Fix project_user role permissions
[osm/NBI.git] / osm_nbi / auth.py
1 # -*- coding: utf-8 -*-
2
3 # Copyright 2018 Whitestack, LLC
4 # Copyright 2018 Telefonica S.A.
5 #
6 # Licensed under the Apache License, Version 2.0 (the "License"); you may
7 # not use this file except in compliance with the License. You may obtain
8 # a copy of the License at
9 #
10 # http://www.apache.org/licenses/LICENSE-2.0
11 #
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15 # License for the specific language governing permissions and limitations
16 # under the License.
17 #
18 # For those usages not covered by the Apache License, Version 2.0 please
19 # contact: esousa@whitestack.com or alfonso.tiernosepulveda@telefonica.com
20 ##
21
22
23 """
24 Authenticator is responsible for authenticating the users,
25 create the tokens unscoped and scoped, retrieve the role
26 list inside the projects that they are inserted
27 """
28
29 __author__ = "Eduardo Sousa <esousa@whitestack.com>; Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30 __date__ = "$27-jul-2018 23:59:59$"
31
32 import cherrypy
33 import logging
34 import yaml
35 from base64 import standard_b64decode
36 from copy import deepcopy
37 # from functools import reduce
38 from http import HTTPStatus
39 from time import time
40 from os import path
41
42 from osm_nbi.authconn import AuthException, AuthExceptionUnauthorized
43 from osm_nbi.authconn_keystone import AuthconnKeystone
44 from osm_nbi.authconn_internal import AuthconnInternal # Comment out for testing&debugging, uncomment when ready
45 from osm_common import dbmongo
46 from osm_common import dbmemory
47 from osm_common.dbbase import DbException
48 from osm_nbi.validation import is_valid_uuid
49 from itertools import chain
50 from uuid import uuid4
51
52
53 class Authenticator:
54 """
55 This class should hold all the mechanisms for User Authentication and
56 Authorization. Initially it should support Openstack Keystone as a
57 backend through a plugin model where more backends can be added and a
58 RBAC model to manage permissions on operations.
59 This class must be threading safe
60 """
61
62 periodin_db_pruning = 60 * 30 # for the internal backend only. every 30 minutes expired tokens will be pruned
63
64 def __init__(self, valid_methods, valid_query_string):
65 """
66 Authenticator initializer. Setup the initial state of the object,
67 while it waits for the config dictionary and database initialization.
68 """
69 self.backend = None
70 self.config = None
71 self.db = None
72 self.tokens_cache = dict()
73 self.next_db_prune_time = 0 # time when next cleaning of expired tokens must be done
74 self.roles_to_operations_file = None
75 # self.roles_to_operations_table = None
76 self.resources_to_operations_mapping = {}
77 self.operation_to_allowed_roles = {}
78 self.logger = logging.getLogger("nbi.authenticator")
79 self.role_permissions = []
80 self.valid_methods = valid_methods
81 self.valid_query_string = valid_query_string
82
83 def start(self, config):
84 """
85 Method to configure the Authenticator object. This method should be called
86 after object creation. It is responsible by initializing the selected backend,
87 as well as the initialization of the database connection.
88
89 :param config: dictionary containing the relevant parameters for this object.
