path: root/keystoneclient/auth
Commit message (Author, Age, Files, Lines)
* Docstrings should have :returns: everywhere. (Marek Denis, 2014-10-15, 1 file, -1/+1)
|   Some of the docstrings have ``:return:`` instead of ``:returns:`` keyword. This patch fixes that and makes it consistent.
|   Change-Id: I4321a63798ab9e2abdf0bbd716bf2b995be22ba3
* Versioned Endpoint hack for Sessions (Jamie Lennox, 2014-09-16, 1 file, -1/+8)
|   To maintain compatibility we must allow people to specify a versioned URL in the service catalog but allow the plugins to return a different URL to users. We need this to be a general approach as other services will likely have a similar problem with their catalog. The expectation here is that a client will register the catalog hack at import time rather than for every request.
|   Closes-Bug: #1335726
|   Change-Id: I244f0ec3acca39fd1b2a2c5883abc06ec10eddc7
* Merge "Pass kwargs to auth plugins" (Jenkins, 2014-09-13, 1 file, -2/+6)
|\
| * Pass kwargs to auth plugins (Jose Castro Leon, 2014-09-11, 1 file, -2/+6)
| |   Auth plugins must sometimes affect the Headers and other portions of the network setup. Examples: Kerberos needs to set the negotiate header. X509 to provide the client certificate. This change makes that capability available to the Auth plugins. Those plugins will live in separate repositories. There are no dependent patches for it in this repository. This was split out by Adam Young from the Kerberos Client patch written by Jose Castro Leon
| |   Change-Id: Iab7287888e4b3f199b9035c1a24ac43639b5027b
* | Merge "fix typos" (Jenkins, 2014-09-11, 1 file, -1/+1)
|\ \
| * | fix typos (Dolph Mathews, 2014-09-08, 1 file, -1/+1)
| | |   Change-Id: Ia850e62fe4c888365f5031cc8b7c7ad526600222
* | | Merge "Version independent plugins" (Jenkins, 2014-09-11, 5 files, -5/+342)
|\ \ \
| * | | Version independent plugins (Jamie Lennox, 2014-09-03, 5 files, -5/+342)
| |/ /
| | |   A Framework for creating plugins that work across identity versions. Upon creating a generic plugin the plugin will go and discover what versions are available on the server and then attempt to construct a suitable plugin.
| | |   Blueprint: version-independant-plugins
| | |   Change-Id: If7fed94aaf4636e80a9c3a834cf6c5430f20e489
* | | Merge "Allow passing None for username in v2.Password" (Jenkins, 2014-09-11, 1 file, -3/+11)
|\ \ \
| * | | Allow passing None for username in v2.Password (Jamie Lennox, 2014-08-26, 1 file, -3/+11)
| | | |   None must be an acceptable parameter for username in password due to tests in other libraries, however we should still raise an error if neither username nor user_id is passed. Use and check a sentinel value instead of None.
| | | |   Change-Id: Id61cfd1423afa8f9dd964fda278f4fab40887512
| | | |   Closes-Bug: #1361444
* | | | Merge "Distinguish between name not provided and incorrect" (Jenkins, 2014-09-10, 1 file, -3/+2)
|\ \ \ \
| |_|_|/
|/| | |
| * | | Distinguish between name not provided and incorrect (Jamie Lennox, 2014-08-21, 1 file, -3/+2)
| | | |   When loading from config we need a way to determine if a plugin name was specified incorrectly or was not specified at all. We need this to determine if we need to load a fallback plugin. This is much more in line with how CLI loading works and how it should have worked initially.
| | | |   Change-Id: I5547b6e169abc4f1850ff205a8f054a617785c2c
| | | |   Closes-Bug: #1359618
* | | | Merge "Handle invalidate in identity plugins correctly" (Jenkins, 2014-09-09, 1 file, -2/+5)
|\ \ \ \
| |_|_|/
|/| | |
| * | | Handle invalidate in identity plugins correctly (Jamie Lennox, 2014-08-07, 1 file, -2/+5)
| | | |   Returning a True from the invalidate() call means that something has changed within the plugin and the session should reissue the request and expect the plugin to authenticate itself. This means we should only return True if something actually changed, because re-issuing the request if there was no auth_ref will not change the outcome.
