def _require_domain_xor_project(self, domain, project):
if domain and project:
msg = _('Specify either a domain or project, not both')
raise exceptions.ValidationError(msg)
elif not (domain or project):
msg = _('Must specify either a domain or project')
raise exceptions.ValidationError(msg)
def _require_user_xor_group(self, user, group):
if user and group:
msg = _('Specify either a user or group, not both')
raise exceptions.ValidationError(msg)
elif not (user or group):
msg = _('Must specify either a user or group')
raise exceptions.ValidationError(msg)
def update_password(self, old_password, new_password):
"""Update the password for the user the token belongs to.
:param str old_password: the user's old password
:param str new_password: the user's new password
:returns: 204 No Content.
"""
if not (old_password and new_password):
msg = _('Specify both the current password and a new password')
raise exceptions.ValidationError(msg)
if old_password == new_password:
msg = _('Old password and new password must be different.')
raise exceptions.ValidationError(msg)
params = {
'user': {
'password': new_password,
'original_password': old_password
}
}
base_url = '/users/%s/password' % self.client.user_id
return self._update(base_url, params, method='POST', log=False)
def _check_consumer_urls(self, session, sp_response_consumer_url,
idp_sp_response_consumer_url):
"""Check if consumer URLs issued by SP and IdP are equal.
In the initial SAML2 authn Request issued by a Service Provider
there is a url called ``consumer url``. A trusted Identity Provider
should issue identical url. If the URLs are not equal the federated
authn process should be interrupted and the user should be warned.
:param session: session object to send out HTTP requests.
:type session: keystoneclient.session.Session
:param sp_response_consumer_url: consumer URL issued by a SP
:type sp_response_consumer_url: string
:param idp_sp_response_consumer_url: consumer URL issued by an IdP
:type idp_sp_response_consumer_url: string
"""
if sp_response_consumer_url != idp_sp_response_consumer_url:
# send fault message to the SP, discard the response
session.post(sp_response_consumer_url, data=self.SOAP_FAULT,
headers=self.ECP_SP_SAML2_REQUEST_HEADERS,
authenticated=False)
# prepare error message and raise an exception.
msg = _("Consumer URLs from Service Provider %(service_provider)s "
"%(sp_consumer_url)s and Identity Provider "
"%(identity_provider)s %(idp_consumer_url)s are not equal")
msg = msg % {
'service_provider': self.token_url,
'sp_consumer_url': sp_response_consumer_url,
'identity_provider': self.identity_provider,
'idp_consumer_url': idp_sp_response_consumer_url
}
raise exceptions.ValidationError(msg)
def _enforce_mutually_exclusive_group(self, system, domain, project):
if not system:
if domain and project:
msg = _('Specify either a domain or project, not both')
raise exceptions.ValidationError(msg)
elif not (domain or project):
msg = _('Must specify either system, domain, or project')
raise exceptions.ValidationError(msg)
elif system:
if domain and project:
msg = _(
'Specify either system, domain, or project, not all three.'
)
raise exceptions.ValidationError(msg)
if domain:
msg = _('Specify either system or a domain, not both')
raise exceptions.ValidationError(msg)
if project:
msg = _('Specify either a system or project, not both')
raise exceptions.ValidationError(msg)
def update_password(self, old_password, new_password):
"""Update the password for the user the token belongs to."""
if not (old_password and new_password):
msg = _('Specify both the current password and a new password')
raise exceptions.ValidationError(msg)
if old_password == new_password:
msg = _('Old password and new password must be different.')
