bug when migrating from old user format containing project instead project_role_mappings

[osm/NBI.git] / osm_nbi / auth.py

diff --git a/osm_nbi/auth.py b/osm_nbi/auth.py
index 3d74d89..36b6dc5 100644 (file)
--- a/osm_nbi/auth.py
+++ b/osm_nbi/auth.py
@@ -39,15 +39,15 @@ from http import HTTPStatus
 from time import time
 from os import path
 
-from authconn import AuthException, AuthExceptionUnauthorized
-from authconn_keystone import AuthconnKeystone
-from authconn_internal import AuthconnInternal   # Comment out for testing&debugging, uncomment when ready
+from osm_nbi.authconn import AuthException, AuthExceptionUnauthorized
+from osm_nbi.authconn_keystone import AuthconnKeystone
+from osm_nbi.authconn_internal import AuthconnInternal   # Comment out for testing&debugging, uncomment when ready
 from osm_common import dbmongo
 from osm_common import dbmemory
 from osm_common.dbbase import DbException
 from itertools import chain
 
-from uuid import uuid4   # For Role _id with internal authentication backend
+from uuid import uuid4
 
 
 class Authenticator:
@@ -72,7 +72,7 @@ class Authenticator:
         self.tokens_cache = dict()
         self.next_db_prune_time = 0  # time when next cleaning of expired tokens must be done
         self.roles_to_operations_file = None
-        self.roles_to_operations_table = None
+        # self.roles_to_operations_table = None
         self.resources_to_operations_mapping = {}
         self.operation_to_allowed_roles = {}
         self.logger = logging.getLogger("nbi.authenticator")
@@ -103,7 +103,7 @@ class Authenticator:
                                         .format(config["database"]["driver"]))
             if not self.backend:
                 if config["authentication"]["backend"] == "keystone":
-                    self.backend = AuthconnKeystone(self.config["authentication"])
+                    self.backend = AuthconnKeystone(self.config["authentication"], self.db, self.tokens_cache)
                 elif config["authentication"]["backend"] == "internal":
                     self.backend = AuthconnInternal(self.config["authentication"], self.db, self.tokens_cache)
                     self._internal_tokens_prune()
@@ -126,11 +126,6 @@ class Authenticator:
                 if not self.roles_to_operations_file:
                     raise AuthException("Invalid permission configuration: roles_to_operations file missing")
 
-            if not self.roles_to_operations_table:  # PROVISIONAL ?
-                self.roles_to_operations_table = "roles_operations" \
-                    if config["authentication"]["backend"] == "keystone" \
-                    else "roles"
-
             # load role_permissions
             def load_role_permissions(method_dict):
                 for k in method_dict:
@@ -161,6 +156,50 @@ class Authenticator:
         except DbException as e:
             raise AuthException(str(e), http_code=e.http_code)
 
+    def create_admin_project(self):
+        """
+        Creates a new project 'admin' into database if it doesn't exist. Useful for initialization.
+        :return: _id identity of the 'admin' project
+        """
+
+        # projects = self.db.get_one("projects", fail_on_empty=False, fail_on_more=False)
+        project_desc = {"name": "admin"}
+        projects = self.backend.get_project_list(project_desc)
+        if projects:
+            return projects[0]["_id"]
+        now = time()
+        project_desc["_id"] = str(uuid4())
+        project_desc["_admin"] = {"created": now, "modified": now}
+        pid = self.backend.create_project(project_desc)
+        self.logger.info("Project '{}' created at database".format(project_desc["name"]))
+        return pid
+
+    def create_admin_user(self, project_id):
+        """
+        Creates a new user admin/admin into database if database is empty. Useful for initialization
+        :return: _id identity of the inserted data, or None
+        """
+        # users = self.db.get_one("users", fail_on_empty=False, fail_on_more=False)
+        users = self.backend.get_user_list()
+        if users:
+            return None
+        # user_desc = {"username": "admin", "password": "admin", "projects": [project_id]}
+        now = time()
+        user_desc = {"username": "admin", "password": "admin", "_admin": {"created": now, "modified": now}}
+        if project_id:
+            pid = project_id
+        else:
+            # proj = self.db.get_one("projects", {"name": "admin"}, fail_on_empty=False, fail_on_more=False)
+            proj = self.backend.get_project_list({"name": "admin"})
+            pid = proj[0]["_id"] if proj else None
+        # role = self.db.get_one("roles", {"name": "system_admin"}, fail_on_empty=False, fail_on_more=False)
+        roles = self.backend.get_role_list({"name": "system_admin"})
+        if pid and roles:
+            user_desc["project_role_mappings"] = [{"project": pid, "role": roles[0]["_id"]}]
+        uid = self.backend.create_user(user_desc)
+        self.logger.info("User '{}' created at database".format(user_desc["username"]))
+        return uid
+
     def init_db(self, target_version='1.0'):
         """
         Check if the database has been initialized, with at least one user. If not, create the required tables
@@ -170,14 +209,10 @@ class Authenticator:
         :return: None if OK, exception if error or version is different.
         """
 
