projects / osm / NBI.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
fix bug 748: provide a proper error when user is not valid upon new token
[osm/NBI.git] / osm_nbi / auth.py
1 # -*- coding: utf-8 -*-
2
3 # Copyright 2018 Whitestack, LLC
4 # Copyright 2018 Telefonica S.A.
5 #
6 # Licensed under the Apache License, Version 2.0 (the "License"); you may
7 # not use this file except in compliance with the License. You may obtain
8 # a copy of the License at
9 #
10 # http://www.apache.org/licenses/LICENSE-2.0
11 #
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15 # License for the specific language governing permissions and limitations
16 # under the License.
17 #
18 # For those usages not covered by the Apache License, Version 2.0 please
19 # contact: esousa@whitestack.com or alfonso.tiernosepulveda@telefonica.com
20 ##
21
22
23 """
24 Authenticator is responsible for authenticating the users,
25 create the tokens unscoped and scoped, retrieve the role
26 list inside the projects that they are inserted
27 """
28
29 __author__ = "Eduardo Sousa <esousa@whitestack.com>; Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30 __date__ = "$27-jul-2018 23:59:59$"
31
32 import cherrypy
33 import logging
34 import yaml
35 from base64 import standard_b64decode
36 from copy import deepcopy
37 # from functools import reduce
38 from hashlib import sha256
39 from http import HTTPStatus
40 from random import choice as random_choice
41 from time import time
42 from os import path
43 from base_topic import BaseTopic # To allow project names in project_id
44
45 from authconn import AuthException
46 from authconn_keystone import AuthconnKeystone
47 from osm_common import dbmongo
48 from osm_common import dbmemory
49 from osm_common.dbbase import DbException
50
51
52 class Authenticator:
53 """
54 This class should hold all the mechanisms for User Authentication and
55 Authorization. Initially it should support Openstack Keystone as a
56 backend through a plugin model where more backends can be added and a
57 RBAC model to manage permissions on operations.
58 This class must be threading safe
59 """
60
61 periodin_db_pruning = 60 * 30 # for the internal backend only. every 30 minutes expired tokens will be pruned
62
63 def __init__(self):
64 """
65 Authenticator initializer. Setup the initial state of the object,
66 while it waits for the config dictionary and database initialization.
67 """
68 self.backend = None
69 self.config = None
70 self.db = None
71 self.tokens_cache = dict()
72 self.next_db_prune_time = 0 # time when next cleaning of expired tokens must be done
73 self.resources_to_operations_file = None
74 self.roles_to_operations_file = None
75 self.resources_to_operations_mapping = {}
76 self.operation_to_allowed_roles = {}
77 self.logger = logging.getLogger("nbi.authenticator")
78
79 def start(self, config):
80 """
81 Method to configure the Authenticator object. This method should be called
82 after object creation. It is responsible by initializing the selected backend,
83 as well as the initialization of the database connection.
84
85 :param config: dictionary containing the relevant parameters for this object.
86 """
87 self.config = config
88
89 try:
90 if not self.db:
91 if config["database"]["driver"] == "mongo":
92 self.db = dbmongo.DbMongo()
93 self.db.db_connect(config["database"])
94 elif config["database"]["driver"] == "memory":
95 self.db = dbmemory.DbMemory()
96 self.db.db_connect(config["database"])
97 else:
98 raise AuthException("Invalid configuration param '{}' at '[database]':'driver'"
99 .format(config["database"]["driver"]))
100 if not self.backend:
101 if config["authentication"]["backend"] == "keystone":
102 self.backend = AuthconnKeystone(self.config["authentication"])
103 elif config["authentication"]["backend"] == "internal":
104 self._internal_tokens_prune()
105 else:
106 raise AuthException("Unknown authentication backend: {}"
107 .format(config["authentication"]["backend"]))
108 if not self.resources_to_operations_file:
109 if "resources_to_operations" in config["rbac"]:
110 self.resources_to_operations_file = config["rbac"]["resources_to_operations"]
111 else:
112 possible_paths = (
113 __file__[:__file__.rfind("auth.py")] + "resources_to_operations.yml",
114 "./resources_to_operations.yml"
115 )
116 for config_file in possible_paths:
117 if path.isfile(config_file):
118 self.resources_to_operations_file = config_file
119 break
120 if not self.resources_to_operations_file:
121 raise AuthException("Invalid permission configuration: resources_to_operations file missing")
122 if not self.roles_to_operations_file:
123 if "roles_to_operations" in config["rbac"]:
124 self.roles_to_operations_file = config["rbac"]["roles_to_operations"]
125 else:
126 possible_paths = (
127 __file__[:__file__.rfind("auth.py")] + "roles_to_operations.yml",
128 "./roles_to_operations.yml"
129 )
130 for config_file in possible_paths:
131 if path.isfile(config_file):
132 self.roles_to_operations_file = config_file
133 break
134 if not self.roles_to_operations_file:
135 raise AuthException("Invalid permission configuration: roles_to_operations file missing")
136 except Exception as e:
137 raise AuthException(str(e))
138
139 def stop(self):
140 try:
141 if self.db:
142 self.db.db_disconnect()
143 except DbException as e:
144 raise AuthException(str(e), http_code=e.http_code)
145
146 def init_db(self, target_version='1.0'):
147 """
148 Check if the database has been initialized, with at least one user. If not, create the required tables
149 and insert the predefined mappings between roles and permissions.
