2020-07-02 04:21:35 +03:00
|
|
|
# API Key Based Authorization
|
|
|
|
|
#
|
|
|
|
|
# Copyright (C) 2020 Eric Callahan <arksine.code@gmail.com>
|
|
|
|
|
#
|
|
|
|
|
# This file may be distributed under the terms of the GNU GPLv3 license
|
|
|
|
|
import base64
|
|
|
|
|
import uuid
|
|
|
|
|
import os
|
|
|
|
|
import time
|
2020-07-28 17:54:48 +03:00
|
|
|
import ipaddress
|
2020-07-02 04:21:35 +03:00
|
|
|
import logging
|
|
|
|
|
import tornado
|
|
|
|
|
from tornado.ioloop import IOLoop, PeriodicCallback
|
2020-08-06 03:49:56 +03:00
|
|
|
from utils import ServerError
|
2020-07-02 04:21:35 +03:00
|
|
|
|
|
|
|
|
TOKEN_TIMEOUT = 5
|
|
|
|
|
CONNECTION_TIMEOUT = 3600
|
|
|
|
|
PRUNE_CHECK_TIME = 300 * 1000
|
|
|
|
|
|
|
|
|
|
class Authorization:
|
2020-08-06 03:49:56 +03:00
|
|
|
def __init__(self, config):
|
|
|
|
|
api_key_file = config.get('api_key_file', "~/.moonraker_api_key")
|
|
|
|
|
self.api_key_file = os.path.expanduser(api_key_file)
|
2020-07-02 04:21:35 +03:00
|
|
|
self.api_key = self._read_api_key()
|
2020-08-06 03:49:56 +03:00
|
|
|
self.auth_enabled = config.getboolean('enabled', True)
|
2020-07-02 04:21:35 +03:00
|
|
|
self.trusted_connections = {}
|
|
|
|
|
self.access_tokens = {}
|
|
|
|
|
|
2020-08-06 03:49:56 +03:00
|
|
|
# Get Trusted Clients
|
2020-07-28 17:54:48 +03:00
|
|
|
self.trusted_ips = []
|
|
|
|
|
self.trusted_ranges = []
|
2020-08-06 03:49:56 +03:00
|
|
|
trusted_clients = config.get('trusted_clients', "")
|
|
|
|
|
trusted_clients = [c.strip() for c in trusted_clients.split('\n')
|
|
|
|
|
if c.strip()]
|
|
|
|
|
for ip in trusted_clients:
|
|
|
|
|
# Check IP address
|
2020-07-28 17:54:48 +03:00
|
|
|
try:
|
2020-08-06 03:49:56 +03:00
|
|
|
tc = ipaddress.ip_address(ip)
|
2020-07-28 17:54:48 +03:00
|
|
|
except ValueError:
|
2020-08-06 03:49:56 +03:00
|
|
|
tc = None
|
|
|
|
|
if tc is None:
|
|
|
|
|
# Check ip network
|
|
|
|
|
try:
|
|
|
|
|
tc = ipaddress.ip_network(ip)
|
|
|
|
|
except ValueError:
|
|
|
|
|
raise ServerError(
|
|
|
|
|
"Invalid option in trusted_clients: %s" % (ip))
|
|
|
|
|
self.trusted_ranges.append(tc)
|
|
|
|
|
else:
|
|
|
|
|
self.trusted_ips.append(tc)
|
|
|
|
|
|
2020-07-28 17:54:48 +03:00
|
|
|
t_clients = [str(ip) for ip in self.trusted_ips] + \
|
|
|
|
|
[str(rng) for rng in self.trusted_ranges]
|
2020-07-02 04:21:35 +03:00
|
|
|
logging.info(
|
|
|
|
|
"Authorization Configuration Loaded\n"
|
|
|
|
|
"Auth Enabled: %s\n"
|
2020-07-28 17:54:48 +03:00
|
|
|
"Trusted Clients:\n%s" %
|
|
|
|
|
(self.auth_enabled, "\n".join(t_clients)))
|
2020-07-02 04:21:35 +03:00
|
|
|
|
2020-08-06 03:49:56 +03:00
|
|
|
self.prune_handler = PeriodicCallback(
|
|
|
|
|
self._prune_conn_handler, PRUNE_CHECK_TIME)
|
|
|
|
|
self.prune_handler.start()
|
|
|
|
|
|
2020-07-02 04:21:35 +03:00
|
|
|
def register_handlers(self, app):
|
|
|
|
|
# Register Authorization Endpoints
|
|
|
|
|
app.register_local_handler(
|
|
|
|
|
"/access/api_key", None, ['GET', 'POST'],
|
|
|
|
|
self._handle_apikey_request, http_only=True)
|
|
|
|
|
app.register_local_handler(
|
|
|
|
|
"/access/oneshot_token", None, ['GET'],
|
|
|
|
|
self._handle_token_request, http_only=True)
|
|
|
|
|
|
|
|
|
|
async def _handle_apikey_request(self, path, method, args):
|
|
|
|
|
if method.upper() == 'POST':
|
|
|
|
|
self.api_key = self._create_api_key()
|
|
|
|
|
return self.api_key
|
|
|
|
|
|
|
|
|
|
async def _handle_token_request(self, path, method, args):
|
|
|
|
|
return self.get_access_token()
|
|
|
|
|
|
|
|
|
|
def _read_api_key(self):
|
2020-08-06 03:49:56 +03:00
|
|
|
if os.path.exists(self.api_key_file):
|
|
|
|
|
with open(self.api_key_file, 'r') as f:
|
2020-07-02 04:21:35 +03:00
|
|
|
api_key = f.read()
