PageRenderTime 151ms CodeModel.GetById 27ms RepoModel.GetById 0ms app.codeStats 0ms

/app/models/mixins/authentication_mixin.rb

https://gitlab.com/aljesusg/manageiqtest
Ruby | 318 lines | 233 code | 58 blank | 27 comment | 49 complexity | f65f51b29513cf1c2540b25c04ed7d52 MD5 | raw file
    

  1. module AuthenticationMixin
    2. 

  2.   extend ActiveSupport::Concern
    3. 

  3. 

  4.   included do
    5. 

  5.     has_many :authentications, :as => :resource, :dependent => :destroy, :autosave => true
    6. 

  6. 

  7.     virtual_column :authentication_status,  :type => :string
    8. 

  8. 

  9.     def self.authentication_check_schedule
    10. 

  10.       zone = MiqServer.my_server.zone
    11. 

  11.       assoc = name.tableize
    12. 

  12.       assocs = zone.respond_to?(assoc) ? zone.send(assoc) : []
    13. 

  13.       assocs.each(&:authentication_check_types_queue)
    14. 

  14.     end
    15. 

  15.   end
    16. 

  16. 

  17.   def supported_auth_attributes
    18. 

  18.     %w(userid password)
    19. 

  19.   end
    20. 

  20. 

  21.   def default_authentication_type
    22. 

  22.     :default
    23. 

  23.   end
    24. 

  24. 

  25.   def authentication_userid_passwords
    26. 

  26.     authentications.select { |a| a.kind_of?(AuthUseridPassword) }
    27. 

  27.   end
    28. 

  28. 

  29.   def authentication_tokens
    30. 

  30.     authentications.select { |a| a.kind_of?(AuthToken) }
    31. 

  31.   end
    32. 

  32. 

  33.   def authentication_key_pairs
    34. 

  34.     authentications.select { |a| a.kind_of?(ManageIQ::Providers::Openstack::InfraManager::AuthKeyPair) }
    35. 

  35.   end
    36. 

  36. 

  37.   def authentication_for_providers
    38. 

  38.     authentications.where.not(:authtype => nil)
    39. 

  39.   end
    40. 

  40. 

  41.   def authentication_for_summary
    42. 

  42.     summary = []
    43. 

  43.     authentication_for_providers.each do |a|
    44. 

  44.       summary << {
    45. 

  45.         :authtype       => a.authtype,
    46. 

  46.         :status         => a.status,
    47. 

  47.         :status_details => a.status_details
    48. 

  48.       }
    49. 

  49.     end
    50. 

  50.     summary
    51. 

  51.   end
    52. 

  52. 

  53.   def has_authentication_type?(type)
    54. 

  54.     authentication_types.include?(type)
    55. 

  55.   end
    56. 

  56. 

  57.   def authentication_userid(type = nil)
    58. 

  58.     authentication_component(type, :userid)
    59. 

  59.   end
    60. 

  60. 

  61.   def authentication_password(type = nil)
    62. 

  62.     authentication_component(type, :password)
    63. 

  63.   end
    64. 

  64. 

  65.   def authentication_key(type = nil)
    66. 

  66.     authentication_component(type, :auth_key)
    67. 

  67.   end
    68. 

  68. 

  69.   def authentication_token(type = nil)
    70. 

  70.     authentication_component(type, :auth_key)
    71. 

  71.   end
    72. 

  72. 

  73.   def authentication_password_encrypted(type = nil)
    74. 

  74.     authentication_component(type, :password_encrypted)
    75. 

  75.   end
    76. 

  76. 

  77.   def authentication_service_account(type = nil)
    78. 

  78.     authentication_component(type, :service_account)
    79. 

  79.   end
    80. 

  80. 

  81.   def required_credential_fields(type)
    82. 

  82.     case type.to_s
    83. 

  83.     when "bearer"
    84. 

  84.       [:auth_key]
    85. 

  85.     when "hawkular"
    86. 

  86.       []
    87. 

