def _authenticate_external(self, context, auth):
"""Try to authenticate an external user via REMOTE_USER variable.
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if "REMOTE_USER" not in context:
raise ExternalAuthNotApplicable()
username = context["REMOTE_USER"]
try:
user_ref = self.identity_api.get_user_by_name(context=context, user_name=username)
user_id = user_ref["id"]
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
tenant_id = self._get_project_id_from_auth(context, auth)
tenant_ref = self._get_project_ref(context, user_id, tenant_id)
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
self._append_roles(metadata_ref, self._get_group_metadata_ref(context, user_id, tenant_id))
self._append_roles(metadata_ref, self._get_domain_metadata_ref(context, user_id, tenant_id))
expiry = core.default_expire_time()
auth_token_data = self._get_auth_token_data(user_ref, tenant_ref, metadata_ref, expiry)
return auth_token_data, (user_ref, tenant_ref, metadata_ref)
def _authenticate_external(self, context, auth):
"""Try to authenticate an external user via REMOTE_USER variable.
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if 'REMOTE_USER' not in context.get('environment', {}):
raise ExternalAuthNotApplicable()
# NOTE(jamielennox): xml and json differ and get confused about what
# empty auth should look like so just reset it.
if not auth:
auth = {}
username = context['environment']['REMOTE_USER']
try:
user_ref = self.identity_api.get_user_by_name(
username, CONF.identity.default_domain_id)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
metadata_ref = {}
tenant_id = self._get_project_id_from_auth(auth)
tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
user_id, tenant_id)
expiry = core.default_expire_time()
bind = None
if ('kerberos' in CONF.token.bind and
context['environment'].
get('AUTH_TYPE', '').lower() == 'negotiate'):
bind = {'kerberos': username}
return (user_ref, tenant_ref, metadata_ref, expiry, bind)
def _authenticate_external(self, context, auth):
"""Try to authenticate an external user via REMOTE_USER variable.
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if 'REMOTE_USER' not in context.get('environment', {}):
raise ExternalAuthNotApplicable()
#NOTE(jamielennox): xml and json differ and get confused about what
# empty auth should look like so just reset it.
if not auth:
auth = {}
username = context['environment']['REMOTE_USER']
try:
user_ref = self.identity_api.get_user_by_name(
username, CONF.identity.default_domain_id)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
metadata_ref = {}
tenant_id = self._get_project_id_from_auth(auth)
tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
user_id, tenant_id)
expiry = core.default_expire_time()
bind = None
if ('kerberos' in CONF.token.bind and context['environment'].get(
'AUTH_TYPE', '').lower() == 'negotiate'):
bind = {'kerberos': username}
return (user_ref, tenant_ref, metadata_ref, expiry, bind)
def _authenticate_external(self, context, auth):
"""Try to authenticate an external user via REMOTE_USER variable.
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if "REMOTE_USER" not in context.get("environment", {}):
raise ExternalAuthNotApplicable()
# NOTE(jamielennox): xml and json differ and get confused about what
# empty auth should look like so just reset it.
if not auth:
auth = {}
username = context["environment"]["REMOTE_USER"]
try:
user_ref = self.identity_api.get_user_by_name(username, DEFAULT_DOMAIN_ID)
user_id = user_ref["id"]
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
metadata_ref = {}
tenant_id = self._get_project_id_from_auth(auth)
tenant_ref, metadata_ref["roles"] = self._get_project_roles_and_ref(user_id, tenant_id)
expiry = core.default_expire_time()
bind = None
if "kerberos" in CONF.token.bind and context["environment"].get("AUTH_TYPE", "").lower() == "negotiate":
bind = {"kerberos": username}
return (user_ref, tenant_ref, metadata_ref, expiry, bind)
def _authenticate_external(self, context, auth):
"""Try to authenticate an external user via REMOTE_USER variable.
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if 'REMOTE_USER' not in context:
raise ExternalAuthNotApplicable()
username = context['REMOTE_USER']
try:
user_ref = self.identity_api.get_user_by_name(
context=context, user_name=username,
domain_id=DEFAULT_DOMAIN_ID)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
tenant_id = self._get_project_id_from_auth(context, auth)
tenant_ref = self._get_project_ref(context, user_id, tenant_id)
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
# TODO (henry-nash) If no tenant was specified, instead check
# for a domain and find any related user/group roles
self._append_roles(metadata_ref,
self._get_group_metadata_ref(
context, user_id, tenant_id))
expiry = core.default_expire_time()
return (user_ref, tenant_ref, metadata_ref, expiry)
def _authenticate_external(self, context, auth):
"""Try to authenticate an external user via REMOTE_USER variable.
