OpenKMIP
diff --git a/‎kmip/services/server/auth/__init__.py‎
Lines changed: 34 additions & 0 deletions b/‎kmip/services/server/auth/__init__.py‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎kmip/services/server/auth/api.py‎
Lines changed: 45 additions & 0 deletions b/‎kmip/services/server/auth/api.py‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎kmip/services/server/auth/slugs.py‎
Lines changed: 108 additions & 0 deletions b/‎kmip/services/server/auth/slugs.py‎
Lines changed: 108 additions & 0 deletions
diff --git a/‎kmip/services/server/auth/utils.py‎
Lines changed: 75 additions & 0 deletions b/‎kmip/services/server/auth/utils.py‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎kmip/tests/unit/services/server/auth/__init__.py‎
Lines changed: 14 additions & 0 deletions b/‎kmip/tests/unit/services/server/auth/__init__.py‎
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,34 @@
+# Copyright (c) 2018 The Johns Hopkins University/Applied Physics Laboratory
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from kmip.services.server.auth.api import AuthAPI
+from kmip.services.server.auth.slugs import SLUGSConnector
+
+from kmip.services.server.auth.utils import get_certificate_from_connection
+from kmip.services.server.auth.utils import \
+    get_client_identity_from_certificate
+from kmip.services.server.auth.utils import get_common_names_from_certificate
+from kmip.services.server.auth.utils import \
+    get_extended_key_usage_from_certificate
+
+
+__all__ = [
+    'AuthAPI',
+    'SLUGSConnector',
+    'get_certificate_from_connection',
+    'get_client_identity_from_certificate',
+    'get_common_names_from_certificate',
+    'get_extended_key_usage_from_certificate'
+]
@@ -0,0 +1,45 @@
+# Copyright (c) 2018 The Johns Hopkins University/Applied Physics Laboratory
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import abc
+import six
+
+
+@six.add_metaclass(abc.ABCMeta)
+class AuthAPI:
+    """
+    The base class for an authentication API connector.
+    """
+
+    @abc.abstractmethod
+    def authenticate(self,
+                     connection_certificate=None,
+                     connection_info=None,
+                     request_credentials=None):
+        """
+        Query the configured authentication service with the given credentials.
+
+        Args:
+            connection_certificate (cryptography.x509.Certificate): An X.509
+                certificate object obtained from the connection being
+                authenticated. Optional, defaults to None.
+            connection_info (tuple): A tuple of information pertaining to the
+                connection being authenticated, including the source IP address
+                and a timestamp (e.g., ('127.0.0.1', 1519759267.467451)).
+                Optional, defaults to None.
+            request_credentials (list): A list of KMIP Credential structures
+                containing credential information to use for authentication.
+                Optional, defaults to None.
+        """
@@ -0,0 +1,108 @@
+# Copyright (c) 2018 The Johns Hopkins University/Applied Physics Laboratory
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import requests
+import six
+
+from kmip.core import exceptions
+from kmip.services.server.auth import api
+from kmip.services.server.auth import utils
+
+
+class SLUGSConnector(api.AuthAPI):
+    """
+    An authentication API connector for a SLUGS service.
+    """
+
+    def __init__(self, url=None):
+        """
+        Construct a SLUGSConnector.
+
+        Args:
+            url (string): The base URL for the remote SLUGS instance. Optional,
+                defaults to None. Required for authentication.
+        """
+        self._url = None
+        self.users_url = None
+        self.groups_url = None
+
+        self.url = url
+
+    @property
+    def url(self):
+        return self._url
+
+    @url.setter
+    def url(self, value):
+        if value is None:
+            self._url = None
+            self.users_url = None
+            self.groups_url = None
+        elif isinstance(value, six.string_types):
+            self._url = value
+            if not self._url.endswith("/"):
+                self._url += "/"
+            self.users_url = self._url + "users/{}"
+            self.groups_url = self.users_url + "/groups"
+        else:
+            raise TypeError("URL must be a string.")
+
+    def authenticate(self,
+                     connection_certificate=None,
+                     connection_info=None,
+                     request_credentials=None):
+        """
+        Query the configured SLUGS service with the provided credentials.
+
+        Args:
+            connection_certificate (cryptography.x509.Certificate): An X.509
+                certificate object obtained from the connection being
+                authenticated. Required for SLUGS authentication.
+            connection_info (tuple): A tuple of information pertaining to the
+                connection being authenticated, including the source IP address
+                and a timestamp (e.g., ('127.0.0.1', 1519759267.467451)).
+                Optional, defaults to None. Ignored for SLUGS authentication.
+            request_credentials (list): A list of KMIP Credential structures
+                containing credential information to use for authentication.
+                Optional, defaults to None. Ignored for SLUGS authentication.
+        """
+        if (self.users_url is None) or (self.groups_url is None):
+            raise exceptions.ConfigurationError(
+                "The SLUGS URL must be specified."
+            )
+
+        user_id = utils.get_client_identity_from_certificate(
+            connection_certificate
+        )
+
+        try:
+            response = requests.get(self.users_url.format(user_id))
+        except Exception:
+            raise exceptions.ConfigurationError(
+                "A connection could not be established using the SLUGS URL."
+            )
+        if response.status_code == 404:
+            raise exceptions.PermissionDenied(
+                "Unrecognized user ID: {}".format(user_id)
+            )
+
+        response = requests.get(self.groups_url.format(user_id))
+        if response.status_code == 404:
+            raise exceptions.PermissionDenied(
+                "Group information could not be retrieved for user ID: "
+                "{}".format(user_id)
+            )
+
+        return user_id, response.json().get('groups')
@@ -0,0 +1,75 @@
+# Copyright (c) 2018 The Johns Hopkins University/Applied Physics Laboratory
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from cryptography import x509
+from cryptography.hazmat import backends
+
+from kmip.core import exceptions
+
+
+def get_certificate_from_connection(connection):
+    """
+    Extract an X.509 certificate from a socket connection.
+    """
+    certificate = connection.getpeercert(binary_form=True)
+    if certificate:
+        return x509.load_der_x509_certificate(
+            certificate,
+            backends.default_backend()
+        )
+    return None
+
+
+def get_extended_key_usage_from_certificate(certificate):
+    """
+    Given an X.509 certificate, extract and return the extendedKeyUsage
+    extension.
+    """
+    try:
+        return certificate.extensions.get_extension_for_oid(
+            x509.oid.ExtensionOID.EXTENDED_KEY_USAGE
+        ).value
+    except x509.ExtensionNotFound:
+        return None
+
+
+def get_common_names_from_certificate(certificate):
+    """
+    Given an X.509 certificate, extract and return all common names.
+    """
+
+    common_names = certificate.subject.get_attributes_for_oid(
+        x509.oid.NameOID.COMMON_NAME
+    )
+    return [common_name.value for common_name in common_names]
+
+
+def get_client_identity_from_certificate(certificate):
+    """
+    Given an X.509 certificate, extract and return the client identity.
+    """
+    client_ids = get_common_names_from_certificate(certificate)
+
+    if len(client_ids) > 0:
+        if len(client_ids) > 1:
+            raise exceptions.PermissionDenied(
+                "Multiple client identities found."
+            )
+        return client_ids[0]
+    else:
+        raise exceptions.PermissionDenied(
+            "The certificate does not define any subject common names. "
+            "Client identity unavailable."
+        )
@@ -0,0 +1,14 @@
+# Copyright (c) 2018 The Johns Hopkins University/Applied Physics Laboratory
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.