90 """
91 self.config = config
92
93 try:
94 if not self.db:
95 if config["database"]["driver"] == "mongo":
96 self.db = dbmongo.DbMongo()
97 self.db.db_connect(config["database"])
98 elif config["database"]["driver"] == "memory":
99 self.db = dbmemory.DbMemory()
100 self.db.db_connect(config["database"])
101 else:
102 raise AuthException("Invalid configuration param '{}' at '[database]':'driver'"
103 .format(config["database"]["driver"]))
104 if not self.backend:
105 if config["authentication"]["backend"] == "keystone":
106 self.backend = AuthconnKeystone(self.config["authentication"], self.db, self.tokens_cache)
107 elif config["authentication"]["backend"] == "internal":
108 self.backend = AuthconnInternal(self.config["authentication"], self.db, self.tokens_cache)
109 self._internal_tokens_prune()
110 else:
111 raise AuthException("Unknown authentication backend: {}"
112 .format(config["authentication"]["backend"]))
113
114 if not self.roles_to_operations_file:
115 if "roles_to_operations" in config["rbac"]:
116 self.roles_to_operations_file = config["rbac"]["roles_to_operations"]
117 else:
118 possible_paths = (
119 __file__[:__file__.rfind("auth.py")] + "roles_to_operations.yml",
120 "./roles_to_operations.yml"
121 )
122 for config_file in possible_paths:
123 if path.isfile(config_file):
124 self.roles_to_operations_file = config_file
125 break
126 if not self.roles_to_operations_file:
127 raise AuthException("Invalid permission configuration: roles_to_operations file missing")
128
129 # load role_permissions
130 def load_role_permissions(method_dict):
131 for k in method_dict:
132 if k == "ROLE_PERMISSION":
133 for method in chain(method_dict.get("METHODS", ()), method_dict.get("TODO", ())):
134 permission = method_dict["ROLE_PERMISSION"] + method.lower()
135 if permission not in self.role_permissions:
136 self.role_permissions.append(permission)
137 elif k in ("TODO", "METHODS"):
138 continue
139 else:
140 load_role_permissions(method_dict[k])
141
142 load_role_permissions(self.valid_methods)
143 for query_string in self.valid_query_string:
144 for method in ("get", "put", "patch", "post", "delete"):
145 permission = query_string.lower() + ":" + method
146 if permission not in self.role_permissions:
147 self.role_permissions.append(permission)
148
149 except Exception as e:
150 raise AuthException(str(e))
151
152 def stop(self):
153 try:
154 if self.db:
155 self.db.db_disconnect()
156 except DbException as e:
157 raise AuthException(str(e), http_code=e.http_code)
158
159 def create_admin_project(self):
160 """
161 Creates a new project 'admin' into database if it doesn't exist. Useful for initialization.
162 :return: _id identity of the 'admin' project
163 """
164
165 # projects = self.db.get_one("projects", fail_on_empty=False, fail_on_more=False)
166 project_desc = {"name": "admin"}
167 projects = self.backend.get_project_list(project_desc)
168 if projects:
169 return projects[0]["_id"]
170 now = time()
171 project_desc["_id"] = str(uuid4())
172 project_desc["_admin"] = {"created": now, "modified": now}
173 pid = self.backend.create_project(project_desc)
174 self.logger.info("Project '{}' created at database".format(project_desc["name"]))
175 return pid
176
177 def create_admin_user(self, project_id):
178 """
179 Creates a new user admin/admin into database if database is empty. Useful for initialization
180 :return: _id identity of the inserted data, or None
181 """
182 # users = self.db.get_one("users", fail_on_empty=False, fail_on_more=False)
183 users = self.backend.get_user_list()
184 if users:
185 return None
186 # user_desc = {"username": "admin", "password": "admin", "projects": [project_id]}
187 now = time()
188 user_desc = {"username": "admin", "password": "admin", "_admin": {"created": now, "modified": now}}
189 if project_id:
190 pid = project_id
191 else:
192 # proj = self.db.get_one("projects", {"name": "admin"}, fail_on_empty=False, fail_on_more=False)
193 proj = self.backend.get_project_list({"name": "admin"})
194 pid = proj[0]["_id"] if proj else None
195 # role = self.db.get_one("roles", {"name": "system_admin"}, fail_on_empty=False, fail_on_more=False)
196 roles = self.backend.get_role_list({"name": "system_admin"})
197 if pid and roles:
198 user_desc["project_role_mappings"] = [{"project": pid, "role": roles[0]["_id"]}]
199 uid = self.backend.create_user(user_desc)
200 self.logger.info("User '{}' created at database".format(user_desc["username"]))
201 return uid
202
203 def init_db(self, target_version='1.0'):
204 """
205 Check if the database has been initialized, with at least one user. If not, create the required tables
206 and insert the predefined mappings between roles and permissions.
207
208 :param target_version: schema version that should be present in the database.
209 :return: None if OK, exception if error or version is different.
210 """
211
212 records = self.backend.get_role_list()
213
214 # Loading permissions to MongoDB if there is not any permission.
