def switch_tenants(request, tenant_id):
"""
Swaps a user from one tenant to another using the unscoped token from
Keystone to exchange scoped tokens for the new tenant.
"""
if request.user.tenant_id == tenant_id:
return True
endpoint = request.user.endpoint
unscoped_token = request.session.get('unscoped_token', None)
if unscoped_token:
try:
token = api.token_create_scoped(request,
tenant_id,
unscoped_token)
user = create_user_from_token(request, token, endpoint)
request.user = user
set_session_from_user(request, user)
return request.user
except Unauthorized:
raise
except Exception, e:
LOG.error('User(%s) can not authorize project %s. Error: %s'
% (request.user.id, tenant_id, e))
return None
def authorize_login(request):
initial = {}
login_url = 'get_login_view'
if request.method == "POST":
form = curry(Login, request)
else:
form = curry(Login, initial=initial)
extra_context = {'redirect_field_name': REDIRECT_FIELD_NAME}
if request.is_ajax():
template_name = 'auth/_login.html'
extra_context['hide'] = True
else:
template_name = login_url
django_login(request,
template_name=login_url,
authentication_form=form,
extra_context=extra_context)
if request.user.is_authenticated():
set_session_from_user(request, request.user)
redirect = request.POST.get('next', None) or login_url
return shortcuts.redirect(redirect)
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
if settings.WEBSSO_USE_HTTP_REFERER:
referer = request.META.get('HTTP_REFERER',
settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
else:
auth_url = settings.OPENSTACK_KEYSTONE_URL
token = request.POST.get('token')
try:
request.user = auth.authenticate(request,
auth_url=auth_url,
token=token)
except exceptions.KeystoneAuthException as exc:
if settings.WEBSSO_DEFAULT_REDIRECT:
res = django_http.HttpResponseRedirect(settings.LOGIN_ERROR)
else:
msg = 'Login failed: %s' % exc
res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
set_logout_reason(res, msg)
return res
auth_user.set_session_from_user(request, request.user)
auth.login(request, request.user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
return django_http.HttpResponseRedirect(settings.LOGIN_REDIRECT_URL)
def authorize_login(request):
initial = {}
login_url = 'get_login_view'
if request.method == "POST":
form = curry(Login, request)
else:
form = curry(Login, initial=initial)
extra_context = {'redirect_field_name': REDIRECT_FIELD_NAME}
if request.is_ajax():
template_name = 'auth/_login.html'
extra_context['hide'] = True
else:
template_name = login_url
django_login(request,
template_name=login_url,
authentication_form=form,
extra_context=extra_context)
if request.user.is_authenticated():
set_session_from_user(request, request.user)
redirect = request.POST.get('next', None) or login_url
return shortcuts.redirect(redirect)
def login(request):
try:
attributes = get_manager(request)
domain, auth_url = get_ostack_attributes(request)
if attributes:
map_entry = UserMapping.objects.get(globaluser=attributes.username)
localuser = map_entry.registration.username
LOG.debug("Mapped user %s on %s" %
(attributes.username, localuser))
kwargs = {
'auth_url': auth_url,
'request': request,
'username': localuser,
'password': None,
'user_domain_name': domain
}
user = authenticate(**kwargs)
auth_login(request, user)
if request.user.is_authenticated():
set_session_from_user(request, request.user)
default_region = (settings.OPENSTACK_KEYSTONE_URL,
"Default Region")
regions = dict(
getattr(settings, 'AVAILABLE_REGIONS', [default_region]))
region = request.user.endpoint
region_name = regions.get(region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
request.session['global_user'] = attributes.username
return shortcuts.redirect(get_user_home(user))
except (UserMapping.DoesNotExist, keystone_exceptions.NotFound):
LOG.debug("User %s authenticated but not authorized" %
attributes.username)
return shortcuts.redirect(reverse_lazy('register'))
except (keystone_exceptions.Unauthorized,
auth_exceptions.KeystoneAuthException):
return build_err_response(
request, _("User not authorized: invalid or disabled"), attributes)
except Exception as exc:
LOG.error(exc.message, exc_info=True)
err_msg = "A failure occurs authenticating user\nPlease, contact the cloud managers"
return build_err_response(request, _(err_msg), attributes)
return basic_login(request)
def login(request, template_name=None, extra_context=None, **kwargs):
"""Logs a user in using the :class:`~openstack_auth.forms.Login` form."""
if not request.is_ajax():
# If the user is already authenticated, redirect them to the
# dashboard straight away, unless the 'next' parameter is set as it
# usually indicates requesting access to a page that requires different
# permissions.
if (request.user.is_authenticated() and
auth.REDIRECT_FIELD_NAME not in request.GET and
auth.REDIRECT_FIELD_NAME not in request.POST):
return shortcuts.redirect(settings.LOGIN_REDIRECT_URL)
# Get our initial region for the form.
initial = {}
current_region = request.session.get('region_endpoint', None)
requested_region = request.GET.get('region', None)
regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
if requested_region in regions and requested_region != current_region:
initial.update({'region': requested_region})
if request.method == "POST":
# NOTE(saschpe): Since https://code.djangoproject.com/ticket/15198,
# the 'request' object is passed directly to AuthenticationForm in
# django.contrib.auth.views#login:
if django.VERSION >= (1, 6):
form = functional.curry(forms.Login)
else:
form = functional.curry(forms.Login, request)
else:
form = functional.curry(forms.Login, initial=initial)
if extra_context is None:
extra_context = {'redirect_field_name': auth.REDIRECT_FIELD_NAME}
if not template_name:
if request.is_ajax():
template_name = 'auth/_login.html'
extra_context['hide'] = True
else:
template_name = 'auth/login.html'
res = django_auth_views.login(request,
template_name=template_name,
authentication_form=form,
extra_context=extra_context,
**kwargs)
# Set the session data here because django's session key rotation
# will erase it if we set it earlier.
if request.user.is_authenticated():
auth_user.set_session_from_user(request, request.user)
regions = dict(forms.Login.get_region_choices())
region = request.user.endpoint
region_name = regions.get(region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
return res
def login(request, template_name=None, extra_context=None, **kwargs):
"""Logs a user in using the :class:`~openstack_auth.forms.Login` form."""
if not request.is_ajax():
# If the user is already authenticated, redirect them to the
# dashboard straight away, unless the 'next' parameter is set as it
# usually indicates requesting access to a page that requires different
# permissions.
if (request.user.is_authenticated()
and auth.REDIRECT_FIELD_NAME not in request.GET
and auth.REDIRECT_FIELD_NAME not in request.POST):
return shortcuts.redirect(settings.LOGIN_REDIRECT_URL)
# Get our initial region for the form.
initial = {}
current_region = request.session.get('region_endpoint', None)
requested_region = request.GET.get('region', None)
regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
if requested_region in regions and requested_region != current_region:
initial.update({'region': requested_region})
if request.method == "POST":
# NOTE(saschpe): Since https://code.djangoproject.com/ticket/15198,
# the 'request' object is passed directly to AuthenticationForm in
# django.contrib.auth.views#login:
if django.VERSION >= (1, 6):
form = functional.curry(forms.Login)
else:
form = functional.curry(forms.Login, request)
else:
form = functional.curry(forms.Login, initial=initial)
if extra_context is None:
extra_context = {'redirect_field_name': auth.REDIRECT_FIELD_NAME}
if not template_name:
if request.is_ajax():
template_name = 'auth/_login.html'
extra_context['hide'] = True
else:
template_name = 'auth/login.html'
res = django_auth_views.login(request,
template_name=template_name,
authentication_form=form,
extra_context=extra_context,
**kwargs)
# Set the session data here because django's session key rotation
# will erase it if we set it earlier.
if request.user.is_authenticated():
auth_user.set_session_from_user(request, request.user)
regions = dict(forms.Login.get_region_choices())
region = request.user.endpoint
region_name = regions.get(region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
return res
def login(request):
try:
attributes = IdPAttributes(request)
domain, region = get_ostack_attributes(request)
if attributes:
map_entry = UserMapping.objects.get(globaluser=attributes.username)
localuser = map_entry.registration.username
LOG.debug("Mapped user %s on %s" % (attributes.username, localuser))
user = authenticate(request=request,
username=localuser,
password=None,
user_domain_name=domain,
auth_url=region)
auth_login(request, user)
if request.user.is_authenticated():
set_session_from_user(request, request.user)
default_region = (settings.OPENSTACK_KEYSTONE_URL, "Default Region")
regions = dict(getattr(settings, 'AVAILABLE_REGIONS', [default_region]))
region = request.user.endpoint
region_name = regions.get(region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
return shortcuts.redirect( '%s/project' % attributes.root_url)
except (UserMapping.DoesNotExist, keystone_exceptions.NotFound):
LOG.debug("User %s authenticated but not authorized" % attributes.username)
return _register(request, attributes)
except keystone_exceptions.Unauthorized:
tempDict = {
'error_header' : _("Authentication failed"),
'error_text' : _("User not authenticated"),
'redirect_url' : '/dashboard',
'redirect_label' : _("Home")
}
return shortcuts.render(request, 'aai_error.html', tempDict)
except Exception as exc:
LOG.error(exc.message, exc_info=True)
tempDict = {
'error_header' : _("Authentication error"),
'error_text' : _("A failure occurs authenticating user"),
'contacts' : settings.MANAGERS,
'redirect_url' : '/dashboard',
'redirect_label' : _("Home")
}
return shortcuts.render(request, 'aai_error.html', tempDict)
return basic_login(request)
def login(request, **kwargs):
'''
Logs a user in using the :class:`~openstack_auth.forms.Login` form.
