def format_response(callable_returning_session,
nonmatching_tenant_message_generator):
try:
session = callable_returning_session()
except NonMatchingTenantError as e:
request.setResponseCode(401)
return json.dumps({
"unauthorized": {
"code": 401,
"message": nonmatching_tenant_message_generator(e)
}
})
else:
request.setResponseCode(200)
prefix_map = {
# map of entry to URI prefix for that entry
}
def lookup(entry):
return prefix_map[entry]
result = get_token(
session.tenant_id,
entry_generator=lambda tenant_id:
list(self.core.entries_for_tenant(
tenant_id, prefix_map, base_uri_from_request(request))),
prefix_for_endpoint=lookup,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
)
return json.dumps(result)
def get_token_and_service_catalog(self, request):
"""
Return a service catalog consisting of nova and load balancer mocked
endpoints and an api token.
"""
content = json.loads(request.content.read())
# tenant_id = content['auth'].get('tenantName', None)
credentials = content['auth']['passwordCredentials']
session = self.core.session_for_username_password(
credentials['username'],
credentials['password'],
content['auth'].get('tenantName', None),
)
request.setResponseCode(200)
prefix_map = {
# map of entry to URI prefix for that entry
}
def lookup(entry):
return prefix_map[entry]
return json.dumps(
get_token(
session.tenant_id,
entry_generator=lambda tenant_id: list(
self.core.entries_for_tenant(
tenant_id, prefix_map, base_uri_from_request(request))
),
prefix_for_entry=lookup,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
))
def get_token_and_service_catalog(self, request):
"""
Return a service catalog consisting of nova and load balancer mocked
endpoints and an api token.
"""
content = json.loads(request.content.read())
# tenant_id = content['auth'].get('tenantName', None)
credentials = content["auth"]["passwordCredentials"]
session = self.core.sessions.session_for_username_password(
credentials["username"], credentials["password"], content["auth"].get("tenantName", None)
)
request.setResponseCode(200)
prefix_map = {
# map of entry to URI prefix for that entry
}
def lookup(entry):
return prefix_map[entry]
return json.dumps(
get_token(
session.tenant_id,
entry_generator=lambda tenant_id: list(
self.core.entries_for_tenant(tenant_id, prefix_map, base_uri_from_request(request))
),
prefix_for_endpoint=lookup,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
)
)
def format_response(callable_returning_session,
nonmatching_tenant_message_generator):
try:
session = callable_returning_session()
except NonMatchingTenantError as e:
request.setResponseCode(401)
return json.dumps({
"unauthorized": {
"code": 401,
"message": nonmatching_tenant_message_generator(e)
}
})
else:
request.setResponseCode(200)
prefix_map = {
# map of entry to URI prefix for that entry
}
def lookup(entry):
return prefix_map[entry]
result = get_token(
session.tenant_id,
entry_generator=lambda tenant_id: list(
self.core.entries_for_tenant(
tenant_id, prefix_map,
base_uri_from_request(request))),
prefix_for_endpoint=lookup,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
)
return json.dumps(result)
def default_authentication_behavior(core, http_request, credentials):
"""
Default behavior in response to a server creation. This will create
a session for the tenant if one does not already exist, and return
the auth token for that session. In the case of
:class:`PasswordCredentials`, :class:`ApiKeyCredentials`, or
:class:`TokenCredentials`, also returns the service catalog.
:param core: An instance of :class:`mimic.core.MimicCore`
:param http_request: A twisted http request/response object
:param credentials: An `mimic.model.identity.ICredentials` provider
Handles setting the response code and also
:return: The response body for a default authentication request.
"""
try:
session = credentials.get_session(core.sessions)
except NonMatchingTenantError as e:
http_request.setResponseCode(401)
if type(credentials) == TokenCredentials:
message = ("Token doesn't belong to Tenant with Id/Name: "
"'{0}'".format(e.desired_tenant))
else:
message = ("Tenant with Name/Id: '{0}' is not valid for "
"User '{1}' (id: '{2}')".format(e.desired_tenant,
e.session.username,
e.session.user_id))
return json.dumps({"unauthorized": {"code": 401, "message": message}})
else:
if type(credentials) == ImpersonationCredentials:
return json.dumps({
"access": {
"token": {
"id": credentials.impersonated_token,
"expires": format_timestamp(session.expires)
}
}
})
http_request.setResponseCode(200)
prefix_map = {
# map of entry to URI prefix for that entry
}
def lookup(entry):
return prefix_map[entry]
result = get_token(
session.tenant_id,
entry_generator=lambda tenant_id: list(
core.entries_for_tenant(session.tenant_id, prefix_map,
base_uri_from_request(http_request))),
prefix_for_endpoint=lookup,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
)
return json.dumps(result)
def default_authentication_behavior(core, http_request, credentials):
"""
Default behavior in response to a server creation. This will create
a session for the tenant if one does not already exist, and return
the auth token for that session. In the case of
:class:`PasswordCredentials`, :class:`ApiKeyCredentials`, or
:class:`TokenCredentials`, also returns the service catalog.
