Merge pull request #4765 from StackStorm/st2auth-sso

Implement SSO plugin for user authentication in StackStorm

Author: m4dcoder

Makefile

@@ -567,6 +567,12 @@ requirements: virtualenv .requirements .sdist-requirements install-runners
 	# make targets. This speeds up the build
 	(cd ${ROOT_DIR}/st2common; ${ROOT_DIR}/$(VIRTUALENV_DIR)/bin/python setup.py develop --no-deps)
 
+	# Install st2auth to register SSO drivers
+	# NOTE: We pass --no-deps to the script so we don't install all the
+	# package dependencies which are already installed as part of "requirements"
+	# make targets. This speeds up the build
+	(cd ${ROOT_DIR}/st2auth; ${ROOT_DIR}/$(VIRTUALENV_DIR)/bin/python setup.py develop --no-deps)
+
 	# Some of the tests rely on submodule so we need to make sure submodules are check out
 	git submodule update --recursive --remote
 

conf/st2.conf.sample

@@ -53,6 +53,8 @@ port = 9101
 # Common option - options below apply in both scenarios - when auth service is running as a WSGI
 # service (e.g. under Apache or Nginx) and when it's running in the standalone mode.
 
+# JSON serialized arguments which are passed to the SSO backend.
+sso_backend_kwargs = None
 # Enable authentication middleware.
 enable = True
 # Path to the logging config.
@@ -63,10 +65,14 @@ api_url = None
 service_token_ttl = 86400
 # Access token ttl in seconds.
 token_ttl = 86400
+# Enable Single Sign On for GUI if true.
+sso = False
 # Authentication mode (proxy,standalone)
 mode = standalone
 # Specify to enable debug mode.
 debug = False
+# Single Sign On backend to use when SSO is enabled. Available backends: noop, saml2.
+sso_backend = noop
 
 # Standalone mode options - options below only apply when auth service is running in the standalone
 # mode.

st2auth/setup.py

@@ -46,5 +46,10 @@
     packages=find_packages(exclude=['setuptools', 'tests']),
     scripts=[
         'bin/st2auth'
-    ]
+    ],
+    entry_points={
+        'st2auth.sso.backends': [
+            'noop = st2auth.sso.noop:NoOpSingleSignOnBackend'
+        ]
+    }
 )

st2auth/st2auth/app.py

@@ -26,6 +26,7 @@
 from st2common.constants.system import VERSION_STRING
 from st2common.service_setup import setup as common_setup
 from st2common.util import spec_loader
+from st2common.util.monkey_patch import use_select_poll_workaround
 from st2auth import config as st2auth_config
 from st2auth.validation import validate_auth_backend_is_correctly_configured
 
@@ -61,6 +62,10 @@ def setup_app(config=None):
                      capabilities=capabilities,
                      config_args=config.get('config_args', None))
 
+        # pysaml2 uses subprocess communicate which calls communicate_with_poll
+        if cfg.CONF.auth.sso and cfg.CONF.auth.sso_backend == 'saml2':
+            use_select_poll_workaround(nose_only=False)
+
     # Additional pre-run time checks
     validate_auth_backend_is_correctly_configured()
 

st2auth/st2auth/config.py

@@ -22,8 +22,9 @@
 from st2common.constants.system import DEFAULT_CONFIG_FILE_PATH
 from st2common.constants.auth import DEFAULT_MODE
 from st2common.constants.auth import DEFAULT_BACKEND
+from st2common.constants.auth import DEFAULT_SSO_BACKEND
 from st2common.constants.auth import VALID_MODES
-from st2auth.backends import get_available_backends
+from st2auth import backends as auth_backends
 
 
 def parse_args(args=None):
@@ -45,7 +46,8 @@ def _register_common_opts():
 
