def on_get(self, req, resp, token_id):
token = identity.token_id_driver().token_from_id(token_id)
identity.token_driver().validate_access(token, tenant_id=req.get_param("belongsTo"))
access = get_access(token_id, token)
resp.status = 200
resp.body = {"access": access}
def on_post(self, req, resp):
body = req.stream.read().decode()
credentials = json.loads(body)
tokens = identity.token_driver()
auth = identity.auth_driver().authenticate(credentials)
if auth is None:
raise exceptions.Unauthorized('Unauthorized credentials')
token = tokens.create_token(credentials, auth)
tok_id = identity.token_id_driver().create_token_id(token)
access = get_access(tok_id, token)
# Add catalog to the access data
raw_catalog = self._get_catalog(tokens.tenant_id(token),
tokens.user_id(token))
catalog = []
for services in raw_catalog.values():
for service_type, service in services.items():
d = {
'type': service_type,
'name': service.get('name', 'Unknown'),
'endpoints': [{
'region': service.get('region', 'RegionOne'),
'publicURL': service.get('publicURL'),
'privateURL': service.get('privateURL'),
'adminURL': service.get('adminURL'),
}],
'endpoint_links': [],
}
catalog.append(d)
access['serviceCatalog'] = catalog
resp.status = 200
resp.body = {'access': access}
def on_get(self, req, resp):
toks = [req.get_header('X-Auth-Token'), # the token who sent request
req.get_header('X-Subject-Token')] # the token to be validated
token_id_driver = identity.token_id_driver()
tokens = identity.token_driver()
validated_tokens = []
for token_id in toks:
token = token_id_driver.token_from_id(token_id)
tokens.validate_token(token)
validated_tokens.append(token)
access = get_access_v3(toks[1], validated_tokens[1],
tokens.user_id(validated_tokens[1]),
tokens.username(validated_tokens[1]))
if 'nocatalog' not in req.query_string:
# Add catalog to the access data
catalog = self._build_catalog(validated_tokens[1],
tokens.user_id(validated_tokens[1]))
access['token']['catalog'] = catalog
resp.status = 200
resp.set_header('X-Auth-Token', toks[0])
resp.set_header('X-Subject-Token', toks[1])
# V2 APIs return the body in 'access' keypair but V3 APIs do not
# resp.body = {'access': access}
resp.body = access
def authenticate(self, creds):
username = utils.lookup(creds,'auth','passwordCredentials','username')
credential = utils.lookup(creds,'auth','passwordCredentials','password')
token_id = utils.lookup(creds, 'auth', 'token', 'id')
token_driver = identity.token_driver()
token_auth = None
# If token_id exists, get UID/Password associated w/ this token.
if token_id:
token = identity.token_id_driver().token_from_id(token_id)
token_driver.validate_token(token)
username = token_driver.username(token)
credential = token_driver.credential(token)
token_auth = token['auth_type'] == 'token'
headers = {"Accept": "application/json", "Content-Type": "application/json"}
auth = (username, credential)
resp = requests.get("https://cloud.skytap.com/users", headers=headers, auth=auth)
if resp.status_code == 200:
payload = json.loads(resp.text)
user_id = utils.lookup(payload[0], 'id')
auth_type = "token" if token_auth else "api_key"
sys.stderr.write("auth_type: %s" % auth_type)
return {'user': {"id": user_id, "username": username, "accountId": user_id}, 'credential': credential, 'auth_type': auth_type}
return None
def authenticate(self, creds):
username = lookup(creds, 'auth', 'passwordCredentials',
'username')
credential = lookup(creds, 'auth', 'passwordCredentials',
'password')
token_id = lookup(creds, 'auth', 'token', 'id')
token_auth = None
if token_id:
token = identity.token_id_driver().token_from_id(token_id)
token_driver = identity.token_driver()
token_driver.validate_token(token)
username = token_driver.username(token)
credential = token_driver.credential(token)
token_auth = token['auth_type'] == 'token'
