OAuth request/access token and consumer support for oauth client API

Add support for creating request and access tokens,
and to authorize request tokens. Also adding basic CRUD for
consumer entities.

DocImpact
Change-Id: Ib9d0b223f202a7e33cbad1602da5be7479cd3284
implements: bp add-oauth-support

keystoneclient/tests/v3/test_oauth1.py

@@ -0,0 +1,229 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import uuid
+
+import httpretty
+import six
+from testtools import matchers
+
+from keystoneclient.openstack.common import jsonutils
+from keystoneclient.openstack.common import timeutils
+from keystoneclient.tests.v3 import utils
+from keystoneclient.v3.contrib.oauth1 import access_tokens
+from keystoneclient.v3.contrib.oauth1 import consumers
+from keystoneclient.v3.contrib.oauth1 import request_tokens
+
+try:
+    from oauthlib import oauth1
+except ImportError:
+    oauth1 = None
+
+
+class BaseTest(utils.TestCase):
+    def setUp(self):
+        super(BaseTest, self).setUp()
+        if oauth1 is None:
+            self.skipTest('oauthlib package not available')
+
+
+class ConsumerTests(BaseTest, utils.CrudTests):
+    def setUp(self):
+        super(ConsumerTests, self).setUp()
+        self.key = 'consumer'
+        self.collection_key = 'consumers'
+        self.model = consumers.Consumer
+        self.manager = self.client.oauth1.consumers
+        self.path_prefix = 'OS-OAUTH1'
+
+    def new_ref(self, **kwargs):
+        kwargs = super(ConsumerTests, self).new_ref(**kwargs)
+        kwargs.setdefault('description', uuid.uuid4().hex)
+        return kwargs
+
+    @httpretty.activate
+    def test_description_is_optional(self):
+        consumer_id = uuid.uuid4().hex
+        resp_ref = {'consumer': {'description': None,
+                                 'id': consumer_id}}
+
+        self.stub_url(httpretty.POST,
+                      [self.path_prefix, self.collection_key],
+                      status=201, json=resp_ref)
+
+        consumer = self.manager.create()
+        self.assertEqual(consumer_id, consumer.id)
+        self.assertIsNone(consumer.description)
+
+    @httpretty.activate
+    def test_description_not_included(self):
+        consumer_id = uuid.uuid4().hex
+        resp_ref = {'consumer': {'id': consumer_id}}
+
+        self.stub_url(httpretty.POST,
+                      [self.path_prefix, self.collection_key],
+                      status=201, json=resp_ref)
+
+        consumer = self.manager.create()
+        self.assertEqual(consumer_id, consumer.id)
+
+
+class TokenTests(BaseTest):
+    def _new_oauth_token(self):
+        key = uuid.uuid4().hex
+        secret = uuid.uuid4().hex
+        token = 'oauth_token=%s&oauth_token_secret=%s' % (key, secret)
+        return (key, secret, token)
+
+    def _new_oauth_token_with_expires_at(self):
+        key, secret, token = self._new_oauth_token()
+        expires_at = timeutils.strtime()
+        token += '&oauth_expires_at=%s' % expires_at
+        return (key, secret, expires_at, token)
+
+    def _validate_oauth_headers(self, auth_header, oauth_client):
+        """Assert that the data in the headers matches the data
+        that is produced from oauthlib.
+        """
+
+        self.assertThat(auth_header, matchers.StartsWith('OAuth '))
+        auth_header = auth_header[len('OAuth '):]
+        header_params = oauth_client.get_oauth_params()
+        parameters = dict(header_params)
+
+        self.assertEqual('HMAC-SHA1', parameters['oauth_signature_method'])
+        self.assertEqual('1.0', parameters['oauth_version'])
+        self.assertIsInstance(parameters['oauth_nonce'], six.string_types)
+        self.assertEqual(oauth_client.client_key,
+                         parameters['oauth_consumer_key'])
+        if oauth_client.resource_owner_key:
+            self.assertEqual(oauth_client.resource_owner_key,
+                             parameters['oauth_token'],)
+        if oauth_client.verifier:
+            self.assertEqual(oauth_client.verifier,
+                             parameters['oauth_verifier'])
+        if oauth_client.callback_uri:
+            self.assertEqual(oauth_client.callback_uri,
+                             parameters['oauth_callback'])
+        if oauth_client.timestamp:
+            self.assertEqual(oauth_client.timestamp,
+                             parameters['oauth_timestamp'])
+        return parameters
+
+
+class RequestTokenTests(TokenTests):
+    def setUp(self):
+        super(RequestTokenTests, self).setUp()
+        self.model = request_tokens.RequestToken
+        self.manager = self.client.oauth1.request_tokens
+        self.path_prefix = 'OS-OAUTH1'
