authorJamie Lennox <jlennox@redhat.com>2013-06-17 04:22:06 +0000
committerJamie Lennox <jamielennox@gmail.com>2013-07-17 15:37:14 +1000
commit2667c772a30c16ca147f8e38143b59ac53ec5b0c (patch)
treea0765296b56be440847fa856382f79eed216714f /keystone/auth
parent53a03b53e7541367c07df6d4f6739173330f5353 (diff)
Implement Token Binding.
Brings token binding to the keystone server. There are a number of places where the location or hardcoding of binding checks is not optimal; however, fixing them will require a proper authentication plugin scheme, so assume that they will be moved when that happens. DocImpact Implements: blueprint authentication-tied-to-token Change-Id: Ib34e5e0b6bd83837f6addbd45d4c5b828ce2f3bd
Diffstat (limited to 'keystone/auth')
-rw-r--r--keystone/auth/controllers.py2
-rw-r--r--keystone/auth/plugins/external.py7
-rw-r--r--keystone/auth/plugins/token.py2
3 files changed, 10 insertions, 1 deletions
diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index 6937c44d..d1bd764f 100644
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@@ -283,7 +283,7 @@ class Auth(controller.V3Controller):
try:
auth_info = AuthInfo(context, auth=auth)
- auth_context = {'extras': {}, 'method_names': []}
+ auth_context = {'extras': {}, 'method_names': [], 'bind': {}}
self.authenticate(context, auth_info, auth_context)
self._check_and_set_default_scoping(auth_info, auth_context)
(domain_id, project_id, trust) = auth_info.get_scope()
diff --git a/keystone/auth/plugins/external.py b/keystone/auth/plugins/external.py
index 3460ab92..67b11001 100644
--- a/keystone/auth/plugins/external.py
+++ b/keystone/auth/plugins/external.py
@@ -42,6 +42,9 @@ class ExternalDefault(object):
user_ref = auth_info.identity_api.get_user_by_name(username,
domain_id)
auth_context['user_id'] = user_ref['id']
+ if ('kerberos' in CONF.token.bind and
+ context.get('AUTH_TYPE', '').lower() == 'negotiate'):
+ auth_context['bind']['kerberos'] = username
except Exception:
msg = _('Unable to lookup user %s') % (REMOTE_USER)
raise exception.Unauthorized(msg)
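Review bot: The new bind assignment `auth_context['bind']['kerberos'] = username` sits inside the `try` whose `except Exception:` rewrites every failure as `Unable to lookup user`, so a missing `'bind'` key (the plugin relies on the caller having seeded it, as controllers.py now does) or a non-string `AUTH_TYPE` would be reported as a user-lookup failure and be hard to diagnose. Placing the three lines after the `except` block, or writing `auth_context.setdefault('bind', {})['kerberos'] = username`, keeps the `try` body limited to the lookup that can legitimately fail. The same block is duplicated verbatim in the ExternalDomain hunk below; a small module-level helper such as `_set_kerberos_bind(context, auth_context, username)` would keep the two in step, which matters given the commit message expects these checks to move later. A short comment would also help, e.g. `# Record a kerberos bind only when the request arrived with AUTH_TYPE 'negotiate' and the deployment enabled it via CONF.token.bind.` The enclosing method starts and ends outside the hunk.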
@@ -75,6 +78,10 @@ class ExternalDomain(object):
user_ref = auth_info.identity_api.get_user_by_name(username,
domain_id)
auth_context['user_id'] = user_ref['id']
+ if ('kerberos' in CONF.token.bind and
+ context.get('AUTH_TYPE', '').lower() == 'negotiate'):
+ auth_context['bind']['kerberos'] = username
+
except Exception:
msg = _('Unable to lookup user %s') % (REMOTE_USER)
raise exception.Unauthorized(msg)
diff --git a/keystone/auth/plugins/token.py b/keystone/auth/plugins/token.py
index e9982733..720eccac 100644
--- a/keystone/auth/plugins/token.py
+++ b/keystone/auth/plugins/token.py
@@ -16,6 +16,7 @@
from keystone import auth
from keystone.common import logging
+from keystone.common import wsgi
from keystone import exception
from keystone import token
@@ -36,6 +37,7 @@ class Token(auth.AuthMethodHandler):
target=METHOD_NAME)
token_id = auth_payload['id']
token_ref = self.token_api.get_token(token_id)
+ wsgi.validate_token_bind(context, token_ref)
user_context.setdefault(
'user_id', token_ref['token_data']['token']['user']['id'])
# to support Grizzly-3 to Grizzly-RC1 transition
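Review bot: The added `wsgi.validate_token_bind(context, token_ref)` carries no explanation of what it enforces or how a failure is signalled, and the name alone leaves a reader unsure whether a mismatch aborts the exchange; a comment such as `# Refuse to exchange a bound token unless this request satisfies the token's bind data (see wsgi.validate_token_bind for the failure mode).` would make the contract explicit once confirmed against that helper. Nothing in the visible lines copies the incoming token's bind information into `user_context['bind']`, so unless that happens further down the method a bound token could presumably be exchanged for an unbound one; that is worth confirming or documenting as the intended behaviour. The enclosing method body continues past the hunk.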