Hot-keys on this page

r m x p   toggle line displays

j k   next/prev highlighted chunk

0   (zero) top of page

1   (one) first highlighted chunk

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

# vim: tabstop=4 shiftwidth=4 softtabstop=4 

 

# Copyright 2013 OpenStack LLC 

# 

# Licensed under the Apache License, Version 2.0 (the "License"); you may 

# not use this file except in compliance with the License. You may obtain 

# a copy of the License at 

# 

#      http://www.apache.org/licenses/LICENSE-2.0 

# 

# Unless required by applicable law or agreed to in writing, software 

# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 

# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 

# License for the specific language governing permissions and limitations 

# under the License. 

 

from keystone import auth 

from keystone.common import logging 

from keystone import exception 

from keystone import identity 

 

 

METHOD_NAME = 'password' 

 

LOG = logging.getLogger(__name__) 

 

 

class UserAuthInfo(object): 

    def __init__(self, context, auth_payload): 

        self.identity_api = identity.Manager() 

        self.context = context 

        self.user_id = None 

        self.password = None 

        self.user_ref = None 

        self._validate_and_normalize_auth_data(auth_payload) 

 

    def _assert_domain_is_enabled(self, domain_ref): 

        if not domain_ref.get('enabled'): 

            msg = _('Domain is disabled: %s') % (domain_ref['id']) 

            LOG.warning(msg) 

            raise exception.Unauthorized(msg) 

 

    def _assert_user_is_enabled(self, user_ref): 

45        if not user_ref.get('enabled', True): 

            msg = _('User is disabled: %s') % (user_ref['id']) 

            LOG.warning(msg) 

            raise exception.Unauthorized(msg) 

 

    def _lookup_domain(self, domain_info): 

        domain_id = domain_info.get('id') 

        domain_name = domain_info.get('name') 

        domain_ref = None 

54        if not domain_id and not domain_name: 

            raise exception.ValidationError(attribute='id or name', 

                                            target='domain') 

        try: 

            if domain_name: 

                domain_ref = self.identity_api.get_domain_by_name( 

                    context=self.context, domain_name=domain_name) 

            else: 

                domain_ref = self.identity_api.get_domain( 

                    context=self.context, domain_id=domain_id) 

        except exception.DomainNotFound as e: 

            LOG.exception(e) 

            raise exception.Unauthorized(e) 

        self._assert_domain_is_enabled(domain_ref) 

        return domain_ref 

 

    def _validate_and_normalize_auth_data(self, auth_payload): 

71        if 'user' not in auth_payload: 

            raise exception.ValidationError(attribute='user', 

                                            target=METHOD_NAME) 

        user_info = auth_payload['user'] 

        user_id = user_info.get('id') 

        user_name = user_info.get('name') 

        user_ref = None 

78        if not user_id and not user_name: 

            raise exception.ValidationError(attribute='id or name', 

                                            target='user') 

        self.password = user_info.get('password', None) 

        try: 

            if user_name: 

84                if 'domain' not in user_info: 

                    raise exception.ValidationError(attribute='domain', 

                                                    target='user') 

                domain_ref = self._lookup_domain(user_info['domain']) 

                user_ref = self.identity_api.get_user_by_name( 

                    context=self.context, user_name=user_name, 

                    domain_id=domain_ref['id']) 

            else: 

                user_ref = self.identity_api.get_user( 

                    context=self.context, user_id=user_id) 

                domain_ref = self.identity_api.get_domain( 

                    context=self.context, domain_id=user_ref['domain_id']) 

                self._assert_domain_is_enabled(domain_ref) 

        except exception.UserNotFound as e: 

            LOG.exception(e) 

            raise exception.Unauthorized(e) 

        self._assert_user_is_enabled(user_ref) 

        self.user_ref = user_ref 

        self.user_id = user_ref['id'] 

 

 

class Password(auth.AuthMethodHandler): 

    def authenticate(self, context, auth_payload, user_context): 

        """Try to authenticate against the identity backend.""" 

        user_info = UserAuthInfo(context, auth_payload) 

 

        # FIXME(gyee): identity.authenticate() can use some refactoring since 

        # all we care is password matches 

        self.identity_api.authenticate( 

            context=context, 

            user_id=user_info.user_id, 

            password=user_info.password) 

exit        if 'user_id' not in user_context: 

            user_context['user_id'] = user_info.user_id