88b276d73c70d9d09cd52be7f5f45e0430462b23
1 # -*- coding: utf-8 -*-
3 # Copyright 2018 Telefonica S.A.
4 # Copyright 2018 ALTRAN InnovaciĆ³n S.L.
6 # Licensed under the Apache License, Version 2.0 (the "License"); you may
7 # not use this file except in compliance with the License. You may obtain
8 # a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15 # License for the specific language governing permissions and limitations
18 # For those usages not covered by the Apache License, Version 2.0 please
19 # contact: esousa@whitestack.com or glavado@whitestack.com
23 AuthconnInternal implements implements the connector for
24 OSM Internal Authentication Backend and leverages the RBAC model
27 __author__
= "Pedro de la Cruz Ramos <pdelacruzramos@altran.com>, " \
28 "Alfonso Tierno <alfonso.tiernosepulveda@telefoncia.com"
29 __date__
= "$06-jun-2019 11:16:08$"
31 from osm_nbi
.authconn
import Authconn
, AuthException
# , AuthconnOperationException
32 from osm_common
.dbbase
import DbException
33 from osm_nbi
.base_topic
import BaseTopic
37 from time
import time
, sleep
38 from http
import HTTPStatus
39 from uuid
import uuid4
40 from hashlib
import sha256
41 from copy
import deepcopy
42 from random
import choice
as random_choice
45 class AuthconnInternal(Authconn
):
46 token_time_window
= 2 # seconds
47 token_delay
= 1 # seconds to wait upon second request within time window
49 def __init__(self
, config
, db
, role_permissions
):
50 Authconn
.__init
__(self
, config
, db
, role_permissions
)
51 self
.logger
= logging
.getLogger("nbi.authenticator.internal")
55 # self.token_cache = token_cache
60 def validate_token(self
, token
):
62 Check if the token is valid.
64 :param token: token to validate
65 :return: dictionary with information associated with the token:
67 "project_id": project id
68 "project_name": project name
71 "roles": list with dict containing {name, id}
72 "expires": expiration date
73 If the token is not valid an exception is raised.
78 raise AuthException("Needed a token or Authorization HTTP header", http_code
=HTTPStatus
.UNAUTHORIZED
)
82 # get from database if not in cache
84 token_info
= self
.db
.get_one("tokens", {"_id": token
})
85 if token_info
["expires"] < now
:
86 raise AuthException("Expired Token or Authorization HTTP header", http_code
=HTTPStatus
.UNAUTHORIZED
)
90 except DbException
as e
:
91 if e
.http_code
== HTTPStatus
.NOT_FOUND
:
92 raise AuthException("Invalid Token or Authorization HTTP header", http_code
=HTTPStatus
.UNAUTHORIZED
)
98 self
.logger
.exception("Error during token validation using internal backend")
99 raise AuthException("Error during token validation using internal backend",
100 http_code
=HTTPStatus
.UNAUTHORIZED
)
102 def revoke_token(self
, token
):
106 :param token: token to be revoked
109 # self.token_cache.pop(token, None)
110 self
.db
.del_one("tokens", {"_id": token
})
112 except DbException
as e
:
113 if e
.http_code
== HTTPStatus
.NOT_FOUND
:
114 raise AuthException("Token '{}' not found".format(token
), http_code
=HTTPStatus
.NOT_FOUND
)
117 exmsg
= "Error during token revocation using internal backend"
118 self
.logger
.exception(exmsg
)
119 raise AuthException(exmsg
, http_code
=HTTPStatus
.UNAUTHORIZED
)
121 def authenticate(self
, credentials
, token_info
=None):
123 Authenticate a user using username/password or previous token_info plus project; its creates a new token
125 :param credentials: dictionary that contains:
126 username: name, id or None
127 password: password or None
128 project_id: name, id, or None. If None first found project will be used to get an scope token
129 other items are allowed and ignored
130 :param token_info: previous token_info to obtain authorization
131 :return: the scoped token info or raises an exception. The token is a dictionary with:
132 _id: token string id,
134 project_id: scoped_token project_id,
135 project_name: scoped_token project_name,
136 expires: epoch time when it expires,
141 user
= credentials
.get("username")
142 password
= credentials
.get("password")
143 project
= credentials
.get("project_id")
145 # Try using username/password
147 user_rows
= self
.db
.get_list("users", {BaseTopic
.id_field("users", user
): user
})
149 user_content
= user_rows
[0]
150 salt
= user_content
["_admin"]["salt"]
151 shadow_password
= sha256(password
.encode('utf-8') + salt
.encode('utf-8')).hexdigest()
152 if shadow_password
!= user_content
["password"]:
155 raise AuthException("Invalid username/password", http_code
=HTTPStatus
