python-vitrageclient/vitrageclient/auth.py

#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

import os
import requests

from keystoneauth1 import loading
from keystoneauth1 import plugin
from oslo_log import log


LOG = log.getLogger(__name__)


# noinspection PyAbstractClass
class VitrageNoAuthPlugin(plugin.BaseAuthPlugin):
    """No authentication plugin for Vitrage

    This is a keystoneauth plugin that instead of
    doing authentication, it just fill the 'x-user-id'
    and 'x-project-id' headers with the user provided one.
    """
    def __init__(self, user_id, project_id, roles, endpoint):
        self._user_id = user_id
        self._project_id = project_id
        self._endpoint = endpoint
        self._roles = roles

    def get_token(self, session, **kwargs):
        return '<no-token-needed>'

    def get_headers(self, session, **kwargs):
        return {'x-user-id': self._user_id,
                'x-project-id': self._project_id,
                'x-roles': self._roles}

    def get_user_id(self, session, **kwargs):
        return self._user_id

    def get_project_id(self, session, **kwargs):
        return self._project_id

    def get_endpoint(self, session, **kwargs):
        return self._endpoint


class VitrageOpt(loading.Opt):
    @property
    def argparse_args(self):
        return ['--%s' % o.name for o in self._all_opts]

    @property
    def argparse_default(self):
        # select the first ENV that is not false-y or return None
        for o in self._all_opts:
            v = os.environ.get('VITRAGE_%s' % o.name.replace('-', '_').upper())
            if v:
                return v
        return self.default


class VitrageNoAuthLoader(loading.BaseLoader):
    plugin_class = VitrageNoAuthPlugin

    def get_options(self):
        options = super(VitrageNoAuthLoader, self).get_options()
        options.extend([
            VitrageOpt('user-id', help='User ID', required=True),
            VitrageOpt('project-id', help='Project ID', required=True),
            VitrageOpt('roles', help='Roles', default="admin"),
            VitrageOpt('endpoint', help='Vitrage endpoint', required=True),
        ])
        return options


# noinspection PyAbstractClass
class VitrageKeycloakPlugin(plugin.BaseAuthPlugin):
    """Authentication plugin for Keycloak """

    def __init__(self, username, password, realm_name, endpoint, auth_url,
                 openid_client_id):
        self.username = username
        self.password = password
        self.realm_name = realm_name
        self.endpoint = endpoint
        self.auth_url = auth_url
        self.client_id = openid_client_id
        self.verify = True

    def get_headers(self, session, **kwargs):
        self.verify = session.verify
        return {'X-Auth-Token': self._authenticate_keycloak(),
                'x-user-id': self.username,
                'x-project-id': self.realm_name}

    def get_endpoint(self, session, **kwargs):
        return self.endpoint

    def _authenticate_keycloak(self):
        keycloak_endpoint = "%s/realms/%s/protocol/openid-connect/token" % \
                            (self.auth_url, self.realm_name)

        body = {
            'grant_type': 'password',
            'username': self.username,
            'password': self.password,
            'client_id': self.client_id,
            'scope': 'profile'
        }

        resp = requests.post(keycloak_endpoint,
                             data=body,
                             verify=self.verify)

        try:
            resp.raise_for_status()
        except Exception as e:
            LOG.error('Failed to get access token: %s', str(e))

        return resp.json()['access_token']


class VitrageKeycloakLoader(loading.BaseLoader):
    plugin_class = VitrageKeycloakPlugin

    def get_options(self):
        options = super(VitrageKeycloakLoader, self).get_options()
        options.extend([
            VitrageOpt('username', help='User Name', required=True),
            VitrageOpt('password', help='password', required=True),
            VitrageOpt('realm-name', help='Realm Name', required=True),
            VitrageOpt('endpoint', help='Vitrage Endpoint', required=True),
            VitrageOpt('auth-url', help='Keycloak Url', required=True),
            VitrageOpt('openid-client-id', help='Keycloak client id',
                       required=True),
        ])
        return options