fix bug 791. Adding input validation for ns-create. It was only for ns-instantiate
[osm/NBI.git] / osm_nbi / auth.py
1 # -*- coding: utf-8 -*-
2
3 # Copyright 2018 Whitestack, LLC
4 # Copyright 2018 Telefonica S.A.
5 #
6 # Licensed under the Apache License, Version 2.0 (the "License"); you may
7 # not use this file except in compliance with the License. You may obtain
8 # a copy of the License at
9 #
10 # http://www.apache.org/licenses/LICENSE-2.0
11 #
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15 # License for the specific language governing permissions and limitations
16 # under the License.
17 #
18 # For those usages not covered by the Apache License, Version 2.0 please
19 # contact: esousa@whitestack.com or alfonso.tiernosepulveda@telefonica.com
20 ##
21
22
23 """
24 Authenticator is responsible for authenticating the users,
25 create the tokens unscoped and scoped, retrieve the role
26 list inside the projects that they are inserted
27 """
28
29 __author__ = "Eduardo Sousa <esousa@whitestack.com>; Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30 __date__ = "$27-jul-2018 23:59:59$"
31
32 import cherrypy
33 import logging
34 import yaml
35 from base64 import standard_b64decode
36 from copy import deepcopy
37 # from functools import reduce
38 from http import HTTPStatus
39 from time import time
40 from os import path
41
42 from authconn import AuthException, AuthExceptionUnauthorized
43 from authconn_keystone import AuthconnKeystone
44 from authconn_internal import AuthconnInternal # Comment out for testing&debugging, uncomment when ready
45 from osm_common import dbmongo
46 from osm_common import dbmemory
47 from osm_common.dbbase import DbException
48 from itertools import chain
49
50 from uuid import uuid4 # For Role _id with internal authentication backend
51
52
53 class Authenticator:
54 """
55 This class should hold all the mechanisms for User Authentication and
56 Authorization. Initially it should support Openstack Keystone as a
57 backend through a plugin model where more backends can be added and a
58 RBAC model to manage permissions on operations.
59 This class must be threading safe
60 """
61
62 periodin_db_pruning = 60 * 30 # for the internal backend only. every 30 minutes expired tokens will be pruned
63
64 def __init__(self, valid_methods, valid_query_string):
65 """
66 Authenticator initializer. Setup the initial state of the object,
67 while it waits for the config dictionary and database initialization.
68 """
69 self.backend = None
70 self.config = None
71 self.db = None
72 self.tokens_cache = dict()
73 self.next_db_prune_time = 0 # time when next cleaning of expired tokens must be done
74 self.roles_to_operations_file = None
75 self.roles_to_operations_table = None
76 self.resources_to_operations_mapping = {}
77 self.operation_to_allowed_roles = {}
78 self.logger = logging.getLogger("nbi.authenticator")
79 self.role_permissions = []
80 self.valid_methods = valid_methods
81 self.valid_query_string = valid_query_string
82
83 def start(self, config):
84 """
85 Method to configure the Authenticator object. This method should be called
86 after object creation. It is responsible by initializing the selected backend,
87 as well as the initialization of the database connection.
88
89 :param config: dictionary containing the relevant parameters for this object.
90 """
91 self.config = config
92
93 try:
94 if not self.db:
95 if config["database"]["driver"] == "mongo":
96 self.db = dbmongo.DbMongo()
97 self.db.db_connect(config["database"])
98 elif config["database"]["driver"] == "memory":
99 self.db = dbmemory.DbMemory()
100 self.db.db_connect(config["database"])
101 else:
102 raise AuthException("Invalid configuration param '{}' at '[database]':'driver'"
103 .format(config["database"]["driver"]))
104 if not self.backend:
105 if config["authentication"]["backend"] == "keystone":
106 self.backend = AuthconnKeystone(self.config["authentication"])
107 elif config["authentication"]["backend"] == "internal":
108 self.backend = AuthconnInternal(self.config["authentication"], self.db, self.tokens_cache)
109 self._internal_tokens_prune()
110 else:
111 raise AuthException("Unknown authentication backend: {}"
112 .format(config["authentication"]["backend"]))
113
114 if not self.roles_to_operations_file:
115 if "roles_to_operations" in config["rbac"]:
116 self.roles_to_operations_file = config["rbac"]["roles_to_operations"]
117 else:
118 possible_paths = (
119 __file__[:__file__.rfind("auth.py")] + "roles_to_operations.yml",
120 "./roles_to_operations.yml"
121 )
122 for config_file in possible_paths:
123 if path.isfile(config_file):
124 self.roles_to_operations_file = config_file
125 break
126 if not self.roles_to_operations_file:
127 raise AuthException("Invalid permission configuration: roles_to_operations file missing")
128
129 if not self.roles_to_operations_table: # PROVISIONAL ?