| | | |   Change-Id: I012dacc93b1fcaee31d31a49e95db5a38044f211
* | | | Allow providing a default value to CLI loading (Jamie Lennox, 2014-08-21, 1 file, -8/+19)
| |_|/
|/| | |
| | |   Allow users to specify a default value to loading auth plugins from the CLI so that you can fall back to some default behaviour if the user doesn't specify a plugin.
| | |   Change-Id: I44eb838f7ccc3b377dd1ba53dbb941e973e4a22e
* | | Allow unauthenticated discovery (Jamie Lennox, 2014-08-21, 1 file, -3/+9)
| |/
|/|
| |   The default state for session requests is that if there is an auth plugin available then it should include a token in any requests. This is a problem for cases where it is the authentication plugin itself trying to do discovery (like in the case of version independent plugins) because you end up in an infinite loop. Allow controlling the authenticated parameter on discovery requests.
| |   Closes-Bug: #1359457
| |   Change-Id: Ib5ab0a3a30fe79139b7b5dcaae698438281b6d36
* | Merge "Fix handling of deprecated opts in CLI" (Jenkins, 2014-08-20, 1 file, -6/+13)
|\ \
| * | Fix handling of deprecated opts in CLI (Jamie Lennox, 2014-08-20, 1 file, -6/+13)
| | |   Deprecated opts are supposed to be accessible via the CLI in a similar way as they are available via CONF. Currently these values are ignored. Add CLI flags for all the deprecated opts as well.
| | |   Change-Id: If5f23c7b30a0cacda893a5e3150bc6bdb95f3693
* | | Merge "Allow passing user_id to v2Password plugin" (Jenkins, 2014-08-20, 1 file, -3/+23)
|\ \ \
| |/ /
|/| |
| * | Allow passing user_id to v2Password plugin (Jamie Lennox, 2014-08-15, 1 file, -3/+23)
| | |   Whilst this is undocumented it is supported by keystone and relied upon by other services.
| | |   Change-Id: Idf8be75e2e0b275d9c9840082079100dd13a70ff
* | | Make auth plugins dest save to os_ (Jamie Lennox, 2014-08-15, 1 file, -2/+2)
|/ /
| |   If the auth plugin saves into the normal namespace like .user_id and user_id is an argument of the command then the two arguments collide with each other. This is fairly common, particularly in keystoneclient's shell. There is a little bit of a compatibility concern in that the variables on the returned namespace have changed, however the usage of this function should be if you use register_argparse_arguments you should also use load_from_argparse_arguments and that is not changed.
| |   Change-Id: Id1cb0983a1e78661492acd78ad9aa67ff8d49250
* | Merge "Allow registering individual plugin CONF options" (Jenkins, 2014-08-14, 2 files, -10/+33)
|\ \
| * | Allow registering individual plugin CONF options (Jamie Lennox, 2014-08-13, 2 files, -10/+33)
| | |   Give plugins some more flexibility in registering their own CONF options.
| | |   Change-Id: Id6d47e59e96b7b42c04cecdd53c13a887f60c75b
* | | Merge "Individual plugin CLI registering" (Jenkins, 2014-08-14, 2 files, -30/+57)
|\ \ \
| |/ /
| * | Individual plugin CLI registering (Jamie Lennox, 2014-08-08, 2 files, -30/+57)
| |/
| |   Split the functions that load the auth plugins from CLI so that they can be used on a specific plugin. The intention here is to be able to turn the existing authentication options in shells into a new auth plugin and have that be loadable rather than maintain separate paths through the shells.
| |   Change-Id: I3dd5a8ed183d843246b1add3dfbf591ba4e2f94c
* | Merge "Mark auth plugin options as secret" (Jenkins, 2014-08-08, 3 files, -5/+9)
|\ \
| * | Mark auth plugin options as secret (Jamie Lennox, 2014-08-07, 3 files, -5/+9)
| |/
| |   By marking the options as secret they don't get printed out in things like the debug log when loading the application.
