Merge "Implement Basic HTTP authentication middleware"
This commit is contained in:
commit
df238ba1f3
187
ironic_lib/auth_basic.py
Normal file
187
ironic_lib/auth_basic.py
Normal file
@ -0,0 +1,187 @@
|
|||||||
|
# Copyright 2020 Red Hat, Inc.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
import base64
|
||||||
|
import binascii
|
||||||
|
|
||||||
|
import bcrypt
|
||||||
|
from oslo_log import log
|
||||||
|
|
||||||
|
from ironic_lib.common.i18n import _
|
||||||
|
from ironic_lib import exception
|
||||||
|
|
||||||
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
class BasicAuthMiddleware(object):
|
||||||
|
"""Middleware which performs HTTP basic authentication on requests
|
||||||
|
|
||||||
|
"""
|
||||||
|
def __init__(self, app, auth_file):
|
||||||
|
self.app = app
|
||||||
|
self.auth_file = auth_file
|
||||||
|
validate_auth_file(auth_file)
|
||||||
|
|
||||||
|
def __call__(self, env, start_response):
|
||||||
|
|
||||||
|
try:
|
||||||
|
token = parse_header(env)
|
||||||
|
username, password = parse_token(token)
|
||||||
|
env.update(authenticate(self.auth_file, username, password))
|
||||||
|
|
||||||
|
return self.app(env, start_response)
|
||||||
|
|
||||||
|
except exception.IronicException as e:
|
||||||
|
status = '%s %s' % (int(e.code), str(e))
|
||||||
|
headers = [(k, v) for k, v in e.headers.items()]
|
||||||
|
start_response(status, headers)
|
||||||
|
|
||||||
|
|
||||||
|
def authenticate(auth_file, username, password):
|
||||||
|
"""Finds username and password match in Apache style user auth file
|
||||||
|
|
||||||
|
The user auth file format is expected to comply with Apache
|
||||||
|
documentation[1] however the bcrypt password digest is the *only*
|
||||||
|
digest format supported.
|
||||||
|
|
||||||
|
[1] https://httpd.apache.org/docs/current/misc/password_encryptions.html
|
||||||
|
|
||||||
|
:param: auth_file: Path to user auth file
|
||||||
|
:param: username: Username to authenticate
|
||||||
|
:param: password: Password encoded as bytes
|
||||||
|
:returns: A dictionary of WSGI environment values to append to the request
|
||||||
|
:raises: Unauthorized, if no file entries match supplied username/password
|
||||||
|
"""
|
||||||
|
line_prefix = username + ':'
|
||||||
|
try:
|
||||||
|
with open(auth_file, 'r') as f:
|
||||||
|
for line in f:
|
||||||
|
entry = line.strip()
|
||||||
|
if entry and entry.startswith(line_prefix):
|
||||||
|
return auth_entry(entry, password)
|
||||||
|
except OSError:
|
||||||
|
raise exception.ConfigInvalid(
|
||||||
|
error_msg=_('Problem reading auth user file'))
|
||||||
|
# reached end of file with no matches
|
||||||
|
unauthorized()
|
||||||
|
|
||||||
|
|
||||||
|
def auth_entry(entry, password):
|
||||||
|
"""Compare a password with a single user auth file entry
|
||||||
|
|
||||||
|
:param: entry: Line from auth user file to use for authentication
|
||||||
|
:param: password: Password encoded as bytes
|
||||||
|
:returns: A dictionary of WSGI environment values to append to the request
|
||||||
|
:raises: Unauthorized, if the entry doesn't match supplied password or
|
||||||
|
if the entry is crypted with a method other than bcrypt
|
||||||
|
"""
|
||||||
|
username, crypted = parse_entry(entry)
|
||||||
|
|
||||||
|
if not bcrypt.checkpw(password, crypted):
|
||||||
|
unauthorized()
|
||||||
|
|
||||||
|
return {
|
||||||
|
'HTTP_X_USER': username,
|
||||||
|
'HTTP_X_USER_NAME': username
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
def validate_auth_file(auth_file):
|
||||||
|
"""Read the auth user file and validate its correctness
