Source code for gateone.auth.authentication

# -*- coding: utf-8 -*-
#
#       Copyright 2013 Liftoff Software Corporation
#

# Meta
__license__ = "AGPLv3 or Proprietary (see LICENSE.txt)"
__author__ = 'Dan McDougall <daniel.mcdougall@liftoffsoftware.com>'

__doc__ = """\
.. _auth.py:

Authentication
==============
This module contains Gate One's authentication classes.  They map to Gate One's
--auth configuration option like so:

=============== ===================
--auth=none     NullAuthHandler
--auth=kerberos KerberosAuthHandler
--auth=google   GoogleAuthHandler
--auth=pam      PAMAuthHandler
--auth=api      APIAuthHandler
=============== ===================

.. note:: API authentication is handled inside of :ref:`gateone.py`

None or Anonymous
-----------------
By default Gate One will not authenticate users.  This means that user sessions
will be tied to their browser cookie and users will not be able to resume their
sessions from another computer/browser.  Most useful for situations where
session persistence and logging aren't important.

*All* users will show up as ANONYMOUS using this authentication type.

Kerberos
--------
Kerberos authentication utilizes GSSAPI for Single Sign-on (SSO) but will fall
back to HTTP Basic authentication if GSSAPI auth fails.  This authentication
type can be integrated into any Kerberos infrastructure including Windows
Active Directory.

It is great for both transparent authentication and being able to tie sessions
and logs to specific users within your organization (compliance).

.. note::

    The sso.py module itself has extensive documentation on this authentication
    type.

Google Authentication
---------------------
If you want persistent user sessions but don't care to run your own
authentication infrastructure this authentication type is for you.  Assuming,
of course, that your Gate One server and clients will have access to the
Internet.

.. note::

    This authentication type is perfect if you're using Chromebooks (Chrome OS
    devices).

API Authentication
------------------
API-based authentication is actually handled in gateone.py but we still need
*something* to exist at the /auth URL that will always return the
'unauthenticated' response.  This ensures that no one can authenticate
themselves by visiting that URL manually.

Docstrings
==========
"""

# Import stdlib stuff
import os, logging

# Import our own stuff
from gateone.core.utils import mkdir_p, generate_session_id
from gateone.core.utils import convert_to_timedelta
from gateone.core.utils import total_seconds
from gateone.core.locale import get_translation
from gateone.core.log import go_logger

# 3rd party imports
import tornado.web
import tornado.auth
import tornado.escape

# Localization support
_ = get_translation()

# Globals
GATEONE_DIR = os.path.dirname(os.path.abspath(__file__))
SETTINGS_CACHE = {} # Lists of settings files and their modification times
# The security stuff below is a work-in-progress.  Likely to change all around.

auth_log = go_logger('gateone.auth')

