Add tools to get keystone auth plugin

With directly provide auth string(with contain a json formate
with auth_type and auth info), we can release context to specific
auth_type and give user the ability to provide other Keystone
(or their own) authentication method (like using
`v3applicationcredential` or others).
The format for `auth` and `auth_type` follows exactly Keystone
plugins like in clouds.yaml file [1].

[1] https://docs.openstack.org/keystoneauth/latest/
plugin-options.html#additional-loaders

Change-Id: Ic4dc2292a82860b9bb54ecb9e3b1a4dc806dab2c
Story: #2002126
Task: #26904
This commit is contained in:
ricolin 2019-02-01 14:31:08 +08:00
parent f47748d4b6
commit 4ee754f359
3 changed files with 168 additions and 1 deletions

View File

@ -0,0 +1,64 @@
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import json
from keystoneauth1 import loading as ks_loading
from oslo_log import log as logging
from heat.common import exception
LOG = logging.getLogger(__name__)
def parse_auth_credential_to_dict(cred):
"""Parse credential to dict"""
def validate(cred):
valid_keys = ['auth_type', 'auth']
for k in valid_keys:
if k not in cred:
raise ValueError('Missing key in auth information, the '
'correct format contains %s.' % valid_keys)
try:
_cred = json.loads(cred)
except ValueError as e:
LOG.error('Failed to parse credential with error: %s' % e)
raise ValueError('Failed to parse credential, please check your '
'Stack Credential format.')
validate(_cred)
return _cred
def validate_auth_plugin(auth_plugin, keystone_session):
"""Validate if this auth_plugin is valid to use."""
try:
auth_plugin.get_token(keystone_session)
except Exception as e:
# TODO(ricolin) Add heat document link for plugin information,
# once we generated one.
failure_reason = ("Failed to validate auth_plugin with error %s. "
"Please make sure the credential you provide is "
"correct. Also make sure the it is a valid Keystone "
"auth plugin type and contain in your "
"environment." % e)
raise exception.AuthorizationFailure(failure_reason=failure_reason)
def get_keystone_plugin_loader(auth, keystone_session):
cred = parse_auth_credential_to_dict(auth)
auth_plugin = ks_loading.get_plugin_loader(
cred.get('auth_type')).load_from_options(
**cred.get('auth'))
validate_auth_plugin(auth_plugin, keystone_session)
return auth_plugin

View File

@ -90,7 +90,14 @@ class MissingCredentialError(HeatException):
class AuthorizationFailure(HeatException):
msg_fmt = _("Authorization failed.")
msg_fmt = _("Authorization failed.%(failure_reason)s")
def __init__(self, failure_reason=""):
if failure_reason != "":
# Add a space to make message more readable
failure_reason = " " + failure_reason
super(AuthorizationFailure, self).__init__(
failure_reason=failure_reason)
class NotAuthenticated(HeatException):

View File

@ -0,0 +1,96 @@
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import json
from keystoneauth1 import loading as ks_loading
from keystoneauth1 import session
import mock
import six
from heat.common import auth_plugin
from heat.common import config
from heat.common import exception
from heat.common import policy
from heat.tests import common
class TestAuthPlugin(common.HeatTestCase):
def setUp(self):
self.credential = (
'{"auth_type": "v3applicationcredential", '
'"auth": {"auth_url": "http://192.168.1.101/identity/v3", '
'"application_credential_id": '
'"9dfa187e5a354484bf9c49a2b674333a", '
'"application_credential_secret": "sec"} }')
self.m_plugin = mock.Mock()
self.m_loader = self.patchobject(
ks_loading, 'get_plugin_loader', return_value=self.m_plugin)
self.patchobject(policy.Enforcer, 'check_is_admin')
self.secret_id = '0eca0615-c330-41aa-b0cb-a2493a770409'
self.session = session.Session(
**config.get_ssl_options('keystone'))
super(TestAuthPlugin, self).setUp()
def _get_keystone_plugin_loader(self):
auth_plugin.get_keystone_plugin_loader(self.credential, self.session)
self.m_plugin.load_from_options.assert_called_once_with(
application_credential_id='9dfa187e5a354484bf9c49a2b674333a',
application_credential_secret='sec',
auth_url='http://192.168.1.101/identity/v3')
self.m_loader.assert_called_once_with('v3applicationcredential')
def test_get_keystone_plugin_loader(self):
self._get_keystone_plugin_loader()
# called in validate_auth_plugin
self.assertEqual(
1, self.m_plugin.load_from_options().get_token.call_count)
def test_get_keystone_plugin_loader_with_no_AuthZ(self):
self.m_plugin.load_from_options().get_token.side_effect = Exception
self.assertRaises(
exception.AuthorizationFailure, self._get_keystone_plugin_loader)
self.assertEqual(
1, self.m_plugin.load_from_options().get_token.call_count)
def test_parse_auth_credential_to_dict(self):
cred_dict = json.loads(self.credential)
self.assertEqual(
cred_dict, auth_plugin.parse_auth_credential_to_dict(
self.credential))
def test_parse_auth_credential_to_dict_with_value_error(self):
credential = (
'{"auth": {"auth_url": "http://192.168.1.101/identity/v3", '
'"application_credential_id": '
'"9dfa187e5a354484bf9c49a2b674333a", '
'"application_credential_secret": "sec"} }')
error = self.assertRaises(
ValueError, auth_plugin.parse_auth_credential_to_dict, credential)
self.assertEqual("Missing key in auth information, the correct "
"format contains [\'auth_type\', \'auth\'].",
six.text_type(error))
def test_parse_auth_credential_to_dict_with_json_error(self):
credential = (
"{'auth_type': v3applicationcredential, "
"'auth': {'auth_url': 'http://192.168.1.101/identity/v3', "
"'application_credential_id': "
"'9dfa187e5a354484bf9c49a2b674333a', "
"'application_credential_secret': 'sec'} }")
error = self.assertRaises(
ValueError, auth_plugin.parse_auth_credential_to_dict, credential)
error_msg = ('Failed to parse credential, please check your Stack '
'Credential format.')
self.assertEqual(error_msg, six.text_type(error))