keystone.federation package¶

Subpackages¶

Submodules¶

keystone.federation.constants module¶

keystone.federation.controllers module¶

Workflow logic for the Federation service.

class keystone.federation.controllers.Auth(*args, **kw)[source]¶

Bases: keystone.auth.controllers.Auth

create_ecp_assertion(request, auth)[source]¶

Exchange a scoped token for an ECP assertion.

Parameters:	auth – Dictionary that contains a token and service provider ID
Returns:	ECP Assertion based on properties from the token

create_saml_assertion(request, auth)[source]¶

Exchange a scoped token for a SAML assertion.

Parameters:	auth – Dictionary that contains a token and service provider ID
Returns:	SAML Assertion based on properties from the token

federated_authentication(request, idp_id, protocol_id)[source]¶

Authenticate from dedicated url endpoint.

Build HTTP request body for federated authentication and inject it into the authenticate_for_token function.

federated_idp_specific_sso_auth(request, idp_id, protocol_id)[source]¶

federated_sso_auth(request, protocol_id)[source]¶

render_html_response(host, token_id)[source]¶

Form an HTML Form from a template with autosubmit.

class keystone.federation.controllers.DomainV3[source]¶

Bases: keystone.common.controller.V3Controller

collection_name = 'domains'¶

list_domains_for_user(request, *args, **kwargs)[source]¶

List all domains available to an authenticated user.

Parameters:	context – request context
Returns:	list of accessible domains

member_name = 'domain'¶

class keystone.federation.controllers.FederationProtocol(*args, **kwargs)[source]¶

Bases: keystone.federation.controllers._ControllerBase

A federation protocol representation.

See keystone.common.controller.V3Controller docstring for explanation on _public_parameters class attributes.

collection_name = 'protocols'¶

create_protocol(request, *args, **kwargs)[source]¶

delete_protocol(request, *args, **kwargs)[source]¶

get_protocol(request, *args, **kwargs)[source]¶

list_protocols(request, *args, **kwargs)[source]¶

member_name = 'protocol'¶

update_protocol(request, *args, **kwargs)[source]¶

classmethod wrap_member(context, ref)[source]¶

class keystone.federation.controllers.IdentityProvider(*args, **kwargs)[source]¶

Bases: keystone.federation.controllers._ControllerBase

Identity Provider representation.

collection_name = 'identity_providers'¶

create_identity_provider(request, *args, **kwargs)[source]¶

delete_identity_provider(request, *args, **kwargs)[source]¶

get_identity_provider(request, *args, **kwargs)[source]¶

list_identity_providers(request, **kwargs)[source]¶

member_name = 'identity_provider'¶

update_identity_provider(request, *args, **kwargs)[source]¶

classmethod wrap_member(context, ref)[source]¶

class keystone.federation.controllers.MappingController(*args, **kwargs)[source]¶

Bases: keystone.federation.controllers._ControllerBase

collection_name = 'mappings'¶

create_mapping(request, *args, **kwargs)[source]¶

delete_mapping(request, *args, **kwargs)[source]¶

get_mapping(request, *args, **kwargs)[source]¶

list_mappings(request, *args, **kwargs)[source]¶

member_name = 'mapping'¶

update_mapping(request, *args, **kwargs)[source]¶

class keystone.federation.controllers.ProjectAssignmentV3[source]¶

Bases: keystone.common.controller.V3Controller

collection_name = 'projects'¶

list_projects_for_user(request, *args, **kwargs)[source]¶

List all projects available to an authenticated user.

Parameters:	context – request context
Returns:	list of accessible projects

member_name = 'project'¶

class keystone.federation.controllers.SAMLMetadataV3(*args, **kwargs)[source]¶

Bases: keystone.federation.controllers._ControllerBase

get_metadata(context)[source]¶

member_name = 'metadata'¶

class keystone.federation.controllers.ServiceProvider(*args, **kwargs)[source]¶

Bases: keystone.federation.controllers._ControllerBase

Service Provider representation.