:param core: An instance of :class:`mimic.core.MimicCore`
:param http_request: A twisted http request/response object
:param credentials: An `mimic.model.identity.ICredentials` provider
Handles setting the response code and also
:return: The response body for a default authentication request.
"""
try:
session = credentials.get_session(core.sessions)
except NonMatchingTenantError as e:
http_request.setResponseCode(401)
if type(credentials) == TokenCredentials:
message = "Token doesn't belong to Tenant with Id/Name: " "'{0}'".format(e.desired_tenant)
else:
message = "Tenant with Name/Id: '{0}' is not valid for " "User '{1}' (id: '{2}')".format(
e.desired_tenant, e.session.username, e.session.user_id
)
return json.dumps({"unauthorized": {"code": 401, "message": message}})
else:
if type(credentials) == ImpersonationCredentials:
return json.dumps(
{
"access": {
"token": {"id": credentials.impersonated_token, "expires": format_timestamp(session.expires)}
}
}
)
http_request.setResponseCode(200)
prefix_map = {
# map of entry to URI prefix for that entry
}
def lookup(entry):
return prefix_map[entry]
result = get_token(
session.tenant_id,
entry_generator=lambda tenant_id: list(
core.entries_for_tenant(session.tenant_id, prefix_map, base_uri_from_request(http_request))
),
prefix_for_endpoint=lookup,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
)
return json.dumps(result)
def get_service_catalog_and_token(self, request):
"""
Return a service catalog consisting of nova and load balancer mocked
endpoints and an api token.
"""
content = json.loads(request.content.read())
try:
tenant_id = content['auth']['tenantName']
except KeyError:
tenant_id = 'test'
request.setResponseCode(200)
return json.dumps(get_token(tenant_id))
def get_token_and_service_catalog(self, request):
"""
Return a service catalog consisting of all plugin endpoints and an api
token.
"""
try:
content = json.loads(request.content.read())
except ValueError:
request.setResponseCode(400)
return json.dumps(invalid_resource("Invalid JSON request body"))
tenant_id = (content['auth'].get('tenantName', None)
or content['auth'].get('tenantId', None))
if content['auth'].get('passwordCredentials'):
username = content['auth']['passwordCredentials']['username']
password = content['auth']['passwordCredentials']['password']
session = self.core.sessions.session_for_username_password(
username, password, tenant_id)
elif content['auth'].get('RAX-KSKEY:apiKeyCredentials'):
username = content['auth']['RAX-KSKEY:apiKeyCredentials'][
'username']
api_key = content['auth']['RAX-KSKEY:apiKeyCredentials']['apiKey']
session = self.core.sessions.session_for_api_key(
username, api_key, tenant_id)
elif content['auth'].get('token') and tenant_id:
session = self.core.sessions.session_for_token(
content['auth']['token']['id'], tenant_id)
else:
request.setResponseCode(400)
return json.dumps(invalid_resource("Invalid JSON request body"))
request.setResponseCode(200)
prefix_map = {
# map of entry to URI prefix for that entry
}
def lookup(entry):
return prefix_map[entry]
return json.dumps(
get_token(
session.tenant_id,
entry_generator=lambda tenant_id: list(
self.core.entries_for_tenant(
tenant_id, prefix_map, base_uri_from_request(request))
),
prefix_for_endpoint=lookup,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
))
def get_token_and_service_catalog(self, request):
"""
Return a service catalog consisting of all plugin endpoints and an api
token.
"""
try:
content = json.loads(request.content.read())
except ValueError:
request.setResponseCode(400)
return json.dumps(invalid_resource("Invalid JSON request body"))
tenant_id = (content['auth'].get('tenantName', None) or
content['auth'].get('tenantId', None))
if content['auth'].get('passwordCredentials'):
username = content['auth']['passwordCredentials']['username']
password = content['auth']['passwordCredentials']['password']
session = self.core.sessions.session_for_username_password(
username, password, tenant_id)
elif content['auth'].get('RAX-KSKEY:apiKeyCredentials'):
username = content['auth']['RAX-KSKEY:apiKeyCredentials']['username']
api_key = content['auth']['RAX-KSKEY:apiKeyCredentials']['apiKey']
session = self.core.sessions.session_for_api_key(
username, api_key, tenant_id)
elif content['auth'].get('token') and tenant_id:
session = self.core.sessions.session_for_token(
content['auth']['token']['id'], tenant_id)
else:
request.setResponseCode(400)
return json.dumps(invalid_resource("Invalid JSON request body"))
request.setResponseCode(200)
prefix_map = {
# map of entry to URI prefix for that entry
}
def lookup(entry):
return prefix_map[entry]
return json.dumps(
get_token(
session.tenant_id,
entry_generator=lambda tenant_id:
list(self.core.entries_for_tenant(
tenant_id, prefix_map, base_uri_from_request(request))),
prefix_for_endpoint=lookup,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
)
)
def validate_token(self, request, token_id):
"""
Creates a new session for the given tenant_id and token_id
and always returns response code 200.
