projects / osm / NBI.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix bug 726
[osm/NBI.git] / osm_nbi / auth.py
1 # -*- coding: utf-8 -*-
2
3 # Copyright 2018 Whitestack, LLC
4 # Copyright 2018 Telefonica S.A.
5 #
6 # Licensed under the Apache License, Version 2.0 (the "License"); you may
7 # not use this file except in compliance with the License. You may obtain
8 # a copy of the License at
9 #
10 # http://www.apache.org/licenses/LICENSE-2.0
11 #
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15 # License for the specific language governing permissions and limitations
16 # under the License.
17 #
18 # For those usages not covered by the Apache License, Version 2.0 please
19 # contact: esousa@whitestack.com or alfonso.tiernosepulveda@telefonica.com
20 ##
21
22
23 """
24 Authenticator is responsible for authenticating the users,
25 create the tokens unscoped and scoped, retrieve the role
26 list inside the projects that they are inserted
27 """
28
29 __author__ = "Eduardo Sousa <esousa@whitestack.com>; Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30 __date__ = "$27-jul-2018 23:59:59$"
31
32 import cherrypy
33 import logging
34 import yaml
35 from base64 import standard_b64decode
36 from copy import deepcopy
37 from functools import reduce
38 from hashlib import sha256
39 from http import HTTPStatus
40 from random import choice as random_choice
41 from time import time
42 from os import path
43 from base_topic import BaseTopic # To allow project names in project_id
44
45 from authconn import AuthException
46 from authconn_keystone import AuthconnKeystone
47 from osm_common import dbmongo
48 from osm_common import dbmemory
49 from osm_common.dbbase import DbException
50
51
52 class Authenticator:
53 """
54 This class should hold all the mechanisms for User Authentication and
55 Authorization. Initially it should support Openstack Keystone as a
56 backend through a plugin model where more backends can be added and a
57 RBAC model to manage permissions on operations.
58 This class must be threading safe
59 """
60
61 periodin_db_pruning = 60 * 30 # for the internal backend only. every 30 minutes expired tokens will be pruned
62
63 def __init__(self):
64 """
65 Authenticator initializer. Setup the initial state of the object,
66 while it waits for the config dictionary and database initialization.
67 """
68 self.backend = None
69 self.config = None
70 self.db = None
71 self.tokens_cache = dict()
72 self.next_db_prune_time = 0 # time when next cleaning of expired tokens must be done
73 self.resources_to_operations_file = None
74 self.roles_to_operations_file = None
75 self.resources_to_operations_mapping = {}
76 self.operation_to_allowed_roles = {}
77 self.logger = logging.getLogger("nbi.authenticator")
78
79 def start(self, config):
80 """
81 Method to configure the Authenticator object. This method should be called
82 after object creation. It is responsible by initializing the selected backend,
83 as well as the initialization of the database connection.
84
85 :param config: dictionary containing the relevant parameters for this object.
86 """
87 self.config = config
88
89 try:
90 if not self.db:
91 if config["database"]["driver"] == "mongo":
92 self.db = dbmongo.DbMongo()
93 self.db.db_connect(config["database"])
94 elif config["database"]["driver"] == "memory":
95 self.db = dbmemory.DbMemory()
96 self.db.db_connect(config["database"])
97 else:
98 raise AuthException("Invalid configuration param '{}' at '[database]':'driver'"
99 .format(config["database"]["driver"]))
100 if not self.backend:
101 if config["authentication"]["backend"] == "keystone":
102 self.backend = AuthconnKeystone(self.config["authentication"])
103 elif config["authentication"]["backend"] == "internal":
104 self._internal_tokens_prune()
105 else:
106 raise AuthException("Unknown authentication backend: {}"
107 .format(config["authentication"]["backend"]))
108 if not self.resources_to_operations_file:
109 if "resources_to_operations" in config["rbac"]:
110 self.resources_to_operations_file = config["rbac"]["resources_to_operations"]
111 else:
112 possible_paths = (
113 __file__[:__file__.rfind("auth.py")] + "resources_to_operations.yml",
114 "./resources_to_operations.yml"
115 )
116 for config_file in possible_paths:
117 if path.isfile(config_file):
118 self.resources_to_operations_file = config_file
119 break
120 if not self.resources_to_operations_file:
121 raise AuthException("Invalid permission configuration: resources_to_operations file missing")
122 if not self.roles_to_operations_file:
123 if "roles_to_operations" in config["rbac"]:
124 self.roles_to_operations_file = config["rbac"]["roles_to_operations"]
125 else:
126 possible_paths = (
127 __file__[:__file__.rfind("auth.py")] + "roles_to_operations.yml",
128 "./roles_to_operations.yml"
129 )
130 for config_file in possible_paths:
131 if path.isfile(config_file):
132 self.roles_to_operations_file = config_file
133 break
134 if not self.roles_to_operations_file:
135 raise AuthException("Invalid permission configuration: roles_to_operations file missing")
136 except Exception as e:
137 raise AuthException(str(e))
138
139 def stop(self):
140 try:
141 if self.db:
142 self.db.db_disconnect()
143 except DbException as e:
144 raise AuthException(str(e), http_code=e.http_code)
145
146 def init_db(self, target_version='1.0'):
147 """
148 Check if the database has been initialized, with at least one user. If not, create the required tables
149 and insert the predefined mappings between roles and permissions.
