Merge pull request #20 from CSCfi/feature/authentication

blankdots · web-flow · commit bcac9b6aabc6 · 2019-12-10T08:16:34.000+02:00
Merge authentication support
diff --git a/Dockerfile b/Dockerfile
@@ -35,4 +35,7 @@ COPY ./deploy/app.sh /app/app.sh
 
 RUN chmod +x /app/app.sh
 
+RUN adduser --disabled-password --no-create-home swiftsharing
+USER swiftsharing
+
 ENTRYPOINT ["/bin/sh", "-c", "/app/app.sh"]
diff --git a/bindings/js/swift_x_account_sharing_bind.js b/bindings/js/swift_x_account_sharing_bind.js
@@ -4,9 +4,11 @@ class SwiftXAccountSharing {
   // Swift cross account sharing backend client.
   
   constructor (
-    address
+    address,
+    signatureAddress = "",
   ) {
     this.address = address;
+    this.signatureAddress = signatureAddress;
   }
 
   _parseListString (
@@ -20,11 +22,37 @@ class SwiftXAccountSharing {
     return ret.slice(0, ret.length - 1);
   }
 
+  async _getSignature(
+    validFor,
+    toSign
+  ) {
+    // Get a signature for an API call.
+    if (this.signatureAddress != "") {
+      let signatureUrl = new URL("/sign/".concat(validFor), this.signatureAddress);
+      signatureUrl.searchParams.append("path", toSign);
+      let signed = await fetch(
+        signatureUrl, {method: "GET", credentials: "same-origin"}
+      );
+      return signed.json();
+    }
+    else {
+      return undefined;
+    }
+  }
+
   async getAccess (
     username
   ) {
     // List the containers the user has been given access to.
     let url = new URL("/access/".concat(username), this.address);
+
+    let signed = await this._getSignature(
+      60,
+      "/access/".concat(username)
+    );
+    url.searchParams.append("valid", signed.valid_until);
+    url.searchParams.append("signature", signed.signature);
+
     let containers = fetch(
       url, {method: "GET"}
     ).then(
@@ -42,6 +70,14 @@ class SwiftXAccountSharing {
     let url = new URL(
       "/access/".concat(username, "/", container), this.address
     );
+
+    let signed = await this._getSignature(
+      60,
+      "/access/".concat(username, "/", container)
+    );
+    url.searchParams.append("valid", signed.valid_until);
+    url.searchParams.append("signature", signed.signature);
+
     url.searchParams.append("owner", owner);
     let details = fetch(
       url, {method: "GET"}
@@ -56,6 +92,14 @@ class SwiftXAccountSharing {
   ) {
     // List the containers the user has shared to another user / users.
     let url = new URL("/share/".concat(username), this.address);
+
+    let signed = await this._getSignature(
+      60,
+      "/share/".concat(username)
+    );
+    url.searchParams.append("valid", signed.valid_until);
+    url.searchParams.append("signature", signed.signature);
+
     let shared = fetch(
       url, {method: "GET"}
     ).then(
@@ -72,6 +116,14 @@ class SwiftXAccountSharing {
     let url = new URL(
       "/share/".concat(username, "/", container), this.address
     );
+
+    let signed = await this._getSignature(
+      60,
+      "/share/".concat(username, "/", container)
+    );
+    url.searchParams.append("valid", signed.valid_until);
+    url.searchParams.append("signature", signed.signature);
+
     let details = fetch(
       url, {method: "GET"}
     ).then(
@@ -94,6 +146,14 @@ class SwiftXAccountSharing {
     url.searchParams.append("user", this._parseListString(userlist));
     url.searchParams.append("access", this._parseListString(accesslist));
     url.searchParams.append("address", address);
+
+    let signed = await this._getSignature(
+      60,
+      "/share/".concat(username, "/", container)
+    );
+    url.searchParams.append("valid", signed.valid_until);
+    url.searchParams.append("signature", signed.signature);
+
     let shared = fetch(
       url, {method: "POST"}
     ).then(
@@ -114,6 +174,14 @@ class SwiftXAccountSharing {
     );
