def test_no_auth_plugin_parameters(self):
# auth plugin (password / token) may not be present.
post_data = {
'identity': {
'methods': ['password'],
},
}
schema.validate_issue_token_auth(post_data)
def test_no_auth_plugin_parameters(self):
# auth plugin (password / token) may not be present.
post_data = {
'identity': {
'methods': ['password'],
},
}
schema.validate_issue_token_auth(post_data)
def test_token(self):
# valid token auth plugin data is supported.
p = {
'identity': {
'methods': ['token'],
'token': {
'id': 'something',
},
},
}
schema.validate_issue_token_auth(p)
def test_token(self):
# valid token auth plugin data is supported.
p = {
'identity': {
'methods': ['token'],
'token': {
'id': 'something',
},
},
}
schema.validate_issue_token_auth(p)
def post(self):
"""Issue a token.
POST /v3/auth/tokens
"""
include_catalog = 'nocatalog' not in flask.request.args
auth_data = self.request_body_json.get('auth')
auth_schema.validate_issue_token_auth(auth_data)
token = authentication.authenticate_for_token(auth_data)
resp_data = render_token.render_token_response_from_model(
token, include_catalog=include_catalog)
resp_body = jsonutils.dumps(resp_data)
response = flask.make_response(resp_body, http_client.CREATED)
response.headers['X-Subject-Token'] = token.id
response.headers['Content-Type'] = 'application/json'
return response
def test_two_methods(self):
post_data = {
'identity': {
'methods': ['password', 'mapped'],
'password': {
'user': {
'name': 'admin',
'domain': {
'name': 'Default',
},
'password': '******',
},
},
},
}
schema.validate_issue_token_auth(post_data)
def test_two_methods(self):
post_data = {
'identity': {
'methods': ['password', 'mapped'],
'password': {
'user': {
'name': 'admin',
'domain': {
'name': 'Default',
},
'password': '******',
},
},
},
}
schema.validate_issue_token_auth(post_data)
def post(self):
"""Issue a token.
POST /v3/auth/tokens
"""
include_catalog = 'nocatalog' not in flask.request.args
auth_data = self.request_body_json.get('auth')
auth_schema.validate_issue_token_auth(auth_data)
token = authentication.authenticate_for_token(auth_data)
resp_data = render_token.render_token_response_from_model(
token, include_catalog=include_catalog
)
resp_body = jsonutils.dumps(resp_data)
response = flask.make_response(resp_body, http_client.CREATED)
response.headers['X-Subject-Token'] = token.id
response.headers['Content-Type'] = 'application/json'
return response
def test_additional_properties(self):
# Everything can have extra properties and they're ignored.
p = {
'identity': {
'methods': ['password'],
'password': {
'user': {
'id': 'whatever',
'extra4': 'whatever4',
'domain': {
'id': 'whatever',
'extra5': 'whatever5',
},
},
'extra3': 'whatever3',
},
'token': {
'id': 'something',
'extra9': 'whatever9',
},
'extra4': 'whatever4',
},
'scope': {
'project': {
'id': 'something',
'domain': {
'id': 'something',
'extra8': 'whatever8',
},
'extra7': 'whatever7',
},
'domain': {
'id': 'something',
'extra9': 'whatever9',
},
'extra6': 'whatever6',
},
'extra2': 'whatever2',
}
schema.validate_issue_token_auth(p)
def test_additional_properties(self):
# Everything can have extra properties and they're ignored.
p = {
'identity': {
'methods': ['password'],
'password': {
'user': {
'id': 'whatever',
'extra4': 'whatever4',
'domain': {
'id': 'whatever',
'extra5': 'whatever5',
},
},
'extra3': 'whatever3',
},
'token': {
'id': 'something',
'extra9': 'whatever9',
},
'extra4': 'whatever4',
},
'scope': {
'project': {
'id': 'something',
'domain': {
'id': 'something',
'extra8': 'whatever8',
},
'extra7': 'whatever7',
},
'domain': {
'id': 'something',
'extra9': 'whatever9',
},
'extra6': 'whatever6',
},
'extra2': 'whatever2',
}
schema.validate_issue_token_auth(p)
def test_project_scoped(self):
post_data = {
'identity': {
'methods': ['password'],
'password': {
'user': {
'name': 'admin',
'domain': {
'name': 'Default',
},
'password': '******',
},
},
},
'scope': {
'project': {
'name': 'demo',
'domain': {
'name': 'Default',
},
},
},
}
schema.validate_issue_token_auth(post_data)
def test_project_scoped(self):
post_data = {
'identity': {
'methods': ['password'],
'password': {
'user': {
'name': 'admin',
'domain': {
'name': 'Default',
},
'password': '******',
},
},
},
'scope': {
'project': {
'name': 'demo',
'domain': {
'name': 'Default',
},
},
},
}
schema.validate_issue_token_auth(post_data)
def authenticate_for_token(self, request, auth=None):
"""Authenticate user and issue a token."""
include_catalog = 'nocatalog' not in request.params
schema.validate_issue_token_auth(auth)
try:
auth_info = core.AuthInfo.create(auth=auth)
auth_context = core.AuthContext(method_names=[], bind={})
self.authenticate(request, auth_info, auth_context)
if auth_context.get('access_token_id'):
auth_info.set_scope(None, auth_context['project_id'], None)
self._check_and_set_default_scoping(auth_info, auth_context)
(domain_id, project_id, trust, unscoped,
system) = (auth_info.get_scope())
trust_id = trust.get('id') if trust else None
# NOTE(notmorgan): only methods that actually run and succeed will
# be in the auth_context['method_names'] list. Do not blindly take
# the values from auth_info, look at the authoritative values. Make
# sure the set is unique.
method_names_set = set(auth_context.get('method_names', []))
method_names = list(method_names_set)
app_cred_id = None
if 'application_credential' in method_names:
token_auth = auth_info.auth['identity']
app_cred_id = token_auth['application_credential']['id']
# Do MFA Rule Validation for the user
if not self._mfa_rules_validator.check_auth_methods_against_rules(
auth_context['user_id'], method_names_set):
raise exception.InsufficientAuthMethods(
user_id=auth_context['user_id'],
methods='[%s]' % ','.join(auth_info.get_method_names()))
expires_at = auth_context.get('expires_at')
token_audit_id = auth_context.get('audit_id')
token = PROVIDERS.token_provider_api.issue_token(
auth_context['user_id'],
method_names,
expires_at=expires_at,
system=system,
project_id=project_id,
domain_id=domain_id,
auth_context=auth_context,
trust_id=trust_id,
app_cred_id=app_cred_id,
parent_audit_id=token_audit_id)
token_reference = controller.render_token_response_from_model(
token, include_catalog=include_catalog)
# NOTE(wanghong): We consume a trust use only when we are using
# trusts and have successfully issued a token.
if trust:
PROVIDERS.trust_api.consume_use(token.trust_id)
return render_token_data_response(token.id,
token_reference,
created=True)
except exception.TrustNotFound as e:
LOG.warning(six.text_type(e))
raise exception.Unauthorized(e)
