2014-04-07 16:43:39 -04:00
|
|
|
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
|
|
|
|
|
|
# Copyright 2014 IBM Corporation
|
|
|
|
#
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
#
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
#
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
# limitations under the License.
|
|
|
|
|
2013-09-06 15:47:39 -04:00
|
|
|
# authentication and authorization routines for confluent
|
2013-10-09 16:17:37 -04:00
|
|
|
# authentication scheme caches passphrase values to help HTTP Basic auth
|
2014-02-06 13:13:16 -05:00
|
|
|
# the PBKDF2 transform is skipped unless a user has been idle for sufficient
|
2013-10-09 16:17:37 -04:00
|
|
|
# time
|
2013-09-06 15:47:39 -04:00
|
|
|
|
2015-07-31 17:07:40 -04:00
|
|
|
import confluentd.config.configmanager as configmanager
|
2013-10-08 17:49:38 -04:00
|
|
|
import eventlet
|
2014-04-24 13:00:07 -04:00
|
|
|
import eventlet.tpool
|
2014-04-18 15:52:29 -04:00
|
|
|
import Crypto.Protocol.KDF as KDF
|
|
|
|
import hashlib
|
|
|
|
import hmac
|
2014-04-24 13:00:07 -04:00
|
|
|
import multiprocessing
|
2015-07-30 17:08:52 -04:00
|
|
|
try:
|
|
|
|
import PAM
|
|
|
|
except ImportError:
|
|
|
|
pass
|
2013-10-08 18:25:59 -04:00
|
|
|
import time
|
2013-09-06 15:47:39 -04:00
|
|
|
|
2014-07-14 14:54:12 -04:00
|
|
|
_pamservice = 'confluent'
|
2013-10-08 17:49:38 -04:00
|
|
|
_passcache = {}
|
|
|
|
_passchecking = {}
|
|
|
|
|
2014-04-24 13:00:07 -04:00
|
|
|
authworkers = None
|
|
|
|
|
2013-10-08 18:25:59 -04:00
|
|
|
|
2014-07-14 14:54:12 -04:00
|
|
|
class Credentials(object):
|
|
|
|
def __init__(self, username, passphrase):
|
|
|
|
self.username = username
|
|
|
|
self.passphrase = passphrase
|
|
|
|
self.haspam = False
|
|
|
|
|
|
|
|
def pam_conv(self, auth, query_list):
|
|
|
|
# use stored credentials in a pam conversation
|
|
|
|
self.haspam = True
|
|
|
|
resp = []
|
|
|
|
for query_entry in query_list:
|
|
|
|
query, pamtype = query_entry
|
|
|
|
if query.startswith('Password'):
|
|
|
|
resp.append((self.passphrase, 0))
|
|
|
|
else:
|
|
|
|
return None
|
|
|
|
return resp
|
|
|
|
|
|
|
|
|
2013-10-08 18:25:59 -04:00
|
|
|
def _prune_passcache():
|
|
|
|
# This function makes sure we don't remember a passphrase in memory more
|
|
|
|
# than 10 seconds
|
2014-04-18 15:52:29 -04:00
|
|
|
while True:
|
2013-10-08 18:25:59 -04:00
|
|
|
curtime = time.time()
|
|
|
|
for passent in _passcache.iterkeys():
|
|
|
|
if passent[2] < curtime - 10:
|
|
|
|
del _passcache[passent]
|
|
|
|
eventlet.sleep(10)
|
|
|
|
|
|
|
|
|
2013-10-08 17:49:38 -04:00
|
|
|
def _get_usertenant(name, tenant=False):
|
|
|
|
"""_get_usertenant
|
|
|
|
|
|
|
|
Convenience function to parse name into username and tenant.
|
|
|
|
If tenant is explicitly passed in, then name must be the username
|
|
|
|
tenant name with '/' is forbidden. If '/' is seen in name, tenant
|
|
|
|
is assumed to preface the /.
|
|
|
|
If the username is a tenant name, then it is to be the implied
|
|
|
|
administrator account a tenant gets.
|
|
|
|
Otherwise, just assume a user in the default tenant
|
|
|
|
"""
|
2014-02-06 13:13:16 -05:00
|
|
|
if not isinstance(tenant, bool):
|
2013-10-09 16:17:37 -04:00
|
|
|
# if not boolean, it must be explicit tenant
|
2013-10-08 17:49:38 -04:00
|
|
|
user = name
|
2013-10-09 16:17:37 -04:00
|
|
|
elif '/' in name: # tenant scoped name
|
2013-10-08 17:49:38 -04:00
|
|
|
tenant, user = name.split('/', 1)
|
2013-11-02 16:58:38 -04:00
|
|
|
elif configmanager.is_tenant(name):
|
2013-10-09 16:17:37 -04:00
|
|
|
# the account is the implicit tenant owner account
|
2013-10-08 17:49:38 -04:00
|
|
|
user = name
|
|
|
|
tenant = name
|
2014-02-06 13:13:16 -05:00
|
|
|
else: # assume it is a non-tenant user account
|
2013-10-08 17:49:38 -04:00
|
|
|
user = name
|
|
|
|
tenant = None
|
2013-10-08 18:25:59 -04:00
|
|
|
yield user
|
|
|
|
yield tenant
|
2013-10-08 17:49:38 -04:00
|
|
|
|
2014-02-06 13:13:16 -05:00
|
|
|
|
2014-07-14 14:54:12 -04:00
|
|
|
def authorize(name, element, tenant=False, operation='create',
|
|
|
|
skipuserobj=False):
|
2013-09-06 15:47:39 -04:00
|
|
|
#TODO: actually use the element to ascertain if this user is good enough
|
2013-09-06 16:15:59 -04:00
|
|
|
"""Determine whether the given authenticated name is authorized.