150
151 :param target_version: schema version that should be present in the database.
152 :return: None if OK, exception if error or version is different.
153 """
154 # Always reads operation to resource mapping from file (this is static, no need to store it in MongoDB)
155 # Operations encoding: "<METHOD> <URL>"
156 # Note: it is faster to rewrite the value than to check if it is already there or not
157 if self.config["authentication"]["backend"] == "internal":
158 return
159
160 operations = []
161 with open(self.resources_to_operations_file, "r") as stream:
162 resources_to_operations_yaml = yaml.load(stream)
163
164 for resource, operation in resources_to_operations_yaml["resources_to_operations"].items():
165 operation_key = operation.replace(".", ":")
166 if operation_key not in operations:
167 operations.append(operation_key)
168 self.resources_to_operations_mapping[resource] = operation_key
169
170 records = self.db.get_list("roles_operations")
171
172 # Loading permissions to MongoDB. If there are permissions already in MongoDB, do nothing.
173 if len(records) == 0:
174 with open(self.roles_to_operations_file, "r") as stream:
175 roles_to_operations_yaml = yaml.load(stream)
176
177 roles = []
178 for role_with_operations in roles_to_operations_yaml["roles_to_operations"]:
179 # Verifying if role already exists. If it does, send warning to log and ignore it.
180 if role_with_operations["role"] not in roles:
181 roles.append(role_with_operations["role"])
182 else:
183 self.logger.warning("Duplicated role with name: {0}. Role definition is ignored."
184 .format(role_with_operations["role"]))
185 continue
186
187 role_ops = {}
188 root = None
189
190 if not role_with_operations["operations"]:
191 continue
192
193 for operation, is_allowed in role_with_operations["operations"].items():
194 if not isinstance(is_allowed, bool):
195 continue
196
197 if operation == ".":
198 root = is_allowed
199 continue
200
201 if len(operation) != 1 and operation[-1] == ".":
202 self.logger.warning("Invalid operation {0} terminated in '.'. "
203 "Operation will be discarded"
204 .format(operation))
205 continue
206
207 operation_key = operation.replace(".", ":")
208 if operation_key not in role_ops.keys():
209 role_ops[operation_key] = is_allowed
210 else:
211 self.logger.info("In role {0}, the operation {1} with the value {2} was discarded due to "
212 "repetition.".format(role_with_operations["role"], operation, is_allowed))
213
214 if not root:
215 root = False
216 self.logger.info("Root for role {0} not defined. Default value 'False' applied."