215 if not records or (len(records) == 1 and records[0]["name"] == "admin"):
216 with open(self.roles_to_operations_file, "r") as stream:
217 roles_to_operations_yaml = yaml.load(stream)
218
219 role_names = []
220 for role_with_operations in roles_to_operations_yaml["roles"]:
221 # Verifying if role already exists. If it does, raise exception
222 if role_with_operations["name"] not in role_names:
223 role_names.append(role_with_operations["name"])
224 else:
225 raise AuthException("Duplicated role name '{}' at file '{}''"
226 .format(role_with_operations["name"], self.roles_to_operations_file))
227
228 if not role_with_operations["permissions"]:
229 continue
230
231 for permission, is_allowed in role_with_operations["permissions"].items():
232 if not isinstance(is_allowed, bool):
233 raise AuthException("Invalid value for permission '{}' at role '{}'; at file '{}'"
234 .format(permission, role_with_operations["name"],
235 self.roles_to_operations_file))
236
237 # TODO chek permission is ok
238 if permission[-1] == ":":
239 raise AuthException("Invalid permission '{}' terminated in ':' for role '{}'; at file {}"
240 .format(permission, role_with_operations["name"],
241 self.roles_to_operations_file))
242
243 if "default" not in role_with_operations["permissions"]:
244 role_with_operations["permissions"]["default"] = False
245 if "admin" not in role_with_operations["permissions"]:
246 role_with_operations["permissions"]["admin"] = False
247
248 now = time()
249 role_with_operations["_admin"] = {
250 "created": now,
251 "modified": now,
252 }
253
254 # self.db.create(self.roles_to_operations_table, role_with_operations)
255 self.backend.create_role(role_with_operations)
256 self.logger.info("Role '{}' created at database".format(role_with_operations["name"]))
257
258 # Create admin project&user if required
259 pid = self.create_admin_project()
260 user_id = self.create_admin_user(pid)
261
262 # try to assign system_admin role to user admin if not any user has this role
263 if not user_id:
264 try:
265 users = self.backend.get_user_list()
266 roles = self.backend.get_role_list({"name": "system_admin"})
267 role_id = roles[0]["_id"]
268 user_with_system_admin = False
269 user_admin_id = None
270 for user in users:
271 if not user_admin_id:
272 user_admin_id = user["_id"]
273 if user["username"] == "admin":
274 user_admin_id = user["_id"]
275 for prm in user.get("project_role_mappings", ()):
276 if prm["role"] == role_id:
277 user_with_system_admin = True
278 break
279 if user_with_system_admin:
280 break
281 if not user_with_system_admin:
282 self.backend.update_user({"_id": user_admin_id,
283 "add_project_role_mappings": [{"project": pid, "role": role_id}]})
284 self.logger.info("Added role system admin to user='{}' project=admin".format(user_admin_id))
285 except Exception:
286 pass
287
288 self.load_operation_to_allowed_roles()
289
290 def load_operation_to_allowed_roles(self):
291 """
292 Fills the internal self.operation_to_allowed_roles based on database role content and self.role_permissions
293 It works in a shadow copy and replace at the end to allow other threads working with the old copy
294 :return: None
295 """
296
297 permissions = {oper: [] for oper in self.role_permissions}
298 # records = self.db.get_list(self.roles_to_operations_table)
299 records = self.backend.get_role_list()
300
301 ignore_fields = ["_id", "_admin", "name", "default"]
302 for record in records:
303 if not record.get("permissions"):
304 continue
305 record_permissions = {oper: record["permissions"].get("default", False) for oper in self.role_permissions}
306 operations_joined = [(oper, value) for oper, value in record["permissions"].items()
307 if oper not in ignore_fields]
308 operations_joined.sort(key=lambda x: x[0].count(":"))
309
310 for oper in operations_joined:
311 match = list(filter(lambda x: x.find(oper[0]) == 0, record_permissions.keys()))
312
313 for m in match:
314 record_permissions[m] = oper[1]
315
316 allowed_operations = [k for k, v in record_permissions.items() if v is True]
317
318 for allowed_op in allowed_operations:
319 permissions[allowed_op].append(record["name"])
320
321 self.operation_to_allowed_roles = permissions
322
323 def authorize(self, role_permission=None, query_string_operations=None, item_id=None):
324 token = None
325 user_passwd64 = None
326 try:
327 # 1. Get token Authorization bearer
328 auth = cherrypy.request.headers.get("Authorization")
329 if auth:
330 auth_list = auth.split(" ")
331 if auth_list[0].lower() == "bearer":
