¡@
OpenStack Study: controllers.py**** CubicPower OpenStack Study ****
# Copyright 2013 OpenStack Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. import json from keystoneclient.common import cms import six from keystone.common import controller from keystone.common import dependency from keystone.common import wsgi from keystone import config from keystone.contrib import federation from keystone import exception from keystone.openstack.common.gettextutils import _ from keystone.openstack.common import importutils from keystone.openstack.common import log from keystone.openstack.common import timeutils LOG = log.getLogger(__name__) CONF = config.CONF # registry of authentication methods AUTH_METHODS = {} AUTH_PLUGINS_LOADED = False
**** CubicPower OpenStack Study **** def load_auth_methods(): global AUTH_PLUGINS_LOADED if AUTH_PLUGINS_LOADED: # Only try and load methods a single time. return # config.setup_authentication should be idempotent, call it to ensure we # have setup all the appropriate configuration options we may need. config.setup_authentication() for plugin in CONF.auth.methods: if '.' in plugin: # NOTE(morganfainberg): if '.' is in the plugin name, it should be # imported rather than used as a plugin identifier. plugin_class = plugin driver = importutils.import_object(plugin) if not hasattr(driver, 'method'): raise ValueError(_('Cannot load an auth-plugin by class-name ' 'without a "method" attribute defined: %s'), plugin_class) else: plugin_class = CONF.auth.get(plugin) driver = importutils.import_object(plugin_class) if hasattr(driver, 'method'): if driver.method != plugin: raise ValueError(_('Driver requested method %(req)s does ' 'not match plugin name %(plugin)s.') % {'req': driver.method, 'plugin': plugin}) else: LOG.warning(_('Auth Plugin %s does not have a "method" ' 'attribute.'), plugin) setattr(driver, 'method', plugin) if driver.method in AUTH_METHODS: raise ValueError(_('Auth plugin %(plugin)s is requesting ' 'previously registered method %(method)s') % {'plugin': plugin_class, 'method': driver.method}) AUTH_METHODS[driver.method] = driver AUTH_PLUGINS_LOADED = True
**** CubicPower OpenStack Study **** def get_auth_method(method_name): global AUTH_METHODS if method_name not in AUTH_METHODS: raise exception.AuthMethodNotSupported() return AUTH_METHODS[method_name] # TODO(blk-u): this class doesn't use identity_api directly, but makes it # available for consumers. Consumers should probably not be getting # identity_api from this since it's available in global registry, then # identity_api should be removed from this list. @dependency.requires('assignment_api', 'identity_api', 'trust_api')
**** CubicPower OpenStack Study **** class AuthInfo(object): """Encapsulation of "auth" request.""" @staticmethod
**** CubicPower OpenStack Study **** def create(context, auth=None): auth_info = AuthInfo(context, auth=auth) auth_info._validate_and_normalize_auth_data() return auth_info
**** CubicPower OpenStack Study **** def __init__(self, context, auth=None): self.context = context self.auth = auth self._scope_data = (None, None, None) # self._scope_data is (domain_id, project_id, trust_ref) # project scope: (None, project_id, None) # domain scope: (domain_id, None, None) # trust scope: (None, None, trust_ref) # unscoped: (None, None, None)
**** CubicPower OpenStack Study **** def _assert_project_is_enabled(self, project_ref): # ensure the project is enabled if not project_ref.get('enabled', True): msg = _('Project is disabled: %s') % project_ref['id'] LOG.warning(msg) raise exception.Unauthorized(msg)
**** CubicPower OpenStack Study **** def _assert_domain_is_enabled(self, domain_ref): if not domain_ref.get('enabled'): msg = _('Domain is disabled: %s') % (domain_ref['id']) LOG.warning(msg) raise exception.Unauthorized(msg)
**** CubicPower OpenStack Study **** def _lookup_domain(self, domain_info): domain_id = domain_info.get('id') domain_name = domain_info.get('name') domain_ref = None if not domain_id and not domain_name: raise exception.ValidationError(attribute='id