# Keystone endpoint host; taken from the environment, defaulting to localhost
# when unset or empty.  Every function below builds its URL from this value.
: "${KEYSTONE_HOST:=localhost}"
# Domain
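# Create a Keystone v3 domain and print its id.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - domain name
# Outputs:   the new domain id on stdout
function create_domain() {
  local TOKEN=$1
  local DOMAIN_NAME=$2
  # The body is built by jq (--arg) so a name containing quotes or
  # backslashes cannot break or alter the JSON; curl reads it from stdin
  # instead of argv.  -sS: no progress meter, errors still reported.
  ./jq -n --arg name "$DOMAIN_NAME" \
      '{domain: {description: "--optional--", enabled: true, name: $name}}' \
    | curl -sS -H "X-Auth-Token: $TOKEN" -H "Content-type: application/json" \
        --data-binary @- "http://$KEYSTONE_HOST:5000/v3/domains" \
    | ./jq -r '.domain.id'
}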
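# Disable and then delete a Keystone v3 domain (Keystone rejects deleting an
# enabled domain).
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - domain id
# Outputs:   the DELETE response body on stdout
# Returns:   non-zero if the domain could not be fetched or patched
function delete_domain() {
  local TOKEN=$1
  local DOMAIN_ID=$2
  local URL="http://$KEYSTONE_HOST:5000/v3/domains/$DOMAIN_ID"
  local NEW_DATA
  # Declaration and assignment are split so a failing curl/jq is not masked
  # by the exit status of 'local'.
  NEW_DATA=$(curl -sS -H "X-Auth-Token: $TOKEN" "$URL" | ./jq '.domain.enabled |= false') || return
  # Disable domain: PATCH the fetched representation back with enabled=false.
  printf '%s' "$NEW_DATA" \
    | curl -sS -H "X-Auth-Token: $TOKEN" -H "Content-type: application/json" \
        -X PATCH --data-binary @- "$URL" > /dev/null || return
  # Delete domain
  curl -sS -H "X-Auth-Token: $TOKEN" -H "Content-type: application/json" \
    -X DELETE "$URL"
}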
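# List all domains (raw JSON response).
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token
# Outputs:   the JSON response on stdout
function get_domains() {
  local TOKEN=$1
  # URL quoted so an unusual KEYSTONE_HOST value cannot be word-split or globbed.
  curl -sS -H "X-Auth-Token: $TOKEN" "http://$KEYSTONE_HOST:5000/v3/domains"
}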
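# Resolve a domain name to its id.
# Globals:   KEYSTONE_HOST (read, via get_domains)
# Arguments: $1 - auth token; $2 - domain name
# Outputs:   matching domain id(s) on stdout, one per line
function domainid_from_name() {
  local TOKEN=$1
  local DOMAIN_NAME=$2
  # --arg passes the name as a jq variable, so it is compared literally and
  # cannot change the filter program (unlike string interpolation).
  get_domains "$TOKEN" \
    | ./jq -r --arg name "$DOMAIN_NAME" '.domains[] | select(.name == $name) | .id'
}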
# Project
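# Create a project inside a domain and print its id.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - domain id; $3 - project name
# Outputs:   the new project id on stdout
function create_project() {
  local TOKEN=$1
  local DOMAIN_ID=$2
  local PROJECT_NAME=$3
  # jq --arg produces correctly escaped JSON whatever the name contains;
  # the body goes to curl over stdin rather than as an argument.
  ./jq -n --arg domain_id "$DOMAIN_ID" --arg name "$PROJECT_NAME" \
      '{project: {description: "--optional--", domain_id: $domain_id, enabled: true, name: $name}}' \
    | curl -sS -H "X-Auth-Token: $TOKEN" -H "Content-type: application/json" \
        --data-binary @- "http://$KEYSTONE_HOST:5000/v3/projects" \
    | ./jq -r '.project.id'
}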
# Role
# Grant a role to a user on a domain (idempotent PUT).
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - user id; $3 - domain id; $4 - role id
# Outputs:   the response body on stdout
function add_domain_role() {
  local TOKEN=$1 USER_ID=$2 DOMAIN_ID=$3 ROLE_ID=$4
  local URL="http://$KEYSTONE_HOST:5000/v3/domains/$DOMAIN_ID/users/$USER_ID/roles/$ROLE_ID"
  curl -X PUT -H "X-Auth-Token: $TOKEN" "$URL"
}
# Grant a role to a group on a project (idempotent PUT).
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - project id; $3 - group id; $4 - role id
# Outputs:   the response body on stdout
function add_group_role() {
  local TOKEN=$1 PROJECT_ID=$2 GROUP_ID=$3 ROLE_ID=$4
  local URL="http://$KEYSTONE_HOST:5000/v3/projects/$PROJECT_ID/groups/$GROUP_ID/roles/$ROLE_ID"
  curl -X PUT -H "X-Auth-Token: $TOKEN" "$URL"
}
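# Resolve a role name to its id.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - role name
# Outputs:   matching role id(s) on stdout, one per line
function roleid_from_name() {
  local TOKEN=$1
  local ROLE_NAME=$2
  # The name is bound as a jq variable (--arg) instead of being spliced into
  # the filter text, so quotes in it cannot alter the query.
  curl -sS -H "X-Auth-Token: $TOKEN" "http://$KEYSTONE_HOST:5000/v3/roles" \
    | ./jq -r --arg name "$ROLE_NAME" '.roles[] | select(.name == $name) | .id'
}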
# User
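# Create a user in a domain and print its id.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - domain id; $3 - user name; $4 - password;
#            $5 - default project id (optional, defaults to the historic
#            hard-coded value)
# Outputs:   the new user id on stdout
function create_user() {
  local TOKEN=$1
  local DOMAIN_ID=$2
  local NAME=$3
  local PASSWORD=$4
  #FIXME change default-project-id
  local DEFAULT_PROJECT_ID=${5:-d0f445c3379b48f38a2ab0f17314bbf9}
  # The password reaches jq through the environment (env.KS_PASSWORD) and
  # curl through stdin, so it never appears in a process argument list
  # where `ps` could show it.  --arg makes the other fields JSON-safe.
  KS_PASSWORD="$PASSWORD" ./jq -n \
      --arg project "$DEFAULT_PROJECT_ID" --arg domain_id "$DOMAIN_ID" --arg name "$NAME" \
      '{user: {default_project_id: $project, description: "Description",
               domain_id: $domain_id, email: "email@email.com", enabled: true,
               name: $name, password: env.KS_PASSWORD}}' \
    | curl -sS -H "X-Auth-Token: $TOKEN" -H "Content-type: application/json" \
        --data-binary @- "http://$KEYSTONE_HOST:5000/v3/users" \
    | ./jq -r .user.id
}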
# Group
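# Create a group inside a domain and print its id.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - domain id; $3 - group name
# Outputs:   the new group id on stdout
function create_group() {
  local TOKEN=$1
  local DOMAIN_ID=$2
  local GROUP_NAME=$3
  # jq --arg escapes the name for JSON; the body is streamed to curl on stdin.
  ./jq -n --arg domain_id "$DOMAIN_ID" --arg name "$GROUP_NAME" \
      '{group: {description: "--optional--", domain_id: $domain_id, name: $name}}' \
    | curl -sS -H "X-Auth-Token: $TOKEN" -H "Content-type: application/json" \
        --data-binary @- "http://$KEYSTONE_HOST:5000/v3/groups" \
    | ./jq -r '.group.id'
}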
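# Delete a group by id.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - group id
# Outputs:   the response body on stdout
function delete_group() {
  local TOKEN=$1
  local GROUP_ID=$2
  # URL quoted to prevent word-splitting/globbing of the interpolated values.
  curl -sS -H "X-Auth-Token: $TOKEN" -X DELETE \
    "http://$KEYSTONE_HOST:5000/v3/groups/$GROUP_ID"
}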
# Federation - Mapping
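# Create (PUT) a federation mapping and print its id.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - mapping id; $3 - comma-separated JSON rule
#            objects (the contents of the "rules" array)
# Outputs:   the mapping id on stdout
# Returns:   non-zero if $3 is not valid JSON
function create_mapping() {
  local TOKEN=$1
  local MAPPING_ID=$2
  local RULES=$3
  # --argjson parses "[RULES]" as JSON, so a malformed rule list fails here
  # with a jq error instead of being sent to the server as-is.
  ./jq -n --argjson rules "[$RULES]" '{mapping: {rules: $rules}}' \
    | curl -sS -H "X-Auth-Token: $TOKEN" -H "Content-type: application/json" \
        --data-binary @- -X PUT \
        "http://$KEYSTONE_HOST:5000/v3/OS-FEDERATION/mappings/$MAPPING_ID" \
    | ./jq -r '.mapping.id'
}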
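# Create a mapping with one rule that maps matching remote users to the
# fixed local user "federated-user" and to the given group.
# Globals:   KEYSTONE_HOST (read, via create_mapping)
# Arguments: $1 - auth token; $2 - mapping id; $3 - group id;
#            $4 - comma-separated JSON objects for the rule's "remote" array
# Outputs:   the mapping id on stdout
# Returns:   non-zero if $4 is not valid JSON
function create_mapping_with_single_rule() {
  local TOKEN=$1
  local MAPPING_ID=$2
  local GROUP_ID=$3
  local REMOTE_RULES=$4
  local RULE
  # --arg escapes the group id; --argjson validates the remote rules.
  RULE=$(./jq -n --arg group_id "$GROUP_ID" --argjson remote "[$REMOTE_RULES]" \
      '{local: [{user: {name: "federated-user"}}, {group: {id: $group_id}}], remote: $remote}') || return
  # All three arguments quoted: the rule is one multi-line JSON document and
  # must arrive in create_mapping as a single word, not split on whitespace.
  create_mapping "$TOKEN" "$MAPPING_ID" "$RULE"
}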
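# Delete a federation mapping by id.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - mapping id
# Outputs:   the response body on stdout
function delete_mapping() {
  local TOKEN=$1
  local MAPPING_ID=$2
  # URL quoted to prevent word-splitting/globbing of the interpolated values.
  curl -sS -H "X-Auth-Token: $TOKEN" -X DELETE \
    "http://$KEYSTONE_HOST:5000/v3/OS-FEDERATION/mappings/$MAPPING_ID"
}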
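# List all federation mappings (raw JSON response).
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token
# Outputs:   the JSON response on stdout
function get_mappings() {
  local TOKEN=$1
  curl -sS -H "X-Auth-Token: $TOKEN" "http://$KEYSTONE_HOST:5000/v3/OS-FEDERATION/mappings"
}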
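# Look up a federation mapping by its identifier.  Mappings carry no separate
# "name" field, so the argument is matched against .id; the function thus
# echoes the id back only if such a mapping exists.
# Globals:   KEYSTONE_HOST (read, via get_mappings)
# Arguments: $1 - auth token; $2 - mapping id
# Outputs:   the mapping id on stdout if found
function mappingid_from_name() {
  local TOKEN=$1
  local MAPPING_NAME=$2
  # --arg keeps the value out of the filter text (no jq-program injection).
  get_mappings "$TOKEN" \
    | ./jq -r --arg name "$MAPPING_NAME" '.mappings[] | select(.id == $name) | .id'
}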
# Federation - Identity Provider
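# Register (PUT) a federation identity provider and print its id.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - identity provider id
# Outputs:   the identity provider id on stdout
function register_identity_provider() {
  local TOKEN=$1
  local IDP_ID=$2
  # Body is a constant; only the URL is interpolated, so it is quoted.
  curl -sS -H "X-Auth-Token: $TOKEN" -H "Content-type: application/json" \
    -d '{"identity_provider": {"description": "--optional--", "enabled": true}}' \
    -X PUT \
    "http://$KEYSTONE_HOST:5000/v3/OS-FEDERATION/identity_providers/$IDP_ID" \
    | ./jq -r '.identity_provider.id'
}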
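# Delete a federation identity provider by id.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - identity provider id
# Outputs:   the response body on stdout
function delete_identity_provider() {
  local TOKEN=$1
  local IDP_ID=$2
  # URL quoted to prevent word-splitting/globbing of the interpolated values.
  curl -sS -H "X-Auth-Token: $TOKEN" -X DELETE \
    "http://$KEYSTONE_HOST:5000/v3/OS-FEDERATION/identity_providers/$IDP_ID"
}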
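# List all federation identity providers (raw JSON response).
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token
# Outputs:   the JSON response on stdout
function get_identity_providers() {
  local TOKEN=$1
  curl -sS -H "X-Auth-Token: $TOKEN" "http://$KEYSTONE_HOST:5000/v3/OS-FEDERATION/identity_providers"
}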
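# Look up a federation identity provider by its identifier.  Identity
# providers are keyed by id, so the argument is matched against .id and the
# id is echoed back only if such a provider exists.
# Globals:   KEYSTONE_HOST (read, via get_identity_providers)
# Arguments: $1 - auth token; $2 - identity provider id
# Outputs:   the identity provider id on stdout if found
function identity_provider_id_from_name() {
  local TOKEN=$1
  local IDP_NAME=$2
  # --arg keeps the value out of the filter text (no jq-program injection).
  get_identity_providers "$TOKEN" \
    | ./jq -r --arg name "$IDP_NAME" '.identity_providers[] | select(.id == $name) | .id'
}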
# Federation - Protocol
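# Register (PUT) a federation protocol on an identity provider, binding it to
# a mapping, and print the protocol id.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - identity provider id; $3 - mapping id;
#            $4 - protocol id
# Outputs:   the protocol id on stdout
function register_protocol() {
  local TOKEN=$1
  local IDP_ID=$2
  local MAPPING_ID=$3
  local PROTOCOL_ID=$4
  # jq --arg escapes the mapping id for JSON; body streamed to curl on stdin.
  ./jq -n --arg mapping_id "$MAPPING_ID" '{protocol: {mapping_id: $mapping_id}}' \
    | curl -sS -H "X-Auth-Token: $TOKEN" -H "Content-type: application/json" \
        --data-binary @- -X PUT \
        "http://$KEYSTONE_HOST:5000/v3/OS-FEDERATION/identity_providers/$IDP_ID/protocols/$PROTOCOL_ID" \
    | ./jq -r '.protocol.id'
}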
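# List the protocols registered on an identity provider (raw JSON response).
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token; $2 - identity provider id
# Outputs:   the JSON response on stdout
function get_protocols() {
  local TOKEN=$1
  local IDP_ID=$2
  curl -sS -H "X-Auth-Token: $TOKEN" \
    "http://$KEYSTONE_HOST:5000/v3/OS-FEDERATION/identity_providers/$IDP_ID/protocols"
}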
# Federation - Projects and Domains
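# List the projects a federated (unscoped) token may be scoped to.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - federated token
# Outputs:   the JSON response on stdout
function federation_projects() {
  local FEDERATED_TOKEN=$1
  curl -sS -H "X-Auth-Token: $FEDERATED_TOKEN" \
    "http://$KEYSTONE_HOST:5000/v3/OS-FEDERATION/projects"
}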
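# List the domains a federated (unscoped) token may be scoped to.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - federated token
# Outputs:   the JSON response on stdout
function federation_domains() {
  local FEDERATED_TOKEN=$1
  curl -sS -H "X-Auth-Token: $FEDERATED_TOKEN" \
    "http://$KEYSTONE_HOST:5000/v3/OS-FEDERATION/domains"
}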
# Federation - Token
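# Exchange an unscoped federated (saml2) token for a project-scoped token.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - federated token; $2 - scope domain name; $3 - scope project name
# Outputs:   the new token (X-Subject-Token header value) on stdout
function get_project_scoped_token_from_federated_token() {
  local FEDERATED_TOKEN=$1
  local SCOPE_DOMAIN_NAME=$2
  local SCOPE_PROJECT_NAME=$3
  # The federated token is a credential: it reaches jq through the
  # environment and curl through stdin, so it is not visible in any process
  # argument list.  --arg makes the names JSON-safe regardless of content.
  KS_FEDERATED_TOKEN="$FEDERATED_TOKEN" ./jq -n \
      --arg scope_domain "$SCOPE_DOMAIN_NAME" --arg project "$SCOPE_PROJECT_NAME" \
      '{auth: {identity: {methods: ["saml2"], saml2: {id: env.KS_FEDERATED_TOKEN}},
               scope: {project: {domain: {name: $scope_domain}, name: $project}}}}' \
    | curl -sSi -H "Content-type: application/json" --data-binary @- \
        "http://$KEYSTONE_HOST:5000/v3/auth/tokens" \
    | awk 'tolower($1) == "x-subject-token:" {print $2}' | sed 's/\r$//'
  # Header names are case-insensitive (HTTP/2 lower-cases them), hence tolower;
  # the trailing CR of the HTTP header line is stripped by sed.
}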
# Token
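# Authenticate with a password and obtain a project-scoped token.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - user's domain name; $2 - user name; $3 - password;
#            $4 - scope domain name; $5 - scope project name
# Outputs:   the token (X-Subject-Token header value) on stdout
function get_project_scoped_token() {
  local USER_DOMAIN_NAME=$1
  local USER_NAME=$2
  local USER_PASSWORD=$3
  local SCOPE_DOMAIN_NAME=$4
  local SCOPE_PROJECT_NAME=$5
  # The password is handed to jq via the environment and to curl via stdin,
  # so it never appears in a process argument list; --arg also makes the
  # names safe to embed whatever quotes they may contain.
  KS_PASSWORD="$USER_PASSWORD" ./jq -n \
      --arg user_domain "$USER_DOMAIN_NAME" --arg user "$USER_NAME" \
      --arg scope_domain "$SCOPE_DOMAIN_NAME" --arg project "$SCOPE_PROJECT_NAME" \
      '{auth: {identity: {methods: ["password"],
                          password: {user: {domain: {name: $user_domain}, name: $user,
                                            password: env.KS_PASSWORD}}},
               scope: {project: {domain: {name: $scope_domain}, name: $project}}}}' \
    | curl -sSi -H "Content-type: application/json" --data-binary @- \
        "http://$KEYSTONE_HOST:5000/v3/auth/tokens" \
    | awk 'tolower($1) == "x-subject-token:" {print $2}' | sed 's/\r$//'
  # tolower: header names are case-insensitive; sed strips the header's CR.
}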
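# Authenticate with a password and obtain a domain-scoped token.
# Note the argument order differs from get_project_scoped_token.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - user name; $2 - password; $3 - user's domain name;
#            $4 - scope domain name
# Outputs:   the token (X-Subject-Token header value) on stdout
function get_domain_scoped_token() {
  local USER_NAME=$1
  local USER_PASSWORD=$2
  local USER_DOMAIN_NAME=$3
  local SCOPE_DOMAIN_NAME=$4
  # Password via environment (jq) and stdin (curl): never on a command line.
  KS_PASSWORD="$USER_PASSWORD" ./jq -n \
      --arg user_domain "$USER_DOMAIN_NAME" --arg user "$USER_NAME" \
      --arg scope_domain "$SCOPE_DOMAIN_NAME" \
      '{auth: {identity: {methods: ["password"],
                          password: {user: {domain: {name: $user_domain}, name: $user,
                                            password: env.KS_PASSWORD}}},
               scope: {domain: {name: $scope_domain}}}}' \
    | curl -sSi -H "Content-type: application/json" --data-binary @- \
        "http://$KEYSTONE_HOST:5000/v3/auth/tokens" \
    | awk 'tolower($1) == "x-subject-token:" {print $2}' | sed 's/\r$//'
  # tolower: header names are case-insensitive; sed strips the header's CR.
}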
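# Validate a token and print its JSON representation.
# Globals:   KEYSTONE_HOST (read)
# Arguments: $1 - auth token used to make the request; $2 - token to validate
# Outputs:   the JSON response on stdout
function validate_token() {
  local AUTH_TOKEN=$1
  local SUBJECT_TOKEN=$2
  # Both tokens travel as curl header arguments (visible to `ps` while curl
  # runs), as in the rest of this file; the URL is quoted against word-splitting.
  curl -sS -H "X-Auth-Token: $AUTH_TOKEN" -H "X-Subject-Token: $SUBJECT_TOKEN" \
    "http://$KEYSTONE_HOST:5000/v3/auth/tokens"
}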