collection_name = 'service_providers'¶

create_service_provider(request, *args, **kwargs)[source]¶

delete_service_provider(request, *args, **kwargs)[source]¶

get_service_provider(request, *args, **kwargs)[source]¶

list_service_providers(request, **kwargs)[source]¶

member_name = 'service_provider'¶

update_service_provider(request, *args, **kwargs)[source]¶

keystone.federation.core module¶

Main entry point into the Federation service.

class keystone.federation.core.Manager(*args, **kwargs)[source]¶

Bases: keystone.common.manager.Manager

Default pivot point for the Federation backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

create_idp(*args, **kwargs)[source]¶

create_protocol(*args, **kwargs)[source]¶

create_sp(*args, **kwargs)[source]¶

delete_sp(*args, **kwargs)[source]¶

driver_namespace = 'keystone.federation'¶

evaluate(*args, **kwargs)[source]¶

get_enabled_service_providers(*args, **kwargs)[source]¶

List enabled service providers for Service Catalog.

Service Provider in a catalog contains three attributes: id, auth_url, sp_url, where:

• id is a unique, user defined identifier for service provider object
• auth_url is an authentication URL of remote Keystone
• sp_url a URL accessible at the remote service provider where SAML assertion is transmitted.

Returns:	list of dictionaries with enabled service providers
Return type:	list of dicts

update_protocol(*args, **kwargs)[source]¶

update_sp(*args, **kwargs)[source]¶

keystone.federation.idp module¶

class keystone.federation.idp.ECPGenerator[source]¶

Bases: object

A class for generating an ECP assertion.

static generate_ecp(saml_assertion, relay_state_prefix)[source]¶

class keystone.federation.idp.MetadataGenerator[source]¶

Bases: object

A class for generating SAML IdP Metadata.

generate_metadata()[source]¶

Generate Identity Provider Metadata.

Generate and format metadata into XML that can be exposed and consumed by a federated Service Provider.

Returns:	XML <EntityDescriptor> object.
Raises:	keystone.exception.ValidationError – If the required config options aren’t set.

class keystone.federation.idp.SAMLGenerator[source]¶

Bases: object

A class to generate SAML assertions.

samlize_token(issuer, recipient, user, user_domain_name, roles, project, project_domain_name, expires_in=None)[source]¶

Convert Keystone attributes to a SAML assertion.

Parameters:	issuer (string) – URL of the issuing party recipient (string) – URL of the recipient user (string) – User name user_domain_name (string) – User Domain name roles (list) – List of role names project (string) – Project name project_domain_name (string) – Project Domain name expires_in (int) – Sets how long the assertion is valid for, in seconds
Returns:	XML <Response> object

keystone.federation.routers module¶

class keystone.federation.routers.Routers[source]¶

Bases: keystone.common.wsgi.RoutersBase

API Endpoints for the Federation extension.

The API looks like:

PUT /OS-FEDERATION/identity_providers/{idp_id}
GET /OS-FEDERATION/identity_providers
HEAD /OS-FEDERATION/identity_providers
GET /OS-FEDERATION/identity_providers/{idp_id}
HEAD /OS-FEDERATION/identity_providers/{idp_id}
DELETE /OS-FEDERATION/identity_providers/{idp_id}
PATCH /OS-FEDERATION/identity_providers/{idp_id}

PUT /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
GET /OS-FEDERATION/identity_providers/
    {idp_id}/protocols
HEAD /OS-FEDERATION/identity_providers/
    {idp_id}/protocols
GET /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
HEAD /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
PATCH /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
DELETE /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}

PUT /OS-FEDERATION/mappings
GET /OS-FEDERATION/mappings
HEAD /OS-FEDERATION/mappings
PATCH /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/mappings/{mapping_id}
HEAD /OS-FEDERATION/mappings/{mapping_id}
DELETE /OS-FEDERATION/mappings/{mapping_id}

GET /OS-FEDERATION/projects
HEAD /OS-FEDERATION/projects
GET /OS-FEDERATION/domains
HEAD /OS-FEDERATION/domains

PUT /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/service_providers
HEAD /OS-FEDERATION/service_providers
GET /OS-FEDERATION/service_providers/{sp_id}
HEAD /OS-FEDERATION/service_providers/{sp_id}
DELETE /OS-FEDERATION/service_providers/{sp_id}
PATCH /OS-FEDERATION/service_providers/{sp_id}

GET /OS-FEDERATION/identity_providers/{idp_id}/
    protocols/{protocol_id}/auth
POST /OS-FEDERATION/identity_providers/{idp_id}/
    protocols/{protocol_id}/auth
GET /auth/OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}/websso
    ?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}/websso
    ?origin=https%3A//horizon.example.com


POST /auth/OS-FEDERATION/saml2
POST /auth/OS-FEDERATION/saml2/ecp
GET /OS-FEDERATION/saml2/metadata
HEAD /OS-FEDERATION/saml2/metadata

GET /auth/OS-FEDERATION/websso/{protocol_id}
    ?origin=https%3A//horizon.example.com

POST /auth/OS-FEDERATION/websso/{protocol_id}
     ?origin=https%3A//horizon.example.com

append_v3_routers(mapper, routers)[source]¶

keystone.federation.schema module¶

keystone.federation.utils module¶

Utilities for Federation Extension.

class keystone.federation.utils.DirectMaps[source]¶

Bases: object

An abstraction around the remote matches.

Each match is treated internally as a list.

add(values)[source]¶

Add a matched value to the list of matches.

Parameters:	value (list) – the match to save

class keystone.federation.utils.RuleProcessor(mapping_id, rules)[source]¶

Bases: object

A class to process assertions and mapping rules.

process(assertion_data)[source]¶

Transform assertion to a dictionary.

The dictionary contains mapping of user name and group ids based on mapping rules.

This function will iterate through the mapping rules to find assertions that are valid.

Parameters:	assertion_data (dict) – an assertion containing values from an IdP

Example assertion_data:

{
    'Email': 'testacct@example.com',
    'UserName': 'testacct',
    'FirstName': 'Test',
    'LastName': 'Account',
    'orgPersonType': 'Tester'
}

Returns:	dictionary with user and group_ids

The expected return structure is:

{
    'name': 'foobar',
    'group_ids': ['abc123', 'def456'],
    'group_names': [
        {
            'name': 'group_name_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_1_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_2',
            'domain': {
                'id': 'xyz132'
            }
        }
    ]
}

class keystone.federation.utils.UserType[source]¶

Bases: object

User mapping type.

EPHEMERAL = 'ephemeral'¶

LOCAL = 'local'¶

keystone.federation.utils.assert_enabled_identity_provider(federation_api, idp_id)[source]¶

keystone.federation.utils.assert_enabled_service_provider_object(service_provider)[source]¶

keystone.federation.utils.get_assertion_params_from_env(request)[source]¶

keystone.federation.utils.get_remote_id_parameter(protocol)[source]¶

keystone.federation.utils.transform_to_group_ids(group_names, mapping_id, identity_api, resource_api)[source]¶

Transform groups identified by name/domain to their ids.

Function accepts list of groups identified by a name and domain giving a list of group ids in return.

Example of group_names parameter:

[
    {
        "name": "group_name",
        "domain": {
            "id": "domain_id"
        },
    },
    {
        "name": "group_name_2",
        "domain": {
            "name": "domain_name"
        }
    }
]

Parameters:	group_names (list) – list of group identified by name and its domain. mapping_id (str) – id of the mapping used for mapping assertion into local credentials identity_api – identity_api object resource_api – resource manager object
Returns:	generator object with group ids
Raises:	keystone.exception.MappedGroupNotFound – in case asked group doesn’t exist in the backend.

keystone.federation.utils.validate_expiration(token_ref)[source]¶

keystone.federation.utils.validate_idp(idp, protocol, assertion)[source]¶

The IdP providing the assertion should be registered for the mapping.

keystone.federation.utils.validate_mapped_group_ids(group_ids, mapping_id, identity_api)[source]¶

Iterate over group ids and make sure they are present in the backend.

This call is not transactional. :param group_ids: IDs of the groups to be checked :type group_ids: list of str

Parameters:	mapping_id (str) – id of the mapping used for this operation identity_api (identity.Manager) – Identity Manager object used for communication with backend
Raises:	keystone.exception.MappedGroupNotFound – If the group returned by mapping was not found in the backend.

keystone.federation.utils.validate_mapping_structure(ref)[source]¶

Module contents¶