1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import functools
import flask
from oslo_log import log
from oslo_policy import opts
from oslo_policy import policy as common_policy
from oslo_utils import strutils
from keystone.common import authorization
from keystone.common import context
from keystone.common import policies
from keystone.common import provider_api
from keystone.common import utils
import keystone.conf
from keystone import exception
from keystone.i18n import _
CONF = keystone.conf.CONF
LOG = log.getLogger(__name__)
PROVIDER_APIS = provider_api.ProviderAPIs
_POSSIBLE_TARGET_ACTIONS = frozenset([
rule.name for
rule in policies.list_rules() if not rule.deprecated_for_removal
])
_ENFORCEMENT_CHECK_ATTR = 'keystone:RBAC:enforcement_called'
# TODO(gmann): Remove setting the default value of config policy_file
# once oslo_policy change the default value to 'policy.yaml'.
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
class RBACEnforcer(object):
"""Enforce RBAC on API calls."""
__shared_state__ = {}
__ENFORCER = None
ACTION_STORE_ATTR = 'keystone:RBAC:action_name'
# FOR TESTS ONLY
suppress_deprecation_warnings = False
def __init__(self):
# NOTE(morgan): All Enforcer Instances use the same shared state;
# BORG pattern.
self.__dict__ = self.__shared_state__
def _check_deprecated_rule(self, action):
def _name_is_changing(rule):
deprecated_rule = rule.deprecated_rule
return (deprecated_rule and
deprecated_rule.name != rule.name and
deprecated_rule.name in self._enforcer.file_rules)
def _check_str_is_changing(rule):
deprecated_rule = rule.deprecated_rule
return (deprecated_rule and
deprecated_rule.check_str != rule.check_str and
rule.name not in self._enforcer.file_rules)
def _is_deprecated_for_removal(rule):
return (rule.deprecated_for_removal and
rule.name in self._enforcer.file_rules)
def _emit_warning():
if not self._enforcer._warning_emitted:
LOG.warning("Deprecated policy rules found. Use "
"oslopolicy-policy-generator and "
"oslopolicy-policy-upgrade to detect and resolve "
"deprecated policies in your configuration.")
self._enforcer._warning_emitted = True
registered_rule = self._enforcer.registered_rules.get(action)
if not registered_rule:
return
if (_name_is_changing(registered_rule) or
_check_str_is_changing(registered_rule) or
_is_deprecated_for_removal(registered_rule)):
_emit_warning()
def _enforce(self, credentials, action, target, do_raise=True):
"""Verify that the action is valid on the target in this context.
This method is for cases that exceed the base enforcer
functionality (notably for compatibility with `@protected` style
decorators.
:param credentials: user credentials
:param action: string representing the action to be checked, which
should be colon separated for clarity.
:param target: dictionary representing the object of the action for
object creation this should be a dictionary
representing the location of the object e.g.
{'project_id': object.project_id}
:raises keystone.exception.Forbidden: If verification fails.
Actions should be colon separated for clarity. For example:
* identity:list_users
"""
# Add the exception arguments if asked to do a raise
extra = {}
if do_raise:
extra.update(exc=exception.ForbiddenAction, action=action,
do_raise=do_raise)
try:
result = self._enforcer.enforce(
rule=action, target=target, creds=credentials, **extra)
self._check_deprecated_rule(action)
return result
except common_policy.InvalidScope:
raise exception.ForbiddenAction(action=action)
def _reset(self):
# NOTE(morgan): Used for TEST purposes only.
self.__ENFORCER = None
@property
def _enforcer(self):
# The raw oslo-policy enforcer object
if self.__ENFORCER is None:
self.__ENFORCER = common_policy.Enforcer(CONF)