Docs: http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken # noqa
"""
request.setResponseCode(200)
session = None
# Attempt to get the session based on tenant_id+token if the optional
# tenant_id is provided; if tenant_id is not provided, then just look
# it up based on the token.
tenant_id = request.args.get(b'belongsTo')
if tenant_id is not None:
tenant_id = tenant_id[0].decode("utf-8")
session = self.core.sessions.session_for_tenant_id(
tenant_id, token_id)
else:
session = self.core.sessions.session_for_token(
token_id
)
response = get_token(
session.tenant_id,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
)
if session.impersonator_session_for_token(token_id) is not None:
impersonator_session = session.impersonator_session_for_token(token_id)
response["access"]["RAX-AUTH:impersonator"] = impersonator_user_role(
impersonator_session.user_id,
impersonator_session.username)
if token_id in get_presets["identity"]["token_fail_to_auth"]:
request.setResponseCode(401)
return json.dumps({'itemNotFound':
{'code': 401, 'message': 'Invalid auth token'}})
imp_token = get_presets["identity"]["maas_admin_roles"]
racker_token = get_presets["identity"]["racker_token"]
if token_id in imp_token:
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{"id": "123",
"name": "monitoring:service-admin"},
{"id": "234",
"name": "object-store:admin"}]}
if token_id in racker_token:
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{"id": "9",
"name": "Racker"}]}
if tenant_id in get_presets["identity"]["observer_role"]:
response["access"]["user"]["roles"] = [
{"id": "observer",
"description": "Global Observer Role.",
"name": "observer"}]
if tenant_id in get_presets["identity"]["creator_role"]:
response["access"]["user"]["roles"] = [
{"id": "creator",
"description": "Global Creator Role.",
"name": "creator"}]
if tenant_id in get_presets["identity"]["admin_role"]:
response["access"]["user"]["roles"] = [
{"id": "admin",
"description": "Global Admin Role.",
"name": "admin"},
{"id": "observer",
"description": "Global Observer Role.",
"name": "observer"}]
# Canned responses to be removed ...
if token_id in get_presets["identity"]["non_dedicated_observer"]:
response["access"]["token"]["tenant"] = {
"id": "135790",
"name": "135790",
}
response["access"]["user"] = {
"id": "12",
"name": "OneTwo",
"roles": [{"id": "1",
"name": "monitoring:observer",
"description": "Monitoring Observer"}]
}
if token_id in get_presets["identity"]["non_dedicated_admin"]:
response["access"]["token"]["tenant"] = {
"id": "135790",
"name": "135790",
}
response["access"]["user"] = {
"id": "34",
"name": "ThreeFour",
"roles": [{"id": "1",
"name": "monitoring:admin",
"description": "Monitoring Admin"},
{"id": "2",
"name": "admin",
"description": "Admin"}]
}
if token_id in get_presets["identity"]["non_dedicated_impersonator"]:
response["access"]["token"]["tenant"] = {
"id": "135790",
"name": "135790",
}
response["access"]["user"] = {
"id": "34",
"name": "ThreeFour",
"roles": [{"id": "1",
"name": "identity:nobody",
"description": "Nobody"}]
}
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{"id": "1",
"name": "monitoring:service-admin"},
{"id": "2",
"name": "object-store:admin"}]
}
if token_id in get_presets["identity"]["non_dedicated_racker"]:
response["access"]["token"]["tenant"] = {
"id": "135790",
"name": "135790",
}
response["access"]["user"] = {
"id": "34",
"name": "ThreeFour",
"roles": [{"id": "1",
"name": "identity:nobody",
"description": "Nobody"}]
}
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{"id": "1",
"name": "Racker"}]
}
if token_id in get_presets["identity"]["dedicated_full_device_permission_holder"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id": "12",
"name": "HybridOneTwo",
"roles": [{"id": "1",
"name": "monitoring:observer",
"tenantId": "hybrid:123456"}],
"RAX-AUTH:contactId": "12"
}
if token_id in get_presets["identity"]["dedicated_account_permission_holder"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id": "34",
"name": "HybridThreeFour",
"roles": [{"id": "1",
"name": "monitoring:creator",
"description": "Monitoring Creator"},
{"id": "2",
"name": "creator",
"description": "Creator"}],
"RAX-AUTH:contactId": "34"
}
if token_id in get_presets["identity"]["dedicated_limited_device_permission_holder"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id": "56",
"name": "HybridFiveSix",
"roles": [{"id": "1",
"name": "monitoring:observer",
"description": "Monitoring Observer"},
{"id": "2",
"name": "observer",
"description": "Observer"}],
"RAX-AUTH:contactId": "56"
}
if token_id in get_presets["identity"]["dedicated_racker"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id": "12",
"name": "HybridOneTwo",
"roles": [{"id": "1",
"name": "identity:nobody",
"description": "Nobody"}],
"RAX-AUTH:contactId": "12"
}
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{"id": "1",
"name": "Racker"}]
}
if token_id in get_presets["identity"]["dedicated_impersonator"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id": "34",
"name": "HybridThreeFour",
"roles": [{"id": "1",
"name": "identity:nobody",
"description": "Nobody"}],
"RAX-AUTH:contactId": "34"
}
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{"id": "1",
"name": "monitoring:service-admin"}]
}
if token_id in get_presets["identity"]["dedicated_non_permission_holder"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id": "78",
"name": "HybridSevenEight",
"roles": [{"id": "1",
"name": "identity:user-admin",
"description": "User admin"}],
"RAX-AUTH:contactId": "78"
}
if token_id in get_presets["identity"]["dedicated_quasi_user_impersonator"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id": "90",
"name": "HybridNineZero",
"roles": [{"id": "1",
"name": "identity:user-admin",
"description": "Admin"},
{"id": "3",
"name": "hybridRole",
"description": "Hybrid Admin",
"tenantId": "hybrid:123456"}]
}
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{"id": "1",
"name": "monitoring:service-admin"}]
}
return json.dumps(response)
def test_tokens_response(self):
"""
:func:`get_token` returns JSON-serializable data in the format
presented by a ``POST /v2.0/tokens`` API request; i.e. the normal
user-facing service catalog generation.
