def format_response(callable_returning_session, nonmatching_tenant_message_generator): try: session = callable_returning_session() except NonMatchingTenantError as e: request.setResponseCode(401) return json.dumps({ "unauthorized": { "code": 401, "message": nonmatching_tenant_message_generator(e) } }) else: request.setResponseCode(200) prefix_map = { # map of entry to URI prefix for that entry } def lookup(entry): return prefix_map[entry] result = get_token( session.tenant_id, entry_generator=lambda tenant_id: list(self.core.entries_for_tenant( tenant_id, prefix_map, base_uri_from_request(request))), prefix_for_endpoint=lookup, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ) return json.dumps(result)
def get_token_and_service_catalog(self, request): """ Return a service catalog consisting of nova and load balancer mocked endpoints and an api token. """ content = json.loads(request.content.read()) # tenant_id = content['auth'].get('tenantName', None) credentials = content['auth']['passwordCredentials'] session = self.core.session_for_username_password( credentials['username'], credentials['password'], content['auth'].get('tenantName', None), ) request.setResponseCode(200) prefix_map = { # map of entry to URI prefix for that entry } def lookup(entry): return prefix_map[entry] return json.dumps( get_token( session.tenant_id, entry_generator=lambda tenant_id: list( self.core.entries_for_tenant( tenant_id, prefix_map, base_uri_from_request(request)) ), prefix_for_entry=lookup, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ))
def get_token_and_service_catalog(self, request): """ Return a service catalog consisting of nova and load balancer mocked endpoints and an api token. """ content = json.loads(request.content.read()) # tenant_id = content['auth'].get('tenantName', None) credentials = content["auth"]["passwordCredentials"] session = self.core.sessions.session_for_username_password( credentials["username"], credentials["password"], content["auth"].get("tenantName", None) ) request.setResponseCode(200) prefix_map = { # map of entry to URI prefix for that entry } def lookup(entry): return prefix_map[entry] return json.dumps( get_token( session.tenant_id, entry_generator=lambda tenant_id: list( self.core.entries_for_tenant(tenant_id, prefix_map, base_uri_from_request(request)) ), prefix_for_endpoint=lookup, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ) )
def format_response(callable_returning_session, nonmatching_tenant_message_generator): try: session = callable_returning_session() except NonMatchingTenantError as e: request.setResponseCode(401) return json.dumps({ "unauthorized": { "code": 401, "message": nonmatching_tenant_message_generator(e) } }) else: request.setResponseCode(200) prefix_map = { # map of entry to URI prefix for that entry } def lookup(entry): return prefix_map[entry] result = get_token( session.tenant_id, entry_generator=lambda tenant_id: list( self.core.entries_for_tenant( tenant_id, prefix_map, base_uri_from_request(request))), prefix_for_endpoint=lookup, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ) return json.dumps(result)
def default_authentication_behavior(core, http_request, credentials): """ Default behavior in response to a server creation. This will create a session for the tenant if one does not already exist, and return the auth token for that session. In the case of :class:`PasswordCredentials`, :class:`ApiKeyCredentials`, or :class:`TokenCredentials`, also returns the service catalog. :param core: An instance of :class:`mimic.core.MimicCore` :param http_request: A twisted http request/response object :param credentials: An `mimic.model.identity.ICredentials` provider Handles setting the response code and also :return: The response body for a default authentication request. """ try: session = credentials.get_session(core.sessions) except NonMatchingTenantError as e: http_request.setResponseCode(401) if type(credentials) == TokenCredentials: message = ("Token doesn't belong to Tenant with Id/Name: " "'{0}'".format(e.desired_tenant)) else: message = ("Tenant with Name/Id: '{0}' is not valid for " "User '{1}' (id: '{2}')".format(e.desired_tenant, e.session.username, e.session.user_id)) return json.dumps({"unauthorized": {"code": 401, "message": message}}) else: if type(credentials) == ImpersonationCredentials: return json.dumps({ "access": { "token": { "id": credentials.impersonated_token, "expires": format_timestamp(session.expires) } } }) http_request.setResponseCode(200) prefix_map = { # map of entry to URI prefix for that entry } def lookup(entry): return prefix_map[entry] result = get_token( session.tenant_id, entry_generator=lambda tenant_id: list( core.entries_for_tenant(session.tenant_id, prefix_map, base_uri_from_request(http_request))), prefix_for_endpoint=lookup, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ) return json.dumps(result)
