From 35ed9ac45deee8ebbf90ea1a47ac311279a12db3 Mon Sep 17 00:00:00 2001 From: asteroide Date: Wed, 26 Jul 2017 14:30:23 +0200 Subject: Add authentication features for interface Change-Id: I722a92784ca0f0dd0f02be9f27ed1bb1e52483be --- moonv4/moon_utilities/Changelog | 7 ++- moonv4/moon_utilities/moon_utilities/__init__.py | 2 +- moonv4/moon_utilities/moon_utilities/auth.py | 76 ++++++++++++++++++++++++ 3 files changed, 83 insertions(+), 2 deletions(-) create mode 100644 moonv4/moon_utilities/moon_utilities/auth.py diff --git a/moonv4/moon_utilities/Changelog b/moonv4/moon_utilities/Changelog index 4857e826..e39a8b53 100644 --- a/moonv4/moon_utilities/Changelog +++ b/moonv4/moon_utilities/Changelog @@ -29,4 +29,9 @@ CHANGES 1.1.1 ----- -- Add a missing requirements \ No newline at end of file +- Add a missing requirements + +1.2.0 +----- +- Add authentication features for interface + diff --git a/moonv4/moon_utilities/moon_utilities/__init__.py b/moonv4/moon_utilities/moon_utilities/__init__.py index 6d434ce7..2c7f8f5c 100644 --- a/moonv4/moon_utilities/moon_utilities/__init__.py +++ b/moonv4/moon_utilities/moon_utilities/__init__.py @@ -3,4 +3,4 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -__version__ = "1.1.1" +__version__ = "1.2.0" diff --git a/moonv4/moon_utilities/moon_utilities/auth.py b/moonv4/moon_utilities/moon_utilities/auth.py new file mode 100644 index 00000000..10dda3ed --- /dev/null +++ b/moonv4/moon_utilities/moon_utilities/auth.py @@ -0,0 +1,76 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import os +import requests +import time +from functools import wraps +from flask import request +from oslo_log import log as logging +from moon_utilities import exceptions, configuration + + +LOG = logging.getLogger(__name__) +KEYSTONE_CONFIG = configuration.get_configuration("openstack/keystone")["openstack/keystone"] +TOKENS = {} + + +def check_token(token, url=None): + _verify = False + if KEYSTONE_CONFIG['certificate']: + _verify = KEYSTONE_CONFIG['certificate'] + try: + os.environ.pop("http_proxy") + os.environ.pop("https_proxy") + except KeyError: + pass + if not url: + url = KEYSTONE_CONFIG['url'] + headers = { + "Content-Type": "application/json", + 'X-Subject-Token': token, + 'X-Auth-Token': token, + } + if KEYSTONE_CONFIG['check_token'].lower() in ("false", "no", "n"): + # TODO (asteroide): must send the admin id + return "admin" if not token else token + if KEYSTONE_CONFIG['check_token'].lower() in ("yes", "y", "true"): + if token in TOKENS: + delta = time.mktime(TOKENS[token]["expires_at"]) - time.mktime(time.gmtime()) + if delta > 0: + return TOKENS[token]["user"] + raise exceptions.KeystoneError + else: + req = requests.get("{}/auth/tokens".format(url), headers=headers, verify=_verify) + if req.status_code in (200, 201): + # Note (asteroide): the time stamps is not in ISO 8601, so it is necessary to delete + # characters after the dot + token_time = req.json().get("token").get("expires_at").split(".") + TOKENS[token] = dict() + TOKENS[token]["expires_at"] = time.strptime(token_time[0], "%Y-%m-%dT%H:%M:%S") + TOKENS[token]["user"] = req.json().get("token").get("user").get("id") + return TOKENS[token]["user"] + LOG.error("{} - {}".format(req.status_code, req.text)) + raise exceptions.KeystoneError + elif KEYSTONE_CONFIG['check_token'].lower() == "strict": + req = requests.head("{}/auth/tokens".format(url), headers=headers, verify=_verify) + if req.status_code in (200, 201): + return token + LOG.error("{} - {}".format(req.status_code, req.text)) + raise exceptions.KeystoneError + raise exceptions.KeystoneError + + +def check_auth(function): + @wraps(function) + def wrapper(*args, **kwargs): + token = request.headers.get('X-Auth-Token') + token = check_token(token) + if not token: + raise exceptions.AuthException + user_id = kwargs.pop("user_id", token) + result = function(*args, **kwargs, user_id=user_id) + return result + return wrapper -- cgit 1.2.3-korg