Referenced from openstack_auth.views.login
'''
if not request.is_ajax():
# If the user is already authenticated, redirect them to the
# dashboard straight away, unless the 'next' parameter is set as it
# usually indicates requesting access to a page that requires different
# permissions.
if request.user.is_authenticated():
return HttpResponseRedirect('/')
# Get our initial region for the form.
form = functional.curry(openstack_auth_form)
template_name = 'auth/login.html'
res = django_auth_views.login(request,
template_name=template_name,
authentication_form=form,
**kwargs)
# Save the region in the cookie, this is used as the default
# selected region next time the Login form loads.
if request.method == "POST":
openstack_auth_utils.set_response_cookie(
res, 'login_region', request.POST.get('region', ''))
openstack_auth_utils.set_response_cookie(
res, 'login_domain', request.POST.get('domain', ''))
# Set the session data here because django's session key rotation
# will erase it if we set it earlier.
print request.user.is_authenticated()
if request.user.is_authenticated():
openstack_auth_user.set_session_from_user(request, request.user)
session = openstack_auth_utils.get_session()
user_endpoint = settings.OPENSTACK_KEYSTONE_URL
auth = openstack_auth_utils.get_token_auth_plugin(
auth_url=user_endpoint,
token=request.user.unscoped_token,
project_id=settings.ADMIN_TENANT_ID)
try:
auth_ref = auth.get_access(session)
except keystone_client_exceptions.ClientException as e:
auth_ref = None
if auth_ref:
new_user = openstack_auth_user.create_user_from_token(
request,
openstack_auth_user.Token(auth_ref),
endpoint=request.user.endpoint)
openstack_auth_user.set_session_from_user(request, new_user)
return res
def login(request):
if request.method == "POST":
# print(request.POST)
data = json.loads(request.body)
data['region'] = 'default'
request.POST = data
APILoginView.as_view(template_name='',
redirect_field_name=auth.REDIRECT_FIELD_NAME,
form_class=functional.curry(forms.Login),
extra_context={},
redirect_authenticated_user=False)(request)
if request.user.is_authenticated:
# print("is_authenticated")
auth_user.set_session_from_user(request, request.user)
regions = dict(forms.get_region_choices())
region = request.user.endpoint
login_region = request.POST.get('region')
region_name = regions.get(login_region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
expiration_time = request.user.time_until_expiration()
threshold_days = settings.PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS
if (expiration_time is not None
and expiration_time.days <= threshold_days
and expiration_time > datetime.timedelta(0)):
expiration_time = str(expiration_time).rsplit(':', 1)[0]
msg = (
_('Please consider changing your password, it will expire'
' in %s minutes') % expiration_time).replace(
':', ' Hours and ')
messages.warning(request, msg)
else:
return JsonResponse("Password is wrong. Ensure your password.",
status=400,
safe=False)
res = dict(
items=[d.to_dict() for d in request.user.authorized_tenants])
for project in res['items']:
if project['name'] == 'admin':
break
switch(request, project['id'])
# print(request.session.session_key)
return JsonResponse(
{
"sid": request.session.session_key,
"project_id": request.user.tenant_id,
"token_expires": request.user.token.expires
},
safe=False)
def login(request):
try:
attributes = get_manager(request)
domain, auth_url = get_ostack_attributes(request)
if attributes:
map_entry = UserMapping.objects.get(globaluser=attributes.username)
localuser = map_entry.registration.username
LOG.debug("Mapped user %s on %s" % (attributes.username, localuser))
kwargs = {
'auth_url' : auth_url,
'request' : request,
'username' : localuser,
'password' : None,
'user_domain_name' : domain
}
user = authenticate(**kwargs)
auth_login(request, user)
if request.user.is_authenticated():
set_session_from_user(request, request.user)
default_region = (settings.OPENSTACK_KEYSTONE_URL, "Default Region")
regions = dict(getattr(settings, 'AVAILABLE_REGIONS', [default_region]))
region = request.user.endpoint
region_name = regions.get(region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
request.session['global_user'] = attributes.username
return shortcuts.redirect(get_user_home(user))
except (UserMapping.DoesNotExist, keystone_exceptions.NotFound):
LOG.debug("User %s authenticated but not authorized" % attributes.username)
return shortcuts.redirect(reverse_lazy('register'))
except (keystone_exceptions.Unauthorized, auth_exceptions.KeystoneAuthException):
return build_err_response(request, _("User not authorized: invalid or disabled"), attributes)
except Exception as exc:
LOG.error(exc.message, exc_info=True)
err_msg = "A failure occurs authenticating user\nPlease, contact the cloud managers"
return build_err_response(request, _(err_msg), attributes)
return basic_login(request)
def login(request, **kwargs):
'''
Logs a user in using the :class:`~openstack_auth.forms.Login` form.
Referenced from openstack_auth.views.login
'''
if not request.is_ajax():
# If the user is already authenticated, redirect them to the
# dashboard straight away, unless the 'next' parameter is set as it
# usually indicates requesting access to a page that requires different
# permissions.
if request.user.is_authenticated():
return HttpResponseRedirect('/')
# Get our initial region for the form.
form = functional.curry(openstack_auth_form)
template_name = 'auth/login.html'
res = django_auth_views.login(request,
template_name=template_name,
authentication_form=form,
**kwargs)
# Save the region in the cookie, this is used as the default
# selected region next time the Login form loads.
if request.method == "POST":
openstack_auth_utils.set_response_cookie(res, 'login_region',
request.POST.get('region', ''))
openstack_auth_utils.set_response_cookie(res, 'login_domain',
request.POST.get('domain', ''))
# Set the session data here because django's session key rotation
# will erase it if we set it earlier.
print request.user.is_authenticated()
if request.user.is_authenticated():
openstack_auth_user.set_session_from_user(request, request.user)
session = openstack_auth_utils.get_session()
user_endpoint = settings.OPENSTACK_KEYSTONE_URL
auth = openstack_auth_utils.get_token_auth_plugin(auth_url=user_endpoint,
token=request.user.unscoped_token,
project_id=settings.ADMIN_TENANT_ID)
try:
auth_ref = auth.get_access(session)
except keystone_client_exceptions.ClientException as e:
auth_ref = None
if auth_ref:
new_user = openstack_auth_user.create_user_from_token(request,
openstack_auth_user.Token(auth_ref),
endpoint=request.user.endpoint)
openstack_auth_user.set_session_from_user(request, new_user)
return res
def switch(request, tenant_id, redirect_field_name=auth.REDIRECT_FIELD_NAME):
"""Switches an authenticated user from one project to another."""
LOG.debug('Switching to tenant %s for user "%s".'
% (tenant_id, request.user.username))
endpoint = utils.fix_auth_url_version(request.user.endpoint)
session = utils.get_session()
# Keystone can be configured to prevent exchanging a scoped token for
# another token. Always use the unscoped token for requesting a
# scoped token.
unscoped_token = request.user.unscoped_token
auth = utils.get_token_auth_plugin(auth_url=endpoint,
token=unscoped_token,
project_id=tenant_id)
try:
auth_ref = auth.get_access(session)
msg = 'Project switch successful for user "%(username)s".' % \
{'username': request.user.username}
LOG.info(msg)
except keystone_exceptions.ClientException:
msg = (
_('Project switch failed for user "%(username)s".') %
{'username': request.user.username})
messages.error(request, msg)
auth_ref = None
LOG.exception('An error occurred while switching sessions.')