def default_authentication_behavior(core, http_request, credentials): """ Default behavior in response to a server creation. This will create a session for the tenant if one does not already exist, and return the auth token for that session. In the case of :class:`PasswordCredentials`, :class:`ApiKeyCredentials`, or :class:`TokenCredentials`, also returns the service catalog. :param core: An instance of :class:`mimic.core.MimicCore` :param http_request: A twisted http request/response object :param credentials: An `mimic.model.identity.ICredentials` provider Handles setting the response code and also :return: The response body for a default authentication request. """ try: session = credentials.get_session(core.sessions) except NonMatchingTenantError as e: http_request.setResponseCode(401) if type(credentials) == TokenCredentials: message = "Token doesn't belong to Tenant with Id/Name: " "'{0}'".format(e.desired_tenant) else: message = "Tenant with Name/Id: '{0}' is not valid for " "User '{1}' (id: '{2}')".format( e.desired_tenant, e.session.username, e.session.user_id ) return json.dumps({"unauthorized": {"code": 401, "message": message}}) else: if type(credentials) == ImpersonationCredentials: return json.dumps( { "access": { "token": {"id": credentials.impersonated_token, "expires": format_timestamp(session.expires)} } } ) http_request.setResponseCode(200) prefix_map = { # map of entry to URI prefix for that entry } def lookup(entry): return prefix_map[entry] result = get_token( session.tenant_id, entry_generator=lambda tenant_id: list( core.entries_for_tenant(session.tenant_id, prefix_map, base_uri_from_request(http_request)) ), prefix_for_endpoint=lookup, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ) return json.dumps(result)
def get_service_catalog_and_token(self, request): """ Return a service catalog consisting of nova and load balancer mocked endpoints and an api token. """ content = json.loads(request.content.read()) try: tenant_id = content['auth']['tenantName'] except KeyError: tenant_id = 'test' request.setResponseCode(200) return json.dumps(get_token(tenant_id))
def get_token_and_service_catalog(self, request): """ Return a service catalog consisting of all plugin endpoints and an api token. """ try: content = json.loads(request.content.read()) except ValueError: request.setResponseCode(400) return json.dumps(invalid_resource("Invalid JSON request body")) tenant_id = (content['auth'].get('tenantName', None) or content['auth'].get('tenantId', None)) if content['auth'].get('passwordCredentials'): username = content['auth']['passwordCredentials']['username'] password = content['auth']['passwordCredentials']['password'] session = self.core.sessions.session_for_username_password( username, password, tenant_id) elif content['auth'].get('RAX-KSKEY:apiKeyCredentials'): username = content['auth']['RAX-KSKEY:apiKeyCredentials'][ 'username'] api_key = content['auth']['RAX-KSKEY:apiKeyCredentials']['apiKey'] session = self.core.sessions.session_for_api_key( username, api_key, tenant_id) elif content['auth'].get('token') and tenant_id: session = self.core.sessions.session_for_token( content['auth']['token']['id'], tenant_id) else: request.setResponseCode(400) return json.dumps(invalid_resource("Invalid JSON request body")) request.setResponseCode(200) prefix_map = { # map of entry to URI prefix for that entry } def lookup(entry): return prefix_map[entry] return json.dumps( get_token( session.tenant_id, entry_generator=lambda tenant_id: list( self.core.entries_for_tenant( tenant_id, prefix_map, base_uri_from_request(request)) ), prefix_for_endpoint=lookup, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ))
def get_token_and_service_catalog(self, request): """ Return a service catalog consisting of all plugin endpoints and an api token. """ try: content = json.loads(request.content.read()) except ValueError: request.setResponseCode(400) return json.dumps(invalid_resource("Invalid JSON request body")) tenant_id = (content['auth'].get('tenantName', None) or content['auth'].get('tenantId', None)) if content['auth'].get('passwordCredentials'): username = content['auth']['passwordCredentials']['username'] password = content['auth']['passwordCredentials']['password'] session = self.core.sessions.session_for_username_password( username, password, tenant_id) elif content['auth'].get('RAX-KSKEY:apiKeyCredentials'): username = content['auth']['RAX-KSKEY:apiKeyCredentials']['username'] api_key = content['auth']['RAX-KSKEY:apiKeyCredentials']['apiKey'] session = self.core.sessions.session_for_api_key( username, api_key, tenant_id) elif content['auth'].get('token') and tenant_id: session = self.core.sessions.session_for_token( content['auth']['token']['id'], tenant_id) else: request.setResponseCode(400) return json.dumps(invalid_resource("Invalid JSON request body")) request.setResponseCode(200) prefix_map = { # map of entry to URI prefix for that entry } def lookup(entry): return prefix_map[entry] return json.dumps( get_token( session.tenant_id, entry_generator=lambda tenant_id: list(self.core.entries_for_tenant( tenant_id, prefix_map, base_uri_from_request(request))), prefix_for_endpoint=lookup, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ) )
