Merge "Implement Basic HTTP authentication middleware"

ironic_lib/auth_basic.py

@@ -0,0 +1,187 @@
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import base64
+import binascii
+
+import bcrypt
+from oslo_log import log
+
+from ironic_lib.common.i18n import _
+from ironic_lib import exception
+
+LOG = log.getLogger(__name__)
+
+
+class BasicAuthMiddleware(object):
+    """Middleware which performs HTTP basic authentication on requests
+
+    """
+    def __init__(self, app, auth_file):
+        self.app = app
+        self.auth_file = auth_file
+        validate_auth_file(auth_file)
+
+    def __call__(self, env, start_response):
+
+        try:
+            token = parse_header(env)
+            username, password = parse_token(token)
+            env.update(authenticate(self.auth_file, username, password))
+
+            return self.app(env, start_response)
+
+        except exception.IronicException as e:
+            status = '%s %s' % (int(e.code), str(e))
+            headers = [(k, v) for k, v in e.headers.items()]
+            start_response(status, headers)
+
+
+def authenticate(auth_file, username, password):
+    """Finds username and password match in Apache style user auth file
+
+    The user auth file format is expected to comply with Apache
+    documentation[1] however the bcrypt password digest is the *only*
+    digest format supported.
+
+    [1] https://httpd.apache.org/docs/current/misc/password_encryptions.html
+
+    :param: auth_file: Path to user auth file
+    :param: username: Username to authenticate
+    :param: password: Password encoded as bytes
+    :returns: A dictionary of WSGI environment values to append to the request
+    :raises: Unauthorized, if no file entries match supplied username/password
+    """
+    line_prefix = username + ':'
+    try:
+        with open(auth_file, 'r') as f:
+            for line in f:
+                entry = line.strip()
+                if entry and entry.startswith(line_prefix):
+                    return auth_entry(entry, password)
+    except OSError:
+        raise exception.ConfigInvalid(
+            error_msg=_('Problem reading auth user file'))
+    # reached end of file with no matches
+    unauthorized()
+
+
+def auth_entry(entry, password):
+    """Compare a password with a single user auth file entry
+
+    :param: entry: Line from auth user file to use for authentication
+    :param: password: Password encoded as bytes
+    :returns: A dictionary of WSGI environment values to append to the request
+    :raises: Unauthorized, if the entry doesn't match supplied password or
+        if the entry is crypted with a method other than bcrypt
+    """
+    username, crypted = parse_entry(entry)
+
+    if not bcrypt.checkpw(password, crypted):
+        unauthorized()
+
+    return {
+        'HTTP_X_USER': username,
+        'HTTP_X_USER_NAME': username
+    }
+
+
+def validate_auth_file(auth_file):
+    """Read the auth user file and validate its correctness
+
+    :param: auth_file: Path to user auth file
+    :raises: ConfigInvalid on validation error
+    """
+    try:
+        with open(auth_file, 'r') as f:
+            for line in f:
+                entry = line.strip()
+                if entry and ':' in entry:
+                    parse_entry(entry)
+    except OSError:
+        raise exception.ConfigInvalid(
+            error_msg=_('Problem reading auth user file: %s') % auth_file)
+
+
+def parse_entry(entry):
+    """Extrace the username and crypted password from a user auth file entry
+
+    :param: entry: Line from auth user file to use for authentication
+    :returns: a tuple of username and crypted password
+    :raises: ConfigInvalid if the password is not in the supported bcrypt
+             format
+    """
+    username, crypted_str = entry.split(':', maxsplit=1)
+    crypted = crypted_str.encode('utf-8')
+
+    if not crypted.startswith(b'$2y$'):
+        error_msg = _('Only bcrypt digested passwords are supported for '
+                      '%(username)s') % {'username': username}
+        raise exception.ConfigInvalid(error_msg=error_msg)
+    return username, crypted
+
+
+def parse_token(token):
+    """Parse the token portion of the Authentication header value
+
+    :param: token: Token value from basic authorization header
+    :returns: tuple of username, password
+    :raises: Unauthorized, if username and password could not be parsed for any
+        reason
+    """
+    try:
+        if isinstance(token, str):
+            token = token.encode('utf-8')
+        auth_pair = base64.b64decode(token, validate=True)
+        (username, password) = auth_pair.split(b':', maxsplit=1)
+
+        return (username.decode('utf-8'), password)
+    except (TypeError, binascii.Error, ValueError):
+        raise exception.BadRequest(_('Could not decode authorization token'))
+
+
+def parse_header(env):
+    """Parse WSGI environment for Authorization header of type Basic
+
+    :param: env: WSGI environment to get header from
+    :returns: Token portion of the header value
+    :raises: Unauthorized, if header is missing or if the type is not Basic
+    """
+    try:
+        auth_header = env.pop('HTTP_AUTHORIZATION')
+    except KeyError:
+        unauthorized(_('Authorization required'))
+    try:
+        auth_type, token = auth_header.strip().split(maxsplit=1)
+    except (ValueError, AttributeError):
+        raise exception.BadRequest(_('Could not parse Authorization header'))
+
+    if auth_type.lower() != 'basic':
+        raise exception.BadRequest(_('Unsupported authorization type: '
+                                   '%(auth_type)s') % {'auth_type': auth_type})
+    return token
+
+
+def unauthorized(message=None):
+    """Raise an Unauthorized exception to prompt for basic authentication
+
+    :param: message: Optional message for esception
+    :raises: Unauthorized with WWW-Authenticate header set
+    """
+    if not message:
+        message = _('Incorrect username or password')
+    e = exception.Unauthorized(message)
+    e.headers['WWW-Authenticate'] = 'Basic realm="Baremetal API"'
+    raise e