# NOTE(cmurphy) when running in the keystone server, suppress
# deprecation warnings for individual policy rules. Instead, we log
# a single notification at enforcement time indicating the
# oslo.policy tools the operator can use to detect and resolve
# deprecated policies. If there is no request context here, that
# means external tooling such as the oslo.policy tools are running
# this code, in which case we do want the full deprecation warnings
# emitted for individual polcy rules.
if flask.has_request_context():
self.__ENFORCER.suppress_deprecation_warnings = True
# NOTE(cmurphy) Tests may explicitly disable these warnings to
# prevent an explosion of test logs
if self.suppress_deprecation_warnings:
self.__ENFORCER.suppress_deprecation_warnings = True
self.register_rules(self.__ENFORCER)
self.__ENFORCER._warning_emitted = False
return self.__ENFORCER
@staticmethod
def _extract_filter_values(filters):
"""Extract filter data from query params for RBAC enforcement."""
filters = filters or []
target = {i: flask.request.args[i] for
i in filters if i in flask.request.args}
if target:
if LOG.logger.getEffectiveLevel() <= log.DEBUG:
LOG.debug(
'RBAC: Adding query filter params (%s)',
', '.join(['%s=%s' % (k, v) for k, v in target.items()]))
return target
@staticmethod
def _extract_member_target_data(member_target_type, member_target):
"""Build some useful target data.
:param member_target_type: what type of target, e.g. 'user'
:type member_target_type: str or None
:param member_target: reference of the target data
:type member_target: dict or None
:returns: constructed target dict or empty dict
:rtype: dict
"""
ret_dict = {}
if ((member_target is not None and member_target_type is None) or
(member_target is None and member_target_type is not None)):
LOG.warning('RBAC: Unknown target type or target reference. '
'Rejecting as unauthorized. '
'(member_target_type=%(target_type)r, '
'member_target=%(target_ref)r)',
{'target_type': member_target_type,
'target_ref': member_target})
# Fast exit.
return ret_dict
if member_target is not None and member_target_type is not None:
ret_dict['target'] = {member_target_type: member_target}
else:
# Try and do some magic loading based upon the resource we've
# matched in our route. This is mostly so we can have a level of
# automatic pulling in the resource; strictly for some added
# DRY capabilities. In an ideal world the target is always passed
# in explicitly.
if flask.request.endpoint:
# This only works for cases of Flask-RESTful, or carefully
# crafted endpoints that live on a class. Ultimately, there
# should be more protection against something wonky
# here.
resource = flask.current_app.view_functions[
flask.request.endpoint].view_class
try:
member_name = getattr(resource, 'member_key', None)
except ValueError:
# NOTE(morgan): In the case that the ResourceBase keystone
# class is used, we raise a value error when member_key
# has not been set on the class. This is perfectly
# normal and acceptable. Set member_name to None as though
# it wasn't set.
member_name = None
func = getattr(
resource, 'get_member_from_driver', None)
if member_name is not None and callable(func):
key = '%s_id' % member_name
if key in (flask.request.view_args or {}):
# NOTE(morgan): For most correct setup, instantiate the
# view_class. There is no current support for passing
# extra args to the constructor of the view_class like
# .as_view() method would actually do. In this case
# perform a simple instantiation to represent the
# `self` pass to the unbound method.
#
# TODO(morgan): add (future) support for passing class
# instantiation args.
ret_dict['target'] = {
member_name: func(flask.request.view_args[key])
}
return ret_dict
@staticmethod
def _extract_policy_check_credentials():
# Pull out the auth context
return flask.request.environ.get(authorization.AUTH_CONTEXT_ENV, {})
@classmethod
def _extract_subject_token_target_data(cls):
ret_dict = {}
window_seconds = 0
# NOTE(morgan): Populate the subject token data into
# the policy dict at "target.token". In all liklyhood
# it is un-interesting to populate this data outside
# of the auth paths.
target = 'token'
subject_token = flask.request.headers.get('X-Subject-Token')
access_rules_support = flask.request.headers.get(
authorization.ACCESS_RULES_HEADER)
if subject_token is not None:
allow_expired = (strutils.bool_from_string(
flask.request.args.get('allow_expired', False),
default=False))
if allow_expired:
window_seconds = CONF.token.allow_expired_window
token = PROVIDER_APIS.token_provider_api.validate_token(
subject_token,
window_seconds=window_seconds,
access_rules_support=access_rules_support
)
