def __init__(self, context, auth_payload):
self.identity_api = identity.Manager()
self.context = context
self.user_id = None
self.password = None
self.user_ref = None
self._validate_and_normalize_auth_data(auth_payload)
def initialize_drivers():
DRIVERS['catalog_api'] = catalog.Manager()
DRIVERS['identity_api'] = identity.Manager()
DRIVERS['policy_api'] = policy.Manager()
DRIVERS['token_api'] = token.Manager()
DRIVERS['trust_api'] = trust.Manager()
return DRIVERS
def setUp(self):
super(SqlTests, self).setUp()
self.config([
test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_sql.conf')
])
# initialize managers and override drivers
self.catalog_man = catalog.Manager()
self.identity_man = identity.Manager()
self.token_man = token.Manager()
self.trust_man = trust.Manager()
self.policy_man = policy.Manager()
# create tables and keep an engine reference for cleanup.
# this must be done after the models are loaded by the managers.
self.engine = self.get_engine()
sql.ModelBase.metadata.create_all(bind=self.engine)
# create shortcut references to each driver
self.catalog_api = self.catalog_man.driver
self.identity_api = self.identity_man.driver
self.token_api = self.token_man.driver
self.policy_api = self.policy_man.driver
self.trust_api = self.trust_man.driver
# populate the engine with tables & fixtures
self.load_fixtures(default_fixtures)
#defaulted by the data load
self.user_foo['enabled'] = True
def setUp(self):
super(KvsIdentity, self).setUp()
identity.CONF.identity.driver = \
'keystone.identity.backends.kvs.Identity'
self.identity_man = identity.Manager()
self.identity_api = self.identity_man.driver
self.load_fixtures(default_fixtures)
def setUp(self):
super(SqlTests, self).setUp()
self.config([
test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_sql.conf')
])
# initialize managers and override drivers
self.catalog_man = catalog.Manager()
self.identity_man = identity.Manager()
self.token_man = token.Manager()
self.trust_man = trust.Manager()
self.policy_man = policy.Manager()
# create shortcut references to each driver
self.catalog_api = self.catalog_man.driver
self.identity_api = self.identity_man.driver
self.token_api = self.token_man.driver
self.policy_api = self.policy_man.driver
self.trust_api = self.trust_man.driver
# populate the engine with tables & fixtures
self.load_fixtures(default_fixtures)
#defaulted by the data load
self.user_foo['enabled'] = True
def setUp(self):
super(LDAPIdentity, self).setUp()
self._set_config()
self.clear_database()
self.identity_man = identity.Manager()
self.identity_api = self.identity_man.driver
self.load_fixtures(default_fixtures)
def load_backends(include_oauth1=False):
# Ensure that the identity driver is created before the assignment manager.
# The default assignment driver is determined by the identity driver, so
# the identity driver must be available to the assignment manager.
_IDENTITY_API = identity.Manager()
DRIVERS = dict(
assignment_api=assignment.Manager(),
catalog_api=catalog.Manager(),
credential_api=credential.Manager(),
endpoint_filter_api=endpoint_filter.Manager(),
identity_api=_IDENTITY_API,
policy_api=policy.Manager(),
token_api=token.Manager(),
trust_api=trust.Manager(),
token_provider_api=token.provider.Manager())
if include_oauth1:
from keystone.contrib import oauth1
DRIVERS['oauth1_api'] = oauth1.Manager()
dependency.resolve_future_dependencies()
return DRIVERS
def load_backends():
# Configure and build the cache
cache.configure_cache()
cache.configure_cache(region=catalog.COMPUTED_CATALOG_REGION)
