def process_token(self, region_name=None):
"""Extract and process information from the new auth_ref.
And set the relevant authentication information.
"""
# if we got a response without a service catalog, set the local
# list of tenants for introspection, and leave to client user
# to determine what to do. Otherwise, load up the service catalog
if self.auth_ref.project_scoped:
if not self.auth_ref.tenant_id:
raise exceptions.AuthorizationFailure(
"Token didn't provide tenant_id")
self._process_management_url(region_name)
self.project_name = self.auth_ref.tenant_name
self.project_id = self.auth_ref.tenant_id
if not self.auth_ref.user_id:
raise exceptions.AuthorizationFailure(
"Token didn't provide user_id")
self.user_id = self.auth_ref.user_id
self.auth_domain_id = self.auth_ref.domain_id
self.auth_tenant_id = self.auth_ref.tenant_id
self.auth_user_id = self.auth_ref.user_id
def get_auth_ref(self, session, **kwargs):
headers = {'Accept': 'application/json'}
body = {'auth': {'identity': {}}}
ident = body['auth']['identity']
for method in self.auth_methods:
name, auth_data = method.get_auth_data(session, self, headers)
ident.setdefault('methods', []).append(name)
ident[name] = auth_data
if not ident:
raise exceptions.AuthorizationFailure('Authentication method '
'required (e.g. password)')
mutual_exclusion = [
bool(self.domain_id or self.domain_name),
bool(self.project_id or self.project_name),
bool(self.trust_id)
]
if sum(mutual_exclusion) > 1:
raise exceptions.AuthorizationFailure('Authentication cannot be '
'scoped to multiple '
'targets. Pick one of: '
'project, domain or trust')
if self.domain_id:
body['auth']['scope'] = {'domain': {'id': self.domain_id}}
elif self.domain_name:
body['auth']['scope'] = {'domain': {'name': self.domain_name}}
elif self.project_id:
body['auth']['scope'] = {'project': {'id': self.project_id}}
elif self.project_name:
scope = body['auth']['scope'] = {'project': {}}
scope['project']['name'] = self.project_name
if self.project_domain_id:
scope['project']['domain'] = {'id': self.project_domain_id}
elif self.project_domain_name:
scope['project']['domain'] = {'name': self.project_domain_name}
elif self.trust_id:
body['auth']['scope'] = {'OS-TRUST:trust': {'id': self.trust_id}}
resp = session.post(self.token_url,
json=body,
headers=headers,
authenticated=False)
try:
resp_data = resp.json()['token']
except (KeyError, ValueError):
raise exceptions.InvalidResponse(response=resp)
return access.AccessInfoV3(resp.headers['X-Subject-Token'],
**resp_data)
def get_raw_token_from_identity_service(self,
auth_url,
user_id=None,
username=None,
user_domain_id=None,
user_domain_name=None,
password=None,
domain_id=None,
domain_name=None,
project_id=None,
project_name=None,
project_domain_id=None,
project_domain_name=None,
token=None,
trust_id=None,
**kwargs):
"""Authenticate against the v3 Identity API.
:returns: access.AccessInfo if authentication was successful.
:raises: AuthorizationFailure if unable to authenticate or validate
the existing authorization token
:raises: Unauthorized if authentication fails due to invalid token
"""
try:
if auth_url is None:
raise ValueError("Cannot authenticate without an auth_url")
a = v3_auth.Auth._factory(auth_url,
username=username,
password=password,
token=token,
trust_id=trust_id,
user_id=user_id,
domain_id=domain_id,
domain_name=domain_name,
user_domain_id=user_domain_id,
user_domain_name=user_domain_name,
project_id=project_id,
project_name=project_name,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name)
return a.get_auth_ref(self.session)
except (exceptions.AuthorizationFailure, exceptions.Unauthorized):
_logger.debug('Authorization failed.')
raise
except exceptions.EndpointNotFound:
msg = 'There was no suitable authentication url for this request'
raise exceptions.AuthorizationFailure(msg)
except Exception as e:
raise exceptions.AuthorizationFailure('Authorization failed: '
'%s' % e)
def get_raw_token_from_identity_service(self,
auth_url,
username=None,
password=None,
tenant_name=None,
tenant_id=None,
token=None,
project_name=None,
project_id=None,
trust_id=None,
**kwargs):
"""Authenticate against the v2 Identity API.
