def get_client(self, version=None, session=None):
     version = version or self.VERSION
     session = session or keystone_session.Session()
     adapted = AdapterWithTimeout(
         session=session, endpoint_override=self.get_base())
     return client.Client(version, session=adapted)
Beispiel #2
0
redirect_uri = 'https://testuri.com'
scope = 'all_info'
scopes = [scope]

#create a consumer
consumer = keystone.oauth2.consumers.create(client_type='confidential',
                                            redirect_uris=[redirect_uri],
                                            grant_type='authorization_code',
                                            scopes=scopes)
consumer_id = consumer.id
consumer_secret = consumer.secret

#store credentials
keystone.oauth2.authorization_codes.request_authorization(
    consumer=consumer_id, redirect_uri=redirect_uri, scope=scope)
#grant authorization
authorization_code = keystone.oauth2.authorization_codes.authorize(
    consumer=consumer_id, scopes=scopes)
#get an access token
access_token = keystone.oauth2.access_tokens.create(
    consumer_id=consumer_id,
    authorization_code=authorization_code.code,
    redirect_uri=redirect_uri,
    consumer_secret=consumer_secret)
# log in and get a keystone token
a = auth.OAuth2(url, access_token=access_token.access_token)
s = session.Session(auth=a)
keystone = client.Client(session=s)
keystone.users.list()
Beispiel #3
0
def create_keystone_session(cacert, insecure, **kwargs):
    auth = auth_v2.Password(**kwargs)
    return session.Session(auth=auth, cert=cacert, verify=not insecure)
Beispiel #4
0
 def test_no_redirect(self):
     session = client_session.Session(redirect=False)
     self.setup_redirects()
     resp = session.get(self.REDIRECT_CHAIN[0])
     self.assertEqual(resp.status_code, 305)
     self.assertEqual(resp.url, self.REDIRECT_CHAIN[0])
Beispiel #5
0
 def test_service_url_raises_if_no_url_returned(self):
     sess = client_session.Session(auth=AuthPlugin())
     self.assertRaises(exceptions.EndpointNotFound,
                       sess.get, '/path',
                       endpoint_filter={'service_type': 'unknown',
                                        'interface': 'public'})
Beispiel #6
0
 def test_does_not_set_tcp_keepalive_on_custom_sessions(self):
     mock_session = mock.Mock()
     client_session.Session(session=mock_session)
     self.assertFalse(mock_session.mount.called)
Beispiel #7
0
 def test_basic_post_keeps_correct_method(self):
     session = client_session.Session()
     self.setup_redirects(method='POST', status_code=301)
     resp = session.post(self.REDIRECT_CHAIN[-2])
     self.assertResponse(resp)
 def test_no_reauthenticate(self):
     a = self._create_expired_auth_plugin(reauthenticate=False)
     expired_auth_ref = a.auth_ref
     s = session.Session(auth=a)
     self.assertIs(expired_auth_ref, a.get_access(s))
    def test_get_auth_properties(self):
        a = self.create_auth_plugin()
        s = session.Session()

        self.assertEqual(self.user_id, a.get_user_id(s))
        self.assertEqual(self.project_id, a.get_project_id(s))
ks_username = config.get('os_username')
ks_password = config.get('os_password')
project_name = config.get('os_project_name')
yaml_file = config.get('flavor_yaml_file')
ca_bundle = config.get('ca_bundle_file')

with open(yaml_file) as f:
    flavors = yaml.safe_load(f)
    f.close()

auth = v2.Password(auth_url=auth_url,
                   username=ks_username,
                   password=ks_password,
                   tenant_name=project_name)

sess = session.Session(auth=auth, verify=ca_bundle)

nova = client.Client("2", session=sess)

current = []
for f in nova.flavors.list(is_public=False):
    current.append(f.name)

inyaml = []
for f in flavors['flavors']:
    name = "%s.%sc.%sr.%sh" % (f['type'], f['cpu'], f['ram'], f['disk'])

    if name in inyaml:
        log.logger.debug(
            "flavor %s is duplicate in flavor.yaml so it will be skipped" %
            name)
def _get_keystone_session(**kwargs):
    # TODO(fabgia): the heavy lifting here should be really done by Keystone.
    # Unfortunately Keystone does not support a richer method to perform
    # discovery and return a single viable URL. A bug against Keystone has
    # been filed: https://bugs.launchpad.net/python-keystoneclient/+bug/1330677