|
|
|
|
|
return api_key
|
|
|
|
|
# API Key file doesn't exist. Generate
|
|
|
|
|
# a new api key and create the file.
|
|
|
|
|
logging.info(
|
|
|
|
|
"No API Key file found, creating new one at:\n%s"
|
2020-08-06 03:49:56 +03:00
|
|
|
% (self.api_key_file))
|
2020-07-02 04:21:35 +03:00
|
|
|
return self._create_api_key()
|
|
|
|
|
|
|
|
|
|
def _create_api_key(self):
|
|
|
|
|
api_key = uuid.uuid4().hex
|
2020-08-06 03:49:56 +03:00
|
|
|
with open(self.api_key_file, 'w') as f:
|
2020-07-02 04:21:35 +03:00
|
|
|
f.write(api_key)
|
|
|
|
|
return api_key
|
|
|
|
|
|
2020-07-28 17:54:48 +03:00
|
|
|
def _check_authorized_ip(self, ip):
|
|
|
|
|
if ip in self.trusted_ips:
|
|
|
|
|
return True
|
|
|
|
|
for rng in self.trusted_ranges:
|
|
|
|
|
if ip in rng:
|
|
|
|
|
return True
|
|
|
|
|
return False
|
|
|
|
|
|
2020-07-02 04:21:35 +03:00
|
|
|
def _prune_conn_handler(self):
|
|
|
|
|
cur_time = time.time()
|
|
|
|
|
expired_conns = []
|
|
|
|
|
for ip, access_time in self.trusted_connections.items():
|
|
|
|
|
if cur_time - access_time > CONNECTION_TIMEOUT:
|
|
|
|
|
expired_conns.append(ip)
|
|
|
|
|
for ip in expired_conns:
|
2020-07-13 22:13:34 +03:00
|
|
|
self.trusted_connections.pop(ip, None)
|
2020-07-02 04:21:35 +03:00
|
|
|
logging.info(
|
|
|
|
|
"Trusted Connection Expired, IP: %s" % (ip))
|
|
|
|
|
|
|
|
|
|
def _token_expire_handler(self, token):
|
2020-07-13 22:13:34 +03:00
|
|
|
self.access_tokens.pop(token, None)
|
2020-07-02 04:21:35 +03:00
|
|
|
|
|
|
|
|
def is_enabled(self):
|
|
|
|
|
return self.auth_enabled
|
|
|
|
|
|
|
|
|
|
def get_access_token(self):
|
|
|
|
|
token = base64.b32encode(os.urandom(20)).decode()
|
|
|
|
|
ioloop = IOLoop.current()
|
|
|
|
|
self.access_tokens[token] = ioloop.call_later(
|
|
|
|
|
TOKEN_TIMEOUT, self._token_expire_handler, token)
|
|
|
|
|
return token
|
|
|
|
|
|
|
|
|
|
def _check_trusted_connection(self, ip):
|
|
|
|
|
if ip is not None:
|
|
|
|
|
if ip in self.trusted_connections:
|
|
|
|
|
self.trusted_connections[ip] = time.time()
|
|
|
|
|
return True
|
2020-07-28 17:54:48 +03:00
|
|
|
elif self._check_authorized_ip(ip):
|
2020-07-02 04:21:35 +03:00
|
|
|
logging.info(
|
2020-07-28 17:54:48 +03:00
|
|
|
"Trusted Connection Detected, IP: %s" % (ip))
|
2020-07-02 04:21:35 +03:00
|
|
|
self.trusted_connections[ip] = time.time()
|
|
|
|
|
return True
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
def _check_access_token(self, token):
|
|
|
|
|
if token in self.access_tokens:
|
2020-07-13 22:13:34 +03:00
|
|
|
token_handler = self.access_tokens.pop(token, None)
|
2020-07-02 04:21:35 +03:00
|
|
|
IOLoop.current().remove_timeout(token_handler)
|
|
|
|
|
return True
|
|
|
|
|
else:
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
def check_authorized(self, request):
|
|
|
|
|
# Authorization is disabled, request may pass
|
|
|
|
|
if not self.auth_enabled:
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
# Check if IP is trusted
|
2020-07-28 17:54:48 +03:00
|
|
|
try:
|
|
|
|
|
ip = ipaddress.ip_address(request.remote_ip)
