mirror of
https://pagure.io/fm-orchestrator.git
synced 2026-02-07 07:13:17 +08:00
d1026c0df7
Save the realm and just keep the variable there for any further possible use. Signed-off-by: Chenxiong Qi <cqi@redhat.com>
235 lines
7.6 KiB
Python
235 lines
7.6 KiB
Python
# -*- coding: utf-8 -*-
|
|
# SPDX-License-Identifier: MIT
|
|
"""Auth system based on the client certificate and FAS account"""
|
|
import json
|
|
import ssl
|
|
|
|
import requests
|
|
from flask import g
|
|
|
|
from dogpile.cache import make_region
|
|
|
|
from module_build_service.errors import Unauthorized, Forbidden
|
|
from module_build_service import app, log, conf
|
|
|
|
try:
|
|
import ldap3
|
|
except ImportError:
|
|
log.warning("ldap3 import not found. ldap/krb disabled.")
|
|
|
|
|
|
client_secrets = None
|
|
region = make_region().configure("dogpile.cache.memory")
|
|
|
|
|
|
def _json_loads(content):
|
|
if not isinstance(content, str):
|
|
content = content.decode("utf-8")
|
|
return json.loads(content)
|
|
|
|
|
|
def _load_secrets():
|
|
global client_secrets
|
|
if client_secrets:
|
|
return
|
|
|
|
if "OIDC_CLIENT_SECRETS" not in app.config:
|
|
raise Forbidden("OIDC_CLIENT_SECRETS must be set in server config.")
|
|
|
|
secrets = _json_loads(open(app.config["OIDC_CLIENT_SECRETS"], "r").read())
|
|
client_secrets = list(secrets.values())[0]
|
|
|
|
|
|
def _get_token_info(token):
|
|
"""
|
|
Asks the token_introspection_uri for the validity of a token.
|
|
"""
|
|
if not client_secrets:
|
|
return None
|
|
|
|
request = {
|
|
"token": token,
|
|
"token_type_hint": "Bearer",
|
|
"client_id": client_secrets["client_id"],
|
|
"client_secret": client_secrets["client_secret"],
|
|
}
|
|
headers = {"Content-type": "application/x-www-form-urlencoded"}
|
|
|
|
resp = requests.post(client_secrets["token_introspection_uri"], data=request, headers=headers)
|
|
return resp.json()
|
|
|
|
|
|
def _get_user_info(token):
|
|
"""
|
|
Asks the userinfo_uri for more information on a user.
|
|
"""
|
|
if not client_secrets:
|
|
return None
|
|
|
|
headers = {"authorization": "Bearer " + token}
|
|
resp = requests.get(client_secrets["userinfo_uri"], headers=headers)
|
|
return resp.json()
|
|
|
|
|
|
def get_user_oidc(request):
|
|
"""
|
|
Returns the client's username and groups based on the OIDC token provided.
|
|
"""
|
|
_load_secrets()
|
|
|
|
if "authorization" not in request.headers:
|
|
raise Unauthorized("No 'authorization' header found.")
|
|
|
|
header = request.headers["authorization"].strip()
|
|
prefix = "Bearer "
|
|
if not header.startswith(prefix):
|
|
raise Unauthorized("Authorization headers must start with %r" % prefix)
|
|
|
|
token = header[len(prefix):].strip()
|
|
try:
|
|
data = _get_token_info(token)
|
|
except Exception as e:
|
|
error = "Cannot verify OIDC token: %s" % str(e)
|
|
log.exception(error)
|
|
raise Exception(error)
|
|
|
|
if not data or "active" not in data or not data["active"]:
|
|
raise Unauthorized("OIDC token invalid or expired.")
|
|
|
|
if "OIDC_REQUIRED_SCOPE" not in app.config:
|
|
raise Forbidden("OIDC_REQUIRED_SCOPE must be set in server config.")
|
|
|
|
presented_scopes = data["scope"].split(" ")
|
|
required_scopes = [
|
|
"openid",
|
|
"https://id.fedoraproject.org/scope/groups",
|
|
app.config["OIDC_REQUIRED_SCOPE"],
|
|
]
|
|
for scope in required_scopes:
|
|
if scope not in presented_scopes:
|
|
raise Unauthorized("Required OIDC scope %r not present: %r" % (scope, presented_scopes))
|
|
|
|
try:
|
|
extended_data = _get_user_info(token)
|
|
except Exception:
|
|
error = "OpenIDC auth error: Cannot determine the user's groups"
|
|
log.exception(error)
|
|
raise Unauthorized(error)
|
|
|
|
username = data["username"]
|
|
# If the user is part of the whitelist, then the group membership check is skipped
|
|
if username in conf.allowed_users:
|
|
groups = set()
|
|
else:
|
|
try:
|
|
groups = set(extended_data["groups"])
|
|
except Exception:
|
|
error = "Could not find groups in UserInfo from OIDC"
|
|
log.exception("%s (extended_data: %s)", error, extended_data)
|
|
raise Unauthorized(error)
|
|
|
|
return username, groups
|
|
|
|
|
|
def get_user_kerberos(request):
|
|
remote_name = request.environ.get("REMOTE_USER")
|
|
if not remote_name:
|
|
# When Kerberos authentication is enabled, MBS expects the
|
|
# authentication is done by a specific Apache module which sets
|
|
# REMOTE_USER properly.
|
|
raise Unauthorized("No REMOTE_USER is set.")