    # first create a Keystone session
    cacert = kwargs.pop('cacert', None)
    cert = kwargs.pop('cert', None)
    key = kwargs.pop('key', None)
    insecure = kwargs.pop('insecure', False)
    auth_url = kwargs.pop('auth_url', None)
    project_id = kwargs.pop('project_id', None)
    project_name = kwargs.pop('project_name', None)

    if insecure:
        verify = False
    else:
        verify = cacert or True

    if cert and key:
        # passing cert and key together is deprecated in favour of the
        # requests lib form of having the cert and key as a tuple
        cert = (cert, key)

    # create the keystone client session
    ks_session = session.Session(verify=verify, cert=cert)
    v2_auth_url, v3_auth_url = _discover_auth_versions(ks_session, auth_url)

    username = kwargs.pop('username', None)
    user_id = kwargs.pop('user_id', None)
    user_domain_name = kwargs.pop('user_domain_name', None)
    user_domain_id = kwargs.pop('user_domain_id', None)
    project_domain_name = kwargs.pop('project_domain_name', None)
    project_domain_id = kwargs.pop('project_domain_id', None)
    auth = None

    use_domain = (user_domain_id or user_domain_name or
                  project_domain_id or project_domain_name)
    use_v3 = v3_auth_url and (use_domain or (not v2_auth_url))
    use_v2 = v2_auth_url and not use_domain

    if use_v3:
        # the auth_url as v3 specified
        # e.g. http://no.where:5000/v3
        # Keystone will return only v3 as viable option
        auth = v3_auth.Password(
            v3_auth_url,
            username=username,
            password=kwargs.pop('password', None),
            user_id=user_id,
            user_domain_name=user_domain_name,
            user_domain_id=user_domain_id,
            project_name=project_name,
            project_id=project_id,
            project_domain_name=project_domain_name,
            project_domain_id=project_domain_id)
    elif use_v2:
        # the auth_url as v2 specified
        # e.g. http://no.where:5000/v2.0
        # Keystone will return only v2 as viable option
        auth = v2_auth.Password(
            v2_auth_url,
            username,
            kwargs.pop('password', None),
            tenant_id=project_id,
            tenant_name=project_name)
    else:
        raise exc.CommandError('Unable to determine the Keystone version '
                               'to authenticate with using the given '
                               'auth_url.')

    ks_session.auth = auth
    return ks_session
Beispiel #12
0
def login(username, project_id, password, region):
    params_no_version = {
        'username': username,
        'project_id': project_id,
        'auth_url': config.os_auth_url,
        'user_domain_id': 'default',
        'tenant_name': project_id,
        'password': password,
        'project_domain_id': 'default'
    }

    request_session = requests.session()

    auth = auth_plugin.load_from_options(**params_no_version)
    session = osc_session.Session(auth=auth,
                                  session=request_session,
                                  verify=True)
    catalog = auth.get_auth_ref(session)['catalog']
    nova_catalog = [
        res for res in catalog
        if res['type'] == 'compute' and res['endpoints'][0]['region'] == region
    ]
    neutron_catalog = [
        res for res in catalog
        if res['type'] == 'network' and res['endpoints'][0]['region'] == region
    ]
    cinder_catalog = [
        res for res in catalog if res['type'] == 'volumev2'
        and res['endpoints'][0]['region'] == region
    ]

    glance_catalog = [
        res for res in catalog
        if res['type'] == 'image' and res['endpoints'][0]['region'] == region
    ]

    final_nova_catalog = []
    for res in nova_catalog:
        for r in res['endpoints']:
            if r['interface'] == 'public':
                final_nova_catalog.append(r['url'])

    final_neutron_catalog = []
    for res in neutron_catalog:
        for r in res['endpoints']:
            if r['interface'] == 'public':
                final_neutron_catalog.append(r['url'] + '/v2.0')

    final_cinder_catalog = []
    for res in cinder_catalog:
        for r in res['endpoints']:
            if r['interface'] == 'public':
                final_cinder_catalog.append(r['url'])

    final_glance_catalog = []
    for res in glance_catalog:
        for r in res['endpoints']:
            if r['interface'] == 'public':
                final_glance_catalog.append(r['url'])

    return (session.get_token(), final_nova_catalog, final_neutron_catalog,
            final_cinder_catalog, final_glance_catalog)
Beispiel #13
0
    def test_400_api_connection(self):
        """Simple api calls to check service is up and responding"""
        u.log.debug('Checking api functionality...')

