416 lines
17 KiB
Python
416 lines
17 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from positional import positional
|
|
|
|
from keystoneauth1 import _utils as utils
|
|
from keystoneauth1 import access
|
|
from keystoneauth1 import exceptions
|
|
from keystoneauth1.identity.v3 import federation
|
|
|
|
_logger = utils.get_logger(__name__)
|
|
|
|
__all__ = ('OidcAuthorizationCode',
|
|
'OidcPassword',
|
|
'OidcAccessToken')
|
|
|
|
|
|
class _OidcBase(federation.FederationBaseAuth):
|
|
"""Base class for different OpenID Connect based flows.
|
|
|
|
The OpenID Connect specification can be found at::
|
|
``http://openid.net/specs/openid-connect-core-1_0.html``
|
|
"""
|
|
|
|
def __init__(self, auth_url, identity_provider, protocol,
|
|
client_id, client_secret, grant_type,
|
|
access_token_type,
|
|
scope="openid profile",
|
|
access_token_endpoint=None,
|
|
discovery_endpoint=None, **kwargs):
|
|
"""The OpenID Connect plugin expects the following.
|
|
|
|
:param auth_url: URL of the Identity Service
|
|
:type auth_url: string
|
|
|
|
:param identity_provider: Name of the Identity Provider the client
|
|
will authenticate against
|
|
:type identity_provider: string
|
|
|
|
:param protocol: Protocol name as configured in keystone
|
|
:type protocol: string
|
|
|
|
:param client_id: OAuth 2.0 Client ID
|
|
:type client_id: string
|
|
|
|
:param client_secret: OAuth 2.0 Client Secret
|
|
:type client_secret: string
|
|
|
|
:param grant_type: OpenID Connect grant type, it represents the flow
|
|
that is used to talk to the OP. Valid values are:
|
|
"authorization_code", "refresh_token", or
|
|
"password". If a discovery document is being used,
|
|
this class will check if the provided value is
|
|
supported by the provider.
|
|
:type grant_type: string
|
|
|
|
:param access_token_type: OAuth 2.0 Authorization Server Introspection
|
|
token type, it is used to decide which type
|
|
of token will be used when processing token
|
|
introspection. Valid values are:
|
|
"access_token" or "id_token"
|
|
:type access_token_type: string
|
|
|
|
:param access_token_endpoint: OpenID Connect Provider Token Endpoint,
|
|
for example:
|
|
https://localhost:8020/oidc/OP/token
|
|
Note that if a discovery document is
|
|
provided this value will override
|
|
the discovered one.
|
|
:type access_token_endpoint: string
|
|
|
|
:param discovery_endpoint: OpenID Connect Discovery Document URL,
|
|
for example:
|
|
https://localhost:8020/oidc/.well-known/openid-configuration
|
|
:type access_token_endpoint: string
|
|
|
|
:param scope: OpenID Connect scope that is requested from OP,
|
|
for example: "openid profile email", defaults to
|
|
"openid profile". Note that OpenID Connect specification
|
|
states that "openid" must be always specified.
|
|
:type scope: string
|
|
"""
|
|
super(_OidcBase, self).__init__(auth_url, identity_provider, protocol,
|
|
**kwargs)
|
|
self.client_id = client_id
|
|
self.client_secret = client_secret
|
|
|
|
self.discovery_endpoint = discovery_endpoint
|
|
self._discovery_document = {}
|
|
self.access_token_endpoint = access_token_endpoint
|
|
|
|
self.access_token_type = access_token_type
|
|
self.scope = scope
|
|
|
|
self.grant_type = grant_type
|
|
|
|
def _get_discovery_document(self, session):
|
|
"""Get the contents of the OpenID Connect Discovery Document.
|
|
|
|
This method grabs the contents of the OpenID Connect Discovery Document
|
|
if a discovery_endpoint was passed to the constructor and returns it as
|
|
a dict, otherwise returns an empty dict. Note that it will fetch the
|
|
discovery document only once, so subsequent calls to this method will
|
|
return the cached result, if any.