  87.     else
    88. 

  88.       [:userid]
    89. 

  89.     end
    90. 

  90.   end
    91. 

  91. 

  92.   def has_credentials?(type = nil)
    93. 

  93.     required_credential_fields(type).all? { |field| authentication_component(type, field) }
    94. 

  94.   end
    95. 

  95. 

  96.   def missing_credentials?(type = nil)
    97. 

  97.     !has_credentials?(type)
    98. 

  98.   end
    99. 

  99. 

  100.   def authentication_status
    101. 

  101.     ordered_auths = authentication_for_providers.sort_by(&:status_severity)
    102. 

  102.     ordered_auths.last.try(:status) || "None"
    103. 

  103.   end
    104. 

  104. 

  105.   def authentication_status_ok?(type = nil)
    106. 

  106.     authentication_best_fit(type).try(:status) == "Valid"
    107. 

  107.   end
    108. 

  108. 

  109.   def auth_user_pwd(type = nil)
    110. 

  110.     cred = authentication_best_fit(type)
    111. 

  111.     return nil if cred.nil? || cred.userid.blank?
    112. 

  112.     [cred.userid, cred.password]
    113. 

  113.   end
    114. 

  114. 

  115.   def auth_user_token(type = nil)
    116. 

  116.     cred = authentication_best_fit(type)
    117. 

  117.     return nil if cred.nil? || cred.userid.blank?
    118. 

  118.     [cred.userid, cred.auth_key]
    119. 

  119.   end
    120. 

  120. 

  121.   def auth_user_keypair(type = nil)
    122. 

  122.     cred = authentication_best_fit(type)
    123. 

  123.     return nil if cred.nil? || cred.userid.blank?
    124. 

  124.     [cred.userid, cred.auth_key]
    125. 

  125.   end
    126. 

  126. 

  127.   def update_authentication(data, options = {})
    128. 

  128.     return if data.blank?
    129. 

  129. 

  130.     options.reverse_merge!(:save => true)
    131. 

  131. 

  132.     @orig_credentials ||= auth_user_pwd || "none"
    133. 

  133. 

  134.     # Invoke before callback
    135. 

  135.     before_update_authentication if self.respond_to?(:before_update_authentication) && options[:save]
    136. 

  136. 

  137.     data.each_pair do |type, value|
    138. 

  138.       cred = authentication_type(type)
    139. 

  139.       current = {:new => nil, :old => nil}
    140. 

  140. 

  141.       unless value.key?(:userid) && value[:userid].blank?
    142. 

  142.         current[:new] = {:user => value[:userid], :password => value[:password], :auth_key => value[:auth_key]}
    143. 

  143.       end
    144. 

  144.       current[:old] = {:user => cred.userid, :password => cred.password, :auth_key => cred.auth_key} if cred
    145. 

  145. 

  146.       # Raise an error if required fields are blank
    147. 

  147.       Array(options[:required]).each { |field| raise(ArgumentError, "#{field} is required") if value[field].blank? }
    148. 

  148. 

  149.       # If old and new are the same then there is nothing to do
    150. 

  150.       next if current[:old] == current[:new]
    151. 

  151. 

  152.       # Check if it is a delete
    153. 

  153.       if value.key?(:userid) && value[:userid].blank?
    154. 

  154.         current[:new] = nil
    155. 

  155.         next if options[:save] == false
    156. 

  156.         authentication_delete(type)
    157. 

  157.         next
    158. 

  158.       end
    159. 

  159. 

  160.       # Update or create
    161. 

  161.       if cred.nil?
    162. 

  162.         if self.kind_of?(ManageIQ::Providers::Openstack::InfraManager) && value[:auth_key]
    163. 

  163.           # TODO(lsmola) investigate why build throws an exception, that it needs to be subclass of AuthUseridPassword
    164. 

  164.           cred = ManageIQ::Providers::Openstack::InfraManager::AuthKeyPair.new(:name => "#{self.class.name} #{name}", :authtype => type.to_s,
    165. 

