projects / osm / NBI.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix usageState of descriptors.
[osm/NBI.git] / osm_nbi / auth.py
1 # -*- coding: utf-8 -*-
2
3 # Copyright 2018 Whitestack, LLC
4 # Copyright 2018 Telefonica S.A.
5 #
6 # Licensed under the Apache License, Version 2.0 (the "License"); you may
7 # not use this file except in compliance with the License. You may obtain
8 # a copy of the License at
9 #
10 # http://www.apache.org/licenses/LICENSE-2.0
11 #
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15 # License for the specific language governing permissions and limitations
16 # under the License.
17 #
18 # For those usages not covered by the Apache License, Version 2.0 please
19 # contact: esousa@whitestack.com or alfonso.tiernosepulveda@telefonica.com
20 ##
21
22
23 """
24 Authenticator is responsible for authenticating the users,
25 create the tokens unscoped and scoped, retrieve the role
26 list inside the projects that they are inserted
27 """
28
29 __author__ = "Eduardo Sousa <esousa@whitestack.com>; Alfonso Tierno <alfonso.tiernosepulveda@telefonica.com>"
30 __date__ = "$27-jul-2018 23:59:59$"
31
32 import cherrypy
33 import logging
34 import yaml
35 from base64 import standard_b64decode
36 from copy import deepcopy
37 from functools import reduce
38 from hashlib import sha256
39 from http import HTTPStatus
40 from random import choice as random_choice
41 from time import time
42 from os import path
43 from base_topic import BaseTopic # To allow project names in project_id
44
45 from authconn import AuthException
46 from authconn_keystone import AuthconnKeystone
47 from osm_common import dbmongo
48 from osm_common import dbmemory
49 from osm_common.dbbase import DbException
50
51
52 class Authenticator:
53 """
54 This class should hold all the mechanisms for User Authentication and
55 Authorization. Initially it should support Openstack Keystone as a
56 backend through a plugin model where more backends can be added and a
57 RBAC model to manage permissions on operations.
58 This class must be threading safe
59 """
60
61 periodin_db_pruning = 60 * 30 # for the internal backend only. every 30 minutes expired tokens will be pruned
62
63 def __init__(self):
64 """
65 Authenticator initializer. Setup the initial state of the object,
66 while it waits for the config dictionary and database initialization.
67 """
68 self.backend = None
69 self.config = None
70 self.db = None
71 self.tokens_cache = dict()
72 self.next_db_prune_time = 0 # time when next cleaning of expired tokens must be done
73 self.resources_to_operations_file = None
74 self.roles_to_operations_file = None
75 self.resources_to_operations_mapping = {}
76 self.operation_to_allowed_roles = {}
77 self.logger = logging.getLogger("nbi.authenticator")
78
79 def start(self, config):
80 """
81 Method to configure the Authenticator object. This method should be called
82 after object creation. It is responsible by initializing the selected backend,
83 as well as the initialization of the database connection.
84
85 :param config: dictionary containing the relevant parameters for this object.
86 """
87 self.config = config
88
89 try:
90 if not self.db:
91 if config["database"]["driver"] == "mongo":
92 self.db = dbmongo.DbMongo()
93 self.db.db_connect(config["database"])
94 elif config["database"]["driver"] == "memory":
95 self.db = dbmemory.DbMemory()
96 self.db.db_connect(config["database"])
97 else:
98 raise AuthException("Invalid configuration param '{}' at '[database]':'driver'"
99 .format(config["database"]["driver"]))
100 if not self.backend:
101 if config["authentication"]["backend"] == "keystone":
102 self.backend = AuthconnKeystone(self.config["authentication"])
103 elif config["authentication"]["backend"] == "internal":
104 self._internal_tokens_prune()
105 else:
106 raise AuthException("Unknown authentication backend: {}"
107 .format(config["authentication"]["backend"]))
108 if not self.resources_to_operations_file:
109 if "resources_to_operations" in config["rbac"]:
110 self.resources_to_operations_file = config["rbac"]["resources_to_operations"]
111 else:
112 possible_paths = (
113 __file__[:__file__.rfind("auth.py")] + "resources_to_operations.yml",
114 "./resources_to_operations.yml"
115 )
116 for config_file in possible_paths:
117 if path.isfile(config_file):
118 self.resources_to_operations_file = config_file
119 break
120 if not self.resources_to_operations_file:
121 raise AuthException("Invalid permission configuration: resources_to_operations file missing")
122 if not self.roles_to_operations_file:
123 if "roles_to_operations" in config["rbac"]:
124 self.roles_to_operations_file = config["rbac"]["roles_to_operations"]
125 else:
126 possible_paths = (
127 __file__[:__file__.rfind("auth.py")] + "roles_to_operations.yml",
128 "./roles_to_operations.yml"
129 )
130 for config_file in possible_paths:
131 if path.isfile(config_file):
132 self.roles_to_operations_file = config_file
133 break
134 if not self.roles_to_operations_file:
135 raise AuthException("Invalid permission configuration: roles_to_operations file missing")
136 except Exception as e:
137 raise AuthException(str(e))
138
139 def stop(self):
140 try:
141 if self.db:
142 self.db.db_disconnect()
143 except DbException as e:
144 raise AuthException(str(e), http_code=e.http_code)
145
146 def init_db(self, target_version='1.0'):
147 """
148 Check if the database has been initialized, with at least one user. If not, create the required tables
149 and insert the predefined mappings between roles and permissions.
