clearml-server/apiserver/service_repo/auth/auth.py

import base64
from datetime import datetime

import bcrypt
import jwt
from mongoengine import Q

from apiserver.apierrors import errors
from apiserver.config_repo import config
from apiserver.database.errors import translate_errors_context
from apiserver.database.model.auth import User, Entities, Credentials
from apiserver.database.model.company import Company
from apiserver.database.utils import get_options
from apiserver.timing_context import TimingContext
from .fixed_user import FixedUser
from .identity import Identity
from .payload import Payload, Token, Basic, AuthType

log = config.logger(__file__)

entity_keys = set(get_options(Entities))

verify_user_tokens = config.get("apiserver.auth.verify_user_tokens", True)


def get_auth_func(auth_type):
    if auth_type == AuthType.bearer_token:
        return authorize_token
    elif auth_type == AuthType.basic:
        return authorize_credentials
    raise errors.unauthorized.BadAuthType()


def authorize_token(jwt_token, *_, **__):
    """Validate token against service/endpoint and requests data (dicts).
    Returns a parsed token object (auth payload)
    """
    try:
        return Token.from_encoded_token(jwt_token)

    except jwt.exceptions.InvalidKeyError as ex:
        raise errors.unauthorized.InvalidToken(
            "jwt invalid key error", reason=ex.args[0]
        )
    except jwt.InvalidTokenError as ex:
        raise errors.unauthorized.InvalidToken("invalid jwt token", reason=ex.args[0])
    except ValueError as ex:
        log.exception("Failed while processing token: %s" % ex.args[0])
        raise errors.unauthorized.InvalidToken(
            "failed processing token", reason=ex.args[0]
        )


def authorize_credentials(auth_data, service, action, call_data_items):
    """Validate credentials against service/action and request data (dicts).
    Returns a new basic object (auth payload)
    """
    try:
        access_key, _, secret_key = (
            base64.b64decode(auth_data.encode()).decode("latin-1").partition(":")
        )
    except Exception as e:
        log.exception("malformed credentials")
        raise errors.unauthorized.BadCredentials(str(e))

    query = Q(credentials__match=Credentials(key=access_key, secret=secret_key))

    fixed_user = None

    if FixedUser.enabled():
        fixed_user = FixedUser.get_by_username(access_key)
        if fixed_user:
            if FixedUser.pass_hashed():
                if not compare_secret_key_hash(secret_key, fixed_user.password):
                    raise errors.unauthorized.InvalidCredentials(
                        "bad username or password"
                    )
            else:
                if secret_key != fixed_user.password:
                    raise errors.unauthorized.InvalidCredentials(
                        "bad username or password"
                    )

            if fixed_user.is_guest and not FixedUser.is_guest_endpoint(service, action):
                raise errors.unauthorized.InvalidCredentials(
                    "endpoint not allowed for guest"
                )

            query = Q(id=fixed_user.user_id)

    with TimingContext("mongo", "user_by_cred"), translate_errors_context(
        "authorizing request"
    ):
        user = User.objects(query).first()
        if not user:
            raise errors.unauthorized.InvalidCredentials(
                "failed to locate provided credentials"
            )

        if not fixed_user:
            # In case these are proper credentials, update last used time
            User.objects(id=user.id, credentials__key=access_key).update(
                **{"set__credentials__$__last_used": datetime.utcnow()}
            )

    with TimingContext("mongo", "company_by_id"):
        company = Company.objects(id=user.company).only("id", "name").first()

    if not company:
        raise errors.unauthorized.InvalidCredentials("invalid user company")

    identity = Identity(
        user=user.id,
        company=user.company,
        role=user.role,
        user_name=user.name,
        company_name=company.name,
    )

    basic = Basic(user_key=access_key, identity=identity)

    return basic


def authorize_impersonation(user, identity, service, action, call):
    """ Returns a new basic object (auth payload)"""
    if not user:
        raise ValueError("missing user")

    company = Company.objects(id=user.company).only("id", "name").first()
    if not company:
        raise errors.unauthorized.InvalidCredentials("invalid user company")

    return Payload(auth_type=None, identity=identity)


def compare_secret_key_hash(secret_key: str, hashed_secret: str) -> bool:
    """
    Compare hash for the passed secret key with the passed hash
    :return: True if equal. Otherwise False
    """
    return bcrypt.checkpw(
        secret_key.encode(), base64.b64decode(hashed_secret.encode("ascii"))
    )
Initial commit 2019-06-10 21:24:35 +00:00			`import base64`
Add Artifacts support, changed tags to system_tags and added user tags Add hyper parameter sorting Add min/max value for all time series metrics 2019-09-24 18:34:35 +00:00			`from datetime import datetime`

