def get_token_details(token, tenant_id=None):
try:
token_details = json.loads(aes.decode_aes(base64.b64decode(token)))
except (TypeError, ValueError):
raise exceptions.Unauthorized('Invalid Key')
if time.time() > token_details['expires']:
raise exceptions.Unauthorized('Expired Key')
if tenant_id and str(token_details['tenant_id']) != tenant_id:
raise exceptions.Unauthorized('Tenant/token Mismatch')
return token_details
def get_token_details(token, tenant_id=None):
try:
token_id_driver = identity.token_id_driver()
token_details = token_id_driver.token_from_id(token)
except (TypeError, ValueError):
raise exceptions.Unauthorized('Invalid Key')
if time.time() > token_details['expires']:
raise exceptions.Unauthorized('Expired Key')
if tenant_id and str(token_details['tenant_id']) != tenant_id:
raise exceptions.Unauthorized('Tenant/token Mismatch')
return token_details
def token_from_id(self, token_id):
try:
tokens = identity.token_driver()
if (identity.auth_driver().__class__.__name__ != "NoAuthDriver"):
raise exceptions.InvalidTokenError(
'Auth-driver must be NoAuthDriver')
auth = identity.auth_driver().authenticate(None)
if auth is None:
raise exceptions.Unauthorized('Unauthorized credentials')
token = tokens.create_token(None, auth)
return token
except (TypeError, ValueError):
raise exceptions.InvalidTokenError('Malformed token')
def on_post(self, req, resp):
body = req.stream.read().decode()
credentials = json.loads(body)
tokens = identity.token_driver()
auth = identity.auth_driver().authenticate(credentials)
if auth is None:
raise exceptions.Unauthorized('Unauthorized credentials')
token = tokens.create_token(credentials, auth)
tok_id = identity.token_id_driver().create_token_id(token)
access = get_access(tok_id, token)
# Add catalog to the access data
self._add_catalog_to_access(access, token)
resp.status = 200
resp.body = {'access': access}
def get_new_token(credentials):
username = utils.lookup(credentials,
'auth',
'passwordCredentials',
'username')
credential = utils.lookup(credentials,
'auth',
'passwordCredentials',
'password')
def assert_tenant(user):
tenant = utils.lookup(credentials, 'auth', 'tenantId')
if tenant and str(user['accountId']) != tenant:
raise exceptions.Unauthorized(
'Invalid username, password or tenant id')
# If the 'password' is the right length, treat it as an API api_key
if len(credential) == 64:
client = SoftLayer.Client(username=username, api_key=credential)
user = client['Account'].getCurrentUser(mask=USER_MASK)
assert_tenant(user)
return {'username': username,
'api_key': credential,
'auth_type': 'api_key',
'tenant_id': str(user['accountId']),
'expires': time.time() + (60 * 60 * 24)}, user
else:
client = SoftLayer.Client()
client.auth = None
try:
userId, tokenHash = client.authenticate_with_password(username,
credential)
user = client['Account'].getCurrentUser(mask=USER_MASK)
assert_tenant(user)
return {'userId': userId,
'tokenHash': tokenHash,
'auth_type': 'token',
'tenant_id': str(user['accountId']),
'expires': time.time() + (60 * 60 * 24)}, user
except SoftLayer.SoftLayerAPIError as e:
if e.faultCode == 'SoftLayer_Exception_User_Customer_LoginFailed':
raise exceptions.Unauthorized(e.faultString)
raise
def validate_token(req, resp, kwargs):
tenant_id = req.env.get('tenant_id', None)
token = req.headers.get('X-AUTH-TOKEN', None)
if (req.env.get('REMOTE_USER', None) is not None
or req.env.get('is_admin', False)
or req.env.get('auth', None) is not None):
# upstream authentication
return
if token is not None:
if tenant_id is None:
tenant_id = kwargs.get('tenant_id',
req.headers.get('X-AUTH-PROJECT-ID'))
req.env['tenant_id'] = tenant_id
LOG.debug("Authenticating request token '%s'" % (token))
identity.validate_token_id(token, tenant_id=tenant_id)
req.env['auth'] = identity.token_id_driver().token_from_id(token)
elif protected("%s:%s" % (req.method, req.path)):
raise exceptions.Unauthorized('Authentication token required')
def get_new_token_v3(credentials):
token_driver = identity.token_driver()
token_id = utils.lookup(credentials, 'auth', 'identity', 'token', 'id')