-        # PCR 28/05/2019 Commented out to allow initialization for internal backend
-        # if self.config["authentication"]["backend"] == "internal":
-        #    return
-
-        records = self.db.get_list(self.roles_to_operations_table)
+        records = self.backend.get_role_list()
 
         # Loading permissions to MongoDB if there is not any permission.
-        if not records:
+        if not records or (len(records) == 1 and records[0]["name"] == "admin"):
             with open(self.roles_to_operations_file, "r") as stream:
                 roles_to_operations_yaml = yaml.load(stream)
 
@@ -216,22 +251,39 @@ class Authenticator:
                     "modified": now,
                 }
 
-                if self.config["authentication"]["backend"] == "keystone":
-                    if role_with_operations["name"] != "anonymous":
-                        backend_roles = self.backend.get_role_list(filter_q={"name": role_with_operations["name"]})
-                        if backend_roles:
-                            backend_id = backend_roles[0]["_id"]
-                        else:
-                            backend_id = self.backend.create_role(role_with_operations["name"])
-                        role_with_operations["_id"] = backend_id
-                else:
-                    role_with_operations["_id"] = str(uuid4())
-
-                self.db.create(self.roles_to_operations_table, role_with_operations)
+                # self.db.create(self.roles_to_operations_table, role_with_operations)
+                self.backend.create_role(role_with_operations)
                 self.logger.info("Role '{}' created at database".format(role_with_operations["name"]))
 
-        if self.config["authentication"]["backend"] != "internal":
-            self.backend.assign_role_to_user("admin", "admin", "system_admin")
+        # Create admin project&user if required
+        pid = self.create_admin_project()
+        user_id = self.create_admin_user(pid)
+
+        # try to assign system_admin role to user admin if not any user has this role
+        if not user_id:
+            try:
+                users = self.backend.get_user_list()
+                roles = self.backend.get_role_list({"name": "system_admin"})
+                role_id = roles[0]["_id"]
+                user_with_system_admin = False
+                user_admin_id = None
+                for user in users:
+                    if not user_admin_id:
+                        user_admin_id = user["_id"]
+                    if user["username"] == "admin":
+                        user_admin_id = user["_id"]
+                    for prm in user.get("project_role_mappings", ()):
+                        if prm["role"] == role_id:
+                            user_with_system_admin = True
+                            break
+                    if user_with_system_admin:
+                        break
+                if not user_with_system_admin:
+                    self.backend.update_user({"_id": user_admin_id,
+                                              "add_project_role_mappings": [{"project": pid, "role": role_id}]})
+                    self.logger.info("Added role system admin to user='{}' project=admin".format(user_admin_id))
+            except Exception:
+                pass
 
         self.load_operation_to_allowed_roles()
 
@@ -243,10 +295,13 @@ class Authenticator:
         """
 
         permissions = {oper: [] for oper in self.role_permissions}
-        records = self.db.get_list(self.roles_to_operations_table)
+        # records = self.db.get_list(self.roles_to_operations_table)
+        records = self.backend.get_role_list()
 
         ignore_fields = ["_id", "_admin", "name", "default"]
         for record in records:
+            if not record.get("permissions"):
+                continue
             record_permissions = {oper: record["permissions"].get("default", False) for oper in self.role_permissions}
             operations_joined = [(oper, value) for oper, value in record["permissions"].items()
                                  if oper not in ignore_fields]
@@ -311,6 +366,12 @@ class Authenticator:
                 if cherrypy.session.get('Authorization'):
                     del cherrypy.session['Authorization']
                 cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e)
+            elif self.config.get("user_not_authorized"):
+                # TODO provide user_id, roles id (not name), project_id
+                return {"id": "fake-token-id-for-test",
+                        "project_id": self.config.get("project_not_authorized", "admin"),
+                        "username": self.config["user_not_authorized"],
+                        "roles": ["system_admin"]}
             raise
 
     def new_token(self, token_info, indata, remote):