Support PyPAM in pam backend, update to latest API

Fix bug 938801. This bug pointed out that some distros don't have the same pam Python module packaged that this backend was expecting. In my case, on Fedora, it's PAM and the API is not compatible with the pam module that was used. This patch makes the backend support PyPAM, as well as the original pam module that was used. In order to test this, I updated the pam backend to the latest backend API. Even though the base class will raise NotImplementedError, I included all functions here to make it more clear all of the things this backend does not do. Change-Id: I74144f4e63b6830c8224bc87e1662eb5df8728a0
openstack · Mar 16, 2012 · e677327 · e677327
1 parent 88ac1ed
commit e677327
Showing 1 changed file with 125 additions and 12 deletions.
diff --git a/keystone/identity/backends/pam.py b/keystone/identity/backends/pam.py
@@ -16,28 +16,141 @@
 
 from __future__ import absolute_import
 
-import pam
+try:
+    import pam
+except ImportError:
+    pam = None
+    import PAM
 
+from keystone import identity
 
-class PamIdentity(object):
+
+def PAM_authenticate(username, password):
+    def _pam_conv(auth, query_list):
+        resp = []
+
+        for query, q_type in query_list:
+            if q_type in [PAM.PAM_PROMPT_ECHO_ON, PAM.PAM_PROMPT_ECHO_OFF]:
+                resp.append((password, 0))
+            elif q_type in [PAM.PAM_PROMPT_ERROR_MSG,
+                            PAM.PAM_PROMPT_TEXT_INFO]:
+                resp.append(('', 0))
+
+        return resp
+
+    auth = PAM.pam()
+    auth.start('passwd')
+    auth.set_item(PAM.PAM_USER, username)
+    auth.set_item(PAM.PAM_CONV, _pam_conv)
+
+    try:
+        auth.authenticate()
+        auth.acct_mgmt()
+    except PAM.error:
+        raise AssertionError('Invalid user / password')
+
+    return True
+
+
+class PamIdentity(identity.Driver):
     """Very basic identity based on PAM.
 
     Tenant is always the same as User, root user has admin role.
     """
 
-    def authenticate(self, username, password, **kwargs):
-        if pam.authenticate(username, password):
+    def authenticate(self, user_id, tenant_id, password):
+        auth = pam.authenticate if pam else PAM_authenticate
+        if auth(user_id, password):
             metadata = {}
-            if username == 'root':
+            if user_id == 'root':
                 metadata['is_admin'] == True
 
-            tenant = {'id': username,
-                      'name': username}
-            user = {'id': username,
-                    'name': username}
+            tenant = {'id': user_id, 'name': user_id}
+
+            user = {'id': user_id, 'name': user_id}
 
             return (tenant, user, metadata)
 
-    def get_tenants(self, username):
-        return [{'id': username,
-                 'name': username}]
+    def get_tenant(self, tenant_id):
+        return {'id': tenant_id, 'name': tenant_id}
+
+    def get_tenant_by_name(self, tenant_name):
+        return {'id': tenant_name, 'name': tenant_name}
+
+    def get_user(self, user_id):
+        return {'id': user_id, 'name': user_id}
+
+    def get_user_by_name(self, user_name):
+        return {'id': user_name, 'name': user_name}
+
+    def get_role(self, role_id):
+        raise NotImplementedError()
+
+    def list_users(self):
+        raise NotImplementedError()
+
+    def list_roles(self):
+        raise NotImplementedError()
+
+    def add_user_to_tenant(self, tenant_id, user_id):
+        pass
+
+    def remove_user_from_tenant(self, tenant_id, user_id):
+        pass
+
+    def get_all_tenants(self):
+        raise NotImplementedError()
+
+    def get_tenants_for_user(self, user_id):
+        return [user_id]
+
+    def get_roles_for_user_and_tenant(self, user_id, tenant_id):
+        raise NotImplementedError()
+
+    def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id):
+        raise NotImplementedError()
+
+    def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id):
+        raise NotImplementedError()
+
+    def create_user(self, user_id, user):
+        raise NotImplementedError()
+
+    def update_user(self, user_id, user):
+        raise NotImplementedError()
+
+    def delete_user(self, user_id):
+        raise NotImplementedError()
+
+    def create_tenant(self, tenant_id, tenant):
+        raise NotImplementedError()
+
+    def update_tenant(self, tenant_id, tenant):
+        raise NotImplementedError()
+
+    def delete_tenant(self, tenant_id, tenant):
+        raise NotImplementedError()
+
+    def get_metadata(self, user_id, tenant_id):
+        metadata = {}
+        if user_id == 'root':
+            metadata['is_admin'] == True
+        return metadata
+
+    def create_metadata(self, user_id, tenant_id, metadata):
+        raise NotImplementedError()
+
+    def update_metadata(self, user_id, tenant_id, metadata):
+        raise NotImplementedError()
+
+    def delete_metadata(self, user_id, tenant_id, metadata):
+        raise NotImplementedError()
+
+    def create_role(self, role_id, role):
+        raise NotImplementedError()
+
+    def update_role(self, role_id, role):
+        raise NotImplementedError()
+
+    def delete_role(self, role_id):
+        raise NotImplementedError()