332 token = auth_list[-1]
333 elif auth_list[0].lower() == "basic":
334 user_passwd64 = auth_list[-1]
335 if not token:
336 if cherrypy.session.get("Authorization"):
337 # 2. Try using session before request a new token. If not, basic authentication will generate
338 token = cherrypy.session.get("Authorization")
339 if token == "logout":
340 token = None # force Unauthorized response to insert user password again
341 elif user_passwd64 and cherrypy.request.config.get("auth.allow_basic_authentication"):
342 # 3. Get new token from user password
343 user = None
344 passwd = None
345 try:
346 user_passwd = standard_b64decode(user_passwd64).decode()
347 user, _, passwd = user_passwd.partition(":")
348 except Exception:
349 pass
350 outdata = self.new_token(None, {"username": user, "password": passwd})
351 token = outdata["_id"]
352 cherrypy.session['Authorization'] = token
353
354 if not token:
355 raise AuthException("Needed a token or Authorization http header",
356 http_code=HTTPStatus.UNAUTHORIZED)
357 token_info = self.backend.validate_token(token)
358 # TODO add to token info remote host, port
359
360 if role_permission:
361 RBAC_auth = self.check_permissions(token_info, cherrypy.request.method, role_permission,
362 query_string_operations, item_id)
363 token_info["allow_show_user_project_role"] = RBAC_auth
364
365 return token_info
366 except AuthException as e:
367 if not isinstance(e, AuthExceptionUnauthorized):
368 if cherrypy.session.get('Authorization'):
369 del cherrypy.session['Authorization']
370 cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e)
371 elif self.config.get("user_not_authorized"):
372 # TODO provide user_id, roles id (not name), project_id
373 return {"id": "fake-token-id-for-test",
374 "project_id": self.config.get("project_not_authorized", "admin"),
375 "username": self.config["user_not_authorized"],
376 "roles": ["system_admin"]}
377 raise
378
379 def new_token(self, token_info, indata, remote):
380 new_token_info = self.backend.authenticate(
381 user=indata.get("username"),
382 password=indata.get("password"),
383 token_info=token_info,
384 project=indata.get("project_id")
385 )
386
387 new_token_info["remote_port"] = remote.port
388 if not new_token_info.get("expires"):
389 new_token_info["expires"] = time() + 3600
390 if not new_token_info.get("admin"):
391 new_token_info["admin"] = True if new_token_info.get("project_name") == "admin" else False
392 # TODO put admin in RBAC
393
394 if remote.name:
395 new_token_info["remote_host"] = remote.name
396 elif remote.ip:
397 new_token_info["remote_host"] = remote.ip
398
399 self.tokens_cache[new_token_info["_id"]] = new_token_info
400
401 # TODO call self._internal_tokens_prune(now) ?
402 return deepcopy(new_token_info)
403
404 def get_token_list(self, token_info):
405 if self.config["authentication"]["backend"] == "internal":
406 return self._internal_get_token_list(token_info)
407 else:
408 # TODO: check if this can be avoided. Backend may provide enough information
409 return [deepcopy(token) for token in self.tokens_cache.values()
410 if token["username"] == token_info["username"]]
411
412 def get_token(self, token_info, token):
413 if self.config["authentication"]["backend"] == "internal":
414 return self._internal_get_token(token_info, token)
415 else:
416 # TODO: check if this can be avoided. Backend may provide enough information
417 token_value = self.tokens_cache.get(token)
418 if not token_value:
419 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
420 if token_value["username"] != token_info["username"] and not token_info["admin"]:
421 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
422 return token_value
423
424 def del_token(self, token):
425 try:
426 self.backend.revoke_token(token)
427 self.tokens_cache.pop(token, None)
428 return "token '{}' deleted".format(token)
429 except KeyError:
430 raise AuthException("Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND)
431
432 def check_permissions(self, token_info, method, role_permission=None, query_string_operations=None, item_id=None):
433 """
434 Checks that operation has permissions to be done, base on the assigned roles to this user project
435 :param token_info: Dictionary that contains "roles" with a list of assigned roles.
436 This method fills the token_info["admin"] with True or False based on assigned tokens, if any allows admin
437 This will be used among others to hide or not the _admin content of topics
438 :param method: GET,PUT, POST, ...