def assert_tenant(user):
tenant = lookup(creds, 'auth', 'tenantId') or lookup(creds,
'auth',
'tenantName')
if tenant and str(user['accountId']) != tenant:
raise Unauthorized('Invalid username, password or tenant id')
# If the 'password' is the right length, treat it as an API api_key
if len(credential) == 64:
client = Client(username=username, api_key=credential,
endpoint_url=cfg.CONF['softlayer']['endpoint'],
proxy=cfg.CONF['softlayer']['proxy'])
user = client['Account'].getCurrentUser(mask=USER_MASK)
assert_tenant(user)
return {'user': user, 'credential': credential,
'auth_type': 'api_key'}
else:
client = Client(endpoint_url=cfg.CONF['softlayer']['endpoint'],
proxy=cfg.CONF['softlayer']['proxy'])
client.auth = None
try:
if token_auth:
client.auth = TokenAuthentication(token['user_id'],
credential)
else:
userId, tokenHash = client.\
authenticate_with_password(username, credential)
user = client['Account'].getCurrentUser(mask=USER_MASK)
assert_tenant(user)
if token_auth:
tokenHash = credential
return {'user': user, 'credential': tokenHash,
'auth_type': 'token'}
except SoftLayerAPIError as e:
if (e.faultCode == "SoftLayer_Exception_User_Customer"
"_LoginFailed"):
raise Unauthorized(e.faultString)
raise
def on_get(self, req, resp, token_id):
token = identity.token_id_driver().token_from_id(token_id)
identity.token_driver().validate_access(token, tenant_id=req.get_param(
'belongsTo'))
access = get_access(token_id, token)
# Add catalog to the access data
self._add_catalog_to_access(access, token)
resp.status = 200
resp.body = {'access': access}
def get_token_details(token, tenant_id=None):
try:
token_id_driver = identity.token_id_driver()
token_details = token_id_driver.token_from_id(token)
except (TypeError, ValueError):
raise exceptions.Unauthorized('Invalid Key')
if time.time() > token_details['expires']:
raise exceptions.Unauthorized('Expired Key')
if tenant_id and str(token_details['tenant_id']) != tenant_id:
raise exceptions.Unauthorized('Tenant/token Mismatch')
return token_details
def on_post(self, req, resp):
body = req.stream.read().decode()
credentials = json.loads(body)
tokens = identity.token_driver()
auth = identity.auth_driver().authenticate(credentials)
if auth is None:
raise exceptions.Unauthorized('Unauthorized credentials')
token = tokens.create_token(credentials, auth)
tok_id = identity.token_id_driver().create_token_id(token)
access = get_access(tok_id, token)
# Add catalog to the access data
self._add_catalog_to_access(access, token)
resp.status = 200
resp.body = {'access': access}
def authenticate(self, creds):
username = lookup(creds, 'auth', 'passwordCredentials',
'username')
credential = lookup(creds, 'auth', 'passwordCredentials',
'password')
token_id = lookup(creds, 'auth', 'token', 'id')
if token_id:
token = identity.token_id_driver().token_from_id(token_id)
token_driver = identity.token_driver()
token_driver.validate_token(token)
username = token_driver.username(token)
credential = token_driver.credential(token)
def assert_tenant(user):
tenant = lookup(creds, 'auth', 'tenantId') or lookup(creds,
'auth',
'tenantName')
if tenant and str(user['accountId']) != tenant:
raise Unauthorized('Invalid username, password or tenant id')
# If the 'password' is the right length, treat it as an API api_key
if len(credential) == 64:
client = Client(username=username, api_key=credential,
endpoint_url=cfg.CONF['softlayer']['endpoint'],
proxy=cfg.CONF['softlayer']['proxy'])
user = client['Account'].getCurrentUser(mask=USER_MASK)
assert_tenant(user)
return {'user': user, 'credential': credential,
'auth_type': 'api_key'}
else:
client = Client(endpoint_url=cfg.CONF['softlayer']['endpoint'],
proxy=cfg.CONF['softlayer']['proxy'])
client.auth = None
try:
userId, tokenHash = client.\
authenticate_with_password(username, credential)