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if 'REMOTE_USER' not in context:
raise ExternalAuthNotApplicable()
username = context['REMOTE_USER']
try:
user_ref = self.identity_api.get_user_by_name(
context=context,
user_name=username,
domain_id=DEFAULT_DOMAIN_ID)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
tenant_id = self._get_project_id_from_auth(context, auth)
tenant_ref = self._get_project_ref(context, user_id, tenant_id)
metadata_ref = self._get_metadata_ref(context, user_id, tenant_id)
# TODO (henry-nash) If no tenant was specified, instead check
# for a domain and find any related user/group roles
self._append_roles(
metadata_ref,
self._get_group_metadata_ref(context, user_id, tenant_id))
expiry = core.default_expire_time()
return (user_ref, tenant_ref, metadata_ref, expiry)
def authenticate(self, context, accesskey=None):
if 'accessKeyCredentials' not in accesskey:
raise exception.Unauthorized(
message='Invalid access key authentication request')
user_ref = self._get_user(accesskey)
user_ref = {
'default_project_id': user_ref.get('default_project_id'),
'domain_id': user_ref.get('domain_id'),
'enabled': user_ref.get('enabled'),
'id': user_ref.get('id'),
'name': user_ref.get('name'),
'email': user_ref.get('email')
}
user_ref = self.v3_to_v2_user(user_ref)
tenant_ref = {}
metadata_ref = {}
roles_ref = {}
catalog_ref = {}
expiry = core.default_expire_time()
bind = None
'''tenant_ref = self.assignment_api.get_project(creds_ref['tenant_id'])
user_ref = self.identity_api.get_user(creds_ref['user_id'])
metadata_ref = {}
metadata_ref['roles'] = (
self.assignment_api.get_roles_for_user_and_project(
user_ref['id'], tenant_ref['id']))
trust_id = creds_ref.get('trust_id')
if trust_id:
metadata_ref['trust_id'] = trust_id
metadata_ref['trustee_user_id'] = user_ref['id']
roles = metadata_ref.get('roles', [])
if not roles:
raise exception.Unauthorized(message='User not valid for tenant.')
roles_ref = [self.assignment_api.get_role(role_id)
for role_id in roles]
catalog_ref = self.catalog_api.get_catalog(
user_ref['id'], tenant_ref['id'], metadata_ref)
# NOTE(morganfainberg): Make sure the data is in correct form since it
# might be consumed external to Keystone and this is a v2.0 controller.
# The token provider does not explicitly care about user_ref version
# in this case, but the data is stored in the token itself and should
# match the version'''
user_ref = self.v3_to_v2_user(user_ref)
auth_token_data = dict(user=user_ref,
tenant=tenant_ref,
metadata=metadata_ref,
id='placeholder')
(token_id, token_data) = self.token_provider_api.issue_v2_token(
auth_token_data, roles_ref, catalog_ref)
return token_data
def _authenticate_local(self, context, auth):
"""Try to authenticate against the identity backend.
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if 'passwordCredentials' not in auth:
raise exception.ValidationError(
attribute='passwordCredentials', target='auth')
if "password" not in auth['passwordCredentials']:
raise exception.ValidationError(
attribute='password', target='passwordCredentials')
password = auth['passwordCredentials']['password']
if ("userId" not in auth['passwordCredentials'] and
"username" not in auth['passwordCredentials']):
raise exception.ValidationError(
attribute='username or userId',
target='passwordCredentials')
user_id = auth['passwordCredentials'].get('userId', None)
username = auth['passwordCredentials'].get('username', '')
if username:
try:
user_ref = self.identity_api.get_user_by_name(
context=context, user_name=username)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
tenant_id = self._get_tenant_id_from_auth(context, auth)
try:
auth_info = self.identity_api.authenticate(
context=context,
user_id=user_id,
password=password,
tenant_id=tenant_id)
except AssertionError as e:
raise exception.Unauthorized(e)
(user_ref, tenant_ref, metadata_ref) = auth_info
self._append_roles(metadata_ref,
self._get_group_metadata_ref(
context, user_id, tenant_id))
self._append_roles(metadata_ref,
self._get_domain_metadata_ref(
context, user_id, tenant_id))
expiry = core.default_expire_time()
auth_token_data = self._get_auth_token_data(user_ref,
tenant_ref,
metadata_ref,
expiry)
return auth_token_data, (user_ref, tenant_ref, metadata_ref)
def _authenticate_local(self, context, auth):
"""Try to authenticate against the identity backend.