|
2013-09-06 15:47:39 -04:00
|
|
|
|
2013-09-06 16:15:59 -04:00
|
|
|
:param name: The shortname authenticated by the authentication scheme
|
|
|
|
:param element: The path being examined.
|
|
|
|
:param tenant: The tenant under which the account exists (defaults to
|
|
|
|
detect from name)
|
2014-04-18 10:36:51 -04:00
|
|
|
:param operation: Defaults to checking for 'create' level access
|
2013-09-06 15:47:39 -04:00
|
|
|
|
2013-09-06 16:15:59 -04:00
|
|
|
returns None if authorization fails or a tuple of the user object
|
|
|
|
and the relevant ConfigManager object for the context of the
|
|
|
|
request.
|
|
|
|
"""
|
2014-10-07 11:14:22 -04:00
|
|
|
if operation not in ('create', 'start', 'update', 'retrieve', 'delete'):
|
|
|
|
return None
|
2013-10-08 17:49:38 -04:00
|
|
|
user, tenant = _get_usertenant(name, tenant)
|
2013-11-02 16:58:38 -04:00
|
|
|
if tenant is not None and not configmanager.is_tenant(tenant):
|
2013-09-06 16:15:59 -04:00
|
|
|
return None
|
2013-11-02 17:21:34 -04:00
|
|
|
manager = configmanager.ConfigManager(tenant)
|
2014-07-14 14:54:12 -04:00
|
|
|
if skipuserobj:
|
2014-07-14 15:03:34 -04:00
|
|
|
return None, manager, user, tenant, skipuserobj
|
2013-11-02 17:21:34 -04:00
|
|
|
userobj = manager.get_user(user)
|
2014-02-06 13:13:16 -05:00
|
|
|
if userobj: # returning
|
2014-07-14 15:03:34 -04:00
|
|
|
return userobj, manager, user, tenant, skipuserobj
|
2013-09-06 16:15:59 -04:00
|
|
|
return None
|
2013-10-08 17:49:38 -04:00
|
|
|
|
|
|
|
|
2013-10-09 16:17:37 -04:00
|
|
|
def check_user_passphrase(name, passphrase, element=None, tenant=False):
|
|
|
|
"""Check a a login name and passphrase for authenticity and authorization
|
|
|
|
|
|
|
|
The function combines authentication and authorization into one function.
|
|
|
|
It is highly recommended for a session layer to provide some secure means
|
|
|
|
of protecting a session once this function works once and calling
|
|
|
|
authorize() in order to provide best performance regardless of
|
|
|
|
circumstance. The function makes effort to provide good performance
|
|
|
|
in repeated invocation, but that facility will slow down to deter
|
|
|
|
detected passphrase guessing activity when such activity is detected.
|
|
|
|
|
|
|
|
:param name: The login name provided by client
|
2014-04-18 10:36:51 -04:00
|
|
|
:param passphrase: The passphrase provided by client
|
2013-10-09 16:17:37 -04:00
|
|
|
:param element: Optional specification of a particular destination
|
|
|
|
:param tenant: Optional explicit indication of tenant (defaults to
|
|
|
|
embedded in name)
|
|
|
|
"""
