86 Commits

Author SHA1 Message Date
Eric Fried
498320a5fb Nix EndpointData.get_versioned_data(authenticated)
Remove unused `authenticated` kwarg from as-yet-unreleased public API
EndpointData.get_versioned_data, and private method
EndpointData._set_version_info.

Change-Id: I03a9969df4586c79b6b63d44fcb5474dd94e6ba2
Closes-Bug: #1703446
2017-07-10 14:44:47 -05:00
Monty Taylor
429b19c88c Ensure we discover only when we should
There are two interrelated pieces in this patch which are around
fixing up places where discovery was being re-run inappropriately.
They fall out from adding tests for the functionality and couldn't
be sanely shifted back further in the stack without a big dance.

Switch the default for "discover_versions" on all of the calls that
return an EndpointData to "True". It's a new feature and is a thing that
doesn't make a ton of sense to call if you don't want discovery run.
However, get_endpoint uses it, so needs to be able to pass in
discover_version=False, so the option is still useful. Make sure that
get_endpoint and other places where ksa calls get_endpoint_data on
behalf of the user work as before without unneeded discovery.

Add tests to show that we actually use the discovery cache properly when
we've previously done discovery that can satisfy the new request. This
works from the microversion optimization patch, but we had to clean up
a couple of things to show it fully in a test.

Change-Id: I54053336edf1b3c2bd35a77dbd78f56388b8e806
2017-06-29 08:03:35 -05:00
Monty Taylor
2b949de8e9 Support a list of interface values
Sometimes, especially in places like service-to-service defaults, it's
very helpful to express a list of values. For instance, when thinking
about nova connecting to ironic, nova would like to have the default
value of "interface" be ['internal', 'public'] - which is to say, use
internal if it's there, but otherwise use public. This use case is covered
in the API-WG specs on discoverability.

Change-Id: I9102155c2d4ef1ef8bbb1d0fa26a5b5838108a4c
2017-06-29 08:03:34 -05:00
Monty Taylor
46054f42d4 Optimize matching version no microversion needed
In the case where we're just asking for an endpoint, and the endpoint in
the catalog matches the requested version, there is no need to fetch the
version discovery document.

Change-Id: I2c14337a3fcb1369652d43ca68e6a572fef6d425
2017-06-29 08:03:34 -05:00
Monty Taylor
d2ef0287a3 Plumb endpoint_override through get_endpoint_data
If a user has provided an endpoint_override, they may still be
interested in version discovery data for the endpoint. Doing that is
always an opt-in behavior, so we set the strictness flag to prevent any
URL manipulations. We'll either return data or None.

Change-Id: I673beafd1e55fd096bb221b2ca6794bb124653b8
2017-06-29 08:03:34 -05:00
Monty Taylor
d658f84a0f Add support for version ranges
Just wanting "latest" isn't the full picture. A client could support,
say, v1 and v2 of an API but not v3 and would like to find an
appropriate matching endpoint.

Add two new arguments, min_version and max_version, rather than
repurpose the version argument.

This changes the behavior of versioned_data_for and versioned_url_for in
the case where version=None. Before that would return None, now it
returns the information about the endpoint that was in the catalog.

The booleans in this are a bit hard to read, as are the fun times with
latest and things being or not being defined. It's time to make the
versions into objects, but we'll do that as a followup.

Change-Id: I8ba948a712002775098b0a86c70f05e0c68250f5
2017-06-29 08:03:25 -05:00
Monty Taylor
cdc10d8741 Add flags to turn discovery on and off
If a user does not specify a version, that means they want whatever is
in the catalog. However, they may still want discovery to be run for
things like microversion information. The new parameter
"discover_versions", if set to True, will run discovery even with no
version parameter. The inverse of this is "skip_discovery" which will
tell keystoneauth to not run discovery even if a version has been given.

Note: This adds some parameters to some methods that get removed by
change I54053336edf1b3c2bd35a77dbd78f56388b8e806 so we should not
actually land this one until we're ready to land the stack up to and
including that one.

Note: This adds two new methods that will have behavior changes in
patch I8ba948a712002775098b0a86c70f05e0c68250f5.