If a token is provided it will be used in preference over username and
password.
:returns: access.AccessInfo if authentication was successful.
:raises keystoneclient.exceptions.AuthorizationFailure: if unable to
authenticate or validate the existing authorization token
"""
try:
if auth_url is None:
raise ValueError(_("Cannot authenticate without an auth_url"))
new_kwargs = {
'trust_id': trust_id,
'tenant_id': project_id or tenant_id,
'tenant_name': project_name or tenant_name
}
if token:
plugin = v2_auth.Token(auth_url, token, **new_kwargs)
elif username and password:
plugin = v2_auth.Password(auth_url, username, password,
**new_kwargs)
else:
msg = _('A username and password or token is required.')
raise exceptions.AuthorizationFailure(msg)
return plugin.get_auth_ref(self.session)
except (exceptions.AuthorizationFailure, exceptions.Unauthorized):
_logger.debug("Authorization Failed.")
raise
except exceptions.EndpointNotFound:
msg = (
_('There was no suitable authentication url for this request'))
raise exceptions.AuthorizationFailure(msg)
except Exception as e:
raise exceptions.AuthorizationFailure(
_("Authorization Failed: %s") % e)
def authenticate(self):
""" Authenticate against the Identity API.
Uses the data provided at instantiation to authenticate against
the Keystone server. This may use either a username and password
or token for authentication. If a tenant id was provided
then the resulting authenticated client will be scoped to that
tenant and contain a service catalog of available endpoints.
Returns ``True`` if authentication was successful.
"""
self.management_url = self.auth_url
try:
raw_token = self.tokens.authenticate(username=self.username,
tenant_id=self.tenant_id,
tenant_name=self.tenant_name,
password=self.password,
token=self.auth_token,
return_raw=True)
self._extract_service_catalog(self.auth_url, raw_token)
return True
except (exceptions.AuthorizationFailure, exceptions.Unauthorized):
_logger.debug("Authorization Failed.")
raise
except Exception, e:
raise exceptions.AuthorizationFailure("Authorization Failed: "
"%s" % e)
def _cs_request(self, url, method, management=True, **kwargs):
"""Makes an authenticated request to keystone endpoint by
concatenating self.management_url and url and passing in method and
any associated kwargs.
"""
# NOTE(jamielennox): remember that if you use the legacy client mode
# (you create a client without a session) then this HTTPClient object
# is the auth plugin you are using. Values in the endpoint_filter may
# be ignored and you should look at get_endpoint to figure out what.
interface = 'admin' if management else 'public'
endpoint_filter = kwargs.setdefault('endpoint_filter', {})
endpoint_filter.setdefault('service_type', 'identity')
endpoint_filter.setdefault('interface', interface)
if self.version:
endpoint_filter.setdefault('version', self.version)
if self.region_name:
endpoint_filter.setdefault('region_name', self.region_name)
kwargs.setdefault('authenticated', None)
try:
return self.request(url, method, **kwargs)
except exceptions.MissingAuthPlugin:
_logger.info('Cannot get authenticated endpoint without an '
'auth plugin')
raise exceptions.AuthorizationFailure(
'Current authorization does not have a known management url')
def _extract_service_catalog(self, url, body):
""" Set the client's service catalog from the response data. """
self.service_catalog = service_catalog.ServiceCatalog(body)
try:
sc = self.service_catalog.get_token()
self.auth_token = sc['id']
# Save these since we have them and they'll be useful later
# NOTE(termie): these used to be in the token and then were removed
# ... why?
self.auth_tenant_id = sc.get('tenant_id')
self.auth_user_id = sc.get('user_id')
except KeyError:
raise exceptions.AuthorizationFailure()
# FIXME(ja): we should be lazy about setting managment_url.
# in fact we should rewrite the client to support the service
# catalog (api calls should be directable to any endpoints)
try:
self.management_url = self.service_catalog.url_for(
attr='region',
filter_value=self.region_name,
endpoint_type='adminURL')
except:
# Unscoped tokens don't return a service catalog
_logger.exception("unable to retrieve service catalog with token")
def get_raw_token_from_identity_service(self, auth_url, username=None,
password=None, tenant_name=None,
tenant_id=None, token=None,
project_name=None, project_id=None,
trust_id=None,
**kwargs):
"""Authenticate against the v2 Identity API.
