Refactor the users class into their own files, add a common base class for federated users and add a verify_credentials method which only does the verification, without the linking. We use this in the superuser verification pass
This commit is contained in:
Joseph Schorr
parent
1245385808
commit
33b54218cc
13 changed files with 541 additions and 495 deletions
39
data/users/keystone.py
Normal file
39
data/users/keystone.py
Normal file
|
|
@ -0,0 +1,39 @@
|
|||
import logging
|
||||
|
||||
from keystoneclient.v2_0 import client as kclient
|
||||
from keystoneclient.exceptions import AuthorizationFailure as KeystoneAuthorizationFailure
|
||||
from keystoneclient.exceptions import Unauthorized as KeystoneUnauthorized
|
||||
from data.users.federated import FederatedUsers, VerifiedCredentials
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
class KeystoneUsers(FederatedUsers):
|
||||
""" Delegates authentication to OpenStack Keystone. """
|
||||
def __init__(self, auth_url, admin_username, admin_password, admin_tenant):
|
||||
super(KeystoneUsers, self).__init__('keystone')
|
||||
self.auth_url = auth_url
|
||||
self.admin_username = admin_username
|
||||
self.admin_password = admin_password
|
||||
self.admin_tenant = admin_tenant
|
||||
|
||||
def verify_credentials(self, username_or_email, password):
|
||||
try:
|
||||
keystone_client = kclient.Client(username=username_or_email, password=password,
|
||||
auth_url=self.auth_url)
|
||||
user_id = keystone_client.user_id
|
||||
except KeystoneAuthorizationFailure as kaf:
|
||||
logger.exception('Keystone auth failure for user: %s', username_or_email)
|
||||
return (None, kaf.message or 'Invalid username or password')
|
||||
except KeystoneUnauthorized as kut:
|
||||
logger.exception('Keystone unauthorized for user: %s', username_or_email)
|
||||
return (None, kut.message or 'Invalid username or password')
|
||||
|
||||
try:
|
||||
admin_client = kclient.Client(username=self.admin_username, password=self.admin_password,
|
||||
tenant_name=self.admin_tenant, auth_url=self.auth_url)
|
||||
user = admin_client.users.get(user_id)
|
||||
except KeystoneUnauthorized as kut:
|
||||
logger.exception('Keystone unauthorized admin')
|
||||
return (None, 'Keystone admin credentials are invalid: %s' % kut.message)
|
||||
|
||||
return (VerifiedCredentials(username=username_or_email, email=user.email), None)
|
||||
Reference in a new issue