Merge pull request #201 from Helene/basic_auth

Add HTTP "Basic Authentiction" support

Author: Helene

Dockerfile

@@ -28,6 +28,16 @@ ARG HTTPPROTOCOL=http
 ENV PROTOCOL=$HTTPPROTOCOL
 RUN echo "the HTTP/S protocol is set to $PROTOCOL"
 
+ARG HTTPBASICAUTH=True
+ENV BASICAUTH=$HTTPBASICAUTH
+RUN echo "the HTTP/S basic authentication is set to $BASICAUTH"
+
+ARG AUTHUSER=None
+ENV BASICAUTHUSER=$AUTHUSER
+
+ARG AUTHPASSW=NotSet
+ENV BASICAUTHPASSW=$AUTHPASSW
+
 ARG HTTPPORT=None
 ENV PORT=$HTTPPORT
 RUN echo "the OpentTSDB API HTTP/S port is set to $PORT"
@@ -129,7 +139,7 @@ RUN chown -R $UID:$GID /opt/IBM/bridge && \
 # Switch user
 USER $GID
 
-CMD ["sh", "-c", "python3 zimonGrafanaIntf.py -c 10 -s $SERVER -r $PROTOCOL -p $PORT -e $PROMETHEUS -P $SERVERPORT -t $TLSKEYPATH -l $LOGPATH --tlsKeyFile $TLSKEYFILE --tlsCertFile $TLSCERTFILE --apiKeyName $APIKEYNAME --apiKeyValue $APIKEYVALUE"]
+CMD ["sh", "-c", "python3 zimonGrafanaIntf.py -c 10 -s $SERVER -r $PROTOCOL -b $BASICAUTH -u $BASICAUTHUSER -a BASICAUTHPASSW -p $PORT -e $PROMETHEUS -P $SERVERPORT -t $TLSKEYPATH -l $LOGPATH -k $TLSKEYFILE -m $TLSCERTFILE -n $APIKEYNAME -v $APIKEYVALUE"]
 
 EXPOSE 4242 8443 9250
 

source/confParser.py

@@ -21,6 +21,8 @@
 '''
 
 import argparse
+import base64
+import binascii
 import os
 from messages import MSG
 from metaclasses import Singleton
@@ -36,14 +38,10 @@ def checkFileExists(path, filename):
 
 
 def checkTLSsettings(args):
-    if args.get('prometheus') and (not args.get('tlsKeyPath') or not
-                                   args.get('tlsKeyFile') or not
-                                   args.get('tlsCertFile')):
-        return False, MSG['MissingSSLCert']
-    elif args.get('protocol') == "https" and (not args.get('tlsKeyPath') or not
-                                              args.get('tlsKeyFile') or not
-                                              args.get('tlsCertFile')
-                                              ):
+    if args.get('protocol') == "https" and (not args.get('tlsKeyPath') or not
+                                            args.get('tlsKeyFile') or not
+                                            args.get('tlsCertFile')
+                                            ):
         return False, MSG['MissingParm']
     elif args.get('protocol') == "https" and not os.path.exists(args.get('tlsKeyPath')):
         return False, MSG['KeyPathError']
@@ -56,6 +54,23 @@ def checkTLSsettings(args):
     return True, ''
 
 
+def checkBasicAuthsettings(args):
+    if args.get('enabled') and (not args.get('username') or not
+                                args.get('password')
+                                ):
+        return False, MSG['MissingParm']
+    elif args.get('enabled') and ("/" in str(args.get('password')) and not
+                                  os.path.isfile(args.get('password'))
+                                  ):
+        return False, MSG['FileNotFound'].format(args.get('password'))
+    elif args.get('enabled') and "/" not in str(args.get('password')):
+        try:
+            base64.b64decode(args.get('password'), validate=True)
+        except binascii.Error:
+            return False, MSG['WrongFormat'].format("basic auth password")
+    return True, ''
+
+
 def checkApplicationPort(args):
     if not args.get('port', None) and not args.get('prometheus', None):
         return False, MSG['MissingPortParam']
@@ -78,7 +93,6 @@ def checkCAsettings(args):
 
 def getSettings(argv):
     settings = {}
-    msg = ''
     defaults = ConfigManager().defaults
     args, msg = parse_cmd_args(argv)
     if args and defaults:
@@ -93,6 +107,10 @@ def getSettings(argv):
         return None, msg
     # check API key settings
     valid, msg = checkAPIsettings(settings)
+    if not valid:
+        return None, msg
+    # check basic auth settings
+    valid, msg = checkBasicAuthsettings(settings)
     if not valid:
         return None, msg
     # check TLS settings
@@ -186,7 +204,10 @@ class Password(argparse.Action):
 
