Merge "Add KeyCloak OpenID Connect authentication"

mistralclient/api/client.py

@@ -15,13 +15,15 @@
 import six
 
 from mistralclient.api.v2 import client as client_v2
+from mistralclient.auth import auth_types
 
 
 def client(mistral_url=None, username=None, api_key=None,
            project_name=None, auth_url=None, project_id=None,
            endpoint_type='publicURL', service_type='workflow',
            auth_token=None, user_id=None, cacert=None, insecure=False,
-           profile=None):
+           profile=None, auth_type=auth_types.KEYSTONE, client_id=None,
+           client_secret=None):
 
         if mistral_url and not isinstance(mistral_url, six.string_types):
             raise RuntimeError('Mistral url should be a string.')
@@ -39,7 +41,10 @@ def client(mistral_url=None, username=None, api_key=None,
             user_id=user_id,
             cacert=cacert,
             insecure=insecure,
-            profile=profile
+            profile=profile,
+            auth_type=auth_type,
+            client_id=client_id,
+            client_secret=client_secret
         )
 
 

mistralclient/api/v2/client.py

@@ -28,6 +28,12 @@ from mistralclient.api.v2 import services
 from mistralclient.api.v2 import tasks
 from mistralclient.api.v2 import workbooks
 from mistralclient.api.v2 import workflows
+from mistralclient.auth import auth_types
+from mistralclient.auth import keycloak
+from mistralclient.auth import keystone
+
+
+_DEFAULT_MISTRAL_URL = "http://localhost:8989/v2"
 
 
 class Client(object):
@@ -35,14 +41,16 @@ class Client(object):
                  project_name=None, auth_url=None, project_id=None,
                  endpoint_type='publicURL', service_type='workflowv2',
                  auth_token=None, user_id=None, cacert=None, insecure=False,
-                 profile=None):
+                 profile=None, auth_type=auth_types.KEYSTONE, client_id=None,
+                 client_secret=None):
 
         if mistral_url and not isinstance(mistral_url, six.string_types):
-            raise RuntimeError('Mistral url should be string')
+            raise RuntimeError('Mistral url should be a string.')
 
         if auth_url:
+            if auth_type == auth_types.KEYSTONE:
                 (mistral_url, auth_token, project_id, user_id) = (
-                self.authenticate(
+                    keystone.authenticate(
                         mistral_url,
                         username,
                         api_key,
@@ -57,9 +65,33 @@ class Client(object):
                         insecure
                     )
                 )
+            elif auth_type == auth_types.KEYCLOAK_OIDC:
+                auth_token = keycloak.authenticate(
+                    auth_url,
+                    client_id,
+                    client_secret,
+                    project_name,
+                    username,
+                    api_key,
+                    auth_token,
+                    cacert,
+                    insecure
+                )
+
+                # In case of KeyCloak OpenID Connect we can treat project
+                # name and id in the same way because KeyCloak realm is
+                # essentially a different OpenID Connect Issuer which in
+                # KeyCloak is represented just as a URL path component
+                # (see http://openid.net/specs/openid-connect-core-1_0.html).
+                project_id = project_name
+            else:
+                raise RuntimeError(
+                    'Invalid authentication type [value=%s, valid_values=%s]'
+                    % (auth_type, auth_types.ALL)
+                )
 
         if not mistral_url:
-            mistral_url = "http://localhost:8989/v2"
+            mistral_url = _DEFAULT_MISTRAL_URL
 
         if profile:
             osprofiler.profiler.init(profile)
@@ -84,60 +116,3 @@ class Client(object):
         self.action_executions = action_executions.ActionExecutionManager(self)
         self.services = services.ServiceManager(self)
         self.members = members.MemberManager(self)
-
-    def authenticate(self, mistral_url=None, username=None, api_key=None,
-                     project_name=None, auth_url=None, project_id=None,
-                     endpoint_type='publicURL', service_type='workflowv2',
-                     auth_token=None, user_id=None, cacert=None,
-                     insecure=False):
-
-        if project_name and project_id:
-            raise RuntimeError(
-                'Only project name or project id should be set'
-            )
-
-        if username and user_id:
-            raise RuntimeError(
-                'Only user name or user id should be set'
-            )
-
-        keystone_client = _get_keystone_client(auth_url)
-
-        keystone = keystone_client.Client(
-            username=username,
-            user_id=user_id,
-            password=api_key,
-            token=auth_token,
-            tenant_id=project_id,
-            tenant_name=project_name,
-            auth_url=auth_url,
-            endpoint=auth_url,
-            cacert=cacert,
-            insecure=insecure
-        )
-
-        keystone.authenticate()
-        token = keystone.auth_token
-        user_id = keystone.user_id
-        project_id = keystone.project_id
-
-        if not mistral_url:
-            catalog = keystone.service_catalog.get_endpoints(
-                service_type=service_type,
-                endpoint_type=endpoint_type
-            )
-            if service_type in catalog:
-                service = catalog.get(service_type)
-                mistral_url = service[0].get(
-                    endpoint_type) if service else None
-
-        return mistral_url, token, project_id, user_id
-
-
-def _get_keystone_client(auth_url):
-    if "v2.0" in auth_url:
-        from keystoneclient.v2_0 import client
-    else:
-        from keystoneclient.v3 import client
-
-    return client

