This repository has been archived on 2020-03-24. You can view files and clone it, but cannot push or open issues or pull requests.
quay/data/users/keystone.py
2019-11-12 11:09:47 -05:00

300 lines
13 KiB
Python

import logging
import os
from keystoneauth1.identity import v2 as keystone_v2_auth
from keystoneauth1.identity import v3 as keystone_v3_auth
from keystoneauth1 import session
from keystoneauth1.exceptions import ClientException
from keystoneclient.v2_0 import client as client_v2
from keystoneclient.v3 import client as client_v3
from keystoneclient.exceptions import AuthorizationFailure as KeystoneAuthorizationFailure
from keystoneclient.exceptions import Unauthorized as KeystoneUnauthorized
from keystoneclient.exceptions import NotFound as KeystoneNotFound
from data.users.federated import FederatedUsers, UserInformation
from util.itertoolrecipes import take
logger = logging.getLogger(__name__)
DEFAULT_TIMEOUT = 10 # seconds
def get_keystone_users(auth_version, auth_url, admin_username, admin_password, admin_tenant,
timeout=None, requires_email=True):
if auth_version == 3:
return KeystoneV3Users(auth_url, admin_username, admin_password, admin_tenant, timeout,
requires_email)
else:
return KeystoneV2Users(auth_url, admin_username, admin_password, admin_tenant, timeout,
requires_email)
class KeystoneV2Users(FederatedUsers):
""" Delegates authentication to OpenStack Keystone V2. """
def __init__(self, auth_url, admin_username, admin_password, admin_tenant, timeout=None,
requires_email=True):
super(KeystoneV2Users, self).__init__('keystone', requires_email)
self.auth_url = auth_url
self.admin_username = admin_username
self.admin_password = admin_password
self.admin_tenant = admin_tenant
self.timeout = timeout or DEFAULT_TIMEOUT
self.debug = os.environ.get('USERS_DEBUG') == '1'
self.requires_email = requires_email
def _get_client(self, username, password, tenant_name=None):
if tenant_name:
auth = keystone_v2_auth.Password(auth_url=self.auth_url,
username=username,
password=password,
tenant_name=tenant_name)
else:
auth = keystone_v2_auth.Password(auth_url=self.auth_url,
username=username,
password=password)
sess = session.Session(auth=auth)
client = client_v2.Client(session=sess,
timeout=self.timeout,
debug=self.debug)
return client, sess
def ping(self):
try:
_, sess = self._get_client(self.admin_username, self.admin_password, self.admin_tenant)
assert sess.get_user_id() # Make sure we loaded a valid user.
except KeystoneUnauthorized as kut:
logger.exception('Keystone unauthorized admin')
return (False, 'Keystone admin credentials are invalid: %s' % kut.message)
except ClientException as e:
logger.exception('Keystone unauthorized admin')
return (False, 'Keystone ping check failed: %s' % e.message)
return (True, None)
def at_least_one_user_exists(self):
logger.debug('Checking if any users exist in Keystone')
try:
keystone_client, _ = self._get_client(self.admin_username, self.admin_password,
self.admin_tenant)
user_list = keystone_client.users.list(tenant_id=self.admin_tenant, limit=1)
if len(user_list) < 1:
return (False, None)
return (True, None)
except ClientException as e:
# Catch exceptions to give the user our custom error message
logger.exception('Unable to list users in Keystone')
return (False, e.message)
def verify_credentials(self, username_or_email, password):
try:
_, sess = self._get_client(username_or_email, password)
user_id = sess.get_user_id()
except KeystoneAuthorizationFailure as kaf:
logger.exception('Keystone auth failure for user: %s', username_or_email)
return (None, 'Invalid username or password')
except KeystoneUnauthorized as kut:
logger.exception('Keystone unauthorized for user: %s', username_or_email)
return (None, 'Invalid username or password')
except ClientException as ex:
logger.exception('Keystone unauthorized for user: %s', username_or_email)
return (None, 'Invalid username or password')
if user_id is None:
return (None, 'Invalid username or password')
try:
admin_client, _ = self._get_client(self.admin_username, self.admin_password,
self.admin_tenant)
user = admin_client.users.get(user_id)
except KeystoneUnauthorized as kut:
logger.exception('Keystone unauthorized admin')
return (None, 'Keystone admin credentials are invalid: %s' % kut.message)
if self.requires_email and not hasattr(user, 'email'):
return (None, 'Missing email field for user %s' % user_id)
email = user.email if hasattr(user, 'email') else None
return (UserInformation(username=username_or_email, email=email, id=user_id), None)
def query_users(self, query, limit=20):
return (None, self.federated_service, 'Unsupported in Keystone V2')
def get_user(self, username_or_email):
return (None, 'Unsupported in Keystone V2')
class KeystoneV3Users(FederatedUsers):
""" Delegates authentication to OpenStack Keystone V3. """
def __init__(self, auth_url, admin_username, admin_password, admin_tenant, timeout=None,
requires_email=True, project_domain_id='default', user_domain_id='default'):
super(KeystoneV3Users, self).__init__('keystone', requires_email)
self.auth_url = auth_url
self.admin_username = admin_username
self.admin_password = admin_password
self.admin_tenant = admin_tenant
self.project_domain_id = project_domain_id
self.user_domain_id = user_domain_id
self.timeout = timeout or DEFAULT_TIMEOUT
self.debug = os.environ.get('USERS_DEBUG') == '1'
self.requires_email = requires_email
def _get_client(self, username, password, project_name=None):
if project_name:
auth = keystone_v3_auth.Password(auth_url=self.auth_url,
username=username,
password=password,
project_name=project_name,
project_domain_id=self.project_domain_id,
user_domain_id=self.user_domain_id)
else:
auth = keystone_v3_auth.Password(auth_url=self.auth_url,
username=username,
password=password,
user_domain_id=self.user_domain_id)
sess = session.Session(auth=auth)
client = client_v3.Client(session=sess,
timeout=self.timeout,
debug=self.debug)
return client, sess
def ping(self):
try:
_, sess = self._get_client(self.admin_username, self.admin_password)
assert sess.get_user_id() # Make sure we loaded a valid user.
