1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
|
# Copyright (c) 2013 Rackspace, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import abc
import json
import logging
from keystoneclient.v2_0 import client as ksclient
from keystoneclient import exceptions
import requests
import six
LOG = logging.getLogger(__name__)
class AuthException(Exception):
"""Raised when authorization fails."""
pass
@six.add_metaclass(abc.ABCMeta)
class AuthPluginBase(object):
"""Base class for Auth plugins."""
@abc.abstractproperty
def auth_token(self):
"""
Returns a valid token to be used in X-Auth-Token header for
api requests.
"""
@abc.abstractproperty
def barbican_url(self):
"""
Returns the barbican endpoint url, including the version.
"""
class KeystoneAuthV2(AuthPluginBase):
def __init__(self, auth_url='', username='', password='',
tenant_name='', tenant_id='', insecure=False, keystone=None):
if not keystone:
tenant_info = tenant_name or tenant_id
if not all([auth_url, username, password, tenant_info]):
raise ValueError('Please provide auth_url, username, password,'
' and tenant_id or tenant_name.')
self._barbican_url = None
#TODO(dmend): make these configurable
self._service_type = 'keystore'
self._endpoint_type = 'publicURL'
self._keystone = keystone or ksclient.Client(username=username,
password=password,
tenant_name=tenant_name,
tenant_id=tenant_id,
auth_url=auth_url,
insecure=insecure)
self.tenant_name = self._keystone.tenant_name
self.tenant_id = self._keystone.tenant_id
@property
def auth_token(self):
return self._keystone.auth_token
@property
def barbican_url(self):
if not self._barbican_url:
try:
self._barbican_url = self._keystone.service_catalog.url_for(
attr='region',
filter_value=self._keystone.region_name,
service_type=self._service_type,
endpoint_type=self._endpoint_type
)
except exceptions.EmptyCatalog:
LOG.error('Keystone is reporting an empty catalog.')
raise AuthException('Empty keystone catalog.')
except exceptions.EndpointNotFound:
LOG.error('Barbican endpoint not found in keystone catalog.')
raise AuthException('Barbican endpoint not found.')
return self._barbican_url
class RackspaceAuthV2(AuthPluginBase):
def __init__(self, auth_url='', username='', api_key='', password=''):
if not all([auth_url, username, api_key or password]):
raise ValueError('Please provide auth_url, username, api_key or '
'password.')
self._auth_url = auth_url
self._username = username
self._api_key = api_key
self._password = password
self._auth_token = None
self._barbican_url = None
self.tenant_id = None
self._authenticate()
@property
def auth_token(self):
return self._auth_token
@property
def barbican_url(self):
return self._barbican_url
def _authenticate(self):
auth_url = '{0}/tokens'.format(self._auth_url)
headers = {'Accept': 'application/json',
'Content-Type': 'application/json'}
if self._api_key:
payload = self._authenticate_with_api_key()
else:
payload = self._authenticate_with_password()
r = requests.post(auth_url, data=json.dumps(payload), headers=headers)
try:
r.raise_for_status()
except requests.HTTPError:
msg = 'HTTPError ({0}): Unable to authenticate with Rackspace.'
msg = msg.format(r.status_code)
LOG.error(msg)
raise AuthException(msg)
try:
data = r.json()
except ValueError:
msg = 'Error parsing response from Rackspace Identity.'
LOG.error(msg)
raise AuthException(msg)
else:
#TODO(dmend): get barbican_url from catalog
self._auth_token = data['access']['token']['id']
self.tenant_id = data['access']['token']['tenant']['id']
def _authenticate_with_api_key(self):
return {
'auth': {
'RAX-KSKEY:apiKeyCredentials': {
'username': self._username,
'apiKey': self._api_key
}
}
}
def _authenticate_with_password(self):
return {
'auth': {
'passwordCredentials': {
'username': self._username,
'password': self._password
}
}
}
|