Merge branch 'master' into dependabot/npm_and_yarn/ui/webpack-dev-server-5.2.1

Author: JohnGarbutt

api/azimuth/authentication.py

@@ -41,7 +41,7 @@ def authenticate(self, request):
             session = cloud_settings.PROVIDER.from_auth_session(auth_session)
         except errors.AuthenticationError as exc:
             # If a session cannot be resolved from the token, then it has expired
-            logger.exception('Authentication failed: %s', str(exc))
+            logger.warning('Authentication failed: %s', str(exc))
             raise AuthenticationFailed(str(exc))
         else:
             # If the token resolved, return an authenticated user

api/azimuth/keystore/provider.py

@@ -3,13 +3,12 @@
 to store public keys.
 """
 
-from ..provider.errors import ObjectNotFoundError
+from ..provider import errors as provider_errors
 
-from .base import KeyStore
-from .errors import KeyNotFound
+from . import base, errors
 
 
-class ProviderKeyStore(KeyStore):
+class ProviderKeyStore(base.KeyStore):
     """
     Key store implementation that consumes keypairs using provider functionality.
     """
@@ -19,8 +18,10 @@ def get_key(self, username, *, unscoped_session, **kwargs):
         # Just return the SSH public key from the provider session
         try:
             return unscoped_session.ssh_public_key()
-        except ObjectNotFoundError:
-            raise KeyNotFound(username)
+        except provider_errors.UnsupportedOperationError as exc:
+            raise errors.UnsupportedOperation(str(exc))
+        except provider_errors.ObjectNotFoundError:
+            raise errors.KeyNotFound(username)
 
     def update_key(self, username, public_key, *, unscoped_session, **kwargs):
         # Just use the provider session to update the public key

api/azimuth/provider/base.py

@@ -31,6 +31,8 @@ def wrapper(*args, **kwargs):
             raise errors.ObjectNotFoundError(str(exc))
         except auth_errors.InvalidOperationError as exc:
             raise errors.InvalidOperationError(str(exc))
+        except auth_errors.UnsupportedOperationError as exc:
+            raise errors.UnsupportedOperationError(str(exc))
         except auth_errors.CommunicationError as exc:
             raise errors.CommunicationError(str(exc)) from exc
         except auth_errors.Error as exc:
@@ -129,7 +131,7 @@ def _scoped_session(
         self,
         auth_user: auth_dto.User,
         tenancy: dto.Tenancy,
-        credential_data: Any
+        credential_data: str
     ) -> 'ScopedSession':
         """
         Private method that creates a scoped session for the given tenancy.
@@ -152,11 +154,12 @@ def scoped_session(self, tenancy: Union[dto.Tenancy, str]) -> 'ScopedSession':
                 raise errors.ObjectNotFoundError(
                     "Could not find tenancy with ID {}.".format(tenancy)
                 )
-        # Get the credential from the auth session
-        credential = self.auth_session.credential(tenancy.id)
-        # Verify that the provider matches this provider
-        if credential.provider != self.provider_name:
-            raise errors.InvalidOperationError("credential is for a different provider")
+        # Get the credential from the auth session for this provider
+        credential = self.auth_session.credential(tenancy.id, self.provider_name)
+        # If the auth session is unable to supply a credential for the provider, bail
+        if not credential:
+            msg = f"no credentials available for {self.provider_name} provider"
+            raise errors.InvalidOperationError(msg)
         return self._scoped_session(self.auth_user, tenancy, credential.data)
 
     def close(self):

api/azimuth/provider/openstack/api/core.py

@@ -265,13 +265,31 @@ def from_clouds(cls, data):
             token = cloud_data["auth"]["token"]
             response = requests.get(
                 f"{auth_url}/auth/tokens",
-                headers = {"X-Auth-Token": token, "X-Subject-Token": token}
+                headers = {"X-Auth-Token": token, "X-Subject-Token": token},
+                verify = verify
             )
             response.raise_for_status()
             token_data = response.json()["token"]
+        elif cloud_data["auth_type"] == "v3applicationcredential":
+            response = requests.post(
+                f"{auth_url}/auth/tokens",
+                json = {
+                    "auth": {
+                        "identity": {
+                            "methods": ["application_credential"],
+                            "application_credential": {
+                                "id": cloud_data["auth"]["application_credential_id"],
+                                "secret": cloud_data["auth"]["application_credential_secret"],
+                            },
+                        },
+                    },
+                },
+                verify = verify
+            )
+            response.raise_for_status()
+            token = response.headers["X-Subject-Token"]
+            token_data = response.json()["token"]
         else:
-            # TODO(mkjpryor)
-            # For other credential types, exchange the credential for a token
             raise UnsupportedAuthType(cloud_data["auth_type"])
         # Extract the endpoints from the catalog for the correct interface and region
         endpoints = {}

api/azimuth/provider/openstack/provider.py

@@ -214,7 +214,7 @@ def _scoped_session(self, auth_user, tenancy, credential_data):
         return ScopedSession(
             auth_user,
             tenancy,
-            api.Connection.from_clouds(credential_data),
+            api.Connection.from_clouds(yaml.safe_load(credential_data)),
             self._metadata_prefix,
             self._internal_net_template,
             self._external_net_template,

api/azimuth/settings.py

@@ -169,9 +169,8 @@ class ZenithSetting(Setting):
     def __init__(self):
         super().__init__(dict)
 
