Fix Bug 774 - NBI+Keystone: Trying to obtain a token with user+password+project gives...
[osm/NBI.git] / osm_nbi / auth.py
index f0e00b9..576ae4d 100644 (file)
@@ -31,15 +31,18 @@ __date__ = "$27-jul-2018 23:59:59$"
 
 import cherrypy
 import logging
 
 import cherrypy
 import logging
+import yaml
 from base64 import standard_b64decode
 from copy import deepcopy
 from base64 import standard_b64decode
 from copy import deepcopy
-from functools import reduce
+from functools import reduce
 from hashlib import sha256
 from http import HTTPStatus
 from random import choice as random_choice
 from time import time
 from hashlib import sha256
 from http import HTTPStatus
 from random import choice as random_choice
 from time import time
+from os import path
+from base_topic import BaseTopic    # To allow project names in project_id
 
 
-from authconn import AuthException
+from authconn import AuthException, AuthExceptionUnauthorized
 from authconn_keystone import AuthconnKeystone
 from osm_common import dbmongo
 from osm_common import dbmemory
 from authconn_keystone import AuthconnKeystone
 from osm_common import dbmongo
 from osm_common import dbmemory
@@ -52,9 +55,10 @@ class Authenticator:
     Authorization. Initially it should support Openstack Keystone as a
     backend through a plugin model where more backends can be added and a
     RBAC model to manage permissions on operations.
     Authorization. Initially it should support Openstack Keystone as a
     backend through a plugin model where more backends can be added and a
     RBAC model to manage permissions on operations.
+    This class must be threading safe
     """
 
     """
 
-    periodin_db_pruning = 60*30  # for the internal backend only. every 30 minutes expired tokens will be pruned
+    periodin_db_pruning = 60 * 30  # for the internal backend only. every 30 minutes expired tokens will be pruned
 
     def __init__(self):
         """
 
     def __init__(self):
         """
@@ -66,8 +70,12 @@ class Authenticator:
         self.db = None
         self.tokens_cache = dict()
         self.next_db_prune_time = 0  # time when next cleaning of expired tokens must be done
         self.db = None
         self.tokens_cache = dict()
         self.next_db_prune_time = 0  # time when next cleaning of expired tokens must be done
-
+        self.resources_to_operations_file = None
+        self.roles_to_operations_file = None
+        self.resources_to_operations_mapping = {}
+        self.operation_to_allowed_roles = {}
         self.logger = logging.getLogger("nbi.authenticator")
         self.logger = logging.getLogger("nbi.authenticator")
+        self.operations = []
 
     def start(self, config):
         """
 
     def start(self, config):
         """
@@ -98,6 +106,34 @@ class Authenticator:
                 else:
                     raise AuthException("Unknown authentication backend: {}"
                                         .format(config["authentication"]["backend"]))
                 else:
                     raise AuthException("Unknown authentication backend: {}"
                                         .format(config["authentication"]["backend"]))
+            if not self.resources_to_operations_file:
+                if "resources_to_operations" in config["rbac"]:
+                    self.resources_to_operations_file = config["rbac"]["resources_to_operations"]
+                else:
+                    possible_paths = (
+                        __file__[:__file__.rfind("auth.py")] + "resources_to_operations.yml",
+                        "./resources_to_operations.yml"
+                    )
+                    for config_file in possible_paths:
+                        if path.isfile(config_file):
+                            self.resources_to_operations_file = config_file
+                            break
+                    if not self.resources_to_operations_file:
+                        raise AuthException("Invalid permission configuration: resources_to_operations file missing")
+            if not self.roles_to_operations_file:
+                if "roles_to_operations" in config["rbac"]:
+                    self.roles_to_operations_file = config["rbac"]["roles_to_operations"]
+                else:
+                    possible_paths = (
+                        __file__[:__file__.rfind("auth.py")] + "roles_to_operations.yml",
+                        "./roles_to_operations.yml"
+                    )
+                    for config_file in possible_paths:
+                        if path.isfile(config_file):
+                            self.roles_to_operations_file = config_file
+                            break
+                    if not self.roles_to_operations_file:
+                        raise AuthException("Invalid permission configuration: roles_to_operations file missing")
         except Exception as e:
             raise AuthException(str(e))
 
         except Exception as e:
             raise AuthException(str(e))
 
@@ -108,15 +144,117 @@ class Authenticator:
         except DbException as e:
             raise AuthException(str(e), http_code=e.http_code)
 
         except DbException as e:
             raise AuthException(str(e), http_code=e.http_code)
 
-    def init_db(self, target_version='1.1'):
+    def init_db(self, target_version='1.0'):
         """
         """
-        Check if the database has been initialized, with at least one user. If not, create an adthe required tables
+        Check if the database has been initialized, with at least one user. If not, create the required tables
         and insert the predefined mappings between roles and permissions.
 