# TODO(morgan): Expand extracted data from the subject token.
ret_dict[target] = {}
ret_dict[target]['user_id'] = token.user_id
try:
user_domain_id = token.user['domain_id']
except exception.UnexpectedError:
user_domain_id = None
if user_domain_id:
ret_dict[target].setdefault('user', {})
ret_dict[target]['user'].setdefault('domain', {})
ret_dict[target]['user']['domain']['id'] = user_domain_id
return ret_dict
@staticmethod
def _get_oslo_req_context():
return flask.request.environ.get(context.REQUEST_CONTEXT_ENV, None)
@classmethod
def _assert_is_authenticated(cls):
ctx = cls._get_oslo_req_context()
if ctx is None:
LOG.warning('RBAC: Error reading the request context generated by '
'the Auth Middleware (there is no context). Rejecting '
'request as unauthorized.')
raise exception.Unauthorized(
_('Internal error processing authentication and '
'authorization.'))
if not ctx.authenticated:
raise exception.Unauthorized(
_('auth_context did not decode anything useful'))
@classmethod
def _shared_admin_auth_token_set(cls):
ctx = cls._get_oslo_req_context()
return getattr(ctx, 'is_admin', False)
@classmethod
def enforce_call(cls, enforcer=None, action=None, target_attr=None,
member_target_type=None, member_target=None,
filters=None, build_target=None):
"""Enforce RBAC on the current request.
This will do some legwork and then instantiate the Enforcer if an
enforcer is not passed in.
:param enforcer: A pre-instantiated Enforcer object (optional)
:type enforcer: :class:`RBACEnforcer`
:param action: the name of the rule/policy enforcement to be checked
against, e.g. `identity:get_user` (optional may be
replaced by decorating the method/function with
`policy_enforcer_action`.
:type action: str
:param target_attr: complete override of the target data. This will
replace all other generated target data meaning
`member_target_type` and `member_target` are
ignored. This will also prevent extraction of
data from the X-Subject-Token. The `target` dict
should contain a series of key-value pairs such
as `{'user': user_ref_dict}`.
:type target_attr: dict
:param member_target_type: the type of the target, e.g. 'user'. Both
this and `member_target` must be passed if
either is passed.
:type member_target_type: str
:param member_target: the (dict form) reference of the member object.
Both this and `member_target_type` must be passed
if either is passed.
:type member_target: dict
:param filters: A variable number of optional string filters, these are
used to extract values from the query params. The
filters are added to the request data that is passed to
the enforcer and may be used to determine policy
action. In practice these are mainly supplied in the
various "list" APIs and are un-used in the default
supplied policies.
:type filters: iterable
:param build_target: A function to build the target for enforcement.
This is explicitly done after authentication
in order to not leak existance data before
auth.
:type build_target: function
"""
# NOTE(morgan) everything in the policy_dict may be used by the policy
# DSL to action on RBAC and request information/response data.
policy_dict = {}
# If "action" has not explicitly been overridden, see if it is set in
# Flask.g app-context (per-request thread local) meaning the
# @policy_enforcer_action decorator was used.
action = action or getattr(flask.g, cls.ACTION_STORE_ATTR, None)
if action not in _POSSIBLE_TARGET_ACTIONS:
LOG.warning('RBAC: Unknown enforcement action name `%s`. '
'Rejecting as Forbidden, this is a programming error '
'and a bug should be filed with as much information '
'about the request that caused this as possible.',
action)
# NOTE(morgan): While this is an internal error, a 500 is never
# desirable, we have handled the case and the most appropriate
# response here is to issue a 403 (FORBIDDEN) to any API calling
# enforce_call with an inappropriate action/name to look up the
# policy rule. This is simply a short-circuit as the enforcement
# code raises a 403 on an unknown action (in keystone) by default.
raise exception.Forbidden(
message=_(
'Internal RBAC enforcement error, invalid rule (action) '
'name.'))