217 .format(role_with_operations["role"]))
218
219 now = time()
220 operation_to_roles_item = {
221 "_admin": {
222 "created": now,
223 "modified": now,
224 },
225 "name": role_with_operations["role"],
226 "root": root
227 }
228
229 for operation, value in role_ops.items():
230 operation_to_roles_item[operation] = value
231
232 if self.config["authentication"]["backend"] != "internal" and \
233 role_with_operations["role"] != "anonymous":
234 keystone_id = [role for role in self.backend.get_role_list()
235 if role["name"] == role_with_operations["role"]]
236 if keystone_id:
237 keystone_id = keystone_id[0]
238 else:
239 keystone_id = self.backend.create_role(role_with_operations["role"])
240 operation_to_roles_item["_id"] = keystone_id["_id"]
241
242 self.db.create("roles_operations", operation_to_roles_item)
243
244 permissions = {oper: [] for oper in operations}
245 records = self.db.get_list("roles_operations")
246
247 ignore_fields = ["_id", "_admin", "name", "root"]
248 for record in records:
249 record_permissions = {oper: record["root"] for oper in operations}
250 operations_joined = [(oper, value) for oper, value in record.items() if oper not in ignore_fields]
251 operations_joined.sort(key=lambda x: x[0].count(":"))
252
253 for oper in operations_joined:
254 match = list(filter(lambda x: x.find(oper[0]) == 0, record_permissions.keys()))
255
256 for m in match:
257 record_permissions[m] = oper[1]
258
259 allowed_operations = [k for k, v in record_permissions.items() if v is True]
260
261 for allowed_op in allowed_operations:
262 permissions[allowed_op].append(record["name"])
263
264 for oper, role_list in permissions.items():
265 self.operation_to_allowed_roles[oper] = role_list
266
267 if self.config["authentication"]["backend"] != "internal":
268 self.backend.assign_role_to_user("admin", "admin", "system_admin")
269
270 def authorize(self):
271 token = None
272 user_passwd64 = None
273 try:
274 # 1. Get token Authorization bearer
275 auth = cherrypy.request.headers.get("Authorization")
276 if auth:
277 auth_list = auth.split(" ")
278 if auth_list[0].lower() == "bearer":
279 token = auth_list[-1]
280 elif auth_list[0].lower() == "basic":
281 user_passwd64 = auth_list[-1]
282 if not token:
283 if cherrypy.session.get("Authorization"):
284 # 2. Try using session before request a new token. If not, basic authentication will generate
285 token = cherrypy.session.get("Authorization")
286 if token == "logout":
287 token = None # force Unauthorized response to insert user password again
288 elif user_passwd64 and cherrypy.request.config.get("auth.allow_basic_authentication"):
289 # 3. Get new token from user password
290 user = None
291 passwd = None
292 try:
293 user_passwd = standard_b64decode(user_passwd64).decode()
294 user, _, passwd = user_passwd.partition(":")
295 except Exception:
296 pass
297 outdata = self.new_token(None, {"username": user, "password": passwd})
298 token = outdata["id"]
299 cherrypy.session['Authorization'] = token
300 if self.config["authentication"]["backend"] == "internal":
301 return self._internal_authorize(token)
302 else:
303 if not token:
304 raise AuthException("Needed a token or Authorization http header",
305 http_code=HTTPStatus.UNAUTHORIZED)
306 try:
307 self.backend.validate_token(token)
308 self.check_permissions(self.tokens_cache[token], cherrypy.request.path_info,
309 cherrypy.request.method)
310 # TODO: check if this can be avoided. Backend may provide enough information
311 return deepcopy(self.tokens_cache[token])
312 except AuthException:
313 self.del_token(token)
314 raise
315 except AuthException as e:
316 if cherrypy.session.get('Authorization'):
317 del cherrypy.session['Authorization']
318 cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e)
319 raise AuthException(str(e))
320
321 def new_token(self, session, indata, remote):
322 if self.config["authentication"]["backend"] == "internal":
323 return self._internal_new_token(session, indata, remote)
324 else:
325 if indata.get("username"):
326 token, projects = self.backend.authenticate_with_user_password(
327 indata.get("username"), indata.get("password"))
328 elif session:
329 token, projects = self.backend.authenticate_with_token(
330 session.get("id"), indata.get("project_id"))
331 else:
332 raise AuthException("Provide credentials: username/password or Authorization Bearer token",
333 http_code=HTTPStatus.UNAUTHORIZED)
334
335 if indata.get("project_id"):
336 project_id = indata.get("project_id")
337 if project_id not in projects:
338 raise AuthException("Project {} not allowed for this user".format(project_id),
339 http_code=HTTPStatus.UNAUTHORIZED)
340 else:
341 project_id = projects[0]
342
343 if not session:
344 token, projects = self.backend.authenticate_with_token(token, project_id)
345
346 if project_id == "admin":
