def setUp(self): super(TestV1PythonAPI, self).setUp() self.auth = token_endpoint.Token(endpoint='http://127.0.0.1:5050', token='token') self.session = ks_session.Session(self.auth) self.client = client.ClientV1(session=self.session) functional.cfg.CONF.set_override('store_data', 'none', 'processing')
def _create_auth_plugin(self): if self.auth_token_info: access_info = access.create(body=self.auth_token_info, auth_token=self.auth_token) return access_plugin.AccessInfoPlugin( auth_ref=access_info, auth_url=self.keystone_v3_endpoint) if self.password: # Never trust the password. Refer to keyring LOG.info("Re-determining password from keyring") self.password = keyring.get_password('CGCS', self.username) # TIS user_domain_id is blank. Use user_domain_name to lookup user user_domain_name = cfg.CONF.user_domain_name return generic.Password(username=self.username, password=self.password, project_id=self.tenant_id, user_domain_id=self.user_domain, user_domain_name=user_domain_name, auth_url=self.keystone_v3_endpoint) if self.auth_token: # FIXME(jamielennox): This is broken but consistent. If you # only have a token but don't load a service catalog then # url_for wont work. Stub with the keystone endpoint so at # least it might be right. return token_endpoint.Token(endpoint=self.keystone_v3_endpoint, token=self.auth_token) LOG.error("Keystone API connection failed, no password " "trust or auth_token!") raise exception.AuthorizationFailure()
def _create_auth_plugin(self): if self.auth_token_info: access_info = access.create(body=self.auth_token_info, auth_token=self.auth_token) return access_plugin.AccessInfoPlugin( auth_ref=access_info, auth_url=self.keystone_v3_endpoint) if self.auth_token: # FIXME(jamielennox): This is broken but consistent. If you # only have a token but don't load a service catalog then # url_for wont work. Stub with the keystone endpoint so at # least it might be right. return token_endpoint.Token(endpoint=self.keystone_v3_endpoint, token=self.auth_token) if self.password: return generic.Password(username=self.username, password=self.password, project_id=self.tenant_id, user_domain_id=self.user_domain, auth_url=self.keystone_v3_endpoint) LOG.error( _LE("Keystone API connection failed, no password " "trust or auth_token!")) raise exception.AuthorizationFailure()
def auth(profile=None, **connection_args): ''' Set up keystone credentials. Only intended to be used within Keystone-enabled modules. CLI Example: .. code-block:: bash salt '*' keystone.auth ''' kwargs = _get_kwargs(profile=profile, **connection_args) if 'token' in kwargs: auth = token_endpoint.Token(endpoint=kwargs['endpoint'], token=kwargs['token']) else: # keystoneauth1 Password class does not accept some args. Therefore remove it from args for auth. auth_connection_args = kwargs.copy() auth_connection_args.pop('region_name', None) auth_connection_args.pop('version', None) auth_connection_args.pop('insecure', None) auth = generic.Password(**auth_connection_args) if 'insecure' in kwargs: certs_verify = False else: certs_verify = True sess = session.Session(auth=auth, verify=certs_verify) keystone_client = client.Client(session=sess, **kwargs) return keystone_client
def test_token_endpoint_user_id(self): a = token_endpoint.Token(self.TEST_URL, self.TEST_TOKEN) s = session.Session() # we can't know this information about this sort of plugin self.assertIsNone(a.get_user_id(s)) self.assertIsNone(a.get_project_id(s))
def test_endpoint_data_token_endpoint_no_discover(self): plugin = token_endpoint.Token(endpoint=V3_URL, token='bogus') data = plugin.get_endpoint_data(self.session, discover_versions=False) self.assertEqual(data.api_version, (3, 0)) self.assertEqual(data.url, V3_URL) self.assertEqual(plugin.get_api_major_version(self.session), (3, 0)) self.assertEqual(plugin.get_endpoint(self.session), V3_URL)
