def get_client(session):
if settings.AUTH_TYPE == "cloudkitty-noauth":
auth = ck_auth.CloudKittyNoAuthPlugin(endpoint=settings.AUTH_URL)
client = ck_client.Client(settings.CLOUDKITTY_API_VERSION, auth=auth)
return client
elif settings.AUTH_TYPE == "keystone":
token_as_dict = json.loads(session["token"])
if token_as_dict["project"]["id"]:
auth = v3.Token(
auth_url=settings.AUTH_URL,
token=token_as_dict["unscoped_token"],
project_id=token_as_dict["project"]["id"],
reauthenticate=False,
)
else:
auth = v3.Token(
auth_url=settings.AUTH_URL,
token=token_as_dict["unscoped_token"],
user_project_name=token_as_dict["user_domain_name"],
reauthenticate=False,
)
session = ks_session.Session(auth=auth)
client = ck_client.Client("2", session=session)
return client
return None
def get_token_auth_plugin(auth_url, token, project_id=None, domain_name=None):
if domain_name:
return v3_auth.Token(auth_url=auth_url,
token=token,
domain_name=domain_name,
reauthenticate=False)
return v3_auth.Token(auth_url=auth_url,
token=token,
project_id=project_id,
reauthenticate=False)
def test_websso_login_with_auth_in_url(self):
settings.OPENSTACK_KEYSTONE_URL =\
'http://auth.openstack.org/identity/v3'
projects = [self.data.project_one, self.data.project_two]
domains = []
form_data = {'token': self.data.unscoped_access_info.auth_token}
unscoped_auth = v3_auth.Token(
auth_url=settings.OPENSTACK_KEYSTONE_URL,
token=self.data.federated_unscoped_access_info.auth_token,
project_id=None,
reauthenticate=False)
unscoped_auth.get_access(mox.IsA(session.Session)).AndReturn(
self.data.federated_unscoped_access_info)
unscoped_auth.auth_url = settings.OPENSTACK_KEYSTONE_URL
unscoped_auth.auth_url = settings.OPENSTACK_KEYSTONE_URL
client = self.ks_client_module.Client(
session=mox.IsA(session.Session),
auth=unscoped_auth)
client.auth = self.mox.CreateMockAnything()
client.auth.domains().AndReturn(domains)
unscoped_auth.auth_url = settings.OPENSTACK_KEYSTONE_URL
client = self.ks_client_module.Client(
session=mox.IsA(session.Session),
auth=unscoped_auth)
client.federation = self.mox.CreateMockAnything()
client.federation.projects = self.mox.CreateMockAnything()
client.federation.projects.list().AndReturn(projects)
plugin = v3_auth.Token(
auth_url=settings.OPENSTACK_KEYSTONE_URL,
token=self.data.unscoped_access_info.auth_token,
project_id=self.data.project_one.id,
reauthenticate=False)
self.scoped_token_auth = plugin
plugin.get_access(mox.IsA(session.Session)).AndReturn(
self.data.unscoped_access_info)
self.ks_client_module.Client(
session=mox.IsA(session.Session),
auth=plugin)
self.mox.ReplayAll()
url = reverse('websso')
