path: root/app/api/middleware/authentication.py
blob: bc62fa8e7c337d60ae3bf3d9235797d193a3a13c (plain)
###############################################################################
# Copyright (c) 2017 Koren Lev (Cisco Systems), Yaron Yogev (Cisco Systems)   #
# and others                                                                  #
#                                                                             #
# All rights reserved. This program and the accompanying materials            #
# are made available under the terms of the Apache License, Version 2.0       #
# which accompanies this distribution, and is available at                    #
# http://www.apache.org/licenses/LICENSE-2.0                                  #
###############################################################################
import base64

from api.responders.responder_base import ResponderBase
from api.auth.auth import Auth
from api.auth.token import Token


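class AuthenticationMiddleware(ResponderBase):
    """Middleware hook that authenticates every request before it is routed.

    A request is accepted when it carries either valid HTTP Basic
    credentials or a valid token header. Paths listed in
    ``EXCEPTION_ROUTES`` are let through unauthenticated, so that list is
    security-critical: anything added to it is reachable anonymously.
    """

    def __init__(self):
        super().__init__()
        self.auth = Auth()
        # Header names are compared after upper-casing (see process_request),
        # so the constant is stored in upper case.
        self.BASIC_AUTH = "AUTHORIZATION"
        # Exact-match allow-list of paths that skip authentication.
        self.EXCEPTION_ROUTES = ['/auth/tokens']

    def process_request(self, req, resp):
        """Authenticate ``req`` and reject it when authentication fails.

        :param req: incoming request; only ``path`` and ``headers`` are read
        :param resp: outgoing response; not used here
        """
        # Exact string comparison: a path that merely resembles an exempt
        # route (extra segment, trailing slash) is still authenticated.
        if req.path in self.EXCEPTION_ROUTES:
            return

        self.log.debug("Authentication middleware is processing the request")
        # change_dict_naming_convention is inherited and not shown here;
        # presumably it returns the headers with upper-cased keys, which is
        # what the lookups below rely on -- confirm in ResponderBase.
        headers = self.change_dict_naming_convention(req.headers,
                                                     lambda s: s.upper())
        auth_error = None
        if self.BASIC_AUTH in headers:
            # An Authorization header takes precedence: when it is present
            # the token header is never consulted, even if basic auth fails.
            self.log.debug("Authenticating the basic credentials")
            basic = headers[self.BASIC_AUTH]
            auth_error = self.authenticate_with_basic_auth(basic)
        elif Token.FIELD in headers:
            # NOTE(review): assumes Token.FIELD is already upper case,
            # otherwise it can never match the upper-cased keys -- confirm.
            self.log.debug("Authenticating token")
            token = headers[Token.FIELD]
            auth_error = self.auth.validate_token(token)
        else:
            # Fail closed: no credentials of either kind means no access.
            auth_error = "Authentication required"

        if auth_error:
            # unauthorized() is inherited and not shown; presumably it raises
            # to abort the request -- confirm in ResponderBase.
            self.unauthorized(auth_error)

    def authenticate_with_basic_auth(self, basic):
        """Check the value of an HTTP Basic ``Authorization`` header.

        The header value is attacker-controlled, so every parsing step is
        guarded: a malformed value yields an error string (which the caller
        turns into an "unauthorized" response) instead of an unhandled
        exception.

        :param basic: raw header value, expected as ``Basic <base64>``
        :return: ``None`` when the credentials are valid, otherwise a short
                 error message
        """
        scheme = "Basic"
        if not basic or not basic.startswith(scheme):
            return "Credentials not provided"

        # Slice off exactly the scheme token. str.lstrip("Basic") treats its
        # argument as a set of characters, so it is only correct while a
        # separator follows the scheme.
        credential = basic[len(scheme):].lstrip()
        try:
            username_password = base64.b64decode(credential).decode("utf-8")
        except ValueError:
            # binascii.Error (bad base64) and UnicodeDecodeError (payload is
            # not UTF-8) are both ValueError subclasses.
            self.log.info("Malformed basic authentication header")
            return "Authentication failed"

        # Split on the first colon only: the user name cannot contain a
        # colon, but the password can, and it must reach the validator
        # unchanged.
        username, separator, password = username_password.partition(":")
        if not separator:
            self.log.info("Malformed basic authentication header")
            return "Authentication failed"

        # NOTE(review): username comes straight from the request and is
        # written to the log unescaped; confirm the log handler neutralises
        # control characters such as newlines.
        if not self.auth.validate_credentials(username, password):
            self.log.info("Authentication for {0} failed".format(username))
            return "Authentication failed"

        self.log.info("Authentication for {0} succeeded".format(username))
        return None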