vmware.vapi.security package¶
Subpackages¶
Submodules¶
vmware.vapi.security.session module¶
Session Security Helper
-
class
vmware.vapi.security.session.
SessionSecurityContextParser
¶ Bases:
vmware.vapi.security.rest.SecurityContextParser
Security context parser used by the REST presentation layer that builds a security context if the REST request has session identifier either in the header or in the cookie.
Initialize SessionSecurityContextParser
-
build
(request)¶ Build the security context if the request has the header that contains the session identifier or a cookie that has the session identifier.
The method will first check for session identifier in the cookie, if it is not present, then it will check in the HTTP headers. The session security context is created based on the first session identifier it finds.
- Parameters
request (
werkzeug.wrappers.Request
) – Request object- Return type
vmware.vapi.core.SecurityContext
orNone
- Returns
Security context object
-
-
vmware.vapi.security.session.
create_session_security_context
(session_id)¶ Create a security context for Session Id based authentication scheme
- Parameters
session_id (
str
) – Session ID- Return type
- Returns
Newly created security context
vmware.vapi.security.sso module¶
SSO Security Helper
-
class
vmware.vapi.security.sso.
JSONCanonicalEncoder
(skipkeys=False, ensure_ascii=True, check_circular=True, allow_nan=True, sort_keys=False, indent=None, separators=None, default=None)¶ Bases:
json.encoder.JSONEncoder
Custom JSON Encoder class to canonicalize dictionary and list objects
Constructor for JSONEncoder, with sensible defaults.
If skipkeys is false, then it is a TypeError to attempt encoding of keys that are not str, int, float or None. If skipkeys is True, such items are simply skipped.
If ensure_ascii is true, the output is guaranteed to be str objects with all incoming non-ASCII characters escaped. If ensure_ascii is false, the output can contain non-ASCII characters.
If check_circular is true, then lists, dicts, and custom encoded objects will be checked for circular references during encoding to prevent an infinite recursion (which would cause an OverflowError). Otherwise, no such check takes place.
If allow_nan is true, then NaN, Infinity, and -Infinity will be encoded as such. This behavior is not JSON specification compliant, but is consistent with most JavaScript based encoders and decoders. Otherwise, it will be a ValueError to encode such floats.
If sort_keys is true, then the output of dictionaries will be sorted by key; this is useful for regression tests to ensure that JSON serializations can be compared on a day-to-day basis.
If indent is a non-negative integer, then JSON array elements and object members will be pretty-printed with that indent level. An indent level of 0 will only insert newlines. None is the most compact representation.
If specified, separators should be an (item_separator, key_separator) tuple. The default is (‘, ‘, ‘: ‘) if indent is
None
and (‘,’, ‘: ‘) otherwise. To get the most compact JSON representation, you should specify (‘,’, ‘:’) to eliminate whitespace.If specified, default is a function that gets called for objects that can’t otherwise be serialized. It should return a JSON encodable version of the object or raise a
TypeError
.-
encode
(o)¶ Encode a given python object
- Parameters
o (
object
) – Python object- Return type
str
- Returns
JSON string in canonicalized form
-
-
class
vmware.vapi.security.sso.
JSONCanonicalizer
¶ Bases:
object
This class is responsible for transforming JSON messages into their canonical representation.
- The canonical form is defined by the following rules:
Non-significant(1) whitespace characters MUST NOT be used
Non-significant(1) line endings MUST NOT be used
Entries (set of name/value pairs) in JSON objects MUST be sorted lexicographically(2) by their names based on UCS codepoint values
Arrays MUST preserve their initial ordering
Link to the IEFT proposal: https://datatracker.ietf.org/doc/draft-staykov-hu-json-canonical-form/
-
static
canonicalize
(input_message)¶ Canonicalize the input message
- Parameters
input_message (
str
) – Input message- Return type
str
- Returns
Canonicalized message
-
static
canonicalize_py_obj
(py_obj)¶ Canonicalize the input python object
- Parameters
input_message (
object
) – Input python object- Return type
str
- Returns
Canonicalized message
-
class
vmware.vapi.security.sso.
