def get_system_access(user_id, auth_url, token, is_federated):
session = get_session()
auth_url, _ = fix_auth_url_version_prefix(auth_url)
auth = token_endpoint.Token(auth_url, token)
client = get_keystone_client().Client(session=session, auth=auth)
# Old versions of keystoneclient don't have auth.system endpoint yet.
auth_system = getattr(client.auth, 'system', None)
if auth_system is not None:
return 'all' in auth_system()
# Fall back to trying to get the system scope token.
try:
auth = get_token_auth_plugin(auth_url=auth_url, token=token,
system_scope='all')
auth.get_access(session)
except keystone_exceptions.ClientException:
return False
return True
def switch(request, tenant_id, redirect_field_name=auth.REDIRECT_FIELD_NAME):
"""Switches an authenticated user from one project to another."""
LOG.debug('Switching to tenant %s for user "%s".'
% (tenant_id, request.user.username))
endpoint = utils.fix_auth_url_version(request.user.endpoint)
session = utils.get_session()
# Keystone can be configured to prevent exchanging a scoped token for
# another token. Always use the unscoped token for requesting a
# scoped token.
unscoped_token = request.user.unscoped_token
auth = utils.get_token_auth_plugin(auth_url=endpoint,
token=unscoped_token,
project_id=tenant_id)
try:
auth_ref = auth.get_access(session)
msg = 'Project switch successful for user "%(username)s".' % \
{'username': request.user.username}
LOG.info(msg)
except keystone_exceptions.ClientException:
msg = (
_('Project switch failed for user "%(username)s".') %
{'username': request.user.username})
messages.error(request, msg)
auth_ref = None
LOG.exception('An error occurred while switching sessions.')
# Ensure the user-originating redirection url is safe.
# Taken from django.contrib.auth.views.login()
redirect_to = request.REQUEST.get(redirect_field_name, '')
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = settings.LOGIN_REDIRECT_URL
if auth_ref:
old_endpoint = request.session.get('region_endpoint')
old_token = request.session.get('token')
if old_token and old_endpoint and old_token.id != auth_ref.auth_token:
delete_token(endpoint=old_endpoint, token_id=old_token.id)
user = auth_user.create_user_from_token(
request,
auth_user.Token(auth_ref, unscoped_token=unscoped_token),
endpoint)
auth_user.set_session_from_user(request, user)
message = (
_('Switch to project "%(project_name)s" successful.') %
{'project_name': request.user.project_name})
messages.success(request, message)
response = shortcuts.redirect(redirect_to)
utils.set_response_cookie(response, 'recent_project',
request.user.project_id)
return response
def switch(request, project_id=None):
if not project_id:
data = json.loads(request.body)
tenant_id = data['project_id']
else:
tenant_id = project_id
LOG.debug('Switching to tenant %s for user "%s".', tenant_id,
request.user.username)
endpoint, __ = utils.fix_auth_url_version_prefix(request.user.endpoint)
session = utils.get_session()
unscoped_token = request.user.unscoped_token
auth = utils.get_token_auth_plugin(auth_url=endpoint,
token=unscoped_token,
project_id=tenant_id)
try:
auth_ref = auth.get_access(session)
msg = 'Project switch successful for user "%(username)s".' % \
{'username': request.user.username}
LOG.info(msg)
except keystone_exceptions.ClientException:
msg = (_('Project switch failed for user "%(username)s".') % {
'username': request.user.username
})
messages.error(request, msg)
auth_ref = None
LOG.exception('An error occurred while switching sessions.')
if auth_ref:
user = auth_user.create_user_from_token(
request, auth_user.Token(auth_ref, unscoped_token=unscoped_token),
endpoint)
auth_user.set_session_from_user(request, user)
message = (_('Switch to project "%(project_name)s" successful.') % {
'project_name': request.user.project_name
})
messages.success(request, message)
# utils.set_response_cookie(response, 'recent_project',
# request.user.project_id)
print({
"tenant_id": request.user.tenant_id,
"tenant_name": request.user.tenant_name,
"username": request.user.username
})
return JsonResponse("success", safe=False)
else:
return JsonResponse("failed", status=400, safe=False)
def switch_system_scope(request, redirect_field_name=auth.REDIRECT_FIELD_NAME):
"""Switches an authenticated user from one system to another."""
LOG.debug('Switching to system scope for user "%s".',
request.user.username)
endpoint, __ = utils.fix_auth_url_version_prefix(request.user.endpoint)
session = utils.get_session()
# Keystone can be configured to prevent exchanging a scoped token for
# another token. Always use the unscoped token for requesting a
# scoped token.
unscoped_token = request.user.unscoped_token
auth = utils.get_token_auth_plugin(auth_url=endpoint,
token=unscoped_token,
system_scope='all')
try:
auth_ref = auth.get_access(session)
except keystone_exceptions.ClientException:
msg = (_('System switch failed for user "%(username)s".') % {
'username': request.user.username
})
messages.error(request, msg)
auth_ref = None
LOG.exception('An error occurred while switching sessions.')
else:
msg = 'System switch successful for user "%(username)s".' % \
{'username': request.user.username}
LOG.info(msg)
# Ensure the user-originating redirection url is safe.
# Taken from django.contrib.auth.views.login()
redirect_to = request.GET.get(redirect_field_name, '')
if not http.is_safe_url(url=redirect_to,
allowed_hosts=[request.get_host()]):
redirect_to = settings.LOGIN_REDIRECT_URL
if auth_ref:
user = auth_user.create_user_from_token(
request, auth_user.Token(auth_ref, unscoped_token=unscoped_token),
endpoint)
auth_user.set_session_from_user(request, user)
message = _('Switch to system scope successful.')
messages.success(request, message)
response = shortcuts.redirect(redirect_to)
return response