     url.searchParams.append("user", this._parseListString(userlist));
     url.searchParams.append("access", this._parseListString(accesslist));
+
+    let signed = await this._getSignature(
+      60,
+      "/share/".concat(username, "/", container)
+    );
+    url.searchParams.append("valid", signed.valid_until);
+    url.searchParams.append("signature", signed.signature);
+
     let shared = fetch(
       url, {method: "PATCH"}
     ).then(
@@ -132,6 +200,14 @@ class SwiftXAccountSharing {
       "/share/".concat(username, "/", container), this.address
     );
     url.searchParams.append("user", this._parseListString(userlist));
+    url.searchParams.append("valid", signed.valid_until);
+    url.searchParams.append("signature", signed.signature);
+
+    let signed = await this._getSignature(
+      60,
+      "/share/".concat(username, "/", container)
+    );
+
     let deleted = fetch(
       url, {method: "DELETE"}
     ).then(
diff --git a/swift_x_account_sharing/auth.py b/swift_x_account_sharing/auth.py
@@ -0,0 +1,74 @@
+"""Authentication module for the swift-sharing-request."""
+
+# The authentication is done via requests signed with a pre-whitelisted token.
+# This is done to prevent invalid usage. New tokens can be created either
+# manually on the platform that's running the software, or by
+# pre-authenticating via Openstack Keystone.
+
+# Authentication engine is written as an aiohttp middleware function.
+
+
+import os
+import typing
+import hmac
+
+import aiohttp.web
+
+
+AiohttpHandler = typing.Callable[[aiohttp.web.Request], aiohttp.web.Response]
+
+
+async def read_in_keys(
+        app: aiohttp.web.Application
+):
+    """Read in keys to the application."""
+    keys = os.environ.get("SWIFT_UI_API_AUTH_TOKENS", None)
+    app["tokens"] = keys.split(",") if keys is not None else []
+    if app["tokens"]:
+        app["tokens"] = [
+            token.encode("utf-8") for token in app["tokens"]
+        ]
+
+
+async def test_signature(
+        tokens: typing.List[bytes],
+        signature: str,
+        message: str,
+) -> bool:
+    """Validate signature against the given tokens."""
+    byte_message = message.encode("utf-8")
+    for token in tokens:
+        digest = hmac.new(
+            token,
+            byte_message,
+            digestmod="sha256"
+        ).hexdigest()
+        if digest == signature:
+            return
+    raise aiohttp.web.HTTPUnauthorized(
+        reason="Missing valid query signature"
+    )
+
+
+@aiohttp.web.middleware
+async def handle_validate_authentication(
+        request: aiohttp.web.Request,
+        handler: AiohttpHandler,
+) -> aiohttp.web.Response:
+    """Handle the authentication of a response as a middleware function."""
+    try:
+        signature = request.query["signature"]
+        validity = request.query["valid"]
+        path = request.url.path
+    except KeyError:
+        raise aiohttp.web.HTTPClientError(
+            reason="Query string missing validity or signature."
+        )
+
+    await test_signature(
+        request.app["tokens"],
+        signature,
+        validity + path
+    )
+
+    return await handler(request)
diff --git a/swift_x_account_sharing/middleware.py b/swift_x_account_sharing/middleware.py
@@ -1,13 +1,22 @@
 """Middleware for adding CORS headers for API calls."""
 
 
+import typing
+
 import aiohttp.web
+from asyncpg import UniqueViolationError
 
 from .db import DBConn
 
 
+AiohttpHandler = typing.Callable[[aiohttp.web.Request], aiohttp.web.Response]
+
+
 @aiohttp.web.middleware
-async def add_cors(request, handler):
+async def add_cors(
+        request: aiohttp.web.Request,
+        handler: AiohttpHandler
+) -> aiohttp.web.Response:
     """Add CORS header for API responses."""
     resp = await handler(request)
     if "origin" in request.headers.keys():
@@ -16,7 +25,10 @@ async def add_cors(request, handler):
 
