def _authenticate(self, validate, user_id, tenant_id=None):
if tenant_id:
duser = api.USER.get_by_tenant(user_id, tenant_id)
if duser == None:
raise fault.UnauthorizedFault("Unauthorized on this tenant")
else:
duser = api.USER.get(user_id)
if duser == None:
raise fault.UnauthorizedFault("Unauthorized")
if not duser.enabled:
raise fault.UserDisabledFault("Your account has been disabled")
if not validate(duser):
raise fault.UnauthorizedFault("Unauthorized")
# use user's default tenant_id if one is not specified
tenant_id = tenant_id or duser.tenant_id
# check for an existing token
dtoken = api.TOKEN.get_for_user_by_tenant(duser.id, tenant_id)
if not dtoken or dtoken.expires < datetime.now():
# Create new token
dtoken = models.Token()
dtoken.id = str(uuid.uuid4())
dtoken.user_id = duser.id
dtoken.tenant_id = tenant_id
dtoken.expires = datetime.now() + timedelta(days=1)
api.TOKEN.create(dtoken)
return self.__get_auth_data(dtoken)
def authenticate_ec2(self, credentials):
# Check credentials
if not isinstance(credentials, auth.Ec2Credentials):
raise fault.BadRequestFault("Expecting Ec2 Credentials!")
creds = api.CREDENTIALS.get_by_access(credentials.access)
if not creds:
raise fault.UnauthorizedFault("No credentials found for %s" %
credentials.access)
def validate(duser):
signer = Signer(creds.secret)
signature = signer.generate(credentials)
if signature == credentials.signature:
return True
# NOTE(vish): Some libraries don't use the port when signing
# requests, so try again without port.
if ':' in credentials.host:
hostname, _port = credentials.host.split(":")
credentials.host = hostname
signature = signer.generate(credentials)
return signature == credentials.signature
return False
return self._authenticate(validate, creds.user_id, creds.tenant_id)
def __validate_service_or_keystone_admin_token(self, token_id):
(token, user) = self.__validate_token(token_id)
if backends.ADMIN_ROLE_ID is None:
role = api.ROLE.get_by_name(backends.ADMIN_ROLE_NAME)
if role:
backends.ADMIN_ROLE_ID = role.id
else:
LOG.error('Admin role is missing.')
if backends.SERVICE_ADMIN_ROLE_ID is None:
role = api.ROLE.get_by_name(backends.SERVICE_ADMIN_ROLE_NAME)
if role:
backends.SERVICE_ADMIN_ROLE_ID = role.id
else:
LOG.warn('No service admin role is defined.')
for role_ref in api.ROLE.ref_get_all_global_roles(user.id):
if (role_ref.role_id == backends.ADMIN_ROLE_ID or \
role_ref.role_id == backends.SERVICE_ADMIN_ROLE_ID) \
and role_ref.tenant_id is None:
return (token, user)
raise fault.UnauthorizedFault(
"You are not authorized to make this call")
def __validate_tenant_by_name(self, tenant_name):
if not tenant_name:
raise fault.UnauthorizedFault("Missing tenant name")
dtenant = api.TENANT.get_by_name(name=tenant_name)
return self.__validate_tenant(dtenant)
def __validate_tenant_by_id(self, tenant_id):
if not tenant_id:
raise fault.UnauthorizedFault("Missing tenant id")
dtenant = api.TENANT.get(tenant_id)
return self.__validate_tenant(dtenant)
def __validate_tenant(self, dtenant):
if not dtenant:
raise fault.UnauthorizedFault("Tenant not found")
if not dtenant.enabled:
raise fault.TenantDisabledFault("Tenant %s has been disabled!" %
dtenant.id)
return dtenant
def get_token_by(self, req):
try:
cred = utils.get_normalized_request_content(token_by.TokenBy, req)
if cred.by_type == 'email':
return self.get_token_by_email(req, cred.key)
elif cred.by_type == 'eppn':
return self.get_token_by_eppn(req, cred.key)
except KeyError:
raise fault.UnauthorizedFault("bad request email or eppn")
def __validate_token(self, token_id, belongs_to=None, is_check_token=None):
"""
Method to validate a token.
token_id -- value of actual token that need to be validated.
belngs_to -- optional tenant_id to check whether the token is
mapped to a specific tenant.
is_check_token -- optional argument that tells whether
we check the existence of a Token using another Token
to authenticate.This value decides the faults that are to be thrown.
"""
if not token_id:
raise fault.UnauthorizedFault("Missing token")
(token, user) = self.__get_dauth_data(token_id)
if not token:
if is_check_token:
raise fault.ItemNotFoundFault("Token does not exist.")
else:
raise fault.UnauthorizedFault(
"Bad token, please reauthenticate")
if token.expires < datetime.now():
if is_check_token:
raise fault.ItemNotFoundFault("Token expired, please renew.")
else:
raise fault.ForbiddenFault("Token expired, please renew.")
if not user.enabled:
raise fault.UserDisabledFault("User %s has been disabled!" %
user.id)
if user.tenant_id:
self.__validate_tenant_by_id(user.tenant_id)
if token.tenant_id:
self.__validate_tenant_by_id(token.tenant_id)
if belongs_to and unicode(token.tenant_id) != unicode(belongs_to):
raise fault.UnauthorizedFault("Unauthorized on this tenant")
return (token, user)
def __validate_admin_token(self, token_id):
(token, user) = self.__validate_token(token_id)
if backends.ADMIN_ROLE_ID is None:
role = api.ROLE.get_by_name(backends.ADMIN_ROLE_NAME)
backends.ADMIN_ROLE_ID = role.id
for role_ref in api.ROLE.ref_get_all_global_roles(user.id):
if role_ref.role_id == backends.ADMIN_ROLE_ID and \
role_ref.tenant_id is None:
return (token, user)
raise fault.UnauthorizedFault(
"You are not authorized to make this call")
def authenticate_s3(self, credentials):
# Check credentials
if not isinstance(credentials, auth.S3Credentials):
raise fault.BadRequestFault("Expecting S3 Credentials!")
creds = api.CREDENTIALS.get_by_access(credentials.access)
if not creds:
raise fault.UnauthorizedFault("No credentials found for %s" %
credentials.access)
def validate(duser):
signer = Signer(creds.secret)
signature = signer.generate(credentials, s3=True)
if signature == credentials.signature:
return True
return False
return self._authenticate(validate, creds.user_id, creds.tenant_id)
def authenticate(self, auth_request):
# Check auth_with_password_credentials
if not isinstance(auth_request, auth.AuthWithPasswordCredentials):
raise fault.BadRequestFault(
"Expecting auth_with_password_credentials!")
def validate(duser):
return api.USER.check_password(duser, auth_request.password)
if auth_request.tenant_name:
dtenant = self.__validate_tenant_by_name(auth_request.tenant_name)
auth_request.tenant_id = dtenant.id
elif auth_request.tenant_id:
dtenant = self.__validate_tenant_by_id(auth_request.tenant_id)
user = api.USER.get_by_name(auth_request.username)
if not user:
raise fault.UnauthorizedFault("Unauthorized")
return self._authenticate(validate, user.id, auth_request.tenant_id)