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if 'passwordCredentials' not in auth:
raise exception.ValidationError(
attribute='passwordCredentials', target='auth')
if "password" not in auth['passwordCredentials']:
raise exception.ValidationError(
attribute='password', target='passwordCredentials')
password = auth['passwordCredentials']['password']
max_pw_size = utils.MAX_PASSWORD_LENGTH
if password and len(password) > max_pw_size:
raise exception.ValidationSizeError(attribute='password',
size=max_pw_size)
if ("userId" not in auth['passwordCredentials'] and
"username" not in auth['passwordCredentials']):
raise exception.ValidationError(
attribute='username or userId',
target='passwordCredentials')
user_id = auth['passwordCredentials'].get('userId', None)
if user_id and len(user_id) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute='userId',
size=CONF.max_param_size)
username = auth['passwordCredentials'].get('username', '')
if len(username) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute='username',
size=CONF.max_param_size)
if username:
try:
user_ref = self.identity_api.get_user_by_name(
username, DEFAULT_DOMAIN_ID)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
try:
user_ref = self.identity_api.authenticate(
user_id=user_id,
password=password)
except AssertionError as e:
raise exception.Unauthorized(e)
metadata_ref = {}
tenant_id = self._get_project_id_from_auth(auth)
tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
user_id, tenant_id)
expiry = core.default_expire_time()
return (user_ref, tenant_ref, metadata_ref, expiry, None)
def _authenticate_local(self, context, auth):
"""Try to authenticate against the identity backend.
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if "passwordCredentials" not in auth:
raise exception.ValidationError(attribute="passwordCredentials", target="auth")
if "password" not in auth["passwordCredentials"]:
raise exception.ValidationError(attribute="password", target="passwordCredentials")
password = auth["passwordCredentials"]["password"]
max_pw_size = utils.MAX_PASSWORD_LENGTH
if password and len(password) > max_pw_size:
raise exception.ValidationSizeError(attribute="password", size=max_pw_size)
if "userId" not in auth["passwordCredentials"] and "username" not in auth["passwordCredentials"]:
raise exception.ValidationError(attribute="username or userId", target="passwordCredentials")
user_id = auth["passwordCredentials"].get("userId", None)
if user_id and len(user_id) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute="userId", size=CONF.max_param_size)
username = auth["passwordCredentials"].get("username", "")
if len(username) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute="username", size=CONF.max_param_size)
if username:
try:
user_ref = self.identity_api.get_user_by_name(
context=context, user_name=username, domain_id=DEFAULT_DOMAIN_ID
)
user_id = user_ref["id"]
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
tenant_id = self._get_project_id_from_auth(context, auth)
try:
auth_info = self.identity_api.authenticate(
context=context, user_id=user_id, password=password, tenant_id=tenant_id
)
except AssertionError as e:
raise exception.Unauthorized(e)
(user_ref, tenant_ref, metadata_ref) = auth_info
# By now we will have authorized and if a tenant/project was
# specified, we will have obtained its metadata. In this case
# we just need to add in any group roles.
#
# TODO (henry-nash) If no tenant was specified, instead check
# for a domain and find any related user/group roles
self._append_roles(metadata_ref, self._get_group_metadata_ref(context, user_id, tenant_id))
expiry = core.default_expire_time()
return (user_ref, tenant_ref, metadata_ref, expiry)
def _authenticate_local(self, context, auth):
"""Try to authenticate against the identity backend.