user = client['Account'].getCurrentUser(mask=USER_MASK)
assert_tenant(user)
return {'user': user, 'credential': tokenHash,
'auth_type': 'token'}
except SoftLayerAPIError as e:
if (e.faultCode == "SoftLayer_Exception_User_Customer"
"_LoginFailed"):
raise Unauthorized(e.faultString)
raise
def on_get(self, req, resp, token_id):
tokens = identity.token_driver()
token = identity.token_id_driver().token_from_id(token_id)
identity.token_driver().validate_token(token)
raw_endpoints = self._get_catalog(tokens.tenant_id(token), tokens.user_id(token))
endpoints = []
for services in raw_endpoints.values():
for service_type, service in services.items():
d = {
"adminURL": service.get("adminURL"),
"name": service.get("name", "Unknown"),
"publicURL": service.get("publicURL"),
"privateURL": service.get("privateURL"),
"region": service.get("region", "RegionOne"),
"tenantId": tokens.tenant_id(token),
"type": service_type,
}
endpoints.append(d)
resp.status = 200
resp.body = {"endpoints": endpoints, "endpoints_links": []}
def on_get(self, req, resp):
token_id = req.headers.get('X-AUTH-TOKEN', None)
tokens = identity.token_driver()
token = identity.token_id_driver().token_from_id(token_id)
identity.token_driver().validate_token(token)
raw_endpoints = self._get_catalog(tokens.tenant_id(token), tokens.user_id(token))
endpoints = []
for services in raw_endpoints.values():
for service_type, service in services.items():
d = {
'adminURL': service.get('adminURL'),
'name': service.get('name', 'Unknown'),
'publicURL': service.get('publicURL'),
'privateURL': service.get('privateURL'),
'region': service.get('region', 'RegionOne'),
'tenantId': tokens.tenant_id(token),
'type': service_type,
}
endpoints.append(d)
resp.status = 200
resp.body = {'endpoints': endpoints, 'endpoints_links': []}
def validate_token(req, resp, kwargs):
tenant_id = req.env.get('tenant_id', None)
token = req.headers.get('X-AUTH-TOKEN', None)
if (req.env.get('REMOTE_USER', None) is not None or
req.env.get('is_admin', False) or
req.env.get('auth', None) is not None):
# upstream authentication
return
if token is not None:
if tenant_id is None:
tenant_id = kwargs.get('tenant_id',
req.headers.get('X-AUTH-PROJECT-ID'))
req.env['tenant_id'] = tenant_id
LOG.debug("Authenticating request token '%s'" % (token))
identity.validate_token_id(token, tenant_id=tenant_id)
req.env['auth'] = identity.token_id_driver().token_from_id(token)
elif protected("%s:%s" % (req.method, req.path)):
raise exceptions.Unauthorized('Authentication token required')
def on_get(self, req, resp, token_id):
tokens = identity.token_driver()
token = identity.token_id_driver().token_from_id(token_id)
identity.token_driver().validate_token(token)
raw_endpoints = self._get_catalog(tokens.tenant_id(token),
tokens.user_id(token))
endpoints = []
for services in raw_endpoints.values():
for service_type, service in services.items():
d = {
'adminURL': service.get('adminURL'),
'name': service.get('name', 'Unknown'),
'publicURL': service.get('publicURL'),
'privateURL': service.get('privateURL'),
'region': service.get('region', 'RegionOne'),
'tenantId': tokens.tenant_id(token),
'type': service_type,
}
endpoints.append(d)
resp.status = 200
resp.body = {'endpoints': endpoints, 'endpoints_links': []}
def validate_token(req, resp, kwargs):
tenant_id = req.env.get('tenant_id', None)
token = req.headers.get('X-AUTH-TOKEN', None)
if (req.env.get('REMOTE_USER', None) is not None
or req.env.get('is_admin', False)
or req.env.get('auth', None) is not None):
# upstream authentication
return
if token is not None:
if tenant_id is None:
tenant_id = kwargs.get('tenant_id',
req.headers.get('X-AUTH-PROJECT-ID'))
req.env['tenant_id'] = tenant_id
LOG.debug("Authenticating request token '%s'" % (token))
identity.validate_token_id(token, tenant_id=tenant_id)