 
 def _register_app_opts():
-    available_backends = get_available_backends()
+    available_backends = auth_backends.get_available_backends()
+
     auth_opts = [
         cfg.StrOpt(
             'host', default='127.0.0.1',
@@ -78,7 +80,17 @@ def _register_app_opts():
         cfg.StrOpt(
             'backend_kwargs', default=None,
             help='JSON serialized arguments which are passed to the authentication '
-                 'backend in a standalone mode.')
+                 'backend in a standalone mode.'),
+        cfg.BoolOpt(
+            'sso', default=False,
+            help='Enable Single Sign On for GUI if true.'),
+        cfg.StrOpt(
+            'sso_backend', default=DEFAULT_SSO_BACKEND,
+            help='Single Sign On backend to use when SSO is enabled. Available '
+                 'backends: noop, saml2.'),
+        cfg.StrOpt(
+            'sso_backend_kwargs', default=None,
+            help='JSON serialized arguments which are passed to the SSO backend.')
     ]
 
     cfg.CONF.register_cli_opts(auth_opts, group='auth')

st2auth/st2auth/controllers/v1/root.py

@@ -14,7 +14,9 @@
 # limitations under the License.
 
 from st2auth.controllers.v1 import auth
+from st2auth.controllers.v1 import sso as sso_auth
 
 
 class RootController(object):
     tokens = auth.TokenController()
+    sso = sso_auth.SingleSignOnController()

st2auth/st2auth/controllers/v1/sso.py

@@ -0,0 +1,144 @@
+# Copyright 2019 Extreme Networks, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import datetime
+import json
+
+from oslo_config import cfg
+from six.moves import http_client
+from six.moves import urllib
+
+import st2auth.handlers as handlers
+
+from st2auth import sso as st2auth_sso
+from st2common.exceptions import auth as auth_exc
+from st2common import log as logging
+from st2common import router
+
+
+LOG = logging.getLogger(__name__)
+SSO_BACKEND = st2auth_sso.get_sso_backend()
+
+
+class IdentityProviderCallbackController(object):
+
+    def __init__(self):
+        self.st2_auth_handler = handlers.ProxyAuthHandler()
+
+    def post(self, response, **kwargs):
+        try:
+            verified_user = SSO_BACKEND.verify_response(response)
+
+            st2_auth_token_create_request = {'user': verified_user['username'], 'ttl': None}
+
+            st2_auth_token = self.st2_auth_handler.handle_auth(
+                request=st2_auth_token_create_request,
+                remote_addr=verified_user['referer'],
+                remote_user=verified_user['username'],
+                headers={}
+            )
+
+            return process_successful_authn_response(verified_user['referer'], st2_auth_token)
+        except NotImplementedError as e:
+            return process_failure_response(http_client.INTERNAL_SERVER_ERROR, e)
+        except auth_exc.SSOVerificationError as e:
+            return process_failure_response(http_client.UNAUTHORIZED, e)
+        except Exception as e:
+            raise e
+
+
+class SingleSignOnRequestController(object):
+
+    def get(self, referer):
+        try:
+            response = router.Response(status=http_client.TEMPORARY_REDIRECT)
+            response.location = SSO_BACKEND.get_request_redirect_url(referer)
+            return response
+        except NotImplementedError as e:
+            return process_failure_response(http_client.INTERNAL_SERVER_ERROR, e)
+        except Exception as e:
+            raise e
+
+
+class SingleSignOnController(object):
+    request = SingleSignOnRequestController()
+    callback = IdentityProviderCallbackController()
+
+    def _get_sso_enabled_config(self):
+        return {'enabled': cfg.CONF.auth.sso}
+
+    def get(self):
+        try:
+            result = self._get_sso_enabled_config()
+            return process_successful_response(http_client.OK, result)
+        except Exception:
+            LOG.exception('Error encountered while getting SSO configuration.')
+            result = {'enabled': False}
+            return process_successful_response(http_client.OK, result)
+
+
+CALLBACK_SUCCESS_RESPONSE_BODY = """
+<html>
+    <script>
+        function getCookie(name) {
+            var v = document.cookie.match('(^|;) ?' + name + '=([^;]*)(;|$)');
+            return v ? v[2] : null;
+        }
+
+        data = JSON.parse(window.localStorage.getItem('st2Session'));
+        data['token'] = JSON.parse(decodeURIComponent(getCookie('st2-auth-token')));
+        window.localStorage.setItem('st2Session', JSON.stringify(data));
+        window.location.replace("%s");
+    </script>
+</html>
+"""
+
+
+def process_successful_authn_response(referer, token):
+    token_json = {
+        'id': str(token.id),
+        'user': token.user,
+        'token': token.token,
+        'expiry': str(token.expiry),
+        'service': False,
+        'metadata': {}
+    }
+
+    body = CALLBACK_SUCCESS_RESPONSE_BODY % referer
+    resp = router.Response(body=body)
+    resp.headers['Content-Type'] = 'text/html'
+
+    resp.set_cookie(
+        'st2-auth-token',
+        value=urllib.parse.quote(json.dumps(token_json)),
+        expires=datetime.timedelta(seconds=60),
+        overwrite=True
+    )
+
+    return resp
+
+
+def process_successful_response(status_code, json_body):
+    return router.Response(status_code=status_code, json_body=json_body)
+
+
+def process_failure_response(status_code, exception):
+    LOG.error(str(exception))
+    json_body = {'faultstring': str(exception)}
+    return router.Response(status_code=status_code, json_body=json_body)
+
+
+sso_controller = SingleSignOnController()
+sso_request_controller = SingleSignOnRequestController()
+idp_callback_controller = IdentityProviderCallbackController()

