aboutsummaryrefslogtreecommitdiffstats
path: root/keystonemiddleware-moon/keystonemiddleware/auth_token/_user_plugin.py
blob: 93075c5c14925875eb0db1b10c28760b943a9d5a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from keystoneclient.auth.identity import base as base_identity


class _TokenData(object):
    """An abstraction to show auth_token consumers some of the token contents.

    This is a simplified and cleaned up keystoneclient.access.AccessInfo object
    with which services relying on auth_token middleware can find details of
    the current token.
    """

    def __init__(self, auth_ref):
        self._stored_auth_ref = auth_ref

    @property
    def _is_v2(self):
        return self._stored_auth_ref.version == 'v2.0'

    @property
    def auth_token(self):
        """The token data used to authenticate requests.

        :returns: token data.
        :rtype: str
        """
        return self._stored_auth_ref.auth_token

    @property
    def user_id(self):
        """The user id associated with the authentication request.

        :rtype: str
        """
        return self._stored_auth_ref.user_id

    @property
    def user_domain_id(self):
        """Returns the domain id of the user associated with the authentication
        request.

        :returns: str
        """
        # NOTE(jamielennox): v2 AccessInfo returns 'default' for domain_id
        # because it can't know that value. We want to return None instead.
        if self._is_v2:
            return None

        return self._stored_auth_ref.user_domain_id

    @property
    def project_id(self):
        """The project ID associated with the authentication.

        :rtype: str
        """
        return self._stored_auth_ref.project_id

    @property
    def project_domain_id(self):
        """The domain id of the project associated with the authentication
        request.

        :rtype: str
        """
        # NOTE(jamielennox): v2 AccessInfo returns 'default' for domain_id
        # because it can't know that value. We want to return None instead.
        if self._is_v2:
            return None

        return self._stored_auth_ref.project_domain_id

    @property
    def trust_id(self):
        """Returns the trust id associated with the authentication request..

        :rtype: str
        """
        return self._stored_auth_ref.trust_id

    @property
    def role_ids(self):
        """Role ids of the user associated with the authentication request.

        :rtype: set(str)
        """
        return frozenset(self._stored_auth_ref.role_ids or [])

    @property
    def role_names(self):
        """Role names of the user associated with the authentication request.

        :rtype: set(str)
        """
        return frozenset(self._stored_auth_ref.role_names or [])

    @property
    def _log_format(self):
        roles = ','.join(self.role_names)
        return 'user_id %s, project_id %s, roles %s' % (self.user_id,
                                                        self.project_id,
                                                        roles)


class UserAuthPlugin(base_identity.BaseIdentityPlugin):
    """The incoming authentication credentials.

    A plugin that represents the incoming user credentials. This can be
    consumed by applications.

    This object is not expected to be constructed directly by users. It is
    created and passed by auth_token middleware and then can be used as the
    authentication plugin when communicating via a session.
    """

    def __init__(self, user_auth_ref, serv_auth_ref):
        super(UserAuthPlugin, self).__init__(reauthenticate=False)

        # NOTE(jamielennox): _user_auth_ref and _serv_auth_ref are private
        # because this object ends up in the environ that is passed to the
        # service, however they are used within auth_token middleware.
        self._user_auth_ref = user_auth_ref
        self._serv_auth_ref = serv_auth_ref

        self._user_data = None
        self._serv_data = None

    @property
    def has_user_token(self):
        """Did this authentication request contained a user auth token."""
        return self._user_auth_ref is not None

    @property
    def user(self):
        """Authentication information about the user token.

        Will return None if a user token was not passed with this request.
        """
        if not self.has_user_token:
            return None

        if not self._user_data:
            self._user_data = _TokenData(self._user_auth_ref)

        return self._user_data

    @property
    def has_service_token(self):
        """Did this authentication request contained a service token."""
        return self._serv_auth_ref is not None

    @property
    def service(self):
        """Authentication information about the service token.

        Will return None if a user token was not passed with this request.
        """
        if not self.has_service_token:
            return None

        if not self._serv_data:
            self._serv_data = _TokenData(self._serv_auth_ref)

        return self._serv_data

    def get_auth_ref(self, session, **kwargs):
        # NOTE(jamielennox): We will always use the auth_ref that was
        # calculated by the middleware. reauthenticate=False in __init__ should
        # ensure that this function is only called on the first access.
        return self._user_auth_ref

    @property
    def _log_format(self):
        msg = []

        if self.has_user_token:
            msg.append('user: %s' % self.user._log_format)

        if self.has_service_token:
            msg.append('service: %s' % self.service._log_format)

        return ' '.join(msg)