| |   Change-Id: Iadab479a896bc4b1682ee8d207cc50a01dca8255
* | Isolate get_discovery function (Jamie Lennox, 2014-08-07, 1 file, -20/+43)
|/
|   When we get to having version independent identity plugins they need to be able to share the discovery cache with the session. This function should therefore be reusable rather than making the cache on the session public.
|   DocImpact: Adds a new get_discovery function to identity plugins. This function is expected to be used by subclasses doing custom URL discovery rather than users.
|   Blueprint: version-independant-plugins
|   Change-Id: I769b4e2cd59a4dd167c4dcd8f14641081f867a71
* Control identity plugin reauthentication (Jamie Lennox, 2014-08-04, 3 files, -7/+40)
|   Identity plugins will by default re-authenticate themselves if they are about to expire. This is generally correct however there are times where this re-authentication doesn't make sense and we should be able to prevent it.
|   Closes-Bug: #1352051
|   Change-Id: I66b50b1e650501e7f076139895473e8d1791ce27
* Add the 'auth' interface type (Jamie Lennox, 2014-07-25, 3 files, -2/+17)
|   There are certain requests that will always want to be sent to the auth_url. Add a new interface type to the get_endpoint command of the base identity plugin such that if you ask for the 'auth' interface it will give you the auth_url.
|   Implements: blueprint session-auth-endpoint
|   Change-Id: If653970354b919fdd6e80c061611c3aad129c574
* Don't log sensitive auth data (Jamie Lennox, 2014-07-24, 2 files, -2/+7)
|   Add the ability to turn off logging from the session object and then handle logging of auth requests within their own sections. This is a very simplistic ability to completely disable logging. Logging more filtered debugging can be added later. This new ability is utilized in this patch to prevent logging of requests that include passwords. This covers authenticate, password change, and user update requests that include passwords.
|   SecurityImpact
|   Change-Id: I3dabb94ab047e86b8730e73416c1a1c333688489
|   Closes-Bug: #1004114
|   Closes-Bug: #1327019
* Merge "Ensure no double slash in get token URL" (Jenkins, 2014-07-15, 1 file, -1/+1)
|\
| * Ensure no double slash in get token URL (JordanP, 2014-07-04, 1 file, -1/+1)
| |   Before appending a slash to a URL, we should make sure that the url doesn't already have one at the end.
| |   Change-Id: Iff864d9b49cf3e3138f602a2c6615ed742f35698
| |   Closes-Bug: 1337880
* | Merge "Provide an __all__ for auth module" (Jenkins, 2014-07-14, 1 file, -0/+34)
|\ \
| * | Provide an __all__ for auth module (Jamie Lennox, 2014-07-14, 1 file, -0/+34)
| | |   Define the public functions for the auth module. To access actual auth plugins users should still be expected to pull in the right file but this shows the interface most services will need.
| | |   Change-Id: If389c8c0e91166ca46c1766bf5b76ad9d66417b0
* | | Merge "Add invalidate doc string to identity plugin" (Jenkins, 2014-07-14, 1 file, -0/+12)
|\ \ \
| |/ /
|/| |
| * | Add invalidate doc string to identity plugin (Jamie Lennox, 2014-06-25, 1 file, -0/+12)
| |/
| |   This was simply copied and pasted from the abstract method it overrides.
| |   Change-Id: Ica349e7302434be43e08fc272e8fce5699553d9a
* | Allow loading auth plugins from CLI (Jamie Lennox, 2014-07-07, 1 file, -0/+93)
| |   With a standard definition of auth plugin options we should be able to load and use those plugins from command line applications. Provide a mechanism to register argparse parameters and load from them.
| |   Blueprint: standard-client-params
| |   Change-Id: I5d9904fa885602aaaef7a9e0afd4bd6bbfca3f07
* | Plugin loading from config objects (Jamie Lennox, 2014-07-07, 6 files, -0/+265)
|/
|   Provide a pattern for auth plugins to load themselves from a config object. The first user of this will be auth_token middleware however it is not likely to be the only user. By doing this in an exportable way we are defining a single config file format for specifying how to load a plugin for all services. We also provide a standard way of retrieving a plugin's options for loading via other mechanisms.
