From c3c6edbe8a083aef0fb6aea3cb461ff8e715fc59 Mon Sep 17 00:00:00 2001
From: Dean Troyer
Date: Thu, 9 Oct 2014 15:16:07 -0500
Subject: Add plugin to support token-endpoint auth
The ksc auth plugins do not have support for the original token-endpoint (aka token flow) auth where the user supplies a token (possibly the Keystone admin_token) and an API endpoint. This is used for bootstrapping Keystone but also has other uses when a scoped user token is provided. The api.auth:TokenEndpoint class is required to provide the same interface methods so all of the special-case code branches to support token-endpoint can be removed. Some additional cleanups related to ClientManager and creating the Compute client also were done to streamline using sessions.
Change-Id: I1a6059afa845a591eff92567ca346c09010a93af
---
openstackclient/api/auth.py | 69 +++++++++++++++++++++++++++++++++++++++------
1 file changed, 61 insertions(+), 8 deletions(-)
(limited to 'openstackclient/api')
diff --git a/openstackclient/api/auth.py b/openstackclient/api/auth.py
index 2bd5271f..e33b72d5 100644
--- a/openstackclient/api/auth.py
+++ b/openstackclient/api/auth.py
@@ -18,6 +18,8 @@ import logging
 import stevedore
+from oslo.config import cfg
+
 from keystoneclient.auth import base
 from openstackclient.common import exceptions as exc
@@ -53,14 +55,14 @@ for plugin in PLUGIN_LIST:
 )
-def _guess_authentication_method(options):
+def select_auth_plugin(options):
 """If no auth plugin was specified, pick one based on other options"""
- if options.os_url:
- # service token authentication, do nothing
- return
 auth_plugin = None
- if options.os_password:
+ if options.os_url and options.os_token:
+ # service token authentication
+ auth_plugin = 'token_endpoint'
+ elif options.os_password:
 if options.os_identity_api_version == '3':
 auth_plugin = 'v3password'
 elif options.os_identity_api_version == '2.0':
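Review bot: The docstring of `select_auth_plugin` was left as it was when the function wrote its result into `options`, but the function now returns the plugin name (the `return auth_plugin` is in the next hunk), so callers have to assign it themselves. It also does not say that `os_url` together with `os_token` is tested first, which means a supplied token takes precedence over password options given in the same invocation, nor that `os_url` on its own now falls through to the remaining branches instead of returning early. I would state both, for example `"""Return the auth plugin name implied by the options; os_url plus os_token selects 'token_endpoint' before any password plugin is considered."""`. The rest of the function body lies between this hunk and the next and is not shown.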
@@ -83,14 +85,13 @@ def _guess_authentication_method(options):
 )
 LOG.debug("No auth plugin selected, picking %s from other "
 "options" % auth_plugin)
- options.os_auth_plugin = auth_plugin
+ return auth_plugin
 def build_auth_params(cmd_options):
 auth_params = {}
- if cmd_options.os_url:
- return {'token': cmd_options.os_token}
 if cmd_options.os_auth_plugin:
+ LOG.debug('auth_plugin: %s', cmd_options.os_auth_plugin)
 auth_plugin = base.get_plugin_class(cmd_options.os_auth_plugin)
 plugin_options = auth_plugin.get_options()
 for option in plugin_options:
@@ -110,6 +111,7 @@ def build_auth_params(cmd_options):
 None,
 )
 else:
+ LOG.debug('no auth_plugin')
 # delay the plugin choice, grab every option
 plugin_options = set([o.replace('-', '_') for o in OPTIONS_LIST])
 for option in plugin_options:
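Review bot: `build_auth_params` has no docstring, and with the `os_url` early return removed nothing in the function says how token/endpoint input is handled any more. I would add one, for example `"""Collect the values of the options declared by the selected auth plugin, or of every known option when no plugin is selected yet."""`. The token now passes through the generic `for option in plugin_options:` loop, whose body continues outside this hunk. It is worth confirming that any debug output in that loop prints option names only, since the new plugin declares `token` with `secret=True`.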
@@ -178,3 +180,54 @@ def build_auth_plugins_option_parser(parser):
 help=argparse.SUPPRESS,
 )
 return parser
+
+
+class TokenEndpoint(base.BaseAuthPlugin):
+ """Auth plugin to handle traditional token/endpoint usage
+
+ Implements the methods required to handle token authentication
+ with a user-specified token and service endpoint; no Identity calls
+ are made for re-scoping, service catalog lookups or the like.
+
+ The purpose of this plugin is to get rid of the special-case paths
+ in the code to handle this authentication format. Its primary use
+ is for bootstrapping the Keystone database.
+ """
+
+ def __init__(self, url, token, **kwargs):
+ """A plugin for static authentication with an existing token
+
+ :param string url: Service endpoint
+ :param string token: Existing token
+ """
+ super(TokenEndpoint, self).__init__()
+ self.endpoint = url
+ self.token = token
+
+ def get_endpoint(self, session, **kwargs):
+ """Return the supplied endpoint"""
+ return self.endpoint
+
+ def get_token(self, session):
+ """Return the supplied token"""
+ return self.token
+
+ def get_auth_ref(self, session, **kwargs):
+ """Stub this method for compatibility"""
+ return None
+
+ # Override this because it needs to be a class method...
+ @classmethod
+ def get_options(self):
+ options = super(TokenEndpoint, self).get_options()
+
+ options.extend([
+ # Maintain name 'url' for compatibility
+ cfg.StrOpt('url',
+ help='Specific service endpoint to use'),
+ cfg.StrOpt('token',
+ secret=True,
+ help='Authentication token to use'),
+ ])
+
+ return options
-- 
cgit v1.2.1
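Review bot: `TokenEndpoint.__init__` stores `url` and `token` without checking either, so when the plugin is selected explicitly and one of them is missing, `get_token()` or `get_endpoint()` returns `None` and the failure presumably only surfaces later, at request time. A guard at the top of `__init__`, `if not url or not token: raise ValueError('token_endpoint requires both url and token')` (or one of the errors from the file's `exc` module, if callers expect those), fails early instead. `get_options` is decorated with `@classmethod` but names its first parameter `self`; the convention is `def get_options(cls):` with `super(TokenEndpoint, cls).get_options()`. The `**kwargs` accepted by `__init__` are discarded, which deserves a line in its docstring.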