sshservice-cli/openstack_cli_otp.env at main · eth-cscs/sshservice-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#!/bin/bash


# This script sets the environment properly so that a user can use the OpenStack CLI with OTP enabled

client_id="castor"
client_secret="c6cc606a-5ae4-4e3e-8a19-753ad265f521"


#Read Inputs
read -p "Username : " username
read -s -p "Password: " password
echo
read -s -p "Enter OTP: " otp
echo


ACCESS_TOKEN=$(curl -s -d "client_id=$client_id" -d "client_secret=$client_secret" -d "username=$username" -d "password=$password" -d "grant_type=password" -d "totp=$otp" https://auth.cscs.ch/auth/realms/cscs/protocol/openid-connect/token | cut -d \" -f 4)

# Prepare filter parameter
if [ "$1" == "" ]; then
  PRJ_FILTER="."
else
  PRJ_FILTER=" $1$"
fi

# Prepare environment
for key in $( set | awk '{FS="="}  /^OS_/ {print $1}' ); do unset $key ; done
export OS_USERNAME=$username
export OS_PASSWORD=$password
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=https://castor.cscs.ch:13000/v3
export OS_IDENTITY_PROVIDER=cscskc
export OS_PROTOCOL=openid
export OS_INTERFACE=public
export OS_CLIENT_ID=$client_id
export OS_CLIENT_SECRET=$client_secret #set to anything if keycloak client is public
export OS_DISCOVERY_ENDPOINT=https://auth.cscs.ch/auth/realms/cscs/.well-known/openid-configuration
export OS_ACCESS_TOKEN=$ACCESS_TOKEN

#Getting the unscoped token
echo "[openstack --os-auth-type v3oidcaccesstoken token issue]"
UNSCOPED_TOKEN="$(openstack --os-auth-type v3oidcaccesstoken token issue --format value --column id)"


export OS_AUTH_TYPE=token
export OS_TOKEN=$UNSCOPED_TOKEN
unset OS_PASSWORD

# Getting the user ID with python directly (no other way, plus serves as an example!!)
echo -n " * Logged in user ID $OS_USERNAME: "
python <<EOF
from keystoneauth1.identity import v3
from keystoneauth1 import session
auth = v3.Token(auth_url="$OS_AUTH_URL", token="$OS_TOKEN")
sess = session.Session(auth=auth)
print(sess.get_user_id())
EOF

# Getting the project name
echo "[openstack project list]"
PROJECTS="$(openstack project list --format value | grep "${PRJ_FILTER}")"
echo $PROJECTS


if [ $(echo "$PROJECTS" | wc -c) -lt 5 ]; then
  echo " * WARNING: You don't belong to a project, having a scoped token is not possible"
  return

elif [ $(echo -n "$PROJECTS" | grep -c '^') -eq 1 ]; then
  # Just one project, accepting it...
  PROJECT_ID="$(echo $PROJECTS | awk '{print $1}')"
  PROJECT_NAME="$(echo $PROJECTS | awk '{print $2}')"
  echo " * Selected project $PROJECT_NAME: $PROJECT_ID"
else
  # More than one project, we need a menu
  SAVEIFS=$IFS; IFS=$'\n' read -a lines -d '' <<< "$PROJECTS"
  declare -a lines; IFS=$SAVEIFS
  PS3="Please choose an option: "
  select option in "${lines[@]}"; do
    if [ 1 -le "$REPLY" ] && [ "$REPLY" -le ${#lines[@]} ]; then
      PROJECT_ID="$(echo $option | awk '{print $1}')"
      PROJECT_NAME="$(echo $option | awk '{print $2}')"
      echo " * Selected project $PROJECT_NAME: $PROJECT_ID"
      break;
    fi
  done
fi


# Getting the scoped token:
echo "[openstack --os-project-id $PROJECT_ID token issue]"
SCOPED_TOKEN="$(openstack --os-project-id $PROJECT_ID token issue --format value --column id)"

if [ $? -ne 0 ]; then
    echo " * WARNING: Failed to get scoped token, but unscoped commands should work fine"
    return
fi

export OS_TOKEN=$SCOPED_TOKEN
export OS_PROJECT_ID=$PROJECT_ID

echo " * Setting custom 'swift' alias"
alias swift='swift --os-auth-token $OS_TOKEN --os-storage-url https://object.cscs.ch/v1/AUTH_$OS_PROJECT_ID'