Merge develop into feature/traefikIntegration

Author: Johannes Duesing

OpenAPISpecification.yaml

@@ -20,6 +20,8 @@ tags:
       containers
   - name: Docker Operations
     description: Operations on instances that are running in a docker container
+  - name: User Management
+    description: Operations related to the user database of Delphi-Management
 schemes:
   - https
   - http
@@ -43,6 +45,81 @@ paths:
               TraefikProxyUri:
                 type: string
                 example: "172.0.2.1:80"
+  /users/authenticate:
+    post:
+      tags:
+        - User Management
+      summary: Authenticates a user and returns a valid JWT
+      description: >- 
+        This endpoints validates the username and password that must 
+        be supplied in the Authorization header (using HTTP Basic Authentication).
+        If valid, a JSON Web Token will be generated and returned, that may be used 
+        to authenticate the user for subsequent requests.
+      operationId: authenticate
+      parameters:
+        - in: header
+          name: Delphi-Authorization
+          description: >-
+            Valid JWT that autenticates the calling entity.
+          type: string
+          required: true
+        - in: header
+          name: Authorization
+          description: >- 
+            HTTP Basic Authentication following the schema 'Basic <User:Password>
+            where the concatination of username and password is Base64-Encoded.
+          type: string
+          required: true
+      responses:
+        '200':
+          description: Supplied data is valid, a JWT is returned
+          schema:
+            type: string
+            example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
+        '401':
+          description: Unauthorized, invalid username / password supplied.
+  /users/add:
+    post:
+      tags:
+        - User Management
+      summary: Adds a new users for the registry
+      description: >-
+        Adds a new user that is passed in the requests entity. The id of the user
+        will be returned.
+      operationId: addUser
+      parameters:
+        - in: body
+          name: DelphiUser
+          description: The user to add
+          required: true
+          schema:
+            type: object
+            required:
+              - userName
+              - secret
+              - userType
+            properties:
+              userName:
+                type: string
+                example: MyUser
+              secret:
+                type: string
+                example: 123Pass
+              userType:
+                type: string
+                enum:
+                  - Admin
+                  - User
+                  - Component
+      responses:
+        '200':
+          description: OK, user has been added, id is returned
+          schema:
+            type: integer
+            format: int64
+            example: 42
+        '400':
+          description: Bad request, name already exists
   /instances/register:
     post:
       tags:

