Merge pull request #572 from telefonicaid/task/add_pdp_validation

Task/add pdp validation

Author: fgalan

CHANGES_NEXT_RELEASE

@@ -1,3 +1,5 @@
+- Add: allow authorize using local PDP implementation (new config.localPDP / AUTHORIZE_BY_LOCAL_PDP setting) (#571)
+- Add: get roles from keystone and cache them using role names (#571)
 - Remove node cache legacy callbacks warning
 - Fix: fill from log field with real IP
 - Upgrade NodeJS version from 16-slim to 24-bullseye-slim in Dockerfile

README.md

@@ -519,6 +519,7 @@ Account log has three modes: `all`, `matched`, `wrong`. First one `all` includes
 * `config.bypassRoleId`: ID of the role that will be considered to have administrative rights over the proxy (so being transparently proxied without validation). Valid values are Role UUIDs. E.g.: `db50362d5f264c8292bebdb5c5783741`.
 * `config.dieOnRedirectError`: this flags changes the behavior of the PEP Proxy when an error is received when redirecting a request. If the flag is true, the PEP Proxy process is shut down immediately; if it is false, the behavior is the usual: generate a 501 Code error.
 * `config.bodyLimit`: Controls the maximum request body size allowed, in bytes. Default is 1 Mb
+* `config.localPDP`: Use local implementation for validate PDP (Policy Decision Point) or not. This validation is done by the logic in pdp.js file (out of scope of this documentation). Default is false
 
 ### Authentication configuration
 * `config.authentication.checkHeaders`: when the proxy is working with the access control disabled (just user authentication), indicates whether the `fiware-service` and `fiware-servicepath` headers should be checked for existance and validity (checking: the headers exist, thy are not empty and the user is really part of the service and subservice mentioned in the header). This option is ignored when authorization is enabled, and considered to be `true` (as the headers constitute a mandatory part of the authorization process). Default value is `true`.
@@ -550,33 +551,34 @@ The environment variables provide ways of configuring the plugin without taking
 ### Configuration based on environment variables
 Some of the configuration values for the attributes above mentioned can be overriden with values in environment variables. The following table shows the environment variables and what attribute they map to.
 
-| Environment variable | Configuration attribute             |
-|:-------------------- |:----------------------------------- |
-| PROXY_PORT           | config.resource.proxy.port          | 
-| ADMIN_PORT           | config.resource.proxy.adminPort     | 
-| TARGET_HOST          | config.resource.original.host       |
-| TARGET_PORT          | config.resource.original.port       |
-| LOG_LEVEL            | config.logLevel                     |
-| ACCESS_DISABLE       | config.access.disable               |
-| ACCESS_HOST          | config.access.host                  |
-| ACCESS_PORT          | config.access.port                  |
-| ACCESS_PROTOCOL      | config.access.protocol              |
-| ACCESS_ACCOUNT       | config.access.account               |
-| ACCESS_ACCOUNTFILE   | config.access.accountFile           |
-| ACCESS_ACCOUNTMODE   | config.access.accountMode           |
-| AUTHENTICATION_HOST  | config.authentication.options.host  |
-| AUTHENTICATION_PORT  | config.authentication.options.port  |
-| AUTHENTICATION_PROTOCOL  | config.authentication.options.protocol  |
-| AUTHENTICATION_CACHE_PROJECTIDS  | config.authentication.cacheTTLs.projectIds  |
-| AUTHENTICATION_CACHE_ROLES  | config.authentication.cacheTTLs.roles  |
-| AUTHENTICATION_CACHE_USERS  | config.authentication.cacheTTLs.users  |
-| AUTHENTICATION_CACHE_VALIDATION | config.authentication.cacheTTLs.validation  |
-| PROXY_USERNAME       | config.authentication.user          |
-| PROXY_PASSWORD       | config.authentication.password      |
-| PROXY_PASSWORD       | config.authentication.password      |
-| COMPONENT_NAME       | config.componentName                |
-| COMPONENT_PLUGIN     | config.middlewares and config.componentName if no COMPONENT_NAME provided     |
-| BODY_LIMIT           | config.bodyLimit                        |
+| Environment variable            | Configuration attribute                                                   |
+|:--------------------------------|:--------------------------------------------------------------------------|
+| PROXY_PORT                      | config.resource.proxy.port                                                |
+| ADMIN_PORT                      | config.resource.proxy.adminPort                                           |
+| TARGET_HOST                     | config.resource.original.host                                             |
+| TARGET_PORT                     | config.resource.original.port                                             |
+| LOG_LEVEL                       | config.logLevel                                                           |
+| ACCESS_DISABLE                  | config.access.disable                                                     |
+| ACCESS_HOST                     | config.access.host                                                        |
+| ACCESS_PORT                     | config.access.port                                                        |
+| ACCESS_PROTOCOL                 | config.access.protocol                                                    |
+| ACCESS_ACCOUNT                  | config.access.account                                                     |
+| ACCESS_ACCOUNTFILE              | config.access.accountFile                                                 |
+| ACCESS_ACCOUNTMODE              | config.access.accountMode                                                 |
+| AUTHENTICATION_HOST             | config.authentication.options.host                                        |
+| AUTHENTICATION_PORT             | config.authentication.options.port                                        |
+| AUTHENTICATION_PROTOCOL         | config.authentication.options.protocol                                    |
+| AUTHENTICATION_CACHE_PROJECTIDS | config.authentication.cacheTTLs.projectIds                                |
+| AUTHENTICATION_CACHE_ROLES      | config.authentication.cacheTTLs.roles                                     |
+| AUTHENTICATION_CACHE_USERS      | config.authentication.cacheTTLs.users                                     |
+| AUTHENTICATION_CACHE_VALIDATION | config.authentication.cacheTTLs.validation                                |
+| PROXY_USERNAME                  | config.authentication.user                                                |
+| PROXY_PASSWORD                  | config.authentication.password                                            |
+| PROXY_PASSWORD                  | config.authentication.password                                            |
+| COMPONENT_NAME                  | config.componentName                                                      |
+| COMPONENT_PLUGIN                | config.middlewares and config.componentName if no COMPONENT_NAME provided |
+| BODY_LIMIT                      | config.bodyLimit                                                          |
+| AUTHORIZE_BY_LOCAL_PDP          | config.localPDP                                                           |
 