mistralclient/auth/auth_types.py

@@ -0,0 +1,26 @@
+# Copyright 2016 - Nokia Networks
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+# Valid authentication types.
+
+# Standard Keystone authentication.
+KEYSTONE = 'keystone'
+
+# Authentication using OpenID Connect protocol but specific to KeyCloak
+# server regarding multi-tenancy support. KeyCloak has a notion of realm
+# used as an analog of Keystone project/tenant.
+KEYCLOAK_OIDC = 'keycloak-oidc'
+
+
+ALL = [KEYSTONE, KEYCLOAK_OIDC]

mistralclient/auth/keycloak.py

@@ -0,0 +1,141 @@
+# Copyright 2016 - Nokia Networks
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+import logging
+import pprint
+import requests
+
+
+LOG = logging.getLogger(__name__)
+
+
+def authenticate(auth_url, client_id, client_secret, realm_name,
+                 username=None, password=None, access_token=None,
+                 cacert=None, insecure=False):
+    """Performs authentication using Keycloak OpenID Protocol.
+
+    :param auth_url: Base authentication url of KeyCloak server (e.g.
+        "https://my.keycloak:8443/auth"
+    :param client_id: Client ID (according to OpenID Connect protocol).
+    :param client_secret: Client secret (according to OpenID Connect protocol).
+    :param realm_name: KeyCloak realm name.
+    :param username: User name (Optional, if None then access_token must be
+        provided).
+    :param password: Password (Optional).
+    :param access_token: Access token. If passed, username and password are
+        not used and this method just validates the token and refreshes it,
+        if needed. (Optional, if None then username must be provided)
+    :param cacert: SSL certificate file (Optional).
+    :param insecure: If True, SSL certificate is not verified (Optional).
+
+    """
+    if not auth_url:
+        raise ValueError('Base authentication url is not provided.')
+
+    if not client_id:
+        raise ValueError('Client ID is not provided.')
+
+    if not client_secret:
+        raise ValueError('Client secret is not provided.')
+
+    if not realm_name:
+        raise ValueError('Project(realm) name is not provided.')
+
+    if username and access_token:
+        raise ValueError(
+            "User name and access token can't be provided at the same time."
+        )
+
+    if access_token:
+        return _authenticate_with_token(
+            auth_url,
+            client_id,
+            client_secret,
+            access_token,
+            cacert,
+            insecure
+        )
+
+    if not username:
+        raise ValueError('Either user name or access token must be provided.')
+
+    return _authenticate_with_password(
+        auth_url,
+        client_id,
+        client_secret,
+        realm_name,
+        username,
+        password,
+        cacert,
+        insecure
+    )
+
+
+def _authenticate_with_token(auth_url, client_id, client_secret, auth_token,
+                             cacert=None, insecure=None):
+    # TODO(rakhmerov): Implement.
+    raise NotImplementedError
+
+
+def _authenticate_with_password(auth_url, client_id, client_secret,
+                                realm_name, username, password,
+                                cacert=None, insecure=None):
+    access_token_endpoint = (
+        "%s/realms/%s/protocol/openid-connect/token" % (auth_url, realm_name)
+    )
+
+    client_auth = (client_id, client_secret)
+
+    body = {
+        'grant_type': 'password',
+        'username': username,
+        'password': password,
+        'scope': 'profile'
+    }
+
+    resp = requests.post(
+        access_token_endpoint,
+        auth=client_auth,
+        data=body,
+        verify=not insecure
+    )
+
+    try:
+        resp.raise_for_status()
+    except Exception as e:
+        raise Exception("Failed to get access token:\n %s" % str(e))
+
+    LOG.debug(
+        "HTTP response from OIDC provider: %s" % pprint.pformat(resp.json())
+    )
+
+    return resp.json()['access_token']
+
+
+# An example of using KeyCloak OpenID authentication.
+
+if __name__ == '__main__':
+    print("Using username/password to get access token from KeyCloak...")
+
+    a_token = authenticate(
+        "https://my.keycloak:8443/auth",
+        client_id="mistral_client",
+        client_secret="4a080907-921b-409a-b793-c431609c3a47",
+        realm_name="mistral",
+        username="user",
+        password="secret",
+        insecure=True
+    )
+
+    print("Access token: %s" % a_token)