        # This handles both keystone v2 and v3.
        # For keystone v2 we need a user:
        #  - 'demo' user
        #  - has a project 'demo'
        #  - in the 'demo' project
        #  - with an 'admin' role
        # For keystone v3 we need a user:
        #  - 'default' domain
        #  - 'demo' user
        #  - 'demo' project
        #  - 'admin' role -- to be able to delete.

        # manila requires a user with creator or admin role on the project
        # when creating a secret (which this test does).  Therefore, we create
        # a demo user, demo project, and then get a demo manila client and do
        # the secret.  ensure that the default domain is created.

        if self._keystone_version == '2':
            # find or create the 'demo' tenant (project)
            tenant = self._find_or_create(
                items=self.keystone.tenants.list(),
                key=lambda t: t.name == 'demo',
                create=lambda: self.keystone.tenants.create(
                    tenant_name="demo",
                    description="Demo for testing manila",
                    enabled=True))
            # find or create the demo user
            demo_user = self._find_or_create(
                items=self.keystone.users.list(),
                key=lambda u: u.name == 'demo',
                create=lambda: self.keystone.users.create(
                    name='demo', password='******', tenant_id=tenant.id))
            # find the admin role
            # already be created - if not, then this will fail later.
            admin_role = self._find_or_create(
                items=self.keystone.roles.list(),
                key=lambda r: r.name.lower() == 'admin',
                create=lambda: None)
            # grant the role if it isn't already created.
            # now grant the creator role to the demo user.
            self._find_or_create(
                items=self.keystone.roles.roles_for_user(demo_user,
                                                         tenant=tenant),
                key=lambda r: r.name.lower() == admin_role.name.lower(),
                create=lambda: self.keystone.roles.add_user_role(
                    demo_user, admin_role, tenant=tenant))
            # now we can finally get the manila client and create the secret
            keystone_ep = self.keystone.service_catalog.url_for(
                service_type='identity', endpoint_type='publicURL')
            auth = keystone_identity.v2.Password(username=demo_user.name,
                                                 password='******',
                                                 tenant_name=tenant.name,
                                                 auth_url=keystone_ep)

        else:
            # find or create the 'default' domain
            domain = self._find_or_create(
                items=self.keystone.domains.list(),
                key=lambda u: u.name == 'default',
                create=lambda: self.keystone.domains.create(
                    "default",
                    description="domain for manila testing",
                    enabled=True))
            # find or create the 'demo' user
            demo_user = self._find_or_create(
                items=self.keystone.users.list(domain=domain.id),
                key=lambda u: u.name == 'demo',
                create=lambda: self.keystone.users.create(
                    'demo',
                    domain=domain.id,
                    description="Demo user for manila tests",
                    enabled=True,
                    email="*****@*****.**",
                    password="******"))
            # find or create the 'demo' project
            demo_project = self._find_or_create(
                items=self.keystone.projects.list(domain=domain.id),
                key=lambda x: x.name == 'demo',
                create=lambda: self.keystone.projects.create(
                    'demo',
                    domain=domain.id,
                    description='manila testing project',
                    enabled=True))
            # create the role for the user - needs to be admin so that the
            # secret can be deleted - note there is only one admin role, and it
            # should already be created - if not, then this will fail later.
            admin_role = self._find_or_create(
                items=self.keystone.roles.list(),
                key=lambda r: r.name.lower() == 'admin',
                create=lambda: None)
            # now grant the creator role to the demo user.
            try:
                self.keystone.roles.check(role=admin_role,
                                          user=demo_user,
                                          project=demo_project)
            except keystoneclient.exceptions.NotFound:
                # create it if it isn't found
                self.keystone.roles.grant(role=admin_role,
                                          user=demo_user,
                                          project=demo_project)
            # now we can finally get the manila client and create the secret
            keystone_ep = self.keystone.service_catalog.url_for(
                service_type='identity', endpoint_type='publicURL')
            auth = keystone_identity.v3.Password(
                user_domain_name=domain.name,
                username=demo_user.name,
                password='******',
                project_domain_name=domain.name,
                project_name=demo_project.name,
                auth_url=keystone_ep)