Change-Id: I897c39743089c5994b51336a4ad44eebed33ec35
2017-06-29 07:39:18 -05:00
Monty Taylor
a4066a86b5 Add url manipulation and microversion collection
From the API-WG spec, there are two common patterns for service URLs
that can be interpreted. Trailing project_id and a string that starts
with v. If the project_id is in the URL, it needs to be removed before
discovery can happen, but it needs to be put back on to the url found
via discovery. If the endpoint in the catalog has a version, and it
matches the version we're asking for, then we don't need to go hunting
for the unversioned doc.

Also, in the EndpointData we're collecting, we want to grab microversion
info, since we're already there in the discovery doc.

There is one behavior change that can be seen in the tests. If the
attempt at an unversioned discovery endpoint fails, we fall back to the
url from the catalog ... but we attempt to get a discovery document from
it because we need the metadata for microversions. The catalog URL should be
returned as the endpoint even if the second discovery call attempt
succeeds, so the user-facing interface is the same - there will just be,
in some cases, an additional URL fetch behind the scenes.

Change-Id: I2a036d65e4f7dba6f50daf6a0ce4589ee59ae95f
2017-06-26 06:00:34 -05:00
Monty Taylor
e89e354335 Move version discovery logic to keystoneauth1.discover
As part of implementing the API-WG spec on version discovery, there are
more version manipulations and logic that need to happen between
fetching from the catalog and doing discovery.

Move the logic for doing that into the discovery file and attach it to
the EndpointData object.

This changes 2 interfaces, but neither of those interfaces have been in
a release.

The method "discover_versions" is renamed to "get_versioned_data" - since
the work it does is actually to get a versioned EndpointData object.

It also now returns a new EndpointData object instead of mutating the
existing one. Especially with the name change, mutation seemed really
off.

Change-Id: Ifeeac7af1ebd9d2d59a30d4503c8bcc0137e9370
2017-06-26 06:00:31 -05:00
Monty Taylor
68e0fe5179 Rework discovery cache
Allow the user to pass in a cache dict that will be used
in addition to the session and auth level caches. Make Session
always have a discovery_cache attribute and allow the user to
provide the cache at Session creation time. Finally, rename
the private variable to _discovery_cache from _endpoint_cache
since it's caching discovery objects, not endpoints.

Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
Change-Id: I0a0f489fd3bbecc4596e99acafcde1bff4e181f7
2017-06-25 16:31:27 -05:00
Monty Taylor
337e5af637 Add returning EndpointData objects from discovery
The existing version discovery process is awesome, but in the normal flows it
ultimately returns urls, not the full endpoint data, so it's not
possible to know what version was discovered.

Make an EndpointData object that gets created and plumb that through the
stack so that it's possible to request EndpointData instead of just
endpoints. The existing discovery logic is unchanged, and the existing
methods continue to return the data they returned before.

Change-Id: Id48861e7d6d20be16f61cb375a21bca4a43a2500
2017-06-09 09:01:54 -05:00
Samriddhi
d0cdc355a4 Updated inconsistent value of scope parameter
For explicit unscoped authentication, the keystone server
specifies the scope parameter value as 'unscoped'. However
keystoneauth1 initialises it to {'unscoped': {}}. This
patch removes this inconsistency.

Updated the corresponding test for unscoped request which
checks the scope parameter in auth to match the 'unscoped'
string.

Partial-Bug #1637682

Change-Id: I1c9d89fd86773f4acecbefcdad4dca6cff16b58d
2017-04-04 19:51:18 +05:30
Jamie Lennox
3ce5cb4bf6 Add an allow_version_hack flag to session and identity plugins.
Whilst historically we always wanted keystoneauth to do the most
permissive thing and allow a versioned or unversioned entry in a service
catalog there are now cases where we would prefer to fail when the
catalog is misconfigured. This will allow a client to opt out of
versioned catalog endpoints to insist that the deployment is correctly
configured.

