deb-murano/murano/api/middleware/ext_context.py

#    Copyright (c) 2015 Mirantis, Inc.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

import base64

from keystoneclient.auth.identity import v3
from keystoneclient import exceptions
from keystoneclient import session as ks_session
from keystoneclient.v3 import client
from oslo_config import cfg
from oslo_log import log
from webob import exc

from murano.common.i18n import _
from murano.common import wsgi

CONF = cfg.CONF
LOG = log.getLogger(__name__)


class ExternalContextMiddleware(wsgi.Middleware):
    def get_keystone_token(self, user, password):
        # TODO(starodubcevna): picking up project_name and auth_url from
        # section related to Cloud Foundry service broker is probably a duct
        # tape and should be rewritten as soon as we get more non-OpenStack
        # services as murano recipients.

        kwargs = {'auth_url': CONF.cfapi.auth_url.replace('v2.0', 'v3'),
                  'username': user,
                  'password': password,
                  'project_name': CONF.cfapi.tenant}
        password_auth = v3.Password(**kwargs)
        session = ks_session.Session(auth=password_auth)
        keystone = client.Client(session=session)

        return keystone.auth_token

    def process_request(self, req):

        """Get keystone token for external request

        This middleware is used for external requests. It get credentials from
        request and try to get keystone token for further authorization.

        :param req: wsgi request object that will be given the context object
        """
        try:
            credentials = base64.b64decode(
                req.headers['Authorization'].split(' ')[1])
            user, password = credentials.split(':', 2)
            req.headers['X-Auth-Token'] = self.get_keystone_token(user,
                                                                  password)
        except KeyError:
            msg = _("Authorization required")
            LOG.warning(msg)
            raise exc.HTTPUnauthorized(explanation=msg)
        except exceptions.Unauthorized:
            msg = _("Your credentials are wrong. Please try again")
            LOG.warning(msg)
            raise exc.HTTPUnauthorized(explanation=msg)

    @classmethod
    def factory(cls, global_conf, **local_conf):
        def filter(app):
            return cls(app)
        return filter
Add middleware for external requests New middleware will solve the problem with non-Openstack requests by adding some minimal required headers. Change-Id: I49986e73d0eb3da1ce13d22771c6bcb5a28ba846 Implements: bp external-request-middleware 2015-11-03 13:40:22 +03:00			`# Copyright (c) 2015 Mirantis, Inc.`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License"); you may`
			`# not use this file except in compliance with the License. You may obtain`
			`# a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT`
			`# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the`
			`# License for the specific language governing permissions and limitations`
			`# under the License.`

			`import base64`

Support unversioned keystone endpoints As far as keystone v2 will be deprecated soon murano will support unversioned keystone endpoints. Additional work and final switch to Identity API v3 in devstack should be done when all components will switch to it. Change-Id: I062f1b3b3372f502f20a976cde432f22c2489480 2016-02-08 17:14:00 +03:00			`from keystoneclient.auth.identity import v3`
Add middleware for external requests New middleware will solve the problem with non-Openstack requests by adding some minimal required headers. Change-Id: I49986e73d0eb3da1ce13d22771c6bcb5a28ba846 Implements: bp external-request-middleware 2015-11-03 13:40:22 +03:00			`from keystoneclient import exceptions`
Support unversioned keystone endpoints As far as keystone v2 will be deprecated soon murano will support unversioned keystone endpoints. Additional work and final switch to Identity API v3 in devstack should be done when all components will switch to it. Change-Id: I062f1b3b3372f502f20a976cde432f22c2489480 2016-02-08 17:14:00 +03:00			`from keystoneclient import session as ks_session`
Add middleware for external requests New middleware will solve the problem with non-Openstack requests by adding some minimal required headers. Change-Id: I49986e73d0eb3da1ce13d22771c6bcb5a28ba846 Implements: bp external-request-middleware 2015-11-03 13:40:22 +03:00			`from keystoneclient.v3 import client`
			`from oslo_config import cfg`
			`from oslo_log import log`
			`from webob import exc`