        # Now we carry on with common v2 and v3 code
        sess = keystone_session.Session(auth=auth)
        # Authenticate admin with manila endpoint
        manila_ep = self.keystone.service_catalog.url_for(
            service_type='key-manager', endpoint_type='publicURL')
        manila = manila_client.Client(session=sess, endpoint=manila_ep)
        # now create the secret.
        my_secret = manila.secrets.create()
        my_secret.name = u'Random plain text password'
        my_secret.payload = u'password'
        my_secret_ref = my_secret.store()
        assert (my_secret_ref is not None)
        # and now delete the secret
        my_secret.delete()
        u.log.debug('OK')
Beispiel #14
0
def getKeystoneSession(config, project):
    return keystonesession.Session(
        auth=keystoneauth.Password(auth_url=config['nova_api_url'],
                                   username=config['username'],
                                   password=config['password'],
                                   tenant_name=project))
Beispiel #15
0
 def test_not_found(self):
     session = client_session.Session()
     self.stub_url('GET', status_code=404)
     self.assertRaises(exceptions.NotFound, session.get, self.TEST_URL)
 def setUp(self):
     super(GenericAuthPluginTests, self).setUp()
     self.auth = GenericPlugin()
     self.session = session.Session(auth=self.auth)
Beispiel #17
0
 def test_server_error(self):
     session = client_session.Session()
     self.stub_url('GET', status_code=500)
     self.assertRaises(exceptions.InternalServerError,
                       session.get, self.TEST_URL)
def main():

    argparser = argparse.ArgumentParser()

    argparser.add_argument('--debug',
                           help='Turn on debug logging',
                           action='store_true')

    argparser.add_argument(
        '--project',
        default='admin-monitoring',
        help='Set project to test creation for',
    )

    argparser.add_argument(
        '--keyfile',
        default='',
        help='Path to SSH key file for verification',
    )

    argparser.add_argument(
        '--user',
        default='',
        help='Set username (Expected to be the same across all backends)',
    )

    argparser.add_argument(
        '--prepend',
        default='test-create',
        help='String to add to beginning of instance names',
    )

    argparser.add_argument(
        '--max-pool',
        default=1,
        type=int,
        help='Allow this many instances',
    )

    argparser.add_argument('--preserve-leaks',
                           help='Never delete failed VMs',
                           action='store_true')

    argparser.add_argument(
        '--keystone-url',
        default="http://cloudcontrol1003.wikimedia.org:35357/v3",
        help='Auth url for token and service discovery',
    )

    argparser.add_argument(
        '--interval',
        default=600,
        type=int,
        help='Seconds delay for daemon (default: 600 [10m])',
    )

    argparser.add_argument(
        '--creation-timeout',
        default=180,
        type=int,
        help='Allow this long for creation to succeed.',
    )

    argparser.add_argument(
        '--ssh-timeout',
        default=180,
        type=int,
        help='Allow this long for SSH to succeed.',
    )

    argparser.add_argument(
        '--puppet-timeout',
        default=120,
        type=int,
        help='Allow this long for Puppet to succeed.',
    )

    argparser.add_argument(
        '--deletion-timeout',
        default=120,
        type=int,
        help='Allow this long for delete to succeed.',
    )

    argparser.add_argument(
        '--image',
        default='debian-8.10-jessie',
        help='Image to use',
    )

    argparser.add_argument(
        '--flavor',
        default='m1.small',
        help='Flavor to use',
    )

    argparser.add_argument('--skip-puppet',
                           help='Turn off Puppet validation',
                           action='store_true')

    argparser.add_argument('--skip-dns',
                           help='Turn off DNS validation',
                           action='store_true')

    argparser.add_argument(
        '--dns-resolvers',
        help='Comma separated list of nameservers',
        default='208.80.154.143,208.80.154.24',
    )

    argparser.add_argument('--skip-ssh',
                           help='Turn off basic SSH validation',
                           action='store_true')

    argparser.add_argument('--pause-for-deletion',
                           help='Wait for user input before deletion',
                           action='store_true')

    argparser.add_argument('--skip-deletion',
                           help='Leave instance behind',
                           action='store_true')

    argparser.add_argument(
        '--virthost',
        default=None,
        help='Specify a particular host to launch on, e.g. labvirt1001.  Default'
        'behavior is to use the standard scheduling pool.',
    )