# POST to the page to log in.
response = self.client.post(url, form_data)
self.assertRedirects(response, settings.LOGIN_REDIRECT_URL)
def __init__(self, auth_ref=None):
"""
auth_ref = Lớp chung cho cả Auth_Password và Auth_Token. Sử dụng tính chất đa hình Python OOP
"""
self.auth_url = auth_ref.auth_url
self.region_site = auth_ref.region_site
self.project_domain_id = auth_ref.project_domain_id
self.project_domain_name = auth_ref.project_domain_name
self.project_id = auth_ref.project_id
self.project_name = auth_ref.project_name
if auth_ref.authenticate_type() == 'Token':
self.session_auth = v3.Token(
auth_url=self.auth_url,
token=auth_ref.token_string,
project_id=self.project_id,
project_name=self.project_name,
project_domain_name=self.project_domain_name,
)
elif auth_ref.authenticate_type() == 'Password':
self.session_auth = v3.Password(
auth_url=self.auth_url,
username=auth_ref.user_name,
password=auth_ref.user_password,
project_id=self.project_id,
project_name=self.project_name,
project_domain_name=self.project_domain_name,
user_domain_name=auth_ref.user_domain_name)
def setUp(self):
super(TestRequestId, self).setUp()
auth = v3.Token(auth_url='http://127.0.0.1:5000',
token=self.TEST_TOKEN)
session_ = session.Session(auth=auth)
self.client = client.Client(session=session_,
include_metadata='True')._adapter
def loginTenant(request, tenant_name):
"""
Create keystone, nova, and glance clients for tenant; on tenant selection
"""
username = request.session['username']
password = request.session['password']
auth_url = 'https://engage1.massopencloud.org:5000/v3/'
print 'lucas-test-auth-loginTenant'
unscoped_auth = v3.Password(auth_url=auth_url,
username=username,
password=password,
user_domain_name="Default",
unscoped=True)
unscoped_sess = session.Session(auth=unscoped_auth)
unscoped_token = unscoped_sess.get_token()
auth = v3.Token(auth_url=auth_url, token=unscoped_token)
sess = session.Session(auth=auth)
#scoped_token=sess.get_token()
keystone = ksclient.Client(session=sess)
# keystone = ksclient.Client(auth_url = 'https://engage1.massopencloud.org:5000/v2.0/', username = username,
# password = password, tenant_name = tenant_name)
print 'lucas-test-auth-loginTenant-succesfully'
# nova = nvclient.Client('2', auth_url = 'https://engage1.massopencloud.org:5000/v2.0/',
# username = username,
# api_key = password,
# project_id = tenant_name)
nova = nvclient.Client('2', session=sess)
glance = glclient.Client('2', session=sess)
return {'keystone': keystone, 'nova': nova, 'glance': glance}
def _create_client(self, context):
LOG.debug("Senlin action security context: %s", context)
keystone_endpoint = keystone_utils.get_keystone_endpoint()
senlin_endpoint = self.get_service_endpoint()
if context.is_trust_scoped and keystone_utils.is_token_trust_scoped(
context.auth_token):
if context.trust_id is None:
raise Exception(
"'trust_id' must be provided in the admin context.")
auth = ks_identity_v3.Password(
auth_url=keystone_endpoint.url,
trust_id=context.trust_id,
username=CONF.keystone_authtoken.username,
password=CONF.keystone_authtoken.password,
user_domain_name=CONF.keystone_authtoken.user_domain_name)
else:
auth = ks_identity_v3.Token(auth_url=keystone_endpoint.url,
token=context.auth_token,
project_id=context.project_id)
return self._get_client_class()(endpoint_url=senlin_endpoint.url,
session=ks_session.Session(auth=auth),
tenant_id=context.project_id,
region_name=senlin_endpoint.region,
auth_url=keystone_endpoint.url,
insecure=context.insecure)
def initiate_os_session(
unscoped: str,
project: str
) -> keystoneauth1.session.Session:
"""
Create a new openstack session with the unscoped token and project id.
Params:
unscoped: str
project: str
Returns:
A usable keystone session object for OS client connections
Return type:
object(keystoneauth1.session.Session)
"""
os_auth = v3.Token(
auth_url=setd['auth_endpoint_url'],
token=unscoped,
project_id=project
)
return keystoneauth1.session.Session(
auth=os_auth,
verify=False,
)
def __init__(self, OS_USERNAME: str = "", OS_PASSWORD: str = ""):
OS_USERNAME = OS_USERNAME or os.environ["OS_USERNAME"]
OS_PASSWORD = OS_PASSWORD or os.environ["OS_PASSWORD"]
OS_PROJECT_ID = "2dc0b65279674a42833a064ce3677297"
# from https://user.cscs.ch/storage/object_storage/usage_examples/tokens/
from keystoneauth1.identity import v3
from keystoneauth1 import session
from keystoneauth1.extras._saml2 import V3Saml2Password
from keystoneclient.v3 import client
saml_auth = V3Saml2Password(auth_url='https://pollux.cscs.ch:13000/v3',
identity_provider='cscskc',
protocol='mapped',
identity_provider_url='https://auth.cscs.ch/auth/realms/cscs/protocol/saml/',
username=OS_USERNAME,
password=OS_PASSWORD)
unscoped_sess = session.Session(auth=saml_auth)
kc_token = unscoped_sess.get_token()
#With the project id you can now request to the Keystone service a scoped token for project :
auth = v3.Token(auth_url=saml_auth.auth_url,
token=kc_token,
project_id=OS_PROJECT_ID)
scoped_sess = session.Session(auth=auth)
super().__init__(
OS_AUTH_TOKEN=scoped_sess.get_token(),
OS_STORAGE_URL=f"https://object.cscs.ch/v1/AUTH_{OS_PROJECT_ID}",
OS_IDENTITY_PROVIDER_URL=saml_auth.identity_provider_url,
OS_AUTH_URL=saml_auth.auth_url,
OS_PROTOCOL=saml_auth.protocol,
OS_IDENTITY_API_VERSION="3",
OS_AUTH_TYPE="token",
OS_IDENTITY_PROVIDER=saml_auth.identity_provider,
OS_INTERFACE="public",
OS_PROJECT_ID=OS_PROJECT_ID
)
def __init__(self, username, token=None):
self.username = username
if token:
auth = v3.Token(auth_url=OS_AUTH_URL, token=token)
else:
pwd = os.environ.get('CSCS_PASS')
if not pwd:
pwd = getpass.getpass("Password: "******"Couldn't authenticate! Incorrect username.")