ironic_lib/exception.py

@@ -23,6 +23,7 @@ SHOULD include dedicated exception logging.
 """
 
 import collections
+from http import client as http_client
 
 from oslo_config import cfg
 from oslo_log import log as logging
@@ -167,3 +168,15 @@ class ServiceLookupFailure(IronicException):
 
 class ServiceRegistrationFailure(IronicException):
     _msg_fmt = _("Cannot register %(service)s service: %(error)s")
+
+
+class BadRequest(IronicException):
+    code = http_client.BAD_REQUEST
+
+
+class Unauthorized(IronicException):
+    code = http_client.UNAUTHORIZED
+
+
+class ConfigInvalid(IronicException):
+    _msg_fmt = _("Invalid configuration file. %(error_msg)s")

ironic_lib/tests/test_basic_auth.py

@@ -0,0 +1,202 @@
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import base64
+import os
+import tempfile
+
+import mock
+
+from ironic_lib import auth_basic
+from ironic_lib import exception
+from ironic_lib.tests import base
+
+
+class TestAuthBasic(base.IronicLibTestCase):
+
+    def write_auth_file(self, data=None):
+        if not data:
+            data = '\n'
+        with tempfile.NamedTemporaryFile(mode='w', delete=False) as f:
+            f.write(data)
+            self.addCleanup(os.remove, f.name)
+            return f.name
+
+    def test_middleware_authenticate(self):
+        auth_file = self.write_auth_file(
+            'myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.'
+            'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n')
+        app = mock.Mock()
+        start_response = mock.Mock()
+        middleware = auth_basic.BasicAuthMiddleware(app, auth_file)
+        env = {
+            'HTTP_AUTHORIZATION': 'Basic bXlOYW1lOm15UGFzc3dvcmQ='
+        }
+
+        result = middleware(env, start_response)
+        self.assertEqual(app.return_value, result)
+        start_response.assert_not_called()
+
+    def test_middleware_unauthenticated(self):
+        auth_file = self.write_auth_file(
+            'myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.'
+            'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n')
+        app = mock.Mock()
+        start_response = mock.Mock()
+        middleware = auth_basic.BasicAuthMiddleware(app, auth_file)
+        env = {}
+
+        middleware(env, start_response)
+
+        start_response.assert_called_once_with(
+            '401 Authorization required',
+            [('WWW-Authenticate', 'Basic realm="Baremetal API"')]
+        )
+        app.assert_not_called()
+
+    def test_authenticate(self):
+        auth_file = self.write_auth_file(
+            'foo:bar\nmyName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.'
+            'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n')
+
+        # test basic auth
+        self.assertEqual(
+            {'HTTP_X_USER': 'myName', 'HTTP_X_USER_NAME': 'myName'},
+            auth_basic.authenticate(
+                auth_file, 'myName', b'myPassword')
+        )
+
+        # test failed auth
+        e = self.assertRaises(exception.ConfigInvalid,
+                              auth_basic.authenticate,
+                              auth_file, 'foo', b'bar')
+        self.assertEqual('Invalid configuration file. Only bcrypt digested '
+                         'passwords are supported for foo', str(e))
+
+        # test problem reading user data file
+        auth_file = auth_file + '.missing'
+        e = self.assertRaises(exception.ConfigInvalid,
+                              auth_basic.authenticate,
+                              auth_file, 'myName',
+                              b'myPassword')
+        self.assertEqual('Invalid configuration file. Problem reading '
+                         'auth user file', str(e))
+
+    def test_auth_entry(self):
+        entry_pass = ('myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.'
+                      'JETVCWBkc32C63UP2aYrGoYOEpbJm')
+        entry_fail = 'foo:bar'
+
+        # success
+        self.assertEqual(
+            {'HTTP_X_USER': 'myName', 'HTTP_X_USER_NAME': 'myName'},
+            auth_basic.auth_entry(
+                entry_pass, b'myPassword')
+        )
+
+        # failed, unknown digest format
+        e = self.assertRaises(exception.ConfigInvalid,
+                              auth_basic.auth_entry, entry_fail, b'bar')
+        self.assertEqual('Invalid configuration file. Only bcrypt digested '
+                         'passwords are supported for foo', str(e))
+
+        # failed, incorrect password
+        e = self.assertRaises(exception.Unauthorized,