|
|
|
|
:param session: a session object to send out HTTP requests.
|
|
:type session: keystoneauth1.session.Session
|
|
|
|
:returns: a python dictionary containing the discovery document if any,
|
|
otherwise it will return an empty dict.
|
|
:rtype: dict
|
|
"""
|
|
if (self.discovery_endpoint is not None and
|
|
not self._discovery_document):
|
|
try:
|
|
resp = session.get(self.discovery_endpoint,
|
|
authenticated=False)
|
|
except exceptions.HttpError:
|
|
_logger.error("Cannot fetch discovery document %(discovery)s" %
|
|
{"discovery": self.discovery_endpoint})
|
|
raise
|
|
|
|
try:
|
|
self._discovery_document = resp.json()
|
|
except Exception:
|
|
pass
|
|
|
|
if not self._discovery_document:
|
|
raise exceptions.InvalidOidcDiscoveryDocument()
|
|
|
|
return self._discovery_document
|
|
|
|
def _check_grant_type(self, session):
|
|
"""Check if the grant_type requested is supported by the server.
|
|
|
|
If a discovery_endpoint is provided and the discoverty document
|
|
advertises the supported grant types, this method will check if the
|
|
requested grant_type is supported by the server, raising an exception
|
|
otherwise.
|
|
|
|
:param session: a session object to send out HTTP requests.
|
|
:type session: keystoneauth1.session.Session
|
|
"""
|
|
discovery = self._get_discovery_document(session)
|
|
grant_types = discovery.get("grant_types_supported")
|
|
if (grant_types and
|
|
self.grant_type is not None and
|
|
self.grant_type not in grant_types):
|
|
raise exceptions.OidcPluginNotSupported()
|
|
|
|
def _get_access_token_endpoint(self, session):
|
|
"""Get the "token_endpoint" for the OpenID Connect flow.
|
|
|
|
This method will return the correct access token endpoint to be used.
|
|
If the user has explicitly passed an access_token_endpoint to the
|
|
constructor that will be returned. If there is no explicit endpoint and
|
|
a discovery url is provided, it will try to get it from the discovery
|
|
document. If nothing is found, an exception will be raised.
|
|
|
|
:param session: a session object to send out HTTP requests.
|
|
:type session: keystoneauth1.session.Session
|
|
|
|
:return: the endpoint to use
|
|
:rtype: string or None if no endpoint is found
|
|
"""
|
|
if self.access_token_endpoint is not None:
|
|
return self.access_token_endpoint
|
|
|
|
discovery = self._get_discovery_document(session)
|
|
endpoint = discovery.get("token_endpoint")
|
|
if endpoint is None:
|
|
raise exceptions.OidcAccessTokenEndpointNotFound()
|
|
return endpoint
|
|
|
|
def _get_access_token(self, session, payload):
|
|
"""Exchange a variety of user supplied values for an access token.
|
|
|
|
:param session: a session object to send out HTTP requests.
|
|
:type session: keystoneauth1.session.Session
|
|
|
|
:param payload: a dict containing various OpenID Connect values, for
|
|
example::
|
|
{'grant_type': 'password', 'username': self.username,
|
|
'password': self.password, 'scope': self.scope}
|
|
:type payload: dict
|
|
"""
|
|
client_auth = (self.client_id, self.client_secret)
|
|
access_token_endpoint = self._get_access_token_endpoint(session)
|
|
|
|
op_response = session.post(access_token_endpoint,
|
|
requests_auth=client_auth,
|
|
data=payload,
|
|
authenticated=False)
|
|
access_token = op_response.json()[self.access_token_type]
|
|
return access_token
|
|
|
|
def _get_keystone_token(self, session, access_token):
|
|
r"""Exchange an access token for a keystone token.
|
|
|
|
By Sending the access token in an `Authorization: Bearer` header, to
|
|
an OpenID Connect protected endpoint (Federated Token URL). The
|
|
OpenID Connect server will use the access token to look up information
|
|
about the authenticated user (this technique is called instrospection).
