25 Commits

Author SHA1 Message Date
Jenkins
1972df32f8 Merge "Allow setting EndpointReference in ADFSPassword" 2017-05-16 20:14:39 +00:00
Blake Covarrubias
4ca1a1f028 Allow setting EndpointReference in ADFSPassword
The ADFSPassword plugin currently sets the WS-Policy 'AppliesTo'
EndpointReference Address in the WS-Trust RequestSecurityToken message
to the value specified in the 'service-provider-endpoint' option. This
may not be desirable if the Service Provider's SAML entity ID differs
from the WS-Federation Passive Endpoint (i.e. service provider endpoint)
consuming the WS-Trust RequestSecurityTokenResponse.

This commit introduces the ability to specify the EndpointReference used
in the RequestSecurityToken message via the 'service-provider-entity-id'
option. If omitted, the EndpointReference defaults to the value provided
in the 'service-provider-endpoint' option to preserve backward
compatibility.

Change-Id: I842427232db79d628dc29f5a1dcf68e011667dfa
Closes-Bug: #1689424
2017-05-16 17:21:41 +00:00
Blake Covarrubias
07390df499 Fix V3ADFSPassword retrieval of scoped token
The current V3ADFSPassword plugin is unable to return a scoped token in
“access.create(resp=self.authenticated_response)” due to scoping info
not being passed from V3ADFSPassword to the parent class.

This change adds kwargs when calling the parent class’ init method
(as performed by other plugins) to ensure the scoping info is correctly
propagated.

Change-Id: I825f7fe8f6d062ca23623ca5d6790a1dd45a0f5a
Closes-Bug: #1687316
2017-05-07 14:40:36 -07:00
Gage Hugo
7bf7619104 Remove pbr warnerrors in favor of sphinx check
This change removes the soon-to-be unused "warnerrors" setting,
which will be replaced by "warning-is-error" in sphinx
releases >= 1.5 [0]. This also pre-emptively fixes most warnings
that came up when testing with sphinx >= 1.5:

- Multiple cases of Opts
- Redundant loading of todo extension

Added a comment not to enable the new sphinx setting until
the issues with Changelog building are fixed.

Added setup.py to the list of files to ignore when building
docs.

[0] http://lists.openstack.org/pipermail/openstack-dev/2017-March/113085.html

Change-Id: Ia0079c6b551dd3896bc3d922a477f927757bd61b
2017-03-07 20:51:19 -06:00
John Dennis
b1301e606d Use comma as separator in ECP Accept HTTP header
During SAML ECP authentication 2 specially formatted HTTP headers
*MUST* be included in the request in order for the SP (Service
Provider) to recognize the client is ECP capable and to start the SAML
ECP flow. One is the PAOS header and the other is the Accept header
which must include the "application/vnd.paos+xml" media type. Media
types in the Accept header are separated by a comma (,). Unfortunately
keystoneauth uses a semicolon (;) as the media type separator. The
HTTP spec reserves the semicolon in the Accept header to attach
parameters to the media type. For example

Accept: type1;params1,type2;params2

Using a semicolon as a media type separator is syntactically invalid
and can cause failures in servers that parse the Accept header. For
example mod_auth_mellon emits this error message and fails to process
the ECP request:

request supplied valid PAOS header but omitted PAOS media type in Accept header
have_paos_media_type=False valid_paos_header=True is_paos=False

This indicates only 1 of the 2 required conditions were met.

Change-Id: I6469990a57762fc47b297d7b5b2b4cb4872df4ba
Signed-off-by: John Dennis <jdennis@redhat.com>
Closes-Bug: 1656946
2017-01-16 16:50:09 -05:00
Adam Young
1306c8b0e1 Fix parameters for Kerberos Auth Plugin
The auth plugin was not loading when called from the CLI due to the
mismatch of variable argument parameter calling convention.  This was
due in part to not specifying the parameters properly in the plugin, and
also due to extending from the wrong base class.