150
151 :param target_version: schema version that should be present in the database.
152 :return: None if OK, exception if error or version is different.
153 """
154 # Always reads operation to resource mapping from file (this is static, no need to store it in MongoDB)
155 # Operations encoding: "<METHOD> <URL>"
156 # Note: it is faster to rewrite the value than to check if it is already there or not
157 if self.config["authentication"]["backend"] == "internal":
158 return
159
160 operations = []
161 with open(self.resources_to_operations_file, "r") as stream:
162 resources_to_operations_yaml = yaml.load(stream)
163
164 for resource, operation in resources_to_operations_yaml["resources_to_operations"].items():
165 operation_key = operation.replace(".", ":")
166 if operation_key not in operations:
167 operations.append(operation_key)
168 self.resources_to_operations_mapping[resource] = operation_key
169
170 records = self.db.get_list("roles_operations")
171
172 # Loading permissions to MongoDB. If there are permissions already in MongoDB, do nothing.
173 if len(records) == 0:
174 with open(self.roles_to_operations_file, "r") as stream:
175 roles_to_operations_yaml = yaml.load(stream)
176
177 roles = []
178 for role_with_operations in roles_to_operations_yaml["roles_to_operations"]:
179 # Verifying if role already exists. If it does, send warning to log and ignore it.
180 if role_with_operations["role"] not in roles:
181 roles.append(role_with_operations["role"])
182 else:
183 self.logger.warning("Duplicated role with name: {0}. Role definition is ignored."
184 .format(role_with_operations["role"]))
185 continue
186
187 role_ops = {}
188 root = None
189
190 if not role_with_operations["operations"]:
191 continue
192
193 for operation, is_allowed in role_with_operations["operations"].items():
194 if not isinstance(is_allowed, bool):
195 continue
196
197 if operation == ".":
198 root = is_allowed
199 continue
200
201 if len(operation) != 1 and operation[-1] == ".":
202 self.logger.warning("Invalid operation {0} terminated in '.'. "
203 "Operation will be discarded"
204 .format(operation))
205 continue
206
207 operation_key = operation.replace(".", ":")
208 if operation_key not in role_ops.keys():
209 role_ops[operation_key] = is_allowed
210 else:
211 self.logger.info("In role {0}, the operation {1} with the value {2} was discarded due to "
212 "repetition.".format(role_with_operations["role"], operation, is_allowed))
213
214 if not root:
215 root = False
216 self.logger.info("Root for role {0} not defined. Default value 'False' applied."
