def _authenticate(self, validate, user_id, tenant_id=None): if tenant_id: duser = api.USER.get_by_tenant(user_id, tenant_id) if duser == None: raise fault.UnauthorizedFault("Unauthorized on this tenant") else: duser = api.USER.get(user_id) if duser == None: raise fault.UnauthorizedFault("Unauthorized") if not duser.enabled: raise fault.UserDisabledFault("Your account has been disabled") if not validate(duser): raise fault.UnauthorizedFault("Unauthorized") # use user's default tenant_id if one is not specified tenant_id = tenant_id or duser.tenant_id # check for an existing token dtoken = api.TOKEN.get_for_user_by_tenant(duser.id, tenant_id) if not dtoken or dtoken.expires < datetime.now(): # Create new token dtoken = models.Token() dtoken.id = str(uuid.uuid4()) dtoken.user_id = duser.id dtoken.tenant_id = tenant_id dtoken.expires = datetime.now() + timedelta(days=1) api.TOKEN.create(dtoken) return self.__get_auth_data(dtoken)
def authenticate_ec2(self, credentials): # Check credentials if not isinstance(credentials, auth.Ec2Credentials): raise fault.BadRequestFault("Expecting Ec2 Credentials!") creds = api.CREDENTIALS.get_by_access(credentials.access) if not creds: raise fault.UnauthorizedFault("No credentials found for %s" % credentials.access) def validate(duser): signer = Signer(creds.secret) signature = signer.generate(credentials) if signature == credentials.signature: return True # NOTE(vish): Some libraries don't use the port when signing # requests, so try again without port. if ':' in credentials.host: hostname, _port = credentials.host.split(":") credentials.host = hostname signature = signer.generate(credentials) return signature == credentials.signature return False return self._authenticate(validate, creds.user_id, creds.tenant_id)
def __validate_service_or_keystone_admin_token(self, token_id): (token, user) = self.__validate_token(token_id) if backends.ADMIN_ROLE_ID is None: role = api.ROLE.get_by_name(backends.ADMIN_ROLE_NAME) if role: backends.ADMIN_ROLE_ID = role.id else: LOG.error('Admin role is missing.') if backends.SERVICE_ADMIN_ROLE_ID is None: role = api.ROLE.get_by_name(backends.SERVICE_ADMIN_ROLE_NAME) if role: backends.SERVICE_ADMIN_ROLE_ID = role.id else: LOG.warn('No service admin role is defined.') for role_ref in api.ROLE.ref_get_all_global_roles(user.id): if (role_ref.role_id == backends.ADMIN_ROLE_ID or \ role_ref.role_id == backends.SERVICE_ADMIN_ROLE_ID) \ and role_ref.tenant_id is None: return (token, user) raise fault.UnauthorizedFault( "You are not authorized to make this call")
def __validate_tenant_by_name(self, tenant_name): if not tenant_name: raise fault.UnauthorizedFault("Missing tenant name") dtenant = api.TENANT.get_by_name(name=tenant_name) return self.__validate_tenant(dtenant)
def __validate_tenant_by_id(self, tenant_id): if not tenant_id: raise fault.UnauthorizedFault("Missing tenant id") dtenant = api.TENANT.get(tenant_id) return self.__validate_tenant(dtenant)
def __validate_tenant(self, dtenant): if not dtenant: raise fault.UnauthorizedFault("Tenant not found") if not dtenant.enabled: raise fault.TenantDisabledFault("Tenant %s has been disabled!" % dtenant.id) return dtenant
def get_token_by(self, req): try: cred = utils.get_normalized_request_content(token_by.TokenBy, req) if cred.by_type == 'email': return self.get_token_by_email(req, cred.key) elif cred.by_type == 'eppn': return self.get_token_by_eppn(req, cred.key) except KeyError: raise fault.UnauthorizedFault("bad request email or eppn")
def __validate_token(self, token_id, belongs_to=None, is_check_token=None): """ Method to validate a token. token_id -- value of actual token that need to be validated. belngs_to -- optional tenant_id to check whether the token is mapped to a specific tenant. is_check_token -- optional argument that tells whether we check the existence of a Token using another Token to authenticate.This value decides the faults that are to be thrown. """ if not token_id: raise fault.UnauthorizedFault("Missing token") (token, user) = self.__get_dauth_data(token_id) if not token: if is_check_token: raise fault.ItemNotFoundFault("Token does not exist.") else: raise fault.UnauthorizedFault( "Bad token, please reauthenticate") if token.expires < datetime.now(): if is_check_token: raise fault.ItemNotFoundFault("Token expired, please renew.") else: raise fault.ForbiddenFault("Token expired, please renew.") if not user.enabled: raise fault.UserDisabledFault("User %s has been disabled!" % user.id) if user.tenant_id: self.__validate_tenant_by_id(user.tenant_id) if token.tenant_id: self.__validate_tenant_by_id(token.tenant_id) if belongs_to and unicode(token.tenant_id) != unicode(belongs_to): raise fault.UnauthorizedFault("Unauthorized on this tenant") return (token, user)
def __validate_admin_token(self, token_id): (token, user) = self.__validate_token(token_id) if backends.ADMIN_ROLE_ID is None: role = api.ROLE.get_by_name(backends.ADMIN_ROLE_NAME) backends.ADMIN_ROLE_ID = role.id for role_ref in api.ROLE.ref_get_all_global_roles(user.id): if role_ref.role_id == backends.ADMIN_ROLE_ID and \ role_ref.tenant_id is None: return (token, user) raise fault.UnauthorizedFault( "You are not authorized to make this call")
def authenticate_s3(self, credentials): # Check credentials if not isinstance(credentials, auth.S3Credentials): raise fault.BadRequestFault("Expecting S3 Credentials!") creds = api.CREDENTIALS.get_by_access(credentials.access) if not creds: raise fault.UnauthorizedFault("No credentials found for %s" % credentials.access) def validate(duser): signer = Signer(creds.secret) signature = signer.generate(credentials, s3=True) if signature == credentials.signature: return True return False return self._authenticate(validate, creds.user_id, creds.tenant_id)
def authenticate(self, auth_request): # Check auth_with_password_credentials if not isinstance(auth_request, auth.AuthWithPasswordCredentials): raise fault.BadRequestFault( "Expecting auth_with_password_credentials!") def validate(duser): return api.USER.check_password(duser, auth_request.password) if auth_request.tenant_name: dtenant = self.__validate_tenant_by_name(auth_request.tenant_name) auth_request.tenant_id = dtenant.id elif auth_request.tenant_id: dtenant = self.__validate_tenant_by_id(auth_request.tenant_id) user = api.USER.get_by_name(auth_request.username) if not user: raise fault.UnauthorizedFault("Unauthorized") return self._authenticate(validate, user.id, auth_request.tenant_id)