.UNAUTHORIZED
)
157 user_rows
= self
.db
.get_list("users", {"username": token_info
["username"]})
159 user_content
= user_rows
[0]
161 raise AuthException("Invalid token", http_code
=HTTPStatus
.UNAUTHORIZED
)
163 raise AuthException("Provide credentials: username/password or Authorization Bearer token",
164 http_code
=HTTPStatus
.UNAUTHORIZED
)
166 # Delay upon second request within time window
167 if now
- user_content
["_admin"].get("last_token_time", 0) < self
.token_time_window
:
168 sleep(self
.token_delay
)
169 # user_content["_admin"]["last_token_time"] = now
170 # self.db.replace("users", user_content["_id"], user_content) # might cause race conditions
171 self
.db
.set_one("users", {"_id": user_content
["_id"]}, {"_admin.last_token_time": now
})
173 token_id
= ''.join(random_choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
174 for _
in range(0, 32))
176 # projects = user_content.get("projects", [])
177 prm_list
= user_content
.get("project_role_mappings", [])
180 project
= prm_list
[0]["project"] if prm_list
else None
182 raise AuthException("can't find a default project for this user", http_code
=HTTPStatus
.UNAUTHORIZED
)
184 projects
= [prm
["project"] for prm
in prm_list
]
186 proj
= self
.db
.get_one("projects", {BaseTopic
.id_field("projects", project
): project
})
187 project_name
= proj
["name"]
188 project_id
= proj
["_id"]
189 if project_name
not in projects
and project_id
not in projects
:
190 raise AuthException("project {} not allowed for this user".format(project
),
191 http_code
=HTTPStatus
.UNAUTHORIZED
)
193 # TODO remove admin, this vill be used by roles RBAC
194 if project_name
== "admin":
197 token_admin
= proj
.get("admin", False)
203 if prm
["project"] in [project_id
, project_name
]:
204 role
= self
.db
.get_one("roles", {BaseTopic
.id_field("roles", prm
["role"]): prm
["role"]})
209 roles_list
.append({"name": rnm
, "id": rid
})
211 rid
= self
.db
.get_one("roles", {"name": "project_admin"})["_id"]
212 roles_list
= [{"name": "project_admin", "id": rid
}]
214 new_token
= {"issued_at": now
,
215 "expires": now
+ 3600,
218 "project_id": proj
["_id"],
219 "project_name": proj
["name"],
220 "username": user_content
["username"],
221 "user_id": user_content
["_id"],
222 "admin": token_admin
,
226 self
.db
.create("tokens", new_token
)
227 return deepcopy(new_token
)
229 def get_role_list(self
, filter_q
={}):
233 :return: returns the list of roles.
235 return self
.db
.get_list("roles", filter_q
)
237 def create_role(self
, role_info
):
241 :param role_info: full role info.
242 :return: returns the role id.
243 :raises AuthconnOperationException: if role creation failed.
245 # TODO: Check that role name does not exist ?
247 role_info
["_id"] = rid
248 rid
= self
.db
.create("roles", role_info
)
251 def delete_role(self
, role_id
):
255 :param role_id: role identifier.
256 :raises AuthconnOperationException: if role deletion failed.
258 rc
= self
.db
.del_one("roles", {"_id": role_id
})
259 self
.db
.del_list("tokens", {"roles.id": role_id
})
262 def update_role(self
, role_info
):
266 :param role_info: full role info.
267 :return: returns the role name and id.
268 :raises AuthconnOperationException: if user creation failed.
270 rid
= role_info
["_id"]
271 self
.db
.set_one("roles", {"_id": rid
}, role_info
)
272 return {"_id": rid
, "name": role_info
["name"]}
274 def create_user(self
, user_info
):
278 :param user_info: full user info.
279 :return: returns the username and id of the user.
281 BaseTopic
.format_on_new(user_info
, make_public
=False)
283 user_info
["_admin"]["salt"] = salt
284 if "password" in user_info
:
285 user_info
["password"] = sha256(user_info
["password"].encode('utf-8') + salt
.encode('utf-8')).hexdigest()
286 # "projects" are not stored any more
287 if "projects" in user_info
:
288 del user_info
["projects"]
289 self
.db
.create("users", user_info
)
290 return {"username": user_info
["username"], "_id": user_info
["_id"]}
292 def update_user(self
, user_info
):
294 Change the user name and/or password.
296 :param user_info: user info modifications
298 uid
= user_info
["_id"]
299 user_data
= self
.db
.get_one("users", {BaseTopic
.id_field("users", uid
): uid
})
300 BaseTopic
.format_on_edit(user_data
, user_info
)
302 usnm
= user_info
.get("username")
304 user_data
["username"] = usnm
305 # If password is given and is not already encripted
306 pswd
= user_info
.get("password")
307 if pswd
and (len(pswd
) != 64 or not re
.match('[a-fA-F0-9]*', pswd
)): # TODO: Improve check?