# Ensure the user-originating redirection url is safe.
# Taken from django.contrib.auth.views.login()
redirect_to = request.REQUEST.get(redirect_field_name, '')
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = settings.LOGIN_REDIRECT_URL
if auth_ref:
old_endpoint = request.session.get('region_endpoint')
old_token = request.session.get('token')
if old_token and old_endpoint and old_token.id != auth_ref.auth_token:
delete_token(endpoint=old_endpoint, token_id=old_token.id)
user = auth_user.create_user_from_token(
request,
auth_user.Token(auth_ref, unscoped_token=unscoped_token),
endpoint)
auth_user.set_session_from_user(request, user)
message = (
_('Switch to project "%(project_name)s" successful.') %
{'project_name': request.user.project_name})
messages.success(request, message)
response = shortcuts.redirect(redirect_to)
utils.set_response_cookie(response, 'recent_project',
request.user.project_id)
return response
def switch(request, project_id=None):
if not project_id:
data = json.loads(request.body)
tenant_id = data['project_id']
else:
tenant_id = project_id
LOG.debug('Switching to tenant %s for user "%s".', tenant_id,
request.user.username)
endpoint, __ = utils.fix_auth_url_version_prefix(request.user.endpoint)
session = utils.get_session()
unscoped_token = request.user.unscoped_token
auth = utils.get_token_auth_plugin(auth_url=endpoint,
token=unscoped_token,
project_id=tenant_id)
try:
auth_ref = auth.get_access(session)
msg = 'Project switch successful for user "%(username)s".' % \
{'username': request.user.username}
LOG.info(msg)
except keystone_exceptions.ClientException:
msg = (_('Project switch failed for user "%(username)s".') % {
'username': request.user.username
})
messages.error(request, msg)
auth_ref = None
LOG.exception('An error occurred while switching sessions.')
if auth_ref:
user = auth_user.create_user_from_token(
request, auth_user.Token(auth_ref, unscoped_token=unscoped_token),
endpoint)
auth_user.set_session_from_user(request, user)
message = (_('Switch to project "%(project_name)s" successful.') % {
'project_name': request.user.project_name
})
messages.success(request, message)
# utils.set_response_cookie(response, 'recent_project',
# request.user.project_id)
print({
"tenant_id": request.user.tenant_id,
"tenant_name": request.user.tenant_name,
"username": request.user.username
})
return JsonResponse("success", safe=False)
else:
return JsonResponse("failed", status=400, safe=False)
def authentication_callback(request):
""" Second step of the login process.
It reads in a code from Facebook, then redirects back to the home page. """
code = request.GET.get('code')
user = authenticate(token=code, request=request)
auth_login(request, user)
set_session_from_user(request, user)
region = request.user.endpoint
region_name = dict(Login.get_region_choices()).get(region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
url = getattr(settings, "LOGIN_REDIRECT_URL", "/")
resp = HttpResponseRedirect(url)
return resp
def authentication_callback(request):
""" Second step of the login process.
It reads in a code from Facebook, then redirects back to the home page. """
code = request.GET.get('code')
user = authenticate(token=code, request=request)
auth_login(request, user)
set_session_from_user(request, user)
region = request.user.endpoint
region_name = dict(Login.get_region_choices()).get(region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
url = getattr(settings, "LOGIN_REDIRECT_URL", "/")
resp = HttpResponseRedirect(url)
return resp
def switch(request, tenant_id, redirect_field_name=auth.REDIRECT_FIELD_NAME):
"""Switches an authenticated user from one project to another."""
LOG.debug('Switching to tenant %s for user "%s".' %
(tenant_id, request.user.username))
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
ca_cert = getattr(settings, "OPENSTACK_SSL_CACERT", None)
endpoint = request.user.endpoint
try:
if utils.get_keystone_version() >= 3:
if not utils.has_in_url_path(endpoint, '/v3'):
endpoint = utils.url_path_replace(endpoint, '/v2.0', '/v3', 1)
client = utils.get_keystone_client().Client(
tenant_id=tenant_id,
token=request.user.token.id,
auth_url=endpoint,
insecure=insecure,
cacert=ca_cert,
debug=settings.DEBUG)
auth_ref = client.auth_ref
msg = 'Project switch successful for user "%(username)s".' % \
{'username': request.user.username}
LOG.info(msg)
except keystone_exceptions.ClientException:
msg = 'Project switch failed for user "%(username)s".' % \
{'username': request.user.username}
LOG.warning(msg)
auth_ref = None
LOG.exception('An error occurred while switching sessions.')
# Ensure the user-originating redirection url is safe.
# Taken from django.contrib.auth.views.login()
redirect_to = request.REQUEST.get(redirect_field_name, '')
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = settings.LOGIN_REDIRECT_URL
if auth_ref:
old_endpoint = request.session.get('region_endpoint')
old_token = request.session.get('token')
if old_token and old_endpoint and old_token.id != auth_ref.auth_token:
delete_token(endpoint=old_endpoint, token_id=old_token.id)
user = auth_user.create_user_from_token(request,
auth_user.Token(auth_ref),
endpoint)
auth_user.set_session_from_user(request, user)
response = shortcuts.redirect(redirect_to)
utils.set_response_cookie(response, 'recent_project',
request.user.project_id)
return response
def form_valid(self, form):
usr = self.kwargs.get('user_cache') or form.user_cache
auth_login(self.request, usr)
if self.request.session.test_cookie_worked():
self.request.session.delete_test_cookie()
if self.request.user.is_authenticated():
auth_user.set_session_from_user(self.request, usr)
regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
region = self.request.user.endpoint
region_name = regions.get(region)
self.request.session['region_endpoint'] = region
self.request.session['region_name'] = region_name
return HttpResponseRedirect(self.kwargs[self.redirect_field])
def switch(request, tenant_id, redirect_field_name=auth.REDIRECT_FIELD_NAME):
"""Switches an authenticated user from one project to another."""
LOG.debug('Switching to tenant %s for user "%s".'
% (tenant_id, request.user.username))
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
ca_cert = getattr(settings, "OPENSTACK_SSL_CACERT", None)
endpoint = request.user.endpoint
try:
if utils.get_keystone_version() >= 3:
if not utils.has_in_url_path(endpoint, '/v3'):
endpoint = utils.url_path_replace(endpoint, '/v2.0', '/v3', 1)
client = utils.get_keystone_client().Client(
tenant_id=tenant_id,
token=request.user.token.id,
auth_url=endpoint,
insecure=insecure,
cacert=ca_cert,
debug=settings.DEBUG)
auth_ref = client.auth_ref
msg = 'Project switch successful for user "%(username)s".' % \
{'username': request.user.username}
LOG.info(msg)
except keystone_exceptions.ClientException:
msg = 'Project switch failed for user "%(username)s".' % \
{'username': request.user.username}
LOG.warning(msg)
auth_ref = None
LOG.exception('An error occurred while switching sessions.')
# Ensure the user-originating redirection url is safe.
# Taken from django.contrib.auth.views.login()
redirect_to = request.REQUEST.get(redirect_field_name, '')
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = settings.LOGIN_REDIRECT_URL
if auth_ref:
old_endpoint = request.session.get('region_endpoint')
old_token = request.session.get('token')
if old_token and old_endpoint and old_token.id != auth_ref.auth_token:
delete_token(endpoint=old_endpoint, token_id=old_token.id)
user = auth_user.create_user_from_token(
request, auth_user.Token(auth_ref), endpoint)
auth_user.set_session_from_user(request, user)
response = shortcuts.redirect(redirect_to)
utils.set_response_cookie(response, 'recent_project',
request.user.project_id)
return response
def authorize_client_login(request):
login_url = 'get_login_client_view'
translation.activate('zh')
request.LANGUAGE_CODE = 'zh'
form = curry(Login, request)
extra_context = {'redirect_field_name': REDIRECT_FIELD_NAME}
django_login(request,
template_name=login_url,
authentication_form=form,
extra_context=extra_context)
if request.user.is_authenticated():
set_session_from_user(request, request.user)
return shortcuts.redirect('get_client_instances')
else:
return shortcuts.redirect(login_url)
def authorize_client_login(request):
login_url = 'get_login_client_view'
translation.activate('zh')
request.LANGUAGE_CODE = 'zh'
form = curry(Login, request)
extra_context = {'redirect_field_name': REDIRECT_FIELD_NAME}
django_login(request,
template_name=login_url,
authentication_form=form,
extra_context=extra_context)
if request.user.is_authenticated():
set_session_from_user(request, request.user)
return shortcuts.redirect('get_client_instances')
else:
return shortcuts.redirect(login_url)
def switch_system_scope(request, redirect_field_name=auth.REDIRECT_FIELD_NAME):
"""Switches an authenticated user from one system to another."""