    argparser.add_argument(
        '--adhoc-command',
        default='',
        help='Specify a command over SSH prior to deletion',
    )

    argparser.add_argument(
        '--network',
        default='',
        help='Specify a Neutron network for VMs',
    )

    argparser.add_argument(
        '--statsd',
        default='statsd.eqiad.wmnet',
        help='Send statistics to statsd endpoint',
    )

    args = argparser.parse_args()

    logging.basicConfig(format='%(asctime)s %(levelname)s %(message)s',
                        level=logging.DEBUG if args.debug else logging.INFO)

    if args.adhoc_command and args.skip_ssh:
        logging.error("cannot skip SSH with adhoc command specified")
        sys.exit(1)

    try:
        with open(args.keyfile, 'r') as f:
            f.read()
    except:
        logging.error("keyfile {} cannot be read".format(args.keyfile))
        sys.exit(1)

    pw = os.environ.get('OS_PASSWORD')
    region = os.environ.get('OS_REGION_NAME')
    user = os.environ.get('OS_USERNAME') or args.user
    project = os.environ.get('OS_PROJECT_ID') or args.project
    if not all([user, pw, project]):
        logging.error('Set username and password environment variables')
        sys.exit(1)

    def stat(metric, value):
        metric_prepend = 'servers.{}.nova'.format(socket.gethostname())
        submit_stat(args.statsd, 8125, metric_prepend, metric, value)

    while True:

        loop_start = round(time.time(), 2)

        auth = generic.Password(auth_url=args.keystone_url,
                                username=user,
                                password=pw,
                                user_domain_name='Default',
                                project_domain_name='Default',
                                project_name=project)

        sess = keystone_session.Session(auth=auth)
        nova_conn = nova_client.Client('2', session=sess, region_name=region)

        prepend = args.prepend
        epoch = int(time.time())
        name = '{}-{}'.format(prepend, epoch)

        exist = nova_conn.servers.list()
        logging.debug(exist)
        prependinstances = [
            server for server in exist if server.human_id.startswith(prepend)
        ]
        pexist_count = len(prependinstances)

        stat('instances.count', pexist_count)
        stat('instances.max', args.max_pool)

        # If we're pushing up against max_pool, delete the oldest server
        if not args.preserve_leaks and pexist_count >= args.max_pool - 1:
            logging.warning("There are {} leaked instances with prepend {}; "
                            "cleaning up".format(pexist_count, prepend))
            servers = sorted(prependinstances,
                             key=lambda server: server.human_id)
            servers[0].delete()

        if pexist_count >= args.max_pool:
            # If the cleanup in the last two cycles didn't get us anywhere,
            #  best to just bail out so we stop trampling on the API.
            logging.error(
                "max server(s) with prepend {} -- skipping creation".format(
                    prepend))
            continue

        cimage = nova_conn.images.find(name=args.image)
        cflavor = nova_conn.flavors.find(name=args.flavor)

        try:
            vc, server = verify_create(nova_conn, name, cimage, cflavor,
                                       args.creation_timeout, args.network,
                                       args.virthost)
            stat('verify.creation', vc)

            if 'public' in server.addresses:
                addr = server.addresses['public'][0]['addr']
                if not addr.startswith('10.'):
                    raise Exception("Bad address of {}".format(addr))
            else:
                addr = server.addresses['lan-flat-cloudinstances2b'][0]['addr']
                if not addr.startswith('172.'):
                    raise Exception("Bad address of {}".format(addr))

            if not args.skip_dns:
                host = '{}.{}.eqiad.wmnet'.format(server.name,
                                                  server.tenant_id)
                dnsd = args.dns_resolvers.split(',')
                vdns = verify_dns(host, dnsd, timeout=2.0)
                stat('verify.dns', vdns)

            if not args.skip_ssh:
                vs = verify_ssh(addr, user, args.keyfile, args.ssh_timeout)

                stat('verify.ssh', vs)
                if args.adhoc_command:
                    sshout = run_remote(addr,
                                        user,
                                        args.keyfile,
                                        args.adhoc_command,
                                        debug=args.debug)
                    logging.debug(sshout)

            if not args.skip_puppet:
                ps, puppetrun = verify_puppet(addr, user, args.keyfile,
                                              args.puppet_timeout)
                stat('verify.puppet', ps)