+
+    @httpretty.activate
+    def test_authorize_request_token(self):
+        request_key = uuid.uuid4().hex
+        info = {'id': request_key,
+                'key': request_key,
+                'secret': uuid.uuid4().hex}
+        request_token = request_tokens.RequestToken(self.manager, info)
+
+        verifier = uuid.uuid4().hex
+        resp_ref = {'token': {'oauth_verifier': verifier}}
+        self.stub_url(httpretty.PUT,
+                      [self.path_prefix, 'authorize', request_key],
+                      status=200, json=resp_ref)
+
+        # Assert the manager is returning the expected data
+        role_id = uuid.uuid4().hex
+        token = request_token.authorize([role_id])
+        self.assertEqual(verifier, token.oauth_verifier)
+
+        # Assert that the request was sent in the expected structure
+        exp_body = {'roles': [{'id': role_id}]}
+        self.assertRequestBodyIs(json=exp_body)
+
+    @httpretty.activate
+    def test_create_request_token(self):
+        project_id = uuid.uuid4().hex
+        consumer_key = uuid.uuid4().hex
+        consumer_secret = uuid.uuid4().hex
+
+        request_key, request_secret, resp_ref = self._new_oauth_token()
+
+        # NOTE(stevemar) The server expects the body to be JSON. Even though
+        # the resp_ref is a string it is not a JSON string.
+        self.stub_url(httpretty.POST, [self.path_prefix, 'request_token'],
+                      status=201, body=jsonutils.dumps(resp_ref),
+                      content_type='application/x-www-form-urlencoded')
+
+        # Assert the manager is returning request token object
+        request_token = self.manager.create(consumer_key, consumer_secret,
+                                            project_id)
+        self.assertIsInstance(request_token, self.model)
+        self.assertEqual(request_key, request_token.key)
+        self.assertEqual(request_secret, request_token.secret)
+
+        # Assert that the project id is in the header
+        self.assertRequestHeaderEqual('requested_project_id', project_id)
+        req_headers = httpretty.last_request().headers
+
+        oauth_client = oauth1.Client(consumer_key,
+                                     client_secret=consumer_secret,
+                                     signature_method=oauth1.SIGNATURE_HMAC,
+                                     callback_uri="oob")
+        self._validate_oauth_headers(req_headers['Authorization'],
+                                     oauth_client)
+
+
+class AccessTokenTests(TokenTests):
+    def setUp(self):
+        super(AccessTokenTests, self).setUp()
+        self.manager = self.client.oauth1.access_tokens
+        self.model = access_tokens.AccessToken
+        self.path_prefix = 'OS-OAUTH1'
+
+    @httpretty.activate
+    def test_create_access_token_expires_at(self):
+        verifier = uuid.uuid4().hex
+        consumer_key = uuid.uuid4().hex
+        consumer_secret = uuid.uuid4().hex
+        request_key = uuid.uuid4().hex
+        request_secret = uuid.uuid4().hex
+
+        t = self._new_oauth_token_with_expires_at()
+        access_key, access_secret, expires_at, resp_ref = t
+
+        # NOTE(stevemar) The server expects the body to be JSON. Even though
+        # the resp_ref is a string it is not a JSON string.
+        self.stub_url(httpretty.POST, [self.path_prefix, 'access_token'],
+                      status=201, body=jsonutils.dumps(resp_ref),
+                      content_type='application/x-www-form-urlencoded')
+
+        # Assert that the manager creates an access token object
+        access_token = self.manager.create(consumer_key, consumer_secret,
+                                           request_key, request_secret,
+                                           verifier)
+        self.assertIsInstance(access_token, self.model)
+        self.assertEqual(access_key, access_token.key)
+        self.assertEqual(access_secret, access_token.secret)
+        self.assertEqual(expires_at, access_token.expires)
+
+        req_headers = httpretty.last_request().headers
+        oauth_client = oauth1.Client(consumer_key,
+                                     client_secret=consumer_secret,
+                                     resource_owner_key=request_key,
+                                     resource_owner_secret=request_secret,
+                                     signature_method=oauth1.SIGNATURE_HMAC,
+                                     verifier=verifier,
+                                     timestamp=expires_at)
+        self._validate_oauth_headers(req_headers['Authorization'],
+                                     oauth_client)

