DCOS Strict security support (#6)

* Added DCOS login support for EE Strict mode

Author: gisjedi

.dockerignore

@@ -0,0 +1,6 @@
+*.pyc
+.env
+build
+
+.idea
+Dockerfile

.gitignore

@@ -90,3 +90,6 @@ ENV/
 
 # Rope project settings
 .ropeproject
+
+# Pycharm project settings
+.idea

Dockerfile-test-framework

@@ -0,0 +1,14 @@
+FROM python:2
+
+COPY requirements.txt /tmp
+RUN pip install -r /tmp/requirements.txt --no-cache 
+
+COPY . /tmp
+
+RUN cp /tmp/sample/test.py /test.py \
+	&& cd /tmp \
+	&& python setup.py install
+	
+ENV MESOS_URLS zk://leader.mesos:2181/mesos
+
+CMD ["python", "/test.py"]

README.md

@@ -15,6 +15,44 @@ See sample/test.py for example.
 
 Callbacks will "block" the mesos message treatment, so they should be short, or messages should be forwarded to a queue in an other thread/process where longer tasks will handle messages.
 
+# DCOS EE Strict
+
+Additions have been made to support login with ACS to allow access through to the master
+in a Strict security posture. The `sample/test.py` script is configured to accept the `SERVICE_SECRET` environment variable, which can be created and passed to the 
+service using the script given below:
+
+```
+dcos security org service-accounts keypair service-account-private.pem service-account-public.pem
+dcos security org service-accounts create -p service-account-public.pem -d "Service account for Scale data processing framework" service-account
+dcos security secrets create-sa-secret --strict service-account-private.pem service-account service-account-secret
+
+# Test with SUPERUSER perms on user
+dcos security org users grant service-account dcos:superuser full
+
+# Build image to test - update name in 2 commands below and marathon.json to your personal Docker Hub account name
+docker build -t gisjedi/python-mesos-http -f Dockerfile-test-framework .
+docker push gisjedi/python-mesos-http
+
+# Deploy app consuming image to marathon
+dcos marathon app add sample/marathon.json
+
+# Once success has been confirmed, more granular permissions should be applied
+dcos security org users revoke service-account dcos:superuser full
+dcos security org users grant service-account dcos:mesos:agent:task create
+dcos security org users grant service-account dcos:mesos:agent:task:app_id create
+dcos security org users grant service-account dcos:mesos:agent:task:user:nobody create
+dcos security org users grant service-account dcos:mesos:master:framework create
+dcos security org users grant service-account dcos:mesos:master:reservation create
+dcos security org users grant service-account dcos:mesos:master:reservation delete
+dcos security org users grant service-account dcos:mesos:master:reservation:principal:service_account delete
+dcos security org users grant service-account dcos:mesos:master:task create
+dcos security org users grant service-account dcos:mesos:master:task:app_id create
+dcos security org users grant service-account dcos:mesos:master:task:user:nobody create
+dcos security org users grant service-account dcos:mesos:master:volume create
+dcos security org users grant service-account dcos:mesos:master:volume delete
+dcos security org users grant service-account dcos:mesos:master:volume:principal:service_account delete
+```
+
 # About
 
 This library does not implement all options of mesos.proto and manages schedulers only (not executors). Implemented features should be enough to implement a scheduler, if something is missing, please ask, or contribute ;-)

mesoshttp/acs.py

@@ -0,0 +1,82 @@
+from time import time
+from datetime import timedelta
+
+import jwt
+import requests
+from requests.auth import AuthBase
+
+from mesoshttp.exception import ACSException
+
+
+class DCOSServiceAuth(AuthBase):
+    """Attaches a token to Request object that will allow requests to be made through DCOS Admin Router."""
+
+    def __init__(self, secret, verify=False):
+        """Take a DCOS service account secret and breaks out components needed for login flow
+
+        :param secret: dict that must include uid, private_key, scheme and login_endpoint keys
+        :param verify: `False` or path to a PEM encoded trust bundle
+        :return: :class:`DCOSServiceAuth`
+        """
+
+        # Service account
+        self._user = secret['uid']
+        self._key = secret['private_key']
+        self._scheme = secret['scheme']
+        self._acs_endpoint = secret['login_endpoint']
+        self._verify = verify
+
+        self._expiration = time()
+        self._token = None
+
+    @property
+    def principal(self):
+        """Get the service account user value which will match the principal value that must be set in Mesos
+
+        :return: service account user name
+        """
+        return self._user
+
+    @property
+    def token(self):
+        """Get the authentication token for making API calls through DCOS AdminRouter
+
+        :return: token used for authentication
+        """
+
+        if time() > self._expiration or self._token is None:
+            self._acs_login()
+
+        return self._token
+
+    def _generate_token(self, uid, private_key, scheme='RS256', expiry_seconds=180):
+        """Generate a JWT for ACS login
+
+        Updates the instance variable to track expiration
+
+        :param private_key: Service accounts PEM encoded private key
+        :param scheme: algorithm used to encode JWT
+        :param expiry_seconds: how many seconds authentication token will be good for
+        :return: login token
+        """
+        expire_time = time() + float(timedelta(seconds=expiry_seconds).seconds)
+        token = jwt.encode({'exp': expire_time, 'uid': uid}, private_key, algorithm=scheme)
+        self._expiration = expire_time
+        return token
+
+    def _acs_login(self):
+        """Login to ACS and set an authentication token on the instance
+        """
+
+        payload = {'uid': self._user, 'token': self._generate_token(self._user, self._key, self._scheme)}
+        response = requests.post(self._acs_endpoint, json=payload, verify=self._verify)
+
+        if response.status_code != 200:
+            raise ACSException('Unable to authenticate against DCOS ACS: {} {}'.format(response.status_code,
+                                                                                       response.text))
+        self._token = response.json()['token']
+
+    def __call__(self, r):
+        r.headers['Authorization'] = 'token={}'.format(self.token)
+        return r
+