# Helper functions
[docs]def additional_attributes(user, settings_dir=None): """ Given a *user* dict, return a dict containing any additional attributes defined in Gate One's attribute repositories. .. note:: This function doesn't actually work yet (support for attribute repos like LDAP is forthcoming). """ # Doesn't do anything yet if not settings_dir: settings_dir = os.path.join(GATEONE_DIR, 'settings') return user # Authentication classes
[docs]class BaseAuthHandler(tornado.web.RequestHandler): """The base class for all Gate One authentication handlers.""" def set_default_headers(self): self.set_header('Server', 'GateOne')
[docs] def get_current_user(self): """Tornado standard method--implemented our way.""" expiration = self.settings.get('auth_timeout', "14d") # Need the expiration in days (which is a bit silly but whatever): expiration = ( float(total_seconds(convert_to_timedelta(expiration))) / float(86400)) user_json = self.get_secure_cookie( "gateone_user", max_age_days=expiration) if not user_json: return None user = tornado.escape.json_decode(user_json) # Add the IP attribute user['ip_address'] = self.request.remote_ip return user
[docs] def user_login(self, user): """ Called immediately after a user authenticates successfully. Saves session information in the user's directory. Expects *user* to be a dict containing a 'upn' value representing the username or userPrincipalName. e.g. 'user@REALM' or just 'someuser'. Any additional values will be attached to the user object/cookie. """ logging.debug("user_login(%s)" % user['upn']) user.update(additional_attributes(user)) # Make a directory to store this user's settings/files/logs/etc try: user_dir = os.path.join(self.settings['user_dir'], user['upn']) if not os.path.exists(user_dir): logging.info(_("Creating user directory: %s" % user_dir)) mkdir_p(user_dir) os.chmod(user_dir, 0o700) except UnicodeEncodeError: logging.error(_( "You're trying to use non-ASCII user information on a system " "that has the locale set to ASCII (or similar). Please change" "your system's locale to something that supports Unicode " "characters. ")) return session_file = os.path.join(user_dir, 'session') session_file_exists = os.path.exists(session_file) if session_file_exists: session_data = open(session_file).read() try: session_info = tornado.escape.json_decode(session_data) except ValueError: # Something wrong with the file session_file_exists = False # Overwrite it below if not session_file_exists: with open(session_file, 'w') as f: # Save it so we can keep track across multiple clients session_info = { 'session': generate_session_id(), } session_info.update(user) session_info_json = tornado.escape.json_encode(session_info) f.write(session_info_json) self.set_secure_cookie( "gateone_user", tornado.escape.json_encode(session_info))
[docs] def user_logout(self, user, redirect=None): """ Called immediately after a user logs out, cleans up the user's session information and optionally, redirects them to *redirect* (URL). """ logging.debug("user_logout(%s)" % user) if not redirect: # Try getting it from the query string redirect = self.get_argument("redirect", None) if redirect: self.write(redirect) self.finish() else: self.write(self.settings['url_prefix']) self.finish()
[docs]class NullAuthHandler(BaseAuthHandler): """ A handler for when no authentication method is chosen (i.e. --auth=none). With this handler all users will show up as "ANONYMOUS". """ @tornado.web.asynchronous
[docs] def get(self): """ Sets the 'gateone_user' cookie with a new random session ID (*go_session*) and sets *go_upn* to 'ANONYMOUS'. """ user = {'upn': 'ANONYMOUS'} check = self.get_argument("check", None) if check: # This lets any origin check if the user has been authenticated # (necessary to prevent "not allowed ..." XHR errors) self.set_header('Access-Control-Allow-Origin', '*') if not self.get_current_user(): self.user_login(user) self.write('authenticated') self.finish() return logout = self.get_argument("logout", None) if logout: self.clear_cookie('gateone_user') self.user_logout(user['upn']) return # This takes care of the user's settings dir and their session info self.user_login(user) next_url = self.get_argument("next", None) if next_url: self.redirect(next_url) else: self.redirect(self.settings['url_prefix'])
