Fixes 1367 by preventing pyang discard repeated constituent-base-element-id

[osm/NBI.git] / osm_nbi / authconn_internal.py
diff --git a/osm_nbi/authconn_internal.py b/osm_nbi/authconn_internal.py

index 40d3215..b3de1cd 100644 (file)
--- a/osm_nbi/authconn_internal.py
+++ b/osm_nbi/authconn_internal.py
@@ -24,16 +24,18 @@ AuthconnInternal implements implements the connector for
  OSM Internal Authentication Backend and leverages the RBAC model
  """
  
  OSM Internal Authentication Backend and leverages the RBAC model
  """
  
-__author__ = "Pedro de la Cruz Ramos <pdelacruzramos@altran.com>"
+__author__ = "Pedro de la Cruz Ramos <pdelacruzramos@altran.com>, " \
+             "Alfonso Tierno <alfonso.tiernosepulveda@telefoncia.com"
  __date__ = "$06-jun-2019 11:16:08$"
  
  __date__ = "$06-jun-2019 11:16:08$"
  
-from authconn import Authconn, AuthException   # , AuthconnOperationException
-from osm_common.dbbase import DbException
-from base_topic import BaseTopic
-
  import logging
  import re
  import logging
  import re
-from time import time
+
+from osm_nbi.authconn import Authconn, AuthException   # , AuthconnOperationException
+from osm_common.dbbase import DbException
+from osm_nbi.base_topic import BaseTopic
+from osm_nbi.validation import is_valid_uuid
+from time import time, sleep
  from http import HTTPStatus
  from uuid import uuid4
  from hashlib import sha256
  from http import HTTPStatus
  from uuid import uuid4
  from hashlib import sha256
@@ -42,19 +44,23 @@ from random import choice as random_choice
  
  
  class AuthconnInternal(Authconn):
  
  
  class AuthconnInternal(Authconn):
-    def __init__(self, config, db, token_cache):
-        Authconn.__init__(self, config, db, token_cache)
+    token_time_window = 2   # seconds
+    token_delay = 1   # seconds to wait upon second request within time window
  
  
-        self.logger = logging.getLogger("nbi.authenticator.internal")
+    users_collection = "users"
+    roles_collection = "roles"
+    projects_collection = "projects"
+    tokens_collection = "tokens"
  
  
-        # Get Configuration
-        # self.xxx = config.get("xxx", "default")
+    def __init__(self, config, db, role_permissions):
+        Authconn.__init__(self, config, db, role_permissions)
+        self.logger = logging.getLogger("nbi.authenticator.internal")
  
          self.db = db
  
          self.db = db
-        self.token_cache = token_cache
+        # self.msg = msg
+        # self.token_cache = token_cache
  
          # To be Confirmed
  
          # To be Confirmed
-        self.auth = None
          self.sess = None
  
      def validate_token(self, token):
          self.sess = None
  
      def validate_token(self, token):
@@ -77,19 +83,13 @@ class AuthconnInternal(Authconn):
              if not token:
                  raise AuthException("Needed a token or Authorization HTTP header", http_code=HTTPStatus.UNAUTHORIZED)
  
              if not token:
                  raise AuthException("Needed a token or Authorization HTTP header", http_code=HTTPStatus.UNAUTHORIZED)
  
-            # try to get from cache first
              now = time()
              now = time()
-            token_info = self.token_cache.get(token)
-            if token_info and token_info["expires"] < now:
-                # delete token. MUST be done with care, as another thread maybe already delete it. Do not use del
-                self.token_cache.pop(token, None)
-                token_info = None
  
              # get from database if not in cache
  
              # get from database if not in cache
-            if not token_info:
-                token_info = self.db.get_one("tokens", {"_id": token})
-                if token_info["expires"] < now:
-                    raise AuthException("Expired Token or Authorization HTTP header", http_code=HTTPStatus.UNAUTHORIZED)
+            # if not token_info:
+            token_info = self.db.get_one(self.tokens_collection, {"_id": token})
+            if token_info["expires"] < now:
+                raise AuthException("Expired Token or Authorization HTTP header", http_code=HTTPStatus.UNAUTHORIZED)
  
              return token_info
  
  
              return token_info
  
@@ -99,12 +99,7 @@ class AuthconnInternal(Authconn):
              else:
                  raise
          except AuthException:
              else:
                  raise
          except AuthException:
-            if self.config["global"].get("test.user_not_authorized"):
-                return {"id": "fake-token-id-for-test",
-                        "project_id": self.config["global"].get("test.project_not_authorized", "admin"),
-                        "username": self.config["global"]["test.user_not_authorized"], "admin": True}
-            else:
-                raise
+            raise
          except Exception:
              self.logger.exception("Error during token validation using internal backend")
              raise AuthException("Error during token validation using internal backend",
          except Exception:
              self.logger.exception("Error during token validation using internal backend")
              raise AuthException("Error during token validation using internal backend",
@@ -117,27 +112,44 @@ class AuthconnInternal(Authconn):
          :param token: token to be revoked
          """
          try:
          :param token: token to be revoked
          """
          try:
-            self.token_cache.pop(token, None)
-            self.db.del_one("tokens", {"_id": token})
+            # self.token_cache.pop(token, None)
+            self.db.del_one(self.tokens_collection, {"_id": token})
              return True
          except DbException as e:
              if e.http_code == HTTPStatus.NOT_FOUND:
                  raise AuthException("Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND)
              else:
                  # raise
              return True
          except DbException as e:
              if e.http_code == HTTPStatus.NOT_FOUND:
                  raise AuthException("Token '{}' not found".format(token), http_code=HTTPStatus.NOT_FOUND)
              else:
                  # raise
-                msg = "Error during token revocation using internal backend"
-                self.logger.exception(msg)
-                raise AuthException(msg, http_code=HTTPStatus.UNAUTHORIZED)
+                exmsg = "Error during token revocation using internal backend"
+                self.logger.exception(exmsg)
+                raise AuthException(exmsg, http_code=HTTPStatus.UNAUTHORIZED)
  
  
-    def authenticate(self, user, password, project=None, token_info=None):
+    def validate_user(self, user, password):
+        """
+        Validate username and password via appropriate backend.
+        :param user: username of the user.
+        :param password: password to be validated.
+        """
+        user_rows = self.db.get_list(self.users_collection, {BaseTopic.id_field("users", user): user})
+        user_content = None
+        if user_rows:
+            user_content = user_rows[0]
+            salt = user_content["_admin"]["salt"]
+            shadow_password = sha256(password.encode('utf-8') + salt.encode('utf-8')).hexdigest()
+            if shadow_password != user_content["password"]:
+                user_content = None
+        return user_content
+
+    def authenticate(self, credentials, token_info=None):
          """
          Authenticate a user using username/password or previous token_info plus project; its creates a new token
  
          """
          Authenticate a user using username/password or previous token_info plus project; its creates a new token
  
-        :param user: user: name, id or None
-        :param password: password or None
-        :param project: name, id, or None. If None first found project will be used to get an scope token
+        :param credentials: dictionary that contains:
+            username: name, id or None
+            password: password or None
+            project_id: name, id, or None. If None first found project will be used to get an scope token
+            other items are allowed and ignored
          :param token_info: previous token_info to obtain authorization
          :param token_info: previous token_info to obtain authorization
-        :param remote: remote host information
          :return: the scoped token info or raises an exception. The token is a dictionary with:
              _id:  token string id,
              username: username,
          :return: the scoped token info or raises an exception. The token is a dictionary with:
              _id:  token string id,
              username: username,
@@ -148,20 +160,19 @@ class AuthconnInternal(Authconn):
  
          now = time()
          user_content = None
  
          now = time()
          user_content = None
+        user = credentials.get("username")
+        password = credentials.get("password")
+        project = credentials.get("project_id")
  
          # Try using username/password
          if user:
  
          # Try using username/password
          if user:
-            user_rows = self.db.get_list("users", {BaseTopic.id_field("users", user): user})
-            if user_rows:
-                user_content = user_rows[0]
-                salt = user_content["_admin"]["salt"]
-                shadow_password = sha256(password.encode('utf-8') + salt.encode('utf-8')).hexdigest()
-                if shadow_password != user_content["password"]:
-                    user_content = None
+            user_content = self.validate_user(user, password)
              if not user_content:
                  raise AuthException("Invalid username/password", http_code=HTTPStatus.UNAUTHORIZED)
              if not user_content:
                  raise AuthException("Invalid username/password", http_code=HTTPStatus.UNAUTHORIZED)
+            if not user_content.get("_admin", None):
+                raise AuthException("No default project for this user.", http_code=HTTPStatus.UNAUTHORIZED)
          elif token_info:
          elif token_info:
-            user_rows = self.db.get_list("users", {"username": token_info["username"]})
+            user_rows = self.db.get_list(self.users_collection, {"username": token_info["username"]})
              if user_rows:
                  user_content = user_rows[0]
              else:
              if user_rows:
                  user_content = user_rows[0]
              else:
@@ -169,6 +180,13 @@ class AuthconnInternal(Authconn):
          else:
              raise AuthException("Provide credentials: username/password or Authorization Bearer token",
                                  http_code=HTTPStatus.UNAUTHORIZED)
          else:
              raise AuthException("Provide credentials: username/password or Authorization Bearer token",
                                  http_code=HTTPStatus.UNAUTHORIZED)
+        # Delay upon second request within time window
+        if now - user_content["_admin"].get("last_token_time", 0) < self.token_time_window:
+            sleep(self.token_delay)
+        # user_content["_admin"]["last_token_time"] = now
+        # self.db.replace("users", user_content["_id"], user_content)   # might cause race conditions
+        self.db.set_one(self.users_collection,
+                        {"_id": user_content["_id"]}, {"_admin.last_token_time": now})
  
