def fake_keystone(version=3, requires_email=True):
"""
Context manager which instantiates and runs a webserver with a fake Keystone implementation,
until the result is yielded.
Usage:
with fake_keystone(version) as keystone_auth:
# Make keystone_auth requests.
"""
keystone_app, port = _create_app(requires_email)
server_url = "http://" + keystone_app.config["SERVER_HOSTNAME"]
endpoint_url = server_url + "/v3"
if version == 2:
endpoint_url = server_url + "/v2.0/auth"
keystone_auth = get_keystone_users(
version,
endpoint_url,
"adminuser",
"adminpass",
"admintenant",
requires_email=requires_email,
)
with liveserver_app(keystone_app, port):
yield keystone_auth
def get_users_handler(config, _, override_config_dir):
""" Returns a users handler for the authentication configured in the given config object. """
authentication_type = config.get('AUTHENTICATION_TYPE', 'Database')
if authentication_type == 'Database':
return DatabaseUsers()
if authentication_type == 'LDAP':
ldap_uri = config.get('LDAP_URI', 'ldap://localhost')
base_dn = config.get('LDAP_BASE_DN')
admin_dn = config.get('LDAP_ADMIN_DN')
admin_passwd = config.get('LDAP_ADMIN_PASSWD')
user_rdn = config.get('LDAP_USER_RDN', [])
uid_attr = config.get('LDAP_UID_ATTR', 'uid')
email_attr = config.get('LDAP_EMAIL_ATTR', 'mail')
secondary_user_rdns = config.get('LDAP_SECONDARY_USER_RDNS', [])
timeout = config.get('LDAP_TIMEOUT')
network_timeout = config.get('LDAP_NETWORK_TIMEOUT')
allow_tls_fallback = config.get('LDAP_ALLOW_INSECURE_FALLBACK', False)
return LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
allow_tls_fallback, secondary_user_rdns=secondary_user_rdns,
requires_email=features.MAILING, timeout=timeout,
network_timeout=network_timeout)
if authentication_type == 'JWT':
verify_url = config.get('JWT_VERIFY_ENDPOINT')
issuer = config.get('JWT_AUTH_ISSUER')
max_fresh_s = config.get('JWT_AUTH_MAX_FRESH_S', 300)
query_url = config.get('JWT_QUERY_ENDPOINT', None)
getuser_url = config.get('JWT_GETUSER_ENDPOINT', None)
return ExternalJWTAuthN(verify_url, query_url, getuser_url, issuer, override_config_dir,
config['HTTPCLIENT'], max_fresh_s,
requires_email=features.MAILING)
if authentication_type == 'Keystone':
auth_url = config.get('KEYSTONE_AUTH_URL')
auth_version = int(config.get('KEYSTONE_AUTH_VERSION', 2))
timeout = config.get('KEYSTONE_AUTH_TIMEOUT')
keystone_admin_username = config.get('KEYSTONE_ADMIN_USERNAME')
keystone_admin_password = config.get('KEYSTONE_ADMIN_PASSWORD')
keystone_admin_tenant = config.get('KEYSTONE_ADMIN_TENANT')
return get_keystone_users(auth_version, auth_url, keystone_admin_username,
keystone_admin_password, keystone_admin_tenant, timeout,
requires_email=features.MAILING)
if authentication_type == 'AppToken':
if features.DIRECT_LOGIN:
raise Exception('Direct login feature must be disabled to use AppToken internal auth')
if not features.APP_SPECIFIC_TOKENS:
raise Exception('AppToken internal auth requires app specific token support to be enabled')
return AppTokenInternalAuth()
raise RuntimeError('Unknown authentication type: %s' % authentication_type)
def validate(cls, validator_context):
"""
Validates the Keystone authentication system.
"""
config = validator_context.config
if config.get("AUTHENTICATION_TYPE", "Database") != "Keystone":
return
auth_url = config.get("KEYSTONE_AUTH_URL")
auth_version = int(config.get("KEYSTONE_AUTH_VERSION", 2))
admin_username = config.get("KEYSTONE_ADMIN_USERNAME")
admin_password = config.get("KEYSTONE_ADMIN_PASSWORD")
admin_tenant = config.get("KEYSTONE_ADMIN_TENANT")
if not auth_url:
raise ConfigValidationException("Missing authentication URL")
if not admin_username:
raise ConfigValidationException("Missing admin username")
if not admin_password:
raise ConfigValidationException("Missing admin password")
if not admin_tenant:
raise ConfigValidationException("Missing admin tenant")
requires_email = config.get("FEATURE_MAILING", True)
users = get_keystone_users(auth_version, auth_url, admin_username,
admin_password, admin_tenant,
requires_email)
