gce-api/gceapi/api/oauth.py

# Copyright 2014
# The Cloudscaling Group, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import base64
import json
import time
import uuid

from keystoneclient import client as keystone_client
from keystoneclient import exceptions
from oslo_config import cfg
from oslo_log import log as logging
import webob

from gceapi.i18n import _
from gceapi import wsgi_ext as openstack_wsgi

CONF = cfg.CONF
LOG = logging.getLogger(__name__)


INTERNAL_GCUTIL_PROJECTS = ["debian-cloud", "centos-cloud", "suse-cloud",
                            "rhel-cloud", "windows-cloud", "google",
                            "coreos-cloud", "opensuse-cloud"]


class OAuthFault(openstack_wsgi.Fault):
    """Fault compliant with RFC

    To prevent extra info added by openstack.wsgi.Fault class
    to response which is not compliant RFC6749.
    """
    @webob.dec.wsgify(RequestClass=openstack_wsgi.Request)
    def __call__(self, req):
        return self.wrapped_exc


class Controller(object):
    """Simple OAuth2.0 Controller

    If you need other apps to work with GCE API you should add it here
    in VALID_CLIENTS.
    Based on https://developers.google.com/accounts/docs/OAuth2InstalledApp
    and on RFC 6749(paragraph 4.1).
    """

    AUTH_TIMEOUT = 300
    VALID_CLIENTS = {
        "32555940559.apps.googleusercontent.com": "ZmssLNjJy2998hD4CTg2ejr2",
        "1025389682001.apps.googleusercontent.com": "xslsVXhA7C8aOfSfb6edB6p6",
    }

    INTERNAL_REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob"
    AUTH_PAGE_TEMPLATE =\
        "<!DOCTYPE html>"\
        "<html xmlns=\"http://www.w3.org/1999/xhtml\"><body>"\
        "Enter Openstack username and password to access GCE API<br/>"\
        "<br/>"\
        "<form action=\"approval\" name=\"approval\" method=\"post\">"\
        "<input type=\"hidden\" name=\"redirect_uri\" value=\""\
        + "{redirect_uri}\"/>"\
        "<input type=\"hidden\" name=\"code\" value=\"{code}\"/>"\
        "<input type=\"text\" name=\"username\" value=\"\"/><br/>"\
        "<input type=\"password\" name=\"password\" value=\"\"/><br/>"\
        "<input type=\"submit\" value=\"Login\"/>"\
        "</form>"\
        "</body></html>"

    class Client(object):
        auth_start_time = 0
        auth_token = None
        expires_in = 1

    # NOTE(apavlov): there is no cleaning of the dictionary
    _clients = {}

    def _check_redirect_uri(self, uri):
        if uri is None:
            msg = _("redirect_uri should be present")
            raise webob.exc.HTTPBadRequest(explanation=msg)
        if "localhost" not in uri and uri != self.INTERNAL_REDIRECT_URI:
            msg = _("redirect_uri has invalid format."
                    "it must confirms installed application uri of GCE")
            json_body = {"error": "invalid_request",
                         "error_description": msg}
            raise OAuthFault(webob.exc.HTTPBadRequest(json_body=json_body))

    def auth(self, req):
        """OAuth protocol authorization endpoint handler

        Returns login authorization webpage invoked for example by gcutil auth.
        """
        client_id = req.GET.get("client_id")
        if client_id is None or client_id not in self.VALID_CLIENTS:
            json_body = {"error": "unauthorized_client"}
            raise OAuthFault(webob.exc.HTTPBadRequest(json_body=json_body))

        if req.GET.get("response_type") != "code":
            json_body = {"error": "unsupported_response_type"}
            raise OAuthFault(webob.exc.HTTPBadRequest(json_body=json_body))
        self._check_redirect_uri(req.GET.get("redirect_uri"))

        code = base64.urlsafe_b64encode(uuid.uuid4().bytes).replace('=', '')
        self._clients[code] = self.Client()
        self._clients[code].auth_start_time = time.time()

        html_page = self.AUTH_PAGE_TEMPLATE.format(
            redirect_uri=req.GET.get("redirect_uri"),
            code=code)
        return html_page

    def approval(self, req):
        """OAuth protocol authorization endpoint handler second part

