security Package

security Package

authentication_filter Module

Authentication API Provider filter

class vmware.vapi.security.authentication_filter.AuthenticationFilter(next_provider=None)[source]

Bases: vmware.vapi.provider.filter.ApiProviderFilter

AuthenticationFilter in API Provider chain enforces the authentication schemes specified in the authentication metadata file

Initialize AuthenticationFilter

Parameters:next_provider (vmware.vapi.core.ApiProvider or None) – API Provider to invoke the requests
invoke(service_id, operation_id, input_value, ctx)[source]

Invoke an API request

Parameters:
Return type:

vmware.vapi.core.MethodResult

Returns:

Result of the method invocation

vmware.vapi.security.authentication_filter.get_provider()[source]

Returns the singleton AuthenticationFilter instance

Return type:vmware.vapi.security.authentication_filter.AuthenticationFilter
Returns:AuthenticationFilter instance
vmware.vapi.security.authentication_filter.load_authn_cfg()[source]

Load the authn config

Return type:dict
Returns:Authentication handlers list

authentication_handler Module

Authentication Handler interface

class vmware.vapi.security.authentication_handler.AuthenticationHandler[source]

Bases: object

The AuthenticationHandler interface is used to verify the authentication data provided in the security context against an identity source.

authenticate(ctx)[source]

Verifies the provided authentication data against the relevant identity source.

Parameters:ctx (vmware.vapi.core.SecurityContext) – Security context for the method
Return type:vmware.vapi.security.user_identity.UserIdentity
Returns:Authentication Identity for successful authentication, False for failed authentication and None for invalid handler.
get_supported_scheme()[source]

Get the scheme supported by this handler

authorization_filter Module

Authorization API Provider filter

class vmware.vapi.security.authorization_filter.AuthorizationFilter(next_provider=None)[source]

Bases: vmware.vapi.provider.filter.ApiProviderFilter

AuthorizationFilter in API Provider chain enforces the authorization schemes specified in the authorization metadata file

Initialize AuthorizationFilter

invoke(service_id, operation_id, input_value, ctx)[source]

Invoke an API request

Parameters:
Return type:

vmware.vapi.core.MethodResult

Returns:

Result of the method invocation

vmware.vapi.security.authorization_filter.get_provider()[source]

Returns the singleton AuthorizationFilter instance

Return type:vmware.vapi.security.authorization_filter.AuthorizationFilter
Returns:AuthorizationFilter instance
vmware.vapi.security.authorization_filter.load_metadata()[source]

Load the metadata from the json file

Return type:dict
Returns:Authorization metadata

authorization_handler Module

Authorization Handler interface

class vmware.vapi.security.authorization_handler.AuthorizationHandler[source]

Bases: object

The AuthorizationHandler interface is used to verify the authentication data provided in the security context against an identity source.

authorize(service_id, operation_id, ctx)[source]

Verifies the provided authentication data against the relevant identity source.

Parameters:ctx (vmware.vapi.core.SecurityContext) – Security context for the method
Return type:bool
Returns:True if authorization was successful

chain Module

AuthenticationChain processor

class vmware.vapi.security.chain.AuthenticationChain[source]

Bases: object

Implementations of this interface are used to chain authentication when there is intermediary between the client and the server i.e. an aggregator node.

next_context(ctx)[source]

Returns the next security context based on the current context

Parameters:ctx (vmware.vapi.core.SecurityContext) – Current security context
Return type:vmware.vapi.core.SecurityContext
Returns:Next security context

lib Module

AuthenticationChain processor lib

vmware.vapi.security.lib.next_security_context(ctx)[source]

Returns the next security context based on the current context

Parameters:ctx (vmware.vapi.core.SecurityContext) – Current security context
Return type:vmware.vapi.core.SecurityContext
Returns:Next security context

oauth Module

rest Module

Security context parser interface for REST presentation layer

class vmware.vapi.security.rest.SecurityContextParser[source]

Bases: object

Base class for all security context builders

build(request)[source]

Build the security context based on the authentication information in the request.

