From b99f2078a1cdd010b814a2491f2b245bbe4affa7 Mon Sep 17 00:00:00 2001 From: Lisa Zangrando Date: Mon, 22 May 2017 12:23:38 +0200 Subject: [PATCH] Missing security support This fix provides to Synergy a security mechanism highly configurable. The security policies are pluggable so that it is possible to define any kind of authorization checks. This commit includes a very simple authorization plugin (i.e. synergy.auth.plugin.LocalHostAuthorization) which denies any command coming from clients having IP address different from the Synergy's one. Bug: #1691352 Change-Id: I2535b2a3edeea5e56cd8918d01070a6f8a534c3e Sem-Ver: bugfix --- config/synergy.conf | 3 ++ synergy/auth/__init__.py | 0 synergy/auth/plugin.py | 30 ++++++++++++++ synergy/client/command.py | 14 ++++++- synergy/client/keystone_v3.py | 5 +++ synergy/client/shell.py | 6 +-- synergy/common/config.py | 8 ++-- synergy/common/utils.py | 4 ++ synergy/exception.py | 4 ++ synergy/service.py | 40 +++++++++++++++++-- .../unit/test_client_command_httpcommand.py | 2 +- 11 files changed, 104 insertions(+), 12 deletions(-) create mode 100644 synergy/auth/__init__.py create mode 100644 synergy/auth/plugin.py diff --git a/config/synergy.conf b/config/synergy.conf index 214e469..3a67517 100644 --- a/config/synergy.conf +++ b/config/synergy.conf @@ -37,3 +37,6 @@ max_header_line = 16384 retry_until_window = 30 tcp_keepidle = 600 backlog = 4096 + +[Authorization] +# plugin = synergy.auth.plugin.LocalHostAuthorization diff --git a/synergy/auth/__init__.py b/synergy/auth/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/synergy/auth/plugin.py b/synergy/auth/plugin.py new file mode 100644 index 0000000..07b8433 --- /dev/null +++ b/synergy/auth/plugin.py @@ -0,0 +1,30 @@ +from synergy.exception import AuthorizationError + + +__author__ = "Lisa Zangrando" +__email__ = "lisa.zangrando[AT]pd.infn.it" +__copyright__ = """Copyright (c) 2015 INFN - INDIGO-DataCloud +All Rights Reserved + +Licensed under the Apache License, Version 2.0; +you may not use this file except in compliance with the +License. You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + either express or implied. + See the License for the specific language governing + permissions and limitations under the License.""" + + +class LocalHostAuthorization(object): + + def authorize(self, context): + server_addr = context.get("SERVER_NAME") + remote_addr = context.get("REMOTE_ADDR") + + if not server_addr or not remote_addr or server_addr != remote_addr: + raise AuthorizationError("You are not authorized!") diff --git a/synergy/client/command.py b/synergy/client/command.py index 5482b14..48593c8 100644 --- a/synergy/client/command.py +++ b/synergy/client/command.py @@ -28,15 +28,27 @@ class HTTPCommand(object): def __init__(self, name): self.name = name + self.token = None def getName(self): return self.name + def setToken(self, token): + self.token = token + def configureParser(self, subparser): raise NotImplementedError("not implemented!") def execute(self, synergy_url, payload=None): - request = requests.get(synergy_url, params=payload) + headers = None + + if self.token: + headers = {"Content-Type": "application/json", + "Accept": "application/json", + "User-Agent": "synergy_client", + "X-Auth-Token": self.token.getId()} + + request = requests.get(synergy_url, headers=headers, params=payload) request.raise_for_status() try: diff --git a/synergy/client/keystone_v3.py b/synergy/client/keystone_v3.py index 7eee1f3..dc793f6 100644 --- a/synergy/client/keystone_v3.py +++ b/synergy/client/keystone_v3.py @@ -208,6 +208,11 @@ class KeystoneClient(object): self.token = Token(token_subject, token_data) + return self.token + + def getToken(self): + return self.token + def getService(self, name): for service in self.token.getCatalog(): if service["name"] == name: diff --git a/synergy/client/shell.py b/synergy/client/shell.py index 0cc3a56..627a1c4 100644 --- a/synergy/client/shell.py +++ b/synergy/client/shell.py @@ -124,6 +124,7 @@ def main(): os_cacert = args.os_cacert bypass_url = args.bypass_url command_name = args.command_name + token = None if bypass_url: synergy_url = bypass_url @@ -157,15 +158,14 @@ def main(): project_domain_id=os_project_domain_id, project_domain_name=os_project_domain_name) - client.authenticate() - + token = client.authenticate() synergy_endpoint = client.getEndpoint("synergy") - synergy_url = synergy_endpoint["url"] if command_name not in commands: print("command %r not found!" % command_name) + commands[command_name].setToken(token) commands[command_name].execute(synergy_url, args) except KeyboardInterrupt as e: print("Shutting down synergyclient") diff --git a/synergy/common/config.py b/synergy/common/config.py index cac32a9..fb7be2a 100644 --- a/synergy/common/config.py +++ b/synergy/common/config.py @@ -21,9 +21,9 @@ permissions