Enable ssl support for keycloak auth module

Currently cacert param is not used in the code and ssl is not supported. This code fixes this and also eliminates several related issues. Change-Id: I30b8673bc64039897a8fea49aad65548cd52063f Closes-bug: #1713918
2017-08-30 09:45:24 +03:00
parent 010b9177b7
commit 6a63ec6ef6
1 changed files with 37 additions and 8 deletions
--- a/mistralclient/auth/keycloak.py
+++ b/mistralclient/auth/keycloak.py
@@ -13,8 +13,11 @@
 #    limitations under the License.

 import logging
+import os
 import pprint
+
 import requests
+from six.moves import urllib

 from mistralclient import auth

@@ -111,11 +114,13 @@ class KeycloakAuthHandler(auth.AuthHandler):

        return response

+    @staticmethod
    def _authenticate_with_token(auth_url, client_id, client_secret,
                                 auth_token, cacert=None, insecure=None):
        # TODO(rakhmerov): Implement.
        raise NotImplementedError

+    @staticmethod
    def _authenticate_with_password(auth_url, client_id, client_secret,
                                    realm_name, username, password,
                                    cacert=None, insecure=None):
@@ -124,6 +129,10 @@ class KeycloakAuthHandler(auth.AuthHandler):
            (auth_url, realm_name)
        )

+        verify = None
+        if urllib.parse.urlparse(access_token_endpoint).scheme == "https":
+            verify = False if insecure else cacert
+
        client_auth = (client_id, client_secret)

        body = {
@@ -137,7 +146,7 @@ class KeycloakAuthHandler(auth.AuthHandler):
            access_token_endpoint,
            auth=client_auth,
            data=body,
-            verify=not insecure
+            verify=verify
        )

        try:
@@ -151,6 +160,24 @@ class KeycloakAuthHandler(auth.AuthHandler):
        return resp.json()['access_token']


+def get_system_ca_file():
+    """Return path to system default CA file."""
+    # Standard CA file locations for Debian/Ubuntu, RedHat/Fedora,
+    # Suse, FreeBSD/OpenBSD, MacOSX, and the bundled ca
+    ca_path = ['/etc/ssl/certs/ca-certificates.crt',
+               '/etc/pki/tls/certs/ca-bundle.crt',
+               '/etc/ssl/ca-bundle.pem',
+               '/etc/ssl/cert.pem',
+               '/System/Library/OpenSSL/certs/cacert.pem',
+               requests.certs.where()]
+    for ca in ca_path:
+        LOG.debug("Looking for ca file %s", ca)
+        if os.path.exists(ca):
+            LOG.debug("Using ca file %s", ca)
+            return ca
+    LOG.warning("System ca file could not be found.")
+
+
 # An example of using KeyCloak OpenID authentication.
 if __name__ == '__main__':
    print("Using username/password to get access token from KeyCloak...")
@@ -158,13 +185,15 @@ if __name__ == '__main__':
    auth_handler = KeycloakAuthHandler()

    a_token = auth_handler.authenticate(
-        "https://my.keycloak:8443/auth",
-        client_id="mistral_client",
-        client_secret="4a080907-921b-409a-b793-c431609c3a47",
-        realm_name="mistral",
-        username="user",
-        password="secret",
-        insecure=True
+        dict(
+            "https://my.keycloak:8443/auth",
+            client_id="mistral_client",
+            client_secret="4a080907-921b-409a-b793-c431609c3a47",
+            realm_name="mistral",
+            username="user",
+            password="secret",
+            insecure=True
+        )
    )

    print("Access token: %s" % a_token)