|
||||||
|
|
||||||
|
:param: auth_file: Path to user auth file
|
||||||
|
:raises: ConfigInvalid on validation error
|
||||||
|
"""
|
||||||
|
try:
|
||||||
|
with open(auth_file, 'r') as f:
|
||||||
|
for line in f:
|
||||||
|
entry = line.strip()
|
||||||
|
if entry and ':' in entry:
|
||||||
|
parse_entry(entry)
|
||||||
|
except OSError:
|
||||||
|
raise exception.ConfigInvalid(
|
||||||
|
error_msg=_('Problem reading auth user file: %s') % auth_file)
|
||||||
|
|
||||||
|
|
||||||
|
def parse_entry(entry):
|
||||||
|
"""Extrace the username and crypted password from a user auth file entry
|
||||||
|
|
||||||
|
:param: entry: Line from auth user file to use for authentication
|
||||||
|
:returns: a tuple of username and crypted password
|
||||||
|
:raises: ConfigInvalid if the password is not in the supported bcrypt
|
||||||
|
format
|
||||||
|
"""
|
||||||
|
username, crypted_str = entry.split(':', maxsplit=1)
|
||||||
|
crypted = crypted_str.encode('utf-8')
|
||||||
|
|
||||||
|
if not crypted.startswith(b'$2y$'):
|
||||||
|
error_msg = _('Only bcrypt digested passwords are supported for '
|
||||||
|
'%(username)s') % {'username': username}
|
||||||
|
raise exception.ConfigInvalid(error_msg=error_msg)
|
||||||
|
return username, crypted
|
||||||
|
|
||||||
|
|
||||||
|
def parse_token(token):
|
||||||
|
"""Parse the token portion of the Authentication header value
|
||||||
|
|
||||||
|
:param: token: Token value from basic authorization header
|
||||||
|
:returns: tuple of username, password
|
||||||
|
:raises: Unauthorized, if username and password could not be parsed for any
|
||||||
|
reason
|
||||||
|
"""
|
||||||
|
try:
|
||||||
|
if isinstance(token, str):
|
||||||
|
token = token.encode('utf-8')
|
||||||
|
auth_pair = base64.b64decode(token, validate=True)
|
||||||
|
(username, password) = auth_pair.split(b':', maxsplit=1)
|
||||||
|
|
||||||
|
return (username.decode('utf-8'), password)
|
||||||
|
except (TypeError, binascii.Error, ValueError):
|
||||||
|
raise exception.BadRequest(_('Could not decode authorization token'))
|
||||||
|
|
||||||
|
|
||||||
|
def parse_header(env):
|
||||||
|
"""Parse WSGI environment for Authorization header of type Basic
|
||||||
|
|
||||||
|
:param: env: WSGI environment to get header from
|
||||||
|
:returns: Token portion of the header value
|
||||||
|
:raises: Unauthorized, if header is missing or if the type is not Basic
|
||||||
|
"""
|
||||||
|
try:
|
||||||
|
auth_header = env.pop('HTTP_AUTHORIZATION')
|
||||||
|
except KeyError:
|
||||||
|
unauthorized(_('Authorization required'))
|
||||||
|
try:
|
||||||
|
auth_type, token = auth_header.strip().split(maxsplit=1)
|
||||||
|
except (ValueError, AttributeError):
|
||||||
|
raise exception.BadRequest(_('Could not parse Authorization header'))
|
||||||
|
|
||||||
|
if auth_type.lower() != 'basic':
|
||||||
|
raise exception.BadRequest(_('Unsupported authorization type: '
|
||||||
|
'%(auth_type)s') % {'auth_type': auth_type})
|
||||||
|
return token
|
||||||
|
|
||||||
|
|
||||||
|
def unauthorized(message=None):
|
||||||
|
"""Raise an Unauthorized exception to prompt for basic authentication
|
||||||
|
|
||||||
|
:param: message: Optional message for esception
|
||||||
|
:raises: Unauthorized with WWW-Authenticate header set
|
||||||
|
"""
|
||||||
|
if not message:
|
||||||
|
message = _('Incorrect username or password')
|
||||||
|
e = exception.Unauthorized(message)
|
||||||
|
e.headers['WWW-Authenticate'] = 'Basic realm="Baremetal API"'
|
||||||
|
raise e
|
@ -23,6 +23,7 @@ SHOULD include dedicated exception logging.