			`from murano.common.i18n import _`
			`from murano.common import wsgi`

			`CONF = cfg.CONF`
			`LOG = log.getLogger(__name__)`


			`class ExternalContextMiddleware(wsgi.Middleware):`
			`def get_keystone_token(self, user, password):`
Get scoped token from ext_context middleware Freshly introduced ext_context middleware produces unscouped token which breaks authorization in Cloud Foundry service broker API. Change-Id: Ibc85604dc9abed58c4c3bbeb92c572674fe74ff3 Closes-Bug: 1516635 2015-11-16 17:13:09 +03:00			`# TODO(starodubcevna): picking up project_name and auth_url from`
			`# section related to Cloud Foundry service broker is probably a duct`
			`# tape and should be rewritten as soon as we get more non-OpenStack`
			`# services as murano recipients.`
Support unversioned keystone endpoints As far as keystone v2 will be deprecated soon murano will support unversioned keystone endpoints. Additional work and final switch to Identity API v3 in devstack should be done when all components will switch to it. Change-Id: I062f1b3b3372f502f20a976cde432f22c2489480 2016-02-08 17:14:00 +03:00
			`kwargs = {'auth_url': CONF.cfapi.auth_url.replace('v2.0', 'v3'),`
			`'username': user,`
			`'password': password,`
			`'project_name': CONF.cfapi.tenant}`
			`password_auth = v3.Password(**kwargs)`
			`session = ks_session.Session(auth=password_auth)`
			`keystone = client.Client(session=session)`

Add middleware for external requests New middleware will solve the problem with non-Openstack requests by adding some minimal required headers. Change-Id: I49986e73d0eb3da1ce13d22771c6bcb5a28ba846 Implements: bp external-request-middleware 2015-11-03 13:40:22 +03:00			`return keystone.auth_token`

			`def process_request(self, req):`

			`"""Get keystone token for external request`

			`This middleware is used for external requests. It get credentials from`
Fix spelling typos Change-Id: I7e295abea49a7b3cd906d747917a9729c479b275 2016-02-03 21:27:45 +05:30			`request and try to get keystone token for further authorization.`
Add middleware for external requests New middleware will solve the problem with non-Openstack requests by adding some minimal required headers. Change-Id: I49986e73d0eb3da1ce13d22771c6bcb5a28ba846 Implements: bp external-request-middleware 2015-11-03 13:40:22 +03:00
			`:param req: wsgi request object that will be given the context object`
			`"""`
			`try:`
Raise proper exception in ext context middleware Previously if request without 'HTTP-Authorization' header comes to external context middleware it raised error code 500 Internal Server Error instead of 401 Unauthorized. Change-Id: I8285d24741bed5b541a4f8104422340c8594c695 Closes-Bug: #1522707 2015-12-04 10:33:15 +03:00			`credentials = base64.b64decode(`
			`req.headers['Authorization'].split(' ')[1])`
			`user, password = credentials.split(':', 2)`
Add middleware for external requests New middleware will solve the problem with non-Openstack requests by adding some minimal required headers. Change-Id: I49986e73d0eb3da1ce13d22771c6bcb5a28ba846 Implements: bp external-request-middleware 2015-11-03 13:40:22 +03:00			`req.headers['X-Auth-Token'] = self.get_keystone_token(user,`
			`password)`
Raise proper exception in ext context middleware Previously if request without 'HTTP-Authorization' header comes to external context middleware it raised error code 500 Internal Server Error instead of 401 Unauthorized. Change-Id: I8285d24741bed5b541a4f8104422340c8594c695 Closes-Bug: #1522707 2015-12-04 10:33:15 +03:00			`except KeyError:`
			`msg = _("Authorization required")`
			`LOG.warning(msg)`
			`raise exc.HTTPUnauthorized(explanation=msg)`
Add middleware for external requests New middleware will solve the problem with non-Openstack requests by adding some minimal required headers. Change-Id: I49986e73d0eb3da1ce13d22771c6bcb5a28ba846 Implements: bp external-request-middleware 2015-11-03 13:40:22 +03:00			`except exceptions.Unauthorized:`
			`msg = _("Your credentials are wrong. Please try again")`
			`LOG.warning(msg)`
			`raise exc.HTTPUnauthorized(explanation=msg)`

			`@classmethod`
			`def factory(cls, global_conf, **local_conf):`
			`def filter(app):`
			`return cls(app)`
			`return filter`