def __init__(self, api_version, inspector_url=None, auth_token=None, session=None, service_type='baremetal-introspection', interface=None, region_name=None): """Create a client. :param api_version: minimum API version that must be supported by the server :param inspector_url: *Ironic Inspector* URL in form: http://host:port[/ver]. When session is provided, defaults to service URL from the catalog. As a last resort defaults to ``http://<current host>:5050/v<MAJOR>``. :param auth_token: authentication token (deprecated, use session) :param session: existing keystone session :param service_type: service type to use when looking up the URL :param interface: interface type (public, internal, etc) to use when looking up the URL :param region_name: region name to use when looking up the URL """ self._base_url = inspector_url or _DEFAULT_URL self._auth_token = auth_token if session is None: if auth_token: LOG.warning( _LW('Passing auth_token to client objects ' 'is deprecated, please pass session instead')) auth = token_endpoint.Token(endpoint=self._base_url, token=auth_token) else: auth = None self._session = ks_session.Session(auth) else: self._session = session if not inspector_url: try: self._base_url = session.get_endpoint( service_type=service_type, interface=interface, region_name=region_name) or _DEFAULT_URL except ks_exc.EndpointNotFound: LOG.warning( _LW('Endpoint for service %s was not found, ' 'falling back to local host on port 5050'), service_type) self._base_url = self._base_url.rstrip('/') self._api_version = self._check_api_version(api_version) self._version_str = '%d.%d' % self._api_version ver_postfix = '/v%d' % self._api_version[0] if not self._base_url.endswith(ver_postfix): self._base_url += ver_postfix
def __init__(self, auth_host, auth_port, auth_protocol, auth_admin_prefix, admin_user, admin_password, admin_tenant_name, admin_token, identity_uri, log): log.warning( "Use of the auth_admin_prefix, auth_host, auth_port, " "auth_protocol, identity_uri, admin_token, admin_user, " "admin_password, and admin_tenant_name configuration options was " "deprecated in the Mitaka release in favor of an auth_plugin and " "its related options. This class may be removed in a future " "release.") # NOTE(jamielennox): it does appear here that our default arguments # are backwards. We need to do it this way so that we can handle the # same deprecation strategy for CONF and the conf variable. if not identity_uri: log.warning('Configuring admin URI using auth fragments was ' 'deprecated in the Kilo release, and will be ' 'removed in the Newton release, ' 'use \'identity_uri\ instead.') if ':' in auth_host: # Note(dzyu) it is an IPv6 address, so it needs to be wrapped # with '[]' to generate a valid IPv6 URL, based on # http://www.ietf.org/rfc/rfc2732.txt auth_host = '[%s]' % auth_host identity_uri = '%s://%s:%s' % (auth_protocol, auth_host, auth_port) if auth_admin_prefix: identity_uri = '%s/%s' % (identity_uri, auth_admin_prefix.strip('/')) self._identity_uri = identity_uri.rstrip('/') # FIXME(jamielennox): Yes. This is wrong. We should be determining the # plugin to use based on a combination of discovery and inputs. Much # of this can be changed when we get keystoneclient 0.10. For now this # hardcoded path is EXACTLY the same as the original auth_token did. auth_url = '%s/v2.0' % self._identity_uri if admin_token: log.warning( "The admin_token option in auth_token middleware was " "deprecated in the Kilo release, and will be removed in the " "Newton release, use admin_user and admin_password instead.") self._plugin = token_endpoint.Token(auth_url, admin_token) else: self._plugin = v2.Password(auth_url, username=admin_user, password=admin_password, tenant_name=admin_tenant_name) self._LOG = log self._discover = None