keystoneclient/v3/client.py

@@ -21,6 +21,7 @@ from keystoneclient import httpclient
 from keystoneclient.openstack.common import jsonutils
 from keystoneclient.v3.contrib import endpoint_filter
 from keystoneclient.v3.contrib import federation
+from keystoneclient.v3.contrib import oauth1
 from keystoneclient.v3.contrib import trusts
 from keystoneclient.v3 import credentials
 from keystoneclient.v3 import domains
@@ -99,6 +100,7 @@ class Client(httpclient.HTTPClient):
         self.domains = domains.DomainManager(self)
         self.federation = federation.FederationManager(self)
         self.groups = groups.GroupManager(self)
+        self.oauth1 = oauth1.create_oauth_manager(self)
         self.policies = policies.PolicyManager(self)
         self.projects = projects.ProjectManager(self)
         self.roles = roles.RoleManager(self)

keystoneclient/v3/contrib/oauth1/__init__.py

@@ -0,0 +1,13 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystoneclient.v3.contrib.oauth1.core import *  # noqa

keystoneclient/v3/contrib/oauth1/access_tokens.py

@@ -0,0 +1,46 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import unicode_literals
+
+from keystoneclient import base
+from keystoneclient.v3.contrib.oauth1 import utils
+
+try:
+    from oauthlib import oauth1
+except ImportError:
+    oauth1 = None
+
+
+class AccessToken(base.Resource):
+    pass
+
+
+class AccessTokenManager(base.CrudManager):
+    """Manager class for manipulating identity OAuth access tokens."""
+    resource_class = AccessToken
+
+    def create(self, consumer_key, consumer_secret, request_key,
+               request_secret, verifier):
+        endpoint = utils.OAUTH_PATH + '/access_token'
+        oauth_client = oauth1.Client(consumer_key,
+                                     client_secret=consumer_secret,
+                                     resource_owner_key=request_key,
+                                     resource_owner_secret=request_secret,
+                                     signature_method=oauth1.SIGNATURE_HMAC,
+                                     verifier=verifier)
+        url = self.client.auth_url.rstrip("/") + endpoint
+        url, headers, body = oauth_client.sign(url, http_method='POST')
+        resp, body = self.client.post(endpoint, headers=headers)
+        token = utils.get_oauth_token_from_body(body)
+        return self.resource_class(self, token)

keystoneclient/v3/contrib/oauth1/consumers.py

@@ -0,0 +1,52 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from keystoneclient import base
+from keystoneclient.v3.contrib.oauth1 import utils
+
+
+class Consumer(base.Resource):
+    """Represents an OAuth consumer.
+
+    Attributes:
+        * id: a uuid that identifies the consumer
+        * description: a short description of the consumer
+    """
+    pass
+
+
+class ConsumerManager(base.CrudManager):
+    """Manager class for manipulating identity consumers."""
+    resource_class = Consumer
+    collection_key = 'consumers'
+    key = 'consumer'
+    base_url = utils.OAUTH_PATH
+
+    def create(self, description=None, **kwargs):
+        return super(ConsumerManager, self).create(
+            description=description,
+            **kwargs)
+
+    def get(self, consumer):
+        return super(ConsumerManager, self).get(
+            consumer_id=base.getid(consumer))
+
+    def update(self, consumer, description=None, **kwargs):
+        return super(ConsumerManager, self).update(
+            consumer_id=base.getid(consumer),
+            description=description,
+            **kwargs)
+
+    def delete(self, consumer):
+        return super(ConsumerManager, self).delete(
+            consumer_id=base.getid(consumer))

