projects / osm / NBI.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
bug 710: send dummy messages to kafka before subscribe
[osm/NBI.git] / osm_nbi / auth.py
1 # -*- coding: utf-8 -*-
2
3 # Copyright 2018 Whitestack, LLC
4 # Copyright 2018 Telefonica S.A.
5 #
6 # Licensed under the Apache License, Version 2.0 (the "License"); you may
7 # not use this file except in compliance with the License. You may obtain
8 # a copy of the License at
9 #
10 # http://www.apache.org/licenses/LICENSE-2.0
11 #
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15 # License for the specific language governing permissions and limitations
16 # under the License.
17 #
18 # For those usages not covered by the Apache License, Version 2.0 please
19 # contact: esousa@whitestack.com or alfonso.tiernosepulveda@telefonica.com
20 ##
21
22
23 """
24 Authenticator is responsible for authenticating the users,
25 create the tokens unscoped and scoped, retrieve the role
26 list inside the projects that they are inserted
27 """
28
29 __author__ = "Eduardo Sousa <esousa@whitestack.com>; Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30 __date__ = "$27-jul-2018 23:59:59$"
31
32 import cherrypy
33 import logging
34 import yaml
35 from base64 import standard_b64decode
36 from copy import deepcopy
37 from functools import reduce
38 from hashlib import sha256
39 from http import HTTPStatus
40 from random import choice as random_choice
41 from time import time
42 from os import path
43 from base_topic import BaseTopic # To allow project names in project_id
44
45 from authconn import AuthException
46 from authconn_keystone import AuthconnKeystone
47 from osm_common import dbmongo
48 from osm_common import dbmemory
49 from osm_common.dbbase import DbException
50
51
52 class Authenticator:
53 """
54 This class should hold all the mechanisms for User Authentication and
55 Authorization. Initially it should support Openstack Keystone as a
56 backend through a plugin model where more backends can be added and a
57 RBAC model to manage permissions on operations.
58 This class must be threading safe
59 """
60
61 periodin_db_pruning = 60 * 30 # for the internal backend only. every 30 minutes expired tokens will be pruned
62
63 def __init__(self):
64 """
65 Authenticator initializer. Setup the initial state of the object,
66 while it waits for the config dictionary and database initialization.
67 """
68 self.backend = None
69 self.config = None
70 self.db = None
71 self.tokens_cache = dict()
72 self.next_db_prune_time = 0 # time when next cleaning of expired tokens must be done
73 self.resources_to_operations_file = None
74 self.roles_to_operations_file = None
75 self.resources_to_operations_mapping = {}
76 self.operation_to_allowed_roles = {}
77 self.logger = logging.getLogger("nbi.authenticator")
78
79 def start(self, config):
80 """
81 Method to configure the Authenticator object. This method should be called
82 after object creation. It is responsible by initializing the selected backend,
83 as well as the initialization of the database connection.
84
85 :param config: dictionary containing the relevant parameters for this object.
86 """
87 self.config = config
88
89 try:
90 if not self.db:
91 if config["database"]["driver"] == "mongo":
92 self.db = dbmongo.DbMongo()
93 self.db.db_connect(config["database"])
94 elif config["database"]["driver"] == "memory":
95 self.db = dbmemory.DbMemory()
96 self.db.db_connect(config["database"])
97 else:
98 raise AuthException("Invalid configuration param '{}' at '[database]':'driver'"
99 .format(config["database"]["driver"]))
100 if not self.backend:
101 if config["authentication"]["backend"] == "keystone":
102 self.backend = AuthconnKeystone(self.config["authentication"])
103 elif config["authentication"]["backend"] == "internal":
104 self._internal_tokens_prune()
105 else:
106 raise AuthException("Unknown authentication backend: {}"
107 .format(config["authentication"]["backend"]))
108 if not self.resources_to_operations_file:
109 if "resources_to_operations" in config["rbac"]:
110 self.resources_to_operations_file = config["rbac"]["resources_to_operations"]
111 else:
112 possible_paths = (
113 __file__[:__file__.rfind("auth.py")] + "resources_to_operations.yml",
114 "./resources_to_operations.yml"
115 )
116 for config_file in possible_paths:
117 if path.isfile(config_file):
118 self.resources_to_operations_file = config_file
119 break
120 if not self.resources_to_operations_file:
121 raise AuthException("Invalid permission configuration: resources_to_operations file missing")
122 if not self.roles_to_operations_file:
123 if "roles_to_operations" in config["rbac"]:
124 self.roles_to_operations_file = config["rbac"]["roles_to_operations"]
125 else:
126 possible_paths = (
127 __file__[:__file__.rfind("auth.py")] + "roles_to_operations.yml",
128 "./roles_to_operations.yml"
129 )
130 for config_file in possible_paths:
131 if path.isfile(config_file):
132 self.roles_to_operations_file = config_file
133 break
134 if not self.roles_to_operations_file:
135 raise AuthException("Invalid permission configuration: roles_to_operations file missing")
136 except Exception as e:
137 raise AuthException(str(e))
138
139 def stop(self):
140 try:
141 if self.db:
142 self.db.db_disconnect()
143 except DbException as e:
144 raise AuthException(str(e), http_code=e.http_code)
145
146 def init_db(self, target_version='1.0'):
147 """
148 Check if the database has been initialized, with at least one user. If not, create the required tables
149 and insert the predefined mappings between roles and permissions.