LOG.debug('Switching to system scope for user "%s".',
request.user.username)
endpoint, __ = utils.fix_auth_url_version_prefix(request.user.endpoint)
session = utils.get_session()
# Keystone can be configured to prevent exchanging a scoped token for
# another token. Always use the unscoped token for requesting a
# scoped token.
unscoped_token = request.user.unscoped_token
auth = utils.get_token_auth_plugin(auth_url=endpoint,
token=unscoped_token,
system_scope='all')
try:
auth_ref = auth.get_access(session)
except keystone_exceptions.ClientException:
msg = (_('System switch failed for user "%(username)s".') % {
'username': request.user.username
})
messages.error(request, msg)
auth_ref = None
LOG.exception('An error occurred while switching sessions.')
else:
msg = 'System switch successful for user "%(username)s".' % \
{'username': request.user.username}
LOG.info(msg)
# Ensure the user-originating redirection url is safe.
# Taken from django.contrib.auth.views.login()
redirect_to = request.GET.get(redirect_field_name, '')
if not http.is_safe_url(url=redirect_to,
allowed_hosts=[request.get_host()]):
redirect_to = settings.LOGIN_REDIRECT_URL
if auth_ref:
user = auth_user.create_user_from_token(
request, auth_user.Token(auth_ref, unscoped_token=unscoped_token),
endpoint)
auth_user.set_session_from_user(request, user)
message = _('Switch to system scope successful.')
messages.success(request, message)
response = shortcuts.redirect(redirect_to)
return response
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
referer = request.META.get("HTTP_REFERER", settings.OPENSTACK_KEYSTONE_URL)
auth_url = re.sub(r"/auth.*", "", referer)
token = request.POST.get("token")
try:
request.user = auth.authenticate(request=request, auth_url=auth_url, token=token)
except exceptions.KeystoneAuthException as exc:
msg = "Login failed: %s" % unicode(exc)
res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
res.set_cookie("logout_reason", msg, max_age=10)
return res
auth_user.set_session_from_user(request, request.user)
auth.login(request, request.user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
return django_http.HttpResponseRedirect(settings.LOGIN_REDIRECT_URL)
def sso(request):
referer = request.META.get('HTTP_REFERER', settings.OPENSTACK_KEYSTONE_URL)
scheme, netloc, path, query, fragment = urlparse.urlsplit(referer)
auth_url = urlparse.urlunsplit((scheme, netloc, re.sub(r'/auth.*', '', path), '', ''))
token = request.REQUEST.get('token')
project_id = request.REQUEST.get('vdcId')
if token is None or project_id is None:
return None
token = token.replace(' ', '+')
try:
request.user = auth.authenticate(request=request, auth_url=auth_url, token=token, project_id=project_id)
auth_user.set_session_from_user(request, request.user)
auth.login(request, request.user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
return request.user
except Exception:
return None
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
referer = request.META.get('HTTP_REFERER', settings.OPENSTACK_KEYSTONE_URL)
auth_url = re.sub(r'/auth.*', '', referer)
token = request.POST.get('token')
try:
request.user = auth.authenticate(request=request, auth_url=auth_url,
token=token)
except exceptions.KeystoneAuthException as exc:
msg = 'Login failed: %s' % six.text_type(exc)
res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
res.set_cookie('logout_reason', msg, max_age=10)
return res
auth_user.set_session_from_user(request, request.user)
auth.login(request, request.user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
return django_http.HttpResponseRedirect(settings.LOGIN_REDIRECT_URL)
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
referer = request.META.get('HTTP_REFERER', settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
token = request.POST.get('token')
try:
request.user = auth.authenticate(request=request, auth_url=auth_url,
token=token)
except exceptions.KeystoneAuthException as exc:
msg = 'Login failed: %s' % six.text_type(exc)
res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
res.set_cookie('logout_reason', msg, max_age=10)
return res
auth_user.set_session_from_user(request, request.user)
auth.login(request, request.user)
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
return django_http.HttpResponseRedirect(settings.LOGIN_REDIRECT_URL)
def authentication_callback(request):
""" Second step of the login process.
It reads in a code from Sina, then redirects back to the home page. """
code = request.GET.get('code')
user = authenticate(token=code, request=request)
try:
auth_login(request, user)
except AttributeError:
# No valid user returned
return HttpResponseRedirect(request.build_absolute_uri('/'))
set_session_from_user(request, user)
region = request.user.endpoint
region_name = dict(Login.get_region_choices()).get(region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
url = getattr(settings, "LOGIN_REDIRECT_URL", "/")
resp = HttpResponseRedirect(url)
return resp
def login_view(request):
"""
Đăng nhập
"""
print('------------------')
if request.user.is_authenticated:
print('Session is authenticate')
for key, value in request.session.items():
print('{} => {}'.format(key, value))
print('Check value')
print(request.user.is_authenticated)
print('------------------')
form = LoginForm(request.POST or None)
if form.is_valid():
username = form.cleaned_data.get("username")
password = form.cleaned_data.get('password')
try:
# user = authenticate(request=request,
# username=username,
# password=password,)
# #print(user)
# #json.dumps(user.token)
# auth_user.set_session_from_user(request, user)
user_cache = authenticate(request=request,
username=username,
password=password,
user_domain_name='Default',
auth_url=settings.OPENSTACK_KEYSTONE_URL)
if request.user.is_authenticated:
auth_user.set_session_from_user(request, request.user)
login(request, request.user)
except exceptions.KeystoneAuthException as exc:
print('Login fail')
return redirect('log_view')
print(request.user.is_authenticated)
return render(request, 'authentication/login.html')
def login(request, user):
if user is None:
user = request.user
# TODO: It would be nice to support different login methods, like signed cookies.
if auth.SESSION_KEY in request.session:
if request.session[auth.SESSION_KEY] != user.id:
# To avoid reusing another user's session, create a new, empty
# session if the existing session corresponds to a different
# authenticated user.
request.session.flush()
else:
request.session.cycle_key()
request.session[auth.SESSION_KEY] = user.id
request.session[auth.BACKEND_SESSION_KEY] = user.backend
set_session_from_user(request, user)
if hasattr(request, 'user'):
request.user = user
user_logged_in.send(sender=user.__class__, request=request, user=user)
def login(request, user):
if user is None:
user = request.user
# TODO: It would be nice to support different login methods, like signed cookies.
if auth.SESSION_KEY in request.session:
if request.session[auth.SESSION_KEY] != user.id:
# To avoid reusing another user's session, create a new, empty
# session if the existing session corresponds to a different
# authenticated user.
request.session.flush()
else:
request.session.cycle_key()
request.session[auth.SESSION_KEY] = user.id
request.session[auth.BACKEND_SESSION_KEY] = user.backend
set_session_from_user(request, user)
if hasattr(request, 'user'):
request.user = user
user_logged_in.send(sender=user.__class__, request=request, user=user)
def switch_tenants(request, tenant_id):
"""
Swaps a user from one tenant to another using the unscoped token from
Keystone to exchange scoped tokens for the new tenant.
"""
if request.user.tenant_id == tenant_id:
return True
endpoint = request.user.endpoint
unscoped_token = request.session.get('unscoped_token', None)
if unscoped_token:
try:
token = api.token_create_scoped(request, tenant_id, unscoped_token)
user = create_user_from_token(request, token, endpoint)
request.user = user
set_session_from_user(request, user)
return request.user
except Unauthorized:
raise
except Exception, e:
LOG.error('User(%s) can not authorize project %s. Error: %s' %
(request.user.id, tenant_id, e))
return None
def authenticate(self, request=None, username=None, password=None):
"""Authenticates a user via the Keystone Identity API. """
LOG.debug('Beginning user authentication for user "%s".' % username)
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
ca_cert = getattr(settings, "OPENSTACK_SSL_CACERT", None)
endpoint_type = getattr(
settings, 'OPENSTACK_ENDPOINT_TYPE', 'publicURL')
auth_url = getattr(
settings, "OPENSTACK_KEYSTONE_URL", "http://0.0.0.0:5000/v2.0")
keystone_client = utils.get_keystone_client()
try:
client = keystone_client.Client(
username=username,
password=password,
auth_url=auth_url,
insecure=insecure,
cacert=ca_cert,
debug=settings.DEBUG)
unscoped_auth_ref = client.auth_ref
unscoped_token = auth_user.Token(auth_ref=unscoped_auth_ref)
except (keystone_exceptions.Unauthorized,
keystone_exceptions.Forbidden,
keystone_exceptions.NotFound) as exc:
msg = _('Invalid user name or password.')
LOG.debug(str(exc))
return None
except (keystone_exceptions.ClientException,
keystone_exceptions.AuthorizationFailure) as exc:
msg = _("An error occurred authenticating. "
"Please try again later.")
LOG.debug(str(exc))
return None
# Check expiry for our unscoped auth ref.
self.check_auth_expiry(unscoped_auth_ref)
# Check if token is automatically scoped to default_project
if unscoped_auth_ref.project_scoped:
auth_ref = unscoped_auth_ref
else:
return None
# Check expiry for our new scoped token.
self.check_auth_expiry(auth_ref)
# If we made it here we succeeded. Create our User!
user = auth_user.create_user_from_token(
request,
auth_user.Token(auth_ref),
auth_url)
if request is not None:
auth_user.set_session_from_user(request, user)
# Support client caching to save on auth calls.
setattr(request, KEYSTONE_CLIENT_ATTR, client)
logging.error('Authentication completed for user "%s".' % username)
return user
def login(request, template_name=None, extra_context=None, **kwargs):
"""Logs a user in using the :class:`~openstack_auth.forms.Login` form."""