130 self.roles_to_operations_table = "roles_operations" \
131 if config["authentication"]["backend"] == "keystone" \
132 else "roles"
133
134 # load role_permissions
135 def load_role_permissions(method_dict):
136 for k in method_dict:
137 if k == "ROLE_PERMISSION":
138 for method in chain(method_dict.get("METHODS", ()), method_dict.get("TODO", ())):
139 permission = method_dict["ROLE_PERMISSION"] + method.lower()
140 if permission not in self.role_permissions:
141 self.role_permissions.append(permission)
142 elif k in ("TODO", "METHODS"):
143 continue
144 else:
145 load_role_permissions(method_dict[k])
146
147 load_role_permissions(self.valid_methods)
148 for query_string in self.valid_query_string:
149 for method in ("get", "put", "patch", "post", "delete"):
150 permission = query_string.lower() + ":" + method
151 if permission not in self.role_permissions:
152 self.role_permissions.append(permission)
153
154 except Exception as e:
155 raise AuthException(str(e))
156
157 def stop(self):
158 try:
159 if self.db:
160 self.db.db_disconnect()
161 except DbException as e:
162 raise AuthException(str(e), http_code=e.http_code)
163
164 def init_db(self, target_version='1.0'):
165 """
166 Check if the database has been initialized, with at least one user. If not, create the required tables
167 and insert the predefined mappings between roles and permissions.
168
169 :param target_version: schema version that should be present in the database.
170 :return: None if OK, exception if error or version is different.
171 """
172
173 # PCR 28/05/2019 Commented out to allow initialization for internal backend
174 # if self.config["authentication"]["backend"] == "internal":
175 # return
176
177 records = self.db.get_list(self.roles_to_operations_table)
178
179 # Loading permissions to MongoDB if there is not any permission.
180 if not records:
181 with open(self.roles_to_operations_file, "r") as stream:
182 roles_to_operations_yaml = yaml.load(stream)
183
184 role_names = []
185 for role_with_operations in roles_to_operations_yaml["roles"]:
186 # Verifying if role already exists. If it does, raise exception
187 if role_with_operations["name"] not in role_names:
188 role_names.append(role_with_operations["name"])
189 else:
190 raise AuthException("Duplicated role name '{}' at file '{}''"
191 .format(role_with_operations["name"], self.roles_to_operations_file))
192
193 if not role_with_operations["permissions"]:
194 continue
195
196 for permission, is_allowed in role_with_operations["permissions"].items():
197 if not isinstance(is_allowed, bool):
198 raise AuthException("Invalid value for permission '{}' at role '{}'; at file '{}'"
199 .format(permission, role_with_operations["name"],
200 self.roles_to_operations_file))
201
202 # TODO chek permission is ok
203 if permission[-1] == ":":
204 raise AuthException("Invalid permission '{}' terminated in ':' for role '{}'; at file {}"
205 .format(permission, role_with_operations["name"],
206 self.roles_to_operations_file))
207
208 if "default" not in role_with_operations["permissions"]:
209 role_with_operations["permissions"]["default"] = False
210 if "admin" not in role_with_operations["permissions"]:
211 role_with_operations["permissions"]["admin"] = False
212
213 now = time()
214 role_with_operations["_admin"] = {
215 "created": now,
216 "modified": now,
217 }
218
219 if self.config["authentication"]["backend"] == "keystone":
220 if role_with_operations["name"] != "anonymous":
221 backend_roles = self.backend.get_role_list(filter_q={"name": role_with_operations["name"]})
222 if backend_roles:
223 backend_id = backend_roles[0]["_id"]
224 else:
225 backend_id = self.backend.create_role(role_with_operations["name"])
226 role_with_operations["_id"] = backend_id
227 else:
228 role_with_operations["_id"] = str(uuid4())
229
230 self.db.create(self.roles_to_operations_table, role_with_operations)
231 self.logger.info("Role '{}' created at database".format(role_with_operations["name"]))
232
233 if self.config["authentication"]["backend"] != "internal":
234 self.backend.assign_role_to_user("admin", "admin", "system_admin")
235
236 self.load_operation_to_allowed_roles()
237
238 def load_operation_to_allowed_roles(self):
239 """
240 Fills the internal self.operation_to_allowed_roles based on database role content and self.role_permissions
241 It works in a shadow copy and replace at the end to allow other threads working with the old copy
242 :return: None
243 """
244
245 permissions = {oper: [] for oper in self.role_permissions}
246 records = self.db.get_list(self.roles_to_operations_table)
247
248 ignore_fields = ["_id", "_admin", "name", "default"]
249 for record in records:
250 record_permissions = {oper: record["permissions"].get("default", False) for oper in self.role_permissions}