|   Blueprint: standard-client-params
|   Change-Id: I353b26a1ffc04a20666e76f5bd2f1e6d7c19a22d
* Merge "Unversioned endpoints in service catalog" (Jenkins, 2014-06-25, 1 file, -9/+55)
|\
| * Unversioned endpoints in service catalog (Jamie Lennox, 2014-06-23, 1 file, -9/+55)
| |   If you pass a version number to the endpoint_filter then an identity plugin will make a request to the URL in the service catalog and find an appropriate URL for the requested version. It caches the response to each of the discovery queries so that it should only query once per URL. This will only work for applications that create session objects directly as the legacy model does not use the get_endpoint features of an identity plugin. This change showed an inconsistency in the docstrings between discovery and the usage of discovery so the docstring was fixed.
| |   Blueprint: endpoint-version-query
| |   Change-Id: I277f2f6ad6c8cd44f1a9c06cf07d62bc8f8b383b
* | Merge "Update keystoneclient code to account for hacking 0.9.2" (Jenkins, 2014-06-24, 2 files, -0/+2)
|\ \
| |/
|/|
| * Update keystoneclient code to account for hacking 0.9.2 (Steve Martinelli, 2014-06-19, 2 files, -0/+2)
| |   Fixed most of the errors reported back from hacking 0.9.2. Specifically:
| |   - E128 continuation line under-indented for visual indent
| |   - E251 unexpected spaces around keyword / parameter equals
| |   - E265 block comment should start with '# '
| |   - H305 imports not grouped correctly
| |   - H307 like imports should be grouped together
| |   - H402 one line docstring needs punctuation
| |   - H904 Wrap long lines in parentheses instead of a backslash
| |   But opted to ignore the following for now:
| |   - E122: continuation line missing indentation or outdented
| |   - H405: multi line docstring summary not separated with an empty line
| |   Change-Id: Ib8e698d85fd598fa91435538657361a1f695ce89
* | Rename v3._AuthConstructor to v3.AuthConstructor (Marek Denis, 2014-06-19, 1 file, -4/+4)
|/
|   Since more auth plugins depending on v3._AuthConstructor are created in separated modules, this class should no longer be named as it was private. Auth plugins using v3._AuthConstructor currently are:
|   - SAML2 auth plugin (under review)
|   - oAuth auth plugin (merged with basecode)
|   Change-Id: Ia097941a465a972dc7ca177a74c8fb8d21d219e6
* Add service_name to URL discovery (Jamie Lennox, 2014-06-11, 2 files, -2/+6)
|   The catalog was recently enhanced to allow filtering based on the service_name so this should be passed on to endpoint filtering.
|   Change-Id: If08fcdba9719f6aacdcbbb6b951117f4f544f9ca
* Merge "Remove _factory methods from auth plugins" (Jenkins, 2014-06-10, 2 files, -54/+0)
|\
| * Remove _factory methods from auth plugins (Jamie Lennox, 2014-06-09, 2 files, -54/+0)
| |   This was a simple factory that would give compatibility for the existing client to load up the appropriate auth plugin. A more robust plugin loading mechanism is coming for this and having it available encourages other auth plugins that they should be using that where they shouldn't. Just remove it from the auth plugin class. It shouldn't be used by anyone else so let's keep it on the client objects.
| |   Blueprint: plugin-params
| |   Change-Id: I0618b646f302300d41c7dd7153a1c0bdc237a745
* | Merge "Add endpoint handling to Token/Endpoint auth" (Jenkins, 2014-06-10, 1 file, -0/+8)
|\ \
| |/
|/|
| * Add endpoint handling to Token/Endpoint auth (Jamie Lennox, 2014-05-28, 1 file, -0/+8)
| |   This auth plugin was initially created before get_endpoint was available. Implement the get_endpoint method so that we can use the plugin with relative URLs.
| |   Closes-Bug: #1323926
| |   Change-Id: Ic868f509e708ad29faf86ec5ceeab2a9c98a24fc
* | Remove left over vim headers (Jamie Lennox, 2014-05-28, 2 files, -4/+0)
|/
|   These files were being added at the time when the comments were removed from the rest of the project.
|   Change-Id: I5ece3ee3f7ce02ffd3914c644a2b99fc84c3f31c