st2auth/st2auth/sso/__init__.py

@@ -0,0 +1,76 @@
+# Copyright 2019 Extreme Networks, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import absolute_import
+
+import json
+import six
+import traceback
+
+from oslo_config import cfg
+
+from st2common import log as logging
+
+from st2common.util import driver_loader
+
+
+__all__ = [
+    'get_available_backends',
+    'get_backend_instance',
+    'get_sso_backend'
+]
+
+LOG = logging.getLogger(__name__)
+
+BACKENDS_NAMESPACE = 'st2auth.sso.backends'
+
+
+def get_available_backends():
+    return driver_loader.get_available_backends(namespace=BACKENDS_NAMESPACE)
+
+
+def get_backend_instance(name):
+    sso_backend_cls = driver_loader.get_backend_driver(namespace=BACKENDS_NAMESPACE, name=name)
+
+    kwargs = {}
+    sso_backend_kwargs = cfg.CONF.auth.sso_backend_kwargs
+
+    if sso_backend_kwargs:
+        try:
+            kwargs = json.loads(sso_backend_kwargs)
+        except ValueError as e:
+            raise ValueError(
+                'Failed to JSON parse backend settings for backend "%s": %s' %
+                (name, six.text_type(e))
+            )
+
+    try:
+        sso_backend = sso_backend_cls(**kwargs)
+    except Exception as e:
+        tb_msg = traceback.format_exc()
+        class_name = sso_backend_cls.__name__
+        msg = ('Failed to instantiate SSO backend "%s" (class %s) with backend settings '
+               '"%s": %s' % (name, class_name, str(kwargs), six.text_type(e)))
+        msg += '\n\n' + tb_msg
+        exc_cls = type(e)
+        raise exc_cls(msg)
+
+    return sso_backend
+
+
+def get_sso_backend():
+    """
+    Return SingleSignOnBackend class instance.
+    """
+    return get_backend_instance(cfg.CONF.auth.sso_backend)

st2auth/st2auth/sso/base.py

@@ -0,0 +1,36 @@
+# Copyright 2019 Extreme Networks, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import abc
+import six
+
+
+__all__ = [
+    'BaseSingleSignOnBackend'
+]
+
+
+@six.add_metaclass(abc.ABCMeta)
+class BaseSingleSignOnBackend(object):
+    """
+    Base single sign on authentication class.
+    """
+
+    def get_request_redirect_url(self, referer):
+        msg = 'The function "get_request_redirect_url" is not implemented in the base SSO backend.'
+        raise NotImplementedError(msg)
+
+    def verify_response(self, response):
+        msg = 'The function "verify_response" is not implemented in the base SSO backend.'
+        raise NotImplementedError(msg)