 e51a8d6374
			
		
	
	e51a8d6374
	
	
	
		
			
			The method being changed constructs domain-related parameters that will further be passed to the auth plugin. If project domain is not passed, the method sets it to the default domain. token_endpoint does not expect any information about domain, because it uses only a token and URL. Passing it to auth plugin causes an exception. Construct domain-related parameters only for specific plugins, such as password or totp. Change-Id: I13db3bbe31a0ed843e9f4528d37c768546e2bee9 Closes-Bug: 1642301
		
			
				
	
	
		
			263 lines
		
	
	
		
			10 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			263 lines
		
	
	
		
			10 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| #   Licensed under the Apache License, Version 2.0 (the "License"); you may
 | |
| #   not use this file except in compliance with the License. You may obtain
 | |
| #   a copy of the License at
 | |
| #
 | |
| #        http://www.apache.org/licenses/LICENSE-2.0
 | |
| #
 | |
| #   Unless required by applicable law or agreed to in writing, software
 | |
| #   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 | |
| #   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 | |
| #   License for the specific language governing permissions and limitations
 | |
| #   under the License.
 | |
| #
 | |
| 
 | |
| """OpenStackConfig subclass for argument compatibility"""
 | |
| 
 | |
| import logging
 | |
| 
 | |
| from os_client_config import config
 | |
| from os_client_config import exceptions as occ_exceptions
 | |
| from oslo_utils import strutils
 | |
| import six
 | |
| 
 | |
| 
 | |
| LOG = logging.getLogger(__name__)
 | |
| 
 | |
| 
 | |
| # Sublcass OpenStackConfig in order to munge config values
 | |
| # before auth plugins are loaded
 | |
| class OSC_Config(config.OpenStackConfig):
 | |
| 
 | |
|     # TODO(dtroyer): Once os-client-config with pw_func argument is in
 | |
|     #                global-requirements we can remove __init()__
 | |
|     def __init__(
 | |
|         self,
 | |
|         config_files=None,
 | |
|         vendor_files=None,
 | |
|         override_defaults=None,
 | |
|         force_ipv4=None,
 | |
|         envvar_prefix=None,
 | |
|         secure_files=None,
 | |
|         pw_func=None,
 | |
|     ):
 | |
|         ret = super(OSC_Config, self).__init__(
 | |
|             config_files=config_files,
 | |
|             vendor_files=vendor_files,
 | |
|             override_defaults=override_defaults,
 | |
|             force_ipv4=force_ipv4,
 | |
|             envvar_prefix=envvar_prefix,
 | |
|             secure_files=secure_files,
 | |
|         )
 | |
| 
 | |
|         # NOTE(dtroyer): This will be pushed down into os-client-config
 | |
|         #                The default is there is no callback, the calling
 | |
|         #                application must specify what to use, typically
 | |
|         #                it will be osc_lib.shell.prompt_for_password()
 | |
|         if '_pw_callback' not in vars(self):
 | |
|             # Set the default if it doesn't already exist
 | |
|             self._pw_callback = None
 | |
|         if pw_func is not None:
 | |
|             # Set the passed in value
 | |
|             self._pw_callback = pw_func
 | |
| 
 | |
|         return ret
 | |
| 
 | |
|     def _auth_select_default_plugin(self, config):
 | |
|         """Select a default plugin based on supplied arguments
 | |
| 
 | |
|         Migrated from auth.select_auth_plugin()
 | |
|         """
 | |
| 
 | |
|         identity_version = config.get('identity_api_version', '')
 | |
| 
 | |
|         if config.get('username', None) and not config.get('auth_type', None):
 | |
|             if identity_version == '3':
 | |
|                 config['auth_type'] = 'v3password'
 | |
|             elif identity_version.startswith('2'):
 | |
|                 config['auth_type'] = 'v2password'
 | |
|             else:
 | |
|                 # let keystoneauth figure it out itself
 | |
|                 config['auth_type'] = 'password'
 | |
|         elif config.get('token', None) and not config.get('auth_type', None):
 | |
|             if identity_version == '3':
 | |
|                 config['auth_type'] = 'v3token'
 | |
|             elif identity_version.startswith('2'):
 | |
