def get_system_access(user_id, auth_url, token, is_federated):
    """Report whether ``token`` can be used with Keystone system scope 'all'.

    Two strategies are tried in order:

    1. If the keystone client exposes ``client.auth.system``, call it and
       check that ``'all'`` is among the returned values.
    2. Otherwise try to obtain a token scoped with ``system_scope='all'``;
       a ``ClientException`` from Keystone is read as "no system access".

    ``user_id`` and ``is_federated`` are accepted but not used by this
    implementation.

    Returns:
        ``True`` when system access is available, ``False`` otherwise.
    """
    keystone_session = get_session()
    auth_url, _prefix_flag = fix_auth_url_version_prefix(auth_url)
    client = get_keystone_client().Client(
        session=keystone_session,
        auth=token_endpoint.Token(auth_url, token),
    )

    # Older keystoneclient releases have no auth.system endpoint, hence the
    # getattr() probe instead of a direct attribute access.
    list_system_scopes = getattr(client.auth, 'system', None)
    if list_system_scopes is not None:
        return 'all' in list_system_scopes()

    # Fallback: the only way to find out is to request a system-scoped token.
    try:
        system_plugin = get_token_auth_plugin(auth_url=auth_url,
                                              token=token,
                                              system_scope='all')
        system_plugin.get_access(keystone_session)
    except keystone_exceptions.ClientException:
        # Only client errors count as "denied"; anything else propagates.
        return False
    else:
        return True
def switch(request, tenant_id, redirect_field_name=auth.REDIRECT_FIELD_NAME):
    """Re-scope an authenticated user's session to the project ``tenant_id``.

    A project-scoped token is requested from Keystone using the user's
    unscoped token.  On success the token previously stored in the session
    is deleted (when it differs from the new one), the session is rebuilt
    from the new token and a success message is queued.  On a Keystone
    ``ClientException`` an error message is queued and the session is left
    as it was.

    The redirect target comes from the request parameter named by
    ``redirect_field_name``; it is only honoured when ``is_safe_url``
    accepts it for the current host, otherwise
    ``settings.LOGIN_REDIRECT_URL`` is used.

    Returns:
        A redirect response carrying a ``recent_project`` cookie.
    """
    LOG.debug('Switching to tenant %s for user "%s".'
              % (tenant_id, request.user.username))

    endpoint = utils.fix_auth_url_version(request.user.endpoint)
    keystone_session = utils.get_session()

    # Keystone may be configured to refuse exchanging one scoped token for
    # another, so the scoped token is always derived from the unscoped one.
    unscoped_token = request.user.unscoped_token
    project_plugin = utils.get_token_auth_plugin(auth_url=endpoint,
                                                 token=unscoped_token,
                                                 project_id=tenant_id)

    try:
        auth_ref = project_plugin.get_access(keystone_session)
        LOG.info('Project switch successful for user "%(username)s".'
                 % {'username': request.user.username})
    except keystone_exceptions.ClientException:
        auth_ref = None
        failure_text = (
            _('Project switch failed for user "%(username)s".') %
            {'username': request.user.username})
        messages.error(request, failure_text)
        LOG.exception('An error occurred while switching sessions.')

    # The redirect target is user-supplied: keep it only if it is safe for
    # this host (same check as django.contrib.auth.views.login()), which
    # prevents the view from being used as an open redirect.
    # NOTE(review): request.REQUEST and is_safe_url(host=...) are legacy
    # Django APIs -- confirm the Django version this module targets.
    requested_target = request.REQUEST.get(redirect_field_name, '')
    if is_safe_url(url=requested_target, host=request.get_host()):
        redirect_to = requested_target
    else:
        redirect_to = settings.LOGIN_REDIRECT_URL

    if auth_ref:
        previous_endpoint = request.session.get('region_endpoint')
        previous_token = request.session.get('token')
        # Delete the superseded token before the session is overwritten;
        # skipped when Keystone handed back the very same token.
        if (previous_token and previous_endpoint
                and previous_token.id != auth_ref.auth_token):
            delete_token(endpoint=previous_endpoint,
                         token_id=previous_token.id)

        new_token = auth_user.Token(auth_ref, unscoped_token=unscoped_token)
        switched_user = auth_user.create_user_from_token(
            request, new_token, endpoint)
        auth_user.set_session_from_user(request, switched_user)

        # project_name is read only after the session was re-populated.
        success_text = (
            _('Switch to project "%(project_name)s" successful.') %
            {'project_name': request.user.project_name})
        messages.success(request, success_text)

    # The cookie is written whether or not the switch succeeded; it records
    # whatever project request.user reports at this point.
    response = shortcuts.redirect(redirect_to)
    utils.set_response_cookie(response, 'recent_project',
                              request.user.project_id)
    return response
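def switch(request, project_id=None):
    """Re-scope the current user's session to another project (JSON API).

    The target project is ``project_id`` when the caller supplies one,
    otherwise the ``project_id`` key of the JSON request body.  A
    project-scoped token is requested from Keystone with the user's
    unscoped token and, on success, the session is rebuilt from it.

    Args:
        request: The incoming request; ``request.user`` must already carry
            ``endpoint``, ``unscoped_token`` and ``username``.
        project_id: Optional project to switch to.  When falsy the value is
            taken from the request body instead.

    Returns:
        ``JsonResponse("success")`` when the session was re-scoped, or
        ``JsonResponse("failed")`` with HTTP status 400 when the request
        body is unusable or Keystone rejects the switch.
    """
    if project_id:
        tenant_id = project_id
    else:
        # The body is client-controlled.  Invalid JSON (ValueError), a
        # payload that is not an object (TypeError) or a missing key
        # (KeyError) is a bad request, not an unhandled server error.
        try:
            tenant_id = json.loads(request.body)['project_id']
        except (ValueError, KeyError, TypeError):
            LOG.warning('Project switch rejected for user "%s": the request '
                        'body carries no usable project_id.',
                        request.user.username)
            return JsonResponse("failed", status=400, safe=False)

    LOG.debug('Switching to tenant %s for user "%s".', tenant_id,
              request.user.username)

    endpoint, __ = utils.fix_auth_url_version_prefix(request.user.endpoint)
    session = utils.get_session()

    # The scoped token is always derived from the unscoped one.
    unscoped_token = request.user.unscoped_token
    auth = utils.get_token_auth_plugin(auth_url=endpoint,
                                       token=unscoped_token,
                                       project_id=tenant_id)

    try:
        auth_ref = auth.get_access(session)
    except keystone_exceptions.ClientException:
        msg = (_('Project switch failed for user "%(username)s".') % {
            'username': request.user.username
        })
        messages.error(request, msg)
        auth_ref = None
        LOG.exception('An error occurred while switching sessions.')
    else:
        LOG.info('Project switch successful for user "%(username)s".',
                 {'username': request.user.username})

    if not auth_ref:
        return JsonResponse("failed", status=400, safe=False)

    user = auth_user.create_user_from_token(
        request,
        auth_user.Token(auth_ref, unscoped_token=unscoped_token),
        endpoint)
    auth_user.set_session_from_user(request, user)

    # project_name is read only after the session was re-populated.
    message = (_('Switch to project "%(project_name)s" successful.') % {
        'project_name': request.user.project_name
    })
    messages.success(request, message)

    # Identity details go to the debug log rather than to stdout, where a
    # stray print() would bypass log levels and log handling.
    # No 'recent_project' cookie is set here (that call was already
    # disabled in the original).
    LOG.debug('Session now scoped to tenant %s (%s) for user "%s".',
              request.user.tenant_id, request.user.tenant_name,
              request.user.username)
    return JsonResponse("success", safe=False)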
def switch_system_scope(request, redirect_field_name=auth.REDIRECT_FIELD_NAME):
    """Re-scope an authenticated user's session to Keystone system scope.

    A token with ``system_scope='all'`` is requested from Keystone using the
    user's unscoped token.  On success the session is rebuilt from that
    token and a success message is queued; on a ``ClientException`` an error
    message is queued and the session is left as it was.

    The redirect target is read from the query-string parameter named by
    ``redirect_field_name`` and is only honoured when ``http.is_safe_url``
    accepts it for the current host; otherwise
    ``settings.LOGIN_REDIRECT_URL`` is used.

    Returns:
        A redirect response, whether or not the switch succeeded.
    """
    LOG.debug('Switching to system scope for user "%s".',
              request.user.username)

    endpoint, __ = utils.fix_auth_url_version_prefix(request.user.endpoint)
    keystone_session = utils.get_session()

    # Keystone may be configured to refuse exchanging one scoped token for
    # another, so the scoped token is always derived from the unscoped one.
    unscoped_token = request.user.unscoped_token
    system_plugin = utils.get_token_auth_plugin(auth_url=endpoint,
                                                token=unscoped_token,
                                                system_scope='all')

    try:
        auth_ref = system_plugin.get_access(keystone_session)
    except keystone_exceptions.ClientException:
        auth_ref = None
        failure_text = (_('System switch failed for user "%(username)s".') % {
            'username': request.user.username
        })
        messages.error(request, failure_text)
        LOG.exception('An error occurred while switching sessions.')
    else:
        LOG.info('System switch successful for user "%(username)s".'
                 % {'username': request.user.username})

    # The redirect target is user-supplied: keep it only if it is safe for
    # this host (same check as django.contrib.auth.views.login()), which
    # prevents the view from being used as an open redirect.
    requested_target = request.GET.get(redirect_field_name, '')
    target_is_safe = http.is_safe_url(url=requested_target,
                                      allowed_hosts=[request.get_host()])
    redirect_to = (requested_target if target_is_safe
                   else settings.LOGIN_REDIRECT_URL)

    if auth_ref:
        system_token = auth_user.Token(auth_ref,
                                       unscoped_token=unscoped_token)
        switched_user = auth_user.create_user_from_token(
            request, system_token, endpoint)
        auth_user.set_session_from_user(request, switched_user)
        messages.success(request, _('Switch to system scope successful.'))

    return shortcuts.redirect(redirect_to)