[docs] def user_login(self, user): """ This is an override of BaseAuthHandler since anonymous auth is special. Generates a unique session ID for this user and saves it in a browser cookie. This is to ensure that anonymous users can't access each other's sessions. """ logging.debug("NullAuthHandler.user_login(%s)" % user['upn']) # Make a directory to store this user's settings/files/logs/etc user_dir = os.path.join(self.settings['user_dir'], user['upn']) if not os.path.exists(user_dir): logging.info(_("Creating user directory: %s" % user_dir)) mkdir_p(user_dir) os.chmod(user_dir, 0o700) session_info = { 'session': generate_session_id() } session_info.update(user) self.set_secure_cookie( "gateone_user", tornado.escape.json_encode(session_info))
[docs]class APIAuthHandler(BaseAuthHandler): """ A handler that always reports 'unauthenticated' since API-based auth doesn't use auth handlers. """ @tornado.web.asynchronous
[docs] def get(self): """ Deletes the 'gateone_user' cookie and handles some other situations for backwards compatibility. """ # Get rid of the cookie no matter what (API auth doesn't use cookies) user = self.current_user self.clear_cookie('gateone_user') check = self.get_argument("check", None) if check: # This lets any origin check if the user has been authenticated # (necessary to prevent "not allowed ..." XHR errors) self.set_header('Access-Control-Allow-Origin', '*') logout = self.get_argument("logout", None) if logout: self.user_logout(user['upn']) return logging.debug('APIAuthHandler: user is NOT authenticated') self.write('unauthenticated') self.finish()
[docs]class GoogleAuthHandler(BaseAuthHandler, tornado.auth.GoogleMixin): """ Google authentication handler using Tornado's built-in GoogleMixin (fairly boilerplate). """ @tornado.web.asynchronous
[docs] def get(self): """ Sets the 'user' cookie with an appropriate *upn* and *session* and any other values that might be attached to the user object given to us by Google. """ check = self.get_argument("check", None) if check: self.set_header ('Access-Control-Allow-Origin', '*') user = self.get_current_user() if user: logging.debug('GoogleAuthHandler: user is authenticated') self.write('authenticated') else: logging.debug('GoogleAuthHandler: user is NOT authenticated') self.write('unauthenticated') self.finish() return logout_url = "https://accounts.google.com/Logout" logout = self.get_argument("logout", None) if logout: user = self.get_current_user()['upn'] self.clear_cookie('gateone_user') self.user_logout(user, logout_url) return if self.get_argument("openid.mode", None): self.get_authenticated_user(self._on_auth) return self.authenticate_redirect( ax_attrs=["name", "email", "language", "username"])
[docs] def _on_auth(self, user): """ Just a continuation of the get() method (the final step where it actually sets the cookie). """ if not user: raise tornado.web.HTTPError(500, _("Google auth failed")) # NOTE: Google auth 'user' will be a dict like so: # user = { # 'locale': u'en-us', # 'first_name': u'Dan', # 'last_name': u'McDougall', # 'name': u'Dan McDougall', # 'email': u'daniel.mcdougall@liftoffsoftware.com'} user['upn'] = user['email'] # Use the email for the upn self.user_login(user) next_url = self.get_argument("next", None) if next_url: self.redirect(next_url) else: self.redirect(self.settings['url_prefix'])
[docs]class SSLAuthHandler(BaseAuthHandler): """ SSL Certificate-based authentication handler. Can only be used if the ``ca_certs`` option is set along with ``ssl_auth=required`` or ``ssl_auth=optional``. """
[docs] def initialize(self): """ Print out helpful error messages if the requisite settings aren't configured. """ self.require_setting("ca_certs", "CA Certificates File") self.require_setting("ssl_auth", "SSL Authentication ('required')")
[docs] def _convert_certificate(self, cert): """ Converts the certificate format returned by get_ssl_certificate() into a format more suitable for a user dict. """ import re # Can't have any of these in the upn because we name a directory with it bad_chars = re.compile(r'[\/\\\$\;&`\!\*\?\|<>\n]') user = {'notAfter': cert['notAfter']} # This one is the most direct for item in cert['subject']: for key, value in item: user.update({key: value}) cn = user['commonName'] # Use the commonName as the UPN cn = bad_chars.sub('.', cn) # Replace bad chars with dots # Try to use the 'issuer' to add more depth to the CN if 'issuer' in cert: # This will only be there if you're using Python 3 for item in cert['issuer']: for key, value in item: if key == 'organizationName': # Yeah this can get long but that's OK (it's better than # conflicts) cn = "%s@%s" % (cn, value) break # Should wind up as something like this: # John William Smith-Doe@ACME Widget Corporation, LLC # So that would be used in the users dir like so: # /opt/gateone/users/John William Smith-Doe... etc user['upn'] = cn return user
