Add API Key authentication

Starting with IBM Spectrum Scale version 5.1.1 any client querying the
performance data from the IBM Spectrum Scale cluster needs the API key
authentication.
- The default API key name for grafana_bridge set to scale_grafana
- The API key name and value could be stored in the config.ini file or
passed as input parameters(--apiKeyName, --apiKeyValue) at the
grafana-bridge start.
- The default ServerPort changed from 9084 to 9980

Author: Helene

requirements.txt

@@ -7,3 +7,5 @@ github3.py
 flake8
 six
 cherrypy
+requests
+urllib3

source/Dockerfile

@@ -3,6 +3,8 @@ FROM registry.access.redhat.com/ubi8/python-36
 RUN pip3 install --upgrade pip
 RUN pip3 install setuptools
 RUN pip3 install cherrypy
+RUN pip3 install urllib3
+RUN pip3 install requests
 
 CMD python3 -V
 CMD pip3 list
@@ -23,6 +25,10 @@ ARG HTTPPORT=4242
 ENV PORT=$HTTPPORT
 RUN echo "the HTTP/S port is set to $PORT" 
 
+ARG PERFMONPORT=9981
+ENV SERVERPORT=$PERFMONPORT
+RUN echo "the PERFMONPORT port is set to $SERVERPORT" 
+
 ARG CERTPATH=None
 ENV TLSKEYPATH=$CERTPATH
 
@@ -32,6 +38,12 @@ ENV TLSKEYFILE=$KEYFILE
 ARG CERTFILE=None
 ENV TLSCERTFILE=$CERTFILE
 
+ARG KEYNAME=None
+ENV APIKEYNAME=$KEYNAME
+
+ARG KEYVALUE=None
+ENV APIKEYVALUE=$KEYVALUE
+
 RUN if [ -z "$TLSKEYPATH" ] || [ -z "$TLSCERTFILE" ] || [ -z "$TLSKEYFILE" ] && [ "$PORT" -eq 8443 ]; then echo "TLSKEYPATH FOR SSL CONNECTION NOT SET - ERROR"; exit 1; else echo "PASS"; fi
 RUN echo "the ssl certificates path is set to $TLSKEYPATH" 
 
@@ -42,7 +54,7 @@ RUN echo "the pmcollector server ip is set to $SERVER"
 
 WORKDIR /opt/IBM/bridge
 
-ARG DEFAULTLOGPATH='/var/log/ibm_bridge_for_grafanalogs/install.log'
+ARG DEFAULTLOGPATH='/var/log/ibm_bridge_for_grafana/install.log'
 ENV LOGPATH=$DEFAULTLOGPATH
 RUN mkdir -p $(dirname $LOGPATH)
 RUN echo "the log will use $(dirname $LOGPATH)"
@@ -54,7 +66,7 @@ RUN echo "pmcollector_server: $SERVER" >> $LOGPATH
 RUN echo "ssl certificates location: $TLSKEYPATH" >> $LOGPATH
 RUN echo "HTTP/S port: $PORT" >> $LOGPATH
 
-CMD ["sh", "-c", "python3 zimonGrafanaIntf.py -c 10 -s $SERVER -p $PORT -t $TLSKEYPATH --tlsKeyFile $TLSKEYFILE --tlsCertFile $TLSCERTFILE"]
+CMD ["sh", "-c", "python3 zimonGrafanaIntf.py -c 10 -s $SERVER -p $PORT -P $SERVERPORT -t $TLSKEYPATH --tlsKeyFile $TLSKEYFILE --tlsCertFile $TLSCERTFILE --apiKeyName $APIKEYNAME --apiKeyValue $APIKEYVALUE"]
 
 EXPOSE 4242 8443
 

source/__version__.py

@@ -20,4 +20,4 @@
 @author: HWASSMAN
 '''
 
-__version__ = '6.1.2'
+__version__ = '7.0'

source/confParser.py

@@ -24,6 +24,7 @@
 import os
 from messages import MSG
 import configparser
+import getpass
 
 
 def checkFileExists(path, filename):
@@ -43,6 +44,11 @@ def checkTLSsettings(args):
             return False, MSG['CertError']
     return True, ''
 
