blob: 0f7c6332e60dcd66eeb1a688eeeb2effdf8c515c [file] [log] [blame]
package gophercloud
import (
"github.com/racker/perigee"
)
// AuthOptions lets anyone calling Authenticate() supply the required access credentials.
// At present, only Identity V2 API support exists; therefore, only Username, Password,
// and optionally, TenantId are provided. If future Identity API versions become available,
// alternative fields unique to those versions may appear here.
type AuthOptions struct {
// Username and Password are required if using Identity V2 API.
// Consult with your provider's control panel to discover your
// account's username and password.
Username, Password string
// ApiKey used for providers that support Api Key authentication
ApiKey string
// The TenantId field is optional for the Identity V2 API.
TenantId string
// The TenantName can be specified instead of the TenantId
TenantName string
// AllowReauth should be set to true if you grant permission for Gophercloud to cache
// your credentials in memory, and to allow Gophercloud to attempt to re-authenticate
// automatically if/when your token expires. If you set it to false, it will not cache
// these settings, but re-authentication will not be possible. This setting defaults
// to false.
AllowReauth bool
}
// AuthContainer provides a JSON encoding wrapper for passing credentials to the Identity
// service. You will not work with this structure directly.
type AuthContainer struct {
Auth Auth `json:"auth"`
}
// Auth provides a JSON encoding wrapper for passing credentials to the Identity
// service. You will not work with this structure directly.
type Auth struct {
PasswordCredentials *PasswordCredentials `json:"passwordCredentials,omitempty"`
ApiKeyCredentials *ApiKeyCredentials `json:"RAX-KSKEY:apiKeyCredentials,omitempty"`
TenantId string `json:"tenantId,omitempty"`
TenantName string `json:"tenantName,omitempty"`
}
// PasswordCredentials provides a JSON encoding wrapper for passing credentials to the Identity
// service. You will not work with this structure directly.
type PasswordCredentials struct {
Username string `json:"username"`
Password string `json:"password"`
}
type ApiKeyCredentials struct {
Username string `json:"username"`
ApiKey string `json:"apiKey"`
}
// Access encapsulates the API token and its relevant fields, as well as the
// services catalog that Identity API returns once authenticated.
type Access struct {
Token Token
ServiceCatalog []CatalogEntry
User User
provider Provider `json:"-"`
options AuthOptions `json:"-"`
context *Context `json:"-"`
}
// Token encapsulates an authentication token and when it expires. It also includes
// tenant information if available.
type Token struct {
Id, Expires string
Tenant Tenant
}
// Tenant encapsulates tenant authentication information. If, after authentication,
// no tenant information is supplied, both Id and Name will be "".
type Tenant struct {
Id, Name string
}
// User encapsulates the user credentials, and provides visibility in what
// the user can do through its role assignments.
type User struct {
Id, Name string
XRaxDefaultRegion string `json:"RAX-AUTH:defaultRegion"`
Roles []Role
}
// Role encapsulates a permission that a user can rely on.
type Role struct {
Description, Id, Name string
}
// CatalogEntry encapsulates a service catalog record.
type CatalogEntry struct {
Name, Type string
Endpoints []EntryEndpoint
}
// EntryEndpoint encapsulates how to get to the API of some service.
type EntryEndpoint struct {
Region, TenantId string
PublicURL, InternalURL string
VersionId, VersionInfo, VersionList string
}
//
func getAuthCredentials(options AuthOptions) Auth {
if options.ApiKey == "" {
return Auth{
PasswordCredentials: &PasswordCredentials{
Username: options.Username,
Password: options.Password,
},
TenantId: options.TenantId,
TenantName: options.TenantName,
}
} else {
return Auth{
ApiKeyCredentials: &ApiKeyCredentials{
Username: options.Username,
ApiKey: options.ApiKey,
},
TenantId: options.TenantId,
TenantName: options.TenantName,
}
}
}
// papersPlease contains the common logic between authentication and re-authentication.
// The name, obviously a joke on the process of authentication, was chosen because
// of how many other entities exist in the program containing the word Auth or Authorization.
// I didn't need another one.
func (c *Context) papersPlease(p Provider, options AuthOptions) (*Access, error) {
var access *Access
if (options.Username == "") || (options.Password == "" && options.ApiKey == "") {
return nil, ErrCredentials
}
err := perigee.Post(p.AuthEndpoint, perigee.Options{
CustomClient: c.httpClient,
ReqBody: &AuthContainer{
Auth: getAuthCredentials(options),
},
Results: &struct {
Access **Access `json:"access"`
}{
&access,
},
})
if err == nil {
access.options = options
access.provider = p
access.context = c
}
return access, err
}
// Authenticate() grants access to the OpenStack-compatible provider API.
//
// Providers are identified through a unique key string.
// See the RegisterProvider() method for more details.
//
// The supplied AuthOptions instance allows the client to specify only those credentials
// relevant for the authentication request. At present, support exists for OpenStack
// Identity V2 API only; support for V3 will become available as soon as documentation for it
// becomes readily available.
//
// For Identity V2 API requirements, you must provide at least the Username and Password
// options. The TenantId field is optional, and defaults to "".
func (c *Context) Authenticate(provider string, options AuthOptions) (*Access, error) {
p, err := c.ProviderByName(provider)
if err != nil {
return nil, err
}
return c.papersPlease(p, options)
}
// Reauthenticate attempts to reauthenticate using the configured access credentials, if
// allowed. This method takes no action unless your AuthOptions has the AllowReauth flag
// set to true.
func (a *Access) Reauthenticate() error {
var other *Access
var err error
if a.options.AllowReauth {
other, err = a.context.papersPlease(a.provider, a.options)
if err == nil {
*a = *other
}
}
return err
}
// See AccessProvider interface definition for details.
func (a *Access) FirstEndpointUrlByCriteria(ac ApiCriteria) string {
ep := FindFirstEndpointByCriteria(a.ServiceCatalog, ac)
urls := []string{ep.PublicURL, ep.InternalURL}
return urls[ac.UrlChoice]
}
// See AccessProvider interface definition for details.
func (a *Access) AuthToken() string {
return a.Token.Id
}
// See AccessProvider interface definition for details.
func (a *Access) Revoke(tok string) error {
url := a.provider.AuthEndpoint + "/" + tok
err := perigee.Delete(url, perigee.Options{
MoreHeaders: map[string]string{
"X-Auth-Token": a.AuthToken(),
},
OkCodes: []int{204},
})
return err
}
// See ServiceCatalogerForIdentityV2 interface definition for details.
// Note that the raw slice is returend; be careful not to alter the fields of any members,
// for other components of Gophercloud may depend upon them.
// If this becomes a problem in the future,
// a future revision may return a deep-copy of the service catalog instead.
func (a *Access) V2ServiceCatalog() []CatalogEntry {
return a.ServiceCatalog
}