1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import typing as ty
from keystoneauth1 import exceptions
from keystoneauth1 import identity
from keystoneauth1.identity.v3 import oidc
from keystoneauth1 import loading
from keystoneauth1.loading import opts
def _add_common_identity_options(options: list[opts.Opt]) -> None:
options.extend(
[
loading.Opt('user-id', help="User's user ID"),
loading.Opt(
'username',
help="User's username",
deprecated=[loading.Opt('user-name')],
),
loading.Opt('user-domain-id', help="User's domain ID"),
loading.Opt('user-domain-name', help="User's domain name"),
]
)
def _assert_identity_options(options: dict[str, ty.Any]) -> None:
if options.get('username') and not (
options.get('user_domain_name') or options.get('user_domain_id')
):
m = (
"You have provided a username. In the V3 identity API a "
"username is only unique within a domain so you must "
"also provide either a user_domain_id or user_domain_name."
)
raise exceptions.OptionError(m)
class Password(loading.BaseV3Loader[identity.V3Password]):
"""Authenticate with a username and password.
Authenticate to the identity service using the provided username and
password. This is the standard and most common form of authentication.
"""
@property
def plugin_class(self) -> type[identity.V3Password]:
return identity.V3Password
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
_add_common_identity_options(options)
options.extend(
[
loading.Opt(
'password',
secret=True,
prompt='Password: ',
help="User's password",
)
]
)
return options
def load_from_options(self, **kwargs: ty.Any) -> identity.V3Password:
_assert_identity_options(kwargs)
return super().load_from_options(**kwargs)
class Token(loading.BaseV3Loader[identity.V3Token]):
"""Given an existing token rescope it to another target.
Use the Identity service's rescope mechanism to get a new token based upon
an existing token. Because an auth plugin requires a service catalog and
scope information it is often easier to fetch a new token based on an
existing one than validate and reuse the one you already have.
"""
@property
def plugin_class(self) -> type[identity.V3Token]:
return identity.V3Token
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
options.extend(
[
loading.Opt(
'token', secret=True, help='Token to authenticate with'
)
]
)
return options
class _OpenIDConnectBase(loading.BaseFederationLoader[oidc._OidcBaseT]):
def load_from_options(self, **kwargs: ty.Any) -> oidc._OidcBaseT:
if not (
kwargs.get('access_token_endpoint')
or kwargs.get('discovery_endpoint')
):
m = (
"You have to specify either an 'access-token-endpoint' or "
"a 'discovery-endpoint'."
)
raise exceptions.OptionError(m)
return super().load_from_options(**kwargs)
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
options.extend(
[
loading.Opt('client-id', help='OAuth 2.0 Client ID'),
loading.Opt(
'client-secret',
secret=True,
help='OAuth 2.0 Client Secret',
),
loading.Opt(
'openid-scope',
default="openid profile",
dest="scope",
help='OpenID Connect scope that is requested from '
'authorization server. Note that the OpenID '
'Connect specification states that "openid" '
'must be always specified.',
),
loading.Opt(
'access-token-endpoint',
help='OpenID Connect Provider Token Endpoint. Note '
'that if a discovery document is being passed this '
'option will override the endpoint provided by the '
'server in the discovery document.',
),
loading.Opt(
'discovery-endpoint',
help='OpenID Connect Discovery Document URL. '
'The discovery document will be used to obtain the '
'values of the access token endpoint and the '
'authentication endpoint. This URL should look like '
'https://idp.example.org/.well-known/'
'openid-configuration',
),
loading.Opt(
'access-token-type',
help='OAuth 2.0 Authorization Server Introspection '
'token type, it is used to decide which type '
'of token will be used when processing token '
'introspection. Valid values are: '
'"access_token" or "id_token"',
),
]
)
return options
class OpenIDConnectClientCredentials(
_OpenIDConnectBase[identity.V3OidcClientCredentials]
):
"""Authenticate with the OIDC Client Credentials flow."""
@property
def plugin_class(self) -> type[identity.V3OidcClientCredentials]:
return identity.V3OidcClientCredentials
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
return options
class OpenIDConnectPassword(_OpenIDConnectBase[identity.V3OidcPassword]):
"""Authenticate with the OIDC Resource Owner Password Credentials flow."""
@property
def plugin_class(self) -> type[identity.V3OidcPassword]:
return identity.V3OidcPassword
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
options.extend(
[
loading.Opt('username', help='Username', required=True),
loading.Opt(
'password', secret=True, help='Password', required=True
),
loading.Opt(
'idp_otp_key',
help='A key to be used in the Identity Provider access'
' token endpoint to pass the OTP value. '
'E.g. totp',
),
]
)
return options
class OpenIDConnectAuthorizationCode(
_OpenIDConnectBase[identity.V3OidcAuthorizationCode]
):
"""Authenticate with the OIDC Authorization Code flow."""
@property
def plugin_class(self) -> type[identity.V3OidcAuthorizationCode]:
return identity.V3OidcAuthorizationCode
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
options.extend(
[
loading.Opt(
'redirect-uri', help='OpenID Connect Redirect URL'
),
loading.Opt(
'code',
secret=True,
required=True,
deprecated=[loading.Opt('authorization-code')],
help='OAuth 2.0 Authorization Code',
),
]
)
return options
class OpenIDConnectAccessToken(
loading.BaseFederationLoader[identity.V3OidcAccessToken]
):
"""Authenticate with the OIDC Access Token flow."""
@property
def plugin_class(self) -> type[identity.V3OidcAccessToken]:
return identity.V3OidcAccessToken
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
options.extend(
[
loading.Opt(
'access-token',
secret=True,
required=True,
help='OAuth 2.0 Access Token',
)
]
)
return options
class OpenIDConnectDeviceAuthorization(
_OpenIDConnectBase[identity.V3OidcDeviceAuthorization]
):
"""Authenticate with the OAuth 2.0 Device Authorization flow."""
@property
def plugin_class(self) -> type[identity.V3OidcDeviceAuthorization]:
return identity.V3OidcDeviceAuthorization
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
options.extend(
[
loading.Opt(
'device-authorization-endpoint',
help='OAuth 2.0 Device Authorization Endpoint. Note '
'that if a discovery document is being passed this '
'option will override the endpoint provided by the '
'server in the discovery document.',
),
loading.Opt(
'code-challenge-method',
help='PKCE Challenge Method (RFC 7636)',
),
]
)
return options
class TOTP(loading.BaseV3Loader[identity.V3TOTP]):
"""Authenticate with a Time-based One-Time Password.
Authenticate to the identity service using a time-based one-time password.
This is typically used in combination with another plugin as part of a
multi-factor configuration.
"""
@property
def plugin_class(self) -> type[identity.V3TOTP]:
return identity.V3TOTP
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
_add_common_identity_options(options)
options.extend(
[
loading.Opt(
'passcode',
secret=True,
prompt='TOTP passcode: ',
help="User's TOTP passcode",
)
]
)
return options
def load_from_options(self, **kwargs: ty.Any) -> identity.V3TOTP:
_assert_identity_options(kwargs)
return super().load_from_options(**kwargs)
class TokenlessAuth(loading.BaseLoader[identity.V3TokenlessAuth]):
"""Authenticate without a token, using an X.509 certificate."""
@property
def plugin_class(self) -> type[identity.V3TokenlessAuth]:
return identity.V3TokenlessAuth
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
options.extend(
[
loading.Opt(
'auth-url', required=True, help='Authentication URL'
),
loading.Opt('domain-id', help='Domain ID to scope to'),
loading.Opt('domain-name', help='Domain name to scope to'),
loading.Opt('project-id', help='Project ID to scope to'),
loading.Opt('project-name', help='Project name to scope to'),
loading.Opt(
'project-domain-id', help='Domain ID containing project'
),
loading.Opt(
'project-domain-name',
help='Domain name containing project',
),
]
)
return options
def load_from_options(self, **kwargs: ty.Any) -> identity.V3TokenlessAuth:
if (
not kwargs.get('domain_id')
and not kwargs.get('domain_name')
and not kwargs.get('project_id')
and not kwargs.get('project_name')
or (
kwargs.get('project_name')
and not (
kwargs.get('project_domain_name')
or kwargs.get('project_domain_id')
)
)
):
m = (
'You need to provide either a domain_name, domain_id, '
'project_id or project_name. '
'If you have provided a project_name, in the V3 identity '
'API a project_name is only unique within a domain so '
'you must also provide either a project_domain_id or '
'project_domain_name.'
)
raise exceptions.OptionError(m)
return super().load_from_options(**kwargs)
class ApplicationCredential(
loading.BaseV3Loader[identity.V3ApplicationCredential]
):
"""Authenticate with an application credential.
Authenticate to the identity service using the provided application
credential secret and ID or name. If a name is used, you must also provide
a username and user domain to assist in lookup.
"""
@property
def plugin_class(self) -> type[identity.V3ApplicationCredential]:
return identity.V3ApplicationCredential
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
_add_common_identity_options(options)
options.extend(
[
loading.Opt(
'application_credential_secret',
secret=True,
required=True,
help="Application credential auth secret",
),
loading.Opt(
'application_credential_id',
help='Application credential ID',
),
loading.Opt(
'application_credential_name',
help='Application credential name',
),
]
)
return options
def load_from_options(
self, **kwargs: ty.Any
) -> identity.V3ApplicationCredential:
_assert_identity_options(kwargs)
if not kwargs.get('application_credential_id') and not kwargs.get(
'application_credential_name'
):
m = (
'You must provide either an application credential ID or an '
'application credential name and user.'
)
raise exceptions.OptionError(m)
if not kwargs.get('application_credential_secret'):
m = 'You must provide an auth secret.'
raise exceptions.OptionError(m)
return super().load_from_options(**kwargs)
class MultiFactor(loading.BaseV3Loader[identity.V3MultiFactor]):
"""Authenticate using multiple factors.
Authenticate to the identity service using a combination of factors, such
as username/password and a TOTP code.
"""
def __init__(self) -> None:
super().__init__()
self._methods = None
@property
def plugin_class(self) -> type[identity.V3MultiFactor]:
return identity.V3MultiFactor
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
options.extend(
[
loading.Opt(
'auth_methods',
required=True,
help="Methods to authenticate with.",
)
]
)
if self._methods:
options_dict = {o.name: o for o in options}
for method in self._methods:
method_opts = loading.get_plugin_options(method)
for opt in method_opts:
options_dict[opt.name] = opt
options = list(options_dict.values())
return options
def load_from_options(self, **kwargs: ty.Any) -> identity.V3MultiFactor:
_assert_identity_options(kwargs)
if 'auth_methods' not in kwargs:
raise exceptions.OptionError("methods is a required option.")
self._methods = kwargs['auth_methods']
return super().load_from_options(**kwargs)
class OAuth2ClientCredential(
loading.BaseV3Loader[identity.V3OAuth2ClientCredential]
):
"""Authenticate with an OAuth2.0 client credential."""
@property
def plugin_class(self) -> type[identity.V3OAuth2ClientCredential]:
return identity.V3OAuth2ClientCredential
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
options.extend(
[
loading.Opt(
'oauth2_endpoint',
required=True,
help='Endpoint for OAuth2.0',
),
loading.Opt(
'oauth2_client_id',
required=True,
help='Client id for OAuth2.0',
),
loading.Opt(
'oauth2_client_secret',
secret=True,
required=True,
help='Client secret for OAuth2.0',
),
]
)
return options
def load_from_options(
self, **kwargs: ty.Any
) -> identity.V3OAuth2ClientCredential:
if not kwargs.get('oauth2_endpoint'):
m = 'You must provide an OAuth2.0 endpoint.'
raise exceptions.OptionError(m)
if not kwargs.get('oauth2_client_id'):
m = 'You must provide an OAuth2.0 client credential ID.'
raise exceptions.OptionError(m)
if not kwargs.get('oauth2_client_secret'):
m = 'You must provide an OAuth2.0 client credential auth secret.'
raise exceptions.OptionError(m)
return super().load_from_options(**kwargs)
class OAuth2mTlsClientCredential(
loading.BaseV3Loader[identity.V3OAuth2mTlsClientCredential]
):
"""Authenticate with an OAuth2.0 mTLS client credential."""
@property
def plugin_class(self) -> type[identity.V3OAuth2mTlsClientCredential]:
return identity.V3OAuth2mTlsClientCredential
def get_options(self) -> list[opts.Opt]:
options = super().get_options()
options.extend(
[
loading.Opt(
'oauth2-endpoint',
required=True,
help='Endpoint for OAuth2.0 Mutual-TLS Authorization',
),
loading.Opt(
'oauth2-client-id',
required=True,
help='Client credential ID for OAuth2.0 Mutual-TLS '
'Authorization',
),
]
)
return options
def load_from_options(
self, **kwargs: ty.Any
) -> identity.V3OAuth2mTlsClientCredential:
if not kwargs.get('oauth2_endpoint'):
m = 'You must provide an OAuth2.0 Mutual-TLS endpoint.'
raise exceptions.OptionError(m)
if not kwargs.get('oauth2_client_id'):
m = (
'You must provide an client credential ID for '
'OAuth2.0 Mutual-TLS Authorization.'
)
raise exceptions.OptionError(m)
return super().load_from_options(**kwargs)
|
