openstack/python-keystoneclient
Code Issues Proposed changes
946e928b52
python-keystoneclient/keystoneclient/utils.py

157 lines
4.8 KiB
Python
Raw Normal View History

Fix License Headers and Enable Gating on H102 Add ASLv2 headers to files that were missing it. fixes bug #1211587 Change-Id: Iede918e1ce84993cee4ecbb2d9c2606627fa412e
2013-08-15 16:56:22 -07:00
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
Allow secure user password update. This patch allows the ability for user password to be updated via a command prompt so the password doesnt show up in the bash history. The prompted password is asked twice to verify the match. If user cntl-D's the prompt a message appears suggesting user to use either of the options to update the password. Fixes: bug#938315 Change-Id: I4271ae569b922f33c34f9b015a7ee6f760414e39
2013-05-09 09:29:02 -07:00
import getpass
Add auth-token code to keystoneclient, along with supporting files This step in the process duplicates the auth-token code to keystoneclient but, for the moment, leaves a copy in its origional location in keystone. Testing for auth-token is also copied across, as is the cms support file. Although no other project will yet pick up the code here in the client, since the paste.ini files haev not yet been updated, it would work if anyone did reference it. Once the client code is in, the next step is to update all the other project paste files, and then finally retire the code from keystone. Change-Id: I88853a373d406020d54b61cba5a5e887380e3b3e
2012-11-12 19:40:21 +00:00
import hashlib
Add a positional decorator This decorator allow us to define that certain parameters are strictly keyword arguments only, without sacrificing the convenience of having those arguments listed in the function definition. This will mean that we are no longer trapped maintaining backwards compatibility for the order of keyword arguments. The enforcement levels should allow us to start putting warnings on existing functions and strict enforcement on new functions. Partial-Bug: #1295881 Change-Id: Ic0a196874930e7be8362df50594471ab8037c5b2
2014-02-28 11:22:26 +10:00
import logging
Allow secure user password update. This patch allows the ability for user password to be updated via a command prompt so the password doesnt show up in the bash history. The prompted password is asked twice to verify the match. If user cntl-D's the prompt a message appears suggesting user to use either of the options to update the password. Fixes: bug#938315 Change-Id: I4271ae569b922f33c34f9b015a7ee6f760414e39
2013-05-09 09:29:02 -07:00
import sys
Initial commit.
2011-10-25 16:50:08 -07:00
Switch from deprecated isotime oslo_utils.timeutils.isotime() is deprecated as of 1.6 so we need to stop using it. The deprecation message says to use datetime.datetime.isoformat() instead, but the format of the string generated by isoformat isn't the same as the format of the string generated by isotime. The string is used in tokens and other public APIs and we can't change it without potentially breaking clients. So the workaround is to copy the current implementation from oslo_utils.timeutils.isotime() to keystone.common.utils.isotime(). Change-Id: I34b12b96de3ea21beaf935ed8a9f6bae2fe0d0bc Closes-Bug: 1461251
2015-06-07 11:20:44 -05:00
from oslo_utils import timeutils
use positional library instead of utils swap instances of utils.positional with the positional library. Change-Id: Id8a9961e68d287a802f25512fc970829e9feb5c2
2016-01-25 01:48:16 -05:00
# NOTE(stevemar): do not remove positional. We need this to stay for a while
# since versions of auth_token require it here.
Use positional library instead of local code Use the positional library instead of the local copy of the code. This will prevent duplicating code across repositories without needing to chase down weird dependency graphs. Change-Id: I7fef334666e93e358870173d29018e5d47312d2b
2016-01-15 16:03:14 -08:00
from positional import positional # noqa
python3: Make iteritems py3k compat Use six.iteritems to replace dictionary.iteritems() on python2 or dictionary.items() on python3. Change-Id: I972f065414e22d287bd7e00ab2c6e754f17afb75 Signed-off-by: Chuck Short <chuck.short@canonical.com>
2013-10-10 13:20:37 -04:00
import six
Initial commit.