 ### Component configuration
 A special environment variable, called `COMPONENT_PLUGIN` can be set with one of this values: `orion`, `perseo`, `keypass` and `rest`. This variable can be used to select what component plugin to load in order to determine the action of the incoming requests. This variable also rewrites `config.componentName` configuration paramenter.

bin/pepProxy

@@ -62,7 +62,8 @@ function loadConfiguration() {
         'COMPONENT_PLUGIN',
         'COMPONENT_NAME',
         'BODY_LIMIT',
-        'DISABLE_DOMAIN_MIDDLEWARE'
+        'DISABLE_DOMAIN_MIDDLEWARE',
+        'AUTHORIZE_BY_LOCAL_PDP'
     ];
 
     for (var i = 0; i < environmentValues.length; i++) {
@@ -152,6 +153,9 @@ function loadConfiguration() {
     if (process.env.BODY_LIMIT) {
         config.bodyLimit = process.env.BODY_LIMIT;
     }
+    if (process.env.AUTHORIZE_BY_LOCAL_PDP) {
+        config.localPDP = process.env.AUTHORIZE_BY_LOCAL_PDP == 'true';
+    }
 }
 
 loadConfiguration();

config.js

@@ -93,7 +93,7 @@ config.authentication = {
         protocol: 'http',
         host: 'localhost',
         port: 5000,
-        path: '/v3/role_assignments',
+        path: '/v3/role_assignments?include_names',
         authPath: '/v3/auth/tokens'
     }
 };
@@ -174,6 +174,11 @@ config.bypass = false;
  */
 config.bypassRoleId = '';
 
+/**
+ * Uses local PDP (policy decision point) for validate actions instead of remote PDP.
+ */
+config.localPDP = false;
+
 /**
  * Configures the maximum number of clients that can be simultaneously queued while waiting for the PEP to
  * authenticate itself against Keystone (due to an expired token).

lib/services/cacheUtils.js

@@ -121,7 +121,7 @@ function cacheAndHold(logger, cacheType, cacheKey, retrieveRequestFn, processVal
     }
 
     if (cachedValue) {
-        logger.debug('Value found in the cache [%s] for key [%s]: %s', cacheType, cacheKey, cachedValue);
+        logger.debug('Value found in the cache [%s] for key [%s]: %j', cacheType, cacheKey, cachedValue);
 
         processValueFn(cachedValue, callback);
     } else if (cache.updating[cacheType][cacheKey]) {