def test_basic_case(self): self.requests_mock.get(self.TEST_URL, text='body') a = token_endpoint.Token(self.TEST_URL, self.TEST_TOKEN) s = session.Session(auth=a) data = s.get(self.TEST_URL, authenticated=True) self.assertEqual(data.text, 'body') self.assertRequestHeaderEqual('X-Auth-Token', self.TEST_TOKEN)
def test_endpoint_data_token_endpoint_discover(self): mock = self.requests_mock.get( V3_URL, status_code=200, json=V3_VERSION_ENTRY) plugin = token_endpoint.Token(endpoint=V3_URL, token='bogus') data = plugin.get_endpoint_data(self.session) self.assertEqual(data.api_version, (3, 0)) self.assertEqual(data.url, V3_URL) self.assertEqual(plugin.get_api_major_version(self.session), (3, 0)) self.assertEqual(plugin.get_endpoint(self.session), V3_URL) self.assertTrue(mock.called_once)
def test_basic_endpoint_case(self): self.stub_url('GET', ['p'], text='body') a = token_endpoint.Token(self.TEST_URL, self.TEST_TOKEN) s = session.Session(auth=a) data = s.get('/p', authenticated=True, endpoint_filter={'service': 'identity'}) self.assertEqual(self.TEST_URL, a.get_endpoint(s)) self.assertEqual('body', data.text) self.assertRequestHeaderEqual('X-Auth-Token', self.TEST_TOKEN)
def _mock_client_delete_token(self, user, token, url=None): if not url: url = settings.OPENSTACK_KEYSTONE_URL plugin = token_endpoint.Token( endpoint=url, token=self.data.unscoped_access_info.auth_token) client = self.ks_client_module.Client(session=mox.IsA(session.Session), auth=plugin) client.tokens = self.mox.CreateMockAnything() client.tokens.delete(token=token) return client
def get_service_auth(endpoint, auth_token, service_auth): """Create auth plugin wrapping both user and service auth. When properly configured and using auth_token middleware, requests with valid service auth will not fail if the user token is expired. Ideally we would use the plugin provided by auth_token middleware however this plugin isn't serialized yet. """ user_auth = token_endpoint.Token(endpoint, auth_token) return service_token.ServiceTokenAuthWrapper(user_auth=user_auth, service_auth=service_auth)
def test_request_id_header_session_client(self): global_id = "req-%s" % uuid.uuid4() kwargs = {'global_request_id': global_id} auth = token_endpoint.Token(self.endpoint, self.token) sess = session.Session(auth=auth) http_client = http.SessionClient(sess, **kwargs) path = '/v2/images/my-image' self.mock.get(self.endpoint + path) http_client.get(path) headers = self.mock.last_request.headers self.assertEqual(global_id, headers['X-OpenStack-Request-ID'])
def get_session(auth_url, endpoint, domain_id, domain_name, project_id, project_name, project_domain_name, project_domain_id, username, user_id, password, user_domain_id, user_domain_name, token, insecure, cacert, all_tenants=False, edit_managed=False): # NOTE: all_tenants and edit_managed are here for backwards compat # reasons, do not add additional modifiers here. session = ks_session.Session() # Build + Attach Authentication Plugin auth_args = { 'auth_url': auth_url, 'domain_id': domain_id, 'domain_name': domain_name, 'project_id': project_id, 'project_name': project_name, 'project_domain_name': project_domain_name, 'project_domain_id': project_domain_id, } if token and endpoint: session.auth = token_endpoint.Token(endpoint, token) elif token: auth_args.update({ 'token': token }) session.auth = generic.Token(**auth_args) else: auth_args.update({ 'username': username, 'user_id': user_id, 'password': password, 'user_domain_id': user_domain_id, 'user_domain_name': user_domain_name, }) session.auth = generic.Password(**auth_args) # SSL/TLS Server Cert Verification if insecure is True: session.verify = False else: session.verify = cacert # NOTE: all_tenants and edit_managed are here for backwards compat # reasons, do not add additional modifiers here. session.all_tenants = all_tenants session.edit_managed = edit_managed return session
