**OpenStack** Authenticator --------------------------- ``AuthToken`` covers the case where SL1 needs to reach out to a token server using basic authentication. The received token is then used in subsequent requests to the API endpoints. There are many different flavors of exactly how this works. The out-of-the-box ``AuthToken`` implementation assumes the following: #. There is a URL to retrieve the token from #. The request is a POST #. The request's body is ``{"username": username, "password": password}`` #. The response from the token request must include the token in the body. #. The key to access the token from the response body is configurable in the credential. #. The token must then be used in subsequent requests and included in the header. See :doc:`../../authentication/rest/index` For this example, we will be looking to make custom authenticator to support the **Openstack** authentcation flow. **Openstack** supports token authentication and we can re-use some components of out-of-the-box ``AuthToken`` to accomplish this. The following are sample request/response payloads from an Openstack server. We will use this information to build out the various components of the new ``AuthOpenstack`` authenticator. See `Openstack Curl Examples `_ The following shows an example of making a request to the **Openstack** token server. .. code-block:: shell curl -i \ -H "Content-Type: application/json" \ -d ' { "auth": { "identity": { "methods": ["password"], "password": { "user": { "name": "admin", "domain": { "id": "default" }, "password": "adminpwd" } } } } }' \ "http://myopenstackserver:5000/v3/auth/tokens" This does *not* match the POST body of ``AuthToken`` as it formats its POST body as ``{'username': username, 'password': password}``. Now let us examine the response from the token request: .. code-block:: shell :emphasize-lines: 2 HTTP/1.1 201 Created X-Subject-Token: MIIFvgY... Vary: X-Auth-Token Content-Type: application/json Content-Length: 1025 Date: Tue, 10 Jun 2014 20:55:16 GMT { "token": { "methods": ["password"], "roles": [{ "id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_" }, { "id": "c703057be878458588961ce9a0ce686b", "name": "admin" }], "expires_at": "2014-06-10T2:55:16.806001Z", "project": { "domain": { "id": "default", "name": "Default" }, "id": "8538a3f13f9541b28c2620eb19065e45", "name": "admin" }, "catalog": [{ "endpoints": [{ "url": "http://localhost:3537/v2.0", "region": "RegionOne", "interface": "admin", "id": "29beb2f1567642eb810b042b6719ea88" }, { "url": "http://localhost:5000/v2.0", "region": "RegionOne", "interface": "internal", "id": "8707e3735d4415c97ae231b4841eb1c" }, { "url": "http://localhost:5000/v2.0", "region": "RegionOne", "interface": "public", "id": "ef303187fc8d41668f25199c298396a5" }], "type": "identity", "id": "bd73972c0e14fb69bae8ff76e112a90", "name": "keystone" }], "extras": {}, "user": { "domain": { "id": "default", "name": "Default" }, "id": "3ec3164f750146be97f21559ee4d9c51", "name": "admin" }, "audit_ids": ["yRt0UrxJSs6-WYJgwEMMmg"], "issued_at": "201406-10T20:55:16.806027Z" } } ``AuthToken`` expects to find the token from the POST body of the response. Notice that the token is *not* included in the payload but rather in the header. See `Openstack Auth API `_ Our ``AuthOpenstack`` authenticator need to send the proper payload to the token server and then retrieve the token from the header instead of the payload. First, the request post body will need to be properly formatted. The code for ``AuthToken`` is shown below. Highlighted is the authentication request's POST handling. .. literalinclude:: ../../_static/authentication/src/TokenAuth.py.txt :language: python :emphasize-lines: 91-93,143-162 :linenos: Request Body Update ^^^^^^^^^^^^^^^^^^^ The function that must be modified is ``execute_auth_workflow()`` as we will be replacing the ``AuthToken.request_token()`` function. This new function will be part of the authenticator class called ``AuthOpenstack``. The code changes shown below formats the POST body into the expected format. .. code-block:: python :emphasize-lines: 1,10,24-37,40 :linenos: @add_auth class AuthOpenstack(AuthToken): def execute_auth_workflow(self): """Perform the authentication to get the token Once authenticated, save the information to the cache to re-use at a later time :return: Token information related to the payload :rtype: token_info """ token_resp = AuthOpenstack.request_token( self.url, self.client_info, self.headers, verify=self.ssl_verify ) return self.parse_json_result(token_resp) @staticmethod def request_token(self, url, auth, headers, kwargs**): """Perform the request to gather the result from the endpoint :param str url: URL to query to obtain the token :param dict auth: Authentication information for the request :param dict headers: Headers to use when requesting the token :rtype: request.response """ body = { "auth": { "methods": ["password"], "password": { "user": { "name": auth["username"], "domain": { "id": "default" }, "password": auth["password"] } } } } request_payload = { "json": body, "headers": headers, } request_payload.update(kwargs) try: return requests.post(url, **request_payload) except requests.ConnectionError as err: auth_logger.warning("Cannot connect to [%s]: %s", url, type(err)) raise AuthenticationFailed( "Unable to Authenticate. Cannot connect to the Token Retrieval Endpoint" ) To recap, a new authenticator called ``AuthOpenstack`` which inherits from ``AuthToken`` was defined. Next the ``execute_auth_workflow()`` function was modified to call a new static method called ``request_token()``. This function prepares the expected request body for the authentication server. Next, the response handle will need to be changed to handle receiving the token from the header. Below is our current update and the next section that will need to be updated. The function ``parse_json_result()`` is part of ``AuthToken``'s parent class ``TokenBasedAuthenticator`` and the function's code is show below. .. code-block:: python :emphasize-lines: 13 :linenos: @add_auth class AuthOpenstack(AuthToken): def execute_auth_workflow(self): """Perform the authentication to get the token Once authenticated, save the information to the cache to re-use at a later time :return: Token information related to the payload :rtype: token_info """ token_resp = AuthOpenstack.request_token( self.url, self.client_info, self.headers, verify=self.ssl_verify ) return self.parse_json_result(token_resp) def parse_json_result(self, resp): """Parses the JSON response after requesting token info Parse the response, store any required information, and set the auth so future requests can use the token. :param requests.models.Response resp: Response from the request :return: Information from the payload :rtype: dict """ if not self.check_result(resp): self.auth = None self.mark_as_failed() auth_logger.warning("Invalid response received during token generation, %s", resp) return try: token_resp_json = resp.json() except ValueError: self.mark_as_failed() auth_logger.warning("Non-JSON information returned from %s", self.url) return self.extract_access_token(token_resp_json) self.extract_expires_in(token_resp_json) self.set_auth(token_resp_json[DEFAULT_ACCESS_TOKEN_SELECTOR]) return token_resp_json def extract_access_token(self, token_resp_json): """Extracts a token out of a JSON response payload :param dict token_resp_json: response from :raises AuthenticationFailed: token/access key not found """ try: token_resp_json[DEFAULT_ACCESS_TOKEN_SELECTOR] = token_resp_json[ self.payload_token_key ] except KeyError: avail_keys = '", "'.join(token_resp_json.keys()) raise AuthenticationFailed( 'Unable to find the key, {}, within the payload. Available keys: "{}"'.format( self.payload_token_key, avail_keys ) ) def extract_expires_in(self, token_resp_json): """Populates expires_in field in cachable token data Adds the default expires_in populated with when the token will expire for the dynamic refresh. Otherwise, this will put a static time-to-live for the token. :param str token_resp_json: JSON response from request """ if self.auth_refresh.type == REFRESH_TOKEN_STATIC: auth_logger.debug("Static Token refresh:: ttl: %s", self.auth_refresh.info.ttl) token_resp_json[DEFAULT_EXPIRES_IN_SELECTOR] = self.handle_expiry_time( self.auth_refresh.info.ttl ) else: # dynamic case auth_logger.debug( "Dynamic Token refresh:: expiry_Key: %s", self.auth_refresh.info.expiry_key ) if self.auth_refresh.info.expiry_key: # User has defined an expires_in key to look-up try: token_resp_json[DEFAULT_EXPIRES_IN_SELECTOR] = self.handle_expiry_time( token_resp_json[self.auth_refresh.info.expiry_key] ) except KeyError: avail_keys = '", "'.join(token_resp_json.keys()) auth_logger.warning( "Cannot find %s