# If the user enabled websso and selects default protocol
# from the dropdown, We need to redirect user to the websso url
if request.method == 'POST':
protocol = request.POST.get('auth_type', 'credentials')
if utils.is_websso_enabled() and protocol != 'credentials':
region = request.POST.get('region')
origin = utils.build_absolute_uri(request, '/auth/websso/')
url = ('%s/auth/OS-FEDERATION/websso/%s?origin=%s' %
(region, protocol, origin))
return shortcuts.redirect(url)
if not request.is_ajax():
# If the user is already authenticated, redirect them to the
# dashboard straight away, unless the 'next' parameter is set as it
# usually indicates requesting access to a page that requires different
# permissions.
if (request.user.is_authenticated()
and auth.REDIRECT_FIELD_NAME not in request.GET
and auth.REDIRECT_FIELD_NAME not in request.POST):
return shortcuts.redirect(settings.LOGIN_REDIRECT_URL)
# Get our initial region for the form.
initial = {}
current_region = request.session.get('region_endpoint', None)
requested_region = request.GET.get('region', None)
regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
if requested_region in regions and requested_region != current_region:
initial.update({'region': requested_region})
if request.method == "POST":
# NOTE(saschpe): Since https://code.djangoproject.com/ticket/15198,
# the 'request' object is passed directly to AuthenticationForm in
# django.contrib.auth.views#login:
if django.VERSION >= (1, 6):
form = functional.curry(forms.Login)
else:
form = functional.curry(forms.Login, request)
else:
form = functional.curry(forms.Login, initial=initial)
if extra_context is None:
extra_context = {'redirect_field_name': auth.REDIRECT_FIELD_NAME}
if not template_name:
if request.is_ajax():
template_name = 'auth/_login.html'
extra_context['hide'] = True
else:
template_name = 'auth/login.html'
res = django_auth_views.login(request,
template_name=template_name,
authentication_form=form,
extra_context=extra_context,
**kwargs)
# Save the region in the cookie, this is used as the default
# selected region next time the Login form loads.
if request.method == "POST":
utils.set_response_cookie(res, 'login_region',
request.POST.get('region', ''))
# Set the session data here because django's session key rotation
# will erase it if we set it earlier.
if request.user.is_authenticated():
auth_user.set_session_from_user(request, request.user)
regions = dict(forms.Login.get_region_choices())
region = request.user.endpoint
region_name = regions.get(region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
request.session['last_activity'] = int(time.time())
return res
def login(request, template_name=None, extra_context=None, **kwargs):
"""Logs a user in using the :class:`~openstack_auth.forms.Login` form."""
# If the user enabled websso and selects default protocol
# from the dropdown, We need to redirect user to the websso url
if request.method == 'POST':
auth_type = request.POST.get('auth_type', 'credentials')
if utils.is_websso_enabled() and auth_type != 'credentials':
auth_url = request.POST.get('region')
url = utils.get_websso_url(request, auth_url, auth_type)
return shortcuts.redirect(url)
if not request.is_ajax():
# If the user is already authenticated, redirect them to the
# dashboard straight away, unless the 'next' parameter is set as it
# usually indicates requesting access to a page that requires different
# permissions.
if (request.user.is_authenticated()
and auth.REDIRECT_FIELD_NAME not in request.GET
and auth.REDIRECT_FIELD_NAME not in request.POST):
return shortcuts.redirect(settings.LOGIN_REDIRECT_URL)
# Get our initial region for the form.
initial = {}
current_region = request.session.get('region_endpoint', None)
requested_region = request.GET.get('region', None)
regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
if requested_region in regions and requested_region != current_region:
initial.update({'region': requested_region})
if request.method == "POST":
form = functional.curry(forms.Login)
else:
form = functional.curry(forms.Login, initial=initial)
if extra_context is None:
extra_context = {'redirect_field_name': auth.REDIRECT_FIELD_NAME}
if not template_name:
if request.is_ajax():
template_name = 'auth/_login.html'
extra_context['hide'] = True
else:
template_name = 'auth/login.html'
res = django_auth_views.login(request,
template_name=template_name,
authentication_form=form,
extra_context=extra_context,
**kwargs)
# Save the region in the cookie, this is used as the default
# selected region next time the Login form loads.
if request.method == "POST":
utils.set_response_cookie(res, 'login_region',
request.POST.get('region', ''))
utils.set_response_cookie(res, 'login_domain',
request.POST.get('domain', ''))
# Set the session data here because django's session key rotation
# will erase it if we set it earlier.
if request.user.is_authenticated():
auth_user.set_session_from_user(request, request.user)
regions = dict(forms.Login.get_region_choices())
region = request.user.endpoint
login_region = request.POST.get('region')
region_name = regions.get(login_region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
expiration_time = request.user.time_until_expiration()
threshold_days = getattr(settings,
'PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS', -1)
if expiration_time is not None and \
expiration_time.days <= threshold_days:
expiration_time = str(expiration_time).rsplit(':', 1)[0]
msg = (_('Please consider changing your password, it will expire'
' in %s minutes') % expiration_time).replace(
':', ' Hours and ')
messages.warning(request, msg)
return res
def login(request, template_name=None, extra_context=None, **kwargs):
"""Logs a user in using the :class:`~openstack_auth.forms.Login` form."""
# If the user enabled websso and selects default protocol
# from the dropdown, We need to redirect user to the websso url
if request.method == 'POST':
auth_type = request.POST.get('auth_type', 'credentials')
if utils.is_websso_enabled() and auth_type != 'credentials':
auth_url = request.POST.get('region')
url = utils.get_websso_url(request, auth_url, auth_type)
return shortcuts.redirect(url)
if not request.is_ajax():
# If the user is already authenticated, redirect them to the
# dashboard straight away, unless the 'next' parameter is set as it
# usually indicates requesting access to a page that requires different
# permissions.
if (request.user.is_authenticated() and
auth.REDIRECT_FIELD_NAME not in request.GET and
auth.REDIRECT_FIELD_NAME not in request.POST):
return shortcuts.redirect(settings.LOGIN_REDIRECT_URL)
# Get our initial region for the form.
initial = {}
current_region = request.session.get('region_endpoint', None)
requested_region = request.GET.get('region', None)
regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
if requested_region in regions and requested_region != current_region:
initial.update({'region': requested_region})
if request.method == "POST":
form = functional.curry(forms.Login)
else:
form = functional.curry(forms.Login, initial=initial)
if extra_context is None:
extra_context = {'redirect_field_name': auth.REDIRECT_FIELD_NAME}
if not template_name:
if request.is_ajax():
template_name = 'auth/_login.html'
extra_context['hide'] = True
else:
template_name = 'auth/login.html'
res = django_auth_views.login(request,
template_name=template_name,
authentication_form=form,
extra_context=extra_context,
**kwargs)
# Save the region in the cookie, this is used as the default
# selected region next time the Login form loads.
if request.method == "POST":
utils.set_response_cookie(res, 'login_region',
request.POST.get('region', ''))
utils.set_response_cookie(res, 'login_domain',
request.POST.get('domain', ''))
# Set the session data here because django's session key rotation
# will erase it if we set it earlier.
if request.user.is_authenticated():
auth_user.set_session_from_user(request, request.user)
regions = dict(forms.Login.get_region_choices())
region = request.user.endpoint
login_region = request.POST.get('region')
region_name = regions.get(login_region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
return res
def switch_keystone_provider(request,
keystone_provider=None,
redirect_field_name=auth.REDIRECT_FIELD_NAME):
"""Switches the user's keystone provider using K2K Federation
If keystone_provider is given then we switch the user to
the keystone provider using K2K federation. Otherwise if keystone_provider
is None then we switch the user back to the Identity Provider Keystone
which a non federated token auth will be used.
