func createAuthenticatedClient(t *testing.T) *gophercloud.ServiceClient {
// Obtain credentials from the environment.
ao, err := openstack.AuthOptionsFromEnv()
th.AssertNoErr(t, err)
// Trim out unused fields.
ao.Username, ao.TenantID, ao.TenantName = "", "", ""
if ao.UserID == "" {
t.Logf("Skipping identity v3 tests because no OS_USERID is present.")
return nil
}
// Create a client and manually authenticate against v3.
providerClient, err := openstack.NewClient(ao.IdentityEndpoint)
if err != nil {
t.Fatalf("Unable to instantiate client: %v", err)
}
err = openstack.AuthenticateV3(providerClient, ao)
if err != nil {
t.Fatalf("Unable to authenticate against identity v3: %v", err)
}
// Create a service client.
return openstack.NewIdentityV3(providerClient)
}
func newOpenStack(cfg Config) (*OpenStack, error) {
provider, err := openstack.NewClient(cfg.Global.AuthUrl)
if err != nil {
return nil, err
}
if cfg.Global.TrustId != "" {
authOptionsExt := trust.AuthOptionsExt{
TrustID: cfg.Global.TrustId,
AuthOptions: token3.AuthOptions{AuthOptions: cfg.toAuthOptions()},
}
err = trust.AuthenticateV3Trust(provider, authOptionsExt)
} else {
err = openstack.Authenticate(provider, cfg.toAuthOptions())
}
if err != nil {
return nil, err
}
id, err := readInstanceID()
if err != nil {
return nil, err
}
os := OpenStack{
provider: provider,
region: cfg.Global.Region,
lbOpts: cfg.LoadBalancer,
bsOpts: cfg.BlockStorage,
routeOpts: cfg.Route,
localInstanceID: id,
}
return &os, nil
}
func newClient(t *testing.T) *gophercloud.ServiceClient {
authURL := os.Getenv("OS_AUTH_URL")
username := os.Getenv("OS_USERNAME")
password := os.Getenv("OS_PASSWORD")
tenantName := os.Getenv("OS_TENANT_NAME")
tenantID := os.Getenv("OS_TENANT_ID")
domainName := os.Getenv("OS_DOMAIN_NAME")
regionName := os.Getenv("OS_REGION_NAME")
t.Logf("Credentials used: OS_AUTH_URL='%s' OS_USERNAME='******' OS_PASSWORD='******' OS_TENANT_NAME='%s' OS_TENANT_NAME='%s' OS_REGION_NAME='%s' OS_TENANT_ID='%s' \n",
authURL, username, tenantName, domainName, regionName, tenantID)
client, err := openstack.NewClient(authURL)
th.AssertNoErr(t, err)
ao := gophercloud.AuthOptions{
Username: username,
Password: password,
TenantName: tenantName,
TenantID: tenantID,
DomainName: domainName,
}
err = openstack.AuthenticateV3(client, ao)
th.AssertNoErr(t, err)
t.Logf("Token is %v", client.TokenID)
c, err := openstack.NewImageServiceV2(client, gophercloud.EndpointOpts{
Region: regionName,
})
th.AssertNoErr(t, err)
return c
}
func (c *Config) loadAndValidate() error {
if c.EndpointType != "internal" && c.EndpointType != "internalURL" &&
c.EndpointType != "admin" && c.EndpointType != "adminURL" &&
c.EndpointType != "public" && c.EndpointType != "publicURL" &&
c.EndpointType != "" {
return fmt.Errorf("Invalid endpoint type provided")
}
ao := gophercloud.AuthOptions{
Username: c.Username,
UserID: c.UserID,
Password: c.Password,
APIKey: c.APIKey,
IdentityEndpoint: c.IdentityEndpoint,
TenantID: c.TenantID,
TenantName: c.TenantName,
DomainID: c.DomainID,
DomainName: c.DomainName,
}
client, err := openstack.NewClient(ao.IdentityEndpoint)
if err != nil {
return err
}
if c.CACertFile != "" {
caCert, err := ioutil.ReadFile(c.CACertFile)
if err != nil {
return err
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
config := &tls.Config{
RootCAs: caCertPool,
}
transport := &http.Transport{TLSClientConfig: config}
client.HTTPClient.Transport = transport
}
if c.Insecure {
// Configure custom TLS settings.
config := &tls.Config{InsecureSkipVerify: true}
transport := &http.Transport{TLSClientConfig: config}
client.HTTPClient.Transport = transport
}
err = openstack.Authenticate(client, ao)
if err != nil {
return err
}
c.osClient = client
return nil
}
func TestGetToken(t *testing.T) {
// Obtain credentials from the environment.
ao, err := openstack.AuthOptionsFromEnv()
if err != nil {
t.Fatalf("Unable to acquire credentials: %v", err)
}
// Trim out unused fields. Skip if we don't have a UserID.
ao.Username, ao.TenantID, ao.TenantName = "", "", ""
if ao.UserID == "" {
t.Logf("Skipping identity v3 tests because no OS_USERID is present.")
return
}
// Create an unauthenticated client.
provider, err := openstack.NewClient(ao.IdentityEndpoint)
if err != nil {
t.Fatalf("Unable to instantiate client: %v", err)
}
// Create a service client.
service := openstack.NewIdentityV3(provider)
// Use the service to create a token.
token, err := tokens3.Create(service, ao, nil).Extract()
if err != nil {
t.Fatalf("Unable to get token: %v", err)
}
t.Logf("Acquired token: %s", token.ID)
}
func createClient(t *testing.T, auth bool) *gophercloud.ServiceClient {
ao := v2AuthOptions(t)
provider, err := openstack.NewClient(ao.IdentityEndpoint)
th.AssertNoErr(t, err)
if auth {
err = openstack.AuthenticateV2(provider, ao)
th.AssertNoErr(t, err)
}
return openstack.NewIdentityV2(provider)
}
// AuthenticatedClient logs in to an OpenStack cloud found at the identity endpoint specified by options, acquires a
// token, and returns a Client instance that's ready to operate.
func (keystoneAuthenticator *KeystoneAuthenticator) AuthenticatedClient(options gophercloud.AuthOptions) (*gophercloud.ProviderClient, error) {
client, err := openstack.NewClient(options.IdentityEndpoint)
if err != nil {
return nil, err
}
if keystoneAuthenticator.transport != nil {
client.HTTPClient.Transport = keystoneAuthenticator.transport
}
err = openstack.Authenticate(client, options)
return client, err
}
func (c *GenericClient) Authenticate(d *Driver) error {
if c.Provider != nil {
return nil
}
log.WithFields(log.Fields{
"AuthUrl": d.AuthUrl,
"Insecure": d.Insecure,
"DomainID": d.DomainID,
"DomainName": d.DomainName,
"Username": d.Username,
"TenantName": d.TenantName,
"TenantID": d.TenantId,
}).Debug("Authenticating...")
opts := gophercloud.AuthOptions{
IdentityEndpoint: d.AuthUrl,
DomainID: d.DomainID,
DomainName: d.DomainName,
Username: d.Username,
Password: d.Password,
TenantName: d.TenantName,
TenantID: d.TenantId,
AllowReauth: true,
}
provider, err := openstack.NewClient(opts.IdentityEndpoint)
if err != nil {
return err
}
provider.UserAgent.Prepend(fmt.Sprintf("docker-machine/v%d", version.ApiVersion))
if d.Insecure {
// Configure custom TLS settings.
