Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password

2017-12-08 17:05:59 -05:00 · 2017-12-08 17:05:59 -05:00 · 524d77f527
commit 524d77f527
parent 53b762a875
50 changed files with 943 additions and 289 deletions
--- a/data/users/init.py
+++ b/data/users/init.py
@ -10,7 +10,7 @@ from data.users.database import DatabaseUsers
 from data.users.externalldap import LDAPUsers
 from data.users.externaljwt import ExternalJWTAuthN
 from data.users.keystone import get_keystone_users
-from data.users.oidc import OIDCInternalAuth
+from data.users.apptoken import AppTokenInternalAuth
 from util.security.aes import AESCipher

 logger = logging.getLogger(__name__)
@ -25,7 +25,7 @@ def get_federated_service_name(authentication_type):
  if authentication_type == 'Keystone':
    return 'keystone'

-  if authentication_type == 'OIDC':
+  if authentication_type == 'AppToken':
    return None

  if authentication_type == 'Database':
@ -84,12 +84,14 @@ def get_users_handler(config, _, override_config_dir):
                              keystone_admin_password, keystone_admin_tenant, timeout,
                              requires_email=features.MAILING)

-  if authentication_type == 'OIDC':
+  if authentication_type == 'AppToken':
    if features.DIRECT_LOGIN:
-      raise Exception('Direct login feature must be disabled to use OIDC internal auth')
+      raise Exception('Direct login feature must be disabled to use AppToken internal auth')

-    login_service = config.get('INTERNAL_OIDC_SERVICE_ID')
-    return OIDCInternalAuth(config, login_service, requires_email=features.MAILING)
+    if not features.APP_SPECIFIC_TOKENS:
+      raise Exception('AppToken internal auth requires app specific token support to be enabled')
+
+    return AppTokenInternalAuth()

  raise RuntimeError('Unknown authentication type: %s' % authentication_type)