:returns: access.AccessInfo if authentication was successful.
:raises: AuthorizationFailure if unable to authenticate or validate
the existing authorization token
"""
try:
if auth_url is None:
raise ValueError("Cannot authenticate without an auth_url")
a = v2_auth.Auth.factory(auth_url,
username=username,
password=password,
token=token,
trust_id=trust_id,
tenant_id=project_id or tenant_id,
tenant_name=project_name or tenant_name)
return a.get_auth_ref(self.session)
except (exceptions.AuthorizationFailure, exceptions.Unauthorized):
_logger.debug("Authorization Failed.")
raise
except Exception as e:
raise exceptions.AuthorizationFailure("Authorization Failed: "
"%s" % e)
def test_retrieve_keystone_bad_client_authorization_error(self):
url = 'myurl'
tenant_id = '789012345'
token = 'abcdefABCDEF'
bttl = 5
redis_client = fakeredis_connection()
with mock.patch(
'keystoneclient.v2_0.client.Client') as MockKeystoneClient:
MockKeystoneClient.side_effect = exceptions.Unauthorized(
'Mock - invalid client object')
keystone_create_error = auth._retrieve_data_from_keystone(
redis_client, url, tenant_id, token, bttl,
self.default_max_cache_life)
self.assertIsNone(keystone_create_error)
with mock.patch(
'keystoneclient.v2_0.client.Client') as MockKeystoneClient:
MockKeystoneClient.side_effect = exceptions.AuthorizationFailure(
'Mock - invalid client object')
keystone_create_error = auth._retrieve_data_from_keystone(
redis_client, url, tenant_id, token, bttl,
self.default_max_cache_life)
self.assertIsNone(keystone_create_error)
def _factory(auth_url, **kwargs):
"""Construct a plugin appropriate to your available arguments.
This function is intended as a convenience and backwards compatibility.
If you know the style of authorization you require then you should
construct that plugin directly.
"""
methods = []
# NOTE(jamielennox): kwargs extraction is outside the if statement to
# clear up additional args that might be passed but not valid for type.
method_kwargs = PasswordMethod._extract_kwargs(kwargs)
if method_kwargs.get('password'):
methods.append(PasswordMethod(**method_kwargs))
method_kwargs = TokenMethod._extract_kwargs(kwargs)
if method_kwargs.get('token'):
methods.append(TokenMethod(**method_kwargs))
if not methods:
msg = 'A username and password or token is required.'
raise exceptions.AuthorizationFailure(msg)
return Auth(auth_url, methods, **kwargs)
def _send_idp_saml2_authn_request(self, session):
"""Present modified SAML2 authn assertion from the Service Provider."""
self._prepare_idp_saml2_request(self.saml2_authn_request)
idp_saml2_authn_request = self.saml2_authn_request
# Currently HTTPBasicAuth method is hardcoded into the plugin
idp_response = session.post(
self.identity_provider_url,
headers={'Content-type': 'text/xml'},
data=etree.tostring(idp_saml2_authn_request),
requests_auth=(self.username, self.password),
authenticated=False,
log=False)
try:
self.saml2_idp_authn_response = etree.XML(idp_response.content)
except etree.XMLSyntaxError as e:
msg = _("SAML2: Error parsing XML returned "
"from Identity Provider, reason: %s") % e
raise exceptions.AuthorizationFailure(msg)
idp_response_consumer_url = self.saml2_idp_authn_response.xpath(
self.ECP_IDP_CONSUMER_URL, namespaces=self.ECP_SAML2_NAMESPACES)
self.idp_response_consumer_url = self._first(idp_response_consumer_url)
self._check_consumer_urls(session, self.idp_response_consumer_url,
self.sp_response_consumer_url)
def get_raw_token_from_identity_service(self,
auth_url,
username=None,
password=None,
tenant_name=None,
tenant_id=None,
token=None):
""" Authenticate against the Keystone API.
:returns: ``raw token`` if authentication was successful.
