diff --git a/mogan/conf/__init__.py b/mogan/conf/__init__.py index 7fcb156d..8885d9ef 100644 --- a/mogan/conf/__init__.py +++ b/mogan/conf/__init__.py @@ -16,6 +16,7 @@ from oslo_config import cfg from mogan.conf import api +from mogan.conf import cache from mogan.conf import database from mogan.conf import default from mogan.conf import engine @@ -40,3 +41,4 @@ neutron.register_opts(CONF) quota.register_opts(CONF) scheduler.register_opts(CONF) shellinabox.register_opts(CONF) +cache.register_opts(CONF) diff --git a/mogan/conf/cache.py b/mogan/conf/cache.py new file mode 100644 index 00000000..ae9a3220 --- /dev/null +++ b/mogan/conf/cache.py @@ -0,0 +1,24 @@ +# Copyright 2017 Huawei Technologies Co.,LTD. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_cache import core + + +def register_opts(conf): + core.configure(conf) + + +def list_opts(): + # The oslo_cache library returns a list of tuples + return dict(core._opts.list_opts()) diff --git a/mogan/consoleauth/__init__.py b/mogan/consoleauth/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/mogan/consoleauth/manager.py b/mogan/consoleauth/manager.py new file mode 100644 index 00000000..af982ed1 --- /dev/null +++ b/mogan/consoleauth/manager.py @@ -0,0 +1,155 @@ +# Copyright (c) 2012 OpenStack Foundation +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""Auth Components for Consoles.""" + +import time + +from eventlet import greenpool +import oslo_cache +from oslo_log import log as logging +import oslo_messaging as messaging +from oslo_serialization import jsonutils + +import mogan.conf +from mogan.engine import rpcapi + +LOG = logging.getLogger(__name__) + +CONF = mogan.conf.CONF + + +class ConsoleAuthManager(object): + """Manages token based authentication.""" + + target = messaging.Target(version='1.0') + + def __init__(self, host, topic): + super(ConsoleAuthManager, self).__init__() + self.host = host + self.topic = topic + self._started = False + self._cache = None + self._cache_instance = None + self.engine_rpcapi = rpcapi.EngineAPI() + + def init_host(self): + self._worker_pool = greenpool.GreenPool( + size=CONF.engine.workers_pool_size) + self._started = True + + def del_host(self): + self._worker_pool.waitall() + self._started = False + + def periodic_tasks(self, context, raise_on_error=False): + pass + + @property + def cache(self): + """The recommended config example: + [cache] + backend_argument = url:127.0.0.1:11211 + expiration_time = 600 + backend = dogpile.cache.memcached + enabled = True + """ + # TODO(liusheng)may need to define config options [consoleauth] + # section and then override to the [cache] section + if self._cache is None: + cache_region = oslo_cache.create_region() + self._cache = oslo_cache.configure_cache_region(CONF, cache_region) + return self._cache + + @property + def cache_instance(self): + """Init a permanent cache region for instance token storage.""" + if self._cache_instance is None: + cache_ttl = CONF.cache.expiration_time + try: + CONF.set_override('expiration_time', None, 'cache') + cache_region = oslo_cache.create_region() + self._cache_instance = oslo_cache.configure_cache_region( + CONF, cache_region) + finally: + CONF.set_override('expiration_time', cache_ttl, 'cache') + return self._cache_instance + + def reset(self): + LOG.info('Reloading Mogan engine RPC API') + self.engine_rpcapi = rpcapi.EngineAPI() + + def _get_tokens_for_instance(self, instance_uuid): + tokens_str = self.cache_instance.get(instance_uuid.encode('UTF-8')) + if not tokens_str: + tokens = [] + else: + tokens = jsonutils.loads(tokens_str) + return tokens + + def authorize_console(self, context, token, console_type, host, port, + internal_access_path, instance_uuid, + access_url=None): + + token_dict = {'token': token, + 'instance_uuid': instance_uuid, + 'console_type': console_type, + 'host': host, + 'port': port, + 'internal_access_path': internal_access_path, + 'access_url': access_url, + 'last_activity_at': time.time()} + data = jsonutils.dumps(token_dict) + + self.cache.set(token.encode('UTF-8'), data) + tokens = self._get_tokens_for_instance(instance_uuid) + + # Remove the expired tokens from cache. + token_values = self.cache.get_multi( + [tok.encode('UTF-8') for tok in tokens]) + tokens = [name for name, value in zip(tokens, token_values) + if value] + tokens.append(token) + + self.cache_instance.set(instance_uuid.encode('UTF-8'), + jsonutils.dumps(tokens)) + + LOG.info("Received Token: %(token)s, %(token_dict)s", + {'token': token, 'token_dict': token_dict}) + + def _validate_token(self, context, token): + instance_uuid = token['instance_uuid'] + if instance_uuid is None: + return False + return True + # TODO(need to validate the console port) + # return self.compute_rpcapi.validate_console_port( + # context, instance, token['port'], token['console_type']) + + def check_token(self, context, token): + token_str = self.cache.get(token.encode('UTF-8')) + token_valid = bool(token_str) + LOG.info("Checking Token: %(token)s, %(token_valid)s", + {'token': token, 'token_valid': token_valid}) + if token_valid: + token = jsonutils.loads(token_str) + if self._validate_token(context, token): + return token + + def delete_tokens_for_instance(self, context, instance_uuid): + tokens = self._get_tokens_for_instance(instance_uuid) + self.cache.delete_multi( + [tok.encode('UTF-8') for tok in tokens]) + self.cache_instance.delete(instance_uuid.encode('UTF-8')) diff --git a/mogan/tests/unit/consoleauth/__init__.py b/mogan/tests/unit/consoleauth/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/mogan/tests/unit/consoleauth/test_manager.py b/mogan/tests/unit/consoleauth/test_manager.py new file mode 100644 index 00000000..dd5971f0 --- /dev/null +++ b/mogan/tests/unit/consoleauth/test_manager.py @@ -0,0 +1,106 @@ +# Copyright 2017 Huawei Technologies Co.,LTD. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +""" +Tests For ConsoleAuth manager +""" +import time + +import mock + +from mogan.consoleauth import manager +from mogan.tests import base as test + + +class ConsoleAuthManagerTestCase(test.TestCase): + """Test case for ConsoleAuthManager class.""" + + def setUp(self): + super(ConsoleAuthManagerTestCase, self).setUp() + self.manager = manager.ConsoleAuthManager('test-host', + 'test-consoleauth-topic') + self.instance_uuid = 'e7481762-3215-4489-bde5-0068a6bf79d1' + self.config(backend='oslo_cache.dict', enabled=True, + group='cache') + self.addCleanup( + self.manager.delete_tokens_for_instance, self.context, + self.instance_uuid) + + def test_reset(self): + with mock.patch('mogan.engine.rpcapi.EngineAPI') as mock_rpc: + old_rpcapi = self.manager.engine_rpcapi + self.manager.reset() + mock_rpc.assert_called_once_with() + self.assertNotEqual(old_rpcapi, + self.manager.engine_rpcapi) + + def test_tokens_expire(self): + # Test that tokens expire correctly. + token = u'mytok' + self.config(expiration_time=1, group='cache') + self.manager.authorize_console( + self.context, token, 'shellinabox', '127.0.0.1', 4321, + None, self.instance_uuid, None) + self.assertIsNotNone(self.manager.check_token(self.context, token)) + time.sleep(1) + self.assertIsNone(self.manager.check_token(self.context, token)) + + def test_multiple_tokens_for_instance(self): + tokens = [u"token" + str(i) for i in range(10)] + + for token in tokens: + self.manager.authorize_console( + self.context, token, 'shellinabox', '127.0.0.1', 4321, + None, self.instance_uuid, None) + + for token in tokens: + self.assertIsNotNone( + self.manager.check_token(self.context, token)) + + def test_delete_tokens_for_instance(self): + tokens = [u"token" + str(i) for i in range(10)] + for token in tokens: + self.manager.authorize_console( + self.context, token, 'shellinabox', '127.0.0.1', 4321, + None, self.instance_uuid, None) + self.manager.delete_tokens_for_instance(self.context, + self.instance_uuid) + stored_tokens = self.manager._get_tokens_for_instance( + self.instance_uuid) + + self.assertEqual(len(stored_tokens), 0) + + for token in tokens: + self.assertIsNone( + self.manager.check_token(self.context, token)) + + def test_delete_expired_tokens(self): + token = u'mytok' + self.config(expiration_time=1, group='cache') + + self.manager.authorize_console( + self.context, token, 'shellinabox', '127.0.0.1', 4321, + None, self.instance_uuid, None) + time.sleep(1) + self.assertIsNone(self.manager.check_token(self.context, token)) + + token1 = u'mytok2' + self.manager.authorize_console( + self.context, token1, 'shellinabox', '127.0.0.1', 4321, + None, self.instance_uuid, None) + stored_tokens = self.manager._get_tokens_for_instance( + self.instance_uuid) + # when trying to store token1, expired token is removed fist. + self.assertEqual(len(stored_tokens), 1) + self.assertEqual(stored_tokens[0], token1) diff --git a/requirements.txt b/requirements.txt index 7fb7e901..1043d6ea 100644 --- a/requirements.txt +++ b/requirements.txt @@ -10,6 +10,7 @@ WebOb>=1.6.0 # MIT python-ironicclient>=1.11.0 # Apache-2.0 python-neutronclient>=5.1.0 # Apache-2.0 python-glanceclient>=2.5.0 # Apache-2.0 +oslo.cache>=1.5.0 # Apache-2.0 oslo.concurrency>=3.8.0 # Apache-2.0 oslo.config>=3.22.0 # Apache-2.0 oslo.context>=2.12.0 # Apache-2.0