From a9abc5699f0842082177ff2401955214373c08de Mon Sep 17 00:00:00 2001 From: Steve Baker Date: Tue, 19 May 2020 10:18:05 +1200 Subject: [PATCH] Implement Basic HTTP authentication middleware This middleware is added to ironic-lib so that it can eventually be used by ironic and ironic-inspector as an alternative to noauth in standalone environments. This middleware is passed a path to a file which supports the Apache htpasswd syntax[1]. This file is read for every request, so no service restart is required when changes are made. The only password digest supported is bcrypt, and the ``bcrypt`` python library is used for password checks since it supports ``$2y$`` prefixed bcrypt passwords as generated by the Apache htpasswd utility. [1] https://httpd.apache.org/docs/current/misc/password_encryptions.html Needed-By: https://review.opendev.org/727467 Needed-By: https://review.opendev.org/729463 Change-Id: I874783b8ece0eedf27a94dfed5163d0c82f8b9de Story: 2007656 Task: 39740 --- ironic_lib/auth_basic.py | 187 ++++++++++++++++ ironic_lib/exception.py | 13 ++ ironic_lib/tests/test_basic_auth.py | 202 ++++++++++++++++++ lower-constraints.txt | 1 + ...asic-auth-middleware-e5af29651b2d7979.yaml | 18 ++ requirements.txt | 1 + 6 files changed, 422 insertions(+) create mode 100644 ironic_lib/auth_basic.py create mode 100644 ironic_lib/tests/test_basic_auth.py create mode 100644 releasenotes/notes/basic-auth-middleware-e5af29651b2d7979.yaml diff --git a/ironic_lib/auth_basic.py b/ironic_lib/auth_basic.py new file mode 100644 index 00000000..651bc5d8 --- /dev/null +++ b/ironic_lib/auth_basic.py @@ -0,0 +1,187 @@ +# Copyright 2020 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import base64 +import binascii + +import bcrypt +from oslo_log import log + +from ironic_lib.common.i18n import _ +from ironic_lib import exception + +LOG = log.getLogger(__name__) + + +class BasicAuthMiddleware(object): + """Middleware which performs HTTP basic authentication on requests + + """ + def __init__(self, app, auth_file): + self.app = app + self.auth_file = auth_file + validate_auth_file(auth_file) + + def __call__(self, env, start_response): + + try: + token = parse_header(env) + username, password = parse_token(token) + env.update(authenticate(self.auth_file, username, password)) + + return self.app(env, start_response) + + except exception.IronicException as e: + status = '%s %s' % (int(e.code), str(e)) + headers = [(k, v) for k, v in e.headers.items()] + start_response(status, headers) + + +def authenticate(auth_file, username, password): + """Finds username and password match in Apache style user auth file + + The user auth file format is expected to comply with Apache + documentation[1] however the bcrypt password digest is the *only* + digest format supported. + + [1] https://httpd.apache.org/docs/current/misc/password_encryptions.html + + :param: auth_file: Path to user auth file + :param: username: Username to authenticate + :param: password: Password encoded as bytes + :returns: A dictionary of WSGI environment values to append to the request + :raises: Unauthorized, if no file entries match supplied username/password + """ + line_prefix = username + ':' + try: + with open(auth_file, 'r') as f: + for line in f: + entry = line.strip() + if entry and entry.startswith(line_prefix): + return auth_entry(entry, password) + except OSError: + raise exception.ConfigInvalid( + error_msg=_('Problem reading auth user file')) + # reached end of file with no matches + unauthorized() + + +def auth_entry(entry, password): + """Compare a password with a single user auth file entry + + :param: entry: Line from auth user file to use for authentication + :param: password: Password encoded as bytes + :returns: A dictionary of WSGI environment values to append to the request + :raises: Unauthorized, if the entry doesn't match supplied password or + if the entry is crypted with a method other than bcrypt + """ + username, crypted = parse_entry(entry) + + if not bcrypt.checkpw(password, crypted): + unauthorized() + + return { + 'HTTP_X_USER': username, + 'HTTP_X_USER_NAME': username + } + + +def validate_auth_file(auth_file): + """Read the auth user file and validate its correctness + + :param: auth_file: Path to user auth file + :raises: ConfigInvalid on validation error + """ + try: + with open(auth_file, 'r') as f: + for line in f: + entry = line.strip() + if entry and ':' in entry: + parse_entry(entry) + except OSError: + raise exception.ConfigInvalid( + error_msg=_('Problem reading auth user file: %s') % auth_file) + + +def parse_entry(entry): + """Extrace the username and crypted password from a user auth file entry + + :param: entry: Line from auth user file to use for authentication + :returns: a tuple of username and crypted password + :raises: ConfigInvalid if the password is not in the supported bcrypt + format + """ + username, crypted_str = entry.split(':', maxsplit=1) + crypted = crypted_str.encode('utf-8') + + if not crypted.startswith(b'$2y$'): + error_msg = _('Only bcrypt digested passwords are supported for ' + '%(username)s') % {'username': username} + raise exception.ConfigInvalid(error_msg=error_msg) + return username, crypted + + +def parse_token(token): + """Parse the token portion of the Authentication header value + + :param: token: Token value from basic authorization header + :returns: tuple of username, password + :raises: Unauthorized, if username and password could not be parsed for any + reason + """ + try: + if isinstance(token, str): + token = token.encode('utf-8') + auth_pair = base64.b64decode(token, validate=True) + (username, password) = auth_pair.split(b':', maxsplit=1) + + return (username.decode('utf-8'), password) + except (TypeError, binascii.Error, ValueError): + raise exception.BadRequest(_('Could not decode authorization token')) + + +def parse_header(env): + """Parse WSGI environment for Authorization header of type Basic + + :param: env: WSGI environment to get header from + :returns: Token portion of the header value + :raises: Unauthorized, if header is missing or if the type is not Basic + """ + try: + auth_header = env.pop('HTTP_AUTHORIZATION') + except KeyError: + unauthorized(_('Authorization required')) + try: + auth_type, token = auth_header.strip().split(maxsplit=1) + except (ValueError, AttributeError): + raise exception.BadRequest(_('Could not parse Authorization header')) + + if auth_type.lower() != 'basic': + raise exception.BadRequest(_('Unsupported authorization type: ' + '%(auth_type)s') % {'auth_type': auth_type}) + return token + + +def unauthorized(message=None): + """Raise an Unauthorized exception to prompt for basic authentication + + :param: message: Optional message for esception + :raises: Unauthorized with WWW-Authenticate header set + """ + if not message: + message = _('Incorrect username or password') + e = exception.Unauthorized(message) + e.headers['WWW-Authenticate'] = 'Basic realm="Baremetal API"' + raise e diff --git a/ironic_lib/exception.py b/ironic_lib/exception.py index f9f30849..0062d60b 100644 --- a/ironic_lib/exception.py +++ b/ironic_lib/exception.py @@ -23,6 +23,7 @@ SHOULD include dedicated exception logging. """ import collections +from http import client as http_client from oslo_config import cfg from oslo_log import log as logging @@ -167,3 +168,15 @@ class ServiceLookupFailure(IronicException): class ServiceRegistrationFailure(IronicException): _msg_fmt = _("Cannot register %(service)s service: %(error)s") + + +class BadRequest(IronicException): + code = http_client.BAD_REQUEST + + +class Unauthorized(IronicException): + code = http_client.UNAUTHORIZED + + +class ConfigInvalid(IronicException): + _msg_fmt = _("Invalid configuration file. %(error_msg)s") diff --git a/ironic_lib/tests/test_basic_auth.py b/ironic_lib/tests/test_basic_auth.py new file mode 100644 index 00000000..ef33717a --- /dev/null +++ b/ironic_lib/tests/test_basic_auth.py @@ -0,0 +1,202 @@ +# Copyright 2020 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import base64 +import os +import tempfile + +import mock + +from ironic_lib import auth_basic +from ironic_lib import exception +from ironic_lib.tests import base + + +class TestAuthBasic(base.IronicLibTestCase): + + def write_auth_file(self, data=None): + if not data: + data = '\n' + with tempfile.NamedTemporaryFile(mode='w', delete=False) as f: + f.write(data) + self.addCleanup(os.remove, f.name) + return f.name + + def test_middleware_authenticate(self): + auth_file = self.write_auth_file( + 'myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.' + 'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n') + app = mock.Mock() + start_response = mock.Mock() + middleware = auth_basic.BasicAuthMiddleware(app, auth_file) + env = { + 'HTTP_AUTHORIZATION': 'Basic bXlOYW1lOm15UGFzc3dvcmQ=' + } + + result = middleware(env, start_response) + self.assertEqual(app.return_value, result) + start_response.assert_not_called() + + def test_middleware_unauthenticated(self): + auth_file = self.write_auth_file( + 'myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.' + 'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n') + app = mock.Mock() + start_response = mock.Mock() + middleware = auth_basic.BasicAuthMiddleware(app, auth_file) + env = {} + + middleware(env, start_response) + + start_response.assert_called_once_with( + '401 Authorization required', + [('WWW-Authenticate', 'Basic realm="Baremetal API"')] + ) + app.assert_not_called() + + def test_authenticate(self): + auth_file = self.write_auth_file( + 'foo:bar\nmyName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.' + 'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n') + + # test basic auth + self.assertEqual( + {'HTTP_X_USER': 'myName', 'HTTP_X_USER_NAME': 'myName'}, + auth_basic.authenticate( + auth_file, 'myName', b'myPassword') + ) + + # test failed auth + e = self.assertRaises(exception.ConfigInvalid, + auth_basic.authenticate, + auth_file, 'foo', b'bar') + self.assertEqual('Invalid configuration file. Only bcrypt digested ' + 'passwords are supported for foo', str(e)) + + # test problem reading user data file + auth_file = auth_file + '.missing' + e = self.assertRaises(exception.ConfigInvalid, + auth_basic.authenticate, + auth_file, 'myName', + b'myPassword') + self.assertEqual('Invalid configuration file. Problem reading ' + 'auth user file', str(e)) + + def test_auth_entry(self): + entry_pass = ('myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.' + 'JETVCWBkc32C63UP2aYrGoYOEpbJm') + entry_fail = 'foo:bar' + + # success + self.assertEqual( + {'HTTP_X_USER': 'myName', 'HTTP_X_USER_NAME': 'myName'}, + auth_basic.auth_entry( + entry_pass, b'myPassword') + ) + + # failed, unknown digest format + e = self.assertRaises(exception.ConfigInvalid, + auth_basic.auth_entry, entry_fail, b'bar') + self.assertEqual('Invalid configuration file. Only bcrypt digested ' + 'passwords are supported for foo', str(e)) + + # failed, incorrect password + e = self.assertRaises(exception.Unauthorized, + auth_basic.auth_entry, entry_pass, b'bar') + self.assertEqual('Incorrect username or password', str(e)) + + def test_validate_auth_file(self): + auth_file = self.write_auth_file( + 'myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.' + 'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n') + # success, valid config + auth_basic.validate_auth_file(auth_file) + + # failed, missing auth file + auth_file = auth_file + '.missing' + self.assertRaises(exception.ConfigInvalid, + auth_basic.validate_auth_file, auth_file) + + # failed, invalid entry + auth_file = self.write_auth_file( + 'foo:bar\nmyName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.' + 'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n') + self.assertRaises(exception.ConfigInvalid, + auth_basic.validate_auth_file, auth_file) + + def test_parse_token(self): + + # success with bytes + token = base64.b64encode(b'myName:myPassword') + self.assertEqual( + ('myName', b'myPassword'), + auth_basic.parse_token(token) + ) + + # success with string + token = str(token, encoding='utf-8') + self.assertEqual( + ('myName', b'myPassword'), + auth_basic.parse_token(token) + ) + + # failed, invalid base64 + e = self.assertRaises(exception.BadRequest, + auth_basic.parse_token, token[:-1]) + self.assertEqual('Could not decode authorization token', str(e)) + + # failed, no colon in token + token = str(base64.b64encode(b'myNamemyPassword'), encoding='utf-8') + e = self.assertRaises(exception.BadRequest, + auth_basic.parse_token, token[:-1]) + self.assertEqual('Could not decode authorization token', str(e)) + + def test_parse_header(self): + auth_value = 'Basic bXlOYW1lOm15UGFzc3dvcmQ=' + + # success + self.assertEqual( + 'bXlOYW1lOm15UGFzc3dvcmQ=', + auth_basic.parse_header({ + 'HTTP_AUTHORIZATION': auth_value + }) + ) + + # failed, missing Authorization header + e = self.assertRaises(exception.Unauthorized, + auth_basic.parse_header, + {}) + self.assertEqual('Authorization required', str(e)) + + # failed missing token + e = self.assertRaises(exception.BadRequest, + auth_basic.parse_header, + {'HTTP_AUTHORIZATION': 'Basic'}) + self.assertEqual('Could not parse Authorization header', str(e)) + + # failed, type other than Basic + digest_value = 'Digest username="myName" nonce="foobar"' + e = self.assertRaises(exception.BadRequest, + auth_basic.parse_header, + {'HTTP_AUTHORIZATION': digest_value}) + self.assertEqual('Unsupported authorization type: Digest', str(e)) + + def test_unauthorized(self): + e = self.assertRaises(exception.Unauthorized, + auth_basic.unauthorized, 'ouch') + self.assertEqual('ouch', str(e)) + self.assertEqual({ + 'WWW-Authenticate': 'Basic realm="Baremetal API"' + }, e.headers) diff --git a/lower-constraints.txt b/lower-constraints.txt index fec4e144..d81b86a6 100644 --- a/lower-constraints.txt +++ b/lower-constraints.txt @@ -1,5 +1,6 @@ appdirs==1.3.0 Babel==2.3.4 +bcrypt==3.1.3 chardet==3.0.4 coverage==4.0 debtcollector==1.2.0 diff --git a/releasenotes/notes/basic-auth-middleware-e5af29651b2d7979.yaml b/releasenotes/notes/basic-auth-middleware-e5af29651b2d7979.yaml new file mode 100644 index 00000000..e8c5cc56 --- /dev/null +++ b/releasenotes/notes/basic-auth-middleware-e5af29651b2d7979.yaml @@ -0,0 +1,18 @@ +--- +features: + - | + Implement Basic HTTP authentication middleware. + + This middleware is added to ironic-lib so that it can eventually be + used by ironic and ironic-inspector as an alternative to noauth in + standalone environments. + + This middleware is passed a path to a file which supports the + Apache htpasswd syntax[1]. This file is read for every request, so no + service restart is required when changes are made. + + The only password digest supported is bcrypt, and the ``bcrypt`` + python library is used for password checks since it supports ``$2y$`` + prefixed bcrypt passwords as generated by the Apache htpasswd utility. + + [1] https://httpd.apache.org/docs/current/misc/password_encryptions.html diff --git a/requirements.txt b/requirements.txt index a2ff45f3..53d867c0 100644 --- a/requirements.txt +++ b/requirements.txt @@ -12,3 +12,4 @@ oslo.utils>=3.33.0 # Apache-2.0 requests>=2.14.2 # Apache-2.0 oslo.log>=3.36.0 # Apache-2.0 zeroconf>=0.24.0 # LGPL +bcrypt>=3.1.3 # Apache-2.0