2011-10-25 16:50:08 -07:00
from keystoneclient import exceptions
Add a positional decorator This decorator allow us to define that certain parameters are strictly keyword arguments only, without sacrificing the convenience of having those arguments listed in the function definition. This will mean that we are no longer trapped maintaining backwards compatibility for the order of keyword arguments. The enforcement levels should allow us to start putting warnings on existing functions and strict enforcement on new functions. Partial-Bug: #1295881 Change-Id: Ic0a196874930e7be8362df50594471ab8037c5b2
2014-02-28 11:22:26 +10:00
logger = logging.getLogger(__name__)
Initial commit.
2011-10-25 16:50:08 -07:00
def find_resource(manager, name_or_id):
"""Helper for the _find_* methods."""
Fix tests to use UUID strings rather than ints for IDs Several tests were using ints rather than strings for IDs. The ints were changed to UUID strings. Change-Id: I65312509c72078c08ca284e313104e926d9885ba
2014-04-27 18:01:12 -05:00
# first try the entity as a string
Initial commit.
2011-10-25 16:50:08 -07:00
try:
return manager.get(name_or_id)
Removing bandit.yaml in favor of defaults Removing old configuration options for build-in defaults of latest bandit functionality. Also, marking flagged items with _# nosec_ with a descriptive comment on why the code is acceptable as is. Co-Authored-By: Christopher J Schaefer <cjschaef@us.ibm.com> Co-Authored-By: Tom Cocozzello <tjcocozz@us.ibm.com> Change-Id: I138ebd46a8be195177361a9c3306bb70423b639d
2016-03-11 15:55:06 -06:00
except (exceptions.NotFound): # nosec(cjschaef): try to find 'name_or_id'
# as a six.binary_type instead
Initial commit.
2011-10-25 16:50:08 -07:00
pass
# finally try to find entity by name
try:
Do not try to call decode() on a text string This fixes a call to 'isinstance' that only worked on Python2. Closes-Bug: #1265879 Change-Id: I886da95f1ad2a8314de92be8aecb354ee3124e6d
2013-12-16 15:52:24 +01:00
if isinstance(name_or_id, six.binary_type):
Decode the non-english username str to unicode convert the non-english username str to unicode, then the converted username can match the username from db. Fixes bug #1221576 Change-Id: I9e5f941fe43f081d75750e3f4754e8beea8210db
2013-09-06 17:24:05 +08:00
name_or_id = name_or_id.decode('utf-8', 'strict')
Initial commit.
2011-10-25 16:50:08 -07:00
return manager.find(name=name_or_id)
except exceptions.NotFound:
Backslash continuations (python-keystoneclient) Fixes bug #940023 Backslash continuations removal for python-keystoneclient Change-Id: I816fc39ced20bb8ba8a42d3f07a03da94a76f8ea
2012-02-29 11:31:10 +08:00
msg = ("No %s with a name or ID of '%s' exists." %
(manager.resource_class.__name__.lower(), name_or_id))
Initial commit.
2011-10-25 16:50:08 -07:00
raise exceptions.CommandError(msg)
Add name arguments to keystone command. This patch adds name arguments to the following subcommands: * role-delete * role-get * service-delete * service-get * tenant-delete * tenant-get * tenant-update * user-delete * user-get * user-password-update * user-role-add * user-role-list * user-role-remove * user-update Fixes bug 1100648 Change-Id: I73c08c0ba553a72ec57ff3a684a00be4ef1294a6
2013-01-17 18:11:27 +09:00
except exceptions.NoUniqueMatch:
msg = ("Multiple %s matches found for '%s', use an ID to be more"
" specific." % (manager.resource_class.__name__.lower(),
name_or_id))
Fixing potential NameErrors Fixing a couple locations that could potentially raise NameErrors instead of intended exceptions. These were found by looking at flake8 F821 (undefined name) errors. Added in unit tests to verify NameErrors would not be raised. Change-Id: I8619cb0be495b814335a5aea23daca025484d3c6
2013-08-18 22:17:21 -07:00
raise exceptions.CommandError(msg)
Support for version and extension discovery - Supports unauthenticated call to Keystone to discover supported API versions - Added command-line support (usage: keystone discover) - Added client support (keystoneclient.genenric client). Client returns dicts, whereas shell command prints formated output. - Added tests for genenric client - Replicates 'nove discover' in python-novaclient - Starts to address blueprint keystone-client - keystone discover output looks like this: $ keystone discover Keystone found at http://localhost:35357 - supports version v1.0 (DEPRECATED) here http://localhost:35357/v1.0 - supports version v1.1 (CURRENT) here http://localhost:35357/v1.1 - supports version v2.0 (BETA) here http://localhost:35357/v2.0 - and HP-IDM: HP Token Validation Extension - and OS-KSADM: Openstack Keystone Admin - and OS-KSCATALOG: Openstack Keystone Catalog Change-Id: Id16d34dac094c780d36afb3e31c98c318b6071ac
2011-12-28 00:23:31 -06:00
def unauthenticated(f):
Fix D401 PEP257 violation. Currently tox ignores D401. 401: First line should be in imperative mood. This change removes it and make keystoneclient docstrings compliant with it. Change-Id: If34ff12d18390b357342cf29f2d116dd3c86a44d
2016-04-23 03:19:58 +00:00
"""Add 'unauthenticated' attribute to decorated function.
