Merge "Kerberos as method name"
This commit is contained in:
commit
95bc069519
@ -453,10 +453,19 @@ class Auth(controller.V3Controller):
|
||||
def authenticate(self, context, auth_info, auth_context):
|
||||
"""Authenticate user."""
|
||||
|
||||
# user has been authenticated externally
|
||||
# The 'external' method allows any 'REMOTE_USER' based authentication
|
||||
if 'REMOTE_USER' in context['environment']:
|
||||
try:
|
||||
external = get_auth_method('external')
|
||||
external.authenticate(context, auth_info, auth_context)
|
||||
except exception.AuthMethodNotSupported:
|
||||
# This will happen there is no 'external' plugin registered
|
||||
# and the container is performing authentication.
|
||||
# The 'kerberos' and 'saml' methods will be used this way.
|
||||
# In those cases, it is correct to not register an
|
||||
# 'external' plugin; if there is both an 'external' and a
|
||||
# 'kerberos' plugin, it would run the check on identity twice.
|
||||
pass
|
||||
|
||||
# need to aggregate the results in case two or more methods
|
||||
# are specified
|
||||
|
@ -96,6 +96,18 @@ class Domain(Base):
|
||||
return user_ref
|
||||
|
||||
|
||||
@dependency.requires('assignment_api', 'identity_api')
|
||||
class KerberosDomain(Domain):
|
||||
"""Allows `kerberos` as a method."""
|
||||
method = 'kerberos'
|
||||
|
||||
def _authenticate(self, remote_user, context):
|
||||
auth_type = context['environment'].get('AUTH_TYPE')
|
||||
if auth_type != 'Negotiate':
|
||||
raise exception.Unauthorized(_("auth_type is not Negotiate"))
|
||||
return super(KerberosDomain, self)._authenticate(remote_user, context)
|
||||
|
||||
|
||||
class ExternalDefault(DefaultDomain):
|
||||
"""Deprecated. Please use keystone.auth.external.DefaultDomain instead."""
|
||||
|
||||
|
@ -1115,7 +1115,7 @@ class RestfulTestCase(tests.SQLDriverOverrides, rest.RestfulTestCase):
|
||||
def build_authentication_request(self, token=None, user_id=None,
|
||||
username=None, user_domain_id=None,
|
||||
user_domain_name=None, password=None,
|
||||
**kwargs):
|
||||
kerberos=False, **kwargs):
|
||||
"""Build auth dictionary.
|
||||
|
||||
It will create an auth dictionary based on all the arguments
|
||||
@ -1123,6 +1123,9 @@ class RestfulTestCase(tests.SQLDriverOverrides, rest.RestfulTestCase):
|
||||
"""
|
||||
auth_data = {}
|
||||
auth_data['identity'] = {'methods': []}
|
||||
if kerberos:
|
||||
auth_data['identity']['methods'].append('kerberos')
|
||||
auth_data['identity']['kerberos'] = {}
|
||||
if token:
|
||||
auth_data['identity']['methods'].append('token')
|
||||
auth_data['identity']['token'] = self.build_token_auth(token)
|
||||
@ -1135,12 +1138,15 @@ class RestfulTestCase(tests.SQLDriverOverrides, rest.RestfulTestCase):
|
||||
return {'auth': auth_data}
|
||||
|
||||
def build_external_auth_request(self, remote_user,
|
||||
remote_domain=None, auth_data=None):
|
||||
context = {'environment': {'REMOTE_USER': remote_user}}
|
||||
remote_domain=None, auth_data=None,
|
||||
kerberos=False):
|
||||
context = {'environment': {'REMOTE_USER': remote_user,
|
||||
'AUTH_TYPE': 'Negotiate'}}
|
||||
if remote_domain:
|
||||
context['environment']['REMOTE_DOMAIN'] = remote_domain
|
||||
if not auth_data:
|
||||
auth_data = self.build_authentication_request()['auth']