"""
base_token = request.session.get('k2k_base_unscoped_token', None)
k2k_auth_url = request.session.get('k2k_auth_url', None)
keystone_providers = request.session.get('keystone_providers', None)
recent_project = request.COOKIES.get('recent_project')
if not base_token or not k2k_auth_url:
msg = _('K2K Federation not setup for this session')
raise exceptions.KeystoneAuthException(msg)
redirect_to = request.GET.get(redirect_field_name, '')
if not http.is_safe_url(url=redirect_to,
allowed_hosts=[request.get_host()]):
redirect_to = settings.LOGIN_REDIRECT_URL
unscoped_auth_ref = None
keystone_idp_id = settings.KEYSTONE_PROVIDER_IDP_ID
if keystone_provider == keystone_idp_id:
current_plugin = plugin.TokenPlugin()
unscoped_auth = current_plugin.get_plugin(auth_url=k2k_auth_url,
token=base_token)
else:
# Switch to service provider using K2K federation
plugins = [plugin.TokenPlugin()]
current_plugin = plugin.K2KAuthPlugin()
unscoped_auth = current_plugin.get_plugin(
auth_url=k2k_auth_url,
service_provider=keystone_provider,
plugins=plugins,
token=base_token,
recent_project=recent_project)
try:
# Switch to identity provider using token auth
unscoped_auth_ref = current_plugin.get_access_info(unscoped_auth)
except exceptions.KeystoneAuthException as exc:
msg = 'Switching to Keystone Provider %s has failed. %s' \
% (keystone_provider, exc)
messages.error(request, msg)
if unscoped_auth_ref:
try:
request.user = auth.authenticate(
request,
auth_url=unscoped_auth.auth_url,
token=unscoped_auth_ref.auth_token)
except exceptions.KeystoneAuthException as exc:
msg = 'Keystone provider switch failed: %s' % exc
res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
set_logout_reason(res, msg)
return res
auth.login(request, request.user)
auth_user.set_session_from_user(request, request.user)
request.session['keystone_provider_id'] = keystone_provider
request.session['keystone_providers'] = keystone_providers
request.session['k2k_base_unscoped_token'] = base_token
request.session['k2k_auth_url'] = k2k_auth_url
message = (_('Switch to Keystone Provider "%(keystone_provider)s" '
'successful.') % {
'keystone_provider': keystone_provider
})
messages.success(request, message)
response = shortcuts.redirect(redirect_to)
return response
def login(request, extra_context=None, **kwargs):
redirect = request.GET.get('redirect',
request.POST.get('redirect', kwargs.get('redirect', '')))
template_name = kwargs.get('template', 'auth/login.html')
if (request.user.is_authenticated() and
auth.REDIRECT_FIELD_NAME not in request.GET and
auth.REDIRECT_FIELD_NAME not in request.POST):
return shortcuts.redirect(settings.LOGIN_REDIRECT_URL)
initial = {}
current_region = request.session.get('region_endpoint', None)
requested_region = request.GET.get('region', None)
regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
if requested_region in regions and requested_region != current_region:
initial.update({'region': requested_region})
if request.method == "POST":
if django.VERSION >= (1, 6):
authentication_form = functional.curry(forms.Login)
else:
authentication_form = functional.curry(forms.Login, request)
else:
authentication_form = functional.curry(forms.Login, initial=initial)
if request.method == "POST":
form = authentication_form(request, data=request.POST)
if form.is_valid():
django_auth_login(request, form.get_user())
else:
form = authentication_form(request)
if request.user.is_authenticated():
print 'user.is_authenticated'
auth_user.set_session_from_user(
request,
request.user
)
regions = dict(forms.Login.get_region_choices())
region = request.user.endpoint
region_name = regions.get(region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
print u'验证'
u = request.user
c = getattr(request, KEYSTONE_CLIENT_ATTR)
print '-+' * 20
print type(c)
print '-' * 20
d = u.__dict__
return JsonResponseSuccess(msg='success', user=d)
context = {
'form': form,
'redirect': redirect,
}
return TemplateResponse(request, template_name, context)
# Get our initial region for the form.
initial = {}
current_region = request.session.get('region_endpoint', None)
requested_region = request.GET.get('region', 'http://controller:5000/v3')
regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
if requested_region in regions and requested_region != current_region:
initial.update({'region': requested_region})
if request.method == "POST":
# NOTE(saschpe): Since https://code.djangoproject.com/ticket/15198,
# the 'request' object is passed directly to AuthenticationForm in
# django.contrib.auth.views#login:
if django.VERSION >= (1, 6):
authentication_form = functional.curry(forms.Login)
else:
authentication_form = functional.curry(forms.Login, request)
else:
authentication_form = functional.curry(forms.Login, initial=initial)
if request.method == "POST":
form = authentication_form(request, data=request.POST)
if form.is_valid():
django_auth_login(request, form.get_user())
else:
print 3333333, form.errors
# Set the session data here because django's session key rotation
# will erase it if we set it earlier.
if request.user.is_authenticated():
print 'user.is_authenticated'
auth_user.set_session_from_user(
request,
request.user
)
regions = dict(forms.Login.get_region_choices())
region = request.user.endpoint
region_name = regions.get(region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
print u'验证'
u = request.user
lst = [
'authorized_tenants',
'available_services_regions',
'backend',
'check_password',
'default_services_region',
'delete',
'domain_id',
'domain_name',
'enabled',
'endpoint',
'get_all_permissions',
'get_group_permissions',
'groups',
'has_a_matching_perm',
'has_module_perms',
'has_perm',
'has_perms',
'id',
'is_active',
'is_anonymous',
'is_authenticated',
'is_staff',
'is_superuser',
'is_token_expired',
'last_login',
'pk',
'project_id',
'project_name',
'roles',
'save',
'service_catalog',
'services_region',
'set_password',
'tenant_id',
'tenant_name',
'token',
'user_domain_id',
'user_domain_name',
'user_permissions',
'username'
]
for k in lst:
print k, ':', getattr(u, k), '\n', '-' * 20
return HttpResponse('success')
else:
return HttpResponseRedirect('/demo/login')
def login(request, template_name=None, extra_context=None, **kwargs):
"""Logs a user in using the :class:`~openstack_auth.forms.Login` form."""
# If the user enabled websso and the default redirect
# redirect to the default websso url
if (request.method == 'GET' and utils.is_websso_enabled and
utils.is_websso_default_redirect()):
protocol = utils.get_websso_default_redirect_protocol()
region = utils.get_websso_default_redirect_region()
origin = utils.build_absolute_uri(request, '/auth/websso/')
url = ('%s/auth/OS-FEDERATION/websso/%s?origin=%s' %
(region, protocol, origin))
return shortcuts.redirect(url)
# If the user enabled websso and selects default protocol
# from the dropdown, We need to redirect user to the websso url
if request.method == 'POST':
auth_type = request.POST.get('auth_type', 'credentials')
if utils.is_websso_enabled() and auth_type != 'credentials':
region_id = request.POST.get('region')
auth_url = getattr(settings, 'WEBSSO_KEYSTONE_URL',
forms.get_region_endpoint(region_id))
url = utils.get_websso_url(request, auth_url, auth_type)
return shortcuts.redirect(url)
if not request.is_ajax():
# If the user is already authenticated, redirect them to the
# dashboard straight away, unless the 'next' parameter is set as it
# usually indicates requesting access to a page that requires different
# permissions.
if (request.user.is_authenticated and
auth.REDIRECT_FIELD_NAME not in request.GET and
auth.REDIRECT_FIELD_NAME not in request.POST):
return shortcuts.redirect(settings.LOGIN_REDIRECT_URL)
# Get our initial region for the form.
initial = {}
current_region = request.session.get('region_endpoint', None)
requested_region = request.GET.get('region', None)
regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
if requested_region in regions and requested_region != current_region:
initial.update({'region': requested_region})
if request.method == "POST":
form = functional.curry(forms.Login)
else:
form = functional.curry(forms.Login, initial=initial)
if extra_context is None:
extra_context = {'redirect_field_name': auth.REDIRECT_FIELD_NAME}
extra_context['csrf_failure'] = request.GET.get('csrf_failure')
choices = getattr(settings, 'WEBSSO_CHOICES', ())
extra_context['show_sso_opts'] = (utils.is_websso_enabled() and
len(choices) > 1)
if not template_name:
if request.is_ajax():
template_name = 'auth/_login.html'
extra_context['hide'] = True
else:
template_name = 'auth/login.html'
res = django_auth_views.login(request,
template_name=template_name,
authentication_form=form,
extra_context=extra_context,
**kwargs)
# Save the region in the cookie, this is used as the default
# selected region next time the Login form loads.
if request.method == "POST":
utils.set_response_cookie(res, 'login_region',
request.POST.get('region', ''))
utils.set_response_cookie(res, 'login_domain',
request.POST.get('domain', ''))
# Set the session data here because django's session key rotation
# will erase it if we set it earlier.
if request.user.is_authenticated:
auth_user.set_session_from_user(request, request.user)
regions = dict(forms.Login.get_region_choices())
region = request.user.endpoint
login_region = request.POST.get('region')
region_name = regions.get(login_region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
expiration_time = request.user.time_until_expiration()
threshold_days = getattr(
settings, 'PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS', -1)
if expiration_time is not None and \
expiration_time.days <= threshold_days:
expiration_time = str(expiration_time).rsplit(':', 1)[0]
msg = (_('Please consider changing your password, it will expire'
' in %s minutes') %
expiration_time).replace(':', ' Hours and ')
messages.warning(request, msg)
return res
def switch_keystone_provider(request, keystone_provider=None,
redirect_field_name=auth.REDIRECT_FIELD_NAME):
"""Switches the user's keystone provider using K2K Federation
If keystone_provider is given then we switch the user to
the keystone provider using K2K federation. Otherwise if keystone_provider
is None then we switch the user back to the Identity Provider Keystone
which a non federated token auth will be used.