Add bcrypt support to fixed user password 2021-05-03 14:52:25 +00:00			`import bcrypt`
Initial commit 2019-06-10 21:24:35 +00:00			`import jwt`
Add fixed user list support 2019-07-08 21:04:43 +00:00			`from mongoengine import Q`
Initial commit 2019-06-10 21:24:35 +00:00
Use apiserver namespace 2021-01-05 14:28:49 +00:00			`from apiserver.apierrors import errors`
Add configuration loader 2021-01-05 14:44:31 +00:00			`from apiserver.config_repo import config`
Use apiserver namespace 2021-01-05 14:28:49 +00:00			`from apiserver.database.errors import translate_errors_context`
			`from apiserver.database.model.auth import User, Entities, Credentials`
			`from apiserver.database.model.company import Company`
			`from apiserver.database.utils import get_options`
			`from apiserver.timing_context import TimingContext`
Add fixed user list support 2019-07-08 21:04:43 +00:00			`from .fixed_user import FixedUser`
Add Artifacts support, changed tags to system_tags and added user tags Add hyper parameter sorting Add min/max value for all time series metrics 2019-09-24 18:34:35 +00:00			`from .identity import Identity`
			`from .payload import Payload, Token, Basic, AuthType`
Initial commit 2019-06-10 21:24:35 +00:00
			`log = config.logger(__file__)`

			`entity_keys = set(get_options(Entities))`

			`verify_user_tokens = config.get("apiserver.auth.verify_user_tokens", True)`


			`def get_auth_func(auth_type):`
			`if auth_type == AuthType.bearer_token:`
			`return authorize_token`
			`elif auth_type == AuthType.basic:`
			`return authorize_credentials`
			`raise errors.unauthorized.BadAuthType()`


			`def authorize_token(jwt_token, _, *__):`
Add bcrypt support to fixed user password 2021-05-03 14:52:25 +00:00			`"""Validate token against service/endpoint and requests data (dicts).`
			`Returns a parsed token object (auth payload)`
Initial commit 2019-06-10 21:24:35 +00:00			`"""`
			`try:`
			`return Token.from_encoded_token(jwt_token)`

			`except jwt.exceptions.InvalidKeyError as ex:`
Add Artifacts support, changed tags to system_tags and added user tags Add hyper parameter sorting Add min/max value for all time series metrics 2019-09-24 18:34:35 +00:00			`raise errors.unauthorized.InvalidToken(`
			`"jwt invalid key error", reason=ex.args[0]`
			`)`
Initial commit 2019-06-10 21:24:35 +00:00			`except jwt.InvalidTokenError as ex:`
Add Artifacts support, changed tags to system_tags and added user tags Add hyper parameter sorting Add min/max value for all time series metrics 2019-09-24 18:34:35 +00:00			`raise errors.unauthorized.InvalidToken("invalid jwt token", reason=ex.args[0])`
Initial commit 2019-06-10 21:24:35 +00:00			`except ValueError as ex:`
Add Artifacts support, changed tags to system_tags and added user tags Add hyper parameter sorting Add min/max value for all time series metrics 2019-09-24 18:34:35 +00:00			`log.exception("Failed while processing token: %s" % ex.args[0])`
			`raise errors.unauthorized.InvalidToken(`
			`"failed processing token", reason=ex.args[0]`
			`)`
Initial commit 2019-06-10 21:24:35 +00:00

			`def authorize_credentials(auth_data, service, action, call_data_items):`
Add bcrypt support to fixed user password 2021-05-03 14:52:25 +00:00			`"""Validate credentials against service/action and request data (dicts).`
			`Returns a new basic object (auth payload)`
Initial commit 2019-06-10 21:24:35 +00:00			`"""`
			`try:`
Add bcrypt support to fixed user password 2021-05-03 14:52:25 +00:00			`access_key, _, secret_key = (`
			`base64.b64decode(auth_data.encode()).decode("latin-1").partition(":")`
			`)`
Initial commit 2019-06-10 21:24:35 +00:00			`except Exception as e:`
Add bcrypt support to fixed user password 2021-05-03 14:52:25 +00:00			`log.exception("malformed credentials")`
Initial commit 2019-06-10 21:24:35 +00:00			`raise errors.unauthorized.BadCredentials(str(e))`

Add fixed user list support 2019-07-08 21:04:43 +00:00			`query = Q(credentials__match=Credentials(key=access_key, secret=secret_key))`

Add API version 2.4 with new trains-server capabilities including DevOps and scheduling 2019-10-25 12:36:58 +00:00			`fixed_user = None`

Add fixed user list support 2019-07-08 21:04:43 +00:00			`if FixedUser.enabled():`
			`fixed_user = FixedUser.get_by_username(access_key)`
			`if fixed_user:`
Add bcrypt support to fixed user password 2021-05-03 14:52:25 +00:00			`if FixedUser.pass_hashed():`
			`if not compare_secret_key_hash(secret_key, fixed_user.password):`
			`raise errors.unauthorized.InvalidCredentials(`
			`"bad username or password"`
			`)`
			`else:`
			`if secret_key != fixed_user.password:`
			`raise errors.unauthorized.InvalidCredentials(`
			`"bad username or password"`
			`)`
Move to ElasticSearch 7 Add initial support for project ordering Add support for sortable task duration (used by the UI in the experiment's table) Add support for project name in worker's current task info Add support for results and artifacts in pre-populates examples Add demo server features 2020-08-10 05:30:40 +00:00
			`if fixed_user.is_guest and not FixedUser.is_guest_endpoint(service, action):`
Add bcrypt support to fixed user password 2021-05-03 14:52:25 +00:00			`raise errors.unauthorized.InvalidCredentials(`
			`"endpoint not allowed for guest"`
			`)`
Move to ElasticSearch 7 Add initial support for project ordering Add support for sortable task duration (used by the UI in the experiment's table) Add support for project name in worker's current task info Add support for results and artifacts in pre-populates examples Add demo server features 2020-08-10 05:30:40 +00:00
Add fixed user list support 2019-07-08 21:04:43 +00:00			`query = Q(id=fixed_user.user_id)`

Add bcrypt support to fixed user password 2021-05-03 14:52:25 +00:00			`with TimingContext("mongo", "user_by_cred"), translate_errors_context(`
			`"authorizing request"`
			`):`
Add fixed user list support 2019-07-08 21:04:43 +00:00			`user = User.objects(query).first()`
Add Artifacts support, changed tags to system_tags and added user tags Add hyper parameter sorting Add min/max value for all time series metrics 2019-09-24 18:34:35 +00:00			`if not user:`
Add bcrypt support to fixed user password 2021-05-03 14:52:25 +00:00			`raise errors.unauthorized.InvalidCredentials(`
			`"failed to locate provided credentials"`
			`)`
Initial commit 2019-06-10 21:24:35 +00:00
Add API version 2.4 with new trains-server capabilities including DevOps and scheduling 2019-10-25 12:36:58 +00:00			`if not fixed_user:`
Add Artifacts support, changed tags to system_tags and added user tags Add hyper parameter sorting Add min/max value for all time series metrics 2019-09-24 18:34:35 +00:00			`# In case these are proper credentials, update last used time`
			`User.objects(id=user.id, credentials__key=access_key).update(`
			`**{"set__credentials__$__last_used": datetime.utcnow()}`
			`)`
Initial commit 2019-06-10 21:24:35 +00:00
			`with TimingContext("mongo", "company_by_id"):`
Add bcrypt support to fixed user password 2021-05-03 14:52:25 +00:00			`company = Company.objects(id=user.company).only("id", "name").first()`
Initial commit 2019-06-10 21:24:35 +00:00
			`if not company:`
Add bcrypt support to fixed user password 2021-05-03 14:52:25 +00:00			`raise errors.unauthorized.InvalidCredentials("invalid user company")`
Initial commit 2019-06-10 21:24:35 +00:00
Add bcrypt support to fixed user password 2021-05-03 14:52:25 +00:00			`identity = Identity(`
			`user=user.id,`
			`company=user.company,`
			`role=user.role,`
			`user_name=user.name,`
			`company_name=company.name,`
			`)`
Initial commit 2019-06-10 21:24:35 +00:00
			`basic = Basic(user_key=access_key, identity=identity)`

			`return basic`


Add Artifacts support, changed tags to system_tags and added user tags Add hyper parameter sorting Add min/max value for all time series metrics 2019-09-24 18:34:35 +00:00			`def authorize_impersonation(user, identity, service, action, call):`
Initial commit 2019-06-10 21:24:35 +00:00			`""" Returns a new basic object (auth payload)"""`
			`if not user:`
Add Artifacts support, changed tags to system_tags and added user tags Add hyper parameter sorting Add min/max value for all time series metrics 2019-09-24 18:34:35 +00:00			`raise ValueError("missing user")`
Initial commit 2019-06-10 21:24:35 +00:00
Add Artifacts support, changed tags to system_tags and added user tags Add hyper parameter sorting Add min/max value for all time series metrics 2019-09-24 18:34:35 +00:00			`company = Company.objects(id=user.company).only("id", "name").first()`
Initial commit 2019-06-10 21:24:35 +00:00			`if not company:`
Add Artifacts support, changed tags to system_tags and added user tags Add hyper parameter sorting Add min/max value for all time series metrics 2019-09-24 18:34:35 +00:00			`raise errors.unauthorized.InvalidCredentials("invalid user company")`
Initial commit 2019-06-10 21:24:35 +00:00
			`return Payload(auth_type=None, identity=identity)`
Add bcrypt support to fixed user password 2021-05-03 14:52:25 +00:00

			`def compare_secret_key_hash(secret_key: str, hashed_secret: str) -> bool:`
			`"""`
			`Compare hash for the passed secret key with the passed hash`
			`:return: True if equal. Otherwise False`
			`"""`
			`return bcrypt.checkpw(`
			`secret_key.encode(), base64.b64decode(hashed_secret.encode("ascii"))`
			`)`