The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
Update local hacking checks for new flake8.
Remove hacking and friends from lower-constraints, those are not
needed for co-installing.

The ADFSPassword plugin currently sets the WS-Policy 'AppliesTo'
EndpointReference Address in the WS-Trust RequestSecurityToken message
to the value specified in the 'service-provider-endpoint' option. This
may not be desirable if the Service Provider's SAML entity ID differs
from the WS-Federation Passive Endpoint (i.e. service provider endpoint)
consuming the WS-Trust RequestSecurityTokenResponse.
This commit introduces the ability to specify the EndpointReference used
in the RequestSecurityToken message via the 'service-provider-entity-id'
option. If omitted, the EndpointReference defaults to the value provided
in the 'service-provider-endpoint' option to preserve backward

The current V3ADFSPassword plugin is unable to return a scoped token in
“access.create(resp=self.authenticated_response)” due to scoping info
not being passed from V3ADFSPassword to the parent class.
This change adds kwargs when calling the parent class’ init method
(as performed by other plugins) to ensure the scoping info is correctly

This change removes the soon-to-be unused "warnerrors" setting,
which will be replaced by "warning-is-error" in sphinx
releases >= 1.5. This also pre-emptively fixes most warnings
that came up when testing with sphinx >= 1.5:
- Multiple cases of Opts
- Redundant loading of todo extension
Added a comment not to enable the new sphinx setting until
the issues with Changelog building are fixed.
Added setup.py to the list of files to ignore when building

During SAML ECP authentication 2 specially formatted HTTP headers
*MUST* be included in the request in order for the SP (Service
Provider) to recognize the client is ECP capable and to start the SAML
ECP flow. One is the PAOS header and the other is the Accept header
which must include the "application/vnd.paos+xml" media type. Media
types in the Accept header are separated by a comma (,). Unfortunately
keystoneauth uses a semicolon (;) as the media type separator. The
HTTP spec reserves the semicolon in the Accept header to attach
parameters to the media type. For example
Using a semicolon as a media type separator is syntactically invalid
and can cause failures in servers that parse the Accept header. For
example mod_auth_mellon emits this error message and fails to process
the ECP request:
request supplied valid PAOS header but omitted PAOS media type in Accept header
have_paos_media_type=False valid_paos_header=True is_paos=False
This indicates only 1 of the 2 required conditions were met.
Signed-off-by: John Dennis <email@example.com>
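
The Accept header failure described in the commit message above, as an added example that is not code from keystoneauth or mod_auth_mellon: a small parser that splits media types on commas and parameters on semicolons, then applies the two-condition check reported in the log. The function names mirror the log fields, the header values are constructed, and the PAOS header check is a simplified assumption.

```python
# Added example: constructed header values, not taken from keystoneauth
# or mod_auth_mellon.
PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
PAOS_VERSION = "urn:liberty:paos:2003-08"
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"


def parse_accept(value):
    """Parse an Accept header into [(media_type, params_dict)].

    Commas separate media types; semicolons attach parameters (q=0.9 etc.).
    """
    ranges = []
    for item in value.split(","):
        parts = [p.strip() for p in item.split(";")]
        media_type = parts[0].lower()
        if not media_type:
            continue
        params = {}
        for param in parts[1:]:
            name, _, val = param.partition("=")
            params[name.strip().lower()] = val.strip().strip('"')
        ranges.append((media_type, params))
    return ranges


def have_paos_media_type(accept):
    return any(mt == PAOS_MEDIA_TYPE for mt, _ in parse_accept(accept))


def valid_paos_header(paos):
    # Simplified check (assumption): ver= names the PAOS version and the
    # ECP service URN appears among the quoted values that follow it.
    first, _, rest = paos.partition(";")
    name, _, ver = first.partition("=")
    services = [v.strip().strip('"') for v in rest.replace(",", ";").split(";")]
    return (name.strip().lower() == "ver"
            and ver.strip().strip('"') == PAOS_VERSION
            and ECP_SERVICE in services)


def is_paos(headers):
    """Both conditions must hold for the SP to start the ECP flow."""
    return (have_paos_media_type(headers.get("Accept", ""))
            and valid_paos_header(headers.get("PAOS", "")))


PAOS = 'ver="%s";"%s"' % (PAOS_VERSION, ECP_SERVICE)
# Constructed requests: same media types, different separator.
BROKEN = {"Accept": "text/html; application/vnd.paos+xml", "PAOS": PAOS}
FIXED = {"Accept": "text/html, application/vnd.paos+xml;q=0.9", "PAOS": PAOS}
```

With the semicolon separator the PAOS media type is parsed as a parameter of `text/html`, so the request reproduces the logged state: a valid PAOS header, no PAOS media type, and `is_paos` false.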

The auth plugin was not loading when called from the CLI due to the
mismatch of variable argument parameter calling convention. This was
due in part to not specifying the parameters properly in the plugin, and
also due to extending from the wrong base class.

The ADFS plugin doesn't correctly catch when lxml is not available. This
will fail when a user then tries to iterate all available plugins.

This is a major refactoring of the SAML2 plugin to move the logic into a
standalone requests auth plugin, and then have the keystoneauth plugin
simply provide a wrapper around that.
There was really no way to migrate this and keep the existing test files
as they were because the entire structure has been changed.
This will be the recommended way to do federation plugins in future and
keep the auth logic out of keystoneauth as much as possible (as kerberos
The intention will be that later we should be able to extract the SAML
ECP requests plugin into its own upstream module.

This patch adds a BaseLoader class for the Kerberos plugin and an entry
point in setup.cfg.
Since the plugin file is being renamed, also fix the comment that
refers to the library as 'keystoneauth' - it is called 'keystoneauth1'
and trying to install 'keystoneauth' will cause the outdated version of
the library to be installed and kerberos will not work.
To make sure the plugin was loadable, this was tested using a version
of python-openstackclient that had been migrated to keystoneauth.

OAuth1 has been supported by keystone for a long time, and was supported
as an authentication plugin in keystoneclient. Port this work to
keystoneauth and add the ability to load it from the CLI.

Password, token, and secret options should be marked as secret=True
so that when the value is logged the logger knows to obfuscate the

Wrong usage of "a" in the messages:
"build a etree.XML object"
"Return a object representing the list"
"build an etree.XML object"
"Return an object representing the list"
Totally 2 occurrences in keystoneauth base code.

The auth plugin from the keystoneclient-kerberos repository is
copied to this package. It was in its own repository because it
requires the requests-kerberos package and we want to minimize
requirements in keystoneauth (or keystoneclient at the time the
plugin was originally developed). Since we've got support for
"extras" in setup.cfg in pip now this isn't an issue with the
package anymore. Users of the kerberos plugin must install the
extra packages using
$ pip install keystoneauth['kerberos']
otherwise the plugin will fail to load.

Move SAML2 related auth plugins directly to keystoneauth.
Since SAML2 plugins require ``lxml`` which is a heavy dependency,
plugins will be installed on request:
$ pip install keystoneauth[saml2]
Authentication plugins have been renamed to Saml2Password
Implements: bp saml2-to-ksa