1 # -*- coding: utf-8 -*-
3 # Copyright 2018 Telefonica S.A.
4 # Copyright 2018 ALTRAN InnovaciĆ³n S.L.
6 # Licensed under the Apache License, Version 2.0 (the "License"); you may
7 # not use this file except in compliance with the License. You may obtain
8 # a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15 # License for the specific language governing permissions and limitations
18 # For those usages not covered by the Apache License, Version 2.0 please
19 # contact: esousa@whitestack.com or glavado@whitestack.com
23 AuthconnInternal implements implements the connector for
24 OSM Internal Authentication Backend and leverages the RBAC model
27 __author__
= "Pedro de la Cruz Ramos <pdelacruzramos@altran.com>"
28 __date__
= "$06-jun-2019 11:16:08$"
30 from authconn
import Authconn
, AuthException
# , AuthconnOperationException
31 from osm_common
.dbbase
import DbException
32 from base_topic
import BaseTopic
37 from http
import HTTPStatus
38 from uuid
import uuid4
39 from hashlib
import sha256
40 from copy
import deepcopy
41 from random
import choice
as random_choice
44 class AuthconnInternal(Authconn
):
45 def __init__(self
, config
, db
, token_cache
):
46 Authconn
.__init
__(self
, config
, db
, token_cache
)
48 self
.logger
= logging
.getLogger("nbi.authenticator.internal")
51 self
.token_cache
= token_cache
57 def validate_token(self
, token
):
59 Check if the token is valid.
61 :param token: token to validate
62 :return: dictionary with information associated with the token:
64 "project_id": project id
65 "project_name": project name
68 "roles": list with dict containing {name, id}
69 "expires": expiration date
70 If the token is not valid an exception is raised.
75 raise AuthException("Needed a token or Authorization HTTP header", http_code
=HTTPStatus
.UNAUTHORIZED
)
77 # try to get from cache first
79 token_info
= self
.token_cache
.get(token
)
80 if token_info
and token_info
["expires"] < now
:
81 # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del
82 self
.token_cache
.pop(token
, None)
85 # get from database if not in cache
87 token_info
= self
.db
.get_one("tokens", {"_id": token
})
88 if token_info
["expires"] < now
:
89 raise AuthException("Expired Token or Authorization HTTP header", http_code
=HTTPStatus
.UNAUTHORIZED
)
93 except DbException
as e
:
94 if e
.http_code
== HTTPStatus
.NOT_FOUND
:
95 raise AuthException("Invalid Token or Authorization HTTP header", http_code
=HTTPStatus
.UNAUTHORIZED
)
101 self
.logger
.exception("Error during token validation using internal backend")
102 raise AuthException("Error during token validation using internal backend",
103 http_code
=HTTPStatus
.UNAUTHORIZED
)
105 def revoke_token(self
, token
):
109 :param token: token to be revoked
112 self
.token_cache
.pop(token
, None)
113 self
.db
.del_one("tokens", {"_id": token
})
115 except DbException
as e
:
116 if e
.http_code
== HTTPStatus
.NOT_FOUND
:
117 raise AuthException("Token '{}' not found".format(token
), http_code
=HTTPStatus
.NOT_FOUND
)
120 msg
= "Error during token revocation using internal backend"
121 self
.logger
.exception(msg
)
122 raise AuthException(msg
, http_code
=HTTPStatus
.UNAUTHORIZED
)
124 def authenticate(self
, user
, password
, project
=None, token_info
=None):
126 Authenticate a user using username/password or previous token_info plus project; its creates a new token
128 :param user: user: name, id or None
129 :param password: password or None
130 :param project: name, id, or None. If None first found project will be used to get an scope token
131 :param token_info: previous token_info to obtain authorization
132 :param remote: remote host information
133 :return: the scoped token info or raises an exception. The token is a dictionary with:
134 _id: token string id,
136 project_id: scoped_token project_id,
137 project_name: scoped_token project_name,
138 expires: epoch time when it expires,
144 # Try using username/password
146 user_rows
= self
.db
.get_list("users", {BaseTopic
.id_field("users", user
): user
})
148 user_content
= user_rows
[0]
149 salt
= user_content
["_admin"]["salt"]
150 shadow_password
= sha256(password
.encode('utf-8') + salt
.encode('utf-8')).hexdigest()
151 if shadow_password
