¡@
OpenStack Study: saml2.py**** CubicPower OpenStack Study ****
# Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from six.moves.urllib import parse from keystone import auth from keystone.common import dependency from keystone import config from keystone.contrib import federation from keystone.contrib.federation import utils from keystone import exception from keystone.openstack.common import jsonutils from keystone.openstack.common import log from keystone.openstack.common import timeutils CONF = config.CONF LOG = log.getLogger(__name__) @dependency.requires('federation_api', 'identity_api', 'token_api')
**** CubicPower OpenStack Study **** class Saml2(auth.AuthMethodHandler): method = 'saml2'
**** CubicPower OpenStack Study **** def authenticate(self, context, auth_payload, auth_context): """Authenticate federated user and return an authentication context. :param context: keystone's request context :param auth_payload: the content of the authentication for a given method :param auth_context: user authentication context, a dictionary shared by all plugins. In addition to ``user_id`` in ``auth_context``, the ``saml2`` plugin sets ``group_ids``. When handling unscoped tokens, ``OS-FEDERATION:identity_provider`` and ``OS-FEDERATION:protocol`` are set as well. """ if 'id' in auth_payload: fields = self._handle_scoped_token(auth_payload) else: fields = self._handle_unscoped_token(context, auth_payload) auth_context.update(fields)
**** CubicPower OpenStack Study **** def _handle_scoped_token(self, auth_payload): token_ref = self.token_api.get_token(auth_payload['id']) self._validate_expiration(token_ref) _federation = token_ref['user'][federation.FEDERATION] identity_provider = _federation['identity_provider']['id'] protocol = _federation['protocol']['id'] group_ids = [group['id'] for group in _federation['groups']] mapping = self.federation_api.get_mapping_from_idp_and_protocol( identity_provider, protocol) self._validate_groups(group_ids, mapping['id']) return { 'user_id': token_ref['user_id'], 'group_ids': group_ids }
**** CubicPower OpenStack Study **** def _handle_unscoped_token(self, context, auth_payload): assertion = dict(self._get_assertion_params_from_env(context)) identity_provider = auth_payload['identity_provider'] protocol = auth_payload['protocol'] mapping = self.federation_api.get_mapping_from_idp_and_protocol( identity_provider, protocol) rules = jsonutils.loads(mapping['rules']) rule_processor = utils.RuleProcessor(rules) mapped_properties = rule_processor.process(assertion) self._validate_groups(mapped_properties['group_ids'], mapping['id']) return { 'user_id': parse.quote(mapped_properties['name']), 'group_ids': mapped_properties['group_ids'], federation.IDENTITY_PROVIDER: identity_provider, federation.PROTOCOL: protocol }
**** CubicPower OpenStack Study **** def _validate_expiration(self, token_ref): if timeutils.utcnow() > token_ref['expires']: raise exception.Unauthorized(_('Federation token is expired'))
**** CubicPower OpenStack Study **** def _validate_groups(self, group_ids, mapping_id): if not group_ids: raise exception.MissingGroups(mapping_id=mapping_id) for group_id in group_ids: try: self.identity_api.get_group(group_id) except exception.GroupNotFound: raise exception.MappedGroupNotFound( group_id=group_id, mapping_id=mapping_id)
**** CubicPower OpenStack Study **** def _get_assertion_params_from_env(self, context): prefix = CONF.federation.assertion_prefix for k, v in context['environment'].items(): if k.startswith(prefix): yield (k, v)
|