|
|
|
|
|
except ValueError:
|
|
|
|
|
logging.exception(
|
|
|
|
|
"Unable to Create IP Address %s" % (request.remote_ip))
|
|
|
|
|
ip = None
|
2020-07-02 04:21:35 +03:00
|
|
|
if self._check_trusted_connection(ip):
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
# Check API Key Header
|
|
|
|
|
key = request.headers.get("X-Api-Key")
|
|
|
|
|
if key and key == self.api_key:
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
# Check one-shot access token
|
|
|
|
|
token = request.arguments.get('token', [b""])[0].decode()
|
|
|
|
|
if self._check_access_token(token):
|
|
|
|
|
return True
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
def close(self):
|
|
|
|
|
self.prune_handler.stop()
|
|
|
|
|
|
|
|
|
|
class AuthorizedRequestHandler(tornado.web.RequestHandler):
|
|
|
|
|
def initialize(self, server, auth):
|
|
|
|
|
self.server = server
|
|
|
|
|
self.auth = auth
|
|
|
|
|
|
|
|
|
|
def prepare(self):
|
|
|
|
|
if not self.auth.check_authorized(self.request):
|
|
|
|
|
raise tornado.web.HTTPError(401, "Unauthorized")
|
|
|
|
|
|
|
|
|
|
def set_default_headers(self):
|
|
|
|
|
if self.settings['enable_cors']:
|
|
|
|
|
self.set_header("Access-Control-Allow-Origin", "*")
|
|
|
|
|
self.set_header(
|
|
|
|
|
"Access-Control-Allow-Methods",
|
|
|
|
|
"GET, POST, PUT, DELETE, OPTIONS")
|
|
|
|
|
self.set_header(
|
|
|
|
|
"Access-Control-Allow-Headers",
|
|
|
|
|
"Origin, Accept, Content-Type, X-Requested-With, "
|
|
|
|
|
"X-CRSF-Token")
|
|
|
|
|
|
|
|
|
|
def options(self, *args, **kwargs):
|
|
|
|
|
# Enable CORS if configured
|
|
|
|
|
if self.settings['enable_cors']:
|
|
|
|
|
self.set_status(204)
|
|
|
|
|
self.finish()
|
|
|
|
|
else:
|
|
|
|
|
super(AuthorizedRequestHandler, self).options()
|
|
|
|
|
|
|
|
|
|
# Due to the way Python treats multiple inheritance its best
|
|
|
|
|
# to create a separate authorized handler for serving files
|
|
|
|
|
class AuthorizedFileHandler(tornado.web.StaticFileHandler):
|
|
|
|
|
def initialize(self, server, auth, path, default_filename=None):
|
|
|
|
|
super(AuthorizedFileHandler, self).initialize(path, default_filename)
|
|
|
|
|
self.server = server
|
|
|
|
|
self.auth = auth
|
|
|
|
|
|
|
|
|
|
def prepare(self):
|
|
|
|
|
if not self.auth.check_authorized(self.request):
|
|
|
|
|
raise tornado.web.HTTPError(401, "Unauthorized")
|
|
|
|
|
|
|
|
|
|
def set_default_headers(self):
|
|
|
|
|
if self.settings['enable_cors']:
|
|
|
|
|
self.set_header("Access-Control-Allow-Origin", "*")
|
|
|
|
|
self.set_header(
|
|
|
|
|
"Access-Control-Allow-Methods",
|
|
|
|
|
"GET, POST, PUT, DELETE, OPTIONS")
|
|
|
|
|
self.set_header(
|
|
|
|
|
"Access-Control-Allow-Headers",
|
|
|
|
|
"Origin, Accept, Content-Type, X-Requested-With, "
|
|
|
|
|
"X-CRSF-Token")
|
|
|
|
|
|
|
|
|
|
def options(self, *args, **kwargs):
|
|
|
|
|
# Enable CORS if configured
|
|
|
|
|
if self.settings['enable_cors']:
|
|
|
|
|
self.set_status(204)
|
|
|
|
|
self.finish()
|
|
|
|
|
else:
|
|
|
|
|
super(AuthorizedFileHandler, self).options()
|