          token_id = ''.join(random_choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
                             for _ in range(0, 32))
  
          token_id = ''.join(random_choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
                             for _ in range(0, 32))
@@ -183,7 +201,8 @@ class AuthconnInternal(Authconn):
  
          projects = [prm["project"] for prm in prm_list]
  
  
          projects = [prm["project"] for prm in prm_list]
  
-        proj = self.db.get_one("projects", {BaseTopic.id_field("projects", project): project})
+        proj = self.db.get_one(self.projects_collection,
+                               {BaseTopic.id_field("projects", project): project})
          project_name = proj["name"]
          project_id = proj["_id"]
          if project_name not in projects and project_id not in projects:
          project_name = proj["name"]
          project_id = proj["_id"]
          if project_name not in projects and project_id not in projects:
@@ -201,14 +220,15 @@ class AuthconnInternal(Authconn):
          roles_list = []
          for prm in prm_list:
              if prm["project"] in [project_id, project_name]:
          roles_list = []
          for prm in prm_list:
              if prm["project"] in [project_id, project_name]:
-                role = self.db.get_one("roles", {BaseTopic.id_field("roles", prm["role"]): prm["role"]})
+                role = self.db.get_one(self.roles_collection,
+                                       {BaseTopic.id_field("roles", prm["role"]): prm["role"]})
                  rid = role["_id"]
                  if rid not in roles:
                      rnm = role["name"]
                      roles.append(rid)
                      roles_list.append({"name": rnm, "id": rid})
          if not roles_list:
                  rid = role["_id"]
                  if rid not in roles:
                      rnm = role["name"]
                      roles.append(rid)
                      roles_list.append({"name": rnm, "id": rid})
          if not roles_list:
-            rid = self.db.get_one("roles", {"name": "project_admin"})["_id"]
+            rid = self.db.get_one(self.roles_collection, {"name": "project_admin"})["_id"]
              roles_list = [{"name": "project_admin", "id": rid}]
  
          new_token = {"issued_at": now,
              roles_list = [{"name": "project_admin", "id": rid}]
  
          new_token = {"issued_at": now,
@@ -223,8 +243,7 @@ class AuthconnInternal(Authconn):
                       "roles": roles_list,
                       }
  
                       "roles": roles_list,
                       }
  
-        self.token_cache[token_id] = new_token
-        self.db.create("tokens", new_token)
+        self.db.create(self.tokens_collection, new_token)
          return deepcopy(new_token)
  
      def get_role_list(self, filter_q={}):
          return deepcopy(new_token)
  
      def get_role_list(self, filter_q={}):
@@ -233,7 +252,7 @@ class AuthconnInternal(Authconn):
  
          :return: returns the list of roles.
          """
  
          :return: returns the list of roles.
          """
-        return self.db.get_list("roles", filter_q)
+        return self.db.get_list(self.roles_collection, filter_q)
  
      def create_role(self, role_info):
          """
  
      def create_role(self, role_info):
          """
@@ -246,7 +265,7 @@ class AuthconnInternal(Authconn):
          # TODO: Check that role name does not exist ?
          rid = str(uuid4())
          role_info["_id"] = rid
          # TODO: Check that role name does not exist ?
          rid = str(uuid4())
          role_info["_id"] = rid
-        rid = self.db.create("roles", role_info)
+        rid = self.db.create(self.roles_collection, role_info)
          return rid
  
      def delete_role(self, role_id):
          return rid
  
      def delete_role(self, role_id):
@@ -256,7 +275,9 @@ class AuthconnInternal(Authconn):
          :param role_id: role identifier.
          :raises AuthconnOperationException: if role deletion failed.
          """
          :param role_id: role identifier.
          :raises AuthconnOperationException: if role deletion failed.
          """
-        return self.db.del_one("roles", {"_id": role_id})
+        rc = self.db.del_one(self.roles_collection, {"_id": role_id})
+        self.db.del_list(self.tokens_collection, {"roles.id": role_id})
+        return rc
  