def validate_token(self, request, token_id): """ Creates a new session for the given tenant_id and token_id and always returns response code 200. Docs: http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken # noqa """ request.setResponseCode(200) session = None # Attempt to get the session based on tenant_id+token if the optional # tenant_id is provided; if tenant_id is not provided, then just look # it up based on the token. tenant_id = request.args.get(b'belongsTo') if tenant_id is not None: tenant_id = tenant_id[0].decode("utf-8") session = self.core.sessions.session_for_tenant_id( tenant_id, token_id) else: session = self.core.sessions.session_for_token( token_id ) response = get_token( session.tenant_id, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ) if session.impersonator_session_for_token(token_id) is not None: impersonator_session = session.impersonator_session_for_token(token_id) response["access"]["RAX-AUTH:impersonator"] = impersonator_user_role( impersonator_session.user_id, impersonator_session.username) if token_id in get_presets["identity"]["token_fail_to_auth"]: request.setResponseCode(401) return json.dumps({'itemNotFound': {'code': 401, 'message': 'Invalid auth token'}}) imp_token = get_presets["identity"]["maas_admin_roles"] racker_token = get_presets["identity"]["racker_token"] if token_id in imp_token: response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{"id": "123", "name": "monitoring:service-admin"}, {"id": "234", "name": "object-store:admin"}]} if token_id in racker_token: response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{"id": "9", "name": "Racker"}]} if tenant_id in get_presets["identity"]["observer_role"]: response["access"]["user"]["roles"] = [ {"id": "observer", "description": "Global Observer Role.", "name": "observer"}] if tenant_id in get_presets["identity"]["creator_role"]: response["access"]["user"]["roles"] = [ {"id": "creator", "description": "Global Creator Role.", "name": "creator"}] if tenant_id in get_presets["identity"]["admin_role"]: response["access"]["user"]["roles"] = [ {"id": "admin", "description": "Global Admin Role.", "name": "admin"}, {"id": "observer", "description": "Global Observer Role.", "name": "observer"}] # Canned responses to be removed ... if token_id in get_presets["identity"]["non_dedicated_observer"]: response["access"]["token"]["tenant"] = { "id": "135790", "name": "135790", } response["access"]["user"] = { "id": "12", "name": "OneTwo", "roles": [{"id": "1", "name": "monitoring:observer", "description": "Monitoring Observer"}] } if token_id in get_presets["identity"]["non_dedicated_admin"]: response["access"]["token"]["tenant"] = { "id": "135790", "name": "135790", } response["access"]["user"] = { "id": "34", "name": "ThreeFour", "roles": [{"id": "1", "name": "monitoring:admin", "description": "Monitoring Admin"}, {"id": "2", "name": "admin", "description": "Admin"}] } if token_id in get_presets["identity"]["non_dedicated_impersonator"]: response["access"]["token"]["tenant"] = { "id": "135790", "name": "135790", } response["access"]["user"] = { "id": "34", "name": "ThreeFour", "roles": [{"id": "1", "name": "identity:nobody", "description": "Nobody"}] } response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{"id": "1", "name": "monitoring:service-admin"}, {"id": "2", "name": "object-store:admin"}] } if token_id in get_presets["identity"]["non_dedicated_racker"]: response["access"]["token"]["tenant"] = { "id": "135790", "name": "135790", } response["access"]["user"] = { "id": "34", "name": "ThreeFour", "roles": [{"id": "1", "name": "identity:nobody", "description": "Nobody"}] } response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{"id": "1", "name": "Racker"}] } if token_id in get_presets["identity"]["dedicated_full_device_permission_holder"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "12", "name": "HybridOneTwo", "roles": [{"id": "1", "name": "monitoring:observer", "tenantId": "hybrid:123456"}], "RAX-AUTH:contactId": "12" } if token_id in get_presets["identity"]["dedicated_account_permission_holder"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "34", "name": "HybridThreeFour", "roles": [{"id": "1", "name": "monitoring:creator", "description": "Monitoring Creator"}, {"id": "2", "name": "creator", "description": "Creator"}], "RAX-AUTH:contactId": "34" } if