mistralclient/auth/keystone.py

@@ -0,0 +1,73 @@
+# Copyright 2016 - Nokia Networks
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+
+def authenticate(mistral_url=None, username=None,
+                 api_key=None, project_name=None, auth_url=None,
+                 project_id=None, endpoint_type='publicURL',
+                 service_type='workflowv2', auth_token=None, user_id=None,
+                 cacert=None, insecure=False):
+
+    if project_name and project_id:
+        raise RuntimeError(
+            'Only project name or project id should be set'
+        )
+
+    if username and user_id:
+        raise RuntimeError(
+            'Only user name or user id should be set'
+        )
+
+    keystone_client = _get_keystone_client(auth_url)
+
+    keystone = keystone_client.Client(
+        username=username,
+        user_id=user_id,
+        password=api_key,
+        token=auth_token,
+        tenant_id=project_id,
+        tenant_name=project_name,
+        auth_url=auth_url,
+        endpoint=auth_url,
+        cacert=cacert,
+        insecure=insecure
+    )
+
+    keystone.authenticate()
+
+    token = keystone.auth_token
+    user_id = keystone.user_id
+    project_id = keystone.project_id
+
+    if not mistral_url:
+        catalog = keystone.service_catalog.get_endpoints(
+            service_type=service_type,
+            endpoint_type=endpoint_type
+        )
+
+        if service_type in catalog:
+            service = catalog.get(service_type)
+            mistral_url = service[0].get(
+                endpoint_type) if service else None
+
+    return mistral_url, token, project_id, user_id
+
+
+def _get_keystone_client(auth_url):
+    if "v2.0" in auth_url:
+        from keystoneclient.v2_0 import client
+    else:
+        from keystoneclient.v3 import client
+
+    return client

mistralclient/shell.py

@@ -20,6 +20,7 @@ import logging
 import sys
 
 from mistralclient.api import client
+from mistralclient.auth import auth_types
 import mistralclient.commands.v2.action_executions
 import mistralclient.commands.v2.actions
 import mistralclient.commands.v2.cron_triggers
@@ -297,6 +298,33 @@ class MistralShell(app.App):
                  '(Env: MISTRALCLIENT_INSECURE)'
         )
 
+        parser.add_argument(
+            '--auth-type',
+            action='store',
+            dest='auth_type',
+            default=c.env('MISTRAL_AUTH_TYPE', default=auth_types.KEYSTONE),
+            help='Authentication type. Valid options are: %s.'
+                 ' (Env: MISTRAL_AUTH_TYPE)' % auth_types.ALL
+        )
+
+        parser.add_argument(
+            '--openid-client-id',
+            action='store',
+            dest='client_id',
+            default=c.env('OPENID_CLIENT_ID'),
+            help='Client ID (according to OpenID Connect).'
+                 ' (Env: OPENID_CLIENT_ID)'
+        )
+
+        parser.add_argument(
+            '--openid-client-secret',
+            action='store',
+            dest='client_secret',
+            default=c.env('OPENID_CLIENT_SECRET'),
+            help='Client secret (according to OpenID Connect)'
+                 ' (Env: OPENID_CLIENT_SECRET)'
+        )
+
         parser.add_argument(
             '--profile',
             dest='profile',
@@ -344,11 +372,14 @@ class MistralShell(app.App):
             auth_token=self.options.token,
             cacert=self.options.cacert,
             insecure=self.options.insecure,
-            profile=self.options.profile
+            profile=self.options.profile,
+            auth_type=self.options.auth_type,
+            client_id=self.options.client_id,
+            client_secret=self.options.client_secret,
         )
 
         # Adding client_manager variable to make mistral client work with
-        # unified openstack client.
+        # unified OpenStack client.
         ClientManager = type(
             'ClientManager',
             (object,),