req.env['auth'] = identity.token_id_driver().token_from_id(token)
elif protected("%s:%s" % (req.method, req.path)):
raise exceptions.Unauthorized('Authentication token required')
def authenticate(self, creds):
username = lookup(creds, "auth", "passwordCredentials", "username")
credential = lookup(creds, "auth", "passwordCredentials", "password")
token_id = lookup(creds, "auth", "token", "id")
if token_id:
token = identity.token_id_driver().token_from_id(token_id)
token_driver = identity.token_driver()
token_driver.validate_token(token)
username = token_driver.username(token)
credential = token_driver.credential(token)
def assert_tenant(user):
tenant = lookup(creds, "auth", "tenantId") or lookup(creds, "auth", "tenantName")
if tenant and str(user["accountId"]) != tenant:
raise Unauthorized("Invalid username, password or tenant id")
# If the 'password' is the right length, treat it as an API api_key
if len(credential) == 64:
client = Client(
username=username,
api_key=credential,
endpoint_url=cfg.CONF["softlayer"]["endpoint"],
proxy=cfg.CONF["softlayer"]["proxy"],
)
user = client["Account"].getCurrentUser(mask=USER_MASK)
assert_tenant(user)
return {"user": user, "credential": credential, "auth_type": "api_key"}
else:
client = Client(endpoint_url=cfg.CONF["softlayer"]["endpoint"], proxy=cfg.CONF["softlayer"]["proxy"])
client.auth = None
try:
userId, tokenHash = client.authenticate_with_password(username, credential)
user = client["Account"].getCurrentUser(mask=USER_MASK)
assert_tenant(user)
return {"user": user, "credential": tokenHash, "auth_type": "token"}
except SoftLayerAPIError as e:
if e.faultCode == "SoftLayer_Exception_User_Customer" "_LoginFailed":
raise Unauthorized(e.faultString)
raise
def on_post(self, req, resp):
body = req.stream.read().decode()
credentials = json.loads(body)
tokens = identity.token_driver()
auth = identity.auth_driver().authenticate(credentials)
if auth is None:
raise Unauthorized('Unauthorized credentials')
token = tokens.create_token(credentials, auth)
tok_id = identity.token_id_driver().create_token_id(token)
access = get_access(tok_id, token)
# Add catalog to the access data
raw_catalog = self._get_catalog(tokens.tenant_id(token),
tokens.user_id(token))
catalog = []
for services in raw_catalog.values():
for service_type, service in services.items():
d = {
'type':
service_type,
'name':
service.get('name', 'Unknown'),
'endpoints': [{
'region': service.get('region', 'RegionOne'),
'publicURL': service.get('publicURL'),
'privateURL': service.get('privateURL'),
'adminURL': service.get('adminURL'),
}],
'endpoint_links': [],
}
catalog.append(d)
access['serviceCatalog'] = catalog
resp.status = 200
resp.body = {'access': access}
def on_post(self, req, resp):
body = req.stream.read().decode()
credentials = json.loads(body)
tokens = identity.token_driver()
auth = identity.auth_driver().authenticate(credentials)
if auth is None:
raise Unauthorized("Unauthorized credentials")
token = tokens.create_token(credentials, auth)
tok_id = identity.token_id_driver().create_token_id(token)
access = get_access(tok_id, token)
# Add catalog to the access data
raw_catalog = self._get_catalog(tokens.tenant_id(token), tokens.user_id(token))
catalog = []
for services in raw_catalog.values():
for service_type, service in services.items():
d = {
"type": service_type,
"name": service.get("name", "Unknown"),
"endpoints": [
{
"region": service.get("region", "RegionOne"),
"publicURL": service.get("publicURL"),
"privateURL": service.get("privateURL"),
"adminURL": service.get("adminURL"),
}
],
"endpoint_links": [],
}
catalog.append(d)
access["serviceCatalog"] = catalog
resp.status = 200
resp.body = {"access": access}
def get_new_token_v3(credentials):
token_driver = identity.token_driver()
token_id = utils.lookup(credentials, 'auth', 'identity', 'token', 'id')