updating keystoneclient doc theme adding in openstack theming enabling last update from git removing old manual references to API, converted entirely to autodoc updated .gitignore fixed docstring warnings and errors Change-Id: Id22ddc446331d52cbf56c3462d8b532fc37f64ac
2012-09-29 15:28:08 -07:00
Usage::
Support for version and extension discovery - Supports unauthenticated call to Keystone to discover supported API versions - Added command-line support (usage: keystone discover) - Added client support (keystoneclient.genenric client). Client returns dicts, whereas shell command prints formated output. - Added tests for genenric client - Replicates 'nove discover' in python-novaclient - Starts to address blueprint keystone-client - keystone discover output looks like this: $ keystone discover Keystone found at http://localhost:35357 - supports version v1.0 (DEPRECATED) here http://localhost:35357/v1.0 - supports version v1.1 (CURRENT) here http://localhost:35357/v1.1 - supports version v2.0 (BETA) here http://localhost:35357/v2.0 - and HP-IDM: HP Token Validation Extension - and OS-KSADM: Openstack Keystone Admin - and OS-KSCATALOG: Openstack Keystone Catalog Change-Id: Id16d34dac094c780d36afb3e31c98c318b6071ac
2011-12-28 00:23:31 -06:00
@unauthenticated
def mymethod(f):
...
"""
f.unauthenticated = True
return f
def isunauthenticated(f):
Address hacking check H405 Previously, there were a string of commits to keystone that addresed ignored hacking checks. This commit does the same for H405 in keystoneclient. This also modifies our tox.ini so that we no longer ignore H405 violations. Change-Id: I2af152e5425a0e9c82314039fdbb90d661c22680 Closes-Bug: 1482773
2016-01-13 13:03:51 -08:00
"""Check if function requires authentication.
Checks to see if the function is marked as not requiring authentication
Fix and enable Gating on H404 Enable gating on the Hacking H404 check - docstring should start with a summary. Change-Id: I80612a15bd11f689e9e9f4dc2ff812138630ddbd
2013-08-04 23:10:16 +02:00
with the @unauthenticated decorator.
Returns True if decorator is set to True, False otherwise.
Support for version and extension discovery - Supports unauthenticated call to Keystone to discover supported API versions - Added command-line support (usage: keystone discover) - Added client support (keystoneclient.genenric client). Client returns dicts, whereas shell command prints formated output. - Added tests for genenric client - Replicates 'nove discover' in python-novaclient - Starts to address blueprint keystone-client - keystone discover output looks like this: $ keystone discover Keystone found at http://localhost:35357 - supports version v1.0 (DEPRECATED) here http://localhost:35357/v1.0 - supports version v1.1 (CURRENT) here http://localhost:35357/v1.1 - supports version v2.0 (BETA) here http://localhost:35357/v2.0 - and HP-IDM: HP Token Validation Extension - and OS-KSADM: Openstack Keystone Admin - and OS-KSCATALOG: Openstack Keystone Catalog Change-Id: Id16d34dac094c780d36afb3e31c98c318b6071ac
2011-12-28 00:23:31 -06:00
"""
return getattr(f, 'unauthenticated', False)
Improve usability of CLI. * Fixes bug #936422 * Fixes bug #932223 * Depends on bcwaldon's review: https://review.openstack.org/#change,4305 * This review proposes making changes outlined in this spreadsheet: https://docs.google.com/spreadsheet/ccc?key=0Ak6TA47h_6fwdGZwRE5WWEJBdEhnckpMTG5RcWFjY3c#gid=0 This cleans up the CLI, normalizing commands and arguments, correcting optional and required arguments and flags. * included https://review.openstack.org/4270 here per Brian's request Note that some commands have changed names to conform to noun-verb form: user-update-password -> user-password-update add-user-role -> user-role-add remove-user-role -> user-role-remove ec2-create-credentials -> ec2-credentials-create ec2-list-credentials -> ec2-credentials-list ec2-delete-credentials -> ec2-credentials-delete token -> token-get Change-Id: I8128fa105a1b8002199211f9e475b1a7a6229b8c
2012-02-21 15:02:41 -08:00
Hash functions support different hash algorithms The token hash functions always used MD5. With this change, the hash function can be passed in to the hash functions. SecurityImpact Related-Bug: #1174499 Change-Id: Ia08c2d6252bb034087a244b47d5bcbea7dcfa70b
2014-04-08 19:50:09 -05:00
def hash_signed_token(signed_text, mode='md5'):
hash_ = hashlib.new(mode)
Add auth-token code to keystoneclient, along with supporting files This step in the process duplicates the auth-token code to keystoneclient but, for the moment, leaves a copy in its origional location in keystone. Testing for auth-token is also copied across, as is the cms support file. Although no other project will yet pick up the code here in the client, since the paste.ini files haev not yet been updated, it would work if anyone did reference it. Once the client code is in, the next step is to update all the other project paste files, and then finally retire the code from keystone. Change-Id: I88853a373d406020d54b61cba5a5e887380e3b3e
2012-11-12 19:40:21 +00:00
hash_.update(signed_text)
return hash_.hexdigest()
Allow secure user password update. This patch allows the ability for user password to be updated via a command prompt so the password doesnt show up in the bash history. The prompted password is asked twice to verify the match. If user cntl-D's the prompt a message appears suggesting user to use either of the options to update the password. Fixes: bug#938315 Change-Id: I4271ae569b922f33c34f9b015a7ee6f760414e39
2013-05-09 09:29:02 -07:00
Prompt for password on CLI if not provided load_from_argparse_arguments is very specifically for use with argparse. We can therefore safely prompt for a password from the user if none is provided and it won't affect config options or other loading mechanisms. Change-Id: Ib76743b768c5f0eef756184f1da49613423298f0
2015-04-15 09:36:10 +10:00
def prompt_user_password():
"""Prompt user for a password
Prompt for a password if stdin is a tty.
"""
password = None
# If stdin is a tty, try prompting for the password
if hasattr(sys.stdin, 'isatty') and sys.stdin.isatty():
# Check for Ctl-D
try:
password = getpass.getpass('Password: ')
Removing bandit.yaml in favor of defaults Removing old configuration options for build-in defaults of latest bandit functionality. Also, marking flagged items with _# nosec_ with a descriptive comment on why the code is acceptable as is. Co-Authored-By: Christopher J Schaefer <cjschaef@us.ibm.com> Co-Authored-By: Tom Cocozzello <tjcocozz@us.ibm.com> Change-Id: I138ebd46a8be195177361a9c3306bb70423b639d
2016-03-11 15:55:06 -06:00
except EOFError: # nosec(cjschaef): return password, which is None if
# password was not found
Prompt for password on CLI if not provided load_from_argparse_arguments is very specifically for use with argparse. We can therefore safely prompt for a password from the user if none is provided and it won't affect config options or other loading mechanisms. Change-Id: Ib76743b768c5f0eef756184f1da49613423298f0
2015-04-15 09:36:10 +10:00
pass
return password
Allow secure user password update. This patch allows the ability for user password to be updated via a command prompt so the password doesnt show up in the bash history. The prompted password is asked twice to verify the match. If user cntl-D's the prompt a message appears suggesting user to use either of the options to update the password. Fixes: bug#938315 Change-Id: I4271ae569b922f33c34f9b015a7ee6f760414e39
2013-05-09 09:29:02 -07:00
def prompt_for_password():
Address hacking check H405 Previously, there were a string of commits to keystone that addresed ignored hacking checks. This commit does the same for H405 in keystoneclient. This also modifies our tox.ini so that we no longer ignore H405 violations. Change-Id: I2af152e5425a0e9c82314039fdbb90d661c22680 Closes-Bug: 1482773
2016-01-13 13:03:51 -08:00
"""Prompt user for password if not provided.