|
|
The output of the instrospection will be an OpenID Connect Claim, that
|
|
will be used against the mapping engine. Should the mapping engine
|
|
succeed, a Keystone token will be presented to the user.
|
|
|
|
:param session: a session object to send out HTTP requests.
|
|
:type session: keystoneauth1.session.Session
|
|
|
|
:param access_token: The OpenID Connect access token.
|
|
:type access_token: str
|
|
"""
|
|
# use access token against protected URL
|
|
headers = {'Authorization': 'Bearer ' + access_token}
|
|
auth_response = session.post(self.federated_token_url,
|
|
headers=headers,
|
|
authenticated=False)
|
|
return auth_response
|
|
|
|
|
|
class OidcPassword(_OidcBase):
|
|
"""Implementation for OpenID Connect Resource Owner Password Credential."""
|
|
|
|
@positional(4)
|
|
def __init__(self, auth_url, identity_provider, protocol,
|
|
client_id, client_secret,
|
|
access_token_endpoint=None,
|
|
discovery_endpoint=None,
|
|
grant_type='password', access_token_type='access_token',
|
|
username=None, password=None, **kwargs):
|
|
"""The OpenID Password plugin expects the following.
|
|
|
|
:param username: Username used to authenticate
|
|
:type username: string
|
|
|
|
:param password: Password used to authenticate
|
|
:type password: string
|
|
"""
|
|
super(OidcPassword, self).__init__(
|
|
auth_url=auth_url,
|
|
identity_provider=identity_provider,
|
|
protocol=protocol,
|
|
client_id=client_id,
|
|
client_secret=client_secret,
|
|
access_token_endpoint=access_token_endpoint,
|
|
discovery_endpoint=discovery_endpoint,
|
|
grant_type=grant_type,
|
|
access_token_type=access_token_type,
|
|
**kwargs)
|
|
self.username = username
|
|
self.password = password
|
|
|
|
def get_unscoped_auth_ref(self, session):
|
|
"""Authenticate with OpenID Connect and get back claims.
|
|
|
|
This is a multi-step process. First an access token must be retrieved,
|
|
to do this, the username and password, the OpenID Connect client ID
|
|
and secret, and the access token endpoint must be known.
|
|
|
|
Secondly, we then exchange the access token upon accessing the
|
|
protected Keystone endpoint (federated auth URL). This will trigger
|
|
the OpenID Connect Provider to perform a user introspection and
|
|
retrieve information (specified in the scope) about the user in
|
|
the form of an OpenID Connect Claim. These claims will be sent
|
|
to Keystone in the form of environment variables.
|
|
|
|
:param session: a session object to send out HTTP requests.
|
|
:type session: keystoneauth1.session.Session
|
|
|
|
:returns: a token data representation
|
|
:rtype: :py:class:`keystoneauth1.access.AccessInfoV3`
|
|
"""
|
|
# First of all, check if the grant type is supported
|
|
self._check_grant_type(session)
|
|
|
|
# get an access token
|
|
payload = {'grant_type': self.grant_type, 'username': self.username,
|
|
'password': self.password, 'scope': self.scope}
|
|
access_token = self._get_access_token(session, payload)
|
|
|
|
response = self._get_keystone_token(session, access_token)
|
|
|
|
# grab the unscoped token
|
|
return access.create(resp=response)
|
|
|
|
|
|
class OidcAuthorizationCode(_OidcBase):
|
|
"""Implementation for OpenID Connect Authorization Code."""
|
|
|
|
@positional(4)
|
|
def __init__(self, auth_url, identity_provider, protocol,
|
|
client_id, client_secret,
|
|
access_token_endpoint=None,
|
|
discovery_endpoint=None,
|
|
grant_type='authorization_code',
|
|
access_token_type='access_token',
|
|
redirect_uri=None, code=None, **kwargs):
|
|
"""The OpenID Authorization Code plugin expects the following.