--- a/data/users/apptoken.py
+++ b/data/users/apptoken.py
@ -0,0 +1,59 @@
+import logging
+
+from data import model
+from oauth.loginmanager import OAuthLoginManager
+from oauth.oidc import PublicKeyLoadException
+from util.security.jwtutil import InvalidTokenError
+
+
+logger = logging.getLogger(__name__)
+
+class AppTokenInternalAuth(object):
+  """ Forces all internal credential login to go through an app token, by disabling all other
+      access.
+  """
+
+  @property
+  def federated_service(self):
+    return None
+
+  @property
+  def requires_distinct_cli_password(self):
+    # Since there is no supported "password".
+    return False
+
+  @property
+  def supports_encrypted_credentials(self):
+    # Since there is no supported "password".
+    return False
+
+  def verify_credentials(self, username_or_email, id_token):
+    return (None, 'An application specific token is required to login')
+
+  def verify_and_link_user(self, username_or_email, password):
+    return self.verify_credentials(username_or_email, password)
+
+  def confirm_existing_user(self, username, password):
+    return self.verify_credentials(username, password)
+
+  def link_user(self, username_or_email):
+    return (None, 'Unsupported for this authentication system')
+
+  def get_and_link_federated_user_info(self, user_info):
+    return (None, 'Unsupported for this authentication system')
+
+  def query_users(self, query, limit):
+    return (None, '', '')
+
+  def check_group_lookup_args(self, group_lookup_args):
+    return (False, 'Not supported')
+
+  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
+    return (None, 'Not supported')
+
+  def service_metadata(self):
+    return {}
+
+  def ping(self):
+    """ Always assumed to be working. If the DB is broken, other checks will handle it. """
+    return (True, None)
--- a/data/users/oidc.py
+++ b/data/users/oidc.py
@ -1,92 +0,0 @@
-import logging
-
-from data import model
-from oauth.loginmanager import OAuthLoginManager
-from oauth.oidc import PublicKeyLoadException
-from util.security.jwtutil import InvalidTokenError
-
-
-logger = logging.getLogger(__name__)
-
-
-class UnknownServiceException(Exception):
-  pass
-
-
-class OIDCInternalAuth(object):
-  """ Handles authentication by delegating authentication to a signed OIDC JWT produced by the
-      configured OIDC service.
-  """
-  def __init__(self, config, login_service_id, requires_email):
-    login_manager = OAuthLoginManager(config)
-
-    self.login_service_id = login_service_id
-    self.login_service = login_manager.get_service(login_service_id)
-    if self.login_service is None:
-      raise UnknownServiceException('Unknown OIDC login service %s' % login_service_id)
-
-  @property
-  def federated_service(self):
-    return None
-
-  @property
-  def requires_distinct_cli_password(self):
-    # Since the "password" is the generated ID token.
-    return False
-
-  @property
-  def supports_encrypted_credentials(self):
-    # Since the "password" is already a signed JWT.
-    return False
-
-  def verify_credentials(self, username_or_email, id_token):
-    # Parse the ID token.
-    try:
-      payload = self.login_service.decode_user_jwt(id_token)
-    except InvalidTokenError as ite:
-      logger.exception('Got invalid token error on OIDC decode: %s. Token: %s', ite.message, id_token)
-      return (None, 'Could not validate OIDC token')
-    except PublicKeyLoadException as pke:
-      logger.exception('Could not load public key during OIDC decode: %s. Token: %s', pke.message, id_token)
-      return (None, 'Could not validate OIDC token')
-
-    # Find the user ID.
-    user_id = payload['sub']
-
-    # Lookup the federated login and user record with that matching ID and service.
-    user_found = model.user.verify_federated_login(self.login_service_id, user_id)
-    if user_found is None:
-      return (None, 'User does not exist')
-
-    if not user_found.enabled:
-      return (None, 'User account is disabled. Please contact your administrator.')
-
-    return (user_found, None)
-
-  def verify_and_link_user(self, username_or_email, password):
-    return self.verify_credentials(username_or_email, password)
-
-  def confirm_existing_user(self, username, password):
-    return self.verify_credentials(username, password)
-
-  def link_user(self, username_or_email):
-    return (None, 'Unsupported for this authentication system')
-
-  def get_and_link_federated_user_info(self, user_info):
-    return (None, 'Unsupported for this authentication system')
-
-  def query_users(self, query, limit):
-    return (None, '', '')
-
-  def check_group_lookup_args(self, group_lookup_args):
-    return (False, 'Not supported')
-
-  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
-    return (None, 'Not supported')
-
-  def service_metadata(self):
-    return {}
-
-  def ping(self):
-    """ Always assumed to be working. If the DB is broken, other checks will handle it. """
-    return (True, None)
--- a/data/users/test/test_oidc.py
+++ b/data/users/test/test_oidc.py
@ -1,38 +0,0 @@
-import pytest
-
-from httmock import HTTMock
-
-from data import model
-from data.users.oidc import OIDCInternalAuth
-from oauth.test.test_oidc import *
-from test.fixtures import *
-
-@pytest.mark.parametrize('username, expect_success', [
-  ('devtable', True),
-  ('disabled', False)
-])
-def test_oidc_login(username, expect_success, app_config, id_token, jwks_handler,
-                    discovery_handler, app):
-  internal_auth = OIDCInternalAuth(app_config, 'someoidc', False)
-  with HTTMock(jwks_handler, discovery_handler):
-    # Try an invalid token.
-    (user, err) = internal_auth.verify_credentials('someusername', 'invalidtoken')
-    assert err is not None
-    assert user is None
-
-    # Try a valid token for an unlinked user.
-    (user, err) = internal_auth.verify_credentials('someusername', id_token)
-    assert err is not None
-    assert user is None
-
-    # Link the user to the service.
-    model.user.attach_federated_login(model.user.get_user(username), 'someoidc', 'cooluser')
-
-    # Try a valid token for a linked user.
-    (user, err) = internal_auth.verify_credentials('someusername', id_token)
-    if expect_success:
-      assert err is None
-      assert user.username == username
-    else:
-      assert err is not None
-      assert user is None
--- a/data/users/test/test_users.py
+++ b/data/users/test/test_users.py
@ -5,7 +5,6 @@ from mock import patch

 from data.database import model
 from data.users.federated import DISABLED_MESSAGE
-from data.users.oidc import OIDCInternalAuth
 from test.test_ldap import mock_ldap
 from test.test_keystone_auth import fake_keystone
 from test.test_external_jwt_authn import fake_jwt
@ -38,18 +37,11 @@ def test_auth_createuser(auth_system_builder, user1, user2, config, app):
      assert new_user is None
      assert err == DISABLED_MESSAGE

-@contextmanager
-def fake_oidc(app_config):
-  yield OIDCInternalAuth(app_config, 'someoidc', False)
-
@pytest.mark.parametrize('auth_system_builder,auth_kwargs', [
  (mock_ldap, {}),
  (fake_keystone, {'version': 3}),
  (fake_keystone, {'version': 2}),
  (fake_jwt, {}),
-  (fake_oidc, {'app_config': {
-    'SOMEOIDC_LOGIN_CONFIG': {},
-  }}),
 ])
 def test_ping(auth_system_builder, auth_kwargs, app):
  with auth_system_builder(**auth_kwargs) as auth: