Mini Shell

Direktori : /proc/self/root/opt/imh-python/lib/python3.9/site-packages/keystoneauth1/identity/v3/
Upload File :
Current File : //proc/self/root/opt/imh-python/lib/python3.9/site-packages/keystoneauth1/identity/v3/oidc.py

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import abc
import base64
import copy
import hashlib
import logging
import os
import time
from urllib import parse as urlparse
import warnings

from keystoneauth1 import _utils as utils
from keystoneauth1 import access
from keystoneauth1 import exceptions
from keystoneauth1.identity.v3 import federation

_logger = utils.get_logger(__name__)

__all__ = ('OidcAuthorizationCode',
           'OidcClientCredentials',
           'OidcPassword',
           'OidcAccessToken')

SENSITIVE_KEYS = ("password", "code", "token", "secret")


class _OidcBase(federation.FederationBaseAuth, metaclass=abc.ABCMeta):
    """Base class for different OpenID Connect based flows.

    The OpenID Connect specification can be found at::
    ``http://openid.net/specs/openid-connect-core-1_0.html``
    """

    grant_type = None

    def __init__(self, auth_url, identity_provider, protocol,
                 client_id, client_secret,
                 access_token_type,
                 scope="openid profile",
                 access_token_endpoint=None,
                 discovery_endpoint=None,
                 grant_type=None,
                 **kwargs):
        """The OpenID Connect plugin expects the following.

        :param auth_url: URL of the Identity Service
        :type auth_url: string

        :param identity_provider: Name of the Identity Provider the client
                                  will authenticate against
        :type identity_provider: string

        :param protocol: Protocol name as configured in keystone
        :type protocol: string

        :param client_id: OAuth 2.0 Client ID
        :type client_id: string

        :param client_secret: OAuth 2.0 Client Secret
        :type client_secret: string

        :param access_token_type: OAuth 2.0 Authorization Server Introspection
                                  token type, it is used to decide which type
                                  of token will be used when processing token
                                  introspection. Valid values are:
                                  "access_token" or "id_token"
        :type access_token_type: string

        :param access_token_endpoint: OpenID Connect Provider Token Endpoint,
                                      for example:
                                      https://localhost:8020/oidc/OP/token
                                      Note that if a discovery document is
                                      provided this value will override
                                      the discovered one.
        :type access_token_endpoint: string

        :param discovery_endpoint: OpenID Connect Discovery Document URL,
                                   for example:
                  https://localhost:8020/oidc/.well-known/openid-configuration
        :type access_token_endpoint: string

        :param scope: OpenID Connect scope that is requested from OP,
                      for example: "openid profile email", defaults to
                      "openid profile". Note that OpenID Connect specification
                      states that "openid" must be always specified.
        :type scope: string
        """
        super(_OidcBase, self).__init__(auth_url, identity_provider, protocol,
                                        **kwargs)
        self.client_id = client_id
        self.client_secret = client_secret

        self.discovery_endpoint = discovery_endpoint
        self._discovery_document = {}
        self.access_token_endpoint = access_token_endpoint

        self.access_token_type = access_token_type
        self.scope = scope

        if grant_type is not None:
            if grant_type != self.grant_type:
                raise exceptions.OidcGrantTypeMissmatch()
            warnings.warn("Passing grant_type as an argument has been "
                          "deprecated as it is now defined in the plugin "
                          "itself. You should stop passing this argument "
                          "to the plugin, as it will be ignored, since you "
                          "cannot pass a free text string as a grant_type. "
                          "This argument will be dropped from the plugin in "
                          "July 2017 or with the next major release of "
                          "keystoneauth (3.0.0)",
                          DeprecationWarning)

    def _get_discovery_document(self, session):
        """Get the contents of the OpenID Connect Discovery Document.

        This method grabs the contents of the OpenID Connect Discovery Document
        if a discovery_endpoint was passed to the constructor and returns it as
        a dict, otherwise returns an empty dict. Note that it will fetch the
        discovery document only once, so subsequent calls to this method will
        return the cached result, if any.

        :param session: a session object to send out HTTP requests.
        :type session: keystoneauth1.session.Session

        :returns: a python dictionary containing the discovery document if any,
                  otherwise it will return an empty dict.
        :rtype: dict
        """
        if (self.discovery_endpoint is not None
                and not self._discovery_document):
            try:
                resp = session.get(self.discovery_endpoint,
                                   authenticated=False)
            except exceptions.HttpError:
                _logger.error("Cannot fetch discovery document %(discovery)s" %
                              {"discovery": self.discovery_endpoint})
                raise

            try:
                self._discovery_document = resp.json()
            except Exception:
                pass

            if not self._discovery_document:
                raise exceptions.InvalidOidcDiscoveryDocument()

        return self._discovery_document

    def _get_access_token_endpoint(self, session):
        """Get the "token_endpoint" for the OpenID Connect flow.

        This method will return the correct access token endpoint to be used.
        If the user has explicitly passed an access_token_endpoint to the
        constructor that will be returned. If there is no explicit endpoint and
        a discovery url is provided, it will try to get it from the discovery
        document. If nothing is found, an exception will be raised.

        :param session: a session object to send out HTTP requests.
        :type session: keystoneauth1.session.Session

        :return: the endpoint to use
        :rtype: string or None if no endpoint is found
        """
        if self.access_token_endpoint is not None:
            return self.access_token_endpoint

        discovery = self._get_discovery_document(session)
        endpoint = discovery.get("token_endpoint")
        if endpoint is None:
            raise exceptions.OidcAccessTokenEndpointNotFound()
        return endpoint

    def _sanitize(self, data):
        sanitized = copy.deepcopy(data)
        for key in sanitized:
            if any(s in key for s in SENSITIVE_KEYS):
                sanitized[key] = "***"
        return sanitized

    def _get_access_token(self, session, payload):
        """Exchange a variety of user supplied values for an access token.

        :param session: a session object to send out HTTP requests.
        :type session: keystoneauth1.session.Session

        :param payload: a dict containing various OpenID Connect values, for
                        example::
                          {'grant_type': 'password', 'username': self.username,
                           'password': self.password, 'scope': self.scope}
        :type payload: dict
        """
        client_auth = (self.client_id, self.client_secret)
        access_token_endpoint = self._get_access_token_endpoint(session)

        if _logger.isEnabledFor(logging.DEBUG):
            sanitized_payload = self._sanitize(payload)
            _logger.debug(
                "Making OpenID-Connect authentication request to %s with "
                "data %s", access_token_endpoint, sanitized_payload
            )

        op_response = session.post(access_token_endpoint,
                                   requests_auth=client_auth,
                                   data=payload,
                                   log=False,
                                   authenticated=False)
        response = op_response.json()
        if _logger.isEnabledFor(logging.DEBUG):
            sanitized_response = self._sanitize(response)
            _logger.debug(
                "OpenID-Connect authentication response from %s is %s",
                access_token_endpoint, sanitized_response
            )
        return response[self.access_token_type]

    def _get_keystone_token(self, session, access_token):
        r"""Exchange an access token for a keystone token.

        By Sending the access token in an `Authorization: Bearer` header, to
        an OpenID Connect protected endpoint (Federated Token URL). The
        OpenID Connect server will use the access token to look up information
        about the authenticated user (this technique is called instrospection).
        The output of the instrospection will be an OpenID Connect Claim, that
        will be used against the mapping engine. Should the mapping engine
        succeed, a Keystone token will be presented to the user.

        :param session: a session object to send out HTTP requests.
        :type session: keystoneauth1.session.Session

        :param access_token: The OpenID Connect access token.
        :type access_token: str
        """
        # use access token against protected URL
        headers = {'Authorization': 'Bearer ' + access_token}
        auth_response = session.post(self.federated_token_url,
                                     headers=headers,
                                     authenticated=False)
        return auth_response

    def get_unscoped_auth_ref(self, session):
        """Authenticate with OpenID Connect and get back claims.

        This is a multi-step process:

        1.- An access token must be retrieved from the server. In order to do
            so, we need to exchange an authorization grant or refresh token
            with the token endpoint in order to obtain an access token. The
            authorization grant varies from plugin to plugin.

        2.- We then exchange the access token upon accessing the protected
            Keystone endpoint (federated auth URL). This will trigger the
            OpenID Connect Provider to perform a user introspection and
            retrieve information (specified in the scope) about the user in the
            form of an OpenID Connect Claim. These claims will be sent to
            Keystone in the form of environment variables.

        :param session: a session object to send out HTTP requests.
        :type session: keystoneauth1.session.Session

        :returns: a token data representation
        :rtype: :py:class:`keystoneauth1.access.AccessInfoV3`
        """
        # First of all, check if the grant type is supported
        discovery = self._get_discovery_document(session)
        grant_types = discovery.get("grant_types_supported")
        if (grant_types and self.grant_type is not None
                and self.grant_type not in grant_types):
            raise exceptions.OidcPluginNotSupported()

        # Get the payload
        payload = self.get_payload(session)
        payload.setdefault('grant_type', self.grant_type)

        # get an access token
        access_token = self._get_access_token(session, payload)

        response = self._get_keystone_token(session, access_token)

        # grab the unscoped token
        return access.create(resp=response)

    @abc.abstractmethod
    def get_payload(self, session):
        """Get the plugin specific payload for obtainin an access token.

        OpenID Connect supports different grant types. This method should
        prepare the payload that needs to be exchanged with the server in
        order to get an access token for the particular grant type that the
        plugin is implementing.

        :param session: a session object to send out HTTP requests.
        :type session: keystoneauth1.session.Session

        :returns: a python dictionary containing the payload to be exchanged
        :rtype: dict
        """
        raise NotImplementedError()


class OidcPassword(_OidcBase):
    """Implementation for OpenID Connect Resource Owner Password Credential."""

    grant_type = "password"

    def __init__(self, auth_url, identity_provider, protocol,  # nosec
                 client_id, client_secret,
                 access_token_endpoint=None,
                 discovery_endpoint=None,
                 access_token_type='access_token',
                 username=None, password=None, idp_otp_key=None,
                 **kwargs):
        """The OpenID Password plugin expects the following.

        :param username: Username used to authenticate
        :type username: string

        :param password: Password used to authenticate
        :type password: string
        """
        super(OidcPassword, self).__init__(
            auth_url=auth_url,
            identity_provider=identity_provider,
            protocol=protocol,
            client_id=client_id,
            client_secret=client_secret,
            access_token_endpoint=access_token_endpoint,
            discovery_endpoint=discovery_endpoint,
            access_token_type=access_token_type,
            **kwargs)
        self.username = username
        self.password = password
        self.idp_otp_key = idp_otp_key

    def get_payload(self, session):
        """Get an authorization grant for the "password" grant type.

        :param session: a session object to send out HTTP requests.
        :type session: keystoneauth1.session.Session

        :returns: a python dictionary containing the payload to be exchanged
        :rtype: dict
        """
        payload = {'username': self.username,
                   'password': self.password,
                   'scope': self.scope,
                   'client_id': self.client_id}

        self.manage_otp_from_session_or_request_to_the_user(payload, session)

        return payload

    def manage_otp_from_session_or_request_to_the_user(self, payload, session):
        """Get the OTP code from the session or else request to the user.

        When the OS_IDP_OTP_KEY environment variable is set, this method will
        verify if there is an OTP value in the current session, if it exists,
        we use it (the OTP from session) to send to the Identity Provider when
        retrieving the access token. If there is no OTP in the current session,
        we ask the user to enter it (the OTP), and we add it to the session to
        execute the authentication flow.

        The OTP is being stored in the session because in some flows, the CLI
        is doing the authentication process two times, so saving the OTP
        in the session, allow us to use the same OTP in a short time interval,
        avoiding to request it to the user twice in a row.

        :param payload:
        :param session:
        :return:
        """
        if not self.idp_otp_key:
            return

        otp_from_session = getattr(session, 'otp', None)
        if otp_from_session:
            payload[self.idp_otp_key] = otp_from_session
        else:
            payload[self.idp_otp_key] = input(
                "Please, enter the generated OTP code: ")
            setattr(session, 'otp', payload[self.idp_otp_key])


class OidcClientCredentials(_OidcBase):
    """Implementation for OpenID Connect Client Credentials."""

    grant_type = 'client_credentials'

    def __init__(self, auth_url, identity_provider, protocol,  # nosec
                 client_id, client_secret,
                 access_token_endpoint=None,
                 discovery_endpoint=None,
                 access_token_type='access_token',
                 **kwargs):
        """The OpenID Client Credentials expects the following.

        :param client_id: Client ID used to authenticate
        :type username: string

        :param client_secret: Client Secret used to authenticate
        :type password: string
        """
        super(OidcClientCredentials, self).__init__(
            auth_url=auth_url,
            identity_provider=identity_provider,
            protocol=protocol,
            client_id=client_id,
            client_secret=client_secret,
            access_token_endpoint=access_token_endpoint,
            discovery_endpoint=discovery_endpoint,
            access_token_type=access_token_type,
            **kwargs)

    def get_payload(self, session):
        """Get an authorization grant for the client credentials grant type.

        :param session: a session object to send out HTTP requests.
        :type session: keystoneauth1.session.Session

        :returns: a python dictionary containing the payload to be exchanged
        :rtype: dict
        """
        payload = {'scope': self.scope}
        return payload


class OidcAuthorizationCode(_OidcBase):
    """Implementation for OpenID Connect Authorization Code."""

    grant_type = 'authorization_code'

    def __init__(self, auth_url, identity_provider, protocol,  # nosec
                 client_id, client_secret,
                 access_token_endpoint=None,
                 discovery_endpoint=None,
                 access_token_type='access_token',
                 redirect_uri=None, code=None, **kwargs):
        """The OpenID Authorization Code plugin expects the following.

        :param redirect_uri: OpenID Connect Client Redirect URL
        :type redirect_uri: string

        :param code: OAuth 2.0 Authorization Code
        :type code: string

        """
        super(OidcAuthorizationCode, self).__init__(
            auth_url=auth_url,
            identity_provider=identity_provider,
            protocol=protocol,
            client_id=client_id,
            client_secret=client_secret,
            access_token_endpoint=access_token_endpoint,
            discovery_endpoint=discovery_endpoint,
            access_token_type=access_token_type,
            **kwargs)
        self.redirect_uri = redirect_uri
        self.code = code

    def get_payload(self, session):
        """Get an authorization grant for the "authorization_code" grant type.

        :param session: a session object to send out HTTP requests.
        :type session: keystoneauth1.session.Session

        :returns: a python dictionary containing the payload to be exchanged
        :rtype: dict
        """
        payload = {'redirect_uri': self.redirect_uri, 'code': self.code}

        return payload


class OidcAccessToken(_OidcBase):
    """Implementation for OpenID Connect access token reuse."""

    def __init__(self, auth_url, identity_provider, protocol,
                 access_token, **kwargs):
        """The OpenID Connect plugin based on the Access Token.

        It expects the following:

        :param auth_url: URL of the Identity Service
        :type auth_url: string

        :param identity_provider: Name of the Identity Provider the client
                                  will authenticate against
        :type identity_provider: string

        :param protocol: Protocol name as configured in keystone
        :type protocol: string

        :param access_token: OpenID Connect Access token
        :type access_token: string
        """
        super(OidcAccessToken, self).__init__(auth_url, identity_provider,
                                              protocol,
                                              client_id=None,
                                              client_secret=None,
                                              access_token_endpoint=None,
                                              access_token_type=None,
                                              **kwargs)
        self.access_token = access_token

    def get_payload(self, session):
        """OidcAccessToken does not require a payload."""  # noqa: D403
        return {}

    def get_unscoped_auth_ref(self, session):
        """Authenticate with OpenID Connect and get back claims.

        We exchange the access token upon accessing the protected Keystone
        endpoint (federated auth URL). This will trigger the OpenID Connect
        Provider to perform a user introspection and retrieve information
        (specified in the scope) about the user in the form of an OpenID
        Connect Claim. These claims will be sent to Keystone in the form of
        environment variables.

        :param session: a session object to send out HTTP requests.
        :type session: keystoneauth1.session.Session

        :returns: a token data representation
        :rtype: :py:class:`keystoneauth1.access.AccessInfoV3`
        """
        response = self._get_keystone_token(session, self.access_token)
        return access.create(resp=response)


class OidcDeviceAuthorization(_OidcBase):
    """Implementation for OAuth 2.0 Device Authorization Grant."""

    grant_type = "urn:ietf:params:oauth:grant-type:device_code"
    HEADER_X_FORM = {"Content-Type": "application/x-www-form-urlencoded"}

    def __init__(self, auth_url, identity_provider, protocol,  # nosec
                 client_id, client_secret=None,
                 access_token_endpoint=None,
                 device_authorization_endpoint=None,
                 discovery_endpoint=None,
                 code_challenge=None, code_challenge_method=None,
                 **kwargs):
        """The OAuth 2.0 Device Authorization plugin expects the following.

        :param device_authorization_endpoint: OAuth 2.0 Device Authorization
                                  Endpoint, for example:
                                  https://localhost:8020/oidc/authorize/device
                                  Note that if a discovery document is
                                  provided this value will override
                                  the discovered one.
        :type device_authorization_endpoint: string

        :param code_challenge_method: PKCE Challenge Method (RFC 7636).
        :type code_challenge_method: string
        """
        # RFC 8628 only allows to retrieve an access_token
        self.access_token_type = 'access_token'  # nosec B105
        self.device_authorization_endpoint = device_authorization_endpoint
        self.code_challenge_method = code_challenge_method

        super(OidcDeviceAuthorization, self).__init__(
            auth_url=auth_url,
            identity_provider=identity_provider,
            protocol=protocol,
            client_id=client_id,
            client_secret=client_secret,
            access_token_endpoint=access_token_endpoint,
            discovery_endpoint=discovery_endpoint,
            access_token_type=self.access_token_type,
            **kwargs)

    def _get_device_authorization_endpoint(self, session):
        """Get the endpoint for the OAuth 2.0 Device Authorization flow.

        This method will return the correct device authorization endpoint to
        be used.
        If the user has explicitly passed an device_authorization_endpoint to
        the constructor that will be returned. If there is no explicit endpoint
        and a discovery url is provided, it will try to get it from the
        discovery document. If nothing is found, an exception will be raised.

        :param session: a session object to send out HTTP requests.
        :type session: keystoneauth1.session.Session

        :return: the endpoint to use
        :rtype: string or None if no endpoint is found
        """
        if self.device_authorization_endpoint is not None:
            return self.device_authorization_endpoint

        discovery = self._get_discovery_document(session)
        endpoint = discovery.get("device_authorization_endpoint")
        if endpoint is None:
            raise exceptions.oidc.OidcDeviceAuthorizationEndpointNotFound()
        return endpoint

    def _generate_pkce_verifier(self):
        """Generate PKCE verifier string as defined in RFC 7636."""
        raw_bytes = 42  # 32 is the minimum from the RFC, let's use a bit more
        _rand = os.urandom(raw_bytes)
        _rand_b64 = base64.urlsafe_b64encode(_rand).decode('ascii')
        code_verifier = _rand_b64.rstrip('=')  # strip padding as RFC says
        return code_verifier

    def _generate_pkce_challenge(self):
        """Generate PKCE challenge string as defined in RFC 7636."""
        if self.code_challenge_method not in ('plain', 'S256'):
            raise exceptions.OidcGrantTypeMissmatch()
        self.code_verifier = self._generate_pkce_verifier()

        if self.code_challenge_method == 'plain':
            return self.code_verifier
        elif self.code_challenge_method == 'S256':
            _tmp = self.code_verifier.encode('ascii')
            _hash = hashlib.sha256(_tmp).digest()
            _tmp = base64.urlsafe_b64encode(_hash).decode('ascii')
            code_challenge = _tmp.rstrip('=')
            return code_challenge

    def get_payload(self, session):
        """Get an authorization grant for the "device_code" grant type.