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if 'passwordCredentials' not in auth:
raise exception.ValidationError(
attribute='passwordCredentials', target='auth')
if "password" not in auth['passwordCredentials']:
raise exception.ValidationError(
attribute='password', target='passwordCredentials')
password = auth['passwordCredentials']['password']
if password and len(password) > CONF.identity.max_password_length:
raise exception.ValidationSizeError(
attribute='password', size=CONF.identity.max_password_length)
if ("userId" not in auth['passwordCredentials'] and
"username" not in auth['passwordCredentials']):
raise exception.ValidationError(
attribute='username or userId',
target='passwordCredentials')
user_id = auth['passwordCredentials'].get('userId')
if user_id and len(user_id) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute='userId',
size=CONF.max_param_size)
username = auth['passwordCredentials'].get('username', '')
if len(username) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute='username',
size=CONF.max_param_size)
if username:
try:
user_ref = self.identity_api.get_user_by_name(
username, CONF.identity.default_domain_id)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
try:
user_ref = self.identity_api.authenticate(
context,
user_id=user_id,
password=password)
except AssertionError as e:
raise exception.Unauthorized(e.args[0])
metadata_ref = {}
tenant_id = self._get_project_id_from_auth(auth)
tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
user_id, tenant_id)
expiry = core.default_expire_time()
return (user_ref, tenant_ref, metadata_ref, expiry, None)
def _authenticate_ak(self, context, auth):
if 'accessKeyCredentials' not in auth:
raise exception.ValidationError(
attribute='accessKeyCredentials', target='auth')
if "accessKey" not in auth['accessKeyCredentials']:
raise exception.ValidationError(
attribute='password', target='passwordCredentials')
access_key = auth['accessKeyCredentials']['accessKey']
#TODO: ATHEENDRA
#if access_key and len(access_key) > CONF.identity.max_password_length:
# raise exception.ValidationSizeError(
# attribute='accessKey', size=CONF.identity.max_password_length)
if ("userId" not in auth['accessKeyCredentials'] and
"username" not in auth['accessKeyCredentials']):
raise exception.ValidationError(
attribute='username or userId',
target='accessKeyCredentials')
user_id = auth['accessKeyCredentials'].get('userId')
if user_id and len(user_id) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute='userId',
size=CONF.max_param_size)
username = auth['accessKeyCredentials'].get('username', '')
if len(username) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute='username',
size=CONF.max_param_size)
if username:
try:
user_ref = self.identity_api.get_user_by_name(
username, CONF.identity.default_domain_id)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
try:
user_ref = self.identity_api.authenticate_ak(
context,
user_id=user_id,
access_key=access_key)
except AssertionError as e:
raise exception.Unauthorized(e.args[0])
metadata_ref = {}
tenant_id = self._get_project_id_from_auth(auth)
tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
user_id, tenant_id)
expiry = core.default_expire_time()
return (user_ref, tenant_ref, metadata_ref, expiry, None)
def _authenticate_ak(self, context, auth):
if 'accessKeyCredentials' not in auth:
raise exception.ValidationError(attribute='accessKeyCredentials',
target='auth')
if "accessKey" not in auth['accessKeyCredentials']:
raise exception.ValidationError(attribute='password',
target='passwordCredentials')
access_key = auth['accessKeyCredentials']['accessKey']
#TODO: ATHEENDRA
#if access_key and len(access_key) > CONF.identity.max_password_length:
# raise exception.ValidationSizeError(
# attribute='accessKey', size=CONF.identity.max_password_length)
if ("userId" not in auth['accessKeyCredentials']
and "username" not in auth['accessKeyCredentials']):
raise exception.ValidationError(attribute='username or userId',
target='accessKeyCredentials')
user_id = auth['accessKeyCredentials'].get('userId')
if user_id and len(user_id) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute='userId',
size=CONF.max_param_size)
username = auth['accessKeyCredentials'].get('username', '')
if len(username) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute='username',
size=CONF.max_param_size)
if username:
try:
user_ref = self.identity_api.get_user_by_name(
username, CONF.identity.default_domain_id)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
try:
user_ref = self.identity_api.authenticate_ak(context,
user_id=user_id,
access_key=access_key)
except AssertionError as e:
raise exception.Unauthorized(e.args[0])
metadata_ref = {}
tenant_id = self._get_project_id_from_auth(auth)
tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
user_id, tenant_id)
expiry = core.default_expire_time()
return (user_ref, tenant_ref, metadata_ref, expiry, None)
def _authenticate_local(self, context, auth):
"""Try to authenticate against the identity backend.
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if "passwordCredentials" not in auth:
raise exception.ValidationError(attribute="passwordCredentials", target="auth")
if "password" not in auth["passwordCredentials"]:
raise exception.ValidationError(attribute="password", target="passwordCredentials")
password = auth["passwordCredentials"]["password"]
if password and len(password) > CONF.identity.max_password_length:
raise exception.ValidationSizeError(attribute="password", size=CONF.identity.max_password_length)
if "userId" not in auth["passwordCredentials"] and "username" not in auth["passwordCredentials"]:
raise exception.ValidationError(attribute="username or userId", target="passwordCredentials")
user_id = auth["passwordCredentials"].get("userId", None)
if user_id and len(user_id) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute="userId", size=CONF.max_param_size)
username = auth["passwordCredentials"].get("username", "")
if len(username) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute="username", size=CONF.max_param_size)
if username:
try:
user_ref = self.identity_api.get_user_by_name(username, DEFAULT_DOMAIN_ID)
user_id = user_ref["id"]
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
try:
user_ref = self.identity_api.authenticate(user_id=user_id, password=password)
except AssertionError as e:
raise exception.Unauthorized(e)
metadata_ref = {}
tenant_id = self._get_project_id_from_auth(auth)
tenant_ref, metadata_ref["roles"] = self._get_project_roles_and_ref(user_id, tenant_id)
expiry = core.default_expire_time()
return (user_ref, tenant_ref, metadata_ref, expiry, None)
def _authenticate_external(self, context, auth):
"""Try to authenticate an external user via REMOTE_USER variable.
