sapcc · thgrs · Oct 23, 2019 · Sep 6, 2019 · Sep 12, 2019 · Sep 12, 2019
diff --git a/pkg/cmd/client.go b/pkg/cmd/client.go
@@ -88,22 +88,38 @@ func fetchToken() {
 
 	if authType == "password" {
 		auth.TokenID = ""
+		auth.ApplicationCredentialName = ""
+		auth.ApplicationCredentialID = ""
+		auth.ApplicationCredentialSecret = ""
 	} else if authType == "token" {
 		auth.Password = ""
 		auth.UserID = ""
 		auth.Username = ""
 		auth.DomainID = ""
 		auth.DomainName = ""
+		auth.ApplicationCredentialName = ""
+		auth.ApplicationCredentialID = ""
+		auth.ApplicationCredentialSecret = ""
+	} else if authType == "application_credential" {
+		auth.Password = ""
+		auth.UserID = ""
+		auth.DomainID = ""
+		auth.DomainName = ""
+		auth.TokenID = ""
 	}
 
 	if auth.TokenID == "" {
-		if (auth.Username == "" && auth.UserID == "") || auth.Password == "" {
-			panic(fmt.Errorf("You must specify either --os-token or provide --os-username / --os-user-id and --os-password"))
+		if ((auth.Username == "" && auth.UserID == "") || auth.Password == "") &&
+			(auth.ApplicationCredentialID == "" || auth.ApplicationCredentialSecret == "") &&
+			(auth.ApplicationCredentialName == "" || auth.Username == "") {
+			panic(fmt.Errorf("You must specify either --os-token or provide --os-username / --os-user-id and --os-password " +
+				"or --os-application-credential-name and os-username or --os-application-credential-id and --os-application-credential-secret"))
 		}
 	}
 
-	if auth.TokenID != "" && auth.Password != "" {
-		panic(fmt.Errorf("--os-token and --os-password listed, can only use one. Setting --os-auth-type sets which authentication type to use"))
+	if (auth.TokenID != "" && auth.Password != "") || (auth.TokenID != "" && auth.ApplicationCredentialSecret != "") {
+		panic(fmt.Errorf("Multiple authentications specified (--os-password, --os-token, --os-application-credential-secret), " +
+			"can only use one. Setting --os-auth-type sets which authentication type to use"))
 	}
 	context, url, err := keystoneInstance().Authenticate(auth)
 	if err != nil {
@@ -643,7 +659,10 @@ func init() {
 	RootCmd.PersistentFlags().StringVar(&scopedDomain, "os-domain-name", os.Getenv("OS_DOMAIN_NAME"), "OpenStack domain name to scope to")
 	RootCmd.PersistentFlags().StringVar(&auth.Scope.DomainID, "os-domain-id", os.Getenv("OS_DOMAIN_ID"), "OpenStack domain ID to scope to")
 	RootCmd.PersistentFlags().StringVar(&auth.TokenID, "os-token", "$OS_TOKEN", "OpenStack keystone token") // avoid showing contents of $OS_TOKEN as default value
-	RootCmd.PersistentFlags().StringVar(&authType, "os-auth-type", os.Getenv("OS_AUTH_TYPE"), "OpenStack authentication type ('password' or 'token')")
+	RootCmd.PersistentFlags().StringVar(&authType, "os-auth-type", os.Getenv("OS_AUTH_TYPE"), "OpenStack authentication type ('password' or 'token' or application_credential)")
+	RootCmd.PersistentFlags().StringVar(&auth.ApplicationCredentialName, "os-application-credential-name", os.Getenv("OS_APPLICATION_CREDENTIAL_NAME"), "OpenStack application credential name")
+	RootCmd.PersistentFlags().StringVar(&auth.ApplicationCredentialID, "os-application-credential-id", os.Getenv("OS_APPLICATION_CREDENTIAL_ID"), "OpenStack application credential id")
+	RootCmd.PersistentFlags().StringVar(&auth.ApplicationCredentialSecret, "os-application-credential-secret", "$OS_APPLICATION_CREDENTIAL_SECRET", "OpenStack application credential secret") // avoid showing contents of $OS_PASSWORD as default value
 
 	RootCmd.PersistentFlags().StringVarP(&outputFormat, "format", "f", "", "Specify output format: table, json, template or value")
 	RootCmd.PersistentFlags().StringVarP(&columns, "columns", "c", "", "Specify the columns to print (comma-separated; only when --format value is set)")

diff --git a/pkg/cmd/cmd_test.go b/pkg/cmd/cmd_test.go
@@ -59,10 +59,13 @@ func setupTest(controller *gomock.Controller) (*keystone.MockDriver, *storage.Mo
 
 	// set mandatory parameters
 	auth = gophercloud.AuthOptions{
-		IdentityEndpoint: "",
-		Username:         "username",
-		UserID:           "user_id",
-		Password:         "testwd",
+		IdentityEndpoint:            "",
+		Username:                    "username",
+		UserID:                      "user_id",
+		Password:                    "testwd",
+		ApplicationCredentialID:     "appcredid",
+		ApplicationCredentialName:   "appcredname",
+		ApplicationCredentialSecret: "appcredsecret",
 		Scope: &gophercloud.AuthScope{
 			ProjectID: "12345"}}
 
@@ -77,8 +80,10 @@ func setupTest(controller *gomock.Controller) (*keystone.MockDriver, *storage.Mo
 }
 
 func expectAuth(keystoneMock *keystone.MockDriver) {
-	keystoneMock.EXPECT().Authenticate(gophercloud.AuthOptions{IdentityEndpoint: auth.IdentityEndpoint, Username: auth.Username, UserID: auth.UserID, Password: auth.Password, DomainName: auth.DomainName, Scope: auth.Scope}).Return(&policy.Context{Request: map[string]string{"user_id": auth.UserID,
-		"project_id": auth.Scope.ProjectID, "password": auth.Password}, Auth: map[string]string{"project_id": auth.Scope.ProjectID}, Roles: []string{"monitoring_viewer"}}, "http://localhost:9091", nil)
+	keystoneMock.EXPECT().Authenticate(gophercloud.AuthOptions{IdentityEndpoint: auth.IdentityEndpoint, Username: auth.Username, UserID: auth.UserID, Password: auth.Password, ApplicationCredentialID: auth.ApplicationCredentialID,
+		ApplicationCredentialName: auth.ApplicationCredentialName, ApplicationCredentialSecret: auth.ApplicationCredentialSecret, DomainName: auth.DomainName, Scope: auth.Scope}).Return(&policy.Context{Request: map[string]string{"user_id": auth.UserID,
+		"project_id": auth.Scope.ProjectID, "password": auth.Password, "application_credential_id": auth.ApplicationCredentialID, "application_credentail_name": auth.ApplicationCredentialName, "application_credential_secret": auth.ApplicationCredentialSecret},
+		Auth: map[string]string{"project_id": auth.Scope.ProjectID}, Roles: []string{"monitoring_viewer"}}, "http://localhost:9091", nil)
 	// call this explicitly since the mocked storage does not
 	fetchToken()
 }
@@ -412,23 +417,30 @@ func ExampleQuery_rangeSeriesTable() {
 
 func Test_Auth(t *testing.T) {
 	tt := []struct {
-		name        string
-		tokenid     string
-		authtype    string
-		username    string
-		userid      string
-		password    string
-		expectpanic bool
+		name          string
+		tokenid       string
+		authtype      string
+		username      string
+		userid        string
+		password      string
+		appcredid     string
+		appcredname   string
+		appcredsecret string
+		expectpanic   bool
 	}{
-		{"passwithauthtype", "", "password", "testname", "testid", "testwd", false},
-		{"passwithoutauthtype", "", "", "testname", "testid", "testwd", false},
-		{"tokenwithpasswithauthtype", "ABC", "token", "testname", "testid", "testwd", false},
-		{"tokenwithpasswithoutauthtype", "ABC", "", "testname", "testid", "testwd", true},
+		{"passwithauthtype", "", "password", "testname", "testid", "testwd", "", "", "", false},
+		{"passwithoutauthtype", "", "", "testname", "testid", "testwd", "", "", "", false},
+		{"tokenwithpasswithauthtype", "ABC", "token", "testname", "testid", "testwd", "", "", "", false},
+		{"tokenwithpasswithoutauthtype", "ABC", "", "testname", "testid", "testwd", "", "", "", true},
+		{"appcredidwithsecret", "", "application_credential", "", "", "", "testappcredid", "", "testappcredsecret", false},
+		{"appcrednamewithusername", "", "application_credential", "testname", "", "", "", "testappcredname", "", false},
+		{"appcrednamewithoutusername", "", "application_credential", "", "", "", "", "testappcredname", "", true},
+		{"appcredidwithoutsecret", "", "application_credential", "testname", "", "", "testappcredid", "", "", true},
 	}
 