Closes-Bug: #1668484
Change-Id: Ided0e0c7409994f703175fe61bd4043b840bcf1e
2017-02-28 19:21:55 +11:00
Jamie Lennox
3364703d3b Include the auth_url in the discovery failure message
The failed to discover message pops up a lot because it means that we
didn't get a sensible response to the version list request a plugin
makes. Debugging this can be a pain, but it's easier if we at least know
the URL that failed to be called.

Change-Id: Ibaa89b43b23ebacb72f441fde01dfd79b927f977
2017-02-24 10:30:41 -05:00
Gage Hugo
fe5ded5e80 Fixed multiple target Auth warning in docstring
When building keystoneauth docs, the following warning would be
emitted:

docstring of
keystoneauth1.identity.v3.base.AuthMethod.get_auth_data:None:
WARNING: more than one target found for cross-reference u'Auth':
keystoneauth1.identity.v2.Auth,
keystoneauth1.identity.v3.base.Auth,
keystoneauth1.identity.v3.Auth

for the following files:

keystoneauth/keystoneauth1/identity/v3/base.py:docstring of
keystoneauth/keystoneauth1/identity/v3/__init__.py

This change specifies the correct Auth object in get_auth_data's
docstring and the two warnings no longer appear.

Change-Id: I2b204c9dfac1b6578620048ebbdf2c2b00ab5248
2017-02-08 15:25:35 -06:00
gengchc2
a00b8d844d Replace six.iteritems() with .items()
1.As mentioned in [1], we should avoid using
six.iteritems to achieve iterators. We can
use dict.items instead, as it will return
iterators in PY3 as well. And dict.items/keys
will be more readable. 2. In py2, the performance
about list should be negligible, see the link [2].
[1] https://wiki.openstack.org/wiki/Python3
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html

Change-Id: I9f8f2c35f0d45d866076507a3a167aaafb8382e5
2016-12-09 10:59:00 +08:00
Juan Antonio Osorio Robles
08539ec4d6 Add reauthenticate to generic plugins
Currently, the plugins supported in the generic plugins all have a
reauthenticate option, however, this is not passed anywhere in the
generic plugin interface. This adds it to the base class in order to
support this, and provide a more interchangeable interface between
the version-specific plugins and the generic one.

Change-Id: I35f1c9dcd20017b9c442b04c142e46cad4d15eb4
Closes-Bug: #1643782
2016-11-22 09:59:14 +02:00
melissaml
f2242de6fe Fix a typo in base.py
TrivialFix

Change-Id: I6e7ea9bafd59a0915d3f88df595a0653af2a0f1e
2016-11-17 23:10:23 +08:00
gecong1973
e1bf1f0e83 Fix a typo in base.py
TrivialFix

Change-Id: Ifffcea354e785a7fc5720e15d3bd259be559f13e
2016-10-13 09:42:13 +08:00
Jamie Lennox
01b7c87285 Implement caching for the generic plugins.
When caching was implemented it was added to the v2 and v3 plugins but
for some reason the generic plugins were missed.

To do generic plugin caching we'll skip even trying to figure out the
inner plugin for now and just load the authentication for the generic.

Closes-Bug: #1616261
Change-Id: Icbb8acde0dca084f4a221f8ebff5503d5bdc219a
2016-10-04 16:00:32 +11:00
Ji-Wei
2d3e376a2c Raise NotImplementedError instead of NotImplemented
NotImplementedError is the name of the exception
(https://docs.python.org/2/library/exceptions.html).
NotImplemented is the name of a constant
(https://docs.python.org/2/library/constants.html).

This patch fixes it.

Change-Id: Icfbc0603d03e2001d1494027c492059687e15fa7
Closes-Bug: #1339855
2016-09-09 02:56:31 +00:00
Jamie Lennox
b7b887c519 get_endpoint should return None when no version found
After patch Ia08538ccf00c9063dc0d284c5ece9a969c15500a the urljoin would
ensure that a URL was always returned from the get_endpoint method even
when the version was not available. This breaks plugin discovery and a
number of other areas.

Change-Id: I04014b6e770c2e9708c5f9c81c3160d51603ad0c
Closes-Bug: #1616720
2016-08-25 13:49:35 +10:00
Jamie Lennox
fe7ea40ea5 Allow identity plugins to discover relative version urls
When using a reverse proxy or TLS terminator it can be really hard to
correctly specify a URL in version discovery that is correct for all
situations.