150
151 :param target_version: schema version that should be present in the database.
152 :return: None if OK, exception if error or version is different.
153 """
154 # Always reads operation to resource mapping from file (this is static, no need to store it in MongoDB)
155 # Operations encoding: "<METHOD> <URL>"
156 # Note: it is faster to rewrite the value than to check if it is already there or not
157 if self.config["authentication"]["backend"] == "internal":
158 return
159
160 operations = []
161 with open(self.resources_to_operations_file, "r") as stream:
162 resources_to_operations_yaml = yaml.load(stream)
163
164 for resource, operation in resources_to_operations_yaml["resources_to_operations"].items():
165 if operation not in operations:
166 operations.append(operation)
167 self.resources_to_operations_mapping[resource] = operation
168
169 records = self.db.get_list("roles_operations")
170
171 # Loading permissions to MongoDB. If there are permissions already in MongoDB, do nothing.
172 if len(records) == 0:
173 with open(self.roles_to_operations_file, "r") as stream:
174 roles_to_operations_yaml = yaml.load(stream)
175
176 roles = []
177 for role_with_operations in roles_to_operations_yaml["roles_to_operations"]:
178 # Verifying if role already exists. If it does, send warning to log and ignore it.
179 if role_with_operations["role"] not in roles:
180 roles.append(role_with_operations["role"])
181 else:
182 self.logger.warning("Duplicated role with name: {0}. Role definition is ignored."
183 .format(role_with_operations["role"]))
184 continue
185
186 role_ops = {}
187 root = None
188
189 if not role_with_operations["operations"]:
190 continue
191
192 for operation, is_allowed in role_with_operations["operations"].items():
193 if not isinstance(is_allowed, bool):
194 continue
195
196 if operation == ":":
197 root = is_allowed
198 continue
199
200 if len(operation) != 1 and operation[-1] == ":":
201 self.logger.warning("Invalid operation {0} terminated in ':'. "
202 "Operation will be discarded"
203 .format(operation))
204 continue
205
206 if operation not in role_ops.keys():
207 role_ops[operation] = is_allowed
208 else:
209 self.logger.info("In role {0}, the operation {1} with the value {2} was discarded due to "
210 "repetition.".format(role_with_operations["role"], operation, is_allowed))
211
212 if not root:
213 root = False
214 self.logger.info("Root for role {0} not defined. Default value 'False' applied."