         :param target_version: schema version that should be present in the database.
         :return: None if OK, exception if error or version is different.
         """
         and insert the predefined mappings between roles and permissions.
 
         :param target_version: schema version that should be present in the database.
         :return: None if OK, exception if error or version is different.
         """
-        pass
+        # Always reads operation to resource mapping from file (this is static, no need to store it in MongoDB)
+        # Operations encoding: "<METHOD> <URL>"
+        # Note: it is faster to rewrite the value than to check if it is already there or not
+        if self.config["authentication"]["backend"] == "internal":
+            return
+
+        with open(self.resources_to_operations_file, "r") as stream:
+            resources_to_operations_yaml = yaml.load(stream)
+
+        for resource, operation in resources_to_operations_yaml["resources_to_operations"].items():
+            if operation not in self.operations:
+                self.operations.append(operation)
+            self.resources_to_operations_mapping[resource] = operation
+
+        records = self.db.get_list("roles_operations")
+
+        # Loading permissions to MongoDB if there is not any permission.
+        if not records:
+            with open(self.roles_to_operations_file, "r") as stream:
+                roles_to_operations_yaml = yaml.load(stream)
+
+            role_names = []
+            for role_with_operations in roles_to_operations_yaml["roles"]:
+                # Verifying if role already exists. If it does, raise exception
+                if role_with_operations["name"] not in role_names:
+                    role_names.append(role_with_operations["name"])
+                else:
+                    raise AuthException("Duplicated role name '{}' at file '{}''"
+                                        .format(role_with_operations["name"], self.roles_to_operations_file))
+
+                if not role_with_operations["permissions"]:
+                    continue
+
+                for permission, is_allowed in role_with_operations["permissions"].items():
+                    if not isinstance(is_allowed, bool):
+                        raise AuthException("Invalid value for permission '{}' at role '{}'; at file '{}'"
+                                            .format(permission, role_with_operations["name"],
+                                                    self.roles_to_operations_file))
+
+                    # TODO chek permission is ok
+                    if permission[-1] == ":":
+                        raise AuthException("Invalid permission '{}' terminated in ':' for role '{}'; at file {}"
+                                            .format(permission, role_with_operations["name"],
+                                                    self.roles_to_operations_file))
+
+                if "default" not in role_with_operations["permissions"]:
+                    role_with_operations["permissions"]["default"] = False
+                if "admin" not in role_with_operations["permissions"]:
+                    role_with_operations["permissions"]["admin"] = False
+
+                now = time()
+                role_with_operations["_admin"] = {
+                    "created": now,
+                    "modified": now,
+                }
+
+                if self.config["authentication"]["backend"] != "internal" and \
+                        role_with_operations["name"] != "anonymous":
+
+                    backend_roles = self.backend.get_role_list(filter_q={"name": role_with_operations["name"]})
+
+                    if backend_roles:
+                        backend_id = backend_roles[0]["_id"]
+                    else:
+                        backend_id = self.backend.create_role(role_with_operations["name"])
+                    role_with_operations["_id"] = backend_id
+
+                self.db.create("roles_operations", role_with_operations)
+
+        if self.config["authentication"]["backend"] != "internal":
+            self.backend.assign_role_to_user("admin", "admin", "system_admin")
+
+        self.load_operation_to_allowed_roles()
+
+    def load_operation_to_allowed_roles(self):
+        """
+        Fills the internal self.operation_to_allowed_roles based on database role content and self.operations
+        It works in a shadow copy and replace at the end to allow other threads working with the old copy
+        :return: None
+        """
+
+        permissions = {oper: [] for oper in self.operations}
+        records = self.db.get_list("roles_operations")
+
+        ignore_fields = ["_id", "_admin", "name", "default"]
+        for record in records:
+            record_permissions = {oper: record["permissions"].get("default", False) for oper in self.operations}
+            operations_joined = [(oper, value) for oper, value in record["permissions"].items()
+                                 if oper not in ignore_fields]
+            operations_joined.sort(key=lambda x: x[0].count(":"))
+
+            for oper in operations_joined:
+                match = list(filter(lambda x: x.find(oper[0]) == 0, record_permissions.keys()))
+
+                for m in match:
+                    record_permissions[m] = oper[1]
+
+            allowed_operations = [k for k, v in record_permissions.items() if v is True]
+
+            for allowed_op in allowed_operations:
+                permissions[allowed_op].append(record["name"])
+
+        self.operation_to_allowed_roles = permissions
 