config := &tls.Config{InsecureSkipVerify: true}
transport := &http.Transport{TLSClientConfig: config}
provider.HTTPClient.Transport = transport
}
err = openstack.Authenticate(provider, opts)
if err != nil {
return err
}
c.Provider = provider
return nil
}
// AuthenticatePassword approves any login attempt which is successfully validated with Keystone
func (a keystonePasswordAuthenticator) AuthenticatePassword(username, password string) (user.Info, bool, error) {
defer func() {
if e := recover(); e != nil {
utilruntime.HandleError(fmt.Errorf("Recovered panic: %v, %s", e, debug.Stack()))
}
}()
// if password is missing, fail authentication immediately
if len(password) == 0 {
return nil, false, nil
}
opts := gophercloud.AuthOptions{
IdentityEndpoint: a.url,
Username: username,
Password: password,
DomainName: a.domainName,
}
// Calling NewClient/Authenticate manually rather than simply calling AuthenticatedClient
// in order to pass in a transport object that supports SSL
client, err := openstack.NewClient(opts.IdentityEndpoint)
if err != nil {
glog.Warningf("Failed: Initializing openstack authentication client: %v", err)
return nil, false, err
}
client.HTTPClient = *a.client
err = openstack.AuthenticateV3(client, opts)
if err != nil {
if responseErr, ok := err.(*gophercloud.UnexpectedResponseCodeError); ok {
if responseErr.Actual == 401 {
return nil, false, nil
}
}
glog.Warningf("Failed: Calling openstack AuthenticateV3: %v", err)
return nil, false, err
}
identity := authapi.NewDefaultUserIdentityInfo(a.providerName, username)
user, err := a.identityMapper.UserFor(identity)
if err != nil {
glog.V(4).Infof("Error creating or updating mapping for: %#v due to %v", identity, err)
return nil, false, err
}
glog.V(4).Infof("Got userIdentityMapping: %#v", user)
return user, true, nil
}
func (c *GenericClient) Authenticate(d *Driver) error {
if c.Provider != nil {
return nil
}
log.Debug("Authenticating...", map[string]interface{}{
"AuthUrl": d.AuthUrl,
"Insecure": d.Insecure,
"CaCert": d.CaCert,
"DomainID": d.DomainID,
"DomainName": d.DomainName,
"Username": d.Username,
"TenantName": d.TenantName,
"TenantID": d.TenantId,
})
opts := gophercloud.AuthOptions{
IdentityEndpoint: d.AuthUrl,
DomainID: d.DomainID,
DomainName: d.DomainName,
Username: d.Username,
Password: d.Password,
TenantName: d.TenantName,
TenantID: d.TenantId,
AllowReauth: true,
}
provider, err := openstack.NewClient(opts.IdentityEndpoint)
if err != nil {
return err
}
c.Provider = provider
c.Provider.UserAgent.Prepend(fmt.Sprintf("docker-machine/v%d", version.APIVersion))
err = c.SetTLSConfig(d)
if err != nil {
return err
}
err = openstack.Authenticate(c.Provider, opts)
if err != nil {
return err
}
return nil
}
func (b *KeystoneAuthenticationBackend) CheckUser(r *http.Request) (string, error) {
cookie, err := r.Cookie("authtok")
if err != nil {
return "", WrongCredentials
}
tokenID := cookie.Value
if tokenID == "" {
return "", WrongCredentials
}
provider, err := openstack.NewClient(b.AuthURL)
if err != nil {
return "", err
}
provider.TokenID = cookie.Value
client := &gophercloud.ServiceClient{ProviderClient: provider, Endpoint: b.AuthURL}
result := tokens.Get(client, tokenID)
user, err := result.ExtractUser()
if err != nil {
return "", err
}
token, err := result.ExtractToken()
if err != nil {
return "", err
}
if token.Tenant.Name != b.Tenant {
return "", WrongCredentials
}
isAdmin := false
for _, role := range user.Roles {
if role.Name == "admin" {
isAdmin = true
break
}
}
if !isAdmin {
return "", WrongCredentials
}
return user.UserName, nil
}
func (b *KeystoneAuthenticationBackend) Authenticate(username string, password string) (string, error) {
opts := gophercloud.AuthOptions{
IdentityEndpoint: b.AuthURL,
Username: username,
Password: password,
TenantName: b.Tenant,
}
provider, err := openstack.NewClient(b.AuthURL)
if err != nil {
return "", err
}
if err := openstack.Authenticate(provider, opts); err != nil {
return "", err
}
return provider.TokenID, nil
}
func (c *AccessConfig) Prepare(ctx *interpolate.Context) []error {
if c.EndpointType != "internal" && c.EndpointType != "internalURL" &&
c.EndpointType != "admin" && c.EndpointType != "adminURL" &&
c.EndpointType != "public" && c.EndpointType != "publicURL" &&
c.EndpointType != "" {
return []error{fmt.Errorf("Invalid endpoint type provided")}
}
if c.Region == "" {
c.Region = os.Getenv("OS_REGION_NAME")
}
// Legacy RackSpace stuff. We're keeping this around to keep things BC.
