mailinabox/management/auth.py

import base64, os, os.path

from flask import make_response

import utils
from mailconfig import get_mail_user_privileges

DEFAULT_KEY_PATH   = '/var/lib/mailinabox/api.key'
DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'

class KeyAuthService:
	"""Generate an API key for authenticating clients

	Clients must read the key from the key file and send the key with all HTTP
	requests. The key is passed as the username field in the standard HTTP
	Basic Auth header.
	"""
	def __init__(self):
		self.auth_realm = DEFAULT_AUTH_REALM
		self.key = self._generate_key()
		self.key_path = DEFAULT_KEY_PATH

	def write_key(self):
		"""Write key to file so authorized clients can get the key

		The key file is created with mode 0640 so that additional users can be
		authorized to access the API by granting group/ACL read permissions on
		the key file.
		"""
		def create_file_with_mode(path, mode):
			# Based on answer by A-B-B: http://stackoverflow.com/a/15015748
			old_umask = os.umask(0)
			try:
				return os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, mode), 'w')
			finally:
				os.umask(old_umask)

		os.makedirs(os.path.dirname(self.key_path), exist_ok=True)

		with create_file_with_mode(self.key_path, 0o640) as key_file:
			key_file.write(self.key + '\n')

	def is_authenticated(self, request, env):
		"""Test if the client key passed in HTTP Authorization header matches the service key
		or if the or username/password passed in the header matches an administrator user.
		Returns 'OK' if the key is good or the user is an administrator, otherwise an error message."""

		def decode(s):
			return base64.b64decode(s.encode('ascii')).decode('ascii')

		def parse_basic_auth(header):
			if " " not in header:
				return None, None
			scheme, credentials = header.split(maxsplit=1)
			if scheme != 'Basic':
				return None, None

			credentials = decode(credentials)
			if ":" not in credentials:
				return None, None
			username, password = credentials.split(':', maxsplit=1)
			return username, password

		header = request.headers.get('Authorization')
		if not header:
			return "No authorization header provided."

		username, password = parse_basic_auth(header)

		if username in (None, ""):
			return "Authorization header invalid."
		elif username == self.key:
			return "OK"
		else:
			return self.check_imap_login( username, password, env)

	def check_imap_login(self, email, pw, env):
		# Validate a user's credentials.

		# Sanity check.
		if email == "" or pw == "":
			return "Enter an email address and password."

		# Authenticate.
		try:
			# Use doveadm to check credentials. doveadm will return
			# a non-zero exit status if the credentials are no good,
			# and check_call will raise an exception in that case.
			utils.shell('check_call', [
				"/usr/bin/doveadm",
				"auth", "test",
				email, pw
				])
		except:
			# Login failed.
			return "Invalid email address or password."

		# Authorize.
		# (This call should never fail on a valid user.)
		privs = get_mail_user_privileges(email, env)
		if isinstance(privs, tuple): raise Exception("Error getting privileges.")
		if "admin" not in privs:
			return "You are not an administrator for this system."

		return "OK"

	def _generate_key(self):
		raw_key = os.urandom(32)
		return base64.b64encode(raw_key).decode('ascii')
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00			`import base64, os, os.path`

			`from flask import make_response`

web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`import utils`
			`from mailconfig import get_mail_user_privileges`

Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00			`DEFAULT_KEY_PATH = '/var/lib/mailinabox/api.key'`
			`DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'`

			`class KeyAuthService:`
			`"""Generate an API key for authenticating clients`

			`Clients must read the key from the key file and send the key with all HTTP`
			`requests. The key is passed as the username field in the standard HTTP`
			`Basic Auth header.`
			`"""`
Cleanup: remove env dependency 2014-06-22 12:55:19 +00:00			`def __init__(self):`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00			`self.auth_realm = DEFAULT_AUTH_REALM`
			`self.key = self._generate_key()`
Remove API_KEY_FILE setting 2014-06-22 12:45:29 +00:00			`self.key_path = DEFAULT_KEY_PATH`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00
			`def write_key(self):`
			`"""Write key to file so authorized clients can get the key`

			`The key file is created with mode 0640 so that additional users can be`
			`authorized to access the API by granting group/ACL read permissions on`
			`the key file.`
			`"""`
			`def create_file_with_mode(path, mode):`
			`# Based on answer by A-B-B: http://stackoverflow.com/a/15015748`
			`old_umask = os.umask(0)`
			`try:`
			`return os.fdopen(os.open(path, os.O_WRONLY \| os.O_CREAT, mode), 'w')`
			`finally:`
			`os.umask(old_umask)`

			`os.makedirs(os.path.dirname(self.key_path), exist_ok=True)`

			`with create_file_with_mode(self.key_path, 0o640) as key_file:`
			`key_file.write(self.key + '\n')`

web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`def is_authenticated(self, request, env):`
			`"""Test if the client key passed in HTTP Authorization header matches the service key`
			`or if the or username/password passed in the header matches an administrator user.`
			`Returns 'OK' if the key is good or the user is an administrator, otherwise an error message."""`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00
			`def decode(s):`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`return base64.b64decode(s.encode('ascii')).decode('ascii')`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`def parse_basic_auth(header):`
management: dont raise an exception on a poorly formatted authentication header 2014-08-08 19:36:00 +00:00			`if " " not in header:`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`return None, None`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00			`scheme, credentials = header.split(maxsplit=1)`
			`if scheme != 'Basic':`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`return None, None`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00
management: dont raise an exception on a poorly formatted authentication header 2014-08-08 19:36:00 +00:00			`credentials = decode(credentials)`
			`if ":" not in credentials:`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`return None, None`
management: dont raise an exception on a poorly formatted authentication header 2014-08-08 19:36:00 +00:00			`username, password = credentials.split(':', maxsplit=1)`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`return username, password`

			`header = request.headers.get('Authorization')`
			`if not header:`
			`return "No authorization header provided."`

			`username, password = parse_basic_auth(header)`

			`if username in (None, ""):`
			`return "Authorization header invalid."`
			`elif username == self.key:`
			`return "OK"`
			`else:`
			`return self.check_imap_login( username, password, env)`

			`def check_imap_login(self, email, pw, env):`
			`# Validate a user's credentials.`

			`# Sanity check.`
			`if email == "" or pw == "":`
			`return "Enter an email address and password."`

			`# Authenticate.`
			`try:`
			`# Use doveadm to check credentials. doveadm will return`
			`# a non-zero exit status if the credentials are no good,`
			`# and check_call will raise an exception in that case.`
			`utils.shell('check_call', [`
			`"/usr/bin/doveadm",`
			`"auth", "test",`
			`email, pw`
			`])`
			`except:`
			`# Login failed.`
			`return "Invalid email address or password."`

			`# Authorize.`
			`# (This call should never fail on a valid user.)`
			`privs = get_mail_user_privileges(email, env)`
			`if isinstance(privs, tuple): raise Exception("Error getting privileges.")`
			`if "admin" not in privs:`
			`return "You are not an administrator for this system."`

			`return "OK"`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00
			`def _generate_key(self):`
			`raw_key = os.urandom(32)`
			`return base64.b64encode(raw_key).decode('ascii')`