keystone.federation package

Submodules

keystone.federation.constants module

keystone.federation.core module

Main entry point into the Federation service.

class keystone.federation.core.Manager[source]

Bases: keystone.common.manager.Manager

Default pivot point for the Federation backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

create_idp(idp_id, idp)[source]
create_protocol(idp_id, protocol_id, protocol)[source]
create_sp(sp_id, service_provider)[source]
delete_idp(idp_id)[source]
delete_protocol(idp_id, protocol_id)[source]
delete_sp(sp_id)[source]
driver_namespace = 'keystone.federation'
evaluate(idp_id, protocol_id, assertion_data)[source]
get_enabled_service_providers()[source]

List enabled service providers for Service Catalog.

Service Provider in a catalog contains three attributes: id, auth_url, sp_url, where:

  • id is a unique, user defined identifier for service provider object

  • auth_url is an authentication URL of remote Keystone

  • sp_url a URL accessible at the remote service provider where SAML assertion is transmitted.

Returns

list of dictionaries with enabled service providers

Return type

list of dicts

update_protocol(idp_id, protocol_id, protocol)[source]
update_sp(sp_id, service_provider)[source]

keystone.federation.idp module

class keystone.federation.idp.ECPGenerator[source]

Bases: object

A class for generating an ECP assertion.

static generate_ecp(saml_assertion, relay_state_prefix)[source]
class keystone.federation.idp.MetadataGenerator[source]

Bases: object

A class for generating SAML IdP Metadata.

generate_metadata()[source]

Generate Identity Provider Metadata.

Generate and format metadata into XML that can be exposed and consumed by a federated Service Provider.

Returns

XML <EntityDescriptor> object.

Raises

keystone.exception.ValidationError – If the required config options aren’t set.

class keystone.federation.idp.SAMLGenerator[source]

Bases: object

A class to generate SAML assertions.

samlize_token(issuer, recipient, user, user_domain_name, roles, project, project_domain_name, groups, expires_in=None)[source]

Convert Keystone attributes to a SAML assertion.

Parameters
  • issuer (string) – URL of the issuing party

  • recipient (string) – URL of the recipient

  • user (string) – User name

  • user_domain_name (string) – User Domain name

  • roles (list) – List of role names

  • project (string) – Project name

  • project_domain_name (string) – Project Domain name

  • groups (list) – List of strings of user groups and domain name, where strings are serialized dictionaries.

  • expires_in (int) – Sets how long the assertion is valid for, in seconds

Returns

XML <Response> object

keystone.federation.schema module

keystone.federation.utils module

Utilities for Federation Extension.

class keystone.federation.utils.DirectMaps[source]

Bases: object

An abstraction around the remote matches.

Each match is treated internally as a list.

add(values)[source]

Add a matched value to the list of matches.

Parameters

value (list) – the match to save

class keystone.federation.utils.RuleProcessor(mapping_id, rules)[source]

Bases: object

A class to process assertions and mapping rules.

process(assertion_data)[source]

Transform assertion to a dictionary.

The dictionary contains mapping of user name and group ids based on mapping rules.

This function will iterate through the mapping rules to find assertions that are valid.

Parameters

assertion_data (dict) – an assertion containing values from an IdP

Example assertion_data:

{
    'Email': 'testacct@example.com',
    'UserName': 'testacct',
    'FirstName': 'Test',
    'LastName': 'Account',
    'orgPersonType': 'Tester'
}
Returns

dictionary with user and group_ids

The expected return structure is:

{
    'name': 'foobar',
    'group_ids': ['abc123', 'def456'],
    'group_names': [
        {
            'name': 'group_name_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_1_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_2',
            'domain': {
                'id': 'xyz132'
            }
        }
    ]
}
class keystone.federation.utils.UserType[source]

Bases: object

User mapping type.

EPHEMERAL = 'ephemeral'
LOCAL = 'local'
keystone.federation.utils.assert_enabled_identity_provider(federation_api, idp_id)[source]
keystone.federation.utils.assert_enabled_service_provider_object(service_provider)[source]
keystone.federation.utils.get_assertion_params_from_env()[source]
keystone.federation.utils.get_remote_id_parameter(idp, protocol)[source]
keystone.federation.utils.transform_to_group_ids(group_names, mapping_id, identity_api, resource_api)[source]

Transform groups identified by name/domain to their ids.

Function accepts list of groups identified by a name and domain giving a list of group ids in return. A message is logged if the group doesn’t exist in the backend.

Example of group_names parameter:

[
    {
        "name": "group_name",
        "domain": {
            "id": "domain_id"
        },
    },
    {
        "name": "group_name_2",
        "domain": {
            "name": "domain_name"
        }
    }
]
Parameters
  • group_names (list) – list of group identified by name and its domain.

  • mapping_id (str) – id of the mapping used for mapping assertion into local credentials

  • identity_api – identity_api object

  • resource_api – resource manager object

Returns

generator object with group ids

keystone.federation.utils.validate_expiration(token)[source]
keystone.federation.utils.validate_idp(idp, protocol, assertion)[source]

The IdP providing the assertion should be registered for the mapping.

keystone.federation.utils.validate_mapped_group_ids(group_ids, mapping_id, identity_api)[source]

Iterate over group ids and make sure they are present in the backend.

This call is not transactional. :param group_ids: IDs of the groups to be checked :type group_ids: list of str

Parameters
  • mapping_id (str) – id of the mapping used for this operation

  • identity_api (identity.Manager) – Identity Manager object used for communication with backend

Raises

keystone.exception.MappedGroupNotFound – If the group returned by mapping was not found in the backend.

keystone.federation.utils.validate_mapping_structure(ref)[source]

Module contents