README.md

@@ -77,12 +77,19 @@ Before you can start the application, you have to make sure your configuration f
 |```dockerOperationTimeout``` | ```Timeout``` | ```Timeout(20 seconds)``` | Default timeout for docker operations. If any of the async Docker operations (deploy, stop, pause, ..) takes longer than this, it will be aborted.|
 |```dockerUri``` | ```String``` | ```http://localhost:9095``` | Default uri to connect to docker. It will be used if the environment variable ```DELPHI_DOCKER_HOST``` is not specified.|
 |```jwtSecretKey``` | ```String``` | ```changeme``` | Secret key to use for JWT signature (HS256). This setting can be overridden by specifying the ```JWT_SECRET``` environment variable.|
-|```useInMemoryDB``` | ```Boolean``` | ```true``` | If set to true, all instance data will be kept in memory instead of using a MySQL database.|
-|```databaseHost``` | ```String``` | ```"jdbc:mysql://localhost/"``` | Host that the MySQL database is reachable at (only necessary if *useInMemoryDB* is false).|
-|```databaseName``` | ```String``` | ```""``` | Name of the MySQL database to use (only necessary if *useInMemoryDB* is false).|
-|```databaseDriver``` | ```String``` | ```"com.mysql.jdbc.Driver"``` | Driver to use for the MySQL connection (only necessary if *useInMemoryDB* is false).|
-|```databaseUsername``` | ```String``` | ```""``` | Username to use for the MySQL connection (only necessary if *useInMemoryDB* is false).|
-|```databasePassword``` | ```String``` | ```""``` | Password to use for the MySQL connection (only necessary if *useInMemoryDB* is false).|
+|```useInMemoryInstanceDB``` | ```Boolean``` | ```true``` | If set to true, all instance data will be kept in memory instead of using a MySQL database.|
+|```instanceDatabaseHost``` | ```String``` | ```"jdbc:mysql://localhost/"``` | Host that the MySQL instance database is reachable at (only necessary if *useInMemoryInstanceDB* is false).|
+|```instanceDatabaseName``` | ```String``` | ```""``` | Name of the MySQL instance database to use (only necessary if *useInMemoryInstanceDB* is false).|
+|```instanceDatabaseDriver``` | ```String``` | ```"com.mysql.jdbc.Driver"``` | Driver to use for the MySQL connection (only necessary if *useInMemoryInstanceDB* is false).|
+|```instanceDatabaseUsername``` | ```String``` | ```""``` | Username to use for the MySQL instance DB connection (only necessary if *useInMemoryInstanceDB* is false).|
+|```instanceDatabasePassword``` | ```String``` | ```""``` | Password to use for the MySQL instance DB connection (only necessary if *useInMemoryInstanceDB* is false).|
+|```useInMemoryAuthDB``` | ```Boolean``` | ```true``` | If set to true, all user data will be kept in memory instead of using a MySQL database.|
+|```authDatabaseHost``` | ```String``` | ```"jdbc:mysql://localhost/"``` | Host that the MySQL users database is reachable at (only necessary if *useInMemoryAuthDB* is false).|
+|```authDatabaseName``` | ```String``` | ```""``` | Name of the MySQL user database to use (only necessary if *useInMemoryAuthDB* is false).|
+|```authDatabaseDriver``` | ```String``` | ```"com.mysql.jdbc.Driver"``` | Driver to use for the MySQL users DB connection (only necessary if *useInMemoryAuthDB* is false).|
+|```authDatabaseUsername``` | ```String``` | ```""``` | Username to use for the MySQL users DB connection (only necessary if *useInMemoryAuthDB* is false).|
+|```authDatabasePassword``` | ```String``` | ```""``` | Password to use for the MySQL users DB connection (only necessary if *useInMemoryAuthDB* is false).|
+|```authenticationValidFor``` | ```Int``` | ```30``` | Default duration that user tokens are valid for (in minutes).|
 |```maxTotalNoRequest``` | ```Int``` | ```2000``` | Maximum number of requests that are allowed to be executed during the current refresh period regardless of their origin.|
 |```maxIndividualIpReq``` | ```Int``` | ```200``` | Maximum number of requests that are allowed to be executed during the current refresh period for one specific origin ip.|
 |```ipLogRefreshRate``` | ```FiniteDuration``` | ```2.minutes``` | Duration of the log refresh period.|
@@ -157,7 +164,7 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1NDcxMDYzOTksIm5iZiI6MTU0NzEwNjM
 Using the above token, a valid call to the registry at ```localhost:8087``` using *curl* looks like this:
 
 ```
-curl -X POST -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1NDcxMDYzOTksIm5iZiI6MTU0NzEwNjM5OSwiZXhwIjoxNTU0MDE0Nzk5LCJ1c2VyX2lkIjoiRGVidWdVc2VyIiwidXNlcl90eXBlIjoiQWRtaW4ifQ.TeDa8JkFANVEufPaxXv3AXSojcaiKdOlBKeU5cLaHpg" localhost:8087/deploy?ComponentType=WebApi
+curl -X POST -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1NDcxMDYzOTksIm5iZiI6MTU0NzEwNjM5OSwiZXhwIjoxNTU0MDE0Nzk5LCJ1c2VyX2lkIjoiRGVidWdVc2VyIiwidXNlcl90eXBlIjoiQWRtaW4ifQ.TeDa8JkFANVEufPaxXv3AXSojcaiKdOlBKeU5cLaHpg" -H "Content-type: application/json" -d '{"ComponentType":"WebApi"}' localhost:8087/instances/deploy
 ```
 
 ## Contributing

src/main/scala/de/upb/cs/swt/delphi/instanceregistry/Configuration.scala

@@ -42,12 +42,23 @@ class Configuration( ) {
   val jwtSecretKey: String = sys.env.getOrElse("JWT_SECRET", "changeme")
 
   //Database configurations
-  val useInMemoryDB = true
-  val databaseHost = "jdbc:mysql://localhost/"
-  val databaseName = ""
-  val databaseDriver = "com.mysql.jdbc.Driver"
-  val databaseUsername = ""
-  val databasePassword = ""
+  val useInMemoryInstanceDB = true
+  val instanceDatabaseHost = "jdbc:mysql://localhost/"
+  val instanceDatabaseName = ""
+  val instanceDatabaseDriver = "com.mysql.jdbc.Driver"
+  val instanceDatabaseUsername = ""
+  val instanceDatabasePassword = ""
+
+  //Auth database configuration
+  val useInMemoryAuthDB = true
+  val authDatabaseHost = "jdbc:mysql://localhost/"
+  val authDatabaseName = ""
+  val authDatabaseDriver = "com.mysql.jdbc.Driver"
+  val authDatabaseUsername = ""
+  val authDatabasePassword = ""
+
+  //Authentication valid for the time
+  val authenticationValidFor = 30 //minutes
 