in authentication response. This is required for setting " "a token refresh timer. Defaulting token refresh timer to %d hour. " "Available keys: '%s'", self.auth_refresh.info.expiry_key, self.auth_refresh.info.ttl / 60**2, avail_keys, ) token_resp_json[DEFAULT_EXPIRES_IN_SELECTOR] = self.handle_expiry_time( self.auth_refresh.info.ttl ) else: auth_logger.debug( "Dynamic token refresh selected, but no expiry key has been defined. " "Setting token refresh to %s", self.auth_refresh.info.ttl, ) token_resp_json[DEFAULT_EXPIRES_IN_SELECTOR] = self.handle_expiry_time( self.auth_refresh.info.ttl ) The responsibility of ``parse_json_result()`` is to extract the received response into an ``access-token`` and ``expires-in``. ``access-token`` is the token that is coming from the header and ``expires-in`` is located in the body of response under the key ``expires_at`` which follows ISO 8601. Extracting the Token ^^^^^^^^^^^^^^^^^^^^ The token is located in the header of the response under the key ``X-Subject-Token``. The function ``parse_json_result()`` needs the following update. .. code-block:: python :linenos: @add_auth class AuthOpenstack(AuthToken): PAYLOAD_TOKEN_KEY = "X-Subject-Token" def parse_json_result(self, resp): """Parses the JSON response after requesting token info Parse the response, store any required information, and set the auth so future requests can use the token. :param requests.models.Response resp: Response from the request :return: Information from the payload :rtype: dict """ if not self.check_result(resp): self.auth = None self.mark_as_failed() auth_logger.warning("Invalid response received during token generation, %s", resp) return try: token_resp_json = resp.json() except ValueError: self.mark_as_failed() auth_logger.warning("Non-JSON information returned from %s", self.url) return self.extract_access_token(resp.headers, token_resp_json) self.extract_expires_in(token_resp_json) self.set_auth(token_resp_json[DEFAULT_ACCESS_TOKEN_SELECTOR]) return token_resp_json def extract_access_token(self, headers, token_resp_json): """Extracts a token out of a JSON header payload :param dict headers: auth header response :param dict token_resp_json: auth body response :raises AuthenticationFailed: token/access key not found """ try: token_resp_json[DEFAULT_ACCESS_TOKEN_SELECTOR] = headers[ AuthOpenstack.PAYLOAD_TOKEN_KEY ] except KeyError: avail_keys = '", "'.join(headers.keys()) raise AuthenticationFailed( 'Unable to find the key, {}, within the header. Available keys: "{}"'.format( AuthOpenstack.PAYLOAD_TOKEN_KEY, avail_keys ) ) The function ``extract_access_token()`` was overriden and the headers are now a parameter. The function still assumes following an OAuth2 flow where ``access_in`` is a field in the payload. So ``token_resp_json`` needs to be provided such that the inherited class functions can cache the token for other collections. Extracting the Expiry Time ^^^^^^^^^^^^^^^^^^^^^^^^^^ The ``extract_expires_in()`` function will be updated to handle the ISO 8601 format and allow for dynamic token refreshes. It uses a function called ``handle_expiry_time()`` which is designed to work with the ``expires_in`` field for OAuth2 workflows. ``expires_in`` is some amount of seconds in the future the token will expire. However, ISO 8601 is a definitive time in the future and not a duration. The good news is that the ISO 8601 can be converted to epoch time. Below is the existing ``handle_expiry_time()``. This code needs to be reused for the static refresh intervals. So we will copy and paste the contents to a new function. There we will modify it to handle the new time format. .. code-block:: python def handle_expiry_time(self, expires_in_time): """Converters expires_in seconds to linux epoch time Allows manipulation of the expires_in_time that is received from the json payload after authentications. The default implementation assumes that the expires_in field is in seconds and a time from response. However, this can be a fixed time where an override to this method would be required. :param str expires_in_time: expires_in response time in seconds :rtype: int :return: linux epoch expiration time """ auth_logger.debug("handle_expiry_time --> expires_in:: %s", expires_in_time) try: expires_in_time_int = int(expires_in_time) except ValueError: raise AuthenticationFailed( ( "Unable to convert expires in time: {} to linux epoch time. " "Expires in time must be castable to an integer and is expected " "to be some duration of time since the authentication response. " "Consider overriding this method if the input is a fixed calendar time." ).format(expires_in_time) ) return int(time.time()) + expires_in_time_int Below is the new ``handle_iso8601_expiry_time()``. It makes use of datetime to parse and convert to time since epoch. It is similar in style to previous function, ``handle_expiry_time()``. .. code-block:: python from datetime import datetime def handle_iso8601_expiry_time(self, expires_at_time): """Converters expires_at ISO 8601 to linux epoch time example format: CCYY-MM-DDThh:mm:ss.sssZ example input: 2015-08-27T09:49:58.000000Z There is a special case were this value can be `null` :param str expires_at_time: ISO 8601 expiry time :rtype: int :return: linux epoch expiration time """ auth_logger.debug("handle_iso8601_expiry_time --> expires_at:: %s", expires_at_time) try: utc_time = datetime.strptime(expires_at_time, "%Y-%m-%dT%H:%M:%S.%fZ") except ValueError: raise AuthenticationFailed( ( "Unable to parse expires at time: {}" ).format(expires_at_time) ) return utc_time.strftime("%s") Finally, the ``expires_at`` extract method needs to be updated to correctly select the correct value. Since the expiry key is static and won't change, the class is updated to handle the selection ``token.expires_at`` from the body of the response. Again, we are using ``handle_expiry_time()`` for the static refresh case and ``handle_iso8601_expiry_time()`` for the data extracted from the **Openstack** authentication response. .. code-block:: python :linenos: :emphasize-lines: 17-19 class AuthOpenstack(AuthToken): def extract_expires_in(self, token_resp_json): """Populates expires_in field in cachable token data Adds the default expires_in populated with when the token will expire for the dynamic refresh. Otherwise, this will put a static time-to-live for the token. :param str token_resp_json: JSON response from request """ if self.auth_refresh.type == REFRESH_TOKEN_STATIC: auth_logger.debug("Static Token refresh:: ttl: %s", self.auth_refresh.info.ttl) token_resp_json[DEFAULT_EXPIRES_IN_SELECTOR] = self.handle_expiry_time( self.auth_refresh.info.ttl ) else: # dynamic case try: token_resp_json[DEFAULT_EXPIRES_IN_SELECTOR] = self.handle_iso8601_expiry_time( token_resp_json["token"]["expires_at"] ) except KeyError: avail_keys = '", "'.join(token_resp_json.keys()) auth_logger.warning( "Cannot find %s in authentication response. This is required for setting " "a token refresh timer. Defaulting token refresh timer to %d hour. " "Available keys: '%s'", self.auth_refresh.info.expiry_key, self.auth_refresh.info.ttl / 60**2, avail_keys, ) token_resp_json[DEFAULT_EXPIRES_IN_SELECTOR] = self.handle_expiry_time( self.auth_refresh.info.ttl ) Putting It All Together ^^^^^^^^^^^^^^^^^^^^^^^ Taking all the components that were developed above, we can now pull them into SL1. Below are the different components that are required. **Snippet** .. code-block:: python import requests from datetime import datetime from silo.auth import add_auth, AuthToken, auth_logger from silo.auth.exceptions import AuthenticationFailed from silo.auth.authenticator import DEFAULT_EXPIRES_IN_SELECTOR, REFRESH_TOKEN_STATIC @add_auth class AuthOpenstack(AuthToken): PAYLOAD_TOKEN_KEY = "X-Subject-Token" def __init__(self, credentials, **kwargs): AuthToken.__init__(self,credentials, **kwargs) @staticmethod def build(credentials, **kwargs): """Build method to be called by get_authmethod in low_code""" return AuthOpenstack(credentials, **kwargs) @staticmethod def get_name(): """Look-up name/key for the Authenticator in get_authmethod() and register_auth()""" return "AuthOpenstack" @staticmethod def get_desc(): """Describes the purpose of the Authenticator""" return "Openstack Authentication for HTTP" def execute_auth_workflow(self): """Perform the authentication to get the token Once authenticated, save the information to the cache to re-use at a later time :return: Token information related to the payload :rtype: token_info """ token_resp = AuthOpenstack.request_token( self.url, self.client_info, self.headers, verify=self.ssl_verify ) return self.parse_json_result(token_resp) @staticmethod def request_token(self, url, auth, headers, kwargs**): """Perform the request to gather the