Prompt is used so the password doesn't show up in the
bash history.
Allow secure user password update. This patch allows the ability for user password to be updated via a command prompt so the password doesnt show up in the bash history. The prompted password is asked twice to verify the match. If user cntl-D's the prompt a message appears suggesting user to use either of the options to update the password. Fixes: bug#938315 Change-Id: I4271ae569b922f33c34f9b015a7ee6f760414e39
2013-05-09 09:29:02 -07:00
"""
if not (hasattr(sys.stdin, 'isatty') and sys.stdin.isatty()):
# nothing to do
return
while True:
try:
new_passwd = getpass.getpass('New Password: ')
rep_passwd = getpass.getpass('Repeat New Password: ')
if new_passwd == rep_passwd:
return new_passwd
except EOFError:
return
Add a positional decorator This decorator allow us to define that certain parameters are strictly keyword arguments only, without sacrificing the convenience of having those arguments listed in the function definition. This will mean that we are no longer trapped maintaining backwards compatibility for the order of keyword arguments. The enforcement levels should allow us to start putting warnings on existing functions and strict enforcement on new functions. Partial-Bug: #1295881 Change-Id: Ic0a196874930e7be8362df50594471ab8037c5b2
2014-02-28 11:22:26 +10:00
Switch from deprecated isotime oslo_utils.timeutils.isotime() is deprecated as of 1.6 so we need to stop using it. The deprecation message says to use datetime.datetime.isoformat() instead, but the format of the string generated by isoformat isn't the same as the format of the string generated by isotime. The string is used in tokens and other public APIs and we can't change it without potentially breaking clients. So the workaround is to copy the current implementation from oslo_utils.timeutils.isotime() to keystone.common.utils.isotime(). Change-Id: I34b12b96de3ea21beaf935ed8a9f6bae2fe0d0bc Closes-Bug: 1461251
2015-06-07 11:20:44 -05:00
_ISO8601_TIME_FORMAT_SUBSECOND = '%Y-%m-%dT%H:%M:%S.%f'
_ISO8601_TIME_FORMAT = '%Y-%m-%dT%H:%M:%S'
def isotime(at=None, subsecond=False):
"""Stringify time in ISO 8601 format."""
# Python provides a similar instance method for datetime.datetime objects
# called isoformat(). The format of the strings generated by isoformat()
# have a couple of problems:
# 1) The strings generated by isotime are used in tokens and other public
# APIs that we can't change without a deprecation period. The strings
# generated by isoformat are not the same format, so we can't just
# change to it.
# 2) The strings generated by isoformat do not include the microseconds if
# the value happens to be 0. This will likely show up as random failures
# as parsers may be written to always expect microseconds, and it will
# parse correctly most of the time.
if not at:
at = timeutils.utcnow()
st = at.strftime(_ISO8601_TIME_FORMAT
if not subsecond
else _ISO8601_TIME_FORMAT_SUBSECOND)
tz = at.tzinfo.tzname(None) if at.tzinfo else 'UTC'
st += ('Z' if tz == 'UTC' else tz)
return st
Switch from deprecated oslo_utils.timeutils.strtime The oslo_utils.timeutils.strtime function is deprecated as of oslo_utils 1.7. DeprecationWarning: Using function/method 'oslo_utils.timeutils.strtime()' is deprecated in version '1.6' and will be removed in a future version: use either datetime.datetime.isoformat() or datetime.datetime.strftime() instead Closes-Bug: 1469867 Change-Id: I97897728703547414a621b6687989cff07e01b3e
2015-06-29 15:46:35 -05:00
def strtime(at=None):
at = at or timeutils.utcnow()
return at.strftime(timeutils.PERFECT_TIME_FORMAT)
Copy Permalink