OAuth request/access token and consumer support for oauth client API

Add support for creating request and access tokens,
and to authorize request tokens. Also adding basic CRUD for
consumer entities.

DocImpact
Change-Id: Ib9d0b223f202a7e33cbad1602da5be7479cd3284
implements: bp add-oauth-support

7 files changed, 282 insertions, 0 deletions

diff --git a/keystoneclient/v3/client.py b/keystoneclient/v3/client.py
index 417fdb2..32ec90c 100644
--- a/keystoneclient/v3/client.py
+++ b/keystoneclient/v3/client.py
@@ -21,6 +21,7 @@ from keystoneclient import httpclient
 from keystoneclient.openstack.common import jsonutils
 from keystoneclient.v3.contrib import endpoint_filter
 from keystoneclient.v3.contrib import federation
+from keystoneclient.v3.contrib import oauth1
 from keystoneclient.v3.contrib import trusts
 from keystoneclient.v3 import credentials
 from keystoneclient.v3 import domains
@@ -99,6 +100,7 @@ class Client(httpclient.HTTPClient):
         self.domains = domains.DomainManager(self)
         self.federation = federation.FederationManager(self)
         self.groups = groups.GroupManager(self)
+        self.oauth1 = oauth1.create_oauth_manager(self)
         self.policies = policies.PolicyManager(self)
         self.projects = projects.ProjectManager(self)
         self.roles = roles.RoleManager(self)
diff --git a/keystoneclient/v3/contrib/oauth1/__init__.py b/keystoneclient/v3/contrib/oauth1/__init__.py
new file mode 100644
index 0000000..e1fb8b7
--- /dev/null
+++ b/keystoneclient/v3/contrib/oauth1/__init__.py
@@ -0,0 +1,13 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystoneclient.v3.contrib.oauth1.core import *  # noqa
diff --git a/keystoneclient/v3/contrib/oauth1/access_tokens.py b/keystoneclient/v3/contrib/oauth1/access_tokens.py
new file mode 100644
index 0000000..917586e
--- /dev/null
+++ b/keystoneclient/v3/contrib/oauth1/access_tokens.py
@@ -0,0 +1,46 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import unicode_literals
+
+from keystoneclient import base
+from keystoneclient.v3.contrib.oauth1 import utils
+
+try:
+    from oauthlib import oauth1
+except ImportError:
+    oauth1 = None
+
+
+class AccessToken(base.Resource):
+    pass
+
+
+class AccessTokenManager(base.CrudManager):
+    """Manager class for manipulating identity OAuth access tokens."""
+    resource_class = AccessToken
+
+    def create(self, consumer_key, consumer_secret, request_key,
+               request_secret, verifier):
+        endpoint = utils.OAUTH_PATH + '/access_token'
+        oauth_client = oauth1.Client(consumer_key,
+                                     client_secret=consumer_secret,
+                                     resource_owner_key=request_key,
+                                     resource_owner_secret=request_secret,
+                                     signature_method=oauth1.SIGNATURE_HMAC,
+                                     verifier=verifier)
+        url = self.client.auth_url.rstrip("/") + endpoint
+        url, headers, body = oauth_client.sign(url, http_method='POST')
+        resp, body = self.client.post(endpoint, headers=headers)
+        token = utils.get_oauth_token_from_body(body)
+        return self.resource_class(self, token)
diff --git a/keystoneclient/v3/contrib/oauth1/consumers.py b/keystoneclient/v3/contrib/oauth1/consumers.py
new file mode 100644
index 0000000..25e8ca1
--- /dev/null
+++ b/keystoneclient/v3/contrib/oauth1/consumers.py
@@ -0,0 +1,52 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from keystoneclient import base
+from keystoneclient.v3.contrib.oauth1 import utils
+
+
+class Consumer(base.Resource):
+    """Represents an OAuth consumer.
+
+    Attributes:
+        * id: a uuid that identifies the consumer
+        * description: a short description of the consumer
+    """
+    pass
+
+
+class ConsumerManager(base.CrudManager):
+    """Manager class for manipulating identity consumers."""
+    resource_class = Consumer
+    collection_key = 'consumers'
+    key = 'consumer'
+    base_url = utils.OAUTH_PATH
+
+    def create(self, description=None, **kwargs):
+        return super(ConsumerManager, self).create(
+            description=description,
+            **kwargs)
+
+    def get(self, consumer):
+        return super(ConsumerManager, self).get(
+            consumer_id=base.getid(consumer))
+
+    def update(self, consumer, description=None, **kwargs):
+        return super(ConsumerManager, self).update(
+            consumer_id=base.getid(consumer),
+            description=description,
+            **kwargs)
+
+    def delete(self, consumer):
+        return super(ConsumerManager, self).delete(
+            consumer_id=base.getid(consumer))
diff --git a/keystoneclient/v3/contrib/oauth1/core.py b/keystoneclient/v3/contrib/oauth1/core.py
new file mode 100644
index 0000000..4820c02
--- /dev/null
+++ b/keystoneclient/v3/contrib/oauth1/core.py
@@ -0,0 +1,64 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from keystoneclient.v3.contrib.oauth1 import access_tokens
+from keystoneclient.v3.contrib.oauth1 import consumers
+from keystoneclient.v3.contrib.oauth1 import request_tokens
+
+
+def create_oauth_manager(self):
