Migrate kerberos plugin

The auth plugin from the keystoneclient-kerberos repository is
copied to this package. It was in its own repository because it
requires the requests-kerberos package and we want to minimize
requirements in keystoneauth (or keystoneclient at the time the
plugin was originally developed). Since we've got support for
"extras" in setup.cfg in pip now this isn't an issue with the
package anymore. Users of the kerberos plugin must install the
extra packages using

 $ pip install keystoneauth['kerberos']

otherwise the plugin will fail to load.

Closes-Bug: 1512741
Change-Id: Ia84bf559413e9bfd1a3faaceb417c2477bd10d5f
This commit is contained in:
Brant Knudson 2015-10-30 02:19:25 -05:00
parent 60275af0b3
commit 2baf7c49ad
9 changed files with 345 additions and 1 deletions

View File

@ -55,6 +55,8 @@ this V3 defines a number of different
against a V3 identity service using a username and password. against a V3 identity service using a username and password.
- :py:class:`~keystoneauth1.identity.v3.TokenMethod`: Authenticate against - :py:class:`~keystoneauth1.identity.v3.TokenMethod`: Authenticate against
a V3 identity service using an existing token. a V3 identity service using an existing token.
- :py:class:`~keystoneauth1.extras.kerberos.KerberosMethod`: Authenticate
against a V3 identity service using Kerberos.
The :py:class:`~keystoneauth1.identity.v3.AuthMethod` objects are then The :py:class:`~keystoneauth1.identity.v3.AuthMethod` objects are then
passed to the :py:class:`~keystoneauth1.identity.v3.Auth` plugin:: passed to the :py:class:`~keystoneauth1.identity.v3.Auth` plugin::
@ -78,6 +80,8 @@ like the V2 plugins:
only a :py:class:`~keystoneauth1.identity.v3.PasswordMethod`. only a :py:class:`~keystoneauth1.identity.v3.PasswordMethod`.
- :py:class:`~keystoneauth1.identity.v3.Token`: Authenticate using only a - :py:class:`~keystoneauth1.identity.v3.Token`: Authenticate using only a
:py:class:`~keystoneauth1.identity.v3.TokenMethod`. :py:class:`~keystoneauth1.identity.v3.TokenMethod`.
- :py:class:`~keystoneauth1.extras.kerberos.Kerberos`: Authenticate using
only a :py:class:`~keystoneauth1.extras.kerberos.KerberosMethod`.
:: ::

View File

@ -0,0 +1,67 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""Kerberos authentication plugins.
.. warning::
This module requires installation of an extra package (`requests_kerberos`)
not installed by default. Without the extra package an import error will
occur. The extra package can be installed using::
$ pip install keystoneauth['kerberos']
"""
import requests_kerberos
from keystoneauth1 import access
from keystoneauth1.identity import v3
from keystoneauth1.identity.v3 import federation
def _requests_auth():
# NOTE(jamielennox): request_kerberos.OPTIONAL allows the plugin to accept
# unencrypted error messages where we can't verify the origin of the error
# because we aren't authenticated.
return requests_kerberos.HTTPKerberosAuth(
mutual_authentication=requests_kerberos.OPTIONAL)
class KerberosMethod(v3.AuthMethod):
_method_parameters = []
def get_auth_data(self, session, auth, headers, request_kwargs, **kwargs):
# NOTE(jamielennox): request_kwargs is passed as a kwarg however it is
# required and always present when called from keystoneclient.
request_kwargs['requests_auth'] = _requests_auth()
return 'kerberos', {}
class Kerberos(v3.AuthConstructor):
_auth_method_class = KerberosMethod
class MappedKerberos(federation.FederationBaseAuth):
"""Authenticate using Kerberos via the keystone federation mechanisms.
This uses the OS-FEDERATION extension to gain an unscoped token and then
use the standard keystone auth process to scope that to any given project.
"""
def get_unscoped_auth_ref(self, session, **kwargs):
resp = session.get(self.federated_token_url,
requests_auth=_requests_auth(),
authenticated=False)
return access.create(body=resp.json(), resp=resp)

View File

@ -0,0 +1,47 @@
# -*- coding: utf-8 -*-
# Copyright 2010-2011 OpenStack Foundation
# Copyright (c) 2013 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from keystoneauth1.tests.unit.extras.kerberos import utils
from keystoneauth1.tests.unit import utils as test_utils
REQUEST = {'auth': {'identity': {'methods': ['kerberos'],
'kerberos': {}}}}
class TestCase(test_utils.TestCase):
"""Test case base class for Kerberos unit tests."""
TEST_V3_URL = test_utils.TestCase.TEST_ROOT_URL + 'v3'
def setUp(self):
super(TestCase, self).setUp()
km = utils.KerberosMock(self.requests_mock)
self.kerberos_mock = self.useFixture(km)
def assertRequestBody(self, body=None):
"""Ensure the request body is the standard Kerberos auth request.
:param dict body: the body to compare. If not provided the last request
body will be used.
"""
if not body:
body = self.requests_mock.last_request.json()
self.assertEqual(REQUEST, body)