Closes-Bug: #1622079

Change-Id: I37a8320b61e7468c173f81348b0a7dd0ee1ad966
2016-09-21 12:22:46 -04:00
Ji-Wei
2d3e376a2c Raise NotImplementedError instead of NotImplemented
NotImplementedError is the name of the exception
(https://docs.python.org/2/library/exceptions.html).
NotImplemented is the name of a constant
(https://docs.python.org/2/library/constants.html).

This patch fixes it.

Change-Id: Icfbc0603d03e2001d1494027c492059687e15fa7
Closes-Bug: #1339855
2016-09-09 02:56:31 +00:00
Jamie Lennox
2e227b9952 Correctly report available for ADFS plugin
The ADFS plugin doesn't correctly catch when lxml is not available. This
will fail when a user then tries to iterate all available plugins.

Closes-Bug: #1608169
Change-Id: Ie9d228751306e6df24b43a62392a8f903f82ab82
2016-07-30 23:53:13 -05:00
Jenkins
86e010cc83 Merge "Lazy load oauthlib for plugin loading" 2016-07-22 22:24:36 +00:00
Jamie Lennox
6306504c58 Lazy load oauthlib for plugin loading
If oauthlib is not available the oauth plugins should not be marked as
available when iterating plugins.

Change-Id: Idabb7adf61dc5ca36fc1524af47e346f8f296245
2016-07-22 04:16:04 +10:00
Roxana Gherle
67530bd1a2 Fix ECP doc link in Saml2 Password class doc
ECP doc link points to an inexistent web page. This patch
fixes it.

Change-Id: I70819b44329100ea569603d4ac244050b0360072
2016-07-19 10:59:09 -07:00
Jamie Lennox
701b911437 Use SAML2 requests plugin
This is a major refactoring of the SAML2 plugin to move the logic into a
standalone requests auth plugin, and then have the keystoneauth plugin
simply provide a wrapper around that.

There was really no way to migrate this and keep the existing test files
as they were because the entire structure has been changed.

This will be the recommended way to do federation plugins in future and
keep the auth logic out of keystoneauth as much as possible (as kerberos
already does).

The intention will be that later we should be able to extract the SAML
ECP requests plugin into its own upstream module.

Change-Id: I4a7377b9350741e8f7a4ed2a49a7e2442eacdd23
2016-07-18 00:24:37 -04:00
Adam Young
d86df8613e Add entrypoint for Federated Kerberos
Closes-Bug: 1593885

Change-Id: I6cf01a796d96001812ef078acfde9a367f216b7a
2016-06-18 07:40:15 -04:00
Colleen Murphy
bf53e7e044 Fix kerberos available property
Kerberos is available if the requests_kerberos module was successfully
loaded in keystoneauth.extras.kerberos. kerberos_requests has no
meaning and causes keystoneauth1 to raise an error:

 AttributeError: "'module' object has no attribute 'kerberos_requests'"

But this gets eaten by stevedore[1] so if logging is not set up the
result is that v3kerberos silently fails to load. This patch fixes the
typo that causes this.

[1] http://git.openstack.org/cgit/openstack/stevedore/tree/stevedore/extension.py?id=01b09a5c1d683007d86fec09594db9f5787805f3#n169

Change-Id: Ie7445e99d710bd238db7ce04a8610bd54c2d6ae7
2016-06-15 15:51:56 -07:00
Colleen Murphy
fc95d25544 Make the kerberos plugin loadable
This patch adds a BaseLoader class for the Kerberos plugin and an entry
point in setup.cfg.

Since the plugin file is being renamed, also fix the comment that
refers to the library as 'keystoneauth' - it is called 'keystoneauth1'
and trying to install 'keystoneauth' will cause the outdated version of
the library to be installed and kerberos will not work.

To make sure the plugin was loadable, this was tested using a version
of python-openstackclient that had been migrated to keystoneauth[1].

