Fair warning: This post documents a recent work project — it contains neither lush landscape photos nor close-ups of underwater creatures.<\/p>\n
—<\/p>\n
For a couple of years now the Wikimedia Labs<\/a> team has had ambitions to deprecate our homemade OpenStack web interface in favor of the official OpenStack user interface, Horizon<\/a>. There are dozens of issues to overcome in this transition, but one of the biggest is security: We require two-factor authentication to access all potentially-destructive web interfaces in Labs; Horizon (and, until recently, Keystone) had no support for anything beyond simple username\/password logins.<\/p>\n A stock install of Horizon has been publicly available and attached to the backend Labs services for quite a while, but most features were intentionally disabled. Many, many volunteers have rights to manipulate VMs in labs, and I can’t run the risk of of a random stranger logging in with the password ‘password’ and deleting a dozen instances.<\/p>\n Our second factor is standard totp token, enforced on our current UI by the OATHAuth mediawiki extension<\/a>. Since the migration to Horizon could take a year or more, I want users to be able to use the same credentials on both systems. That means we needed a Keystone plugin that used the same keys that are currently used on our existing system. At my request, security engineer Chris Steipp<\/a> set up a devstack instance and quickly rattled off a Keystone plugin that works in OpenStack Kilo and Liberty and can authenticate against our existing keys. Here’s the good bit:<\/p>\n method = METHOD_NAME<\/p>\n def authenticate(self, context, auth_payload, auth_context): try: # Password auth succeeded, check two-factor if secret: auth_context['user_id'] = user_info.user_id Rather than build a new Keystone package with the plugin included, I just wrote a puppet patch<\/a> to drop it into a strategic location. That turns out to be easy because Keystone is designed with this kind of extensibility in mind. (Extensibility patterns tend to change with every release, but that’s a rant for another day.)<\/p>\n The current trunk of Keystone includes a plugin called ‘totp.py’ which I haven’t read but which surely duplicates some or all of Chris’s plugin. As we draw nearer to running Newton we’ll investigate whether or not our custom code can be reduced.<\/p>\n Next post: Getting that OTP from the user and handling it in Horizon.<\/p>\n","protected":false},"excerpt":{"rendered":" Fair warning: This post documents a recent work project — it contains neither lush landscape photos nor close-ups of underwater creatures. — For a couple of years now the Wikimedia Labs team has had ambitions to deprecate our homemade OpenStack … Continue reading
\n@dependency.requires('identity_api')
\nclass Wmtotp(auth.AuthMethodHandler):<\/p>\n
\n \"\"\"Try to authenticate against the identity backend.\"\"\"
\n user_info = auth_plugins.UserAuthInfo.create(auth_payload, self.method)<\/p>\n
\n self.identity_api.authenticate(
\n context,
\n user_id=user_info.user_id,
\n password=user_info.password)
\n except AssertionError:
\n # authentication failed because of invalid username or password
\n msg = _('Invalid username or password')
\n raise exception.Unauthorized(msg)<\/p>\n
\n # LOG.debug(\"OATH: Doing 2FA for user_info \" +
\n # ( \"%s(%r)\" % (user_info.__class__, user_info.__dict__) ) )
\n # LOG.debug(\"OATH: Doing 2FA for auth_payload \" +
\n # ( \"%s(%r)\" % (auth_payload.__class__, auth_payload) ) )
\n cnx = mysql.connector.connect(
\n user=CONF.oath.dbuser,
\n password=CONF.oath.dbpass,
\n database=CONF.oath.dbname,
\n host=CONF.oath.dbhost)
\n cur = cnx.cursor(buffered=True)
\n sql = ('SELECT oath.secret as secret from user '
\n 'left join oathauth_users as oath on oath.id = user.user_id '
\n 'where user.user_name = %s LIMIT 1')
\n cur.execute(sql, (user_info.user_ref['name'], ))
\n secret = cur.fetchone()[0]<\/p>\n
\n if 'totp' in auth_payload['user']:
\n (p, d) = oath.accept_totp(
\n base64.b16encode(base64.b32decode(secret)),
\n auth_payload['user']['totp'])
\n if p:
\n LOG.debug(\"OATH: 2FA passed\")
\n else:
\n LOG.debug(\"OATH: 2FA failed\")
\n msg = _('Invalid two-factor token')
\n raise exception.Unauthorized(msg)
\n else:
\n LOG.debug(\"OATH: 2FA failed, missing totp param\")
\n msg = _('Missing two-factor token')
\n raise exception.Unauthorized(msg)
\n else:
\n LOG.debug(\"OATH: user '%s' does not have 2FA enabled.\",
\n user_info.user_ref['name'])<\/p>\n
\n<\/code><\/p>\n