439 :param role_permission: role permission name of the operation required
440 :param query_string_operations: list of possible admin query strings provided by user. It is checked that the
441 assigned role allows this query string for this method
442 :param item_id: item identifier if included in the URL, None otherwise
443 :return: True if access granted by permission rules, False if access granted by default rules (Bug 853)
444 :raises: AuthExceptionUnauthorized if access denied
445 """
446
447 roles_required = self.operation_to_allowed_roles[role_permission]
448 roles_allowed = [role["name"] for role in token_info["roles"]]
449
450 # fills token_info["admin"] if some roles allows it
451 token_info["admin"] = False
452 for role in roles_allowed:
453 if role in self.operation_to_allowed_roles["admin:" + method.lower()]:
454 token_info["admin"] = True
455 break
456
457 if "anonymous" in roles_required:
458 return True
459 operation_allowed = False
460 for role in roles_allowed:
461 if role in roles_required:
462 operation_allowed = True
463 # if query_string operations, check if this role allows it
464 if not query_string_operations:
465 return True
466 for query_string_operation in query_string_operations:
467 if role not in self.operation_to_allowed_roles[query_string_operation]:
468 break
469 else:
470 return True
471
472 # Bug 853 - Final Solution
473 # User/Project/Role whole listings are filtered elsewhere
474 # uid, pid, rid = ("user_id", "project_id", "id") if is_valid_uuid(id) else ("username", "project_name", "name")
475 uid = "user_id" if is_valid_uuid(item_id) else "username"
476 if (role_permission in ["projects:get", "projects:id:get", "roles:get", "roles:id:get", "users:get"]) \
477 or (role_permission == "users:id:get" and item_id == token_info[uid]):
478 # or (role_permission == "projects:id:get" and item_id == token_info[pid]) \
479 # or (role_permission == "roles:id:get" and item_id in [role[rid] for role in token_info["roles"]]):
480 return False
481
482 if not operation_allowed:
483 raise AuthExceptionUnauthorized("Access denied: lack of permissions.")
484 else:
485 raise AuthExceptionUnauthorized("Access denied: You have not permissions to use these admin query string")
486
487 def get_user_list(self):
488 return self.backend.get_user_list()
489
490 def _normalize_url(self, url, method):
491 # DEPRECATED !!!
492 # Removing query strings
493 normalized_url = url if '?' not in url else url[:url.find("?")]
494 normalized_url_splitted = normalized_url.split("/")
495 parameters = {}
496
497 filtered_keys = [key for key in self.resources_to_operations_mapping.keys()
498 if method in key.split()[0]]
499
500 for idx, path_part in enumerate(normalized_url_splitted):
501 tmp_keys = []
502 for tmp_key in filtered_keys:
503 splitted = tmp_key.split()[1].split("/")
504 if idx >= len(splitted):
505 continue
506 elif "<" in splitted[idx] and ">" in splitted[idx]:
507 if splitted[idx] == "<artifactPath>":
508 tmp_keys.append(tmp_key)
509 continue
510 elif idx == len(normalized_url_splitted) - 1 and \
511 len(normalized_url_splitted) != len(splitted):
512 continue
513 else:
514 tmp_keys.append(tmp_key)
515 elif splitted[idx] == path_part:
516 if idx == len(normalized_url_splitted) - 1 and \
517 len(normalized_url_splitted) != len(splitted):
518 continue
519 else:
520 tmp_keys.append(tmp_key)
521 filtered_keys = tmp_keys
522 if len(filtered_keys) == 1 and \
523 filtered_keys[0].split("/")[-1] == "<artifactPath>":
524 break
525
526 if len(filtered_keys) == 0:
527 raise AuthException("Cannot make an authorization decision. URL not found. URL: {0}".format(url))
528 elif len(filtered_keys) > 1:
529 raise AuthException("Cannot make an authorization decision. Multiple URLs found. URL: {0}".format(url))
530
531 filtered_key = filtered_keys[0]
532
533 for idx, path_part in enumerate(filtered_key.split()[1].split("/")):
534 if "<" in path_part and ">" in path_part:
535 if path_part == "<artifactPath>":
536 parameters[path_part[1:-1]] = "/".join(normalized_url_splitted[idx:])
537 else:
538 parameters[path_part[1:-1]] = normalized_url_splitted[idx]
539
540 return filtered_key, parameters
541
542 def _internal_get_token_list(self, token_info):
543 now = time()
544 token_list = self.db.get_list("tokens", {"username": token_info["username"], "expires.gt": now})
545 return token_list
546
547 def _internal_get_token(self, token_info, token_id):
548 token_value = self.db.get_one("tokens", {"_id": token_id}, fail_on_empty=False)
549 if not token_value:
550 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
551 if token_value["username"] != token_info["username"] and not token_info["admin"]:
552 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
553 return token_value
554
555 def _internal_tokens_prune(self, now=None):
556 now = now or time()
557 if not self.next_db_prune_time or self.next_db_prune_time >= now:
558 self.db.del_list("tokens", {"expires.lt": now})
559 self.next_db_prune_time = self.periodin_db_pruning + now
560 self.tokens_cache.clear() # force to reload tokens from database