Merge pull request #883 from AMWA-TV/fix-mock-auth

Fix authorization issues with mock resources

Author: jonathan-r-thorpe

nmostesting/IS10Utils.py

@@ -15,13 +15,15 @@
 from Crypto.PublicKey import RSA
 from authlib.jose import jwt, JsonWebKey
 
+import re
 import time
 import uuid
 
 from .NMOSUtils import NMOSUtils
 from OpenSSL import crypto
 from cryptography.hazmat.primitives import serialization
 from cryptography import x509
+from flask import request
 from .TestHelper import get_default_ip, get_mocks_hostname
 
 from . import Config as CONFIG
@@ -157,3 +159,36 @@ def is_any_contain(list, enum):
             if item in [e.name for e in enum]:
                 return True
         return False
+
+    @staticmethod
+    def check_authorization(auth, path, scope="x-nmos-registration", write=False):
+        def _check_path_match(path, path_wildcards):
+            path_match = False
+            for path_wildcard in path_wildcards:
+                pattern = path_wildcard.replace("*", ".*")
+                if re.search(pattern, path):
+                    path_match = True
+                    break
+            return path_match
+
+        if CONFIG.ENABLE_AUTH:
+            try:
+                if "Authorization" not in request.headers:
+                    return 400, "Authorization header not found"
+                if not request.headers["Authorization"].startswith("Bearer "):
+                    return 400, "Bearer not found in Authorization header"
+                token = request.headers["Authorization"].split(" ")[1]
+                claims = jwt.decode(token, auth.generate_jwk())
+                claims.validate()
+                if claims["iss"] != auth.make_issuer():
+                    return 401, f"Unexpected issuer, expected: {auth.make_issuer()}, actual: {claims['iss']}"
+                # TODO: Check 'aud' claim matches 'mocks.<domain>'
+                if not _check_path_match(path, claims[scope]["read"]):
+                    return 403, f"Paths mismatch for {scope} read claims"
+                if write and not _check_path_match(path, claims[scope]["write"]):
+                    return 403, f"Paths mismatch for {scope} write claims"
+            except KeyError as err:
+                return 400, f"KeyError: {err}"
+            except Exception as err:
+                return 400, f"Exception: {err}"
+        return True, ""

nmostesting/IS12Utils.py

@@ -171,6 +171,12 @@ def send_command(self, test, command_json):
             for tm in self.ncp_websocket.get_timestamped_messages():
                 parsed_message = json.loads(tm.message)
 
+                if parsed_message is None:
+                    raise NMOSTestException(test.FAIL(
+                        f"Null message received for command: {str(command_json)}",
+                        f"https://specs.amwa.tv/is-12/branches/{self.apis[CONTROL_API_KEY]['spec_branch']}"
+                        "/docs/Protocol_messaging.html#command-message-type"))
+
                 if self.message_type_to_schema_name(parsed_message.get("messageType")):
                     self._validate_is12_schema(
                         test,
@@ -230,7 +236,7 @@ def get_notifications(self):
         # Get any timestamped messages that have arrived in the interim period
         for tm in self.ncp_websocket.get_timestamped_messages():
             parsed_message = json.loads(tm.message)
-            if parsed_message["messageType"] == MessageTypes.Notification:
+            if parsed_message and parsed_message["messageType"] == MessageTypes.Notification:
                 self.notifications += [IS12Notification(n, tm.received_time)
                                        for n in parsed_message["notifications"]]
         return self.notifications

nmostesting/NMOSTesting.py

@@ -169,6 +169,7 @@
 # Primary Authorization server
 if CONFIG.ENABLE_AUTH:
     auth_app = Flask(__name__)
+    CORS(auth_app)
     auth_app.debug = False
     auth_app.config['AUTH_INSTANCE'] = 0
     auth_app.config['PORT'] = PRIMARY_AUTH.port

nmostesting/mocks/Auth.py

@@ -113,6 +113,7 @@ def __init__(self, port_increment, version="v1.0"):
             self.host = get_mocks_hostname()
         # authorization code of the authorization code flow
         self.code = None
+        self.scopes_cache = {}  # remember client scopes
 
     def make_mdns_info(self, priority=0, api_ver=None, ip=None):
         """Get an mDNS ServiceInfo object in order to create an advertisement"""
@@ -302,10 +303,6 @@ def auth_auth():
         # Recommended parameters
         #   state
 
