X-Git-Url: https://osm.etsi.org/gitweb/?a=blobdiff_plain;ds=sidebyside;f=osm_nbi%2Fauth.py;h=f7e4844f1fd3cf32db60b6cc68cb8c4df1dc48aa;hb=refs%2Fchanges%2F63%2F7663%2F3;hp=fcebad4b8cd05732f85bd4709c7e5a4b4b735ed4;hpb=65ca36d13f895d0a361d59a5962029d6e3ef7a99;p=osm%2FNBI.git diff --git a/osm_nbi/auth.py b/osm_nbi/auth.py index fcebad4..f7e4844 100644 --- a/osm_nbi/auth.py +++ b/osm_nbi/auth.py @@ -34,7 +34,7 @@ import logging import yaml from base64 import standard_b64decode from copy import deepcopy -from functools import reduce +# from functools import reduce from hashlib import sha256 from http import HTTPStatus from random import choice as random_choice @@ -156,16 +156,15 @@ class Authenticator: # Note: it is faster to rewrite the value than to check if it is already there or not if self.config["authentication"]["backend"] == "internal": return - + operations = [] with open(self.resources_to_operations_file, "r") as stream: resources_to_operations_yaml = yaml.load(stream) for resource, operation in resources_to_operations_yaml["resources_to_operations"].items(): - operation_key = operation.replace(".", ":") - if operation_key not in operations: - operations.append(operation_key) - self.resources_to_operations_mapping[resource] = operation_key + if operation not in operations: + operations.append(operation) + self.resources_to_operations_mapping[resource] = operation records = self.db.get_list("roles_operations") @@ -194,19 +193,18 @@ class Authenticator: if not isinstance(is_allowed, bool): continue - if operation == ".": + if operation == ":": root = is_allowed continue - if len(operation) != 1 and operation[-1] == ".": - self.logger.warning("Invalid operation {0} terminated in '.'. " + if len(operation) != 1 and operation[-1] == ":": + self.logger.warning("Invalid operation {0} terminated in ':'. " "Operation will be discarded" .format(operation)) continue - operation_key = operation.replace(".", ":") - if operation_key not in role_ops.keys(): - role_ops[operation_key] = is_allowed + if operation not in role_ops.keys(): + role_ops[operation] = is_allowed else: self.logger.info("In role {0}, the operation {1} with the value {2} was discarded due to " "repetition.".format(role_with_operations["role"], operation, is_allowed)) @@ -231,7 +229,12 @@ class Authenticator: if self.config["authentication"]["backend"] != "internal" and \ role_with_operations["role"] != "anonymous": - keystone_id = self.backend.create_role(role_with_operations["role"]) + keystone_id = [role for role in self.backend.get_role_list() + if role["name"] == role_with_operations["role"]] + if keystone_id: + keystone_id = keystone_id[0] + else: + keystone_id = self.backend.create_role(role_with_operations["role"]) operation_to_roles_item["_id"] = keystone_id["_id"] self.db.create("roles_operations", operation_to_roles_item) @@ -317,43 +320,53 @@ class Authenticator: if self.config["authentication"]["backend"] == "internal": return self._internal_new_token(session, indata, remote) else: - if indata.get("username"): - token, projects = self.backend.authenticate_with_user_password( - indata.get("username"), indata.get("password")) - elif session: - token, projects = self.backend.authenticate_with_token( - session.get("id"), indata.get("project_id")) - else: - raise AuthException("Provide credentials: username/password or Authorization Bearer token", - http_code=HTTPStatus.UNAUTHORIZED) - - if indata.get("project_id"): - project_id = indata.get("project_id") - if project_id not in projects: - raise AuthException("Project {} not allowed for this user".format(project_id), - http_code=HTTPStatus.UNAUTHORIZED) - else: - project_id = projects[0] - - if not session: - token, projects = self.backend.authenticate_with_token(token, project_id) - - if project_id == "admin": - session_admin = True - else: - session_admin = reduce(lambda x, y: x or (True if y == "admin" else False), - projects, False) + current_token = None + if session: + current_token = session.get("token") + token_info = self.backend.authenticate( + user=indata.get("username"), + password=indata.get("username"), + token=current_token, + project=indata.get("project_id") + ) + + # if indata.get("username"): + # token, projects = self.backend.authenticate_with_user_password( + # indata.get("username"), indata.get("password")) + # elif session: + # token, projects = self.backend.authenticate_with_token( + # session.get("id"), indata.get("project_id")) + # else: + # raise AuthException("Provide credentials: username/password or Authorization Bearer token", + # http_code=HTTPStatus.UNAUTHORIZED) + # + # if indata.get("project_id"): + # project_id = indata.get("project_id") + # if project_id not in projects: + # raise AuthException("Project {} not allowed for this user".format(project_id), + # http_code=HTTPStatus.UNAUTHORIZED) + # else: + # project_id = projects[0] + # + # if not session: + # token, projects = self.backend.authenticate_with_token(token, project_id) + # + # if project_id == "admin": + # session_admin = True + # else: + # session_admin = reduce(lambda x, y: x or (True if y == "admin" else False), + # projects, False) now = time() new_session = { - "_id": token, - "id": token, + "_id": token_info["_id"], + "id": token_info["_id"], "issued_at": now, - "expires": now + 3600, - "project_id": project_id, - "username": indata.get("username") if not session else session.get("username"), + "expires": token_info.get("expires", now + 3600), + "project_id": token_info["project_id"], + "username": token_info.get("username") or session.get("username"), "remote_port": remote.port, - "admin": session_admin + "admin": True if token_info.get("project_name") == "admin" else False # TODO put admin in RBAC } if remote.name: @@ -362,7 +375,7 @@ class Authenticator: new_session["remote_host"] = remote.ip # TODO: check if this can be avoided. Backend may provide enough information - self.tokens_cache[token] = new_session + self.tokens_cache[token_info["_id"]] = new_session return deepcopy(new_session)