"""
tenant_id = 'abcdefg'
self.assertEqual(
get_token(
tenant_id=tenant_id, timestamp=lambda dt: "<<<timestamp>>>",
entry_generator=example_endpoints(lambda: 1),
prefix_for_endpoint=lambda e: 'prefix'
),
{
"access": {
"token": {
"id": HARD_CODED_TOKEN,
"expires": "<<<timestamp>>>",
"tenant": {
"id": tenant_id,
"name": tenant_id, # TODO: parameterize later
},
"RAX-AUTH:authenticatedBy": [
"PASSWORD",
]
},
"serviceCatalog": [
{
"name": "something",
"type": "compute",
"endpoints": [
{
"region": "EXAMPLE_1",
"tenantId": "abcdefg_1",
"publicURL": "http://ok_1"
},
{
"region": "EXAMPLE_2",
"tenantId": "abcdefg_2",
"publicURL": "http://ok_2"
}
]
},
{
"name": "something_else",
"type": "compute",
"endpoints": [
{
"region": "EXAMPLE_1",
"tenantId": "abcdefg_1",
"publicURL": "http://ok_1"
},
{
"region": "EXAMPLE_2",
"tenantId": "abcdefg_2",
"publicURL": "http://ok_2"
}
]
}
],
"user": {
"id": HARD_CODED_USER_ID,
"name": HARD_CODED_USER_NAME,
"roles": HARD_CODED_ROLES,
}
}
}
)
def validate_token(self, request, token_id):
"""
Creates a new session for the given tenant_id and token_id
and always returns response code 200.
Docs: http://developer.openstack.org/api-ref-identity-v2.html#admin-tokens
"""
request.setResponseCode(200)
tenant_id = request.args.get('belongsTo')
if tenant_id is not None:
tenant_id = tenant_id[0]
session = self.core.sessions.session_for_tenant_id(tenant_id, token_id)
response = get_token(
session.tenant_id,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
)
if session.impersonator_session_for_token(token_id) is not None:
impersonator_session = session.impersonator_session_for_token(
token_id)
response["access"][
"RAX-AUTH:impersonator"] = impersonator_user_role(
impersonator_session.user_id,
impersonator_session.username)
if token_id in get_presets["identity"]["token_fail_to_auth"]:
request.setResponseCode(401)
return json.dumps({
'itemNotFound': {
'code': 401,
'message': 'Invalid auth token'
}
})
imp_token = get_presets["identity"]["maas_admin_roles"]
racker_token = get_presets["identity"]["racker_token"]
if token_id in imp_token:
response["access"]["RAX-AUTH:impersonator"] = {
"id":
response["access"]["user"]["id"],
"name":
response["access"]["user"]["name"],
"roles": [{
"id": "123",
"name": "monitoring:service-admin"
}, {
"id": "234",
"name": "object-store:admin"
}]
}
if token_id in racker_token:
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{
"id": "9",
"name": "Racker"
}]
}
if tenant_id in get_presets["identity"]["observer_role"]:
response["access"]["user"]["roles"] = [{
"id": "observer",
"description": "Global Observer Role.",
"name": "observer"
}]
if tenant_id in get_presets["identity"]["creator_role"]:
response["access"]["user"]["roles"] = [{
"id": "creator",
"description": "Global Creator Role.",
"name": "creator"
}]
if tenant_id in get_presets["identity"]["admin_role"]:
response["access"]["user"]["roles"] = [{
"id": "admin",
"description": "Global Admin Role.",
"name": "admin"
}, {
"id": "observer",
"description": "Global Observer Role.",
"name": "observer"
}]
if token_id in get_presets["identity"]["non_dedicated_observer"]:
response["access"]["token"]["tenant"] = {
"id": "135790",
"name": "135790",
}
response["access"]["user"] = {
"name":
"OneTwo",
"roles": [{
"id": "1",
"name": "monitoring:observer",
"description": "Monitoring Observer"
}]
}
if token_id in get_presets["identity"]["non_dedicated_admin"]:
response["access"]["token"]["tenant"] = {
"id": "135790",
"name": "135790",
}
response["access"]["user"] = {
"name":
"ThreeFour",
"roles": [{
"id": "1",
"name": "monitoring:admin",
"description": "Monitoring Admin"
}, {
"id": "2",
"name": "admin",
"description": "Admin"
}]
}
if token_id in get_presets["identity"][
"dedicated_full_device_permission_holder"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id":
"12",
"name":
"HybridOneTwo",
"roles": [{
"id": "1",
