
Member "keystone-17.0.0/keystone/auth/plugins/external.py" (13 May 2020, 3138 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:



    1 # Copyright 2013 OpenStack Foundation
    2 #
    3 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    4 # not use this file except in compliance with the License. You may obtain
    5 # a copy of the License at
    6 #
    7 #      http://www.apache.org/licenses/LICENSE-2.0
    8 #
    9 # Unless required by applicable law or agreed to in writing, software
   10 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
   11 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   12 # License for the specific language governing permissions and limitations
   13 # under the License.
   14 
   15 """Keystone External Authentication Plugins."""
   16 
   17 import abc
   18 
   19 import flask
   20 
   21 from keystone.auth.plugins import base
   22 from keystone.common import provider_api
   23 import keystone.conf
   24 from keystone import exception
   25 from keystone.i18n import _
   26 
   27 
# Keystone configuration handle; this module reads
# CONF.identity.default_domain_id from it.
CONF = keystone.conf.CONF
# Accessor for keystone's provider APIs; this module calls identity_api and
# resource_api through it.
PROVIDERS = provider_api.ProviderAPIs
   30 
   31 
class Base(base.AuthMethodHandler, metaclass=abc.ABCMeta):
    """Shared flow for auth methods that rely on the web server's REMOTE_USER.

    No password, token or other credential is checked in this class. The only
    identity evidence is ``flask.request.remote_user``; subclasses decide in
    which domain that name is looked up.

    NOTE(review): this presumes REMOTE_USER can only be set by the
    authenticating front end and is never derived from client-controlled
    input -- confirm for each deployment.
    """

    def authenticate(self, auth_payload):
        """Resolve REMOTE_USER to a keystone user and return its id.

        :param auth_payload: accepted for the handler interface; not read by
            this implementation.
        :returns: ``base.AuthHandlerResponse`` with ``status=True``, no
            response body, and ``response_data`` holding the ``user_id``.
        :raises keystone.exception.Unauthorized: when no remote user is set,
            or when the subclass lookup raises anything at all.
        """
        if not flask.request.remote_user:
            raise exception.Unauthorized(_('No authenticated user'))

        try:
            matched_user = self._authenticate()
        except Exception:
            # Every failure from the lookup hook is reported as the same
            # Unauthorized, including an Unauthorized raised by a subclass's
            # own checks (its message is replaced by the one below). Nothing
            # is logged at this layer, so a backend outage and an unknown
            # user look alike from here.
            raise exception.Unauthorized(
                _('Unable to lookup user %s') % flask.request.remote_user)

        # Built outside the try block on purpose: a user reference without
        # an 'id' key propagates as-is rather than becoming Unauthorized.
        return base.AuthHandlerResponse(
            status=True,
            response_body=None,
            response_data={'user_id': matched_user['id']})

    @abc.abstractmethod
    def _authenticate(self):
        """Look up the remote user in the identity backend.

        Implementations return a user reference; ``authenticate`` reads its
        ``'id'`` key.
        """
   61 
   62 
class DefaultDomain(Base):
    """External auth that always resolves REMOTE_USER in the default domain.

    REMOTE_DOMAIN is not consulted by this class.
    """

    def _authenticate(self):
        """Return the user named by remote_user in the configured default domain."""
        find_user = PROVIDERS.identity_api.get_user_by_name
        username = flask.request.remote_user
        default_domain_id = CONF.identity.default_domain_id
        return find_user(username, default_domain_id)
   69 
   70 
class Domain(Base):
    """External auth that resolves REMOTE_USER in a front-end-supplied domain."""

    def _authenticate(self):
        """Return the user named by remote_user in the selected domain.

        The domain name is read from the ``REMOTE_DOMAIN`` key of the WSGI
        environ. A missing or empty value selects the configured default
        domain; otherwise the name is resolved to a domain id through the
        resource API.

        NOTE(review): REMOTE_DOMAIN is used exactly as found in the environ.
        This presumes only the authenticating front end can set it, since it
        chooses the domain in which the user is looked up -- confirm for the
        deployment.
        """
        domain_name = flask.request.environ.get('REMOTE_DOMAIN')
        if not domain_name:
            # Absent and empty values both fall back to the default domain.
            domain_id = CONF.identity.default_domain_id
        else:
            domain_ref = PROVIDERS.resource_api.get_domain_by_name(
                domain_name)
            domain_id = domain_ref['id']

        return PROVIDERS.identity_api.get_user_by_name(
            flask.request.remote_user,
            domain_id,
        )
   87 
   88 
class KerberosDomain(Domain):
    """Allows `kerberos` as a method.

    Adds one precondition to ``Domain``: the WSGI environ must report
    ``AUTH_TYPE`` as exactly ``'Negotiate'``.
    """

    def _authenticate(self):
        """Look the user up as ``Domain`` does, but only for Negotiate requests.

        :raises keystone.exception.Unauthorized: when ``AUTH_TYPE`` is
            missing or is anything other than the exact string
            ``'Negotiate'`` (the comparison is case-sensitive).
        """
        auth_type = flask.request.environ.get('AUTH_TYPE')
        if auth_type == 'Negotiate':
            return super()._authenticate()
        # When reached through Base.authenticate, this exception is caught by
        # its broad handler and re-raised as 'Unable to lookup user ...'.
        raise exception.Unauthorized(_("auth_type is not Negotiate"))