Authentication setup

.pre-commit-config.yaml

@@ -1,20 +1,20 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v2.3.0
+    rev: v4.5.0
     hooks:
       - id: check-yaml
       - id: end-of-file-fixer
       - id: trailing-whitespace
   - repo: https://github.com/psf/black
-    rev: 22.10.0
+    rev: 23.11.0
     hooks:
       - id: black
   - repo: https://github.com/pycqa/isort
-    rev: 5.11.2
+    rev: 5.12.0
     hooks:
       - id: isort
         name: isort (python)
   - repo: https://github.com/pycqa/flake8
-    rev: 5.0.4
+    rev: 6.1.0
     hooks:
     - id: flake8

requirements.txt

@@ -33,3 +33,5 @@ SQLAlchemy-Utils==0.38.3
 pydantic==1.10.2
 Werkzeug==2.2.3
 greenlet==3.0.1
+Authlib==1.0.1
+python-jose==3.1.0

src/cnaas_nms/api/app.py

@@ -6,11 +6,12 @@
 from engineio.payload import Payload
 from flask import Flask, jsonify, request
 from flask_cors import CORS
-from flask_jwt_extended import JWTManager, decode_token
+from flask_jwt_extended import JWTManager
 from flask_jwt_extended.exceptions import InvalidHeaderError, NoAuthorizationError
 from flask_restx import Api
 from flask_socketio import SocketIO, join_room
-from jwt.exceptions import DecodeError, InvalidSignatureError, InvalidTokenError
+from jwt.exceptions import DecodeError, InvalidSignatureError, InvalidTokenError, ExpiredSignatureError, InvalidKeyError
+from authlib.integrations.flask_client import OAuth
 
 from cnaas_nms.api.device import (
     device_api,
@@ -24,6 +25,7 @@
     device_update_interfaces_api,
     devices_api,
 )
+from cnaas_nms.api.auth import api as auth_api
 from cnaas_nms.api.firmware import api as firmware_api
 from cnaas_nms.api.groups import api as groups_api
 from cnaas_nms.api.interface import api as interfaces_api
@@ -35,11 +37,15 @@
 from cnaas_nms.api.repository import api as repository_api
 from cnaas_nms.api.settings import api as settings_api
 from cnaas_nms.api.system import api as system_api
+
+from cnaas_nms.app_settings import auth_settings
 from cnaas_nms.app_settings import api_settings
+
 from cnaas_nms.tools.log import get_logger
-from cnaas_nms.tools.security import get_jwt_identity, jwt_required
+from cnaas_nms.tools.security import get_identity, login_required
 from cnaas_nms.version import __api_version__
 
+
 logger = get_logger()
 
 
@@ -52,31 +58,51 @@
     }
 }
 
-jwt_query_r = re.compile(r"jwt=[^ &]+")
+jwt_query_r = re.compile(r"code=[^ &]+")
 
 
 class CnaasApi(Api):
     def handle_error(self, e):
         if isinstance(e, DecodeError):
             data = {"status": "error", "data": "Could not decode JWT token"}
+        elif isinstance(e, InvalidKeyError):
+            data = {"status": "error", "data": "Invalid keys {}".format(e)}
         elif isinstance(e, InvalidTokenError):
             data = {"status": "error", "data": "Invalid authentication header: {}".format(e)}
         elif isinstance(e, InvalidSignatureError):
             data = {"status": "error", "data": "Invalid token signature"}
         elif isinstance(e, IndexError):
-            # We might catch IndexErrors which are not cuased by JWT,
+            # We might catch IndexErrors which are not caused by JWT,
             # but this is better than nothing.
             data = {"status": "error", "data": "JWT token missing?"}
         elif isinstance(e, NoAuthorizationError):
             data = {"status": "error", "data": "JWT token missing?"}
         elif isinstance(e, InvalidHeaderError):
             data = {"status": "error", "data": "Invalid header, JWT token missing? {}".format(e)}
+        elif isinstance(e, ExpiredSignatureError):
+            data = {"status": "error", "data": "The JWT token is expired"}
         else:
             return super(CnaasApi, self).handle_error(e)
         return jsonify(data), 401
 
 
 app = Flask(__name__)
+
+# To register the OAuth client
+oauth = OAuth(app)
+client = oauth.register(
+    "connext",
+    server_metadata_url=auth_settings.OIDC_CONF_WELL_KNOWN_URL,
+    client_id=auth_settings.OIDC_CLIENT_ID,
+    client_secret=auth_settings.OIDC_CLIENT_SECRET,
+    client_kwargs={"scope": "openid"},
+    response_type="code",
+    response_mode="query",
+)
+
+if api_settings.JWT_ENABLED:
+    app.config["SECRET_KEY"] = os.urandom(128)
+
 app.config["RESTX_JSON"] = {"cls": CNaaSJSONEncoder}
 
 # TODO: make origins configurable
@@ -88,14 +114,16 @@ def handle_error(self, e):
 Payload.max_decode_packets = 500
 socketio = SocketIO(app, cors_allowed_origins="*")
 