-    def __get__(self, instance, owner):
-        user_settings = super().__get__(instance, owner)
-        apps_settings = AppsSettings(self.name, user_settings)
+    def _transform(self, instance, value):
+        apps_settings = AppsSettings(self.name, value)
         if apps_settings.ENABLED:
             return Zenith(
                 apps_settings.BASE_DOMAIN,

api/azimuth/utils.py

@@ -1,3 +1,4 @@
+import itertools
 import logging
 import re
 
@@ -7,12 +8,22 @@
 
 
 MANAGED_BY_LABEL = "app.kubernetes.io/managed-by"
-TENANCY_ID_LABEL = "azimuth.stackhpc.com/tenant-id"
+# A legacy stackhpc.com label and a new-style azimuth-cloud.io label are both supported
+TENANCY_ID_LABEL = "tenant.azimuth-cloud.io/id"
+TENANCY_ID_LABEL_LEGACY = "azimuth.stackhpc.com/tenant-id"
 
 
 logger = logging.getLogger(__name__)
 
 
+class DuplicateTenancyIDError(Exception):
+    """
+    Raised when there are multiple namespaces with the same tenancy ID.
+    """
+    def __init__(self, tenancy_id: str):
+        super().__init__(f"multiple tenancy namespaces found with ID '{tenancy_id}'")
+
+
 class NamespaceOwnershipError(Exception):
     """
     Raised when there is a conflict in the namespace ownership.
@@ -31,6 +42,28 @@ def sanitise(value):
     return re.sub(r"[^a-z0-9]+", "-", str(value).lower()).strip("-")
 
 
+def unique_namespaces(ekresource, tenancy_id):
+    """
+    Returns an iterator over the unique namespaces for the given tenancy ID.
+    """
+    seen_namespaces = set()
+    for namespace in ekresource.list(labels = {TENANCY_ID_LABEL: tenancy_id}):
+        # We won't see any duplicate namespaces in this first loop
+        seen_namespaces.add(namespace["metadata"]["name"])
+        yield namespace
+    for namespace in ekresource.list(labels = {TENANCY_ID_LABEL_LEGACY: tenancy_id}):
+        # We might see namespaces in this loop that appeared in the previous loop, if a
+        # namespace has both labels
+        ns_name = namespace["metadata"]["name"]
+        if ns_name in seen_namespaces:
+            logger.warning(
+                f"namespace '{ns_name}' has both new-style and legacy tenancy ID labels"
+            )
+            continue
+        else:
+            yield namespace
+
+
 def get_namespace(ekclient, tenancy: dto.Tenancy) -> str:
     """
     Returns the correct namespace to use for the given tenancy.
@@ -40,19 +73,21 @@ def get_namespace(ekclient, tenancy: dto.Tenancy) -> str:
     ekresource = ekclient.api("v1").resource("namespaces")
     expected_namespace = f"az-{tenancy_name}"
     # Try to find the namespace that is labelled with the tenant ID
-    try:
-        namespace = next(ekresource.list(labels = {TENANCY_ID_LABEL: tenancy_id}))
-    except StopIteration:
-        pass
-    else:
-        found_namespace = namespace["metadata"]["name"]
+    # We require that the namespace is unique
+    namespaces = list(unique_namespaces(ekresource, tenancy_id))
+    # If there is exactly one namespace, return it
+    if len(namespaces) == 1:
+        found_namespace = namespaces[0]["metadata"]["name"]
         logger.info(f"using namespace '{found_namespace}' for tenant '{tenancy_id}'")
         if found_namespace != expected_namespace:
-            logger.warn(
+            logger.warning(
                 f"expected namespace '{expected_namespace}' for "
                 f"tenant '{tenancy_id}', but found '{found_namespace}'"
             )
         return found_namespace
+    # If there are multiple namespaces with the ID, bail
+    elif len(namespaces) > 1:
+        raise DuplicateTenancyIDError(tenancy_id)
     # If there is no namespace labelled with the tenant ID, find the namespace
     # that uses the standard naming convention
     try:
@@ -65,7 +100,8 @@ def get_namespace(ekclient, tenancy: dto.Tenancy) -> str:
         else:
             raise
     # Before returning it, verify that it isn't labelled with another tenancy ID
-    owner_id = namespace["metadata"].get("labels", {}).get(TENANCY_ID_LABEL)
+    labels = namespace["metadata"].get("labels", {})
+    owner_id = labels.get(TENANCY_ID_LABEL, labels.get(TENANCY_ID_LABEL_LEGACY))
     if not owner_id or owner_id == tenancy_id:
         logger.info(f"using namespace '{expected_namespace}' for tenant '{tenancy_id}'")
         return expected_namespace