and limitations under the License.""" CONF = cfg.CONF -service_opts = [ - cfg.StrOpt("topic", default="synergy_topic", help="the topic"), - cfg.StrOpt("exchange", default="synergy_exchange", help="the exchange"), +auth_opts = [ + cfg.StrOpt("plugin", default="noauth", help="the authorization plugin"), + cfg.StrOpt("policy_file", default="policy.json", help="the plucy file"), ] wsgi_opts = [ @@ -67,9 +67,9 @@ manager_opts = [ cfg.IntOpt("rate", default=60) ] -cfg.CONF.register_opts(service_opts) cfg.CONF.register_opts(wsgi_opts, group="WSGI") cfg.CONF.register_opts(logger_opts, group="Logger") +cfg.CONF.register_opts(auth_opts, group="Authorization") def parseArgs(args=None, usage=None, default_config_files=None): diff --git a/synergy/common/utils.py b/synergy/common/utils.py index 15b8f77..2add5ee 100644 --- a/synergy/common/utils.py +++ b/synergy/common/utils.py @@ -37,6 +37,10 @@ def import_class(import_str): (class_str, traceback.format_exception(*sys.exc_info()))) +def instantiate_class(class_str): + return import_class(class_str)() + + def objectHookHandler(json_dict): for key, value in json_dict.items(): if isinstance(value, dict): diff --git a/synergy/exception.py b/synergy/exception.py index 9005b28..955ebc8 100644 --- a/synergy/exception.py +++ b/synergy/exception.py @@ -19,3 +19,7 @@ permissions and limitations under the License.""" class SynergyError(Exception): pass + + +class AuthorizationError(Exception): + pass diff --git a/synergy/service.py b/synergy/service.py index 39d4a7c..e5a1b55 100644 --- a/synergy/service.py +++ b/synergy/service.py @@ -15,7 +15,9 @@ from synergy.common import config from synergy.common.manager import Manager from synergy.common.serializer import SynergyEncoder from synergy.common.service import Service +from synergy.common import utils from synergy.common.wsgi import Server +from synergy.exception import AuthorizationError from synergy.exception import SynergyError @@ -91,9 +93,17 @@ class Synergy(Service): self.managers = {} self.wsgi_server = None + self.auth_plugin = CONF.Authorization.plugin + + if self.auth_plugin == "noauth": + LOG.info("the authorization is disabled!") + self.auth_plugin = None + else: + LOG.info("loading the auth_plugin %s" % self.auth_plugin) + self.auth_plugin = utils.instantiate_class(self.auth_plugin) for entry in iter_entry_points(MANAGER_ENTRY_POINT): - LOG.info("loading manager %s", entry.name) + LOG.info("loading the %s manager", entry.name) try: CONF.register_opts(config.manager_opts, group=entry.name) @@ -143,6 +153,28 @@ class Synergy(Service): self.saved_args, self.saved_kwargs = args, kwargs + def authorizationRequired(f): + def wrapper(self, *args, **kw): + if self.auth_plugin: + context = args[0] + context["managers"] = self.managers + query = context.get("QUERY_STRING", None) + + if query: + context.update(parse_qs(query)) + + try: + self.auth_plugin.authorize(context) + except AuthorizationError as ex: + args[1]("401 Unauthorized", + [("Content-Type", "text/plain")]) + return [ex.message] + + return f(self, *args, **kw) + + return wrapper + + @authorizationRequired def listManagers(self, environ, start_response): result = [] @@ -156,6 +188,7 @@ class Synergy(Service): start_response("200 OK", [("Content-Type", "text/html")]) return ["%s" % json.dumps(result, cls=SynergyEncoder)] + @authorizationRequired def getManagerStatus(self, environ, start_response): manager_list = None result = [] @@ -194,10 +227,10 @@ class Synergy(Service): start_response("200 OK", [("Content-Type", "text/html")]) return ["%s" % json.dumps(result, cls=SynergyEncoder)] + @authorizationRequired def executeCommand(self, environ, start_response): manager_name = None command = None - query = environ.get("QUERY_STRING", None) if not query: @@ -251,6 +284,7 @@ class Synergy(Service): [("Content-Type", "text/plain")]) return ["error: %s" % ex] + @authorizationRequired def startManager(self, environ, start_response): manager_list = None result = [] @@ -308,10 +342,10 @@ class Synergy(Service): start_response("200 OK", [("Content-Type", "text/html")]) return ["%s" % json.dumps(result, cls=SynergyEncoder)] + @authorizationRequired def stopManager(self, environ, start_response): manager_list = None result = [] - query = environ.get("QUERY_STRING", None) if not query: diff --git a/synergy/tests/unit/test_client_command_httpcommand.py b/synergy/tests/unit/test_client_command_httpcommand.py index d241db6..694d755 100644 --- a/synergy/tests/unit/test_client_command_httpcommand.py +++ b/synergy/tests/unit/test_client_command_httpcommand.py @@ -47,5 +47,5 @@ class TestHTTPCommand(base.TestCase): as m: result = self.http_command.execute("dummy_url") - m.assert_called_once_with("dummy_url", params=None) + m.assert_called_once_with("dummy_url", headers=None, params=None) self.assertEqual({"test": True}, result)