Merge "Add s3_token." into redux
This commit is contained in:
commit
d44b859797
|
@ -0,0 +1,136 @@
|
|||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||
|
||||
# Copyright 2010 United States Government as represented by the
|
||||
# Administrator of the National Aeronautics and Space Administration.
|
||||
# Copyright 2011,2012 Akira YOSHIYAMA <akirayoshiyama@gmail.com>
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
# This source code is based ./auth_token.py and ./ec2_token.py.
|
||||
# See them for their copyright.
|
||||
|
||||
"""Starting point for routing S3 requests."""
|
||||
|
||||
import httplib
|
||||
import json
|
||||
|
||||
import webob
|
||||
|
||||
from swift.common import utils as swift_utils
|
||||
|
||||
|
||||
PROTOCOL_NAME = "S3 Token Authentication"
|
||||
|
||||
|
||||
class S3Token(object):
|
||||
"""Auth Middleware that handles S3 authenticating client calls."""
|
||||
|
||||
def __init__(self, app, conf):
|
||||
"""Common initialization code."""
|
||||
self.app = app
|
||||
self.logger = swift_utils.get_logger(conf, log_route='s3_token')
|
||||
self.logger.debug('Starting the %s component' % PROTOCOL_NAME)
|
||||
|
||||
# where to find the auth service (we use this to validate tokens)
|
||||
self.auth_host = conf.get('auth_host')
|
||||
self.auth_port = int(conf.get('auth_port'))
|
||||
self.auth_protocol = conf.get('auth_protocol', 'https')
|
||||
|
||||
# where to tell clients to find the auth service (default to url
|
||||
# constructed based on endpoint we have for the service to use)
|
||||
self.auth_location = conf.get('auth_uri',
|
||||
'%s://%s:%s' % (self.auth_protocol,
|
||||
self.auth_host,
|
||||
self.auth_port))
|
||||
|
||||
# Credentials used to verify this component with the Auth service since
|
||||
# validating tokens is a privileged call
|
||||
self.admin_token = conf.get('admin_token')
|
||||
|
||||
def __call__(self, environ, start_response):
|
||||
"""Handle incoming request. authenticate and send downstream."""
|
||||
req = webob.Request(environ)
|
||||
parts = swift_utils.split_path(req.path, 1, 4, True)
|
||||
version, account, container, obj = parts
|
||||
|
||||
# Read request signature and access id.
|
||||
if not 'Authorization' in req.headers:
|
||||
return self.app(environ, start_response)
|
||||
token = req.headers.get('X-Auth-Token',
|
||||
req.headers.get('X-Storage-Token'))
|
||||
|
||||
auth_header = req.headers['Authorization']
|
||||
access, signature = auth_header.split(' ')[-1].rsplit(':', 1)
|
||||
|
||||
# Authenticate the request.
|
||||
creds = {'credentials': {'access': access,
|
||||
'token': token,
|
||||
'signature': signature,
|
||||
'host': req.host,
|
||||
'verb': req.method,
|
||||
'path': req.path,
|
||||
'expire': req.headers['Date'],
|
||||
}}
|
||||
|
||||
creds_json = json.dumps(creds)
|
||||
headers = {'Content-Type': 'application/json'}
|
||||
if self.auth_protocol == 'http':
|
||||
conn = httplib.HTTPConnection(self.auth_host, self.auth_port)
|
||||
else:
|
||||
conn = httplib.HTTPSConnection(self.auth_host, self.auth_port)
|
||||
|
||||
conn.request('POST', '/v2.0/s3tokens',
|
||||
body=creds_json,
|
||||
headers=headers)
|
||||
resp = conn.getresponse()
|
||||
if resp.status < 200 or resp.status >= 300:
|
||||
raise Exception('Keystone reply error: status=%s reason=%s' % (
|
||||
resp.status,
|
||||
resp.reason))
|
||||
|
||||
# NOTE(vish): We could save a call to keystone by having
|
||||
# keystone return token, tenant, user, and roles
|
||||
# from this call.
|
||||
#
|
||||
# NOTE(chmou): We still have the same problem we would need to
|
||||
# change token_auth to detect if we already
|
||||
# identified and not doing a second query and just
|
||||
# pass it through to swiftauth in this case.
|
||||
# identity_info = json.loads(response)
|
||||
output = resp.read()
|
||||
conn.close()
|
||||
identity_info = json.loads(output)
|
||||
try:
|
||||
token_id = str(identity_info['access']['token']['id'])
|
||||
tenant = (identity_info['access']['token']['tenant']['id'],
|
||||
identity_info['access']['token']['tenant']['name'])
|
||||
except (KeyError, IndexError):
|
||||
self.logger.debug('Error getting keystone reply: %s' %
|
||||
(str(output)))
|
||||
raise
|
||||
|
||||
req.headers['X-Auth-Token'] = token_id
|
||||
environ['PATH_INFO'] = environ['PATH_INFO'].replace(
|
||||
account, 'AUTH_%s' % tenant[0])
|
||||
return self.app(environ, start_response)
|
||||
|
||||
|
||||
def filter_factory(global_conf, **local_conf):
|
||||
"""Returns a WSGI filter app for use with paste.deploy."""
|
||||
conf = global_conf.copy()
|
||||
conf.update(local_conf)
|
||||
|
||||
def auth_filter(app):
|
||||
return S3Token(app, conf)
|
||||
return auth_filter
|
Loading…
Reference in New Issue