[1] https://review.openstack.org/#/c/276350/

Change-Id: Id339295c795f6bf1b428dac8fc9f79d2f5fb453f
Closes-bug: #1567257
Partial-bug: #1567260
2016-06-10 15:59:20 +00:00
Jamie Lennox
c10722b789 Add oauth plugin to keystoneauth
OAuth1 has been supported by keystone for a long time, and was supported
as an authentication plugin in keystoneclient. Port this work to
keystoneauth and add the ability to load it from the CLI.

Closes-Bug: #1524862
Change-Id: Ie53aeb1b926104cac692cd98551a701522f7fec4
2016-05-10 14:31:59 +10:00
Navid Pustchi
2caee11017 Fixing D301 docstring.
Currently tox ignores D301 (D301: Use r""" if any backslashes in a
docstring). This change removes D301 ignore.
All pep8 violations are fixed.

Change-Id: Icfe41f21ce26e687c322daca4a927de2ebdb9848
2016-04-19 06:35:59 +00:00
Navid Pustchi
2e0c0030a9 Removing tox ignore D400.
Currently tox ignores D400 (D400: First line should end with a period).
This change removes D400 ignore.
All pep8 violations are fixed.

Change-Id: I9190a15a36c90d3c60a9c520cb53d5f182b0c4e9
2016-04-18 21:20:51 +00:00
Prosunjit Biswas
7d448dbc55 Fix for PEP8 violation - D202
(No blank lines allowed after function docstring.)

Change-Id: Ice629f0ef8b1431f0c4655ff37efe0cd5e9c86ec
2016-03-30 04:18:34 +00:00
Brant Knudson
fcd9538eaf Mark password/secret options as secret
Password, token, and secret options should be marked as secret=True
so that when the value is logged the logger knows to obfuscate the
value.

Change-Id: I4818c4cc04cc6a4e1e3cf09d5e0b7b4ffefbb892
Closes-Bug: 1534299
2016-01-15 22:43:38 +00:00
hgangwx
35cad4a2ef Wrong usage of "a"
Wrong usage of "a" in the messages:
"build a etree.XML object"
"Return a object representing the list"

Should be:
"build an etree.XML object"
"Return an object representing the list"

Totally 2 occurrences in keystoneauth base code.

Change-Id: I0299e16d5340b4f062e119dc95a529b812f7606c
2015-12-30 19:43:56 +08:00
Brant Knudson
2baf7c49ad Migrate kerberos plugin
The auth plugin from the keystoneclient-kerberos repository is
copied to this package. It was in its own repository because it
requires the requests-kerberos package and we want to minimize
requirements in keystoneauth (or keystoneclient at the time the
plugin was originally developed). Since we've got support for
"extras" in setup.cfg in pip now this isn't an issue with the
package anymore. Users of the kerberos plugin must install the
extra packages using

 $ pip install keystoneauth['kerberos']

otherwise the plugin will fail to load.

Closes-Bug: 1512741
Change-Id: Ia84bf559413e9bfd1a3faaceb417c2477bd10d5f
2015-11-10 10:05:57 -06:00
Jamie Lennox
f147a1b095 Split ADFS and SAML2 plugins
There is a fair bit of code here. Split the ADFS and SAML2 plugins into
their own files so that they are easier to refactor.

Change-Id: I76b0d6e7a0dd54d09ef8ed1633e9c85924a9228c
2015-11-04 15:25:36 +11:00
Marek Denis
34993d332c SAML2 authentication plugins in keystoneauth
Move SAML2 related auth plugins directly to keystoneauth.
Since SAML2 plugins require ``lxml`` which is a heavy dependency,
plugins will be installed on request:

$ pip install keystoneauth[saml2]

Authentication plugins have been renamed to Saml2Password
and ADFSPassword.

Change-Id: I7872f7524902e4b723ab685c684e16162a4af781
Implements: bp saml2-to-ksa
2015-11-04 15:09:56 +11:00
Jamie Lennox
bb98d0182d Declare an extras directory for plugins
Create an extras directory and add some explanatory documentation for
dealing with plugins defined in extras.

Change-Id: Ibdd6bc16f38d1b9ca38db775671876458ec60e7a
2015-11-03 14:31:36 +11:00