lib/services/keystoneAuth.js

@@ -84,15 +84,17 @@ function getRolesFromResponse(logger, rawBody, service, subservice, cacheKey) {
             if (body.role_assignments[i].scope &&
                 body.role_assignments[i].scope.domain &&
                 String(body.role_assignments[i].scope.domain.id) === String(service)) {
-                logger.debug('Role assignment [%s] accepted', body.role_assignments[i].role.id);
-                roles.push(body.role_assignments[i].role.id);
+                logger.debug('Role ID assignment [%s] accepted', body.role_assignments[i].role.id);
+                logger.debug('Role NAME assignment [%s] accepted', body.role_assignments[i].role.name);
+                roles.push({id: body.role_assignments[i].role.id, name: body.role_assignments[i].role.name});
             }
         } else {
             if (body.role_assignments[i].scope &&
                 body.role_assignments[i].scope.project &&
                 String(body.role_assignments[i].scope.project.id) === String(subservice)) {
-                logger.debug('Role assignment [%s] accepted', body.role_assignments[i].role.id);
-                roles.push(body.role_assignments[i].role.id);
+                logger.debug('Role ID assignment [%s] accepted', body.role_assignments[i].role.id);
+                logger.debug('Role NAME assignment [%s] accepted', body.role_assignments[i].role.name);
+                roles.push({id: body.role_assignments[i].role.id, name: body.role_assignments[i].role.name});
             }
         }
     }
@@ -116,6 +118,7 @@ function retrieveRoles(req, callback) {
         cacheKey = userId + ':' + subserviceId;
 
     function processValue(cachedValue, innerCb) {
+        logger.debug('Roles value processed with value: %j', cachedValue);
         innerCb(null, cachedValue);
     }
 

lib/services/pdp.js

@@ -0,0 +1,170 @@
+/*
+ * Copyright 2014 Telefonica Investigación y Desarrollo, S.A.U
+ *
+ * This file is part of fiware-pep-steelskin
+ *
+ * fiware-pep-steelskin is free software: you can redistribute it and/or
+ * modify it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the License,
+ * or (at your option) any later version.
+ *
+ * fiware-pep-steelskin is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public
+ * License along with fiware-pep-steelskin.
+ * If not, seehttp://www.gnu.org/licenses/.
+ *
+ * For those usages not covered by the GNU Affero General Public License
+ * please contact with::[iot_support@tid.es]
+ */
+
+'use strict';
+
+var cacheUtils = require('./cacheUtils');
+
+/**
+ * Allowed actions by component and role type
+ */
+const ACTION_MAP = {
+    ORION: {
+        CUSTOMER: ['read', 'subscribe', 'discover', 'subscribe-availability'],
+        ADMIN: ['read', 'create', 'update', 'delete', 'notify', 'register',
+                'discover', 'subscribe', 'subscribe-availability']
+    },
+    PERSEO: {
+        CUSTOMER: ['readRule'],
+        ADMIN: ['readRule', 'writeRule', 'notify']
+    },
+    IOTAGENT: {
+        CUSTOMER: ['read'],
+        ADMIN: ['create', 'delete', 'update', 'read']
+    },
+    STH: {
+        CUSTOMER: ['read'],
+        ADMIN: ['create', 'delete', 'update', 'read']
+    }
+};
+
+
+/**
+ * Helper para cacheo y respuesta
+ */
+function cacheAndReturn(cacheKey, decision, callback) {
+    const finalDecision = decision || 'Invalid';
+    cacheUtils.get().data.validation.set(cacheKey, finalDecision);
+    callback(null, finalDecision);
+}
+
+
+/**
+ * validation request using local PDP implementation
+ */
+function validationRequest(logger, roles, frn, action, headers, callback) {
+
+    logger.debug('pdp.validation with roles: %j, frn: %j, action: %j and headers %j',
+                 roles, frn, action, headers);
+    const cacheKey = frn + '#' + action + '#' + roles.map(r => r.name).join('-');
+
+    try {
+        // 1. parse FRN -> component, service and subservice
+        // Format example: fiware:orion:smartcity:/tourism:::
+        const frnParts = frn.split(':');
+
+        if (frnParts.length < 4) {
+            return callback(new Error('Invalid FRN format'));
+        }
+
+        const component = frnParts[1].toUpperCase();                  // ORION, PERSEO, IOTA, STH
+        const subserviceRaw = frnParts[3];                            // "/tourism", "///", etc
+        const subservice = subserviceRaw.replace(/\//g, '') || null;  // "tourism" o null
+
+        const isServiceOperation = subservice === null;
+        const isSubserviceOperation = subservice !== null;
+
+        // 2. For each role: get roleType and component
+        let matchedRole = null;
+
+        for (const role of roles) {
+            const name = role.name || '';
+            const parts = name.split('#');
+            if (parts.length !== 2) {
+                continue;
+            }
+
+            const roleInfo = parts[1];
+
+            // Try extrat type and component (i.e.: ServiceCustomerORION)
+            let match = roleInfo.match(
+                /(ServiceCustomer|ServiceAdmin|SubServiceCustomer|SubServiceAdmin)([A-Z]+)$/i
+            );
+
+            let roleType, roleComponent;
+
+            // Case 1: rol includes component
+            if (match) {
+                roleType = match[1];
+                roleComponent = match[2].toUpperCase();
+            }
+            // Caso 2: rol does NOT includes component -> apply over all components
+            else {
+                match = roleInfo.match(
+                    /^(ServiceCustomer|ServiceAdmin|SubServiceCustomer|SubServiceAdmin)$/i
+                );
+                if (!match) {
+                    continue;
+                }
+
+                roleType = match[1]; 
+                roleComponent = 'ANY';
+            }
+
+            // 1) Component matches (or ANY)
+            if (roleComponent !== 'ANY' && roleComponent !== component) {
+                continue;
+            }
+
+            // 2) Matches at service/subservice level
+            const roleIsService = roleType.startsWith('Service');
+            const roleIsSubservice = roleType.startsWith('SubService');
+
+            if (isServiceOperation && !roleIsService) {
+                continue;
+            }
+            if (isSubserviceOperation && !roleIsSubservice) {
+                continue;
+            }
+
+            matchedRole = { roleType, roleComponent };
+            break;
+        } // end for
+
+        if (!matchedRole) {
+            cacheAndReturn(cacheKey, 'Deny', callback);
+            return;
+        }
+
+        // 3. Final decision
+        const { roleType } = matchedRole;
+        const ROLE_CLASS = roleType.endsWith('Customer') ? 'CUSTOMER' : 'ADMIN';
+
+        let allowedActions = [];
+
+        if (ACTION_MAP[component] && ACTION_MAP[component][ROLE_CLASS]) {
+            allowedActions = ACTION_MAP[component][ROLE_CLASS];
+        }
+
+        const decision = allowedActions.includes(action) ? 'Permit' : 'Deny';
+
+        cacheAndReturn(cacheKey, decision, callback);
+
+    } catch (err) {
+        logger.error('Validation exception', err);
+        callback(err);
+    }
+}
+
+
+exports.validationRequest = validationRequest;

