The Utils Module

openstack_auth.utils.build_absolute_uri(request, relative_url)

Ensure absolute URIs are relative to WEBROOT.

openstack_auth.utils.clean_up_auth_url(auth_url)

Clean up the auth URL to extract the exact Keystone URL.

openstack_auth.utils.default_services_region(service_catalog, request=None)

Returns the first endpoint region for the first non-identity service.

Extracted from the service catalog.

openstack_auth.utils.fix_auth_url_version(auth_url)

Fix up the auth url if an invalid or no version prefix was given.

People still give a v2 auth_url even when they specify that they want v3 authentication. Fix the URL to say v3 in this case and add version if it is missing entirely. This should be smarter and use discovery.

openstack_auth.utils.fix_auth_url_version_prefix(auth_url)

Fix up the auth url if an invalid or no version prefix was given.

People still give a v2 auth_url even when they specify that they want v3 authentication. Fix the URL to say v3 in this case and add version if it is missing entirely. This should be smarter and use discovery.

openstack_auth.utils.get_admin_permissions()

Common function for getting the admin permissions from settings

This format is ‘openstack.roles.xxx’ and ‘xxx’ is a real role name.

Returns: Set object including all admin permissions. If there is no permission, this returns an empty set. Example of a returned set:

{
    "openstack.roles.foo",
    "openstack.roles.bar",
    "openstack.roles.admin"
}

openstack_auth.utils.get_admin_roles()

Common function for getting the admin roles from settings

Returns: Set object including all admin roles. If there is no role, this returns an empty set. Example of a returned set:

{
    "foo", "bar", "admin"
}

openstack_auth.utils.get_client_ip(request)

Return client IP address using the SECURE_PROXY_ADDR_HEADER variable.

If it is not present or not defined in settings, then REMOTE_ADDR is used.

Parameters: request (django.http.HttpRequest) – Django http request object.
Returns: Possible client ip address
Return type: string

openstack_auth.utils.get_endpoint_region(endpoint)

Common function for getting the region from endpoint.

In Keystone V3, region has been deprecated in favor of region_id.

This method provides a way to get region that works for both Keystone V2 and V3.

openstack_auth.utils.get_role_permission(role)

Common function for getting the permission from the argument.

This format is ‘openstack.roles.xxx’ and ‘xxx’ is a real role name.

Returns: String like “openstack.roles.admin”. If role is None, this will return None.

openstack_auth.utils.get_websso_url(request, auth_url, websso_auth)

Return the keystone endpoint for initiating WebSSO.

Generate the keystone WebSSO endpoint that will redirect the user to the login page of the federated identity provider.

Based on the authentication type selected by the user in the login form, it will construct the keystone WebSSO endpoint.

Parameters:
  • request (django.http.HttpRequest) – Django http request object.
  • auth_url (string) – Keystone endpoint configured in the horizon setting. The value is derived from:
      - OPENSTACK_KEYSTONE_URL
      - AVAILABLE_REGIONS
  • websso_auth (string) – Authentication type selected by the user from the login form. The value is derived from the horizon setting WEBSSO_CHOICES.

Example of horizon WebSSO setting:

WEBSSO_CHOICES = (
    ("credentials", "Keystone Credentials"),
    ("oidc", "OpenID Connect"),
    ("saml2", "Security Assertion Markup Language"),
    ("acme_oidc", "ACME - OpenID Connect"),
    ("acme_saml2", "ACME - SAML2")
)

WEBSSO_IDP_MAPPING = {
    "acme_oidc": ("acme", "oidc"),
    "acme_saml2": ("acme", "saml2")
}

The value of websso_auth will be looked up in the WEBSSO_IDP_MAPPING dictionary; if a match is found, it will return an IdP-specific WebSSO endpoint using the values found in the mapping.

The value in WEBSSO_IDP_MAPPING is expected to be a tuple formatted as (<idp_id>, <protocol_id>). Using the values found, an IdP/protocol-specific URL will be constructed:

/auth/OS-FEDERATION/identity_providers/<idp_id>/protocols/<protocol_id>/websso

If no value is found from the WEBSSO_IDP_MAPPING dictionary, it will treat the value as the global WebSSO protocol <protocol_id> and construct the WebSSO URL by:

/auth/OS-FEDERATION/websso/<protocol_id>

Returns: Keystone WebSSO endpoint.
Return type: string
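
The two URL forms described above, as an added example that is not openstack_auth's own code. websso_path and websso_url are hypothetical helpers, the settings are the ones from the example above, and the allow-list check against WEBSSO_CHOICES and the percent-encoding of the ids are assumptions added here.

```python
from urllib.parse import quote

# Settings copied from the horizon WebSSO example above.
WEBSSO_CHOICES = (
    ("credentials", "Keystone Credentials"),
    ("oidc", "OpenID Connect"),
    ("saml2", "Security Assertion Markup Language"),
    ("acme_oidc", "ACME - OpenID Connect"),
    ("acme_saml2", "ACME - SAML2"),
)
WEBSSO_IDP_MAPPING = {
    "acme_oidc": ("acme", "oidc"),
    "acme_saml2": ("acme", "saml2"),
}


def websso_path(websso_auth, choices=WEBSSO_CHOICES, mapping=WEBSSO_IDP_MAPPING):
    """Return the WebSSO path for a login-form choice (hypothetical helper)."""
    # Assumption: websso_auth comes from the login form, so only values that
    # are configured in WEBSSO_CHOICES are accepted.
    if websso_auth not in {key for key, _label in choices}:
        raise ValueError("unknown WebSSO choice: %r" % (websso_auth,))
    # No mapping entry means the value itself is the global protocol id.
    idp_id, protocol_id = mapping.get(websso_auth, (None, websso_auth))
    if idp_id:
        # IdP/protocol-specific endpoint.
        return "/auth/OS-FEDERATION/identity_providers/%s/protocols/%s/websso" % (
            quote(idp_id, safe=""), quote(protocol_id, safe=""))
    # Global WebSSO endpoint for the protocol.
    return "/auth/OS-FEDERATION/websso/%s" % quote(protocol_id, safe="")


def websso_url(auth_url, websso_auth):
    """Join the Keystone endpoint and the WebSSO path (hypothetical helper)."""
    return auth_url.rstrip("/") + websso_path(websso_auth)
```
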

openstack_auth.utils.has_in_url_path(url, subs)

Test if any of subs strings is present in the url path.

openstack_auth.utils.is_safe_url(url, host=None)

Return True if the url is a safe redirection.

The safe redirection means that it doesn’t point to a different host. Always returns False on an empty url.

openstack_auth.utils.is_token_valid(token, margin=None)

Timezone-aware checking of the auth token’s expiration timestamp.

Returns True if the token has not yet expired, otherwise False.

Parameters:
  • token – The openstack_auth.user.Token instance to check
  • margin – A time margin in seconds to subtract from the real token’s validity. For example, a token can be valid when the middleware runs but invalid (timed out) during view rendering, which generates authorization errors during the view rendering. A default margin can be set with TOKEN_TIMEOUT_MARGIN in the Django settings.
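
How the margin changes the result, as an added example that is not openstack_auth's own code. token_is_valid and demo are hypothetical helpers that take the expiry datetime directly instead of a Token instance; treating a naive timestamp as UTC and a missing timestamp as expired are assumptions, and the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

TOKEN_TIMEOUT_MARGIN = 0  # stand-in for the Django setting named above


def token_is_valid(expires, margin=None, now=None):
    """Margin-aware expiry check (hypothetical helper).

    expires: datetime of token expiry; margin: seconds; now: injectable clock.
    """
    if expires is None:
        # Assumption: fail closed when the expiry timestamp is missing.
        return False
    if margin is None:
        margin = TOKEN_TIMEOUT_MARGIN
    if expires.tzinfo is None:
        # Assumption: a naive timestamp is in UTC.
        expires = expires.replace(tzinfo=timezone.utc)
    if now is None:
        now = datetime.now(timezone.utc)
    # Subtract the margin from the real validity, then compare aware datetimes.
    return expires - timedelta(seconds=margin) > now


def demo():
    """Constructed case: the token has 5 seconds left when the check runs."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    # 14:00:05 at +02:00 is 12:00:05 UTC; the comparison is timezone-aware.
    expires = datetime(2024, 1, 1, 14, 0, 5, tzinfo=timezone(timedelta(hours=2)))
    return {
        "no_margin": token_is_valid(expires, margin=0, now=now),
        "margin_10s": token_is_valid(expires, margin=10, now=now),
        "naive_utc": token_is_valid(datetime(2024, 1, 1, 12, 0, 5), margin=0, now=now),
        "missing": token_is_valid(None, now=now),
    }
```
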

openstack_auth.utils.is_websso_enabled()

WebSSO is supported in Keystone version 3.

Common function for setting the cookie in the response.

Provides a common policy of setting cookies for last used project and region, can be reused in other locations.

This method will set the cookie to expire in 365 days.

openstack_auth.utils.store_initial_k2k_session(auth_url, request, scoped_auth_ref, unscoped_auth_ref)

Stores session variables if there are k2k service providers

This stores variables related to Keystone2Keystone federation. This function gets skipped if there are no Keystone service providers. An unscoped token to the identity provider keystone gets stored so that it can be used to do federated login into the service providers when switching keystone providers. The settings file can be configured to set the display name of the local (identity provider) keystone by setting KEYSTONE_PROVIDER_IDP_NAME. The KEYSTONE_PROVIDER_IDP_ID settings variable is used for comparison against the service providers. It should not conflict with any of the service provider ids.

Parameters:
  • auth_url – base token auth url
  • request – Django http request object
  • scoped_auth_ref – Scoped Keystone access info object
  • unscoped_auth_ref – Unscoped Keystone access info object

openstack_auth.utils.url_path_replace(url, old, new, count=None)

Return a copy of url with replaced path.

Return a copy of url with all occurrences of old replaced by new in the url path. If the optional argument count is given, only the first count occurrences are replaced.