|
||||
auth_data = self.build_authentication_request(
|
||||
kerberos=kerberos)['auth']
|
||||
no_context = None
|
||||
auth_info = auth.controllers.AuthInfo.create(no_context, auth_data)
|
||||
auth_context = {'extras': {}, 'method_names': []}
|
||||
|
@ -1522,6 +1522,7 @@ class TestAuthExternalDomain(test_v3.RestfulTestCase):
|
||||
|
||||
def config_overrides(self):
|
||||
super(TestAuthExternalDomain, self).config_overrides()
|
||||
self.kerberos = False
|
||||
self.config_fixture.config(
|
||||
group='auth',
|
||||
methods=['keystone.auth.plugins.external.Domain',
|
||||
@ -1533,7 +1534,7 @@ class TestAuthExternalDomain(test_v3.RestfulTestCase):
|
||||
remote_user = self.user['name']
|
||||
remote_domain = self.domain['name']
|
||||
context, auth_info, auth_context = self.build_external_auth_request(
|
||||
remote_user, remote_domain=remote_domain)
|
||||
remote_user, remote_domain=remote_domain, kerberos=self.kerberos)
|
||||
|
||||
api.authenticate(context, auth_info, auth_context)
|
||||
self.assertEqual(auth_context['user_id'], self.user['id'])
|
||||
@ -1544,7 +1545,7 @@ class TestAuthExternalDomain(test_v3.RestfulTestCase):
|
||||
self.identity_api.update_user(self.user['id'], user)
|
||||
remote_user = user['name']
|
||||
context, auth_info, auth_context = self.build_external_auth_request(
|
||||
remote_user, remote_domain=remote_domain)
|
||||
remote_user, remote_domain=remote_domain, kerberos=self.kerberos)
|
||||
|
||||
api.authenticate(context, auth_info, auth_context)
|
||||
self.assertEqual(auth_context['user_id'], self.user['id'])
|
||||
@ -1552,7 +1553,8 @@ class TestAuthExternalDomain(test_v3.RestfulTestCase):
|
||||
def test_project_id_scoped_with_remote_user(self):
|
||||
CONF.token.bind = ['kerberos']
|
||||
auth_data = self.build_authentication_request(
|
||||
project_id=self.project['id'])
|
||||
project_id=self.project['id'],
|
||||
kerberos=self.kerberos)
|
||||
remote_user = self.user['name']
|
||||
remote_domain = self.domain['name']
|
||||
self.admin_app.extra_environ.update({'REMOTE_USER': remote_user,
|
||||
@ -1564,7 +1566,7 @@ class TestAuthExternalDomain(test_v3.RestfulTestCase):
|
||||
|
||||
def test_unscoped_bind_with_remote_user(self):
|
||||
CONF.token.bind = ['kerberos']
|
||||
auth_data = self.build_authentication_request()
|
||||
auth_data = self.build_authentication_request(kerberos=self.kerberos)
|
||||
remote_user = self.user['name']
|
||||
remote_domain = self.domain['name']
|
||||
self.admin_app.extra_environ.update({'REMOTE_USER': remote_user,
|
||||
@ -1575,6 +1577,19 @@ class TestAuthExternalDomain(test_v3.RestfulTestCase):
|
||||
self.assertEqual(token['bind']['kerberos'], self.user['name'])
|
||||
|
||||
|
||||
class TestAuthKerberos(TestAuthExternalDomain):
|
||||
|
||||
def config_overrides(self):
|
||||
super(TestAuthKerberos, self).config_overrides()
|
||||
self.kerberos = True
|
||||
|
||||
self.config_fixture.config(
|
||||
group='auth',
|
||||
methods=['keystone.auth.plugins.external.KerberosDomain',
|
||||
'keystone.auth.plugins.password.Password',
|
||||
'keystone.auth.plugins.token.Token'])
|
||||
|
||||
|
||||
class TestAuthJSON(test_v3.RestfulTestCase):
|
||||
content_type = 'json'
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user