        Returns webpage with verification code or redirects to provided
        redirect_uri specified in auth request.
        """
        code = req.POST.get("code")
        if code is None:
            json_body = {"error": "invalid_request"}
            raise OAuthFault(webob.exc.HTTPBadRequest(json_body=json_body))

        client = self._clients.get(code)
        if client is None:
            json_body = {"error": "invalid_client"}
            raise OAuthFault(webob.exc.HTTPBadRequest(json_body=json_body))

        if time.time() - client.auth_start_time > self.AUTH_TIMEOUT:
            raise webob.exc.HTTPRequestTimeout()

        redirect_uri = req.POST.get("redirect_uri")
        self._check_redirect_uri(redirect_uri)

        username = req.POST.get("username")
        password = req.POST.get("password")

        try:
            keystone = keystone_client.Client(
                username=username,
                password=password,
                auth_url=CONF.keystone_url)
            if keystone.auth_ref is None:
                # Ver2 doesn't create session and performs
                # authentication automatically, but Ver3 does create session
                # if it's not provided and doesn't perform authentication.
                # TODO(alexy-mr): use sessions
                keystone.authenticate()
            client.auth_token = keystone.auth_token
            s = keystone.auth_ref.issued
            e = keystone.auth_ref.expires
            client.expires_in = (e - s).seconds
        except Exception as ex:
            return webob.exc.HTTPUnauthorized(ex)

        if redirect_uri == self.INTERNAL_REDIRECT_URI:
            return "<html><body>Verification code is: "\
                + code + "</body></html>"

        uri = redirect_uri + "?code=" + code
        raise webob.exc.HTTPFound(location=uri)

    def token(self, req):
        """OAuth protocol authorization endpoint handler second part

        Returns json with tokens(access_token and optionally refresh_token).
        """
        client_id = req.POST.get("client_id")
        if client_id is None or client_id not in self.VALID_CLIENTS:
            json_body = {"error": "unauthorized_client"}
            raise OAuthFault(webob.exc.HTTPBadRequest(json_body=json_body))
        valid_secret = self.VALID_CLIENTS[client_id]
        client_secret = req.POST.get("client_secret")
        if client_secret is None or client_secret != valid_secret:
            json_body = {"error": "unauthorized_client"}
            raise OAuthFault(webob.exc.HTTPBadRequest(json_body=json_body))

        if req.POST.get("grant_type") != "authorization_code":
            json_body = {"error": "unsupported_grant_type"}
            raise OAuthFault(webob.exc.HTTPBadRequest(json_body=json_body))

        code = req.POST.get("code")
        client = self._clients.get(code)
        if client is None:
            json_body = {"error": "invalid_client"}
            raise OAuthFault(webob.exc.HTTPBadRequest(json_body=json_body))

        result = {"access_token": client.auth_token,
                  "expires_in": client.expires_in,
                  "token_type": "Bearer"}
        return json.dumps(result)


class AuthProtocol(object):
    """Filter for translating oauth token to keystone token."""
    def __init__(self, app):
        self.app = app
        self.auth_url = CONF.keystone_url

    def __call__(self, env, start_response):
        auth_token = env.get("HTTP_AUTHORIZATION")
        if auth_token is None:
            return self._reject_request(start_response)

        project = env["PATH_INFO"].split("/")[1]
        try:
            keystone = keystone_client.Client(
                token=auth_token.split()[1],
                tenant_name=project,
                force_new_token=True,
                auth_url=self.auth_url)
            if keystone.auth_ref is None:
                # Ver2 doesn't create session and performs
                # authentication automatically, but Ver3 does create session
                # if it's not provided and doesn't perform authentication.
                # TODO(alexey-mr): use sessions
                keystone.authenticate()
            scoped_token = keystone.auth_token
            env["HTTP_X_AUTH_TOKEN"] = scoped_token
            return self.app(env, start_response)
        except exceptions.Unauthorized:
            if project in INTERNAL_GCUTIL_PROJECTS:
                # NOTE(apavlov): return empty if no such projects(by gcutil)
                headers = [('Content-type', 'application/json;charset=UTF-8')]
                start_response('200 Ok', headers)
                return ["{}"]

            return self._reject_request(start_response)

    def _reject_request(self, start_response):
        headers = [('Content-type', 'application/json;charset=UTF-8')]
        start_response('401 Unauthorized', headers)
        json_body = {"error": "access_denied"}
        return [json.dumps(json_body)]


def filter_factory(global_conf, **local_conf):
    def auth_filter(app):
        return AuthProtocol(app)
    return auth_filter


def create_resource():
    return openstack_wsgi.Resource(Controller())