309 if "_admin" not in user_data
:
310 user_data
["_admin"] = {}
311 user_data
["_admin"]["salt"] = salt
312 user_data
["password"] = sha256(pswd
.encode('utf-8') + salt
.encode('utf-8')).hexdigest()
313 # Project-Role Mappings
314 # TODO: Check that user_info NEVER includes "project_role_mappings"
315 if "project_role_mappings" not in user_data
:
316 user_data
["project_role_mappings"] = []
317 for prm
in user_info
.get("add_project_role_mappings", []):
318 user_data
["project_role_mappings"].append(prm
)
319 for prm
in user_info
.get("remove_project_role_mappings", []):
320 for pidf
in ["project", "project_name"]:
321 for ridf
in ["role", "role_name"]:
323 user_data
["project_role_mappings"].remove({"role": prm
[ridf
], "project": prm
[pidf
]})
328 idf
= BaseTopic
.id_field("users", uid
)
329 self
.db
.set_one("users", {idf
: uid
}, user_data
)
330 if user_info
.get("remove_project_role_mappings"):
331 idf
= "user_id" if idf
== "_id" else idf
332 self
.db
.del_list("tokens", {idf
: uid
})
334 def delete_user(self
, user_id
):
338 :param user_id: user identifier.
339 :raises AuthconnOperationException: if user deletion failed.
341 self
.db
.del_one("users", {"_id": user_id
})
342 self
.db
.del_list("tokens", {"user_id": user_id
})
345 def get_user_list(self
, filter_q
=None):
349 :param filter_q: dictionary to filter user list by name (username is also admited) and/or _id
350 :return: returns a list of users.
352 filt
= filter_q
or {}
354 filt
["username"] = filt
["name"]
356 users
= self
.db
.get_list("users", filt
)
360 prms
= user
.get("project_role_mappings")
361 projects
= user
.get("projects")
364 # add project_name and role_name. Generate projects for backward compatibility
366 project_id
= prm
["project"]
367 if project_id
not in project_id_name
:
368 pr
= self
.db
.get_one("projects", {BaseTopic
.id_field("projects", project_id
): project_id
},
370 project_id_name
[project_id
] = pr
["name"] if pr
else None
371 prm
["project_name"] = project_id_name
[project_id
]
372 if prm
["project_name"] not in projects
:
373 projects
.append(prm
["project_name"])
375 role_id
= prm
["role"]
376 if role_id
not in role_id_name
:
377 role
= self
.db
.get_one("roles", {BaseTopic
.id_field("roles", role_id
): role_id
},
379 role_id_name
[role_id
] = role
["name"] if role
else None
380 prm
["role_name"] = role_id_name
[role_id
]
381 user
["projects"] = projects
# for backward compatibility
383 # user created with an old version. Create a project_role mapping with role project_admin
384 user
["project_role_mappings"] = []
385 role
= self
.db
.get_one("roles", {BaseTopic
.id_field("roles", "project_admin"): "project_admin"})
386 for p_id_name
in projects
:
387 pr
= self
.db
.get_one("projects", {BaseTopic
.id_field("projects", p_id_name
): p_id_name
})
388 prm
= {"project": pr
["_id"],
389 "project_name": pr
["name"],
390 "role_name": "project_admin",
393 user
["project_role_mappings"].append(prm
)
395 user
["projects"] = []
396 user
["project_role_mappings"] = []
400 def get_project_list(self
, filter_q
={}):
404 :return: returns the list of projects.
406 return self
.db
.get_list("projects", filter_q
)
408 def create_project(self
, project_info
):
412 :param project: full project info.
413 :return: the internal id of the created project
414 :raises AuthconnOperationException: if project creation failed.
416 pid
= self
.db
.create("projects", project_info
)
419 def delete_project(self
, project_id
):
423 :param project_id: project identifier.
424 :raises AuthconnOperationException: if project deletion failed.
426 idf
= BaseTopic
.id_field("projects", project_id
)
427 r
= self
.db
.del_one("projects", {idf
: project_id
})
428 idf
= "project_id" if idf
== "_id" else "project_name"
429 self
.db
.del_list("tokens", {idf
: project_id
})
432 def update_project(self
, project_id
, project_info
):
434 Change the name of a project
436 :param project_id: project to be changed
437 :param project_info: full project info
439 :raises AuthconnOperationException: if project update failed.
441 self
.db
.set_one("projects", {BaseTopic
.id_field("projects", project_id
): project_id
}, project_info
)