-        ctype_valid, ctype_message = check_content_type(request.headers, "application/x-www-form-urlencoded")
-        if not ctype_valid:
-            raise AuthException("invalid_request", ctype_message)
-
         # hmm, no client authorization done, just redirects a random authorization code back to the client
         # TODO: add web pages for client authorization for the future
 
@@ -342,6 +339,8 @@ def auth_auth():
             if not scope_found:
                 error = "invalid_request"
                 error_description = "scope: {} are not supported".format(scopes)
+            # cache the client scopes
+            auth.scopes_cache[request.args["client_id"]] = scopes
 
         vars = {}
         if error:
@@ -370,7 +369,6 @@ def auth_auth():
 def auth_token():
     auth = AUTHS[flask.current_app.config["AUTH_INSTANCE"]]
     try:
-        auth_header_required = False
         scopes = []
 
         ctype_valid, ctype_message = check_content_type(request.headers, "application/x-www-form-urlencoded")
@@ -395,7 +393,13 @@ def auth_token():
 
             refresh_token = query["refresh_token"][0] if "refresh_token" in query else None
 
-            scopes = query["scope"][0].split() if "scope" in query else SCOPE.split() if SCOPE else []
+            # Scope query parameter is OPTIONAL
+            # see https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2
+            # and https://datatracker.ietf.org/doc/html/rfc6749#section-6
+            # Use scopes cached from when the token was created if not provided in query
+            cached_scopes = auth.scopes_cache[client_id] if client_id in auth.scopes_cache else []
+            scopes = query["scope"][0].split() if "scope" in query else cached_scopes \
+                if len(cached_scopes) else SCOPE.split() if SCOPE else []
             if scopes:
                 scope_found = IS10Utils.is_any_contain(scopes, SCOPES)
                 if not scope_found:
@@ -484,8 +488,6 @@ def auth_token():
                 else:
                     raise AuthException("unsupported_grant_type",
                                         "missing client_assertion_type used for private_key_jwt client authentication")
-            else:
-                auth_header_required = True
 
         # for the Confidential client, client_id and client_secret are embedded in the Authorization header
         auth_header = request.headers.get("Authorization", None)
@@ -504,8 +506,6 @@ def auth_token():
                                         "missing client_id or client_secret from authorization header")
             else:
                 raise AuthException("invalid_client", "invalid authorization header")
-        elif auth_header_required:
-            raise AuthException("invalid_client", "invalid authorization header", HTTPStatus.UNAUTHORIZED)
 
         # client_id MUST be provided by all types of client
         if not client_id:

nmostesting/mocks/Node.py

@@ -24,6 +24,8 @@
 from .. import Config as CONFIG
 from ..TestHelper import get_default_ip, do_request
 from ..IS04Utils import IS04Utils
+from ..IS10Utils import IS10Utils
+from .Auth import PRIMARY_AUTH
 
 
 class Node(object):
@@ -39,6 +41,7 @@ def reset(self):
         self.receivers = {}
         self.senders = {}
         self.patched_sdp = {}
+        self.auth_cache = {}
 
     def get_sender(self, media_type="video/raw", version="v1.3"):
         protocol = "http"
@@ -360,11 +363,49 @@ def patch_staged(self, resource, resource_id, request_json):
 
         return response_data, response_code
 
+    def check_authorization(self, auth, path, scope, write=False):
+        if not CONFIG.ENABLE_AUTH:
+            return True, ""
+
+        if "Authorization" in request.headers and request.headers["Authorization"].startswith("Bearer ") \
+                and scope in self.auth_cache and \
+                ((write and self.auth_cache[scope]["Write"]) or self.auth_cache[scope]["Read"]):
+            return True, ""
+
+        authorized, error_message = IS10Utils.check_authorization(auth,
+                                                                  path,
+                                                                  scope=scope,
+                                                                  write=write)
+        if authorized:
+            if scope not in self.auth_cache:
+                self.auth_cache[scope] = {"Read": True, "Write": write}
+            else:
+                self.auth_cache[scope]["Read"] = True
+                self.auth_cache[scope]["Write"] = self.auth_cache[scope]["Write"] or write
+        return authorized, error_message
+
 
