def on_get(self, req, resp, token_id): token = identity.token_id_driver().token_from_id(token_id) identity.token_driver().validate_access(token, tenant_id=req.get_param("belongsTo")) access = get_access(token_id, token) resp.status = 200 resp.body = {"access": access}
def on_get(self, req, resp, token_id): token = identity.token_id_driver().token_from_id(token_id) identity.token_driver().validate_access( token, tenant_id=req.get_param('belongsTo')) access = get_access(token_id, token) resp.status = 200 resp.body = {'access': access}
def on_get(self, req, resp, token_id): token = identity.token_id_driver().token_from_id(token_id) identity.token_driver().validate_access(token, tenant_id=req.get_param( 'belongsTo')) access = get_access(token_id, token) # Add catalog to the access data self._add_catalog_to_access(access, token) resp.status = 200 resp.body = {'access': access}
def on_get(self, req, resp): toks = [req.get_header('X-Auth-Token'), # the token who sent request req.get_header('X-Subject-Token')] # the token to be validated token_id_driver = identity.token_id_driver() tokens = identity.token_driver() validated_tokens = [] for token_id in toks: token = token_id_driver.token_from_id(token_id) tokens.validate_token(token) validated_tokens.append(token) access = get_access_v3(toks[1], validated_tokens[1], tokens.user_id(validated_tokens[1]), tokens.username(validated_tokens[1])) if 'nocatalog' not in req.query_string: # Add catalog to the access data catalog = self._build_catalog(validated_tokens[1], tokens.user_id(validated_tokens[1])) access['token']['catalog'] = catalog resp.status = 200 resp.set_header('X-Auth-Token', toks[0]) resp.set_header('X-Subject-Token', toks[1]) # V2 APIs return the body in 'access' keypair but V3 APIs do not # resp.body = {'access': access} resp.body = access
def on_post(self, req, resp): body = req.stream.read().decode() credentials = json.loads(body) tokens = identity.token_driver() auth = identity.auth_driver().authenticate(credentials) if auth is None: raise exceptions.Unauthorized('Unauthorized credentials') token = tokens.create_token(credentials, auth) tok_id = identity.token_id_driver().create_token_id(token) access = get_access(tok_id, token) # Add catalog to the access data raw_catalog = self._get_catalog(tokens.tenant_id(token), tokens.user_id(token)) catalog = [] for services in raw_catalog.values(): for service_type, service in services.items(): d = { 'type': service_type, 'name': service.get('name', 'Unknown'), 'endpoints': [{ 'region': service.get('region', 'RegionOne'), 'publicURL': service.get('publicURL'), 'privateURL': service.get('privateURL'), 'adminURL': service.get('adminURL'), }], 'endpoint_links': [], } catalog.append(d) access['serviceCatalog'] = catalog resp.status = 200 resp.body = {'access': access}
def on_post(self, req, resp): body = req.stream.read().decode() credentials = json.loads(body) tokens = identity.token_driver() auth = identity.auth_driver().authenticate(credentials) if auth is None: raise Unauthorized('Unauthorized credentials') token = tokens.create_token(credentials, auth) tok_id = identity.token_id_driver().create_token_id(token) access = get_access(tok_id, token) # Add catalog to the access data raw_catalog = self._get_catalog(tokens.tenant_id(token), tokens.user_id(token)) catalog = [] for services in raw_catalog.values(): for service_type, service in services.items(): d = { 'type': service_type, 'name': service.get('name', 'Unknown'), 'endpoints': [{ 'region': service.get('region', 'RegionOne'), 'publicURL': service.get('publicURL'), 'privateURL': service.get('privateURL'), 'adminURL': service.get('adminURL'), }], 'endpoint_links': [], } catalog.append(d) access['serviceCatalog'] = catalog resp.status = 200 resp.body = {'access': access}