or name', target='domain') try: if domain_name: domain_ref = self.assignment_api.get_domain_by_name( domain_name) else: domain_ref = self.assignment_api.get_domain(domain_id) except exception.DomainNotFound as e: LOG.exception(e) raise exception.Unauthorized(e) self._assert_domain_is_enabled(domain_ref) return domain_ref
**** CubicPower OpenStack Study **** def _lookup_project(self, project_info): project_id = project_info.get('id') project_name = project_info.get('name') project_ref = None if not project_id and not project_name: raise exception.ValidationError(attribute='id or name', target='project') try: if project_name: if 'domain' not in project_info: raise exception.ValidationError(attribute='domain', target='project') domain_ref = self._lookup_domain(project_info['domain']) project_ref = self.assignment_api.get_project_by_name( project_name, domain_ref['id']) else: project_ref = self.assignment_api.get_project(project_id) except exception.ProjectNotFound as e: LOG.exception(e) raise exception.Unauthorized(e) self._assert_project_is_enabled(project_ref) return project_ref
**** CubicPower OpenStack Study **** def _lookup_trust(self, trust_info): trust_id = trust_info.get('id') if not trust_id: raise exception.ValidationError(attribute='trust_id', target='trust') trust = self.trust_api.get_trust(trust_id) if not trust: raise exception.TrustNotFound(trust_id=trust_id) return trust
**** CubicPower OpenStack Study **** def _validate_and_normalize_scope_data(self): """Validate and normalize scope data.""" if 'scope' not in self.auth: return if sum(['project' in self.auth['scope'], 'domain' in self.auth['scope'], 'OS-TRUST:trust' in self.auth['scope']]) != 1: raise exception.ValidationError( attribute='project, domain, or OS-TRUST:trust', target='scope') if 'project' in self.auth['scope']: project_ref = self._lookup_project(self.auth['scope']['project']) self._scope_data = (None, project_ref['id'], None) elif 'domain' in self.auth['scope']: domain_ref = self._lookup_domain(self.auth['scope']['domain']) self._scope_data = (domain_ref['id'], None, None) elif 'OS-TRUST:trust' in self.auth['scope']: if not CONF.trust.enabled: raise exception.Forbidden('Trusts are disabled.') trust_ref = self._lookup_trust( self.auth['scope']['OS-TRUST:trust']) # TODO(ayoung): when trusts support domains, fill in domain data if 'project_id' in trust_ref: project_ref = self._lookup_project( {'id': trust_ref['project_id']}) self._scope_data = (None, project_ref['id'], trust_ref) else: self._scope_data = (None, None, trust_ref)
**** CubicPower OpenStack Study **** def _validate_auth_methods(self): if 'identity' not in self.auth: raise exception.ValidationError(attribute='identity', target='auth') # make sure auth methods are provided if 'methods' not in self.auth['identity']: raise exception.ValidationError(attribute='methods', target='identity') # make sure all the method data/payload are provided for method_name in self.get_method_names(): if method_name not in self.auth['identity']: raise exception.ValidationError(attribute=method_name, target='identity') # make sure auth method is supported for method_name in self.get_method_names(): if method_name not in AUTH_METHODS: raise exception.AuthMethodNotSupported()
**** CubicPower OpenStack Study **** def _validate_and_normalize_auth_data(self): """Make sure "auth" is valid.""" # make sure "auth" exist if not self.auth: raise exception.ValidationError(attribute='auth', target='request body') self._validate_auth_methods() self._validate_and_normalize_scope_data()
**** CubicPower OpenStack Study **** def get_method_names(self): """Returns the identity method names. :returns: list of auth method names """ # Sanitizes methods received in request's body # Filters out duplicates, while keeping elements' order. method_names = [] for method in self.auth['identity']['methods']: if method not in method_names: method_names.append(method) return method_names
**** CubicPower OpenStack Study **** def get_method_data(self, method): """Get the auth method payload. :returns: auth method payload """ if method not in self.auth['identity']['methods']: raise exception.ValidationError(attribute=method, target='identity') return self.auth['identity'][method]
**** CubicPower OpenStack Study **** def get_scope(self): """Get scope information. Verify and return the scoping information. :returns: (domain_id, project_id, trust_ref). If scope to a project, (None, project_id, None) will be returned. If scoped to a domain, (domain_id, None, None) will be returned. If scoped to a trust, (None, project_id, trust_ref), Will be returned, where the project_id comes from the trust definition. If unscoped, (None, None, None) will be returned. """ return self._scope_data
**** CubicPower OpenStack Study **** def set_scope(self, domain_id=None, project_id=None, trust=None): """Set scope information.""" if domain_id and project_id: msg = _('Scoping to both domain and project is not allowed') raise ValueError(msg) if domain_id and trust: msg = _('Scoping to both domain and trust is not allowed') raise ValueError(msg) if project_id and trust: msg = _('Scoping to both project and trust is not allowed') raise ValueError(msg) self._scope_data = (domain_id, project_id, trust) @dependency.requires('assignment_api', 'identity_api', 'token_api', 'token_provider_api', 'trust_api')
**** CubicPower OpenStack Study **** class Auth(controller.V3Controller): # Note(atiwari): From V3 auth controller code we are # calling protection() wrappers, so we need to setup # the member_name and collection_name attributes of # auth controller code. # In the absence of these attributes,
**** CubicPower OpenStack Study **** def __init__(self, *args, **kw): super(Auth, self).__init__(*args, **kw) config.setup_authentication()
**** CubicPower OpenStack Study **** def authenticate_for_token(self, context, auth=None): """Authenticate user and issue a token.""" include_catalog = 'nocatalog' not in context['query_string'] try: auth_info = AuthInfo.create(context, auth=auth) auth_context = {'extras': {}, 'method_names': [], 'bind': {}} self.authenticate(context, auth_info, auth_context) if auth_context.get('access_token_id'): auth_info.set_scope(None, auth_context['project_id'], None) self._check_and_set_default_scoping(auth_info, auth_context) (domain_id, project_id, trust) = auth_info.get_scope() if trust: self.trust_api.consume_use(trust['id']) method_names = auth_info.get_method_names() method_names += auth_context.get('method_names', []) # make sure the list is unique method_names = list(set(method_names)) expires_at = auth_context.get('expires_at') # NOTE(morganfainberg): define this here so it is clear what the # argument is during the issue_v3_token provider call. metadata_ref = None (token_id, token_data) = self.token_provider_api.issue_v3_token( auth_context['user_id'], method_names, expires_at, project_id, domain_id, auth_context, trust, metadata_ref, include_catalog) return render_token_data_response(token_id, token_data, created=True) except exception.TrustNotFound as e: raise exception.Unauthorized(e)
**** CubicPower OpenStack Study **** def _check_and_set_default_scoping(self, auth_info, auth_context): (domain_id, project_id, trust) = auth_info.get_scope() if trust: project_id = trust['project_id'] if domain_id or project_id or trust: # scope is specified return # Skip scoping when unscoped federated token is being issued if federation.IDENTITY_PROVIDER in auth_context: return # fill in default_project_id if it is available try: user_ref = self.identity_api.get_user(auth_context['user_id']) except exception.UserNotFound as e: LOG.exception(e) raise exception.Unauthorized(e) default_project_id = user_ref.get('default_project_id') if not default_project_id: # User has no default project. He shall get an unscoped token. return # make sure user's default project is legit before scoping to it try: default_project_ref = self.assignment_api.get_project( default_project_id) default_project_domain_ref = self.assignment_api.get_domain( default_project_ref['domain_id']) if (default_project_ref.get('enabled', True) and