| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Some of the docstrings have ``:return:`` instead of ``:returns:``
keyword. This patch fixes that and make it consistent.
Change-Id: I4321a63798ab9e2abdf0bbd716bf2b995be22ba3
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To maintain compatibility we must allow people to specify a versioned
URL in the service catalog but allow the plugins to return a different
URL to users.
We need this to be a general approach as other services will likely have
a similar problem with their catalog.
The expectation here is that a client will register the catalog hack at
import time rather than for every request.
Closes-Bug: #1335726
Change-Id: I244f0ec3acca39fd1b2a2c5883abc06ec10eddc7
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Auth plugins must sometimes affect the Headers and other portions
of the network setup. Examples: Kerberos needs to set the
negotiate header. X509 to provide the client certificate.
This change makes that capability available to the Auth plugins.
Those plugins will live in separate repositories. There are no
dependent patches for it in this repository.
This was split out by Adam Young from the Kerberos Client patch
written by Jose Castro Leon
Change-Id: Iab7287888e4b3f199b9035c1a24ac43639b5027b
|
|\ \ |
|
| | |
| | |
| | |
| | | |
Change-Id: Ia850e62fe4c888365f5031cc8b7c7ad526600222
|
|\ \ \ |
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
A Framework for creating plugins that work across identity versions.
Upon creating a generic plugin the plugin will go and discover what
versions are available on the server and then attemp to construct a
suitable plugin.
Blueprint: version-independant-plugins
Change-Id: If7fed94aaf4636e80a9c3a834cf6c5430f20e489
|
|\ \ \ |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
None must be an acceptable parameter for username in password due to
tests in other libraries, however we should still raise an error if
neither username or user_id is passed. Use and check a sentinel value
instead of None.
Change-Id: Id61cfd1423afa8f9dd964fda278f4fab40887512
Closes-Bug: #1361444
|
|\ \ \ \
| |_|_|/
|/| | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When loading from config we need a way to determine if a plugin name was
specified incorrectly or was not specified at all. We need this to
determine if we need to load a fallback plugin.
This is much more in line with how CLI loading works and how it should
have worked initially.
Change-Id: I5547b6e169abc4f1850ff205a8f054a617785c2c
Closes-Bug: #1359618
|
|\ \ \ \
| |_|_|/
|/| | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Returning a True from the invalidate() call means that something has
changed within the plugin and the session should reissue the request and
expect the plugin to authenticate itself.
This means we should only return True if something actually changed,
because re-issuing the request if there was no auth_ref will not change
the outcome.
Change-Id: I012dacc93b1fcaee31d31a49e95db5a38044f211
|
| |_|/
|/| |
| | |
| | |
| | |
| | |
| | |
| | | |
Allow users to specify a default value to loading auth plugins from the
CLI so that you can fallback to some default behaviour if the user
doesn't specify a plugin.
Change-Id: I44eb838f7ccc3b377dd1ba53dbb941e973e4a22e
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The default state for session requests is that if there is an auth
plugin available then it should include a token in any requests. This is
a problem for cases where it is the authentication plugin itself trying
to do discovery (like in the case of version independent plugins)
because you end up in an infinite loop.
Allow controlling the authenticated parameter on discovery requests.
Closes-Bug: #1359457
Change-Id: Ib5ab0a3a30fe79139b7b5dcaae698438281b6d36
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Deprecated opts are supposed to be accessible via the CLI in a similar
way as they are available via CONF. Currently these values are ignored.
Add CLI flags for all the deprecated opts as well.
Change-Id: If5f23c7b30a0cacda893a5e3150bc6bdb95f3693
|
|\ \ \
| |/ /
|/| | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Whilst this is undocumented it is supported by keystone and relied upon
by other services.
Change-Id: Idf8be75e2e0b275d9c9840082079100dd13a70ff
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If the auth plugin saves into the normal namespace like .user_id and
user_id is an argument of the command then the two argument collide with
each other.
This is fairly common, particularly in keystoneclient's shell.
There is a little bit of a compatibility concern in that the variables
on the returned namespace have changed, however the usage of this
function should be if you use register_argparse_arguments you should
also use load_from_argparse_arguments and that is not changed.
Change-Id: Id1cb0983a1e78661492acd78ad9aa67ff8d49250
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Give plugins some more flexibility in registering there own CONF
options.
Change-Id: Id6d47e59e96b7b42c04cecdd53c13a887f60c75b
|
|\ \ \
| |/ / |
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Split the functions that load the auth plugins from CLI so that they can
be used on a specific plugin. The intention here is to be able to turn
the existing authentication options in shells into a new auth plugin and
have that be loadable rather than maintain separate paths through the
shells.
Change-Id: I3dd5a8ed183d843246b1add3dfbf591ba4e2f94c
|
|\ \ |
|
| |/
| |
| |
| |
| |
| |
| | |
By marking the options as secret they don't get printed out in things
like the debug log when loading the application.
Change-Id: Iadab479a896bc4b1682ee8d207cc50a01dca8255
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we get to having version independent identity plugins they need to
be able to share the discovery cache with the session. This function
should therefore be reusable rather than making the cache on the session
public.
DocImpact: Adds a new get_discovery function to identity plugins. This
function is expected to be used by subclasses doing custom URL discovery
rather than users.