token_id in get_presets["identity"]["dedicated_limited_device_permission_holder"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "56", "name": "HybridFiveSix", "roles": [{"id": "1", "name": "monitoring:observer", "description": "Monitoring Observer"}, {"id": "2", "name": "observer", "description": "Observer"}], "RAX-AUTH:contactId": "56" } if token_id in get_presets["identity"]["dedicated_racker"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "12", "name": "HybridOneTwo", "roles": [{"id": "1", "name": "identity:nobody", "description": "Nobody"}], "RAX-AUTH:contactId": "12" } response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{"id": "1", "name": "Racker"}] } if token_id in get_presets["identity"]["dedicated_impersonator"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "34", "name": "HybridThreeFour", "roles": [{"id": "1", "name": "identity:nobody", "description": "Nobody"}], "RAX-AUTH:contactId": "34" } response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{"id": "1", "name": "monitoring:service-admin"}] } if token_id in get_presets["identity"]["dedicated_non_permission_holder"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "78", "name": "HybridSevenEight", "roles": [{"id": "1", "name": "identity:user-admin", "description": "User admin"}], "RAX-AUTH:contactId": "78" } if token_id in get_presets["identity"]["dedicated_quasi_user_impersonator"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "90", "name": "HybridNineZero", "roles": [{"id": "1", "name": "identity:user-admin", "description": "Admin"}, {"id": "3", "name": "hybridRole", "description": "Hybrid Admin", "tenantId": "hybrid:123456"}] } response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{"id": "1", "name": "monitoring:service-admin"}] } return json.dumps(response)
def test_tokens_response(self): """ :func:`get_token` returns JSON-serializable data in the format presented by a ``POST /v2.0/tokens`` API request; i.e. the normal user-facing service catalog generation. """ tenant_id = 'abcdefg' self.assertEqual( get_token( tenant_id=tenant_id, timestamp=lambda dt: "<<<timestamp>>>", entry_generator=example_endpoints(lambda: 1), prefix_for_endpoint=lambda e: 'prefix' ), { "access": { "token": { "id": HARD_CODED_TOKEN, "expires": "<<<timestamp>>>", "tenant": { "id": tenant_id, "name": tenant_id, # TODO: parameterize later }, "RAX-AUTH:authenticatedBy": [ "PASSWORD", ] }, "serviceCatalog": [ { "name": "something", "type": "compute", "endpoints": [ { "region": "EXAMPLE_1", "tenantId": "abcdefg_1", "publicURL": "http://ok_1" }, { "region": "EXAMPLE_2", "tenantId": "abcdefg_2", "publicURL": "http://ok_2" } ] }, { "name": "something_else", "type": "compute", "endpoints": [ { "region": "EXAMPLE_1", "tenantId": "abcdefg_1", "publicURL": "http://ok_1" }, { "region": "EXAMPLE_2", "tenantId": "abcdefg_2", "publicURL": "http://ok_2" } ] } ], "user": { "id": HARD_CODED_USER_ID, "name": HARD_CODED_USER_NAME, "roles": HARD_CODED_ROLES, } } } )
def validate_token(self, request, token_id): """ Creates a new session for the given tenant_id and token_id and always returns response code 200. Docs: http://developer.openstack.org/api-ref-identity-v2.html#admin-tokens """ request.setResponseCode(200) tenant_id = request.args.get('belongsTo') if tenant_id is not None: tenant_id = tenant_id[0] session = self.core.sessions.session_for_tenant_id(tenant_id, token_id) response = get_token( session.tenant_id, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ) if session.impersonator_session_for_token(token_id) is not None: impersonator_session = session.impersonator_session_for_token( token_id) response["access"][ "RAX-AUTH:impersonator"] = impersonator_user_role( impersonator_session.user_id, impersonator_session.username) if token_id in get_presets["identity"]["token_fail_to_auth"]: request.setResponseCode(401) return json.dumps({ 'itemNotFound': { 'code': 401, 'message': 'Invalid auth token' } }) imp_token = get_presets["identity"]["maas_admin_roles"] racker_token = get_presets["identity"]["racker_token"] if token_id in imp_token: response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{ "id": "123", "name": "monitoring:service-admin" }, { "id": "234", "name": "object-store:admin" }] } if token_id in racker_token: response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{ "id": "9", "name": "Racker" }] } if tenant_id in get_presets["identity"]["observer_role"]: response["access"]["user"]["roles"] = [{ "id": "observer", "description": "Global Observer Role.", "name": "observer" }] if tenant_id in get_presets["identity"]["creator_role"]: response["access"]["user"]["roles"] = [{ "id": "creator", "description": "Global Creator Role.", "name": "creator" }] if tenant_id in get_presets["identity"]["admin_role"]: response["access"]["user"]["roles"] = [{ "id": "admin", "description": "Global Admin Role.", "name": "admin" }, { "id": "observer", "description": "Global Observer Role.", "name": "observer" }] if token_id in get_presets["identity"]["non_dedicated_observer"]: response["access"]["token"]["tenant"] = { "id": "135790", "name": "135790", } response["access"]["user"] = { "name": "OneTwo", "roles": [{ "id": "1", "name": "monitoring:observer", "description": "Monitoring Observer" }] } if token_id in get_presets["identity"]["non_dedicated_admin"]: response["access"]["token"]["tenant"] = { "id": "135790", "name": "135790", } response["access"]["user"] = { "name": "ThreeFour", "roles": [{ "id": "1", "name": "monitoring:admin", "description": "Monitoring Admin" }, { "id": "2", "name": "admin", "description": "Admin" }] } if token_id in get_presets["identity"][ "dedicated_full_device_permission_holder"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "12", "name": "HybridOneTwo", "roles": [{ "id": "1", "name": "monitoring:observer", "description": "Monitoring Observer" }, { "id": "3", "name": "hybridRole", "description": "Hybrid Admin", "tenantId": "hybrid:123456" }], "RAX-AUTH:contactId": "12" } if token_id in get_presets["identity"][ "dedicated_account_permission_holder"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "34", "name": "HybridThreeFour", "roles": [{ "id": "1", "name": "monitoring:creator", "description": "Monitoring Creator" }, { "id": "2", "name": "creator", "description": "Creator" }], "RAX-AUTH:contactId": "34" } if token_id in get_presets["identity"][ "dedicated_limited_device_permission_holder"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "56", "name": "HybridFiveSix", "roles": [{ "id": "1", "name": "monitoring:observer", "description": "Monitoring Observer" }, { "id": "2", "name": "observer", "description": "Observer" }], "RAX-AUTH:contactId": "56" } if token_id in get_presets["identity"][ "dedicated_other_account_observer"]: response["access"]["token"]["tenant"] = { "id": "hybrid:654321", "name": "hybrid:654321", } response["access"]["user"] = { "id": "78", "name": "HybridSevenEight", "roles": [{ "id": "1", "name": "monitoring:observer", "description": "Observer" }, { "id": "2", "name": "observer", "description": "Observer" }], "RAX-AUTH:contactId": "78" } if token_id in get_presets["identity"][ "dedicated_other_account_admin"]: response["access"]["token"]["tenant"] = { "id": "hybrid:654321", "name": "hybrid:654321", } response["access"]["user"] = { "id": "90", "name": "HybridNineZero", "roles": [{ "id": "1", "name": "monitoring:admin", "description": "Admin" }, { "id": "2", "name": "admin", "description": "Admin" }], "RAX-AUTH:contactId": "90" } return json.dumps(response)
def validate_token(self, request, token_id): """ Creates a new session for the given tenant_id and token_id and always returns response code 200. Docs: http://developer.openstack.org/api-ref-identity-v2.html#admin-tokens """ request.setResponseCode(200) tenant_id = request.args.get('belongsTo') if tenant_id is not None: tenant_id = tenant_id[0] session = self.core.sessions.session_for_tenant_id(tenant_id, token_id) response = get_token( session.tenant_id, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ) if session.impersonator_session_for_token(token_id) is not None: impersonator_session = session.impersonator_session_for_token(token_id) response["access"]["RAX-AUTH:impersonator"] = impersonator_user_role( impersonator_session.user_id, impersonator_session.username) if token_id in get_presets["identity"]["token_fail_to_auth"]: request.setResponseCode(401) return json.dumps({'itemNotFound': {'code': 401, 'message': 'Invalid auth token'}}) imp_token = get_presets["identity"]["maas_admin_roles"] racker_token = get_presets["identity"]["racker_token"] if token_id in imp_token: response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{"id": "123", "name": "monitoring:service-admin"}, {"id": "234", "name": "object-store:admin"}]} if token_id in racker_token: response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{"id": "9", "name": "Racker"}]} if tenant_id in get_presets["identity"]["observer_role"]: response["access"]["user"]["roles"] = [ {"id": "observer", "description": "Global Observer Role.", "name": "observer"}] if tenant_id in get_presets["identity"]["creator_role"]: response["access"]["user"]["roles"] = [ {"id": "creator", "description": "Global Creator Role.", "name": "creator"}] if tenant_id in get_presets["identity"]["admin_role"]: response["access"]["user"]["roles"] = [ {"id": "admin", "description": "Global Admin Role.", "name": "admin"}, {"id": "observer", "description": "Global Observer Role.", "name": "observer"}] return json.dumps(response)