+def checkAPIsettings(args):
+    if not args.get('apiKeyName') or not args.get('apiKeyValue'):
+        return False, MSG['MissingParm']
+    return True, ''
+
 
 def getSettings(argv):
     settings = {}
@@ -55,11 +61,15 @@ def getSettings(argv):
         settings = args
     else:
         return None, msg
+    # check API key settings
+    valid, msg = checkAPIsettings(settings)
+    if not valid:
+        return None, msg
     # check TLS settings
     valid, msg = checkTLSsettings(settings)
-    if valid:
-        return settings, ''
-    return None, msg
+    if not valid:
+        return None, msg
+    return settings, ''
 
 
 def merge_defaults_and_args(defaults, args):
@@ -139,18 +149,25 @@ def parse_defaults(self):
         return defaults
 
 
+class Password(argparse.Action):
+    defaults = ConfigManager().defaults
+
+    def __call__(self, parser, namespace, values, option_string):
+        if values is None and self.defaults.get('apiKeyValue', None) == None:
+            print('no valid apiKeyValue found in the config.ini')
+            values = getpass.getpass()
+
+        setattr(namespace, self.dest, values)
+
+
 def parse_cmd_args(argv):
     '''parse input parameters'''
 
     parser = argparse.ArgumentParser('python zimonGrafanaIntf.py')
     parser.add_argument('-s', '--server', action="store", default=None,
-                        help='Host name or ip address of the ZIMon collector (Default from config.ini: 127.0.0.1) \
-                        NOTE: Per default ZIMon does not accept queries from remote machines. \
-                        To run the bridge from outside of the ZIMon collector, you need to modify ZIMon queryinterface settings (\'ZIMonCollector.cfg\')')
-    parser.add_argument('-P', '--serverPort', action="store", type=int, choices=[9084, 9094], default=None,
-                        help='ZIMon collector port number (Default from config.ini: 9084) \
-                        NOTE: In some environments, for better bridge performance the usage of the multi-threaded port 9094 could be helpful.\
-                        In this case make sure the \'query2port = \"9094\"\' is enabled in the ZIMon queryinterface settings (\'ZIMonCollector.cfg\')')
+                        help='Host name or ip address of the ZIMon collector (Default from config.ini: 127.0.0.1)')
+    parser.add_argument('-P', '--serverPort', action="store", type=int, choices=[9980, 9981], default=None,
+                        help='ZIMon collector port number (Default from config.ini: 9980)')
     parser.add_argument('-l', '--logPath', action="store", default=None, help='location path of the log file (Default from config.ini: \'/var/log/ibm_bridge_for_grafana\')')
     parser.add_argument('-f', '--logFile', action="store", default=None, help='Name of the log file (Default from config.ini: zserver.log')
     parser.add_argument('-c', '--logLevel', action="store", type=int, default=None,
@@ -159,6 +176,8 @@ def parse_cmd_args(argv):
     parser.add_argument('-t', '--tlsKeyPath', action="store", default=None, help='Directory path of tls privkey.pem and cert.pem file location (Required only for HTTPS port 8443)')
     parser.add_argument('-k', '--tlsKeyFile', action="store", default=None, help='Name of TLS key file, f.e.: privkey.pem (Required only for HTTPS port 8443)')
     parser.add_argument('-m', '--tlsCertFile', action="store", default=None, help='Name of TLS certificate file, f.e.: cert.pem (Required only for HTTPS port 8443)')
+    parser.add_argument('-n', '--apiKeyName',  action="store", default=None, help='Name of api key file (Default from config.ini: \'scale_grafana\')')
+    parser.add_argument('-v', '--apiKeyValue',  action=Password, nargs='?', dest='apiKeyValue', default=None, help='Enter your apiKey value:')
 
     args = parser.parse_args(argv)
     return args, ''

source/config.ini

@@ -22,8 +22,14 @@ port = 4242
 # The ip address to bind to, empty will bind to all interfaces
 server = localhost
 
