/usr/lib/python3/dist-packages/castellan/common/utils.py is in python3-castellan 0.17.0-0ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 | # Copyright (c) 2016 IBM
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""
Common utilities for Castellan.
"""
from castellan.common.credentials import keystone_password
from castellan.common.credentials import keystone_token
from castellan.common.credentials import password
from castellan.common.credentials import token
from castellan.common import exception
from oslo_config import cfg
from oslo_log import log as logging
LOG = logging.getLogger(__name__)
credential_opts = [
# auth_type opt
cfg.StrOpt('auth_type',
help="The type of authentication credential to create. "
"Possible values are 'token', 'password', 'keystone_token', "
"and 'keystone_password'. Required if no context is passed to "
"the credential factory."),
# token opt
cfg.StrOpt('token', secret=True,
help="Token for authentication. Required for 'token' and "
"'keystone_token' auth_type if no context is passed to the "
"credential factory."),
# password opts
cfg.StrOpt('username',
help="Username for authentication. Required for 'password' "
"auth_type. Optional for the 'keystone_password' auth_type."),
cfg.StrOpt('password', secret=True,
help="Password for authentication. Required for 'password' and "
"'keystone_password' auth_type."),
# keystone credential opts
cfg.StrOpt('auth_url',
help="Use this endpoint to connect to Keystone."),
cfg.StrOpt('user_id',
help="User ID for authentication. Optional for "
"'keystone_token' and 'keystone_password' auth_type."),
cfg.StrOpt('user_domain_id',
help="User's domain ID for authentication. Optional for "
"'keystone_token' and 'keystone_password' auth_type."),
cfg.StrOpt('user_domain_name',
help="User's domain name for authentication. Optional for "
"'keystone_token' and 'keystone_password' auth_type."),
cfg.StrOpt('trust_id',
help="Trust ID for trust scoping. Optional for "
"'keystone_token' and 'keystone_password' auth_type."),
cfg.StrOpt('domain_id',
help="Domain ID for domain scoping. Optional for "
"'keystone_token' and 'keystone_password' auth_type."),
cfg.StrOpt('domain_name',
help="Domain name for domain scoping. Optional for "
"'keystone_token' and 'keystone_password' auth_type."),
cfg.StrOpt('project_id',
help="Project ID for project scoping. Optional for "
"'keystone_token' and 'keystone_password' auth_type."),
cfg.StrOpt('project_name',
help="Project name for project scoping. Optional for "
"'keystone_token' and 'keystone_password' auth_type."),
cfg.StrOpt('project_domain_id',
help="Project's domain ID for project. Optional for "
"'keystone_token' and 'keystone_password' auth_type."),
cfg.StrOpt('project_domain_name',
help="Project's domain name for project. Optional for "
"'keystone_token' and 'keystone_password' auth_type."),
cfg.BoolOpt('reauthenticate', default=True,
help="Allow fetching a new token if the current one is "
"going to expire. Optional for 'keystone_token' and "
"'keystone_password' auth_type.")
]
OPT_GROUP = 'key_manager'
def credential_factory(conf=None, context=None):
"""This function provides a factory for credentials.
It is used to create an appropriare credential object
from a passed configuration. This should be called before
making any calls to a key manager.
:param conf: Configuration file which this factory method uses
to generate a credential object. Note: In the future it will
become a required field.
:param context: Context used for authentication. It can be used
in conjunction with the configuration file. If no conf is passed,
then the context object will be converted to a KeystoneToken and
returned. If a conf is passed then only the 'token' is grabbed from
the context for the authentication types that require a token.
:returns: A credential object used for authenticating with the
Castellan key manager. Type of credential returned depends on
config and/or context passed.
"""
if conf:
conf.register_opts(credential_opts, group=OPT_GROUP)
if conf.key_manager.auth_type == 'token':
if conf.key_manager.token:
auth_token = conf.key_manager.token
elif context:
auth_token = context.auth_token
else:
raise exception.InsufficientCredentialDataError()
return token.Token(auth_token)
elif conf.key_manager.auth_type == 'password':
return password.Password(
conf.key_manager.username,
conf.key_manager.password)
elif conf.key_manager.auth_type == 'keystone_password':
return keystone_password.KeystonePassword(
conf.key_manager.password,
auth_url=conf.key_manager.auth_url,
username=conf.key_manager.username,
user_id=conf.key_manager.user_id,
user_domain_id=conf.key_manager.user_domain_id,
user_domain_name=conf.key_manager.user_domain_name,
trust_id=conf.key_manager.trust_id,
domain_id=conf.key_manager.domain_id,
domain_name=conf.key_manager.domain_name,
project_id=conf.key_manager.project_id,
project_name=conf.key_manager.project_name,
project_domain_id=conf.key_manager.project_domain_id,
project_domain_name=conf.key_manager.project_domain_name,
reauthenticate=conf.key_manager.reauthenticate)
elif conf.key_manager.auth_type == 'keystone_token':
if conf.key_manager.token:
auth_token = conf.key_manager.token
elif context:
auth_token = context.auth_token
else:
raise exception.InsufficientCredentialDataError()
return keystone_token.KeystoneToken(
auth_token,
auth_url=conf.key_manager.auth_url,
trust_id=conf.key_manager.trust_id,
domain_id=conf.key_manager.domain_id,
domain_name=conf.key_manager.domain_name,
project_id=conf.key_manager.project_id,
project_name=conf.key_manager.project_name,
project_domain_id=conf.key_manager.project_domain_id,
project_domain_name=conf.key_manager.project_domain_name,
reauthenticate=conf.key_manager.reauthenticate)
else:
LOG.error("Invalid auth_type specified.")
raise exception.AuthTypeInvalidError(
type=conf.key_manager.auth_type)
# for compatibility between _TokenData and RequestContext
if hasattr(context, 'tenant') and context.tenant:
project_id = context.tenant
elif hasattr(context, 'project_id') and context.project_id:
project_id = context.project_id
return keystone_token.KeystoneToken(
context.auth_token,
project_id=project_id)
|