     def authorize(self):
         token = None
 
     def authorize(self):
         token = None
@@ -151,57 +289,73 @@ class Authenticator:
             if self.config["authentication"]["backend"] == "internal":
                 return self._internal_authorize(token)
             else:
             if self.config["authentication"]["backend"] == "internal":
                 return self._internal_authorize(token)
             else:
-                try:
-                    self.backend.validate_token(token)
-                    # TODO: check if this can be avoided. Backend may provide enough information
-                    return self.tokens_cache[token]
-                except AuthException:
-                    self.del_token(token)
-                    raise
+                if not token:
+                    raise AuthException("Needed a token or Authorization http header",
+                                        http_code=HTTPStatus.UNAUTHORIZED)
+                token_info = self.backend.validate_token(token)
+                # TODO add to token info remote host, port
+
+                self.check_permissions(token_info, cherrypy.request.path_info,
+                                       cherrypy.request.method)
+                return token_info
         except AuthException as e:
         except AuthException as e:
-            if cherrypy.session.get('Authorization'):
-                del cherrypy.session['Authorization']
-            cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e)
-            raise AuthException(str(e))
+            if not isinstance(e, AuthExceptionUnauthorized):
+                if cherrypy.session.get('Authorization'):
+                    del cherrypy.session['Authorization']
+                cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e)
+            raise
 
     def new_token(self, session, indata, remote):
         if self.config["authentication"]["backend"] == "internal":
             return self._internal_new_token(session, indata, remote)
         else:
 
     def new_token(self, session, indata, remote):
         if self.config["authentication"]["backend"] == "internal":
             return self._internal_new_token(session, indata, remote)
         else:
-            if indata.get("username"):
-                token, projects = self.backend.authenticate_with_user_password(
-                    indata.get("username"), indata.get("password"))
-            elif session:
-                token, projects = self.backend.authenticate_with_token(
-                    session.get("id"), indata.get("project_id"))
-            else:
-                raise AuthException("Provide credentials: username/password or Authorization Bearer token",
-                                    http_code=HTTPStatus.UNAUTHORIZED)
-
-            if indata.get("project_id"):
-                project_id = indata.get("project_id")
-                if project_id not in projects:
-                    raise AuthException("Project {} not allowed for this user".format(project_id),
-                                        http_code=HTTPStatus.UNAUTHORIZED)
-            else:
-                project_id = projects[0]
-
-            if project_id == "admin":
-                session_admin = True
-            else:
-                session_admin = reduce(lambda x, y: x or (True if y == "admin" else False),
-                                       projects, False)
+            current_token = None
+            if session:
+                current_token = session.get("token")
+            token_info = self.backend.authenticate(
+                user=indata.get("username"),
+                password=indata.get("password"),
+                token=current_token,
+                project=indata.get("project_id")
+            )
+
+            # if indata.get("username"):
+            #     token, projects = self.backend.authenticate_with_user_password(
+            #         indata.get("username"), indata.get("password"))
+            # elif session:
+            #     token, projects = self.backend.authenticate_with_token(
+            #         session.get("id"), indata.get("project_id"))
+            # else:
+            #     raise AuthException("Provide credentials: username/password or Authorization Bearer token",
+            #                         http_code=HTTPStatus.UNAUTHORIZED)
+            #
+            # if indata.get("project_id"):
+            #     project_id = indata.get("project_id")
+            #     if project_id not in projects:
+            #         raise AuthException("Project {} not allowed for this user".format(project_id),
+            #                             http_code=HTTPStatus.UNAUTHORIZED)
+            # else:
+            #     project_id = projects[0]
+            #
+            # if not session:
+            #     token, projects = self.backend.authenticate_with_token(token, project_id)
+            #
+            # if project_id == "admin":
+            #     session_admin = True
+            # else:
+            #     session_admin = reduce(lambda x, y: x or (True if y == "admin" else False),
+            #                            projects, False)
 