# Ensure that the identity driver is created before the assignment manager
# and that the assignment driver is created before the resource manager.
# The default resource driver depends on assignment, which in turn
# depends on identity - hence we need to ensure the chain is available.
_IDENTITY_API = identity.Manager()
_ASSIGNMENT_API = assignment.Manager()
DRIVERS = dict(assignment_api=_ASSIGNMENT_API,
catalog_api=catalog.Manager(),
credential_api=credential.Manager(),
domain_config_api=resource.DomainConfigManager(),
endpoint_policy_api=endpoint_policy.Manager(),
federation_api=federation.Manager(),
id_generator_api=identity.generator.Manager(),
id_mapping_api=identity.MappingManager(),
identity_api=_IDENTITY_API,
oauth_api=oauth1.Manager(),
policy_api=policy.Manager(),
resource_api=resource.Manager(),
revoke_api=revoke.Manager(),
role_api=assignment.RoleManager(),
token_api=token.persistence.Manager(),
trust_api=trust.Manager(),
token_provider_api=token.provider.Manager())
auth.controllers.load_auth_methods()
return DRIVERS
def load_backends():
# Configure and build the cache
cache.configure_cache_region(cache.REGION)
# Ensure that the identity driver is created before the assignment manager.
# The default assignment driver is determined by the identity driver, so
# the identity driver must be available to the assignment manager.
_IDENTITY_API = identity.Manager()
DRIVERS = dict(assignment_api=assignment.Manager(),
catalog_api=catalog.Manager(),
credential_api=credential.Manager(),
endpoint_filter_api=endpoint_filter.Manager(),
id_generator_api=identity.generator.Manager(),
id_mapping_api=identity.MappingManager(),
identity_api=_IDENTITY_API,
policy_api=policy.Manager(),
token_api=token.Manager(),
trust_api=trust.Manager(),
token_provider_api=token.provider.Manager())
auth.controllers.load_auth_methods()
return DRIVERS
def __init__(self):
self.catalog_api = catalog.Manager()
self.identity_api = identity.Manager()
self.token_api = token.Manager()
self.policy_api = policy.Manager()
self.ec2_api = Manager()
super(Ec2Controller, self).__init__()
def __init__(self, app, **config):
# initialization vector
self._iv = '\0' * 16
self.default_tenant = CONF.auto_population.default_project
self.default_role = CONF.auto_population.default_role
self.identity_api = identity.Manager()
self.assignment_api = assignment.Manager()
self.default_domain_id = CONF.identity.default_domain_id
super(AutoPopulation, self).__init__(app)
def setUp(self):
super(ImportLegacy, self).setUp()
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_sql.conf'),
test.testsdir('backend_sql_disk.conf')])
test.setup_test_database()
self.identity_man = identity.Manager()
self.identity_api = identity_sql.Identity()
def get_domain_id(name):
try:
identity.Manager()
assignment_manager = assignment.Manager()
return assignment_manager.driver.get_domain_by_name(name)['id']
except KeyError:
raise ValueError(
_("Unknown domain '%(name)s' specified by "
"--domain-name") % {'name': name})
def setUp(self):
super(KvsTrust, self).setUp()
identity.CONF.identity.driver = \
'keystone.identity.backends.kvs.Identity'
self.identity_man = identity.Manager()
self.identity_api = self.identity_man.driver
self.trust_api = trust_kvs.Trust(db={})
self.catalog_api = catalog_kvs.Catalog(db={})
self.load_fixtures(default_fixtures)
def setUp(self):
super(MigrateNovaAuth, self).setUp()
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_sql.conf'),
