authservice/auth.py

import time
import connexion
from jose import JWTError, jwt, jwe
import json
import werkzeug
import os
import psycopg2
from collections import namedtuple
from pbkdf2 import crypt
from loguru import logger

DB_USER = os.environ["DB_USER"]
DB_PASS = os.environ["DB_PASS"]
DB_HOST = os.environ["DB_HOST"]
DB_NAME = os.environ["DB_NAME"]

JWT_ISSUER = os.environ["JWT_ISSUER"]


class NoUserException(Exception): 
    pass

class ManyUsersException(Exception): 
    pass

class PasswordMismatchException(Exception): 
    pass


UserEntry = namedtuple('UserEntry', ['id', 'login', 'pwhash', 'expiry', 'claims'])

JWT_PRIV_KEY = ""
try:
    JWT_PRIV_KEY = os.environ["JWT_PRIV_KEY"]
except KeyError:
    with open('/opt/app/config/authservice.key', 'r') as f:
        JWT_PRIV_KEY = f.read()

JWT_PUB_KEY = ""
try:
    JWT_PUB_KEY = os.environ["JWT_PUB_KEY"]
except KeyError:
    with open('/opt/app/config/authservice.pub', 'r') as f:
        JWT_PUB_KEY = f.read()


def getUserEntryFromDB(application: str, login: str):
    conn = None
    cur = None
    try:
        conn = psycopg2.connect(user = DB_USER, password = DB_PASS,
                                host = DB_HOST, database = DB_NAME)
        conn.autocommit = False

        userObj = None
        with conn.cursor() as cur:
            cur.execute("SELECT id, pwhash, expiry FROM user_application_v" +
                        "  WHERE application = %s AND login = %s", 
                        (application, login))
            userObj = cur.fetchone()
            logger.debug("userObj: {}".format(userObj))
            if not userObj:
                raise NoUserException()
            invObj = cur.fetchone()
            if invObj:
                raise ManyUsersException()

        claims = {}
        with conn.cursor() as cur:
            cur.execute('SELECT key, value FROM claims_for_user_v where "user" = %s and application = %s', 
                        (userObj[0], application))
            for claimObj in cur:
                logger.debug("add claim {} -> {}".format(claimObj[0], claimObj[1]))
                if claimObj[0] in claims:
                    if isinstance(claims[claimObj[0]], list):
                        claims[claimObj[0]].append(claimObj[1])
                    else:
                        claims[claimObj[0]] = [ claims[claimObj[0]] ]
                        claims[claimObj[0]].append(claimObj[1])
                else:
                    claims[claimObj[0]] = claimObj[1]
                
        userEntry = UserEntry(id=userObj[0], login=login, pwhash=userObj[1], expiry=userObj[2], claims=claims)

        return userEntry
    except psycopg2.Error as err:
        raise Exception("Error when connecting to database: {}".format(err))
    finally:
        if conn:
            conn.close()

def getUserEntry(application, login, password):
    userEntry = getUserEntryFromDB(application, login)
    if userEntry.pwhash != crypt(password, userEntry.pwhash):
        raise PasswordMismatchException()
    return userEntry

def generateToken(**args):
    try:
        body = args["body"]

        application = ""
        login = ""
        password = ""
        if (("application" in body) and
            ("login" in body) and
            ("password" in body)):
            application = body["application"]
            login = body["login"]
            password = body["password"]
        elif ("encAleTuple" in body):
            clearContent = jwe.decrypt(body["encAleTuple"], JWT_PRIV_KEY)
            clearObj = json.loads(clearContent)
            application = clearObj["application"]
            login = clearObj["login"]
            password = clearObj["password"]
        else:
            raise KeyError("Neither application, login and password nor encAleTuple given")
        
        logger.debug(f"Tuple: {application} {login} {password}")
    
        userEntry = getUserEntry(application, login, password)
    
        timestamp = int(time.time())
        payload = {
            "iss": JWT_ISSUER,
            "iat": int(timestamp),
            "exp": int(timestamp + userEntry.expiry),
            "sub": str(userEntry.id),
            "aud": application
        }
        logger.debug("claims: {}".format(userEntry.claims))
        for claim in userEntry.claims.items():
            logger.debug("add claim {}".format(claim))
            payload[claim[0]] = claim[1]

