Source code changes of the file "keystone/api/auth.py" between
keystone-16.0.1.tar.gz and keystone-17.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Ussuri" series (latest release).

auth.py  (keystone-16.0.1):auth.py  (keystone-17.0.0)
skipping to change at line 18 skipping to change at line 18
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
# This file handles all flask-restful resources for /v3/auth # This file handles all flask-restful resources for /v3/auth
import string import string
import flask import flask
import flask_restful import flask_restful
import http.client
from oslo_log import log from oslo_log import log
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
from oslo_utils import strutils from oslo_utils import strutils
from six.moves import http_client import urllib
from six.moves import urllib
import werkzeug.exceptions import werkzeug.exceptions
from keystone.api._shared import authentication from keystone.api._shared import authentication
from keystone.api._shared import json_home_relations from keystone.api._shared import json_home_relations
from keystone.api._shared import saml from keystone.api._shared import saml
from keystone.auth import schema as auth_schema from keystone.auth import schema as auth_schema
from keystone.common import authorization from keystone.common import authorization
from keystone.common import provider_api from keystone.common import provider_api
from keystone.common import rbac_enforcer from keystone.common import rbac_enforcer
from keystone.common import render_token from keystone.common import render_token
skipping to change at line 105 skipping to change at line 105
return host return host
class _AuthFederationWebSSOBase(ks_flask.ResourceBase): class _AuthFederationWebSSOBase(ks_flask.ResourceBase):
@staticmethod @staticmethod
def _render_template_response(host, token_id): def _render_template_response(host, token_id):
with open(CONF.federation.sso_callback_template) as template: with open(CONF.federation.sso_callback_template) as template:
src = string.Template(template.read()) src = string.Template(template.read())
subs = {'host': host, 'token': token_id} subs = {'host': host, 'token': token_id}
body = src.substitute(subs) body = src.substitute(subs)
resp = flask.make_response(body, http_client.OK) resp = flask.make_response(body, http.client.OK)
resp.charset = 'utf-8' resp.charset = 'utf-8'
resp.headers['Content-Type'] = 'text/html' resp.headers['Content-Type'] = 'text/html'
return resp return resp
class AuthProjectsResource(ks_flask.ResourceBase): class AuthProjectsResource(ks_flask.ResourceBase):
collection_key = 'projects' collection_key = 'projects'
member_key = 'project' member_key = 'project'
def get(self): def get(self):
"""Get possible project scopes for token. """Get possible project scopes for token.
skipping to change at line 268 skipping to change at line 268
raise exception.Forbidden() raise exception.Forbidden()
class AuthTokenResource(_AuthFederationWebSSOBase): class AuthTokenResource(_AuthFederationWebSSOBase):
def get(self): def get(self):
"""Validate a token. """Validate a token.
HEAD/GET /v3/auth/tokens HEAD/GET /v3/auth/tokens
""" """
# TODO(morgan): eliminate the check_token action only use validate # TODO(morgan): eliminate the check_token action only use validate
# NOTE(morgan): Well lookie here, we have different enforcements # NOTE(morgan): Well lookie here, we have different enforcements
# for no good reason (historical), because the methods previouslly # for no good reason (historical), because the methods previously
# had to be named different names. Check which method and do the # had to be named different names. Check which method and do the
# correct enforcement. # correct enforcement.
if flask.request.method == 'HEAD': if flask.request.method == 'HEAD':
ENFORCER.enforce_call(action='identity:check_token') ENFORCER.enforce_call(action='identity:check_token')
else: else:
ENFORCER.enforce_call(action='identity:validate_token') ENFORCER.enforce_call(action='identity:validate_token')
token_id = flask.request.headers.get( token_id = flask.request.headers.get(
authorization.SUBJECT_TOKEN_HEADER) authorization.SUBJECT_TOKEN_HEADER)
access_rules_support = flask.request.headers.get( access_rules_support = flask.request.headers.get(
skipping to change at line 290 skipping to change at line 290
allow_expired = strutils.bool_from_string( allow_expired = strutils.bool_from_string(
flask.request.args.get('allow_expired')) flask.request.args.get('allow_expired'))
window_secs = CONF.token.allow_expired_window if allow_expired else 0 window_secs = CONF.token.allow_expired_window if allow_expired else 0
include_catalog = 'nocatalog' not in flask.request.args include_catalog = 'nocatalog' not in flask.request.args
token = PROVIDERS.token_provider_api.validate_token( token = PROVIDERS.token_provider_api.validate_token(
token_id, window_seconds=window_secs, token_id, window_seconds=window_secs,
access_rules_support=access_rules_support) access_rules_support=access_rules_support)
token_resp = render_token.render_token_response_from_model( token_resp = render_token.render_token_response_from_model(
token, include_catalog=include_catalog) token, include_catalog=include_catalog)
resp_body = jsonutils.dumps(token_resp) resp_body = jsonutils.dumps(token_resp)
response = flask.make_response(resp_body, http_client.OK) response = flask.make_response(resp_body, http.client.OK)
response.headers['X-Subject-Token'] = token_id response.headers['X-Subject-Token'] = token_id
response.headers['Content-Type'] = 'application/json' response.headers['Content-Type'] = 'application/json'
return response return response
@ks_flask.unenforced_api @ks_flask.unenforced_api
def post(self): def post(self):
"""Issue a token. """Issue a token.
POST /v3/auth/tokens POST /v3/auth/tokens
""" """
include_catalog = 'nocatalog' not in flask.request.args include_catalog = 'nocatalog' not in flask.request.args
auth_data = self.request_body_json.get('auth') auth_data = self.request_body_json.get('auth')
auth_schema.validate_issue_token_auth(auth_data) auth_schema.validate_issue_token_auth(auth_data)
token = authentication.authenticate_for_token(auth_data) token = authentication.authenticate_for_token(auth_data)
resp_data = render_token.render_token_response_from_model( resp_data = render_token.render_token_response_from_model(
token, include_catalog=include_catalog token, include_catalog=include_catalog
) )
resp_body = jsonutils.dumps(resp_data) resp_body = jsonutils.dumps(resp_data)
response = flask.make_response(resp_body, http_client.CREATED) response = flask.make_response(resp_body, http.client.CREATED)
response.headers['X-Subject-Token'] = token.id response.headers['X-Subject-Token'] = token.id
response.headers['Content-Type'] = 'application/json' response.headers['Content-Type'] = 'application/json'
return response return response
def delete(self): def delete(self):
"""Revoke a token. """Revoke a token.
DELETE /v3/auth/tokens DELETE /v3/auth/tokens
""" """
ENFORCER.enforce_call(action='identity:revoke_token') ENFORCER.enforce_call(action='identity:revoke_token')
token_id = flask.request.headers.get( token_id = flask.request.headers.get(
authorization.SUBJECT_TOKEN_HEADER) authorization.SUBJECT_TOKEN_HEADER)
PROVIDERS.token_provider_api.revoke_token(token_id) PROVIDERS.token_provider_api.revoke_token(token_id)
return None, http_client.NO_CONTENT return None, http.client.NO_CONTENT
class AuthFederationWebSSOResource(_AuthFederationWebSSOBase): class AuthFederationWebSSOResource(_AuthFederationWebSSOBase):
@classmethod @classmethod
def _perform_auth(cls, protocol_id): def _perform_auth(cls, protocol_id):
idps = PROVIDERS.federation_api.list_idps() idps = PROVIDERS.federation_api.list_idps()
remote_id = None remote_id = None
for idp in idps: for idp in idps:
try: try:
remote_id_name = federation_utils.get_remote_id_parameter( remote_id_name = federation_utils.get_remote_id_parameter(
idp, protocol_id) idp, protocol_id)
skipping to change at line 393 skipping to change at line 393
@ks_flask.unenforced_api @ks_flask.unenforced_api
def post(self): def post(self):
"""Exchange a scoped token for a SAML assertion. """Exchange a scoped token for a SAML assertion.
POST /v3/auth/OS-FEDERATION/saml2 POST /v3/auth/OS-FEDERATION/saml2
""" """
auth = self.request_body_json.get('auth') auth = self.request_body_json.get('auth')
validation.lazy_validate(federation_schema.saml_create, auth) validation.lazy_validate(federation_schema.saml_create, auth)
response, service_provider = saml.create_base_saml_assertion(auth) response, service_provider = saml.create_base_saml_assertion(auth)
headers = _build_response_headers(service_provider) headers = _build_response_headers(service_provider)
response = flask.make_response(response.to_string(), http_client.OK) response = flask.make_response(response.to_string(), http.client.OK)
for header, value in headers: for header, value in headers:
response.headers[header] = value response.headers[header] = value
return response return response
class AuthFederationSaml2ECPResource(_AuthFederationWebSSOBase): class AuthFederationSaml2ECPResource(_AuthFederationWebSSOBase):
def get(self): def get(self):
raise werkzeug.exceptions.MethodNotAllowed(valid_methods=['POST']) raise werkzeug.exceptions.MethodNotAllowed(valid_methods=['POST'])
@ks_flask.unenforced_api @ks_flask.unenforced_api
def post(self): def post(self):
skipping to change at line 419 skipping to change at line 419
validation.lazy_validate(federation_schema.saml_create, auth) validation.lazy_validate(federation_schema.saml_create, auth)
saml_assertion, service_provider = saml.create_base_saml_assertion( saml_assertion, service_provider = saml.create_base_saml_assertion(
auth) auth)
relay_state_prefix = service_provider['relay_state_prefix'] relay_state_prefix = service_provider['relay_state_prefix']
generator = keystone_idp.ECPGenerator() generator = keystone_idp.ECPGenerator()
ecp_assertion = generator.generate_ecp( ecp_assertion = generator.generate_ecp(
saml_assertion, relay_state_prefix) saml_assertion, relay_state_prefix)
headers = _build_response_headers(service_provider) headers = _build_response_headers(service_provider)
response = flask.make_response( response = flask.make_response(
ecp_assertion.to_string(), http_client.OK) ecp_assertion.to_string(), http.client.OK)
for header, value in headers: for header, value in headers:
response.headers[header] = value response.headers[header] = value
return response return response
class AuthAPI(ks_flask.APIBase): class AuthAPI(ks_flask.APIBase):
_name = 'auth' _name = 'auth'
_import_name = __name__ _import_name = __name__
resources = [] resources = []
resource_mapping = [ resource_mapping = [
ks_flask.construct_resource_map( ks_flask.construct_resource_map(
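Review bot: The new-side import on the `six.moves` line is a bare `import urllib`, which, unlike the six shim it replaces, does not load the `urllib.parse` submodule; any `urllib.parse.urlparse(...)` call further down this file would then only resolve because some other module happened to import it first. If the module does reference `urllib.parse` (the SSO origin-host helper ending at `return host` is the likely place, but its body is outside the shown hunks), the line should be `import urllib.parse` so the dependency is explicit rather than incidental. The `http_client` to `http.client` substitutions are equivalent and fine. I cannot see the rest of the module, so this should be confirmed against the full file.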
 End of changes. 9 change blocks. 
9 lines changed or deleted 9 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)