test.testsdir('backend_sql_disk.conf')])
sql_util.setup_test_database()
self.identity_man = identity.Manager()
self.identity_api = identity_sql.Identity()
self.ec2_api = ec2_sql.Ec2()
def get_domain_id(name):
try:
identity.Manager()
# init assignment manager to avoid KeyError in resource.core
assignment.Manager()
resource_manager = resource.Manager()
return resource_manager.driver.get_domain_by_name(name)['id']
except KeyError:
raise ValueError(_("Unknown domain '%(name)s' specified by "
"--domain-name") % {'name': name})
def __init__(self, context, auth=None):
self.identity_api = identity.Manager()
self.trust_api = trust.Manager()
self.context = context
self.auth = auth
self._scope_data = (None, None, None)
# self._scope_data is (domain_id, project_id, trust_ref)
# project scope: (None, project_id, None)
# domain scope: (domain_id, None, None)
# trust scope: (None, None, trust_ref)
# unscoped: (None, None, None)
self._validate_and_normalize_auth_data()
def load_backends():
# Configure and build the cache
cache.configure_cache()
cache.configure_cache(region=catalog.COMPUTED_CATALOG_REGION)
cache.apply_invalidation_patch(
region=catalog.COMPUTED_CATALOG_REGION,
region_name=catalog.COMPUTED_CATALOG_REGION.name)
cache.configure_cache(region=assignment.COMPUTED_ASSIGNMENTS_REGION)
cache.apply_invalidation_patch(
region=assignment.COMPUTED_ASSIGNMENTS_REGION,
region_name=assignment.COMPUTED_ASSIGNMENTS_REGION.name)
cache.configure_cache(region=revoke.REVOKE_REGION)
cache.apply_invalidation_patch(region=revoke.REVOKE_REGION,
region_name=revoke.REVOKE_REGION.name)
cache.configure_cache(region=token.provider.TOKENS_REGION)
cache.configure_cache(region=identity.ID_MAPPING_REGION)
cache.apply_invalidation_patch(region=identity.ID_MAPPING_REGION,
region_name=identity.ID_MAPPING_REGION.name)
# Ensure that the identity driver is created before the assignment manager
# and that the assignment driver is created before the resource manager.
# The default resource driver depends on assignment, which in turn
# depends on identity - hence we need to ensure the chain is available.
# TODO(morganfainberg): In "O" release move _IDENTITY_API to be directly
# instantiated in the DRIVERS dict once assignment driver being selected
# based upon [identity]/driver is removed.
_IDENTITY_API = identity.Manager()
_ASSIGNMENT_API = assignment.Manager()
DRIVERS = dict(
assignment_api=_ASSIGNMENT_API,
catalog_api=catalog.Manager(),
credential_api=credential.Manager(),
domain_config_api=resource.DomainConfigManager(),
endpoint_policy_api=endpoint_policy.Manager(),
federation_api=federation.Manager(),
id_generator_api=identity.generator.Manager(),
id_mapping_api=identity.MappingManager(),
identity_api=_IDENTITY_API,
shadow_users_api=identity.ShadowUsersManager(),
oauth_api=oauth1.Manager(),
policy_api=policy.Manager(),
resource_api=resource.Manager(),
revoke_api=revoke.Manager(),
role_api=assignment.RoleManager(),
token_api=token.persistence.Manager(),
trust_api=trust.Manager(),
token_provider_api=token.provider.Manager())
auth.controllers.load_auth_methods()
return DRIVERS
def __init__(self, identity_api=None):
if identity_api is None:
from keystone import identity
identity_api = identity.Manager(self)
assignment_driver = CONF.assignment.driver
if assignment_driver is None:
assignment_driver = identity_api.default_assignment_driver()
super(Manager, self).__init__(assignment_driver)
self.driver.identity_api = identity_api