JSONSSOSigner
¶ Bases:
vmware.vapi.protocol.common.lib.RequestProcessor
This class is used for signing JSON request messages
-
process
(input_message)¶ Sign the input JSON request message.
The message is signed using user’s private key. The digest and saml token is then added to the security context block of the execution context. A timestamp is also added to guard against replay attacks
Sample input security context: {
‘schemeId’: ‘SAML_TOKEN’, ‘privateKey’: <PRIVATE_KEY>, ‘samlToken’: <SAML_TOKEN>, ‘signatureAlgorithm’: <ALGORITHM>,
}
Security context block before signing: {
‘schemeId’: ‘SAML_TOKEN’, ‘signatureAlgorithm’: <ALGORITHM>, ‘timestamp’: {
‘created’: ‘2012-10-26T12:24:18.941Z’, ‘expires’: ‘2012-10-26T12:44:18.941Z’,
}
}
Security context block after signing: {
‘schemeId’: ‘SAML_TOKEN’, ‘signatureAlgorithm’: <ALGORITHM>, ‘signature’: {
‘samlToken’: <SAML_TOKEN>, ‘value’: <DIGEST>
} ‘timestamp’: {
‘created’: ‘2012-10-26T12:24:18.941Z’, ‘expires’: ‘2012-10-26T12:44:18.941Z’,
}
}
-
-
class
vmware.vapi.security.sso.
JSONSSOVerifier
¶ Bases:
vmware.vapi.protocol.common.lib.RequestProcessor
This class is used to verify the authenticity of the request message by verifying the digest present in the security context block.
-
process
(input_message)¶ Verify the input JSON message.
For verification, we need 4 things:
algorithm: extracted from security context
2. certificate: public key of the principal embedded in the SAML token is used 3. digest: value field from signature block 4. canonical msg: signature block is removed from the request and the remaining part is canonicalized
Sample input security context: {
‘schemeId’: ‘SAML_TOKEN’, ‘signatureAlgorithm’: <ALGORITHM>, ‘signature’: {
‘samlToken’: <SAML_TOKEN>, ‘value’: <DIGEST>
} ‘timestamp’: {
‘created’: ‘2012-10-26T12:24:18.941Z’, ‘expires’: ‘2012-10-26T12:44:18.941Z’,
}
}
- Parameters
input_message (
str
) – Input JSON request message- Return type
str
- Returns
JSON request message after signature verification
-
-
vmware.vapi.security.sso.
create_saml_bearer_security_context
(token)¶ Create a security context for SAML bearer token based authentication scheme
- Parameters
token (
str
) – SAML Token
-
vmware.vapi.security.sso.
create_saml_security_context
(token, private_key)¶ Create a security context for SAML token based authentication scheme
- Parameters
token (
str
) – SAML Tokenprivate_key (
str
) – Absolute file path of the private key of the user
- Return type
- Returns
Newly created security context
vmware.vapi.security.user_password module¶
User password Security Helper
-
class
vmware.vapi.security.user_password.
UserPasswordSecurityContextParser
¶ Bases:
vmware.vapi.security.rest.SecurityContextParser
Security context parser used by the REST presentation layer that builds a security context if the REST request has username/password credentials in the HTTP header.
Initialize UserPasswordSecurityContextParser
-
build
(request)¶ Build the security context if the request has authorization header that contains base64 encoded string of username/password.
If the request authorization header doesn’t have the username/password, this method returns None.
- Parameters
request (
werkzeug.wrappers.Request
) – Request object- Return type
vmware.vapi.core.SecurityContext
orNone
- Returns
Security context object
-
-
vmware.vapi.security.user_password.
create_user_password_security_context
(user_name, password)¶ Create a security context for Username-Password based authentication scheme
- Parameters
user_name (
str
) – Name of the userpassword (
str
) – Password of the user
- Return type
- Returns
Newly created security context