138 lines
4.7 KiB
Python
138 lines
4.7 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
"""Main entry point into the Federation service."""
|
|
|
|
from oslo_config import cfg
|
|
from oslo_log import versionutils
|
|
|
|
from keystone.common import dependency
|
|
from keystone.common import extension
|
|
from keystone.common import manager
|
|
from keystone import exception
|
|
from keystone.federation.backends import base
|
|
from keystone.federation import utils
|
|
|
|
|
|
CONF = cfg.CONF
|
|
EXTENSION_DATA = {
|
|
'name': 'OpenStack Federation APIs',
|
|
'namespace': 'http://docs.openstack.org/identity/api/ext/'
|
|
'OS-FEDERATION/v1.0',
|
|
'alias': 'OS-FEDERATION',
|
|
'updated': '2013-12-17T12:00:0-00:00',
|
|
'description': 'OpenStack Identity Providers Mechanism.',
|
|
'links': [{
|
|
'rel': 'describedby',
|
|
'type': 'text/html',
|
|
'href': 'http://specs.openstack.org/openstack/keystone-specs/api/v3/'
|
|
'identity-api-v3-os-federation-ext.html',
|
|
}]}
|
|
extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
|
|
extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA)
|
|
|
|
|
|
@dependency.provider('federation_api')
|
|
class Manager(manager.Manager):
|
|
"""Default pivot point for the Federation backend.
|
|
|
|
See :mod:`keystone.common.manager.Manager` for more details on how this
|
|
dynamically calls the backend.
|
|
|
|
"""
|
|
|
|
driver_namespace = 'keystone.federation'
|
|
|
|
def __init__(self):
|
|
super(Manager, self).__init__(CONF.federation.driver)
|
|
|
|
# Make sure it is a driver version we support, and if it is a legacy
|
|
# driver, then wrap it.
|
|
if isinstance(self.driver, base.FederationDriverV8):
|
|
self.driver = base.V9FederationWrapperForV8Driver(self.driver)
|
|
elif not isinstance(self.driver, base.FederationDriverV9):
|
|
raise exception.UnsupportedDriverVersion(
|
|
driver=CONF.federation.driver)
|
|
|
|
def get_enabled_service_providers(self):
|
|
"""List enabled service providers for Service Catalog.
|
|
|
|
Service Provider in a catalog contains three attributes: ``id``,
|
|
``auth_url``, ``sp_url``, where:
|
|
|
|
- id is a unique, user defined identifier for service provider object
|
|
- auth_url is an authentication URL of remote Keystone
|
|
- sp_url a URL accessible at the remote service provider where SAML
|
|
assertion is transmitted.
|
|
|
|
:returns: list of dictionaries with enabled service providers
|
|
:rtype: list of dicts
|
|
|
|
"""
|
|
def normalize(sp):
|
|
ref = {
|
|
'auth_url': sp.auth_url,
|
|
'id': sp.id,
|
|
'sp_url': sp.sp_url
|
|
}
|
|
return ref
|
|
|
|
service_providers = self.driver.get_enabled_service_providers()
|
|
return [normalize(sp) for sp in service_providers]
|
|
|
|
def evaluate(self, idp_id, protocol_id, assertion_data):
|
|
mapping = self.get_mapping_from_idp_and_protocol(idp_id, protocol_id)
|
|
rules = mapping['rules']
|
|
rule_processor = utils.RuleProcessor(mapping['id'], rules)
|
|
mapped_properties = rule_processor.process(assertion_data)
|
|
return mapped_properties, mapping['id']
|
|
|
|
|
|
@versionutils.deprecated(
|
|
versionutils.deprecated.NEWTON,
|
|
what='keystone.federation.FederationDriverBase',
|
|
in_favor_of='keystone.federation.backends.base.FederationDriverBase',
|
|
remove_in=+1)
|
|
class FederationDriverBase(base.FederationDriverBase):
|
|
pass
|
|
|
|
|
|
@versionutils.deprecated(
|
|
versionutils.deprecated.NEWTON,
|
|
what='keystone.federation.FederationDriverV8',
|
|
in_favor_of='keystone.federation.backends.base.FederationDriverV8',
|
|
remove_in=+1)
|
|
class FederationDriverV8(base.FederationDriverV8):
|
|
pass
|
|
|
|
|
|
@versionutils.deprecated(
|
|
versionutils.deprecated.NEWTON,
|
|
what='keystone.federation.FederationDriverV9',
|
|
in_favor_of='keystone.federation.backends.base.FederationDriverV9',
|
|
remove_in=+1)
|
|
class FederationDriverV9(base.FederationDriverV9):
|
|
pass
|
|
|
|
|
|
@versionutils.deprecated(
|
|
versionutils.deprecated.NEWTON,
|
|
what='keystone.federation.V9FederationWrapperForV8Driver',
|
|
in_favor_of=(
|
|
'keystone.federation.backends.base.V9FederationWrapperForV8Driver'),
|
|
remove_in=+1)
|
|
class V9FederationWrapperForV8Driver(base.V9FederationWrapperForV8Driver):
|
|
pass
|
|
|
|
|
|
Driver = manager.create_legacy_driver(base.FederationDriverV8)
|