# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from keystone.common import validation
from keystone.common.validation import parameter_types
from keystone import exception
from keystone.i18n import _
token_issue = {
'type': 'object',
'properties': {
'identity': {
'type': 'object',
'properties': {
'methods': {
'type': 'array',
'items': {
'type': 'string',
},
},
'password': {
'type': 'object',
'properties': {
'user': {
'type': 'object',
'properties': {
'id': {
'type': 'string',
},
'name': {
'type': 'string',
},
'password': {
'type': 'string',
},
'domain': {
'type': 'object',
'properties': {
'id': {
'type': 'string',
},
'name': {
'type': 'string',
},
},
},
},
},
},
},
'token': {
'type': 'object',
'properties': {
'id': {
'type': 'string',
},
},
'required': [
'id',
],
},
},
'required': [
'methods',
],
},
'scope': {
# For explicit unscoped authentication the type should not be
# strictly string. Although keystone server specifies the value
# to be 'unscoped', old versions of keystoneauth might still be
# using `"scope": {'unscoped': {}}` instead of
# `"scope": "unscoped"`
# https://bugs.launchpad.net/keystoneauth/+bug/1637682/
'type': ['object', 'string'],
'properties': {
'project': {
'type': 'object',
'properties': {
'name': {
'type': 'string',
},
'id': {
'type': 'string',
},
'domain': {
'type': 'object',
'properties': {
'id': {
'type': 'string',
},
'name': {
'type': 'string',
},
},
},
},
},
'domain': {
'type': 'object',
'properties': {
'id': {
'type': 'string',
},
'name': {
'type': 'string',
},
},
},
'OS-TRUST:trust': {
'type': 'object',
'properties': {
'id': {
'type': 'string',
},
},
},
'system': {
'type': 'object',
'properties': {'all': parameter_types.boolean},
},
},
},
},
'required': [
'identity',
],
}
[docs]
def validate_issue_token_auth(auth=None):
if auth is None:
return
validation.lazy_validate(token_issue, auth)
user = auth['identity'].get('password', {}).get('user')
if user is not None:
if 'id' not in user and 'name' not in user:
msg = _(
'Invalid input for field identity/password/user: '
'id or name must be present.'
)
raise exception.SchemaValidationError(detail=msg)
domain = user.get('domain')
if domain is not None:
if 'id' not in domain and 'name' not in domain:
msg = _(
'Invalid input for field identity/password/user/domain: '
'id or name must be present.'
)
raise exception.SchemaValidationError(detail=msg)
scope = auth.get('scope')
if scope is not None and isinstance(scope, dict):
project = scope.get('project')
if project is not None:
if 'id' not in project and 'name' not in project:
msg = _(
'Invalid input for field scope/project: '
'id or name must be present.'
)
raise exception.SchemaValidationError(detail=msg)
domain = project.get('domain')
if domain is not None:
if 'id' not in domain and 'name' not in domain:
msg = _(
'Invalid input for field scope/project/domain: '
'id or name must be present.'
)
raise exception.SchemaValidationError(detail=msg)
domain = scope.get('domain')
if domain is not None:
if 'id' not in domain and 'name' not in domain:
msg = _(
'Invalid input for field scope/domain: '
'id or name must be present.'
)
raise exception.SchemaValidationError(detail=msg)