|
|||||||
"""
|
"""
|
||||||
|
|
||||||
import collections
|
import collections
|
||||||
|
from http import client as http_client
|
||||||
|
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
@ -167,3 +168,15 @@ class ServiceLookupFailure(IronicException):
|
|||||||
|
|
||||||
class ServiceRegistrationFailure(IronicException):
|
class ServiceRegistrationFailure(IronicException):
|
||||||
_msg_fmt = _("Cannot register %(service)s service: %(error)s")
|
_msg_fmt = _("Cannot register %(service)s service: %(error)s")
|
||||||
|
|
||||||
|
|
||||||
|
class BadRequest(IronicException):
|
||||||
|
code = http_client.BAD_REQUEST
|
||||||
|
|
||||||
|
|
||||||
|
class Unauthorized(IronicException):
|
||||||
|
code = http_client.UNAUTHORIZED
|
||||||
|
|
||||||
|
|
||||||
|
class ConfigInvalid(IronicException):
|
||||||
|
_msg_fmt = _("Invalid configuration file. %(error_msg)s")
|
||||||
|
202
ironic_lib/tests/test_basic_auth.py
Normal file
202
ironic_lib/tests/test_basic_auth.py
Normal file
@ -0,0 +1,202 @@
|
|||||||
|
# Copyright 2020 Red Hat, Inc.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
import base64
|
||||||
|
import os
|
||||||
|
import tempfile
|
||||||
|
|
||||||
|
import mock
|
||||||
|
|
||||||
|
from ironic_lib import auth_basic
|
||||||
|
from ironic_lib import exception
|
||||||
|
from ironic_lib.tests import base
|
||||||
|
|
||||||
|
|
||||||
|
class TestAuthBasic(base.IronicLibTestCase):
|
||||||
|
|
||||||
|
def write_auth_file(self, data=None):
|
||||||
|
if not data:
|
||||||
|
data = '\n'
|
||||||
|
with tempfile.NamedTemporaryFile(mode='w', delete=False) as f:
|
||||||
|
f.write(data)
|
||||||
|
self.addCleanup(os.remove, f.name)
|
||||||
|
return f.name
|
||||||
|
|
||||||
|
def test_middleware_authenticate(self):
|
||||||
|
auth_file = self.write_auth_file(
|
||||||
|
'myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.'
|
||||||
|
'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n')
|
||||||
|
app = mock.Mock()
|
||||||
|
start_response = mock.Mock()
|
||||||
|
middleware = auth_basic.BasicAuthMiddleware(app, auth_file)
|
||||||
|
env = {
|
||||||
|
'HTTP_AUTHORIZATION': 'Basic bXlOYW1lOm15UGFzc3dvcmQ='
|
||||||
|
}
|
||||||
|
|
||||||
|
result = middleware(env, start_response)
|
||||||
|
self.assertEqual(app.return_value, result)
|
||||||
|
start_response.assert_not_called()
|
||||||
|
|
||||||
|
def test_middleware_unauthenticated(self):
|
||||||
|
auth_file = self.write_auth_file(
|
||||||
|
'myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.'
|
||||||
|
'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n')
|
||||||
|
app = mock.Mock()
|
||||||
|
start_response = mock.Mock()
|
||||||
|
middleware = auth_basic.BasicAuthMiddleware(app, auth_file)
|
||||||
|
env = {}
|
||||||
|
|
||||||
|
middleware(env, start_response)
|
||||||
|
|
||||||
|
start_response.assert_called_once_with(
|
||||||
|
'401 Authorization required',
|
||||||
|
[('WWW-Authenticate', 'Basic realm="Baremetal API"')]
|
||||||
|
)
|
||||||
|
app.assert_not_called()
|
||||||
|
|
||||||
|
def test_authenticate(self):
|
||||||
|
auth_file = self.write_auth_file(
|
||||||
|
'foo:bar\nmyName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.'