default_project_domain_ref.get('enabled', True)): if self.assignment_api.get_roles_for_user_and_project( user_ref['id'], default_project_id): auth_info.set_scope(project_id=default_project_id) else: msg = _("User %(user_id)s doesn't have access to" " default project %(project_id)s. The token will" " be unscoped rather than scoped to the project.") LOG.warning(msg, {'user_id': user_ref['id'], 'project_id': default_project_id}) else: msg = _("User %(user_id)s's default project %(project_id)s is" " disabled. The token will be unscoped rather than" " scoped to the project.") LOG.warning(msg, {'user_id': user_ref['id'], 'project_id': default_project_id}) except (exception.ProjectNotFound, exception.DomainNotFound): # default project or default project domain doesn't exist, # will issue unscoped token instead msg = _("User %(user_id)s's default project %(project_id)s not" " found. The token will be unscoped rather than" " scoped to the project.") LOG.warning(msg, {'user_id': user_ref['id'], 'project_id': default_project_id})
**** CubicPower OpenStack Study **** def authenticate(self, context, auth_info, auth_context): """Authenticate user.""" # user has been authenticated externally if 'REMOTE_USER' in context['environment']: external = get_auth_method('external') external.authenticate(context, auth_info, auth_context) # need to aggregate the results in case two or more methods # are specified auth_response = {'methods': []} for method_name in auth_info.get_method_names(): method = get_auth_method(method_name) resp = method.authenticate(context, auth_info.get_method_data(method_name), auth_context) if resp: auth_response['methods'].append(method_name) auth_response[method_name] = resp if auth_response["methods"]: # authentication continuation required raise exception.AdditionalAuthRequired(auth_response) if 'user_id' not in auth_context: msg = _('User not found') raise exception.Unauthorized(msg) @controller.protected()
**** CubicPower OpenStack Study **** def check_token(self, context): token_id = context.get('subject_token_id') self.token_provider_api.check_v3_token(token_id) @controller.protected()
**** CubicPower OpenStack Study **** def revoke_token(self, context): token_id = context.get('subject_token_id') return self.token_provider_api.revoke_token(token_id) @controller.protected()
**** CubicPower OpenStack Study **** def validate_token(self, context): token_id = context.get('subject_token_id') include_catalog = 'nocatalog' not in context['query_string'] token_data = self.token_provider_api.validate_v3_token( token_id) if not include_catalog and 'catalog' in token_data['token']: del token_data['token']['catalog'] return render_token_data_response(token_id, token_data) @controller.protected()
**** CubicPower OpenStack Study **** def revocation_list(self, context, auth=None): if not CONF.token.revoke_by_id: raise exception.Gone() tokens = self.token_api.list_revoked_tokens() for t in tokens: expires = t['expires'] if not (expires and isinstance(expires, six.text_type)): t['expires'] = timeutils.isotime(expires) data = {'revoked': tokens} json_data = json.dumps(data) signed_text = cms.cms_sign_text(json_data, CONF.signing.certfile, CONF.signing.keyfile) return {'signed': signed_text} #FIXME(gyee): not sure if it belongs here or keystone.common. Park it here # for now. def render_token_data_response(token_id, token_data, created=False): """Render token data HTTP response. Stash token ID into the X-Subject-Token header. """ headers = [('X-Subject-Token', token_id)] if created: status = (201, 'Created') else: status = (200, 'OK') return wsgi.render_response(body=token_data, status=status, headers=headers)
**** CubicPower OpenStack Study **** def render_token_data_response(token_id, token_data, created=False): """Render token data HTTP response. Stash token ID into the X-Subject-Token header. """ headers = [('X-Subject-Token', token_id)] if created: status = (201, 'Created') else: status = (200, 'OK') return wsgi.render_response(body=token_data, status=status, headers=headers)
|