217 .format(role_with_operations["role"]))
218
219 now = time()
220 operation_to_roles_item = {
221 "_admin": {
222 "created": now,
223 "modified": now,
224 },
225 "name": role_with_operations["role"],
226 "root": root
227 }
228
229 for operation, value in role_ops.items():
230 operation_to_roles_item[operation] = value
231
232 if self.config["authentication"]["backend"] != "internal" and \
233 role_with_operations["role"] != "anonymous":
234 keystone_id = self.backend.create_role(role_with_operations["role"])
235 operation_to_roles_item["_id"] = keystone_id["_id"]
236
237 self.db.create("roles_operations", operation_to_roles_item)
238
239 permissions = {oper: [] for oper in operations}
240 records = self.db.get_list("roles_operations")
241
242 ignore_fields = ["_id", "_admin", "name", "root"]
243 for record in records:
244 record_permissions = {oper: record["root"] for oper in operations}
245 operations_joined = [(oper, value) for oper, value in record.items() if oper not in ignore_fields]
246 operations_joined.sort(key=lambda x: x[0].count(":"))
247
248 for oper in operations_joined:
249 match = list(filter(lambda x: x.find(oper[0]) == 0, record_permissions.keys()))
250
251 for m in match:
252 record_permissions[m] = oper[1]
253
254 allowed_operations = [k for k, v in record_permissions.items() if v is True]
255
256 for allowed_op in allowed_operations:
257 permissions[allowed_op].append(record["name"])
258
259 for oper, role_list in permissions.items():
260 self.operation_to_allowed_roles[oper] = role_list
261
262 if self.config["authentication"]["backend"] != "internal":
263 self.backend.assign_role_to_user("admin", "admin", "system_admin")
264
265 def authorize(self):
266 token = None
267 user_passwd64 = None
268 try:
269 # 1. Get token Authorization bearer
270 auth = cherrypy.request.headers.get("Authorization")
271 if auth:
272 auth_list = auth.split(" ")
273 if auth_list[0].lower() == "bearer":
274 token = auth_list[-1]
275 elif auth_list[0].lower() == "basic":
276 user_passwd64 = auth_list[-1]
277 if not token:
278 if cherrypy.session.get("Authorization"):
279 # 2. Try using session before request a new token. If not, basic authentication will generate
280 token = cherrypy.session.get("Authorization")
281 if token == "logout":
282 token = None # force Unauthorized response to insert user password again
283 elif user_passwd64 and cherrypy.request.config.get("auth.allow_basic_authentication"):
284 # 3. Get new token from user password
285 user = None
286 passwd = None
287 try:
288 user_passwd = standard_b64decode(user_passwd64).decode()
289 user, _, passwd = user_passwd.partition(":")
290 except Exception:
291 pass
292 outdata = self.new_token(None, {"username": user, "password": passwd})
293 token = outdata["id"]
294 cherrypy.session['Authorization'] = token
295 if self.config["authentication"]["backend"] == "internal":
296 return self._internal_authorize(token)
297 else:
298 if not token:
299 raise AuthException("Needed a token or Authorization http header",
300 http_code=HTTPStatus.UNAUTHORIZED)
301 try:
302 self.backend.validate_token(token)
303 self.check_permissions(self.tokens_cache[token], cherrypy.request.path_info,
304 cherrypy.request.method)
305 # TODO: check if this can be avoided. Backend may provide enough information
306 return deepcopy(self.tokens_cache[token])
307 except AuthException:
308 self.del_token(token)
309 raise
310 except AuthException as e:
311 if cherrypy.session.get('Authorization'):
312 del cherrypy.session['Authorization']
313 cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e)
314 raise AuthException(str(e))
315
316 def new_token(self, session, indata, remote):
317 if self.config["authentication"]["backend"] == "internal":
318 return self._internal_new_token(session, indata, remote)
319 else:
320 if indata.get("username"):
321 token, projects = self.backend.authenticate_with_user_password(
322 indata.get("username"), indata.get("password"))
323 elif session:
324 token, projects = self.backend.authenticate_with_token(
325 session.get("id"), indata.get("project_id"))
326 else:
327 raise AuthException("Provide credentials: username/password or Authorization Bearer token",
328 http_code=HTTPStatus.UNAUTHORIZED)
329
330 if indata.get("project_id"):
331 project_id = indata.get("project_id")
332 if project_id not in projects:
333 raise AuthException("Project {} not allowed for this user".format(project_id),
334 http_code=HTTPStatus.UNAUTHORIZED)
335 else:
336 project_id = projects[0]
337
338 if not session:
339 token, projects = self.backend.authenticate_with_token(token, project_id)
340
341 if project_id == "admin":
342 session_admin = True
343 else:
344 session_admin = reduce(lambda x, y: x or (True if y == "admin" else False),
345 projects, False)
346
