mailinabox/management/auth.py

import base64, os, os.path, hmac

from flask import make_response

import utils
from mailconfig import get_mail_password, get_mail_user_privileges

DEFAULT_KEY_PATH   = '/var/lib/mailinabox/api.key'
DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'

class KeyAuthService:
	"""Generate an API key for authenticating clients

	Clients must read the key from the key file and send the key with all HTTP
	requests. The key is passed as the username field in the standard HTTP
	Basic Auth header.
	"""
	def __init__(self):
		self.auth_realm = DEFAULT_AUTH_REALM
		self.key = self._generate_key()
		self.key_path = DEFAULT_KEY_PATH

	def write_key(self):
		"""Write key to file so authorized clients can get the key

		The key file is created with mode 0640 so that additional users can be
		authorized to access the API by granting group/ACL read permissions on
		the key file.
		"""
		def create_file_with_mode(path, mode):
			# Based on answer by A-B-B: http://stackoverflow.com/a/15015748
			old_umask = os.umask(0)
			try:
				return os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, mode), 'w')
			finally:
				os.umask(old_umask)

		os.makedirs(os.path.dirname(self.key_path), exist_ok=True)

		with create_file_with_mode(self.key_path, 0o640) as key_file:
			key_file.write(self.key + '\n')

	def authenticate(self, request, env):
		"""Test if the client key passed in HTTP Authorization header matches the service key
		or if the or username/password passed in the header matches an administrator user.
		Returns a tuple of the user's email address and list of user privileges (e.g.
		('my@email', []) or ('my@email', ['admin']); raises a ValueError on login failure.
		If the user used an API key, the user's email is returned as None."""

		def decode(s):
			return base64.b64decode(s.encode('ascii')).decode('ascii')

		def parse_basic_auth(header):
			if " " not in header:
				return None, None
			scheme, credentials = header.split(maxsplit=1)
			if scheme != 'Basic':
				return None, None

			credentials = decode(credentials)
			if ":" not in credentials:
				return None, None
			username, password = credentials.split(':', maxsplit=1)
			return username, password

		header = request.headers.get('Authorization')
		if not header:
			raise ValueError("No authorization header provided.")

		username, password = parse_basic_auth(header)

		if username in (None, ""):
			raise ValueError("Authorization header invalid.")
		elif username == self.key:
			# The user passed the API key which grants administrative privs.
			return (None, ["admin"])
		else:
			# The user is trying to log in with a username and user-specific
			# API key or password. Raises or returns privs.
			return (username, self.get_user_credentials(username, password, env))

	def get_user_credentials(self, email, pw, env):
		# Validate a user's credentials. On success returns a list of
		# privileges (e.g. [] or ['admin']). On failure raises a ValueError
		# with a login error message. 

		# Sanity check.
		if email == "" or pw == "":
			raise ValueError("Enter an email address and password.")

		# The password might be a user-specific API key. create_user_key raises
		# a ValueError if the user does not exist.
		if hmac.compare_digest(self.create_user_key(email, env), pw):
			# OK.
			pass
		else:
			# Get the hashed password of the user. Raise a ValueError if the
			# email address does not correspond to a user.
			pw_hash = get_mail_password(email, env)

			# Authenticate.
			try:
				# Use 'doveadm pw' to check credentials. doveadm will return
				# a non-zero exit status if the credentials are no good,
				# and check_call will raise an exception in that case.
				utils.shell('check_call', [
					"/usr/bin/doveadm", "pw",
					"-p", pw,
					"-t", pw_hash,
					])
			except:
				# Login failed.
				raise ValueError("Invalid password.")

		# Get privileges for authorization. This call should never fail because by this
		# point we know the email address is a valid user. But on error the call will
		# return a tuple of an error message and an HTTP status code.
		privs = get_mail_user_privileges(email, env)
		if isinstance(privs, tuple): raise ValueError(privs[0])

		# Return a list of privileges.
		return privs

	def create_user_key(self, email, env):
		# Store an HMAC with the client. The hashed message of the HMAC will be the user's
		# email address & hashed password and the key will be the master API key. The user of
		# course has their own email address and password. We assume they do not have the master
		# API key (unless they are trusted anyway). The HMAC proves that they authenticated
		# with us in some other way to get the HMAC. Including the password means that when
		# a user's password is reset, the HMAC changes and they will correctly need to log
		# in to the control panel again. This method raises a ValueError if the user does
		# not exist, due to get_mail_password.
		msg = b"AUTH:" + email.encode("utf8") + b" " + get_mail_password(email, env).encode("utf8")
		return hmac.new(self.key.encode('ascii'), msg, digestmod="sha256").hexdigest()

	def _generate_key(self):
		raw_key = os.urandom(32)
		return base64.b64encode(raw_key).decode('ascii')
/admin login now issues a user-specific key for future calls (rather than providing the system-wide API key or passing the password on each request) 2014-12-01 19:20:46 +00:00			`import base64, os, os.path, hmac`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00
			`from flask import make_response`

web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`import utils`
split management daemon authorization from authentication and use 'doveadm pw' rather than 'doveadm auth test' so that it is decoupled from dovecot's login mechanism This was done to pave the way for two-factor authentication, but that's still a ways off. 2014-11-30 15:43:07 +00:00			`from mailconfig import get_mail_password, get_mail_user_privileges`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00			`DEFAULT_KEY_PATH = '/var/lib/mailinabox/api.key'`
			`DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'`

