def validate(cls, validator_context, public_key_path=None):
"""
Validates the JWT authentication system.
"""
config = validator_context.config
http_client = validator_context.http_client
jwt_auth_max = validator_context.jwt_auth_max
config_provider = validator_context.config_provider
if config.get("AUTHENTICATION_TYPE", "Database") != "JWT":
return
verify_endpoint = config.get("JWT_VERIFY_ENDPOINT")
query_endpoint = config.get("JWT_QUERY_ENDPOINT", None)
getuser_endpoint = config.get("JWT_GETUSER_ENDPOINT", None)
issuer = config.get("JWT_AUTH_ISSUER")
if not verify_endpoint:
raise ConfigValidationException("Missing JWT Verification endpoint")
if not issuer:
raise ConfigValidationException("Missing JWT Issuer ID")
override_config_directory = config_provider.get_config_dir_path()
# Try to instatiate the JWT authentication mechanism. This will raise an exception if
# the key cannot be found.
users = ExternalJWTAuthN(
verify_endpoint,
query_endpoint,
getuser_endpoint,
issuer,
override_config_directory,
http_client,
jwt_auth_max,
public_key_path=public_key_path,
requires_email=config.get("FEATURE_MAILING", True),
)
# Verify that we can reach the jwt server
(result, err_msg) = users.ping()
if not result:
msg = (
"Verification of JWT failed: %s. \n\nWe cannot reach the JWT server"
+ "OR JWT auth is misconfigured"
) % err_msg
raise ConfigValidationException(msg)
def get_users_handler(config, _, override_config_dir):
""" Returns a users handler for the authentication configured in the given config object. """
authentication_type = config.get('AUTHENTICATION_TYPE', 'Database')
if authentication_type == 'Database':
return DatabaseUsers()
if authentication_type == 'LDAP':
ldap_uri = config.get('LDAP_URI', 'ldap://localhost')
base_dn = config.get('LDAP_BASE_DN')
admin_dn = config.get('LDAP_ADMIN_DN')
admin_passwd = config.get('LDAP_ADMIN_PASSWD')
user_rdn = config.get('LDAP_USER_RDN', [])
uid_attr = config.get('LDAP_UID_ATTR', 'uid')
email_attr = config.get('LDAP_EMAIL_ATTR', 'mail')
secondary_user_rdns = config.get('LDAP_SECONDARY_USER_RDNS', [])
timeout = config.get('LDAP_TIMEOUT')
network_timeout = config.get('LDAP_NETWORK_TIMEOUT')
allow_tls_fallback = config.get('LDAP_ALLOW_INSECURE_FALLBACK', False)
return LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
allow_tls_fallback, secondary_user_rdns=secondary_user_rdns,
requires_email=features.MAILING, timeout=timeout,
network_timeout=network_timeout)
if authentication_type == 'JWT':
verify_url = config.get('JWT_VERIFY_ENDPOINT')
issuer = config.get('JWT_AUTH_ISSUER')
max_fresh_s = config.get('JWT_AUTH_MAX_FRESH_S', 300)
query_url = config.get('JWT_QUERY_ENDPOINT', None)
getuser_url = config.get('JWT_GETUSER_ENDPOINT', None)
return ExternalJWTAuthN(verify_url, query_url, getuser_url, issuer, override_config_dir,
config['HTTPCLIENT'], max_fresh_s,
requires_email=features.MAILING)
if authentication_type == 'Keystone':
auth_url = config.get('KEYSTONE_AUTH_URL')
auth_version = int(config.get('KEYSTONE_AUTH_VERSION', 2))
timeout = config.get('KEYSTONE_AUTH_TIMEOUT')
keystone_admin_username = config.get('KEYSTONE_ADMIN_USERNAME')
keystone_admin_password = config.get('KEYSTONE_ADMIN_PASSWORD')
keystone_admin_tenant = config.get('KEYSTONE_ADMIN_TENANT')
return get_keystone_users(auth_version, auth_url, keystone_admin_username,
keystone_admin_password, keystone_admin_tenant, timeout,
requires_email=features.MAILING)
if authentication_type == 'AppToken':
if features.DIRECT_LOGIN:
raise Exception('Direct login feature must be disabled to use AppToken internal auth')
if not features.APP_SPECIFIC_TOKENS:
raise Exception('AppToken internal auth requires app specific token support to be enabled')
return AppTokenInternalAuth()
raise RuntimeError('Unknown authentication type: %s' % authentication_type)
def get_users_handler(config, _, override_config_dir):
"""
Returns a users handler for the authentication configured in the given config object.
"""
authentication_type = config.get("AUTHENTICATION_TYPE", "Database")
if authentication_type == "Database":
return DatabaseUsers()
if authentication_type == "LDAP":
ldap_uri = config.get("LDAP_URI", "ldap://localhost")
base_dn = config.get("LDAP_BASE_DN")
admin_dn = config.get("LDAP_ADMIN_DN")
admin_passwd = config.get("LDAP_ADMIN_PASSWD")
user_rdn = config.get("LDAP_USER_RDN", [])
uid_attr = config.get("LDAP_UID_ATTR", "uid")
email_attr = config.get("LDAP_EMAIL_ATTR", "mail")
secondary_user_rdns = config.get("LDAP_SECONDARY_USER_RDNS", [])
timeout = config.get("LDAP_TIMEOUT")
network_timeout = config.get("LDAP_NETWORK_TIMEOUT")
ldap_user_filter = config.get("LDAP_USER_FILTER", None)
allow_tls_fallback = config.get("LDAP_ALLOW_INSECURE_FALLBACK", False)
return LDAPUsers(
ldap_uri,
base_dn,
admin_dn,
admin_passwd,
user_rdn,
uid_attr,
email_attr,
allow_tls_fallback,
secondary_user_rdns=secondary_user_rdns,
requires_email=features.MAILING,
timeout=timeout,
network_timeout=network_timeout,
ldap_user_filter=ldap_user_filter,
)
if authentication_type == "JWT":
verify_url = config.get("JWT_VERIFY_ENDPOINT")
issuer = config.get("JWT_AUTH_ISSUER")
max_fresh_s = config.get("JWT_AUTH_MAX_FRESH_S", 300)
query_url = config.get("JWT_QUERY_ENDPOINT", None)
getuser_url = config.get("JWT_GETUSER_ENDPOINT", None)
return ExternalJWTAuthN(
verify_url,
query_url,
getuser_url,
issuer,
override_config_dir,
config["HTTPCLIENT"],
max_fresh_s,
requires_email=features.MAILING,
)
if authentication_type == "Keystone":
auth_url = config.get("KEYSTONE_AUTH_URL")
auth_version = int(config.get("KEYSTONE_AUTH_VERSION", 2))
timeout = config.get("KEYSTONE_AUTH_TIMEOUT")
keystone_admin_username = config.get("KEYSTONE_ADMIN_USERNAME")
keystone_admin_password = config.get("KEYSTONE_ADMIN_PASSWORD")
keystone_admin_tenant = config.get("KEYSTONE_ADMIN_TENANT")
return get_keystone_users(
auth_version,
auth_url,
keystone_admin_username,
keystone_admin_password,
keystone_admin_tenant,
timeout,
requires_email=features.MAILING,
)
if authentication_type == "AppToken":
if features.DIRECT_LOGIN:
raise Exception(
"Direct login feature must be disabled to use AppToken internal auth"
)
if not features.APP_SPECIFIC_TOKENS:
raise Exception(
"AppToken internal auth requires app specific token support to be enabled"
)
return AppTokenInternalAuth()
raise RuntimeError("Unknown authentication type: %s" % authentication_type)