def get_auth_ref(self, session, **kwargs): headers = {'Accept': 'application/json'} url = self.auth_url.rstrip('/') + '/tokens' params = {'auth': self.get_auth_data(headers)} if self.tenant_id: params['auth']['tenantId'] = self.tenant_id elif self.tenant_name: params['auth']['tenantName'] = self.tenant_name if self.trust_id: params['auth']['trust_id'] = self.trust_id _logger.debug('Making authentication request to %s', url) resp = session.post(url, json=params, headers=headers, authenticated=False, log=False) try: resp_data = resp.json() except ValueError: raise exceptions.InvalidResponse(response=resp) if 'access' not in resp_data: raise exceptions.InvalidResponse(response=resp) return access.AccessInfoV2(resp_data)
def get_auth_ref(self, session, **kwargs): """Obtain a token from a v1 endpoint. This function should not be called independently and is expected to be invoked via the do_authenticate function. This function will be invoked if the AcessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo when invoked. If you are looking to just retrieve the current auth data then you should use get_access. :param session: A session object that can be used for communication. :returns: Token access information. """ headers = {'X-Auth-User': self.user, 'X-Auth-Key': self.key} resp = session.get(self.auth_url, headers=headers, authenticated=False, log=False) if resp.status_code // 100 != 2: raise exceptions.InvalidResponse(response=resp) if 'X-Storage-Url' not in resp.headers: raise exceptions.InvalidResponse(response=resp) if 'X-Auth-Token' not in resp.headers and \ 'X-Storage-Token' not in resp.headers: raise exceptions.InvalidResponse(response=resp) token = resp.headers.get('X-Storage-Token', resp.headers.get('X-Auth-Token')) return AccessInfoV1( auth_url=self.auth_url, storage_url=resp.headers['X-Storage-Url'], account=self.account, username=self.user, auth_token=token, token_life=resp.headers.get('X-Auth-Token-Expires'))
def _get_ecp_assertion(self, session): body = { 'auth': { 'identity': { 'methods': ['token'], 'token': { 'id': self._local_cloud_plugin.get_token(session) } }, 'scope': { 'service_provider': { 'id': self._sp_id } } } } endpoint_filter = { 'version': (3, 0), 'interface': plugin.AUTH_INTERFACE } headers = {'Accept': 'application/json'} resp = session.post(self.REQUEST_ECP_URL, json=body, auth=self._local_cloud_plugin, endpoint_filter=endpoint_filter, headers=headers, authenticated=False, raise_exc=False) # NOTE(marek-denis): I am not sure whether disabling exceptions in the # Session object and testing if resp.ok is sufficient. An alternative # would be catching locally all exceptions and reraising with custom # warning. if not resp.ok: msg = ("Error while requesting ECP wrapped assertion: response " "exit code: %(status_code)d, reason: %(err)s") msg = msg % {'status_code': resp.status_code, 'err': resp.reason} raise exceptions.AuthorizationFailure(msg) if not resp.text: raise exceptions.InvalidResponse(resp) return six.text_type(resp.text)
def _get_ecp_assertion(self, session): url = self._local_cloud_plugin.get_endpoint( session, interface=plugin.AUTH_INTERFACE) body = self._ecp_assertion_request(session) resp = session.post(url=url + self.REQUEST_ECP_URL, json=body, raise_exc=False) # NOTE(marek-denis): I am not sure whether disabling exceptions in the # Session object and testing if resp.ok is sufficient. An alternative # would be catching locally all exceptions and reraising with custom # warning. if not resp.ok: msg = ("Error while requesting ECP wrapped assertion: response " "exit code: %(status_code)d, reason: %(err)s") msg = msg % {'status_code': resp.status_code, 'err': resp.reason} raise exceptions.AuthorizationFailure(msg) if not resp.text: raise exceptions.InvalidResponse(resp) return six.text_type(resp.text)
def get_auth_ref(self, session, **kwargs): headers = {'Accept': 'application/json'} body = {'auth': {'identity': {}}} ident = body['auth']['identity'] rkwargs = {} for method in self.auth_methods: name, auth_data = method.get_auth_data(session, self, headers, request_kwargs=rkwargs) ident.setdefault('methods', []).append(name) ident[name] = auth_data if not ident: raise exceptions.AuthorizationFailure( 'Authentication method required (e.g. password)') mutual_exclusion = [ bool(self.domain_id or self.domain_name), bool(self.project_id or self.project_name), bool(self.trust_id), bool(self.unscoped) ] if sum(mutual_exclusion) > 1: raise exceptions.AuthorizationFailure( 'Authentication cannot be scoped to multiple targets. Pick ' 'one of: project, domain, trust or unscoped') if self.domain_id: body['auth']['scope'] = {'domain': {'id': self.domain_id}} elif self.domain_name: body['auth']['scope'] = {'domain': {'name': self.domain_name}} elif self.project_id: body['auth']['scope'] = {'project': {'id': self.project_id}} elif self.project_name: scope = body['auth']['scope'] = {'project': {}} scope['project']['name'] = self.project_name if self.project_domain_id: scope['project']['domain'] = {'id': self.project_domain_id} elif self.project_domain_name: scope['project']['domain'] = {'name': self.project_domain_name} elif self.trust_id: body['auth']['scope'] = {'OS-TRUST:trust': {'id': self.trust_id}} elif self.unscoped: body['auth']['scope'] = {'unscoped': {}} # NOTE(jamielennox): we add nocatalog here rather than in token_url # directly as some federation plugins require the base token_url token_url = self.token_url if not self.include_catalog: token_url += '?nocatalog' _logger.debug('Making authentication request to %s', token_url) resp = session.post(token_url, json=body, headers=headers, authenticated=False, log=False, **rkwargs) try: _logger.debug(json.dumps(resp.json())) resp_data = resp.json() except ValueError: raise exceptions.InvalidResponse(response=resp) if 'token' not in resp_data: raise exceptions.InvalidResponse(response=resp) return access.AccessInfoV3(auth_token=resp.headers['X-Subject-Token'], body=resp_data)