Make it so that a relative URL in a discovery document is joined to the
queried URL to always return a fully qualified URL to the identity
plugins.

Change-Id: Ia08538ccf00c9063dc0d284c5ece9a969c15500a
Closes-Bug: #1614304
2016-08-18 09:57:37 +10:00
Alvaro Lopez Garcia
31796b370f Add missing class name to tuple of public objects
The class name OidcClientCredentials is missing in the __all__ list of
public objects from keystoneauth1/identity/v3/oidc.py, therefore it
couldn't be loaded.

Change-Id: Ife9f58f14d31863904673c962c06cc1d3df4b49d
Closes-bug: #1608419
2016-08-01 11:00:22 +02:00
Jenkins
973ef586e8 Merge "oidc: implement client_credentials grant type" 2016-07-22 19:55:13 +00:00
Alvaro Lopez Garcia
712ee40544 oidc: add missing 'OidcAccessToken' to __all__
Change-Id: Ib0bfed8a85729dced59e64d31e85c6a41631f9b1
2016-07-20 10:03:44 +02:00
Alvaro Lopez Garcia
e5fd66ca35 oidc: implement client_credentials grant type
Change-Id: If1538726cb7e4cb87fad82c5daf50c67b161b52d
2016-07-20 09:59:05 +02:00
Alvaro Lopez Garcia
9bf4efde46 oidc: move the get_unscoped_auth_ref into the base class
The method get_unscoped_auth_ref in each of the plugins is essentially
the same, except for the payload that will be exchanged with the server.
We can move it to the base class and implement the payload generation in
each plugin.

Change-Id: I4abb414fc3709ab6eb433641269137d1dbb77e6a
2016-07-14 11:15:27 +02:00
Alvaro Lopez Garcia
885aff00ac oidc: deprecate grant_type argument
The OpenID Connect grant type is something implicit to our plugins,
so there is no need to pass it as a keyword argument, we can define
this as a class argument. Moreover, it makes no sense to pass a
grant_type that is different to the grant type that is being
implemented. This change deprecates the keyword argument (showing a
warning to the users if they're passing it) and checks if the
grant_type is different to the one defined by the plugin itself.

Change-Id: I4fffc2c651487d3240bbc8458ad728b06b0ffa64
2016-07-14 11:08:29 +02:00
Alvaro Lopez Garcia
00746ea636 oidc: add discovery document support
OpenID Connect specifies that all providers must return a JSON
discovery document [1] in a well-known location. We can let the user
pass this document instead of the individual endpoints (i.e. token and
authorization endpoint). Moreover, we can also check if the requested
grant_type (implicit to the used plugin, and one of client_credentials,
password, authorization_code) is supported by the provider before
starting the auth flow.

[1] https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

Fixes-bug: #1583682
Change-Id: I24b7960b25ddcff45552c0ab5541d92122d1d560
2016-07-14 10:19:10 +02:00
ji-xuepeng
f2cc77cba0 remove unused LOG
This is to remove unused LOG to keep code clean.

Change-Id: Iaf511b4d61590a9e014ab6a37a2c2b91c3916238
2016-07-10 13:29:53 +08:00
Jenkins
01d040b2be Merge "Auth plugin for X.509 tokenless authentication" 2016-07-06 03:53:26 +00:00
chioleong
e203d61092 Auth plugin for X.509 tokenless authentication
An auth plugin that allows service clients to be authenticated
with the X.509 tokenless authentication. Please find typical configured
options in authentication-plugins.rst

implements bp keystone-tokenless-authz-with-x509-ssl-client-cert

Change-Id: Ie0298f0ef7f3891cfc81072ab9ef9e501773fe5f
2016-07-05 17:11:36 -07:00
Alvaro Lopez Garcia
68a7962488 oidc: fix OpenID scope management
The OpenID scope is something common to all the OpenID grant types,
therefore we move the OIDC scope parameter 'scope' from the OidcPassword
class into the base _OidcBase class, moving the option as well into the
corresponding loader.