|
||||||
|
'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n')
|
||||||
|
|
||||||
|
# test basic auth
|
||||||
|
self.assertEqual(
|
||||||
|
{'HTTP_X_USER': 'myName', 'HTTP_X_USER_NAME': 'myName'},
|
||||||
|
auth_basic.authenticate(
|
||||||
|
auth_file, 'myName', b'myPassword')
|
||||||
|
)
|
||||||
|
|
||||||
|
# test failed auth
|
||||||
|
e = self.assertRaises(exception.ConfigInvalid,
|
||||||
|
auth_basic.authenticate,
|
||||||
|
auth_file, 'foo', b'bar')
|
||||||
|
self.assertEqual('Invalid configuration file. Only bcrypt digested '
|
||||||
|
'passwords are supported for foo', str(e))
|
||||||
|
|
||||||
|
# test problem reading user data file
|
||||||
|
auth_file = auth_file + '.missing'
|
||||||
|
e = self.assertRaises(exception.ConfigInvalid,
|
||||||
|
auth_basic.authenticate,
|
||||||
|
auth_file, 'myName',
|
||||||
|
b'myPassword')
|
||||||
|
self.assertEqual('Invalid configuration file. Problem reading '
|
||||||
|
'auth user file', str(e))
|
||||||
|
|
||||||
|
def test_auth_entry(self):
|
||||||
|
entry_pass = ('myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.'
|
||||||
|
'JETVCWBkc32C63UP2aYrGoYOEpbJm')
|
||||||
|
entry_fail = 'foo:bar'
|
||||||
|
|
||||||
|
# success
|
||||||
|
self.assertEqual(
|
||||||
|
{'HTTP_X_USER': 'myName', 'HTTP_X_USER_NAME': 'myName'},
|
||||||
|
auth_basic.auth_entry(
|
||||||
|
entry_pass, b'myPassword')
|
||||||
|
)
|
||||||
|
|
||||||
|
# failed, unknown digest format
|
||||||
|
e = self.assertRaises(exception.ConfigInvalid,
|
||||||
|
auth_basic.auth_entry, entry_fail, b'bar')
|
||||||
|
self.assertEqual('Invalid configuration file. Only bcrypt digested '
|
||||||
|
'passwords are supported for foo', str(e))
|
||||||
|
|
||||||
|
# failed, incorrect password
|
||||||
|
e = self.assertRaises(exception.Unauthorized,
|
||||||
|
auth_basic.auth_entry, entry_pass, b'bar')
|
||||||
|
self.assertEqual('Incorrect username or password', str(e))
|
||||||
|
|
||||||
|
def test_validate_auth_file(self):
|
||||||
|
auth_file = self.write_auth_file(
|
||||||
|
'myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.'
|
||||||
|
'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n')
|
||||||
|
# success, valid config
|
||||||
|
auth_basic.validate_auth_file(auth_file)
|
||||||
|
|
||||||
|
# failed, missing auth file
|
||||||
|
auth_file = auth_file + '.missing'
|
||||||
|
self.assertRaises(exception.ConfigInvalid,
|
||||||
|
auth_basic.validate_auth_file, auth_file)
|
||||||
|
|
||||||
|
# failed, invalid entry
|
||||||
|
auth_file = self.write_auth_file(
|
||||||
|
'foo:bar\nmyName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.'