   //Request Limiter
   val maxTotalNoRequest: Int = 2000

src/main/scala/de/upb/cs/swt/delphi/instanceregistry/Registry.scala

@@ -4,7 +4,7 @@ import akka.actor.ActorSystem
 import akka.stream.ActorMaterializer
 import de.upb.cs.swt.delphi.instanceregistry.Docker._
 import de.upb.cs.swt.delphi.instanceregistry.connection.Server
-import de.upb.cs.swt.delphi.instanceregistry.daos.{DatabaseInstanceDAO, DynamicInstanceDAO, InstanceDAO}
+import de.upb.cs.swt.delphi.instanceregistry.daos._
 
 import scala.concurrent.ExecutionContext
 import scala.language.postfixOps
@@ -18,14 +18,22 @@ object Registry extends AppLogging {
   val configuration = new Configuration()
 
   private val dao : InstanceDAO  = {
-    if (configuration.useInMemoryDB) {
+    if (configuration.useInMemoryInstanceDB) {
       new DynamicInstanceDAO(configuration)
     } else {
       new DatabaseInstanceDAO(configuration)
     }
   }
 
-  private val requestHandler = new RequestHandler(configuration, dao, DockerConnection.fromEnvironment(configuration))
+  private val authDao: AuthDAO = {
+    if (configuration.useInMemoryAuthDB) {
+      new DynamicAuthDAO(configuration)
+    } else {
+      new DatabaseAuthDAO(configuration)
+    }
+  }
+
+  private val requestHandler = new RequestHandler(configuration, authDao, dao, DockerConnection.fromEnvironment(configuration))
 
   private val server: Server = new Server(requestHandler)
 

src/main/scala/de/upb/cs/swt/delphi/instanceregistry/RequestHandler.scala

@@ -9,8 +9,9 @@ import akka.stream.{ActorMaterializer, Materializer, OverflowStrategy}
 import akka.util.Timeout
 import de.upb.cs.swt.delphi.instanceregistry.Docker.DockerActor._
 import de.upb.cs.swt.delphi.instanceregistry.Docker.{ContainerAlreadyStoppedException, DockerActor, DockerConnection}
+import de.upb.cs.swt.delphi.instanceregistry.authorization.AuthProvider
 import de.upb.cs.swt.delphi.instanceregistry.connection.RestClient
-import de.upb.cs.swt.delphi.instanceregistry.daos.InstanceDAO
+import de.upb.cs.swt.delphi.instanceregistry.daos.{AuthDAO, InstanceDAO}
 import de.upb.cs.swt.delphi.instanceregistry.io.swagger.client.model.InstanceEnums.{ComponentType, InstanceState}
 import de.upb.cs.swt.delphi.instanceregistry.io.swagger.client.model.LinkEnums.LinkState
 import de.upb.cs.swt.delphi.instanceregistry.io.swagger.client.model._
@@ -20,13 +21,15 @@ import scala.concurrent.{Await, ExecutionContext, Future}
 import scala.language.postfixOps
 import scala.util.{Failure, Success, Try}
 
-class RequestHandler(configuration: Configuration, instanceDao: InstanceDAO, connection: DockerConnection) extends AppLogging {
+class RequestHandler(configuration: Configuration, authDao: AuthDAO, instanceDao: InstanceDAO, connection: DockerConnection) extends AppLogging {
 
 
   implicit val system: ActorSystem = Registry.system
   implicit val materializer: Materializer = ActorMaterializer()
   implicit val ec: ExecutionContext = system.dispatcher
 
+  val authProvider: AuthProvider = new AuthProvider(authDao)
+
   val (eventActor, eventPublisher) = Source.actorRef[RegistryEvent](10, OverflowStrategy.dropNew)
     .toMat(Sink.asPublisher(fanout = true))(Keep.both)
     .run()
@@ -35,6 +38,7 @@ class RequestHandler(configuration: Configuration, instanceDao: InstanceDAO, con
   def initialize(): Unit = {
     log.info("Initializing request handler...")
     instanceDao.initialize()
+    authDao.initialize()
     if (!instanceDao.allInstances().exists(instance => instance.name.equals("Default ElasticSearch Instance"))) {
       //Add default ES instance
       handleRegister(Instance(None,
@@ -54,6 +58,7 @@ class RequestHandler(configuration: Configuration, instanceDao: InstanceDAO, con
   def shutdown(): Unit = {
     eventActor ! PoisonPill
     instanceDao.shutdown()
+    authDao.shutdown()
   }
 
   /**
@@ -944,6 +949,24 @@ class RequestHandler(configuration: Configuration, instanceDao: InstanceDAO, con
     }
   }
 
