Add support to ExternalJWT Auth for external user linking

2016-10-27 15:34:03 -04:00 · 2016-10-27 15:34:03 -04:00 · fbb524e34e
commit fbb524e34e
parent f9ee8d2bef
5 changed files with 268 additions and 41 deletions
--- a/util/config/validator.py
+++ b/util/config/validator.py
@ -372,6 +372,9 @@ def _validate_jwt(config, password):
    return

  verify_endpoint = config.get('JWT_VERIFY_ENDPOINT')
+  query_endpoint = config.get('JWT_QUERY_ENDPOINT', None)
+  getuser_endpoint = config.get('JWT_GETUSER_ENDPOINT', None)
+
  issuer = config.get('JWT_AUTH_ISSUER')

  if not verify_endpoint:
@ -382,7 +385,8 @@ def _validate_jwt(config, password):

  # Try to instatiate the JWT authentication mechanism. This will raise an exception if
  # the key cannot be found.
-  users = ExternalJWTAuthN(verify_endpoint, issuer, OVERRIDE_CONFIG_DIRECTORY,
+  users = ExternalJWTAuthN(verify_endpoint, query_endpoint, getuser_endpoint, issuer,
+                           OVERRIDE_CONFIG_DIRECTORY,
                           app.config['HTTPCLIENT'],
                           app.config.get('JWT_AUTH_MAX_FRESH_S', 300))

@ -392,7 +396,24 @@ def _validate_jwt(config, password):
  if not result:
    raise Exception(('Verification of superuser %s failed: %s. \n\nThe user either does not ' +
                     'exist in the remote authentication system ' +
-                     'OR JWT auth is misconfigured.') % (username, err_msg))
+                     'OR JWT auth is misconfigured') % (username, err_msg))
+
+  # If the query endpoint exists, ensure we can query to find the current user and that we can
+  # look up users directly.
+  if query_endpoint:
+    (results, err_msg) = users.query_users(username)
+    if not results:
+      err_msg = err_msg or ('Could not find users matching query: %s' % username)
+      raise Exception('Query endpoint is misconfigured or not returning proper users: %s' % err_msg)
+
+    # Make sure the get user endpoint is also configured.
+    if not getuser_endpoint:
+      raise Exception('The lookup user endpoint must be configured if the query endpoint is set')
+
+    (result, err_msg) = users.get_user(username)
+    if not result:
+      err_msg = err_msg or ('Could not find user %s' % username)
+      raise Exception('Lookup endpoint is misconfigured or not returning properly: %s' % err_msg)


 def _validate_keystone(config, password):