def get_auth_ref(self, session, **kwargs): headers = {'Accept': 'application/json'} body = {'auth': {'identity': {}}} ident = body['auth']['identity'] rkwargs = {} for method in self.auth_methods: name, auth_data = method.get_auth_data(session, self, headers, request_kwargs=rkwargs) ident.setdefault('methods', []).append(name) ident[name] = auth_data if not ident: raise exceptions.AuthorizationFailure( 'Authentication method required (e.g. password)') mutual_exclusion = [ bool(self.domain_id or self.domain_name), bool(self.project_id or self.project_name), bool(self.trust_id), bool(self.unscoped) ] if sum(mutual_exclusion) > 1: raise exceptions.AuthorizationFailure( 'Authentication cannot be scoped to multiple targets. Pick ' 'one of: project, domain, trust or unscoped') if self.domain_id: body['auth']['scope'] = {'domain': {'id': self.domain_id}} elif self.domain_name: body['auth']['scope'] = {'domain': {'name': self.domain_name}} elif self.project_id: body['auth']['scope'] = {'project': {'id': self.project_id}} elif self.project_name: scope = body['auth']['scope'] = {'project': {}} scope['project']['name'] = self.project_name if self.project_domain_id: scope['project']['domain'] = {'id': self.project_domain_id} elif self.project_domain_name: scope['project']['domain'] = {'name': self.project_domain_name} elif self.trust_id: body['auth']['scope'] = {'OS-TRUST:trust': {'id': self.trust_id}} elif self.unscoped: body['auth']['scope'] = 'unscoped' elif self.system_scope: # NOTE(lbragstad): Right now it's only possible to have role # assignments on the entire system. In the future that might change # so that users and groups can have roles on parts of the system, # like a specific service in a specific region. If that happens, # this will have to be accounted for here. Until then we'll only # support scoping to the entire system. if self.system_scope == 'all': body['auth']['scope'] = {'system': {'all': True}} # NOTE(jamielennox): we add nocatalog here rather than in token_url # directly as some federation plugins require the base token_url token_url = self.token_url if not self.include_catalog: token_url += '?nocatalog' _logger.debug('Making authentication request to %s', token_url) resp = session.post(token_url, json=body, headers=headers, authenticated=False, log=False, **rkwargs) try: _logger.debug(json.dumps(resp.json())) resp_data = resp.json() except ValueError: raise exceptions.InvalidResponse(response=resp) if 'token' not in resp_data: raise exceptions.InvalidResponse(response=resp) return access.AccessInfoV3(auth_token=resp.headers['X-Subject-Token'], body=resp_data)
def get_auth_ref(self, session, **kwargs): # First do regular authorization auth_access = super(Agency, self).get_auth_ref(session, **kwargs) # And now reauth with another scope headers = { 'Accept': 'application/json', 'X-Auth-Token': auth_access._auth_token } body = {'auth': {'identity': {}}} ident = body['auth']['identity'] rkwargs = {} for method in self.auth_methods: name, auth_data = method.get_assume_role_auth_data( session, self, headers, request_kwargs=rkwargs) # NOTE(adriant): Methods like ReceiptMethod don't # want anything added to the request data, so they # explicitly return None, which we check for. if name: ident.setdefault('methods', []).append(name) ident[name] = auth_data if not ident: raise exceptions.AuthorizationFailure( 'Authentication method required (e.g. password)') if self.target_project_id: body['auth']['scope'] = {'project': {'id': self.target_project_id}} elif self.target_project_name: scope = body['auth']['scope'] = {'project': {}} scope['project']['name'] = self.target_project_name # If project is not set - get a domain scope elif self.target_domain_id: body['auth']['scope'] = {'domain': {'id': self.target_domain_id}} elif self.target_domain_name: body['auth']['scope'] = {'domain': {'name': self.target_domain_name}} token_url = self.token_url if not self.auth_url.rstrip('/').endswith('v3'): token_url = '%s/v3/auth/tokens' % self.auth_url.rstrip('/') if not self.include_catalog: token_url += '?nocatalog' _logger.debug('Making authentication request to %s', token_url) resp = session.post(token_url, json=body, headers=headers, authenticated=False, log=False, **rkwargs) try: _logger.debug(json.dumps(resp.json())) resp_data = resp.json() except ValueError: raise exceptions.InvalidResponse(response=resp) if 'token' not in resp_data: raise exceptions.InvalidResponse(response=resp) return access.AccessInfoV3(auth_token=resp.headers['X-Subject-Token'], body=resp_data)