347 session_admin = True
348 else:
349 session_admin = reduce(lambda x, y: x or (True if y == "admin" else False),
350 projects, False)
351
352 now = time()
353 new_session = {
354 "_id": token,
355 "id": token,
356 "issued_at": now,
357 "expires": now + 3600,
358 "project_id": project_id,
359 "username": indata.get("username") if not session else session.get("username"),
360 "remote_port": remote.port,
361 "admin": session_admin
362 }
363
364 if remote.name:
365 new_session["remote_host"] = remote.name
366 elif remote.ip:
367 new_session["remote_host"] = remote.ip
368
369 # TODO: check if this can be avoided. Backend may provide enough information
370 self.tokens_cache[token] = new_session
371
372 return deepcopy(new_session)
373
374 def get_token_list(self, session):
375 if self.config["authentication"]["backend"] == "internal":
376 return self._internal_get_token_list(session)
377 else:
378 # TODO: check if this can be avoided. Backend may provide enough information
379 return [deepcopy(token) for token in self.tokens_cache.values()
380 if token["username"] == session["username"]]
381
382 def get_token(self, session, token):
383 if self.config["authentication"]["backend"] == "internal":
384 return self._internal_get_token(session, token)
385 else:
386 # TODO: check if this can be avoided. Backend may provide enough information
387 token_value = self.tokens_cache.get(token)
388 if not token_value:
389 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
390 if token_value["username"] != session["username"] and not session["admin"]:
391 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
392 return token_value
393
394 def del_token(self, token):
395 if self.config["authentication"]["backend"] == "internal":
396 return self._internal_del_token(token)
397 else:
398 try:
399 self.backend.revoke_token(token)
400 del self.tokens_cache[token]
401 return "token '{}' deleted".format(token)
402 except KeyError:
403 raise AuthException("Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND)
404
405 def check_permissions(self, session, url, method):
406 self.logger.info("Session: {}".format(session))
407 self.logger.info("URL: {}".format(url))
408 self.logger.info("Method: {}".format(method))
409
410 key, parameters = self._normalize_url(url, method)
411
412 # TODO: Check if parameters might be useful for the decision
413
414 operation = self.resources_to_operations_mapping[key]
415 roles_required = self.operation_to_allowed_roles[operation]
416 roles_allowed = self.backend.get_user_role_list(session["id"])
417
418 if "anonymous" in roles_required:
419 return
420
421 for role in roles_allowed:
422 if role in roles_required:
423 return
424
425 raise AuthException("Access denied: lack of permissions.")
426
427 def get_user_list(self):
428 return self.backend.get_user_list()
429
430 def _normalize_url(self, url, method):
431 # Removing query strings
432 normalized_url = url if '?' not in url else url[:url.find("?")]
433 normalized_url_splitted = normalized_url.split("/")
434 parameters = {}
435
436 filtered_keys = [key for key in self.resources_to_operations_mapping.keys()
437 if method in key.split()[0]]
438
439 for idx, path_part in enumerate(normalized_url_splitted):
440 tmp_keys = []
441 for tmp_key in filtered_keys:
442 splitted = tmp_key.split()[1].split("/")
443 if idx >= len(splitted):
444 continue
445 elif "<" in splitted[idx] and ">" in splitted[idx]:
446 if splitted[idx] == "<artifactPath>":
447 tmp_keys.append(tmp_key)
448 continue
449 elif idx == len(normalized_url_splitted) - 1 and \
450 len(normalized_url_splitted) != len(splitted):
451 continue
452 else:
453 tmp_keys.append(tmp_key)
454 elif splitted[idx] == path_part:
455 if idx == len(normalized_url_splitted) - 1 and \
456 len(normalized_url_splitted) != len(splitted):
457 continue
458 else:
459 tmp_keys.append(tmp_key)
460 filtered_keys = tmp_keys
461 if len(filtered_keys) == 1 and \
462 filtered_keys[0].split("/")[-1] == "<artifactPath>":
463 break
464
465 if len(filtered_keys) == 0:
466 raise AuthException("Cannot make an authorization decision. URL not found. URL: {0}".format(url))
467 elif len(filtered_keys) > 1:
468 raise AuthException("Cannot make an authorization decision. Multiple URLs found. URL: {0}".format(url))
469
470 filtered_key = filtered_keys[0]
471
472 for idx, path_part in enumerate(filtered_key.split()[1].split("/")):
473 if "<" in path_part and ">" in path_part:
474 if path_part == "<artifactPath>":
475 parameters[path_part[1:-1]] = "/".join(normalized_url_splitted[idx:])
476 else:
477 parameters[path_part[1:-1]] = normalized_url_splitted[idx]
478
479 return filtered_key, parameters
480
481 def _internal_authorize(self, token_id):
482 try:
483 if not token_id:
484 raise AuthException("Needed a token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED)