251 operations_joined = [(oper, value) for oper, value in record["permissions"].items()
252 if oper not in ignore_fields]
253 operations_joined.sort(key=lambda x: x[0].count(":"))
254
255 for oper in operations_joined:
256 match = list(filter(lambda x: x.find(oper[0]) == 0, record_permissions.keys()))
257
258 for m in match:
259 record_permissions[m] = oper[1]
260
261 allowed_operations = [k for k, v in record_permissions.items() if v is True]
262
263 for allowed_op in allowed_operations:
264 permissions[allowed_op].append(record["name"])
265
266 self.operation_to_allowed_roles = permissions
267
268 def authorize(self, role_permission=None, query_string_operations=None):
269 token = None
270 user_passwd64 = None
271 try:
272 # 1. Get token Authorization bearer
273 auth = cherrypy.request.headers.get("Authorization")
274 if auth:
275 auth_list = auth.split(" ")
276 if auth_list[0].lower() == "bearer":
277 token = auth_list[-1]
278 elif auth_list[0].lower() == "basic":
279 user_passwd64 = auth_list[-1]
280 if not token:
281 if cherrypy.session.get("Authorization"):
282 # 2. Try using session before request a new token. If not, basic authentication will generate
283 token = cherrypy.session.get("Authorization")
284 if token == "logout":
285 token = None # force Unauthorized response to insert user password again
286 elif user_passwd64 and cherrypy.request.config.get("auth.allow_basic_authentication"):
287 # 3. Get new token from user password
288 user = None
289 passwd = None
290 try:
291 user_passwd = standard_b64decode(user_passwd64).decode()
292 user, _, passwd = user_passwd.partition(":")
293 except Exception:
294 pass
295 outdata = self.new_token(None, {"username": user, "password": passwd})
296 token = outdata["_id"]
297 cherrypy.session['Authorization'] = token
298
299 if not token:
300 raise AuthException("Needed a token or Authorization http header",
301 http_code=HTTPStatus.UNAUTHORIZED)
302 token_info = self.backend.validate_token(token)
303 # TODO add to token info remote host, port
304
305 if role_permission:
306 self.check_permissions(token_info, cherrypy.request.method, role_permission,
307 query_string_operations)
308 return token_info
309 except AuthException as e:
310 if not isinstance(e, AuthExceptionUnauthorized):
311 if cherrypy.session.get('Authorization'):
312 del cherrypy.session['Authorization']
313 cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e)
314 raise
315
316 def new_token(self, token_info, indata, remote):
317 new_token_info = self.backend.authenticate(
318 user=indata.get("username"),
319 password=indata.get("password"),
320 token_info=token_info,
321 project=indata.get("project_id")
322 )
323
324 new_token_info["remote_port"] = remote.port
325 if not new_token_info.get("expires"):
326 new_token_info["expires"] = time() + 3600
327 if not new_token_info.get("admin"):
328 new_token_info["admin"] = True if new_token_info.get("project_name") == "admin" else False
329 # TODO put admin in RBAC
330
331 if remote.name:
332 new_token_info["remote_host"] = remote.name
333 elif remote.ip:
334 new_token_info["remote_host"] = remote.ip
335
336 self.tokens_cache[new_token_info["_id"]] = new_token_info
337
338 # TODO call self._internal_tokens_prune(now) ?
339 return deepcopy(new_token_info)
340
341 def get_token_list(self, token_info):
342 if self.config["authentication"]["backend"] == "internal":
343 return self._internal_get_token_list(token_info)
344 else:
345 # TODO: check if this can be avoided. Backend may provide enough information
346 return [deepcopy(token) for token in self.tokens_cache.values()
347 if token["username"] == token_info["username"]]
348
349 def get_token(self, token_info, token):
350 if self.config["authentication"]["backend"] == "internal":
351 return self._internal_get_token(token_info, token)
352 else:
353 # TODO: check if this can be avoided. Backend may provide enough information
354 token_value = self.tokens_cache.get(token)
355 if not token_value:
356 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
357 if token_value["username"] != token_info["username"] and not token_info["admin"]:
358 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
359 return token_value
360
361 def del_token(self, token):
362 try:
363 self.backend.revoke_token(token)
364 self.tokens_cache.pop(token, None)
365 return "token '{}' deleted".format(token)
366 except KeyError:
367 raise AuthException("Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND)
368
369 def check_permissions(self, token_info, method, role_permission=None, query_string_operations=None):
370 """
371 Checks that operation has permissions to be done, base on the assigned roles to this user project
372 :param token_info: Dictionary that contains "roles" with a list of assigned roles.