def on_get(self, req, resp): toks = [ req.get_header('X-Auth-Token'), # the token who sent request req.get_header('X-Subject-Token') ] # the token to be validated token_id_driver = identity.token_id_driver() tokens = identity.token_driver() validated_tokens = [] for token_id in toks: token = token_id_driver.token_from_id(token_id) tokens.validate_token(token) validated_tokens.append(token) access = get_access_v3(toks[1], validated_tokens[1], tokens.user_id(validated_tokens[1]), tokens.username(validated_tokens[1])) if 'nocatalog' not in req.query_string: # Add catalog to the access data catalog = self._build_catalog(validated_tokens[1], tokens.user_id(validated_tokens[1])) access['token']['catalog'] = catalog resp.status = 200 resp.set_header('X-Auth-Token', toks[0]) resp.set_header('X-Subject-Token', toks[1]) # V2 APIs return the body in 'access' keypair but V3 APIs do not # resp.body = {'access': access} resp.body = access
def authenticate(self, creds): username = utils.lookup(creds,'auth','passwordCredentials','username') credential = utils.lookup(creds,'auth','passwordCredentials','password') token_id = utils.lookup(creds, 'auth', 'token', 'id') token_driver = identity.token_driver() token_auth = None # If token_id exists, get UID/Password associated w/ this token. if token_id: token = identity.token_id_driver().token_from_id(token_id) token_driver.validate_token(token) username = token_driver.username(token) credential = token_driver.credential(token) token_auth = token['auth_type'] == 'token' headers = {"Accept": "application/json", "Content-Type": "application/json"} auth = (username, credential) resp = requests.get("https://cloud.skytap.com/users", headers=headers, auth=auth) if resp.status_code == 200: payload = json.loads(resp.text) user_id = utils.lookup(payload[0], 'id') auth_type = "token" if token_auth else "api_key" sys.stderr.write("auth_type: %s" % auth_type) return {'user': {"id": user_id, "username": username, "accountId": user_id}, 'credential': credential, 'auth_type': auth_type} return None
def _add_catalog_to_access_stub(self, access, token, req): tokens = identity.token_driver() account_id = tokens.tenant_id(token) index_url = self.app.get_dispatcher('identity').get_endpoint_url(req, 'v2_auth_index') v2_url = self.app.get_dispatcher('compute').get_endpoint_url(req, 'v2_index') service_catalog = [{ 'endpoint_links': [], 'endpoints': [{ 'region': 'RegionOne', 'publicURL': v2_url + '/%s' % account_id, 'privateURL': v2_url + '/v2/%s' % account_id, 'adminURL': v2_url + '/v2/%s' % account_id, 'internalURL': v2_url + '/v2/%s' % account_id, 'id': 1, }], 'type': 'compute', 'name': 'nova', }, { 'endpoint_links': [], 'endpoints': [{ 'region': 'RegionOne', 'publicURL': index_url, 'privateURL': index_url, 'adminURL': index_url, 'internalURL': index_url, 'id': 1, }], 'type': 'identity', 'name': 'keystone', }] access['serviceCatalog'] = service_catalog
def get_access(token_id, token_details): tokens = identity.token_driver() return { 'token': { 'expires': datetime.datetime.fromtimestamp( tokens.expires(token_details)).isoformat(), 'id': token_id, 'tenant': { 'id': tokens.tenant_id(token_details), 'name': tokens.tenant_name(token_details), }, }, 'user': { 'username': tokens.username(token_details), 'id': tokens.user_id(token_details), 'roles': [{ 'id': rid, 'name': name } for rid, name in tokens.roles(token_details).items()], 'role_links': [], 'name': tokens.username(token_details), }, }
def get_access(token_id, token_details): tokens = identity.token_driver() expiration_time = tokens.expires(token_details) issued_at_time = expiration_time - auth.TOKEN_LIFETIME_SEC return { 'token': { # replaced isoformat() with strftime to make tempest pass 'expires': datetime.datetime.fromtimestamp(expiration_time).strftime( '%Y-%m-%dT%H:%M:%SZ'), 'issued_at': datetime.datetime.fromtimestamp(issued_at_time).strftime( '%Y-%m-%dT%H:%M:%S.%fZ'), 'id': token_id, 'tenant': { 'id': tokens.tenant_id(token_details), 'name': tokens.tenant_name(token_details), }, }, 'user': { 'username': tokens.username(token_details), 'id': tokens.user_id(token_details), 'roles': [{ 'id': rid, 'name': name } for rid, name in tokens.roles(token_details).items()], 'role_links': [], 'name': tokens.username(token_details), }, }