except IndexError:
raise Exception("Couldn't authenticate! Incorrect password.")
self._ks_projects = {ksprj.name: ksprj
for ksprj in self._client.projects.list(user=self.user_id)}
self._projects = None
def get_domain_scoped_auth(self, unscoped_auth_ref, domains):
domain_auth = None
domain_auth_ref = None
session = self.get_session()
for domain in domains:
token = unscoped_auth_ref.auth_token
domain_auth = v3.Token(
auth_url=settings.AUTH_URL,
token=token,
domain_name=domain,
reauthentificate=False,
)
try:
domain_auth_ref = domain_auth.get_access(session)
except (
ks_exceptions.ClientException,
ks_exceptions.AuthorizationFailure,
):
LOG.info(
"Attempted scope to domain %s failed, will attempt "
"to scope to another domain.",
domain,
)
else:
if len(domains) > 1:
LOG.info(
"More than one valid domain found for user %s,"
" scoping to %s",
unscoped_auth_ref.user_id,
domain,
)
break
return domain_auth, domain_auth_ref
def designateclient(request):
token = request.user.token.id
if keystone.get_version() < 3:
tenant_id = request.user.tenant_id
logwrap_info("using keystone v2.")
# keystone auth object
auth = v2_plugin.Token(auth_url="https://%s:5000/v2.0" %
settings.OPENSTACK_HOST,
tenant_id=tenant_id,
token=token)
else:
project_id = request.user.project_id
project_domain_id = request.session.get('domain_context')
logwrap_info("using keystone v3.")
auth = v3_plugin.Token(auth_url="https://%s:5000/v3" %
settings.OPENSTACK_HOST,
token=token,
project_id=project_id,
project_domain_id=project_domain_id)
# create a session
ks_session = keystone_session.Session(auth=auth)
# spawn designate client object
dns_client = designate_client.Client(session=ks_session)
logwrap_info("Created a new DNSaaS API Client Object.")
return dns_client
def _get_auth(self):
if self.context.is_admin:
try:
auth = ka_loading.load_auth_from_conf_options(
CONF, ksconf.CFG_GROUP)
except ka_exception.MissingRequiredOptions:
auth = self._get_legacy_auth()
elif self.context.auth_token_info:
access_info = ka_access.create(body=self.context.auth_token_info,
auth_token=self.context.auth_token)
auth = ka_access_plugin.AccessInfoPlugin(access_info)
elif self.context.auth_token:
auth = ka_v3.Token(auth_url=self.auth_url,
token=self.context.auth_token)
elif self.context.trust_id:
auth_info = {
'auth_url': self.auth_url,
'username': self.context.user_name,
'password': self.context.password,
'user_domain_id': self.context.user_domain_id,
'user_domain_name': self.context.user_domain_name,
'trust_id': self.context.trust_id
}
auth = ka_v3.Password(**auth_info)
else:
LOG.error(
_LE('Keystone API connection failed: no password, '
'trust_id or token found.'))