@tornado.web.asynchronous
[docs] def get(self): """ Sets the 'user' cookie with an appropriate *upn* and *session* and any other values that might be attached to the user's client SSL certificate. """ check = self.get_argument("check", None) if check: self.set_header ('Access-Control-Allow-Origin', '*') user = self.get_current_user() if user: logging.debug('SSLAuthHandler: user is authenticated') self.write('authenticated') else: logging.debug('SSLAuthHandler: user is NOT authenticated') self.write('unauthenticated') self.finish() return logout = self.get_argument("logout", None) if logout: user = self.get_current_user()['upn'] self.clear_cookie('gateone_user') self.user_logout(user) return # Extract the user's information from their certificate cert = self.request.get_ssl_certificate() bincert = self.request.get_ssl_certificate(binary_form=True) open('/tmp/cert.der', 'w').write(bincert) user = self._convert_certificate(cert) # This takes care of the user's settings dir and their session info self.user_login(user) next_url = self.get_argument("next", None) if next_url: self.redirect(next_url) else: self.redirect(self.settings['url_prefix']) # Add our KerberosAuthHandler if sso is available
KerberosAuthHandler = None try: from gateone.auth.sso import KerberosAuthMixin
[docs] class KerberosAuthHandler(BaseAuthHandler, KerberosAuthMixin): """ Handles authenticating users via Kerberos/GSSAPI/SSO. """ @tornado.web.asynchronous
[docs] def get(self): """ Checks the user's request header for the proper Authorization data. If it checks out the user will be logged in via _on_auth(). If not, the browser will be redirected to login. """ check = self.get_argument("check", None) self.set_header('Access-Control-Allow-Origin', '*') if check: user = self.get_current_user() if user: logging.debug('KerberosAuthHandler: user is authenticated') self.write('authenticated') else: logging.debug('KerberosAuthHandler: user is NOT authenticated') self.write('unauthenticated') self.finish() return logout = self.get_argument("logout", None) if logout: user = self.get_current_user() self.clear_cookie('gateone_user') self.user_logout(user) return auth_header = self.request.headers.get('Authorization') if auth_header: self.get_authenticated_user(self._on_auth) return self.authenticate_redirect()
def _on_auth(self, user): if not user: raise tornado.web.HTTPError(500, _("Kerberos auth failed")) logging.debug(_("KerberosAuthHandler user: %s" % user)) user = {'upn': user} # This takes care of the user's settings dir and their session info self.user_login(user) # TODO: Add some LDAP or local DB lookups here to add more detail to user objects next_url = self.get_argument("next", None) if next_url: self.redirect(next_url) else: self.redirect(self.settings['url_prefix'])
except ImportError: pass # No SSO available. # Add our PAMAuthHandler if it's available PAMAuthHandler = None try: from gateone.auth.pam import PAMAuthMixin
[docs] class PAMAuthHandler(BaseAuthHandler, PAMAuthMixin): """ Handles authenticating users via PAM. """ @tornado.web.asynchronous
[docs] def get(self): """ Checks the user's request header for the proper Authorization data. If it checks out the user will be logged in via _on_auth(). If not, the browser will be redirected to login. """ check = self.get_argument("check", None) self.set_header('Access-Control-Allow-Origin', '*') if check: user = self.get_current_user() if user: logging.debug('PAMAuthHandler: user is authenticated') self.write('authenticated') else: logging.debug('PAMAuthHandler: user is NOT authenticated') self.write('unauthenticated') self.get_authenticated_user(self._on_auth) self.finish() return logout = self.get_argument("logout", None) if logout: user = self.get_current_user() self.clear_cookie('gateone_user') self.user_logout(user) return auth_header = self.request.headers.get('Authorization') if auth_header: self.get_authenticated_user(self._on_auth) return self.authenticate_redirect()
def _on_auth(self, user): if not user: raise tornado.web.HTTPError(500, _("PAM auth failed")) user = {'upn': user} # This takes care of the user's settings dir and their session info self.user_login(user) logging.debug(_("PAMAuthHandler user: %s" % user)) next_url = self.get_argument("next", None) if next_url: self.redirect(next_url) else: self.redirect(self.settings['url_prefix'])
except ImportError: pass # No PAM auth available.