def _create_auth_plugin(self):
if self.auth_token_info:
auth_ref = access.AccessInfo.factory(body=self.auth_token_info,
auth_token=self.auth_token)
return access_plugin.AccessInfoPlugin(
auth_url=self.keystone_v3_endpoint,
auth_ref=auth_ref)
if self.auth_token:
# FIXME(jamielennox): This is broken but consistent. If you
# only have a token but don't load a service catalog then
# url_for wont work. Stub with the keystone endpoint so at
# least it might be right.
return token_endpoint.Token(endpoint=self.keystone_v3_endpoint,
token=self.auth_token)
if self.password:
return v3.Password(username=self.username,
password=self.password,
project_id=self.tenant_id,
user_domain_id='default',
auth_url=self.keystone_v3_endpoint)
LOG.error(_LE("Keystone v3 API connection failed, no password "
"trust or auth_token!"))
raise exception.AuthorizationFailure()
def _plugin(self, **kwargs):
token = fixture.V3Token()
s = token.add_service('identity')
s.add_standard_endpoints(public=self.TEST_ROOT_URL)
auth_ref = access.AccessInfo.factory(body=token,
auth_token=self.auth_token)
return access_plugin.AccessInfoPlugin(auth_ref, **kwargs)
def __call__(self, req):
request_id = common_context.generate_request_id()
# NOTE(alevine) We need to calculate the hash here because
# subsequent access to request modifies the req.body so the hash
# calculation will yield invalid results.
body_hash = hashlib.sha256(req.body).hexdigest()
signature = self._get_signature(req)
if not signature:
msg = _("Signature not provided")
return faults.ec2_error_response(request_id,
"AuthFailure",
msg,
status=400)
access = self._get_access(req)
if not access:
msg = _("Access key not provided")
return faults.ec2_error_response(request_id,
"AuthFailure",
msg,
status=400)
if 'X-Amz-Signature' in req.params or 'Authorization' in req.headers:
params = {}
else:
# Make a copy of args for authentication and signature verification
params = dict(req.params)
# Not part of authentication args
params.pop('Signature', None)
cred_dict = {
'access': access,
'signature': signature,
'host': req.host,
'verb': req.method,
'path': req.path,
'params': params,
# python3 takes only keys for json from headers object
'headers': {k: req.headers[k]
for k in req.headers},
'body_hash': body_hash
}
token_url = CONF.keystone_ec2_tokens_url
if "ec2" in token_url:
creds = {'ec2Credentials': cred_dict}
else:
creds = {'auth': {'OS-KSEC2:ec2Credentials': cred_dict}}
creds_json = jsonutils.dumps(creds)
headers = {'Content-Type': 'application/json'}
params = {'data': creds_json, 'headers': headers}
clients.update_request_params_with_ssl(params)
response = requests.request('POST', token_url, **params)
status_code = response.status_code
if status_code != 200:
msg = response.reason
return faults.ec2_error_response(request_id,
"AuthFailure",
msg,
status=status_code)
try:
auth_ref = keystone_access.AccessInfo.factory(resp=response,
body=response.json())
except (NotImplementedError, KeyError):
LOG.exception("Keystone failure")
msg = _("Failure communicating with keystone")
return faults.ec2_error_response(request_id,
"AuthFailure",
msg,
status=400)
auth = keystone_identity_access.AccessInfoPlugin(auth_ref)
params = {'auth': auth}
clients.update_request_params_with_ssl(params)
session = keystone_session.Session(**params)
remote_address = req.remote_addr
if CONF.use_forwarded_for:
remote_address = req.headers.get('X-Forwarded-For', remote_address)
ctxt = context.RequestContext(auth_ref.user_id,
auth_ref.project_id,
request_id=request_id,
user_name=auth_ref.username,
project_name=auth_ref.project_name,
remote_address=remote_address,
session=session,
api_version=req.params.get('Version'))
req.environ['ec2api.context'] = ctxt
return self.application
def factory(keystone_client, auth_token):
auth = access.AccessInfoPlugin(keystone_client.auth_ref)
session = keystoneclient.session.Session(auth=auth)
return congress_client.Client(session=session,
service_type='policy')