def authenticate(self, creds): username = lookup(creds, 'auth', 'passwordCredentials', 'username') credential = lookup(creds, 'auth', 'passwordCredentials', 'password') token_id = lookup(creds, 'auth', 'token', 'id') token_auth = None if token_id: token = identity.token_id_driver().token_from_id(token_id) token_driver = identity.token_driver() token_driver.validate_token(token) username = token_driver.username(token) credential = token_driver.credential(token) token_auth = token['auth_type'] == 'token' def assert_tenant(user): tenant = lookup(creds, 'auth', 'tenantId') or lookup(creds, 'auth', 'tenantName') if tenant and str(user['accountId']) != tenant: raise Unauthorized('Invalid username, password or tenant id') # If the 'password' is the right length, treat it as an API api_key if len(credential) == 64: client = Client(username=username, api_key=credential, endpoint_url=cfg.CONF['softlayer']['endpoint'], proxy=cfg.CONF['softlayer']['proxy']) user = client['Account'].getCurrentUser(mask=USER_MASK) assert_tenant(user) return {'user': user, 'credential': credential, 'auth_type': 'api_key'} else: client = Client(endpoint_url=cfg.CONF['softlayer']['endpoint'], proxy=cfg.CONF['softlayer']['proxy']) client.auth = None try: if token_auth: client.auth = TokenAuthentication(token['user_id'], credential) else: userId, tokenHash = client.\ authenticate_with_password(username, credential) user = client['Account'].getCurrentUser(mask=USER_MASK) assert_tenant(user) if token_auth: tokenHash = credential return {'user': user, 'credential': tokenHash, 'auth_type': 'token'} except SoftLayerAPIError as e: if (e.faultCode == "SoftLayer_Exception_User_Customer" "_LoginFailed"): raise Unauthorized(e.faultString) raise
def on_get(self, req, resp, token_id): tokens = identity.token_driver() token = identity.token_id_driver().token_from_id(token_id) identity.token_driver().validate_token(token) raw_endpoints = self._get_catalog(tokens.tenant_id(token), tokens.user_id(token)) endpoints = [] for services in raw_endpoints.values(): for service_type, service in services.items(): d = { "adminURL": service.get("adminURL"), "name": service.get("name", "Unknown"), "publicURL": service.get("publicURL"), "privateURL": service.get("privateURL"), "region": service.get("region", "RegionOne"), "tenantId": tokens.tenant_id(token), "type": service_type, } endpoints.append(d) resp.status = 200 resp.body = {"endpoints": endpoints, "endpoints_links": []}
def on_get(self, req, resp): token_id = req.headers.get('X-AUTH-TOKEN', None) tokens = identity.token_driver() token = identity.token_id_driver().token_from_id(token_id) identity.token_driver().validate_token(token) raw_endpoints = self._get_catalog(tokens.tenant_id(token), tokens.user_id(token)) endpoints = [] for services in raw_endpoints.values(): for service_type, service in services.items(): d = { 'adminURL': service.get('adminURL'), 'name': service.get('name', 'Unknown'), 'publicURL': service.get('publicURL'), 'privateURL': service.get('privateURL'), 'region': service.get('region', 'RegionOne'), 'tenantId': tokens.tenant_id(token), 'type': service_type, } endpoints.append(d) resp.status = 200 resp.body = {'endpoints': endpoints, 'endpoints_links': []}
def on_get(self, req, resp, token_id): tokens = identity.token_driver() token = identity.token_id_driver().token_from_id(token_id) identity.token_driver().validate_token(token) raw_endpoints = self._get_catalog(tokens.tenant_id(token), tokens.user_id(token)) endpoints = [] for services in raw_endpoints.values(): for service_type, service in services.items(): d = { 'adminURL': service.get('adminURL'), 'name': service.get('name', 'Unknown'), 'publicURL': service.get('publicURL'), 'privateURL': service.get('privateURL'), 'region': service.get('region', 'RegionOne'), 'tenantId': tokens.tenant_id(token), 'type': service_type, } endpoints.append(d) resp.status = 200 resp.body = {'endpoints': endpoints, 'endpoints_links': []}