!= user_content
["password"]:
154 raise AuthException("Invalid username/password", http_code
=HTTPStatus
.UNAUTHORIZED
)
156 user_rows
= self
.db
.get_list("users", {"username": token_info
["username"]})
158 user_content
= user_rows
[0]
160 raise AuthException("Invalid token", http_code
=HTTPStatus
.UNAUTHORIZED
)
162 raise AuthException("Provide credentials: username/password or Authorization Bearer token",
163 http_code
=HTTPStatus
.UNAUTHORIZED
)
165 token_id
= ''.join(random_choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
166 for _
in range(0, 32))
168 # projects = user_content.get("projects", [])
169 prm_list
= user_content
.get("project_role_mappings", [])
172 project
= prm_list
[0]["project"] if prm_list
else None
174 raise AuthException("can't find a default project for this user", http_code
=HTTPStatus
.UNAUTHORIZED
)
176 projects
= [prm
["project"] for prm
in prm_list
]
178 proj
= self
.db
.get_one("projects", {BaseTopic
.id_field("projects", project
): project
})
179 project_name
= proj
["name"]
180 project_id
= proj
["_id"]
181 if project_name
not in projects
and project_id
not in projects
:
182 raise AuthException("project {} not allowed for this user".format(project
),
183 http_code
=HTTPStatus
.UNAUTHORIZED
)
185 # TODO remove admin, this vill be used by roles RBAC
186 if project_name
== "admin":
189 token_admin
= proj
.get("admin", False)
195 if prm
["project"] in [project_id
, project_name
]:
196 role
= self
.db
.get_one("roles", {BaseTopic
.id_field("roles", prm
["role"]): prm
["role"]})
201 roles_list
.append({"name": rnm
, "id": rid
})
203 rid
= self
.db
.get_one("roles", {"name": "project_admin"})["_id"]
204 roles_list
= [{"name": "project_admin", "id": rid
}]
206 new_token
= {"issued_at": now
,
207 "expires": now
+ 3600,
210 "project_id": proj
["_id"],
211 "project_name": proj
["name"],
212 "username": user_content
["username"],
213 "user_id": user_content
["_id"],
214 "admin": token_admin
,
218 self
.token_cache
[token_id
] = new_token
219 self
.db
.create("tokens", new_token
)
220 return deepcopy(new_token
)
222 def get_role_list(self
, filter_q
={}):
226 :return: returns the list of roles.
228 return self
.db
.get_list("roles", filter_q
)
230 def create_role(self
, role_info
):
234 :param role_info: full role info.
235 :return: returns the role id.
236 :raises AuthconnOperationException: if role creation failed.
238 # TODO: Check that role name does not exist ?
240 role_info
["_id"] = rid
241 rid
= self
.db
.create("roles", role_info
)
244 def delete_role(self
, role_id
):
248 :param role_id: role identifier.
249 :raises AuthconnOperationException: if role deletion failed.
251 return self
.db
.del_one("roles", {"_id": role_id
})
253 def update_role(self
, role_info
):
257 :param role_info: full role info.
258 :return: returns the role name and id.
259 :raises AuthconnOperationException: if user creation failed.
261 rid
= role_info
["_id"]
262 self
.db
.set_one("roles", {"_id": rid
}, role_info
) # CONFIRM
263 return {"_id": rid
, "name": role_info
["name"]}
265 def create_user(self
, user_info
):
269 :param user_info: full user info.
270 :return: returns the username and id of the user.
272 BaseTopic
.format_on_new(user_info
, make_public
=False)
274 user_info
["_admin"]["salt"] = salt
275 if "password" in user_info
:
276 user_info
["password"] = sha256(user_info
["password"].encode('utf-8') + salt
.encode('utf-8')).hexdigest()
277 # "projects" are not stored any more
278 if "projects" in user_info
:
279 del user_info
["projects"]
280 self
.db
.create("users", user_info
)
281 return {"username": user_info
["username"], "_id": user_info
["_id"]}
283 def update_user(self
, user_info
):
285 Change the user name and/or password.
287 :param user_info: user info modifications
289 uid
= user_info
["_id"]
290 user_data
= self
.db
.get_one("users", {BaseTopic
.id_field("users", uid
): uid
})
291 BaseTopic
.format_on_edit(user_data
, user_info
)
293 usnm
= user_info
.get("username")
295 user_data
["username"] = usnm
296 # If password is given and is not already encripted
297 pswd
= user_info
.get("password")
298 if pswd
and (len(pswd
) != 64 or not re
.match('[a-fA-F0-9]*', pswd
)): # TODO: Improve check?