 NODE = Node(1)
 NODE_API = Blueprint('node_api', __name__)
 
 
+# Authorization decorator
+def check_authorization(func):
+    def wrapper(*args, **kwargs):
+        write = (request.method == 'PATCH')
+        authorized, error_message = NODE.check_authorization(PRIMARY_AUTH,
+                                                             request.path,
+                                                             scope="x-nmos-connection",
+                                                             write=write)
+        if authorized is not True:
+            abort(authorized, description=error_message)
+
+        return func(*args, **kwargs)
+    # Rename wrapper to allow decoration of decorator
+    wrapper.__name__ = func.__name__
+    return wrapper
+
+
 @NODE_API.route('/x-nmos', methods=['GET'], strict_slashes=False)
 def x_nmos_root():
     base_data = ['connection/']
@@ -373,27 +414,31 @@ def x_nmos_root():
 
 
 @NODE_API.route('/x-nmos/connection', methods=['GET'], strict_slashes=False)
+@check_authorization
 def connection_root():
     base_data = ['v1.0/', 'v1.1/']
 
     return make_response(Response(json.dumps(base_data), mimetype='application/json'))
 
 
 @NODE_API.route('/x-nmos/connection/<version>', methods=['GET'], strict_slashes=False)
+@check_authorization
 def version(version):
     base_data = ['bulk/', 'single/']
 
     return make_response(Response(json.dumps(base_data), mimetype='application/json'))
 
 
 @NODE_API.route('/x-nmos/connection/<version>/single', methods=['GET'], strict_slashes=False)
+@check_authorization
 def single(version):
     base_data = ['senders/', 'receivers/']
 
     return make_response(Response(json.dumps(base_data), mimetype='application/json'))
 
 
 @NODE_API.route('/x-nmos/connection/<version>/single/<resource>/', methods=["GET"], strict_slashes=False)
+@check_authorization
 def resources(version, resource):
     if resource == 'senders':
         base_data = [r + '/' for r in [*NODE.senders]]
@@ -404,6 +449,7 @@ def resources(version, resource):
 
 
 @NODE_API.route('/x-nmos/connection/<version>/single/<resource>/<resource_id>', methods=["GET"], strict_slashes=False)
+@check_authorization
 def connection(version, resource, resource_id):
     if resource != 'senders' and resource != 'receivers':
         abort(404)
@@ -440,6 +486,7 @@ def _get_constraints(resource):
 
 @NODE_API.route('/x-nmos/connection/<version>/single/<resource>/<resource_id>/constraints',
                 methods=["GET"], strict_slashes=False)
+@check_authorization
 def constraints(version, resource, resource_id):
     base_data = [_get_constraints(resource)]
 
@@ -472,6 +519,7 @@ def _check_constraint(constraint, transport_param):
 
 @NODE_API.route('/x-nmos/connection/<version>/single/<resource>/<resource_id>/staged',
                 methods=["GET", "PATCH"], strict_slashes=False)
+@check_authorization
 def staged(version, resource, resource_id):
     """
     GET returns current staged data for given resource
@@ -515,6 +563,7 @@ def staged(version, resource, resource_id):
 
 @NODE_API.route('/x-nmos/connection/<version>/single/<resource>/<resource_id>/active',
                 methods=["GET"], strict_slashes=False)
+@check_authorization
 def active(version, resource, resource_id):
     try:
         if resource == 'senders':
@@ -529,6 +578,7 @@ def active(version, resource, resource_id):
 
 @NODE_API.route('/x-nmos/connection/<version>/single/<resource>/<resource_id>/transporttype',
                 methods=["GET"], strict_slashes=False)
+@check_authorization
 def transport_type(version, resource, resource_id):
     # TODO fetch from resource info
     base_data = "urn:x-nmos:transport:rtp"
@@ -583,6 +633,7 @@ def node_sdp(media_type, media_subtype):
 
 @NODE_API.route('/x-nmos/connection/<version>/single/<resource>/<resource_id>/transportfile',
                 methods=["GET"], strict_slashes=False)
+@check_authorization
 def transport_file(version, resource, resource_id):
     # GET should either redirect to the location of the transport file or return it directly
     try: