keystone: refresh token and groups
This commit is contained in:
Krzysztof Balka
@@ -10,111 +10,155 @@ import (
|
||||
"net/http"
|
||||
"bytes"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
)
|
||||
|
||||
type KeystoneConnector struct {
|
||||
domain string
|
||||
keystoneURI string
|
||||
Logger logrus.FieldLogger
|
||||
}
|
||||
|
||||
var (
|
||||
_ connector.PasswordConnector = &KeystoneConnector{}
|
||||
_ connector.PasswordConnector = &Connector{}
|
||||
_ connector.RefreshConnector = &Connector{}
|
||||
)
|
||||
|
||||
// Config holds the configuration parameters for Keystone connector.
|
||||
// An example config:
|
||||
// connectors:
|
||||
// type: ksconfig
|
||||
// id: keystone
|
||||
// name: Keystone
|
||||
// config:
|
||||
// keystoneURI: http://example:5000/v3/auth/tokens
|
||||
// domain: default
|
||||
|
||||
type Config struct {
|
||||
Domain string `json:"domain"`
|
||||
KeystoneURI string `json:"keystoneURI"`
|
||||
}
|
||||
|
||||
// Open returns an authentication strategy using Keystone.
|
||||
func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) {
|
||||
return &KeystoneConnector{c.Domain,c.KeystoneURI,logger}, nil
|
||||
return &Connector{c.Domain, c.KeystoneHost,
|
||||
c.KeystoneUsername, c.KeystonePassword, logger}, nil
|
||||
}
|
||||
|
||||
func (p KeystoneConnector) Close() error { return nil }
|
||||
func (p Connector) Close() error { return nil }
|
||||
|
||||
// Declare KeystoneJson struct to get a token
|
||||
type KeystoneJson struct {
|
||||
Auth `json:"auth"`
|
||||
func (p Connector) Login(ctx context.Context, s connector.Scopes, username, password string) (
|
||||
identity connector.Identity, validPassword bool, err error) {
|
||||
response, err := p.getTokenResponse(username, password)
|
||||
|
||||
// Providing wrong password or wrong keystone URI throws error
|
||||
if err == nil && response.StatusCode == 201 {
|
||||
token := response.Header["X-Subject-Token"][0]
|
||||
data, _ := ioutil.ReadAll(response.Body)
|
||||
|
||||
var tokenResponse = new(TokenResponse)
|
||||
err := json.Unmarshal(data, &tokenResponse)
|
||||
|
||||
if err != nil {
|
||||
fmt.Printf("keystone: invalid token response: %v", err)
|
||||
return identity, false, err
|
||||
}
|
||||
groups, err := p.getUserGroups(tokenResponse.Token.User.ID, token)
|
||||
|
||||
if err != nil {
|
||||
return identity, false, err
|
||||
}
|
||||
|
||||
identity.Username = username
|
||||
identity.UserID = tokenResponse.Token.User.ID
|
||||
identity.Groups = groups
|
||||
return identity, true, nil
|
||||
|
||||
} else if err != nil {
|
||||
fmt.Printf("keystone: error %v", err)
|
||||
return identity, false, err
|
||||
|
||||
} else {
|
||||
data, _ := ioutil.ReadAll(response.Body)
|
||||
fmt.Println(string(data))
|
||||
return identity, false, err
|
||||
}
|
||||
return identity, false, nil
|
||||
}
|
||||
|
||||
type Auth struct {
|
||||
Identity `json:"identity"`
|
||||
func (p Connector) Prompt() string { return "username" }
|
||||
|
||||
func (p Connector) Refresh(
|
||||
ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
|
||||
|
||||
if len(identity.ConnectorData) == 0 {
|
||||
return identity, nil
|
||||
}
|
||||
|
||||
token, err := p.getAdminToken()
|
||||
|
||||
if err != nil {
|
||||
fmt.Printf("keystone: failed to obtain admin token")
|
||||
return identity, err
|
||||
}
|
||||
|
||||
ok := p.checkIfUserExists(identity.UserID, token)
|
||||
if !ok {
|
||||
fmt.Printf("keystone: user %q does not exist\n", identity.UserID)
|
||||
return identity, fmt.Errorf("keystone: user %q does not exist", identity.UserID)
|
||||
}
|
||||
|
||||
groups, err := p.getUserGroups(identity.UserID, token)
|
||||
if err != nil {
|
||||
fmt.Printf("keystone: Failed to fetch user %q groups", identity.UserID)
|
||||
return identity, fmt.Errorf("keystone: failed to fetch user %q groups", identity.UserID)
|
||||
}
|
||||
|
||||
identity.Groups = groups
|
||||
fmt.Printf("Identity data after use of refresh token: %v", identity)
|
||||
return identity, nil
|
||||
}
|
||||
|
||||
type Identity struct {
|
||||
Methods []string `json:"methods"`
|
||||
Password `json:"password"`
|
||||
}
|
||||
|
||||
type Password struct {
|
||||
User `json:"user"`
|
||||
}
|
||||
|
||||
type User struct {
|
||||
Name string `json:"name"`
|
||||
Domain `json:"domain"`
|
||||
Password string `json:"password"`
|
||||
}
|
||||
|
||||
type Domain struct {
|
||||
ID string `json:"id"`
|
||||
}
|
||||
|
||||
func (p KeystoneConnector) Login(ctx context.Context, s connector.Scopes, username, password string) (identity connector.Identity, validPassword bool, err error) {
|
||||
// Instantiate KeystoneJson struct type to get a token
|
||||
jsonData := KeystoneJson{
|
||||
func (p Connector) getTokenResponse(username, password string) (response *http.Response, err error) {
|
||||
jsonData := LoginRequestData{
|
||||
Auth: Auth{
|
||||
Identity: Identity{
|
||||
Methods:[]string{"password"},
|
||||
Password: Password{
|
||||
User: User{
|
||||
Name: username,
|
||||
Domain: Domain{ID:p.domain},
|
||||
Domain: Domain{ID:p.Domain},
|
||||
Password: password,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// Marshal jsonData
|
||||
jsonValue, _ := json.Marshal(jsonData)
|
||||
|
||||
// Make an http post request to Keystone URI
|
||||
response, err := http.Post(p.keystoneURI, "application/json", bytes.NewBuffer(jsonValue))
|
||||
|
||||
// Providing wrong password or wrong keystone URI throws error
|
||||
if err == nil && response.StatusCode == 201 {
|
||||
data, _ := ioutil.ReadAll(response.Body)
|
||||
fmt.Println(string(data))
|
||||
identity.Username = username
|
||||
return identity, true, nil
|
||||
|
||||
} else if err != nil {
|
||||
log.Fatal(err)
|
||||
return identity, false, err
|
||||
|
||||
} else {
|
||||
fmt.Printf("The HTTP request failed with error %v\n", response.StatusCode)
|
||||
data, _ := ioutil.ReadAll(response.Body)
|
||||
fmt.Println(string(data))
|
||||
return identity, false, err
|
||||
|
||||
}
|
||||
return identity, false, nil
|
||||
loginURI := p.KeystoneHost + "/v3/auth/tokens"
|
||||
return http.Post(loginURI, "application/json", bytes.NewBuffer(jsonValue))
|
||||
}
|
||||
|
||||
func (p KeystoneConnector) Prompt() string { return "username" }
|
||||
func (p Connector) getAdminToken()(string, error) {
|
||||
response, err := p.getTokenResponse(p.KeystoneUsername, p.KeystonePassword)
|
||||
if err!= nil {
|
||||
return "", err
|
||||
}
|
||||
token := response.Header["X-Subject-Token"][0]
|
||||
return token, nil
|
||||
}
|
||||
|
||||
func (p Connector) checkIfUserExists(userID string, token string) (bool) {
|
||||
groupsURI := p.KeystoneHost + "/v3/users/" + userID
|
||||
client := &http.Client{}
|
||||
req, _ := http.NewRequest("GET", groupsURI, nil)
|
||||
req.Header.Set("X-Auth-Token", token)
|
||||
response, err := client.Do(req)
|
||||
if err == nil && response.StatusCode == 200 {
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func (p Connector) getUserGroups(userID string, token string) ([]string, error) {
|
||||
groupsURI := p.KeystoneHost + "/v3/users/" + userID + "/groups"
|
||||
client := &http.Client{}
|
||||
req, _ := http.NewRequest("GET", groupsURI, nil)
|
||||
req.Header.Set("X-Auth-Token", token)
|
||||
response, err := client.Do(req)
|
||||
|
||||
if err != nil {
|
||||
fmt.Printf("keystone: error while fetching user %q groups\n", userID)
|
||||
return nil, err
|
||||
}
|
||||
data, _ := ioutil.ReadAll(response.Body)
|
||||
var groupsResponse = new(GroupsResponse)
|
||||
err = json.Unmarshal(data, &groupsResponse)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
groups := []string{}
|
||||
for _, group := range groupsResponse.Groups {
|
||||
groups = append(groups, group.Name)
|
||||
}
|
||||
return groups, nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user