 	for _, tc := range tt {
 		t.Run(tc.name, func(t *testing.T) {
-			paniced := authentication(tc.tokenid, tc.authtype, tc.username, tc.userid, tc.password)
+			paniced := authentication(tc.tokenid, tc.authtype, tc.username, tc.userid, tc.password, tc.appcredid, tc.appcredname, tc.appcredsecret)
 			if paniced != tc.expectpanic {
 				t.Errorf("Panic does not match desired result for test: %v", tc)
 			}
@@ -437,7 +449,7 @@ func Test_Auth(t *testing.T) {
 
 }
 
-func authentication(tokenid, authtype, username, userid, password string) (paniced bool) {
+func authentication(tokenid, authtype, username, userid, password, appcredid, appcredname, appcredsecret string) (paniced bool) {
 	paniced = false
 
 	defer func() {
@@ -465,11 +477,14 @@ func authentication(tokenid, authtype, username, userid, password string) (panic
 
 	// set mandatory parameters
 	auth = gophercloud.AuthOptions{
-		IdentityEndpoint: "",
-		Username:         username,
-		UserID:           userid,
-		Password:         password,
-		TokenID:          tokenid,
+		IdentityEndpoint:            "",
+		Username:                    username,
+		UserID:                      userid,
+		Password:                    password,
+		ApplicationCredentialID:     appcredid,
+		ApplicationCredentialName:   appcredname,
+		ApplicationCredentialSecret: appcredsecret,
+		TokenID:                     tokenid,
 		Scope: &gophercloud.AuthScope{
 			ProjectID: "12345"}}
 	expectedAuth := auth
@@ -480,16 +495,22 @@ func authentication(tokenid, authtype, username, userid, password string) (panic
 		expectedAuth.Password = ""
 		expectedAuth.UserID = ""
 		expectedAuth.Username = ""
+		expectedAuth.ApplicationCredentialID = ""
+		expectedAuth.ApplicationCredentialName = ""
+		expectedAuth.ApplicationCredentialSecret = ""
 	}
 
 	// create dummy keystone and storage mock
 	keystoneMock := keystone.NewMockDriver(ctrl)
 	setKeystoneInstance(keystoneMock)
 	keystoneMock.EXPECT().Authenticate(expectedAuth).Return(&policy.Context{
 		Request: map[string]string{
-			"user_id":    auth.UserID,
-			"project_id": auth.Scope.ProjectID,
-			"password":   auth.Password},
+			"user_id":                       auth.UserID,
+			"project_id":                    auth.Scope.ProjectID,
+			"password":                      auth.Password,
+			"application_credential_id":     auth.ApplicationCredentialID,
+			"application_credential_name":   auth.ApplicationCredentialName,
+			"application_credential_secret": auth.ApplicationCredentialSecret},
 		Auth:  map[string]string{"project_id": auth.Scope.ProjectID},
 		Roles: []string{"monitoring_viewer"},
 	}, "http://localhost:9091", nil)

diff --git a/pkg/keystone/keystone.go b/pkg/keystone/keystone.go
@@ -129,6 +129,7 @@ type keystoneToken struct {
 	ProjectScope keystoneTokenThingInDomain `json:"project"`
 	Roles        []keystoneTokenThing       `json:"roles"`
 	User         keystoneTokenThingInDomain `json:"user"`
+	Application  keystoneTokenThingInDomain `json:"application"`
 	Token        string
 	ExpiresAt    string `json:"expires_at"`
 }
@@ -147,23 +148,27 @@ func (t *keystoneToken) ToContext() policy.Context {
 	c := policy.Context{
 		Roles: make([]string, 0, len(t.Roles)),
 		Auth: map[string]string{
-			"user_id":             t.User.ID,
-			"user_name":           t.User.Name,
-			"user_domain_id":      t.User.Domain.ID,
-			"user_domain_name":    t.User.Domain.Name,
-			"domain_id":           t.DomainScope.ID,
-			"domain_name":         t.DomainScope.Name,
-			"project_id":          t.ProjectScope.ID,
-			"project_name":        t.ProjectScope.Name,
-			"project_domain_id":   t.ProjectScope.Domain.ID,
-			"project_domain_name": t.ProjectScope.Domain.Name,
-			"token":               t.Token,
-			"token-expiry":        t.ExpiresAt,
+			"user_id":                     t.User.ID,
+			"user_name":                   t.User.Name,
+			"user_domain_id":              t.User.Domain.ID,
+			"user_domain_name":            t.User.Domain.Name,
+			"application_credential_id":   t.Application.ID,
+			"application_credential_name": t.Application.Name,
+			"domain_id":                   t.DomainScope.ID,
+			"domain_name":                 t.DomainScope.Name,
+			"project_id":                  t.ProjectScope.ID,
+			"project_name":                t.ProjectScope.Name,
+			"project_domain_id":           t.ProjectScope.Domain.ID,
+			"project_domain_name":         t.ProjectScope.Domain.Name,
+			"token":                       t.Token,
+			"token-expiry":                t.ExpiresAt,
 		},
 		Request: map[string]string{
-			"user_id":    t.User.ID,
-			"domain_id":  t.DomainScope.ID,
-			"project_id": t.ProjectScope.ID,
+			"user_id":                     t.User.ID,
+			"domain_id":                   t.DomainScope.ID,
+			"project_id":                  t.ProjectScope.ID,
+			"application_credential_id":   t.Application.ID,
+			"application_credential_name": t.Application.Name,
 		},
 		Logger: util.LogDebug,
 	}
@@ -264,6 +269,12 @@ func authOpts2StringKey(authOpts gophercloud.AuthOptions) string {
 
 	// build unique key by separating fields with blanks. Since blanks are not allowed in several of those
 	// the result will be unique
+	if authOpts.ApplicationCredentialID != "" || authOpts.ApplicationCredentialName != "" {
+		return authOpts.UserID + " " + authOpts.Username + " " + authOpts.Password + " " + authOpts.DomainID + " " +
+			authOpts.DomainName + " " + authOpts.ApplicationCredentialID + " " + authOpts.ApplicationCredentialName + " " +
+			authOpts.ApplicationCredentialSecret
+	}
+
 	return authOpts.UserID + " " + authOpts.Username + " " + authOpts.Password + " " + authOpts.DomainID + " " +
 		authOpts.DomainName + " " + authOpts.Scope.ProjectID + " " + authOpts.Scope.ProjectName + " " +
 		authOpts.Scope.DomainID + " " + authOpts.Scope.DomainName
@@ -300,6 +311,10 @@ func (d *keystone) AuthenticateRequest(r *http.Request, guessScope bool) (*polic
 	r.Header.Set("X-User-Name", context.Auth["user_name"])
 	r.Header.Set("X-User-Domain-Id", context.Auth["user_domain_id"])
 	r.Header.Set("X-User-Domain-Name", context.Auth["user_domain_name"])
+	r.Header.Set("X-Application-Credential-Id", context.Auth["application_credential_id"])
+	r.Header.Set("X-Application-Credential-Name", context.Auth["application_credential_name"])
+	r.Header.Set("X-Application-Credential-Secret", context.Auth["application_credential_secret"])
+
 	if context.Auth["project_id"] != "" {
 		r.Header.Set("X-Project-Id", context.Auth["project_id"])
 		r.Header.Set("X-Project-Name", context.Auth["project_name"])
@@ -330,6 +345,12 @@ func (d *keystone) authOptionsFromRequest(r *http.Request, guessScope bool) (*go
 		AllowReauth:      false,
 	}
 
+	// Get application credentials from header
+	appcredid := r.Header.Get("X-Application-Credential-Id")
+	appcredsecret := r.Header.Get("X-Application-Credential-secret")
+	appcredname := r.Header.Get("X-Application-Credential-Name")
+	appcredusername := r.Header.Get("X-User-Name")
+
 	// extract credentials
 	query := r.URL.Query()
 	if token := r.Header.Get("X-Auth-Token"); token != "" {
@@ -384,6 +405,13 @@ func (d *keystone) authOptionsFromRequest(r *http.Request, guessScope bool) (*go
 
 		// set password
 		ba.Password = password
+		// if application credentials are used, skip th basic auth checks below
+	} else if (appcredid != "" && appcredsecret != "") ||
+		(appcredname != "" && appcredusername != "") {
+		ba.ApplicationCredentialID = appcredid
+		ba.ApplicationCredentialName = appcredname
+		ba.ApplicationCredentialSecret = appcredsecret
+		return &ba, nil
 	} else {
 		return nil, NewAuthenticationError(StatusMissingCredentials, "Authorization header missing (no username/password or token)")
 	}
@@ -433,6 +461,9 @@ func (d *keystone) guessScope(ba *gophercloud.AuthOptions) AuthenticationError {
 // It returns the authorization context
 func (d *keystone) authenticate(authOpts gophercloud.AuthOptions, asServiceUser bool, rescope bool) (*policy.Context, string, AuthenticationError) {
 	// check cache, which does not work if tokens are rescoped
+	if authOpts.ApplicationCredentialName != "" || authOpts.ApplicationCredentialID != "" {
+		asServiceUser = false
+	}
 	if entry, found := d.tokenCache.Get(authOpts2StringKey(authOpts)); found && (authOpts.Scope == nil || authOpts.Scope.ProjectID == entry.(*cacheEntry).context.Auth["project_id"]) {
 		if authOpts.TokenID != "" {
 			util.LogDebug("Token cache hit: token %s... for scope %+v", authOpts.TokenID[:1+len(authOpts.TokenID)/4], authOpts.Scope)
@@ -441,6 +472,7 @@ func (d *keystone) authenticate(authOpts gophercloud.AuthOptions, asServiceUser
 		}
 		return entry.(*cacheEntry).context, entry.(*cacheEntry).endpointURL, nil
 	}
+
 	//use a custom token struct instead of tokens.Token which is way incomplete
 	var tokenData keystoneToken
 	var endpointURL string
@@ -488,6 +520,8 @@ func (d *keystone) authenticate(authOpts gophercloud.AuthOptions, asServiceUser
 				util.LogInfo("Failed login of user name %s%s for scope %+v: %s", authOpts.Username, authOpts.UserID, authOpts.Scope, err.Error())
 			} else if authOpts.TokenID != "" {
 				util.LogInfo("Failed login of with token %s... for scope %+v: %s", authOpts.TokenID[:1+len(authOpts.TokenID)/4], authOpts.Scope, err.Error())
+			} else if authOpts.ApplicationCredentialID != "" || authOpts.ApplicationCredentialSecret != "" {
+				util.LogInfo("Failed login of application credentials %s%s: %s", authOpts.ApplicationCredentialID, authOpts.ApplicationCredentialName, err.Error())
 			} else {
 				statusCode = StatusMissingCredentials
 			}
@@ -513,10 +547,16 @@ func (d *keystone) authenticate(authOpts gophercloud.AuthOptions, asServiceUser
 		tokenData.User.Name = authOpts.Username
 		tokenData.User.Domain.ID = authOpts.DomainID
 		tokenData.User.Domain.Name = authOpts.DomainName
-		tokenData.ProjectScope.ID = authOpts.Scope.ProjectID
-		tokenData.ProjectScope.Name = authOpts.Scope.ProjectName
-		tokenData.DomainScope.ID = authOpts.Scope.DomainID
-		tokenData.ProjectScope.Name = authOpts.Scope.DomainName
+		if authOpts.Scope != nil {
+			tokenData.ProjectScope.ID = authOpts.Scope.ProjectID
+			tokenData.ProjectScope.Name = authOpts.Scope.ProjectName
+			tokenData.DomainScope.ID = authOpts.Scope.DomainID
+			tokenData.ProjectScope.Name = authOpts.Scope.DomainName
+		}
+		if authOpts.ApplicationCredentialName != "" || authOpts.ApplicationCredentialID != "" {
+			tokenData.Application.ID = authOpts.ApplicationCredentialID
+			tokenData.Application.Name = authOpts.ApplicationCredentialName
+		}
 
 		endpointURL, err = client.EndpointLocator(metricsEndpointOpts)
 		if err != nil {