300 if "_admin" not in user_data
:
301 user_data
["_admin"] = {}
302 user_data
["_admin"]["salt"] = salt
303 user_data
["password"] = sha256(pswd
.encode('utf-8') + salt
.encode('utf-8')).hexdigest()
304 # Project-Role Mappings
305 # TODO: Check that user_info NEVER includes "project_role_mappings"
306 if "project_role_mappings" not in user_data
:
307 user_data
["project_role_mappings"] = []
308 for prm
in user_info
.get("add_project_role_mappings", []):
309 user_data
["project_role_mappings"].append(prm
)
310 for prm
in user_info
.get("remove_project_role_mappings", []):
311 for pidf
in ["project", "project_name"]:
312 for ridf
in ["role", "role_name"]:
314 user_data
["project_role_mappings"].remove({"role": prm
[ridf
], "project": prm
[pidf
]})
319 self
.db
.set_one("users", {BaseTopic
.id_field("users", uid
): uid
}, user_data
) # CONFIRM
321 def delete_user(self
, user_id
):
325 :param user_id: user identifier.
326 :raises AuthconnOperationException: if user deletion failed.
328 self
.db
.del_one("users", {"_id": user_id
})
331 def get_user_list(self
, filter_q
=None):
335 :param filter_q: dictionary to filter user list by name (username is also admited) and/or _id
336 :return: returns a list of users.
338 filt
= filter_q
or {}
340 filt
["username"] = filt
["name"]
342 users
= self
.db
.get_list("users", filt
)
346 prms
= user
.get("project_role_mappings")
347 projects
= user
.get("projects")
350 # add project_name and role_name. Generate projects for backward compatibility
352 project_id
= prm
["project"]
353 if project_id
not in project_id_name
:
354 pr
= self
.db
.get_one("projects", {BaseTopic
.id_field("projects", project_id
): project_id
},
356 project_id_name
[project_id
] = pr
["name"] if pr
else None
357 prm
["project_name"] = project_id_name
[project_id
]
358 if prm
["project_name"] not in projects
:
359 projects
.append(prm
["project_name"])
361 role_id
= prm
["role"]
362 if role_id
not in role_id_name
:
363 role
= self
.db
.get_one("roles", {BaseTopic
.id_field("roles", role_id
): role_id
},
365 role_id_name
[role_id
] = role
["name"] if role
else None
366 prm
["role_name"] = role_id_name
[role_id
]
367 user
["projects"] = projects
# for backward compatibility
369 # user created with an old version. Create a project_role mapping with role project_admin
370 user
["project_role_mappings"] = []
371 role
= self
.db
.get_one("roles", {BaseTopic
.id_field("roles", "project_admin"): "project_admin"})
372 for p_id_name
in projects
:
373 pr
= self
.db
.get_one("projects", {BaseTopic
.id_field("projects", p_id_name
): p_id_name
})
374 prm
= {"project": pr
["_id"],
375 "project_name": pr
["name"],
376 "role_name": "project_admin",
379 user
["project_role_mappings"].append(prm
)
381 user
["projects"] = []
382 user
["project_role_mappings"] = []
386 def get_project_list(self
, filter_q
={}):
390 :return: returns the list of projects.
392 return self
.db
.get_list("projects", filter_q
)
394 def create_project(self
, project_info
):
398 :param project: full project info.
399 :return: the internal id of the created project
400 :raises AuthconnOperationException: if project creation failed.
402 pid
= self
.db
.create("projects", project_info
)
405 def delete_project(self
, project_id
):
409 :param project_id: project identifier.
410 :raises AuthconnOperationException: if project deletion failed.
412 filter_q
= {BaseTopic
.id_field("projects", project_id
): project_id
}
413 r
= self
.db
.del_one("projects", filter_q
)
416 def update_project(self
, project_id
, project_info
):
418 Change the name of a project
420 :param project_id: project to be changed
421 :param project_info: full project info
423 :raises AuthconnOperationException: if project update failed.
425 self
.db
.set_one("projects", {BaseTopic
.id_field("projects", project_id
): project_id
}, project_info
)