        return jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256')
    except NoUserException:
        logger.error("no user found, login or application wrong")
        raise werkzeug.exceptions.Unauthorized()
    except ManyUsersException:
        logger.error("too many users found")
        raise werkzeug.exceptions.Unauthorized()
    except PasswordMismatchException:
        logger.error("wrong password")
        raise werkzeug.exceptions.Unauthorized()
    except KeyError:
        logger.error("application, login or password missing")
        raise werkzeug.exceptions.Unauthorized()
    except Exception as e:
        logger.error("unspecific exception: {}".format(str(e)))
        raise werkzeug.exceptions.Unauthorized()

def getPubKey():
    return JWT_PUB_KEY

def decodeToken(token):
    try:
        return jwt.decode(token, JWT_PUB_KEY, audience="test")
    except JWTError as e:
        logger.error("{}".format(e))
        raise werkzeug.exceptions.Unauthorized()

def testToken(user, token_info):
    return '''
    You are user_id {user} and the provided token has been signed by this issuers. Fine.'.
    Decoded token claims: {token_info}.
    '''.format(user=user, token_info=token_info)
initial 2021-01-25 21:52:52 +01:00			`import time`
			`import connexion`
support handover of cleartext and encrypted credentials, refactor naming of methods 2021-06-15 23:13:18 +02:00			`from jose import JWTError, jwt, jwe`
			`import json`
changes 2021-01-26 13:43:09 +01:00			`import werkzeug`
initial 2021-01-25 21:52:52 +01:00			`import os`
move to psycopg2 2021-05-11 15:16:13 +02:00			`import psycopg2`
changes 2021-01-26 13:43:09 +01:00			`from collections import namedtuple`
application and pwhash 2021-01-26 21:27:17 +01:00			`from pbkdf2 import crypt`
adjust for postgres 2021-05-11 16:48:02 +02:00			`from loguru import logger`
initial 2021-01-25 21:52:52 +01:00
			`DB_USER = os.environ["DB_USER"]`
			`DB_PASS = os.environ["DB_PASS"]`
			`DB_HOST = os.environ["DB_HOST"]`
			`DB_NAME = os.environ["DB_NAME"]`

schema fixes 2021-01-27 10:57:54 +01:00			`JWT_ISSUER = os.environ["JWT_ISSUER"]`
pubkey stuff 2021-05-06 16:37:32 +02:00


schema fixes 2021-01-27 10:57:54 +01:00
initial 2021-01-25 21:52:52 +01:00
application and pwhash 2021-01-26 21:27:17 +01:00			`class NoUserException(Exception):`
			`pass`

			`class ManyUsersException(Exception):`
			`pass`

			`class PasswordMismatchException(Exception):`
			`pass`

changes 2021-01-26 13:43:09 +01:00
adjust for postgres 2021-05-11 16:48:02 +02:00			`UserEntry = namedtuple('UserEntry', ['id', 'login', 'pwhash', 'expiry', 'claims'])`
jwe 2021-05-07 13:28:12 +02:00
pubkey stuff 2021-05-06 16:37:32 +02:00			`JWT_PRIV_KEY = ""`
jwe 2021-05-07 13:28:12 +02:00			`try:`
			`JWT_PRIV_KEY = os.environ["JWT_PRIV_KEY"]`
			`except KeyError:`
			`with open('/opt/app/config/authservice.key', 'r') as f:`
			`JWT_PRIV_KEY = f.read()`
pubkey stuff 2021-05-06 16:37:32 +02:00
			`JWT_PUB_KEY = ""`
jwe 2021-05-07 13:28:12 +02:00			`try:`
			`JWT_PUB_KEY = os.environ["JWT_PUB_KEY"]`
			`except KeyError:`
			`with open('/opt/app/config/authservice.pub', 'r') as f:`
			`JWT_PUB_KEY = f.read()`
changes 2021-01-26 13:43:09 +01:00

crypt and adduser tool 2021-01-26 22:06:39 +01:00			`def getUserEntryFromDB(application: str, login: str):`
initial 2021-01-25 21:52:52 +01:00			`conn = None`
			`cur = None`
			`try:`
move to psycopg2 2021-05-11 15:16:13 +02:00			`conn = psycopg2.connect(user = DB_USER, password = DB_PASS,`
			`host = DB_HOST, database = DB_NAME)`
initial 2021-01-25 21:52:52 +01:00			`conn.autocommit = False`