     def __call__(self, parser, namespace, values, option_string):
         if values is None:
-            print('Enter your apiKey value')
+            if self.dest == 'password':
+                print('Enter your basic auth password')
+            else:
+                print('Enter your apiKey value')
             values = getpass.getpass()
 
         setattr(namespace, self.dest, values)
@@ -213,6 +234,12 @@ def parse_cmd_args(argv):
                         help='port number listening on OpenTSDB API HTTP(S) connections (Default from config.ini: 4242, if enabled)')
     parser.add_argument('-r', '--protocol', action="store", choices=["http", "https"], default=None,
                         help='Connection protocol HTTP/HTTPS (Default from config.ini: "http")')
+    parser.add_argument('-b', '--enabled', action="store", choices=["True", "False"], default=None,
+                        help='Controls if HTTP/S basic authentication should be enabled or not (Default from config.ini: "True")')
+    parser.add_argument('-u', '--username', action="store", default=None,
+                        help='HTTP/S basic authentication user name(Default from config.ini: \'scale_admin\')')
+    parser.add_argument('-a', '--password', action=Password, nargs='?', dest='password', default=None,
+                        help='Enter your HTTP/S basic authentication password:')
     parser.add_argument('-t', '--tlsKeyPath', action="store", default=None,
                         help='Directory path of tls privkey.pem and cert.pem file location (Required only for HTTPS ports 8443/9250)')
     parser.add_argument('-k', '--tlsKeyFile', action="store", default=None,

source/config.ini

@@ -1,5 +1,5 @@
 ##################### OpenTSDB API Connection Defaults ########################
-[connection]
+[opentsdb_plugin]
 # Port number the bridge listening on for Grafana data requests over
 # OpentTSDB plugin
 # 
@@ -8,20 +8,43 @@
 # (Default: 4242)
 # port = 4242
 
-# Protocol (http, https)
-protocol = http
-
 ##################### Prometheus Exporter API Connection Defaults #############
-# Port number the bridge listening on for Prometheus server https requests;
-# ssl cert and key configuration required
+[prometheues_exporter_plugin]
+# Port number the bridge listening on for Prometheus server requests;
 # prometheus = 9250
 
 # Sensor counters deltas will be exported by default.
 # Set True if you want export original sensor counters.
 rawCounters = True
 
+##################### API Protocol scheme #####################################
+[connection]
+# Protocol (http, https)
+protocol = http
+
+##################### API Basic Authentication ################################
+[basic_auth]
+# Basic authentication is enabled by default.
+# It is recommended to leave Basic Authentication enabled, especially when 
+# connecting via HTTP. The bridge will validate the username and password 
+# from `Authorization` header of every incoming http request.
+enabled = True
+
+# user name used for bridge api http/s basic authentication
+username = scale_admin
+
+# Base64 encoded password string used for bridge api http/s basic authentication
+# Example string encoding via cli:
+#   $ echo "MyVeryStrongPassw0rd!" |base64
+#   TXlWZXJ5U3Ryb25nUGFzc3cwcmQhCg==
+#
+# password = TXlWZXJ5U3Ryb25nUGFzc3cwcmQhCg==
+#
+# alternatively you can store a Base64 encoded string in a file
+# and specify the file location as the basic authentication password, f.e:
+#   password = /etc/bridge_auth/basic_scale-21
 
-#################################### API SSL OAuth ############################
+##################### API SSL OAuth ############################################
 [tls]
 # Directory path of tls key and cert file location
 # tlsKeyPath = /etc/bridge_ssl/certs
@@ -34,7 +57,7 @@ rawCounters = True
 
 
 
-#################################### GPFS Server ##############################
+##################### GPFS Server ###############################################
 [server]
 # The ip address to bind to, empty will bind to all interfaces
 server = localhost
@@ -63,12 +86,12 @@ apiKeyName = scale_grafana
 # caCertPath = "/etc/ssl/certs/service-ca.crt"
 caCertPath = False
 
-#################################### GPFS Server data query settings ###########
+##################### GPFS Server data query settings ############################
 [query]
 # Use or not the historical data from disk (default: no)
 includeDiskData = no
 
