Merge branch 'master' into remove_mistral

Author: amanda11

Makefile

@@ -564,6 +564,12 @@ requirements: virtualenv .requirements .sdist-requirements install-runners insta
 	# make targets. This speeds up the build
 	(cd ${ROOT_DIR}/st2common; ${ROOT_DIR}/$(VIRTUALENV_DIR)/bin/python setup.py develop --no-deps)
 
+	# Install st2auth to register SSO drivers
+	# NOTE: We pass --no-deps to the script so we don't install all the
+	# package dependencies which are already installed as part of "requirements"
+	# make targets. This speeds up the build
+	(cd ${ROOT_DIR}/st2auth; ${ROOT_DIR}/$(VIRTUALENV_DIR)/bin/python setup.py develop --no-deps)
+
 	# Some of the tests rely on submodule so we need to make sure submodules are check out
 	git submodule update --recursive --remote
 

OWNERS.md

@@ -12,8 +12,6 @@ This page lists active project maintainers and their areas of expertise. This ca
 Responsible for Project Strategy, External Relations, Organizational aspects, Partnerships and Future.
 * Dmitri Zimine ([@dzimine](https://github.com/dzimine/)) <<dzimine@stackstorm.com>>
   - StackStorm co-founder. External Relations, Leadership.
-* Lindsay Hill ([@LindsayHill](https://github.com/LindsayHill)) <<lindsay@stackstorm.com>>
-  - External Relations, Plans, Documentation, Community.
 
 # Senior Maintainers **
 ###### 2 vote points
@@ -48,11 +46,13 @@ Being part of Technical Steering Committee (TSC) [@StackStorm/maintainers](https
 Contributors are using and occasionally contributing back to the project, might be active in conversations or express their opinion on the project’s direction.
 They're not part of the TSC voting process, but appreciated for their contribution, involvement and may become Maintainers in the future depending on their effort and involvement. See [How to become a Maintainer?](https://github.com/StackStorm/st2/blob/master/GOVERNANCE.md#how-to-become-a-maintainer)
 [@StackStorm/contributors](https://github.com/orgs/StackStorm/teams/contributors) are invited to StackStorm Github organization and have permissions to help triage the Issues and review PRs.
+* AJ Jonen ([@guzzijones](https://github.com/guzzijones)) - ST2 Web UI, Orquesta, Core.
 * Carlos ([@nzlosh](https://github.com/nzlosh)) - Chatops, Errbot, Community, Discussions, StackStorm Exchange.
 * Hiroyasu Ohyama ([@userlocalhost](https://github.com/userlocalhost)) - Orquesta, Workflows, st2 Japan Community. [Case Study](https://stackstorm.com/case-study-dmm/).
 * Jon Middleton ([@jjm](https://github.com/jjm)) - StackStorm Exchange, Core, Discussions.
-* Tristan Struthers ([@trstruth](https://github.com/trstruth)) - Docker, K8s, Orquesta, Community.
 * Marcel Weinberg ([@winem](https://github.com/winem)) - Community, Docker, Core.
+* Sheshagiri Rao Mallipedhi ([@sheshagiri](https://github.com/sheshagiri)) - Docker, Core, StackStorm Exchange.
+* Tristan Struthers ([@trstruth](https://github.com/trstruth)) - Docker, K8s, Orquesta, Community.
 
 # Friends
 People that are currently not very active maintainers/contributors but who participated in and formed the project we have today.
@@ -73,6 +73,7 @@ Thank you, Friends!
 * Johan Dahlberg ([@johandahlberg](https://github.com/johandahlberg)) - Using st2 for Bioinformatics/Science project, providing feedback & contributions in Ansible, Community, Workflows. [Case Study](https://stackstorm.com/case-study-scilifelab/).
 * Johan Hermansson ([@johanherman](https://github.com/johanherman)) - Using st2 for Bioinformatics/Science project, feedback & contributions in Ansible, Community, Workflows. [Case Study](https://stackstorm.com/case-study-scilifelab/).
 * Lakshmi Kannan ([@lakshmi-kannan](https://github.com/lakshmi-kannan)) - early Stormer. Initial Core platform architecture, scalability, reliability, Team Leadership during the project hard times.
+* Lindsay Hill ([@LindsayHill](https://github.com/LindsayHill)) - ex StackStorm product manager that made a significant impact building an ecosystem we see today. 
 * Manas Kelshikar ([@manasdk](https://github.com/manasdk)) - ex Stormer. Developed (well) early core platform features.
 * Vineesh Jain ([@VineeshJain](https://github.com/VineeshJain)) - ex Stormer. Community, Tests, Core, QA.
 * Warren Van Winckel ([@warrenvw](https://github.com/warrenvw)) - ex Stormer. Docker, Kubernetes, Vagrant, Infrastructure.

conf/st2.conf.sample

@@ -53,6 +53,8 @@ port = 9101
 # Common option - options below apply in both scenarios - when auth service is running as a WSGI
 # service (e.g. under Apache or Nginx) and when it's running in the standalone mode.
 