# Verify that the superuser exists. If not, raise an exception.
(result, err_msg) = users.at_least_one_user_exists()
if not result:
msg = (
"Verification that users exist failed: %s. \n\nNo users exist "
+ "in the admin tenant/project " +
"in the remote authentication system " +
"OR Keystone auth is misconfigured.") % err_msg
raise ConfigValidationException(msg)
def validate(cls, validator_context):
""" Validates the Keystone authentication system. """
config = validator_context.config
if config.get('AUTHENTICATION_TYPE', 'Database') != 'Keystone':
return
auth_url = config.get('KEYSTONE_AUTH_URL')
auth_version = int(config.get('KEYSTONE_AUTH_VERSION', 2))
admin_username = config.get('KEYSTONE_ADMIN_USERNAME')
admin_password = config.get('KEYSTONE_ADMIN_PASSWORD')
admin_tenant = config.get('KEYSTONE_ADMIN_TENANT')
if not auth_url:
raise ConfigValidationException('Missing authentication URL')
if not admin_username:
raise ConfigValidationException('Missing admin username')
if not admin_password:
raise ConfigValidationException('Missing admin password')
if not admin_tenant:
raise ConfigValidationException('Missing admin tenant')
requires_email = config.get('FEATURE_MAILING', True)
users = get_keystone_users(auth_version, auth_url, admin_username,
admin_password, admin_tenant,
requires_email)
# Verify that the superuser exists. If not, raise an exception.
(result, err_msg) = users.at_least_one_user_exists()
if not result:
msg = (
'Verification that users exist failed: %s. \n\nNo users exist '
+ 'in the admin tenant/project ' +
'in the remote authentication system ' +
'OR Keystone auth is misconfigured.') % err_msg
raise ConfigValidationException(msg)
def get_users_handler(config, _, override_config_dir):
"""
Returns a users handler for the authentication configured in the given config object.
"""
authentication_type = config.get("AUTHENTICATION_TYPE", "Database")
if authentication_type == "Database":
return DatabaseUsers()
if authentication_type == "LDAP":
ldap_uri = config.get("LDAP_URI", "ldap://localhost")
base_dn = config.get("LDAP_BASE_DN")
admin_dn = config.get("LDAP_ADMIN_DN")
admin_passwd = config.get("LDAP_ADMIN_PASSWD")
user_rdn = config.get("LDAP_USER_RDN", [])
uid_attr = config.get("LDAP_UID_ATTR", "uid")
email_attr = config.get("LDAP_EMAIL_ATTR", "mail")
secondary_user_rdns = config.get("LDAP_SECONDARY_USER_RDNS", [])
timeout = config.get("LDAP_TIMEOUT")
network_timeout = config.get("LDAP_NETWORK_TIMEOUT")
ldap_user_filter = config.get("LDAP_USER_FILTER", None)
allow_tls_fallback = config.get("LDAP_ALLOW_INSECURE_FALLBACK", False)
return LDAPUsers(
ldap_uri,
base_dn,
admin_dn,
admin_passwd,
user_rdn,
uid_attr,
email_attr,
allow_tls_fallback,
secondary_user_rdns=secondary_user_rdns,
requires_email=features.MAILING,
timeout=timeout,
network_timeout=network_timeout,
ldap_user_filter=ldap_user_filter,
)
if authentication_type == "JWT":
verify_url = config.get("JWT_VERIFY_ENDPOINT")
issuer = config.get("JWT_AUTH_ISSUER")
max_fresh_s = config.get("JWT_AUTH_MAX_FRESH_S", 300)
query_url = config.get("JWT_QUERY_ENDPOINT", None)
getuser_url = config.get("JWT_GETUSER_ENDPOINT", None)
return ExternalJWTAuthN(
verify_url,
query_url,
getuser_url,
issuer,
override_config_dir,
config["HTTPCLIENT"],
max_fresh_s,
requires_email=features.MAILING,
)
if authentication_type == "Keystone":
auth_url = config.get("KEYSTONE_AUTH_URL")
auth_version = int(config.get("KEYSTONE_AUTH_VERSION", 2))
timeout = config.get("KEYSTONE_AUTH_TIMEOUT")
keystone_admin_username = config.get("KEYSTONE_ADMIN_USERNAME")
keystone_admin_password = config.get("KEYSTONE_ADMIN_PASSWORD")
keystone_admin_tenant = config.get("KEYSTONE_ADMIN_TENANT")
return get_keystone_users(
auth_version,
auth_url,
keystone_admin_username,
keystone_admin_password,
keystone_admin_tenant,
timeout,
requires_email=features.MAILING,
)
if authentication_type == "AppToken":
if features.DIRECT_LOGIN:
raise Exception(
"Direct login feature must be disabled to use AppToken internal auth"
)
if not features.APP_SPECIFIC_TOKENS:
raise Exception(
"AppToken internal auth requires app specific token support to be enabled"
)
return AppTokenInternalAuth()
raise RuntimeError("Unknown authentication type: %s" % authentication_type)