|
|
|
|
:param redirect_uri: OpenID Connect Client Redirect URL
|
|
:type redirect_uri: string
|
|
|
|
:param code: OAuth 2.0 Authorization Code
|
|
:type code: string
|
|
|
|
"""
|
|
super(OidcAuthorizationCode, self).__init__(
|
|
auth_url=auth_url,
|
|
identity_provider=identity_provider,
|
|
protocol=protocol,
|
|
client_id=client_id,
|
|
client_secret=client_secret,
|
|
access_token_endpoint=access_token_endpoint,
|
|
discovery_endpoint=discovery_endpoint,
|
|
grant_type=grant_type,
|
|
access_token_type=access_token_type,
|
|
**kwargs)
|
|
self.redirect_uri = redirect_uri
|
|
self.code = code
|
|
|
|
def get_unscoped_auth_ref(self, session):
|
|
"""Authenticate with OpenID Connect and get back claims.
|
|
|
|
This is a multi-step process. First an access token must be retrieved,
|
|
to do this, an authorization code and redirect URL must be given.
|
|
|
|
Secondly, we then exchange the access token upon accessing the
|
|
protected Keystone endpoint (federated auth URL). This will trigger
|
|
the OpenID Connect Provider to perform a user introspection and
|
|
retrieve information (specified in the scope) about the user in
|
|
the form of an OpenID Connect Claim. These claims will be sent
|
|
to Keystone in the form of environment variables.
|
|
|
|
:param session: a session object to send out HTTP requests.
|
|
:type session: keystoneauth1.session.Session
|
|
|
|
:returns: a token data representation
|
|
:rtype: :py:class:`keystoneauth1.access.AccessInfoV3`
|
|
"""
|
|
# First of all, check if the grant type is supported
|
|
self._check_grant_type(session)
|
|
|
|
# get an access token
|
|
payload = {'grant_type': self.grant_type,
|
|
'redirect_uri': self.redirect_uri,
|
|
'code': self.code}
|
|
access_token = self._get_access_token(session, payload)
|
|
|
|
response = self._get_keystone_token(session, access_token)
|
|
|
|
# grab the unscoped token
|
|
return access.create(resp=response)
|
|
|
|
|
|
class OidcAccessToken(_OidcBase):
|
|
"""Implementation for OpenID Connect access token reuse."""
|
|
|
|
@positional(5)
|
|
def __init__(self, auth_url, identity_provider, protocol,
|
|
access_token, **kwargs):
|
|
"""The OpenID Connect plugin based on the Access Token.
|
|
|
|
It expects the following:
|
|
|
|
:param auth_url: URL of the Identity Service
|
|
:type auth_url: string
|
|
|
|
:param identity_provider: Name of the Identity Provider the client
|
|
will authenticate against
|
|
:type identity_provider: string
|
|
|
|
:param protocol: Protocol name as configured in keystone
|
|
:type protocol: string
|
|
|
|
:param access_token: OpenID Connect Access token
|
|
:type access_token: string
|
|
"""
|
|
super(OidcAccessToken, self).__init__(auth_url, identity_provider,
|
|
protocol,
|
|
client_id=None,
|
|
client_secret=None,
|
|
access_token_endpoint=None,
|
|
grant_type=None,
|
|
access_token_type=None,
|
|
**kwargs)
|
|
self.access_token = access_token
|
|
|
|
def get_unscoped_auth_ref(self, session):
|
|
"""Authenticate with OpenID Connect and get back claims.
|
|
|
|
We exchange the access token upon accessing the protected Keystone
|
|
endpoint (federated auth URL). This will trigger the OpenID Connect
|
|
Provider to perform a user introspection and retrieve information
|
|
(specified in the scope) about the user in the form of an OpenID
|
|
Connect Claim. These claims will be sent to Keystone in the form of
|
|
environment variables.
|
|
|
|
:param session: a session object to send out HTTP requests.
|
|
:type session: keystoneclient.session.Session
|
|
|
|
:returns: a token data representation
|
|
:rtype: :py:class:`keystoneauth1.access.AccessInfoV3`
|
|
"""
|
|
response = self._get_keystone_token(session, self.access_token)
|
|
return access.create(resp=response)
|