except KeystoneUnauthorized as kut:
logger.exception('Keystone unauthorized admin')
return (False, 'Keystone admin credentials are invalid: %s' % kut.message)
except ClientException as cle:
logger.exception('Keystone unauthorized admin')
return (False, 'Keystone ping check failed: %s' % cle.message)
return (True, None)
def at_least_one_user_exists(self):
logger.debug('Checking if any users exist in admin tenant in Keystone')
try:
# Just make sure the admin can connect to the project.
self._get_client(self.admin_username, self.admin_password, self.admin_tenant)
return (True, None)
except ClientException as cle:
# Catch exceptions to give the user our custom error message
logger.exception('Unable to list users in Keystone')
return (False, cle.message)
def verify_credentials(self, username_or_email, password):
try:
keystone_client, sess = self._get_client(username_or_email, password)
user_id = sess.get_user_id()
assert user_id
keystone_client, sess = self._get_client(self.admin_username, self.admin_password,
self.admin_tenant)
user = keystone_client.users.get(user_id)
if self.requires_email and not hasattr(user, 'email'):
return (None, 'Missing email field for user %s' % user_id)
return (self._user_info(user), None)
except KeystoneAuthorizationFailure as kaf:
logger.exception('Keystone auth failure for user: %s', username_or_email)
return (None, 'Invalid username or password')
except KeystoneUnauthorized as kut:
logger.exception('Keystone unauthorized for user: %s', username_or_email)
return (None, 'Invalid username or password')
except ClientException as cle:
logger.exception('Keystone unauthorized for user: %s', username_or_email)
return (None, 'Invalid username or password')
def get_user(self, username_or_email):
users_found, _, err_msg = self.query_users(username_or_email)
if err_msg is not None:
return (None, err_msg)
if len(users_found) != 1:
return (None, 'Single user not found')
user = users_found[0]
if self.requires_email and not user.email:
return (None, 'Missing email field for user %s' % user.id)
return (user, None)
def check_group_lookup_args(self, group_lookup_args):
if not group_lookup_args.get('group_id'):
return (False, 'Missing group_id')
group_id = group_lookup_args['group_id']
return self._check_group(group_id)
def _check_group(self, group_id):
try:
admin_client, _ = self._get_client(self.admin_username, self.admin_password,
self.admin_tenant)
return (bool(admin_client.groups.get(group_id)), None)
except KeystoneNotFound:
return (False, 'Group not found')
except KeystoneAuthorizationFailure as kaf:
logger.exception('Keystone auth failure for admin user for group lookup %s', group_id)
return (False, kaf.message or 'Invalid admin username or password')
except KeystoneUnauthorized as kut:
logger.exception('Keystone unauthorized for admin user for group lookup %s', group_id)
return (False, kut.message or 'Invalid admin username or password')
except ClientException as cle:
logger.exception('Keystone unauthorized for admin user for group lookup %s', group_id)
return (False, cle.message or 'Invalid admin username or password')
def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
group_id = group_lookup_args['group_id']
(status, err) = self._check_group(group_id)
if not status:
return (None, err)
try:
admin_client, _ = self._get_client(self.admin_username, self.admin_password,
self.admin_tenant)
user_info_iterator = admin_client.users.list(group=group_id)
def iterator():
for user in user_info_iterator:
yield (self._user_info(user), None)
return (iterator(), None)
except KeystoneAuthorizationFailure as kaf:
logger.exception('Keystone auth failure for admin user for group lookup %s', group_id)
return (False, kaf.message or 'Invalid admin username or password')
except KeystoneUnauthorized as kut:
logger.exception('Keystone unauthorized for admin user for group lookup %s', group_id)
return (False, kut.message or 'Invalid admin username or password')
except ClientException as cle:
logger.exception('Keystone unauthorized for admin user for group lookup %s', group_id)
return (False, cle.message or 'Invalid admin username or password')
@staticmethod
def _user_info(user):
email = user.email if hasattr(user, 'email') else None
return UserInformation(user.name, email, user.id)
def query_users(self, query, limit=20):
if len(query) < 3:
return ([], self.federated_service, None)
try:
admin_client, _ = self._get_client(self.admin_username, self.admin_password,
self.admin_tenant)
found_users = list(take(limit, admin_client.users.list(name=query)))
logger.debug('For Keystone query %s found users: %s', query, found_users)
if not found_users:
return ([], self.federated_service, None)
return ([self._user_info(user) for user in found_users], self.federated_service, None)
except KeystoneAuthorizationFailure as kaf:
logger.exception('Keystone auth failure for admin user for query %s', query)
return (None, self.federated_service, kaf.message or 'Invalid admin username or password')
except KeystoneUnauthorized as kut:
logger.exception('Keystone unauthorized for admin user for query %s', query)
return (None, self.federated_service, kut.message or 'Invalid admin username or password')
except ClientException as cle:
logger.exception('Keystone unauthorized for admin user for query %s', query)
return (None, self.federated_service, cle.message or 'Invalid admin username or password')