Keyring support for openstackclient.

Bug: 1030440 If password is defined in keyring, use it; otherwise, prompt for the password. Keying is configured using command line switch, --os-use-keyring or env(OS_USE_KEYRING). * openstackclient/common/openstackkeyring.py The abstract class for keyring, specifically for openstack. The class is used to store encrypted password in keyring, without prompting for keyring password. The encrypted password is stored in ~/.openstack-keyring.cfg file. * openstack-common.py Update openstackkeyring library from openstack.common. * openstackclient/shell.py OpenStackClient.build_option_parser(): New boolean argument, --os-use-keyring, default to env(OS_USE_KEYRING). OpenStackClient.authenticate_user(): Get password from keyring, if it is defined; otherwise, prompt for the password. If user enter a password and keyring is enabled, store it in keyring. OpenStackClient.init_keyring_backend(): New method to define openstack backend for keyring. OpenStackClient.get_password_from_keyring(): New method to get password from keyring. OpenStackClient.set_password_in_keyring(): New method go set password in keyring. * toos/pip-requires Define keyring and pycrypto as one of dependent. Change-Id: I36d3a63054658c0ef0553d68b38fefbc236930ef
2012-07-08 16:06:32 -07:00
parent 540c4883d6
commit f0cefcc77d
4 changed files with 112 additions and 1 deletions
--- a/openstack-common.conf
+++ b/openstack-common.conf
@@ -1,7 +1,7 @@
 [DEFAULT]

 # The list of modules to copy from openstack-common
-modules=setup
+modules=setup,openstackkeyring

 # The base module to hold the copy of openstack.common
 base=openstackclient
--- a/openstackclient/common/openstackkeyring.py
+++ b/openstackclient/common/openstackkeyring.py
@@ -0,0 +1,65 @@
+# Copyright 2011 OpenStack LLC.
+# All Rights Reserved
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+"""
+Keyring backend for Openstack, to store encrypted password in a file.
+"""
+
+from Crypto.Cipher import AES
+
+import crypt
+import keyring
+import os
+
+KEYRING_FILE = os.path.join(os.path.expanduser('~'), '.openstack-keyring.cfg')
+
+
+class OpenstackKeyring(keyring.backend.BasicFileKeyring):
+    """ Openstack Keyring to store encrypted password """
+
+    filename = KEYRING_FILE
+
+    def supported(self):
+        """ applicable for all platforms, but not recommend """
+        pass
+
+    def _init_crypter(self):
+        """ initialize the crypter using the class name """
+        block_size = 32
+        padding = '0'
+
+        # init the cipher with the class name, upto block_size
+        password = __name__[block_size:]
+        password = password + (block_size - len(password) % \
+                              block_size) * padding
+        return AES.new(password, AES.MODE_CFB)
+
+    def encrypt(self, password):
+        """ encrypt the given password """
+        crypter = self._init_crypter()
+        return crypter.encrypt(password)
+
+    def decrypt(self, password_encrypted):
+        """ decrypt the given password """
+        crypter = self._init_crypter()
+        return crypter.decrypt(password_encrypted)
+
+
+def os_keyring():
+    """ initialize the openstack keyring """
+    return keyring.core.load_keyring(None,
+             'openstackclient.common.openstackkeyring.OpenstackKeyring')
--- a/openstackclient/shell.py
+++ b/openstackclient/shell.py
@@ -29,10 +29,12 @@ from cliff.commandmanager import CommandManager

 from openstackclient.common import clientmanager
 from openstackclient.common import exceptions as exc
+from openstackclient.common import openstackkeyring
 from openstackclient.common import utils


 VERSION = '0.1'
+KEYRING_SERVICE = 'openstack'


 def env(*vars, **kwargs):
@@ -123,6 +125,18 @@ class OpenStackShell(App):
            default=env('OS_URL'),
            help='Defaults to env[OS_URL]')

+        env_os_keyring = env('OS_USE_KEYRING', default=False)
+        if type(env_os_keyring) == str:
+            if env_os_keyring.lower() in ['true', '1']:
+                env_os_keyring = True
+            else:
+                env_os_keyring = False
+        parser.add_argument('--os-use-keyring',
+                            default=env_os_keyring,
+                            action='store_true',
+                            help='Use keyring to store password, '
+                                 'default=False (Env: OS_USE_KEYRING)')
+
        return parser

    def authenticate_user(self):
@@ -149,12 +163,14 @@ class OpenStackShell(App):
                    "You must provide a username via"
                    " either --os-username or env[OS_USERNAME]")

+            self.get_password_from_keyring()
            if not self.options.os_password:
                # No password, if we've got a tty, try prompting for it
                if hasattr(sys.stdin, 'isatty') and sys.stdin.isatty():
                    # Check for Ctl-D
                    try:
                        self.options.os_password = getpass.getpass()
+                        self.set_password_in_keyring()
                    except EOFError:
                        pass
                # No password because we did't have a tty or the
@@ -188,6 +204,34 @@ class OpenStackShell(App):
            )
        return

+    def init_keyring_backend(self):
+        """Initialize openstack backend to use for keyring"""
+        return openstackkeyring.os_keyring()
+
+    def get_password_from_keyring(self):
+        """Get password from keyring, if it's set"""
+        if self.options.os_use_keyring:
+            service = KEYRING_SERVICE
+            backend = self.init_keyring_backend()
+            if not self.options.os_password:
+                password = backend.get_password(service,
+                                                self.options.os_username)
+                self.options.os_password = password
+
+    def set_password_in_keyring(self):
+        """Set password in keyring for this user"""
+        if self.options.os_use_keyring:
+            service = KEYRING_SERVICE
+            backend = self.init_keyring_backend()
+            if self.options.os_password:
+                password = backend.get_password(service,
+                                                self.options.os_username)
+                # either password is not set in keyring, or it is different
+                if password != self.options.os_password:
+                    backend.set_password(service,
+                                         self.options.os_username,
+                                         self.options.os_password)
+
    def initialize_app(self, argv):
        """Global app init bits:

--- a/tools/pip-requires
+++ b/tools/pip-requires
@@ -1,7 +1,9 @@
 cliff
 argparse
 httplib2
+keyring
 prettytable
+pycrypto
 python-keystoneclient>=0.1,<0.2
 python-novaclient>=2,<3
 simplejson