+    # NOTE(stevemar): Attempt to import the oauthlib package at this point.
+    try:
+        import oauthlib  # noqa
+    # NOTE(stevemar): Return an object instead of raising an exception here,
+    # this will allow users to see an exception only when trying to access the
+    # oauth portions of client. Otherwise an exception would be raised
+    # when the client is created.
+    except ImportError:
+        return OAuthManagerOptionalImportProxy()
+    else:
+        return OAuthManager(self)
+
+
+class OAuthManager(object):
+    def __init__(self, api):
+        self.access_tokens = access_tokens.AccessTokenManager(api)
+        self.consumers = consumers.ConsumerManager(api)
+        self.request_tokens = request_tokens.RequestTokenManager(api)
+
+
+class OAuthManagerOptionalImportProxy(object):
+    """Act as a proxy manager in case oauthlib is no installed.
+
+    This class will only be created if oauthlib is not in the system,
+    trying to access any of the attributes in name (access_tokens,
+    consumers, request_tokens), will result in a NotImplementedError,
+    and a message.
+
+    >>> manager.access_tokens.blah
+    NotImplementedError: To use 'access_tokens' oauthlib must be installed
+
+    Otherwise, if trying to access an attribute other than the ones in name,
+    the manager will state that the attribute does not exist.
+
+    >>> manager.dne.blah
+    AttributeError: 'OAuthManagerOptionalImportProxy' object has no
+    attribute 'dne'
+    """
+
+    def __getattribute__(self, name):
+        if name in ('access_tokens', 'comsumers', 'request_tokens'):
+            raise NotImplementedError(
+                'To use %r oauthlib must be installed' % name)
+        return super(OAuthManagerOptionalImportProxy,
+                     self).__getattribute__(name)
diff --git a/keystoneclient/v3/contrib/oauth1/request_tokens.py b/keystoneclient/v3/contrib/oauth1/request_tokens.py
new file mode 100644
index 0000000..29f428e
--- /dev/null
+++ b/keystoneclient/v3/contrib/oauth1/request_tokens.py
@@ -0,0 +1,70 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import unicode_literals
+
+from six.moves.urllib import parse as urlparse
+
+from keystoneclient import base
+from keystoneclient.v3.contrib.oauth1 import utils
+
+try:
+    from oauthlib import oauth1
+except ImportError:
+    oauth1 = None
+
+
+class RequestToken(base.Resource):
+    def authorize(self, roles):
+        try:
+            retval = self.manager.authorize(self.id, roles)
+            self = retval
+        except Exception:
+            retval = None
+
+        return retval
+
+
+class RequestTokenManager(base.CrudManager):
+    """Manager class for manipulating identity OAuth request tokens."""
+    resource_class = RequestToken
+
+    def authorize(self, request_token, roles):
+        """Authorize a request token with specific roles.
+
+        Utilize Identity API operation:
+        PUT /OS-OAUTH1/authorize/$request_token_id
+
+        :param request_token: a request token that will be authorized, and
+            can be exchanged for an access token.
+        :param roles: a list of roles, that will be delegated to the user.
+        """
+
+        request_id = urlparse.quote(base.getid(request_token))
+        endpoint = utils.OAUTH_PATH + '/authorize/%s' % (request_id)
+        body = {'roles': [{'id': base.getid(r_id)} for r_id in roles]}
+        return self._put(endpoint, body, "token")
+
+    def create(self, consumer_key, consumer_secret, project):
+        endpoint = utils.OAUTH_PATH + '/request_token'
+        headers = {'requested_project_id': base.getid(project)}
+        oauth_client = oauth1.Client(consumer_key,
+                                     client_secret=consumer_secret,
+                                     signature_method=oauth1.SIGNATURE_HMAC,
+                                     callback_uri="oob")
+        url = self.client.auth_url.rstrip("/") + endpoint
+        url, headers, body = oauth_client.sign(url, http_method='POST',
+                                               headers=headers)
+        resp, body = self.client.post(endpoint, headers=headers)
+        token = utils.get_oauth_token_from_body(body)
+        return self.resource_class(self, token)
diff --git a/keystoneclient/v3/contrib/oauth1/utils.py b/keystoneclient/v3/contrib/oauth1/utils.py
new file mode 100644
index 0000000..5d02f94
--- /dev/null
+++ b/keystoneclient/v3/contrib/oauth1/utils.py
@@ -0,0 +1,35 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from six.moves.urllib import parse as urlparse
+
+
+OAUTH_PATH = '/OS-OAUTH1'
+
+
+def get_oauth_token_from_body(body):
+    """Parse the URL response body to retrieve the oauth token key and secret
+
+    The response body will look like:
+    'oauth_token=12345&oauth_token_secret=67890' with
+    'oauth_expires_at=2013-03-30T05:27:19.463201' possibly there, too.
+    """
+
+    credentials = urlparse.parse_qs(body)
+    key = credentials['oauth_token'][0]
+    secret = credentials['oauth_token_secret'][0]
+    token = {'key': key, 'id': key, 'secret': secret}
+    expires_at = credentials.get('oauth_expires_at')
+    if expires_at:
+        token['expires'] = expires_at[0]
+    return token