The directory openstack/common was used to keep code from
oslo-incubator. We have retired oslo-incubator, so don't use
this directory any more.
Change-Id: I8ac81a0615f9d2e35012d95ceab3c21986b256ba
The plugin documentation had some errors, like:
- Erroneous Python code
- Missing OpenID Connect plugins.
- Not in alphabetical order.
Change-Id: I92cd40b130e55b04476b723db9bf7c309427832d
The class name OidcClientCredentials is missing in the __all__ list of
public objects from keystoneauth1/identity/v3/oidc.py, therefore it
couldn't be loaded.
Change-Id: Ife9f58f14d31863904673c962c06cc1d3df4b49d
Closes-bug: #1608419
The ADFS plugin doesn't correctly catch when lxml is not available. This
will fail when a user then tries to iterate all available plugins.
Closes-Bug: #1608169
Change-Id: Ie9d228751306e6df24b43a62392a8f903f82ab82
_auth_required() already prepends the string
"An auth plugin is required to" to the message callers
pass in. Change get_auth_connection_params() to pass
a correct, shortened string.
Change-Id: Iab9c6d7fa92e0d5400dece2f9a18a7a5d3cad497
In unittest2, assertDictEqual() is implemented by
using the != operator to compare two dicts. So is
assertEqual() in testtools. assertEqual() in
testtools is able to handle dict, list, set and so
on. So we just call assertEqual() to make the unit
tests simpler.
Change-Id: Id90d1445053f295d36d52bf95794847ed524087d
If oauthlib is not available the oauth plugins should not be marked as
available when iterating plugins.
Change-Id: Idabb7adf61dc5ca36fc1524af47e346f8f296245
Extras documentation has a link for "extras dependencies" that
results in a "404 Not Found" error page. This patch fixes the doc
link to the correct URL from setuptools online doc.
Closes-Bug: #1604168
Change-Id: I8846f05a33eb6886004f551fc659b77cb8285de0
Saving json responses all on one line escaped inside of json
cassettes is great for computers, but is impossible for humans to
read. Add a serializer that is nicely flowed yaml that emits
multi-line values as yaml blocks. Additionally, re-flow and indent
the nested json, which will stay as json.
An example of the output produced can be seen at:
https://review.openstack.org/#/c/328338/2/shade/tests/unit/fixtures/test_create_flavor.yaml
Hook it in to the keystoneauth1 betamax fixture by default, because
why in the world would you want ugly when you can have pretty?
Change-Id: I457408fcbbdca240090228d18f0482f958a7d6e4
The existing version is failing open, which can cause errors to show up.
The new version doesn't fail this way.
Change-Id: I711b6aa286908040aa6ea5f93f76b8bc512d56ed
This is a major refactoring of the SAML2 plugin to move the logic into a
standalone requests auth plugin, and then have the keystoneauth plugin
simply provide a wrapper around that.
There was really no way to migrate this and keep the existing test files
as they were because the entire structure has been changed.
This will be the recommended way to do federation plugins in future and
keep the auth logic out of keystoneauth as much as possible (as kerberos
already does).
The intention will be that later we should be able to extract the SAML
ECP requests plugin into its own upstream module.
Change-Id: I4a7377b9350741e8f7a4ed2a49a7e2442eacdd23
The method get_unscoped_auth_ref in each of the plugins is essentially
the same, except for the payload that will be exchanged with the server.
We can move it to the base class and implement the payload generation in
each plugin.
Change-Id: I4abb414fc3709ab6eb433641269137d1dbb77e6a
The OpenID Connect grant type is something implicit to our plugins,
so there is no need to pass it as a keyword argument; we can define
this as a class argument. Moreover, it makes no sense to pass a
grant_type that is different to the grant type that is being
implemented. This change deprecates the keyword argument (showing a
warning to the users if they're passing it) and checks whether the
grant_type is different to the one defined by the plugin itself.
Change-Id: I4fffc2c651487d3240bbc8458ad728b06b0ffa64
OpenID Connect specifies that all providers must return a JSON
discovery document [1] in a well-known location. We can let the user
pass this document instead of the individual endpoints (i.e. token and
authorization endpoint). Moreover, we can also check if the requested
grant_type (implicit to the used plugin, and one of client_credentials,
password, authorization_code) is supported by the provider before
starting the auth flow.
[1] https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
Fixes-bug: #1583682
Change-Id: I24b7960b25ddcff45552c0ab5541d92122d1d560
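The check described in the commit above, as an added Python example (not keystoneauth code; `resolve_endpoints`, `DiscoveryError` and the sample document are hypothetical names and constructed data). It reads the endpoints from a discovery document and rejects a grant type the provider does not advertise before any credential is sent; the HTTPS check is an extra assumption of this example.

```python
import json

# OpenID Connect Discovery 1.0: when grant_types_supported is omitted,
# the provider is assumed to support these two values.
DEFAULT_GRANT_TYPES = ("authorization_code", "implicit")


class DiscoveryError(ValueError):
    """The discovery document cannot be used for the requested flow."""


def resolve_endpoints(discovery_json, grant_type):
    """Return (token_endpoint, authorization_endpoint) for grant_type."""
    try:
        doc = json.loads(discovery_json)
    except ValueError as exc:
        raise DiscoveryError("discovery document is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise DiscoveryError("discovery document must be a JSON object")

    supported = doc.get("grant_types_supported", DEFAULT_GRANT_TYPES)
    if not isinstance(supported, (list, tuple)) or grant_type not in supported:
        raise DiscoveryError(
            "provider does not advertise grant type %r" % (grant_type,))

    token = doc.get("token_endpoint")
    authz = doc.get("authorization_endpoint")
    if not token:
        raise DiscoveryError("discovery document has no token_endpoint")
    # Extra check added in this example: never send credentials or
    # authorization codes to a non-TLS or malformed endpoint.
    for url in (token, authz):
        if url is not None and not (
                isinstance(url, str) and url.startswith("https://")):
            raise DiscoveryError("endpoint is not an https URL: %r" % (url,))
    return token, authz


# Constructed sample document; idp.example.test is a placeholder host.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "grant_types_supported": ["authorization_code", "password"],
})
```
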
Allow clients and services to set additional_headers that will be sent
with all requests made by the session.
Change-Id: Idbd2e5159de5790c7db65c806b964f220bb6628e
Now that there is a passing gate job, we can claim support for
Python 3.5 in the classifier. This patch also adds the convenience
py35 venv.
Change-Id: I277c17f774e880b6d2c7c73a8410f1cd1167f055
The prompt parameter is supposed to provide both an indication to
loaders that it is ok to prompt the user for input for an option and
also an appropriate message that can be used.
It would be up to the loader whether it wanted to use that message or
something it generated.
This will allow os-client-config and openstackclient better control over
the loading of sensitive authentication options.
Related-Bug: #1519202
Change-Id: I7c39f25b78404950af6f6eaf21739be1c1ef9c6a
An auth plugin that allows service clients to be authenticated
with the X.509 tokenless authentication. Please find typical configured
options in authentication-plugins.rst
implements bp keystone-tokenless-authz-with-x509-ssl-client-cert
Change-Id: Ie0298f0ef7f3891cfc81072ab9ef9e501773fe5f
The OpenID scope is something common to all the OpenID grant types,
therefore we move the OIDC scope parameter 'scope' from the OidcPassword
class into the base _OidcBase class, moving the option as well into the
corresponding loader.
Moreover, OpenID scopes are not handled properly, as the loaders have
the option defined as "openid-scope" whereas the class constructor
argument is named "openid".
Lastly, OpenID states that the OpenID scope MUST contain "openid" at
least, so we should include this in our defaults argument.
Closes-Bug: #1594272
Closes-Bug: #1597334
Change-Id: I9a242ae93a61737d032c19830c5d89ef6237f875
Add a create_plugin function to loaders. This can be used to create a
plugin based on options with more control than simply specifying a
plugin_class as a property.
The plugin_class property is no longer an abstractproperty; however, an
implementer must still provide either the plugin_class property or
implement the create_plugin function to succeed.
Change-Id: Iea2ff93cfc3c814c78f6d9cd7e0069bab7e0180b
Closes-Bug: #1595400