373 This method fills the token_info["admin"] with True or False based on assigned tokens, if any allows admin
374 This will be used among others to hide or not the _admin content of topics
375 :param method: GET,PUT, POST, ...
376 :param role_permission: role permission name of the operation required
377 :param query_string_operations: list of possible admin query strings provided by user. It is checked that the
378 assigned role allows this query string for this method
379 :return: None if granted, exception if not allowed
380 """
381
382 roles_required = self.operation_to_allowed_roles[role_permission]
383 roles_allowed = [role["name"] for role in token_info["roles"]]
384
385 # fills token_info["admin"] if some roles allows it
386 token_info["admin"] = False
387 for role in roles_allowed:
388 if role in self.operation_to_allowed_roles["admin:" + method.lower()]:
389 token_info["admin"] = True
390 break
391
392 if "anonymous" in roles_required:
393 return
394 operation_allowed = False
395 for role in roles_allowed:
396 if role in roles_required:
397 operation_allowed = True
398 # if query_string operations, check if this role allows it
399 if not query_string_operations:
400 return
401 for query_string_operation in query_string_operations:
402 if role not in self.operation_to_allowed_roles[query_string_operation]:
403 break
404 else:
405 return
406
407 if not operation_allowed:
408 raise AuthExceptionUnauthorized("Access denied: lack of permissions.")
409 else:
410 raise AuthExceptionUnauthorized("Access denied: You have not permissions to use these admin query string")
411
412 def get_user_list(self):
413 return self.backend.get_user_list()
414
415 def _normalize_url(self, url, method):
416 # DEPRECATED !!!
417 # Removing query strings
418 normalized_url = url if '?' not in url else url[:url.find("?")]
419 normalized_url_splitted = normalized_url.split("/")
420 parameters = {}
421
422 filtered_keys = [key for key in self.resources_to_operations_mapping.keys()
423 if method in key.split()[0]]
424
425 for idx, path_part in enumerate(normalized_url_splitted):
426 tmp_keys = []
427 for tmp_key in filtered_keys:
428 splitted = tmp_key.split()[1].split("/")
429 if idx >= len(splitted):
430 continue
431 elif "<" in splitted[idx] and ">" in splitted[idx]:
432 if splitted[idx] == "<artifactPath>":
433 tmp_keys.append(tmp_key)
434 continue
435 elif idx == len(normalized_url_splitted) - 1 and \
436 len(normalized_url_splitted) != len(splitted):
437 continue
438 else:
439 tmp_keys.append(tmp_key)
440 elif splitted[idx] == path_part:
441 if idx == len(normalized_url_splitted) - 1 and \
442 len(normalized_url_splitted) != len(splitted):
443 continue
444 else:
445 tmp_keys.append(tmp_key)
446 filtered_keys = tmp_keys
447 if len(filtered_keys) == 1 and \
448 filtered_keys[0].split("/")[-1] == "<artifactPath>":
449 break
450
451 if len(filtered_keys) == 0:
452 raise AuthException("Cannot make an authorization decision. URL not found. URL: {0}".format(url))
453 elif len(filtered_keys) > 1:
454 raise AuthException("Cannot make an authorization decision. Multiple URLs found. URL: {0}".format(url))
455
456 filtered_key = filtered_keys[0]
457
458 for idx, path_part in enumerate(filtered_key.split()[1].split("/")):
459 if "<" in path_part and ">" in path_part:
460 if path_part == "<artifactPath>":
461 parameters[path_part[1:-1]] = "/".join(normalized_url_splitted[idx:])
462 else:
463 parameters[path_part[1:-1]] = normalized_url_splitted[idx]
464
465 return filtered_key, parameters
466
467 def _internal_get_token_list(self, token_info):
468 now = time()
469 token_list = self.db.get_list("tokens", {"username": token_info["username"], "expires.gt": now})
470 return token_list
471
472 def _internal_get_token(self, token_info, token_id):
473 token_value = self.db.get_one("tokens", {"_id": token_id}, fail_on_empty=False)
474 if not token_value:
475 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
476 if token_value["username"] != token_info["username"] and not token_info["admin"]:
477 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
478 return token_value
479
480 def _internal_tokens_prune(self, now=None):
481 now = now or time()
482 if not self.next_db_prune_time or self.next_db_prune_time >= now:
483 self.db.del_list("tokens", {"expires.lt": now})
484 self.next_db_prune_time = self.periodin_db_pruning + now
485 self.tokens_cache.clear() # force to reload tokens from database