# vim: tabstop=4 shiftwidth=4 softtabstop=4

# Copyright 2013 OpenStack LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from keystone.common import dependency
from keystone import exception


@dependency.requires('identity_api')
class AuthMethodHandler(object):
    """Base class from which every authentication method plugin derives.

    The ``authenticate`` method defined here always raises
    ``exception.Unauthorized``, so a subclass that does not override it
    rejects every authentication attempt.
    """

    def __init__(self):
        """Create the handler; the base class sets no attributes itself."""

    def authenticate(self, context, auth_payload, auth_context):
        """Authenticate the user and record the result in ``auth_context``.

        :param context: keystone's request context
        :param auth_payload: the content of the authentication for a given
                             method. In the request example below this is
                             the object stored under the method's own name
                             inside "identity" (presumably supplied by the
                             client, so validate it before use -- confirm
                             against the caller).
        :param auth_context: user authentication context, a dictionary
                             shared by all plugins. It contains
                             "method_names" (a list) and "extras" (a
                             dictionary) by default.

        Contract for a plugin that overrides this method:

        * On success the plugin must set "user_id" in "auth_context".
          Because the dictionary is shared by all plugins, set it only
          once the credentials in "auth_payload" have been verified.
        * "method_names" conveys any additional authentication methods
          when the authentication is for re-scoping: in that case the
          plugin must append the previous method names to it.
        * The plugin may add any additional information to "extras".
          Anything placed there is conveyed in the token's "extras"
          field, so it should not hold passwords or other secrets.

        Example of "auth_context" after a successful authentication:

        {"user_id": "abc123",
         "method_names": ["password", "token"],
         "extras": {}}

        Plugins are invoked in the order in which they are listed in the
        "methods" attribute of the request's "identity" object. For
        example, with the following authentication request,

        {"auth": {
            "identity": {
                "methods": ["custom-plugin", "password", "token"],
                "token": {
                    "id": "sdfafasdfsfasfasdfds"
                },
                "custom-plugin": {
                    "custom-data": "sdfdfsfsfsdfsf"
                },
                "password": {
                    "user": {
                        "id": "s23sfad1",
                        "password": "secrete"
                    }
                }
            }
        }}

        the plugins are invoked in this order:

        1. custom-plugin
        2. password
        3. token

        :returns: None if authentication is successful.
                  For a multi step authentication, the authentication
                  payload for the next step, in the form of a dictionary.
        :raises: exception.Unauthorized for authentication failure
        """
        # Deny by default: the base class never authenticates anyone, so
        # only an overriding plugin can let a request through.
        raise exception.Unauthorized()