-#################################### Logging ###################################
+##################### Logging ####################################################
 [logging]
 # Directory where the bridge can store logs
 logPath = /var/log/ibm_bridge_for_grafana

source/messages.py

@@ -74,5 +74,7 @@
        'StopCustomThread': 'Stopped custom thread {}',
        'MetricInResults': 'Metric {} is in Collector.metrcs',
        'MetricNotInResults': 'Metric {} is not in Collector.metrcs',
-       'ConnApplications': 'Registered applications: \n {}'
+       'ConnApplications': 'Registered applications: \n {}',
+       'WrongFormat': 'The {} specified in wrong format.',
+       'AuthValidationError': 'Basic auth data not valid'
        }

source/zimonGrafanaIntf.py

@@ -43,6 +43,7 @@
 from cherrypy.lib.cpstats import StatsPage
 
 ENDPOINTS = {}
+AUTH_DICT = {}
 
 
 def processFormJSON(entity):
@@ -95,9 +96,15 @@ def setup_cherrypy_logging(args):
 
 def updateCherrypyConf(args):
 
-    globalConfig = {'global': {'error_page.default': format_default_error_page,
-                               'request.error_response': handle_error},
-                    }
+    global_settings = {'error_page.default': format_default_error_page,
+                       'request.error_response': handle_error}
+    if args.get('enabled', False):
+        global_settings.update({'tools.auth_basic.on': True,
+                                'tools.auth_basic.realm': "localhost",
+                                'tools.auth_basic.checkpassword': check_basic_auth,
+                                'tools.auth_basic.accept_charset': "UTF-8"
+                                })
+    globalConfig = {'global': global_settings}
 
     cherrypy.config.update(globalConfig)
 
@@ -107,6 +114,16 @@ def updateCherrypyConf(args):
     cherrypy.server.unsubscribe()
 
 
+def check_basic_auth(realm, username, password):
+    if (username and password
+        and username in AUTH_DICT
+            and AUTH_DICT[username] == password):
+        return True
+    logger = getBridgeLogger()
+    logger.details(MSG['AuthValidationError'])
+    return False
+
+
 def bind_opentsdb_server(args):
     opentsdb_server = cherrypy._cpserver.Server()
     opentsdb_server.socket_port = args.get('port')
@@ -125,23 +142,24 @@ def bind_prometheus_server(args):
     prometheus_server = cherrypy._cpserver.Server()
     prometheus_server.socket_port = args.get('prometheus')
     prometheus_server._socket_host = '0.0.0.0'
-    certPath = os.path.join(args.get('tlsKeyPath'), args.get('tlsCertFile'))
-    keyPath = os.path.join(args.get('tlsKeyPath'), args.get('tlsKeyFile'))
-    prometheus_server.ssl_module = 'builtin'
-    prometheus_server.ssl_certificate = certPath
-    prometheus_server.ssl_private_key = keyPath
+    if args.get('protocol') == "https":
+        certPath = os.path.join(args.get('tlsKeyPath'), args.get('tlsCertFile'))
+        keyPath = os.path.join(args.get('tlsKeyPath'), args.get('tlsKeyFile'))
+        prometheus_server.ssl_module = 'builtin'
+        prometheus_server.ssl_certificate = certPath
+        prometheus_server.ssl_private_key = keyPath
     prometheus_server.statistics = analytics.cherrypy_internal_stats
     prometheus_server.subscribe()
 
 
-def resolveAPIKeyValue(storedKey):
-    keyValue = None
-    if "/" in str(storedKey):
-        with open(storedKey) as file:
-            keyValue = file.read().rstrip()
-        return keyValue
+def resolve_path_to_value(stored_key):
+    path_value = None
+    if "/" in str(stored_key):
+        with open(stored_key) as file:
+            path_value = file.read().rstrip()
+        return path_value
     else:
-        return storedKey
+        return stored_key
 
 
 def refresh_metadata(refresh_all=False):
@@ -190,6 +208,9 @@ def main(argv):
 
     registered_apps = []
 
+    if args.get('enabled', False):
+        AUTH_DICT[args.get('username')] = resolve_path_to_value(args.get('password'))
+
     # prepare the logger
     logger = configureLogging(args.get('logPath'), args.get('logFile', None),
                               args.get('logLevel'))
@@ -210,7 +231,7 @@ def main(argv):
         mdHandler = MetadataHandler(logger=logger, server=args.get('server'),
                                     port=args.get('serverPort'),
                                     apiKeyName=args.get('apiKeyName'),
-                                    apiKeyValue=resolveAPIKeyValue(args.get('apiKeyValue')),
+                                    apiKeyValue=resolve_path_to_value(args.get('apiKeyValue')),
                                     caCertPath=args.get('caCertPath'),
                                     includeDiskData=args.get('includeDiskData'),
                                     sleepTime=args.get('retryDelay', None)