 
 @aiohttp.web.middleware
-async def check_db_conn(request, handler):
+async def check_db_conn(
+        request: aiohttp.web.Request,
+        handler: AiohttpHandler
+) -> aiohttp.web.Response:
     """Check if an established database connection exists."""
     if (
             isinstance(request.app["db_conn"], DBConn)
@@ -26,3 +38,17 @@ async def check_db_conn(request, handler):
             reason="No database connection."
         )
     return await handler(request)
+
+
+@aiohttp.web.middleware
+async def catch_uniqueness_error(
+        request: aiohttp.web.Request,
+        handler: AiohttpHandler
+) -> aiohttp.web.Response:
+    """Catch excepetion arising from a non-unique primary key."""
+    try:
+        return await handler(request)
+    except UniqueViolationError:
+        raise aiohttp.web.HTTPClientError(
+            reason="Duplicate entries are not allowed."
+        )
diff --git a/swift_x_account_sharing/preflight.py b/swift_x_account_sharing/preflight.py
@@ -0,0 +1,15 @@
+"""Module containing preflight OPTIONS handlers."""
+
+
+import aiohttp.web
+
+
+async def handle_delete_preflight(_) -> aiohttp.web.Response:
+    """Serve correct response headers to allowed DELETE preflight query."""
+    resp = aiohttp.web.Response(
+        headers={
+            "Access-Control-Allow-Methods": "POST, OPTIONS, DELETE",
+            "Access-Control-Max-Age": "84600",
+        }
+    )
+    return resp
diff --git a/swift_x_account_sharing/server.py b/swift_x_account_sharing/server.py
@@ -24,8 +24,14 @@
 from .db import DBConn
 from .middleware import (
     add_cors,
-    check_db_conn
+    check_db_conn,
+    catch_uniqueness_error
 )
+from .auth import (
+    read_in_keys,
+    handle_validate_authentication,
+)
+from .preflight import handle_delete_preflight
 
 
 logging.basicConfig(level=logging.DEBUG)
@@ -34,7 +40,9 @@
 asyncio.set_event_loop_policy(uvloop.EventLoopPolicy())
 
 
-async def resume_on_start(app):
+async def resume_on_start(
+        app: aiohttp.web.Application
+):
     """Resume old instance from start."""
     # If using dict_db read the database on disk, if it exists
     if (
@@ -46,7 +54,9 @@ async def resume_on_start(app):
         await app["db_conn"].open()
 
 
-async def save_on_shutdown(app):
+async def save_on_shutdown(
+        app: aiohttp.web.Application
+):
     """Flush the database on shutdown."""
     # If using dict_db dump the database on disk, using default file.
     if isinstance(app["db_conn"], InMemDB):
@@ -55,10 +65,15 @@ async def save_on_shutdown(app):
         await app["db_conn"].close()
 
 
-async def init_server():
+async def init_server() -> aiohttp.web.Application:
     """Initialize the server."""
     app = aiohttp.web.Application(
-        middlewares=[add_cors, check_db_conn]
+        middlewares=[
+            add_cors,
+            check_db_conn,
+            handle_validate_authentication,
+            catch_uniqueness_error,
+        ]
     )
 
     if os.environ.get("SHARING_DB_POSTGRES", None):
@@ -75,15 +90,20 @@ async def init_server():
                          share_container_handler),
         aiohttp.web.patch("/share/{owner}/{contanier}", edit_share_handler),
         aiohttp.web.delete("/share/{owner}/{container}", delete_share_handler),
+        aiohttp.web.options("/share/{owner}/{container}",
+                            handle_delete_preflight),
     ])
 
     app.on_startup.append(resume_on_start)
+    app.on_startup.append(read_in_keys)
     app.on_shutdown.append(save_on_shutdown)
 
     return app
 
 
-def run_server_devel(app):
+def run_server_devel(
+        app: aiohttp.web.Application
+):
     """Run the server in development mode (without HTTPS)."""
     aiohttp.web.run_app(
         app,