215 .format(role_with_operations["role"]))
216
217 now = time()
218 operation_to_roles_item = {
219 "_admin": {
220 "created": now,
221 "modified": now,
222 },
223 "name": role_with_operations["role"],
224 "root": root
225 }
226
227 for operation, value in role_ops.items():
228 operation_to_roles_item[operation] = value
229
230 if self.config["authentication"]["backend"] != "internal" and \
231 role_with_operations["role"] != "anonymous":
232 keystone_id = [role for role in self.backend.get_role_list()
233 if role["name"] == role_with_operations["role"]]
234 if keystone_id:
235 keystone_id = keystone_id[0]
236 else:
237 keystone_id = self.backend.create_role(role_with_operations["role"])
238 operation_to_roles_item["_id"] = keystone_id["_id"]
239
240 self.db.create("roles_operations", operation_to_roles_item)
241
242 permissions = {oper: [] for oper in operations}
243 records = self.db.get_list("roles_operations")
244
245 ignore_fields = ["_id", "_admin", "name", "root"]
246 for record in records:
247 record_permissions = {oper: record["root"] for oper in operations}
248 operations_joined = [(oper, value) for oper, value in record.items() if oper not in ignore_fields]
249 operations_joined.sort(key=lambda x: x[0].count(":"))
250
251 for oper in operations_joined:
252 match = list(filter(lambda x: x.find(oper[0]) == 0, record_permissions.keys()))
253
254 for m in match:
255 record_permissions[m] = oper[1]
256
257 allowed_operations = [k for k, v in record_permissions.items() if v is True]
258
259 for allowed_op in allowed_operations:
260 permissions[allowed_op].append(record["name"])
261
262 for oper, role_list in permissions.items():
263 self.operation_to_allowed_roles[oper] = role_list
264
265 if self.config["authentication"]["backend"] != "internal":
266 self.backend.assign_role_to_user("admin", "admin", "system_admin")
267
268 def authorize(self):
269 token = None
270 user_passwd64 = None
271 try:
272 # 1. Get token Authorization bearer
273 auth = cherrypy.request.headers.get("Authorization")
274 if auth:
275 auth_list = auth.split(" ")
276 if auth_list[0].lower() == "bearer":
277 token = auth_list[-1]
278 elif auth_list[0].lower() == "basic":
279 user_passwd64 = auth_list[-1]
280 if not token:
281 if cherrypy.session.get("Authorization"):
282 # 2. Try using session before request a new token. If not, basic authentication will generate
283 token = cherrypy.session.get("Authorization")
284 if token == "logout":
285 token = None # force Unauthorized response to insert user password again
286 elif user_passwd64 and cherrypy.request.config.get("auth.allow_basic_authentication"):
287 # 3. Get new token from user password
288 user = None
289 passwd = None
290 try:
291 user_passwd = standard_b64decode(user_passwd64).decode()
292 user, _, passwd = user_passwd.partition(":")
293 except Exception:
294 pass
295 outdata = self.new_token(None, {"username": user, "password": passwd})
296 token = outdata["id"]
297 cherrypy.session['Authorization'] = token
298 if self.config["authentication"]["backend"] == "internal":
299 return self._internal_authorize(token)
300 else:
301 if not token:
302 raise AuthException("Needed a token or Authorization http header",
303 http_code=HTTPStatus.UNAUTHORIZED)
304 try:
305 self.backend.validate_token(token)
306 self.check_permissions(self.tokens_cache[token], cherrypy.request.path_info,
307 cherrypy.request.method)
308 # TODO: check if this can be avoided. Backend may provide enough information
309 return deepcopy(self.tokens_cache[token])
310 except AuthException:
311 self.del_token(token)
312 raise
313 except AuthException as e:
314 if cherrypy.session.get('Authorization'):
315 del cherrypy.session['Authorization']
316 cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e)
317 raise AuthException(str(e))
318
319 def new_token(self, session, indata, remote):
320 if self.config["authentication"]["backend"] == "internal":
321 return self._internal_new_token(session, indata, remote)
322 else:
323 current_token = None
324 if session:
325 current_token = session.get("token")
326 token_info = self.backend.authenticate(
327 user=indata.get("username"),
328 password=indata.get("username"),
329 token=current_token,
330 project=indata.get("project_id")
331 )
332
333 # if indata.get("username"):
334 # token, projects = self.backend.authenticate_with_user_password(
335 # indata.get("username"), indata.get("password"))
336 # elif session:
337 # token, projects = self.backend.authenticate_with_token(
338 # session.get("id"), indata.get("project_id"))
339 # else:
340 # raise AuthException("Provide credentials: username/password or Authorization Bearer token",
341 # http_code=HTTPStatus.UNAUTHORIZED)
342 #
343 # if indata.get("project_id"):
344 # project_id = indata.get("project_id")
345 # if project_id not in projects:
346 # raise AuthException("Project {} not allowed for this user".format(project_id),
347 # http_code=HTTPStatus.UNAUTHORIZED)
348 # else:
349 # project_id = projects[0]