+# JSON serialized arguments which are passed to the SSO backend.
+sso_backend_kwargs = None
 # Enable authentication middleware.
 enable = True
 # Path to the logging config.
@@ -63,10 +65,14 @@ api_url = None
 service_token_ttl = 86400
 # Access token ttl in seconds.
 token_ttl = 86400
+# Enable Single Sign On for GUI if true.
+sso = False
 # Authentication mode (proxy,standalone)
 mode = standalone
 # Specify to enable debug mode.
 debug = False
+# Single Sign On backend to use when SSO is enabled. Available backends: noop, saml2.
+sso_backend = noop
 
 # Standalone mode options - options below only apply when auth service is running in the standalone
 # mode.

st2auth/setup.py

@@ -46,5 +46,10 @@
     packages=find_packages(exclude=['setuptools', 'tests']),
     scripts=[
         'bin/st2auth'
-    ]
+    ],
+    entry_points={
+        'st2auth.sso.backends': [
+            'noop = st2auth.sso.noop:NoOpSingleSignOnBackend'
+        ]
+    }
 )

st2auth/st2auth/app.py

@@ -26,6 +26,7 @@
 from st2common.constants.system import VERSION_STRING
 from st2common.service_setup import setup as common_setup
 from st2common.util import spec_loader
+from st2common.util.monkey_patch import use_select_poll_workaround
 from st2auth import config as st2auth_config
 from st2auth.validation import validate_auth_backend_is_correctly_configured
 
@@ -61,6 +62,10 @@ def setup_app(config=None):
                      capabilities=capabilities,
                      config_args=config.get('config_args', None))
 
+        # pysaml2 uses subprocess communicate which calls communicate_with_poll
+        if cfg.CONF.auth.sso and cfg.CONF.auth.sso_backend == 'saml2':
+            use_select_poll_workaround(nose_only=False)
+
     # Additional pre-run time checks
     validate_auth_backend_is_correctly_configured()
 

st2auth/st2auth/config.py

@@ -22,8 +22,9 @@
 from st2common.constants.system import DEFAULT_CONFIG_FILE_PATH
 from st2common.constants.auth import DEFAULT_MODE
 from st2common.constants.auth import DEFAULT_BACKEND
+from st2common.constants.auth import DEFAULT_SSO_BACKEND
 from st2common.constants.auth import VALID_MODES
-from st2auth.backends import get_available_backends
+from st2auth import backends as auth_backends
 
 
 def parse_args(args=None):
@@ -45,7 +46,8 @@ def _register_common_opts():
 
 
 def _register_app_opts():
-    available_backends = get_available_backends()
+    available_backends = auth_backends.get_available_backends()
+
     auth_opts = [
         cfg.StrOpt(
             'host', default='127.0.0.1',
@@ -78,7 +80,17 @@ def _register_app_opts():
         cfg.StrOpt(
             'backend_kwargs', default=None,
             help='JSON serialized arguments which are passed to the authentication '
-                 'backend in a standalone mode.')
+                 'backend in a standalone mode.'),
+        cfg.BoolOpt(
+            'sso', default=False,
+            help='Enable Single Sign On for GUI if true.'),
+        cfg.StrOpt(
+            'sso_backend', default=DEFAULT_SSO_BACKEND,
+            help='Single Sign On backend to use when SSO is enabled. Available '
+                 'backends: noop, saml2.'),
+        cfg.StrOpt(
+            'sso_backend_kwargs', default=None,
+            help='JSON serialized arguments which are passed to the SSO backend.')
     ]
 
     cfg.CONF.register_cli_opts(auth_opts, group='auth')

st2auth/st2auth/controllers/v1/root.py

@@ -14,7 +14,9 @@
 # limitations under the License.
 
 from st2auth.controllers.v1 import auth
+from st2auth.controllers.v1 import sso as sso_auth
 
 
 class RootController(object):
     tokens = auth.TokenController()
+    sso = sso_auth.SingleSignOnController()

