
Untitled

a guest
May 24th, 2019
  1. package authorizer
  2.  
  3. import (
  4.     "github.com/golang/glog"
  5.     "github.com/gophercloud/gophercloud"
  6.     "github.com/gophercloud/gophercloud/openstack"
  7.     "github.com/gophercloud/gophercloud/openstack/identity/v3/extensions/trusts"
  8.     tokens3 "github.com/gophercloud/gophercloud/openstack/identity/v3/tokens"
  9.     "gopkg.in/gcfg.v1"
  10.     "io"
  11.     openstack_provider "k8s.io/kubernetes/pkg/cloudprovider/providers/openstack"
  12.     "log"
  13.     "os"
  14.     "sync"
  15. )
  16.  
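// Authorizer validates OpenStack identity v3 tokens through an authenticated
// identity service client.
type Authorizer struct {
	// authClient is the identity service client handed to tokens3.Validate.
	authClient *gophercloud.ServiceClient
}

var (
	// authorizer is the process-wide instance built by the first call to New.
	authorizer *Authorizer
	// initErr keeps the outcome of that first initialization. sync.Once never
	// re-runs Init, so without a package-level error a failed first attempt
	// would make every later call return (nil, nil).
	initErr error
	once    sync.Once
)

// New returns the shared Authorizer, initializing it from
// /etc/kittenhouse/auth.cfg on the first call.
//
// Initialization is attempted exactly once. If it fails, the same error is
// returned on every subsequent call, so callers never receive a nil
// Authorizer together with a nil error.
func New() (*Authorizer, error) {
	once.Do(func() {
		authorizer, initErr = Init("/etc/kittenhouse/auth.cfg")
	})
	if initErr != nil {
		return nil, initErr
	}
	return authorizer, nil
}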
  34.  
// v3auth authenticates client against the identity v3 API and installs the
// resulting token, a re-authentication hook and an endpoint locator on it.
//
// When endpoint is non-empty it replaces the endpoint of the identity client
// built from eo. On success client.TokenID holds the issued token ID and
// client.EndpointLocator resolves endpoints from the service catalog returned
// with that token.
func v3auth(client *gophercloud.ProviderClient, endpoint string, opts tokens3.AuthOptionsBuilder, eo gophercloud.EndpointOpts) error {
	identity, err := openstack.NewIdentityV3(client, eo)
	if err != nil {
		return err
	}
	// Prefer the caller-supplied endpoint over the generated one.
	if endpoint != "" {
		identity.Endpoint = endpoint
	}

	created := tokens3.Create(identity, opts)
	tok, err := created.ExtractToken()
	if err != nil {
		return err
	}
	svcCatalog, err := created.ExtractServiceCatalog()
	if err != nil {
		return err
	}

	client.TokenID = tok.ID

	if opts.CanReauth() {
		// Re-authentication runs on a throw-away copy of the provider client
		// with its token and reauth hook cleared, so the copy cannot trigger
		// a further re-authentication through its own hook.
		throwaway := *client
		throwaway.ReauthFunc = nil
		throwaway.TokenID = ""

		// For the two known option types, copy the options and clear
		// AllowReauth so the retry is attempted only once. Any other builder
		// type is passed through unchanged, so AllowReauth is NOT cleared
		// for it.
		reauthOpts := opts
		switch concrete := opts.(type) {
		case *gophercloud.AuthOptions:
			dup := *concrete
			dup.AllowReauth = false
			reauthOpts = &dup
		case *tokens3.AuthOptions:
			dup := *concrete
			dup.AllowReauth = false
			reauthOpts = &dup
		}

		client.ReauthFunc = func() error {
			if err := v3auth(&throwaway, endpoint, reauthOpts, eo); err != nil {
				return err
			}
			client.TokenID = throwaway.TokenID
			return nil
		}
	}

	client.EndpointLocator = func(opts gophercloud.EndpointOpts) (string, error) {
		return openstack.V3EndpointURL(svcCatalog, opts)
	}
	return nil
}
  95.  
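// buildProviderClient creates a provider client for cfg.Global.AuthURL and
// authenticates it with the credentials and trust ID from cfg.
//
// It returns an error if the client cannot be created or if authentication
// fails. An unauthenticated client is never returned.
func buildProviderClient(cfg *openstack_provider.Config) (*gophercloud.ProviderClient, error) {
	opts := gophercloud.AuthOptions{
		IdentityEndpoint: cfg.Global.AuthURL,
		Username:         cfg.Global.Username,
		UserID:           cfg.Global.UserID,
		Password:         cfg.Global.Password,
		DomainID:         cfg.Global.DomainID,
		DomainName:       cfg.Global.DomainName,
		AllowReauth:      true,
	}

	// Wrap the credentials so the token request is scoped to the trust.
	authOptsExt := trusts.AuthOptsExt{
		TrustID:            cfg.Global.TrustID,
		AuthOptionsBuilder: &opts,
	}

	client, err := openstack.NewClient(cfg.Global.AuthURL)
	if err != nil {
		return nil, err
	}

	// The result of v3auth must be checked here: previously it was discarded
	// and the stale (nil) error from NewClient was tested instead, so a failed
	// authentication still produced a client with no token.
	if err := v3auth(client, cfg.Global.AuthURL, authOptsExt, gophercloud.EndpointOpts{}); err != nil {
		return nil, err
	}

	return client, nil
}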
  124.  
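// Init reads the OpenStack configuration at cfgPath, authenticates against
// the identity service and returns an Authorizer bound to the public identity
// endpoint in region "RegionOne".
//
// The configuration file carries the service account password, so it should
// be readable only by the account this process runs as.
//
// It returns an error if the file cannot be opened or parsed, if
// authentication fails, or if the identity endpoint cannot be located.
func Init(cfgPath string) (*Authorizer, error) {
	f, err := os.Open(cfgPath)
	if err != nil {
		return nil, err
	}
	// Close the handle that was actually opened. The original deferred Close
	// on a separate, never-assigned (nil) io.ReadCloser, which panics when
	// the function returns.
	var config io.ReadCloser = f
	defer config.Close()

	var cfg openstack_provider.Config
	if err := gcfg.ReadInto(&cfg, config); err != nil {
		glog.Errorf("Couldn't read config: %v", err)
		return nil, err
	}

	// Check the error before using providerClient. Previously it was
	// overwritten by the endpoint lookup below, and a failed build led to a
	// nil pointer dereference.
	providerClient, err := buildProviderClient(&cfg)
	if err != nil {
		return nil, err
	}

	eo := gophercloud.EndpointOpts{
		Region:       "RegionOne",
		Type:         "identity",
		Availability: "public",
	}

	eurl, err := providerClient.EndpointLocator(eo)
	if err != nil {
		return nil, err
	}

	authClient := gophercloud.ServiceClient{
		ProviderClient: providerClient,
		Endpoint:       eurl,
	}
	return &Authorizer{authClient: &authClient}, nil
}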
  161.  
// validate asks the identity service whether token is valid, using the
// Authorizer's authenticated client. Any error from the lookup is returned
// with a false result.
func (a *Authorizer) validate(token string) (bool, error) {
	ok, err := tokens3.Validate(a.authClient, token)
	if err == nil {
		return ok, nil
	}
	return false, err
}
  170.  
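// Validate reports whether token is accepted by the identity service.
//
// It fails closed: an empty token, an authorizer that could not be
// initialized, or an error during the validation call all yield false. Errors
// are logged rather than passed to log.Fatalf, so a failing identity lookup
// denies the request instead of terminating the whole process (the original
// `return false` statements after log.Fatalf were unreachable). The token
// value itself is never logged.
func Validate(token string) bool {
	// An empty token can never be valid; reject it without a round trip.
	if token == "" {
		return false
	}

	// Use a local variable: assigning the result to the package-level
	// authorizer on every call is an unsynchronized write under concurrent
	// use.
	a, err := New()
	if err != nil {
		log.Printf("Error initializing authorizer: %s", err)
		return false
	}
	if a == nil {
		log.Printf("Error initializing authorizer: no authorizer available")
		return false
	}

	valid, err := a.validate(token)
	if err != nil {
		log.Printf("Error validating token: %s", err)
		return false
	}
	return valid
}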