quay/data/users/keystone.py

import logging

from keystoneclient.v2_0 import client as kclient
from keystoneclient.exceptions import AuthorizationFailure as KeystoneAuthorizationFailure
from keystoneclient.exceptions import Unauthorized as KeystoneUnauthorized
from data.users.federated import FederatedUsers, VerifiedCredentials

logger = logging.getLogger(__name__)

class KeystoneUsers(FederatedUsers):
  """ Delegates authentication to OpenStack Keystone. """
  def __init__(self, auth_url, admin_username, admin_password, admin_tenant):
    super(KeystoneUsers, self).__init__('keystone')
    self.auth_url = auth_url
    self.admin_username = admin_username
    self.admin_password = admin_password
    self.admin_tenant = admin_tenant

  def verify_credentials(self, username_or_email, password):
    try:
      keystone_client = kclient.Client(username=username_or_email, password=password,
                                       auth_url=self.auth_url)
      user_id = keystone_client.user_id
    except KeystoneAuthorizationFailure as kaf:
      logger.exception('Keystone auth failure for user: %s', username_or_email)
      return (None, kaf.message or 'Invalid username or password')
    except KeystoneUnauthorized as kut:
      logger.exception('Keystone unauthorized for user: %s', username_or_email)
      return (None, kut.message or 'Invalid username or password')

    try:
      admin_client = kclient.Client(username=self.admin_username, password=self.admin_password,
                                    tenant_name=self.admin_tenant, auth_url=self.auth_url)
      user = admin_client.users.get(user_id)
    except KeystoneUnauthorized as kut:
      logger.exception('Keystone unauthorized admin')
      return (None, 'Keystone admin credentials are invalid: %s' % kut.message)

    return (VerifiedCredentials(username=username_or_email, email=user.email), None)
Refactor the users class into their own files, add a common base class for federated users and add a `verify_credentials` method which only does the verification, without the linking. We use this in the superuser verification pass 2015-07-20 15:39:59 +00:00			`import logging`

			`from keystoneclient.v2_0 import client as kclient`
			`from keystoneclient.exceptions import AuthorizationFailure as KeystoneAuthorizationFailure`
			`from keystoneclient.exceptions import Unauthorized as KeystoneUnauthorized`
			`from data.users.federated import FederatedUsers, VerifiedCredentials`

			`logger = logging.getLogger(__name__)`

			`class KeystoneUsers(FederatedUsers):`
			`""" Delegates authentication to OpenStack Keystone. """`
			`def __init__(self, auth_url, admin_username, admin_password, admin_tenant):`
			`super(KeystoneUsers, self).__init__('keystone')`
			`self.auth_url = auth_url`
			`self.admin_username = admin_username`
			`self.admin_password = admin_password`
			`self.admin_tenant = admin_tenant`

			`def verify_credentials(self, username_or_email, password):`
			`try:`
			`keystone_client = kclient.Client(username=username_or_email, password=password,`
			`auth_url=self.auth_url)`
			`user_id = keystone_client.user_id`
			`except KeystoneAuthorizationFailure as kaf:`
			`logger.exception('Keystone auth failure for user: %s', username_or_email)`
			`return (None, kaf.message or 'Invalid username or password')`
			`except KeystoneUnauthorized as kut:`
			`logger.exception('Keystone unauthorized for user: %s', username_or_email)`
			`return (None, kut.message or 'Invalid username or password')`

			`try:`
			`admin_client = kclient.Client(username=self.admin_username, password=self.admin_password,`
			`tenant_name=self.admin_tenant, auth_url=self.auth_url)`
			`user = admin_client.users.get(user_id)`
			`except KeystoneUnauthorized as kut:`
			`logger.exception('Keystone unauthorized admin')`
			`return (None, 'Keystone admin credentials are invalid: %s' % kut.message)`

			`return (VerifiedCredentials(username=username_or_email, email=user.email), None)`