self.identity_api = identity_api
self.identity_api.assignment_api = self
def setUp(self):
super(LDAPIdentityEnabledEmulation, self).setUp()
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
CONF.ldap.user_enabled_emulation = True
CONF.ldap.tenant_enabled_emulation = True
self.clear_database()
self.identity_man = identity.Manager()
self.identity_api = self.identity_man.driver
self.load_fixtures(default_fixtures)
for obj in [self.tenant_bar, self.tenant_baz, self.user_foo,
self.user_two, self.user_badguy]:
obj.setdefault('enabled', True)
def __init__(self, app, **config):
super(LdapAuthAuthentication, self).__init__(app)
# initialization vector
self._iv = '\0' * 16
self.identity_api = identity.Manager()
self.ldap_config = {}
#domain_ref = self.identity_api.get_domain( self.identity_api, DEFAULT_DOMAIN_ID)
domain_ref = self.identity_api.get_domain(DEFAULT_DOMAIN_ID)
self.default_domain = domain_ref['name']
self.common_ldap_config = CONF.ldap_pre_auth
self.log_ldap_config(CONF)
if self.common_ldap_config.tls_cacertfile is not None:
if not os.path.isfile(self.common_ldap_config.tls_cacertfile):
raise IOError("tls_cacertfile %s not found or is not a file" %
self.common_ldap_config.tls_cacertfile)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,
self.common_ldap_config.tls_cacertfile)
if self.common_ldap_config.tls_cacertdir is not None:
if not os.path.isdir(self.common_ldap_config.tls_cacertdir):
raise IOError(
"tls_cacertdir %s not found or is not a directory" %
self.common_ldap_config.tls_cacertdir)
ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,
self.common_ldap_config.tls_cacertdir)
if self.common_ldap_config.tls_req_cert is not None:
if self.common_ldap_config.tls_req_cert in LDAP_TLS_CERTS:
ldap.set_option(
ldap.OPT_X_TLS_REQUIRE_CERT,
LDAP_TLS_CERTS[self.common_ldap_config.tls_req_cert])
else:
raise ValueError(
'Invalid LDAP TLS certs option: %s\nChoose one of: %s' %
(self.common_ldap_config.tls_req_cert,
LDAP_TLS_CERTS.keys()))
self._validate_ldap_config(self.common_ldap_config)
self.domain_specific_drivers_enabled = CONF.ldap_pre_auth.domain_specific_drivers_enabled
if self.domain_specific_drivers_enabled:
domain_config_dir = self.common_ldap_config.domain_config_dir
if not os.path.isdir(domain_config_dir):
raise ValueError(
'Domain config directory %s is not a valid path' %
domain_config_dir)
self._load_domain_config(domain_config_dir)
self.non_ldap_users = CONF.ldap_pre_auth.non_ldap_users
LOG.debug('Initialization complete')
def import_auth(data):
identity_api = identity.Manager()
assignment_api = assignment.Manager()
tenant_map = _create_projects(assignment_api, data['tenants'])
user_map = _create_users(identity_api, data['users'])
_create_memberships(assignment_api, data['user_tenant_list'], user_map,
tenant_map)
role_map = _create_roles(assignment_api, data['roles'])
_assign_roles(assignment_api, data['role_user_tenant_list'], role_map,
user_map, tenant_map)
ec2_api = ec2_sql.Ec2()
ec2_creds = data['ec2_credentials']
_create_ec2_creds(ec2_api, assignment_api, ec2_creds, user_map)
def load_backends(self):
"""Load the backends needed for uploading domain configs.
We only need the resource and domain_config managers, but there are
some dependencies which mean we have to load the assignment and
identity managers as well.
The order of loading the backends is important, since the resource
manager depends on the assignment manager, which in turn depends on
the identity manager.