Blueprint: version-independant-plugins
Change-Id: I769b4e2cd59a4dd167c4dcd8f14641081f867a71
|
|
|
|
|
|
|
|
|
|
| |
Identity plugins will by default re-authenticate themselves if they are
about to expire. This is generally correct however there are times where
this re-authentication doesn't make sense and we should be able to
prevent it.
Closes-Bug: #1352051
Change-Id: I66b50b1e650501e7f076139895473e8d1791ce27
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are certain requests that will always want to be sent to the
auth_url.
Add a new interface type to the get_endpoint command of the base
identity plugin such that if you ask for the 'auth' interface it will
give you the auth_url.
Implements: blueprint session-auth-endpoint
Change-Id: If653970354b919fdd6e80c061611c3aad129c574
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the ability to turn off logging from the session object and then
handle logging of auth requests within their own sections. This is a
very simplistic ability to completely disable logging. Logging more
filtered debugging can be added later.
This new ability is utilized in this patch to prevent logging of
requests that include passwords. This covers authenticate, password
change, and user update requests that include passwords.
SecurityImpact
Change-Id: I3dabb94ab047e86b8730e73416c1a1c333688489
Closes-Bug: #1004114
Closes-Bug: #1327019
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Before appending a slash to an URL, we should make sure
that the url doesn't already have one at the end.
Change-Id: Iff864d9b49cf3e3138f602a2c6615ed742f35698
Closes-Bug: 1337880
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Define the public functions for the auth module. To access actual auth
plugins users should still be expected to pull in the right file but
this shows the interface most service will need.
Change-Id: If389c8c0e91166ca46c1766bf5b76ad9d66417b0
|
|\ \ \
| |/ /
|/| | |
|
| |/
| |
| |
| |
| |
| | |
This was simply copied and pasted from the abstract method it overrides.
Change-Id: Ica349e7302434be43e08fc272e8fce5699553d9a
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With a standard definition of auth plugin options we should be able to
load and use those plugins from command line applications. Provide a
mechanism to register argparse parameters and load from them.
Blueprint: standard-client-params
Change-Id: I5d9904fa885602aaaef7a9e0afd4bd6bbfca3f07
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provide a pattern for auth plugins to load themselves from a config
object. The first user of this will be auth_token middleware however it
is not likely to be the only user.
By doing this in an exportable way we are defining a single config file
format for specifying how to load a plugin for all services. We also
provide a standard way of retrieving a plugins options for loading via
other mechanisms.
Blueprint: standard-client-params
Change-Id: I353b26a1ffc04a20666e76f5bd2f1e6d7c19a22d
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If you pass a version number to the endpoint_filter then an identity
plugin will make a request to the URL in the service catalog and find an
appropriate URL for the requested version.
It caches the response to each of the discovery queries so that it
should only query once per URL.
This will only work for applications that create session objects
directly as the legacy model does not use the get_endpoint features of
an identity plugin.
This change showed an inconsistency in the docstrings between discovery
and the usage of discovery so the docstring was fixed.
Blueprint: endpoint-version-query
Change-Id: I277f2f6ad6c8cd44f1a9c06cf07d62bc8f8b383b
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixed most of the errors reported back from hacking 0.9.2.
Specifically:
- E128 continuation line under-indented for visual indent
- E251 unexpected spaces around keyword / parameter equals
- E265 block comment should start with '# '
- H305 imports not grouped correctly
- H307 like imports should be grouped together
- H402 one line docstring needs punctuation
- H904 Wrap long lines in parentheses instead of a backslash
But opted to ignore the following for now:
- E122: continuation line missing indentation or outdented
- H405: multi line docstring summary not separated with an empty line
Change-Id: Ib8e698d85fd598fa91435538657361a1f695ce89
|
|/
|
|
|
|
|
|
|
|
|
|
|
| |
Since more auth plugins depending on v3._AuthConstructor are created
in separated modules, this class should no longer be named as it was
private.
Auth plugins using v3._AuthConstructor currently are:
- SAML2 auth plugin (under review)
- oAuth auth plugin (merged with basecode)
Change-Id: Ia097941a465a972dc7ca177a74c8fb8d21d219e6
|
|
|
|
|
|
|
| |
The catalog was recently enhanced to allow filtering based on the
service_name so this should be passed on to endpoint filtering.
Change-Id: If08fcdba9719f6aacdcbbb6b951117f4f544f9ca
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This was a simple factory that would give compatibility for the existing
client to load up the appropriate auth plugin. A more robust plugin
loading mechanism is coming for this and having it available encourages
other auth plugins that they should be using that where they shouldn't.
Just remove it from the auth plugin class. It shouldn't be used by
anyone else so lets keep it on the client objects.
Blueprint: plugin-params
Change-Id: I0618b646f302300d41c7dd7153a1c0bdc237a745
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This auth plugin was initially created before get_endpoint was
available. Implement the get_endpoint method so that we can use the
plugin with relative URLs.
Closes-Bug: #1323926
Change-Id: Ic868f509e708ad29faf86ec5ceeab2a9c98a24fc
|
|/
|
|
|
|
|
| |
These files were being added at the time when the comments were removed
from the rest of the project.
Change-Id: I5ece3ee3f7ce02ffd3914c644a2b99fc84c3f31c
|