  165.                                                :resource_id => id, :resource_type => "ExtManagementSystem")
    166. 

  166.           authentications << cred
    167. 

  167.         elsif value[:auth_key]
    168. 

  168.           cred = AuthToken.new(:name => "#{self.class.name} #{name}", :authtype => type.to_s,
    169. 

  169.                                                :resource_id => id, :resource_type => "ExtManagementSystem")
    170. 

  170.           authentications << cred
    171. 

  171.         else
    172. 

  172.           cred = authentications.build(:name => "#{self.class.name} #{name}", :authtype => type.to_s,
    173. 

  173.                                             :type => "AuthUseridPassword")
    174. 

  174.         end
    175. 

  175.       end
    176. 

  176.       cred.userid = value[:userid]
    177. 

  177.       cred.password = value[:password]
    178. 

  178.       cred.auth_key = value[:auth_key]
    179. 

  179. 

  180.       cred.save if options[:save] && id
    181. 

  181.     end
    182. 

  182. 

  183.     # Invoke callback
    184. 

  184.     after_update_authentication if self.respond_to?(:after_update_authentication) && options[:save]
    185. 

  185.     @orig_credentials = nil if options[:save]
    186. 

  186.   end
    187. 

  187. 

  188.   def credentials_changed?
    189. 

  189.     @orig_credentials ||= auth_user_pwd || "none"
    190. 

  190.     new_credentials = auth_user_pwd || "none"
    191. 

  191.     @orig_credentials != new_credentials
    192. 

  192.   end
    193. 

  193. 

  194.   def authentication_type(type)
    195. 

  195.     return nil if type.nil?
    196. 

  196.     available_authentications.detect do |a|
    197. 

  197.       a.authentication_type.to_s == type.to_s
    198. 

  198.     end
    199. 

  199.   end
    200. 

  200. 

  201.   def authentication_check_types_queue(*args)
    202. 

  202.     options = args.extract_options!
    203. 

  203.     types = args.first
    204. 

  204.     role = authentication_check_role if self.respond_to?(:authentication_check_role)
    205. 

  205.     zone = my_zone if self.respond_to?(:my_zone)
    206. 

  206. 

  207.     # FIXME: Via schedule, a message is created with args = [], so all authentications will be checked,
    208. 

  208.     # while an authentication change will create a message with args [:default] or whatever
    209. 

  209.     # authentication is changed, so you can end up with two messages for the same ci
    210. 

  210.     options = {
    211. 

  211.       :class_name  => self.class.base_class.name,
    212. 

  212.       :instance_id => id,
    213. 

  213.       :method_name => 'authentication_check_types',
    214. 

  214.       :args        => [types.to_miq_a, options]
    215. 

  215.     }
    216. 

  216. 

  217.     options[:role] = role if role
    218. 

  218.     options[:zone] = zone if zone
    219. 

  219. 

  220.     MiqQueue.put_unless_exists(options) do |msg|
    221. 

  221.       # TODO: Refactor the help in this and the ScheduleWorker#queue_work method into the merge method
    222. 

  222.       help = "Check for a running server"
    223. 

  223.       help << " in zone: [#{options[:zone]}]"   if options[:zone]
    224. 

  224.       help << " with role: [#{options[:role]}]" if options[:role]
    225. 

  225.       _log.warn("Previous authentication_check_types for [#{name}] [#{id}] with opts: [#{options[:args].inspect}] is still running, skipping...#{help}") unless msg.nil?
    226. 

  226.     end
    227. 

  227.   end
    228. 

  228. 

  229.   def authentication_check_types(*args)
    230. 

  230.     options = args.extract_options!
    231. 

  231.     types = args.first
    232. 

  232. 

  233.     # Let the individual classes determine what authentication(s) need to be checked
    234. 

  234.     types = authentications_to_validate if self.respond_to?(:authentications_to_validate) && types.nil?
    235. 

  235.     types = [nil] if types.blank?
    236. 