if c.APIKey == "" {
c.APIKey = os.Getenv("SDK_API_KEY")
}
if c.Password == "" {
c.Password = os.Getenv("SDK_PASSWORD")
}
if c.Region == "" {
c.Region = os.Getenv("SDK_REGION")
}
if c.TenantName == "" {
c.TenantName = os.Getenv("SDK_PROJECT")
}
if c.Username == "" {
c.Username = os.Getenv("SDK_USERNAME")
}
// Get as much as possible from the end
ao, _ := openstack.AuthOptionsFromEnv()
// Override values if we have them in our config
overrides := []struct {
From, To *string
}{
{&c.Username, &ao.Username},
{&c.UserID, &ao.UserID},
{&c.Password, &ao.Password},
{&c.APIKey, &ao.APIKey},
{&c.IdentityEndpoint, &ao.IdentityEndpoint},
{&c.TenantID, &ao.TenantID},
{&c.TenantName, &ao.TenantName},
{&c.DomainID, &ao.DomainID},
{&c.DomainName, &ao.DomainName},
}
for _, s := range overrides {
if *s.From != "" {
*s.To = *s.From
}
}
// Build the client itself
client, err := openstack.NewClient(ao.IdentityEndpoint)
if err != nil {
return []error{err}
}
// If we have insecure set, then create a custom HTTP client that
// ignores SSL errors.
if c.Insecure {
config := &tls.Config{InsecureSkipVerify: true}
transport := &http.Transport{TLSClientConfig: config}
client.HTTPClient.Transport = transport
}
// Auth
err = openstack.Authenticate(client, ao)
if err != nil {
return []error{err}
}
c.osClient = client
return nil
}
func (c *Config) loadAndValidate() error {
if c.EndpointType != "internal" && c.EndpointType != "internalURL" &&
c.EndpointType != "admin" && c.EndpointType != "adminURL" &&
c.EndpointType != "public" && c.EndpointType != "publicURL" &&
c.EndpointType != "" {
return fmt.Errorf("Invalid endpoint type provided")
}
ao := gophercloud.AuthOptions{
Username: c.Username,
UserID: c.UserID,
Password: c.Password,
TokenID: c.Token,
APIKey: c.APIKey,
IdentityEndpoint: c.IdentityEndpoint,
TenantID: c.TenantID,
TenantName: c.TenantName,
DomainID: c.DomainID,
DomainName: c.DomainName,
}
client, err := openstack.NewClient(ao.IdentityEndpoint)
if err != nil {
return err
}
config := &tls.Config{}
if c.CACertFile != "" {
caCert, err := ioutil.ReadFile(c.CACertFile)
if err != nil {
return err
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
config.RootCAs = caCertPool
}
if c.Insecure {
config.InsecureSkipVerify = true
}
if c.ClientCertFile != "" && c.ClientKeyFile != "" {
cert, err := tls.LoadX509KeyPair(c.ClientCertFile, c.ClientKeyFile)
if err != nil {
return err
}
config.Certificates = []tls.Certificate{cert}
config.BuildNameToCertificate()
}
transport := &http.Transport{TLSClientConfig: config}
client.HTTPClient.Transport = transport
err = openstack.Authenticate(client, ao)
if err != nil {
return err
}
c.osClient = client
return nil
}
// NewClient creates a client that's prepared to communicate with the Rackspace API, but is not
// yet authenticated. Most users will probably prefer using the AuthenticatedClient function
// instead.
//
// Provide the base URL of the identity endpoint you wish to authenticate against as "endpoint".
// Often, this will be either RackspaceUSIdentity or RackspaceUKIdentity.
func NewClient(endpoint string) (*gophercloud.ProviderClient, error) {
if endpoint == "" {
return os.NewClient(RackspaceUSIdentity)
}
return os.NewClient(endpoint)
}
