~ubuntu-branches/ubuntu/saucy/heat/saucy


Viewing changes to heat/common/auth_password.py

  • Committer: Package Import Robot
  • Author(s): Chuck Short, Chuck Short, Adam Gandelman
  • Date: 2013-09-08 21:51:19 UTC
  • mfrom: (1.1.4)
  • Revision ID: package-import@ubuntu.com-20130908215119-r939tu4aumqgdrkx
Tags: 2013.2~b3-0ubuntu1
[ Chuck Short ]
* New upstream release.
* debian/control: Add python-netaddr as build-dep.
* debian/heat-common.install: Remove heat-boto and associated man-page
* debian/heat-common.install: Remove heat-cfn and associated man-page
* debian/heat-common.install: Remove heat-watch and associated man-page
* debian/patches/fix-sqlalchemy-0.8.patch: Dropped

[ Adam Gandelman ]
* debian/patches/default-kombu.patch: Dropped.
* debian/patches/default-sqlite.patch: Refreshed.
* debian/*.install, rules: Install heat.conf.sample as common
  config file in heat-common. Drop other per-package configs, they
  are no longer used.
* debian/rules: Clean pbr .egg from build dir if it exists.

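--- a/heat/common/auth_password.py
+++ b/heat/common/auth_password.py
@@ -18,6 +18,7 @@
 from keystoneclient.v2_0 import client as keystone_client
 from keystoneclient import exceptions as keystone_exceptions
 from oslo.config import cfg
+from webob.exc import HTTPBadRequest
 from webob.exc import HTTPUnauthorized
 
 from heat.openstack.common import importutils
@@ -34,12 +35,15 @@
     def __init__(self, app, conf):
         self.app = app
         self.conf = conf
-        if 'auth_uri' in self.conf:
-            auth_url = self.conf['auth_uri']
-        else:
-            # Import auth_token to have keystone_authtoken settings setup.
-            importutils.import_module('keystoneclient.middleware.auth_token')
-            auth_url = cfg.CONF.keystone_authtoken['auth_uri']
+        auth_url = None
+        if not cfg.CONF.auth_password.multi_cloud:
+            if 'auth_uri' in self.conf:
+                auth_url = self.conf['auth_uri']
+            else:
+                # Import auth_token to have keystone_authtoken settings setup.
+                importutils.import_module(
+                    'keystoneclient.middleware.auth_token')
+                auth_url = cfg.CONF.keystone_authtoken['auth_uri']
         self.auth_url = auth_url
 
     def __call__(self, env, start_response):
@@ -48,28 +52,34 @@
         password = env.get('HTTP_X_AUTH_KEY')
         # Determine tenant id from path.
         tenant = env.get('PATH_INFO').split('/')[1]
+        auth_url = self.auth_url
+        if cfg.CONF.auth_password.multi_cloud:
+            auth_url = env.get('HTTP_X_AUTH_URL')
+            error = self._validate_auth_url(env, start_response, auth_url)
+            if error:
+                return error
         if not tenant:
-            return self._reject_request(env, start_response)
+            return self._reject_request(env, start_response, auth_url)
         try:
             client = keystone_client.Client(
                 username=username, password=password, tenant_id=tenant,
-                auth_url=self.auth_url)
+                auth_url=auth_url)
         except (keystone_exceptions.Unauthorized,
                 keystone_exceptions.Forbidden,
                 keystone_exceptions.NotFound,
                 keystone_exceptions.AuthorizationFailure):
-            return self._reject_request(env, start_response)
+            return self._reject_request(env, start_response, auth_url)
         env['keystone.token_info'] = client.auth_ref
-        env.update(self._build_user_headers(client.auth_ref))
+        env.update(self._build_user_headers(client.auth_ref, auth_url))
         return self.app(env, start_response)
 
-    def _reject_request(self, env, start_response):
+    def _reject_request(self, env, start_response, auth_url):
         """Redirect client to auth server."""
-        headers = [('WWW-Authenticate', 'Keystone uri=\'%s\'' % self.auth_url)]
+        headers = [('WWW-Authenticate', 'Keystone uri=\'%s\'' % auth_url)]
         resp = HTTPUnauthorized('Authentication required', headers)
         return resp(env, start_response)
 
-    def _build_user_headers(self, token_info):
+    def _build_user_headers(self, token_info, auth_url):
         """Build headers that represent authenticated user from auth token."""
         tenant_id = token_info['token']['tenant']['id']
         tenant_name = token_info['token']['tenant']['name']
@@ -89,7 +99,7 @@
             'HTTP_X_ROLES': roles,
             'HTTP_X_SERVICE_CATALOG': service_catalog,
             'HTTP_X_AUTH_TOKEN': auth_token,
-            'HTTP_X_AUTH_URL': self.auth_url,
+            'HTTP_X_AUTH_URL': auth_url,
             # DEPRECATED
             'HTTP_X_USER': user_name,
             'HTTP_X_TENANT_ID': tenant_id,
@@ -100,6 +110,20 @@
 
         return headers
 
+    def _validate_auth_url(self, env, start_response, auth_url):
+        """Validate auth_url to ensure it can be used."""
+        if not auth_url:
+            resp = HTTPBadRequest(_('Request missing required header '
+                                    'X-Auth-Url'))
+            return resp(env, start_response)
+        allowed = cfg.CONF.auth_password.allowed_auth_uris
+        if auth_url not in allowed:
+            resp = HTTPUnauthorized(_('Header X-Auth-Url "%s" not an allowed '
+                                      'endpoint')
+                                    % auth_url)
+            return resp(env, start_response)
+        return None
+
 
 def filter_factory(global_conf, **local_conf):
     """Returns a WSGI filter app for use with paste.deploy."""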