# Mark flask.g as "enforce_call" has been called. This should occur
# before anything except the "is this a valid action" check, ensuring
# all proper "after request" checks pass, showing that the API has
# enforcement.
setattr(flask.g, _ENFORCEMENT_CHECK_ATTR, True)
# Assert we are actually authenticated
cls._assert_is_authenticated()
# Check if "is_admin", this is in support of the old "admin auth token"
# middleware with a shared "admin" token for auth
if cls._shared_admin_auth_token_set():
LOG.warning('RBAC: Bypassing authorization')
return
# NOTE(morgan): !!! ORDER OF THESE OPERATIONS IS IMPORTANT !!!
# The lowest priority values are set first and the highest priority
# values are set last.
# Populate the input attributes (view args) directly to the policy
# dict. This is to allow the policy engine to have access to the
# view args for substitution. This is to mirror the old @protected
# mechanism and ensure current policy files continue to work as
# expected.
policy_dict.update(flask.request.view_args)
# Get the Target Data Set.
if target_attr is None and build_target is None:
try:
policy_dict.update(cls._extract_member_target_data(
member_target_type, member_target))
except exception.NotFound:
# DEBUG LOG and bubble up the 404 error. This is expected
# behavior. This likely should be specific in each API. This
# should be revisited in the future and each API should make
# the explicit "existence" checks before enforcement.
LOG.debug('Extracting inferred target data resulted in '
'"NOT FOUND (404)".')
raise
except Exception as e: # nosec
# NOTE(morgan): Errors should never bubble up at this point,
# if there is an error getting the target, log it and move
# on. Raise an explicit 403, we have failed policy checks.
LOG.warning('Unable to extract inferred target data during '
'enforcement')
LOG.debug(e, exc_info=True)
raise exception.ForbiddenAction(action=action)
# Special Case, extract and add subject_token data.
subj_token_target_data = cls._extract_subject_token_target_data()
if subj_token_target_data:
policy_dict.setdefault('target', {}).update(
subj_token_target_data)
else:
if target_attr and build_target:
raise ValueError('Programming Error: A target_attr or '
'build_target must be provided, but not both')
policy_dict['target'] = target_attr or build_target()
# Pull the data from the submitted json body to generate
# appropriate input/target attributes, we take an explicit copy here
# to ensure we're not somehow corrupting
json_input = flask.request.get_json(force=True, silent=True) or {}
policy_dict.update(json_input.copy())
# Generate the filter_attr dataset.
policy_dict.update(cls._extract_filter_values(filters))
flattened = utils.flatten_dict(policy_dict)
if LOG.logger.getEffectiveLevel() <= log.DEBUG:
# LOG the Args
args_str = ', '.join(
['%s=%s' % (k, v) for
k, v in (flask.request.view_args or {}).items()])
args_str = strutils.mask_password(args_str)
LOG.debug('RBAC: Authorizing `%(action)s(%(args)s)`',
{'action': action, 'args': args_str})
ctxt = cls._get_oslo_req_context()
# Instantiate the enforcer object if needed.
enforcer_obj = enforcer or cls()
enforcer_obj._enforce(
credentials=ctxt, action=action, target=flattened)
LOG.debug('RBAC: Authorization granted')
@classmethod
def policy_enforcer_action(cls, action):
"""Decorator to set policy enforcement action name."""
if action not in _POSSIBLE_TARGET_ACTIONS:
raise ValueError('PROGRAMMING ERROR: Action must reference a '
'valid Keystone policy enforcement name.')
def wrapper(f):
@functools.wraps(f)
def inner(*args, **kwargs):
# Set the action in g on a known attr so we can reference it
# later.
setattr(flask.g, cls.ACTION_STORE_ATTR, action)
return f(*args, **kwargs)
return inner
return wrapper
@staticmethod
def register_rules(enforcer):
enforcer.register_defaults(policies.list_rules())
|