150
151 :param target_version: schema version that should be present in the database.
152 :return: None if OK, exception if error or version is different.
153 """
154 # Always reads operation to resource mapping from file (this is static, no need to store it in MongoDB)
155 # Operations encoding: "<METHOD> <URL>"
156 # Note: it is faster to rewrite the value than to check if it is already there or not
157 if self.config["authentication"]["backend"] == "internal":
158 return
159
160 operations = []
161 with open(self.resources_to_operations_file, "r") as stream:
162 resources_to_operations_yaml = yaml.load(stream)
163
164 for resource, operation in resources_to_operations_yaml["resources_to_operations"].items():
165 if operation not in operations:
166 operations.append(operation)
167 self.resources_to_operations_mapping[resource] = operation
168
169 records = self.db.get_list("roles_operations")
170
171 # Loading permissions to MongoDB. If there are permissions already in MongoDB, do nothing.
172 if len(records) == 0:
173 with open(self.roles_to_operations_file, "r") as stream:
174 roles_to_operations_yaml = yaml.load(stream)
175
176 roles = []
177 for role_with_operations in roles_to_operations_yaml["roles_to_operations"]:
178 # Verifying if role already exists. If it does, send warning to log and ignore it.
179 if role_with_operations["role"] not in roles:
180 roles.append(role_with_operations["role"])
181 else:
182 self.logger.warning("Duplicated role with name: {0}. Role definition is ignored."
183 .format(role_with_operations["role"]))
184 continue
185
186 role_ops = {}
187 root = None
188
189 if not role_with_operations["operations"]:
190 continue
191
192 for operation, is_allowed in role_with_operations["operations"].items():
193 if not isinstance(is_allowed, bool):
194 continue
195
196 if operation == ":":
197 root = is_allowed
198 continue
199
200 if len(operation) != 1 and operation[-1] == ":":
201 self.logger.warning("Invalid operation {0} terminated in ':'. "
202 "Operation will be discarded"
203 .format(operation))
204 continue
205
206 if operation not in role_ops.keys():
207 role_ops[operation] = is_allowed
208 else:
209 self.logger.info("In role {0}, the operation {1} with the value {2} was discarded due to "
210 "repetition.".format(role_with_operations["role"], operation, is_allowed))
211
212 if not root:
213 root = False
214 self.logger.info("Root for role {0} not defined. Default value 'False' applied."
