1
# vim: tabstop=4 shiftwidth=4 softtabstop=4
3
# Copyright 2010 OpenStack LLC.
6
# Licensed under the Apache License, Version 2.0 (the "License"); you may
7
# not use this file except in compliance with the License. You may obtain
8
# a copy of the License at
10
# http://www.apache.org/licenses/LICENSE-2.0
12
# Unless required by applicable law or agreed to in writing, software
13
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
14
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
15
# License for the specific language governing permissions and limitations
16
# under the License.import datetime
9
26
from nova import auth
27
from nova import context
10
28
from nova import db
11
29
from nova import flags
12
30
from nova import manager
13
31
from nova import utils
14
33
from nova.api.openstack import faults
16
35
FLAGS = flags.FLAGS
19
class Context(object):
23
class BasicApiAuthManager(object):
24
""" Implements a somewhat rudimentary version of OpenStack Auth"""
26
def __init__(self, db_driver=None):
38
class AuthMiddleware(wsgi.Middleware):
39
"""Authorize the openstack API request or return an HTTP Forbidden."""
41
def __init__(self, application, db_driver=None):
28
43
db_driver = FLAGS.db_driver
29
44
self.db = utils.import_object(db_driver)
30
45
self.auth = auth.manager.AuthManager()
31
self.context = Context()
32
super(BasicApiAuthManager, self).__init__()
46
super(AuthMiddleware, self).__init__(application)
49
def __call__(self, req):
50
if not self.has_authentication(req):
51
return self.authenticate(req)
53
user = self.get_user_by_authentication(req)
56
return faults.Fault(webob.exc.HTTPUnauthorized())
58
project = self.auth.get_project(FLAGS.default_project)
59
req.environ['nova.context'] = context.RequestContext(user, project)
60
return self.application
62
def has_authentication(self, req):
63
return 'X-Auth-Token' in req.headers
65
def get_user_by_authentication(self, req):
66
return self.authorize_token(req.headers["X-Auth-Token"])
34
68
def authenticate(self, req):
35
69
# Unless the request is explicitly made against /<version>/ don't
68
102
This method will also remove the token if the timestamp is older than
71
token = self.db.auth_get_token(self.context, token_hash)
105
ctxt = context.get_admin_context()
106
token = self.db.auth_get_token(ctxt, token_hash)
73
108
delta = datetime.datetime.now() - token.created_at
74
109
if delta.days >= 2:
75
self.db.auth_destroy_token(self.context, token)
110
self.db.auth_destroy_token(ctxt, token)
77
112
return self.auth.get_user(token.user_id)
84
119
key - string API key
85
120
req - webob.Request object
122
ctxt = context.get_admin_context()
87
123
user = self.auth.get_user_from_access_key(key)
88
124
if user and user.name == username:
89
125
token_hash = hashlib.sha1('%s%s%f' % (username, key,
95
131
token_dict['server_management_url'] = req.url
96
132
token_dict['storage_url'] = ''
97
133
token_dict['user_id'] = user.id
98
token = self.db.auth_create_token(self.context, token_dict)
134
token = self.db.auth_create_token(ctxt, token_dict)
99
135
return token, user
100
136
return None, None
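Review bot: The token created on the line `token_hash = hashlib.sha1('%s%s%f' % (username, key,` is derived only from the username, the API key and what looks like a float timestamp, so its unpredictability rests on that last value rather than on a random source, even though the database treats the resulting value as a bearer credential on every later request; generating it from the OS CSPRNG instead, e.g. `token_hash = hashlib.sha1(os.urandom(32)).hexdigest()` (needs `import os`) or `uuid.uuid4().hex`, keeps the `auth_get_token` lookup unchanged while removing the guessability. In `authorize_token`, `delta = datetime.datetime.now() - token.created_at` compares naive local time with the stored `created_at`; if the db layer stores UTC (likely for this codebase, not verifiable here) `datetime.datetime.utcnow()` avoids a timezone-dependent validity window, and `delta.days >= 2` truncates to whole days so a token created 47 hours ago is still accepted, which the docstring's "older than 2 days" should state precisely. The signature of the method that builds the token and the beginning of `authorize_token`'s docstring fall outside the visible lines.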