-# The http port to use
-serverPort = 9084
+# The https port to use
+serverPort = 9980
+
+# The name of REST HTTPS API key name
+apiKeyName = scale_grafana
+
+# The REST HTTPS API key value, f.e:
+# 	apiKeyValue = e40960c9-de0a-4c75-bc71-0bcae6db23b2
 
 #################################### Logging ##################################
 [logging]

source/messages.py

@@ -30,7 +30,7 @@
        'MissingParm': 'Missing mandatory parameters, quitting',
        'KeyPathError': 'KeyPath directory not found, quitting',
        'CertError': 'Missing certificates in tht specified keyPath directory, quitting',
-       'CollectorErr': 'Failed to initialize connection to pmcollector, quitting',
+       'CollectorErr': 'Failed to initialize connection to pmcollector: {}, quitting',
        'MetaError': 'Metadata could not be retrieved. Check log file for more details, quitting',
        'MetaSuccess': 'Successfully retrieved MetaData',
        'QueryError': 'Query request could not be proceed. Reason: {}',

source/queryHandler/PerfmonRESTclient.py

@@ -0,0 +1,105 @@
+'''
+##############################################################################
+# Copyright 2021 IBM Corp.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##############################################################################
+
+Created on Jan 28, 2021
+
+@author: HWASSMAN
+'''
+
+# catch import failure on AIX since we will not be shipping our third-party libraries on AIX
+try:
+    import requests
+    import urllib3
+    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+except Exception:
+    pass
+
+
+
+DEFAULT_HEADERS = {
+            "Accept": "application/json",
+            "Content-type": "application/json"
+        }
+
+
+def getAuthHandler(keyName, keyValue):
+    if not isinstance(keyName, bytes):
+        keyName = bytes(keyName, 'utf-8')
+    if not isinstance(keyValue, bytes):
+        keyValue = bytes(keyValue, 'utf-8')
+    return requests.auth.HTTPBasicAuth(keyName,keyValue)
+
+
+def createRequestDataObj(logger, method, endpoint, host, port, auth, headers=None, files=None, json=None, params=None, data=None, cookies=None, hooks=None):
+    '''This method is used to prepare an instance of the class: <requests.Request>, which will be sent to the server. '''
+
+    if method.upper() not in ['GET', 'DELETE']:
+        logger.error('createRequestDataObj __ request METHOD {} not allowed'.format(method))
+        return None
+    if not host or not port or not endpoint or not auth:
+        logger.error('createRequestDataObj __ missing mandatory parameters')
+        return None
+    url = f'https://{host}:{port}/sysmon/v1/{endpoint}'
+    # Create the Request.
+    req = requests.Request(method=method.upper(),
+        url=url,
+        headers=headers or DEFAULT_HEADERS,
+        files=files,
+        data=data or {},
+        json=json,
+        params=params or {},
+        auth=auth,
+        cookies=cookies,
+        hooks=hooks,
+        )
+    logger.debug('createRequestDataObj __ created request')
+    return req
+
+
+class perfHTTPrequestHelper(object):
+    """
+    REST communication handler / dispatcher for the QueryHandler
+    1. does send a prepared Request object to a server
+    2. waits until  the server response, finally forwards a result to the QueryHandler
+    """
+
+    def __init__(self, logger, reqdata=None, session=None):
+        self.session = session or requests.Session() 
+        self.requestData = reqdata
+        self.logger = logger
+
+    def doRequest(self):
+        if self.requestData and isinstance(self.requestData, requests.Request):
+            _prepRequest = self.session.prepare_request(self.requestData)
+            try:
+                res = self.session.send(_prepRequest)
+                return res
+            except requests.exceptions.ConnectionError:
+                res = requests.Response()
+                res.status_code = 503
+                res.reason = "Connection refused from server"
+                res.content = None
+                return res
+            except requests.exceptions.RequestException as e:
+                self.logger.debug('doRequest __ RequestException. Request data: {}, Response data: {}'.format(e.request, e.response))
+                res = requests.Response()
+                res.status_code = 404
+                res.reason = "The request could not be processed from server"
+                res.content = None
+                return res
+        else:
+            raise TypeError('doRequest __ Error: request data wrong format')