             now = time()
             new_session = {
 
             now = time()
             new_session = {
-                "_id": token,
-                "id": token,
+                "_id": token_info["_id"],
+                "id": token_info["_id"],
                 "issued_at": now,
                 "issued_at": now,
-                "expires": now + 3600,
-                "project_id": project_id,
-                "username": indata.get("username") if not session else session.get("username"),
+                "expires": token_info.get("expires", now + 3600),
+                "project_id": token_info["project_id"],
+                "username": token_info.get("username") or session.get("username"),
                 "remote_port": remote.port,
                 "remote_port": remote.port,
-                "admin": session_admin
+                "admin": True if token_info.get("project_name") == "admin" else False   # TODO put admin in RBAC
             }
 
             if remote.name:
             }
 
             if remote.name:
@@ -210,7 +364,7 @@ class Authenticator:
                 new_session["remote_host"] = remote.ip
 
             # TODO: check if this can be avoided. Backend may provide enough information
                 new_session["remote_host"] = remote.ip
 
             # TODO: check if this can be avoided. Backend may provide enough information
-            self.tokens_cache[token] = new_session
+            self.tokens_cache[token_info["_id"]] = new_session
 
             return deepcopy(new_session)
 
 
             return deepcopy(new_session)
 
@@ -245,6 +399,89 @@ class Authenticator:
             except KeyError:
                 raise AuthException("Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND)
 
             except KeyError:
                 raise AuthException("Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND)
 
+    def check_permissions(self, session, url, method):
+        self.logger.info("Session: {}".format(session))
+        self.logger.info("URL: {}".format(url))
+        self.logger.info("Method: {}".format(method))
+
+        key, parameters = self._normalize_url(url, method)
+
+        # TODO: Check if parameters might be useful for the decision
+
+        operation = self.resources_to_operations_mapping[key]
+        roles_required = self.operation_to_allowed_roles[operation]
+        roles_allowed = [role["name"] for role in session["roles"]]
+
+        # fills session["admin"] if some roles allows it
+        session["admin"] = False
+        for role in roles_allowed:
+            if role in self.operation_to_allowed_roles["admin"]:
+                session["admin"] = True
+                break
+
+        if "anonymous" in roles_required:
+            return
+
+        for role in roles_allowed:
+            if role in roles_required:
+                return
+
+        raise AuthExceptionUnauthorized("Access denied: lack of permissions.")
+
+    def get_user_list(self):
+        return self.backend.get_user_list()
+
+    def _normalize_url(self, url, method):
+        # Removing query strings
+        normalized_url = url if '?' not in url else url[:url.find("?")]
+        normalized_url_splitted = normalized_url.split("/")
+        parameters = {}
+
+        filtered_keys = [key for key in self.resources_to_operations_mapping.keys()
+                         if method in key.split()[0]]
+
+        for idx, path_part in enumerate(normalized_url_splitted):
+            tmp_keys = []
+            for tmp_key in filtered_keys:
+                splitted = tmp_key.split()[1].split("/")
+                if idx >= len(splitted):
+                    continue
+                elif "<" in splitted[idx] and ">" in splitted[idx]:
+                    if splitted[idx] == "<artifactPath>":
+                        tmp_keys.append(tmp_key)
+                        continue
+                    elif idx == len(normalized_url_splitted) - 1 and \
+                            len(normalized_url_splitted) != len(splitted):
+                        continue
+                    else:
+                        tmp_keys.append(tmp_key)
+                elif splitted[idx] == path_part:
+                    if idx == len(normalized_url_splitted) - 1 and \
+                            len(normalized_url_splitted) != len(splitted):
+                        continue
+                    else:
+                        tmp_keys.append(tmp_key)
+            filtered_keys = tmp_keys
+            if len(filtered_keys) == 1 and \
+                    filtered_keys[0].split("/")[-1] == "<artifactPath>":
+                break
+
+        if len(filtered_keys) == 0:
+            raise AuthException("Cannot make an authorization decision. URL not found. URL: {0}".format(url))
+        elif len(filtered_keys) > 1:
+            raise AuthException("Cannot make an authorization decision. Multiple URLs found. URL: {0}".format(url))
+
+        filtered_key = filtered_keys[0]
+
+        for idx, path_part in enumerate(filtered_key.split()[1].split("/")):
+            if "<" in path_part and ">" in path_part:
+                if path_part == "<artifactPath>":
+                    parameters[path_part[1:-1]] = "/".join(normalized_url_splitted[idx:])
+                else:
+                    parameters[path_part[1:-1]] = normalized_url_splitted[idx]
+
+        return filtered_key, parameters
+
     def _internal_authorize(self, token_id):
         try:
             if not token_id:
     def _internal_authorize(self, token_id):
         try:
             if not token_id:
@@ -253,7 +490,8 @@ class Authenticator:
             now = time()
             session = self.tokens_cache.get(token_id)
             if session and session["expires"] < now:
             now = time()
             session = self.tokens_cache.get(token_id)
             if session and session["expires"] < now:
-                del self.tokens_cache[token_id]
+                # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del
+                self.tokens_cache.pop(token_id, None)
                 session = None
             if session:
                 return session
                 session = None
             if session:
                 return session
@@ -274,7 +512,7 @@ class Authenticator:
             if self.config["global"].get("test.user_not_authorized"):
                 return {"id": "fake-token-id-for-test",
                         "project_id": self.config["global"].get("test.project_not_authorized", "admin"),
             if self.config["global"].get("test.user_not_authorized"):
                 return {"id": "fake-token-id-for-test",
                         "project_id": self.config["global"].get("test.project_not_authorized", "admin"),
-                        "username": self.config["global"]["test.user_not_authorized"]}
+                        "username": self.config["global"]["test.user_not_authorized"], "admin": True}
             else:
                 raise
 