"name": "monitoring:observer",
"description": "Monitoring Observer"
}, {
"id": "3",
"name": "hybridRole",
"description": "Hybrid Admin",
"tenantId": "hybrid:123456"
}],
"RAX-AUTH:contactId":
"12"
}
if token_id in get_presets["identity"][
"dedicated_account_permission_holder"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id":
"34",
"name":
"HybridThreeFour",
"roles": [{
"id": "1",
"name": "monitoring:creator",
"description": "Monitoring Creator"
}, {
"id": "2",
"name": "creator",
"description": "Creator"
}],
"RAX-AUTH:contactId":
"34"
}
if token_id in get_presets["identity"][
"dedicated_limited_device_permission_holder"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id":
"56",
"name":
"HybridFiveSix",
"roles": [{
"id": "1",
"name": "monitoring:observer",
"description": "Monitoring Observer"
}, {
"id": "2",
"name": "observer",
"description": "Observer"
}],
"RAX-AUTH:contactId":
"56"
}
if token_id in get_presets["identity"][
"dedicated_other_account_observer"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:654321",
"name": "hybrid:654321",
}
response["access"]["user"] = {
"id":
"78",
"name":
"HybridSevenEight",
"roles": [{
"id": "1",
"name": "monitoring:observer",
"description": "Observer"
}, {
"id": "2",
"name": "observer",
"description": "Observer"
}],
"RAX-AUTH:contactId":
"78"
}
if token_id in get_presets["identity"][
"dedicated_other_account_admin"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:654321",
"name": "hybrid:654321",
}
response["access"]["user"] = {
"id":
"90",
"name":
"HybridNineZero",
"roles": [{
"id": "1",
"name": "monitoring:admin",
"description": "Admin"
}, {
"id": "2",
"name": "admin",
"description": "Admin"
}],
"RAX-AUTH:contactId":
"90"
}
return json.dumps(response)
def validate_token(self, request, token_id):
"""
Creates a new session for the given tenant_id and token_id
and always returns response code 200.
Docs: http://developer.openstack.org/api-ref-identity-v2.html#admin-tokens
"""
request.setResponseCode(200)
tenant_id = request.args.get('belongsTo')
if tenant_id is not None:
tenant_id = tenant_id[0]
session = self.core.sessions.session_for_tenant_id(tenant_id, token_id)
response = get_token(
session.tenant_id,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
)
if session.impersonator_session_for_token(token_id) is not None:
impersonator_session = session.impersonator_session_for_token(token_id)
response["access"]["RAX-AUTH:impersonator"] = impersonator_user_role(
impersonator_session.user_id,
impersonator_session.username)
if token_id in get_presets["identity"]["token_fail_to_auth"]:
request.setResponseCode(401)
return json.dumps({'itemNotFound':
{'code': 401, 'message': 'Invalid auth token'}})
imp_token = get_presets["identity"]["maas_admin_roles"]
racker_token = get_presets["identity"]["racker_token"]
if token_id in imp_token:
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{"id": "123",
"name": "monitoring:service-admin"},
{"id": "234",
"name": "object-store:admin"}]}
if token_id in racker_token:
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{"id": "9",
"name": "Racker"}]}
if tenant_id in get_presets["identity"]["observer_role"]:
response["access"]["user"]["roles"] = [
{"id": "observer",
"description": "Global Observer Role.",
"name": "observer"}]
if tenant_id in get_presets["identity"]["creator_role"]:
response["access"]["user"]["roles"] = [
{"id": "creator",
"description": "Global Creator Role.",
"name": "creator"}]
if tenant_id in get_presets["identity"]["admin_role"]:
response["access"]["user"]["roles"] = [
{"id": "admin",
"description": "Global Admin Role.",
"name": "admin"},
{"id": "observer",
"description": "Global Observer Role.",
"name": "observer"}]
return json.dumps(response)
def validate_token(self, request, token_id):
"""
Creates a new session for the given tenant_id and token_id
and always returns response code 200.