"""
identity.Manager()
assignment.Manager()
self.resource_manager = resource.Manager()
self.domain_config_manager = resource.DomainConfigManager()
def __init__(self, app, **config):
super(LdapAuthAuthentication, self).__init__(app)
# initialization vector
self._iv = '\0' * 16
self.ldap_url = CONF.ldap_pre_auth.url
self.user_tree_dn = CONF.ldap_pre_auth.user_tree_dn
self.user_attribute_name = CONF.ldap_pre_auth.user_attribute_name
self.user = CONF.ldap_pre_auth.user
self.password = CONF.ldap_pre_auth.password
self.pass_through = CONF.ldap_pre_auth.pass_through
self.identity_api = identity.Manager()
self.tls_cacertfile = CONF.ldap_pre_auth.tls_cacertfile
self.tls_cacertdir = CONF.ldap_pre_auth.tls_cacertdir
self.tls_req_cert = CONF.ldap_pre_auth.tls_req_cert
self.use_tls = CONF.ldap_pre_auth.use_tls
self.user_id_attribute = CONF.ldap_pre_auth.user_id_attribute
self.non_ldap_users = CONF.ldap_pre_auth.non_ldap_users
using_ldaps = self.ldap_url.lower().startswith("ldaps")
if self.use_tls and using_ldaps:
raise AssertionError(_('Invalid TLS / LDAPS combination'))
if self.tls_cacertfile is not None:
if not os.path.isfile(self.tls_cacertfile):
raise IOError("tls_cacertfile %s not found or is not a file" %
self.tls_cacertfile)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.tls_cacertfile)
if self.tls_cacertdir is not None:
if not os.path.isdir(self.tls_cacertdir):
raise IOError(
"tls_cacertdir %s not found or is not a directory" %
self.tls_cacertdir)
ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.tls_cacertdir)
if self.tls_req_cert is not None:
if self.tls_req_cert in LDAP_TLS_CERTS:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,
LDAP_TLS_CERTS[self.tls_req_cert])
else:
raise ValueError(
'Invalid LDAP TLS certs option: %s\nChoose one of: %s' %
(self.tls_req_cert, LDAP_TLS_CERTS.keys()))
def __init__(self, app, **config):
# initialization vector
self._iv = '\0' * 16
self.identity_api = identity.Manager()
self.assignment_api = assignment.Manager()
super(AutoPopulation, self).__init__(app)
self.autopop_config = {}
#domain_ref = self.identity_api.get_domain( self.identity_api, DEFAULT_DOMAIN_ID)
domain_ref = self.identity_api.get_domain(DEFAULT_DOMAIN_ID)
self.default_domain = domain_ref['name']
self.common_autopop_config = CONF.auto_population
self.log_ldap_config(CONF)
self.domain_specific_drivers_enabled = CONF.ldap_pre_auth.domain_specific_drivers_enabled
if self.domain_specific_drivers_enabled:
domain_config_dir = CONF.ldap_pre_auth.domain_config_dir
if not os.path.isdir(domain_config_dir):
raise ValueError( 'Domain config directory %s is not a valid path' % domain_config_dir)
self._load_domain_config( domain_config_dir)
LOG.debug('Initialization complete')
def load_backends():
# Configure and build the cache
cache.configure_cache()
cache.configure_cache(region=catalog.COMPUTED_CATALOG_REGION)
cache.apply_invalidation_patch(
region=catalog.COMPUTED_CATALOG_REGION,
region_name=catalog.COMPUTED_CATALOG_REGION.name)
cache.configure_cache(region=assignment.COMPUTED_ASSIGNMENTS_REGION)
cache.apply_invalidation_patch(
region=assignment.COMPUTED_ASSIGNMENTS_REGION,
region_name=assignment.COMPUTED_ASSIGNMENTS_REGION.name)
# Ensure that the assignment driver is created before the resource manager.
# The default resource driver depends on assignment.
_ASSIGNMENT_API = assignment.Manager()
DRIVERS = dict(assignment_api=_ASSIGNMENT_API,
catalog_api=catalog.Manager(),
credential_api=credential.Manager(),
domain_config_api=resource.DomainConfigManager(),
endpoint_policy_api=endpoint_policy.Manager(),
federation_api=federation.Manager(),
id_generator_api=identity.generator.Manager(),
id_mapping_api=identity.MappingManager(),
identity_api=identity.Manager(),
oauth_api=oauth1.Manager(),
policy_api=policy.Manager(),
resource_api=resource.Manager(),
revoke_api=revoke.Manager(),
role_api=assignment.RoleManager(),
token_api=token.persistence.Manager(),
trust_api=trust.Manager(),
token_provider_api=token.provider.Manager())
auth.controllers.load_auth_methods()
return DRIVERS
def load_backends():
# Configure and build the cache
cache.configure_cache()
cache.configure_cache(region=catalog.COMPUTED_CATALOG_REGION)
cache.configure_cache(region=assignment.COMPUTED_ASSIGNMENTS_REGION)
cache.configure_cache(region=revoke.REVOKE_REGION)
cache.configure_cache(region=token.provider.TOKENS_REGION)
cache.configure_cache(region=identity.ID_MAPPING_REGION)
cache.configure_invalidation_region()
