diff options
author | Jamie Lennox <jamielennox@redhat.com> | 2015-03-11 13:48:02 +1100 |
---|---|---|
committer | Jamie Lennox <jamielennox@redhat.com> | 2015-03-20 20:29:18 +1100 |
commit | 3759cfa96bcd9bbaa650e42a52693bc3d785092d (patch) | |
tree | 4e2bbdea5a50e29a26126a65e6ecdc862a3e43b2 /keystoneclient/auth | |
parent | 3a76d5c211f72fd00450ec540e7e77e5d3e17771 (diff) | |
download | python-keystoneclient-3759cfa96bcd9bbaa650e42a52693bc3d785092d.tar.gz |
Add a FederatedBase v3 plugin
With the out of tree federation plugins going on extract the basic
federation workflow and required information that can be reused.
Change-Id: I6fdb3a5c6d9f3e1d6fa3425fd05809155effed1f
Diffstat (limited to 'keystoneclient/auth')
-rw-r--r-- | keystoneclient/auth/identity/v3/__init__.py | 3 | ||||
-rw-r--r-- | keystoneclient/auth/identity/v3/federated.py | 111 |
2 files changed, 114 insertions, 0 deletions
diff --git a/keystoneclient/auth/identity/v3/__init__.py b/keystoneclient/auth/identity/v3/__init__.py index 6992c7f..a08f3ec 100644 --- a/keystoneclient/auth/identity/v3/__init__.py +++ b/keystoneclient/auth/identity/v3/__init__.py @@ -11,6 +11,7 @@ # under the License. from keystoneclient.auth.identity.v3.base import * # noqa +from keystoneclient.auth.identity.v3.federated import * # noqa from keystoneclient.auth.identity.v3.password import * # noqa from keystoneclient.auth.identity.v3.token import * # noqa @@ -20,6 +21,8 @@ __all__ = ['Auth', 'AuthMethod', 'BaseAuth', + 'FederatedBaseAuth', + 'Password', 'PasswordMethod', diff --git a/keystoneclient/auth/identity/v3/federated.py b/keystoneclient/auth/identity/v3/federated.py new file mode 100644 index 0000000..db7ad2b --- /dev/null +++ b/keystoneclient/auth/identity/v3/federated.py @@ -0,0 +1,111 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import abc + +from oslo_config import cfg +import six + +from keystoneclient.auth.identity.v3 import base +from keystoneclient.auth.identity.v3 import token + +__all__ = ['FederatedBaseAuth'] + + +@six.add_metaclass(abc.ABCMeta) +class FederatedBaseAuth(base.BaseAuth): + + rescoping_plugin = token.Token + + def __init__(self, auth_url, identity_provider, protocol, **kwargs): + """Class constructor accepting following parameters: + + :param auth_url: URL of the Identity Service + :type auth_url: string + :param identity_provider: name of the Identity Provider the client + will authenticate against. This parameter + will be used to build a dynamic URL used to + obtain unscoped OpenStack token. + :type identity_provider: string + + """ + super(FederatedBaseAuth, self).__init__(auth_url=auth_url, **kwargs) + self.identity_provider = identity_provider + self.protocol = protocol + + @classmethod + def get_options(cls): + options = super(FederatedBaseAuth, cls).get_options() + + options.extend([ + cfg.StrOpt('identity-provider', + help="Identity Provider's name"), + cfg.StrOpt('protocol', + help='Protocol for federated plugin'), + ]) + + return options + + @property + def federated_token_url(self): + """Full URL where authorization data is sent.""" + values = { + 'host': self.auth_url.rstrip('/'), + 'identity_provider': self.identity_provider, + 'protocol': self.protocol + } + url = ("%(host)s/OS-FEDERATION/identity_providers/" + "%(identity_provider)s/protocols/%(protocol)s/auth") + url = url % values + + return url + + def _get_scoping_data(self): + return {'trust_id': self.trust_id, + 'domain_id': self.domain_id, + 'domain_name': self.domain_name, + 'project_id': self.project_id, + 'project_name': self.project_name, + 'project_domain_id': self.project_domain_id, + 'project_domain_name': self.project_domain_name} + + def get_auth_ref(self, session, **kwargs): + """Authenticate retrieve token information. + + This is a multi-step process where a client does federated authn + receives an unscoped token. + + If an unscoped token is successfully received and scoping information + is present then the token is rescoped to that target. + + :param session: a session object to send out HTTP requests. + :type session: keystoneclient.session.Session + + :returns: a token data representation + :rtype: :py:class:`keystoneclient.access.AccessInfo` + + """ + auth_ref = self.get_unscoped_auth_ref(session) + scoping = self._get_scoping_data() + + if any(scoping.values()): + token_plugin = self.rescoping_plugin(self.auth_url, + token=auth_ref.auth_token, + **scoping) + + auth_ref = token_plugin.get_auth_ref(session) + + return auth_ref + + @abc.abstractmethod + def get_unscoped_auth_ref(self, session, **kwargs): + """Fetch unscoped federated token.""" |