def token_from_id(self, token_id): try: tokens = identity.token_driver() if (identity.auth_driver().__class__.__name__ != "NoAuthDriver"): raise exceptions.InvalidTokenError( 'Auth-driver must be NoAuthDriver') auth = identity.auth_driver().authenticate(None) if auth is None: raise exceptions.Unauthorized('Unauthorized credentials') token = tokens.create_token(None, auth) return token except (TypeError, ValueError): raise exceptions.InvalidTokenError('Malformed token')
def authenticate(self, creds): username = lookup(creds, 'auth', 'passwordCredentials', 'username') credential = lookup(creds, 'auth', 'passwordCredentials', 'password') token_id = lookup(creds, 'auth', 'token', 'id') if token_id: token = identity.token_id_driver().token_from_id(token_id) token_driver = identity.token_driver() token_driver.validate_token(token) username = token_driver.username(token) credential = token_driver.credential(token) def assert_tenant(user): tenant = lookup(creds, 'auth', 'tenantId') or lookup( creds, 'auth', 'tenantName') if tenant and str(user['accountId']) != tenant: raise Unauthorized('Invalid username, password or tenant id') # If the 'password' is the right length, treat it as an API api_key if len(credential) == 64: client = Client(username=username, api_key=credential, endpoint_url=cfg.CONF['softlayer']['endpoint'], proxy=cfg.CONF['softlayer']['proxy']) user = client['Account'].getCurrentUser(mask=USER_MASK) assert_tenant(user) return { 'user': user, 'credential': credential, 'auth_type': 'api_key' } else: client = Client(endpoint_url=cfg.CONF['softlayer']['endpoint'], proxy=cfg.CONF['softlayer']['proxy']) client.auth = None try: userId, tokenHash = client.\ authenticate_with_password(username, credential) user = client['Account'].getCurrentUser(mask=USER_MASK) assert_tenant(user) return { 'user': user, 'credential': tokenHash, 'auth_type': 'token' } except SoftLayerAPIError as e: if (e.faultCode == "SoftLayer_Exception_User_Customer" "_LoginFailed"): raise Unauthorized(e.faultString) raise
def get_access(token_id, token_details): tokens = identity.token_driver() return { "token": { "expires": datetime.datetime.fromtimestamp(tokens.expires(token_details)).isoformat(), "id": token_id, "tenant": {"id": tokens.tenant_id(token_details), "name": tokens.tenant_name(token_details)}, }, "user": { "username": tokens.username(token_details), "id": tokens.user_id(token_details), "roles": [{"id": rid, "name": name} for rid, name in tokens.roles(token_details).items()], "role_links": [], "name": tokens.username(token_details), }, }
def on_post(self, req, resp): body = req.stream.read().decode() credentials = json.loads(body) tokens = identity.token_driver() auth = identity.auth_driver().authenticate(credentials) if auth is None: raise exceptions.Unauthorized('Unauthorized credentials') token = tokens.create_token(credentials, auth) tok_id = identity.token_id_driver().create_token_id(token) access = get_access(tok_id, token) # Add catalog to the access data self._add_catalog_to_access(access, token) resp.status = 200 resp.body = {'access': access}
def _add_catalog_to_access(self, access, token): tokens = identity.token_driver() raw_catalog = self._get_catalog(tokens.tenant_id(token), tokens.user_id(token)) catalog = [] for services in raw_catalog.values(): for service_type, service in services.items(): d = { 'type': service_type, 'name': service.get('name', 'Unknown'), 'endpoints': [{ 'region': service.get('region', 'RegionOne'), 'publicURL': service.get('publicURL'), 'privateURL': service.get('privateURL'), 'adminURL': service.get('adminURL'), }], 'endpoint_links': [], } catalog.append(d) access['serviceCatalog'] = catalog