"""
base_token = request.session.get('k2k_base_unscoped_token', None)
k2k_auth_url = request.session.get('k2k_auth_url', None)
keystone_providers = request.session.get('keystone_providers', None)
recent_project = request.COOKIES.get('recent_project')
if not base_token or not k2k_auth_url:
msg = _('K2K Federation not setup for this session')
raise exceptions.KeystoneAuthException(msg)
redirect_to = request.GET.get(redirect_field_name, '')
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = settings.LOGIN_REDIRECT_URL
unscoped_auth_ref = None
keystone_idp_id = getattr(
settings, 'KEYSTONE_PROVIDER_IDP_ID', 'localkeystone')
if keystone_provider == keystone_idp_id:
current_plugin = plugin.TokenPlugin()
unscoped_auth = current_plugin.get_plugin(auth_url=k2k_auth_url,
token=base_token)
else:
# Switch to service provider using K2K federation
plugins = [plugin.TokenPlugin()]
current_plugin = plugin.K2KAuthPlugin()
unscoped_auth = current_plugin.get_plugin(
auth_url=k2k_auth_url, service_provider=keystone_provider,
plugins=plugins, token=base_token, recent_project=recent_project)
try:
# Switch to identity provider using token auth
unscoped_auth_ref = current_plugin.get_access_info(unscoped_auth)
except exceptions.KeystoneAuthException as exc:
msg = 'Switching to Keystone Provider %s has failed. %s' \
% (keystone_provider, (six.text_type(exc)))
messages.error(request, msg)
if unscoped_auth_ref:
try:
request.user = auth.authenticate(
request=request, auth_url=unscoped_auth.auth_url,
token=unscoped_auth_ref.auth_token)
except exceptions.KeystoneAuthException as exc:
msg = 'Keystone provider switch failed: %s' % six.text_type(exc)
res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
res.set_cookie('logout_reason', msg, max_age=10)
return res
auth.login(request, request.user)
auth_user.set_session_from_user(request, request.user)
request.session['keystone_provider_id'] = keystone_provider
request.session['keystone_providers'] = keystone_providers
request.session['k2k_base_unscoped_token'] = base_token
request.session['k2k_auth_url'] = k2k_auth_url
message = (
_('Switch to Keystone Provider "%(keystone_provider)s"'
'successful.') % {'keystone_provider': keystone_provider})
messages.success(request, message)
response = shortcuts.redirect(redirect_to)
return response
def login(request, extra_context=None, **kwargs):
redirect = request.GET.get(
'redirect', request.POST.get('redirect', kwargs.get('redirect', '')))
template_name = kwargs.get('template', 'auth/login.html')
if (request.user.is_authenticated()
and auth.REDIRECT_FIELD_NAME not in request.GET
and auth.REDIRECT_FIELD_NAME not in request.POST):
return shortcuts.redirect(settings.LOGIN_REDIRECT_URL)
initial = {}
current_region = request.session.get('region_endpoint', None)
requested_region = request.GET.get('region', None)
regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
if requested_region in regions and requested_region != current_region:
initial.update({'region': requested_region})
if request.method == "POST":
if django.VERSION >= (1, 6):
authentication_form = functional.curry(forms.Login)
else:
authentication_form = functional.curry(forms.Login, request)
else:
authentication_form = functional.curry(forms.Login, initial=initial)
if request.method == "POST":
form = authentication_form(request, data=request.POST)
if form.is_valid():
django_auth_login(request, form.get_user())
else:
form = authentication_form(request)
if request.user.is_authenticated():
print 'user.is_authenticated'
auth_user.set_session_from_user(request, request.user)
regions = dict(forms.Login.get_region_choices())
region = request.user.endpoint
region_name = regions.get(region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
print u'验证'
u = request.user
c = getattr(request, KEYSTONE_CLIENT_ATTR)
print '-+' * 20
print type(c)
print '-' * 20
d = u.__dict__
return JsonResponseSuccess(msg='success', user=d)
context = {
'form': form,
'redirect': redirect,
}
return TemplateResponse(request, template_name, context)
# Get our initial region for the form.
initial = {}
current_region = request.session.get('region_endpoint', None)
requested_region = request.GET.get('region', 'http://controller:5000/v3')
regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
if requested_region in regions and requested_region != current_region:
initial.update({'region': requested_region})
if request.method == "POST":
# NOTE(saschpe): Since https://code.djangoproject.com/ticket/15198,
# the 'request' object is passed directly to AuthenticationForm in
# django.contrib.auth.views#login:
if django.VERSION >= (1, 6):
authentication_form = functional.curry(forms.Login)
else:
authentication_form = functional.curry(forms.Login, request)
else:
authentication_form = functional.curry(forms.Login, initial=initial)
if request.method == "POST":
form = authentication_form(request, data=request.POST)
if form.is_valid():
django_auth_login(request, form.get_user())
else:
print 3333333, form.errors
# Set the session data here because django's session key rotation
# will erase it if we set it earlier.
if request.user.is_authenticated():
print 'user.is_authenticated'
auth_user.set_session_from_user(request, request.user)
regions = dict(forms.Login.get_region_choices())
region = request.user.endpoint
region_name = regions.get(region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
print u'验证'
u = request.user
lst = [
'authorized_tenants', 'available_services_regions', 'backend',
'check_password', 'default_services_region', 'delete', 'domain_id',
'domain_name', 'enabled', 'endpoint', 'get_all_permissions',
'get_group_permissions', 'groups', 'has_a_matching_perm',
'has_module_perms', 'has_perm', 'has_perms', 'id', 'is_active',
'is_anonymous', 'is_authenticated', 'is_staff', 'is_superuser',
'is_token_expired', 'last_login', 'pk', 'project_id',
'project_name', 'roles', 'save', 'service_catalog',
'services_region', 'set_password', 'tenant_id', 'tenant_name',
'token', 'user_domain_id', 'user_domain_name', 'user_permissions',
'username'
]
for k in lst:
print k, ':', getattr(u, k), '\n', '-' * 20
return HttpResponse('success')
else:
return HttpResponseRedirect('/demo/login')
def set_user_admin_token(request):
"""
Via admin account login again when admin token is expired.
"""
from keystoneclient.v2_0 import client as keystone_client
from keystoneclient import exceptions as keystone_exceptions
from keystoneclient.v2_0.tokens import Token, TokenManager
from openstack_auth.exceptions import KeystoneAuthException
from openstack_auth.utils import is_ans1_token
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
endpoint = request.user.endpoint
try:
password = getattr(settings, 'OPENSTACK_ADMIN_TOKEN', 'admin')
client = keystone_client.Client(username=u'admin',
password=password,
tenant_id='',
auth_url=endpoint,
insecure=insecure)
unscoped_token_data = {"token": client.service_catalog.get_token()}
unscoped_token = Token(TokenManager(None),
unscoped_token_data,
loaded=True)
except (keystone_exceptions.Unauthorized,
keystone_exceptions.Forbidden,
keystone_exceptions.NotFound) as exc:
msg = _('Invalid user name or password.')
LOG.debug(exc.message)
raise KeystoneAuthException(msg)
except (keystone_exceptions.ClientException,
keystone_exceptions.AuthorizationFailure) as exc:
msg = _("An error occurred authenticating. "
"Please try again later.")
LOG.debug(exc.message)
raise KeystoneAuthException(msg)
# FIXME: Log in to default tenant when the Keystone API returns it...
# For now we list all the user's tenants and iterate through.
try:
tenants = client.tenants.list()
except (keystone_exceptions.ClientException,
keystone_exceptions.AuthorizationFailure):
msg = _('Unable to retrieve authorized projects.')
raise KeystoneAuthException(msg)
# Abort if there are no tenants for this user
if not tenants:
msg = _('You are not authorized for any projects.')
raise KeystoneAuthException(msg)
while tenants:
tenant = tenants.pop()
try:
token = api.token_create_scoped(request,
tenant.id,
unscoped_token.id)
break
except (keystone_exceptions.ClientException,
keystone_exceptions.AuthorizationFailure):
token = None
if token is None:
msg = _("Unable to authenticate to any available projects.")
raise KeystoneAuthException(msg)
# If we made it here we succeeded. Create our User!
user = create_user_from_token(request,
token,
endpoint)
if request is not None:
if is_ans1_token(unscoped_token.id):
hashed_token = hashlib.md5(unscoped_token.id).hexdigest()
unscoped_token._info['token']['id'] = hashed_token
request.session['unscoped_token'] = unscoped_token.id
request.user = user
set_session_from_user(request, request.user)
return user
def login(request, template_name=None, extra_context=None, **kwargs):
"""Logs a user in using the :class:`~openstack_auth.forms.Login` form."""