+  /**
+    * Add user to user database
+    *
+    * @param user
+    * @return
+    */
+  def handleAddUser(user: DelphiUser): Try[Long] = {
+
+    val noIdUser = DelphiUser(id = None, userName = user.userName, secret = user.secret, userType = user.userType)
+
+    authDao.addUser(noIdUser) match {
+      case Success(id) =>
+        log.info(s"Successfully handled create user request")
+        Success(id)
+      case Failure(x) => Failure(x)
+    }
+  }
+
 
   def isInstanceIdPresent(id: Long): Boolean = {
     instanceDao.hasInstance(id)

src/main/scala/de/upb/cs/swt/delphi/instanceregistry/authorization/AccessToken.scala

@@ -9,6 +9,7 @@ final case class AccessToken(userId: String,
                              issuedAt: DateTime,
                              notBefore: DateTime)
 
+
 object AccessTokenEnums {
 
   type UserType = UserType.Value

src/main/scala/de/upb/cs/swt/delphi/instanceregistry/authorization/AuthProvider.scala

@@ -1,19 +1,82 @@
 package de.upb.cs.swt.delphi.instanceregistry.authorization
 
+import java.nio.charset.StandardCharsets
+import java.security.MessageDigest
 import akka.actor.ActorSystem
 import akka.http.scaladsl.model.DateTime
 import akka.http.scaladsl.server.directives.Credentials
 import de.upb.cs.swt.delphi.instanceregistry.authorization.AccessTokenEnums.UserType
-import pdi.jwt.{Jwt, JwtAlgorithm}
+import de.upb.cs.swt.delphi.instanceregistry.daos.{AuthDAO, DatabaseAuthDAO}
+import pdi.jwt.{Jwt, JwtAlgorithm, JwtClaim}
 import de.upb.cs.swt.delphi.instanceregistry.{AppLogging, Registry}
 import spray.json._
 
 import scala.util.{Failure, Success, Try}
 
-object AuthProvider extends AppLogging {
+class AuthProvider(authDAO: AuthDAO) extends AppLogging {
 
   implicit val system : ActorSystem = Registry.system
 
+  def authenticateBasicJWT(credentials: Credentials) : Option[String] = {
+    credentials match {
+      case p @ Credentials.Provided(userName)  => {
+        if (getSecretForUser(userName).isEmpty) {
+          None
+        } else if(p.verify(getSecretForUser(userName).get, hashString)){
+          Some(userName)
+        } else {
+          None
+        }
+      }
+      case _ => None
+    }
+  }
+
+  def hashString: String => String = { secret: String =>
+    MessageDigest.getInstance("SHA-256").digest(secret.getBytes(StandardCharsets.UTF_8)).map("%02x".format(_)).mkString("")
+  }
+
+  private def getSecretForUser(userName: String): Option[String] ={
+    val user = authDAO.getUserWithUsername(userName)
+    if(user.isDefined){
+      Some(user.get.secret)
+    } else {
+      None
+    }
+  }
+
+  def isValidDelphiToken(token: String): Boolean ={
+    Jwt.decodeRawAll(token, Registry.configuration.jwtSecretKey, Seq(JwtAlgorithm.HS256)) match {
+      case Success((_, payload, _)) =>
+        parseDelphiTokenPayload(payload) match {
+          case Success(user_type) =>
+            log.info(s"Successfully parsed Delphi Authorization token")
+            true
+          case Failure(ex) =>
+            log.error(ex, s"Failed to parse Delphi Authorization with message ${ex.getMessage}")
+            false
+        }
+      case Failure(ex) =>
+        log.warning(s"Failed to validate jwt token with message ${ex.getMessage}")
+        false
+    }
+  }
+
+  def generateJwt(userName: String): String = {
+    val validFor: Long = Registry.configuration.authenticationValidFor
+    val user = authDAO.getUserWithUsername(userName)
+
+    val claim = JwtClaim()
+      .issuedNow
+      .expiresIn(validFor * 60)
+      .startsNow
+      . + ("user_id", user.get.userName)
+      . + ("user_type", user.get.userType)
+
+    val secretKey = Registry.configuration.jwtSecretKey
+    Jwt.encode(claim, secretKey, JwtAlgorithm.HS256)
+  }
+
   def authenticateOAuth(credentials: Credentials) : Option[AccessToken] = {
     credentials match {
       case _ @ Credentials.Provided(tokenString) =>
@@ -77,6 +140,17 @@ object AuthProvider extends AppLogging {
     }
   }
 
+  private def parseDelphiTokenPayload(jwtPayload: String) : Try[(String, String)] = {
+    Try[(String, String)] {
+      val json = jwtPayload.parseJson.asJsObject
+
+      val user_id = json.fields("user_id").asInstanceOf[JsString].value
+      val user_type = json.fields("user_type").asInstanceOf[JsString].value
+
+      (user_id, user_type)
+    }
+  }
+
   private def canAccess(tokenType: UserType, requiredType: UserType) = {
     if(tokenType == UserType.Admin){
       true