Parameters:request (werkzeug.wrappers.Request) – Request object
Return type:vmware.vapi.core.SecurityContext
Returns:Security context object

session Module

Session Security Helper

class vmware.vapi.security.session.SessionSecurityContextParser[source]

Bases: vmware.vapi.security.rest.SecurityContextParser

Security context parser used by the REST presentation layer that builds a security context if the REST request has session identifier either in the header or in the cookie.

Initialize SessionSecurityContextParser

build(request)[source]

Build the security context if the request has the header that contains the session identifier or a cookie that has the session identifier.

The method will first check for session identifier in the cookie, if it is not present, then it will check in the HTTP headers. The session security context is created based on the first session identifier it finds.

Parameters:request (werkzeug.wrappers.Request) – Request object
Return type:vmware.vapi.core.SecurityContext or None
Returns:Security context object
vmware.vapi.security.session.create_session_security_context(session_id)[source]

Create a security context for Session Id based authentication scheme

Parameters:session_id (str) – Session ID
Return type:vmware.vapi.core.SecurityContext
Returns:Newly created security context

sso Module

SSO Security Helper

class vmware.vapi.security.sso.JSONCanonicalEncoder(skipkeys=False, ensure_ascii=True, check_circular=True, allow_nan=True, sort_keys=False, indent=None, separators=None, encoding='utf-8', default=None)[source]

Bases: json.encoder.JSONEncoder

Custom JSON Encoder class to canonicalize dictionary and list objects

Constructor for JSONEncoder, with sensible defaults.

If skipkeys is False, then it is a TypeError to attempt encoding of keys that are not str, int, long, float or None. If skipkeys is True, such items are simply skipped.

If ensure_ascii is True, the output is guaranteed to be str objects with all incoming unicode characters escaped. If ensure_ascii is false, the output will be unicode object.

If check_circular is True, then lists, dicts, and custom encoded objects will be checked for circular references during encoding to prevent an infinite recursion (which would cause an OverflowError). Otherwise, no such check takes place.

If allow_nan is True, then NaN, Infinity, and -Infinity will be encoded as such. This behavior is not JSON specification compliant, but is consistent with most JavaScript based encoders and decoders. Otherwise, it will be a ValueError to encode such floats.

If sort_keys is True, then the output of dictionaries will be sorted by key; this is useful for regression tests to ensure that JSON serializations can be compared on a day-to-day basis.

If indent is a non-negative integer, then JSON array elements and object members will be pretty-printed with that indent level. An indent level of 0 will only insert newlines. None is the most compact representation.

If specified, separators should be a (item_separator, key_separator) tuple. The default is (‘, ‘, ‘: ‘). To get the most compact JSON representation you should specify (‘,’, ‘:’) to eliminate whitespace.

If specified, default is a function that gets called for objects that can’t otherwise be serialized. It should return a JSON encodable version of the object or raise a TypeError.

If encoding is not None, then all input strings will be transformed into unicode using that encoding prior to JSON-encoding. The default is UTF-8.

encode(o)[source]

Encode a given python object

Parameters:o (object) – Python object
Return type:str
Returns:JSON string in canonicalized form
class vmware.vapi.security.sso.JSONCanonicalizer[source]

Bases: object

This class is responsible for transforming JSON messages into their canonical representation.

The canonical form is defined by the following rules:
  1. Non-significant(1) whitespace characters MUST NOT be used
  2. Non-significant(1) line endings MUST NOT be used
  3. Entries (set of name/value pairs) in JSON objects MUST be sorted lexicographically(2) by their names based on UCS codepoint values
  4. Arrays MUST preserve their initial ordering

Link to the IEFT proposal: https://datatracker.ietf.org/doc/draft-staykov-hu-json-canonical-form/

static canonicalize(input_message)[source]

Canonicalize the input message

Parameters:input_message (str) – Input message
Return type:str
Returns:Canonicalized message
static canonicalize_py_obj(py_obj)[source]

Canonicalize the input python object

Parameters:input_message (object) – Input python object
Return type:str
Returns:Canonicalized message
class vmware.vapi.security.sso.JSONSSOSigner[source]

Bases: vmware.vapi.protocol.common.lib.RequestProcessor

This class is used for signing JSON request messages

process(input_message)[source]

Sign the input JSON request message.

The message is signed using user’s private key. The digest and saml token is then added to the security context block of the execution context. A timestamp is also added to guard against replay attacks

Sample input security context: {

‘schemeId’: ‘SAML_TOKEN’, ‘privateKey’: <PRIVATE_KEY>, ‘samlToken’: <SAML_TOKEN>, ‘signatureAlgorithm’: <ALGORITHM>,

}

Security context block before signing: {

‘schemeId’: ‘SAML_TOKEN’, ‘signatureAlgorithm’: <ALGORITHM>, ‘timestamp’: {

‘created’: ‘2012-10-26T12:24:18.941Z’, ‘expires’: ‘2012-10-26T12:44:18.941Z’,

}

}

Security context block after signing: {

‘schemeId’: ‘SAML_TOKEN’, ‘signatureAlgorithm’: <ALGORITHM>, ‘signature’: {

‘samlToken’: <SAML_TOKEN>, ‘value’: <DIGEST>

} ‘timestamp’: {

‘created’: ‘2012-10-26T12:24:18.941Z’, ‘expires’: ‘2012-10-26T12:44:18.941Z’,

}

}

class vmware.vapi.security.sso.JSONSSOVerifier[source]

Bases: vmware.vapi.protocol.common.lib.RequestProcessor

This class is used to verify the authenticity of the request message by verifying the digest present in the security context block.

process(input_message)[source]

Verify the input JSON message.

For verification, we need 4 things:

  1. algorithm: extracted from security context

2. certificate: public key of the principal embedded in the SAML token is used 3. digest: value field from signature block 4. canonical msg: signature block is removed from the request and the remaining part is canonicalized

Sample input security context: {

‘schemeId’: ‘SAML_TOKEN’, ‘signatureAlgorithm’: <ALGORITHM>, ‘signature’: {

‘samlToken’: <SAML_TOKEN>, ‘value’: <DIGEST>

} ‘timestamp’: {

‘created’: ‘2012-10-26T12:24:18.941Z’, ‘expires’: ‘2012-10-26T12:44:18.941Z’,

}

}

Parameters:input_message (str) – Input JSON request message
Return type:str
Returns:JSON request message after signature verification
vmware.vapi.security.sso.create_saml_bearer_security_context(token)[source]

Create a security context for SAML bearer token based authentication scheme

Parameters:token (str) – SAML Token
vmware.vapi.security.sso.create_saml_security_context(token, private_key)[source]

Create a security context for SAML token based authentication scheme

Parameters:
  • token (str) – SAML Token
  • private_key (str) – Absolute file path of the private key of the user
Return type:

vmware.vapi.core.SecurityContext

Returns:

Newly created security context

vmware.vapi.security.sso.setup_saml_token_processors()[source]

If SAML token based authentication scheme is used, this operation should be invoked by the client to setup the request processors that does the request signing using the token.

user_identity Module

User Identity class

class vmware.vapi.security.user_identity.UserIdentity(username, domain=None)[source]

Bases: object

User Identity class represents result for Authentication Handler authenticate method.

Initialize User Identity

get_domain()[source]

Return domain name

Return type:str
Returns:Domain name
get_username()[source]

Return user name

Return type:str
Returns:Username

user_password Module

User password Security Helper

class vmware.vapi.security.user_password.UserPasswordSecurityContextParser[source]

Bases: vmware.vapi.security.rest.SecurityContextParser

Security context parser used by the REST presentation layer that builds a security context if the REST request has username/password credentials in the HTTP header.

Initialize UserPasswordSecurityContextParser

build(request)[source]

Build the security context if the request has authorization header that contains base64 encoded string of username/password.

If the request authorization header doesn’t have the username/password, this method returns None.

Parameters:request (werkzeug.wrappers.Request) – Request object
Return type:vmware.vapi.core.SecurityContext or None
Returns:Security context object
vmware.vapi.security.user_password.create_user_password_security_context(user_name, password)[source]

Create a security context for Username-Password based authentication scheme

Parameters:
  • user_name (str) – Name of the user
  • password (str) – Password of the user
Return type:

vmware.vapi.core.SecurityContext

Returns:

Newly created security context

Subpackages