      def update_role(self, role_info):
          """
  
      def update_role(self, role_info):
          """
@@ -267,7 +288,7 @@ class AuthconnInternal(Authconn):
          :raises AuthconnOperationException: if user creation failed.
          """
          rid = role_info["_id"]
          :raises AuthconnOperationException: if user creation failed.
          """
          rid = role_info["_id"]
-        self.db.set_one("roles", {"_id": rid}, role_info)   # CONFIRM
+        self.db.set_one(self.roles_collection, {"_id": rid}, role_info)
          return {"_id": rid, "name": role_info["name"]}
  
      def create_user(self, user_info):
          return {"_id": rid, "name": role_info["name"]}
  
      def create_user(self, user_info):
@@ -285,7 +306,7 @@ class AuthconnInternal(Authconn):
          # "projects" are not stored any more
          if "projects" in user_info:
              del user_info["projects"]
          # "projects" are not stored any more
          if "projects" in user_info:
              del user_info["projects"]
-        self.db.create("users", user_info)
+        self.db.create(self.users_collection, user_info)
          return {"username": user_info["username"], "_id": user_info["_id"]}
  
      def update_user(self, user_info):
          return {"username": user_info["username"], "_id": user_info["_id"]}
  
      def update_user(self, user_info):
@@ -295,7 +316,7 @@ class AuthconnInternal(Authconn):
          :param user_info: user info modifications
          """
          uid = user_info["_id"]
          :param user_info: user info modifications
          """
          uid = user_info["_id"]
-        user_data = self.db.get_one("users", {BaseTopic.id_field("users", uid): uid})
+        user_data = self.db.get_one(self.users_collection, {BaseTopic.id_field("users", uid): uid})
          BaseTopic.format_on_edit(user_data, user_info)
          # User Name
          usnm = user_info.get("username")
          BaseTopic.format_on_edit(user_data, user_info)
          # User Name
          usnm = user_info.get("username")
@@ -324,7 +345,11 @@ class AuthconnInternal(Authconn):
                          pass
                      except ValueError:
                          pass
                          pass
                      except ValueError:
                          pass
-        self.db.set_one("users", {BaseTopic.id_field("users", uid): uid}, user_data)   # CONFIRM
+        idf = BaseTopic.id_field("users", uid)
+        self.db.set_one(self.users_collection, {idf: uid}, user_data)
+        if user_info.get("remove_project_role_mappings"):
+            idf = "user_id" if idf == "_id" else idf
+            self.db.del_list(self.tokens_collection, {idf: uid})
  
      def delete_user(self, user_id):
          """
  
      def delete_user(self, user_id):
          """
@@ -333,21 +358,26 @@ class AuthconnInternal(Authconn):
          :param user_id: user identifier.
          :raises AuthconnOperationException: if user deletion failed.
          """
          :param user_id: user identifier.
          :raises AuthconnOperationException: if user deletion failed.
          """
-        self.db.del_one("users", {"_id": user_id})
+        self.db.del_one(self.users_collection, {"_id": user_id})
+        self.db.del_list(self.tokens_collection, {"user_id": user_id})
          return True
  
      def get_user_list(self, filter_q=None):
          """
          Get user list.
  
          return True
  
      def get_user_list(self, filter_q=None):
          """
          Get user list.
  
-        :param filter_q: dictionary to filter user list by name (username is also admited) and/or _id
+        :param filter_q: dictionary to filter user list by:
+            name (username is also admitted).  If a user id is equal to the filter name, it is also provided
+            other
          :return: returns a list of users.
          """
          filt = filter_q or {}
          :return: returns a list of users.
          """
          filt = filter_q or {}
-        if "name" in filt:
-            filt["username"] = filt["name"]
-            del filt["name"]
-        users = self.db.get_list("users", filt)
+        if "name" in filt:  # backward compatibility
+            filt["username"] = filt.pop("name")
+        if filt.get("username") and is_valid_uuid(filt["username"]):
+            # username cannot be a uuid. If this is the case, change from username to _id
+            filt["_id"] = filt.pop("username")
+        users = self.db.get_list(self.users_collection, filt)
          project_id_name = {}
          role_id_name = {}
          for user in users:
          project_id_name = {}
          role_id_name = {}
          for user in users:
@@ -359,7 +389,8 @@ class AuthconnInternal(Authconn):
                  for prm in prms:
                      project_id = prm["project"]
                      if project_id not in project_id_name:
                  for prm in prms:
                      project_id = prm["project"]
                      if project_id not in project_id_name:
-                        pr = self.db.get_one("projects", {BaseTopic.id_field("projects", project_id): project_id},
+                        pr = self.db.get_one(self.projects_collection,
+                                             {BaseTopic.id_field("projects", project_id): project_id},
                                               fail_on_empty=False)
                          project_id_name[project_id] = pr["name"] if pr else None
                      prm["project_name"] = project_id_name[project_id]
                                               fail_on_empty=False)
                          project_id_name[project_id] = pr["name"] if pr else None
                      prm["project_name"] = project_id_name[project_id]
@@ -368,7 +399,8 @@ class AuthconnInternal(Authconn):
  