# If the user enabled websso and selects default protocol
# from the dropdown, We need to redirect user to the websso url
if request.method == "POST":
protocol = request.POST.get("auth_type", "credentials")
if utils.is_websso_enabled() and protocol != "credentials":
region = request.POST.get("region")
origin = request.build_absolute_uri("/auth/websso/")
url = "%s/auth/OS-FEDERATION/websso/%s?origin=%s" % (region, protocol, origin)
return shortcuts.redirect(url)
if not request.is_ajax():
# If the user is already authenticated, redirect them to the
# dashboard straight away, unless the 'next' parameter is set as it
# usually indicates requesting access to a page that requires different
# permissions.
if (
request.user.is_authenticated()
and auth.REDIRECT_FIELD_NAME not in request.GET
and auth.REDIRECT_FIELD_NAME not in request.POST
):
return shortcuts.redirect(settings.LOGIN_REDIRECT_URL)
# Get our initial region for the form.
initial = {}
current_region = request.session.get("region_endpoint", None)
requested_region = request.GET.get("region", None)
regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
if requested_region in regions and requested_region != current_region:
initial.update({"region": requested_region})
if request.method == "POST":
# NOTE(saschpe): Since https://code.djangoproject.com/ticket/15198,
# the 'request' object is passed directly to AuthenticationForm in
# django.contrib.auth.views#login:
if django.VERSION >= (1, 6):
form = functional.curry(forms.Login)
else:
form = functional.curry(forms.Login, request)
else:
form = functional.curry(forms.Login, initial=initial)
if extra_context is None:
extra_context = {"redirect_field_name": auth.REDIRECT_FIELD_NAME}
if not template_name:
if request.is_ajax():
template_name = "auth/_login.html"
extra_context["hide"] = True
else:
template_name = "auth/login.html"
res = django_auth_views.login(
request, template_name=template_name, authentication_form=form, extra_context=extra_context, **kwargs
)
# Save the region in the cookie, this is used as the default
# selected region next time the Login form loads.
if request.method == "POST":
utils.set_response_cookie(res, "login_region", request.POST.get("region", ""))
# Set the session data here because django's session key rotation
# will erase it if we set it earlier.
if request.user.is_authenticated():
auth_user.set_session_from_user(request, request.user)
regions = dict(forms.Login.get_region_choices())
region = request.user.endpoint
region_name = regions.get(region)
request.session["region_endpoint"] = region
request.session["region_name"] = region_name
request.session["last_activity"] = int(time.time())
return res
def login(request):
"""Logs a user in using the :class:`~openstack_auth.forms.Login` form."""
# If the user enabled websso and the default redirect
# redirect to the default websso url
if (request.method == 'GET' and settings.WEBSSO_ENABLED
and settings.WEBSSO_DEFAULT_REDIRECT):
protocol = settings.WEBSSO_DEFAULT_REDIRECT_PROTOCOL
region = settings.WEBSSO_DEFAULT_REDIRECT_REGION
origin = utils.build_absolute_uri(request, '/auth/websso/')
url = ('%s/auth/OS-FEDERATION/websso/%s?origin=%s' %
(region, protocol, origin))
return shortcuts.redirect(url)
# If the user enabled websso and selects default protocol
# from the dropdown, We need to redirect user to the websso url
if request.method == 'POST':
auth_type = request.POST.get('auth_type', 'credentials')
request.session['auth_type'] = auth_type
if settings.WEBSSO_ENABLED and auth_type != 'credentials':
region_id = request.POST.get('region')
auth_url = getattr(settings, 'WEBSSO_KEYSTONE_URL', None)
if auth_url is None:
auth_url = forms.get_region_endpoint(region_id)
url = utils.get_websso_url(request, auth_url, auth_type)
return shortcuts.redirect(url)
if not request.is_ajax():
# If the user is already authenticated, redirect them to the
# dashboard straight away, unless the 'next' parameter is set as it
# usually indicates requesting access to a page that requires different
# permissions.
if (request.user.is_authenticated
and auth.REDIRECT_FIELD_NAME not in request.GET
and auth.REDIRECT_FIELD_NAME not in request.POST):
return shortcuts.redirect(settings.LOGIN_REDIRECT_URL)
# Get our initial region for the form.
initial = {}
current_region = request.session.get('region_endpoint', None)
requested_region = request.GET.get('region', None)
regions = dict(settings.AVAILABLE_REGIONS)
if requested_region in regions and requested_region != current_region:
initial.update({'region': requested_region})
if request.method == "POST":
form = functools.partial(forms.Login)
else:
form = functools.partial(forms.Login, initial=initial)
choices = settings.WEBSSO_CHOICES
reason = get_csrf_reason(request.GET.get('csrf_failure'))
logout_reason = request.COOKIES.get(
'logout_reason', '').encode('ascii').decode('unicode_escape')
logout_status = request.COOKIES.get('logout_status')
extra_context = {
'redirect_field_name': auth.REDIRECT_FIELD_NAME,
'csrf_failure': reason,
'show_sso_opts': settings.WEBSSO_ENABLED and len(choices) > 1,
'classes': {
'value': '',
'single_value': '',
'label': '',
},
'logout_reason': logout_reason,
'logout_status': logout_status,
}
if request.is_ajax():
template_name = 'auth/_login.html'
extra_context['hide'] = True
else:
template_name = 'auth/login.html'
try:
res = django_auth_views.LoginView.as_view(
template_name=template_name,
redirect_field_name=auth.REDIRECT_FIELD_NAME,
form_class=form,
extra_context=extra_context,
redirect_authenticated_user=False)(request)
except exceptions.KeystonePassExpiredException as exc:
res = django_http.HttpResponseRedirect(
reverse('password', args=[exc.user_id]))
msg = _("Your password has expired. Please set a new password.")
set_logout_reason(res, msg)
# Save the region in the cookie, this is used as the default
# selected region next time the Login form loads.
if request.method == "POST":
utils.set_response_cookie(res, 'login_region',
request.POST.get('region', ''))
utils.set_response_cookie(res, 'login_domain',
request.POST.get('domain', ''))
# Set the session data here because django's session key rotation
# will erase it if we set it earlier.
if request.user.is_authenticated:
auth_user.set_session_from_user(request, request.user)
regions = dict(forms.get_region_choices())
region = request.user.endpoint
login_region = request.POST.get('region')
region_name = regions.get(login_region)
request.session['region_endpoint'] = region
request.session['region_name'] = region_name
expiration_time = request.user.time_until_expiration()
threshold_days = settings.PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS
if (expiration_time is not None
and expiration_time.days <= threshold_days
and expiration_time > datetime.timedelta(0)):
expiration_time = str(expiration_time).rsplit(':', 1)[0]
msg = (_('Please consider changing your password, it will expire'
' in %s minutes') % expiration_time).replace(
':', ' Hours and ')
messages.warning(request, msg)
return res
def set_user_admin_token(request):
"""
Via admin account login again when admin token is expired.
"""
from keystoneclient.v2_0 import client as keystone_client
from keystoneclient import exceptions as keystone_exceptions
from keystoneclient.v2_0.tokens import Token, TokenManager
from openstack_auth.exceptions import KeystoneAuthException
from openstack_auth.utils import is_ans1_token
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
endpoint = request.user.endpoint
try:
password = getattr(settings, 'OPENSTACK_ADMIN_TOKEN', 'admin')
client = keystone_client.Client(username=u'admin',
password=password,
tenant_id='',
auth_url=endpoint,
insecure=insecure)
unscoped_token_data = {"token": client.service_catalog.get_token()}
unscoped_token = Token(TokenManager(None),
unscoped_token_data,
loaded=True)
except (keystone_exceptions.Unauthorized, keystone_exceptions.Forbidden,
keystone_exceptions.NotFound) as exc:
msg = _('Invalid user name or password.')
LOG.debug(exc.message)
raise KeystoneAuthException(msg)
except (keystone_exceptions.ClientException,
keystone_exceptions.AuthorizationFailure) as exc:
msg = _("An error occurred authenticating. " "Please try again later.")
LOG.debug(exc.message)
raise KeystoneAuthException(msg)
# FIXME: Log in to default tenant when the Keystone API returns it...
# For now we list all the user's tenants and iterate through.
try:
tenants = client.tenants.list()
except (keystone_exceptions.ClientException,
keystone_exceptions.AuthorizationFailure):
msg = _('Unable to retrieve authorized projects.')
raise KeystoneAuthException(msg)
# Abort if there are no tenants for this user
if not tenants:
msg = _('You are not authorized for any projects.')
raise KeystoneAuthException(msg)
while tenants:
tenant = tenants.pop()
try:
token = api.token_create_scoped(request, tenant.id,
unscoped_token.id)
break
except (keystone_exceptions.ClientException,
keystone_exceptions.AuthorizationFailure):
token = None
if token is None:
msg = _("Unable to authenticate to any available projects.")
raise KeystoneAuthException(msg)
# If we made it here we succeeded. Create our User!
user = create_user_from_token(request, token, endpoint)
if request is not None:
if is_ans1_token(unscoped_token.id):
hashed_token = hashlib.md5(unscoped_token.id).hexdigest()
unscoped_token._info['token']['id'] = hashed_token
request.session['unscoped_token'] = unscoped_token.id
request.user = user
set_session_from_user(request, request.user)
return user
