-
Notifications
You must be signed in to change notification settings - Fork 900
/
Copy pathauthentication_mixin.rb
368 lines (302 loc) · 11.8 KB
/
authentication_mixin.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
module AuthenticationMixin
extend ActiveSupport::Concern
included do
has_many :authentications, :as => :resource, :dependent => :destroy, :autosave => true
virtual_column :authentication_status, :type => :string
def self.authentication_check_schedule
zone = MiqServer.my_server.zone
assoc = name.tableize
assocs = zone.respond_to?(assoc) ? zone.send(assoc) : []
assocs.each { |a| a.authentication_check_types_queue(:attempt => 1) }
end
end
def supported_auth_attributes
%w(userid password)
end
def default_authentication_type
:default
end
def authentication_userid_passwords
authentications.select { |a| a.kind_of?(AuthUseridPassword) }
end
def authentication_tokens
authentications.select { |a| a.kind_of?(AuthToken) }
end
def authentication_key_pairs
authentications.select { |a| a.kind_of?(ManageIQ::Providers::Openstack::InfraManager::AuthKeyPair) }
end
def authentication_for_providers
authentications.where.not(:authtype => nil)
end
def authentication_for_summary
summary = []
authentication_for_providers.each do |a|
summary << {
:authtype => a.authtype,
:status => a.status,
:status_details => a.status_details
}
end
summary
end
def has_authentication_type?(type)
authentication_types.include?(type)
end
def authentication_userid(type = nil)
authentication_component(type, :userid)
end
def authentication_password(type = nil)
authentication_component(type, :password)
end
def authentication_key(type = nil)
authentication_component(type, :auth_key)
end
def authentication_token(type = nil)
authentication_component(type, :auth_key)
end
def authentication_password_encrypted(type = nil)
authentication_component(type, :password_encrypted)
end
def authentication_service_account(type = nil)
authentication_component(type, :service_account)
end
def required_credential_fields(_type)
[:userid]
end
def has_credentials?(type = nil)
required_credential_fields(type).all? { |field| authentication_component(type, field) }
end
def missing_credentials?(type = nil)
!has_credentials?(type)
end
def authentication_status
ordered_auths = authentication_for_providers.sort_by(&:status_severity)
ordered_auths.last.try(:status) || "None"
end
def authentication_status_ok?(type = nil)
authentication_best_fit(type).try(:status) == "Valid"
end
def auth_user_pwd(type = nil)
cred = authentication_best_fit(type)
return nil if cred.nil? || cred.userid.blank?
[cred.userid, cred.password]
end
def auth_user_token(type = nil)
cred = authentication_best_fit(type)
return nil if cred.nil? || cred.userid.blank?
[cred.userid, cred.auth_key]
end
def auth_user_keypair(type = nil)
cred = authentication_best_fit(type)
return nil if cred.nil? || cred.userid.blank?
[cred.userid, cred.auth_key]
end
def update_authentication(data, options = {})
return if data.blank?
options.reverse_merge!(:save => true)
@orig_credentials ||= auth_user_pwd || "none"
# Invoke before callback
before_update_authentication if self.respond_to?(:before_update_authentication) && options[:save]
data.each_pair do |type, value|
cred = authentication_type(type)
current = {:new => nil, :old => nil}
unless value.key?(:userid) && value[:userid].blank?
current[:new] = {:user => value[:userid], :password => value[:password], :auth_key => value[:auth_key]}
end
current[:old] = {:user => cred.userid, :password => cred.password, :auth_key => cred.auth_key} if cred
# Raise an error if required fields are blank
Array(options[:required]).each { |field| raise(ArgumentError, "#{field} is required") if value[field].blank? }
# If old and new are the same then there is nothing to do
next if current[:old] == current[:new]
# Check if it is a delete
if value.key?(:userid) && value[:userid].blank?
current[:new] = nil
next if options[:save] == false
authentication_delete(type)
next
end
# Update or create
if cred.nil?
if self.kind_of?(ManageIQ::Providers::Openstack::InfraManager) && value[:auth_key]
# TODO(lsmola) investigate why build throws an exception, that it needs to be subclass of AuthUseridPassword
cred = ManageIQ::Providers::Openstack::InfraManager::AuthKeyPair.new(:name => "#{self.class.name} #{name}", :authtype => type.to_s,
:resource_id => id, :resource_type => "ExtManagementSystem")
authentications << cred
elsif value[:auth_key]
cred = AuthToken.new(:name => "#{self.class.name} #{name}", :authtype => type.to_s,
:resource_id => id, :resource_type => "ExtManagementSystem")
authentications << cred
else
cred = authentications.build(:name => "#{self.class.name} #{name}", :authtype => type.to_s,
:type => "AuthUseridPassword")
end
end
cred.userid = value[:userid]
cred.password = value[:password]
cred.auth_key = value[:auth_key]
cred.save if options[:save] && id
end
# Invoke callback
after_update_authentication if self.respond_to?(:after_update_authentication) && options[:save]
@orig_credentials = nil if options[:save]
end
def credentials_changed?