Moreover, OpenID scopes are not handled properly, as the loaders have
the option defined as "openid-scope" whereas the class constructor
argument is named "openid".

Lastly, OpenID states that the OpenID scope MUST contain "openid" at
least, so we should include this in our defaults argument.

Closes-Bug: #1594272
Closes-Bug: #1597334
Change-Id: I9a242ae93a61737d032c19830c5d89ef6237f875
2016-07-04 11:08:55 +02:00
guang-yee
9e29e6e9c5 Support TOTP auth plugin
Add support for time-based one-time password (TOTP) authentication.

Change-Id: I004677ac7f0e2fb8c059ad14868e661e8ee4c1f9
2016-06-13 11:40:43 -07:00
Alvaro Lopez Garcia
4343ce524a Let Oidc* auth plugins accept scope parameters as kwargs
The OidcPassword and OidcAauthCode auth plugins should accept scope
parameters like the project, otherwise it would be impossible to get a
scoped token, making python-openstackclient fail.

Closes-Bug: #1582774
Change-Id: I960d67b4529afbc83eff0da945677b2fd83973e1
2016-05-28 02:48:51 +00:00
Alvaro Lopez Garcia
553a523830 oidc: add OidcAccessToken class to authenticate reusing an access token
Some services or users may have obtained an access token, so it would be
possible to authenticate using this token directly (for example a
service where the user has already logged in). This new class makes it
possible to use an access token to authenticate directly with Keystone,
exchanging it for a Keystone token.

Closes-bug: 1583780
Change-Id: I5a31270194a3d1aa48de709dba49afde460731e2
2016-05-20 09:31:09 +02:00
Alvaro Lopez Garcia
1c07cddcb2 oidc: fix typo in docstring
Change-Id: Ia18cd69e82b4cba459246c0beb046a8b50f03394
2016-05-19 17:15:06 +02:00
Alvaro Lopez Garcia
fe773c9b95 oidc: DRY when obtaining an access token
Obtaining the access token from the access token URL is done in the
same way, regardless of the grant_type being used, with the only
difference of the payload exchanged. This change tries to remove
duplicated code.

Change-Id: I0f77e664f3b0064a76128e21ea177bc07e3a19d7
2016-05-19 17:15:05 +02:00
Alvaro Lopez Garcia
f678ecd34e oidc: DRY when obtaining a keystone token
All the exchange of an access token with the protected auth URL is done
in the same way, so we can remove duplicated code.

Change-Id: I99d9e53fea404a566284e57d5b0c287c1a56f53e
2016-05-19 17:15:05 +02:00
Alvaro Lopez Garcia
356f5e3717 oidc: Remove unused parameters in _OidcBase
Some methods in _OidcBase accepted a parameter to indicate the URL where
a request was to be made:

- _get_keystone_token accepted federated_token_url, the URL for
  federated authentication.
- _get_access_token accepted access_token_endpoint, the URL used to get
  an oidc access token.

However, the methods were using internally the object attribute
self.access_token_endpoint and the property self.federated_token_url,
therefore the parameters were completely ignored. This change removes
them and adjusts the derived classes.

Change-Id: Ibc2157d47cb0edd59c4d966bae77c102423f97ae
2016-05-19 17:14:51 +02:00
Colleen Murphy
118c9629e5 Expose allow parameters for URL discovery
The Discover class can filter API versions by experimental status, deprecated
status, and unknown status, and potentially more designations in the future.
The parameters that control this were not exposed in the Session or Adapter, so
users could not take advantage of this filtering through normal means. This
patch creates an 'allow' parameter for the Adapter that will get passed down as
keyword arguments into Discover.raw_version_data().