215 .format(role_with_operations["role"]))
216
217 now = time()
218 operation_to_roles_item = {
219 "_admin": {
220 "created": now,
221 "modified": now,
222 },
223 "name": role_with_operations["role"],
224 "root": root
225 }
226
227 for operation, value in role_ops.items():
228 operation_to_roles_item[operation] = value
229
230 if self.config["authentication"]["backend"] != "internal" and \
231 role_with_operations["role"] != "anonymous":
232 keystone_id = [role for role in self.backend.get_role_list()
233 if role["name"] == role_with_operations["role"]]
234 if keystone_id:
235 keystone_id = keystone_id[0]
236 else:
237 keystone_id = self.backend.create_role(role_with_operations["role"])
238 operation_to_roles_item["_id"] = keystone_id["_id"]
239
240 self.db.create("roles_operations", operation_to_roles_item)
241
242 permissions = {oper: [] for oper in operations}
243 records = self.db.get_list("roles_operations")
244
245 ignore_fields = ["_id", "_admin", "name", "root"]
246 for record in records:
247 record_permissions = {oper: record["root"] for oper in operations}
248 operations_joined = [(oper, value) for oper, value in record.items() if oper not in ignore_fields]
249 operations_joined.sort(key=lambda x: x[0].count(":"))
250
251 for oper in operations_joined:
252 match = list(filter(lambda x: x.find(oper[0]) == 0, record_permissions.keys()))
253
254 for m in match:
255 record_permissions[m] = oper[1]
256
257 allowed_operations = [k for k, v in record_permissions.items() if v is True]
258
259 for allowed_op in allowed_operations:
260 permissions[allowed_op].append(record["name"])
261
262 for oper, role_list in permissions.items():
263 self.operation_to_allowed_roles[oper] = role_list
264
265 if self.config["authentication"]["backend"] != "internal":
266 self.backend.assign_role_to_user("admin", "admin", "system_admin")
267
268 def authorize(self):
269 token = None
270 user_passwd64 = None
271 try:
272 # 1. Get token Authorization bearer
273 auth = cherrypy.request.headers.get("Authorization")
274 if auth:
275 auth_list = auth.split(" ")
276 if auth_list[0].lower() == "bearer":
277 token = auth_list[-1]
278 elif auth_list[0].lower() == "basic":
279 user_passwd64 = auth_list[-1]
280 if not token:
281 if cherrypy.session.get("Authorization"):
282 # 2. Try using session before request a new token. If not, basic authentication will generate
283 token = cherrypy.session.get("Authorization")
284 if token == "logout":
285 token = None # force Unauthorized response to insert user password again
286 elif user_passwd64 and cherrypy.request.config.get("auth.allow_basic_authentication"):
287 # 3. Get new token from user password
288 user = None
289 passwd = None
290 try:
291 user_passwd = standard_b64decode(user_passwd64).decode()
292 user, _, passwd = user_passwd.partition(":")
293 except Exception:
294 pass
295 outdata = self.new_token(None, {"username": user, "password": passwd})
296 token = outdata["id"]
297 cherrypy.session['Authorization'] = token
298 if self.config["authentication"]["backend"] == "internal":
299 return self._internal_authorize(token)
300 else:
301 if not token:
302 raise AuthException("Needed a token or Authorization http header",
303 http_code=HTTPStatus.UNAUTHORIZED)
304 try:
305 self.backend.validate_token(token)
306 self.check_permissions(self.tokens_cache[token], cherrypy.request.path_info,
307 cherrypy.request.method)
308 # TODO: check if this can be avoided. Backend may provide enough information
309 return deepcopy(self.tokens_cache[token])
310 except AuthException:
311 self.del_token(token)
312 raise
313 except AuthException as e:
314 if cherrypy.session.get('Authorization'):
315 del cherrypy.session['Authorization']
316 cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e)
317 raise AuthException(str(e))
318
319 def new_token(self, session, indata, remote):
320 if self.config["authentication"]["backend"] == "internal":
321 return self._internal_new_token(session, indata, remote)
322 else:
323 if indata.get("username"):
324 token, projects = self.backend.authenticate_with_user_password(
325 indata.get("username"), indata.get("password"))
326 elif session:
327 token, projects = self.backend.authenticate_with_token(
328 session.get("id"), indata.get("project_id"))
329 else:
330 raise AuthException("Provide credentials: username/password or Authorization Bearer token",
331 http_code=HTTPStatus.UNAUTHORIZED)
332
333 if indata.get("project_id"):
334 project_id = indata.get("project_id")
335 if project_id not in projects:
336 raise AuthException("Project {} not allowed for this user".format(project_id),
337 http_code=HTTPStatus.UNAUTHORIZED)
338 else:
339 project_id = projects[0]
340
341 if not session:
342 token, projects = self.backend.authenticate_with_token(token, project_id)
343
344 if project_id == "admin":