if token_id:
token = identity.token_id_driver().token_from_id(token_id)
LOG.debug("token details are: %s", str(token))
token_driver.validate_token(token)
username = token_driver.username(token)
credential = token_driver.credential(token)
userinfo = {'username': username,
'auth_type': str(token['auth_type']),
'tenant_id': str(token['tenant_id']),
'expires': token['expires']}
if token['auth_type'] == 'token':
userinfo['tokenHash'] = credential
if token['auth_type'] == 'api_key':
userinfo['api_key'] = credential
user = {'id': token['user_id'],
'username': username,
'accountId': token['tenant_id']}
return userinfo, user
username = utils.lookup(credentials,
'auth',
'passwordCredentials',
'username')
credential = utils.lookup(credentials,
'auth',
'passwordCredentials',
'password')
# If the 'password' is the right length, treat it as an API api_key
if len(credential) == 64:
endpoint = cfg.CONF['softlayer']['endpoint']
client = SoftLayer.Client(username=username,
api_key=credential,
endpoint_url=endpoint,
proxy=cfg.CONF['softlayer']['proxy'])
user = client['Account'].getCurrentUser(mask=USER_MASK)
username = token_driver.username(user)
return {'username': username,
'api_key': credential,
'auth_type': 'api_key',
'tenant_id': str(user['accountId']),
'expires': time.time() + (60 * 60 * 24)}, user
else:
endpoint = cfg.CONF['softlayer']['endpoint']
client = SoftLayer.Client(endpoint_url=endpoint,
proxy=cfg.CONF['softlayer']['proxy'])
client.auth = None
try:
userId, tokenHash = client.authenticate_with_password(username,
credential)
user = client['Account'].getCurrentUser(mask=USER_MASK)
username = token_driver.username(user)
return {'userId': userId,
'username': username,
'tokenHash': tokenHash,
'auth_type': 'token',
'tenant_id': str(user['accountId']),
'expires': time.time() + (60 * 60 * 24)}, user
except SoftLayer.SoftLayerAPIError as e:
if e.faultCode == 'SoftLayer_Exception_User_Customer_LoginFailed':
raise exceptions.Unauthorized(e.faultString)
raise
def assert_tenant(user):
tenant = utils.lookup(credentials, 'auth', 'tenantId')
if tenant and str(user['accountId']) != tenant:
raise exceptions.Unauthorized(
'Invalid username, password or tenant id')
def authenticate(self, creds):
username = utils.lookup(creds, 'auth', 'passwordCredentials',
'username')
credential = utils.lookup(creds, 'auth', 'passwordCredentials',
'password')
token_id = utils.lookup(creds, 'auth', 'token', 'id')
token_driver = identity.token_driver()
token_auth = None
if token_id:
token = identity.token_id_driver().token_from_id(token_id)
token_driver.validate_token(token)
username = token_driver.username(token)
credential = token_driver.credential(token)
token_auth = token['auth_type'] == 'token'
def assert_tenant(user):
tenant = (utils.lookup(creds, 'auth', 'tenantId')
or utils.lookup(creds, 'auth', 'tenantName'))
if tenant and str(user['accountId']) != tenant:
raise exceptions.Unauthorized(
'Invalid username, password or tenant id')
endpoint = config.PARSER.get('softlayer', 'endpoint')
proxy = config.PARSER.get('softlayer', 'proxy')
# If the 'password' is the right length, treat it as an API api_key
if len(credential) == 64:
client = SoftLayer.Client(username=username,
api_key=credential,
endpoint_url=endpoint,
proxy=proxy)
user = client['Account'].getCurrentUser(mask=USER_MASK)
assert_tenant(user)
return {
'user': user,
'credential': credential,
'auth_type': 'api_key'
}
else:
client = SoftLayer.Client(endpoint_url=endpoint, proxy=proxy)
client.auth = None
try:
if token_auth:
client.auth = SoftLayer.TokenAuthentication(
token['user_id'], credential)
else:
userId, tokenHash = (client.authenticate_with_password(
username, credential))
user = client['Account'].getCurrentUser(mask=USER_MASK)
assert_tenant(user)
if token_auth:
tokenHash = credential
return {
'user': user,
'credential': tokenHash,
'auth_type': 'token'
}
except SoftLayer.SoftLayerAPIError as e:
if (e.faultCode == "SoftLayer_Exception_User_Customer"
"_LoginFailed"):
raise exceptions.Unauthorized(e.faultString)
raise