if token_id:
token = identity.token_id_driver().token_from_id(token_id)
LOG.debug("token details are: %s", str(token))
token_driver.validate_token(token)
username = token_driver.username(token)
credential = token_driver.credential(token)
userinfo = {'username': username,
'auth_type': str(token['auth_type']),
'tenant_id': str(token['tenant_id']),
'expires': token['expires']}
if token['auth_type'] == 'token':
userinfo['tokenHash'] = credential
if token['auth_type'] == 'api_key':
userinfo['api_key'] = credential
user = {'id': token['user_id'],
'username': username,
'accountId': token['tenant_id']}
return userinfo, user
username = utils.lookup(credentials,
'auth',
'passwordCredentials',
'username')
credential = utils.lookup(credentials,
'auth',
'passwordCredentials',
'password')
# If the 'password' is the right length, treat it as an API api_key
if len(credential) == 64:
endpoint = cfg.CONF['softlayer']['endpoint']
client = SoftLayer.Client(username=username,
api_key=credential,
endpoint_url=endpoint,
proxy=cfg.CONF['softlayer']['proxy'])
user = client['Account'].getCurrentUser(mask=USER_MASK)
username = token_driver.username(user)
return {'username': username,
'api_key': credential,
'auth_type': 'api_key',
'tenant_id': str(user['accountId']),
'expires': time.time() + (60 * 60 * 24)}, user
else:
endpoint = cfg.CONF['softlayer']['endpoint']
client = SoftLayer.Client(endpoint_url=endpoint,
proxy=cfg.CONF['softlayer']['proxy'])
client.auth = None
try:
userId, tokenHash = client.authenticate_with_password(username,
credential)
user = client['Account'].getCurrentUser(mask=USER_MASK)
username = token_driver.username(user)
return {'userId': userId,
'username': username,
'tokenHash': tokenHash,
'auth_type': 'token',
'tenant_id': str(user['accountId']),
'expires': time.time() + (60 * 60 * 24)}, user
except SoftLayer.SoftLayerAPIError as e:
if e.faultCode == 'SoftLayer_Exception_User_Customer_LoginFailed':
raise exceptions.Unauthorized(e.faultString)
raise
def authenticate(self, creds):
username = utils.lookup(creds, 'auth', 'passwordCredentials',
'username')
credential = utils.lookup(creds, 'auth', 'passwordCredentials',
'password')
token_id = utils.lookup(creds, 'auth', 'token', 'id')
token_driver = identity.token_driver()
token_auth = None
if token_id:
token = identity.token_id_driver().token_from_id(token_id)
token_driver.validate_token(token)
username = token_driver.username(token)
credential = token_driver.credential(token)
token_auth = token['auth_type'] == 'token'
def assert_tenant(user):
tenant = (utils.lookup(creds, 'auth', 'tenantId')
or utils.lookup(creds, 'auth', 'tenantName'))
if tenant and str(user['accountId']) != tenant:
raise exceptions.Unauthorized(
'Invalid username, password or tenant id')
endpoint = config.PARSER.get('softlayer', 'endpoint')
proxy = config.PARSER.get('softlayer', 'proxy')
# If the 'password' is the right length, treat it as an API api_key
if len(credential) == 64:
client = SoftLayer.Client(username=username,
api_key=credential,
endpoint_url=endpoint,
proxy=proxy)
user = client['Account'].getCurrentUser(mask=USER_MASK)
assert_tenant(user)
return {
'user': user,
'credential': credential,
'auth_type': 'api_key'
}
else:
client = SoftLayer.Client(endpoint_url=endpoint, proxy=proxy)
client.auth = None
try:
if token_auth:
client.auth = SoftLayer.TokenAuthentication(
token['user_id'], credential)
else:
userId, tokenHash = (client.authenticate_with_password(
username, credential))
user = client['Account'].getCurrentUser(mask=USER_MASK)
assert_tenant(user)
if token_auth:
tokenHash = credential
return {
'user': user,
'credential': tokenHash,
'auth_type': 'token'
}
except SoftLayer.SoftLayerAPIError as e:
if (e.faultCode == "SoftLayer_Exception_User_Customer"
"_LoginFailed"):
raise exceptions.Unauthorized(e.faultString)
raise