def get_project_list(*args, **kwargs): is_federated = kwargs.get('is_federated', False) sess = kwargs.get('session') or get_session() auth_url, _ = fix_auth_url_version_prefix(kwargs['auth_url']) auth = token_endpoint.Token(auth_url, kwargs['token']) client = get_keystone_client().Client(session=sess, auth=auth) if is_federated: projects = client.federation.projects.list() else: projects = client.projects.list(user=kwargs.get('user_id')) projects.sort(key=lambda project: project.name.lower()) return projects
def get_ksa_client(context): """Returns a keystoneauth Adapter using token from context. This will return a simple keystoneauth adapter that can be used to make requests against a remote service using the token provided (and already authenticated) from the user and stored in a RequestContext. :param context: User request context :returns: keystoneauth1 Adapter object """ auth = token_endpoint.Token(CONF.keystone_authtoken.identity_uri, context.auth_token) return session.Session(auth=auth)
def test_endpoint_data_token_endpoint_adapter(self): mock = self.requests_mock.get( V3_URL, status_code=200, json=V3_VERSION_ENTRY) plugin = token_endpoint.Token(endpoint=V3_URL, token='bogus') client = adapter.Adapter(session.Session(plugin)) data = client.get_endpoint_data() self.assertEqual(data.api_version, (3, 0)) self.assertEqual(data.url, V3_URL) self.assertEqual(client.get_api_major_version(), (3, 0)) self.assertEqual(client.get_endpoint(), V3_URL) self.assertTrue(mock.called_once)
def get_clients(context): global _SESSION if not _SESSION: _SESSION = session.Session() auth = token_endpoint.Token(CONF.designate.url, context.auth_token) client = d_client.Client(session=_SESSION, auth=auth) admin_auth = password.Password( auth_url=CONF.designate.admin_auth_url, username=CONF.designate.admin_username, password=CONF.designate.admin_password, tenant_name=CONF.designate.admin_tenant_name, tenant_id=CONF.designate.admin_tenant_id) admin_client = d_client.Client(session=_SESSION, auth=admin_auth) return client, admin_client
def delete_token(endpoint, token_id): """Delete a token.""" try: endpoint = utils.fix_auth_url_version(endpoint) session = utils.get_session() auth_plugin = token_endpoint.Token(endpoint=endpoint, token=token_id) client = utils.get_keystone_client().Client(session=session, auth=auth_plugin) if utils.get_keystone_version() >= 3: client.tokens.revoke_token(token=token_id) else: client.tokens.delete(token=token_id) LOG.info('Deleted token %s' % token_id) except keystone_exceptions.ClientException: LOG.info('Could not delete token')
def get_system_access(user_id, auth_url, token, is_federated): session = get_session() auth_url, _ = fix_auth_url_version_prefix(auth_url) auth = token_endpoint.Token(auth_url, token) client = get_keystone_client().Client(session=session, auth=auth) # Old versions of keystoneclient don't have auth.system endpoint yet. auth_system = getattr(client.auth, 'system', None) if auth_system is not None: return 'all' in auth_system() # Fall back to trying to get the system scope token. try: auth = get_token_auth_plugin(auth_url=auth_url, token=token, system_scope='all') auth.get_access(session) except keystone_exceptions.ClientException: return False return True
def __init__(self, **kwargs): """Description We suppose that in future we may want to use CNC in some places where context will be available, so we create 2 different ways of creating client from context(future) and kwargs(we use it now). :param version: service client version which we will use :type version: str :param auth_token: keystone auth token :type auth_token: str :param endpoint_override: endpoint url which we will use :type endpoint_override: str """ ctx = kwargs.pop('ctx', None) auth_token = kwargs.pop('auth_token', None) endpoint_override = kwargs.pop('endpoint_override', None) version = kwargs.pop('version', cfg.CONF.nova_client_version) if ctx is None: try: ctx = context.current() except RuntimeError: pass if ctx is not None: auth_token = auth_token or ctx.auth_token endpoint_override = endpoint_override or \ base.url_for(ctx.service_catalog, CONF.compute_service) auth = token_endpoint.Token(endpoint_override, auth_token) sess = session.Session(auth=auth) kwargs.setdefault('endpoint_override', endpoint_override) kwargs.setdefault('session', sess) kwargs.setdefault('version', version) self.nova = nova_client.Client(**kwargs) self.nova.servers = ServerManager(self.nova) self.exceptions = nova_exception
