vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Make email addresses optional in external auth if email feature is turned off

Browse source 
Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
This commit is contained in:
Joseph Schorr 2016-09-08 12:24:47 -04:00
parent 934cdecbd6
commit d7f56350a4
18 changed files with 206 additions and 93 deletions
Download patch file Download diff file Expand all files Collapse all files

39
data/users/keystone.py
View file

@ -18,23 +18,27 @@ def _take(n, iterable):
def get_keystone_users(auth_version, auth_url, admin_username, admin_password, admin_tenant,
timeout=None):
timeout=None, requires_email=True):
if auth_version == 3:
return KeystoneV3Users(auth_url, admin_username, admin_password, admin_tenant, timeout)
return KeystoneV3Users(auth_url, admin_username, admin_password, admin_tenant, timeout,
requires_email)
else:
return KeystoneV2Users(auth_url, admin_username, admin_password, admin_tenant, timeout)
return KeystoneV2Users(auth_url, admin_username, admin_password, admin_tenant, timeout,
requires_email)
class KeystoneV2Users(FederatedUsers):
""" Delegates authentication to OpenStack Keystone V2. """
def __init__(self, auth_url, admin_username, admin_password, admin_tenant, timeout=None):
super(KeystoneV2Users, self).__init__('keystone')
def __init__(self, auth_url, admin_username, admin_password, admin_tenant, timeout=None,
requires_email=True):
super(KeystoneV2Users, self).__init__('keystone', requires_email)
self.auth_url = auth_url
self.admin_username = admin_username
self.admin_password = admin_password
self.admin_tenant = admin_tenant
self.timeout = timeout or DEFAULT_TIMEOUT
self.debug = os.environ.get('USERS_DEBUG') == '1'
self.requires_email = requires_email
def verify_credentials(self, username_or_email, password):
try:
@ -58,7 +62,11 @@ class KeystoneV2Users(FederatedUsers):
logger.exception('Keystone unauthorized admin')
return (None, 'Keystone admin credentials are invalid: %s' % kut.message)
return (UserInformation(username=username_or_email, email=user.email, id=user_id), None)
if self.requires_email and not hasattr(user, 'email'):
return (None, 'Missing email field for user %s' % user_id)
email = user.email if hasattr(user, 'email') else None
return (UserInformation(username=username_or_email, email=email, id=user_id), None)
def query_users(self, query, limit=20):
return (None, 'Unsupported in Keystone V2')
@ -69,14 +77,16 @@ class KeystoneV2Users(FederatedUsers):
class KeystoneV3Users(FederatedUsers):
""" Delegates authentication to OpenStack Keystone V3. """
def __init__(self, auth_url, admin_username, admin_password, admin_tenant, timeout=None):
super(KeystoneV3Users, self).__init__('keystone')
def __init__(self, auth_url, admin_username, admin_password, admin_tenant, timeout=None,
requires_email=True):
super(KeystoneV3Users, self).__init__('keystone', requires_email)
self.auth_url = auth_url
self.admin_username = admin_username
self.admin_password = admin_password
self.admin_tenant = admin_tenant
self.timeout = timeout or DEFAULT_TIMEOUT
self.debug = os.environ.get('USERS_DEBUG') == '1'
self.requires_email = requires_email
def verify_credentials(self, username_or_email, password):
try:
@ -85,6 +95,10 @@ class KeystoneV3Users(FederatedUsers):
debug=self.debug)
user_id = keystone_client.user_id
user = keystone_client.users.get(user_id)
if self.requires_email and not hasattr(user, 'email'):
return (None, 'Missing email field for user %s' % user_id)
return (self._user_info(user), None)
except KeystoneAuthorizationFailure as kaf:
logger.exception('Keystone auth failure for user: %s', username_or_email)
@ -101,12 +115,15 @@ class KeystoneV3Users(FederatedUsers):
if len(users_found) != 1:
return (None, 'Single user not found')
return (users_found[0], None)
user = users_found[0]
if self.requires_email and not user.email:
return (None, 'Missing email field for user %s' % user.id)
return (user, None)
@staticmethod
def _user_info(user):
# Because Keystone uses defined attributes...
email = user.email if hasattr(user, 'email') else ''
email = user.email if hasattr(user, 'email') else None
return UserInformation(user.name, email, user.id)
def query_users(self, query, limit=20):