raise exceptions.ValidationError(msg)
params = {
'user': {
'password': new_password,
'original_password': old_password
}
}
base_url = '/users/%s/password' % self.api.user_id
return self._update(base_url,
params,
method='POST',
log=False,
endpoint_filter={'interface': 'public'})
def _build_base_url(self, project=None, endpoint=None):
project_id = base.getid(project)
endpoint_id = base.getid(endpoint)
if project_id and endpoint_id:
api_path = '/projects/%s/endpoints/%s' % (endpoint_id, project_id)
elif project_id:
api_path = '/projects/%s/endpoints' % (project_id)
elif endpoint_id:
api_path = '/endpoints/%s/projects' % (endpoint_id)
else:
msg = _('Must specify a project, an endpoint, or both')
raise exceptions.ValidationError(msg)
return '/' + OS_EP_FILTER_EXT + api_path
def _build_base_url(self, project=None, endpoint_group=None):
project_id = base.getid(project)
endpoint_group_id = base.getid(endpoint_group)
if project_id and endpoint_group_id:
api_path = '/endpoint_groups/{0}/projects/{1}'.format(endpoint_group_id,
project_id)
elif project_id:
api_path = '/projects/{0}/endpoint_groups'.format(project_id)
elif endpoint_group_id:
api_path = '/endpoint_groups/{0}/projects'.format(endpoint_group_id)
else:
msg = _('Must specify a project, an endpoint_group, or both')
raise exceptions.ValidationError(msg)
return '/' + OS_EP_FILTER_EXT + api_path
def _role_grants_base_url(self, user, group, system, domain, project,
use_inherit_extension):
# When called, we have already checked that only one of user & group
# and one of domain & project have been specified
params = {}
if project:
params['project_id'] = base.getid(project)
base_url = '/projects/%(project_id)s'
elif domain:
params['domain_id'] = base.getid(domain)
base_url = '/domains/%(domain_id)s'
elif system:
if system == 'all':
base_url = '/system'
else:
# NOTE(lbragstad): If we've made it this far, a user is
# attempting to do something with system scope that isn't
# supported yet (e.g. 'all' is currently the only supported
# system scope). In the future that may change but until then
# we should fail like we would if a user provided a bogus
# project name or domain ID.
msg = _("Only a system scope of 'all' is currently supported")
raise exceptions.ValidationError(msg)
if use_inherit_extension:
base_url = '/OS-INHERIT' + base_url
if user:
params['user_id'] = base.getid(user)
base_url += '/users/%(user_id)s'
elif group:
params['group_id'] = base.getid(group)
base_url += '/groups/%(group_id)s'
return base_url % params
def _check_not_parents_as_ids_and_parents_as_list(self, parents_as_ids,
parents_as_list):
if parents_as_ids and parents_as_list:
msg = _('Specify either parents_as_ids or parents_as_list '
'parameters, not both')
raise exceptions.ValidationError(msg)
def _require_role_and_permission(self, role, permission):
if not (role and permission):
msg = 'Specify both a role and a permission'
raise exceptions.ValidationError(msg)
def _check_not_domain_and_project(self, domain, project):
if domain and project:
msg = 'Specify either a domain or project, not both'
raise exceptions.ValidationError(msg)
def _validate_interface(self, interface):
if interface is not None and interface not in VALID_INTERFACES:
msg = _('"interface" must be one of: %s')
msg %= ', '.join(VALID_INTERFACES)
raise exceptions.ValidationError(msg)
def _require_user_and_group(self, user, group):
if not (user and group):
msg = _('Specify both a user and a group')
raise exceptions.ValidationError(msg)
def _check_not_user_and_group(self, user, group):
if user and group:
msg = 'Specify either a user or group, not both'
raise exceptions.ValidationError(msg)
def _require_user_xor_group(self, user, group):
if (user and group) or (not user and not group):
msg = 'Specify either a user or group, not both'
raise exceptions.ValidationError(msg)
def _require_domain_or_project(self, domain, project):
if (domain and project) or (not domain and not project):
msg = 'Specify either a domain or project, not both'
raise exceptions.ValidationError(msg)
def _check_not_subtree_as_ids_and_subtree_as_list(self, subtree_as_ids,
subtree_as_list):
if subtree_as_ids and subtree_as_list:
msg = _('Specify either subtree_as_ids or subtree_as_list '
'parameters, not both')
raise exceptions.ValidationError(msg)
def _check_not_system_and_domain(self, system, domain):
if system and domain:
msg = _('Specify either system or domain, not both')
raise exceptions.ValidationError(msg)
def __init__(self, auth_url, token, **kwargs):
super(Saml2ScopedToken, self).__init__(auth_url, token, **kwargs)
if not (self.project_id or self.domain_id):
raise exceptions.ValidationError(
_('Neither project nor domain specified'))
def _check_system_value(self, system):
if system and system != 'all':
msg = _("Only a system scope of 'all' is currently supported")
raise exceptions.ValidationError(msg)
def _check_not_system_and_project(self, system, project):
if system and project:
msg = _('Specify either system or project, not both')
raise exceptions.ValidationError(msg)