                categories = ['changes', 'events', 'resources', 'time']

                for d in categories:
                    for k, v in puppetrun[d].iteritems():
                        stat('puppet.{}.{}'.format(d, k), v)

            if args.pause_for_deletion:
                logging.info("Pausing for deletion")
                get_verify('continue with deletion', 'Not a valid response',
                           ['y'])

            if not args.skip_deletion:
                vd = verify_deletion(nova_conn, server, args.deletion_timeout)

            if not args.pause_for_deletion:
                stat('verify.deletion', vd)
                loop_end = time.time()
                stat('verify.fullstack', round(loop_end - loop_start, 2))

            if not args.interval:
                return

            stat('verify.success', 1)
        except:
            logging.exception("{} failed, leaking".format(name))
            stat('verify.success', 0)

        time.sleep(args.interval)
Beispiel #19
0
 def test_basic_get(self):
     session = client_session.Session()
     self.setup_redirects()
     resp = session.get(self.REDIRECT_CHAIN[-2])
     self.assertResponse(resp)
        help='datacenter for operations, to calculate FQDNs. Default is eqiad',
        default="eqiad"
    )

    args = argparser.parse_args()

    config = ScriptConfig(args.datacenter, args.destination, args.mysql_password,
                          args.nova_db_server, args.nova_db)
    logging.basicConfig(format="%(filename)s: %(levelname)s: %(message)s",
                        level=logging.INFO, stream=sys.stdout)

    sshargs = ["ssh", "-i", "/root/.ssh/compute-hosts-key",
               "nova@%s" % config.destination_fqdn, "true"]
    r = subprocess.call(sshargs)
    if r:
        logging.error("remote execution failed; this whole enterprise is doomed.")
        exit(1)

    auth = generic.Password(
        auth_url=args.nova_url,
        username=args.nova_user,
        password=args.nova_pass,
        user_domain_name='Default',
        project_domain_name='Default',
        project_name='admin')
    session = keystone_session.Session(auth=auth)

    instance = NovaInstance(session, args.instanceid, region=args.region)
    instance.migrate(config)
    logging.shutdown()
Beispiel #21
0
 def test_redirect_forever(self):
     session = client_session.Session(redirect=True)
     self.setup_redirects()
     resp = session.get(self.REDIRECT_CHAIN[0])
     self.assertResponse(resp)
     self.assertTrue(len(resp.history), len(self.REDIRECT_CHAIN))
Beispiel #22
0
 def new_client(self):
     self.session = session.Session()
     self.session.auth = v2.Password(self.identity_url, 'xx', 'xx')
     return v3client.Client(session=self.session)
Beispiel #23
0
 def test_service_url_raises_if_no_auth_plugin(self):
     sess = client_session.Session()
     self.assertRaises(exceptions.MissingAuthPlugin,
                       sess.get, '/path',
                       endpoint_filter={'service_type': 'compute',
                                        'interface': 'public'})
Beispiel #24
0
def get_keystone_session():
    cred = get_keystone_creds()
    auth = v3.Password(**cred)
    return ksc_session.Session(auth=auth)
Beispiel #25
0
    def test_user_and_project_id(self):
        auth = AuthPlugin()
        sess = client_session.Session(auth=auth)

        self.assertEqual(auth.TEST_USER_ID, sess.get_user_id())
        self.assertEqual(auth.TEST_PROJECT_ID, sess.get_project_id())
Beispiel #26
0
def get_session(auth_url,
                endpoint,
                domain_id,
                domain_name,
                project_id,
                project_name,
                project_domain_name,
                project_domain_id,
                username,
                user_id,
                password,
                user_domain_id,
                user_domain_name,
                token,
                insecure,
                cacert,
                all_tenants=False,
                edit_managed=False):
    # NOTE: all_tenants and edit_managed are here for backwards compat
    #       reasons, do not add additional modifiers here.

    session = ks_session.Session()

