From 59b0ef0d8767aaaed7a7bedfa25dd5948e56515e Mon Sep 17 00:00:00 2001
From: Khaled Hussein
Date: Mon, 25 Apr 2011 23:51:30 +0000
Subject: modifide middleware; echo_client works
---
 keystone/auth_protocol/auth_protocol_token.py | 28 ++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/keystone/auth_protocol/auth_protocol_token.py b/keystone/auth_protocol/auth_protocol_token.py
index b365a2c0..0ba3561c 100644
--- a/keystone/auth_protocol/auth_protocol_token.py
+++ b/keystone/auth_protocol/auth_protocol_token.py
@@ -43,6 +43,7 @@ HTTP_X_STORAGE_TOKEN: the client token being passed in (legacy Rackspace use)
 """
+import httplib
 import json
 from webob.exc import HTTPUnauthorized, Request
@@ -73,6 +74,20 @@ class TokenAuth(object):
 self.delegated = int(conf.get('delegated', 0))
+ def get_admin_auth_token(self, username, password, tenant):
+ headers = {"Content-type": "application/json", "Accept": "text/json"}
+ params = {"passwordCredentials": {"username": username,
+ "password": password,
+ "tenantId": "1"}}
+ conn = httplib.HTTPConnection("localhost:8080")
+ conn.request("POST", "/v1.0/token", json.dumps(params), \
+ headers=headers)
+ response = conn.getresponse()
+ data = response.read()
+ ret = data
+ return ret
+
+
 def __call__(self, env, start_response):
 print "Handling a token-auth client call"
 def custom_start_response(status, headers):
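Review bot: `get_admin_auth_token` never uses its `tenant` parameter; the request body hard-codes `"tenantId": "1"`, so the signature promises a choice the caller does not get — the line should read `"tenantId": tenant}}`. The function also returns `response.read()` without examining `response.status`, so an error body from the auth service is handed back as though it were a token document, and the `httplib` connection is never closed, whereas the existing validation path in `__call__` calls `conn.close()`. Checking the status before returning and closing `conn` in a `try`/`finally` would make the helper safe to build on; the `ret = data` / `return ret` pair can simply be `return data`. The same function is touched again by the second commit's hunk at `@@ -75,11 +75,16 @@`, which adds a docstring but leaves these points unchanged.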
@@ -84,20 +99,23 @@ class TokenAuth(object):
 if token:
 # this request is claiming it has a valid token, let's check
 # with the auth service
+ auth = self.get_admin_auth_token("admin", "secrete", "1")
+ admin_token = json.loads(auth)["auth"]["token"]["id"]
+
 headers = {"Content-type": "application/json",
- "Accept": "text/json"}
+ "Accept": "text/json",
+ "X-Auth-Token": admin_token}
 conn = http_connect(self.auth_host, self.auth_port, 'GET', '/v1.0/token/%s' % token, headers=headers)
 resp = conn.getresponse()
 data = resp.read()
 conn.close()
- #path = 'http://%s:%s/v1.0/token/%s' % \
- # (self.auth_host, self.auth_port, token)
- #resp = Request.blank(path).get_response(self.app)
- #data = resp.body
 if not str(resp.status).startswith('20'):
 if self.delegated:
 env['HTTP_X_IDENTITY_STATUS'] = "Invalid"
+ else:
+ # Unauthorized token
+ return HTTPUnauthorized()(env, custom_start_response)
 else:
 dict_response = json.loads(data)
 user = dict_response['auth']['user']['username']
-- cgit
From c56f00effa3c2646b6881be39e94dd1e0559d44c Mon Sep 17 00:00:00 2001
From: Khaled Hussein
Date: Tue, 26 Apr 2011 00:51:11 +0000
Subject: replaced localhost with config
---
 keystone/auth_protocol/auth_protocol_token.py | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/keystone/auth_protocol/auth_protocol_token.py b/keystone/auth_protocol/auth_protocol_token.py
index 0ba3561c..5d33f84c 100644
--- a/keystone/auth_protocol/auth_protocol_token.py
+++ b/keystone/auth_protocol/auth_protocol_token.py
@@ -45,7 +45,7 @@ HTTP_X_STORAGE_TOKEN: the client token being passed in (legacy Rackspace use)
 import httplib
 import json
-from webob.exc import HTTPUnauthorized, Request
+from webob.exc import HTTPUnauthorized
 from keystone.common.bufferedhttp import http_connect_raw as http_connect
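Review bot: The admin credentials `"admin", "secrete"` are hard-coded at the added `auth = self.get_admin_auth_token("admin", "secrete", "1")` line, and a fresh admin token is requested from the auth service on every incoming request. They belong in the paste configuration, read the way `self.delegated` is read from `conf.get('delegated', 0)`, and the token should be cached and re-fetched only when the validation call reports it is no longer accepted. The following line, `admin_token = json.loads(auth)["auth"]["token"]["id"]`, runs with no check that the admin login succeeded, so a non-2xx or non-JSON reply raises `ValueError`/`KeyError` out of the middleware instead of producing a controlled error response. `__call__` begins before this hunk and continues after it.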
@@ -75,11 +75,16 @@ class TokenAuth(object):
 def get_admin_auth_token(self, username, password, tenant):
+ """
+ This function gets an admin auth token to be used by this service to
+ validate a user's token.
+ """
 headers = {"Content-type": "application/json", "Accept": "text/json"}
 params = {"passwordCredentials": {"username": username,
 "password": password,
 "tenantId": "1"}}
- conn = httplib.HTTPConnection("localhost:8080")
+ conn = httplib.HTTPConnection("%s:%s" \
+ % (self.auth_host, self.auth_port))
 conn.request("POST", "/v1.0/token", json.dumps(params), \
 headers=headers)
 response = conn.getresponse()
@@ -99,9 +104,11 @@ class TokenAuth(object):
 if token:
 # this request is claiming it has a valid token, let's check
 # with the auth service
+ # Step1: Get an admin token
 auth = self.get_admin_auth_token("admin", "secrete", "1")
 admin_token = json.loads(auth)["auth"]["token"]["id"]
+ # Step2: validate the user's token using the admin token
 headers = {"Content-type": "application/json",
 "Accept": "text/json",
 "X-Auth-Token": admin_token}
@@ -110,18 +117,19 @@ class TokenAuth(object):
 resp = conn.getresponse()
 data = resp.read()
 conn.close()
- if not str(resp.status).startswith('20'):
- if self.delegated:
- env['HTTP_X_IDENTITY_STATUS'] = "Invalid"
- else:
- # Unauthorized token
- return HTTPUnauthorized()(env, custom_start_response)
- else:
+
+ if str(resp.status).startswith('20'):
 dict_response = json.loads(data)
 user = dict_response['auth']['user']['username']
 env['HTTP_X_AUTHORIZATION'] = "Proxy " + user
 if self.delegated:
 env['HTTP_X_IDENTITY_STATUS'] = "Confirmed"
+ else:
+ if self.delegated:
+ env['HTTP_X_IDENTITY_STATUS'] = "Invalid"
+ else:
+ # Unauthorized token
+ return HTTPUnauthorized()(env, custom_start_response)
 env['HTTP_AUTHORIZATION'] = "Basic dTpw"
 return self.app(env, custom_start_response)
-- cgit
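Review bot: The docstring added to `get_admin_auth_token` describes the purpose but not the contract: it should state that `username`/`password` are the admin credentials posted to `/v1.0/token`, that the raw response body is returned without a status check, and that `tenant` is currently unused (the body still sends `"tenantId": "1"`). Separately, the POST carrying the admin password now goes over a plain `httplib.HTTPConnection` to `self.auth_host`; once that host is no longer local, which is the point of this commit, the credentials cross the network unencrypted, so a config switch selecting `httplib.HTTPSConnection` is worth adding. The rest of the function body (`data`, `ret`, `return`) lies outside the hunk.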
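Review bot: The new `else:` branch after `env['HTTP_X_IDENTITY_STATUS'] = "Confirmed"` treats every non-2xx answer from the auth service as an invalid token, so an auth-service outage (a 5xx, or a connection that returned an error page) is reported to the client as `HTTPUnauthorized`, or in delegated mode as `"Invalid"`, and the body in `data` that would explain it is discarded on that path. Only a 4xx from the validation call really says the token is bad; a 5xx should surface as a distinct failure (webob's `HTTPServiceUnavailable` would need importing alongside `HTTPUnauthorized`) and be logged together with `resp.status`. If `resp.status` is the integer `httplib` reports, the test reads more plainly as `if 200 <= resp.status < 300:`, and the nested `else:`/`if self.delegated:` pair could be a single `elif self.delegated:`. `__call__` starts and ends outside this hunk.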