result from the endpoint :param str url: URL to query to obtain the token :param dict auth: Authentication information for the request :param dict headers: Headers to use when requesting the token :rtype: request.response """ body = { "auth": { "methods": ["password"], "password": { "user": { "name": auth["username"], "domain": { "id": "default" }, "password": auth["password"] } } } } request_payload = { "json": body, "headers": headers, } request_payload.update(kwargs) try: return requests.post(url, **request_payload) except requests.ConnectionError as err: auth_logger.warning("Cannot connect to [%s]: %s", url, type(err)) raise AuthenticationFailed( "Unable to Authenticate. Cannot connect to the Token Retrieval Endpoint" ) def parse_json_result(self, resp): """Parses the JSON response after requesting token info Parse the response, store any required information, and set the auth so future requests can use the token. :param requests.models.Response resp: Response from the request :return: Information from the payload :rtype: dict """ if not self.check_result(resp): self.auth = None self.mark_as_failed() auth_logger.warning("Invalid response received during token generation, %s", resp) return try: token_resp_json = resp.json() except ValueError: self.mark_as_failed() auth_logger.warning("Non-JSON information returned from %s", self.url) return self.extract_access_token(resp.headers, token_resp_json) self.extract_expires_in(token_resp_json) self.set_auth(token_resp_json[DEFAULT_ACCESS_TOKEN_SELECTOR]) return token_resp_json def extract_access_token(self, headers, token_resp_json): """Extracts a token out of a JSON header payload :param dict headers: auth header response :param dict token_resp_json: auth body response :raises AuthenticationFailed: token/access key not found """ try: token_resp_json[DEFAULT_ACCESS_TOKEN_SELECTOR] = headers[ AuthOpenstack.PAYLOAD_TOKEN_KEY ] except KeyError: avail_keys = '", "'.join(headers.keys()) raise AuthenticationFailed( 'Unable to find the key, {}, within the header. Available keys: "{}"'.format( AuthOpenstack.PAYLOAD_TOKEN_KEY, avail_keys ) ) def extract_expires_in(self, token_resp_json): """Populates expires_in field in cachable token data Adds the default expires_in populated with when the token will expire for the dynamic refresh. Otherwise, this will put a static time-to-live for the token. :param str token_resp_json: JSON response from request """ if self.auth_refresh.type == REFRESH_TOKEN_STATIC: auth_logger.debug("Static Token refresh:: ttl: %s", self.auth_refresh.info.ttl) token_resp_json[DEFAULT_EXPIRES_IN_SELECTOR] = self.handle_expiry_time( self.auth_refresh.info.ttl ) else: # dynamic case try: token_resp_json[DEFAULT_EXPIRES_IN_SELECTOR] = self.handle_iso8601_xpiry_time( token_resp_json["token"]["expires_at"] ) except KeyError: avail_keys = '", "'.join(token_resp_json.keys()) auth_logger.warning( "Cannot find %s in authentication response. This is required for setting " "a token refresh timer. Defaulting token refresh timer to %d hour. " "Available keys: '%s'", self.auth_refresh.info.expiry_key, self.auth_refresh.info.ttl / 60**2, avail_keys, ) token_resp_json[DEFAULT_EXPIRES_IN_SELECTOR] = self.handle_expiry_time( self.auth_refresh.info.ttl ) def handle_iso8601_expiry_time(self, expires_at_time): """Converters expires_at ISO 8601 to linux epoch time example format: CCYY-MM-DDThh:mm:ss.sssZ example input: 2015-08-27T09:49:58.000000Z There is a special case were this value can be `null` :param str expires_at_time: ISO 8601 expiry time :rtype: int :return: linux epoch expiration time """ auth_logger.debug("handle_expiry_time --> expires_at:: %s", expires_at_time) try: utc_time = datetime.strptime(expires_at_time, "%Y-%m-%dT%H:%M:%S.%fZ") except ValueError: raise AuthenticationFailed( ( "Unable to parse expires at time: {}" ).format(expires_at_time) ) return utc_time.strftime("%s") **Snippet Argument** .. code-block:: yaml low_code: version: 2 steps: - http: uri: "/v3/users" - json **Credential** * Authentication Type - ``Token Authentication`` * Authenticator Override - ``AuthOpenstack`` * URL - ``http://myopenstackserver:5000`` * Token Retrieval Endpoint - ``http://myopenstackserver:5000/v3/auth/tokens`` * Authorization Header - ``X-Auth-Token`` * Bearer Token Format - ``{}`` .. note:: Replace the ``URL`` and ``Token Retrieval Endpoint`` with your **Openstack** URL.