From f7c04df5ec07426a97ff8a0fa72b718ef8e84cbd Mon Sep 17 00:00:00 2001 From: Renat Akhmerov Date: Thu, 30 Jun 2016 11:12:50 +0700 Subject: [PATCH] Add KeyCloak OpenID Connect authentication Questions: * The implementation is now KeyCloak specific in part of using realms as a substition for Keystone projects (multitenancy). Based on a realm name (in fact, project name) we build a url where we send auth requests. Can we move away from KeyCloak specifics and provide a pure OpenID Connect implementation? TODO: * Reusing existing token * Refreshin a token NOTE: This addition now looks slightly hacky because we try to put all possible auth parameters into Client initializer. Ideally, authentication method should be pluggable similar to the new Keystone approach with separation sessions and authentication methods (see keystoneauth project). This separation can be addressed only in Mistral future versions because all changes in API/CLI v2 have to be backwards compatible. API/CLI v3 must address this architectural issue. Change-Id: I845b2bfbc1877e6f4b0c1a523d136e01c3742865 --- mistralclient/api/client.py | 9 +- mistralclient/api/v2/client.py | 115 ++++++++++--------------- mistralclient/auth/__init__.py | 0 mistralclient/auth/auth_types.py | 26 ++++++ mistralclient/auth/keycloak.py | 141 +++++++++++++++++++++++++++++++ mistralclient/auth/keystone.py | 73 ++++++++++++++++ mistralclient/shell.py | 35 +++++++- 7 files changed, 325 insertions(+), 74 deletions(-) create mode 100644 mistralclient/auth/__init__.py create mode 100644 mistralclient/auth/auth_types.py create mode 100644 mistralclient/auth/keycloak.py create mode 100644 mistralclient/auth/keystone.py diff --git a/mistralclient/api/client.py b/mistralclient/api/client.py index a481dca8..4a0147af 100644 --- a/mistralclient/api/client.py +++ b/mistralclient/api/client.py @@ -15,13 +15,15 @@ import six from mistralclient.api.v2 import client as client_v2 +from mistralclient.auth import auth_types def client(mistral_url=None, username=None, api_key=None, project_name=None, auth_url=None, project_id=None, endpoint_type='publicURL', service_type='workflow', auth_token=None, user_id=None, cacert=None, insecure=False, - profile=None): + profile=None, auth_type=auth_types.KEYSTONE, client_id=None, + client_secret=None): if mistral_url and not isinstance(mistral_url, six.string_types): raise RuntimeError('Mistral url should be a string.') @@ -39,7 +41,10 @@ def client(mistral_url=None, username=None, api_key=None, user_id=user_id, cacert=cacert, insecure=insecure, - profile=profile + profile=profile, + auth_type=auth_type, + client_id=client_id, + client_secret=client_secret ) diff --git a/mistralclient/api/v2/client.py b/mistralclient/api/v2/client.py index c0a93395..35deb1e0 100644 --- a/mistralclient/api/v2/client.py +++ b/mistralclient/api/v2/client.py @@ -28,6 +28,12 @@ from mistralclient.api.v2 import services from mistralclient.api.v2 import tasks from mistralclient.api.v2 import workbooks from mistralclient.api.v2 import workflows +from mistralclient.auth import auth_types +from mistralclient.auth import keycloak +from mistralclient.auth import keystone + + +_DEFAULT_MISTRAL_URL = "http://localhost:8989/v2" class Client(object): @@ -35,31 +41,57 @@ class Client(object): project_name=None, auth_url=None, project_id=None, endpoint_type='publicURL', service_type='workflowv2', auth_token=None, user_id=None, cacert=None, insecure=False, - profile=None): + profile=None, auth_type=auth_types.KEYSTONE, client_id=None, + client_secret=None): if mistral_url and not isinstance(mistral_url, six.string_types): - raise RuntimeError('Mistral url should be string') + raise RuntimeError('Mistral url should be a string.') if auth_url: - (mistral_url, auth_token, project_id, user_id) = ( - self.authenticate( - mistral_url, + if auth_type == auth_types.KEYSTONE: + (mistral_url, auth_token, project_id, user_id) = ( + keystone.authenticate( + mistral_url, + username, + api_key, + project_name, + auth_url, + project_id, + endpoint_type, + service_type, + auth_token, + user_id, + cacert, + insecure + ) + ) + elif auth_type == auth_types.KEYCLOAK_OIDC: + auth_token = keycloak.authenticate( + auth_url, + client_id, + client_secret, + project_name, username, api_key, - project_name, - auth_url, - project_id, - endpoint_type, - service_type, auth_token, - user_id, cacert, insecure ) - ) + + # In case of KeyCloak OpenID Connect we can treat project + # name and id in the same way because KeyCloak realm is + # essentially a different OpenID Connect Issuer which in + # KeyCloak is represented just as a URL path component + # (see http://openid.net/specs/openid-connect-core-1_0.html). + project_id = project_name + else: + raise RuntimeError( + 