api/azimuth/views.py

@@ -1171,7 +1171,10 @@ def clusters(request, tenant):
                         unscoped_session = request.auth,
                         scoped_session = session
                     )
-                except keystore_errors.KeyNotFound:
+                except (
+                    keystore_errors.UnsupportedOperation,
+                    keystore_errors.KeyNotFound
+                ):
                     ssh_key = None
                 cluster = cluster_manager.create_cluster(
                     input_serializer.validated_data["name"],

api/azimuth_auth/authenticator/oidc.py

@@ -0,0 +1,129 @@
+import base64
+import json
+import logging
+import urllib.parse
+
+import httpx
+
+import oauthlib.common
+import oauthlib.oauth2
+
+from . import redirect
+
+
+class AuthorizationCodeAuthenticator(redirect.RedirectAuthenticator):
+    """
+    Authenticator that uses the OIDC authorization flow to obtain a token.
+
+    The OAuth2 flow is implemented here rather than using an ingress auth callout with
+    oauth2-proxy primarily because we need to be able to have some requests that are
+    "optionally authenticated".
+
+    This makes it possible to do things like render the Azimuth homepage to unauthenticated
+    users so that they can discover docs on how to register while also understanding when a
+    user is authenticated, and to present nicer messages to API consumers when unauthenticated
+    requests are made.
+
+    This kind of optional authentication is extremely difficult to configure with the ingress
+    callout as implemented by the NGINX ingress controller.
+
+    Potential issues with writing our own authentication code are mitigated by using the
+    oauthlib library to generate OAuth2 request URIs/bodies and to parse the responses.
+    """
+    authenticator_type = "oidc_authcode"
+
+    def __init__(
+        self,
+        authorization_url,
+        token_url,
+        client_id,
+        client_secret,
+        scope,
+        state_session_key,
+        verify_ssl
+    ):
+        self.authorization_url = authorization_url
+        self.token_url = token_url
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.scope = scope
+        self.state_session_key = state_session_key
+        self.verify_ssl = verify_ssl
+        self.logger = logging.getLogger(__name__)
+
+    def prepare_redirect_url(self, redirect_url):
+        # Strip parameters from the URL
+        components = urllib.parse.urlsplit(redirect_url)
+        components = components._replace(query = "", fragment = "")
+        return urllib.parse.urlunsplit(components)
+
+    def get_redirect_to(self, request, auth_complete_url, selected_option = None):
+        client = oauthlib.oauth2.WebApplicationClient(self.client_id)
+        # Generate new state parameter and stash it in the session
+        state = request.session[self.state_session_key] = oauthlib.common.generate_token()
+        # Generate the full authorization URL with parameters
+        return client.prepare_request_uri(
+            self.authorization_url,
+            redirect_uri = self.prepare_redirect_url(auth_complete_url),
+            scope = self.scope,
+            state = state
+        )
+
+    def auth_complete(self, request, selected_option = None):
+        client = oauthlib.oauth2.WebApplicationClient(self.client_id)
+        # Pull the state from the session
+        # If it fails, log the error and try again
+        try:
+            state = request.session.pop(self.state_session_key)
+        except KeyError:
+            self.logger.warning("no OIDC state in session")
+            return None
+        # Extract the code from the URL
+        # If it fails, log the error and try again
+        request_uri = request.build_absolute_uri()
+        try:
+            code = client.parse_request_uri_response(request_uri, state)["code"]
+        except (oauthlib.oauth2.OAuth2Error, KeyError):
+            self.logger.exception("error extracting authcode")
+            return None
+        # Make the token request
+        # If it fails, log the error and try again
+        try:
+            response = httpx.post(
+                self.token_url,
+                data = dict(
+                    oauthlib.common.urldecode(
+                        client.prepare_request_body(
+                            code,
+                            self.prepare_redirect_url(request_uri),
+                            include_client_id = True,
+                            client_secret = self.client_secret
+                        )
+                    )
+                ),
+                headers = {
+                    "Accept": "application/json",
+                    "Content-Type": "application/x-www-form-urlencoded",
+                },
+                verify = self.verify_ssl
+            )
+        except httpx.RequestError:
+            self.logger.exception("error fetching token")
+            return None
+        if not response.is_success:
+            self.logger.error(
+                f"error fetching token "
+                f"\"{response.status_code} {response.reason_phrase}\" "
+                f"{response.text}"
+            )
+            return None
+        # Parse the token from the response
+        # If it fails, log the error and try again
+        try:
+            token_data = client.parse_request_body_response(response.text, scope = self.scope)
+        except oauthlib.oauth2.OAuth2Error:
+            self.logger.exception("error extracting token from response")
+            return None
+        # The token that we return is a base64-encoded JSON dump of the token data
+        # This means that the OIDC session can consume both the access and refresh tokens
+        return base64.b64encode(json.dumps(token_data).encode()).decode()