1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import functools
from oslo.serialization import jsonutils
from pycadf import cadftaxonomy as taxonomy
from six.moves.urllib import parse
from keystone import auth
from keystone.common import dependency
from keystone.contrib import federation
from keystone.contrib.federation import utils
from keystone.models import token_model
from keystone import notifications
@dependency.requires('federation_api', 'identity_api', 'token_provider_api')
class Mapped(auth.AuthMethodHandler):
def authenticate(self, context, auth_payload, auth_context):
"""Authenticate mapped user and return an authentication context.
:param context: keystone's request context
:param auth_payload: the content of the authentication for a
given method
:param auth_context: user authentication context, a dictionary
shared by all plugins.
In addition to ``user_id`` in ``auth_context``, this plugin sets
``group_ids``, ``OS-FEDERATION:identity_provider`` and
``OS-FEDERATION:protocol``
"""
if 'id' in auth_payload:
fields = self._handle_scoped_token(context, auth_payload)
else:
fields = self._handle_unscoped_token(context, auth_payload)
auth_context.update(fields)
def _handle_scoped_token(self, context, auth_payload):
token_id = auth_payload['id']
token_ref = token_model.KeystoneToken(
token_id=token_id,
token_data=self.token_provider_api.validate_token(
token_id))
utils.validate_expiration(token_ref)
token_audit_id = token_ref.audit_id
identity_provider = token_ref.federation_idp_id
protocol = token_ref.federation_protocol_id
user_id = token_ref['user']['id']
group_ids = token_ref.federation_group_ids
send_notification = functools.partial(
notifications.send_saml_audit_notification, 'authenticate',
context, user_id, group_ids, identity_provider, protocol,
token_audit_id)
try:
mapping = self.federation_api.get_mapping_from_idp_and_protocol(
identity_provider, protocol)
utils.validate_groups(group_ids, mapping['id'], self.identity_api)
except Exception:
# NOTE(topol): Diaper defense to catch any exception, so we can
# send off failed authentication notification, raise the exception
# after sending the notification
send_notification(taxonomy.OUTCOME_FAILURE)
raise
else:
send_notification(taxonomy.OUTCOME_SUCCESS)
return {
'user_id': user_id,
'group_ids': group_ids,
federation.IDENTITY_PROVIDER: identity_provider,
federation.PROTOCOL: protocol
}
def _handle_unscoped_token(self, context, auth_payload):
user_id, assertion = self._extract_assertion_data(context)
if user_id:
assertion['user_id'] = user_id
identity_provider = auth_payload['identity_provider']
protocol = auth_payload['protocol']
group_ids = None
# NOTE(topol): Since the user is coming in from an IdP with a SAML doc
# instead of from a token we set token_id to None
token_id = None
try:
mapped_properties = self._apply_mapping_filter(identity_provider,
protocol,
assertion)
group_ids = mapped_properties['group_ids']
if not user_id:
user_id = parse.quote(mapped_properties['name'])
except Exception:
# NOTE(topol): Diaper defense to catch any exception, so we can
# send off failed authentication notification, raise the exception
# after sending the notification
outcome = taxonomy.OUTCOME_FAILURE
notifications.send_saml_audit_notification('authenticate', context,
user_id, group_ids,
identity_provider,
protocol, token_id,
outcome)
raise
else:
outcome = taxonomy.OUTCOME_SUCCESS
notifications.send_saml_audit_notification('authenticate', context,
user_id, group_ids,
identity_provider,
protocol, token_id,
outcome)
return {
'user_id': user_id,
'group_ids': group_ids,
federation.IDENTITY_PROVIDER: identity_provider,
federation.PROTOCOL: protocol
}
def _extract_assertion_data(self, context):
assertion = dict(utils.get_assertion_params_from_env(context))
user_id = context['environment'].get('REMOTE_USER')
return user_id, assertion
def _apply_mapping_filter(self, identity_provider, protocol, assertion):
mapping = self.federation_api.get_mapping_from_idp_and_protocol(
identity_provider, protocol)
rules = jsonutils.loads(mapping['rules'])
rule_processor = utils.RuleProcessor(rules)
mapped_properties = rule_processor.process(assertion)
utils.validate_groups(mapped_properties['group_ids'],
mapping['id'], self.identity_api)
return mapped_properties
|