|                 config['auth_type'] = 'v2token'
 | |
|             else:
 | |
|                 # let keystoneauth figure it out itself
 | |
|                 config['auth_type'] = 'token'
 | |
|         else:
 | |
|             # The ultimate default is similar to the original behaviour,
 | |
|             # but this time with version discovery
 | |
|             if not config.get('auth_type', None):
 | |
|                 config['auth_type'] = 'password'
 | |
| 
 | |
|         LOG.debug("Auth plugin %s selected" % config['auth_type'])
 | |
|         return config
 | |
| 
 | |
|     def _auth_v2_arguments(self, config):
 | |
|         """Set up v2-required arguments from v3 info
 | |
| 
 | |
|         Migrated from auth.build_auth_params()
 | |
|         """
 | |
| 
 | |
|         if ('auth_type' in config and config['auth_type'].startswith("v2")):
 | |
|             if 'project_id' in config['auth']:
 | |
|                 config['auth']['tenant_id'] = config['auth']['project_id']
 | |
|             if 'project_name' in config['auth']:
 | |
|                 config['auth']['tenant_name'] = config['auth']['project_name']
 | |
|         return config
 | |
| 
 | |
|     def _auth_v2_ignore_v3(self, config):
 | |
|         """Remove v3 arguemnts if present for v2 plugin
 | |
| 
 | |
|         Migrated from clientmanager.setup_auth()
 | |
|         """
 | |
| 
 | |
|         # NOTE(hieulq): If USER_DOMAIN_NAME, USER_DOMAIN_ID, PROJECT_DOMAIN_ID
 | |
|         # or PROJECT_DOMAIN_NAME is present and API_VERSION is 2.0, then
 | |
|         # ignore all domain related configs.
 | |
|         if (config.get('identity_api_version', '').startswith('2') and
 | |
|                 config.get('auth_type', None).endswith('password')):
 | |
|             domain_props = [
 | |
|                 'project_domain_id',
 | |
|                 'project_domain_name',
 | |
|                 'user_domain_id',
 | |
|                 'user_domain_name',
 | |
|             ]
 | |
|             for prop in domain_props:
 | |
|                 if config['auth'].pop(prop, None) is not None:
 | |
|                     LOG.warning("Ignoring domain related config " +
 | |
|                                 prop + " because identity API version is 2.0")
 | |
|         return config
 | |
| 
 | |
|     def _auth_default_domain(self, config):
 | |
|         """Set a default domain from available arguments
 | |
| 
 | |
|         Migrated from clientmanager.setup_auth()
 | |
|         """
 | |
| 
 | |
|         identity_version = config.get('identity_api_version', '')
 | |
|         auth_type = config.get('auth_type', None)
 | |
| 
 | |
|         # TODO(mordred): This is a usability improvement that's broadly useful
 | |
|         # We should port it back up into os-client-config.
 | |
|         default_domain = config.get('default_domain', None)
 | |
|         if (identity_version == '3' and
 | |
|                 not auth_type.startswith('v2') and
 | |
|                 default_domain):
 | |
| 
 | |
|             # NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is
 | |
|             # present, then do not change the behaviour. Otherwise, set the
 | |
|             # PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
 | |
|             if (
 | |
|                     auth_type in ("password", "v3password", "v3totp") and
 | |
|                     not config['auth'].get('project_domain_id') and
 | |
|                     not config['auth'].get('project_domain_name')
 | |
|             ):
 | |
|                 config['auth']['project_domain_id'] = default_domain
 | |
| 
 | |
|             # NOTE(stevemar): If USER_DOMAIN_ID or USER_DOMAIN_NAME is present,
 | |
|             # then do not change the behaviour. Otherwise, set the
 | |
|             # USER_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
 | |
|             # NOTE(aloga): this should only be set if there is a username.
 | |
|             # TODO(dtroyer): Move this to os-client-config after the plugin has
 | |
|             # been loaded so we can check directly if the options are accepted.
 | |
|             if (
 | |
|                     auth_type in ("password", "v3password", "v3totp") and
 | |
|                     not config['auth'].get('user_domain_id') and
 | |