350 #
351 # if not session:
352 # token, projects = self.backend.authenticate_with_token(token, project_id)
353 #
354 # if project_id == "admin":
355 # session_admin = True
356 # else:
357 # session_admin = reduce(lambda x, y: x or (True if y == "admin" else False),
358 # projects, False)
359
360 now = time()
361 new_session = {
362 "_id": token_info["_id"],
363 "id": token_info["_id"],
364 "issued_at": now,
365 "expires": token_info.get("expires", now + 3600),
366 "project_id": token_info["project_id"],
367 "username": token_info.get("username") or session.get("username"),
368 "remote_port": remote.port,
369 "admin": True if token_info.get("project_name") == "admin" else False # TODO put admin in RBAC
370 }
371
372 if remote.name:
373 new_session["remote_host"] = remote.name
374 elif remote.ip:
375 new_session["remote_host"] = remote.ip
376
377 # TODO: check if this can be avoided. Backend may provide enough information
378 self.tokens_cache[token_info["_id"]] = new_session
379
380 return deepcopy(new_session)
381
382 def get_token_list(self, session):
383 if self.config["authentication"]["backend"] == "internal":
384 return self._internal_get_token_list(session)
385 else:
386 # TODO: check if this can be avoided. Backend may provide enough information
387 return [deepcopy(token) for token in self.tokens_cache.values()
388 if token["username"] == session["username"]]
389
390 def get_token(self, session, token):
391 if self.config["authentication"]["backend"] == "internal":
392 return self._internal_get_token(session, token)
393 else:
394 # TODO: check if this can be avoided. Backend may provide enough information
395 token_value = self.tokens_cache.get(token)
396 if not token_value:
397 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
398 if token_value["username"] != session["username"] and not session["admin"]:
399 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
400 return token_value
401
402 def del_token(self, token):
403 if self.config["authentication"]["backend"] == "internal":
404 return self._internal_del_token(token)
405 else:
406 try:
407 self.backend.revoke_token(token)
408 del self.tokens_cache[token]
409 return "token '{}' deleted".format(token)
410 except KeyError:
411 raise AuthException("Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND)
412
413 def check_permissions(self, session, url, method):
414 self.logger.info("Session: {}".format(session))
415 self.logger.info("URL: {}".format(url))
416 self.logger.info("Method: {}".format(method))
417
418 key, parameters = self._normalize_url(url, method)
419
420 # TODO: Check if parameters might be useful for the decision
421
422 operation = self.resources_to_operations_mapping[key]
423 roles_required = self.operation_to_allowed_roles[operation]
424 roles_allowed = self.backend.get_user_role_list(session["id"])
425
426 if "anonymous" in roles_required:
427 return
428
429 for role in roles_allowed:
430 if role in roles_required:
431 return
432
433 raise AuthException("Access denied: lack of permissions.")
434
435 def get_user_list(self):
436 return self.backend.get_user_list()
437
438 def _normalize_url(self, url, method):
439 # Removing query strings
440 normalized_url = url if '?' not in url else url[:url.find("?")]
441 normalized_url_splitted = normalized_url.split("/")
442 parameters = {}
443
444 filtered_keys = [key for key in self.resources_to_operations_mapping.keys()
445 if method in key.split()[0]]
446
447 for idx, path_part in enumerate(normalized_url_splitted):
448 tmp_keys = []
449 for tmp_key in filtered_keys:
450 splitted = tmp_key.split()[1].split("/")
451 if idx >= len(splitted):
452 continue
453 elif "<" in splitted[idx] and ">" in splitted[idx]:
454 if splitted[idx] == "<artifactPath>":
455 tmp_keys.append(tmp_key)
456 continue
457 elif idx == len(normalized_url_splitted) - 1 and \
458 len(normalized_url_splitted) != len(splitted):
459 continue
460 else:
461 tmp_keys.append(tmp_key)
462 elif splitted[idx] == path_part:
463 if idx == len(normalized_url_splitted) - 1 and \
464 len(normalized_url_splitted) != len(splitted):
465 continue
466 else:
467 tmp_keys.append(tmp_key)
468 filtered_keys = tmp_keys
469 if len(filtered_keys) == 1 and \
470 filtered_keys[0].split("/")[-1] == "<artifactPath>":
471 break
472
473 if len(filtered_keys) == 0:
474 raise AuthException("Cannot make an authorization decision. URL not found. URL: {0}".format(url))
475 elif len(filtered_keys) > 1:
476 raise AuthException("Cannot make an authorization decision. Multiple URLs found. URL: {0}".format(url))
477
478 filtered_key = filtered_keys[0]
479
480 for idx, path_part in enumerate(filtered_key.split()[1].split("/")):
481 if "<" in path_part and ">" in path_part:
482 if path_part == "<artifactPath>":
483 parameters[path_part[1:-1]] = "/".join(normalized_url_splitted[idx:])
484 else:
485 parameters[path_part[1:-1]] = normalized_url_splitted[idx]
486
487 return filtered_key, parameters
488
489 def _internal_authorize(self, token_id):
