, dbmongo, msglocal, msgkafka
 from osm_common.dbbase import DbException
 from osm_nbi.validation import is_valid_uuid
@@ -88,6 +89,7 @@ class Authenticator:
         self.valid_query_string = valid_query_string
         self.system_admin_role_id = None  # system_role id
         self.test_project_id = None  # test_project_id
+        self.cef_logger = None
 
     def start(self, config):
         """
@@ -98,6 +100,7 @@ class Authenticator:
         :param config: dictionary containing the relevant parameters for this object.
         """
         self.config = config
+        self.cef_logger = cef_event_builder(config["authentication"])
 
         try:
             if not self.db:
@@ -283,7 +286,7 @@ class Authenticator:
                 (r for r in records if r["name"] == "system_admin"), None
             ):
                 with open(self.roles_to_operations_file, "r") as stream:
-                    roles_to_operations_yaml = yaml.load(stream, Loader=yaml.Loader)
+                    roles_to_operations_yaml = yaml.safe_load(stream)
 
                 role_names = []
                 for role_with_operations in roles_to_operations_yaml["roles"]:
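Review bot: The new `self.cef_logger = None` line in the `@@ -88` hunk is the only attribute in that run without an inline comment, while its neighbours carry `# system_role id` and `# test_project_id`. Suggest `self.cef_logger = None  # CEF audit logger; set by start()` so a reader knows the attribute is unset until `start()` runs, which the `@@ -98` hunk shows assigning it from `cef_event_builder(config["authentication"])`. Whether any code path can reach the logger before `start()` is not visible from these hunks. The enclosing `__init__` begins outside the hunk.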
@@ -449,9 +452,11 @@ class Authenticator:
             elif auth_list[0].lower() == "basic":
                 user_passwd64 = auth_list[-1]
             if not token:
-                if cherrypy.session.get("Authorization"):
+                if cherrypy.session.get("Authorization"):  # pylint: disable=E1101
                     # 2. Try using session before request a new token. If not, basic authentication will generate
-                    token = cherrypy.session.get("Authorization")
+                    token = cherrypy.session.get(  # pylint: disable=E1101
+                        "Authorization"
+                    )
                     if token == "logout":
                         token = None  # force Unauthorized response to insert user password again
                 elif user_passwd64 and cherrypy.request.config.get(
@@ -466,10 +471,10 @@ class Authenticator:
                     except Exception:
                         pass
                     outdata = self.new_token(
-                        None, {"username": user, "password": passwd}
+                        None, {"username": user, "password": passwd}, None
                     )
                     token = outdata["_id"]
-                    cherrypy.session["Authorization"] = token
+                    cherrypy.session["Authorization"] = token  # pylint: disable=E1101
 
             if not token:
                 raise AuthException(
@@ -503,13 +508,25 @@ class Authenticator:
                 item_id,
             )
             self.logger.info("RBAC_auth: {}".format(RBAC_auth))
+            if RBAC_auth:
+                cef_event(
+                    self.cef_logger,
+                    {
+                        "name": "System Access",
+                        "sourceUserName": token_info.get("username"),
+                        "message": "Accessing account with system privileges, Project={}".format(
+                            token_info.get("project_name")
+                        ),
+                    },
+                )
+                self.logger.info("{}".format(self.cef_logger))
             token_info["allow_show_user_project_role"] = RBAC_auth
             return token_info
 
         except AuthException as e:
             if not isinstance(e, AuthExceptionUnauthorized):
-                if cherrypy.session.get("Authorization"):
-                    del cherrypy.session["Authorization"]
+                if cherrypy.session.get("Authorization"):  # pylint: disable=E1101
+                    del cherrypy.session["Authorization"]  # pylint: disable=E1101
                 cherrypy.response.headers[
                     "WWW-Authenticate"
                 ] = 'Bearer realm="{}"'.format(e)
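Review bot: The added third positional argument in `self.new_token(None, {...}, None)` in the `@@ -466` hunk is opaque at the call site, since `new_token`'s signature is not part of this diff and a bare `None` says nothing about what is being left unset. Passing it by keyword, or adding a comment on that line naming the parameter, would make the basic-auth path readable without opening `new_token`. This is also the path that mints a session token from HTTP Basic credentials, so if the project wants CEF coverage of authentication events beyond the "System Access" event added below, a session-creation event here would be the natural companion. The enclosing method starts and ends outside the hunk.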
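Review bot: `self.logger.info("{}".format(self.cef_logger))` in the `@@ -503` hunk logs the repr of the logger object itself on every privileged access, which adds nothing to the audit trail and reads like leftover debugging; drop the line, or log the event fields that were just emitted. Separately, `token_info.get("username")` and `token_info.get("project_name")` are written into the CEF record unmodified, and whether `cef_event` escapes CEF extension separators (`=`, `\`, line breaks) is not visible here — if it does not, a value containing those characters would corrupt or split the audit record, so that is worth confirming in `osm_nbi.utils` before relying on these events for detection. Finally, `cef_event` is called with `self.cef_logger`, which the `@@ -88` hunk initialises to `None` until `start()` runs; if `cef_event` does not tolerate `None`, a privileged authorization would fail on that call rather than on the check itself — whether that ordering can occur is not visible from the diff. The enclosing method starts and ends outside the hunk.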
@@ -775,7 +792,6 @@ class Authenticator:
         :param outdata: user token information
         """
         user_content = None
-        detail = {}
         present_time = time()
         user = outdata["username"]
         if self.config["authentication"].get("pwd_expiry_check"):