raise exception.AuthorizationFailure()
return auth
def get_auth_plugin(opts):
auth_version = guess_auth_version(opts)
if opts.os_username:
if auth_version == '3':
return v3.Password(auth_url=opts.os_auth_url,
username=opts.os_username,
password=opts.os_password,
project_name=opts.os_project_name,
user_domain_name=opts.os_user_domain_name,
project_domain_name=opts.os_project_domain_name)
elif auth_version == '2.0':
return v2.Password(auth_url=opts.os_auth_url,
username=opts.os_username,
password=opts.os_password,
tenant_name=opts.os_tenant_name)
elif opts.os_token:
if auth_version == '3':
return v3.Token(auth_url=opts.os_auth_url,
token=opts.os_token,
project_name=opts.os_project_name,
project_domain_name=opts.os_project_domain_name)
elif auth_version == '2.0':
return v2.Token(auth_url=opts.os_auth_url,
token=opts.os_token,
tenant_name=opts.os_tenant_name)
raise Exception('Unable to determine correct auth method, please provide'
' either username or token')
def recover(cls, session, verify_ssl=False):
if not isinstance(session, dict) or not session.get('auth_ref'):
raise OpenStackBackendError('Invalid OpenStack session')
args = {
'auth_url': session['auth_url'],
'token': session['auth_ref'].auth_token,
}
if session.get('project_id'):
args['project_id'] = session['project_id']
elif session.get('project_name') and session.get(
'project_domain_name'):
args['project_name'] = session['project_name']
args['project_domain_name'] = session['project_domain_name']
auth_method = v3.Token(**args)
auth_data = {
'auth_token': session['auth_ref'].auth_token,
'body': session['auth_ref']._data
}
auth_state = json.dumps(auth_data)
auth_method.set_auth_state(auth_state)
ks_session = keystone_session.Session(auth=auth_method,
verify=verify_ssl)
return cls(ks_session=ks_session)
def glance_client(context, region_name=None):
# We should allow glance to get the endpoint from the service
# catalog, but to do so we would need to be able to specify
# the endpoint_filter on the API calls, but glance
# doesn't currently allow that. As a result, we must
# specify the endpoint explicitly.
if CONF.glance_url:
endpoint_url = '%(url)s%(tenant)s' % {
'url': normalize_url(CONF.glance_url),
'tenant': context.tenant
}
else:
endpoint_url = get_endpoint(context.service_catalog,
service_type=CONF.glance_service_type,
endpoint_region=region_name
or CONF.os_region_name,
endpoint_type=CONF.glance_endpoint_type)
auth = v3.Token(CONF.trove_auth_url, context.auth_token)
session = ka_session.Session(auth=auth)
return Client(CONF.glance_client_version,
endpoint=endpoint_url,
session=session)
def __init__(self,
auth_url,
username=None,
password=None,
token=None,
user_domain_id='default',
log=None):
self.auth_url = auth_url
if log is not None:
self.log = log
else:
self.log = logging.getLogger(__name__)
if token is not None:
auth = v3.Token(auth_url=self.auth_url, token=token, unscoped=True)
elif (username is not None and password is not None):
auth = v3.Password(auth_url=self.auth_url,
username=username,
password=password,
user_domain_id=user_domain_id,
unscoped=True)
else:
raise ValueError(
'Must provide either auth_state or username/password')
self.session = session.Session(auth=auth)
def __init__(self, username=None, password=None, project_name=None, token=None, admin=False):
self.ops = Ops.objects.all()[0]
if admin:
self.info = {
'auth_url': 'http://%s:5000/v3' % self.ops.ip,
'username': self.ops.username,
'password': self.ops.password,
'project_domain_name': self.ops.projectdomain,
'user_domain_name': self.ops.userdomain,
'project_name': self.ops.project
}
self.auth = v3.Password(**self.info)
elif token is None:
self.info = {
'auth_url': 'http://%s:5000/v3' % self.ops.ip,
'username': username,
'password': password,
'project_domain_name': self.ops.projectdomain,
'user_domain_name': self.ops.userdomain,
'project_name': project_name
}
self.auth = v3.Password(**self.info)
else:
self.info = {
'auth_url': 'http://%s:5000/v3' % self.ops.ip,
'token': token,
'project_name': project_name,
'project_domain_name': self.ops.projectdomain,
'reauthenticate': False
}
self.auth = v3.Token(**self.info)