             else:
                 raise
 
@@ -305,17 +543,21 @@ class Authenticator:
 
         token_id = ''.join(random_choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
                            for _ in range(0, 32))
 
         token_id = ''.join(random_choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
                            for _ in range(0, 32))
-        if indata.get("project_id"):
-            project_id = indata.get("project_id")
-            if project_id not in user_content["projects"]:
-                raise AuthException("project {} not allowed for this user"
-                                    .format(project_id), http_code=HTTPStatus.UNAUTHORIZED)
+        project_id = indata.get("project_id")
+        if project_id:
+            if project_id != "admin":
+                # To allow project names in project_id
+                proj = self.db.get_one("projects", {BaseTopic.id_field("projects", project_id): project_id})
+                if proj["_id"] not in user_content["projects"] and proj["name"] not in user_content["projects"]:
+                    raise AuthException("project {} not allowed for this user"
+                                        .format(project_id), http_code=HTTPStatus.UNAUTHORIZED)
         else:
             project_id = user_content["projects"][0]
         if project_id == "admin":
             session_admin = True
         else:
         else:
             project_id = user_content["projects"][0]
         if project_id == "admin":
             session_admin = True
         else:
-            project = self.db.get_one("projects", {"_id": project_id})
+            # To allow project names in project_id
+            project = self.db.get_one("projects", {BaseTopic.id_field("projects", project_id): project_id})
             session_admin = project.get("admin", False)
         new_session = {"issued_at": now, "expires": now + 3600,
                        "_id": token_id, "id": token_id, "project_id": project_id, "username": user_content["username"],
             session_admin = project.get("admin", False)
         new_session = {"issued_at": now, "expires": now + 3600,
                        "_id": token_id, "id": token_id, "project_id": project_id, "username": user_content["username"],
@@ -360,4 +602,4 @@ class Authenticator:
         if not self.next_db_prune_time or self.next_db_prune_time >= now:
             self.db.del_list("tokens", {"expires.lt": now})
             self.next_db_prune_time = self.periodin_db_pruning + now
         if not self.next_db_prune_time or self.next_db_prune_time >= now:
             self.db.del_list("tokens", {"expires.lt": now})
             self.next_db_prune_time = self.periodin_db_pruning + now
-            self.tokens_cache.clear()   # force to reload tokens from database
+            self.tokens_cache.clear()  # force to reload tokens from database