# NOTE(knikolla): The assignment manager must be instantiated before the
# resource manager. The current dictionary ordering ensures that.
DRIVERS = dict(assignment_api=assignment.Manager(),
catalog_api=catalog.Manager(),
credential_api=credential.Manager(),
credential_provider_api=credential.provider.Manager(),
domain_config_api=resource.DomainConfigManager(),
endpoint_policy_api=endpoint_policy.Manager(),
federation_api=federation.Manager(),
id_generator_api=identity.generator.Manager(),
id_mapping_api=identity.MappingManager(),
identity_api=identity.Manager(),
shadow_users_api=identity.ShadowUsersManager(),
oauth_api=oauth1.Manager(),
policy_api=policy.Manager(),
resource_api=resource.Manager(),
revoke_api=revoke.Manager(),
role_api=assignment.RoleManager(),
token_api=token.persistence.Manager(),
trust_api=trust.Manager(),
token_provider_api=token.provider.Manager())
auth.core.load_auth_methods()
return DRIVERS
def load_backends():
# Configure and build the cache
cache.configure_cache_region(cache.REGION)
# Ensure that the identity driver is created before the assignment manager.
# The default assignment driver is determined by the identity driver, so
# the identity driver must be available to the assignment manager.
_IDENTITY_API = identity.Manager()
DRIVERS = dict(
assignment_api=assignment.Manager(),
catalog_api=catalog.Manager(),
credential_api=credential.Manager(),
domain_config_api=resource.DomainConfigManager(),
endpoint_filter_api=endpoint_filter.Manager(),
endpoint_policy_api=endpoint_policy.Manager(),
federation_api=federation.Manager(),
id_generator_api=identity.generator.Manager(),
id_mapping_api=identity.MappingManager(),
identity_api=_IDENTITY_API,
oauth_api=oauth1.Manager(),
policy_api=policy.Manager(),
resource_api=resource.Manager(),
revoke_api=revoke.Manager(),
role_api=assignment.RoleManager(),
token_api=token.persistence.Manager(),
trust_api=trust.Manager(),
token_provider_api=token.provider.Manager(),
# admin_api=moon.AdminManager(),
# authz_api=moon.AuthzManager()
)
auth.controllers.load_auth_methods()
return DRIVERS
def __init__(self, *args, **kwargs):
self.identity_api = identity.Manager()
self.domain = CONF.identity.default_domain_id or "default"
super(CASAuthMiddleware, self).__init__(*args, **kwargs)
from keystone.contrib import ec2
from keystone import controllers
from keystone import credential
from keystone import identity
from keystone import policy
from keystone import routers
from keystone import token
from keystone import trust
CONF = config.CONF
LOG = logging.getLogger(__name__)
DRIVERS = dict(catalog_api=catalog.Manager(),
credentials_api=credential.Manager(),
ec2_api=ec2.Manager(),
identity_api=identity.Manager(),
policy_api=policy.Manager(),
token_api=token.Manager(),
trust_api=trust.Manager())
@logging.fail_gracefully
def public_app_factory(global_conf, **local_conf):
controllers.register_version('v2.0')
conf = global_conf.copy()
conf.update(local_conf)
return wsgi.ComposingRouter(routes.Mapper(), [
identity.routers.Public(),
token.routers.Router(),
routers.VersionV2('public'),
routers.Extension(False)
