Diffstat (limited to 'keystone-moon/keystone/auth/plugins')
-rw-r--r--keystone-moon/keystone/auth/plugins/core.py5
-rw-r--r--keystone-moon/keystone/auth/plugins/external.py85
-rw-r--r--keystone-moon/keystone/auth/plugins/mapped.py62
-rw-r--r--keystone-moon/keystone/auth/plugins/oauth1.py6
-rw-r--r--keystone-moon/keystone/auth/plugins/password.py5
-rw-r--r--keystone-moon/keystone/auth/plugins/saml2.py3
-rw-r--r--keystone-moon/keystone/auth/plugins/token.py4
7 files changed, 38 insertions, 132 deletions
diff --git a/keystone-moon/keystone/auth/plugins/core.py b/keystone-moon/keystone/auth/plugins/core.py
index 96a5ecf8..bcad27e5 100644
--- a/keystone-moon/keystone/auth/plugins/core.py
+++ b/keystone-moon/keystone/auth/plugins/core.py
@@ -21,6 +21,7 @@ import six
from keystone.common import dependency
from keystone import exception
+
CONF = cfg.CONF
LOG = log.getLogger(__name__)
@@ -51,7 +52,7 @@ def convert_method_list_to_integer(methods):
method_ints = []
for method in methods:
- for k, v in six.iteritems(method_map):
+ for k, v in method_map.items():
if v == method:
method_ints.append(k)
return sum(method_ints)
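Review bot: The inner loop on the `+` line still scans the whole method_map for every requested method, so the lookup is O(methods × map); if method names are unique in the map (I cannot see construct_method_map_from_config here), inverting it once with `method_by_name = {v: k for k, v in method_map.items()}` and then `method_ints = [method_by_name[m] for m in methods if m in method_by_name]` replaces the nested loops. If duplicate names are possible the current behaviour of summing every matching key must be kept. convert_method_list_to_integer's header is outside the hunk.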
@@ -71,7 +72,7 @@ def convert_integer_to_method_list(method_int):
method_map = construct_method_map_from_config()
method_ints = []
- for k, v in six.iteritems(method_map):
+ for k, v in method_map.items():
method_ints.append(k)
method_ints.sort(reverse=True)
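Review bot: The loop on the `+` line binds `v` but never uses it, so iterating the `.items()` view is the wrong choice; `method_ints = sorted(method_map, reverse=True)` replaces the empty-list initialisation, the loop and the sort in one statement, or at minimum `for k in method_map:`. The same pattern in the hunk above is fine because `v` is compared there. convert_integer_to_method_list's body continues past the hunk.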
diff --git a/keystone-moon/keystone/auth/plugins/external.py b/keystone-moon/keystone/auth/plugins/external.py
index 2322649f..cabe6282 100644
--- a/keystone-moon/keystone/auth/plugins/external.py
+++ b/keystone-moon/keystone/auth/plugins/external.py
@@ -23,7 +23,6 @@ from keystone import auth
from keystone.common import dependency
from keystone import exception
from keystone.i18n import _
-from keystone.openstack.common import versionutils
CONF = cfg.CONF
@@ -31,9 +30,6 @@ CONF = cfg.CONF
@six.add_metaclass(abc.ABCMeta)
class Base(auth.AuthMethodHandler):
-
- method = 'external'
-
def authenticate(self, context, auth_info, auth_context):
"""Use REMOTE_USER to look up the user in the identity backend.
@@ -96,91 +92,10 @@ class Domain(Base):
return user_ref
-@dependency.requires('assignment_api', 'identity_api')
class KerberosDomain(Domain):
"""Allows `kerberos` as a method."""
- method = 'kerberos'
-
def _authenticate(self, remote_user, context):
auth_type = context['environment'].get('AUTH_TYPE')
if auth_type != 'Negotiate':
raise exception.Unauthorized(_("auth_type is not Negotiate"))
return super(KerberosDomain, self)._authenticate(remote_user, context)
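Review bot: Removing `@dependency.requires('assignment_api', 'identity_api')` from KerberosDomain leaves it relying on whatever Domain declares, and Domain's definition is outside this hunk; confirm Domain carries the `identity_api`/`resource_api` providers that the inherited `_authenticate` reached via `super()` uses, otherwise the attribute is missing at request time. The `AUTH_TYPE` check on the lines above correctly fails closed for anything other than `Negotiate`, but `_authenticate` has no docstring; `"""Reject the request unless the WSGI environment reports AUTH_TYPE 'Negotiate', then defer to Domain._authenticate."""` would make that contract explicit.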
-
-
-class ExternalDefault(DefaultDomain):
- """Deprecated. Please use keystone.auth.external.DefaultDomain instead."""
-
- @versionutils.deprecated(
- as_of=versionutils.deprecated.ICEHOUSE,
- in_favor_of='keystone.auth.external.DefaultDomain',
- remove_in=+1)
- def __init__(self):
- super(ExternalDefault, self).__init__()
-
-
-class ExternalDomain(Domain):
- """Deprecated. Please use keystone.auth.external.Domain instead."""
-
- @versionutils.deprecated(
- as_of=versionutils.deprecated.ICEHOUSE,
- in_favor_of='keystone.auth.external.Domain',
- remove_in=+1)
- def __init__(self):
- super(ExternalDomain, self).__init__()
-
-
-@dependency.requires('identity_api')
-class LegacyDefaultDomain(Base):
- """Deprecated. Please use keystone.auth.external.DefaultDomain instead.
-
- This plugin exists to provide compatibility for the unintended behavior
- described here: https://bugs.launchpad.net/keystone/+bug/1253484
-
- """
-
- @versionutils.deprecated(
- as_of=versionutils.deprecated.ICEHOUSE,
- in_favor_of='keystone.auth.external.DefaultDomain',
- remove_in=+1)
- def __init__(self):
- super(LegacyDefaultDomain, self).__init__()
-
- def _authenticate(self, remote_user, context):
- """Use remote_user to look up the user in the identity backend."""
- # NOTE(dolph): this unintentionally discards half the REMOTE_USER value
- names = remote_user.split('@')
- username = names.pop(0)
- domain_id = CONF.identity.default_domain_id
- user_ref = self.identity_api.get_user_by_name(username, domain_id)
- return user_ref
-
-
-@dependency.requires('identity_api', 'resource_api')
-class LegacyDomain(Base):
- """Deprecated. Please use keystone.auth.external.Domain instead."""
-
- @versionutils.deprecated(
- as_of=versionutils.deprecated.ICEHOUSE,
- in_favor_of='keystone.auth.external.Domain',
- remove_in=+1)
- def __init__(self):
- super(LegacyDomain, self).__init__()
-
- def _authenticate(self, remote_user, context):
- """Use remote_user to look up the user in the identity backend.
-
- If remote_user contains an `@` assume that the substring before the
- rightmost `@` is the username, and the substring after the @ is the
- domain name.
- """
- names = remote_user.rsplit('@', 1)
- username = names.pop(0)
- if names:
- domain_name = names[0]
- domain_ref = self.resource_api.get_domain_by_name(domain_name)
- domain_id = domain_ref['id']
- else:
- domain_id = CONF.identity.default_domain_id
- user_ref = self.identity_api.get_user_by_name(username, domain_id)
- return user_ref
diff --git a/keystone-moon/keystone/auth/plugins/mapped.py b/keystone-moon/keystone/auth/plugins/mapped.py
index abf44481..220ff013 100644
--- a/keystone-moon/keystone/auth/plugins/mapped.py
+++ b/keystone-moon/keystone/auth/plugins/mapped.py
@@ -13,14 +13,13 @@
import functools
from oslo_log import log
-from oslo_serialization import jsonutils
from pycadf import cadftaxonomy as taxonomy
from six.moves.urllib import parse
from keystone import auth
from keystone.auth import plugins as auth_plugins
from keystone.common import dependency
-from keystone.contrib import federation
+from keystone.contrib.federation import constants as federation_constants
from keystone.contrib.federation import utils
from keystone import exception
from keystone.i18n import _
@@ -33,8 +32,8 @@ LOG = log.getLogger(__name__)
METHOD_NAME = 'mapped'
-@dependency.requires('assignment_api', 'federation_api', 'identity_api',
- 'token_provider_api')
+@dependency.requires('federation_api', 'identity_api',
+ 'resource_api', 'token_provider_api')
class Mapped(auth.AuthMethodHandler):
def _get_token_ref(self, auth_payload):
@@ -44,7 +43,7 @@ class Mapped(auth.AuthMethodHandler):
token_data=response)
def authenticate(self, context, auth_payload, auth_context):
- """Authenticate mapped user and return an authentication context.
+ """Authenticate mapped user and set an authentication context.
:param context: keystone's request context
:param auth_payload: the content of the authentication for a
@@ -66,7 +65,7 @@ class Mapped(auth.AuthMethodHandler):
self.token_provider_api)
else:
handle_unscoped_token(context, auth_payload, auth_context,
- self.assignment_api, self.federation_api,
+ self.resource_api, self.federation_api,
self.identity_api)
@@ -101,12 +100,12 @@ def handle_scoped_token(context, auth_payload, auth_context, token_ref,
auth_context['user_id'] = user_id
auth_context['group_ids'] = group_ids
- auth_context[federation.IDENTITY_PROVIDER] = identity_provider
- auth_context[federation.PROTOCOL] = protocol
+ auth_context[federation_constants.IDENTITY_PROVIDER] = identity_provider
+ auth_context[federation_constants.PROTOCOL] = protocol
def handle_unscoped_token(context, auth_payload, auth_context,
- assignment_api, federation_api, identity_api):
+ resource_api, federation_api, identity_api):
def is_ephemeral_user(mapped_properties):
return mapped_properties['user']['type'] == utils.UserType.EPHEMERAL
@@ -115,8 +114,9 @@ def handle_unscoped_token(context, auth_payload, auth_context,
identity_provider, protocol):
auth_context['user_id'] = user['id']
auth_context['group_ids'] = mapped_properties['group_ids']
- auth_context[federation.IDENTITY_PROVIDER] = identity_provider
- auth_context[federation.PROTOCOL] = protocol
+ auth_context[federation_constants.IDENTITY_PROVIDER] = (
+ identity_provider)
+ auth_context[federation_constants.PROTOCOL] = protocol
def build_local_user_context(auth_context, mapped_properties):
user_info = auth_plugins.UserAuthInfo.create(mapped_properties,
@@ -139,17 +139,15 @@ def handle_unscoped_token(context, auth_payload, auth_context,
user_id = None
try:
- mapped_properties = apply_mapping_filter(
- identity_provider, protocol, assertion, assignment_api,
+ mapped_properties, mapping_id = apply_mapping_filter(
+ identity_provider, protocol, assertion, resource_api,
federation_api, identity_api)
if is_ephemeral_user(mapped_properties):
user = setup_username(context, mapped_properties)
user_id = user['id']
group_ids = mapped_properties['group_ids']
- mapping = federation_api.get_mapping_from_idp_and_protocol(
- identity_provider, protocol)
- utils.validate_groups_cardinality(group_ids, mapping['id'])
+ utils.validate_groups_cardinality(group_ids, mapping_id)
build_ephemeral_user_context(auth_context, user,
mapped_properties,
identity_provider, protocol)
@@ -182,32 +180,29 @@ def extract_assertion_data(context):
def apply_mapping_filter(identity_provider, protocol, assertion,
- assignment_api, federation_api, identity_api):
+ resource_api, federation_api, identity_api):
idp = federation_api.get_idp(identity_provider)
- utils.validate_idp(idp, assertion)
- mapping = federation_api.get_mapping_from_idp_and_protocol(
- identity_provider, protocol)
- rules = jsonutils.loads(mapping['rules'])
- LOG.debug('using the following rules: %s', rules)
- rule_processor = utils.RuleProcessor(rules)
- mapped_properties = rule_processor.process(assertion)
+ utils.validate_idp(idp, protocol, assertion)
+
+ mapped_properties, mapping_id = federation_api.evaluate(
+ identity_provider, protocol, assertion)
# NOTE(marek-denis): We update group_ids only here to avoid fetching
# groups identified by name/domain twice.
# NOTE(marek-denis): Groups are translated from name/domain to their
# corresponding ids in the auth plugin, as we need information what
- # ``mapping_id`` was used as well as idenity_api and assignment_api
+ # ``mapping_id`` was used as well as idenity_api and resource_api
# objects.
group_ids = mapped_properties['group_ids']
utils.validate_groups_in_backend(group_ids,
- mapping['id'],
+ mapping_id,
identity_api)
group_ids.extend(
utils.transform_to_group_ids(
- mapped_properties['group_names'], mapping['id'],
- identity_api, assignment_api))
+ mapped_properties['group_names'], mapping_id,
+ identity_api, resource_api))
mapped_properties['group_ids'] = list(set(group_ids))
- return mapped_properties
+ return mapped_properties, mapping_id
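Review bot: The new `return mapped_properties, mapping_id` changes apply_mapping_filter's contract, yet the function still has no docstring; add one stating that it validates the IdP/protocol pair against the assertion, evaluates the mapping through `federation_api.evaluate`, resolves group names to ids, and returns the `(mapped_properties, mapping_id)` tuple that handle_unscoped_token now unpacks. The rewritten comment line `# ``mapping_id`` was used as well as idenity_api and resource_api` carries the old typo forward; it should read `identity_api`. `idp` is now used only by `utils.validate_idp`, which is worth a word in that docstring.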
def setup_username(context, mapped_properties):
@@ -241,12 +236,17 @@ def setup_username(context, mapped_properties):
user_name = user.get('name') or context['environment'].get('REMOTE_USER')
if not any([user_id, user_name]):
- raise exception.Unauthorized(_("Could not map user"))
+ msg = _("Could not map user while setting ephemeral user identity. "
+ "Either mapping rules must specify user id/name or "
+ "REMOTE_USER environment variable must be set.")
+ raise exception.Unauthorized(msg)
elif not user_name:
user['name'] = user_id
elif not user_id:
- user['id'] = parse.quote(user_name)
+ user_id = user_name
+
+ user['id'] = parse.quote(user_id)
return user
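Review bot: Moving `user['id'] = parse.quote(user_id)` out of the `elif` applies URL-quoting to every user id, including one already supplied by the mapping output (user_id is assigned above the hunk, so this is inferred); previously only an id derived from user_name was quoted. If mapping rules can emit ids containing characters that `parse.quote` rewrites, the id of such a federated user changes with this commit, which matters for anything keyed on that id, so either keep the old `elif not user_id:` scope or state the intended change in the commit message. The `if not any([user_id, user_name])` test also reads more directly as `if not (user_id or user_name):`.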
diff --git a/keystone-moon/keystone/auth/plugins/oauth1.py b/keystone-moon/keystone/auth/plugins/oauth1.py
index 2f1cc2fa..e081cd62 100644
--- a/keystone-moon/keystone/auth/plugins/oauth1.py
+++ b/keystone-moon/keystone/auth/plugins/oauth1.py
@@ -29,15 +29,9 @@ LOG = log.getLogger(__name__)
@dependency.requires('oauth_api')
class OAuth(auth.AuthMethodHandler):
-
- method = 'oauth1'
-
def authenticate(self, context, auth_info, auth_context):
"""Turn a signed request with an access key into a keystone token."""
- if not self.oauth_api:
- raise exception.Unauthorized(_('%s not supported') % self.method)
-
headers = context['headers']
oauth_headers = oauth.get_oauth_headers(headers)
access_token_id = oauth_headers.get('oauth_token')
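Review bot: Deleting the `if not self.oauth_api:` guard removes the only request-time check that the OAuth provider is wired in; with `@dependency.requires('oauth_api')` this is presumably resolved when the handler is created, but confirm the dependency framework fails loudly at startup rather than leaving the attribute unset, since the calls that follow `access_token_id` (outside the hunk) would otherwise surface as an AttributeError instead of the clean Unauthorized the old code raised. OAuth.authenticate's body continues past the hunk.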
diff --git a/keystone-moon/keystone/auth/plugins/password.py b/keystone-moon/keystone/auth/plugins/password.py
index c5770445..16492a32 100644
--- a/keystone-moon/keystone/auth/plugins/password.py
+++ b/keystone-moon/keystone/auth/plugins/password.py
@@ -20,6 +20,7 @@ from keystone.common import dependency
from keystone import exception
from keystone.i18n import _
+
METHOD_NAME = 'password'
LOG = log.getLogger(__name__)
@@ -28,11 +29,9 @@ LOG = log.getLogger(__name__)
@dependency.requires('identity_api')
class Password(auth.AuthMethodHandler):
- method = METHOD_NAME
-
def authenticate(self, context, auth_payload, auth_context):
"""Try to authenticate against the identity backend."""
- user_info = auth_plugins.UserAuthInfo.create(auth_payload, self.method)
+ user_info = auth_plugins.UserAuthInfo.create(auth_payload, METHOD_NAME)
# FIXME(gyee): identity.authenticate() can use some refactoring since
# all we care is password matches
diff --git a/keystone-moon/keystone/auth/plugins/saml2.py b/keystone-moon/keystone/auth/plugins/saml2.py
index 744f26a9..cf7a8a50 100644
--- a/keystone-moon/keystone/auth/plugins/saml2.py
+++ b/keystone-moon/keystone/auth/plugins/saml2.py
@@ -23,5 +23,4 @@ This plugin subclasses mapped.Mapped, and may be specified in keystone.conf:
class Saml2(mapped.Mapped):
-
- method = 'saml2'
+ pass
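Review bot: A class whose entire body is `pass` is better served by a docstring, which is a valid body on its own and tells the reader why the subclass exists; replace the `+` line with `"""SAML2 authentication; all behaviour is inherited from mapped.Mapped."""`, in line with the module docstring quoted in the hunk header.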
diff --git a/keystone-moon/keystone/auth/plugins/token.py b/keystone-moon/keystone/auth/plugins/token.py
index 5ca0b257..069f1140 100644
--- a/keystone-moon/keystone/auth/plugins/token.py
+++ b/keystone-moon/keystone/auth/plugins/token.py
@@ -33,8 +33,6 @@ CONF = cfg.CONF
@dependency.requires('federation_api', 'identity_api', 'token_provider_api')
class Token(auth.AuthMethodHandler):
- method = 'token'
-
def _get_token_ref(self, auth_payload):
token_id = auth_payload['id']
response = self.token_provider_api.validate_token(token_id)
@@ -44,7 +42,7 @@ class Token(auth.AuthMethodHandler):
def authenticate(self, context, auth_payload, user_context):
if 'id' not in auth_payload:
raise exception.ValidationError(attribute='id',
- target=self.method)
+ target='token')
token_ref = self._get_token_ref(auth_payload)
if token_ref.is_federated_user and self.federation_api:
mapped.handle_scoped_token(
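Review bot: `target='token'` on the `+` line hard-codes the method name as a string literal, whereas the password.py hunk in this same commit moves the equivalent value into a module-level `METHOD_NAME` constant; define `METHOD_NAME = 'token'` alongside CONF (outside the hunk) and use `target=METHOD_NAME` so the name is declared once per plugin. Token.authenticate's body continues past the hunk.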