347 now = time()
348 new_session = {
349 "_id": token,
350 "id": token,
351 "issued_at": now,
352 "expires": now + 3600,
353 "project_id": project_id,
354 "username": indata.get("username") if not session else session.get("username"),
355 "remote_port": remote.port,
356 "admin": session_admin
357 }
358
359 if remote.name:
360 new_session["remote_host"] = remote.name
361 elif remote.ip:
362 new_session["remote_host"] = remote.ip
363
364 # TODO: check if this can be avoided. Backend may provide enough information
365 self.tokens_cache[token] = new_session
366
367 return deepcopy(new_session)
368
369 def get_token_list(self, session):
370 if self.config["authentication"]["backend"] == "internal":
371 return self._internal_get_token_list(session)
372 else:
373 # TODO: check if this can be avoided. Backend may provide enough information
374 return [deepcopy(token) for token in self.tokens_cache.values()
375 if token["username"] == session["username"]]
376
377 def get_token(self, session, token):
378 if self.config["authentication"]["backend"] == "internal":
379 return self._internal_get_token(session, token)
380 else:
381 # TODO: check if this can be avoided. Backend may provide enough information
382 token_value = self.tokens_cache.get(token)
383 if not token_value:
384 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
385 if token_value["username"] != session["username"] and not session["admin"]:
386 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
387 return token_value
388
389 def del_token(self, token):
390 if self.config["authentication"]["backend"] == "internal":
391 return self._internal_del_token(token)
392 else:
393 try:
394 self.backend.revoke_token(token)
395 del self.tokens_cache[token]
396 return "token '{}' deleted".format(token)
397 except KeyError:
398 raise AuthException("Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND)
399
400 def check_permissions(self, session, url, method):
401 self.logger.info("Session: {}".format(session))
402 self.logger.info("URL: {}".format(url))
403 self.logger.info("Method: {}".format(method))
404
405 key, parameters = self._normalize_url(url, method)
406
407 # TODO: Check if parameters might be useful for the decision
408
409 operation = self.resources_to_operations_mapping[key]
410 roles_required = self.operation_to_allowed_roles[operation]
411 roles_allowed = self.backend.get_user_role_list(session["id"])
412
413 if "anonymous" in roles_required:
414 return
415
416 for role in roles_allowed:
417 if role in roles_required:
418 return
419
420 raise AuthException("Access denied: lack of permissions.")
421
422 def get_user_list(self):
423 return self.backend.get_user_list()
424
425 def _normalize_url(self, url, method):
426 # Removing query strings
427 normalized_url = url if '?' not in url else url[:url.find("?")]
428 normalized_url_splitted = normalized_url.split("/")
429 parameters = {}
430
431 filtered_keys = [key for key in self.resources_to_operations_mapping.keys()
432 if method in key.split()[0]]
433
434 for idx, path_part in enumerate(normalized_url_splitted):
435 tmp_keys = []
436 for tmp_key in filtered_keys:
437 splitted = tmp_key.split()[1].split("/")
438 if idx >= len(splitted):
439 continue
440 elif "<" in splitted[idx] and ">" in splitted[idx]:
441 if splitted[idx] == "<artifactPath>":
442 tmp_keys.append(tmp_key)
443 continue
444 elif idx == len(normalized_url_splitted) - 1 and \
445 len(normalized_url_splitted) != len(splitted):
446 continue
447 else:
448 tmp_keys.append(tmp_key)
449 elif splitted[idx] == path_part:
450 if idx == len(normalized_url_splitted) - 1 and \
451 len(normalized_url_splitted) != len(splitted):
452 continue
453 else:
454 tmp_keys.append(tmp_key)
455 filtered_keys = tmp_keys
456 if len(filtered_keys) == 1 and \
457 filtered_keys[0].split("/")[-1] == "<artifactPath>":
458 break
459
460 if len(filtered_keys) == 0:
461 raise AuthException("Cannot make an authorization decision. URL not found. URL: {0}".format(url))
462 elif len(filtered_keys) > 1:
463 raise AuthException("Cannot make an authorization decision. Multiple URLs found. URL: {0}".format(url))
464
465 filtered_key = filtered_keys[0]
466
467 for idx, path_part in enumerate(filtered_key.split()[1].split("/")):
468 if "<" in path_part and ">" in path_part:
469 if path_part == "<artifactPath>":
470 parameters[path_part[1:-1]] = "/".join(normalized_url_splitted[idx:])
471 else:
472 parameters[path_part[1:-1]] = normalized_url_splitted[idx]
473
474 return filtered_key, parameters
475
476 def _internal_authorize(self, token_id):
477 try:
478 if not token_id:
479 raise AuthException("Needed a token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED)
480 # try to get from cache first
481 now = time()
482 session = self.tokens_cache.get(token_id)