Now, given an unversioned endpoint like:

    $ openstack endpoint show cinder
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | adminurl     | http://192.168.122.183:8776      |
    | enabled      | True                             |
    | id           | 485107c1d92b41829c331a2dc82aaaeb |
    | internalurl  | http://192.168.122.183:8776      |
    | publicurl    | http://192.168.122.183:8776      |
    | region       | RegionOne                        |
    | service_id   | 01b4f36a173d4c59b31fc95763095373 |
    | service_name | cinder                           |
    | service_type | volume                           |
    +--------------+----------------------------------+

an Adapter can be used like this (this example would be expected to fail
since it disallows the deprecated volume V1 API):

    auth = Password(<auth_params>)
    sess = session.Session(auth=auth)
    adptr = adapter.Adapter(sess)
    adptr.get('<project-id>/volumes',
              endpoint_filter={'service_type': 'volume',
                               'interface': 'public',
                               'version': 1},
              allow={'allow_deprecated': False})

This is inspired by an abandoned patch to keystoneclient[1] that exposed this
information as a tuple. The problem with exposing it like that is that
raw_version_data() defaults allow_deprecated to True, so including 'deprecated'
in the tuple or not including it would have the same result. Using a dict
allows us to keep the Discover interface the same.

[1] https://review.openstack.org/#/c/130159

Co-authored-by: Endre Karlson <endre.karlson@hp.com>

Change-Id: I54c29e1c2a4a2b02a3967f4ea108b8d2533616eb
Closes-bug: #1394245
2016-05-08 10:23:21 -07:00
Rodrigo Duarte
1a2a579393 Add 303 as redirect code for k2k plugin
Some service providers, like mod_mellon, return a 303 response
upon successful authentication. The "requests" package only
considers 302, as per the following example::

  >>> import requests
  >>> requests.codes['found']
  302

Change-Id: I5797f490f2e57d1c952e769bc0ef4b96c08f9a83
Related-Bug: 1501918
2016-04-25 18:53:19 -03:00
Navid Pustchi
21d5ba92e0 Fix H405, D105, D200, and D203 PEP257
Currently tox ignores H405, D105, D200, and D203.
H405: multi line docstring summary not separated with an empty line.
D105: Missing docstring in magic method.
D200: One-line docstring should fit on one line with quotes.
D203: 1 blank required before class docstring.
This patch removes the tox ignores and fixes docstrings.

Change-Id: Ia3ac9796630e24ce04dc9f38a8d944334d6978d2
2016-04-19 21:05:19 +00:00
Navid Pustchi
2caee11017 Fixing D301 docstring.
Currently tox ignores D301 (D301: Use r""" if any backslashes in a
docstring). This change removes the D301 ignore.
All pep8 violations are fixed.

Change-Id: Icfe41f21ce26e687c322daca4a927de2ebdb9848
2016-04-19 06:35:59 +00:00
Navid Pustchi
2e0c0030a9 Removing tox ignore D400.
Currently tox ignores D400 (D400: First line should end with a period).
This change removes D400 ignore.
All pep8 violations are fixed.

Change-Id: I9190a15a36c90d3c60a9c520cb53d5f182b0c4e9
2016-04-18 21:20:51 +00:00
Navid Pustchi
01cf25ad36 Removing tox ignore D401 and make keystoneauth compliant
Currently tox ignores D401 (D401: First line should be in imperative mood).
This change removes it and makes keystoneauth docstrings compliant with it.

Change-Id: Ia3bc1ecf0d2bd9699e9a1a549f9995c008db233c
2016-04-13 18:46:05 +00:00
Prosunjit Biswas
7d448dbc55 Fix for PEP8 violation - D202
(No blank lines allowed after function docstring.)

Change-Id: Ice629f0ef8b1431f0c4655ff37efe0cd5e9c86ec
2016-03-30 04:18:34 +00:00
Stuart McLaren
ae2e6f4dc3 Allow seeing full token response when debug enabled
In many situations it can be useful to see the full token response.

Print v3 token response when in debug mode. This will allow the
response to be seen when '--debug' is specified with the openstack CLI:

 {
     "token": {
         "methods": [
             "password"
         ],
         "roles": [
             {
                 "id": "93bff41cabda4def87cc9d83aaaa7479",
                 "name": "Member"
             },
             .
             .
             .

Change-Id: I9d09648efb09dac1fb62b349c690a2eb01c1538e
Closes-bug: 1556977
2016-03-15 16:25:49 +00:00
Jenkins
943fde7d50 Merge "Remove unavailable parameter" 2016-03-02 00:54:29 +00:00