485 # try to get from cache first
486 now = time()
487 session = self.tokens_cache.get(token_id)
488 if session and session["expires"] < now:
489 # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del
490 self.tokens_cache.pop(token_id, None)
491 session = None
492 if session:
493 return session
494
495 # get from database if not in cache
496 session = self.db.get_one("tokens", {"_id": token_id})
497 if session["expires"] < now:
498 raise AuthException("Expired Token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED)
499 self.tokens_cache[token_id] = session
500 return session
501 except DbException as e:
502 if e.http_code == HTTPStatus.NOT_FOUND:
503 raise AuthException("Invalid Token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED)
504 else:
505 raise
506
507 except AuthException:
508 if self.config["global"].get("test.user_not_authorized"):
509 return {"id": "fake-token-id-for-test",
510 "project_id": self.config["global"].get("test.project_not_authorized", "admin"),
511 "username": self.config["global"]["test.user_not_authorized"], "admin": True}
512 else:
513 raise
514
515 def _internal_new_token(self, session, indata, remote):
516 now = time()
517 user_content = None
518
519 # Try using username/password
520 if indata.get("username"):
521 user_rows = self.db.get_list("users", {"username": indata.get("username")})
522 if user_rows:
523 user_content = user_rows[0]
524 salt = user_content["_admin"]["salt"]
525 shadow_password = sha256(indata.get("password", "").encode('utf-8') + salt.encode('utf-8')).hexdigest()
526 if shadow_password != user_content["password"]:
527 user_content = None
528 if not user_content:
529 raise AuthException("Invalid username/password", http_code=HTTPStatus.UNAUTHORIZED)
530 elif session:
531 user_rows = self.db.get_list("users", {"username": session["username"]})
532 if user_rows:
533 user_content = user_rows[0]
534 else:
535 raise AuthException("Invalid token", http_code=HTTPStatus.UNAUTHORIZED)
536 else:
537 raise AuthException("Provide credentials: username/password or Authorization Bearer token",
538 http_code=HTTPStatus.UNAUTHORIZED)
539
540 token_id = ''.join(random_choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
541 for _ in range(0, 32))
542 project_id = indata.get("project_id")
543 if project_id:
544 if project_id != "admin":
545 # To allow project names in project_id
546 proj = self.db.get_one("projects", {BaseTopic.id_field("projects", project_id): project_id})
547 if proj["_id"] not in user_content["projects"] and proj["name"] not in user_content["projects"]:
548 raise AuthException("project {} not allowed for this user"
549 .format(project_id), http_code=HTTPStatus.UNAUTHORIZED)
550 else:
551 project_id = user_content["projects"][0]
552 if project_id == "admin":
553 session_admin = True
554 else:
555 # To allow project names in project_id
556 project = self.db.get_one("projects", {BaseTopic.id_field("projects", project_id): project_id})
557 session_admin = project.get("admin", False)
558 new_session = {"issued_at": now, "expires": now + 3600,
559 "_id": token_id, "id": token_id, "project_id": project_id, "username": user_content["username"],
560 "remote_port": remote.port, "admin": session_admin}
561 if remote.name:
562 new_session["remote_host"] = remote.name
563 elif remote.ip:
564 new_session["remote_host"] = remote.ip
565
566 self.tokens_cache[token_id] = new_session
567 self.db.create("tokens", new_session)
568 # check if database must be prune
569 self._internal_tokens_prune(now)
570 return deepcopy(new_session)
571
572 def _internal_get_token_list(self, session):
573 now = time()
574 token_list = self.db.get_list("tokens", {"username": session["username"], "expires.gt": now})
575 return token_list
576
577 def _internal_get_token(self, session, token_id):
578 token_value = self.db.get_one("tokens", {"_id": token_id}, fail_on_empty=False)
579 if not token_value:
580 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
581 if token_value["username"] != session["username"] and not session["admin"]:
582 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
583 return token_value
584
585 def _internal_del_token(self, token_id):
586 try:
587 self.tokens_cache.pop(token_id, None)
588 self.db.del_one("tokens", {"_id": token_id})
589 return "token '{}' deleted".format(token_id)
590 except DbException as e:
591 if e.http_code == HTTPStatus.NOT_FOUND:
592 raise AuthException("Token '{}' not found".format(token_id), http_code=HTTPStatus.NOT_FOUND)
593 else:
594 raise
595
596 def _internal_tokens_prune(self, now=None):
597 now = now or time()
598 if not self.next_db_prune_time or self.next_db_prune_time >= now:
599 self.db.del_list("tokens", {"expires.lt": now})
600 self.next_db_prune_time = self.periodin_db_pruning + now
601 self.tokens_cache.clear() # force to reload tokens from database