        :param session: a session object to send out HTTP requests.
        :type session: keystoneauth1.session.Session

        :returns: a python dictionary containing the payload to be exchanged
        :rtype: dict
        """
        device_authz_endpoint = \
            self._get_device_authorization_endpoint(session)

        if self.client_secret:
            client_auth = (self.client_id, self.client_secret)
            payload = {}
        else:
            client_auth = None
            payload = {'client_id': self.client_id}

        if self.code_challenge_method:
            self.code_challenge = self._generate_pkce_challenge()
            payload.setdefault('code_challenge_method',
                               self.code_challenge_method)
            payload.setdefault('code_challenge', self.code_challenge)
        encoded_payload = urlparse.urlencode(payload)

        if _logger.isEnabledFor(logging.DEBUG):
            sanitized_payload = self._sanitize(payload)
            _logger.debug(
                "Making OpenID-Connect authentication request to %s with "
                "data %s", device_authz_endpoint, sanitized_payload
            )
        op_response = session.post(device_authz_endpoint,
                                   requests_auth=client_auth,
                                   headers=self.HEADER_X_FORM,
                                   data=encoded_payload,
                                   log=False,
                                   authenticated=False)
        if _logger.isEnabledFor(logging.DEBUG):
            sanitized_response = self._sanitize(op_response.json())
            _logger.debug(
                "OpenID-Connect authentication response from %s is %s",
                device_authz_endpoint, sanitized_response
            )

        self.expires_in = int(op_response.json()["expires_in"])
        self.timeout = time.time() + self.expires_in
        self.device_code = op_response.json()["device_code"]
        self.interval = int(op_response.json()["interval"])
        self.user_code = op_response.json()["user_code"]
        self.verification_uri = op_response.json()["verification_uri"]
        self.verification_uri_complete = \
            op_response.json()["verification_uri_complete"]

        payload = {'device_code': self.device_code}
        if self.code_challenge_method:
            payload.setdefault('code_verifier', self.code_verifier)
        return payload

    def _get_access_token(self, session, payload):
        """Poll token endpoint for an access token.

        :param session: a session object to send out HTTP requests.
        :type session: keystoneauth1.session.Session

        :param payload: a dict containing various OpenID Connect values,
                for example::
                {'grant_type': 'urn:ietf:params:oauth:grant-type:device_code',
                 'device_code': self.device_code}
        :type payload: dict
        """
        _logger.warning(f"To authenticate please go to: "
                        f"{self.verification_uri_complete}")

        if self.client_secret:
            client_auth = (self.client_id, self.client_secret)
        else:
            client_auth = None
            payload.setdefault('client_id', self.client_id)

        access_token_endpoint = self._get_access_token_endpoint(session)
        encoded_payload = urlparse.urlencode(payload)

        while time.time() < self.timeout:
            try:
                if _logger.isEnabledFor(logging.DEBUG):
                    sanitized_payload = self._sanitize(payload)
                    _logger.debug(
                        "Making OpenID-Connect authentication request to %s "
                        "with data %s",
                        access_token_endpoint, sanitized_payload
                    )
                op_response = session.post(access_token_endpoint,
                                           requests_auth=client_auth,
                                           data=encoded_payload,
                                           headers=self.HEADER_X_FORM,
                                           log=False,
                                           authenticated=False)
                if _logger.isEnabledFor(logging.DEBUG):
                    sanitized_response = self._sanitize(op_response.json())
                    _logger.debug(
                        "OpenID-Connect authentication response from %s is %s",
                        access_token_endpoint, sanitized_response
                    )
            except exceptions.http.BadRequest as exc:
                error = exc.response.json().get("error")
                if error != "authorization_pending":
                    raise
                time.sleep(self.interval)
                continue
            break
        else:
            if error == "authorization_pending":
                raise exceptions.oidc.OidcDeviceAuthorizationTimeOut()

        access_token = op_response.json()[self.access_token_type]
        return access_token

Zerion Mini Shell 1.0