Docs: http://developer.openstack.org/api-ref-identity-v2.html#admin-tokens
"""
request.setResponseCode(200)
tenant_id = request.args.get("belongsTo")
if tenant_id is not None:
tenant_id = tenant_id[0]
session = self.core.sessions.session_for_tenant_id(tenant_id, token_id)
response = get_token(
session.tenant_id,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
)
if session.impersonator_session_for_token(token_id) is not None:
impersonator_session = session.impersonator_session_for_token(token_id)
response["access"]["RAX-AUTH:impersonator"] = impersonator_user_role(
impersonator_session.user_id, impersonator_session.username
)
if token_id in get_presets["identity"]["token_fail_to_auth"]:
request.setResponseCode(401)
return json.dumps({"itemNotFound": {"code": 401, "message": "Invalid auth token"}})
imp_token = get_presets["identity"]["maas_admin_roles"]
racker_token = get_presets["identity"]["racker_token"]
if token_id in imp_token:
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [
{"id": "123", "name": "monitoring:service-admin"},
{"id": "234", "name": "object-store:admin"},
],
}
if token_id in racker_token:
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{"id": "9", "name": "Racker"}],
}
if tenant_id in get_presets["identity"]["observer_role"]:
response["access"]["user"]["roles"] = [
{"id": "observer", "description": "Global Observer Role.", "name": "observer"}
]
if tenant_id in get_presets["identity"]["creator_role"]:
response["access"]["user"]["roles"] = [
{"id": "creator", "description": "Global Creator Role.", "name": "creator"}
]
if tenant_id in get_presets["identity"]["admin_role"]:
response["access"]["user"]["roles"] = [
{"id": "admin", "description": "Global Admin Role.", "name": "admin"},
{"id": "observer", "description": "Global Observer Role.", "name": "observer"},
]
if token_id in get_presets["identity"]["non_dedicated_observer"]:
response["access"]["token"]["tenant"] = {"id": "135790", "name": "135790"}
response["access"]["user"] = {
"name": "OneTwo",
"roles": [{"id": "1", "name": "monitoring:observer", "description": "Monitoring Observer"}],
}
if token_id in get_presets["identity"]["non_dedicated_admin"]:
response["access"]["token"]["tenant"] = {"id": "135790", "name": "135790"}
response["access"]["user"] = {
"name": "ThreeFour",
"roles": [
{"id": "1", "name": "monitoring:admin", "description": "Monitoring Admin"},
{"id": "2", "name": "admin", "description": "Admin"},
],
}
if token_id in get_presets["identity"]["dedicated_full_device_permission_holder"]:
response["access"]["token"]["tenant"] = {"id": "hybrid:123456", "name": "hybrid:123456"}
response["access"]["user"] = {
"id": "12",
"name": "HybridOneTwo",
"roles": [
{"id": "1", "name": "monitoring:observer", "description": "Monitoring Observer"},
{"id": "3", "name": "hybridRole", "description": "Hybrid Admin", "tenantId": "hybrid:123456"},
],
"RAX-AUTH:contactId": "12",
}
if token_id in get_presets["identity"]["dedicated_account_permission_holder"]:
response["access"]["token"]["tenant"] = {"id": "hybrid:123456", "name": "hybrid:123456"}
response["access"]["user"] = {
"id": "34",
"name": "HybridThreeFour",
"roles": [
{"id": "1", "name": "monitoring:creator", "description": "Monitoring Creator"},
{"id": "2", "name": "creator", "description": "Creator"},
],
"RAX-AUTH:contactId": "34",
}
if token_id in get_presets["identity"]["dedicated_limited_device_permission_holder"]:
response["access"]["token"]["tenant"] = {"id": "hybrid:123456", "name": "hybrid:123456"}
response["access"]["user"] = {
"id": "56",
"name": "HybridFiveSix",
"roles": [
{"id": "1", "name": "monitoring:observer", "description": "Monitoring Observer"},
{"id": "2", "name": "observer", "description": "Observer"},
],
"RAX-AUTH:contactId": "56",
}
if token_id in get_presets["identity"]["dedicated_other_account_observer"]:
response["access"]["token"]["tenant"] = {"id": "hybrid:654321", "name": "hybrid:654321"}
response["access"]["user"] = {
"id": "78",
"name": "HybridSevenEight",
"roles": [
{"id": "1", "name": "monitoring:observer", "description": "Observer"},
{"id": "2", "name": "observer", "description": "Observer"},
],
"RAX-AUTH:contactId": "78",
}
if token_id in get_presets["identity"]["dedicated_other_account_admin"]:
response["access"]["token"]["tenant"] = {"id": "hybrid:654321", "name": "hybrid:654321"}
response["access"]["user"] = {
"id": "90",
"name": "HybridNineZero",
"roles": [
{"id": "1", "name": "monitoring:admin", "description": "Admin"},
{"id": "2", "name": "admin", "description": "Admin"},
],
"RAX-AUTH:contactId": "90",
}
return json.dumps(response)
def validate_token(self, request, token_id):
"""
Creates a new session for the given tenant_id and token_id
and always returns response code 200.