  236.     types.to_miq_a.each { |t| authentication_check(t, options) }
    237. 

  237.   end
    238. 

  238. 

  239.   # Returns [boolean check_result, string details]
    240. 

  240.   # check_result is true if and only if:
    241. 

  241.   #   * the system is reachable
    242. 

  242.   #   * AND we have the required authentication information
    243. 

  243.   #   * AND we successfully connected using the authentication
    244. 

  244.   #
    245. 

  245.   # details is a UI friendly message
    246. 

  246.   #
    247. 

  247.   # By default, the authentication's status is updated by the
    248. 

  248.   # validation_successful or validation_failed callbacks.
    249. 

  249.   #
    250. 

  250.   # An optional :save => false can be passed to bypass these callbacks.
    251. 

  251.   #
    252. 

  252.   # TODO: :valid, :incomplete, and friends shouldn't be littered in here and authentication
    253. 

  253.   def authentication_check(*args)
    254. 

  254.     options         = args.last.kind_of?(Hash) ? args.last : {}
    255. 

  255.     save            = options.fetch(:save, true)
    256. 

  256.     type            = args.first
    257. 

  257.     auth            = authentication_best_fit(type)
    258. 

  258.     status, details = authentication_check_no_validation(type || auth.authtype, options)
    259. 

  259. 

  260.     if save
    261. 

  261.       status == :valid ? auth.validation_successful : auth.validation_failed(status, details)
    262. 

  262.     end
    263. 

  263. 

  264.     return status == :valid, details
    265. 

  265.   end
    266. 

  266. 

  267.   private
    268. 

  268. 

  269.   def authentication_check_no_validation(type, options)
    270. 

  270.     header  = "type: [#{type.inspect}] for [#{id}] [#{name}]"
    271. 

  271.     status, details =
    272. 

  272.       if self.missing_credentials?(type)
    273. 

  273.         [:incomplete, "Missing credentials"]
    274. 

  274.       else
    275. 

  275.         begin
    276. 

  276.           verify_credentials(type, options) ? [:valid, ""] : [:invalid, "Unknown reason"]
    277. 

  277.         rescue MiqException::MiqUnreachableError => err
    278. 

  278.           [:unreachable, err]
    279. 

  279.         rescue MiqException::MiqInvalidCredentialsError, MiqException::MiqEVMLoginError => err
    280. 

  280.           [:invalid, err]
    281. 

  281.         rescue => err
    282. 

  282.           [:error, err]
    283. 

  283.         end
    284. 

  284.       end
    285. 

  285. 

  286.     details &&= details.to_s.truncate(200)
    287. 

  287. 

  288.     _log.warn("#{header} Validation failed: #{status}, #{details}") unless status == :valid
    289. 

  289.     return status, details
    290. 

  290.   end
    291. 

  291. 

  292.   def authentication_best_fit(type = nil)
    293. 

  293.     # Look for the supplied type and if that is not found return the default credentials
    294. 

  294.     authentication_type(type) || authentication_type(default_authentication_type)
    295. 

  295.   end
    296. 

  296. 

  297.   def authentication_component(type, method)
    298. 

  298.     cred = authentication_best_fit(type)
    299. 

  299.     return nil if cred.nil?
    300. 

  300. 

  301.     value = cred.public_send(method)
    302. 

  302.     value.blank? ? nil : value
    303. 

  303.   end
    304. 

  304. 

  305.   def available_authentications
    306. 

  306.     authentication_userid_passwords + authentication_key_pairs + authentication_tokens
    307. 

  307.   end
    308. 

  308. 

  309.   def authentication_types
    310. 

  310.     available_authentications.collect(&:authentication_type).uniq
    311. 

  311.   end
    312. 

  312. 

  313.   def authentication_delete(type)
    314. 

  314.     a = authentication_type(type)
    315. 

  315.     authentications.destroy(a) unless a.nil?
    316. 

  316.     a
    317. 

  317.   end
    318. 

  318. end
    319. 

  319.