    # Build + Attach Authentication Plugin
    auth_args = {
        'auth_url': auth_url,
        'domain_id': domain_id,
        'domain_name': domain_name,
        'project_id': project_id,
        'project_name': project_name,
        'project_domain_name': project_domain_name,
        'project_domain_id': project_domain_id,
    }

    if token and endpoint:
        session.auth = token_endpoint.Token(endpoint, token)

    elif token:
        auth_args.update({'token': token})
        session.auth = generic.Token(**auth_args)

    else:
        auth_args.update({
            'username': username,
            'user_id': user_id,
            'password': password,
            'user_domain_id': user_domain_id,
            'user_domain_name': user_domain_name,
        })
        session.auth = generic.Password(**auth_args)

    # SSL/TLS Server Cert Verification
    if insecure is True:
        session.verify = False
    else:
        session.verify = cacert

    # NOTE: all_tenants and edit_managed are here for backwards compat
    #       reasons, do not add additional modifiers here.
    session.all_tenants = all_tenants
    session.edit_managed = edit_managed

    return session
Beispiel #27
0
 def _create_session_client(self):
     auth = token_endpoint.Token(self.endpoint, self.token)
     sess = session.Session(auth=auth)
     return http.SessionClient(sess)
Beispiel #28
0
 def get_insecure_session(self):
     session = self._sessions.get(SESSION_TYPE_INSECURE)
     if not session:
         session = keystone.Session(verify=False)
         self._set_session(SESSION_TYPE_INSECURE, session)
     return session
 def setUp(self):
     super(TestObjectAPIv1, self).setUp()
     sess = session.Session()
     self.api = object_store.APIv1(session=sess, endpoint=FAKE_URL)
     self.requests_mock = self.useFixture(fixture.Fixture())
Beispiel #30
0
    def __call__(self, req):
        request_id = common_context.generate_request_id()

        # NOTE(alevine) We need to calculate the hash here because
        # subsequent access to request modifies the req.body so the hash
        # calculation will yield invalid results.
        body_hash = hashlib.sha256(req.body).hexdigest()

        signature = self._get_signature(req)
        if not signature:
            msg = _("Signature not provided")
            return faults.ec2_error_response(request_id,
                                             "AuthFailure",
                                             msg,
                                             status=400)
        access = self._get_access(req)
        if not access:
            msg = _("Access key not provided")
            return faults.ec2_error_response(request_id,
                                             "AuthFailure",
                                             msg,
                                             status=400)

        if 'X-Amz-Signature' in req.params or 'Authorization' in req.headers:
            params = {}
        else:
            # Make a copy of args for authentication and signature verification
            params = dict(req.params)
            # Not part of authentication args
            params.pop('Signature', None)

        cred_dict = {
            'access': access,
            'signature': signature,
            'host': req.host,
            'verb': req.method,
            'path': req.path,
            'params': params,
            # python3 takes only keys fo json from headers object
            'headers': {k: req.headers[k]
                        for k in req.headers},
            'body_hash': body_hash
        }

        token_url = CONF.keystone_ec2_tokens_url
        if "ec2" in token_url:
            creds = {'ec2Credentials': cred_dict}
        else:
            creds = {'auth': {'OS-KSEC2:ec2Credentials': cred_dict}}
        creds_json = jsonutils.dumps(creds)
        headers = {'Content-Type': 'application/json'}

        response = requests.request('POST',
                                    token_url,
                                    data=creds_json,
                                    headers=headers)
        status_code = response.status_code
        if status_code != 200:
            msg = response.reason
            return faults.ec2_error_response(request_id,
                                             "AuthFailure",
                                             msg,
                                             status=status_code)

        try:
            auth_ref = keystone_access.AccessInfo.factory(resp=response,
                                                          body=response.json())
        except (NotImplementedError, KeyError):
            LOG.exception(_("Keystone failure"))
            msg = _("Failure communicating with keystone")
            return faults.ec2_error_response(request_id,
                                             "AuthFailure",
                                             msg,
                                             status=400)
        auth = keystone_identity_access.AccessInfoPlugin(auth_ref)
        session = keystone_session.Session(auth=auth)
        remote_address = req.remote_addr
        if CONF.use_forwarded_for:
            remote_address = req.headers.get('X-Forwarded-For', remote_address)

        ctxt = context.RequestContext(auth_ref.user_id,
                                      auth_ref.project_id,
                                      request_id=request_id,
                                      user_name=auth_ref.username,
                                      project_name=auth_ref.project_name,
                                      remote_address=remote_address,
                                      session=session,
                                      api_version=req.params.get('Version'))

        req.environ['ec2api.context'] = ctxt

        return self.application