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if 'REMOTE_USER' not in context:
raise ExternalAuthNotApplicable()
username = context['REMOTE_USER']
try:
user_ref = self.identity_api.get_user_by_name(
username, DEFAULT_DOMAIN_ID)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
metadata_ref = {}
tenant_id = self._get_project_id_from_auth(auth)
tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
user_id, tenant_id)
expiry = core.default_expire_time()
return (user_ref, tenant_ref, metadata_ref, expiry)
def _authenticate_local(self, context, auth):
"""Try to authenticate against the identity backend.
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if 'passwordCredentials' not in auth:
raise exception.ValidationError(attribute='passwordCredentials',
target='auth')
if "password" not in auth['passwordCredentials']:
raise exception.ValidationError(attribute='password',
target='passwordCredentials')
password = auth['passwordCredentials']['password']
max_pw_size = utils.MAX_PASSWORD_LENGTH
if password and len(password) > max_pw_size:
raise exception.ValidationSizeError(attribute='password',
size=max_pw_size)
if ("userId" not in auth['passwordCredentials']
and "username" not in auth['passwordCredentials']):
raise exception.ValidationError(attribute='username or userId',
target='passwordCredentials')
user_id = auth['passwordCredentials'].get('userId', None)
if user_id and len(user_id) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute='userId',
size=CONF.max_param_size)
username = auth['passwordCredentials'].get('username', '')
if len(username) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute='username',
size=CONF.max_param_size)
if username:
try:
user_ref = self.identity_api.get_user_by_name(
context=context,
user_name=username,
domain_id=DEFAULT_DOMAIN_ID)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
tenant_id = self._get_project_id_from_auth(context, auth)
try:
auth_info = self.identity_api.authenticate(context=context,
user_id=user_id,
password=password,
tenant_id=tenant_id)
except AssertionError as e:
raise exception.Unauthorized(e)
(user_ref, tenant_ref, metadata_ref) = auth_info
# By now we will have authorized and if a tenant/project was
# specified, we will have obtained its metadata. In this case
# we just need to add in any group roles.
#
# TODO (henry-nash) If no tenant was specified, instead check
# for a domain and find any related user/group roles
self._append_roles(
metadata_ref,
self._get_group_metadata_ref(context, user_id, tenant_id))
expiry = core.default_expire_time()
return (user_ref, tenant_ref, metadata_ref, expiry)
def _authenticate_local(self, context, auth):
"""Try to authenticate against the identity backend.
{
"auth":{
"accessKeyCredentials":{
"username":"******",
"accesskey":"myaccesskey",
"tenantName":"customer-x"
}
}
}
Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
"""
if 'passwordCredentials' not in auth:
raise exception.ValidationError(attribute='passwordCredentials',
target='auth')
if "password" not in auth['passwordCredentials']:
raise exception.ValidationError(attribute='password',
target='passwordCredentials')
password = auth['passwordCredentials']['password']
if password and len(password) > CONF.identity.max_password_length:
raise exception.ValidationSizeError(
attribute='password', size=CONF.identity.max_password_length)
if ("userId" not in auth['passwordCredentials']
and "username" not in auth['passwordCredentials']):
raise exception.ValidationError(attribute='username or userId',
target='passwordCredentials')
user_id = auth['passwordCredentials'].get('userId')
if user_id and len(user_id) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute='userId',
size=CONF.max_param_size)
username = auth['passwordCredentials'].get('username', '')
if len(username) > CONF.max_param_size:
raise exception.ValidationSizeError(attribute='username',
size=CONF.max_param_size)
if username:
try:
user_ref = self.identity_api.get_user_by_name(
username, CONF.identity.default_domain_id)
user_id = user_ref['id']
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
try:
user_ref = self.identity_api.authenticate(context,
user_id=user_id,
password=password)
except AssertionError as e:
raise exception.Unauthorized(e.args[0])
metadata_ref = {}
tenant_id = self._get_project_id_from_auth(auth)
tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
user_id, tenant_id)
expiry = core.default_expire_time()
return (user_ref, tenant_ref, metadata_ref, expiry, None)
