1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
# Copyright 2022 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import webob
from oslo_log import log as logging
from oslo_serialization import jsonutils
from keystonemiddleware.auth_token import _user_plugin
from keystonemiddleware.auth_token import AuthProtocol
from keystonemiddleware import exceptions
from keystonemiddleware.i18n import _
_LOG = logging.getLogger(__name__)
class OAuth2Protocol(AuthProtocol):
"""Middleware that handles OAuth2.0 client credentials authentication."""
def __init__(self, app, conf):
log = logging.getLogger(conf.get('log_name', __name__))
log.info('Starting Keystone oauth2_token middleware')
super(OAuth2Protocol, self).__init__(app, conf)
def _is_valid_access_token(self, request):
"""Check if the request contains an OAuth2.0 access token.
:param request: Incoming request
:type request: _request.AuthTokenRequest
"""
access_token = None
if (request.authorization and
request.authorization.authtype == 'Bearer'):
access_token = request.authorization.params
if access_token:
try:
token_data, user_auth_ref = self._do_fetch_token(
access_token, allow_expired=False)
self._validate_token(user_auth_ref,
allow_expired=False)
token = token_data['token']
self.validate_allowed_request(request, token)
self._confirm_token_bind(user_auth_ref, request)
request.token_info = token_data
request.token_auth = _user_plugin.UserAuthPlugin(
user_auth_ref, None)
return True
except exceptions.KeystoneMiddlewareException as err:
_LOG.info('Invalid OAuth2.0 access token: %s' % str(err))
return False
def process_request(self, request):
"""Process request.
:param request: Incoming request
:type request: _request.AuthTokenRequest
"""
request.remove_auth_headers()
self._token_cache.initialize(request.environ)
if (not self._is_valid_access_token(request)
or "keystone.token_info" not in request.environ
or "token" not in request.environ["keystone.token_info"]):
_LOG.info('Rejecting request')
message = _('The request you have made requires authentication.')
body = {'error': {
'code': 401,
'title': 'Unauthorized',
'message': message,
}}
raise webob.exc.HTTPUnauthorized(
body=jsonutils.dumps(body),
headers=self._reject_auth_headers,
charset='UTF-8',
content_type='application/json')
request.set_user_headers(request.token_auth.user)
request.set_service_catalog_headers(request.token_auth.user)
request.token_auth._auth = self._auth
request.token_auth._session = self._session
def filter_factory(global_conf, **local_conf):
"""Return a WSGI filter app for use with paste.deploy."""
conf = global_conf.copy()
conf.update(local_conf)
def auth_filter(app):
return OAuth2Protocol(app, conf)
return auth_filter
|
