93db837330
As far as keystone v2 will be deprecated soon murano will support unversioned keystone endpoints. Additional work and final switch to Identity API v3 in devstack should be done when all components will switch to it. Change-Id: I062f1b3b3372f502f20a976cde432f22c2489480
78 lines
2.8 KiB
Python
78 lines
2.8 KiB
Python
# Copyright (c) 2015 Mirantis, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import base64
|
|
|
|
from keystoneclient.auth.identity import v3
|
|
from keystoneclient import exceptions
|
|
from keystoneclient import session as ks_session
|
|
from keystoneclient.v3 import client
|
|
from oslo_config import cfg
|
|
from oslo_log import log
|
|
from webob import exc
|
|
|
|
from murano.common.i18n import _
|
|
from murano.common import wsgi
|
|
|
|
CONF = cfg.CONF
|
|
LOG = log.getLogger(__name__)
|
|
|
|
|
|
class ExternalContextMiddleware(wsgi.Middleware):
|
|
def get_keystone_token(self, user, password):
|
|
# TODO(starodubcevna): picking up project_name and auth_url from
|
|
# section related to Cloud Foundry service broker is probably a duct
|
|
# tape and should be rewritten as soon as we get more non-OpenStack
|
|
# services as murano recipients.
|
|
|
|
kwargs = {'auth_url': CONF.cfapi.auth_url.replace('v2.0', 'v3'),
|
|
'username': user,
|
|
'password': password,
|
|
'project_name': CONF.cfapi.tenant}
|
|
password_auth = v3.Password(**kwargs)
|
|
session = ks_session.Session(auth=password_auth)
|
|
keystone = client.Client(session=session)
|
|
|
|
return keystone.auth_token
|
|
|
|
def process_request(self, req):
|
|
|
|
"""Get keystone token for external request
|
|
|
|
This middleware is used for external requests. It get credentials from
|
|
request and try to get keystone token for further authorization.
|
|
|
|
:param req: wsgi request object that will be given the context object
|
|
"""
|
|
try:
|
|
credentials = base64.b64decode(
|
|
req.headers['Authorization'].split(' ')[1])
|
|
user, password = credentials.split(':', 2)
|
|
req.headers['X-Auth-Token'] = self.get_keystone_token(user,
|
|
password)
|
|
except KeyError:
|
|
msg = _("Authorization required")
|
|
LOG.warning(msg)
|
|
raise exc.HTTPUnauthorized(explanation=msg)
|
|
except exceptions.Unauthorized:
|
|
msg = _("Your credentials are wrong. Please try again")
|
|
LOG.warning(msg)
|
|
raise exc.HTTPUnauthorized(explanation=msg)
|
|
|
|
@classmethod
|
|
def factory(cls, global_conf, **local_conf):
|
|
def filter(app):
|
|
return cls(app)
|
|
return filter
|