|
2014-02-09 10:43:26 -05:00
|
|
|
# The reason why tenant is 'False' instead of 'None':
|
2014-04-18 15:52:29 -04:00
|
|
|
# None means explicitly not a tenant. False means check
|
2014-02-09 10:43:26 -05:00
|
|
|
# the username for signs of being a tenant
|
2013-10-09 16:17:37 -04:00
|
|
|
# If there is any sign of guessing on a user, all valid and
|
|
|
|
# invalid attempts are equally slowed to no more than 20 per second
|
|
|
|
# for that particular user.
|
|
|
|
# similarly, guessing usernames is throttled to 20/sec
|
2013-10-08 17:49:38 -04:00
|
|
|
user, tenant = _get_usertenant(name, tenant)
|
2014-02-06 13:13:16 -05:00
|
|
|
while (user, tenant) in _passchecking:
|
2013-10-08 18:25:59 -04:00
|
|
|
# Want to serialize passphrase checking activity
|
|
|
|
# by a user, which might be malicious
|
|
|
|
# would normally make an event and wait
|
|
|
|
# but here there's no need for that
|
|
|
|
eventlet.sleep(0.5)
|
2014-07-14 14:54:12 -04:00
|
|
|
credobj = Credentials(user, passphrase)
|
|
|
|
try:
|
|
|
|
pammy = PAM.pam()
|
|
|
|
pammy.start(_pamservice, user, credobj.pam_conv)
|
|
|
|
pammy.authenticate()
|
|
|
|
pammy.acct_mgmt()
|
|
|
|
del pammy
|
2015-02-03 11:04:32 -05:00
|
|
|
return authorize(user, element, tenant, skipuserobj=False)
|
2015-07-30 17:08:52 -04:00
|
|
|
except NameError:
|
|
|
|
pass
|
2014-07-14 14:54:12 -04:00
|
|
|
except PAM.error:
|
|
|
|
if credobj.haspam:
|
|
|
|
return None
|
2014-02-06 13:13:16 -05:00
|
|
|
if (user, tenant) in _passcache:
|
|
|
|
if passphrase == _passcache[(user, tenant)]:
|
2013-10-09 16:17:37 -04:00
|
|
|
return authorize(user, element, tenant)
|
2013-10-08 17:49:38 -04:00
|
|
|
else:
|
|
|
|
# In case of someone trying to guess,
|
|
|
|
# while someone is legitimately logged in
|
|
|
|
# invalidate cache and force the slower check
|
2013-10-08 18:25:59 -04:00
|
|
|
del _passcache[(user, tenant)]
|
2013-10-09 16:17:37 -04:00
|
|
|
return None
|
2013-11-02 16:58:38 -04:00
|
|
|
cfm = configmanager.ConfigManager(tenant)
|
2013-10-08 17:49:38 -04:00
|
|
|
ucfg = cfm.get_user(user)
|
|
|
|
if ucfg is None or 'cryptpass' not in ucfg:
|
2014-04-18 15:52:29 -04:00
|
|
|
eventlet.sleep(0.05) # stall even on test for existence of a username
|
2013-10-09 16:17:37 -04:00
|
|
|
return None
|
2013-10-08 17:49:38 -04:00
|
|
|
_passchecking[(user, tenant)] = True
|
|
|
|
# TODO(jbjohnso): WORKERPOOL
|
|
|
|
# PBKDF2 is, by design, cpu intensive
|
|
|
|
# throw it at the worker pool when implemented
|
2014-03-04 17:12:19 -05:00
|
|
|
# maybe a distinct worker pool, wondering about starving out non-auth stuff
|
2013-10-08 17:49:38 -04:00
|
|
|
salt, crypt = ucfg['cryptpass']
|
2014-04-24 13:00:07 -04:00
|
|
|
# execute inside tpool to get greenthreads to give it a special thread
|
|
|
|
# world
|
|
|
|
#TODO(jbjohnso): util function to generically offload a call
|
|
|
|
#such a beast could be passed into pyghmi as a way for pyghmi to
|
|
|
|
#magically get offload of the crypto functions without having
|
|
|
|
#to explicitly get into the eventlet tpool game
|
|
|
|
crypted = eventlet.tpool.execute(_do_pbkdf, passphrase, salt)
|
2013-10-08 18:25:59 -04:00
|
|
|
del _passchecking[(user, tenant)]
|
2014-02-06 13:13:16 -05:00
|
|
|
eventlet.sleep(0.05) # either way, we want to stall so that client can't
|
2013-10-09 16:17:37 -04:00
|
|
|
# determine failure because there is a delay, valid response will
|
|
|
|
# delay as well
|
2013-10-08 18:25:59 -04:00
|
|
|
if crypt == crypted:
|
|
|
|
_passcache[(user, tenant)] = passphrase
|
2013-10-09 16:17:37 -04:00
|
|
|
return authorize(user, element, tenant)
|
|
|
|
return None
|
2014-04-24 13:00:07 -04:00
|
|
|
|
|
|
|
|
|
|
|
def _apply_pbkdf(passphrase, salt):
|
|
|
|
return KDF.PBKDF2(passphrase, salt, 32, 10000,
|
|
|
|
lambda p, s: hmac.new(p, s, hashlib.sha256).digest())
|
|
|
|
|
|
|
|
|
|
|
|
def _do_pbkdf(passphrase, salt):
|
|
|
|
# we must get it over to the authworkers pool or else get blocked in
|
|
|
|
# compute. However, we do want to wait for result, so we have
|
|
|
|
# one of the exceedingly rare sort of circumstances where 'apply'
|
|
|
|
# actually makes sense
|
|
|
|
return authworkers.apply(_apply_pbkdf, [passphrase, salt])
|
|
|
|
|
|
|
|
|
|
|
|
def init_auth():
|
|
|
|
# have a some auth workers available. Keep them distinct from
|
|
|
|
# the general populace of workers to avoid unauthorized users
|
|
|
|
# starving out productive work
|
|
|
|
global authworkers
|
|
|
|
# for now we'll just have one auth worker and see if there is any
|
|
|
|
# demand for more. I personally doubt it.
|
2014-07-14 14:54:12 -04:00
|
|
|
authworkers = multiprocessing.Pool(processes=1)
|