345 session_admin = True
346 else:
347 session_admin = reduce(lambda x, y: x or (True if y == "admin" else False),
348 projects, False)
349
350 now = time()
351 new_session = {
352 "_id": token,
353 "id": token,
354 "issued_at": now,
355 "expires": now + 3600,
356 "project_id": project_id,
357 "username": indata.get("username") if not session else session.get("username"),
358 "remote_port": remote.port,
359 "admin": session_admin
360 }
361
362 if remote.name:
363 new_session["remote_host"] = remote.name
364 elif remote.ip:
365 new_session["remote_host"] = remote.ip
366
367 # TODO: check if this can be avoided. Backend may provide enough information
368 self.tokens_cache[token] = new_session
369
370 return deepcopy(new_session)
371
372 def get_token_list(self, session):
373 if self.config["authentication"]["backend"] == "internal":
374 return self._internal_get_token_list(session)
375 else:
376 # TODO: check if this can be avoided. Backend may provide enough information
377 return [deepcopy(token) for token in self.tokens_cache.values()
378 if token["username"] == session["username"]]
379
380 def get_token(self, session, token):
381 if self.config["authentication"]["backend"] == "internal":
382 return self._internal_get_token(session, token)
383 else:
384 # TODO: check if this can be avoided. Backend may provide enough information
385 token_value = self.tokens_cache.get(token)
386 if not token_value:
387 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
388 if token_value["username"] != session["username"] and not session["admin"]:
389 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
390 return token_value
391
392 def del_token(self, token):
393 if self.config["authentication"]["backend"] == "internal":
394 return self._internal_del_token(token)
395 else:
396 try:
397 self.backend.revoke_token(token)
398 del self.tokens_cache[token]
399 return "token '{}' deleted".format(token)
400 except KeyError:
401 raise AuthException("Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND)
402
403 def check_permissions(self, session, url, method):
404 self.logger.info("Session: {}".format(session))
405 self.logger.info("URL: {}".format(url))
406 self.logger.info("Method: {}".format(method))
407
408 key, parameters = self._normalize_url(url, method)
409
410 # TODO: Check if parameters might be useful for the decision
411
412 operation = self.resources_to_operations_mapping[key]
413 roles_required = self.operation_to_allowed_roles[operation]
414 roles_allowed = self.backend.get_user_role_list(session["id"])
415
416 if "anonymous" in roles_required:
417 return
418
419 for role in roles_allowed:
420 if role in roles_required:
421 return
422
423 raise AuthException("Access denied: lack of permissions.")
424
425 def get_user_list(self):
426 return self.backend.get_user_list()
427
428 def _normalize_url(self, url, method):
429 # Removing query strings
430 normalized_url = url if '?' not in url else url[:url.find("?")]
431 normalized_url_splitted = normalized_url.split("/")
432 parameters = {}
433
434 filtered_keys = [key for key in self.resources_to_operations_mapping.keys()
435 if method in key.split()[0]]
436
437 for idx, path_part in enumerate(normalized_url_splitted):
438 tmp_keys = []
439 for tmp_key in filtered_keys:
440 splitted = tmp_key.split()[1].split("/")
441 if idx >= len(splitted):
442 continue
443 elif "<" in splitted[idx] and ">" in splitted[idx]:
444 if splitted[idx] == "<artifactPath>":
445 tmp_keys.append(tmp_key)
446 continue
447 elif idx == len(normalized_url_splitted) - 1 and \
448 len(normalized_url_splitted) != len(splitted):
449 continue
450 else:
451 tmp_keys.append(tmp_key)
452 elif splitted[idx] == path_part:
453 if idx == len(normalized_url_splitted) - 1 and \
454 len(normalized_url_splitted) != len(splitted):
455 continue
456 else:
457 tmp_keys.append(tmp_key)
458 filtered_keys = tmp_keys
459 if len(filtered_keys) == 1 and \
460 filtered_keys[0].split("/")[-1] == "<artifactPath>":
461 break
462
463 if len(filtered_keys) == 0:
464 raise AuthException("Cannot make an authorization decision. URL not found. URL: {0}".format(url))
465 elif len(filtered_keys) > 1:
466 raise AuthException("Cannot make an authorization decision. Multiple URLs found. URL: {0}".format(url))
467
468 filtered_key = filtered_keys[0]
469
470 for idx, path_part in enumerate(filtered_key.split()[1].split("/")):
471 if "<" in path_part and ">" in path_part:
472 if path_part == "<artifactPath>":
473 parameters[path_part[1:-1]] = "/".join(normalized_url_splitted[idx:])
474 else:
475 parameters[path_part[1:-1]] = normalized_url_splitted[idx]
476
477 return filtered_key, parameters
478
479 def _internal_authorize(self, token_id):
480 try:
481 if not token_id:
482 raise AuthException("Needed a token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED)