def validate_token(self, request, token_id): """ Creates a new session for the given tenant_id and token_id and always returns response code 200. Docs: http://developer.openstack.org/api-ref-identity-v2.html#admin-tokens """ request.setResponseCode(200) tenant_id = request.args.get("belongsTo") if tenant_id is not None: tenant_id = tenant_id[0] session = self.core.sessions.session_for_tenant_id(tenant_id, token_id) response = get_token( session.tenant_id, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ) if session.impersonator_session_for_token(token_id) is not None: impersonator_session = session.impersonator_session_for_token(token_id) response["access"]["RAX-AUTH:impersonator"] = impersonator_user_role( impersonator_session.user_id, impersonator_session.username ) if token_id in get_presets["identity"]["token_fail_to_auth"]: request.setResponseCode(401) return json.dumps({"itemNotFound": {"code": 401, "message": "Invalid auth token"}}) imp_token = get_presets["identity"]["maas_admin_roles"] racker_token = get_presets["identity"]["racker_token"] if token_id in imp_token: response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [ {"id": "123", "name": "monitoring:service-admin"}, {"id": "234", "name": "object-store:admin"}, ], } if token_id in racker_token: response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{"id": "9", "name": "Racker"}], } if tenant_id in get_presets["identity"]["observer_role"]: response["access"]["user"]["roles"] = [ {"id": "observer", "description": "Global Observer Role.", "name": "observer"} ] if tenant_id in get_presets["identity"]["creator_role"]: response["access"]["user"]["roles"] = [ {"id": "creator", "description": "Global Creator Role.", "name": "creator"} ] if tenant_id in get_presets["identity"]["admin_role"]: response["access"]["user"]["roles"] = [ {"id": "admin", "description": "Global Admin Role.", "name": "admin"}, {"id": "observer", "description": "Global Observer Role.", "name": "observer"}, ] if token_id in get_presets["identity"]["non_dedicated_observer"]: response["access"]["token"]["tenant"] = {"id": "135790", "name": "135790"} response["access"]["user"] = { "name": "OneTwo", "roles": [{"id": "1", "name": "monitoring:observer", "description": "Monitoring Observer"}], } if token_id in get_presets["identity"]["non_dedicated_admin"]: response["access"]["token"]["tenant"] = {"id": "135790", "name": "135790"} response["access"]["user"] = { "name": "ThreeFour", "roles": [ {"id": "1", "name": "monitoring:admin", "description": "Monitoring Admin"}, {"id": "2", "name": "admin", "description": "Admin"}, ], } if token_id in get_presets["identity"]["dedicated_full_device_permission_holder"]: response["access"]["token"]["tenant"] = {"id": "hybrid:123456", "name": "hybrid:123456"} response["access"]["user"] = { "id": "12", "name": "HybridOneTwo", "roles": [ {"id": "1", "name": "monitoring:observer", "description": "Monitoring Observer"}, {"id": "3", "name": "hybridRole", "description": "Hybrid Admin", "tenantId": "hybrid:123456"}, ], "RAX-AUTH:contactId": "12", } if token_id in get_presets["identity"]["dedicated_account_permission_holder"]: response["access"]["token"]["tenant"] = {"id": "hybrid:123456", "name": "hybrid:123456"} response["access"]["user"] = { "id": "34", "name": "HybridThreeFour", "roles": [ {"id": "1", "name": "monitoring:creator", "description": "Monitoring Creator"}, {"id": "2", "name": "creator", "description": "Creator"}, ], "RAX-AUTH:contactId": "34", } if token_id in get_presets["identity"]["dedicated_limited_device_permission_holder"]: response["access"]["token"]["tenant"] = {"id": "hybrid:123456", "name": "hybrid:123456"} response["access"]["user"] = { "id": "56", "name": "HybridFiveSix", "roles": [ {"id": "1", "name": "monitoring:observer", "description": "Monitoring Observer"}, {"id": "2", "name": "observer", "description": "Observer"}, ], "RAX-AUTH:contactId": "56", } if token_id in get_presets["identity"]["dedicated_other_account_observer"]: response["access"]["token"]["tenant"] = {"id": "hybrid:654321", "name": "hybrid:654321"} response["access"]["user"] = { "id": "78", "name": "HybridSevenEight", "roles": [ {"id": "1", "name": "monitoring:observer", "description": "Observer"}, {"id": "2", "name": "observer", "description": "Observer"}, ], "RAX-AUTH:contactId": "78", } if token_id in get_presets["identity"]["dedicated_other_account_admin"]: response["access"]["token"]["tenant"] = {"id": "hybrid:654321", "name": "hybrid:654321"} response["access"]["user"] = { "id": "90", "name": "HybridNineZero", "roles": [ {"id": "1", "name": "monitoring:admin", "description": "Admin"}, {"id": "2", "name": "admin", "description": "Admin"}, ], "RAX-AUTH:contactId": "90", } return json.dumps(response)
