import re
import pyrox.log as logging
import pyrox.filtering as filtering
from ConfigParser import ConfigParser
from keystoneclient.v2_0.client import Client as KeystoneClient
"""
This is a very rough example of what an authentication function might look like
Configuration Example
---------------------
[auth.openstack.keystone]
id_regex = /v1/service/([^/]+).*
service_tenant = tenant
service_user = user
password = password
keystone_url = http://127.0.0.1:35357/v2.0
"""
# Name of the request header that carries the Keystone token to validate.
X_AUTH_TOKEN = 'X-Auth-Token'
# Config section all settings for this filter are read from.
_CONFIG_KEY = 'auth.openstack.keystone'

# Parsed once at import time from a fixed path. ConfigParser.read() skips a
# missing file silently, so a missing config surfaces later as a
# NoSectionError/NoOptionError at the first .get() in the factory.
_CONFIG = ConfigParser()
_CONFIG.read("/etc/pyrox/keystone/keystone.conf")

_LOG = logging.get_logger(__name__)
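def keystone_token_validator():
    """
    Factory method for token validation filters.

    Reads the service credentials, the Keystone endpoint and the tenant-id
    regex from the ``[auth.openstack.keystone]`` section of the module-level
    ``_CONFIG`` and returns a ``KeystoneTokenValidationFilter`` bound to a
    ``KeystoneClient`` built from those settings.

    Raises the ``ConfigParser`` errors for a missing section or option, and
    ``re.error`` if ``id_regex`` is not a valid pattern.
    """
    service_user = _CONFIG.get(_CONFIG_KEY, 'service_user')
    service_tenant = _CONFIG.get(_CONFIG_KEY, 'service_tenant')
    # Service credential read from the on-disk config file; the file's
    # permissions are what protects it.
    password = _CONFIG.get(_CONFIG_KEY, 'password')
    auth_url = _CONFIG.get(_CONFIG_KEY, 'keystone_url')
    # Fix: this previously referenced an undefined name ``config`` and raised
    # NameError on the first call; the parser is the module-level ``_CONFIG``.
    id_regex = re.compile(
        _CONFIG.get(_CONFIG_KEY, 'id_regex'))
    keystone_client = KeystoneClient(
        username=service_user,
        password=password,
        tenant_name=service_tenant,
        auth_url=auth_url)
    return KeystoneTokenValidationFilter(id_regex, keystone_client)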
class KeystoneTokenValidationFilter(filtering.HttpFilter):
    """
    Request filter that validates the X-Auth-Token header against Keystone.

    The tenant the token must be scoped to is taken from the request URL via
    ``id_regex`` (first capture group). A request that lacks the header, does
    not match the regex, is not accepted by Keystone, or raises while being
    checked is rejected -- the filter fails closed.
    """

    def __init__(self, id_regex, keystone_client):
        # Compiled pattern whose group(1) yields the tenant id from the URL.
        self.id_regex = id_regex
        # Keystone client the token is checked with (built by the factory).
        self.client = keystone_client

    @filtering.handles_request_head
    def on_request_head(self, request_head):
        """
        Validate the request's token; pass the request on or reject it.

        Returns ``filtering.next()`` only when Keystone accepts the token for
        the tenant named in the URL, ``filtering.reject()`` otherwise.
        """
        header = request_head.get_header(X_AUTH_TOKEN)
        if not header or len(header.values) < 1:
            return filtering.reject()

        # ``match`` anchors at the start of the URL, so the configured pattern
        # has to describe the path from its first character.
        url_match = self.id_regex.match(request_head.url)
        if not url_match or len(url_match.groups()) < 1:
            return filtering.reject()

        tenant_id = url_match.group(1)
        try:
            # NOTE(review): authenticate() is invoked on the shared service
            # client. If the client library stores the resulting auth state on
            # the instance, the service credentials from the factory would be
            # replaced by each validated request's token -- confirm against
            # keystoneclient before using this client for service-side calls.
            accepted = self.client.authenticate(
                token=header.values[0],
                tenant_id=tenant_id)
            if accepted:
                return filtering.next()
        except Exception as ex:
            # Any failure while checking the token is logged and treated as a
            # rejection rather than letting the request through.
            _LOG.exception(ex)
        return filtering.reject()