lib/services/validation.js

@@ -35,6 +35,7 @@ var request = require('request'),
     fs = require('fs'),
     path = require('path'),
     cacheUtils = require('./cacheUtils'),
+    pdp = require('./pdp'),
     requestTemplate,
     roleTemplate;
 
@@ -46,7 +47,7 @@ var request = require('request'),
  * @param {String} roles                 List of the roles of the user.
  * @param {String} organization          Name of the organization with the frn format.
  * @param {String} action                Name of the action the request is trying to execute.
- g */
+ */
 function createAccessRequest(logger, roles, organization, action, callback) {
     var parameters = {
         organization: organization,
@@ -219,7 +220,12 @@ function validationProcess(req, res, next) {
         if (req.corr) {
             req.headers[constants.CORRELATOR_HEADER] = req.corr;
         }
-        validationRequest(logger, req.roles, req.frn, req.action, req.headers, handleValidation);
+        if (config.localPDP) {
+            pdp.validationRequest(logger, req.roles, req.frn, req.action, req.headers, handleValidation);
+        } else {
+            var rolesId = req.roles.map(r => r.id);
+            validationRequest(logger, rolesId, req.frn, req.action, req.headers, handleValidation);
+        }
     }
 }
 
@@ -255,7 +261,7 @@ function loadTemplates(callback) {
 function checkBypass(req, res, next) {
     if (config.bypass && config.bypassRoleId && req.roles) {
         for (var i = 0; i < req.roles.length; i++) {
-            if (req.roles[i] === config.bypassRoleId) {
+            if (req.roles[i].id === config.bypassRoleId) {
                 req.bypass = true;
             }
         }

test/keystoneResponses/rolesOfUser.json

@@ -7,7 +7,8 @@
                 }
             },
             "role": {
-                "id": 8907
+                "id": 8907,
+                "name": "ServiceAdmin"
             },
             "user": {
                 "id": 2836
@@ -22,4 +23,4 @@
         "previous": null,
         "next": null
     }
-}
+}