+
+if api_settings.JWT_ENABLED or auth_settings.OIDC_ENABLED:
+    app.config["SECRET_KEY"] = os.urandom(128)
 if api_settings.JWT_ENABLED:
     try:
         jwt_pubkey = open(api_settings.JWT_CERT).read()
     except Exception as e:
         print("Could not load public JWT cert from api.yml config: {}".format(e))
         sys.exit(1)
 
-    app.config["SECRET_KEY"] = os.urandom(128)
     app.config["JWT_PUBLIC_KEY"] = jwt_pubkey
     app.config["JWT_IDENTITY_CLAIM"] = "sub"
     app.config["JWT_ALGORITHM"] = "ES256"
@@ -108,6 +136,7 @@ def handle_error(self, e):
     app, prefix="/api/{}".format(__api_version__), authorizations=authorizations, security="apikey", doc="/api/doc/"
 )
 
+api.add_namespace(auth_api)
 api.add_namespace(device_api)
 api.add_namespace(devices_api)
 api.add_namespace(device_init_api)
@@ -136,9 +165,9 @@ def handle_error(self, e):
 
 # SocketIO on connect
 @socketio.on("connect")
-@jwt_required
+@login_required
 def socketio_on_connect():
-    user = get_jwt_identity()
+    user = get_identity()
     if user:
         logger.info("User: {} connected via socketio".format(user))
         return True
@@ -165,18 +194,20 @@ def socketio_on_events(data):
 # Log all requests, include username etc
 @app.after_request
 def log_request(response):
-    try:
-        token = request.headers.get("Authorization").split(" ")[-1]
-        user = decode_token(token).get("sub")
-    except Exception:
-        user = "unknown"
     try:
         url = re.sub(jwt_query_r, "", request.url)
-        logger.info(
-            "User: {}, Method: {}, Status: {}, URL: {}, JSON: {}".format(
-                user, request.method, response.status_code, url, request.json
+        if request.headers.get('content-type') == 'application/json':
+            logger.info(
+                "Method: {}, Status: {}, URL: {}, JSON: {}".format(
+                    request.method, response.status_code, url, request.json
+                )
+            )
+        else:
+            logger.info(
+                "Method: {}, Status: {}, URL: {}".format(
+                    request.method, response.status_code, url
+                )
             )
-        )
     except Exception:
         pass
     return response

src/cnaas_nms/api/auth.py

@@ -0,0 +1,85 @@
+from authlib.integrations.base_client.errors import MismatchingStateError
+from flask import current_app, redirect, url_for
+from flask_restx import Namespace, Resource
+from requests.models import PreparedRequest
+
+from cnaas_nms.api.generic import empty_result
+from cnaas_nms.app_settings import auth_settings
+from cnaas_nms.tools.log import get_logger
+from cnaas_nms.tools.security import get_identity, login_required
+from cnaas_nms.version import __api_version__
+
+logger = get_logger()
+api = Namespace("auth", description="API for handling auth", prefix="/api/{}".format(__api_version__))
+
+
+class LoginApi(Resource):
+    def get(self):
+        """Function to initiate a login of the user.
+        The user will be sent to the page to login.
+        Our client info will also be checked.
+
+        Note:
+            We also discussed adding state to this function.
+            That way you could be sent to the same page once you logged in.
+            We would put the relevant information in a dictionary,
+            base64 encode it and sent it around as a parameter.
+            For now the application is small and it didn't seem needed.
+
+        Returns:
+            A HTTP redirect response to OIDC_CONF_WELL_KNOWN_URL we have defined.
+            We give the auth call as a parameter to redirect after login is successfull.
+
+        """
+        if not auth_settings.OIDC_ENABLED:
+            return empty_result(status="error", data="Can't login when OIDC disabled"), 500
+        oauth_client = current_app.extensions["authlib.integrations.flask_client"]
+        redirect_uri = url_for("auth_auth_api", _external=True)
+
+        return oauth_client.connext.authorize_redirect(redirect_uri)
+
+
+class AuthApi(Resource):
+    def get(self):
+        """Function to authenticate the user.
+        This API call is called by the OAUTH login after the user has logged in.
+        We get the users token and redirect them to right page in the frontend.
+
+        Returns:
+            A HTTP redirect response to the url in the frontend that handles the repsonse after login.
+            The access token is a parameter in the url
+
+        """
+
+        oauth_client = current_app.extensions["authlib.integrations.flask_client"]
+
+        try:
+            token = oauth_client.connext.authorize_access_token()
+        except MismatchingStateError as e:
+            logger.error("Exception during authorization of the access token: {}".format(str(e)))
+            return (
+                empty_result(
+                    status="error",
+                    data="Exception during authorization of the access token. Please try to login again.",
+                ),
+                502,
+            )
+
+        url = auth_settings.FRONTEND_CALLBACK_URL
+        parameters = {"token": token["access_token"]}
+
+        req = PreparedRequest()
+        req.prepare_url(url, parameters)
+        return redirect(req.url, code=302)
+
+
+class IdentityApi(Resource):
+    @login_required
+    def get(self):
+        identity = get_identity()
+        return identity
+
+
+api.add_resource(LoginApi, "/login")
+api.add_resource(AuthApi, "/auth")
+api.add_resource(IdentityApi, "/identity")