self.sess = session.Session(self.auth)
def connect(self):
self.__reset_attributes()
if 'OS_TOKEN' in os.environ:
# We've already been authenticated. We can just set the right variables
self.__env['OS_TOKEN'] = os.environ['OS_TOKEN']
self.__env['OS_USERNAME'] = os.environ['OS_USERNAME']
self.__auth = v3.Token(auth_url=self.__env['OS_AUTH_URL'],
token=self.__env['OS_TOKEN'])
else:
### Authenticate user:
self.__env['OS_USERNAME'] = os.environ[
'OS_USERNAME'] if 'OS_USERNAME' in os.environ else input(
'Username: '******'OS_PASSWORD'] if 'OS_PASSWORD' in os.environ else getpass.getpass(
)
self.__auth = V3OidcPassword(
auth_url=self.__env['OS_AUTH_URL'],
identity_provider=self.__env['OS_IDENTITY_PROVIDER'],
protocol=self.__env['OS_PROTOCOL'],
client_id=self.__env['OS_CLIENT_ID'],
client_secret=self.__env['OS_CLIENT_SECRET'],
discovery_endpoint=self.__env['OS_DISCOVERY_ENDPOINT'],
username=self.__env['OS_USERNAME'],
password=self.__pw)
self.__ks_session = keystone_session.Session(auth=self.__auth)
def get_token_auth_plugin(auth_url, token, project_id=None, domain_name=None):
if get_keystone_version() >= 3:
if domain_name:
return v3_auth.Token(auth_url=auth_url,
token=token,
domain_name=domain_name,
reauthenticate=False)
else:
return v3_auth.Token(auth_url=auth_url,
token=token,
project_id=project_id,
reauthenticate=False)
else:
return v2_auth.Token(auth_url=auth_url,
token=token,
tenant_id=project_id,
reauthenticate=False)
def get_scoped_auth(self, unscoped_token, project_id):
scoped_auth = v3.Token(
auth_url=settings.AUTH_URL,
token=unscoped_token,
project_id=project_id,
reauthenticate=False,
)
return scoped_auth
def _refresh_trustee_client(self):
trustee_token = self.trustee_user_client.session.get_token()
trustee_auth = v3.Token(
trust_id=self.trust_id,
token=trustee_token,
auth_url=self.auth_url
)
return self._load_client(trustee_auth, self.ssl_settings)
def get_plugin(self, auth_url=None, token=None, project_id=None, **kwargs):
if not all((auth_url, token)):
return None
return v3_auth.Token(auth_url=auth_url,
token=token,
project_id=project_id,
reauthenticate=False)
def _create_token_auth(self, project_id, token=None, url=None,
domain_name=None):
if not token:
token = self.data.unscoped_access_info.auth_token
if not url:
url = settings.OPENSTACK_KEYSTONE_URL
if domain_name:
return v3_auth.Token(auth_url=url,
token=token,
domain_name=domain_name,
reauthenticate=False)
else:
return v3_auth.Token(auth_url=url,
token=token,
project_id=project_id,
reauthenticate=False)
def __init__(self, token=None, auth_url=None, endpoint=None):
if not token and not auth_url:
raise ValueError("No usable token supplied")
self.token = token
self.auth_url = auth_url
self.endpoint = endpoint
auth = v3.Token(auth_url=auth_url, token=token)
self._get_session(auth)
def _get_user_session(self, token):
# Get user session from token
auth = v3.Token(auth_url=CONF.auth_url,
project_name=CONF.project_name,
project_domain_name=CONF.project_domain_name,
token=token)
return session.Session(auth=auth)
def _get_user_keystone_session():
ctx = context.get_ctx()
auth = v3.Token(
auth_url=CONF.keystone_authtoken.www_authenticate_uri,
token=ctx.auth_token,
)
return session.Session(auth=auth, verify=False)
def validate_token(auth_url=None, token=None):
try:
auth = auth_identity.Token(
auth_url=auth_url, token=token, unscoped=True)
sess = session.Session(auth=auth)
c = client.Client(session=sess)
return c
except Unauthorized:
# Take their error and resend it as mine
raise AuthenticationError('Authentication required: Invalid token')
def connection_token(self, **kwargs):
"""
Make a connection with a token
:param auth_url: str Authentication url
:param token: str Authentication token
"""
self._authentication = v3.Token(auth_url=kwargs['auth_url'],
token=kwargs['token'])
self._init_session_access_catalog()
def _create_token_auth(self, project_id=None, token=None, url=None):
if not token:
token = self.data.federated_unscoped_access_info.auth_token
if not url:
url = settings.OPENSTACK_KEYSTONE_URL
return v3_auth.Token(auth_url=url,
token=token,
project_id=project_id,
reauthenticate=False)
