authorJenkins <jenkins@review.openstack.org>2013-06-05 00:13:54 +0000
committerGerrit Code Review <review@openstack.org>2013-06-05 00:13:54 +0000
commit99717a8fc8f5dc0f5cc310a8113ade5536657cfa (patch)
treeb1c4a596fa74412a0fbedd807d1df8f1de35b0af /keystone/identity
parente183b93481de61d909abb9569841bd553e1ea489 (diff)
parentdb0370d2d30de086e5b973e14cd6a8790a555ee9 (diff)
downloadkeystone-99717a8fc8f5dc0f5cc310a8113ade5536657cfa.tar.gz
keystone-99717a8fc8f5dc0f5cc310a8113ade5536657cfa.tar.xz
keystone-99717a8fc8f5dc0f5cc310a8113ade5536657cfa.zip
Merge "split authenticate call"
Diffstat (limited to 'keystone/identity')
-rw-r--r--keystone/identity/backends/kvs.py19
-rw-r--r--keystone/identity/backends/ldap/core.py16
-rw-r--r--keystone/identity/backends/pam.py22
-rw-r--r--keystone/identity/backends/sql.py18
-rw-r--r--keystone/identity/core.py21
5 files changed, 49 insertions, 47 deletions
diff --git a/keystone/identity/backends/kvs.py b/keystone/identity/backends/kvs.py
index 101ceb9e..339d2e75 100644
--- a/keystone/identity/backends/kvs.py
+++ b/keystone/identity/backends/kvs.py
@@ -23,29 +23,23 @@ from keystone import identity
class Identity(kvs.Base, identity.Driver):
# Public interface
- def authenticate(self, user_id=None, tenant_id=None, password=None):
- """Authenticate based on a user, tenant and password.
-
- Expects the user object to have a password field and the tenant to be
- in the list of tenants on the user.
-
- """
+ def authenticate_user(self, user_id=None, password=None):
user_ref = None
- tenant_ref = None
- metadata_ref = {}
-
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError('Invalid user / password')
-
if not utils.check_password(password, user_ref.get('password')):
raise AssertionError('Invalid user / password')
+ return user_ref
+ def authorize_for_project(self, user_ref, tenant_id=None):
+ user_id = user_ref['id']
+ tenant_ref = None
+ metadata_ref = {}
if tenant_id is not None:
if tenant_id not in self.get_projects_for_user(user_id):
raise AssertionError('Invalid tenant')
-
try:
tenant_ref = self.get_project(tenant_id)
metadata_ref = self.get_metadata(user_id, tenant_id)
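Review bot: `authenticate_user` returns the stored `user_ref` unfiltered, so the `password` field that was just checked goes back to the caller; `identity.filter_user` is applied only on the last line of `authorize_for_project`, which lies in the next hunk. Any caller that uses `authenticate_user` on its own therefore handles the stored credential, assuming `filter_user` is what strips it. Suggest `return identity.filter_user(user_ref)` here, since `authorize_for_project` reads only `user_ref['id']` before filtering again. The sql hunk's `return user_ref` has the same shape; whether the ldap ref carries a password is not visible from this diff.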
@@ -54,7 +48,6 @@ class Identity(kvs.Base, identity.Driver):
metadata_ref = {}
except exception.MetadataNotFound:
metadata_ref = {}
-
return (identity.filter_user(user_ref), tenant_ref, metadata_ref)
def get_project(self, tenant_id):
diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 65330149..4493e49c 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -95,20 +95,12 @@ class Identity(identity.Driver):
raise ValueError(_('Expected dict or list: %s') % type(ref))
# Identity interface
- def authenticate(self, user_id=None, tenant_id=None, password=None):
- """Authenticate based on a user, tenant and password.
-
- Expects the user object to have a password field and the tenant to be
- in the list of tenants on the user.
- """
- tenant_ref = None
- metadata_ref = {}
+ def authenticate_user(self, user_id=None, password=None):
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError('Invalid user / password')
-
try:
conn = self.user.get_connection(self.user._id_to_dn(user_id),
password)
@@ -116,6 +108,12 @@ class Identity(identity.Driver):
raise AssertionError('Invalid user / password')
except Exception:
raise AssertionError('Invalid user / password')
+ return user_ref
+
+ def authorize_for_project(self, user_ref, tenant_id=None):
+ user_id = user_ref['id']
+ tenant_ref = None
+ metadata_ref = {}
if tenant_id is not None:
if tenant_id not in self.get_projects_for_user(user_id):
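Review bot: Neither `authenticate_user` nor `authorize_for_project` has a docstring, although the removed `authenticate` had one; the same holds in the kvs, pam and sql hunks. For `authenticate_user` I would add `"""Verify the password for user_id and return the user ref; raises AssertionError on failure."""`. For `authorize_for_project`, the docstring should say that it checks project membership only and performs no credential check, so `user_ref` must come from a successful `authenticate_user` call. The body of `authorize_for_project` continues past the end of this hunk.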
diff --git a/keystone/identity/backends/pam.py b/keystone/identity/backends/pam.py
index 1a312a27..9c4bbf38 100644
--- a/keystone/identity/backends/pam.py
+++ b/keystone/identity/backends/pam.py
@@ -58,18 +58,20 @@ class PamIdentity(identity.Driver):
Tenant is always the same as User, root user has admin role.
"""
- def authenticate(self, user_id, tenant_id, password):
+ def authenticate_user(self, user_id=None, password=None):
auth = pam.authenticate if pam else PAM_authenticate
- if auth(user_id, password):
- metadata = {}
- if user_id == 'root':
- metadata['is_admin'] = True
+ if not auth(user_id, password):
+ raise AssertionError('Invalid user / password')
+ user = {'id': user_id, 'name': user_id}
+ return user
- tenant = {'id': user_id, 'name': user_id}
-
- user = {'id': user_id, 'name': user_id}
-
- return (user, tenant, metadata)
+ def authorize_for_project(self, user_ref, tenant_id=None):
+ user_id = user_ref['id']
+ metadata = {}
+ if user_id == 'root':
+ metadata['is_admin'] = True
+ tenant = {'id': user_id, 'name': user_id}
+ return (user_ref, tenant, metadata)
def get_project(self, tenant_id):
return {'id': tenant_id, 'name': tenant_id}
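Review bot: `authorize_for_project` never reads `tenant_id`, so a request for any project returns a tuple scoped to the tenant named after the user, where the kvs and ldap backends raise `AssertionError('Invalid tenant')` for a project the user is not in. The removed `authenticate` ignored it too, and the class docstring says the tenant is always the user, so this may be intended. An explicit check would still make that contract visible: `if tenant_id is not None and tenant_id != user_id: raise AssertionError('Invalid tenant')`. The `is_admin` flag also still depends on the literal name `'root'`, which deserves a one-line comment.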
diff --git a/keystone/identity/backends/sql.py b/keystone/identity/backends/sql.py
index 71cab057..41285579 100644
--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
@@ -156,27 +156,21 @@ class Identity(sql.Base, identity.Driver):
return utils.check_password(password, user_ref.password)
# Identity interface
- def authenticate(self, user_id=None, tenant_id=None, password=None):
- """Authenticate based on a user, tenant and password.
-
- Expects the user object to have a password field and the tenant to be
- in the list of tenants on the user.
-
- """
+ def authenticate_user(self, user_id=None, password=None):
session = self.get_session()
-
user_ref = None
- tenant_ref = None
- metadata_ref = {}
-
try:
user_ref = self._get_user(session, user_id)
except exception.UserNotFound:
raise AssertionError('Invalid user / password')
-
if not self._check_password(password, user_ref):
raise AssertionError('Invalid user / password')
+ return user_ref
+ def authorize_for_project(self, user_ref, tenant_id=None):
+ user_id = user_ref['id']
+ tenant_ref = None
+ metadata_ref = {}
if tenant_id is not None:
# FIXME(gyee): this should really be
# get_roles_for_user_and_project() after the dusts settle
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index fde7ac8d..6f30c744 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -62,6 +62,16 @@ class Manager(manager.Manager):
def __init__(self):
super(Manager, self).__init__(CONF.identity.driver)
+ def authenticate(self, context, user_id=None,
+ tenant_id=None, password=None):
+ """Authenticate a given user and password and
+ authorize them for a tenant.
+ :returns: (user_ref, tenant_ref, metadata_ref)
+ :raises: AssertionError
+ """
+ user_ref = self.driver.authenticate_user(user_id, password)
+ return self.driver.authorize_for_project(user_ref, tenant_id)
+
def create_user(self, context, user_id, user_ref):
user = user_ref.copy()
if 'enabled' not in user:
@@ -86,12 +96,17 @@ class Manager(manager.Manager):
class Driver(object):
"""Interface description for an Identity driver."""
- def authenticate(self, user_id=None, tenant_id=None, password=None):
- """Authenticate a given user, tenant and password.
+ def authenticate_user(self, user_id, password):
+ """Authenticate a given user and password.
+ :returns: user_ref
+ :raises: AssertionError
+ """
+ raise exception.NotImplemented()
+ def authorize_for_project(self, tenant_id, user_ref):
+ """Authenticate a given user for a tenant.
:returns: (user_ref, tenant_ref, metadata_ref)
:raises: AssertionError
-
"""
raise exception.NotImplemented()
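Review bot: The interface declares `authorize_for_project(self, tenant_id, user_ref)`, but `Manager.authenticate` calls `self.driver.authorize_for_project(user_ref, tenant_id)` and every backend in this commit defines `(self, user_ref, tenant_id=None)`. A driver written from this signature would receive the user ref as the tenant id and run its membership check on the wrong values. Suggest `def authorize_for_project(self, user_ref, tenant_id=None):` and `def authenticate_user(self, user_id=None, password=None):` so the interface matches the backends. The docstring should open with `"""Authorize a given user for a tenant.`, since no credential is checked in this method.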