def get_clients(context): global _SESSION if not _SESSION: _SESSION = loading.load_session_from_conf_options(CONF, 'designate') auth = token_endpoint.Token(CONF.designate.url, context.auth_token) client = d_client.Client(session=_SESSION, auth=auth) if CONF.designate.auth_type: admin_auth = loading.load_auth_from_conf_options(CONF, 'designate') else: admin_auth = password.Password( auth_url=CONF.designate.admin_auth_url, username=CONF.designate.admin_username, password=CONF.designate.admin_password, tenant_name=CONF.designate.admin_tenant_name, tenant_id=CONF.designate.admin_tenant_id) admin_client = d_client.Client(session=_SESSION, auth=admin_auth) return client, admin_client
def get_clients(context): global _SESSION if not _SESSION: if CONF.designate.insecure: verify = False else: verify = CONF.designate.ca_cert or True _SESSION = session.Session(verify=verify) auth = token_endpoint.Token(CONF.designate.url, context.auth_token) client = d_client.Client(session=_SESSION, auth=auth) admin_auth = password.Password( auth_url=CONF.designate.admin_auth_url, username=CONF.designate.admin_username, password=CONF.designate.admin_password, tenant_name=CONF.designate.admin_tenant_name, tenant_id=CONF.designate.admin_tenant_id) admin_client = d_client.Client(session=_SESSION, auth=admin_auth) return client, admin_client
def get_ironic_client(context=None): session = ks_loading.load_session_from_conf_options(CONF, 'ironic') service_auth = ks_loading.load_auth_from_conf_options(CONF, 'ironic') # use user context if provided user_auth = None if context: endpoint = ks_loading.load_adapter_from_conf_options( CONF, 'ironic', session=session, auth=service_auth).get_endpoint() user_auth = service_token.ServiceTokenAuthWrapper( user_auth=token_endpoint.Token(endpoint, context.auth_token), service_auth=service_auth) sess = ks_loading.load_session_from_conf_options(CONF, 'ironic', auth=user_auth or service_auth) kwargs = {'os_ironic_api_version': '1.65'} cli = ironic_client.get_client(1, session=sess, **kwargs) return cli
def get_session(auth_url, endpoint, domain_id, domain_name, project_id, project_name, project_domain_name, project_domain_id, username, user_id, password, user_domain_id, user_domain_name, token, insecure, cacert): session = ks_session.Session() # Build + Attach Authentication Plugin auth_args = { 'auth_url': auth_url, 'domain_id': domain_id, 'domain_name': domain_name, 'project_id': project_id, 'project_name': project_name, 'project_domain_name': project_domain_name, 'project_domain_id': project_domain_id, } if token and endpoint: session.auth = token_endpoint.Token(endpoint, token) elif token: auth_args.update({'token': token}) session.auth = generic.Token(**auth_args) else: auth_args.update({ 'username': username, 'user_id': user_id, 'password': password, 'user_domain_id': user_domain_id, 'user_domain_name': user_domain_name, }) session.auth = generic.Password(**auth_args) # SSL/TLS Server Cert Verification if insecure is True: session.verify = False else: session.verify = cacert return session
def get_clients(context): global _SESSION if not _SESSION: _SESSION = loading.load_session_from_conf_options(CONF, 'designate') auth = token_endpoint.Token(CONF.designate.url, context.auth_token) client = d_client.Client(session=_SESSION, auth=auth) if CONF.designate.auth_type: admin_auth = loading.load_auth_from_conf_options(CONF, 'designate') else: # TODO(tkajinam): Make this fail when admin_* parameters are removed. admin_auth = password.Password( auth_url=CONF.designate.admin_auth_url, username=CONF.designate.admin_username, password=CONF.designate.admin_password, tenant_name=CONF.designate.admin_tenant_name, tenant_id=CONF.designate.admin_tenant_id) admin_client = d_client.Client(session=_SESSION, auth=admin_auth, endpoint_override=CONF.designate.url) return client, admin_client
def test_endpoint_override_fails_to_replace_if_none(self): # The token_endpoint plugin doesn't know user_id or project_id auth = token_endpoint.Token(uuid.uuid4().hex, uuid.uuid4().hex) sess = client_session.Session(auth=auth) override_base = 'http://mytest/%(project_id)s' e = self.assertRaises(ValueError, sess.get, '/path', endpoint_override=override_base, endpoint_filter={'service_type': 'identity'}) self.assertIn('project_id', str(e)) override_base = 'http://mytest/%(user_id)s' e = self.assertRaises(ValueError, sess.get, '/path', endpoint_override=override_base, endpoint_filter={'service_type': 'identity'}) self.assertIn('user_id', str(e))
def keystoneclient(request, admin=False): """Returns a client connected to the Keystone backend. Several forms of authentication are supported: * Username + password -> Unscoped authentication * Username + password + tenant id -> Scoped authentication * Unscoped token -> Unscoped authentication * Unscoped token + tenant id -> Scoped authentication * Scoped token -> Scoped authentication Available services and data from the backend will vary depending on whether the authentication was scoped or unscoped. Lazy authentication if an ``endpoint`` parameter is provided. Calls requiring the admin endpoint should have ``admin=True`` passed in as a keyword argument. The client is cached so that subsequent API calls during the same request/response cycle don't have to be re-authenticated. """ client_version = VERSIONS.get_active_version() user = request.user token_id = user.token.id if is_multi_domain_enabled(): is_domain_context_specified = bool( request.session.get("domain_context")) # If user is Cloud Admin, Domain Admin or Mixed Domain Admin and there # is no domain context specified, use domain scoped token if is_domain_admin(request) and not is_domain_context_specified: domain_token = request.session.get('domain_token') if domain_token: token_id = getattr(domain_token, 'auth_token', None) if admin: if not policy.check((("identity", "admin_required"),), request): raise exceptions.NotAuthorized endpoint_type = 'adminURL' else: endpoint_type = settings.OPENSTACK_ENDPOINT_TYPE # Take care of client connection caching/fetching a new client. # Admin vs. non-admin clients are cached separately for token matching. cache_attr = "_keystoneclient_admin" if admin \ else backend.KEYSTONE_CLIENT_ATTR if (hasattr(request, cache_attr) and (not user.token.id or getattr(request, cache_attr).auth_token == user.token.id)): conn = getattr(request, cache_attr) else: endpoint = _get_endpoint_url(request, endpoint_type) verify = not settings.OPENSTACK_SSL_NO_VERIFY cacert = settings.OPENSTACK_SSL_CACERT verify = verify and cacert LOG.debug("Creating a new keystoneclient connection to %s.", endpoint) remote_addr = request.environ.get('REMOTE_ADDR', '') token_auth = token_endpoint.Token(endpoint=endpoint, token=token_id) keystone_session = session.Session(auth=token_auth, original_ip=remote_addr, verify=verify) conn = client_version['client'].Client(session=keystone_session, debug=settings.DEBUG) setattr(request, cache_attr, conn) return conn
def _mock_unscoped_client_with_token(self, user, unscoped): plugin = token_endpoint.Token(settings.OPENSTACK_KEYSTONE_URL, unscoped.auth_token) return self.ks_client_module.Client(session=mox.IsA(session.Session), auth=plugin)