adjust for postgres 2021-05-11 16:48:02 +02:00			`userObj = None`
			`with conn.cursor() as cur:`
			`cur.execute("SELECT id, pwhash, expiry FROM user_application_v" +`
			`" WHERE application = %s AND login = %s",`
			`(application, login))`
			`userObj = cur.fetchone()`
support handover of cleartext and encrypted credentials, refactor naming of methods 2021-06-15 23:13:18 +02:00			`logger.debug("userObj: {}".format(userObj))`
adjust for postgres 2021-05-11 16:48:02 +02:00			`if not userObj:`
			`raise NoUserException()`
			`invObj = cur.fetchone()`
			`if invObj:`
			`raise ManyUsersException()`

changes 2021-01-26 13:43:09 +01:00			`claims = {}`
adjust for postgres 2021-05-11 16:48:02 +02:00			`with conn.cursor() as cur:`
			`cur.execute('SELECT key, value FROM claims_for_user_v where "user" = %s and application = %s',`
			`(userObj[0], application))`
			`for claimObj in cur:`
support handover of cleartext and encrypted credentials, refactor naming of methods 2021-06-15 23:13:18 +02:00			`logger.debug("add claim {} -> {}".format(claimObj[0], claimObj[1]))`
adjust for postgres 2021-05-11 16:48:02 +02:00			`if claimObj[0] in claims:`
			`if isinstance(claims[claimObj[0]], list):`
			`claims[claimObj[0]].append(claimObj[1])`
			`else:`
			`claims[claimObj[0]] = [ claims[claimObj[0]] ]`
			`claims[claimObj[0]].append(claimObj[1])`
changes 2021-01-26 13:43:09 +01:00			`else:`
adjust for postgres 2021-05-11 16:48:02 +02:00			`claims[claimObj[0]] = claimObj[1]`
changes 2021-01-26 13:43:09 +01:00
adjust for postgres 2021-05-11 16:48:02 +02:00			`userEntry = UserEntry(id=userObj[0], login=login, pwhash=userObj[1], expiry=userObj[2], claims=claims)`
initial 2021-01-25 21:52:52 +01:00
adjust for postgres 2021-05-11 16:48:02 +02:00			`return userEntry`
			`except psycopg2.Error as err:`
initial 2021-01-25 21:52:52 +01:00			`raise Exception("Error when connecting to database: {}".format(err))`
			`finally:`
			`if conn:`
			`conn.close()`

crypt and adduser tool 2021-01-26 22:06:39 +01:00			`def getUserEntry(application, login, password):`
adjust for postgres 2021-05-11 16:48:02 +02:00			`userEntry = getUserEntryFromDB(application, login)`
			`if userEntry.pwhash != crypt(password, userEntry.pwhash):`
application and pwhash 2021-01-26 21:27:17 +01:00			`raise PasswordMismatchException()`
crypt and adduser tool 2021-01-26 22:06:39 +01:00			`return userEntry`
initial 2021-01-25 21:52:52 +01:00
changes 2021-01-26 13:43:09 +01:00			`def generateToken(**args):`
initial 2021-01-25 21:52:52 +01:00			`try:`
changes 2021-01-26 13:43:09 +01:00			`body = args["body"]`
support handover of cleartext and encrypted credentials, refactor naming of methods 2021-06-15 23:13:18 +02:00
			`application = ""`
			`login = ""`
			`password = ""`
			`if (("application" in body) and`
			`("login" in body) and`
			`("password" in body)):`
			`application = body["application"]`
			`login = body["login"]`
			`password = body["password"]`
			`elif ("encAleTuple" in body):`
			`clearContent = jwe.decrypt(body["encAleTuple"], JWT_PRIV_KEY)`
			`clearObj = json.loads(clearContent)`
			`application = clearObj["application"]`
			`login = clearObj["login"]`
			`password = clearObj["password"]`
			`else:`
			`raise KeyError("Neither application, login and password nor encAleTuple given")`