490 try:
491 if not token_id:
492 raise AuthException("Needed a token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED)
493 # try to get from cache first
494 now = time()
495 session = self.tokens_cache.get(token_id)
496 if session and session["expires"] < now:
497 # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del
498 self.tokens_cache.pop(token_id, None)
499 session = None
500 if session:
501 return session
502
503 # get from database if not in cache
504 session = self.db.get_one("tokens", {"_id": token_id})
505 if session["expires"] < now:
506 raise AuthException("Expired Token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED)
507 self.tokens_cache[token_id] = session
508 return session
509 except DbException as e:
510 if e.http_code == HTTPStatus.NOT_FOUND:
511 raise AuthException("Invalid Token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED)
512 else:
513 raise
514
515 except AuthException:
516 if self.config["global"].get("test.user_not_authorized"):
517 return {"id": "fake-token-id-for-test",
518 "project_id": self.config["global"].get("test.project_not_authorized", "admin"),
519 "username": self.config["global"]["test.user_not_authorized"], "admin": True}
520 else:
521 raise
522
523 def _internal_new_token(self, session, indata, remote):
524 now = time()
525 user_content = None
526
527 # Try using username/password
528 if indata.get("username"):
529 user_rows = self.db.get_list("users", {"username": indata.get("username")})
530 if user_rows:
531 user_content = user_rows[0]
532 salt = user_content["_admin"]["salt"]
533 shadow_password = sha256(indata.get("password", "").encode('utf-8') + salt.encode('utf-8')).hexdigest()
534 if shadow_password != user_content["password"]:
535 user_content = None
536 if not user_content:
537 raise AuthException("Invalid username/password", http_code=HTTPStatus.UNAUTHORIZED)
538 elif session:
539 user_rows = self.db.get_list("users", {"username": session["username"]})
540 if user_rows:
541 user_content = user_rows[0]
542 else:
543 raise AuthException("Invalid token", http_code=HTTPStatus.UNAUTHORIZED)
544 else:
545 raise AuthException("Provide credentials: username/password or Authorization Bearer token",
546 http_code=HTTPStatus.UNAUTHORIZED)
547
548 token_id = ''.join(random_choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
549 for _ in range(0, 32))
550 project_id = indata.get("project_id")
551 if project_id:
552 if project_id != "admin":
553 # To allow project names in project_id
554 proj = self.db.get_one("projects", {BaseTopic.id_field("projects", project_id): project_id})
555 if proj["_id"] not in user_content["projects"] and proj["name"] not in user_content["projects"]:
556 raise AuthException("project {} not allowed for this user"
557 .format(project_id), http_code=HTTPStatus.UNAUTHORIZED)
558 else:
559 project_id = user_content["projects"][0]
560 if project_id == "admin":
561 session_admin = True
562 else:
563 # To allow project names in project_id
564 project = self.db.get_one("projects", {BaseTopic.id_field("projects", project_id): project_id})
565 session_admin = project.get("admin", False)
566 new_session = {"issued_at": now, "expires": now + 3600,
567 "_id": token_id, "id": token_id, "project_id": project_id, "username": user_content["username"],
568 "remote_port": remote.port, "admin": session_admin}
569 if remote.name:
570 new_session["remote_host"] = remote.name
571 elif remote.ip:
572 new_session["remote_host"] = remote.ip
573
574 self.tokens_cache[token_id] = new_session
575 self.db.create("tokens", new_session)
576 # check if database must be prune
577 self._internal_tokens_prune(now)
578 return deepcopy(new_session)
579
580 def _internal_get_token_list(self, session):
581 now = time()
582 token_list = self.db.get_list("tokens", {"username": session["username"], "expires.gt": now})
583 return token_list
584
585 def _internal_get_token(self, session, token_id):
586 token_value = self.db.get_one("tokens", {"_id": token_id}, fail_on_empty=False)
587 if not token_value:
588 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
589 if token_value["username"] != session["username"] and not session["admin"]:
590 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
591 return token_value
592
593 def _internal_del_token(self, token_id):
594 try:
595 self.tokens_cache.pop(token_id, None)
596 self.db.del_one("tokens", {"_id": token_id})
597 return "token '{}' deleted".format(token_id)
598 except DbException as e:
599 if e.http_code == HTTPStatus.NOT_FOUND:
600 raise AuthException("Token '{}' not found".format(token_id), http_code=HTTPStatus.NOT_FOUND)
601 else:
602 raise
603
604 def _internal_tokens_prune(self, now=None):
605 now = now or time()
606 if not self.next_db_prune_time or self.next_db_prune_time >= now:
607 self.db.del_list("tokens", {"expires.lt": now})
608 self.next_db_prune_time = self.periodin_db_pruning + now
609 self.tokens_cache.clear() # force to reload tokens from database