def get_access(token_id, token_details): tokens = identity.token_driver() return { 'token': { 'expires': datetime.datetime.fromtimestamp( tokens.expires(token_details)).isoformat(), 'id': token_id, 'tenant': { 'id': tokens.tenant_id(token_details), 'name': tokens.tenant_name(token_details), }, }, 'user': { 'username': tokens.username(token_details), 'id': tokens.user_id(token_details), 'roles': [{'id': rid, 'name': name} for rid, name in tokens.roles(token_details).items()], 'role_links': [], 'name': tokens.username(token_details), }, }
def get_access(token_id, token_details): tokens = identity.token_driver() return { 'token': { # replaced isoformat() with strftime to make tempest pass 'expires': datetime.datetime.fromtimestamp( tokens.expires(token_details)).strftime('%Y-%m-%dT%H:%M:%SZ'), 'id': token_id, 'tenant': { 'id': tokens.tenant_id(token_details), 'name': tokens.tenant_name(token_details), }, }, 'user': { 'username': tokens.username(token_details), 'id': tokens.user_id(token_details), 'roles': [{'id': rid, 'name': name} for rid, name in tokens.roles(token_details).items()], 'role_links': [], 'name': tokens.username(token_details), }, }
def authenticate(self, creds): username = lookup(creds, "auth", "passwordCredentials", "username") credential = lookup(creds, "auth", "passwordCredentials", "password") token_id = lookup(creds, "auth", "token", "id") if token_id: token = identity.token_id_driver().token_from_id(token_id) token_driver = identity.token_driver() token_driver.validate_token(token) username = token_driver.username(token) credential = token_driver.credential(token) def assert_tenant(user): tenant = lookup(creds, "auth", "tenantId") or lookup(creds, "auth", "tenantName") if tenant and str(user["accountId"]) != tenant: raise Unauthorized("Invalid username, password or tenant id") # If the 'password' is the right length, treat it as an API api_key if len(credential) == 64: client = Client( username=username, api_key=credential, endpoint_url=cfg.CONF["softlayer"]["endpoint"], proxy=cfg.CONF["softlayer"]["proxy"], ) user = client["Account"].getCurrentUser(mask=USER_MASK) assert_tenant(user) return {"user": user, "credential": credential, "auth_type": "api_key"} else: client = Client(endpoint_url=cfg.CONF["softlayer"]["endpoint"], proxy=cfg.CONF["softlayer"]["proxy"]) client.auth = None try: userId, tokenHash = client.authenticate_with_password(username, credential) user = client["Account"].getCurrentUser(mask=USER_MASK) assert_tenant(user) return {"user": user, "credential": tokenHash, "auth_type": "token"} except SoftLayerAPIError as e: if e.faultCode == "SoftLayer_Exception_User_Customer" "_LoginFailed": raise Unauthorized(e.faultString) raise
def _add_catalog_to_access(self, access, token): tokens = identity.token_driver() raw_catalog = self._get_catalog(tokens.tenant_id(token), tokens.user_id(token)) catalog = [] for services in raw_catalog.values(): for service_type, service in services.items(): d = { 'type': service_type, 'name': service.get('name', 'Unknown'), 'endpoints': [{ 'region': service.get('region', 'RegionOne'), 'publicURL': service.get('publicURL'), 'internalURL': service.get('internalURL'), 'adminURL': service.get('adminURL'), }], 'endpoint_links': [], } catalog.append(d) access['serviceCatalog'] = catalog
def on_post(self, req, resp): body = req.stream.read().decode() credentials = json.loads(body) tokens = identity.token_driver() auth = identity.auth_driver().authenticate(credentials) if auth is None: raise Unauthorized("Unauthorized credentials") token = tokens.create_token(credentials, auth) tok_id = identity.token_id_driver().create_token_id(token) access = get_access(tok_id, token) # Add catalog to the access data raw_catalog = self._get_catalog(tokens.tenant_id(token), tokens.user_id(token)) catalog = [] for services in raw_catalog.values(): for service_type, service in services.items(): d = { "type": service_type, "name": service.get("name", "Unknown"), "endpoints": [ { "region": service.get("region", "RegionOne"), "publicURL": service.get("publicURL"), "privateURL": service.get("privateURL"), "adminURL": service.get("adminURL"), } ], "endpoint_links": [], } catalog.append(d) access["serviceCatalog"] = catalog resp.status = 200 resp.body = {"access": access}