Docs: http://developer.openstack.org/api-ref-identity-v2.html#admin-tokens
"""
request.setResponseCode(200)
tenant_id = request.args.get('belongsTo')
if tenant_id is not None:
tenant_id = tenant_id[0]
session = self.core.sessions.session_for_tenant_id(tenant_id, token_id)
response = get_token(
session.tenant_id,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
)
if session.impersonator_session_for_token(token_id) is not None:
impersonator_session = session.impersonator_session_for_token(
token_id)
response["access"][
"RAX-AUTH:impersonator"] = impersonator_user_role(
impersonator_session.user_id,
impersonator_session.username)
if token_id in get_presets["identity"]["token_fail_to_auth"]:
request.setResponseCode(401)
return json.dumps({
'itemNotFound': {
'code': 401,
'message': 'Invalid auth token'
}
})
imp_token = get_presets["identity"]["maas_admin_roles"]
racker_token = get_presets["identity"]["racker_token"]
if token_id in imp_token:
response["access"]["RAX-AUTH:impersonator"] = {
"id":
response["access"]["user"]["id"],
"name":
response["access"]["user"]["name"],
"roles": [{
"id": "123",
"name": "monitoring:service-admin"
}, {
"id": "234",
"name": "object-store:admin"
}]
}
if token_id in racker_token:
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{
"id": "9",
"name": "Racker"
}]
}
if tenant_id in get_presets["identity"]["observer_role"]:
response["access"]["user"]["roles"] = [{
"id": "observer",
"description": "Global Observer Role.",
"name": "observer"
}]
if tenant_id in get_presets["identity"]["creator_role"]:
response["access"]["user"]["roles"] = [{
"id": "creator",
"description": "Global Creator Role.",
"name": "creator"
}]
if tenant_id in get_presets["identity"]["admin_role"]:
response["access"]["user"]["roles"] = [{
"id": "admin",
"description": "Global Admin Role.",
"name": "admin"
}, {
"id": "observer",
"description": "Global Observer Role.",
"name": "observer"
}]
return json.dumps(response)
def validate_token(self, request, token_id):
"""
Creates a new session for the given tenant_id and token_id
and always returns response code 200.
`OpenStack Identity v2 Admin Validate Token
<http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken>`_
"""
request.setResponseCode(200)
session = None
# Attempt to get the session based on tenant_id+token if the optional
# tenant_id is provided; if tenant_id is not provided, then just look
# it up based on the token.
tenant_id = request.args.get(b'belongsTo')
if tenant_id is not None:
tenant_id = tenant_id[0].decode("utf-8")
session = self.core.sessions.session_for_tenant_id(
tenant_id, token_id)
else:
session = self.core.sessions.session_for_token(token_id)
response = get_token(
session.tenant_id,
response_token=session.token,
response_user_id=session.user_id,
response_user_name=session.username,
)
if session.impersonator_session_for_token(token_id) is not None:
impersonator_session = session.impersonator_session_for_token(
token_id)
response["access"][
"RAX-AUTH:impersonator"] = impersonator_user_role(
impersonator_session.user_id,
impersonator_session.username)
if token_id in get_presets["identity"]["token_fail_to_auth"]:
# This is returning a 401 Unauthorized message but in a 404 not_found
# JSON data format. Is there a reason for this? An old OpenStack bug?
request.setResponseCode(401)
return json.dumps({
'itemNotFound': {
'code': 401,
'message': 'Invalid auth token'
}
})
imp_token = get_presets["identity"]["maas_admin_roles"]
racker_token = get_presets["identity"]["racker_token"]
if token_id in imp_token:
response["access"]["RAX-AUTH:impersonator"] = {
"id":
response["access"]["user"]["id"],
"name":
response["access"]["user"]["name"],
"roles": [{
"id": "123",
"name": "monitoring:service-admin"
}, {
"id": "234",
"name": "object-store:admin"
}]
}
if token_id in racker_token:
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{
"id": "9",
"name": "Racker"
}]
}
if tenant_id in get_presets["identity"]["observer_role"]:
response["access"]["user"]["roles"] = [{
"id": "observer",
"description": "Global Observer Role.",
"name": "observer"
}]
if tenant_id in get_presets["identity"]["creator_role"]:
response["access"]["user"]["roles"] = [{
"id": "creator",
"description": "Global Creator Role.",
"name": "creator"
}]
if tenant_id in get_presets["identity"]["admin_role"]:
response["access"]["user"]["roles"] = [{
"id": "admin",
"description": "Global Admin Role.",
"name": "admin"
}, {
"id": "observer",
"description": "Global Observer Role.",
"name": "observer"
}]