483 if session and session["expires"] < now:
484 # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del
485 self.tokens_cache.pop(token_id, None)
486 session = None
487 if session:
488 return session
489
490 # get from database if not in cache
491 session = self.db.get_one("tokens", {"_id": token_id})
492 if session["expires"] < now:
493 raise AuthException("Expired Token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED)
494 self.tokens_cache[token_id] = session
495 return session
496 except DbException as e:
497 if e.http_code == HTTPStatus.NOT_FOUND:
498 raise AuthException("Invalid Token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED)
499 else:
500 raise
501
502 except AuthException:
503 if self.config["global"].get("test.user_not_authorized"):
504 return {"id": "fake-token-id-for-test",
505 "project_id": self.config["global"].get("test.project_not_authorized", "admin"),
506 "username": self.config["global"]["test.user_not_authorized"], "admin": True}
507 else:
508 raise
509
510 def _internal_new_token(self, session, indata, remote):
511 now = time()
512 user_content = None
513
514 # Try using username/password
515 if indata.get("username"):
516 user_rows = self.db.get_list("users", {"username": indata.get("username")})
517 if user_rows:
518 user_content = user_rows[0]
519 salt = user_content["_admin"]["salt"]
520 shadow_password = sha256(indata.get("password", "").encode('utf-8') + salt.encode('utf-8')).hexdigest()
521 if shadow_password != user_content["password"]:
522 user_content = None
523 if not user_content:
524 raise AuthException("Invalid username/password", http_code=HTTPStatus.UNAUTHORIZED)
525 elif session:
526 user_rows = self.db.get_list("users", {"username": session["username"]})
527 if user_rows:
528 user_content = user_rows[0]
529 else:
530 raise AuthException("Invalid token", http_code=HTTPStatus.UNAUTHORIZED)
531 else:
532 raise AuthException("Provide credentials: username/password or Authorization Bearer token",
533 http_code=HTTPStatus.UNAUTHORIZED)
534
535 token_id = ''.join(random_choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
536 for _ in range(0, 32))
537 project_id = indata.get("project_id")
538 if project_id:
539 if project_id != "admin":
540 # To allow project names in project_id
541 proj = self.db.get_one("projects", {BaseTopic.id_field("projects", project_id): project_id})
542 if proj["_id"] not in user_content["projects"] and proj["name"] not in user_content["projects"]:
543 raise AuthException("project {} not allowed for this user"
544 .format(project_id), http_code=HTTPStatus.UNAUTHORIZED)
545 else:
546 project_id = user_content["projects"][0]
547 if project_id == "admin":
548 session_admin = True
549 else:
550 # To allow project names in project_id
551 project = self.db.get_one("projects", {BaseTopic.id_field("projects", project_id): project_id})
552 session_admin = project.get("admin", False)
553 new_session = {"issued_at": now, "expires": now + 3600,
554 "_id": token_id, "id": token_id, "project_id": project_id, "username": user_content["username"],
555 "remote_port": remote.port, "admin": session_admin}
556 if remote.name:
557 new_session["remote_host"] = remote.name
558 elif remote.ip:
559 new_session["remote_host"] = remote.ip
560
561 self.tokens_cache[token_id] = new_session
562 self.db.create("tokens", new_session)
563 # check if database must be prune
564 self._internal_tokens_prune(now)
565 return deepcopy(new_session)
566
567 def _internal_get_token_list(self, session):
568 now = time()
569 token_list = self.db.get_list("tokens", {"username": session["username"], "expires.gt": now})
570 return token_list
571
572 def _internal_get_token(self, session, token_id):
573 token_value = self.db.get_one("tokens", {"_id": token_id}, fail_on_empty=False)
574 if not token_value:
575 raise AuthException("token not found", http_code=HTTPStatus.NOT_FOUND)
576 if token_value["username"] != session["username"] and not session["admin"]:
577 raise AuthException("needed admin privileges", http_code=HTTPStatus.UNAUTHORIZED)
578 return token_value
579
580 def _internal_del_token(self, token_id):
581 try:
582 self.tokens_cache.pop(token_id, None)
583 self.db.del_one("tokens", {"_id": token_id})
584 return "token '{}' deleted".format(token_id)
585 except DbException as e:
586 if e.http_code == HTTPStatus.NOT_FOUND:
587 raise AuthException("Token '{}' not found".format(token_id), http_code=HTTPStatus.NOT_FOUND)
588 else:
589 raise
590
591 def _internal_tokens_prune(self, now=None):
592 now = now or time()
593 if not self.next_db_prune_time or self.next_db_prune_time >= now:
594 self.db.del_list("tokens", {"expires.lt": now})
595 self.next_db_prune_time = self.periodin_db_pruning + now
596 self.tokens_cache.clear() # force to reload tokens from database