diff --git a/doc/source/man/openstack.rst b/doc/source/man/openstack.rst index de2bbe92fa..4a9df34a39 100644 --- a/doc/source/man/openstack.rst +++ b/doc/source/man/openstack.rst @@ -47,6 +47,9 @@ Please bear in mind that some plugins might not support all of the functionaliti Additionally, it is possible to use Keystone's service token to authenticate, by setting the options :option:`--os-token` and :option:`--os-url` (or the environment variables :envvar:`OS_TOKEN` and :envvar:`OS_URL` respectively). This method takes precedence over authentication plugins. +.. NOTE:: + To use the ``v3unscopedsaml`` method, the lxml package will need to be installed. + OPTIONS ======= diff --git a/openstackclient/identity/v3/unscoped_saml.py b/openstackclient/identity/v3/unscoped_saml.py new file mode 100644 index 0000000000..affbaf3a87 --- /dev/null +++ b/openstackclient/identity/v3/unscoped_saml.py 
@@ -0,0 +1,79 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +"""Identity v3 unscoped SAML auth action implementations. + +The first step of federated auth is to fetch an unscoped token. From there, +the user can list domains and projects they are allowed to access, and request +a scoped token.""" + +import logging + +from cliff import lister + +from openstackclient.common import exceptions +from openstackclient.common import utils + + +UNSCOPED_AUTH_PLUGINS = ['v3unscopedsaml', 'v3unscopedadfs'] + + +def auth_with_unscoped_saml(func): + """Check the unscoped federated context""" + def _decorated(self, parsed_args): + auth_plugin_name = self.app.client_manager.auth_plugin_name + if auth_plugin_name in UNSCOPED_AUTH_PLUGINS: + return func(self, parsed_args) + else: + msg = ('This command requires the use of an unscoped SAML ' + 'authentication plugin. 
Please use argument ' + '--os-auth-plugin with one of the following ' + 'plugins: ' + ', '.join(UNSCOPED_AUTH_PLUGINS)) + raise exceptions.CommandError(msg) + return _decorated + + +class ListAccessibleDomains(lister.Lister): + """List accessible domains""" + + log = logging.getLogger(__name__ + '.ListAccessibleDomains') + + @auth_with_unscoped_saml + def take_action(self, parsed_args): + self.log.debug('take_action(%s)', parsed_args) + columns = ('ID', 'Enabled', 'Name', 'Description') + identity_client = self.app.client_manager.identity + data = identity_client.federation.domains.list() + return (columns, + (utils.get_item_properties( + s, columns, + formatters={}, + ) for s in data)) + + +class ListAccessibleProjects(lister.Lister): + """List accessible projects""" + + log = logging.getLogger(__name__ + '.ListAccessibleProjects') + + @auth_with_unscoped_saml + def take_action(self, parsed_args): + self.log.debug('take_action(%s)', parsed_args) + columns = ('ID', 'Domain ID', 'Enabled', 'Name') + identity_client = self.app.client_manager.identity + data = identity_client.federation.projects.list() + return (columns, + (utils.get_item_properties( + s, columns, + formatters={}, + ) for s in data)) diff --git a/openstackclient/tests/fakes.py b/openstackclient/tests/fakes.py index f8b7bb6f39..abad4cffe6 100644 --- a/openstackclient/tests/fakes.py +++ b/openstackclient/tests/fakes.py @@ -199,6 +199,7 @@ class FakeClientManager(object): self.network = None self.session = None self.auth_ref = None + self.auth_plugin_name = None class FakeModule(object): diff --git a/openstackclient/tests/identity/v3/fakes.py b/openstackclient/tests/identity/v3/fakes.py index 5844d160b9..b195ed78b7 100644 --- a/openstackclient/tests/identity/v3/fakes.py +++ b/openstackclient/tests/identity/v3/fakes.py 
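Review bot: The `_decorated` wrapper in `auth_with_unscoped_saml` does not preserve the wrapped method's name or docstring, so anything that introspects `take_action` (cliff help output, tracebacks, test reports) sees `_decorated` instead; add `import functools` next to the existing `import logging` and put `@functools.wraps(func)` directly above `def _decorated(self, parsed_args):`. Be clear in a comment that this guard only compares the client-side `self.app.client_manager.auth_plugin_name` string against `UNSCOPED_AUTH_PLUGINS` to give a friendlier error than the server would — it is a usability check, not an authorization control, since Keystone still decides what an unscoped token may list. If `auth_plugin_name` can be absent on a ClientManager (the tests/fakes.py hunk has to add the attribute to its fake), the decorator raises AttributeError rather than the intended CommandError; `getattr(self.app.client_manager, 'auth_plugin_name', None)` keeps the intended message in that case. The `--os-auth-plugin` flag named in the message is assumed to match the option the CLI actually exposes; that cannot be confirmed from this diff.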
@@ -285,6 +285,19 @@ OAUTH_VERIFIER = { } +class FakeAuth(object): + def __init__(self, auth_method_class=None): + self._auth_method_class = auth_method_class + + def get_token(self, *args, **kwargs): + return token_id + + +class FakeSession(object): + def __init__(self, **kwargs): + self.auth = FakeAuth() + + class FakeIdentityv3Client(object): def __init__(self, **kwargs): self.domains = mock.Mock() @@ -320,6 +333,10 @@ class FakeFederationManager(object): self.mappings.resource_class = fakes.FakeResource(None, {}) self.protocols = mock.Mock() self.protocols.resource_class = fakes.FakeResource(None, {}) + self.projects = mock.Mock() + self.projects.resource_class = fakes.FakeResource(None, {}) + self.domains = mock.Mock() + self.domains.resource_class = fakes.FakeResource(None, {}) class FakeFederatedClient(FakeIdentityv3Client): diff --git a/openstackclient/tests/identity/v3/test_unscoped_saml.py b/openstackclient/tests/identity/v3/test_unscoped_saml.py new file mode 100644 index 0000000000..6b2d3f5b1c --- /dev/null +++ b/openstackclient/tests/identity/v3/test_unscoped_saml.py 
@@ -0,0 +1,128 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import copy + +from openstackclient.common import exceptions +from openstackclient.identity.v3 import unscoped_saml +from openstackclient.tests import fakes +from openstackclient.tests.identity.v3 import fakes as identity_fakes + + +class TestUnscopedSAML(identity_fakes.TestFederatedIdentity): + + def setUp(self): + super(TestUnscopedSAML, self).setUp() + + federation_lib = self.app.client_manager.identity.federation + self.projects_mock = federation_lib.projects + self.projects_mock.reset_mock() + self.domains_mock = federation_lib.domains + self.domains_mock.reset_mock() + + +class TestProjectList(TestUnscopedSAML): + + def setUp(self): + super(TestProjectList, self).setUp() + + self.projects_mock.list.return_value = [ + fakes.FakeResource( + None, + copy.deepcopy(identity_fakes.PROJECT), + loaded=True, + ), + ] + + # Get the command object to test + self.cmd = unscoped_saml.ListAccessibleProjects(self.app, None) + + def test_accessible_projects_list(self): + self.app.client_manager.auth_plugin_name = 'v3unscopedsaml' + arglist = [] + verifylist = [] + parsed_args = self.check_parser(self.cmd, arglist, verifylist) + + # DisplayCommandBase.take_action() returns two tuples + columns, data = self.cmd.take_action(parsed_args) + + self.projects_mock.list.assert_called_with() + + collist = ('ID', 'Domain ID', 'Enabled', 'Name') + self.assertEqual(columns, collist) + datalist = (( + identity_fakes.project_id, 
+ identity_fakes.domain_id, + True, + identity_fakes.project_name, + ), ) + self.assertEqual(tuple(data), datalist) + + def test_accessible_projects_list_wrong_auth(self): + auth = identity_fakes.FakeAuth("wrong auth") + self.app.client_manager.identity.session.auth = auth + arglist = [] + verifylist = [] + parsed_args = self.check_parser(self.cmd, arglist, verifylist) + + self.assertRaises(exceptions.CommandError, + self.cmd.take_action, + parsed_args) + + +class TestDomainList(TestUnscopedSAML): + + def setUp(self): + super(TestDomainList, self).setUp() + + self.domains_mock.list.return_value = [ + fakes.FakeResource( + None, + copy.deepcopy(identity_fakes.DOMAIN), + loaded=True, + ), + ] + + # Get the command object to test + self.cmd = unscoped_saml.ListAccessibleDomains(self.app, None) + + def test_accessible_domains_list(self): + self.app.client_manager.auth_plugin_name = 'v3unscopedsaml' + arglist = [] + verifylist = [] + parsed_args = self.check_parser(self.cmd, arglist, verifylist) + + # DisplayCommandBase.take_action() returns two tuples + columns, data = self.cmd.take_action(parsed_args) + + self.domains_mock.list.assert_called_with() + + collist = ('ID', 'Enabled', 'Name', 'Description') + self.assertEqual(columns, collist) + datalist = (( + identity_fakes.domain_id, + True, + identity_fakes.domain_name, + identity_fakes.domain_description, + ), ) + self.assertEqual(tuple(data), datalist) + + def test_accessible_domains_list_wrong_auth(self): + auth = identity_fakes.FakeAuth("wrong auth") + self.app.client_manager.identity.session.auth = auth + arglist = [] + verifylist = [] + parsed_args = self.check_parser(self.cmd, arglist, verifylist) + + self.assertRaises(exceptions.CommandError, + self.cmd.take_action, + parsed_args) diff --git a/setup.cfg b/setup.cfg index af601649de..c0519d11d6 100644 --- a/setup.cfg +++ b/setup.cfg 
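Review bot: `test_accessible_projects_list_wrong_auth` and `test_accessible_domains_list_wrong_auth` replace `client_manager.identity.session.auth` with `FakeAuth("wrong auth")`, but `auth_with_unscoped_saml` in unscoped_saml.py never consults the session or its auth object — it only compares `client_manager.auth_plugin_name` with `UNSCOPED_AUTH_PLUGINS`, and the fake client manager initialises that attribute to `None`. The CommandError is therefore raised regardless of the assignment and both tests would still pass with it deleted, so they do not show that a non-SAML plugin is rejected. Replace the `session.auth` line with `self.app.client_manager.auth_plugin_name = 'password'` (any name outside `UNSCOPED_AUTH_PLUGINS`) and follow the `assertRaises` with `self.assertFalse(self.projects_mock.list.called)` (resp. `self.domains_mock.list.called`) so the guard is shown to short-circuit before any federation API call. The `FakeAuth(auth_method_class)` argument and `FakeSession` added in identity/v3/fakes.py are then unused by this module, and a positive case for the second accepted name, `'v3unscopedadfs'`, would be worth adding since the whitelist has two entries and only one is exercised.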
@@ -240,6 +240,9 @@ openstack.identity.v3 = federation_protocol_set = openstackclient.identity.v3.federation_protocol:SetProtocol federation_protocol_show = openstackclient.identity.v3.federation_protocol:ShowProtocol + federation_domain_list = openstackclient.identity.v3.unscoped_saml:ListAccessibleDomains + federation_project_list = openstackclient.identity.v3.unscoped_saml:ListAccessibleProjects + request_token_authorize = openstackclient.identity.v3.token:AuthorizeRequestToken request_token_create = openstackclient.identity.v3.token:CreateRequestToken