keystoneclient/v3/contrib/oauth1/core.py

@@ -0,0 +1,64 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from keystoneclient.v3.contrib.oauth1 import access_tokens
+from keystoneclient.v3.contrib.oauth1 import consumers
+from keystoneclient.v3.contrib.oauth1 import request_tokens
+
+
+def create_oauth_manager(self):
+    # NOTE(stevemar): Attempt to import the oauthlib package at this point.
+    try:
+        import oauthlib  # noqa
+    # NOTE(stevemar): Return an object instead of raising an exception here,
+    # this will allow users to see an exception only when trying to access the
+    # oauth portions of client. Otherwise an exception would be raised
+    # when the client is created.
+    except ImportError:
+        return OAuthManagerOptionalImportProxy()
+    else:
+        return OAuthManager(self)
+
+
+class OAuthManager(object):
+    def __init__(self, api):
+        self.access_tokens = access_tokens.AccessTokenManager(api)
+        self.consumers = consumers.ConsumerManager(api)
+        self.request_tokens = request_tokens.RequestTokenManager(api)
+
+
+class OAuthManagerOptionalImportProxy(object):
+    """Act as a proxy manager in case oauthlib is no installed.
+
+    This class will only be created if oauthlib is not in the system,
+    trying to access any of the attributes in name (access_tokens,
+    consumers, request_tokens), will result in a NotImplementedError,
+    and a message.
+
+    >>> manager.access_tokens.blah
+    NotImplementedError: To use 'access_tokens' oauthlib must be installed
+
+    Otherwise, if trying to access an attribute other than the ones in name,
+    the manager will state that the attribute does not exist.
+
+    >>> manager.dne.blah
+    AttributeError: 'OAuthManagerOptionalImportProxy' object has no
+    attribute 'dne'
+    """
+
+    def __getattribute__(self, name):
+        if name in ('access_tokens', 'comsumers', 'request_tokens'):
+            raise NotImplementedError(
+                'To use %r oauthlib must be installed' % name)
+        return super(OAuthManagerOptionalImportProxy,
+                     self).__getattribute__(name)

keystoneclient/v3/contrib/oauth1/request_tokens.py

@@ -0,0 +1,70 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import unicode_literals
+
+from six.moves.urllib import parse as urlparse
+
+from keystoneclient import base
+from keystoneclient.v3.contrib.oauth1 import utils
+
+try:
+    from oauthlib import oauth1
+except ImportError:
+    oauth1 = None
+
+
+class RequestToken(base.Resource):
+    def authorize(self, roles):
+        try:
+            retval = self.manager.authorize(self.id, roles)
+            self = retval
+        except Exception:
+            retval = None
+
+        return retval
+
+
+class RequestTokenManager(base.CrudManager):
+    """Manager class for manipulating identity OAuth request tokens."""
+    resource_class = RequestToken
+
+    def authorize(self, request_token, roles):
+        """Authorize a request token with specific roles.
+
+        Utilize Identity API operation:
+        PUT /OS-OAUTH1/authorize/$request_token_id
+
+        :param request_token: a request token that will be authorized, and
+            can be exchanged for an access token.
+        :param roles: a list of roles, that will be delegated to the user.
+        """
+
+        request_id = urlparse.quote(base.getid(request_token))
+        endpoint = utils.OAUTH_PATH + '/authorize/%s' % (request_id)
+        body = {'roles': [{'id': base.getid(r_id)} for r_id in roles]}
+        return self._put(endpoint, body, "token")
+
+    def create(self, consumer_key, consumer_secret, project):
+        endpoint = utils.OAUTH_PATH + '/request_token'
+        headers = {'requested_project_id': base.getid(project)}
+        oauth_client = oauth1.Client(consumer_key,
+                                     client_secret=consumer_secret,
+                                     signature_method=oauth1.SIGNATURE_HMAC,
+                                     callback_uri="oob")
+        url = self.client.auth_url.rstrip("/") + endpoint
+        url, headers, body = oauth_client.sign(url, http_method='POST',
+                                               headers=headers)
+        resp, body = self.client.post(endpoint, headers=headers)
+        token = utils.get_oauth_token_from_body(body)
+        return self.resource_class(self, token)

keystoneclient/v3/contrib/oauth1/utils.py

@@ -0,0 +1,35 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from six.moves.urllib import parse as urlparse
+
+
+OAUTH_PATH = '/OS-OAUTH1'
+
+
+def get_oauth_token_from_body(body):
+    """Parse the URL response body to retrieve the oauth token key and secret
+
+    The response body will look like:
+    'oauth_token=12345&oauth_token_secret=67890' with
+    'oauth_expires_at=2013-03-30T05:27:19.463201' possibly there, too.
+    """
+
+    credentials = urlparse.parse_qs(body)
+    key = credentials['oauth_token'][0]
+    secret = credentials['oauth_token_secret'][0]
+    token = {'key': key, 'id': key, 'secret': secret}
+    expires_at = credentials.get('oauth_expires_at')
+    if expires_at:
+        token['expires'] = expires_at[0]
+    return token

test-requirements.txt

@@ -6,6 +6,7 @@ httpretty>=0.8.0
 keyring>=2.1
 mock>=1.0
 mox3>=0.7.0
+oauthlib>=0.6
 pycrypto>=2.6
 sphinx>=1.1.2,<1.2
 stevedore>=0.14