@orig_credentials ||= auth_user_pwd || "none"
new_credentials = auth_user_pwd || "none"
@orig_credentials != new_credentials
end
def authentication_type(type)
return nil if type.nil?
available_authentications.detect do |a|
a.authentication_type.to_s == type.to_s
end
end
def authentication_check_retry_deliver_on(attempt)
# Existing callers who pass no attempt will have no delay.
case attempt
when nil, 0
nil
else
Time.now.utc + exponential_delay(attempt - 1).minutes
end
end
def exponential_delay(attempt)
2**attempt
end
MAX_ATTEMPTS = 6
# The default for the schedule is every 1.hour now.
# 6 will gives us:
# A failure now and retries in 2, 4, 8, and 16 minutes, for a total of 30 minutes.
# We'll wait another 30 minutes, minus the time it takes to queue and perform the checks
# before the schedule fires again.
def authentication_check_types_queue(*args)
method_options = args.extract_options!
types = args.first
if method_options.fetch(:attempt, 0) < MAX_ATTEMPTS
force = method_options.delete(:force) { false }
message_attributes = authentication_check_attributes(types, method_options)
put_authentication_check(message_attributes, force)
end
end
def authentication_check_attributes(types, method_options)
role = authentication_check_role if self.respond_to?(:authentication_check_role)
zone = my_zone if self.respond_to?(:my_zone)
# FIXME: Via schedule, a message is created with args = [], so all authentications will be checked,
# while an authentication change will create a message with args [:default] or whatever
# authentication is changed, so you can end up with two messages for the same ci
options = {
:class_name => self.class.base_class.name,
:instance_id => id,
:method_name => 'authentication_check_types',
:args => [types.to_miq_a, method_options],
:deliver_on => authentication_check_retry_deliver_on(method_options[:attempt])
}
options[:role] = role if role
options[:zone] = zone if zone
options
end
def put_authentication_check(options, force)
if force
MiqQueue.put(options)
else
MiqQueue.create_with(options.slice(:args, :deliver_on)).put_unless_exists(options.except(:args, :deliver_on)) do |msg|
# TODO: Refactor the help in this and the ScheduleWorker#queue_work method into the merge method
help = "Check for a running server"
help << " in zone: [#{options[:zone]}]" if options[:zone]
help << " with role: [#{options[:role]}]" if options[:role]
_log.warn("Previous authentication_check_types for [#{name}] [#{id}] with opts: [#{options[:args].inspect}] is still running, skipping...#{help}") unless msg.nil?
nil
end
end
end
def authentication_check_types(*args)
options = args.extract_options!
# Let the individual classes determine what authentication(s) need to be checked
types = authentications_to_validate if respond_to?(:authentications_to_validate)
types = args.first if types.blank?
types = [nil] if types.blank?
Array(types).each do |t|
success = authentication_check(t, options.except(:attempt)).first
retry_scheduled_authentication_check(t, options) unless success
end
end
def retry_scheduled_authentication_check(auth_type, options)
return unless options[:attempt]
auth = authentication_best_fit(auth_type)
if auth.try(:retryable_status?)
options[:attempt] += 1
# Force the authentication message to be queued
authentication_check_types_queue(auth_type, options.merge(:force => true))
end
end
# Returns [boolean check_result, string details]
# check_result is true if and only if:
# * the system is reachable
# * AND we have the required authentication information
# * AND we successfully connected using the authentication
#
# details is a UI friendly message
#
# By default, the authentication's status is updated by the
# validation_successful or validation_failed callbacks.
#
# An optional :save => false can be passed to bypass these callbacks.
#
# TODO: :valid, :incomplete, and friends shouldn't be littered in here and authentication
def authentication_check(*args)
options = args.last.kind_of?(Hash) ? args.last : {}
save = options.fetch(:save, true)
auth = authentication_best_fit(args.first)
type = args.first || auth.try(:authtype)
status, details = authentication_check_no_validation(type, options)
if auth && save
status == :valid ? auth.validation_successful : auth.validation_failed(status, details)
end
return status == :valid, details
end
def default_authentication
authentication_type(default_authentication_type)
end
private
def authentication_check_no_validation(type, options)
header = "type: [#{type.inspect}] for [#{id}] [#{name}]"
status, details =
if self.missing_credentials?(type)
[:incomplete, "Missing credentials"]
else
begin
verify_credentials(type, options) ? [:valid, ""] : [:invalid, "Unknown reason"]
rescue MiqException::MiqUnreachableError => err
[:unreachable, err]
rescue MiqException::MiqInvalidCredentialsError, MiqException::MiqEVMLoginError => err
[:invalid, err]
rescue => err
[:error, err]
end
end
details &&= details.to_s.truncate(200)
_log.warn("#{header} Validation failed: #{status}, #{details}") unless status == :valid
return status, details
end
def authentication_best_fit(type = nil)
# Look for the supplied type and if that is not found return the default credentials
authentication_type(type) || authentication_type(default_authentication_type)
end
def authentication_component(type, method)
cred = authentication_best_fit(type)
return nil if cred.nil?
value = cred.public_send(method)
value.blank? ? nil : value
end
def available_authentications
authentication_userid_passwords + authentication_key_pairs + authentication_tokens
end
def authentication_types
available_authentications.collect(&:authentication_type).uniq
end
def authentication_delete(type)
a = authentication_type(type)
authentications.destroy(a) unless a.nil?
a
end
end