View File

@ -0,0 +1,90 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import uuid
import six
from keystoneauth1 import fixture as ks_fixture
from keystoneauth1 import session
from keystoneauth1.tests.unit.extras.kerberos import base
try:
# Until requests_kerberos gets py3 support, this is going to fail to import
from keystoneauth1.extras import kerberos
except ImportError:
if six.PY2:
# requests_kerberos is expected to be there on py2, so don't ignore.
raise
# requests_kerberos isn't available
kerberos = False
class TestMappedAuth(base.TestCase):
def setUp(self):
if not kerberos:
self.skipTest("Kerberos support isn't available.")
super(TestMappedAuth, self).setUp()
self.protocol = uuid.uuid4().hex
self.identity_provider = uuid.uuid4().hex
@property
def token_url(self):
fmt = '%s/OS-FEDERATION/identity_providers/%s/protocols/%s/auth'
return fmt % (
self.TEST_V3_URL,
self.identity_provider,
self.protocol)
def test_unscoped_mapped_auth(self):
token_id, _ = self.kerberos_mock.mock_auth_success(
url=self.token_url, method='GET')
plugin = kerberos.MappedKerberos(
auth_url=self.TEST_V3_URL, protocol=self.protocol,
identity_provider=self.identity_provider)
sess = session.Session()
tok = plugin.get_token(sess)
self.assertEqual(token_id, tok)
def test_project_scoped_mapped_auth(self):
self.kerberos_mock.mock_auth_success(url=self.token_url,
method='GET')
scoped_id = uuid.uuid4().hex
scoped_body = ks_fixture.V3Token()
scoped_body.set_project_scope()
self.requests_mock.post(
'%s/auth/tokens' % self.TEST_V3_URL,
json=scoped_body,
headers={'X-Subject-Token': scoped_id,
'Content-Type': 'application/json'})
plugin = kerberos.MappedKerberos(
auth_url=self.TEST_V3_URL, protocol=self.protocol,
identity_provider=self.identity_provider,
project_id=scoped_body.project_id)
sess = session.Session()
tok = plugin.get_token(sess)
proj = plugin.get_project_id(sess)
self.assertEqual(scoped_id, tok)
self.assertEqual(scoped_body.project_id, proj)

View File

@ -0,0 +1,52 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import six
from keystoneauth1 import session
from keystoneauth1.tests.unit.extras.kerberos import base
try:
# Until requests_kerberos gets py3 support, this is going to fail to import
from keystoneauth1.extras import kerberos
except ImportError:
if six.PY2:
# requests_kerberos is expected to be there on py2, so don't ignore.
raise
# requests_kerberos isn't available
kerberos = None
class TestKerberosAuth(base.TestCase):
def setUp(self):
if not kerberos:
self.skipTest("Kerberos support isn't available.")
super(TestKerberosAuth, self).setUp()
def test_authenticate_with_kerberos_domain_scoped(self):
token_id, token_body = self.kerberos_mock.mock_auth_success()
a = kerberos.Kerberos(self.TEST_ROOT_URL + 'v3')
s = session.Session(a)
token = a.get_token(s)
self.assertRequestBody()
self.assertEqual(
self.kerberos_mock.challenge_header,
self.requests_mock.last_request.headers['Authorization'])
self.assertEqual(token_id, a.auth_ref.auth_token)
self.assertEqual(token_id, token)

View File

@ -0,0 +1,81 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import uuid
import fixtures
from oslotest import mockpatch
try:
# requests_kerberos won't be available on py3, it doesn't work with py3.
import requests_kerberos
except ImportError:
requests_kerberos = None
from keystoneauth1 import fixture as ks_fixture
from keystoneauth1.tests.unit import utils as test_utils
class KerberosMock(fixtures.Fixture):
def __init__(self, requests_mock):
super(KerberosMock, self).__init__()
self.challenge_header = 'Negotiate %s' % uuid.uuid4().hex
self.pass_header = 'Negotiate %s' % uuid.uuid4().hex
self.requests_mock = requests_mock
def setUp(self):
super(KerberosMock, self).setUp()
m = mockpatch.PatchObject(requests_kerberos.HTTPKerberosAuth,
'generate_request_header',
self._generate_request_header)
self.header_fixture = self.useFixture(m)
m = mockpatch.PatchObject(requests_kerberos.HTTPKerberosAuth,
'authenticate_server',
self._authenticate_server)
self.authenticate_fixture = self.useFixture(m)
def _generate_request_header(self, *args, **kwargs):
return self.challenge_header
def _authenticate_server(self, response):
return response.headers.get('www-authenticate') == self.pass_header
def mock_auth_success(
self,
token_id=None,
token_body=None,
method='POST',
url=test_utils.TestCase.TEST_ROOT_URL + 'v3/auth/tokens'):
if not token_id:
token_id = uuid.uuid4().hex
if not token_body:
token_body = ks_fixture.V3Token()
response_list = [{'text': 'Fail',
'status_code': 401,
'headers': {'WWW-Authenticate': 'Negotiate'}},
{'headers': {'X-Subject-Token': token_id,
'Content-Type': 'application/json',
'WWW-Authenticate': self.pass_header},
'status_code': 200,
'json': token_body}]
self.requests_mock.register_uri(method,
url,
response_list=response_list)
return token_id, token_body

View File

@ -24,6 +24,9 @@ packages =
keystoneauth1 keystoneauth1
[extras] [extras]
kerberos =
requests-kerberos>=0.6:python_version=='2.7' or python_version=='2.6' # MIT
saml2 = saml2 =
lxml>=2.3 lxml>=2.3

View File

@ -12,7 +12,7 @@ setenv = VIRTUAL_ENV={envdir}
deps = -r{toxinidir}/requirements.txt deps = -r{toxinidir}/requirements.txt
-r{toxinidir}/test-requirements.txt -r{toxinidir}/test-requirements.txt
.[saml2] .[kerberos,saml2]
commands = ostestr {posargs} commands = ostestr {posargs}
[testenv:pep8] [testenv:pep8]