:raises: AuthorizationFailure if unable to authenticate or validate
the existing authorization token
:raises: ValueError if insufficient parameters are used.
"""
try:
return self._base_authN(auth_url,
username=username,
tenant_id=tenant_id,
tenant_name=tenant_name,
password=password,
token=token)
except (exceptions.AuthorizationFailure, exceptions.Unauthorized):
_logger.debug("Authorization Failed.")
raise
except Exception as e:
raise exceptions.AuthorizationFailure("Authorization Failed: "
"%s" % e)
def _extract_service_catalog(self, url, body):
""" Set the client's service catalog from the response data. """
self.service_catalog = service_catalog.ServiceCatalog(body)
try:
sc = self.service_catalog.get_token()
self.auth_token = sc['id']
# Save these since we have them and they'll be useful later
self.auth_tenant_id = sc.get('tenant_id')
self.auth_user_id = sc.get('user_id')
except KeyError:
raise exceptions.AuthorizationFailure()
# FIXME(ja): we should be lazy about setting managment_url.
# in fact we should rewrite the client to support the service
# catalog (api calls should be directable to any endpoints)
try:
self.management_url = self.service_catalog.url_for(
attr='region',
filter_value=self.region_name,
endpoint_type='adminURL')
except exceptions.EmptyCatalog:
# Unscoped tokens don't return a service catalog;
# allow those to pass while any other errors bubble up.
pass
except exceptions.EndpointNotFound:
# the client shouldn't expect the authenticating user to
# be authorized to view adminURL's, nor expect the identity
# endpoint to publish one
pass
def get_token(self, auth=None):
"""Return a token as provided by the auth plugin.
:param auth: The auth plugin to use for token. Overrides the plugin
on the session. (optional)
:type auth: :py:class:`keystoneclient.auth.base.BaseAuthPlugin`
:raises keystoneclient.exceptions.AuthorizationFailure: if a new token
fetch fails.
:raises keystoneclient.exceptions.MissingAuthPlugin: if a plugin is not
available.
:returns: A valid token.
:rtype: string
"""
if not auth:
auth = self.auth
if not auth:
raise exceptions.MissingAuthPlugin(_("Token Required"))
try:
return auth.get_token(self)
except exceptions.HttpError as exc:
raise exceptions.AuthorizationFailure(
_("Authentication failure: %s") % exc)
def _access_service_provider(self, session):
"""Access protected endpoint and fetch unscoped token.
After federated authentication workflow a protected endpoint should be
accessible with the session object. The access is granted basing on the
cookies stored within the session object. If, for some reason no
cookies are present (quantity test) it means something went wrong and
user will not be able to fetch an unscoped token. In that case an
``exceptions.AuthorizationFailure` exception is raised and no HTTP call
is even made.
:param session : a session object to send out HTTP requests.
:type session: keystoneclient.session.Session
:raises keystoneclient.exceptions.AuthorizationFailure: in case session
object has empty cookie jar.
"""
if self._cookies(session) is False:
raise exceptions.AuthorizationFailure(
_("Session object doesn't contain a cookie, therefore you are "
"not allowed to enter the Identity Provider's protected "
"area."))
self.authenticated_response = session.get(self.token_url,
authenticated=False)
def test_keystone_request_raises_auth_failure_exception(
self, mock_from_resp):
kwargs = {
"body": {
"volume": {
"status": "creating",
"imageRef": "username",
"attach_status": "detached"
},
"authenticated": "True"
}
}
with mock.patch.object(
adapter.Adapter,
'request',
side_effect=keystone_exception.AuthorizationFailure()):
mock_session = mock.Mock()
mock_session.get_endpoint.return_value = fixture_base.VOLUME_V1_URL
session_client = cinderclient.client.SessionClient(
session=mock_session)
self.assertRaises(keystone_exception.AuthorizationFailure,
session_client.request,
fixture_base.VOLUME_V1_URL, 'POST', **kwargs)
# As keystonesession.request method will raise
# AuthorizationFailure exception, check exceptions.from_response
# is not getting called.
self.assertFalse(mock_from_resp.called)
def get_auth_ref(self, session, **kwargs):
headers = {}
url = self.auth_url + "/auth/tokens"
body = {'auth': {'identity': {}}}
ident = body['auth']['identity']
for method in self.auth_methods:
method, auth_data = method.get_auth_data(headers)
ident.setdefault('methods', []).append(method)
ident[method] = auth_data
if not ident:
raise exceptions.AuthorizationFailure('Authentication method '
'required (e.g. password)')
if ((self.domain_id or self.domain_name)
and (self.project_id or self.project_name)):
raise exceptions.AuthorizationFailure('Authentication cannot be '
'scoped to both domain '
'and project.')