def authenticate(self, creds): username = utils.lookup(creds, 'auth', 'passwordCredentials', 'username') credential = utils.lookup(creds, 'auth', 'passwordCredentials', 'password') token_id = utils.lookup(creds, 'auth', 'token', 'id') token_driver = identity.token_driver() token_auth = None if token_id: token = identity.token_id_driver().token_from_id(token_id) token_driver.validate_token(token) username = token_driver.username(token) credential = token_driver.credential(token) token_auth = token['auth_type'] == 'token' def assert_tenant(user): tenant = (utils.lookup(creds, 'auth', 'tenantId') or utils.lookup(creds, 'auth', 'tenantName')) if tenant and str(user['accountId']) != tenant: raise exceptions.Unauthorized( 'Invalid username, password or tenant id') endpoint = config.PARSER.get('softlayer', 'endpoint') proxy = config.PARSER.get('softlayer', 'proxy') # If the 'password' is the right length, treat it as an API api_key if len(credential) == 64: client = SoftLayer.Client(username=username, api_key=credential, endpoint_url=endpoint, proxy=proxy) user = client['Account'].getCurrentUser(mask=USER_MASK) assert_tenant(user) return { 'user': user, 'credential': credential, 'auth_type': 'api_key' } else: client = SoftLayer.Client(endpoint_url=endpoint, proxy=proxy) client.auth = None try: if token_auth: client.auth = SoftLayer.TokenAuthentication( token['user_id'], credential) else: userId, tokenHash = (client.authenticate_with_password( username, credential)) user = client['Account'].getCurrentUser(mask=USER_MASK) assert_tenant(user) if token_auth: tokenHash = credential return { 'user': user, 'credential': tokenHash, 'auth_type': 'token' } except SoftLayer.SoftLayerAPIError as e: if (e.faultCode == "SoftLayer_Exception_User_Customer" "_LoginFailed"): raise exceptions.Unauthorized(e.faultString) raise
def get_new_token_v3(credentials): token_driver = identity.token_driver() token_id = utils.lookup(credentials, 'auth', 'identity', 'token', 'id') if token_id: token = identity.token_id_driver().token_from_id(token_id) LOG.debug("token details are: %s", str(token)) token_driver.validate_token(token) username = token_driver.username(token) credential = token_driver.credential(token) userinfo = {'username': username, 'auth_type': str(token['auth_type']), 'tenant_id': str(token['tenant_id']), 'expires': token['expires']} if token['auth_type'] == 'token': userinfo['tokenHash'] = credential if token['auth_type'] == 'api_key': userinfo['api_key'] = credential user = {'id': token['user_id'], 'username': username, 'accountId': token['tenant_id']} return userinfo, user username = utils.lookup(credentials, 'auth', 'passwordCredentials', 'username') credential = utils.lookup(credentials, 'auth', 'passwordCredentials', 'password') # If the 'password' is the right length, treat it as an API api_key if len(credential) == 64: endpoint = cfg.CONF['softlayer']['endpoint'] client = SoftLayer.Client(username=username, api_key=credential, endpoint_url=endpoint, proxy=cfg.CONF['softlayer']['proxy']) user = client['Account'].getCurrentUser(mask=USER_MASK) username = token_driver.username(user) return {'username': username, 'api_key': credential, 'auth_type': 'api_key', 'tenant_id': str(user['accountId']), 'expires': time.time() + (60 * 60 * 24)}, user else: endpoint = cfg.CONF['softlayer']['endpoint'] client = SoftLayer.Client(endpoint_url=endpoint, proxy=cfg.CONF['softlayer']['proxy']) client.auth = None try: userId, tokenHash = client.authenticate_with_password(username, credential) user = client['Account'].getCurrentUser(mask=USER_MASK) username = token_driver.username(user) return {'userId': userId, 'username': username, 'tokenHash': tokenHash, 'auth_type': 'token', 'tenant_id': str(user['accountId']), 'expires': time.time() + (60 * 60 * 24)}, user except SoftLayer.SoftLayerAPIError as e: if e.faultCode == 'SoftLayer_Exception_User_Customer_LoginFailed': raise exceptions.Unauthorized(e.faultString) raise