|
||||||
|
'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n')
|
||||||
|
self.assertRaises(exception.ConfigInvalid,
|
||||||
|
auth_basic.validate_auth_file, auth_file)
|
||||||
|
|
||||||
|
def test_parse_token(self):
|
||||||
|
|
||||||
|
# success with bytes
|
||||||
|
token = base64.b64encode(b'myName:myPassword')
|
||||||
|
self.assertEqual(
|
||||||
|
('myName', b'myPassword'),
|
||||||
|
auth_basic.parse_token(token)
|
||||||
|
)
|
||||||
|
|
||||||
|
# success with string
|
||||||
|
token = str(token, encoding='utf-8')
|
||||||
|
self.assertEqual(
|
||||||
|
('myName', b'myPassword'),
|
||||||
|
auth_basic.parse_token(token)
|
||||||
|
)
|
||||||
|
|
||||||
|
# failed, invalid base64
|
||||||
|
e = self.assertRaises(exception.BadRequest,
|
||||||
|
auth_basic.parse_token, token[:-1])
|
||||||
|
self.assertEqual('Could not decode authorization token', str(e))
|
||||||
|
|
||||||
|
# failed, no colon in token
|
||||||
|
token = str(base64.b64encode(b'myNamemyPassword'), encoding='utf-8')
|
||||||
|
e = self.assertRaises(exception.BadRequest,
|
||||||
|
auth_basic.parse_token, token[:-1])
|
||||||
|
self.assertEqual('Could not decode authorization token', str(e))
|
||||||
|
|
||||||
|
def test_parse_header(self):
|
||||||
|
auth_value = 'Basic bXlOYW1lOm15UGFzc3dvcmQ='
|
||||||
|
|
||||||
|
# success
|
||||||
|
self.assertEqual(
|
||||||
|
'bXlOYW1lOm15UGFzc3dvcmQ=',
|
||||||
|
auth_basic.parse_header({
|
||||||
|
'HTTP_AUTHORIZATION': auth_value
|
||||||
|
})
|
||||||
|
)
|
||||||
|
|
||||||
|
# failed, missing Authorization header
|
||||||
|
e = self.assertRaises(exception.Unauthorized,
|
||||||
|
auth_basic.parse_header,
|
||||||
|
{})
|
||||||
|
self.assertEqual('Authorization required', str(e))
|
||||||
|
|
||||||
|
# failed missing token
|
||||||
|
e = self.assertRaises(exception.BadRequest,
|
||||||
|
auth_basic.parse_header,
|
||||||
|
{'HTTP_AUTHORIZATION': 'Basic'})
|
||||||
|
self.assertEqual('Could not parse Authorization header', str(e))
|
||||||
|
|
||||||
|
# failed, type other than Basic
|
||||||
|
digest_value = 'Digest username="myName" nonce="foobar"'
|
||||||
|
e = self.assertRaises(exception.BadRequest,
|
||||||
|
auth_basic.parse_header,
|
||||||
|
{'HTTP_AUTHORIZATION': digest_value})
|
||||||
|
self.assertEqual('Unsupported authorization type: Digest', str(e))
|
||||||
|
|
||||||
|
def test_unauthorized(self):
|
||||||
|
e = self.assertRaises(exception.Unauthorized,
|
||||||
|
auth_basic.unauthorized, 'ouch')
|
||||||
|
self.assertEqual('ouch', str(e))
|
||||||
|
self.assertEqual({
|
||||||
|
'WWW-Authenticate': 'Basic realm="Baremetal API"'
|
||||||
|
}, e.headers)
|
@ -1,5 +1,6 @@
|
|||||||
appdirs==1.3.0
|
appdirs==1.3.0
|
||||||
Babel==2.3.4
|
Babel==2.3.4
|
||||||
|
bcrypt==3.1.3
|
||||||
chardet==3.0.4
|
chardet==3.0.4
|
||||||
coverage==4.0
|
coverage==4.0
|
||||||
debtcollector==1.2.0
|
debtcollector==1.2.0
|
||||||
|
@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Implement Basic HTTP authentication middleware.
|
||||||
|
|
||||||
|
This middleware is added to ironic-lib so that it can eventually be
|
||||||
|
used by ironic and ironic-inspector as an alternative to noauth in
|
||||||
|
standalone environments.
|
||||||
|
|
||||||
|
This middleware is passed a path to a file which supports the
|
||||||
|
Apache htpasswd syntax[1]. This file is read for every request, so no
|
||||||
|
service restart is required when changes are made.
|
||||||
|
|
||||||
|
The only password digest supported is bcrypt, and the ``bcrypt``
|
||||||
|
python library is used for password checks since it supports ``$2y$``
|
||||||
|
prefixed bcrypt passwords as generated by the Apache htpasswd utility.
|
||||||
|
|
||||||
|
[1] https://httpd.apache.org/docs/current/misc/password_encryptions.html
|
@ -12,3 +12,4 @@ oslo.utils>=3.33.0 # Apache-2.0
|
|||||||
requests>=2.14.2 # Apache-2.0
|
requests>=2.14.2 # Apache-2.0
|
||||||
oslo.log>=3.36.0 # Apache-2.0
|
oslo.log>=3.36.0 # Apache-2.0
|
||||||
zeroconf>=0.24.0 # LGPL
|
zeroconf>=0.24.0 # LGPL
|
||||||
|
bcrypt>=3.1.3 # Apache-2.0
|
||||||
|
Loading…
Reference in New Issue
Block a user