+                              auth_basic.auth_entry, entry_pass, b'bar')
+        self.assertEqual('Incorrect username or password', str(e))
+
+    def test_validate_auth_file(self):
+        auth_file = self.write_auth_file(
+            'myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.'
+            'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n')
+        # success, valid config
+        auth_basic.validate_auth_file(auth_file)
+
+        # failed, missing auth file
+        auth_file = auth_file + '.missing'
+        self.assertRaises(exception.ConfigInvalid,
+                          auth_basic.validate_auth_file, auth_file)
+
+        # failed, invalid entry
+        auth_file = self.write_auth_file(
+            'foo:bar\nmyName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.'
+            'JETVCWBkc32C63UP2aYrGoYOEpbJm\n\n\n')
+        self.assertRaises(exception.ConfigInvalid,
+                          auth_basic.validate_auth_file, auth_file)
+
+    def test_parse_token(self):
+
+        # success with bytes
+        token = base64.b64encode(b'myName:myPassword')
+        self.assertEqual(
+            ('myName', b'myPassword'),
+            auth_basic.parse_token(token)
+        )
+
+        # success with string
+        token = str(token, encoding='utf-8')
+        self.assertEqual(
+            ('myName', b'myPassword'),
+            auth_basic.parse_token(token)
+        )
+
+        # failed, invalid base64
+        e = self.assertRaises(exception.BadRequest,
+                              auth_basic.parse_token, token[:-1])
+        self.assertEqual('Could not decode authorization token', str(e))
+
+        # failed, no colon in token
+        token = str(base64.b64encode(b'myNamemyPassword'), encoding='utf-8')
+        e = self.assertRaises(exception.BadRequest,
+                              auth_basic.parse_token, token[:-1])
+        self.assertEqual('Could not decode authorization token', str(e))
+
+    def test_parse_header(self):
+        auth_value = 'Basic bXlOYW1lOm15UGFzc3dvcmQ='
+
+        # success
+        self.assertEqual(
+            'bXlOYW1lOm15UGFzc3dvcmQ=',
+            auth_basic.parse_header({
+                'HTTP_AUTHORIZATION': auth_value
+            })
+        )
+
+        # failed, missing Authorization header
+        e = self.assertRaises(exception.Unauthorized,
+                              auth_basic.parse_header,
+                              {})
+        self.assertEqual('Authorization required', str(e))
+
+        # failed missing token
+        e = self.assertRaises(exception.BadRequest,
+                              auth_basic.parse_header,
+                              {'HTTP_AUTHORIZATION': 'Basic'})
+        self.assertEqual('Could not parse Authorization header', str(e))
+
+        # failed, type other than Basic
+        digest_value = 'Digest username="myName" nonce="foobar"'
+        e = self.assertRaises(exception.BadRequest,
+                              auth_basic.parse_header,
+                              {'HTTP_AUTHORIZATION': digest_value})
+        self.assertEqual('Unsupported authorization type: Digest', str(e))
+
+    def test_unauthorized(self):
+        e = self.assertRaises(exception.Unauthorized,
+                              auth_basic.unauthorized, 'ouch')
+        self.assertEqual('ouch', str(e))
+        self.assertEqual({
+            'WWW-Authenticate': 'Basic realm="Baremetal API"'
+        }, e.headers)

lower-constraints.txt

@@ -1,5 +1,6 @@
 appdirs==1.3.0
 Babel==2.3.4
+bcrypt==3.1.3
 chardet==3.0.4
 coverage==4.0
 debtcollector==1.2.0

releasenotes/notes/basic-auth-middleware-e5af29651b2d7979.yaml

@@ -0,0 +1,18 @@
+---
+features:
+  - |
+    Implement Basic HTTP authentication middleware.
+
+    This middleware is added to ironic-lib so that it can eventually be
+    used by ironic and ironic-inspector as an alternative to noauth in
+    standalone environments.
+
+    This middleware is passed a path to a file which supports the
+    Apache htpasswd syntax[1]. This file is read for every request, so no
+    service restart is required when changes are made.
+
+    The only password digest supported is bcrypt, and the ``bcrypt``
+    python library is used for password checks since it supports ``$2y$``
+    prefixed bcrypt passwords as generated by the Apache htpasswd utility.
+
+    [1] https://httpd.apache.org/docs/current/misc/password_encryptions.html

requirements.txt

@@ -12,3 +12,4 @@ oslo.utils>=3.33.0 # Apache-2.0
 requests>=2.14.2 # Apache-2.0
 oslo.log>=3.36.0 # Apache-2.0
 zeroconf>=0.24.0 # LGPL
+bcrypt>=3.1.3 # Apache-2.0