diff --git a/mistralclient/api/client.py b/mistralclient/api/client.py index a481dca8..4a0147af 100644 --- a/mistralclient/api/client.py +++ b/mistralclient/api/client.py @@ -15,13 +15,15 @@ import six from mistralclient.api.v2 import client as client_v2 +from mistralclient.auth import auth_types def client(mistral_url=None, username=None, api_key=None, project_name=None, auth_url=None, project_id=None, endpoint_type='publicURL', service_type='workflow', auth_token=None, user_id=None, cacert=None, insecure=False, - profile=None): + profile=None, auth_type=auth_types.KEYSTONE, client_id=None, + client_secret=None): if mistral_url and not isinstance(mistral_url, six.string_types): raise RuntimeError('Mistral url should be a string.') @@ -39,7 +41,10 @@ def client(mistral_url=None, username=None, api_key=None, user_id=user_id, cacert=cacert, insecure=insecure, - profile=profile + profile=profile, + auth_type=auth_type, + client_id=client_id, + client_secret=client_secret ) diff --git a/mistralclient/api/v2/client.py b/mistralclient/api/v2/client.py index c0a93395..35deb1e0 100644 --- a/mistralclient/api/v2/client.py +++ b/mistralclient/api/v2/client.py @@ -28,6 +28,12 @@ from mistralclient.api.v2 import services from mistralclient.api.v2 import tasks from mistralclient.api.v2 import workbooks from mistralclient.api.v2 import workflows +from mistralclient.auth import auth_types +from mistralclient.auth import keycloak +from mistralclient.auth import keystone + + +_DEFAULT_MISTRAL_URL = "http://localhost:8989/v2" class Client(object): @@ -35,31 +41,57 @@ class Client(object): project_name=None, auth_url=None, project_id=None, endpoint_type='publicURL', service_type='workflowv2', auth_token=None, user_id=None, cacert=None, insecure=False, - profile=None): + profile=None, auth_type=auth_types.KEYSTONE, client_id=None, + client_secret=None): if mistral_url and not isinstance(mistral_url, six.string_types): - raise RuntimeError('Mistral url should be string') + raise RuntimeError('Mistral url should be a string.') if auth_url: - (mistral_url, auth_token, project_id, user_id) = ( - self.authenticate( - mistral_url, + if auth_type == auth_types.KEYSTONE: + (mistral_url, auth_token, project_id, user_id) = ( + keystone.authenticate( + mistral_url, + username, + api_key, + project_name, + auth_url, + project_id, + endpoint_type, + service_type, + auth_token, + user_id, + cacert, + insecure + ) + ) + elif auth_type == auth_types.KEYCLOAK_OIDC: + auth_token = keycloak.authenticate( + auth_url, + client_id, + client_secret, + project_name, username, api_key, - project_name, - auth_url, - project_id, - endpoint_type, - service_type, auth_token, - user_id, cacert, insecure ) - ) + + # In case of KeyCloak OpenID Connect we can treat project + # name and id in the same way because KeyCloak realm is + # essentially a different OpenID Connect Issuer which in + # KeyCloak is represented just as a URL path component + # (see http://openid.net/specs/openid-connect-core-1_0.html). + project_id = project_name + else: + raise RuntimeError( + 'Invalid authentication type [value=%s, valid_values=%s]' + % (auth_type, auth_types.ALL) + ) if not mistral_url: - mistral_url = "http://localhost:8989/v2" + mistral_url = _DEFAULT_MISTRAL_URL if profile: osprofiler.profiler.init(profile) @@ -84,60 +116,3 @@ class Client(object): self.action_executions = action_executions.ActionExecutionManager(self) self.services = services.ServiceManager(self) self.members = members.MemberManager(self) - - def authenticate(self, mistral_url=None, username=None, api_key=None, - project_name=None, auth_url=None, project_id=None, - endpoint_type='publicURL', service_type='workflowv2', - auth_token=None, user_id=None, cacert=None, - insecure=False): - - if project_name and project_id: - raise RuntimeError( - 'Only project name or project id should be set' - ) - - if username and user_id: - raise RuntimeError( - 'Only user name or user id should be set' - ) - - keystone_client = _get_keystone_client(auth_url) - - keystone = keystone_client.Client( - username=username, - user_id=user_id, - password=api_key, - token=auth_token, - tenant_id=project_id, - tenant_name=project_name, - auth_url=auth_url, - endpoint=auth_url, - cacert=cacert, - insecure=insecure - ) - - keystone.authenticate() - token = keystone.auth_token - user_id = keystone.user_id - project_id = keystone.project_id - - if not mistral_url: - catalog = keystone.service_catalog.get_endpoints( - service_type=service_type, - endpoint_type=endpoint_type - ) - if service_type in catalog: - service = catalog.get(service_type) - mistral_url = service[0].get( - endpoint_type) if service else None - - return mistral_url, token, project_id, user_id - - -def _get_keystone_client(auth_url): - if "v2.0" in auth_url: - from keystoneclient.v2_0 import client - else: - from keystoneclient.v3 import client - - return client diff --git a/mistralclient/auth/__init__.py b/mistralclient/auth/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/mistralclient/auth/auth_types.py b/mistralclient/auth/auth_types.py new file mode 100644 index 00000000..71762601 --- /dev/null +++ b/mistralclient/auth/auth_types.py @@ -0,0 +1,26 @@ +# Copyright 2016 - Nokia Networks +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Valid authentication types. + +# Standard Keystone authentication. +KEYSTONE = 'keystone' + +# Authentication using OpenID Connect protocol but specific to KeyCloak +# server regarding multi-tenancy support. KeyCloak has a notion of realm +# used as an analog of Keystone project/tenant. +KEYCLOAK_OIDC = 'keycloak-oidc' + + +ALL = [KEYSTONE, KEYCLOAK_OIDC] diff --git a/mistralclient/auth/keycloak.py b/mistralclient/auth/keycloak.py new file mode 100644 index 00000000..9c3f849d --- /dev/null +++ b/mistralclient/auth/keycloak.py @@ -0,0 +1,141 @@ +# Copyright 2016 - Nokia Networks +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import logging +import pprint +import requests + + +LOG = logging.getLogger(__name__) + + +def authenticate(auth_url, client_id, client_secret, realm_name, + username=None, password=None, access_token=None, + cacert=None, insecure=False): + """Performs authentication using Keycloak OpenID Protocol. + + :param auth_url: Base authentication url of KeyCloak server (e.g. + "https://my.keycloak:8443/auth" + :param client_id: Client ID (according to OpenID Connect protocol). + :param client_secret: Client secret (according to OpenID Connect protocol). + :param realm_name: KeyCloak realm name. + :param username: User name (Optional, if None then access_token must be + provided). + :param password: Password (Optional). + :param access_token: Access token. If passed, username and password are + not used and this method just validates the token and refreshes it, + if needed. (Optional, if None then username must be provided) + :param cacert: SSL certificate file (Optional). + :param insecure: If True, SSL certificate is not verified (Optional). + + """ + if not auth_url: + raise ValueError('Base authentication url is not provided.') + + if not client_id: + raise ValueError('Client ID is not provided.') + + if not client_secret: + raise ValueError('Client secret is not provided.') + + if not realm_name: + raise ValueError('Project(realm) name is not provided.') + + if username and access_token: + raise ValueError( + "User name and access token can't be provided at the same time." + ) + + if access_token: + return _authenticate_with_token( + auth_url, + client_id, + client_secret, + access_token, + cacert, + insecure + ) + + if not username: + raise ValueError('Either user name or access token must be provided.') + + return _authenticate_with_password( + auth_url, + client_id, + client_secret, + realm_name, + username, + password, + cacert, + insecure + ) + + +def _authenticate_with_token(auth_url, client_id, client_secret, auth_token, + cacert=None, insecure=None): + # TODO(rakhmerov): Implement. + raise NotImplementedError + + +def _authenticate_with_password(auth_url, client_id, client_secret, + realm_name, username, password, + cacert=None, insecure=None): + access_token_endpoint = ( + "%s/realms/%s/protocol/openid-connect/token" % (auth_url, realm_name) + ) + + client_auth = (client_id, client_secret) + + body = { + 'grant_type': 'password', + 'username': username, + 'password': password, + 'scope': 'profile' + } + + resp = requests.post( + access_token_endpoint, + auth=client_auth, + data=body, + verify=not insecure + ) + + try: + resp.raise_for_status() + except Exception as e: + raise Exception("Failed to get access token:\n %s" % str(e)) + + LOG.debug( + "HTTP response from OIDC provider: %s" % pprint.pformat(resp.json()) + ) + + return resp.json()['access_token'] + + +# An example of using KeyCloak OpenID authentication. + +if __name__ == '__main__': + print("Using username/password to get access token from KeyCloak...") + + a_token = authenticate( + "https://my.keycloak:8443/auth", + client_id="mistral_client", + client_secret="4a080907-921b-409a-b793-c431609c3a47", + realm_name="mistral", + username="user", + password="secret", + insecure=True + ) + + print("Access token: %s" % a_token) diff --git a/mistralclient/auth/keystone.py b/mistralclient/auth/keystone.py new file mode 100644 index 00000000..000da3a9 --- /dev/null +++ b/mistralclient/auth/keystone.py @@ -0,0 +1,73 @@ +# Copyright 2016 - Nokia Networks +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +def authenticate(mistral_url=None, username=None, + api_key=None, project_name=None, auth_url=None, + project_id=None, endpoint_type='publicURL', + service_type='workflowv2', auth_token=None, user_id=None, + cacert=None, insecure=False): + + if project_name and project_id: + raise RuntimeError( + 'Only project name or project id should be set' + ) + + if username and user_id: + raise RuntimeError( + 'Only user name or user id should be set' + ) + + keystone_client = _get_keystone_client(auth_url) + + keystone = keystone_client.Client( + username=username, + user_id=user_id, + password=api_key, + token=auth_token, + tenant_id=project_id, + tenant_name=project_name, + auth_url=auth_url, + endpoint=auth_url, + cacert=cacert, + insecure=insecure + ) + + keystone.authenticate() + + token = keystone.auth_token + user_id = keystone.user_id + project_id = keystone.project_id + + if not mistral_url: + catalog = keystone.service_catalog.get_endpoints( + service_type=service_type, + endpoint_type=endpoint_type + ) + + if service_type in catalog: + service = catalog.get(service_type) + mistral_url = service[0].get( + endpoint_type) if service else None + + return mistral_url, token, project_id, user_id + + +def _get_keystone_client(auth_url): + if "v2.0" in auth_url: + from keystoneclient.v2_0 import client + else: + from keystoneclient.v3 import client + + return client diff --git a/mistralclient/shell.py b/mistralclient/shell.py index fa555ad7..2d313731 100644 --- a/mistralclient/shell.py +++ b/mistralclient/shell.py @@ -20,6 +20,7 @@ import logging import sys from mistralclient.api import client +from mistralclient.auth import auth_types import mistralclient.commands.v2.action_executions import mistralclient.commands.v2.actions import mistralclient.commands.v2.cron_triggers @@ -297,6 +298,33 @@ class MistralShell(app.App): '(Env: MISTRALCLIENT_INSECURE)' ) + parser.add_argument( + '--auth-type', + action='store', + dest='auth_type', + default=c.env('MISTRAL_AUTH_TYPE', default=auth_types.KEYSTONE), + help='Authentication type. Valid options are: %s.' + ' (Env: MISTRAL_AUTH_TYPE)' % auth_types.ALL + ) + + parser.add_argument( + '--openid-client-id', + action='store', + dest='client_id', + default=c.env('OPENID_CLIENT_ID'), + help='Client ID (according to OpenID Connect).' + ' (Env: OPENID_CLIENT_ID)' + ) + + parser.add_argument( + '--openid-client-secret', + action='store', + dest='client_secret', + default=c.env('OPENID_CLIENT_SECRET'), + help='Client secret (according to OpenID Connect)' + ' (Env: OPENID_CLIENT_SECRET)' + ) + parser.add_argument( '--profile', dest='profile', @@ -344,11 +372,14 @@ class MistralShell(app.App): auth_token=self.options.token, cacert=self.options.cacert, insecure=self.options.insecure, - profile=self.options.profile + profile=self.options.profile, + auth_type=self.options.auth_type, + client_id=self.options.client_id, + client_secret=self.options.client_secret, ) # Adding client_manager variable to make mistral client work with - # unified openstack client. + # unified OpenStack client. ClientManager = type( 'ClientManager', (object,),