Implement changes for API authentication and Swagger UI (#541)

* initial token-based-api login handler * add token schema and validation * initial import of pyro3d api code * basic Swagger spec support * Merge in working copy of API/Device.pm * Fix some error handling for API/Device.pm * Break out utility functions into separate file, to allow other api portions to use * Add NodeIP support. * Add nodeip plugin to config * remove double define of "plugin:" (#448) disclaimer: i did not test this is any way, came across it when looking for something else. * only AuthZ header for api use, and alway regen key on login * use RFC7235 * workaround for Swagger plugin weird response body * do not autodiscover swagger routes * code formatting only * move api util to utils area * initial full swagger spec for nodeip search * add api user role and fix api auth failure response * update version of swagger-ui to 3.20.3 * add more openapi defs * fixes to SQL and api spec * clean up subs * improvements to login/logout for API * make api logout work * add openapi tags to group operations * allow api params to be generated from DBIC schema spec * remove API calls for nodes and devices * remove some poor assumptions about api calls * tidy up * remove DDP * make login and logout similar * example of api call being handled by ajax call * make the branch authonly
2019-03-17 20:27:19 +00:00
parent df1a150f0c
commit 46d8c52a08
25 changed files with 465 additions and 20 deletions
--- a/lib/App/Netdisco/Web/Auth/Provider/DBIC.pm
+++ b/lib/App/Netdisco/Web/Auth/Provider/DBIC.pm
@@ -53,6 +53,28 @@ sub get_user_details {
    return $user;
 }

+sub validate_api_token {
+    my ($self, $token) = @_;
+    return unless defined $token;
+
+    my $settings = $self->realm_settings;
+    my $database = schema($settings->{schema_name})
+        or die "No database connection";
+
+    my $users_table  = $settings->{users_resultset}    || 'User';
+    my $token_column = $settings->{users_token_column} || 'token';
+
+    $token =~ s/^Apikey //i; # should be there but swagger-ui doesn't add it
+    my $user = try {
+      $database->resultset($users_table)->find({ $token_column => $token });
+    };
+
+    return $user->username
+      if $user and $user->in_storage and $user->token_from
+        and $user->token_from > (time - setting('api_token_lifetime'));
+    return undef;
+}
+
 sub get_user_roles {
    my ($self, $username) = @_;
    return unless defined $username;
--- a/lib/App/Netdisco/Web/AuthN.pm
+++ b/lib/App/Netdisco/Web/AuthN.pm
@@ -3,6 +3,15 @@ package App::Netdisco::Web::AuthN;
 use Dancer ':syntax';
 use Dancer::Plugin::DBIC;
 use Dancer::Plugin::Auth::Extensible;
+use Dancer::Plugin::Swagger;
+
+use MIME::Base64;
+
+sub request_is_api {
+  return (setting('api_token_lifetime')
+    and request->header('Authorization')
+    and request->accept =~ m/(?:json|javascript)/);
+}

 hook 'before' => sub {
    params->{return_url} ||= ((request->path ne uri_for('/')->path)
@@ -11,7 +20,12 @@ hook 'before' => sub {
    # from the internals of Dancer::Plugin::Auth::Extensible
    my $provider = Dancer::Plugin::Auth::Extensible::auth_provider('users');

-    if (! session('logged_in_user') && request->path ne uri_for('/login')->path) {
+    if (! session('logged_in_user')
+        and request->path ne uri_for('/login')->path
+        and request->path ne uri_for('/logout')->path
+        and request->path ne uri_for('/swagger.json')->path
+        and index(request->path, uri_for('/swagger-ui')->path) != 0) {
+
        if (setting('trust_x_remote_user')
          and scalar request->header('X-REMOTE_USER')
          and length scalar request->header('X-REMOTE_USER')) {
@@ -38,6 +52,16 @@ hook 'before' => sub {
            session(logged_in_user => 'guest');
            session(logged_in_user_realm => 'users');
        }
+        elsif (request_is_api()
+          and index(request->path, uri_for('/api')->path) == 0) {
+
+            my $token = request->header('Authorization');
+            my $user = $provider->validate_api_token($token)
+              or return;
+
+            session(logged_in_user => $user);
+            session(logged_in_user_realm => 'users');
+        }
        else {
            # user has no AuthN - force to handler for '/'
            request->path_info('/');
@@ -45,16 +69,44 @@ hook 'before' => sub {
    }
 };