			`class KeyAuthService:`
			`"""Generate an API key for authenticating clients`

			`Clients must read the key from the key file and send the key with all HTTP`
			`requests. The key is passed as the username field in the standard HTTP`
			`Basic Auth header.`
			`"""`
Cleanup: remove env dependency 2014-06-22 12:55:19 +00:00			`def __init__(self):`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00			`self.auth_realm = DEFAULT_AUTH_REALM`
			`self.key = self._generate_key()`
Remove API_KEY_FILE setting 2014-06-22 12:45:29 +00:00			`self.key_path = DEFAULT_KEY_PATH`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00
			`def write_key(self):`
			`"""Write key to file so authorized clients can get the key`

			`The key file is created with mode 0640 so that additional users can be`
			`authorized to access the API by granting group/ACL read permissions on`
			`the key file.`
			`"""`
			`def create_file_with_mode(path, mode):`
			`# Based on answer by A-B-B: http://stackoverflow.com/a/15015748`
			`old_umask = os.umask(0)`
			`try:`
			`return os.fdopen(os.open(path, os.O_WRONLY \| os.O_CREAT, mode), 'w')`
			`finally:`
			`os.umask(old_umask)`

			`os.makedirs(os.path.dirname(self.key_path), exist_ok=True)`

			`with create_file_with_mode(self.key_path, 0o640) as key_file:`
			`key_file.write(self.key + '\n')`

split management daemon authorization from authentication and use 'doveadm pw' rather than 'doveadm auth test' so that it is decoupled from dovecot's login mechanism This was done to pave the way for two-factor authentication, but that's still a ways off. 2014-11-30 15:43:07 +00:00			`def authenticate(self, request, env):`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`"""Test if the client key passed in HTTP Authorization header matches the service key`
			`or if the or username/password passed in the header matches an administrator user.`
/admin login now issues a user-specific key for future calls (rather than providing the system-wide API key or passing the password on each request) 2014-12-01 19:20:46 +00:00			`Returns a tuple of the user's email address and list of user privileges (e.g.`
			`('my@email', []) or ('my@email', ['admin']); raises a ValueError on login failure.`
			`If the user used an API key, the user's email is returned as None."""`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00
			`def decode(s):`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`return base64.b64decode(s.encode('ascii')).decode('ascii')`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`def parse_basic_auth(header):`
management: dont raise an exception on a poorly formatted authentication header 2014-08-08 19:36:00 +00:00			`if " " not in header:`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`return None, None`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00			`scheme, credentials = header.split(maxsplit=1)`
			`if scheme != 'Basic':`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`return None, None`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00
management: dont raise an exception on a poorly formatted authentication header 2014-08-08 19:36:00 +00:00			`credentials = decode(credentials)`
			`if ":" not in credentials:`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`return None, None`
management: dont raise an exception on a poorly formatted authentication header 2014-08-08 19:36:00 +00:00			`username, password = credentials.split(':', maxsplit=1)`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`return username, password`

			`header = request.headers.get('Authorization')`
			`if not header:`
split management daemon authorization from authentication and use 'doveadm pw' rather than 'doveadm auth test' so that it is decoupled from dovecot's login mechanism This was done to pave the way for two-factor authentication, but that's still a ways off. 2014-11-30 15:43:07 +00:00			`raise ValueError("No authorization header provided.")`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00
			`username, password = parse_basic_auth(header)`

			`if username in (None, ""):`
split management daemon authorization from authentication and use 'doveadm pw' rather than 'doveadm auth test' so that it is decoupled from dovecot's login mechanism This was done to pave the way for two-factor authentication, but that's still a ways off. 2014-11-30 15:43:07 +00:00			`raise ValueError("Authorization header invalid.")`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`elif username == self.key:`
split management daemon authorization from authentication and use 'doveadm pw' rather than 'doveadm auth test' so that it is decoupled from dovecot's login mechanism This was done to pave the way for two-factor authentication, but that's still a ways off. 2014-11-30 15:43:07 +00:00			`# The user passed the API key which grants administrative privs.`
/admin login now issues a user-specific key for future calls (rather than providing the system-wide API key or passing the password on each request) 2014-12-01 19:20:46 +00:00			`return (None, ["admin"])`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`else:`
/admin login now issues a user-specific key for future calls (rather than providing the system-wide API key or passing the password on each request) 2014-12-01 19:20:46 +00:00			`# The user is trying to log in with a username and user-specific`
			`# API key or password. Raises or returns privs.`
			`return (username, self.get_user_credentials(username, password, env))`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00
split management daemon authorization from authentication and use 'doveadm pw' rather than 'doveadm auth test' so that it is decoupled from dovecot's login mechanism This was done to pave the way for two-factor authentication, but that's still a ways off. 2014-11-30 15:43:07 +00:00			`def get_user_credentials(self, email, pw, env):`
			`# Validate a user's credentials. On success returns a list of`
			`# privileges (e.g. [] or ['admin']). On failure raises a ValueError`
			`# with a login error message.`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00
			`# Sanity check.`
			`if email == "" or pw == "":`
split management daemon authorization from authentication and use 'doveadm pw' rather than 'doveadm auth test' so that it is decoupled from dovecot's login mechanism This was done to pave the way for two-factor authentication, but that's still a ways off. 2014-11-30 15:43:07 +00:00			`raise ValueError("Enter an email address and password.")`