if self.domain_id:
body['auth']['scope'] = {'domain': {'id': self.domain_id}}
elif self.domain_name:
body['auth']['scope'] = {'domain': {'name': self.domain_name}}
elif self.project_id:
body['auth']['scope'] = {'project': {'id': self.project_id}}
elif self.project_name:
scope = body['auth']['scope'] = {'project': {}}
scope['project']['name'] = self.project_name
if self.project_domain_id:
scope['project']['domain'] = {'id': self.project_domain_id}
elif self.project_domain_name:
scope['project']['domain'] = {'name': self.project_domain_name}
if self.trust_id:
scope = body['auth'].setdefault('scope', {})
scope['OS-TRUST:trust'] = {'id': self.trust_id}
resp = session.post(url,
json=body,
headers=headers,
authenticated=False)
return access.AccessInfoV3(resp.headers['X-Subject-Token'],
**resp.json()['token'])
def str_to_xml(content, msg=None, include_exc=True):
try:
return etree.XML(content)
except etree.XMLSyntaxError as e:
if not msg:
msg = str(e)
else:
msg = msg % e if include_exc else msg
raise exceptions.AuthorizationFailure(msg)
def authenticate(self, username=None, password=None, tenant_name=None,
tenant_id=None, auth_url=None, token=None):
""" Authenticate against the Keystone API.
Uses the data provided at instantiation to authenticate against
the Keystone server. This may use either a username and password
or token for authentication. If a tenant name or id was provided
then the resulting authenticated client will be scoped to that
tenant and contain a service catalog of available endpoints.
With the v2.0 API, if a tenant name or ID is not provided, the
authenication token returned will be 'unscoped' and limited in
capabilities until a fully-scoped token is acquired.
If successful, sets the self.auth_ref and self.auth_token with
the returned token. If not already set, will also set
self.management_url from the details provided in the token.
:returns: ``True`` if authentication was successful.
:raises: AuthorizationFailure if unable to authenticate or validate
the existing authorization token
:raises: ValueError if insufficient parameters are used.
"""
auth_url = auth_url or self.auth_url
username = username or self.username
password = password or self.password
tenant_name = tenant_name or self.tenant_name
tenant_id = tenant_id or self.tenant_id
token = token or self.auth_token
try:
raw_token = self._base_authN(auth_url,
username=username,
tenant_id=tenant_id,
tenant_name=tenant_name,
password=password,
token=token)
self.auth_ref = access.AccessInfo(**raw_token)
# if we got a response without a service catalog, set the local
# list of tenants for introspection, and leave to client user
# to determine what to do. Otherwise, load up the service catalog
self.auth_token = self.auth_ref.auth_token
if self.auth_ref.scoped:
if self.management_url is None:
self.management_url = self.auth_ref.management_url[0]
self.tenant_name = self.auth_ref.tenant_name
self.tenant_id = self.auth_ref.tenant_id
self.user_id = self.auth_ref.user_id
self._extract_service_catalog(self.auth_url, self.auth_ref)
return True
except (exceptions.AuthorizationFailure, exceptions.Unauthorized):
_logger.debug("Authorization Failed.")