			`logger.debug(f"Tuple: {application} {login} {password}")`
application and pwhash 2021-01-26 21:27:17 +01:00
crypt and adduser tool 2021-01-26 22:06:39 +01:00			`userEntry = getUserEntry(application, login, password)`
application and pwhash 2021-01-26 21:27:17 +01:00
changes 2021-01-26 13:43:09 +01:00			`timestamp = int(time.time())`
			`payload = {`
schema fixes 2021-01-27 10:57:54 +01:00			`"iss": JWT_ISSUER,`
changes 2021-01-26 13:43:09 +01:00			`"iat": int(timestamp),`
			`"exp": int(timestamp + userEntry.expiry),`
add application as aud in token 2021-05-07 14:40:40 +02:00			`"sub": str(userEntry.id),`
			`"aud": application`
changes 2021-01-26 13:43:09 +01:00			`}`
adjust for postgres 2021-05-11 16:48:02 +02:00			`logger.debug("claims: {}".format(userEntry.claims))`
changes 2021-01-26 13:43:09 +01:00			`for claim in userEntry.claims.items():`
support handover of cleartext and encrypted credentials, refactor naming of methods 2021-06-15 23:13:18 +02:00			`logger.debug("add claim {}".format(claim))`
remove x from private claims 2021-01-27 13:31:34 +01:00			`payload[claim[0]] = claim[1]`
changes 2021-01-26 13:43:09 +01:00
pubkey stuff 2021-05-06 16:37:32 +02:00			`return jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256')`
changes 2021-01-26 13:43:09 +01:00			`except NoUserException:`
support handover of cleartext and encrypted credentials, refactor naming of methods 2021-06-15 23:13:18 +02:00			`logger.error("no user found, login or application wrong")`
changes 2021-01-26 13:43:09 +01:00			`raise werkzeug.exceptions.Unauthorized()`
			`except ManyUsersException:`
support handover of cleartext and encrypted credentials, refactor naming of methods 2021-06-15 23:13:18 +02:00			`logger.error("too many users found")`
changes 2021-01-26 13:43:09 +01:00			`raise werkzeug.exceptions.Unauthorized()`
application and pwhash 2021-01-26 21:27:17 +01:00			`except PasswordMismatchException:`
support handover of cleartext and encrypted credentials, refactor naming of methods 2021-06-15 23:13:18 +02:00			`logger.error("wrong password")`
application and pwhash 2021-01-26 21:27:17 +01:00			`raise werkzeug.exceptions.Unauthorized()`
changes 2021-01-26 13:43:09 +01:00			`except KeyError:`
support handover of cleartext and encrypted credentials, refactor naming of methods 2021-06-15 23:13:18 +02:00			`logger.error("application, login or password missing")`
changes 2021-01-26 13:43:09 +01:00			`raise werkzeug.exceptions.Unauthorized()`
			`except Exception as e:`
support handover of cleartext and encrypted credentials, refactor naming of methods 2021-06-15 23:13:18 +02:00			`logger.error("unspecific exception: {}".format(str(e)))`
changes 2021-01-26 13:43:09 +01:00			`raise werkzeug.exceptions.Unauthorized()`
pubkey stuff 2021-05-06 16:37:32 +02:00
			`def getPubKey():`
			`return JWT_PUB_KEY`
adjust for postgres 2021-05-11 16:48:02 +02:00
			`def decodeToken(token):`
			`try:`
			`return jwt.decode(token, JWT_PUB_KEY, audience="test")`
			`except JWTError as e:`
support handover of cleartext and encrypted credentials, refactor naming of methods 2021-06-15 23:13:18 +02:00			`logger.error("{}".format(e))`
adjust for postgres 2021-05-11 16:48:02 +02:00			`raise werkzeug.exceptions.Unauthorized()`

support handover of cleartext and encrypted credentials, refactor naming of methods 2021-06-15 23:13:18 +02:00			`def testToken(user, token_info):`
adjust for postgres 2021-05-11 16:48:02 +02:00			`return '''`
support handover of cleartext and encrypted credentials, refactor naming of methods 2021-06-15 23:13:18 +02:00			`You are user_id {user} and the provided token has been signed by this issuers. Fine.'.`
adjust for postgres 2021-05-11 16:48:02 +02:00			`Decoded token claims: {token_info}.`
			`'''.format(user=user, token_info=token_info)`