|                     not config['auth'].get('user_domain_name')
 | |
|             ):
 | |
|                 config['auth']['user_domain_id'] = default_domain
 | |
|         return config
 | |
| 
 | |
|     def auth_config_hook(self, config):
 | |
|         """Allow examination of config values before loading auth plugin
 | |
| 
 | |
|         OpenStackClient will override this to perform additional chacks
 | |
|         on auth_type.
 | |
|         """
 | |
| 
 | |
|         config = self._auth_select_default_plugin(config)
 | |
|         config = self._auth_v2_arguments(config)
 | |
|         config = self._auth_v2_ignore_v3(config)
 | |
|         config = self._auth_default_domain(config)
 | |
| 
 | |
|         if LOG.isEnabledFor(logging.DEBUG):
 | |
|             LOG.debug("auth_config_hook(): %s",
 | |
|                       strutils.mask_password(six.text_type(config)))
 | |
|         return config
 | |
| 
 | |
|     def load_auth_plugin(self, config):
 | |
|         """Get auth plugin and validate args"""
 | |
| 
 | |
|         loader = self._get_auth_loader(config)
 | |
|         config = self._validate_auth(config, loader)
 | |
|         auth_plugin = loader.load_from_options(**config['auth'])
 | |
|         return auth_plugin
 | |
| 
 | |
|     def _validate_auth_ksc(self, config, cloud, fixed_argparse=None):
 | |
|         """Old compatibility hack for OSC, no longer needed/wanted"""
 | |
|         return config
 | |
| 
 | |
|     def _validate_auth(self, config, loader, fixed_argparse=None):
 | |
|         """Validate auth plugin arguments"""
 | |
|         # May throw a keystoneauth1.exceptions.NoMatchingPlugin
 | |
| 
 | |
|         plugin_options = loader.get_options()
 | |
| 
 | |
|         msgs = []
 | |
|         prompt_options = []
 | |
|         for p_opt in plugin_options:
 | |
|             # if it's in config, win, move it and kill it from config dict
 | |
|             # if it's in config.auth but not in config we're good
 | |
|             # deprecated loses to current
 | |
|             # provided beats default, deprecated or not
 | |
|             winning_value = self._find_winning_auth_value(p_opt, config)
 | |
|             if not winning_value:
 | |
|                 winning_value = self._find_winning_auth_value(
 | |
|                     p_opt, config['auth'])
 | |
| 
 | |
|             # if the plugin tells us that this value is required
 | |
|             # then error if it's doesn't exist now
 | |
|             if not winning_value and p_opt.required:
 | |
|                 msgs.append(
 | |
|                     'Missing value {auth_key}'
 | |
|                     ' required for auth plugin {plugin}'.format(
 | |
|                         auth_key=p_opt.name, plugin=config.get('auth_type'),
 | |
|                     )
 | |
|                 )
 | |
| 
 | |
|             # Clean up after ourselves
 | |
|             for opt in [p_opt.name] + [o.name for o in p_opt.deprecated]:
 | |
|                 opt = opt.replace('-', '_')
 | |
|                 config.pop(opt, None)
 | |
|                 config['auth'].pop(opt, None)
 | |
| 
 | |
|             if winning_value:
 | |
|                 # Prefer the plugin configuration dest value if the value's key
 | |
|                 # is marked as depreciated.
 | |
|                 if p_opt.dest is None:
 | |
|                     config['auth'][p_opt.name.replace('-', '_')] = (
 | |
|                         winning_value)
 | |
|                 else:
 | |
|                     config['auth'][p_opt.dest] = winning_value
 | |
| 
 | |
|             # See if this needs a prompting
 | |
|             if (
 | |
|                     'prompt' in vars(p_opt) and
 | |
|                     p_opt.prompt is not None and
 | |
|                     p_opt.dest not in config['auth'] and
 | |
|                     self._pw_callback is not None
 | |
|             ):
 | |
|                 # Defer these until we know all required opts are present
 | |
|                 prompt_options.append(p_opt)
 | |
| 
 | |
|         if msgs:
 | |
|             raise occ_exceptions.OpenStackConfigException('\n'.join(msgs))
 | |
|         else:
 | |
|             for p_opt in prompt_options:
 | |
|                 config['auth'][p_opt.dest] = self._pw_callback(p_opt.prompt)
 | |
| 
 | |
|         return config
 |