raise
except Exception as e:
raise exceptions.AuthorizationFailure("Authorization Failed: "
"%s" % e)
def _extract_service_catalog(self, url, body):
""" Set the client's service catalog from the response data. """
self.service_catalog = service_catalog.ServiceCatalog(body)
try:
sc = self.service_catalog.get_token()
# Save these since we have them and they'll be useful later
self.auth_tenant_id = sc.get('tenant_id')
self.auth_user_id = sc.get('user_id')
except KeyError:
raise exceptions.AuthorizationFailure()
def get_raw_token_from_identity_service(self, auth_url, tenant_id, token):
LOG.debug('URL: {0}'.format(auth_url))
LOG.debug('Token: {0}'.format(token))
LOG.debug('Tenant: {0}'.format(tenant_id))
if token == 'valid_token' and tenant_id == 'valid_projectid':
catalog_gen = servicecatalog.ServiceCatalogGenerator(
token, tenant_id)
catalog = catalog_gen.generate_full_catalog()['access']
return access.AccessInfoV2(**catalog)
else:
if token == 'valid_token':
raise exceptions.AuthorizationFailure(
'mocking - invalid project id')
elif tenant_id == 'valid_projectid':
raise exceptions.AuthorizationFailure(
'mocking - invalid token')
else:
raise exceptions.AuthorizationFailure(
'mocking - invalid or missing token or project id')
def a(a):
if a == 1:
raise keystone_exc.Unauthorized()
if a == 2:
raise keystone_exc.AuthorizationFailure()
if a == 3:
raise keystone_exc.ConnectionRefused()
return a
def _get_adfs_security_token(self, session):
"""Send ADFS Security token to the ADFS server.
Store the result in the instance attribute and raise an exception in
case the response is not valid XML data.
If a user cannot authenticate due to providing bad credentials, the
ADFS2.0 server will return a HTTP 500 response and a XML Fault message.
If ``exceptions.InternalServerError`` is caught, the method tries to
parse the XML response.
If parsing is unsuccessful, an ``exceptions.AuthorizationFailure`` is
raised with a reason from the XML fault. Otherwise an original
``exceptions.InternalServerError`` is re-raised.
:param session : a session object to send out HTTP requests.
:type session: keystoneclient.session.Session
:raises keystoneclient.exceptions.AuthorizationFailure: when HTTP
response from the ADFS server is not a valid XML ADFS security
token.
:raises keystoneclient.exceptions.InternalServerError: If response
status code is HTTP 500 and the response XML cannot be
recognized.
"""
def _get_failure(e):
xpath = '/s:Envelope/s:Body/s:Fault/s:Code/s:Subcode/s:Value'
content = e.response.content
try:
obj = self.str_to_xml(content).xpath(
xpath, namespaces=self.NAMESPACES)
obj = self._first(obj)
return obj.text
# NOTE(marek-denis): etree.Element.xpath() doesn't raise an
# exception, it just returns an empty list. In that case, _first()
# will raise IndexError and we should treat it as an indication XML
# is not valid. exceptions.AuthorizationFailure can be raised from
# str_to_xml(), however since server returned HTTP 500 we should
# re-raise exceptions.InternalServerError.
except (IndexError, exceptions.AuthorizationFailure):
raise e
request_security_token = self.xml_to_str(self.prepared_request)
try:
response = session.post(url=self.identity_provider_url,
headers=self.HEADER_SOAP,
data=request_security_token,
authenticated=False)
except exceptions.InternalServerError as e:
reason = _get_failure(e)
raise exceptions.AuthorizationFailure(reason)
msg = _("Error parsing XML returned from "
"the ADFS Identity Provider, reason: %s")
self.adfs_token = self.str_to_xml(response.content, msg)
def _extract_service_catalog(self, url, body):
""" Set the client's service catalog from the response data. """
self.service_catalog = service_catalog.ServiceCatalog(body)
try:
self.auth_token = self.service_catalog.get_token()
except KeyError:
raise exceptions.AuthorizationFailure()
if self.project_id:
# Unscoped tokens don't return a service catalog
self.management_url = self.service_catalog.url_for(
attr='region', filter_value=self.region_name)
return self.service_catalog
def process_token(self, **kwargs):
"""Extract and process information from the new auth_ref.
And set the relevant authentication information.
