[Notes] [Git][BuildGrid/buildgrid][mablanch/144-jwt-authentication] 3 co

Martin Blanchard pushed to branch mablanch/144-jwt-authentication at BuildGrid / buildgrid

Commits:

b54bde67

by Martin Blanchard at 2018-11-28T15:32:28Z

setup.py: Introduce pyjwt dependency

Hosted at: https://github.com/jpadilla/pyjwt

a65557a5

by Martin Blanchard at 2018-11-28T15:59:36Z

server/_authentication.py: New JWT based gRPC interceptor

2fd6ebad

by Martin Blanchard at 2018-11-28T15:59:41Z

server/instance.py: Register authentication gRPC interceptor

Changes:

.pylintrc

@@ -460,6 +460,7 @@ known-third-party=boto3,
                    enchant,
                    google,
                    grpc,
 +                  jwt,
                    moto,
                    yaml
@@ -523,4 +524,4 @@ valid-metaclass-classmethod-first-arg=mcs
  # Exceptions that will emit a warning when being caught. Defaults to
  # "Exception"
 -overgeneral-exceptions=Exception
 +overgeneral-exceptions=Exception
 \ No newline at end of file

buildgrid/server/_authentication.py

 +# Copyright (C) 2018 Bloomberg LP
 +#
 +# Licensed under the Apache License, Version 2.0 (the "License");
 +# you may not use this file except in compliance with the License.
 +# You may obtain a copy of the License at
 +#
 +#  <http://www.apache.org/licenses/LICENSE-2.0>
 +#
 +# Unless required by applicable law or agreed to in writing, software
 +# distributed under the License is distributed on an "AS IS" BASIS,
 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +# See the License for the specific language governing permissions and
 +# limitations under the License.
++
++
 +from datetime import datetime
 +from enum import Enum
++
 +import grpc
 +import jwt
++
 +from buildgrid._exceptions import InvalidArgumentError
++
++
 +class JwtAlgorithm(Enum):
 +    # HMAC algorithms:
 +    HS256 = 'HS256'
 +    HS384 = 'HS384'
 +    HS512 = 'HS512'
++
 +    # RSASSA-PKCS algorithms:
 +    RS256 = 'RS256'
 +    RS384 = 'RS384'
 +    RS512 = 'RS512'
++
 +    # RSASSA-PSS algorithms:
 +    PS256 = 'PS256'
 +    PS384 = 'PS384'
 +    PS512 = 'PS512'
++
 +    # ECDSA algorithms:
 +    ES256 = 'ES256'
 +    ES384 = 'ES384'
 +    ES521 = 'ES521'
 +    ES512 = 'ES512'
++
++
 +class JwtAuthMetadataInterceptor(grpc.ServerInterceptor):
++
 +    __auth_errors = {
 +        'missing-bearer': 'Missing authentication header field.',
 +        'invalid-bearer': 'Invalid authentication header field.',
 +        'invalid-token': 'Invalid authentication token.',
 +        'expired-token': 'Expired authentication token.',
 +        'unbounded-token': 'Unbounded authentication token.',
 +    }
++
 +    def __init__(self, secret, algorithm):
 +        """Initialises a new :class:`JwtAuthMetadataInterceptor`.
++
 +        Args:
 +            secret (str): Symetric secret key or asymetric public key.
 +            algorithm (JwtAlgorithm): Algorithm used to encode `secret`.
++
 +        Raises:
 +            InvalidArgumentError: If `algorithm` is not supported.
 +        """
 +        self.__bearer_cache = {}
 +        self.__terminators = {}
 +        self.__secret = secret
++
 +        self._algorithm = algorithm.value
++
 +        try:
 +            jwt.register_algorithm(self._algorithm, None)
++
 +        except TypeError:
 +            raise InvalidArgumentError('Algorithm not supported for JWT decoding: [{}]'
 +                                       .format(self._algorithm))
++
 +        except ValueError:
 +            pass
++
 +        for code, message in self.__auth_errors.items():
 +            self.__terminators[code] = _unary_unary_rpc_terminator(message)
++
 +    @property
 +    def algorithm(self):
 +        return JwtAlgorithm(self._algorithm)
++
 +    def intercept_service(self, continuation, handler_call_details):
 +        try:
 +            # Reject requests not carrying a token:
 +            bearer = dict(handler_call_details.invocation_metadata)['Authorization']
++
 +        except KeyError:
 +            return self.__terminators['missing-bearer']  # Rejected
++
 +        # Reject requests with malformated bearer:
 +        if not bearer.startswith('Bearer '):
 +            return self.__terminators['invalid-bearer']  # Rejected
++
 +        try:
 +            # Hit the cache for already validated token:
 +            expiration_time = self.__bearer_cache[bearer]
++
 +            # Accept request if cached token hasn't expired yet:
 +            if expiration_time < datetime.utcnow():
 +                return continuation(handler_call_details)  # Accepted
++
 +        except KeyError:
 +            pass
++
 +        try:
 +            # Decode and validate the new token:
 +            payload = jwt.decode(bearer[7:], self.__secret, algorithm=self._algorithm)
++
 +        except jwt.exceptions.ExpiredSignatureError:
 +            return self.__terminators['expired-token']  # Rejected
++
 +        except jwt.exceptions.InvalidTokenError:
 +            return self.__terminators['invalid-token']  # Rejected
++
 +        # Do not accept token without an expiration time:
 +        if 'exp' not in payload or not isinstance(payload['exp'], int):
 +            return self.__terminators['unbounded-token']  # Rejected
++
 +        # Cache the validated token and store expiration time:
 +        self.__bearer_cache[bearer] = datetime.fromtimestamp(payload['exp'])
++
 +        return continuation(handler_call_details)  # Accepted
++
++
 +def _unary_unary_rpc_terminator(details):
++
 +    def terminate(ignored_request, context):
 +        context.abort(grpc.StatusCode.UNAUTHENTICATED, details)
++
 +    return grpc.unary_unary_rpc_method_handler(terminate)

buildgrid/server/instance.py

@@ -22,6 +22,7 @@ import signal
  import grpc
  from buildgrid.server.actioncache.service import ActionCacheService
 +from buildgrid.server._authentication import JwtAlgorithm, JwtAuthMetadataInterceptor
  from buildgrid.server.bots.service import BotsService
  from buildgrid.server.cas.service import ByteStreamService, ContentAddressableStorageService
  from buildgrid.server.execution.service import ExecutionService
@@ -52,7 +53,9 @@ class BuildGridServer:
              max_workers = (os.cpu_count() or 1) * 5
          self.__grpc_executor = futures.ThreadPoolExecutor(max_workers)
 -        self.__grpc_server = grpc.server(self.__grpc_executor)
 +        self.__grpc_auth_interceptor = JwtAuthMetadataInterceptor('your-256-bit-secret', JwtAlgorithm.HS256)
 +        self.__grpc_server = grpc.server(
 +            self.__grpc_executor, interceptors=(self.__grpc_auth_interceptor,))
          self.__main_loop = asyncio.get_event_loop()
          self.__monitoring_bus = None

setup.py

@@ -116,6 +116,7 @@ setup(
          'protobuf',
          'grpcio',
          'Click',
 +        'pyjwt',
          'PyYAML',
          'boto3 < 1.8.0',
          'botocore < 1.11.0',

[Notes] [Git][BuildGrid/buildgrid][mablanch/144-jwt-authentication] 3 commits: setup.py: Introduce pyjwt dependency

Martin Blanchard pushed to branch mablanch/144-jwt-authentication at BuildGrid / buildgrid

Commits:

4 changed files:

Changes: