{"id":2356,"date":"2016-03-04T21:32:53","date_gmt":"2016-03-04T21:32:53","guid":{"rendered":"http:\/\/bogott.net\/unspecified\/?p=2356"},"modified":"2016-03-04T21:34:43","modified_gmt":"2016-03-04T21:34:43","slug":"keystone-horizon-and-multi-factor-auth-part-22-horizon","status":"publish","type":"post","link":"https:\/\/bogott.net\/unspecified\/?p=2356","title":{"rendered":"Keystone, Horizon, and multi-factor auth (part 2\/2: Horizon)"},"content":{"rendered":"

Now that Keystone accepts and checks auth requests<\/a> with user\/password\/otp, we have to get all three from the user and get them properly packed into Horizon’s login request. Taking advantage of Horizon being backwards-compatibility, I upgraded our Horizon install to version Liberty before starting.<\/p>\n

I spent quite a while hopelessly grepping in the Horizon and Dashboard code until someone on IRC directed me to the openstack_auth<\/a> module which turns out to contain all the good bits. Once again, the auth code uses a plugin model, so adding totp support is just a matter of dropping a new file into openstack_auth\/plugins\/. My new file is called ‘wmtotp.py’ and it’s a copy of the ‘password.py’ plugin with the Keystone v2 API code ripped out and an extra parameter added on.<\/p>\n


\nimport logging<\/p>\n

from keystoneclient.auth.identity import v2 as v2_auth
\nfrom keystoneclient.auth.identity import v3 as v3_auth<\/p>\n

from openstack_auth.plugin import base
\nfrom openstack_auth import utils<\/p>\n

LOG = logging.getLogger(__name__)<\/p>\n

__all__ = ['WmtotpPlugin']<\/p>\n

class WmtotpPlugin(base.BasePlugin):
\n \"\"\"Authenticate against keystone given a username, password, totp token.
\n \"\"\"<\/p>\n

def get_plugin(self, auth_url=None, username=None, password=None,
\n user_domain_name=None, totp=None, **kwargs):
\n if not all((auth_url, username, password, totp)):
\n return None<\/p>\n

LOG.debug('Attempting to authenticate for %s', username)<\/p>\n

if utils.get_keystone_version() >= 3:
\n return v3_auth.Wmtotp(auth_url=auth_url,
\n username=username,
\n password=password,
\n totp=totp,
\n user_domain_name=user_domain_name,
\n unscoped=True)<\/p>\n

else:
\n msg = \"Totp authentication requires the keystone v3 api.\"
\n raise exceptions.KeystoneAuthException(msg)
\n<\/code><\/p>\n

I also needed to tell Horizon to use the new auth method during logins. That’s a change to the local_settings.py config file:<\/p>\n

AUTHENTICATION_PLUGINS = ['openstack_auth.plugin.wmtotp.WmtotpPlugin', 'openstack_auth.plugin.token.TokenPlugin']<\/code><\/p>\n

Now we just have to get our second factor from the user, and hand it to off to WmtotpPlugin. This is where Horizon is not<\/em> extensible — there’s just “forms.py” that draws a single username\/password dialog, with no custom field options. Time to get ugly and clobber forms.py with a patched version.<\/p>\n


\ndiff --git a\/openstack_auth\/forms.py b\/openstack_auth\/forms.py
\nindex 97a8bbf..0aeac58 100644
\ndiff --git a\/openstack_auth\/forms.py b\/openstack_auth\/forms.py
\nindex 97a8bbf..0aeac58 100644
\n--- a\/openstack_auth\/forms.py
\n+++ b\/openstack_auth\/forms.py
\n@@ -54,10 +54,12 @@ class Login(django_auth_forms.AuthenticationForm):
\n widget=forms.TextInput(attrs={\"autofocus\": \"autofocus\"}))
\n password = forms.CharField(label=_(\"Password\"),
\n widget=forms.PasswordInput(render_value=False))
\n+ totptoken = forms.CharField(label=_(\"Totp Token\"),
\n+ widget=forms.TextInput())<\/p>\n

def __init__(self, *args, **kwargs):
\n super(Login, self).__init__(*args, **kwargs)
\n- fields_ordering = ['username', 'password', 'region']
\n+ fields_ordering = ['username', 'password', 'totptoken', 'region']
\n if getattr(settings,
\n 'OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT',
\n False):
\n@@ -66,7 +68,8 @@ class Login(django_auth_forms.AuthenticationForm):
\n required=True,
\n widget=forms.TextInput(attrs={\"autofocus\": \"autofocus\"}))
\n self.fields['username'].widget = forms.widgets.TextInput()
\n- fields_ordering = ['domain', 'username', 'password', 'region']
\n+ fields_ordering = ['domain', 'username', 'password',
\n+ 'totptoken', 'region']
\n self.fields['region'].choices = self.get_region_choices()
\n if len(self.fields['region'].choices) == 1:
\n self.fields['region'].initial = self.fields['region'].choices[0][0]
\n@@ -115,10 +118,11 @@ class Login(django_auth_forms.AuthenticationForm):
\n 'Default')
\n username = self.cleaned_data.get('username')
\n password = self.cleaned_data.get('password')
\n+ token = self.cleaned_data.get('totptoken')
\n region = self.cleaned_data.get('region')
\n domain = self.cleaned_data.get('domain', default_domain)<\/p>\n

- if not (username and password):
\n+ if not (username and password and token):
\n # Don't authenticate, just let the other validators handle it.
\n return self.cleaned_data<\/p>\n

@@ -126,6 +130,7 @@ class Login(django_auth_forms.AuthenticationForm):
\n self.user_cache = authenticate(request=self.request,
\n username=username,
\n password=password,
\n+ totp=token,
\n user_domain_name=domain,<\/p>\n

<\/code><\/p>\n

That’s it for Horizon! There’s one more layer between us and Keystone: the Keystoneclient code that’s loaded by wmtotp.py. keystoneclient\/auth\/identity\/v3 contains classes for each auth model so, once again, we drop in a custom wmtotp.py. And, again, it’s a modest modification of password.py:<\/p>\n


\n#
\n# Custom addition for Wikimedia Labs to add a totp plugin to keystoneclient
\n#
\n# Licensed under the Apache License, Version 2.0 (the \"License\"); you may
\n# not use this file except in compliance with the License. You may obtain
\n# a copy of the License at
\n#
\n# http:\/\/www.apache.org\/licenses\/LICENSE-2.0
\n#
\n# Unless required by applicable law or agreed to in writing, software
\n# distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT
\n# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
\n# License for the specific language governing permissions and limitations
\n# under the License.<\/p>\n

import sys<\/p>\n

from oslo_config import cfg<\/p>\n

from keystoneclient.auth.identity.v3 import base
\nfrom keystoneclient import utils<\/p>\n

__all__ = ['WmtotpMethod', 'Wmtotp']<\/p>\n

class WmtotpMethod(base.AuthMethod):
\n \"\"\"Construct a User\/Password\/totp based authentication method.<\/p>\n

:param string password: Password for authentication.
\n :param string totp: Totp token for authentication.
\n :param string username: Username for authentication.
\n :param string user_id: User ID for authentication.
\n :param string user_domain_id: User's domain ID for authentication.
\n :param string user_domain_name: User's domain name for authentication.
\n \"\"\"<\/p>\n

_method_parameters = ['user_id',
\n 'username',
\n 'user_domain_id',
\n 'user_domain_name',
\n 'password',
\n 'totp']<\/p>\n

def get_auth_data(self, session, auth, headers, **kwargs):
\n user = {'password': self.password, 'totp': self.totp}<\/p>\n

if self.user_id:
\n user['id'] = self.user_id
\n elif self.username:
\n user['name'] = self.username<\/p>\n

if self.user_domain_id:
\n user['domain'] = {'id': self.user_domain_id}
\n elif self.user_domain_name:
\n user['domain'] = {'name': self.user_domain_name}<\/p>\n

return 'wmtotp', {'user': user}<\/p>\n

class Wmtotp(base.AuthConstructor):
\n \"\"\"A plugin for authenticating with a username, password, totp token<\/p>\n

:param string auth_url: Identity service endpoint for authentication.
\n :param string password: Password for authentication.
\n :param string totp: totp token for authentication
\n :param string username: Username for authentication.
\n :param string user_id: User ID for authentication.
\n :param string user_domain_id: User's domain ID for authentication.
\n :param string user_domain_name: User's domain name for authentication.
\n :param string trust_id: Trust ID for trust scoping.
\n :param string domain_id: Domain ID for domain scoping.
\n :param string domain_name: Domain name for domain scoping.
\n :param string project_id: Project ID for project scoping.
\n :param string project_name: Project name for project scoping.
\n :param string project_domain_id: Project's domain ID for project.
\n :param string project_domain_name: Project's domain name for project.
\n :param bool reauthenticate: Allow fetching a new token if the current one
\n is going to expire. (optional) default True
\n \"\"\"<\/p>\n

_auth_method_class = WmtotpMethod<\/p>\n

@classmethod
\n def get_options(cls):
\n options = super(Wmtotp, cls).get_options()<\/p>\n

options.extend([
\n cfg.StrOpt('user-id', help='User ID'),
\n cfg.StrOpt('user-name', dest='username', help='Username',
\n deprecated_name='username'),
\n cfg.StrOpt('user-domain-id', help=\"User's domain id\"),
\n cfg.StrOpt('user-domain-name', help=\"User's domain name\"),
\n cfg.StrOpt('password', secret=True, help=\"User's password\"),
\n cfg.StrOpt('totp', secret=True, help=\"Totp token\"),
\n ])<\/p>\n

return options<\/p>\n

@classmethod
\n def load_from_argparse_arguments(cls, namespace, **kwargs):
\n if not (kwargs.get('password') or namespace.os_password):
\n kwargs['password'] = utils.prompt_user_password()<\/p>\n

if not kwargs.get('totp') and (hasattr(sys.stdin, 'isatty') and
\n sys.stdin.isatty()):
\n try:
\n kwargs['totp'] = getpass.getpass('Totp token: ')
\n except EOFError:
\n pass<\/p>\n

return super(Wmtotp, cls).load_from_argparse_arguments(namespace,
\n **kwargs)<\/p>\n

<\/code><\/p>\n

Now, a brief pause for bad news. Despite everything our prior experiences have taught us, keystoneclient seems not to have been designed with extending in mind. The __init__.py file in keystoneclient\/auth\/identity\/v3 has a hard-coded list of available auth classes, so we have to patch __init__.py:<\/p>\n


\ndiff --git a\/keystoneclient\/auth\/identity\/v3\/__init__.py b\/keystoneclient\/auth\/identity\/v3\/__init__.py
\nindex a08f3ec..c9ecd12 100644
\n--- a\/keystoneclient\/auth\/identity\/v3\/__init__.py
\n+++ b\/keystoneclient\/auth\/identity\/v3\/__init__.py
\n@@ -14,6 +14,7 @@ from keystoneclient.auth.identity.v3.base import * # noqa
\n from keystoneclient.auth.identity.v3.federated import * # noqa
\n from keystoneclient.auth.identity.v3.password import * # noqa
\n from keystoneclient.auth.identity.v3.token import * # noqa
\n+from keystoneclient.auth.identity.v3.wmtotp import * # noqa<\/p>\n

__all__ = ['Auth',
\n@@ -26,5 +27,8 @@ __all__ = ['Auth',
\n 'Password',
\n 'PasswordMethod',<\/p>\n

+ 'Mwtotp',
\n+ 'MwtotpMethod',
\n+
\n 'Token',
\n 'TokenMethod']
\n<\/code><\/p>\n

Get with the program, keystoneclient! Anyway, after recovering from that one disappointment it was time to make a puppet patch<\/a> to drop in all of our hacks and overlays and config changes.<\/p>\n

And… it works<\/a>!<\/p>\n

\"Screen<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Now that Keystone accepts and checks auth requests with user\/password\/otp, we have to get all three from the user and get them properly packed into Horizon’s login request. Taking advantage of Horizon being backwards-compatibility, I upgraded our Horizon install to … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-2356","post","type-post","status-publish","format-standard","hentry","category-operations"],"_links":{"self":[{"href":"https:\/\/bogott.net\/unspecified\/index.php?rest_route=\/wp\/v2\/posts\/2356","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bogott.net\/unspecified\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bogott.net\/unspecified\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bogott.net\/unspecified\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bogott.net\/unspecified\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2356"}],"version-history":[{"count":10,"href":"https:\/\/bogott.net\/unspecified\/index.php?rest_route=\/wp\/v2\/posts\/2356\/revisions"}],"predecessor-version":[{"id":2368,"href":"https:\/\/bogott.net\/unspecified\/index.php?rest_route=\/wp\/v2\/posts\/2356\/revisions\/2368"}],"wp:attachment":[{"href":"https:\/\/bogott.net\/unspecified\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bogott.net\/unspecified\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bogott.net\/unspecified\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}