483 # try to get from cache first
484 now = time()
485 session = self.tokens_cache.get(token_id)
486 if session and session["expires"] < now:
487 # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del
488 self.tokens_cache.pop(token_id, None)
489 session = None
490 if session:
491 return session
492
493 # get from database if not in cache
494 session = self.db.get_one("tokens", {"_id": token_id})
495 if session["expires"] < now:
496 raise AuthException("Expired Token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED)
497 self.tokens_cache[token_id] = session
498 return session
499 except DbException as e:
500 if e.http_code == HTTPStatus.NOT_FOUND:
501 raise AuthException("Invalid Token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED)
502 else:
503 raise
504
505 except AuthException:
506 if self.config["global"].get("test.user_not_authorized"):
507 return {"id": "fake-token-id-for-test",
508 "project_id": self.config["global"].get("test.project_not_authorized", "admin"),
509 "username": self.config["global"]["test.user_not_authorized"], "admin": True}
510 else:
511 raise
512
513 def _internal_new_token(self, session, indata, remote):
514 now = time()
515 user_content = None
516
517 # Try using username/password
518 if indata.get("username"):
519 user_rows = self.db.get_list("users", {"username": indata.get("username")})
520 if user_rows:
521 user_content = user_rows[0]
522 salt = user_content["_admin"]["salt"]
523 shadow_password = sha256(indata.get("password", "").encode('utf-8') + salt.encode('utf-8')).hexdigest()
524 if shadow_password != user_content["password"]:
525 user_content = None
526 if not user_content:
527 raise AuthException("Invalid username/password", http_code=HTTPStatus.UNAUTHORIZED)
528 elif session:
529 user_rows = self.db.get_list("users", {"username": session["username"]})
530 if user_rows:
531 user_content = user_rows[0]
532 else:
533 raise AuthException("Invalid token", http_code=HTTPStatus.UNAUTHORIZED)
534 else:
535 raise AuthException("Provide credentials: username/password or Authorization Bearer token",
536 http_code=HTTPStatus.UNAUTHORIZED)
537
538 token_id = ''.join(random_choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
539 for _ in range(0, 32))
540 project_id = indata.get("project_id")
541 if project_id:
542 if project_id != "admin":
543 # To allow project names in project_id
544 proj = self.db.get_one("projects", {BaseTopic.id_field("projects", project_id): project_id})
545 if proj["_id"] not in user_content["projects"] and proj["name"] not in user_content["projects"]:
546 raise AuthException("project {} not allowed for this user"
547 .format(project_id), http_code=HTTPStatus.UNAUTHORIZED)
548 else:
549 project_id = user_content["projects"][0]
550 if project_id == "admin":
551 session_admin = True
552 else:
553 # To allow project names in project_id
554 project = self.db.get_one("projects", {BaseTopic.id_field("projects", project_id): project_id})
555 session_admin = project.get("admin", False)
556 new_session = {"issued_at": now, "expires": now + 3600,
557 "_id": token_id, "id": token_id, "project_id": project_id, "username": user_content["username"],
558 "remote_port": remote.port, "admin": session_admin}
559 if remote.name:
560 new_session["remote_host"] = remote.name
561 elif remote.ip:
562 new_session["remote_host"] = remote.ip
563
564 self.tokens_cache[token_id] = new_session
565 self.db.create("tokens", new_session)
566 # check if database must be prune
567 self._internal_tokens_prune(now)
568 return deepcopy(new_session)
569
570 def _internal_get_token_list(self, session):
571 now = time()
572 token_list = self.db.get_list("tokens", {"username": session["username"], "expires.gt": now})
573 return token_list
574
575 def _internal_get_token(self, session, token_id):
576 token_value = self.db.get_one("tokens", {"_id": token_id}, fail_on_empty=False)
577 if not token_value:
578 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
579 if token_value["username"] != session["username"] and not session["admin"]:
580 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
581 return token_value
582
583 def _internal_del_token(self, token_id):
584 try:
585 self.tokens_cache.pop(token_id, None)
586 self.db.del_one("tokens", {"_id": token_id})
587 return "token '{}' deleted".format(token_id)
588 except DbException as e:
589 if e.http_code == HTTPStatus.NOT_FOUND:
590 raise AuthException("Token '{}' not found".format(token_id), http_code=HTTPStatus.NOT_FOUND)
591 else:
592 raise
593
594 def _internal_tokens_prune(self, now=None):
595 now = now or time()
596 if not self.next_db_prune_time or self.next_db_prune_time >= now:
597 self.db.del_list("tokens", {"expires.lt": now})
598 self.next_db_prune_time = self.periodin_db_pruning + now
599 self.tokens_cache.clear() # force to reload tokens from database