st2auth/st2auth/controllers/v1/sso.py

@@ -0,0 +1,144 @@
+# Copyright 2019 Extreme Networks, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import datetime
+import json
+
+from oslo_config import cfg
+from six.moves import http_client
+from six.moves import urllib
+
+import st2auth.handlers as handlers
+
+from st2auth import sso as st2auth_sso
+from st2common.exceptions import auth as auth_exc
+from st2common import log as logging
+from st2common import router
+
+
+LOG = logging.getLogger(__name__)
+SSO_BACKEND = st2auth_sso.get_sso_backend()
+
+
+class IdentityProviderCallbackController(object):
+
+    def __init__(self):
+        self.st2_auth_handler = handlers.ProxyAuthHandler()
+
+    def post(self, response, **kwargs):
+        try:
+            verified_user = SSO_BACKEND.verify_response(response)
+
+            st2_auth_token_create_request = {'user': verified_user['username'], 'ttl': None}
+
+            st2_auth_token = self.st2_auth_handler.handle_auth(
+                request=st2_auth_token_create_request,
+                remote_addr=verified_user['referer'],
+                remote_user=verified_user['username'],
+                headers={}
+            )
+
+            return process_successful_authn_response(verified_user['referer'], st2_auth_token)
+        except NotImplementedError as e:
+            return process_failure_response(http_client.INTERNAL_SERVER_ERROR, e)
+        except auth_exc.SSOVerificationError as e:
+            return process_failure_response(http_client.UNAUTHORIZED, e)
+        except Exception as e:
+            raise e
+
+
+class SingleSignOnRequestController(object):
+
+    def get(self, referer):
+        try:
+            response = router.Response(status=http_client.TEMPORARY_REDIRECT)
+            response.location = SSO_BACKEND.get_request_redirect_url(referer)
+            return response
+        except NotImplementedError as e:
+            return process_failure_response(http_client.INTERNAL_SERVER_ERROR, e)
+        except Exception as e:
+            raise e
+
+
+class SingleSignOnController(object):
+    request = SingleSignOnRequestController()
+    callback = IdentityProviderCallbackController()
+
+    def _get_sso_enabled_config(self):
+        return {'enabled': cfg.CONF.auth.sso}
+
+    def get(self):
+        try:
+            result = self._get_sso_enabled_config()
+            return process_successful_response(http_client.OK, result)
+        except Exception:
+            LOG.exception('Error encountered while getting SSO configuration.')
+            result = {'enabled': False}
+            return process_successful_response(http_client.OK, result)
+
+
+CALLBACK_SUCCESS_RESPONSE_BODY = """
+<html>
+    <script>
+        function getCookie(name) {
+            var v = document.cookie.match('(^|;) ?' + name + '=([^;]*)(;|$)');
+            return v ? v[2] : null;
+        }
+
+        data = JSON.parse(window.localStorage.getItem('st2Session'));
+        data['token'] = JSON.parse(decodeURIComponent(getCookie('st2-auth-token')));
+        window.localStorage.setItem('st2Session', JSON.stringify(data));
+        window.location.replace("%s");
+    </script>
+</html>
+"""
+
+
+def process_successful_authn_response(referer, token):
+    token_json = {
+        'id': str(token.id),
+        'user': token.user,
+        'token': token.token,
+        'expiry': str(token.expiry),
+        'service': False,
+        'metadata': {}
+    }
+
+    body = CALLBACK_SUCCESS_RESPONSE_BODY % referer
+    resp = router.Response(body=body)
+    resp.headers['Content-Type'] = 'text/html'
+
+    resp.set_cookie(
+        'st2-auth-token',
+        value=urllib.parse.quote(json.dumps(token_json)),
+        expires=datetime.timedelta(seconds=60),
+        overwrite=True
+    )
+
+    return resp
+
+
+def process_successful_response(status_code, json_body):
+    return router.Response(status_code=status_code, json_body=json_body)
+
+
+def process_failure_response(status_code, exception):
+    LOG.error(str(exception))
+    json_body = {'faultstring': str(exception)}
+    return router.Response(status_code=status_code, json_body=json_body)
+
+
+sso_controller = SingleSignOnController()
+sso_request_controller = SingleSignOnRequestController()
+idp_callback_controller = IdentityProviderCallbackController()

st2auth/st2auth/sso/__init__.py

@@ -0,0 +1,76 @@
+# Copyright 2019 Extreme Networks, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import absolute_import
+
+import json
+import six
+import traceback
+
+from oslo_config import cfg
+
+from st2common import log as logging
+
+from st2common.util import driver_loader
+
+
+__all__ = [
+    'get_available_backends',
+    'get_backend_instance',
+    'get_sso_backend'
+]
+
+LOG = logging.getLogger(__name__)
+
+BACKENDS_NAMESPACE = 'st2auth.sso.backends'
+
+
+def get_available_backends():
+    return driver_loader.get_available_backends(namespace=BACKENDS_NAMESPACE)
+
+
+def get_backend_instance(name):
+    sso_backend_cls = driver_loader.get_backend_driver(namespace=BACKENDS_NAMESPACE, name=name)
+
+    kwargs = {}
+    sso_backend_kwargs = cfg.CONF.auth.sso_backend_kwargs
+
+    if sso_backend_kwargs:
+        try:
+            kwargs = json.loads(sso_backend_kwargs)
+        except ValueError as e:
+            raise ValueError(
+                'Failed to JSON parse backend settings for backend "%s": %s' %
+                (name, six.text_type(e))
+            )
+
+    try:
+        sso_backend = sso_backend_cls(**kwargs)
+    except Exception as e:
+        tb_msg = traceback.format_exc()
+        class_name = sso_backend_cls.__name__
+        msg = ('Failed to instantiate SSO backend "%s" (class %s) with backend settings '
+               '"%s": %s' % (name, class_name, str(kwargs), six.text_type(e)))
+        msg += '\n\n' + tb_msg
+        exc_cls = type(e)
+        raise exc_cls(msg)
+
+    return sso_backend
+
+
+def get_sso_backend():
+    """
+    Return SingleSignOnBackend class instance.
+    """
+    return get_backend_instance(cfg.CONF.auth.sso_backend)