"""
super(Client, self).process_token(**kwargs)
if self.auth_ref.domain_scoped:
if not self.auth_ref.domain_id:
raise exceptions.AuthorizationFailure(
"Token didn't provide domain_id")
self._process_management_url(kwargs.get('region_name'))
self.domain_name = self.auth_ref.domain_name
self.domain_id = self.auth_ref.domain_id
def _check_keystone_versions(self, url):
"""Calls Keystone URL and detects the available API versions."""
try:
client = httpclient.HTTPClient()
resp, body = client.request(url,
"GET",
headers={'Accept': 'application/json'})
# Multiple Choices status code is returned by the root
# identity endpoint, with references to one or more
# Identity API versions -- v3 spec
# some cases we get No Content
if resp.status_code in (200, 204, 300):
try:
results = {}
if 'version' in body:
results['message'] = "Keystone found at %s" % url
version = body['version']
# Stable/diablo incorrect format
id, status, version_url = \
self._get_version_info(version, url)
results[str(id)] = {
"id": id,
"status": status,
"url": version_url
}
return results
elif 'versions' in body:
# Correct format
results['message'] = "Keystone found at %s" % url
for version in body['versions']['values']:
id, status, version_url = \
self._get_version_info(version, url)
results[str(id)] = {
"id": id,
"status": status,
"url": version_url
}
return results
else:
results['message'] = ("Unrecognized response from %s" %
url)
return results
except KeyError:
raise exceptions.AuthorizationFailure()
elif resp.status_code == 305:
return self._check_keystone_versions(resp['location'])
else:
raise exceptions.from_response(resp, "GET", url)
except Exception as e:
_logger.exception(e)
def _cs_request(self, url, method, **kwargs):
""" Makes an authenticated request to keystone endpoint by
concatenating self.management_url and url and passing in method and
any associated kwargs. """
if self.management_url is None:
raise exceptions.AuthorizationFailure(
'Current authorization does not have a known management url')
kwargs.setdefault('headers', {})
if self.auth_token:
kwargs['headers']['X-Auth-Token'] = self.auth_token
resp, body = self.request(self.management_url + url, method, **kwargs)
return resp, body
def process_token(self):
"""Extract and process information from the new auth_ref.
And set the relevant authentication information.
"""
super(Client, self).process_token()
if self.auth_ref.domain_scoped:
if not self.auth_ref.domain_id:
raise exceptions.AuthorizationFailure(
"Token didn't provide domain_id")
if self.management_url is None and self.auth_ref.management_url:
self.management_url = self.auth_ref.management_url[0]
self.domain_name = self.auth_ref.domain_name
self.domain_id = self.auth_ref.domain_id
def keystone_auth(auth_details):
keystone = None
try:
if (int(auth_details['OS_IDENTITY_API_VERSION']) == 3 or
auth_details['OS_AUTH_URL'].endswith('v3')):
keystone = k3_client.Client(
username=auth_details['OS_USERNAME'],
password=auth_details['OS_PASSWORD'],
user_domain_name=auth_details.get(
'OS_USER_DOMAIN_NAME',
'Default'
),
project_domain_name=auth_details.get(
'OS_PROJECT_DOMAIN_NAME',
'Default'
),
project_name=auth_details.get(
'OS_PROJECT_NAME',
'admin'
),
auth_url=auth_details['OS_AUTH_URL'],
region_name=auth_details.get('OS_REGION_NAME'),
insecure=AUTH_DETAILS['OS_API_INSECURE']
)
else:
keystone = k2_client.Client(
username=auth_details['OS_USERNAME'],
password=auth_details['OS_PASSWORD'],
tenant_name=auth_details['OS_TENANT_NAME'],
auth_url=auth_details['OS_AUTH_URL'],
region_name=auth_details['OS_REGION_NAME'],
insecure=AUTH_DETAILS['OS_API_INSECURE']
)
except Exception as e:
metric_bool('client_success', False, m_name='maas_keystone')
status_err(str(e), m_name='maas_keystone')
else:
if keystone:
return keystone.auth_ref
else:
raise k_exc.AuthorizationFailure()
finally:
try:
if keystone:
with open(TOKEN_FILE, 'w') as token_file:
json.dump(keystone.auth_ref, token_file)
except IOError:
# if we can't write the file we go on
pass
def get_token(self):
"""Return a token as provided by the auth plugin.
:raises AuthorizationFailure: if a new token fetch fails.
:returns string: A valid token.
"""
if not self.auth:
raise exceptions.MissingAuthPlugin("Token Required")
try:
return self.auth.get_token(self)
except exceptions.HTTPError as exc:
raise exceptions.AuthorizationFailure("Authentication failure: "
"%s" % exc)