the control panel auth hmac message should also include the user's password so that resetting a password in the database forces that user to log in to the control panel again; also use a sha256 hmac 2015-06-06 12:33:31 +00:00			`# The password might be a user-specific API key. create_user_key raises`
			`# a ValueError if the user does not exist.`
			`if hmac.compare_digest(self.create_user_key(email, env), pw):`
/admin login now issues a user-specific key for future calls (rather than providing the system-wide API key or passing the password on each request) 2014-12-01 19:20:46 +00:00			`# OK.`
			`pass`
			`else:`
			`# Get the hashed password of the user. Raise a ValueError if the`
			`# email address does not correspond to a user.`
			`pw_hash = get_mail_password(email, env)`

			`# Authenticate.`
			`try:`
			`# Use 'doveadm pw' to check credentials. doveadm will return`
			`# a non-zero exit status if the credentials are no good,`
			`# and check_call will raise an exception in that case.`
			`utils.shell('check_call', [`
			`"/usr/bin/doveadm", "pw",`
			`"-p", pw,`
			`"-t", pw_hash,`
			`])`
			`except:`
			`# Login failed.`
			`raise ValueError("Invalid password.")`
split management daemon authorization from authentication and use 'doveadm pw' rather than 'doveadm auth test' so that it is decoupled from dovecot's login mechanism This was done to pave the way for two-factor authentication, but that's still a ways off. 2014-11-30 15:43:07 +00:00
the control panel auth hmac message should also include the user's password so that resetting a password in the database forces that user to log in to the control panel again; also use a sha256 hmac 2015-06-06 12:33:31 +00:00			`# Get privileges for authorization. This call should never fail because by this`
			`# point we know the email address is a valid user. But on error the call will`
			`# return a tuple of an error message and an HTTP status code.`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00			`privs = get_mail_user_privileges(email, env)`
if you make an API call with a user-specific API key (e.g. from control panel) but your account no longer exists on the system, there was an unhandled error see 1039a08be6d0b811df18c946c57afb445868b971 2015-04-28 11:05:49 +00:00			`if isinstance(privs, tuple): raise ValueError(privs[0])`
web-based administrative UI closes #19 2014-08-17 22:43:57 +00:00
split management daemon authorization from authentication and use 'doveadm pw' rather than 'doveadm auth test' so that it is decoupled from dovecot's login mechanism This was done to pave the way for two-factor authentication, but that's still a ways off. 2014-11-30 15:43:07 +00:00			`# Return a list of privileges.`
			`return privs`
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00
the control panel auth hmac message should also include the user's password so that resetting a password in the database forces that user to log in to the control panel again; also use a sha256 hmac 2015-06-06 12:33:31 +00:00			`def create_user_key(self, email, env):`
			`# Store an HMAC with the client. The hashed message of the HMAC will be the user's`
			`# email address & hashed password and the key will be the master API key. The user of`
			`# course has their own email address and password. We assume they do not have the master`
			`# API key (unless they are trusted anyway). The HMAC proves that they authenticated`
			`# with us in some other way to get the HMAC. Including the password means that when`
			`# a user's password is reset, the HMAC changes and they will correctly need to log`
			`# in to the control panel again. This method raises a ValueError if the user does`
			`# not exist, due to get_mail_password.`
			`msg = b"AUTH:" + email.encode("utf8") + b" " + get_mail_password(email, env).encode("utf8")`
			`return hmac.new(self.key.encode('ascii'), msg, digestmod="sha256").hexdigest()`
/admin login now issues a user-specific key for future calls (rather than providing the system-wide API key or passing the password on each request) 2014-12-01 19:20:46 +00:00
Add key-based authentication to management service Intended to be the simplest auth possible: every time the service starts, a random key is written to `/var/lib/mailinabox/api.key`. In order to authenticate to the service, the client must pass the contents of `api.key` in an HTTP basic auth header. In this way, users who do not have read access to that file are not able to communicate with the service. 2014-06-21 23:42:48 +00:00			`def _generate_key(self):`
			`raw_key = os.urandom(32)`
			`return base64.b64encode(raw_key).decode('ascii')`