'Invalid authentication type [value=%s, valid_values=%s]' + % (auth_type, auth_types.ALL) + ) if not mistral_url: - mistral_url = "http://localhost:8989/v2" + mistral_url = _DEFAULT_MISTRAL_URL if profile: osprofiler.profiler.init(profile) @@ -84,60 +116,3 @@ class Client(object): self.action_executions = action_executions.ActionExecutionManager(self) self.services = services.ServiceManager(self) self.members = members.MemberManager(self) - - def authenticate(self, mistral_url=None, username=None, api_key=None, - project_name=None, auth_url=None, project_id=None, - endpoint_type='publicURL', service_type='workflowv2', - auth_token=None, user_id=None, cacert=None, - insecure=False): - - if project_name and project_id: - raise RuntimeError( - 'Only project name or project id should be set' - ) - - if username and user_id: - raise RuntimeError( - 'Only user name or user id should be set' - ) - - keystone_client = _get_keystone_client(auth_url) - - keystone = keystone_client.Client( - username=username, - user_id=user_id, - password=api_key, - token=auth_token, - tenant_id=project_id, - tenant_name=project_name, - auth_url=auth_url, - endpoint=auth_url, - cacert=cacert, - insecure=insecure - ) - - keystone.authenticate() - token = keystone.auth_token - user_id = keystone.user_id - project_id = keystone.project_id - - if not mistral_url: - catalog = keystone.service_catalog.get_endpoints( - service_type=service_type, - endpoint_type=endpoint_type - ) - if service_type in catalog: - service = catalog.get(service_type) - mistral_url = service[0].get( - endpoint_type) if service else None - - return mistral_url, token, project_id, user_id - - -def _get_keystone_client(auth_url): - if "v2.0" in auth_url: - from keystoneclient.v2_0 import client - else: - from keystoneclient.v3 import client - - return client diff --git a/mistralclient/auth/__init__.py b/mistralclient/auth/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/mistralclient/auth/auth_types.py b/mistralclient/auth/auth_types.py new file mode 100644 index 00000000..71762601 --- /dev/null +++ b/mistralclient/auth/auth_types.py @@ -0,0 +1,26 @@ +# Copyright 2016 - Nokia Networks +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Valid authentication types. + +# Standard Keystone authentication. +KEYSTONE = 'keystone' + +# Authentication using OpenID Connect protocol but specific to KeyCloak +# server regarding multi-tenancy support. KeyCloak has a notion of realm +# used as an analog of Keystone project/tenant. +KEYCLOAK_OIDC = 'keycloak-oidc' + + +ALL = [KEYSTONE, KEYCLOAK_OIDC] diff --git a/mistralclient/auth/keycloak.py b/mistralclient/auth/keycloak.py new file mode 100644 index 00000000..9c3f849d --- /dev/null +++ b/mistralclient/auth/keycloak.py @@ -0,0 +1,141 @@ +# Copyright 2016 - Nokia Networks +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import logging +import pprint +import requests + + +LOG = logging.getLogger(__name__) + + +def authenticate(auth_url, client_id, client_secret, realm_name, + username=None, password=None, access_token=None, + cacert=None, insecure=False): + """Performs authentication using Keycloak OpenID Protocol. + + :param auth_url: Base authentication url of KeyCloak server (e.g. + "https://my.keycloak:8443/auth" + :param client_id: Client ID (according to OpenID Connect protocol). + :param client_secret: Client secret (according to OpenID Connect protocol). + :param realm_name: KeyCloak realm name. + :param username: User name (Optional, if None then access_token must be + provided). + :param password: Password (Optional). + :param access_token: Access token. If passed, username and password are + not used and this method just validates the token and refreshes it, + if needed. (Optional, if None then username must be provided) + :param cacert: SSL certificate file (Optional). + :param insecure: If True, SSL certificate is not verified (Optional). + + """ + if not auth_url: + raise ValueError('Base authentication url is not provided.') + + if not client_id: + raise ValueError('Client ID is not provided.') + + if not client_secret: + raise ValueError('Client secret is not provided.') + + if not realm_name: + raise ValueError('Project(realm) name is not provided.') + + if username and access_token: + raise ValueError( + "User name and access token can't be provided at the same time." + ) + + if access_token: + return _authenticate_with_token( + auth_url, + client_id, + client_secret, + access_token, + cacert, + insecure + ) + + if not username: + raise ValueError('Either user name or access token must be provided.') + + return _authenticate_with_password( + auth_url, + client_id, + client_secret, + realm_name, + username, + password, + cacert, + insecure + ) + + +def _authenticate_with_token(auth_url, client_id, client_secret, auth_token, + cacert=None, insecure=None): + # TODO(rakhmerov): Implement. + raise NotImplementedError + + +def _authenticate_with_password(auth_url, client_id, client_secret, + realm_name, username, password, + cacert=None, insecure=None): + access_token_endpoint = ( + "%s/realms/%s/protocol/openid-connect/token" % (auth_url, realm_name) + ) + + client_auth = (client_id, client_secret) + + body = { + 'grant_type': 'password', + 'username': username, + 'password': password, + 'scope': 'profile' + } + + resp = requests.post( + access_token_endpoint, + auth=client_auth, + data=body, + verify=not insecure + ) + + try: + resp.raise_for_status() + except Exception as e: + raise Exception("Failed to get access token:\n %s" % str(e)) + + LOG.debug( + "HTTP response from OIDC provider: %s" % pprint.pformat(resp.json()) + ) + + return resp.json()['access_token'] + + +# An example of using KeyCloak OpenID authentication. + +if __name__ == '__main__': + print("Using username/password to get access token from KeyCloak...") + + a_token = authenticate( + "https://my.keycloak:8443/auth", + client_id="mistral_client", + client_secret="4a080907-921b-409a-b793-c431609c3a47", + realm_name="mistral", + username="user", + password="secret", + insecure=True + ) + + print("Access token: %s" % a_token) diff --git a/mistralclient/auth/keystone.py b/mistralclient/auth/keystone.py new file mode 100644 index 00000000..000da3a9 --- /dev/null +++ b/mistralclient/auth/keystone.py @@ -0,0 +1,73 @@ +# Copyright 2016 - Nokia Networks +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +def authenticate(mistral_url=None, username=None, + api_key=None, project_name=None, auth_url=None, + project_id=None, endpoint_type='publicURL', + service_type='workflowv2', auth_token=None, user_id=None, + cacert=None, insecure=False): + + if project_name and project_id: + raise RuntimeError( + 'Only project name or project id should be set' + ) + + if username and user_id: + raise RuntimeError( + 'Only user name or user id should be set' + ) + + keystone_client = _get_keystone_client(auth_url) + + keystone = keystone_client.Client( + username=username, + user_id=user_id, + password=api_key, + token=auth_token, + tenant_id=project_id, + tenant_name=project_name, + auth_url=auth_url, + endpoint=auth_url, + cacert=cacert, + insecure=insecure + ) + + keystone.authenticate() + + token = keystone.auth_token + user_id = keystone.user_id + project_id = keystone.project_id + + if not mistral_url: + catalog = keystone.service_catalog.get_endpoints( + service_type=service_type, + endpoint_type=endpoint_type + ) + + if service_type in catalog: + service = catalog.get(service_type) + mistral_url = service[0].get( + endpoint_type) if service else None + + return mistral_url, token, project_id, user_id + + +def _get_keystone_client(auth_url): + if "v2.0" in auth_url: + from keystoneclient.v2_0 import client + else: + from keystoneclient.v3 import client + + return client diff --git a/mistralclient/shell.py b/mistralclient/shell.py index fa555ad7..2d313731 100644 --- a/mistralclient/shell.py +++ b/mistralclient/shell.py @@ -20,6 +20,7 @@ import logging import sys from mistralclient.api import client +from mistralclient.auth import auth_types import mistralclient.commands.v2.action_executions import mistralclient.commands.v2.actions import mistralclient.commands.v2.cron_triggers @@ -297,6 +298,33 @@ class MistralShell(app.App): '(Env: MISTRALCLIENT_INSECURE)' ) + parser.add_argument( + '--auth-type', + action='store', + dest='auth_type', + default=c.env('MISTRAL_AUTH_TYPE', default=auth_types.KEYSTONE), + help='Authentication type. Valid options are: %s.' + ' (Env: MISTRAL_AUTH_TYPE)' % auth_types.ALL + ) + + parser.add_argument( + '--openid-client-id', + action='store', + dest='client_id', + default=c.env('OPENID_CLIENT_ID'), + help='Client ID (according to OpenID Connect).' + ' (Env: OPENID_CLIENT_ID)' + ) + + parser.add_argument( + '--openid-client-secret', + action='store', + dest='client_secret', + default=c.env('OPENID_CLIENT_SECRET'), + help='Client secret (according to OpenID Connect)' + ' (Env: OPENID_CLIENT_SECRET)' + ) + parser.add_argument( '--profile', dest='profile', @@ -344,11 +372,14 @@ class MistralShell(app.App): auth_token=self.options.token, cacert=self.options.cacert, insecure=self.options.insecure, - profile=self.options.profile + profile=self.options.profile, + auth_type=self.options.auth_type, + client_id=self.options.client_id, + client_secret=self.options.client_secret, ) # Adding client_manager variable to make mistral client work with - # unified openstack client. + # unified OpenStack client. ClientManager = type( 'ClientManager', (object,),