Add support to ExternalJWT Auth for external user linking

data/users/__init__.py

@@ -54,8 +54,12 @@ def get_users_handler(config, config_provider, override_config_dir):
     verify_url = config.get('JWT_VERIFY_ENDPOINT')
     issuer = config.get('JWT_AUTH_ISSUER')
     max_fresh_s = config.get('JWT_AUTH_MAX_FRESH_S', 300)
-    return ExternalJWTAuthN(verify_url, issuer, override_config_dir, config['HTTPCLIENT'],
-                            max_fresh_s)
+
+    query_url = config.get('JWT_QUERY_ENDPOINT', None)
+    getuser_url = config.get('JWT_GETUSER_ENDPOINT', None)
+
+    return ExternalJWTAuthN(verify_url, query_url, getuser_url, issuer, override_config_dir,
+                            config['HTTPCLIENT'], max_fresh_s)
 
   if authentication_type == 'Keystone':
     auth_url = config.get('KEYSTONE_AUTH_URL')

data/users/externaljwt.py

@@ -2,7 +2,7 @@ import logging
 import json
 import os
 
-from data.users.federated import FederatedUsers, VerifiedCredentials
+from data.users.federated import FederatedUsers, UserInformation
 from util.security import jwtutil
 
 
@@ -13,10 +13,13 @@ class ExternalJWTAuthN(FederatedUsers):
   """ Delegates authentication to a REST endpoint that returns JWTs. """
   PUBLIC_KEY_FILENAME = 'jwt-authn.cert'
 
-  def __init__(self, verify_url, issuer, override_config_dir, http_client, max_fresh_s,
-               public_key_path=None):
+  def __init__(self, verify_url, query_url, getuser_url, issuer, override_config_dir, http_client,
+               max_fresh_s, public_key_path=None):
     super(ExternalJWTAuthN, self).__init__('jwtauthn')
     self.verify_url = verify_url
+    self.query_url = query_url
+    self.getuser_url = getuser_url
+
     self.issuer = issuer
     self.client = http_client
     self.max_fresh_s = max_fresh_s
@@ -32,34 +35,80 @@ class ExternalJWTAuthN(FederatedUsers):
     with open(public_key_path) as public_key_file:
       self.public_key = public_key_file.read()
 
-  def verify_credentials(self, username_or_email, password):
-    result = self.client.get(self.verify_url, timeout=2, auth=(username_or_email, password))
 
+  def get_user(self, username_or_email):
+    if self.getuser_url is None:
+      return (None, 'No endpoint defined for retrieving user')
+
+    (payload, err_msg) = self._execute_call(self.getuser_url, 'quay.io/jwtauthn/getuser',
+                                            params=dict(username=username_or_email))
+    if err_msg is not None:
+      return (None, err_msg)
+
+    if not 'sub' in payload:
+      raise Exception('Missing sub field in JWT')
+
+    if not 'email' in payload:
+      raise Exception('Missing email field in JWT')
+
+    # Parse out the username and email.
+    user_info = UserInformation(username=payload['sub'], email=payload['email'], id=payload['sub'])
+    return (user_info, None)
+
+
+  def query_users(self, query, limit=20):
+    if self.query_url is None:
+      return (None, self.federated_service, 'No endpoint defined for querying users')
+
+    (payload, err_msg) = self._execute_call(self.query_url, 'quay.io/jwtauthn/query',
+                                            params=dict(query=query, limit=limit))
+    if err_msg is not None:
+      return (None, self.federated_service, err_msg)
+
+    query_results = []
+    for result in payload['results'][0:limit]:
+      user_info = UserInformation(username=result['username'], email=result['email'],
+                                  id=result['username'])
+      query_results.append(user_info)
+
+    return (query_results, self.federated_service, None)
+
+
+  def verify_credentials(self, username_or_email, password):
+    (payload, err_msg) = self._execute_call(self.verify_url, 'quay.io/jwtauthn',
+                                            auth=(username_or_email, password))
+    if err_msg is not None:
+      return (None, err_msg)
+
+    if not 'sub' in payload:
+      raise Exception('Missing sub field in JWT')
+
+    if not 'email' in payload:
+      raise Exception('Missing email field in JWT')
+
+    user_info = UserInformation(username=payload['sub'], email=payload['email'], id=payload['sub'])
+    return (user_info, None)
+
+
+  def _execute_call(self, url, aud, auth=None, params=None):
+    """ Executes a call to the external JWT auth provider. """
+    result = self.client.get(url, timeout=2, auth=auth, params=params)
     if result.status_code != 200:
-      return (None, result.text or 'Invalid username or password')
+      return (None, result.text or 'Could not make JWT auth call')
 
     try:
       result_data = json.loads(result.text)
     except ValueError:
-      raise Exception('Returned JWT Authentication body does not contain JSON')
+      raise Exception('Returned JWT body for url %s does not contain JSON', url)
 
     # Load the JWT returned.
     encoded = result_data.get('token', '')
     exp_limit_options = jwtutil.exp_max_s_option(self.max_fresh_s)
     try:
       payload = jwtutil.decode(encoded, self.public_key, algorithms=['RS256'],
-                               audience='quay.io/jwtauthn', issuer=self.issuer,
+                               audience=aud, issuer=self.issuer,
                                options=exp_limit_options)
+      return (payload, None)
     except jwtutil.InvalidTokenError:
-      logger.exception('Exception when decoding returned JWT')
-      return (None, 'Invalid username or password')
-
-    if not 'sub' in payload:
-      raise Exception('Missing username field in JWT')
-
-    if not 'email' in payload:
-      raise Exception('Missing email field in JWT')
-
-    # Parse out the username and email.
-    return (VerifiedCredentials(username=payload['sub'], email=payload['email']), None)
-
+      logger.exception('Exception when decoding returned JWT for url %s', url)
+      return (None, 'Exception when decoding returned JWT')