def validate_token(self, request, token_id): """ Creates a new session for the given tenant_id and token_id and always returns response code 200. Docs: http://developer.openstack.org/api-ref-identity-v2.html#admin-tokens """ request.setResponseCode(200) tenant_id = request.args.get('belongsTo') if tenant_id is not None: tenant_id = tenant_id[0] session = self.core.sessions.session_for_tenant_id(tenant_id, token_id) response = get_token( session.tenant_id, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ) if session.impersonator_session_for_token(token_id) is not None: impersonator_session = session.impersonator_session_for_token( token_id) response["access"][ "RAX-AUTH:impersonator"] = impersonator_user_role( impersonator_session.user_id, impersonator_session.username) if token_id in get_presets["identity"]["token_fail_to_auth"]: request.setResponseCode(401) return json.dumps({ 'itemNotFound': { 'code': 401, 'message': 'Invalid auth token' } }) imp_token = get_presets["identity"]["maas_admin_roles"] racker_token = get_presets["identity"]["racker_token"] if token_id in imp_token: response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{ "id": "123", "name": "monitoring:service-admin" }, { "id": "234", "name": "object-store:admin" }] } if token_id in racker_token: response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{ "id": "9", "name": "Racker" }] } if tenant_id in get_presets["identity"]["observer_role"]: response["access"]["user"]["roles"] = [{ "id": "observer", "description": "Global Observer Role.", "name": "observer" }] if tenant_id in get_presets["identity"]["creator_role"]: response["access"]["user"]["roles"] = [{ "id": "creator", "description": "Global Creator Role.", "name": "creator" }] if tenant_id in get_presets["identity"]["admin_role"]: response["access"]["user"]["roles"] = [{ "id": "admin", "description": "Global Admin Role.", "name": "admin" }, { "id": "observer", "description": "Global Observer Role.", "name": "observer" }] return json.dumps(response)
def validate_token(self, request, token_id): """ Creates a new session for the given tenant_id and token_id and always returns response code 200. `OpenStack Identity v2 Admin Validate Token <http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken>`_ """ request.setResponseCode(200) session = None # Attempt to get the session based on tenant_id+token if the optional # tenant_id is provided; if tenant_id is not provided, then just look # it up based on the token. tenant_id = request.args.get(b'belongsTo') if tenant_id is not None: tenant_id = tenant_id[0].decode("utf-8") session = self.core.sessions.session_for_tenant_id( tenant_id, token_id) else: session = self.core.sessions.session_for_token(token_id) response = get_token( session.tenant_id, response_token=session.token, response_user_id=session.user_id, response_user_name=session.username, ) if session.impersonator_session_for_token(token_id) is not None: impersonator_session = session.impersonator_session_for_token( token_id) response["access"][ "RAX-AUTH:impersonator"] = impersonator_user_role( impersonator_session.user_id, impersonator_session.username) if token_id in get_presets["identity"]["token_fail_to_auth"]: # This is returning a 401 Unauthorized message but in a 404 not_found # JSON data format. Is there a reason for this? An old OpenStack bug? request.setResponseCode(401) return json.dumps({ 'itemNotFound': { 'code': 401, 'message': 'Invalid auth token' } }) imp_token = get_presets["identity"]["maas_admin_roles"] racker_token = get_presets["identity"]["racker_token"] if token_id in imp_token: response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{ "id": "123", "name": "monitoring:service-admin" }, { "id": "234", "name": "object-store:admin" }] } if token_id in racker_token: response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{ "id": "9", "name": "Racker" }] } if tenant_id in get_presets["identity"]["observer_role"]: response["access"]["user"]["roles"] = [{ "id": "observer", "description": "Global Observer Role.", "name": "observer" }] if tenant_id in get_presets["identity"]["creator_role"]: response["access"]["user"]["roles"] = [{ "id": "creator", "description": "Global Creator Role.", "name": "creator" }] if tenant_id in get_presets["identity"]["admin_role"]: response["access"]["user"]["roles"] = [{ "id": "admin", "description": "Global Admin Role.", "name": "admin" }, { "id": "observer", "description": "Global Observer Role.", "name": "observer" }] # Canned responses to be removed ... if token_id in get_presets["identity"]["non_dedicated_observer"]: response["access"]["token"]["tenant"] = { "id": "135790", "name": "135790", } response["access"]["user"] = { "id": "12", "name": "OneTwo", "roles": [{ "id": "1", "name": "monitoring:observer", "description": "Monitoring Observer" }] } if token_id in get_presets["identity"]["non_dedicated_admin"]: response["access"]["token"]["tenant"] = { "id": "135790", "name": "135790", } response["access"]["user"] = { "id": "34", "name": "ThreeFour", "roles": [{ "id": "1", "name": "monitoring:admin", "description": "Monitoring Admin" }, { "id": "2", "name": "admin", "description": "Admin" }] } if token_id in get_presets["identity"]["non_dedicated_impersonator"]: response["access"]["token"]["tenant"] = { "id": "135790", "name": "135790", } response["access"]["user"] = { "id": "34", "name": "ThreeFour", "roles": [{ "id": "1", "name": "identity:nobody", "description": "Nobody" }] } response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{ "id": "1", "name": "monitoring:service-admin" }, { "id": "2", "name": "object-store:admin" }] } if token_id in get_presets["identity"]["non_dedicated_racker"]: response["access"]["token"]["tenant"] = { "id": "135790", "name": "135790", } response["access"]["user"] = { "id": "34", "name": "ThreeFour", "roles": [{ "id": "1", "name": "identity:nobody", "description": "Nobody" }] } response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{ "id": "1", "name": "Racker" }] } if token_id in get_presets["identity"][ "dedicated_full_device_permission_holder"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "12", "name": "HybridOneTwo", "roles": [{ "id": "1", "name": "monitoring:observer", "tenantId": "hybrid:123456" }], "RAX-AUTH:contactId": "12" } if token_id in get_presets["identity"][ "dedicated_account_permission_holder"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "34", "name": "HybridThreeFour", "roles": [{ "id": "1", "name": "monitoring:creator", "description": "Monitoring Creator" }, { "id": "2", "name": "creator", "description": "Creator" }], "RAX-AUTH:contactId": "34" } if token_id in get_presets["identity"][ "dedicated_limited_device_permission_holder"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "56", "name": "HybridFiveSix", "roles": [{ "id": "1", "name": "monitoring:observer", "description": "Monitoring Observer" }, { "id": "2", "name": "observer", "description": "Observer" }], "RAX-AUTH:contactId": "56" } if token_id in get_presets["identity"]["dedicated_racker"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "12", "name": "HybridOneTwo", "roles": [{ "id": "1", "name": "identity:nobody", "description": "Nobody" }], "RAX-AUTH:contactId": "12" } response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{ "id": "1", "name": "Racker" }] } if token_id in get_presets["identity"]["dedicated_impersonator"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "34", "name": "HybridThreeFour", "roles": [{ "id": "1", "name": "identity:nobody", "description": "Nobody" }], "RAX-AUTH:contactId": "34" } response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{ "id": "1", "name": "monitoring:service-admin" }] } if token_id in get_presets["identity"][ "dedicated_non_permission_holder"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "78", "name": "HybridSevenEight", "roles": [{ "id": "1", "name": "identity:user-admin", "description": "User admin" }], "RAX-AUTH:contactId": "78" } if token_id in get_presets["identity"][ "dedicated_quasi_user_impersonator"]: response["access"]["token"]["tenant"] = { "id": "hybrid:123456", "name": "hybrid:123456", } response["access"]["user"] = { "id": "90", "name": "HybridNineZero", "roles": [{ "id": "1", "name": "identity:user-admin", "description": "Admin" }, { "id": "3", "name": "hybridRole", "description": "Hybrid Admin", "tenantId": "hybrid:123456" }] } response["access"]["RAX-AUTH:impersonator"] = { "id": response["access"]["user"]["id"], "name": response["access"]["user"]["name"], "roles": [{ "id": "1", "name": "monitoring:service-admin" }] } return json.dumps(response)
def test_tokens_response(self): """ :func:`get_token` returns JSON-serializable data in the format presented by a ``POST /v2.0/tokens`` API request; i.e. the normal user-facing service catalog generation. """ tenant_id = 'abcdefg' self.assertEqual( get_token(tenant_id=tenant_id, timestamp=lambda dt: "<<<timestamp>>>", entry_generator=example_endpoints(lambda: 1), prefix_for_endpoint=lambda e: 'prefix'), { "access": { "token": { "id": HARD_CODED_TOKEN, "expires": "<<<timestamp>>>", "tenant": { "id": tenant_id, "name": tenant_id, # TODO: parameterize later }, "RAX-AUTH:authenticatedBy": [ "PASSWORD", ] }, "serviceCatalog": [{ "name": "something", "type": "compute", "endpoints": [{ "region": "EXAMPLE_1", "tenantId": "abcdefg_1", "publicURL": "http://ok_1" }, { "region": "EXAMPLE_2", "tenantId": "abcdefg_2", "publicURL": "http://ok_2" }] }, { "name": "something_else", "type": "compute", "endpoints": [{ "region": "EXAMPLE_1", "tenantId": "abcdefg_1", "publicURL": "http://ok_1" }, { "region": "EXAMPLE_2", "tenantId": "abcdefg_2", "publicURL": "http://ok_2" }] }], "user": { "id": HARD_CODED_USER_ID, "name": HARD_CODED_USER_NAME, "roles": HARD_CODED_ROLES, } } })