# Canned responses to be removed ...
if token_id in get_presets["identity"]["non_dedicated_observer"]:
response["access"]["token"]["tenant"] = {
"id": "135790",
"name": "135790",
}
response["access"]["user"] = {
"id":
"12",
"name":
"OneTwo",
"roles": [{
"id": "1",
"name": "monitoring:observer",
"description": "Monitoring Observer"
}]
}
if token_id in get_presets["identity"]["non_dedicated_admin"]:
response["access"]["token"]["tenant"] = {
"id": "135790",
"name": "135790",
}
response["access"]["user"] = {
"id":
"34",
"name":
"ThreeFour",
"roles": [{
"id": "1",
"name": "monitoring:admin",
"description": "Monitoring Admin"
}, {
"id": "2",
"name": "admin",
"description": "Admin"
}]
}
if token_id in get_presets["identity"]["non_dedicated_impersonator"]:
response["access"]["token"]["tenant"] = {
"id": "135790",
"name": "135790",
}
response["access"]["user"] = {
"id":
"34",
"name":
"ThreeFour",
"roles": [{
"id": "1",
"name": "identity:nobody",
"description": "Nobody"
}]
}
response["access"]["RAX-AUTH:impersonator"] = {
"id":
response["access"]["user"]["id"],
"name":
response["access"]["user"]["name"],
"roles": [{
"id": "1",
"name": "monitoring:service-admin"
}, {
"id": "2",
"name": "object-store:admin"
}]
}
if token_id in get_presets["identity"]["non_dedicated_racker"]:
response["access"]["token"]["tenant"] = {
"id": "135790",
"name": "135790",
}
response["access"]["user"] = {
"id":
"34",
"name":
"ThreeFour",
"roles": [{
"id": "1",
"name": "identity:nobody",
"description": "Nobody"
}]
}
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{
"id": "1",
"name": "Racker"
}]
}
if token_id in get_presets["identity"][
"dedicated_full_device_permission_holder"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id":
"12",
"name":
"HybridOneTwo",
"roles": [{
"id": "1",
"name": "monitoring:observer",
"tenantId": "hybrid:123456"
}],
"RAX-AUTH:contactId":
"12"
}
if token_id in get_presets["identity"][
"dedicated_account_permission_holder"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id":
"34",
"name":
"HybridThreeFour",
"roles": [{
"id": "1",
"name": "monitoring:creator",
"description": "Monitoring Creator"
}, {
"id": "2",
"name": "creator",
"description": "Creator"
}],
"RAX-AUTH:contactId":
"34"
}
if token_id in get_presets["identity"][
"dedicated_limited_device_permission_holder"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id":
"56",
"name":
"HybridFiveSix",
"roles": [{
"id": "1",
"name": "monitoring:observer",
"description": "Monitoring Observer"
}, {
"id": "2",
"name": "observer",
"description": "Observer"
}],
"RAX-AUTH:contactId":
"56"
}
if token_id in get_presets["identity"]["dedicated_racker"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id":
"12",
"name":
"HybridOneTwo",
"roles": [{
"id": "1",
"name": "identity:nobody",
"description": "Nobody"
}],
"RAX-AUTH:contactId":
"12"
}
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{
"id": "1",
"name": "Racker"
}]
}
if token_id in get_presets["identity"]["dedicated_impersonator"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id":
"34",
"name":
"HybridThreeFour",
"roles": [{
"id": "1",
"name": "identity:nobody",
"description": "Nobody"
}],
"RAX-AUTH:contactId":
"34"
}
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{
"id": "1",
"name": "monitoring:service-admin"
}]
}
if token_id in get_presets["identity"][
"dedicated_non_permission_holder"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id":
"78",
"name":
"HybridSevenEight",
"roles": [{
"id": "1",
"name": "identity:user-admin",
"description": "User admin"
}],
"RAX-AUTH:contactId":
"78"
}
if token_id in get_presets["identity"][
"dedicated_quasi_user_impersonator"]:
response["access"]["token"]["tenant"] = {
"id": "hybrid:123456",
"name": "hybrid:123456",
}
response["access"]["user"] = {
"id":
"90",
"name":
"HybridNineZero",
"roles": [{
"id": "1",
"name": "identity:user-admin",
"description": "Admin"
}, {
"id": "3",
"name": "hybridRole",
"description": "Hybrid Admin",
"tenantId": "hybrid:123456"
}]
}
response["access"]["RAX-AUTH:impersonator"] = {
"id": response["access"]["user"]["id"],
"name": response["access"]["user"]["name"],
"roles": [{
"id": "1",
"name": "monitoring:service-admin"
}]
}
return json.dumps(response)
def test_tokens_response(self):
"""
:func:`get_token` returns JSON-serializable data in the format
presented by a ``POST /v2.0/tokens`` API request; i.e. the normal
user-facing service catalog generation.
"""
tenant_id = 'abcdefg'
self.assertEqual(
get_token(tenant_id=tenant_id,
timestamp=lambda dt: "<<<timestamp>>>",
entry_generator=example_endpoints(lambda: 1),
prefix_for_endpoint=lambda e: 'prefix'),
{
"access": {
"token": {
"id": HARD_CODED_TOKEN,
"expires": "<<<timestamp>>>",
"tenant": {
"id": tenant_id,
"name": tenant_id, # TODO: parameterize later
},
"RAX-AUTH:authenticatedBy": [
"PASSWORD",
]
},
"serviceCatalog": [{
"name":
"something",
"type":
"compute",
"endpoints": [{
"region": "EXAMPLE_1",
"tenantId": "abcdefg_1",
"publicURL": "http://ok_1"
}, {
"region": "EXAMPLE_2",
"tenantId": "abcdefg_2",
"publicURL": "http://ok_2"
}]
}, {
"name":
"something_else",
"type":
"compute",
"endpoints": [{
"region": "EXAMPLE_1",
"tenantId": "abcdefg_1",
"publicURL": "http://ok_1"
}, {
"region": "EXAMPLE_2",
"tenantId": "abcdefg_2",
"publicURL": "http://ok_2"
}]
}],
"user": {
"id": HARD_CODED_USER_ID,
"name": HARD_CODED_USER_NAME,
"roles": HARD_CODED_ROLES,
}
}
})