                      role_id = prm["role"]
                      if role_id not in role_id_name:
  
                      role_id = prm["role"]
                      if role_id not in role_id_name:
-                        role = self.db.get_one("roles", {BaseTopic.id_field("roles", role_id): role_id},
+                        role = self.db.get_one(self.roles_collection,
+                                               {BaseTopic.id_field("roles", role_id): role_id},
                                                 fail_on_empty=False)
                          role_id_name[role_id] = role["name"] if role else None
                      prm["role_name"] = role_id_name[role_id]
                                                 fail_on_empty=False)
                          role_id_name[role_id] = role["name"] if role else None
                      prm["role_name"] = role_id_name[role_id]
@@ -376,9 +408,11 @@ class AuthconnInternal(Authconn):
              elif projects:
                  # user created with an old version. Create a project_role mapping with role project_admin
                  user["project_role_mappings"] = []
              elif projects:
                  # user created with an old version. Create a project_role mapping with role project_admin
                  user["project_role_mappings"] = []
-                role = self.db.get_one("roles", {BaseTopic.id_field("roles", "project_admin"): "project_admin"})
+                role = self.db.get_one(self.roles_collection,
+                                       {BaseTopic.id_field("roles", "project_admin"): "project_admin"})
                  for p_id_name in projects:
                  for p_id_name in projects:
-                    pr = self.db.get_one("projects", {BaseTopic.id_field("projects", p_id_name): p_id_name})
+                    pr = self.db.get_one(self.projects_collection,
+                                         {BaseTopic.id_field("projects", p_id_name): p_id_name})
                      prm = {"project": pr["_id"],
                             "project_name": pr["name"],
                             "role_name": "project_admin",
                      prm = {"project": pr["_id"],
                             "project_name": pr["name"],
                             "role_name": "project_admin",
@@ -397,7 +431,7 @@ class AuthconnInternal(Authconn):
  
          :return: returns the list of projects.
          """
  
          :return: returns the list of projects.
          """
-        return self.db.get_list("projects", filter_q)
+        return self.db.get_list(self.projects_collection, filter_q)
  
      def create_project(self, project_info):
          """
  
      def create_project(self, project_info):
          """
@@ -407,7 +441,7 @@ class AuthconnInternal(Authconn):
          :return: the internal id of the created project
          :raises AuthconnOperationException: if project creation failed.
          """
          :return: the internal id of the created project
          :raises AuthconnOperationException: if project creation failed.
          """
-        pid = self.db.create("projects", project_info)
+        pid = self.db.create(self.projects_collection, project_info)
          return pid
  
      def delete_project(self, project_id):
          return pid
  
      def delete_project(self, project_id):
@@ -417,8 +451,10 @@ class AuthconnInternal(Authconn):
          :param project_id: project identifier.
          :raises AuthconnOperationException: if project deletion failed.
          """
          :param project_id: project identifier.
          :raises AuthconnOperationException: if project deletion failed.
          """
-        filter_q = {BaseTopic.id_field("projects", project_id): project_id}
-        r = self.db.del_one("projects", filter_q)
+        idf = BaseTopic.id_field("projects", project_id)
+        r = self.db.del_one(self.projects_collection, {idf: project_id})
+        idf = "project_id" if idf == "_id" else "project_name"
+        self.db.del_list(self.tokens_collection, {idf: project_id})
          return r
  
      def update_project(self, project_id, project_info):
          return r
  
      def update_project(self, project_id, project_info):
@@ -430,4 +466,5 @@ class AuthconnInternal(Authconn):
          :return: None
          :raises AuthconnOperationException: if project update failed.
          """
          :return: None
          :raises AuthconnOperationException: if project update failed.
          """
-        self.db.set_one("projects", {BaseTopic.id_field("projects", project_id): project_id}, project_info)
+        self.db.set_one(self.projects_collection, {BaseTopic.id_field("projects", project_id): project_id},
+                        project_info)