Why Gemfury?
Push, build, and install
RubyGems
npm packages
Python packages
Maven artifacts
PHP packages
Go Modules
Debian packages
RPM packages
NuGet packages
triliodata-3-4 / contego deb
Repository URL to install this package:
|
Version:
3.4.37 ▾
|
contego
/
home
/
tvault
/
.virtenv
/
lib
/
python2.7
/
site-packages
/
keystoneauth1
/
identity
/
v3
/
oidc.pyc
|
|---|
ó
µEYc�����������@���s��d��d�l��Z��d��d�l�Z�d��d�l�m�Z�d��d�l�Z�d��d�l�m�Z�d��d�l�m�Z�d��d�l�m�Z�d��d�l �m
�Z
�e�j
�e
��Z
�d�Z�e�j�e��j��d
�e
�j�f�d
�����Y�Z�d �e�f�d
�����YZ�d�e�f�d�����YZ�d�e�f�d�����YZ�d
�e�f�d�����YZ�d�S(���iÿÿÿÿN(���t
���positional(���t���_utils(���t���access(���t
���exceptions(���t
���federationt���OidcAuthorizationCodet���OidcClientCredentialst
���OidcPasswordt���OidcAccessTokent ���_OidcBasec�����������B���sh���e��Z�d��Z�d �Z�d�d �d �d �d��Z�d���Z�d���Z�d���Z�d���Z �d���Z
�e
�j
�d����Z
�RS(
���s®���Base class for different OpenID Connect based flows.
The OpenID Connect specification can be found at::
``http://openid.net/specs/openid-connect-core-1_0.html``
s���openid profilec
���
������K���s���t��t�|���j�|�|�|�|
��|�|��_�|�|��_�| �|��_�i��|��_�|�|��_�|�|��_�|�|��_ �|
�d�k �r�|
�|��j
�k�r�t
�j
����n��t�j�d�t��n��d�S(���s��The OpenID Connect plugin expects the following.
:param auth_url: URL of the Identity Service
:type auth_url: string
:param identity_provider: Name of the Identity Provider the client
will authenticate against
:type identity_provider: string
:param protocol: Protocol name as configured in keystone
:type protocol: string
:param client_id: OAuth 2.0 Client ID
:type client_id: string
:param client_secret: OAuth 2.0 Client Secret
:type client_secret: string
:param access_token_type: OAuth 2.0 Authorization Server Introspection
token type, it is used to decide which type
of token will be used when processing token
introspection. Valid values are:
"access_token" or "id_token"
:type access_token_type: string
:param access_token_endpoint: OpenID Connect Provider Token Endpoint,
for example:
https://localhost:8020/oidc/OP/token
Note that if a discovery document is
provided this value will override
the discovered one.
:type access_token_endpoint: string
:param discovery_endpoint: OpenID Connect Discovery Document URL,
for example:
https://localhost:8020/oidc/.well-known/openid-configuration
:type access_token_endpoint: string
:param scope: OpenID Connect scope that is requested from OP,
for example: "openid profile email", defaults to
"openid profile". Note that OpenID Connect specification
states that "openid" must be always specified.
:type scope: string
sX��Passing grant_type as an argument has been deprecated as it is now defined in the plugin itself. You should stop passing this argument to the plugin, as it will be ignored, since you cannot pass a free text string as a grant_type. This argument will be dropped from the plugin in July 2017 or with the next major release of keystoneauth (3.0.0)N(���t���superR ���t���__init__t ���client_idt
���client_secrett���discovery_endpointt���_discovery_documentt���access_token_endpointt���access_token_typet���scopet���Nonet
���grant_typeR���t���OidcGrantTypeMissmatcht���warningst���warnt���DeprecationWarning(
���t���selft���auth_urlt���identity_providert���protocolR
���R
���R���R���R���R���R���t���kwargs(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR
���*���s
����4
c���������C���s³���|��j��d�k �r¬�|��j�
r¬�y
�|�j�|��j��d�t�}�Wn2�t�j�k
�ri�t�j�d�i�|��j��d�6���n�Xy�|�j ���|��_�Wn�t
�k
�r�n�X|��j�s¬�t�j
����q¬�n��|��j�S(���sÃ��Get the contents of the OpenID Connect Discovery Document.
This method grabs the contents of the OpenID Connect Discovery Document
if a discovery_endpoint was passed to the constructor and returns it as
a dict, otherwise returns an empty dict. Note that it will fetch the
discovery document only once, so subsequent calls to this method will
return the cached result, if any.
:param session: a session object to send out HTTP requests.
:type session: keystoneauth1.session.Session
:returns: a python dictionary containing the discovery document if any,
otherwise it will return an empty dict.
:rtype: dict
t
���authenticateds-���Cannot fetch discovery document %(discovery)st ���discoveryN(
���R���R���R���t���gett���FalseR���t ���HttpErrort���_loggert���errort���jsont ���Exceptiont
���InvalidOidcDiscoveryDocument(���R���t���sessiont���resp(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyt���_get_discovery_documentw���s ����
c���������C���sS���|��j��d�k �r�|��j��S|��j�|��}�|�j�d��}�|�d�k�rO�t�j����n��|�S(���s��Get the "token_endpoint" for the OpenID Connect flow.
This method will return the correct access token endpoint to be used.
If the user has explicitly passed an access_token_endpoint to the
constructor that will be returned. If there is no explicit endpoint and
a discovery url is provided, it will try to get it from the discovery
document. If nothing is found, an exception will be raised.
:param session: a session object to send out HTTP requests.
:type session: keystoneauth1.session.Session
:return: the endpoint to use
:rtype: string or None if no endpoint is found
t���token_endpointN(���R���R���R*���R ���R���t ���OidcAccessTokenEndpointNotFound(���R���R(���R ���t���endpoint(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyt���_get_access_token_endpoint���s����
c���������C���sY���|��j��|��j�f�}�|��j�|��}�|�j�|�d�|�d�|�d�t�}�|�j���|��j�}�|�S(���s�Exchange a variety of user supplied values for an access token.
:param session: a session object to send out HTTP requests.
:type session: keystoneauth1.session.Session
:param payload: a dict containing various OpenID Connect values, for
example::
{'grant_type': 'password', 'username': self.username,
'password': self.password, 'scope': self.scope}
:type payload: dict
t
���requests_autht���dataR
���(���R
���R
���R.���t���postR!���R%���R���(���R���R(���t���payloadt
���client_authR���t
���op_responset
���access_token(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyt���_get_access_token³���s����
c���������C���s3���i�d�|�d�6}�|�j��|��j�d�|�d�t�}�|�S(���s ��Exchange an access token for a keystone token.
By Sending the access token in an `Authorization: Bearer` header, to
an OpenID Connect protected endpoint (Federated Token URL). The
OpenID Connect server will use the access token to look up information
about the authenticated user (this technique is called instrospection).
The output of the instrospection will be an OpenID Connect Claim, that
will be used against the mapping engine. Should the mapping engine
succeed, a Keystone token will be presented to the user.
:param session: a session object to send out HTTP requests.
:type session: keystoneauth1.session.Session
:param access_token: The OpenID Connect access token.
:type access_token: str
s���Bearer t
���Authorizationt���headersR
���(���R1���t���federated_token_urlR!���(���R���R(���R5���R8���t
���auth_response(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyt���_get_keystone_token���s
���� c���������C���s§���|��j��|��}�|�j�d��}�|�rQ�|��j�d�k �rQ�|��j�|�k�rQ�t�j����n��|��j�|��}�|�j�d�|��j��|��j�|�|��}�|��j �|�|��}�t
�j
�d�|��S(���s$��Authenticate with OpenID Connect and get back claims.
This is a multi-step process:
1.- An access token must be retrieved from the server. In order to do
so, we need to exchange an authorization grant or refresh token
with the token endpoint in order to obtain an access token. The
authorization grant varies from plugin to plugin.
2.- We then exchange the access token upon accessing the protected
Keystone endpoint (federated auth URL). This will trigger the
OpenID Connect Provider to perform a user introspection and
retrieve information (specified in the scope) about the user in the
form of an OpenID Connect Claim. These claims will be sent to
Keystone in the form of environment variables.
:param session: a session object to send out HTTP requests.
:type session: keystoneauth1.session.Session
:returns: a token data representation
:rtype: :py:class:`keystoneauth1.access.AccessInfoV3`
t���grant_types_supportedR���R)���N(
���R*���R ���R���R���R���t���OidcPluginNotSupportedt
���get_payloadt
���setdefaultR6���R;���R���t���create(���R���R(���R ���t
���grant_typesR2���R5���t���response(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyt���get_unscoped_auth_ref��s����c���������C���s
���t�����d�S(���s$��Get the plugin specific payload for obtainin an access token.
OpenID Connect supports different grant types. This method should
prepare the payload that needs to be exchanged with the server in
order to get an access token for the particular grant type that the
plugin is implementing.
:param session: a session object to send out HTTP requests.
:type session: keystoneauth1.session.Session
:returns: a python dictionary containing the payload to be exchanged
:rtype: dict
N(���t���NotImplementedError(���R���R(���(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR>���
��s����N(���t���__name__t
���__module__t���__doc__R���R���R
���R*���R.���R6���R;���RC���t���abct���abstractmethodR>���(����(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR ��� ���s���
G $ +c�����������B���sA���e��Z�d��Z�d�Z�e�d��d�d�d�d�d�d���Z�d���Z�RS(���sE���Implementation for OpenID Connect Resource Owner Password Credential.t���passwordi���R5���c
���
������K���s\���t��t�|���j�d�|�d�|�d�|�d�|�d�|�d�|�d�|�d�|�|
��| �|��_�|
�|��_�d �S(
���s��The OpenID Password plugin expects the following.
:param username: Username used to authenticate
:type username: string
:param password: Password used to authenticate
:type password: string
R���R���R
���R
���R
���R���R���R���N(���R
���R���R
���t���usernameRJ���(
���R���R���R���R
���R
���R
���R���R���R���RK���RJ���R
���(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR
���#��s���� c���������C���s(���i�|��j��d�6|��j�d�6|��j�d�6}�|�S(���s ��Get an authorization grant for the "password" grant type.
:param session: a session object to send out HTTP requests.
:type session: keystoneauth1.session.Session
:returns: a python dictionary containing the payload to be exchanged
:rtype: dict
RK���RJ���R���(���RK���RJ���R���(���R���R(���R2���(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR>���@��s����
N(���RE���RF���RG���R���R����R���R
���R>���(����(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR���
��s��� c�����������B���s;���e��Z�d��Z�d�Z�e�d��d�d�d�d���Z�d���Z�RS(���s5���Implementation for OpenID Connect Client Credentials.t���client_credentialsi���R5���c ���
������K���sJ���t��t�|���j�d�|�d�|�d�|�d�|�d�|�d�|�d�|�d�|�| ��d �S(
���s÷���The OpenID Client Credentials expects the following.
:param client_id: Client ID used to authenticate
:type username: string
:param client_secret: Client Secret used to authenticate
:type password: string
R���R���R
���R
���R
���R���R���R���N(���R
���R���R
���(
���R���R���R���R
���R
���R
���R���R���R���R
���(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR
���T��s����c���������C���s���i�|��j��d�6}�|�S(���s'��Get an authorization grant for the client credentials grant type.
:param session: a session object to send out HTTP requests.
:type session: keystoneauth1.session.Session
:returns: a python dictionary containing the payload to be exchanged
:rtype: dict
R���(���R���(���R���R(���R2���(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR>���n��s���� N(���RE���RF���RG���R���R����R���R
���R>���(����(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR���O��s��� c�����������B���sA���e��Z�d��Z�d�Z�e�d��d�d�d�d�d�d���Z�d���Z�RS(���s5���Implementation for OpenID Connect Authorization Code.t���authorization_codei���R5���c
���
������K���s\���t��t�|���j�d�|�d�|�d�|�d�|�d�|�d�|�d�|�d�|�|
��| �|��_�|
�|��_�d �S(
���s÷���The OpenID Authorization Code plugin expects the following.
:param redirect_uri: OpenID Connect Client Redirect URL
:type redirect_uri: string
:param code: OAuth 2.0 Authorization Code
:type code: string
R���R���R
���R
���R
���R���R���R���N(���R
���R���R
���t
���redirect_urit���code(
���R���R���R���R
���R
���R
���R���R���R���RN���RO���R
���(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR
�����s���� c���������C���s
���i�|��j��d�6|��j�d�6}�|�S(���s)��Get an authorization grant for the "authorization_code" grant type.
:param session: a session object to send out HTTP requests.
:type session: keystoneauth1.session.Session
:returns: a python dictionary containing the payload to be exchanged
:rtype: dict
RN���RO���(���RN���RO���(���R���R(���R2���(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR>�����s���� N(���RE���RF���RG���R���R����R���R
���R>���(����(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR���{��s��� c�����������B���s5���e��Z�d��Z�e�d��d����Z�d���Z�d���Z�RS(���s5���Implementation for OpenID Connect access token reuse.i���c������
���K���sD���t��t�|���j�|�|�|�d�d�d�d�d�d�d�d�|�|�|��_�d�S(���s#��The OpenID Connect plugin based on the Access Token.
It expects the following:
:param auth_url: URL of the Identity Service
:type auth_url: string
:param identity_provider: Name of the Identity Provider the client
will authenticate against
:type identity_provider: string
:param protocol: Protocol name as configured in keystone
:type protocol: string
:param access_token: OpenID Connect Access token
:type access_token: string
R
���R
���R���R���N(���R
���R���R
���R���R5���(���R���R���R���R
���R5���R
���(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR
���®��s����c���������C���s���i��S(���s+���OidcAccessToken does not require a payload.(����(���R���R(���(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR>���Ë��s����c���������C���s%���|��j��|�|��j��}�t�j�d�|��S(���s¼��Authenticate with OpenID Connect and get back claims.
We exchange the access token upon accessing the protected Keystone
endpoint (federated auth URL). This will trigger the OpenID Connect
Provider to perform a user introspection and retrieve information
(specified in the scope) about the user in the form of an OpenID
Connect Claim. These claims will be sent to Keystone in the form of
environment variables.
:param session: a session object to send out HTTP requests.
:type session: keystoneclient.session.Session
:returns: a token data representation
:rtype: :py:class:`keystoneauth1.access.AccessInfoV3`
R)���(���R;���R5���R���R@���(���R���R(���RB���(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyRC�����s����(���RE���RF���RG���R����R
���R>���RC���(����(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyR���«��s���
(���s���OidcAuthorizationCodes���OidcClientCredentialss
���OidcPasswords���OidcAccessToken(���RH���R���R����t���sixt
���keystoneauth1R���t���utilsR���R���t���keystoneauth1.identity.v3R���t
���get_loggerRE���R#���t���__all__t
���add_metaclasst���ABCMetat���FederationBaseAuthR ���R���R���R���R���(����(����(����sS���/home/tvault/.virtenv/lib/python2.7/site-packages/keystoneauth1/identity/v3/oidc.pyt���<module>
���s$���
���ý1,0