+# user redirected here (POST -> GET) when login fails
 get qr{^/(?:login(?:/denied)?)?} => sub {
-    template 'index', { return_url => param('return_url') };
+    if (request_is_api()) {
+      status('unauthorized');
+      return to_json {
+        error => 'not authorized',
+        return_url => param('return_url'),
+      };
+    }
+    else {
+      template 'index', { return_url => param('return_url') };
+    }
 };

 # override default login_handler so we can log access in the database
+swagger_path {
+  description => 'Obtain an API Key using HTTP BasicAuth',
+  tags => ['Global'],
+  parameters => [],
+  responses => {
+    default => {
+      examples => {
+        'application/json' => { api_key => 'cc9d5c02d8898e5728b7d7a0339c0785' } } },
+  },
+},
 post '/login' => sub {
-    my $mode = (request->is_ajax ? 'API' : 'Web');
-    my ($success, $realm) = authenticate_user(
-        param('username'), param('password')
-    );
+    my $mode = (request_is_api() ? 'API' : 'WebUI');
+
+    # get authN data from request (HTTP BasicAuth or Form params)
+    my $authheader = request->header('Authorization');
+    if (defined $authheader and $authheader =~ /^Basic (.*)$/i) {
+        my ($u, $p) = split(m/:/, (MIME::Base64::decode($1) || ":"));
+        params->{username} = $u;
+        params->{password} = $p;
+    }
+
+    # validate authN
+    my ($success, $realm) = authenticate_user(param('username'),param('password'));

    if ($success) {
        my $user = schema('netdisco')->resultset('User')
@@ -70,10 +122,16 @@ post '/login' => sub {
          event => "Login ($mode)",
          details => param('return_url'),
        });
-
        $user->update({ last_on => \'now()' });

-        return if request->is_ajax;
+        if ($mode eq 'API') {
+            $user->update({
+              token_from => time,
+              token => \'md5(random()::text)',
+            })->discard_changes();
+            return to_json { api_key => $user->token };
+        }
+
        redirect param('return_url');
    }
    else {
@@ -86,28 +144,53 @@ post '/login' => sub {
          details => param('return_url'),
        });

-        if (request->is_ajax) {
+        if ($mode eq 'API') {
            status('unauthorized');
+            return to_json { error => 'authentication failed' };
        }
-        else {
-            vars->{login_failed}++;
-            forward uri_for('/login'),
-              { login_failed => 1, return_url => param('return_url') },
-              { method => 'GET' };
-        }
+
+        vars->{login_failed}++;
+        forward uri_for('/login'),
+          { login_failed => 1, return_url => param('return_url') },
+          { method => 'GET' };
    }
 };

+# ugh, *puke*, but D::P::Swagger has no way to set this with swagger_path
+# must be after the path is declared, above.
+Dancer::Plugin::Swagger->instance->doc->{paths}->{'/login'}
+  ->{post}->{security}->[0]->{BasicAuth} = [];
+
 # we override the default login_handler, so logout has to be handled as well
-any ['get', 'post'] => '/logout' => sub {
+swagger_path {
+  description => 'Destroy user API Key and session cookie',
+  tags => ['Global'],
+  parameters => [],
+  responses => { default => { examples => { 'application/json' => {} } } },
+},
+get '/logout' => sub {
+    my $mode = (request_is_api() ? 'API' : 'WebUI');
+
+    # clear out API token
+    my $user = schema('netdisco')->resultset('User')
+      ->find({ username => session('logged_in_user')});
+    $user->update({token => undef, token_from => undef})->discard_changes()
+      if $user and $user->in_storage;
+
+    # invalidate session cookie
+    session->destroy;
+
    schema('netdisco')->resultset('UserLog')->create({
      username => session('logged_in_user'),
      userip => request->remote_address,
-      event => "Logout",
+      event => "Logout ($mode)",
      details => '',
    });

-    session->destroy;
+    if ($mode eq 'API') {
+        return to_json {};
+    }
+
    redirect uri_for('/inventory')->path;
 };