|
|
|
|
try:
|
|
username, realm = remote_name.split("@")
|
|
except ValueError:
|
|
raise Unauthorized("Value of REMOTE_NAME is not in format username@REALM")
|
|
|
|
# Currently, MBS does not handle the realm to authorize user. Just keep it
|
|
# here for any possible further use.
|
|
|
|
# If the user is part of the whitelist, then the group membership check is skipped
|
|
if username in conf.allowed_users:
|
|
groups = []
|
|
else:
|
|
groups = get_ldap_group_membership(username)
|
|
return username, set(groups)
|
|
|
|
|
|
@region.cache_on_arguments()
|
|
def get_ldap_group_membership(uid):
|
|
""" Small wrapper on getting the group membership so that we can use caching
|
|
:param uid: a string of the uid of the user
|
|
:return: a list of groups the user is a member of
|
|
"""
|
|
ldap_con = Ldap()
|
|
return ldap_con.get_user_membership(uid)
|
|
|
|
|
|
class Ldap(object):
|
|
""" A class that handles LDAP connections and queries
|
|
"""
|
|
|
|
connection = None
|
|
base_dn = None
|
|
|
|
def __init__(self):
|
|
if not conf.ldap_uri:
|
|
raise Forbidden("LDAP_URI must be set in server config.")
|
|
if conf.ldap_groups_dn:
|
|
self.base_dn = conf.ldap_groups_dn
|
|
else:
|
|
raise Forbidden("LDAP_GROUPS_DN must be set in server config.")
|
|
|
|
if conf.ldap_uri.startswith("ldaps://"):
|
|
tls = ldap3.Tls(
|
|
ca_certs_file="/etc/pki/tls/certs/ca-bundle.crt", validate=ssl.CERT_REQUIRED)
|
|
server = ldap3.Server(conf.ldap_uri, use_ssl=True, tls=tls)
|
|
else:
|
|
server = ldap3.Server(conf.ldap_uri)
|
|
self.connection = ldap3.Connection(server)
|
|
try:
|
|
self.connection.open()
|
|
except ldap3.core.exceptions.LDAPSocketOpenError as error:
|
|
log.error(
|
|
'The connection to "{0}" failed. The following error was raised: {1}'.format(
|
|
conf.ldap_uri, str(error)))
|
|
raise Forbidden(
|
|
"The connection to the LDAP server failed. Group membership couldn't be obtained.")
|
|
|
|
def get_user_membership(self, uid):
|
|
""" Gets the group membership of a user
|
|
:param uid: a string of the uid of the user
|
|
:return: a list of common names of the posixGroups the user is a member of
|
|
"""
|
|
ldap_filter = "(memberUid={0})".format(uid)
|
|
# Only get the groups in the base container/OU
|
|
self.connection.search(
|
|
self.base_dn, ldap_filter, search_scope=ldap3.LEVEL, attributes=["cn"])
|
|
groups = self.connection.response
|
|
try:
|
|
return [group["attributes"]["cn"][0] for group in groups]
|
|
except KeyError:
|
|
log.exception(
|
|
"The LDAP groups could not be determined based on the search results "
|
|
'of "{0}"'.format(str(groups)))
|
|
return []
|
|
|
|
|
|
def get_user(request):
|
|
""" Authenticates the user and returns the username and group name
|
|
:param request: a Flask request
|
|
:return: a tuple with a string representing the user name and a set with the user's group
|
|
membership such as ('mprahl', {'factory2', 'devel'})
|
|
"""
|
|
if conf.no_auth is True:
|
|
log.debug("Authorization is disabled.")
|
|
return "anonymous", {"packager"}
|
|
|
|
if "user" not in g and "groups" not in g:
|
|
get_user_func_name = "get_user_{0}".format(conf.auth_method)
|
|
get_user_func = globals().get(get_user_func_name)
|
|
if not get_user_func:
|
|
raise RuntimeError('The function "{0}" is not implemented'.format(get_user_func_name))
|
|
g.user, g.groups = get_user_func(request)
|
|
return g.user, g.groups
|